doorkeeper 3.1.0 → 4.2.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 03417189314de7b84fcfa05699c35a0346a55035
-  data.tar.gz: e4026de8e9ed39d2bb270abc9efc4e1ccca20775
+  metadata.gz: b4b94e7f1fb4975a36ad84ccfda9bcfb0b5e2bd7
+  data.tar.gz: fc5914c689e55572a9313caa07f2644c29f37574
 SHA512:
-  metadata.gz: bbe0a1693809bfc8802a66c50df30a128a527a3f239114ffdc69d46e948ac0516594fe3872f3624157632e91078a0ad64aa1f98932b26bdf389228b22bed246b
-  data.tar.gz: 6d434e7dc34b65d1022914f8fd348c9d1c8e6ef41bb30761411eb0c693531ccb12c87c237c1e54fbcbee11a8dd0bf68c82768a6801f273dab2bcaf1fe96afea6
+  metadata.gz: f90cc508667ce0ec9693925a187fbc9ae5b9eeaf95b74648c9981ceea9eaef305d9981f75d48a8b8f0e00929bcc748a51da4b013b814ffa8a9344a4fc44257e1
+  data.tar.gz: 433cafea0488b8d0ab2d7d9b164b9510191f9a6d6534443674064e60c8ea2c0007494a9015b8c9d96a44b603182217496d4221db752c21d1cc5e56b1e377ae86

data/.coveralls.yml

@@ -0,0 +1 @@
+service_name: travis-ci

data/.gitignore

@@ -12,3 +12,8 @@ spec/generators/tmp
 .rvmrc
 *.swp
 .idea
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+coverage

data/.travis.yml

@@ -3,20 +3,24 @@ language: ruby
 sudo: false
 
 rvm:
-  - 2.0
   - 2.1
-  - 2.2
-  - jruby-head
+  - 2.2.6
+  - 2.3.3
+  - 2.4.0
 
-env:
-  - rails=3.2.0
-  - rails=4.1.0
-  - rails=4.2.0
+before_install:
+  - gem install bundler -v '~> 1.10'
+
+gemfile:
+  - gemfiles/rails_4_2.gemfile
+  - gemfiles/rails_5_0.gemfile
+  - gemfiles/rails_5_1.gemfile
 
 matrix:
   exclude:
-    - env: rails=3.2.0
-      rvm: jruby-head
-  exclude:
-    - env: rails=3.2.0
-      rvm: 2.2
+    - gemfile: gemfiles/rails_5_0.gemfile
+      rvm: 2.1
+    - gemfile: gemfiles/rails_5_1.gemfile
+      rvm: 2.1
+  allowed_failures:
+    - gemfile: gemfiles/rails_5_1.gemfile

data/Appraisals

@@ -0,0 +1,14 @@
+appraise "rails-4-2" do
+  gem "rails", "~> 4.2.0"
+end
+
+appraise "rails-5-0" do
+  gem "rails", "~> 5.0.0"
+  gem "rspec-rails", "~> 3.5"
+end
+
+appraise "rails-5-1" do
+  gem "rails", github: "rails/rails"
+  gem "arel", github: "rails/arel"
+  gem "rspec-rails", "~> 3.5"
+end

data/CONTRIBUTING.md

@@ -26,6 +26,8 @@ Make the tests pass:
 
     rake
 
+Add notes on your change to the `NEWS.md` file.
+
 Write a [good commit message][commit].
 Push to your fork.
 [Submit a pull request][pr].

data/Gemfile

@@ -1,10 +1,10 @@
-ENV['rails'] ||= '4.2.0'
+source "https://rubygems.org"
 
-source 'https://rubygems.org'
+gem "rails", "~> 4.2.0"
 
-gem 'rails', "~> #{ENV['rails']}"
+gem "appraisal"
 
-gem "sqlite3", platform: [:ruby, :mswin, :mingw]
 gem "activerecord-jdbcsqlite3-adapter", platform: :jruby
-
+gem "sqlite3", platform: [:ruby, :mswin, :mingw, :x64_mingw]
+gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw]
 gemspec

data/NEWS.md

@@ -2,7 +2,88 @@
 
 User-visible changes worth mentioning.
 
