doorkeeper 2.1.4 → 3.1.0

data/spec/requests/flows/implicit_grant_spec.rb

@@ -1,6 +1,6 @@
 require 'spec_helper_integration'
 
-feature 'Implicit Grant Flow' do
+feature 'Implicit Grant Flow (feature spec)' do
   background do
     config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
     config_is_set(:grant_flows, ["implicit"])
@@ -17,10 +17,19 @@ feature 'Implicit Grant Flow' do
 
     i_should_be_on_client_callback @client
   end
+end
+
+describe 'Implicit Grant Flow (request spec)' do
+  before do
+    config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
+    config_is_set(:grant_flows, ["implicit"])
+    client_exists
+    create_resource_owner
+  end
 
   context 'token reuse' do
-    scenario 'should return a new token each request' do
-      Doorkeeper.configuration.stub(:reuse_access_token).and_return(false)
+    it 'should return a new token each request' do
+      allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(false)
 
       token = client_is_authorized(@client, @resource_owner)
 
@@ -34,8 +43,8 @@ feature 'Implicit Grant Flow' do
       expect(response.location).not_to include(token.token)
     end
 
-    scenario 'should return the same token if it is still accessible' do
-      Doorkeeper.configuration.stub(:reuse_access_token).and_return(true)
+    it 'should return the same token if it is still accessible' do
+      allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
 
       token = client_is_authorized(@client, @resource_owner)
 

data/spec/requests/flows/password_spec.rb

@@ -1,19 +1,13 @@
-# coding: utf-8
-
-# TODO: this flow should be configurable (letting Doorkeeper users decide if
-# they want to make it available)
-
 require 'spec_helper_integration'
 
-feature 'Resource Owner Password Credentials Flow inproperly set up' do
-  background do
+describe 'Resource Owner Password Credentials Flow not set up' do
+  before do
     client_exists
     create_resource_owner
   end
 
   context 'with valid user credentials' do
-    scenario 'should issue new token' do
-      skip 'Check a way to supress warnings here (or handle config better)'
+    it 'doesn\'t issue new token' do
       expect do
         post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
       end.to_not change { Doorkeeper::AccessToken.count }
@@ -21,8 +15,8 @@ feature 'Resource Owner Password Credentials Flow inproperly set up' do
   end
 end
 
-feature 'Resource Owner Password Credentials Flow' do
-  background do
+describe 'Resource Owner Password Credentials Flow' do
+  before do
     config_is_set(:grant_flows, ["password"])
     config_is_set(:resource_owner_from_credentials) { User.authenticate! params[:username], params[:password] }
     client_exists
@@ -30,7 +24,7 @@ feature 'Resource Owner Password Credentials Flow' do
   end
 
   context 'with valid user credentials' do
-    scenario 'should issue new token' do
+    it 'should issue new token' do
       expect do
         post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
       end.to change { Doorkeeper::AccessToken.count }.by(1)
@@ -40,7 +34,7 @@ feature 'Resource Owner Password Credentials Flow' do
       should_have_json 'access_token',  token.token
     end
 
-    scenario 'should issue new token without client credentials' do
+    it 'should issue new token without client credentials' do
       expect do
         post password_token_endpoint_url(resource_owner: @resource_owner)
       end.to change { Doorkeeper::AccessToken.count }.by(1)
@@ -50,7 +44,7 @@ feature 'Resource Owner Password Credentials Flow' do
       should_have_json 'access_token',  token.token
     end
 
-    scenario 'should issue a refresh token if enabled' do
+    it 'should issue a refresh token if enabled' do
       config_is_set(:refresh_token_enabled, true)
 
       post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
@@ -60,20 +54,20 @@ feature 'Resource Owner Password Credentials Flow' do
       should_have_json 'refresh_token',  token.refresh_token
     end
 
-    scenario 'should return the same token if it is still accessible' do
-      Doorkeeper.configuration.stub(:reuse_access_token).and_return(true)
+    it 'should return the same token if it is still accessible' do
+      allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
 
       client_is_authorized(@client, @resource_owner)
 
       post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
 
-      Doorkeeper::AccessToken.count.should be(1)
+      expect(Doorkeeper::AccessToken.count).to be(1)
       should_have_json 'access_token', Doorkeeper::AccessToken.first.token
     end
   end
 
   context 'with invalid user credentials' do
-    scenario 'should not issue new token with bad password' do
+    it 'should not issue new token with bad password' do
       expect do
         post password_token_endpoint_url(client: @client,
                                          resource_owner_username: @resource_owner.name,
@@ -81,7 +75,7 @@ feature 'Resource Owner Password Credentials Flow' do
       end.to_not change { Doorkeeper::AccessToken.count }
     end
 
