doorkeeper 3.1.0 → 4.0.0

data/lib/doorkeeper/models/access_token_mixin.rb

@@ -10,20 +10,21 @@ module Doorkeeper
     include ActiveModel::MassAssignmentSecurity if defined?(::ProtectedAttributes)
 
     included do
-      belongs_to :application,
-                 class_name: 'Doorkeeper::Application',
-                 inverse_of: :access_tokens
+      belongs_to_options = {
+        class_name: 'Doorkeeper::Application',
+        inverse_of: :access_tokens
+      }
+      if defined?(ActiveRecord::Base) && ActiveRecord::VERSION::MAJOR >= 5
+        belongs_to_options[:optional] = true
+      end
+
+      belongs_to :application, belongs_to_options
 
       validates :token, presence: true, uniqueness: true
       validates :refresh_token, uniqueness: true, if: :use_refresh_token?
 
       attr_writer :use_refresh_token
 
-      if respond_to?(:attr_accessible)
-        attr_accessible :application_id, :resource_owner_id, :expires_in,
-                        :scopes, :use_refresh_token
-      end
-
       before_validation :generate_token, on: :create
       before_validation :generate_refresh_token,
                         on: :create,
@@ -32,18 +33,18 @@ module Doorkeeper
 
     module ClassMethods
       def by_token(token)
-        where(token: token.to_s).limit(1).to_a.first
+        find_by(token: token.to_s)
       end
 
       def by_refresh_token(refresh_token)
-        where(refresh_token: refresh_token.to_s).first
+        find_by(refresh_token: refresh_token.to_s)
       end
 
       def revoke_all_for(application_id, resource_owner)
         where(application_id: application_id,
               resource_owner_id: resource_owner.id,
               revoked_at: nil).
-          map(&:revoke)
+          each(&:revoke)
       end
 
       def matching_token_for(application, resource_owner_or_id, scopes)
@@ -74,6 +75,7 @@ module Doorkeeper
             return access_token
           end
         end
+
         create!(
           application_id:    application.try(:id),
           resource_owner_id: resource_owner_id,
@@ -84,13 +86,10 @@ module Doorkeeper
       end
 
       def last_authorized_token_for(application_id, resource_owner_id)
-        where(application_id: application_id,
-              resource_owner_id: resource_owner_id,
-              revoked_at: nil).
-          send(order_method, created_at_desc).
-          limit(1).
-          to_a.
-          first
+        send(order_method, created_at_desc).
+          find_by(application_id: application_id,
+                  resource_owner_id: resource_owner_id,
+                  revoked_at: nil)
       end
     end
 
@@ -99,6 +98,7 @@ module Doorkeeper
     end
 
     def use_refresh_token?
+      @use_refresh_token ||= false
       !!@use_refresh_token
     end
 
@@ -108,7 +108,7 @@ module Doorkeeper
         scopes:             scopes,
         expires_in_seconds: expires_in_seconds,
         application:        { uid: application.try(:uid) },
-        created_at:         created_at.to_i,
+        created_at:         created_at.to_i
       }
     end
 
@@ -129,10 +129,16 @@ module Doorkeeper
     end
 
     def generate_token
+      self.created_at ||= Time.now.utc
+
       generator = Doorkeeper.configuration.access_token_generator.constantize
-      self.token = generator.generate(resource_owner_id: resource_owner_id,
-                                      scopes: scopes, application: application,
-                                      expires_in: expires_in)
+      self.token = generator.generate(
+        resource_owner_id: resource_owner_id,
+        scopes: scopes,
+        application: application,
+        expires_in: expires_in,
+        created_at: created_at
+      )
     rescue NoMethodError
       raise Errors::UnableToGenerateToken, "#{generator} does not respond to `.generate`."
     rescue NameError

data/lib/doorkeeper/models/application_mixin.rb

@@ -15,19 +15,15 @@ module Doorkeeper
       validates :redirect_uri, redirect_uri: true
 
       before_validation :generate_uid, :generate_secret, on: :create
-
-      if respond_to?(:attr_accessible)
-        attr_accessible :name, :redirect_uri, :scopes
-      end
     end
 
     module ClassMethods
       def by_uid_and_secret(uid, secret)
-        where(uid: uid.to_s, secret: secret.to_s).limit(1).to_a.first
+        find_by(uid: uid.to_s, secret: secret.to_s)
       end
 
       def by_uid(uid)
-        where(uid: uid.to_s).limit(1).to_a.first
+        find_by(uid: uid.to_s)
       end
     end
 