----
+## master
+
+- [#970] Escape certain attributes in authorization forms.
+
+## 4.2.5
+
+- [#936] Deprecate `Doorkeeper#configured?`, `Doorkeeper#database_installed?`, and
+  `Doorkeeper#installed?`
+- [#909] Add `InvalidTokenResponse#reason` reader method to allow read the kind
+  of invalid token error.
+- [#928] Test against more recent Ruby versions
+- Small refactorings within the codebase
+- [#921] Switch to Appraisal, and test against Rails master
+- [#892] Add minimum Ruby version requirement
+
+## 4.2.0
+
+- Security fix: Address CVE-2016-6582, implement token revocation according to
+    spec (tokens might not be revoked if client follows the spec).
+- [#873] Add hooks to Doorkeeper::ApplicationMetalController
+- [#871] Allow downstream users to better utilize doorkeeper spec factories by
+  eliminating name conflict on `:user` factory.
+
+## 4.1.0
+
+- [#845] Allow customising the `Doorkeeper::ApplicationController` base
+  controller
+
+## 4.0.0
+
+- [#834] Fix AssetNotPrecompiled error with Sprockets 4
+- [#843] Revert "Fix validation error messages"
+- [#847] Specify Null option to timestamps
+
+## 4.0.0.rc4
+
+- [#777] Add support for public client in password grant flow
+- [#823] Make configuration and specs ORM independent
+- [#745] Add created_at timestamp to token generation options
+- [#838] Drop `Application#scopes` generator and warning, introduced for
+  upgrading doorkeeper from v2 to v3.
+- [#801] Fix Rails 5 warning messages
+- Test against Rails 5 RC1
+
+## 4.0.0.rc3
+
+- [#769] Revoke refresh token on access token use. To make use of the new config
+  add `previous_refresh_token` column to `oauth_access_tokens`:
+
+  ```
+  rails generate doorkeeper:previous_refresh_token
+  ```
+- [#811] Toughen parameters filter with exact match
+- [#813] Applications admin bugfix
+- [#799] Fix Ruby Warnings
+- Drop `attr_accessible` from models
+
+### Backward incompatible changes
+
+- [#730] Force all timezones to use UTC to prevent comparison issues.
+- [#802] Remove `config.i18n.fallbacks` from engine
+
+## 4.0.0.rc2
+
+- Fix optional belongs_to for Rails 5
+- Fix Ruby warnings
+
+## 4.0.0.rc1
+
+### Backward incompatible changes
+
+- Drops support for Rails 4.1 and earlier
+- Drops support for Ruby 2.0
+- [#778] Bug fix: use the remaining time that a token is still valid when
+  building the redirect URI for the implicit grant flow
+
+### Other changes
+
+- [#771] Validation error messages fixes
+- Adds foreign key constraints in generated migrations between tokens and
+  grants, and applications
+- Support Rails 5
 
 ## 3.1.0
 
@@ -67,7 +148,7 @@ User-visible changes worth mentioning.
 - Remove `applications.scopes` upgrade notice.
 
 
-## 2.2.2 (unreleased)
+## 2.2.2
 
 - [#541] Fixed `undefined method attr_accessible` problem on Rails 4
     (happens only when ProtectedAttributes gem is used) in #599

data/README.md

@@ -1,9 +1,10 @@
-# Doorkeeper - awesome oauth provider for your Rails app.
+# Doorkeeper - awesome OAuth2 provider for your Rails app.
 
 [![Build Status](https://travis-ci.org/doorkeeper-gem/doorkeeper.svg?branch=master)](https://travis-ci.org/doorkeeper-gem/doorkeeper)
-[![Dependency Status](https://gemnasium.com/applicake/doorkeeper.svg?travis)](https://gemnasium.com/applicake/doorkeeper)
-[![Code Climate](https://codeclimate.com/github/applicake/doorkeeper.svg)](https://codeclimate.com/github/applicake/doorkeeper)
+[![Dependency Status](https://gemnasium.com/doorkeeper-gem/doorkeeper.svg?travis)](https://gemnasium.com/doorkeeper-gem/doorkeeper)
+[![Code Climate](https://codeclimate.com/github/doorkeeper-gem/doorkeeper.svg)](https://codeclimate.com/github/doorkeeper-gem/doorkeeper)
 [![Gem Version](https://badge.fury.io/rb/doorkeeper.svg)](https://rubygems.org/gems/doorkeeper)
+[![Security](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master.svg)](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master)
 