-    scenario 'should not issue new token without credentials' do
+    it 'should not issue new token without credentials' do
       expect do
         post password_token_endpoint_url(client: @client)
       end.to_not change { Doorkeeper::AccessToken.count }
@@ -89,7 +83,7 @@ feature 'Resource Owner Password Credentials Flow' do
   end
 
   context 'with invalid client credentials' do
-    scenario 'should not issue new token with bad client credentials' do
+    it 'should not issue new token with bad client credentials' do
       expect do
         post password_token_endpoint_url(client_id: @client.uid,
                                          client_secret: 'bad_secret',

data/spec/requests/flows/refresh_token_spec.rb

@@ -1,6 +1,6 @@
 require 'spec_helper_integration'
 
-feature 'Refresh Token Flow' do
+describe 'Refresh Token Flow' do
   before do
     Doorkeeper.configure do
       orm DOORKEEPER_ORM
@@ -14,7 +14,7 @@ feature 'Refresh Token Flow' do
       authorization_code_exists application: @client
     end
 
-    scenario 'client gets the refresh token and refreshses it' do
+    it 'client gets the refresh token and refreshses it' do
       post token_endpoint_url(code: @authorization.token, client: @client)
 
       token = Doorkeeper::AccessToken.first
@@ -40,31 +40,39 @@ feature 'Refresh Token Flow' do
       @token = FactoryGirl.create(:access_token, application: @client, resource_owner_id: 1, use_refresh_token: true)
     end
 
-    scenario 'client request a token with refresh token' do
+    it 'client request a token with refresh token' do
       post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
       should_have_json 'refresh_token', Doorkeeper::AccessToken.last.refresh_token
       expect(@token.reload).to be_revoked
     end
 
-    scenario 'client request a token with expired access token' do
+    it 'client request a token with expired access token' do
       @token.update_attribute :expires_in, -100
       post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
       should_have_json 'refresh_token', Doorkeeper::AccessToken.last.refresh_token
       expect(@token.reload).to be_revoked
     end
 
-    scenario 'client gets an error for invalid refresh token' do
+    it 'client gets an error for invalid refresh token' do
       post refresh_token_endpoint_url(client: @client, refresh_token: 'invalid')
       should_not_have_json 'refresh_token'
       should_have_json 'error', 'invalid_grant'
     end
 
-    scenario 'client gets an error for revoked acccess token' do
+    it 'client gets an error for revoked acccess token' do
       @token.revoke
       post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
       should_not_have_json 'refresh_token'
       should_have_json 'error', 'invalid_grant'
     end
+
+    it 'second of simultaneous client requests get an error for revoked acccess token' do
+      allow_any_instance_of(Doorkeeper::AccessToken).to receive(:revoked?).and_return(false, true)
+      post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
+
+      should_not_have_json 'refresh_token'
+      should_have_json 'error', 'invalid_request'
+    end
   end
 
   context 'refreshing the token with multiple sessions (devices)' do
@@ -80,7 +88,7 @@ feature 'Refresh Token Flow' do
       @token.update_attribute :expires_in, -100
     end
 
-    scenario 'client request a token after creating another token with the same user' do
+    it 'client request a token after creating another token with the same user' do
       post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
 
       should_have_json 'refresh_token', last_token.refresh_token

data/spec/requests/flows/revoke_token_spec.rb

@@ -1,13 +1,11 @@
 require 'spec_helper_integration'
 
