doorkeeper 3.1.0 → 4.0.0

data/spec/lib/models/revocable_spec.rb

@@ -11,20 +11,21 @@ describe 'Revocable' do
 
   describe :revoke do
     it 'updates :revoked_at attribute with current time' do
-      clock = double now: double
-      expect(subject).to receive(:update_attribute).with(:revoked_at, clock.now)
+      utc = double utc: double
+      clock = double now: utc
+      expect(subject).to receive(:update_attribute).with(:revoked_at, clock.now.utc)
       subject.revoke(clock)
     end
   end
 
   describe :revoked? do
     it 'is revoked if :revoked_at has passed' do
-      allow(subject).to receive(:revoked_at).and_return(Time.now - 1000)
+      allow(subject).to receive(:revoked_at).and_return(Time.now.utc - 1000)
       expect(subject).to be_revoked
     end
 
     it 'is not revoked if :revoked_at has not passed' do
-      allow(subject).to receive(:revoked_at).and_return(Time.now + 1000)
+      allow(subject).to receive(:revoked_at).and_return(Time.now.utc + 1000)
       expect(subject).not_to be_revoked
     end
 
@@ -33,4 +34,26 @@ describe 'Revocable' do
       expect(subject).not_to be_revoked
     end
   end
+
+  describe :revoke_previous_refresh_token! do
+    it "revokes the previous token if existing, and resets the
+      `previous_refresh_token` attribute" do
+      previous_token = FactoryGirl.create(
+        :access_token,
+        refresh_token: "refresh_token"
+      )
+      current_token = FactoryGirl.create(
+        :access_token,
+        previous_refresh_token: previous_token.refresh_token
+      )
+
+      expect_any_instance_of(
+        Doorkeeper::AccessToken
+      ).to receive(:revoke).and_call_original
+      current_token.revoke_previous_refresh_token!
+
+      expect(current_token.previous_refresh_token).to be_empty
+      expect(previous_token.reload).to be_revoked
+    end
+  end
 end

data/spec/lib/oauth/authorization_code_request_spec.rb

@@ -18,7 +18,7 @@ module Doorkeeper::OAuth
     it 'issues a new token for the client' do
       expect do
         subject.authorize
-      end.to change { client.access_tokens.count }.by(1)
+      end.to change { client.reload.access_tokens.count }.by(1)
     end
 
     it "issues the token with same grant's scopes" do

data/spec/lib/oauth/code_response_spec.rb

@@ -0,0 +1,34 @@
+require 'spec_helper'
+
+module Doorkeeper
+  module OAuth
+    describe CodeResponse do
+      describe '.redirect_uri' do
+        context 'when generating the redirect URI for an implicit grant' do
+          let :pre_auth do
+            double(
+              :pre_auth,
+              client: double(:application, id: 1),
+              redirect_uri: 'http://tst.com/cb',
+              state: nil,
+              scopes: Scopes.from_string('public'),
+            )
+          end
+
+          let :auth do
+            Authorization::Token.new(pre_auth, double(id: 1)).tap do |c|
+              c.issue_token
+              allow(c.token).to receive(:expires_in_seconds).and_return(3600)
+            end
+          end
+
+          subject { CodeResponse.new(pre_auth, auth, response_on_fragment: true).redirect_uri }
+
+          it 'includes the remaining TTL of the token relative to the time the token was generated' do
+            expect(subject).to include('expires_in=3600')
+          end
+        end
+      end
+    end
+  end
+end

data/spec/lib/oauth/password_access_token_request_spec.rb

@@ -11,23 +11,22 @@ module Doorkeeper::OAuth
         custom_access_token_expires_in: ->(_app) { nil }
       )
     end
-    let(:credentials) { Client::Credentials.new(client.uid, client.secret) }
     let(:client) { FactoryGirl.create(:application) }
     let(:owner)  { double :owner, id: 99 }
 
     subject do
-      PasswordAccessTokenRequest.new(server, credentials, owner)
+      PasswordAccessTokenRequest.new(server, client, owner)
     end
 