 Doorkeeper is a gem that makes it easy to introduce OAuth 2 provider
 functionality to your Rails or Grape application.
@@ -16,43 +17,41 @@ functionality to your Rails or Grape application.
 Please check the documentation for the version of doorkeeper you are using in:
 https://github.com/doorkeeper-gem/doorkeeper/releases
 
+- See the [wiki](https://github.com/doorkeeper-gem/doorkeeper/wiki)
+- For general questions, please post in [Stack Overflow](http://stackoverflow.com/questions/tagged/doorkeeper)
+
 ## Table of Contents
 
 <!-- START doctoc generated TOC please keep comment here to allow auto update -->
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
-- [Useful links](#useful-links)
+
 - [Installation](#installation)
 - [Configuration](#configuration)
-    - [Active Record](#active-record)
-    - [Other ORMs](#other-orms)
-    - [Routes](#routes)
-    - [Authenticating](#authenticating)
-    - [Internationalization (I18n)](#internationalization-i18n)
+  - [Active Record](#active-record)
+  - [Other ORMs](#other-orms)
+  - [Routes](#routes)
+  - [Authenticating](#authenticating)
+  - [Internationalization (I18n)](#internationalization-i18n)
 - [Protecting resources with OAuth (a.k.a your API endpoint)](#protecting-resources-with-oauth-aka-your-api-endpoint)
-    - [Protect your API with OAuth when using Grape](#protect-your-api-with-oauth-when-using-grape)
-    - [Route Constraints and other integrations](#route-constraints-and-other-integrations)
-    - [Access Token Scopes](#access-token-scopes)
-    - [Custom Access Token Generator](#custom-access-token-generator)
-    - [Authenticated resource owner](#authenticated-resource-owner)
-    - [Applications list](#applications-list)
+  - [Protect your API with OAuth when using Grape](#protect-your-api-with-oauth-when-using-grape)
+  - [Route Constraints and other integrations](#route-constraints-and-other-integrations)
+  - [Access Token Scopes](#access-token-scopes)
+  - [Custom Access Token Generator](#custom-access-token-generator)
+  - [Authenticated resource owner](#authenticated-resource-owner)
+  - [Applications list](#applications-list)
 - [Other customizations](#other-customizations)
 - [Upgrading](#upgrading)
 - [Development](#development)
 - [Contributing](#contributing)
 - [Other resources](#other-resources)
-    - [Wiki](#wiki)
-    - [Screencast](#screencast)
-    - [Client applications](#client-applications)
-    - [Contributors](#contributors)
-    - [IETF Standards](#ietf-standards)
-    - [License](#license)
-<!-- END doctoc generated TOC please keep comment here to allow auto update -->
+  - [Wiki](#wiki)
+  - [Screencast](#screencast)
+  - [Client applications](#client-applications)
+  - [Contributors](#contributors)
+  - [IETF Standards](#ietf-standards)
+  - [License](#license)
 
-
-## Useful links
-
-- For documentation, please check out our [wiki](https://github.com/doorkeeper-gem/doorkeeper/wiki)
-- For general questions, please post it in [stack overflow](http://stackoverflow.com/questions/tagged/doorkeeper)
+<!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
 ## Installation
 
@@ -77,17 +76,33 @@ to generate the migration tables:
 
     rails generate doorkeeper:migration
 
-Don't forget to run the migration with:
+You may want to add foreign keys to your migration. For example, if you plan on
+using `User` as the resource owner, add the following line to the migration file
+for each table that includes a `resource_owner_id` column:
 
-    rake db:migrate
+```ruby
+add_foreign_key :table_name, :users, column: :resource_owner_id
+```
+
+Then run migrations:
+
+```sh
+rake db:migrate
+```
 
 ### Other ORMs
 
-See [doorkeeper-mongodb project] for mongoid and mongomapper support. Follow along
+See [doorkeeper-mongodb project] for Mongoid and MongoMapper support. Follow along
 the implementation in that repository to extend doorkeeper with other ORMs.
 