@@ -35,7 +31,7 @@ module Doorkeeper
 
     def has_scopes?
       Doorkeeper.configuration.orm != :active_record ||
-        Application.new.attributes.include?("scopes")
+        Doorkeeper::Application.column_names.include?("scopes")
     end
 
     def generate_uid

data/lib/doorkeeper/models/concerns/expirable.rb

@@ -2,12 +2,12 @@ module Doorkeeper
   module Models
     module Expirable
       def expired?
-        expires_in && Time.now > expired_time
+        expires_in && Time.now.utc > expired_time
       end
 
       def expires_in_seconds
         return nil if expires_in.nil?
-        expires = (created_at + expires_in.seconds) - Time.now
+        expires = (created_at + expires_in.seconds) - Time.now.utc
         expires_sec = expires.seconds.round(0)
         expires_sec > 0 ? expires_sec : 0
       end

data/lib/doorkeeper/models/concerns/ownership.rb

@@ -4,7 +4,12 @@ module Doorkeeper
       extend ActiveSupport::Concern
 
       included do
-        belongs_to :owner, polymorphic: true
+        belongs_to_options = { polymorphic: true }
+        if defined?(ActiveRecord::Base) && ActiveRecord::VERSION::MAJOR >= 5
+          belongs_to_options[:optional] = true
+        end
+
+        belongs_to :owner, belongs_to_options
         validates :owner, presence: true, if: :validate_owner?
       end
 

data/lib/doorkeeper/models/concerns/revocable.rb

@@ -2,11 +2,28 @@ module Doorkeeper
   module Models
     module Revocable
       def revoke(clock = Time)
-        update_attribute :revoked_at, clock.now
+        update_attribute :revoked_at, clock.now.utc
       end
 
       def revoked?
-        !!(revoked_at && revoked_at <= Time.now)
+        !!(revoked_at && revoked_at <= Time.now.utc)
+      end
+
+      def revoke_previous_refresh_token!
+        return unless refresh_token_revoked_on_use?
+        old_refresh_token.revoke if old_refresh_token
+        update_attribute :previous_refresh_token, ""
+      end
+
+      private
+
+      def old_refresh_token
+        @old_refresh_token ||=
+          AccessToken.by_refresh_token(previous_refresh_token)
+      end
+
+      def refresh_token_revoked_on_use?
+        AccessToken.refresh_token_revoked_on_use?
       end
     end
   end

data/lib/doorkeeper/oauth/authorization/uri_builder.rb

@@ -20,7 +20,7 @@ module Doorkeeper
         end
 
         def build_query(parameters = {})
-          parameters = parameters.reject { |k, v| v.blank? }
+          parameters = parameters.reject { |_, v| v.blank? }
           super parameters
         end
       end

data/lib/doorkeeper/oauth/client/credentials.rb

@@ -7,7 +7,7 @@ module Doorkeeper
         def self.from_request(request, *credentials_methods)
           credentials_methods.inject(nil) do |credentials, method|
             method = self.method(method) if method.is_a?(Symbol)
-            credentials = Credentials.new *method.call(request)
+            credentials = Credentials.new(*method.call(request))
             break credentials unless credentials.blank?
           end
         end

data/lib/doorkeeper/oauth/client_credentials/issuer.rb

@@ -7,7 +7,8 @@ module Doorkeeper
         attr_accessor :token, :validation, :error
 
         def initialize(server, validation)
-          @server, @validation = server, validation
+          @server = server
+          @validation = validation
         end
 
         def create(client, scopes, creator = Creator.new)

data/lib/doorkeeper/oauth/client_credentials_request.rb

@@ -8,9 +8,11 @@ module Doorkeeper
       include Validations
       include OAuth::RequestConcern
 
