doorkeeper 2.0.1 → 2.1.0

data/lib/doorkeeper/models/access_token_mixin.rb

@@ -52,7 +52,18 @@ module Doorkeeper
                               resource_owner_or_id
                             end
         token = last_authorized_token_for(application.try(:id), resource_owner_id)
-        token if token && Doorkeeper::OAuth::Helpers::ScopeChecker.matches?(token.scopes, scopes)
+        if token && scopes_match?(token.scopes, scopes, application.try(:scopes))
+          token
+        end
+      end
+
+      def scopes_match?(token_scopes, param_scopes, app_scopes)
+        (!token_scopes.present? && !param_scopes.present?) ||
+          Doorkeeper::OAuth::Helpers::ScopeChecker.valid?(
+            token_scopes.to_s,
+            param_scopes,
+            app_scopes
+          )
       end
 
       def find_or_create_for(application, resource_owner_id, scopes, expires_in, use_refresh_token)
@@ -92,10 +103,11 @@ module Doorkeeper
 
     def as_json(_options = {})
       {
-        resource_owner_id: resource_owner_id,
-        scopes: scopes,
+        resource_owner_id:  resource_owner_id,
+        scopes:             scopes,
         expires_in_seconds: expires_in_seconds,
-        application: { uid: application.try(:uid) }
+        application:        { uid: application.try(:uid) },
+        created_at:         created_at.to_i,
       }
     end
 

data/lib/doorkeeper/oauth/client.rb

@@ -17,7 +17,7 @@ module Doorkeeper
         end
       end
 
-      delegate :id, :name, :uid, :redirect_uri, to: :@application
+      delegate :id, :name, :uid, :redirect_uri, :scopes, to: :@application
 
       def initialize(application)
         @application = application

data/lib/doorkeeper/oauth/client_credentials/validation.rb

@@ -13,19 +13,31 @@ module Doorkeeper
         validate :scopes, error: :invalid_scope
 
         def initialize(server, request)
-          @server, @request = server, request
+          @server, @request, @client = server, request, request.client
+
           validate
         end
 
         private
 
         def validate_client
-          @request.client.present?
+          @client.present?
         end
 
         def validate_scopes
           return true unless @request.original_scopes.present?
-          ScopeChecker.valid?(@request.original_scopes, @server.scopes)
+
+          application_scopes = if @client.present?
+                                 @client.application.scopes
+                               else
+                                 ''
+                               end
+
+          ScopeChecker.valid?(
+            @request.original_scopes,
+            @server.scopes,
+            application_scopes
+          )
         end
       end
     end

data/lib/doorkeeper/oauth/helpers/scope_checker.rb

@@ -2,15 +2,16 @@ module Doorkeeper
   module OAuth
     module Helpers
       module ScopeChecker
-        def self.matches?(current_scopes, scopes)
-          return false if current_scopes.nil? || scopes.nil?
-          current_scopes == scopes
-        end
+        def self.valid?(scope_str, server_scopes, application_scopes = nil)
+          valid_scopes = if application_scopes.present?
+                           server_scopes & application_scopes
+                         else
+                           server_scopes
+                         end
 
-        def self.valid?(scope, server_scopes)
-          scope.present? &&
-          scope !~ /[\n|\r|\t]/ &&
-          server_scopes.has_scopes?(OAuth::Scopes.from_string(scope))
+          scope_str.present? &&
+            scope_str !~ /[\n|\r|\t]/ &&
+            valid_scopes.has_scopes?(OAuth::Scopes.from_string(scope_str))
         end
       end
     end

data/lib/doorkeeper/oauth/password_access_token_request.rb

@@ -32,7 +32,7 @@ module Doorkeeper
 
       def validate_scopes
         return true unless @original_scopes.present?
-        ScopeChecker.valid?(@original_scopes, @server.scopes)
+        ScopeChecker.valid? @original_scopes, server.scopes, client.try(:scopes)
       end
 
       def validate_resource_owner

data/lib/doorkeeper/oauth/pre_authorization.rb

@@ -48,11 +48,11 @@ module Doorkeeper
 
       def validate_scopes
         return true unless scope.present?
-        if client.application.scopes.empty?
-          Helpers::ScopeChecker.valid?(scope, server.scopes)
-        else
-          Helpers::ScopeChecker.valid?(scope, server.scopes & client.application.scopes)
-        end
+        Helpers::ScopeChecker.valid?(
+          scope,
+          server.scopes,
+          client.application.scopes
+        )
       end
 
       # TODO: test uri should be matched against the client's one

data/lib/doorkeeper/oauth/refresh_token_request.rb

@@ -5,7 +5,8 @@ module Doorkeeper
       include OAuth::RequestConcern
       include OAuth::Helpers
 