 [doorkeeper-mongodb project]: https://github.com/doorkeeper-gem/doorkeeper-mongodb
 
+If you are using [Sequel gem] then you can add [doorkeeper-sequel extension] to your project.
+Follow configuration instructions for setting up the necessary Doorkeeper ORM.
+
+[Sequel gem]: https://github.com/jeremyevans/sequel/
+[doorkeeper-sequel extension]: https://github.com/nbulaj/doorkeeper-sequel
+
 ### Routes
 
 The installation script will also automatically add the Doorkeeper routes into
@@ -119,7 +134,7 @@ wiki](https://github.com/doorkeeper-gem/doorkeeper/wiki/Customizing-routes).
 ### Authenticating
 
 You need to configure Doorkeeper in order to provide `resource_owner` model
-and authentication block `initializers/doorkeeper.rb`
+and authentication block in `config/initializers/doorkeeper.rb`:
 
 ``` ruby
 Doorkeeper.configure do
@@ -161,7 +176,7 @@ You can pass any option `before_action` accepts, such as `if`, `only`,
 
 ### Protect your API with OAuth when using Grape
 
-As of [PR 567] doorkeeper has helpers for Grape. One of them is
+As of [PR 567] doorkeeper has helpers for Grape >= 0.10. One of them is
 `doorkeeper_authorize!` and can be used in a similar way as an example above.
 Note that you have to use `require 'doorkeeper/grape/helpers'` and
 `helpers Doorkeeper::Grape::Helpers`.
@@ -183,6 +198,11 @@ module API
         doorkeeper_authorize!
       end
 
+      route_setting :scopes, ['user:email']
+      get :emails do
+        [{'email' => current_user.email}]
+      end
+
       # ...
     end
   end
@@ -238,13 +258,13 @@ class Api::V1::ProductsController < Api::V1::ApiController
 end
 ```
 
-Please note that there is a logical OR between multiple required scopes. In
+Please note that there is a logical OR between multiple required scopes. In the
 above example, `doorkeeper_authorize! :admin, :write` means that the access
-token is required to have either `:admin` scope or `:write` scope, but not need
-have both of them.
+token is required to have either `:admin` scope or `:write` scope, but does not
+need have both of them.
 
-If want to require the access token to have multiple scopes at the same time,
-use multiple `doorkeeper_authorize!`, for example:
+If you want to require the access token to have multiple scopes at the same
+time, use multiple `doorkeeper_authorize!`, for example:
 
 ```ruby
 class Api::V1::ProductsController < Api::V1::ApiController
@@ -256,8 +276,8 @@ class Api::V1::ProductsController < Api::V1::ApiController
 end
 ```
 
-In above example, a client can call `:create` action only if its access token
-have both `:admin` and `:write` scopes.
+In the above example, a client can call `:create` action only if its access token
+has both `:admin` and `:write` scopes.
 
 ### Custom Access Token Generator
 
@@ -274,6 +294,16 @@ end
 JWT token support is available with
 [Doorkeeper-JWT](https://github.com/chriswarren/doorkeeper-jwt).
 
+### Custom Base Controller
+
+By default Doorkeeper's main controller `Doorkeeper::ApplicationController` inherits from `ActionController::Base`.
+You may want to use your own controller to inherit from, to keep Doorkeeper controllers in the same context than the rest your app:
+
+```ruby
+Doorkeeper.configure do
+  base_controller 'ApplicationController'
+end
+```
 
 ### Authenticated resource owner
 
@@ -305,7 +335,7 @@ token owner.
 