-      attr_accessor :issuer, :server, :client, :original_scopes
+      attr_accessor :server, :client, :original_scopes
       attr_reader :response
-      alias :error_response :response
+      attr_writer :issuer
+
+      alias_method :error_response, :response
 
       delegate :error, to: :issuer
 
@@ -19,8 +21,9 @@ module Doorkeeper
       end
 
       def initialize(server, client, parameters = {})
-        @client, @server = client, server
-        @response        = nil
+        @client = client
+        @server = server
+        @response = nil
         @original_scopes = parameters[:scope]
       end
 

data/lib/doorkeeper/oauth/code_response.rb

@@ -7,7 +7,8 @@ module Doorkeeper
       attr_accessor :pre_auth, :auth, :response_on_fragment
 
       def initialize(pre_auth, auth, options = {})
-        @pre_auth, @auth      = pre_auth, auth
+        @pre_auth = pre_auth
+        @auth = auth
         @response_on_fragment = options[:response_on_fragment]
       end
 
@@ -18,20 +19,18 @@ module Doorkeeper
       def redirect_uri
         if URIChecker.native_uri? pre_auth.redirect_uri
           auth.native_redirect
+        elsif response_on_fragment
+          uri_with_fragment(
+            pre_auth.redirect_uri,
+            access_token: auth.token.token,
+            token_type: auth.token.token_type,
+            expires_in: auth.token.expires_in_seconds,
+            state: pre_auth.state
+          )
         else
-          if response_on_fragment
-            uri_with_fragment(
-              pre_auth.redirect_uri,
-              access_token: auth.token.token,
-              token_type: auth.token.token_type,
-              expires_in: auth.token.expires_in,
-              state: pre_auth.state
-            )
-          else
-            uri_with_query pre_auth.redirect_uri,
-                           code: auth.token.token,
-                           state: pre_auth.state
-          end
+          uri_with_query pre_auth.redirect_uri,
+                         code: auth.token.token,
+                         state: pre_auth.state
         end
       end
     end

data/lib/doorkeeper/oauth/helpers/scope_checker.rb

@@ -13,7 +13,7 @@ module Doorkeeper
 
           def valid?
             scope_str.present? &&
-              scope_str !~ /[\n|\r|\t]/ &&
+              scope_str !~ /[\n\r\t]/ &&
               @valid_scopes.has_scopes?(parsed_scopes)
           end
 

data/lib/doorkeeper/oauth/helpers/uri_checker.rb

@@ -10,7 +10,8 @@ module Doorkeeper
         end
 
         def self.matches?(url, client_url)
-          url, client_url = as_uri(url), as_uri(client_url)
+          url = as_uri(url)
+          client_url = as_uri(client_url)
           url.query = nil
           url == client_url
         end

data/lib/doorkeeper/oauth/password_access_token_request.rb

@@ -9,19 +9,15 @@ module Doorkeeper
       validate :resource_owner, error: :invalid_grant
       validate :scopes,         error: :invalid_scope
 
-      attr_accessor :server, :resource_owner, :credentials, :access_token
-      attr_accessor :client
+      attr_accessor :server, :client, :resource_owner, :parameters,
+                    :access_token
 
-      def initialize(server, credentials, resource_owner, parameters = {})
+      def initialize(server, client, resource_owner, parameters = {})
         @server          = server
         @resource_owner  = resource_owner
-        @credentials     = credentials
+        @client          = client
+        @parameters      = parameters
         @original_scopes = parameters[:scope]
-
-        if credentials
-          @client = Application.by_uid_and_secret credentials.uid,
-                                                  credentials.secret
-        end
       end
 
       private
@@ -40,7 +36,7 @@ module Doorkeeper
       end
 
       def validate_client
-        !credentials || !!client
+        !parameters[:client_id] || !!client
       end
     end
   end

data/lib/doorkeeper/oauth/refresh_token_request.rb

@@ -12,7 +12,9 @@ module Doorkeeper
       validate :scope,        error: :invalid_scope
 
       attr_accessor :access_token, :client, :credentials, :refresh_token,
-                    :server
+                    :server, :refresh_token_parameter
+
+      private :refresh_token_parameter, :refresh_token_parameter=
 
       def initialize(server, refresh_token, credentials, parameters = {})
         @server          = server
@@ -29,34 +31,44 @@ module Doorkeeper
 
       private
 
-      attr_reader :refresh_token_parameter
-
       def before_successful_response
         refresh_token.transaction do
           refresh_token.lock!
           raise Errors::InvalidTokenReuse if refresh_token.revoked?
 
