doorkeeper 3.0.0 → 4.0.0

data/lib/doorkeeper/orm/active_record/access_token.rb

@@ -1,19 +1,27 @@
 module Doorkeeper
   class AccessToken < ActiveRecord::Base
-    include AccessTokenMixin
-
     self.table_name = "#{table_name_prefix}oauth_access_tokens#{table_name_suffix}".to_sym
 
+    include AccessTokenMixin
+
     def self.delete_all_for(application_id, resource_owner)
       where(application_id: application_id,
             resource_owner_id: resource_owner.id).delete_all
     end
     private_class_method :delete_all_for
 
+    def self.active_for(resource_owner)
+      where(resource_owner_id: resource_owner.id, revoked_at: nil)
+    end
+
     def self.order_method
       :order
     end
 
+    def self.refresh_token_revoked_on_use?
+      column_names.include?('previous_refresh_token')
+    end
+
     def self.created_at_desc
       'created_at desc'
     end

data/lib/doorkeeper/orm/active_record/application.rb

@@ -1,9 +1,9 @@
 module Doorkeeper
   class Application < ActiveRecord::Base
-    include ApplicationMixin
-
     self.table_name = "#{table_name_prefix}oauth_applications#{table_name_suffix}".to_sym
 
+    include ApplicationMixin
+
     if ActiveRecord::VERSION::MAJOR >= 4
       has_many :authorized_tokens, -> { where(revoked_at: nil) }, class_name: 'AccessToken'
     else
@@ -11,14 +11,9 @@ module Doorkeeper
     end
     has_many :authorized_applications, through: :authorized_tokens, source: :application
 
-    def self.column_names_with_table
-      self.column_names.map { |c| "#{table_name}.#{c}" }
-    end
-
     def self.authorized_for(resource_owner)
-      joins(:authorized_applications).
-        where(AccessToken.table_name => { resource_owner_id: resource_owner.id, revoked_at: nil }).
-        group(column_names_with_table.join(','))
+      resource_access_tokens = AccessToken.active_for(resource_owner)
+      where(id: resource_access_tokens.select(:application_id).distinct)
     end
   end
 end

data/lib/doorkeeper/orm/active_record.rb

@@ -18,21 +18,6 @@ module Doorkeeper
 
         Doorkeeper::Application.send :include, Doorkeeper::Models::Ownership
       end
-
-      def self.check_requirements!(_config)
-        if ::ActiveRecord::Base.connected? &&
-           ::ActiveRecord::Base.connection.table_exists?(
-             Doorkeeper::Application.table_name
-           )
-          unless Doorkeeper::Application.new.attributes.include?("scopes")
-            fail <<-MSG.squish
-[doorkeeper] Missing column: `oauth_applications.scopes`.
-Run `rails generate doorkeeper:application_scopes
-&& rake db:migrate` to add it.
-            MSG
-          end
-        end
-      end
     end
   end
 end

data/lib/doorkeeper/rails/helpers.rb

@@ -6,7 +6,7 @@ module Doorkeeper
       def doorkeeper_authorize!(*scopes)
         @_doorkeeper_scopes = scopes.presence || Doorkeeper.configuration.default_scopes
 
-        if !valid_doorkeeper_token?
+        unless valid_doorkeeper_token?
           doorkeeper_render_error
         end
       end
@@ -31,10 +31,12 @@ module Doorkeeper
 
       def doorkeeper_render_error_with(error)
         options = doorkeeper_render_options(error) || {}
+        status = doorkeeper_status_for_error(
+          error, options.delete(:respond_not_found_when_forbidden))
         if options.blank?
-          head error.status
+          head status
         else
-          options[:status] = error.status
+          options[:status] = status
           options[:layout] = false if options[:layout].nil?
           render options
         end
@@ -56,6 +58,14 @@ module Doorkeeper
         end
       end
 
+      def doorkeeper_status_for_error(error, respond_not_found_when_forbidden)
+        if respond_not_found_when_forbidden && error.status == :forbidden
+          :not_found
+        else
+          error.status
+        end
+      end
+
       def doorkeeper_invalid_token_response?
         !doorkeeper_token || !doorkeeper_token.accessible?
       end

data/lib/doorkeeper/rails/routes/mapper.rb

@@ -7,7 +7,7 @@ module Doorkeeper
         end
 
         def map(&block)
-          self.instance_eval(&block) if block
+          instance_eval(&block) if block
           @mapping
         end
 

data/lib/doorkeeper/rails/routes.rb

@@ -18,7 +18,8 @@ module Doorkeeper
       attr_accessor :routes
 
       def initialize(routes, &block)
-        @routes, @block = routes, block
+        @routes = routes
+        @block = block
       end
 