-      validate :token,        error: :invalid_request
+      validate :token_presence, error: :invalid_request
+      validate :token,        error: :invalid_grant
       validate :client,       error: :invalid_client
       validate :client_match, error: :invalid_grant
       validate :scope,        error: :invalid_scope
@@ -18,6 +19,7 @@ module Doorkeeper
         @refresh_token   = refresh_token
         @credentials     = credentials
         @original_scopes = parameters[:scopes]
+        @refresh_token_parameter = parameters[:refresh_token]
 
         if credentials
           @client = Application.by_uid_and_secret credentials.uid,
@@ -27,6 +29,8 @@ module Doorkeeper
 
       private
 
+      attr_reader :refresh_token_parameter
+
       def before_successful_response
         refresh_token.revoke
         create_access_token
@@ -45,6 +49,10 @@ module Doorkeeper
           use_refresh_token: true)
       end
 
+      def validate_token_presence
+        refresh_token.present? || refresh_token_parameter.present?
+      end
+
       def validate_token
         refresh_token.present? && !refresh_token.revoked?
       end

data/lib/doorkeeper/oauth/token_response.rb

@@ -13,7 +13,8 @@ module Doorkeeper
           'token_type'    => token.token_type,
           'expires_in'    => token.expires_in_seconds,
           'refresh_token' => token.refresh_token,
-          'scope'         => token.scopes_string
+          'scope'         => token.scopes_string,
+          'created_at'    => token.created_at.to_i,
         }.reject { |_, value| value.blank? }
       end
 

data/lib/doorkeeper/version.rb

@@ -1,3 +1,3 @@
 module Doorkeeper
-  VERSION = '2.0.1'
+  VERSION = '2.1.0'
 end

data/lib/generators/doorkeeper/templates/initializer.rb

@@ -78,9 +78,15 @@ Doorkeeper.configure do
   # "password"           => Resource Owner Password Credentials Grant Flow
   # "client_credentials" => Client Credentials Grant Flow
   #
-  # If not specified, Doorkeeper enables all the four grant flows.
+  # If not specified, Doorkeeper enables authorization_code and
+  # client_credentials.
   #
-  # grant_flows %w(authorization_code implicit password client_credentials)
+  # implicit and password grant flows have risks that you should understand
+  # before enabling:
+  #   http://tools.ietf.org/html/rfc6819#section-4.4.2
+  #   http://tools.ietf.org/html/rfc6819#section-4.4.3
+  #
+  # grant_flows %w(authorization_code client_credentials)
 
   # Under some circumstances you might want to have applications auto-approved,
   # so that the user skips the authorization step.

data/spec/controllers/authorizations_controller_spec.rb

@@ -16,6 +16,7 @@ describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
   let(:user)   { User.create!(name: 'Joe', password: 'sekret') }
 
   before do
+    allow(Doorkeeper.configuration).to receive(:grant_flows).and_return(["implicit"])
     allow(controller).to receive(:current_resource_owner).and_return(user)
   end
 
@@ -123,6 +124,8 @@ describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
 
   describe 'GET #new code request with native url and skip_authorization true' do
     before do
+      allow(Doorkeeper.configuration).to receive(:grant_flows).
+        and_return(%w(authorization_code))
       allow(Doorkeeper.configuration).to receive(:skip_authorization).and_return(proc do
         true
       end)

data/spec/dummy/config/environments/test.rb

@@ -8,7 +8,6 @@ Dummy::Application.configure do
   config.cache_classes = true
 
   # Configure static asset server for tests with Cache-Control for performance
-  config.serve_static_assets = true
   config.static_cache_control = 'public, max-age=3600'
 
   if Rails.version.to_i < 4

data/spec/dummy/config/initializers/doorkeeper.rb

@@ -1,34 +1,42 @@
 Doorkeeper.configure do
-  # Change the ORM that doorkeeper will use
-  # Currently supported options are :active_record, :mongoid2, :mongoid3, :mongo_mapper
+  # Change the ORM that doorkeeper will use.
+  # Currently supported options are :active_record, :mongoid2, :mongoid3,
+  # :mongoid4, :mongo_mapper
   orm DOORKEEPER_ORM
 
-  # This block will be called to check whether the
-  # resource owner is authenticated or not
+  # This block will be called to check whether the resource owner is authenticated or not.
   resource_owner_authenticator do
     # Put your resource owner authentication logic here.
-    # e.g. User.find_by_id(session[:user_id]) || redirect_to(new_user_session_url)
     User.where(id: session[:user_id]).first || redirect_to(root_url, alert: 'Needs sign in.')
   end
 