     it 'issues a new token for the client' do
       expect do
         subject.authorize
-      end.to change { client.access_tokens.count }.by(1)
+      end.to change { client.reload.access_tokens.count }.by(1)
     end
 
     it 'issues a new token without a client' do
       expect do
-        subject.credentials = nil
+        subject.client = nil
         subject.authorize
       end.to change { Doorkeeper::AccessToken.count }.by(1)
     end
@@ -35,6 +34,7 @@ module Doorkeeper::OAuth
     it 'does not issue a new token with an invalid client' do
       expect do
         subject.client = nil
+        subject.parameters = { client_id: 'bad_id' }
         subject.authorize
       end.to_not change { Doorkeeper::AccessToken.count }
 
@@ -48,7 +48,7 @@ module Doorkeeper::OAuth
     end
 
     it 'optionally accepts the client' do
-      subject.credentials = nil
+      subject.client = nil
       expect(subject).to be_valid
     end
 

data/spec/lib/oauth/refresh_token_request_spec.rb

@@ -2,6 +2,9 @@ require 'spec_helper_integration'
 
 module Doorkeeper::OAuth
   describe RefreshTokenRequest do
+    before do
+      allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
+    end
     let(:server) do
       double :server,
              access_token_expires_in: 2.minutes,
@@ -16,9 +19,7 @@ module Doorkeeper::OAuth
     subject { RefreshTokenRequest.new server, refresh_token, credentials }
 
     it 'issues a new token for the client' do
-      expect do
-        subject.authorize
-      end.to change { client.access_tokens.count }.by(1)
+      expect { subject.authorize }.to change { client.reload.access_tokens.count }.by(1)
       expect(client.reload.access_tokens.last.expires_in).to eq(120)
     end
 
@@ -27,6 +28,8 @@ module Doorkeeper::OAuth
                       access_token_expires_in: 2.minutes,
                       custom_access_token_expires_in: ->(_oauth_client) { 1234 }
 
+      allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
+
       RefreshTokenRequest.new(server, refresh_token, credentials).authorize
 
       expect(client.reload.access_tokens.last.expires_in).to eq(1234)
@@ -67,6 +70,34 @@ module Doorkeeper::OAuth
       expect(subject).to be_valid
     end
 
+    context 'refresh tokens expire on access token use' do
+      let(:server) do
+        double :server,
+               access_token_expires_in: 2.minutes,
+               custom_access_token_expires_in: ->(_oauth_client) { 1234 }
+      end
+
+      before do
+        allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(true)
+      end
+
+      it 'issues a new token for the client' do
+        expect { subject.authorize }.to change { client.reload.access_tokens.count }.by(1)
+      end
+
+      it 'does not revoke the previous token' do
+        subject.authorize
+        expect(refresh_token).not_to be_revoked
+      end
+
+      it 'sets the previous refresh token in the new access token' do
+        subject.authorize
+        expect(
+          client.access_tokens.last.previous_refresh_token
+        ).to eq(refresh_token.refresh_token)
+      end
+    end
+
     context 'clientless access tokens' do
       let!(:refresh_token) { FactoryGirl.create(:clientless_access_token, use_refresh_token: true) }
 

data/spec/lib/oauth/scopes_spec.rb

@@ -67,7 +67,6 @@ module Doorkeeper::OAuth
 
       it 'does not change the existing object' do
         origin = Scopes.from_string('public')
-        new_scope = origin + Scopes.from_string('admin')
         expect(origin.to_s).to eq('public')
       end
 

data/spec/lib/oauth/token_spec.rb

@@ -30,7 +30,7 @@ module Doorkeeper
         it 'stops at the first credentials found' do
           not_called_method = double
           expect(not_called_method).not_to receive(:call)
-          Token.from_request request, ->(r) {}, method, not_called_method
+          Token.from_request request, ->(_r) {}, method, not_called_method
         end
 