-feature 'Revoke Token Flow' do
-
+describe 'Revoke Token Flow' do
   before do
     Doorkeeper.configure { orm DOORKEEPER_ORM }
   end
 
   context 'with default parameters' do
-
     let(:client_application) { FactoryGirl.create :application }
     let(:resource_owner) { User.create!(name: 'John', password: 'sekret') }
     let(:authorization_access_token) do
@@ -16,13 +14,10 @@ feature 'Revoke Token Flow' do
                          resource_owner_id: resource_owner.id,
                          use_refresh_token: true)
     end
-
     let(:headers) { { 'HTTP_AUTHORIZATION' => "Bearer #{authorization_access_token.token}" } }
 
     context 'With invalid token to revoke' do
-
-      scenario 'client wants to revoke the given access token' do
-
+      it 'client wants to revoke the given access token' do
         post revocation_token_endpoint_url, { token: 'I_AM_AN_INVALIDE_TOKEN' }, headers
 
         authorization_access_token.reload
@@ -34,11 +29,9 @@ feature 'Revoke Token Flow' do
     end
 
     context 'The access token to revoke is the same than the authorization access token' do
-
       let(:token_to_revoke) { authorization_access_token }
 
-      scenario 'client wants to revoke the given access token' do
-
+      it 'client wants to revoke the given access token' do
         post revocation_token_endpoint_url, { token: token_to_revoke.token }, headers
 
         token_to_revoke.reload
@@ -47,11 +40,9 @@ feature 'Revoke Token Flow' do
         expect(response).to be_success
         expect(token_to_revoke.revoked?).to be_truthy
         expect(Doorkeeper::AccessToken.by_refresh_token(token_to_revoke.refresh_token).revoked?).to be_truthy
-
       end
 
-      scenario 'client wants to revoke the given access token using the POST query string' do
-
+      it 'client wants to revoke the given access token using the POST query string' do
         url_with_query_string = revocation_token_endpoint_url + '?' + Rack::Utils.build_query(token: token_to_revoke.token)
         post url_with_query_string, {}, headers
 
@@ -62,13 +53,10 @@ feature 'Revoke Token Flow' do
         expect(token_to_revoke.revoked?).to be_falsey
         expect(Doorkeeper::AccessToken.by_refresh_token(token_to_revoke.refresh_token).revoked?).to be_falsey
         expect(authorization_access_token.revoked?).to be_falsey
-
       end
-
     end
 
     context 'The access token to revoke app and owners are the same than the authorization access token' do
-
       let(:token_to_revoke) do
         FactoryGirl.create(:access_token,
                            application: client_application,
@@ -76,8 +64,7 @@ feature 'Revoke Token Flow' do
                            use_refresh_token: true)
       end
 
-      scenario 'client wants to revoke the given access token' do
-
+      it 'client wants to revoke the given access token' do
         post revocation_token_endpoint_url, { token: token_to_revoke.token }, headers
 
         token_to_revoke.reload
@@ -87,12 +74,10 @@ feature 'Revoke Token Flow' do
         expect(token_to_revoke.revoked?).to be_truthy
         expect(Doorkeeper::AccessToken.by_refresh_token(token_to_revoke.refresh_token).revoked?).to be_truthy
         expect(authorization_access_token.revoked?).to be_falsey
-
       end
     end
 
     context 'The access token to revoke authorization owner is the same than the authorization access token' do
-
       let(:other_client_application) { FactoryGirl.create :application }
       let(:token_to_revoke) do
         FactoryGirl.create(:access_token,
@@ -101,8 +86,7 @@ feature 'Revoke Token Flow' do
                            use_refresh_token: true)
       end
 
-      scenario 'client wants to revoke the given access token' do
-
+      it 'client wants to revoke the given access token' do
         post revocation_token_endpoint_url, { token: token_to_revoke.token }, headers
 
         token_to_revoke.reload
@@ -112,11 +96,10 @@ feature 'Revoke Token Flow' do
         expect(token_to_revoke.revoked?).to be_falsey
         expect(Doorkeeper::AccessToken.by_refresh_token(token_to_revoke.refresh_token).revoked?).to be_falsey
         expect(authorization_access_token.revoked?).to be_falsey
-
       end
     end
-    context 'The access token to revoke app is the same than the authorization access token' do
 
+    context 'The access token to revoke app is the same than the authorization access token' do
       let(:other_resource_owner) { User.create!(name: 'Matheo', password: 'pareto') }
       let(:token_to_revoke) do
         FactoryGirl.create(:access_token,
@@ -125,8 +108,7 @@ feature 'Revoke Token Flow' do
                            use_refresh_token: true)
       end
 
