doorkeeper 2.0.0.rc2 → 2.0.0.rc3



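--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 210e4fe74a245228a17d33cee59e3ca0b623cf6f
- data.tar.gz: d639da9ead08dc48b5dbe89837bd086e909e14c0
+ metadata.gz: b6af4f799e8a70cbaf372a0fc40c916ef361b724
+ data.tar.gz: 6ec873aec540c727246755b3dbb3c910c97d4c98
  SHA512:
- metadata.gz: 9e01e9c004ced7e97eef6920c963fbb27c7fa7e3179c2bd00df7a3474c7e0185409cb029d1f2854ea66288f8d16fc27afc8d3bd50c548e37abb77cfbbcdad97b
- data.tar.gz: 1516f21f124320f14516e5167fb498075105e3453f683465fe08953b44e779d5d7e68fb7ca3f5a97b9db7e822e1bf151ac81813c45d0932d00cacc1bb1faa0eb
+ metadata.gz: 59e4096fcacac6391f65fa6006dc9704cac6b8b8f85e1988bca2c731ecd70017b67916a96443671a585c05fefce61512936640dcbb9f8fb37d7cb0b68ba73ae7
+ data.tar.gz: 8a30f7ceeeb1d32c248e862c51e9ad0b504aadb8b82d01888a12ae0545c5ddd3fd3a8f6512f795f2b82fe3a68d085dd9b8deaa3bb841199c2511e94debe1b91f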
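--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -8,9 +8,13 @@
  `before_action :doorkeeper_authorize!`.
  - [#469] Allow client applications to restrict the set of allowable scopes.
  Fixes #317. `oauth_applications` relation needs a new `scopes` string column,
- non nullable, which defaults to an empty string. Run `rails generate
- doorkeeper:application_scopes` to add the column. If you’d rather do it by
- hand, your ActiveRecord migration should contain:
+ non nullable, which defaults to an empty string. To add the column run:
+
+ ```
+ rails generate doorkeeper:application_scopes
+ ```
+
+ If you’d rather do it by hand, your ActiveRecord migration should contain:
 
  ```ruby
  add_column :oauth_applications, :scopes, :string, null: false, default: ‘’
@@ -23,6 +27,7 @@
 
  ### Other changes/enhancements
 
+ - [#484] Performance improvement - avoid performing order_by when not required.
  - [#450] When password is invalid in Password Credentials Grant, Doorkeeper
  returned 'invalid_resource_owner' instead of 'invalid_grant', as the spec
  declares. Fixes #444.
@@ -35,6 +40,8 @@
  - [#496] Tests with Rails 4.2.
  - [#489] Adds `force_ssl_in_redirect_uri` to force the usage of the HTTPS
  protocol in non-native redirect uris.
+ - [#516] Adds `protect_from_forgery` to `Doorkeeper::ApplicationController`
+ - [#518] Fix random failures in mongodb.
 
 
  ## 1.4.0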
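--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -2,6 +2,12 @@ module Doorkeeper
  class ApplicationController < ActionController::Base
  include Helpers::Controller
 
+ if ::Rails.version.to_i < 4
+ protect_from_forgery
+ else
+ protect_from_forgery with: :exception
+ end
+
  helper 'doorkeeper/dashboard'
  end
  end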
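Review bot: The version branch at `if ::Rails.version.to_i < 4` carries no explanation, and its two arms do not behave the same way: with `with: :exception` a forged request raises, while the bare `protect_from_forgery` in the first arm falls back to the older default handler, which, as I recall, resets the session instead of rejecting the request. I would add `# Rails 3 has no :with option; its default handler resets the session instead of raising` above the `if` so the asymmetry is recorded next to the code. Because this base class now enforces CSRF for every subclass, please also confirm that no endpoint serving non-browser OAuth clients (the token endpoint, for instance) inherits from it without a matching `skip_before_action`/`skip_before_filter`, since such clients cannot present an authenticity token. The enclosing `module Doorkeeper` opens before the hunk.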
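--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -23,7 +23,7 @@ module Doorkeeper
 
  module ClassMethods
  def by_token(token)
- where(token: token).first
+ where(token: token).limit(1).to_a.first
  end
  end
 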
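Review bot: The new `where(token: token).limit(1).to_a.first` reads as a pointless rewrite of `.first` unless the reader already knows the motivation, and the same idiom recurs in the hunks headed `@@ -31,7 +31,7 @@`, `@@ -77,6 +77,7 @@` and `@@ -22,11 +22,11 @@`. The difference is that `Relation#first` on ActiveRecord 4 adds an implicit primary-key ordering, which `limit(1).to_a.first` avoids (the changelog's #484 entry), while still working unchanged on the Mongo criteria the other adapters use. A short comment on this first occurrence, `# limit(1).to_a.first rather than .first: skips the implicit ORDER BY that Relation#first adds (#484)`, would stop someone later "simplifying" it back. `Relation#take` expresses the same intent on Rails 4, but judging by the `Rails.version.to_i < 4` branch elsewhere in this diff Rails 3 is still supported, so the explicit form is the right choice here.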
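--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -31,7 +31,7 @@ module Doorkeeper
 
  module ClassMethods
  def by_token(token)
- where(token: token).first
+ where(token: token).limit(1).to_a.first
  end
 
  def by_refresh_token(refresh_token)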
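--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -77,6 +77,7 @@ module Doorkeeper
  revoked_at: nil).
  send(order_method, created_at_desc).
  limit(1).
+ to_a.
  first
  end
  end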
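--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -22,11 +22,11 @@ module Doorkeeper
 
  module ClassMethods
  def by_uid_and_secret(uid, secret)
- where(uid: uid, secret: secret).first
+ where(uid: uid, secret: secret).limit(1).to_a.first
  end
 
  def by_uid(uid)
- where(uid: uid).first
+ where(uid: uid).limit(1).to_a.first
  end
  end
 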
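--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -13,6 +13,7 @@ module Doorkeeper
  def self.order_method
  :order
  end
+
  def self.created_at_desc
  'created_at desc'
  end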
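--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -27,19 +27,17 @@ module Doorkeeper
  end
  private_class_method :delete_all_for
 
- def self.last_authorized_token_for(application_id, resource_owner_id)
- where(application_id: application_id,
- resource_owner_id: resource_owner_id,
- revoked_at: nil).
- sort(:created_at.desc).
- limit(1).
- first
- end
- private_class_method :last_authorized_token_for
-
  def self.create_indexes
  ensure_index :token, unique: true
  ensure_index [[:refresh_token, 1]], unique: true, sparse: true
  end
+
+ def self.order_method
+ :sort
+ end
+
+ def self.created_at_desc
+ :created_at.desc
+ end
  end
  end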
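Review bot: Removing this adapter's `last_authorized_token_for` together with its `private_class_method :last_authorized_token_for` means the class now falls through to the shared implementation (the `send(order_method, created_at_desc)` hunk earlier in this diff), and nothing visible re-declares that one private; the new spec at `@@ -74,15 +74,24 @@` calls `Doorkeeper::AccessToken.last_authorized_token_for` from outside, so the method appears to have become public as a side effect. If that widening is intended it deserves a changelog line; if not, the shared method should get the same `private_class_method` declaration and the spec should reach it another way. The two new hooks also say nothing about who consumes them; I would put `# ORM-specific halves of the ORDER BY used by the shared last_authorized_token_for` above `def self.order_method`, and the same note applies to the `:order` and `:order_by` hooks in the neighbouring adapter hunks. Both the `module` and the class enclosing this hunk start outside it.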
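--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -29,6 +29,7 @@ module Doorkeeper
  def self.order_method
  :order_by
  end
+
  def self.created_at_desc
  [:created_at, :desc]
  end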
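--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -29,6 +29,7 @@ module Doorkeeper
  def self.order_method
  :order_by
  end
+
  def self.created_at_desc
  [:created_at, :desc]
  end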
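--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -29,6 +29,7 @@ module Doorkeeper
  def self.order_method
  :order_by
  end
+
  def self.created_at_desc
  [:created_at, :desc]
  end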
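--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -1,3 +1,3 @@
  module Doorkeeper
- VERSION = '2.0.0.rc2'
+ VERSION = '2.0.0.rc3'
  end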
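--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -51,4 +51,27 @@ feature 'Authorization endpoint' do
  i_should_see_translated_error_message :unsupported_response_type
  end
  end
+
+ context 'forgery protection enabled' do
+ before do
+ ActionController::Base.allow_forgery_protection = true
+ end
+
+ after do
+ ActionController::Base.allow_forgery_protection = false
+ end
+
+ background do
+ create_resource_owner
+ sign_in
+ end
+
+ scenario 'raises exception on forged requests' do
+ ActionController::Base.any_instance.should_receive(:handle_unverified_request)
+ post "/oauth/authorize",
+ client_id: @client.uid,
+ redirect_uri: @client.redirect_uri,
+ response_type: 'code'
+ end
+ end
  end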
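Review bot: `ActionController::Base.any_instance.should_receive(:handle_unverified_request)` replaces the very handler the scenario is about, so the test shows the hook is invoked but never checks that the forged POST is actually refused; on the Rails 4 arm, where `protect_from_forgery with: :exception` applies, the observable outcome is the raise, and that is what a regression test should pin, e.g. `expect { post "/oauth/authorize", client_id: @client.uid, redirect_uri: @client.redirect_uri, response_type: 'code' }.to raise_error(ActionController::InvalidAuthenticityToken)`. The `should_receive` form is also the older RSpec syntax, whereas the suite already uses `expect(...).to` in the next hunk. Separately, the `after` block forces `allow_forgery_protection = false` instead of restoring the previous value; `@forgery_was = ActionController::Base.allow_forgery_protection` in `before` and `ActionController::Base.allow_forgery_protection = @forgery_was` in `after` keeps the toggle from leaking into other examples. The `feature` block starts before the hunk.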
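--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -74,15 +74,24 @@ feature 'Refresh Token Flow' do
  # enable password auth to simulate other devices
  config_is_set(:resource_owner_from_credentials) { User.authenticate! params[:username], params[:password] }
  create_resource_owner
+ _another_token = post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
+ last_token.update_attribute :created_at, 5.seconds.ago
+
  @token = FactoryGirl.create(:access_token, application: @client, resource_owner_id: @resource_owner.id, use_refresh_token: true)
+ @token.update_attribute :expires_in, -100
  end
 
  scenario 'client request a token after creating another token with the same user' do
- @token.update_attribute :expires_in, -100
- post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
  post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
- should_have_json 'refresh_token', Doorkeeper::AccessToken.last.refresh_token
+
+ should_have_json 'refresh_token', last_token.refresh_token
  expect(@token.reload).to be_revoked
  end
+
+ def last_token
+ Doorkeeper::AccessToken.last_authorized_token_for(
+ @client.id, @resource_owner.id
+ )
+ end
  end
  end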
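Review bot: `_another_token = post password_token_endpoint_url(...)` in the `background` binds the return value of `post` (an integration-session result, not a token, as far as I can tell) to a name that says "token" and then never uses it; keep the bare `post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)` as the old scenario had it. The setup then depends on `last_token` resolving to that password-grant token before `update_attribute :created_at, 5.seconds.ago` runs, which only holds because the factory-built `@token` does not exist yet at that point; a comment such as `# age the password-grant token so the factory token below is the newest authorized one` would make that ordering explicit. `last_token` is also a plain `def` placed after the scenarios inside the `feature` block, which works but is easier to find next to `background`. The `feature` block starts before the hunk.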
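--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: doorkeeper
  version: !ruby/object:Gem::Version
- version: 2.0.0.rc2
+ version: 2.0.0.rc3
  platform: ruby
  authors:
  - Felipe Elias Philipp
@@ -9,7 +9,7 @@ authors:
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2014-12-09 00:00:00.000000000 Z
+ date: 2014-12-14 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: railties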