         it 'returns the credential from extractor method' do
@@ -96,13 +96,20 @@ module Doorkeeper
       end
 
       describe :authenticate do
-        let(:finder) { double :finder }
-
-        it 'calls the finder if token was found' do
-          token = ->(r) { 'token' }
+        it 'calls the finder if token was returned' do
+          token = ->(_r) { 'token' }
           expect(AccessToken).to receive(:by_token).with('token')
           Token.authenticate double, token
         end
+
+        it 'revokes previous refresh_token if token was found' do
+          token = ->(_r) { 'token' }
+          expect(
+            AccessToken
+          ).to receive(:by_token).with('token').and_return(token)
+          expect(token).to receive(:revoke_previous_refresh_token!)
+          Token.authenticate double, token
+        end
       end
     end
   end

data/spec/models/doorkeeper/access_token_spec.rb

@@ -12,6 +12,11 @@ module Doorkeeper
       let(:factory_name) { :access_token }
     end
 
+    module CustomGeneratorArgs
+      def self.generate
+      end
+    end
+
     describe :generate_token do
       it 'generates a token using the default method' do
         FactoryGirl.create :access_token
@@ -21,6 +26,10 @@ module Doorkeeper
       end
 
       it 'generates a token using a custom object' do
+        eigenclass = class << CustomGeneratorArgs; self; end
+        eigenclass.class_eval do
+          remove_method :generate
+        end
         module CustomGeneratorArgs
           def self.generate(opts = {})
             "custom_generator_token_#{opts[:resource_owner_id]}"
@@ -37,6 +46,10 @@ module Doorkeeper
       end
 
       it 'allows the custom generator to access the application details' do
+        eigenclass = class << CustomGeneratorArgs; self; end
+        eigenclass.class_eval do
+          remove_method :generate
+        end
         module CustomGeneratorArgs
           def self.generate(opts = {})
             "custom_generator_token_#{opts[:application].name}"
@@ -53,6 +66,10 @@ module Doorkeeper
       end
 
       it 'allows the custom generator to access the scopes' do
+        eigenclass = class << CustomGeneratorArgs; self; end
+        eigenclass.class_eval do
+          remove_method :generate
+        end
         module CustomGeneratorArgs
           def self.generate(opts = {})
             "custom_generator_token_#{opts[:scopes].count}_#{opts[:scopes]}"
@@ -70,6 +87,10 @@ module Doorkeeper
       end
 
       it 'allows the custom generator to access the expiry length' do
+        eigenclass = class << CustomGeneratorArgs; self; end
+        eigenclass.class_eval do
+          remove_method :generate
+        end
         module CustomGeneratorArgs
           def self.generate(opts = {})
             "custom_generator_token_#{opts[:expires_in]}"
@@ -85,6 +106,23 @@ module Doorkeeper
         expect(token.token).to eq 'custom_generator_token_7200'
       end
 
+      it 'allows the custom generator to access the created time' do
+        module CustomGeneratorArgs
+          def self.generate(opts = {})
+            "custom_generator_token_#{opts[:created_at].to_i}"
+          end
+        end
+
+        Doorkeeper.configure do
+          orm DOORKEEPER_ORM
+          access_token_generator "Doorkeeper::CustomGeneratorArgs"
+        end
+
+        token = FactoryGirl.create :access_token
+        created_at = token.created_at
+        expect(token.token).to eq "custom_generator_token_#{created_at.to_i}"
+      end
+
       it 'raises an error if the custom object does not support generate' do
         module NoGenerate
         end
@@ -133,7 +171,7 @@ module Doorkeeper
         expect do
           token2.refresh_token = token1.refresh_token
           token2.save(validate: false)
-        end.to raise_error(ActiveRecord::RecordNotUnique)
+        end.to raise_error(uniqueness_error)
       end
     end
 