       def generate_routes!(options)

data/lib/doorkeeper/request/authorization_code.rb

@@ -1,22 +1,17 @@
+require 'doorkeeper/request/strategy'
+
 module Doorkeeper
   module Request
-    class AuthorizationCode
-      def self.build(server)
-        new(server.grant, server.client, server)
-      end
-
-      attr_accessor :grant, :client, :server
-
-      def initialize(grant, client, server)
-        @grant, @client, @server = grant, client, server
-      end
+    class AuthorizationCode < Strategy
+      delegate :grant, :client, :parameters, to: :server
 
       def request
-        @request ||= OAuth::AuthorizationCodeRequest.new(Doorkeeper.configuration, grant, client, server.parameters)
-      end
-
-      def authorize
-        request.authorize
+        @request ||= OAuth::AuthorizationCodeRequest.new(
+          Doorkeeper.configuration,
+          grant,
+          client,
+          parameters
+        )
       end
     end
   end

data/lib/doorkeeper/request/client_credentials.rb

@@ -1,22 +1,16 @@
+require 'doorkeeper/request/strategy'
+
 module Doorkeeper
   module Request
-    class ClientCredentials
-      def self.build(server)
-        new(server.client, server)
-      end
-
-      attr_accessor :client, :server
-
-      def initialize(client, server)
-        @client, @server = client, server
-      end
+    class ClientCredentials < Strategy
+      delegate :client, :parameters, to: :server
 
       def request
-        @request ||= OAuth::ClientCredentialsRequest.new(Doorkeeper.configuration, client, server.parameters)
-      end
-
-      def authorize
-        request.authorize
+        @request ||= OAuth::ClientCredentialsRequest.new(
+          Doorkeeper.configuration,
+          client,
+          parameters
+        )
       end
     end
   end

data/lib/doorkeeper/request/code.rb

@@ -1,22 +1,16 @@
+require 'doorkeeper/request/strategy'
+
 module Doorkeeper
   module Request
-    class Code
-      def self.build(server)
-        new(server.context.send(:pre_auth), server)
-      end
-
-      attr_accessor :pre_auth, :server
+    class Code < Strategy
+      delegate :current_resource_owner, to: :server
 
-      def initialize(pre_auth, server)
-        @pre_auth, @server = pre_auth, server
+      def pre_auth
+        server.context.send(:pre_auth)
       end
 
       def request
-        @request ||= OAuth::CodeRequest.new(pre_auth, server.current_resource_owner)
-      end
-
-      def authorize
-        request.authorize
+        @request ||= OAuth::CodeRequest.new(pre_auth, current_resource_owner)
       end
     end
   end

data/lib/doorkeeper/request/password.rb

@@ -1,22 +1,27 @@
+require 'doorkeeper/request/strategy'
+
 module Doorkeeper
   module Request
-    class Password
-      def self.build(server)
-        new(server.credentials, server.resource_owner, server)
-      end
-
-      attr_accessor :credentials, :resource_owner, :server
-
-      def initialize(credentials, resource_owner, server)
-        @credentials, @resource_owner, @server = credentials, resource_owner, server
-      end
+    class Password < Strategy
+      delegate :credentials, :resource_owner, :parameters, to: :server
 
       def request
-        @request ||= OAuth::PasswordAccessTokenRequest.new(Doorkeeper.configuration, credentials, resource_owner, server.parameters)
+        @request ||= OAuth::PasswordAccessTokenRequest.new(
+          Doorkeeper.configuration,
+          client,
+          resource_owner,
+          parameters
+        )
       end
 
-      def authorize
-        request.authorize
+      private
+
+      def client
+        if credentials
+          server.client
+        elsif parameters[:client_id]
+          server.client_via_uid
+        end
       end
     end
   end

data/lib/doorkeeper/request/refresh_token.rb

@@ -1,22 +1,20 @@
+require 'doorkeeper/request/strategy'
+
 module Doorkeeper
   module Request
-    class RefreshToken
-      def self.build(server)
-        new(server.current_refresh_token, server.credentials, server)
-      end
-
-      attr_accessor :refresh_token, :credentials, :server
+    class RefreshToken < Strategy
+      delegate :credentials, :parameters, to: :server
 