-          refresh_token.revoke
+          refresh_token.revoke unless refresh_token_revoked_on_use?
           create_access_token
         end
       end
 
+      def refresh_token_revoked_on_use?
+        Doorkeeper::AccessToken.refresh_token_revoked_on_use?
+      end
+
       def default_scopes
         refresh_token.scopes
       end
 
       def create_access_token
-        expires_in = Authorization::Token.access_token_expires_in(
-          server,
-          client
-        )
+        @access_token = AccessToken.create!(access_token_attributes)
+      end
 
-        @access_token = AccessToken.create!(
+      def access_token_attributes
+        {
           application_id: refresh_token.application_id,
           resource_owner_id: refresh_token.resource_owner_id,
           scopes: scopes.to_s,
-          expires_in: expires_in,
-          use_refresh_token: true)
+          expires_in: access_token_expires_in,
+          use_refresh_token: true
+        }.tap do |attributes|
+          if refresh_token_revoked_on_use?
+            attributes[:previous_refresh_token] = refresh_token.refresh_token
+          end
+        end
+      end
+
+      def access_token_expires_in
+        Authorization::Token.access_token_expires_in(server, client)
       end
 
       def validate_token_presence

data/lib/doorkeeper/oauth/scopes.rb

@@ -46,14 +46,14 @@ module Doorkeeper
 
       def +(other)
         if other.is_a? Scopes
-          self.class.from_array(self.all + other.all)
+          self.class.from_array(all + other.all)
         else
           super(other)
         end
       end
 
       def <=>(other)
-        self.map(&:to_s).sort <=> other.map(&:to_s).sort
+        map(&:to_s).sort <=> other.map(&:to_s).sort
       end
 
       def &(other)

data/lib/doorkeeper/oauth/token.rb

@@ -26,12 +26,11 @@ module Doorkeeper
 
         def token_from_basic_header(header, pattern)
           encoded_header = token_from_header(header, pattern)
-          token, _ = decode_basic_credentials(encoded_header)
-          token
+          decode_basic_credentials_token(encoded_header)
         end
 
-        def decode_basic_credentials(encoded_header)
-          Base64.decode64(encoded_header).split(/:/, 2)
+        def decode_basic_credentials_token(encoded_header)
+          Base64.decode64(encoded_header).split(/:/, 2).first
         end
 
         def token_from_header(header, pattern)
@@ -55,7 +54,9 @@ module Doorkeeper
 
       def self.authenticate(request, *methods)
         if token = from_request(request, *methods)
-          AccessToken.by_token(token)
+          access_token = AccessToken.by_token(token)
+          access_token.revoke_previous_refresh_token! if access_token
+          access_token
         end
       end
     end

data/lib/doorkeeper/oauth/token_response.rb

@@ -14,7 +14,7 @@ module Doorkeeper
           'expires_in'    => token.expires_in_seconds,
           'refresh_token' => token.refresh_token,
           'scope'         => token.scopes_string,
-          'created_at'    => token.created_at.to_i,
+          'created_at'    => token.created_at.to_i
         }.reject { |_, value| value.blank? }
       end
 

data/lib/doorkeeper/orm/active_record/access_token.rb

@@ -10,10 +10,18 @@ module Doorkeeper
     end
     private_class_method :delete_all_for
 
+    def self.active_for(resource_owner)
+      where(resource_owner_id: resource_owner.id, revoked_at: nil)
+    end
+
     def self.order_method
       :order
     end
 
+    def self.refresh_token_revoked_on_use?
+      column_names.include?('previous_refresh_token')
+    end
+
     def self.created_at_desc
       'created_at desc'
     end

data/lib/doorkeeper/orm/active_record/application.rb

@@ -11,14 +11,9 @@ module Doorkeeper
     end
     has_many :authorized_applications, through: :authorized_tokens, source: :application
 
-    def self.column_names_with_table
-      self.column_names.map { |c| "#{table_name}.#{c}" }
-    end
-
     def self.authorized_for(resource_owner)
-      joins(:authorized_applications).
-        where(AccessToken.table_name => { resource_owner_id: resource_owner.id, revoked_at: nil }).
-        group(column_names_with_table.join(','))
+      resource_access_tokens = AccessToken.active_for(resource_owner)
+      where(id: resource_access_tokens.select(:application_id).distinct)
     end
   end
 end