-      scenario 'client wants to revoke the given access token' do
-
+      it 'client wants to revoke the given access token' do
         post revocation_token_endpoint_url, { token: token_to_revoke.token }, headers
 
         token_to_revoke.reload
@@ -136,12 +118,10 @@ feature 'Revoke Token Flow' do
         expect(token_to_revoke.revoked?).to be_falsey
         expect(Doorkeeper::AccessToken.by_refresh_token(token_to_revoke.refresh_token).revoked?).to be_falsey
         expect(authorization_access_token.revoked?).to be_falsey
-
       end
     end
 
     context 'With valid refresh token to revoke' do
-
       let(:token_to_revoke) do
         FactoryGirl.create(:access_token,
                            application: client_application,
@@ -149,8 +129,7 @@ feature 'Revoke Token Flow' do
                            use_refresh_token: true)
       end
 
-      scenario 'client wants to revoke the given refresh token' do
-
+      it 'client wants to revoke the given refresh token' do
         post revocation_token_endpoint_url, { token: token_to_revoke.refresh_token, token_type_hint: 'refresh_token' }, headers
         authorization_access_token.reload
         token_to_revoke.reload
@@ -158,7 +137,6 @@ feature 'Revoke Token Flow' do
         expect(response).to be_success
         expect(Doorkeeper::AccessToken.by_refresh_token(token_to_revoke.refresh_token).revoked?).to be_truthy
         expect(authorization_access_token).to_not be_revoked
-
       end
     end
   end

data/spec/requests/protected_resources/metal_spec.rb

@@ -1,13 +1,13 @@
 require 'spec_helper_integration'
 
-feature 'ActionController::Metal API' do
-  background do
+describe 'ActionController::Metal API' do
+  before do
     @client   = FactoryGirl.create(:application)
     @resource = User.create!(name: 'Joe', password: 'sekret')
     @token    = client_is_authorized(@client, @resource)
   end
 
-  scenario 'client requests protected resource with valid token' do
+  it 'client requests protected resource with valid token' do
     get "/metal.json?access_token=#{@token.token}"
     should_have_json 'ok', true
   end

data/spec/requests/protected_resources/private_api_spec.rb

@@ -40,6 +40,17 @@ feature 'Private API' do
     expect(page.body).to have_content('index')
   end
 
+  scenario 'access token with no default scopes' do
+    Doorkeeper.configuration.instance_eval {
+      @default_scopes = Doorkeeper::OAuth::Scopes.from_array([:public])
+      @scopes = default_scopes + optional_scopes
+    }
+    @token.update_attribute :scopes, 'dummy'
+    with_access_token_header @token.token
+    visit '/full_protected_resources'
+    response_status_should_be 403
+  end
+
   scenario 'access token with no allowed scopes' do
     @token.update_attribute :scopes, nil
     with_access_token_header @token.token

data/spec/routing/custom_controller_routes_spec.rb

@@ -42,7 +42,7 @@ describe 'Custom controller for routes' do
   end
 
   it 'POST /space/oauth/revoke routes to tokens controller' do
-    post('/space/oauth/revoke').should route_to('custom_authorizations#revoke')
+    expect(post('/space/oauth/revoke')).to route_to('custom_authorizations#revoke')
   end
 
   it 'GET /space/oauth/applications routes to applications controller' do
@@ -68,5 +68,4 @@ describe 'Custom controller for routes' do
   it 'GET /outer_space/oauth/token_info is not routable' do
     expect(get('/outer_space/oauth/token/info')).not_to be_routable
   end
-
 end

data/spec/routing/default_routes_spec.rb

@@ -18,7 +18,7 @@ describe 'Default routes' do
   end
 
   it 'POST /oauth/revoke routes to tokens controller' do
-    post('/oauth/revoke').should route_to('doorkeeper/tokens#revoke')
+    expect(post('/oauth/revoke')).to route_to('doorkeeper/tokens#revoke')
   end
 
   it 'GET /oauth/applications routes to applications controller' do
@@ -32,5 +32,4 @@ describe 'Default routes' do
   it 'GET /oauth/token/info route to authorzed tokeninfo controller' do
     expect(get('/oauth/token/info')).to route_to('doorkeeper/token_info#show')
   end
-
 end

data/spec/routing/scoped_routes_spec.rb

@@ -28,5 +28,4 @@ describe 'Scoped routes' do
   it 'GET /scope/token/info route to authorzed tokeninfo controller' do
     expect(get('/scope/token/info')).to route_to('doorkeeper/token_info#show')
   end
-
 end

data/spec/spec_helper_integration.rb

@@ -8,14 +8,19 @@ DOORKEEPER_ORM = (orm && orm[1] || :active_record).to_sym
 $LOAD_PATH.unshift File.dirname(__FILE__)
 
 require 'capybara/rspec'
-require 'rspec/active_model/mocks'
 require 'dummy/config/environment'
 require 'rspec/rails'
-require 'rspec/autorun'
 require 'generator_spec/test_case'
 require 'timecop'
 require 'database_cleaner'
 