-      def initialize(refresh_token, credentials, server)
-        @refresh_token, @credentials, @server = refresh_token, credentials, server
+      def refresh_token
+        server.current_refresh_token
       end
 
       def request
-        @request ||= OAuth::RefreshTokenRequest.new(Doorkeeper.configuration, refresh_token, credentials, server.parameters)
-      end
-
-      def authorize
-        request.authorize
+        @request ||= OAuth::RefreshTokenRequest.new(
+          Doorkeeper.configuration,
+          refresh_token, credentials,
+          parameters
+        )
       end
     end
   end

data/lib/doorkeeper/request/strategy.rb

@@ -0,0 +1,17 @@
+module Doorkeeper
+  module Request
+    class Strategy
+      attr_accessor :server
+
+      delegate :authorize, to: :request
+
+      def initialize(server)
+        self.server = server
+      end
+
+      def request
+        raise NotImplementedError, "request strategies must define #request"
+      end
+    end
+  end
+end

data/lib/doorkeeper/request/token.rb

@@ -1,22 +1,16 @@
+require 'doorkeeper/request/strategy'
+
 module Doorkeeper
   module Request
-    class Token
-      def self.build(server)
-        new(server.context.send(:pre_auth), server)
-      end
-
-      attr_accessor :pre_auth, :server
+    class Token < Strategy
+      delegate :current_resource_owner, to: :server
 
-      def initialize(pre_auth, server)
-        @pre_auth, @server = pre_auth, server
+      def pre_auth
+        server.context.send(:pre_auth)
       end
 
       def request
-        @request ||= OAuth::TokenRequest.new(pre_auth, server.current_resource_owner)
-      end
-
-      def authorize
-        request.authorize
+        @request ||= OAuth::TokenRequest.new(pre_auth, current_resource_owner)
       end
     end
   end

data/lib/doorkeeper/request.rb

@@ -9,22 +9,32 @@ module Doorkeeper
   module Request
     module_function
 
-    def authorization_strategy(strategy)
-      get_strategy strategy, Doorkeeper.configuration.authorization_response_types
+    def authorization_strategy(response_type)
+      get_strategy response_type, authorization_response_types
     rescue NameError
       raise Errors::InvalidAuthorizationStrategy
     end
 
-    def token_strategy(strategy)
-      get_strategy strategy, Doorkeeper.configuration.token_grant_types
+    def token_strategy(grant_type)
+      get_strategy grant_type, token_grant_types
     rescue NameError
       raise Errors::InvalidTokenStrategy
     end
 
-    def get_strategy(strategy, available)
-      fail Errors::MissingRequestStrategy unless strategy.present?
-      fail NameError unless available.include?(strategy.to_s)
-      "Doorkeeper::Request::#{strategy.to_s.camelize}".constantize
+    def get_strategy(grant_or_request_type, available)
+      fail Errors::MissingRequestStrategy unless grant_or_request_type.present?
+      fail NameError unless available.include?(grant_or_request_type.to_s)
+      "Doorkeeper::Request::#{grant_or_request_type.to_s.camelize}".constantize
     end
+
+    def authorization_response_types
+      Doorkeeper.configuration.authorization_response_types
+    end
+    private_class_method :authorization_response_types
+
+    def token_grant_types
+      Doorkeeper.configuration.token_grant_types
+    end
+    private_class_method :token_grant_types
   end
 end

data/lib/doorkeeper/server.rb

@@ -8,12 +8,12 @@ module Doorkeeper
 
     def authorization_request(strategy)
       klass = Request.authorization_strategy strategy
-      klass.build self
+      klass.new self
     end
 
     def token_request(strategy)
       klass = Request.token_strategy strategy
-      klass.build self
+      klass.new self
     end
 
     # TODO: context should be the request

data/lib/doorkeeper/version.rb

@@ -1,3 +1,3 @@
 module Doorkeeper
-  VERSION = '3.0.0'
+  VERSION = "4.0.0".freeze
 end

data/lib/doorkeeper.rb

@@ -54,7 +54,7 @@ module Doorkeeper
   end
 
   def self.database_installed?
-    [AccessToken, AccessGrant, Application].all? { |model| model.table_exists? }
+    [AccessToken, AccessGrant, Application].all?(&:table_exists?)
   end
 
   def self.installed?

data/lib/generators/doorkeeper/previous_refresh_token_generator.rb

@@ -0,0 +1,29 @@
+require 'rails/generators/active_record'
+
+class Doorkeeper::PreviousRefreshTokenGenerator < Rails::Generators::Base
+  include Rails::Generators::Migration
+  source_root File.expand_path('../templates', __FILE__)
+  desc 'Support revoke refresh token on access token use'
+
+  def self.next_migration_number(path)
+    ActiveRecord::Generators::Base.next_migration_number(path)
+  end
+
+  def previous_refresh_token
+    if no_previous_refresh_token_column?
+      migration_template(
+        'add_previous_refresh_token_to_access_tokens.rb',
+        'db/migrate/add_previous_refresh_token_to_access_tokens.rb'
+      )
+    end
+  end
+
+  private
+
+  def no_previous_refresh_token_column?
+    !ActiveRecord::Base.connection.column_exists?(
+      :oauth_access_tokens,
+      :previous_refresh_token
+    )
+  end
+end