-  # If you want to restrict the access to the web interface for
-  # adding oauth authorized applications you need to declare the
-  # block below
+  # If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below.
   # admin_authenticator do
   #   # Put your admin authentication logic here.
+  #   # Example implementation:
   #   Admin.find_by_id(session[:admin_id]) || redirect_to(new_admin_session_url)
   # end
 
   # Authorization Code expiration time (default 10 minutes).
-  # access_token_expires_in 10.minutes
+  # authorization_code_expires_in 10.minutes
 
-  # Access token expiration time (default 2 hours)
+  # Access token expiration time (default 2 hours).
   # If you want to disable expiration, set this to nil.
   # access_token_expires_in 2.hours
 
+  # Reuse access token for the same resource owner within an application (disabled by default)
+  # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/383
+  # reuse_access_token
+
   # Issue access tokens with refresh token (disabled by default)
   use_refresh_token
 
+  # Provide support for an owner to be assigned to each registered application (disabled by default)
+  # Optional parameter :confirmation => true (default false) if you want to enforce ownership of
+  # a registered application
+  # Note: you must also run the rails g doorkeeper:application_owner generator to provide the necessary support
+  # enable_application_owner :confirmation => false
+
   # Define access token scopes for your provider
   # For more information go to
   # https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes
@@ -36,15 +44,15 @@ Doorkeeper.configure do
   optional_scopes :write, :update
 
   # Change the way client credentials are retrieved from the request object.
-  # By default it retrieves first from `HTTP_AUTHORIZATION` header and
-  # fallsback to `:client_id` and `:client_secret` from `params` object
-  # Check out the wiki for mor information on customization
+  # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
+  # falls back to the `:client_id` and `:client_secret` params from the `params` object.
+  # Check out the wiki for more information on customization
   # client_credentials :from_basic, :from_params
 
   # Change the way access token is authenticated from the request object.
-  # By default it retrieves first from `HTTP_AUTHORIZATION` header and
-  # fallsback to `:access_token` or `:bearer_token` from `params` object
-  # Check out the wiki for mor information on customization
+  # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
+  # falls back to the `:access_token` or `:bearer_token` params from the `params` object.
+  # Check out the wiki for more information on customization
   # access_token_methods :from_bearer_authorization, :from_access_token_param, :from_bearer_param
 
   # Change the native redirect uri for client apps
@@ -54,6 +62,42 @@ Doorkeeper.configure do
   #
   # native_redirect_uri 'urn:ietf:wg:oauth:2.0:oob'
 
-  # WWW-Authenticate Realm (default 'Doorkeeper').
-  realm 'Doorkeeper'
+  # Forces the usage of the HTTPS protocol in non-native redirect uris (enabled
+  # by default in non-development environments). OAuth2 delegates security in
+  # communication to the HTTPS protocol so it is wise to keep this enabled.
+  #
+  # force_ssl_in_redirect_uri !Rails.env.development?
+
+  # Specify what grant flows are enabled in array of Strings. The valid
+  # strings and the flows they enable are:
+  #
+  # "authorization_code" => Authorization Code Grant Flow
+  # "implicit"           => Implicit Grant Flow
+  # "password"           => Resource Owner Password Credentials Grant Flow
+  # "client_credentials" => Client Credentials Grant Flow
+  #
+  # If not specified, Doorkeeper enables authorization_code and
+  # client_credentials.
+  #
+  # implicit and password grant flows have risks that you should understand
+  # before enabling:
+  #   http://tools.ietf.org/html/rfc6819#section-4.4.2
+  #   http://tools.ietf.org/html/rfc6819#section-4.4.3
+  #
+  # grant_flows %w(authorization_code client_credentials)
+
+  # Under some circumstances you might want to have applications auto-approved,
+  # so that the user skips the authorization step.
+  # For example if dealing with trusted a application.
+  # skip_authorization do |resource_owner, client|
+  #   client.superapp? or resource_owner.admin?
+  # end
+
+  # WWW-Authenticate Realm (default "Doorkeeper").
+  realm "Doorkeeper"
+
+  # Allow dynamic query parameters (disabled by default)
+  # Some applications require dynamic query parameters on their request_uri
+  # set to true if you want this to be allowed
+  # wildcard_redirect_uri false
 end

data/spec/lib/config_spec.rb

@@ -221,12 +221,8 @@ describe Doorkeeper, 'configuration' do
 
   describe "grant_flows" do
     it "is set to all grant flows by default" do
-      expect(Doorkeeper.configuration.grant_flows).to eq [
-        'authorization_code',
-        'implicit',
-        'password',
-        'client_credentials'
-      ]
+      expect(Doorkeeper.configuration.grant_flows).
+        to eq(%w(authorization_code client_credentials))
     end
 
     it "can change the value" do

data/spec/lib/oauth/client_credentials/validation_spec.rb

@@ -4,8 +4,10 @@ require 'doorkeeper/oauth/client_credentials/validation'
 