data/lib/doorkeeper/orm/active_record.rb

@@ -18,22 +18,6 @@ module Doorkeeper
 
         Doorkeeper::Application.send :include, Doorkeeper::Models::Ownership
       end
-
-      def self.check_requirements!(_config)
-        if ::ActiveRecord::Base.connected? &&
-           ::ActiveRecord::Base.connection.table_exists?(
-             Doorkeeper::Application.table_name
-           )
-          unless Doorkeeper::Application.new.attributes.include?("scopes")
-            migration_path = '../../../generators/doorkeeper/templates/add_scopes_to_oauth_applications.rb'
-            puts <<-MSG.squish
-[doorkeeper] Missing column: `oauth_applications.scopes`.
-Create the following migration and run `rake db:migrate`.
-            MSG
-            puts File.read(File.expand_path(migration_path, __FILE__))
-          end
-        end
-      end
     end
   end
 end

data/lib/doorkeeper/rails/helpers.rb

@@ -6,7 +6,7 @@ module Doorkeeper
       def doorkeeper_authorize!(*scopes)
         @_doorkeeper_scopes = scopes.presence || Doorkeeper.configuration.default_scopes
 
-        if !valid_doorkeeper_token?
+        unless valid_doorkeeper_token?
           doorkeeper_render_error
         end
       end

data/lib/doorkeeper/rails/routes/mapper.rb

@@ -7,7 +7,7 @@ module Doorkeeper
         end
 
         def map(&block)
-          self.instance_eval(&block) if block
+          instance_eval(&block) if block
           @mapping
         end
 

data/lib/doorkeeper/rails/routes.rb

@@ -18,7 +18,8 @@ module Doorkeeper
       attr_accessor :routes
 
       def initialize(routes, &block)
-        @routes, @block = routes, block
+        @routes = routes
+        @block = block
       end
 
       def generate_routes!(options)

data/lib/doorkeeper/request/password.rb

@@ -8,11 +8,21 @@ module Doorkeeper
       def request
         @request ||= OAuth::PasswordAccessTokenRequest.new(
           Doorkeeper.configuration,
-          credentials,
+          client,
           resource_owner,
           parameters
         )
       end
+
+      private
+
+      def client
+        if credentials
+          server.client
+        elsif parameters[:client_id]
+          server.client_via_uid
+        end
+      end
     end
   end
 end

data/lib/doorkeeper/version.rb

@@ -1,3 +1,3 @@
 module Doorkeeper
-  VERSION = "3.1.0"
+  VERSION = "4.0.0".freeze
 end

data/lib/doorkeeper.rb

@@ -54,7 +54,7 @@ module Doorkeeper
   end
 
   def self.database_installed?
-    [AccessToken, AccessGrant, Application].all? { |model| model.table_exists? }
+    [AccessToken, AccessGrant, Application].all?(&:table_exists?)
   end
 
   def self.installed?

data/lib/generators/doorkeeper/previous_refresh_token_generator.rb

@@ -0,0 +1,29 @@
+require 'rails/generators/active_record'
+
+class Doorkeeper::PreviousRefreshTokenGenerator < Rails::Generators::Base
+  include Rails::Generators::Migration
+  source_root File.expand_path('../templates', __FILE__)
+  desc 'Support revoke refresh token on access token use'
+
+  def self.next_migration_number(path)
+    ActiveRecord::Generators::Base.next_migration_number(path)
+  end
+
+  def previous_refresh_token
+    if no_previous_refresh_token_column?
+      migration_template(
+        'add_previous_refresh_token_to_access_tokens.rb',
+        'db/migrate/add_previous_refresh_token_to_access_tokens.rb'
+      )
+    end
+  end
+
+  private
+
+  def no_previous_refresh_token_column?
+    !ActiveRecord::Base.connection.column_exists?(
+      :oauth_access_tokens,
+      :previous_refresh_token
+    )
+  end
+end

data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb

@@ -4,4 +4,4 @@ class AddOwnerToApplication < ActiveRecord::Migration
     add_column :oauth_applications, :owner_type, :string, null: true
     add_index :oauth_applications, [:owner_id, :owner_type]
   end
-end
+end

data/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb

@@ -0,0 +1,11 @@
+class AddPreviousRefreshTokenToAccessTokens < ActiveRecord::Migration
+  def change
+    add_column(
+      :oauth_access_tokens,
+      :previous_refresh_token,
+      :string,
+      default: "",
+      null: false
+    )
+  end
+end