data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb

@@ -4,4 +4,4 @@ class AddOwnerToApplication < ActiveRecord::Migration
     add_column :oauth_applications, :owner_type, :string, null: true
     add_index :oauth_applications, [:owner_id, :owner_type]
   end
-end
+end

data/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb

@@ -0,0 +1,11 @@
+class AddPreviousRefreshTokenToAccessTokens < ActiveRecord::Migration
+  def change
+    add_column(
+      :oauth_access_tokens,
+      :previous_refresh_token,
+      :string,
+      default: "",
+      null: false
+    )
+  end
+end

data/lib/generators/doorkeeper/templates/initializer.rb

@@ -41,10 +41,10 @@ Doorkeeper.configure do
   # use_refresh_token
 
   # Provide support for an owner to be assigned to each registered application (disabled by default)
-  # Optional parameter :confirmation => true (default false) if you want to enforce ownership of
+  # Optional parameter confirmation: true (default false) if you want to enforce ownership of
   # a registered application
   # Note: you must also run the rails g doorkeeper:application_owner generator to provide the necessary support
-  # enable_application_owner :confirmation => false
+  # enable_application_owner confirmation: false
 
   # Define access token scopes for your provider
   # For more information go to

data/lib/generators/doorkeeper/templates/migration.rb

@@ -6,14 +6,14 @@ class CreateDoorkeeperTables < ActiveRecord::Migration
       t.string  :secret,       null: false
       t.text    :redirect_uri, null: false
       t.string  :scopes,       null: false, default: ''
-      t.timestamps
+      t.timestamps             null: false
     end
 
     add_index :oauth_applications, :uid, unique: true
 
     create_table :oauth_access_grants do |t|
       t.integer  :resource_owner_id, null: false
-      t.integer  :application_id,    null: false
+      t.references :application,     null: false
       t.string   :token,             null: false
       t.integer  :expires_in,        null: false
       t.text     :redirect_uri,      null: false
@@ -23,10 +23,15 @@ class CreateDoorkeeperTables < ActiveRecord::Migration
     end
 
     add_index :oauth_access_grants, :token, unique: true
+    add_foreign_key(
+      :oauth_access_grants,
+      :oauth_applications,
+      column: :application_id
+    )
 
     create_table :oauth_access_tokens do |t|
       t.integer  :resource_owner_id
-      t.integer  :application_id
+      t.references :application
 
       # If you use a custom token generator you may need to change this column
       # from string to text, so that it accepts tokens larger than 255
@@ -34,17 +39,30 @@ class CreateDoorkeeperTables < ActiveRecord::Migration
       # https://github.com/doorkeeper-gem/doorkeeper/tree/v3.0.0.rc1#custom-access-token-generator
       #
       # t.text     :token,             null: false
-      t.string   :token,             null: false
+      t.string   :token,                  null: false
 
       t.string   :refresh_token
       t.integer  :expires_in
       t.datetime :revoked_at
-      t.datetime :created_at,        null: false
+      t.datetime :created_at,             null: false
       t.string   :scopes
+
+      # If there is a previous_refresh_token column,
+      # refresh tokens will be revoked after a related access token is used.
+      # If there is no previous_refresh_token column,
+      # previous tokens are revoked as soon as a new access token is created.
+      # Comment out this line if you'd rather have refresh tokens
+      # instantly revoked.
+      t.string   :previous_refresh_token, null: false, default: ""
     end
 
     add_index :oauth_access_tokens, :token, unique: true
     add_index :oauth_access_tokens, :resource_owner_id
     add_index :oauth_access_tokens, :refresh_token, unique: true
+    add_foreign_key(
+      :oauth_access_tokens,
+      :oauth_applications,
+      column: :application_id
+    )
   end
 end

data/spec/controllers/authorizations_controller_spec.rb

@@ -89,16 +89,6 @@ describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
     it 'returns the existing access token in a fragment'
   end
 
-  describe 'GET #new' do
-    before do
-      get :new, client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri
-    end
-
-    it 'renders new template' do
-      expect(response).to render_template(:new)
-    end
-  end
-
   describe 'GET #new token request with native url and skip_authorization true' do
     before do
       allow(Doorkeeper.configuration).to receive(:skip_authorization).and_return(proc do
@@ -191,10 +181,6 @@ describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
       expect(response).to_not be_redirect
     end
 
-    it 'renders error template' do
-      expect(response).to render_template(:error)
-    end
-
     it 'does not issue any token' do
       expect(Doorkeeper::AccessGrant.count).to eq 0
       expect(Doorkeeper::AccessToken.count).to eq 0