 ### Applications list
 
-By default, the applications list (`/oauth/applications`) is public available.
+By default, the applications list (`/oauth/applications`) is publicly available.
 To protect the endpoint you should uncomment these lines:
 
 ```ruby
@@ -319,9 +349,9 @@ end
 
 The logic is the same as the `resource_owner_authenticator` block. **Note:**
 since the application list is just a scaffold, it's recommended to either
-customize the controller used by the list or skip the controller at all. For
-more information see the page [in the
-wiki](https://github.com/doorkeeper-gem/doorkeeper/wiki/Customizing-routes).
+customize the controller used by the list or skip the controller all together.
+For more information see the page
+[in the wiki](https://github.com/doorkeeper-gem/doorkeeper/wiki/Customizing-routes).
 
 ## Other customizations
 

data/RELEASING.md

@@ -1,17 +1,10 @@
 # Releasing doorkeeper
 
+How to release doorkeeper in five easy steps!
+
 1. Update `lib/doorkeeper/version.rb` file accordingly.
 2. Update `NEWS.md` to reflect the changes since last release.
-3. Commit changes. There shouldn’t be code changes, and thus CI doesn’t need to
-   run, you can then add “[ci skip]” to the commit message.
-4. Tag the release: `git tag vVERSION -m "Release vVERSION"`
-5. Push changes: `git push && git push --tags`
-6. Build and publish the gem:
-
-   ```bash
-   gem build doorkeeper.gemspec
-   gem push doorkeeper-*.gem
-   ```
-
-7. Announce the new release, making sure to say “thank you” to the contributors
+3. Commit changes: `git commit -am 'Bump to vVERSION'`
+4. Run `rake release`
+5. Announce the new release, making sure to say “thank you” to the contributors
    who helped shape this version!

data/Rakefile

@@ -2,7 +2,7 @@ require 'bundler/setup'
 require 'rspec/core/rake_task'
 
 desc 'Default: run specs.'
-task :default => :spec
+task default: :spec
 
 desc "Run all specs"
 RSpec::Core::RakeTask.new(:spec) do |config|

data/app/controllers/doorkeeper/application_controller.rb

@@ -1,5 +1,7 @@
 module Doorkeeper
-  class ApplicationController < ActionController::Base
+  class ApplicationController <
+    Doorkeeper.configuration.base_controller.constantize
+
     include Helpers::Controller
 
     if ::Rails.version.to_i < 4

data/app/controllers/doorkeeper/application_metal_controller.rb

@@ -1,16 +1,17 @@
 module Doorkeeper
   class ApplicationMetalController < ActionController::Metal
     MODULES = [
-      ActionController::RackDelegation,
       ActionController::Instrumentation,
       AbstractController::Rendering,
       ActionController::Rendering,
       ActionController::Renderers::All,
       Helpers::Controller
-    ]
+    ].freeze
 
     MODULES.each do |mod|
       include mod
     end
+
+    ActiveSupport.run_load_hooks(:doorkeeper_metal_controller, self)
   end
 end

data/app/controllers/doorkeeper/applications_controller.rb

@@ -2,8 +2,8 @@ module Doorkeeper
   class ApplicationsController < Doorkeeper::ApplicationController
     layout 'doorkeeper/admin'
 
-    before_filter :authenticate_admin!
-    before_filter :set_application, only: [:show, :edit, :update, :destroy]
+    before_action :authenticate_admin!
+    before_action :set_application, only: [:show, :edit, :update, :destroy]
 
     def index
       @applications = Application.all
@@ -44,11 +44,7 @@ module Doorkeeper
     end
 
     def application_params
-      if params.respond_to?(:permit)
-        params.require(:doorkeeper_application).permit(:name, :redirect_uri, :scopes)
-      else
-        params[:doorkeeper_application].slice(:name, :redirect_uri, :scopes) rescue nil
-      end
+      params.require(:doorkeeper_application).permit(:name, :redirect_uri, :scopes)
     end
   end
 end

data/app/controllers/doorkeeper/authorizations_controller.rb

@@ -1,6 +1,6 @@
 module Doorkeeper
   class AuthorizationsController < Doorkeeper::ApplicationController
-    before_filter :authenticate_resource_owner!
+    before_action :authenticate_resource_owner!
 
     def new
       if pre_auth.authorizable?

data/app/controllers/doorkeeper/authorized_applications_controller.rb

@@ -1,6 +1,6 @@
 module Doorkeeper
   class AuthorizedApplicationsController < Doorkeeper::ApplicationController
-    before_filter :authenticate_resource_owner!
+    before_action :authenticate_resource_owner!
 
     def index
       @applications = Application.authorized_for(current_resource_owner)

data/app/controllers/doorkeeper/tokens_controller.rb

@@ -2,7 +2,7 @@ module Doorkeeper
   class TokensController < Doorkeeper::ApplicationMetalController
     def create
       response = authorize_response
-      self.headers.merge! response.headers
+      headers.merge! response.headers
       self.response_body = response.body.to_json
       self.status        = response.status
     rescue Errors::DoorkeeperError => e
@@ -11,29 +11,65 @@ module Doorkeeper
 
     # OAuth 2.0 Token Revocation - http://tools.ietf.org/html/rfc7009
     def revoke
-      # The authorization server first validates the client credentials