@@ -143,6 +181,12 @@ module Doorkeeper
         subject.resource_owner_id = nil
         expect(subject).to be_valid
       end
+
+      it 'is valid without application_id' do
+        # For resource owner credentials flow
+        subject.application_id = nil
+        expect(subject).to be_valid
+      end
     end
 
     describe '#same_credential?' do

data/spec/models/doorkeeper/application_spec.rb

@@ -90,7 +90,7 @@ module Doorkeeper
       app1 = FactoryGirl.create(:application)
       app2 = FactoryGirl.create(:application)
       app2.uid = app1.uid
-      expect { app2.save!(validate: false) }.to raise_error(ActiveRecord::RecordNotUnique)
+      expect { app2.save!(validate: false) }.to raise_error(uniqueness_error)
     end
 
     it 'generate secret on create' do
@@ -129,7 +129,7 @@ module Doorkeeper
 
       it 'should destroy its access tokens' do
         FactoryGirl.create(:access_token, application: new_application)
-        FactoryGirl.create(:access_token, application: new_application, revoked_at: Time.now)
+        FactoryGirl.create(:access_token, application: new_application, revoked_at: Time.now.utc)
         expect do
           new_application.destroy
         end.to change { Doorkeeper::AccessToken.count }.by(-2)
@@ -166,14 +166,6 @@ module Doorkeeper
         FactoryGirl.create(:access_token, resource_owner_id: resource_owner.id, application: application)
         expect(Application.authorized_for(resource_owner)).to eq([application])
       end
-
-      it 'should fail to mass assign a new application', if: ::Rails::VERSION::MAJOR < 4 do
-        mass_assign = { name: 'Something',
-                        redirect_uri: 'http://somewhere.com/something',
-                        uid: 123,
-                        secret: 'something' }
-        expect(Application.create(mass_assign).uid).not_to eq(123)
-      end
     end
 
     describe :authenticate do

data/spec/requests/flows/password_spec.rb

@@ -24,14 +24,26 @@ describe 'Resource Owner Password Credentials Flow' do
   end
 
   context 'with valid user credentials' do
-    it 'should issue new token' do
+    it 'should issue new token with confidential client' do
       expect do
         post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
       end.to change { Doorkeeper::AccessToken.count }.by(1)
 
       token = Doorkeeper::AccessToken.first
 
-      should_have_json 'access_token',  token.token
+      expect(token.application_id).to eq @client.id
+      should_have_json 'access_token', token.token
+    end
+
+    it 'should issue new token with public client (only client_id present)' do
+      expect do
+        post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
+      end.to change { Doorkeeper::AccessToken.count }.by(1)
+
+      token = Doorkeeper::AccessToken.first
+
+      expect(token.application_id).to eq @client.id
+      should_have_json 'access_token', token.token
     end
 
     it 'should issue new token without client credentials' do
@@ -41,7 +53,8 @@ describe 'Resource Owner Password Credentials Flow' do
 
       token = Doorkeeper::AccessToken.first
 
-      should_have_json 'access_token',  token.token
+      expect(token.application_id).to be_nil
+      should_have_json 'access_token', token.token
     end
 
     it 'should issue a refresh token if enabled' do
@@ -51,7 +64,7 @@ describe 'Resource Owner Password Credentials Flow' do
 
       token = Doorkeeper::AccessToken.first
 
-      should_have_json 'refresh_token',  token.refresh_token
+      should_have_json 'refresh_token', token.refresh_token
     end
 
     it 'should return the same token if it is still accessible' do
@@ -82,7 +95,7 @@ describe 'Resource Owner Password Credentials Flow' do
     end
   end
 