 class Doorkeeper::OAuth::ClientCredentialsRequest
   describe Validation do
-    let(:server)  { double :server, scopes: nil }
-    let(:request) { double :request, client: double, original_scopes: nil }
+    let(:server)      { double :server, scopes: nil }
+    let(:application) { double scopes: nil }
+    let(:client)      { double application: application }
+    let(:request)     { double :request, client: client, original_scopes: nil }
 
     subject { Validation.new(server, request) }
 
@@ -20,10 +22,31 @@ class Doorkeeper::OAuth::ClientCredentialsRequest
 
     context 'with scopes' do
       it 'is invalid when scopes are not included in the server' do
-        allow(server).to receive(:scopes).and_return(Doorkeeper::OAuth::Scopes.from_string('email'))
+        server_scopes = Doorkeeper::OAuth::Scopes.from_string 'email'
+        allow(server).to receive(:scopes).and_return(server_scopes)
         allow(request).to receive(:original_scopes).and_return('invalid')
         expect(subject).not_to be_valid
       end
+
+      context 'with application scopes' do
+        it 'is valid when scopes are included in the application' do
+          application_scopes = Doorkeeper::OAuth::Scopes.from_string 'app'
+          server_scopes = Doorkeeper::OAuth::Scopes.from_string 'email app'
+          allow(application).to receive(:scopes).and_return(application_scopes)
+          allow(server).to receive(:scopes).and_return(server_scopes)
+          allow(request).to receive(:original_scopes).and_return('app')
+          expect(subject).to be_valid
+        end
+
+        it 'is invalid when scopes are not included in the application' do
+          application_scopes = Doorkeeper::OAuth::Scopes.from_string 'app'
+          server_scopes = Doorkeeper::OAuth::Scopes.from_string 'email app'
+          allow(application).to receive(:scopes).and_return(application_scopes)
+          allow(server).to receive(:scopes).and_return(server_scopes)
+          allow(request).to receive(:original_scopes).and_return('email')
+          expect(subject).not_to be_valid
+        end
+      end
     end
   end
 end

data/spec/lib/oauth/helpers/scope_checker_spec.rb

@@ -4,41 +4,6 @@ require 'doorkeeper/oauth/helpers/scope_checker'
 require 'doorkeeper/oauth/scopes'
 
 module Doorkeeper::OAuth::Helpers
-  describe ScopeChecker, '.matches?' do
-    def new_scope(*args)
-      Doorkeeper::OAuth::Scopes.from_array args
-    end
-
-    it 'true if scopes matches' do
-      scopes = new_scope :public
-      scopes_to_match = new_scope :public
-      expect(ScopeChecker.matches?(scopes, scopes_to_match)).to be_truthy
-    end
-
-    it 'is false when scopes differs' do
-      scopes = new_scope :public
-      scopes_to_match = new_scope :write
-      expect(ScopeChecker.matches?(scopes, scopes_to_match)).to be_falsey
-    end
-
-    it 'is false when scope in array is missing' do
-      scopes = new_scope :public
-      scopes_to_match = new_scope :public, :write
-      expect(ScopeChecker.matches?(scopes, scopes_to_match)).to be_falsey
-    end
-
-    it 'is false when scope in string is missing' do
-      scopes = new_scope :public, :write
-      scopes_to_match = new_scope :public
-      expect(ScopeChecker.matches?(scopes, scopes_to_match)).to be_falsey
-    end
-
-    it 'is false when any of attributes is nil' do
-      expect(ScopeChecker.matches?(nil, double)).to be_falsey
-      expect(ScopeChecker.matches?(double, nil)).to be_falsey
-    end
-  end
-
   describe ScopeChecker, '.valid?' do
     let(:server_scopes) { Doorkeeper::OAuth::Scopes.new }
 
@@ -70,5 +35,30 @@ module Doorkeeper::OAuth::Helpers
     it 'is invalid if any scope is not included in server scopes' do
       expect(ScopeChecker.valid?('scope another', server_scopes)).to be_falsey
     end
+
+    context 'with application_scopes' do
+      let(:server_scopes) do
+        Doorkeeper::OAuth::Scopes.from_string 'common svr'
+      end
+      let(:application_scopes) do
+        Doorkeeper::OAuth::Scopes.from_string 'common'
+      end
+
+      it 'is valid if scope is included in the server and the application' do
+        expect(ScopeChecker.valid?(
+          'common',
+          server_scopes,
+          application_scopes
+        )).to be_truthy
+      end
+
+      it 'is invalid if any scope is not included in the application' do
+        expect(ScopeChecker.valid?(
+          'svr',
+          server_scopes,
+          application_scopes
+        )).to be_falsey
+      end
+    end
   end
 end