RubyGems - doorkeeper - Versions diffs - 3.1.0 → 4.2.6 - Mend

doorkeeper 3.1.0 → 4.2.6

Potentially problematic release.

This version of doorkeeper might be problematic. Click here for more details.

Files changed (137) hide show

checksums.yaml +4 -4
data/.coveralls.yml +1 -0
data/.gitignore +5 -0
data/.travis.yml +16 -12
data/Appraisals +14 -0
data/CONTRIBUTING.md +2 -0
data/Gemfile +5 -5
data/NEWS.md +83 -2
data/README.md +73 -43
data/RELEASING.md +5 -12
data/Rakefile +1 -1
data/app/controllers/doorkeeper/application_controller.rb +3 -1
data/app/controllers/doorkeeper/application_metal_controller.rb +3 -2
data/app/controllers/doorkeeper/applications_controller.rb +3 -7
data/app/controllers/doorkeeper/authorizations_controller.rb +1 -1
data/app/controllers/doorkeeper/authorized_applications_controller.rb +1 -1
data/app/controllers/doorkeeper/tokens_controller.rb +50 -14
data/app/helpers/doorkeeper/dashboard_helper.rb +13 -11
data/app/views/doorkeeper/applications/_delete_form.html.erb +1 -2
data/app/views/doorkeeper/applications/_form.html.erb +1 -1
data/app/views/doorkeeper/applications/show.html.erb +1 -1
data/app/views/doorkeeper/authorizations/new.html.erb +1 -1
data/app/views/doorkeeper/authorized_applications/_delete_form.html.erb +1 -2
data/app/views/layouts/doorkeeper/admin.html.erb +1 -1
data/config/locales/en.yml +3 -2
data/doorkeeper.gemspec +12 -10
data/gemfiles/rails_4_2.gemfile +11 -0
data/gemfiles/rails_5_0.gemfile +12 -0
data/gemfiles/rails_5_1.gemfile +13 -0
data/lib/doorkeeper/config.rb +73 -16
data/lib/doorkeeper/engine.rb +11 -7
data/lib/doorkeeper/errors.rb +18 -0
data/lib/doorkeeper/grape/helpers.rb +2 -1
data/lib/doorkeeper/helpers/controller.rb +8 -23
data/lib/doorkeeper/models/access_grant_mixin.rb +21 -5
data/lib/doorkeeper/models/access_token_mixin.rb +145 -23
data/lib/doorkeeper/models/application_mixin.rb +21 -9
data/lib/doorkeeper/models/concerns/accessible.rb +4 -0
data/lib/doorkeeper/models/concerns/expirable.rb +10 -2
data/lib/doorkeeper/models/concerns/ownership.rb +6 -1
data/lib/doorkeeper/models/concerns/revocable.rb +37 -2
data/lib/doorkeeper/oauth/authorization/uri_builder.rb +20 -18
data/lib/doorkeeper/oauth/authorization_code_request.rb +1 -4
data/lib/doorkeeper/oauth/{request_concern.rb → base_request.rb} +3 -1
data/lib/doorkeeper/oauth/base_response.rb +29 -0
data/lib/doorkeeper/oauth/client/credentials.rb +17 -6
data/lib/doorkeeper/oauth/client.rb +0 -1
data/lib/doorkeeper/oauth/client_credentials/creator.rb +1 -1
data/lib/doorkeeper/oauth/client_credentials/issuer.rb +3 -2
data/lib/doorkeeper/oauth/client_credentials/validation.rb +1 -1
data/lib/doorkeeper/oauth/client_credentials_request.rb +8 -8
data/lib/doorkeeper/oauth/code_response.rb +16 -16
data/lib/doorkeeper/oauth/error_response.rb +9 -8
data/lib/doorkeeper/oauth/helpers/scope_checker.rb +1 -1
data/lib/doorkeeper/oauth/helpers/uri_checker.rb +2 -1
data/lib/doorkeeper/oauth/invalid_token_response.rb +2 -0
data/lib/doorkeeper/oauth/password_access_token_request.rb +7 -13
data/lib/doorkeeper/oauth/refresh_token_request.rb +22 -14
data/lib/doorkeeper/oauth/scopes.rb +2 -2
data/lib/doorkeeper/oauth/token.rb +20 -21
data/lib/doorkeeper/oauth/token_request.rb +1 -2
data/lib/doorkeeper/oauth/token_response.rb +1 -1
data/lib/doorkeeper/orm/active_record/access_token.rb +25 -0
data/lib/doorkeeper/orm/active_record/application.rb +12 -12
data/lib/doorkeeper/orm/active_record.rb +0 -16
data/lib/doorkeeper/rails/helpers.rb +1 -3
data/lib/doorkeeper/rails/routes/mapper.rb +4 -4
data/lib/doorkeeper/rails/routes/mapping.rb +1 -1
data/lib/doorkeeper/rails/routes.rb +4 -4
data/lib/doorkeeper/request/authorization_code.rb +7 -1
data/lib/doorkeeper/request/password.rb +11 -1