-  context 'with invalid client credentials' do
+  context 'with invalid confidential client credentials' do
     it 'should not issue new token with bad client credentials' do
       expect do
         post password_token_endpoint_url(client_id: @client.uid,
@@ -91,4 +104,12 @@ describe 'Resource Owner Password Credentials Flow' do
       end.to_not change { Doorkeeper::AccessToken.count }
     end
   end
+
+  context 'with invalid public client id' do
+    it 'should not issue new token with bad client id' do
+      expect do
+        post password_token_endpoint_url(client_id: 'bad_id', resource_owner: @resource_owner)
+      end.to_not change { Doorkeeper::AccessToken.count }
+    end
+  end
 end

data/spec/requests/flows/refresh_token_spec.rb

@@ -37,20 +37,62 @@ describe 'Refresh Token Flow' do
 
   context 'refreshing the token' do
     before do
-      @token = FactoryGirl.create(:access_token, application: @client, resource_owner_id: 1, use_refresh_token: true)
+      @token = FactoryGirl.create(
+        :access_token,
+        application: @client,
+        resource_owner_id: 1,
+        use_refresh_token: true
+      )
     end
 
-    it 'client request a token with refresh token' do
-      post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
-      should_have_json 'refresh_token', Doorkeeper::AccessToken.last.refresh_token
-      expect(@token.reload).to be_revoked
+    context "refresh_token revoked on use" do
+      it 'client request a token with refresh token' do
+        post refresh_token_endpoint_url(
+          client: @client, refresh_token: @token.refresh_token
+        )
+        should_have_json(
+          'refresh_token', Doorkeeper::AccessToken.last.refresh_token
+        )
+        expect(@token.reload).not_to be_revoked
+      end
+
+      it 'client request a token with expired access token' do
+        @token.update_attribute :expires_in, -100
+        post refresh_token_endpoint_url(
+          client: @client, refresh_token: @token.refresh_token
+        )
+        should_have_json(
+          'refresh_token', Doorkeeper::AccessToken.last.refresh_token
+        )
+        expect(@token.reload).not_to be_revoked
+      end
     end
 
-    it 'client request a token with expired access token' do
-      @token.update_attribute :expires_in, -100
-      post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
-      should_have_json 'refresh_token', Doorkeeper::AccessToken.last.refresh_token
-      expect(@token.reload).to be_revoked
+    context "refresh_token revoked on refresh_token request" do
+      before do
+        allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
+      end
+
+      it 'client request a token with refresh token' do
+        post refresh_token_endpoint_url(
+          client: @client, refresh_token: @token.refresh_token
+        )
+        should_have_json(
+          'refresh_token', Doorkeeper::AccessToken.last.refresh_token
+        )
+        expect(@token.reload).to be_revoked
+      end
+
+      it 'client request a token with expired access token' do
+        @token.update_attribute :expires_in, -100
+        post refresh_token_endpoint_url(
+          client: @client, refresh_token: @token.refresh_token
+        )
+        should_have_json(
+          'refresh_token', Doorkeeper::AccessToken.last.refresh_token
+        )
+        expect(@token.reload).to be_revoked
+      end
     end
 
     it 'client gets an error for invalid refresh token' do
@@ -79,20 +121,48 @@ describe 'Refresh Token Flow' do
     before do
       # enable password auth to simulate other devices
       config_is_set(:grant_flows, ["password"])
-      config_is_set(:resource_owner_from_credentials) { User.authenticate! params[:username], params[:password] }
+      config_is_set(:resource_owner_from_credentials) do
+        User.authenticate! params[:username], params[:password]
+      end
       create_resource_owner
-      _another_token = post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
+      _another_token = post password_token_endpoint_url(
+        client: @client, resource_owner: @resource_owner
+      )
       last_token.update_attribute :created_at, 5.seconds.ago
 
-      @token = FactoryGirl.create(:access_token, application: @client, resource_owner_id: @resource_owner.id, use_refresh_token: true)
+      @token = FactoryGirl.create(
+        :access_token,
+        application: @client,
+        resource_owner_id: @resource_owner.id,
+        use_refresh_token: true
+      )
       @token.update_attribute :expires_in, -100
     end
 