+# Load JRuby SQLite3 if in that platform
+begin
+  require 'jdbc/sqlite3'
+  Jdbc::SQLite3.load_driver
+rescue LoadError
+end
+
 Rails.logger.info "====> Doorkeeper.orm = #{Doorkeeper.configuration.orm.inspect}"
 if Doorkeeper.configuration.orm == :active_record
   Rails.logger.info "======> active_record.table_name_prefix = #{Rails.configuration.active_record.table_name_prefix.inspect}"
@@ -24,11 +29,7 @@ end
 Rails.logger.info "====> Rails version: #{Rails.version}"
 Rails.logger.info "====> Ruby version: #{RUBY_VERSION}"
 
-if [:mongoid2, :mongoid3, :mongoid4].include?(DOORKEEPER_ORM)
-  require "support/orm/mongoid"
-else
-  require "support/orm/#{DOORKEEPER_ORM}"
-end
+require "support/orm/#{DOORKEEPER_ORM}"
 
 ENGINE_RAILS_ROOT = File.join(File.dirname(__FILE__), '../')
 
@@ -40,6 +41,8 @@ RSpec.configure do |config|
 
   config.infer_base_class_for_anonymous_controllers = false
 
+  config.include RSpec::Rails::RequestExampleGroup, type: :request
+
   config.before do
     DatabaseCleaner.start
     Doorkeeper.configure { orm DOORKEEPER_ORM }

data/spec/support/helpers/access_token_request_helper.rb

@@ -8,4 +8,4 @@ module AccessTokenRequestHelper
   end
 end
 
-RSpec.configuration.send :include, AccessTokenRequestHelper, type: :request
+RSpec.configuration.send :include, AccessTokenRequestHelper

data/spec/support/helpers/authorization_request_helper.rb

@@ -38,4 +38,4 @@ module AuthorizationRequestHelper
   end
 end
 
-RSpec.configuration.send :include, AuthorizationRequestHelper, type: :request
+RSpec.configuration.send :include, AuthorizationRequestHelper

data/spec/support/helpers/config_helper.rb

@@ -6,4 +6,4 @@ module ConfigHelper
   end
 end
 
-RSpec.configuration.send :include, ConfigHelper, type: :request
+RSpec.configuration.send :include, ConfigHelper

data/spec/support/helpers/model_helper.rb

@@ -42,4 +42,4 @@ module ModelHelper
   end
 end
 
-RSpec.configuration.send :include, ModelHelper, type: :request
+RSpec.configuration.send :include, ModelHelper

data/spec/support/helpers/request_spec_helper.rb

@@ -73,4 +73,4 @@ module RequestSpecHelper
   end
 end
 
-RSpec.configuration.send :include, RequestSpecHelper, type: :request
+RSpec.configuration.send :include, RequestSpecHelper

data/spec/support/helpers/url_helper.rb

@@ -52,4 +52,4 @@ module UrlHelper
   end
 end
 
-RSpec.configuration.send :include, UrlHelper, type: :request
+RSpec.configuration.send :include, UrlHelper

data/spec/support/shared/models_shared_examples.rb

@@ -46,7 +46,7 @@ shared_examples 'a unique token' do
       token2.token = token1.token
       expect do
         token2.save!(validate: false)
-      end.to raise_error
+      end.to raise_error(ActiveRecord::RecordNotUnique)
     end
   end
 end

data/spec/validators/redirect_uri_validator_spec.rb

@@ -55,6 +55,11 @@ describe RedirectUriValidator do
       expect(subject).to be_valid
     end
 
+    it 'accepts app redirect uri' do
+      subject.redirect_uri = 'some-awesome-app://oauth/callback'
+      expect(subject).to be_valid
+    end
+
     it 'accepts a non secured protocol when disabled' do
       subject.redirect_uri = 'http://example.com/callback'
       allow(Doorkeeper.configuration).to receive(