data/lib/doorkeeper/request/refresh_token.rb +1 -1
data/lib/doorkeeper/server.rb +0 -8
data/lib/doorkeeper/version.rb +1 -1
data/lib/doorkeeper.rb +8 -2
data/lib/generators/doorkeeper/previous_refresh_token_generator.rb +29 -0
data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb +1 -1
data/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb +11 -0
data/lib/generators/doorkeeper/templates/initializer.rb +8 -3
data/lib/generators/doorkeeper/templates/migration.rb +23 -5
data/spec/controllers/application_metal_controller.rb +10 -0
data/spec/controllers/authorizations_controller_spec.rb +39 -24
data/spec/controllers/protected_resources_controller_spec.rb +47 -18
data/spec/controllers/tokens_controller_spec.rb +1 -1
data/spec/dummy/app/controllers/full_protected_resources_controller.rb +4 -4
data/spec/dummy/app/controllers/home_controller.rb +1 -1
data/spec/dummy/app/controllers/metal_controller.rb +1 -1
data/spec/dummy/app/controllers/semi_protected_resources_controller.rb +3 -3
data/spec/dummy/app/models/user.rb +0 -4
data/spec/dummy/config/application.rb +2 -36
data/spec/dummy/config/environment.rb +1 -1
data/spec/dummy/config/environments/test.rb +4 -15
data/spec/dummy/config/initializers/active_record_belongs_to_required_by_default.rb +6 -0
data/spec/dummy/config/initializers/doorkeeper.rb +2 -2
data/spec/dummy/db/migrate/{20130902165751_create_doorkeeper_tables.rb → 20151223192035_create_doorkeeper_tables.rb} +24 -5
data/spec/dummy/db/migrate/{20130902175349_add_owner_to_application.rb → 20151223200000_add_owner_to_application.rb} +0 -0
data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb +11 -0
data/spec/dummy/db/schema.rb +23 -22
data/spec/factories.rb +3 -1
data/spec/lib/config_spec.rb +19 -2
data/spec/lib/doorkeeper_spec.rb +135 -13
data/spec/lib/models/expirable_spec.rb +0 -1
data/spec/lib/models/revocable_spec.rb +27 -4
data/spec/lib/oauth/authorization/uri_builder_spec.rb +1 -2
data/spec/lib/oauth/authorization_code_request_spec.rb +1 -1
data/spec/lib/oauth/base_request_spec.rb +160 -0
data/spec/lib/oauth/base_response_spec.rb +45 -0
data/spec/lib/oauth/client/credentials_spec.rb +41 -0
data/spec/lib/oauth/code_response_spec.rb +34 -0
data/spec/lib/oauth/error_response_spec.rb +9 -9
data/spec/lib/oauth/invalid_token_response_spec.rb +36 -8
data/spec/lib/oauth/password_access_token_request_spec.rb +5 -5
data/spec/lib/oauth/refresh_token_request_spec.rb +34 -3
data/spec/lib/oauth/scopes_spec.rb +0 -1
data/spec/lib/oauth/token_spec.rb +12 -5
data/spec/lib/server_spec.rb +0 -3
data/spec/models/doorkeeper/access_token_spec.rb +45 -1
data/spec/models/doorkeeper/application_spec.rb +3 -11
data/spec/requests/endpoints/authorization_spec.rb +5 -6
data/spec/requests/flows/authorization_code_errors_spec.rb +11 -1
data/spec/requests/flows/authorization_code_spec.rb +4 -12
data/spec/requests/flows/password_spec.rb +26 -5
data/spec/requests/flows/refresh_token_spec.rb +87 -17
data/spec/requests/flows/revoke_token_spec.rb +100 -86
data/spec/spec_helper.rb +2 -0
data/spec/spec_helper_integration.rb +8 -1
data/spec/support/helpers/model_helper.rb +27 -5
data/spec/support/helpers/request_spec_helper.rb +12 -4
data/spec/support/http_method_shim.rb +38 -0
data/spec/support/shared/controllers_shared_context.rb +13 -4
data/spec/support/shared/models_shared_examples.rb +1 -1
metadata +72 -42
data/lib/doorkeeper/oauth/client/methods.rb +0 -18
data/lib/generators/doorkeeper/application_scopes_generator.rb +0 -34
data/lib/generators/doorkeeper/templates/add_scopes_to_oauth_applications.rb +0 -5
data/spec/dummy/db/migrate/20141209001746_add_scopes_to_oauth_applications.rb +0 -5
data/spec/lib/oauth/client/methods_spec.rb +0 -54