-      if doorkeeper_token && doorkeeper_token.accessible?
-        # Doorkeeper does not use the token_type_hint logic described in the RFC 7009
-        # due to the refresh token implementation that is a field in the access token model.
-        revoke_token(request.POST['token']) if request.POST['token']
+      # The authorization server, if applicable, first authenticates the client
+      # and checks its ownership of the provided token.
+      #
+      # Doorkeeper does not use the token_type_hint logic described in the
+      # RFC 7009 due to the refresh token implementation that is a field in
+      # the access token model.
+      if authorized?
+        revoke_token
       end
-      # The authorization server responds with HTTP status code 200 if the
-      # token has been revoked successfully or if the client submitted an invalid token
+
+      # The authorization server responds with HTTP status code 200 if the token
+      # has been revoked successfully or if the client submitted an invalid
+      # token
       render json: {}, status: 200
     end
 
     private
 
-    def revoke_token(token)
-      token = AccessToken.by_token(token) || AccessToken.by_refresh_token(token)
-      if token && doorkeeper_token.same_credential?(token)
+    # OAuth 2.0 Section 2.1 defines two client types, "public" & "confidential".
+    # Public clients (as per RFC 7009) do not require authentication whereas
+    # confidential clients must be authenticated for their token revocation.
+    #
+    # Once a confidential client is authenticated, it must be authorized to
+    # revoke the provided access or refresh token. This ensures one client
+    # cannot revoke another's tokens.
+    #
+    # Doorkeeper determines the client type implicitly via the presence of the
+    # OAuth client associated with a given access or refresh token. Since public
+    # clients authenticate the resource owner via "password" or "implicit" grant
+    # types, they set the application_id as null (since the claim cannot be
+    # verified).
+    #
+    # https://tools.ietf.org/html/rfc6749#section-2.1
+    # https://tools.ietf.org/html/rfc7009
+    def authorized?
+      if token.present?
+        # Client is confidential, therefore client authentication & authorization
+        # is required
+        if token.application_id?
+          # We authorize client by checking token's application
+          server.client && server.client.application == token.application
+        else
+          # Client is public, authentication unnecessary
+          true
+        end
+      end
+    end
+
+    def revoke_token
+      if token.accessible?
         token.revoke
-        true
-      else
-        false
       end
     end
 
+    def token
+      @token ||= AccessToken.by_token(request.POST['token']) ||
+        AccessToken.by_refresh_token(request.POST['token'])
+    end
+
     def strategy
       @strategy ||= server.token_request params[:grant_type]
     end

data/app/helpers/doorkeeper/dashboard_helper.rb

@@ -1,15 +1,17 @@
-module Doorkeeper::DashboardHelper
-  def doorkeeper_errors_for(object, method)
-    if object.errors[method].present?
-      object.errors[method].map do |msg|
-        content_tag(:span, class: 'help-block') do
-          msg.capitalize
-        end
-      end.join.html_safe
+module Doorkeeper
+  module DashboardHelper
+    def doorkeeper_errors_for(object, method)
+      if object.errors[method].present?
+        object.errors[method].map do |msg|
+          content_tag(:span, class: 'help-block') do
+            msg.capitalize
+          end
+        end.join.html_safe
+      end
     end
-  end
 
-  def doorkeeper_submit_path(application)
-    application.persisted? ? oauth_application_path(application) : oauth_applications_path
+    def doorkeeper_submit_path(application)
+      application.persisted? ? oauth_application_path(application) : oauth_applications_path
+    end
   end
 end

data/app/views/doorkeeper/applications/_delete_form.html.erb

@@ -1,5 +1,4 @@
 <%- submit_btn_css ||= 'btn btn-link' %>
-<%= form_tag oauth_application_path(application) do %>
-  <input type="hidden" name="_method" value="delete">
+<%= form_tag oauth_application_path(application), method: :delete do %>
   <%= submit_tag t('doorkeeper.applications.buttons.destroy'), onclick: "return confirm('#{ t('doorkeeper.applications.confirmations.destroy') }')", class: submit_btn_css %>
 <% end %>

data/app/views/doorkeeper/applications/_form.html.erb

@@ -21,7 +21,7 @@
       </span>
       <% if Doorkeeper.configuration.native_redirect_uri %>
           <span class="help-block">
-            <%= raw t('doorkeeper.applications.help.native_redirect_uri', native_redirect_uri: "<code>#{ Doorkeeper.configuration.native_redirect_uri }</code>") %>
+            <%= raw t('doorkeeper.applications.help.native_redirect_uri', native_redirect_uri: content_tag(:code) { Doorkeeper.configuration.native_redirect_uri }) %>
           </span>
       <% end %>
     </div>