-    it 'client request a token after creating another token with the same user' do
-      post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
+    context "refresh_token revoked on use" do
+      it 'client request a token after creating another token with the same user' do
+        post refresh_token_endpoint_url(
+          client: @client, refresh_token: @token.refresh_token
+        )
+
+        should_have_json 'refresh_token', last_token.refresh_token
+        expect(@token.reload).not_to be_revoked
+      end
+    end
+
+    context "refresh_token revoked on refresh_token request" do
+      before do
+        allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
+      end
+
+      it 'client request a token after creating another token with the same user' do
+        post refresh_token_endpoint_url(
+          client: @client, refresh_token: @token.refresh_token
+        )
 
-      should_have_json 'refresh_token', last_token.refresh_token
-      expect(@token.reload).to be_revoked
+        should_have_json 'refresh_token', last_token.refresh_token
+        expect(@token.reload).to be_revoked
+      end
     end
 
     def last_token

data/spec/spec_helper_integration.rb

@@ -35,6 +35,9 @@ ENGINE_RAILS_ROOT = File.join(File.dirname(__FILE__), '../')
 
 Dir["#{File.dirname(__FILE__)}/support/{dependencies,helpers,shared}/*.rb"].each { |f| require f }
 
+# Remove after dropping support of Rails 4.2
+require "#{File.dirname(__FILE__)}/support/http_method_shim.rb"
+
 RSpec.configure do |config|
   config.infer_spec_type_from_file_location!
   config.mock_with :rspec

data/spec/support/helpers/model_helper.rb

@@ -13,14 +13,20 @@ module ModelHelper
 
   def access_grant_should_exist_for(client, resource_owner)
     grant = Doorkeeper::AccessGrant.first
-    expect(grant.application).to eq(client)
-    grant.resource_owner_id  == resource_owner.id
+
+    expect(grant.application).to have_attributes(id: client.id).
+      and(be_instance_of(Doorkeeper::Application))
+
+    expect(grant.resource_owner_id).to eq(resource_owner.id)
   end
 
   def access_token_should_exist_for(client, resource_owner)
-    grant = Doorkeeper::AccessToken.first
-    expect(grant.application).to eq(client)
-    grant.resource_owner_id  == resource_owner.id
+    token = Doorkeeper::AccessToken.first
+
+    expect(token.application).to have_attributes(id: client.id).
+      and(be_instance_of(Doorkeeper::Application))
+
+    expect(token.resource_owner_id).to eq(resource_owner.id)
   end
 
   def access_grant_should_not_exist
@@ -40,6 +46,22 @@ module ModelHelper
     grant = Doorkeeper::AccessToken.last
     expect(grant.scopes).to eq(Doorkeeper::OAuth::Scopes.from_array(args))
   end
+
+  def uniqueness_error
+    case DOORKEEPER_ORM
+    when :active_record
+      ActiveRecord::RecordNotUnique
+    when :sequel
+      error_classes = [Sequel::UniqueConstraintViolation, Sequel::ValidationFailed]
+      proc { |error| expect(error.class).to be_in(error_classes) }
+    when :mongo_mapper
+      MongoMapper::DocumentNotValid
+    when /mongoid/
+      Mongoid::Errors::Validations
+    else
+      raise "'#{DOORKEEPER_ORM}' ORM is not supported!"
+    end
+  end
 end
 
 RSpec.configuration.send :include, ModelHelper

data/spec/support/http_method_shim.rb

@@ -0,0 +1,24 @@
+# Rails 5 deprecates calling HTTP action methods with positional arguments
+# in favor of keyword arguments. However, the keyword argument form is only
+# supported in Rails 5+. Since we support back to 4, we need some sort of shim
+# to avoid super noisy deprecations when running tests.
+module HTTPMethodShim
+  def get(path, params = nil, headers = nil)
+    super(path, params: params, headers: headers)
+  end
+
+  def post(path, params = nil, headers = nil)
+    super(path, params: params, headers: headers)
+  end
+
+  def put(path, params = nil, headers = nil)
+    super(path, params: params, headers: headers)
+  end
+end
+
+if ::Rails::VERSION::MAJOR >= 5
+  RSpec.configure do |config|
+    config.include HTTPMethodShim, type: :controller
+    config.include HTTPMethodShim, type: :request
+  end
+end