data/spec/lib/oauth/error_response_spec.rb CHANGED Viewed

@@ -43,19 +43,19 @@ module Doorkeeper::OAuth
       end
     end
-    describe '.authenticate_info' do
+    describe '.headers' do
       let(:error_response) { ErrorResponse.new(name: :some_error, state: :some_state) }
-      subject { error_response.authenticate_info }
+      subject { error_response.headers }
-      it { expect(subject).to include("realm=\"#{error_response.realm}\"") }
-      it { expect(subject).to include("error=\"#{error_response.name}\"") }
-      it { expect(subject).to include("error_description=\"#{error_response.description}\"") }
-    end
+      it { expect(subject).to include 'WWW-Authenticate' }
-    describe '.headers' do
-      subject { ErrorResponse.new(name: :some_error, state: :some_state).headers }
+      describe "WWW-Authenticate header" do
+        subject { error_response.headers["WWW-Authenticate"] }
-      it { expect(subject).to include 'WWW-Authenticate' }
+        it { expect(subject).to include("realm=\"#{error_response.realm}\"") }
+        it { expect(subject).to include("error=\"#{error_response.name}\"") }
+        it { expect(subject).to include("error_description=\"#{error_response.description}\"") }
+      end
     end
   end
 end

data/spec/lib/oauth/invalid_token_response_spec.rb CHANGED Viewed

@@ -5,23 +5,51 @@ require 'doorkeeper/oauth/invalid_token_response'
 module Doorkeeper::OAuth
   describe InvalidTokenResponse do
-    describe '#name' do
+    describe "#name" do
       it  { expect(subject.name).to eq(:invalid_token) }
     end
-    describe '#status' do
+    describe "#status" do
       it { expect(subject.status).to eq(:unauthorized) }
     end
     describe :from_access_token do
-      it 'revoked' do
-        response = InvalidTokenResponse.from_access_token double(revoked?: true, expired?: true)
-        expect(response.description).to include('revoked')
+      let(:response) { InvalidTokenResponse.from_access_token(access_token) }
+      context "revoked" do
+        let(:access_token) { double(revoked?: true, expired?: true) }
+        it "sets a description" do
+          expect(response.description).to include("revoked")
+        end
+        it "sets the reason" do
+          expect(response.reason).to eq(:revoked)
+        end
       end
-      it 'expired' do
-        response = InvalidTokenResponse.from_access_token double(revoked?: false, expired?: true)
-        expect(response.description).to include('expired')
+      context "expired" do
+        let(:access_token) { double(revoked?: false, expired?: true) }
+        it "sets a description" do
+          expect(response.description).to include("expired")
+        end
+        it "sets the reason" do
+          expect(response.reason).to eq(:expired)
+        end
+      end
+      context "unkown" do
+        let(:access_token) { double(revoked?: false, expired?: false) }
+        it "sets a description" do
+          expect(response.description).to include("invalid")
+        end
+        it "sets the reason" do
+          expect(response.reason).to eq(:unknown)
+        end
       end
     end
   end

data/spec/lib/oauth/password_access_token_request_spec.rb CHANGED Viewed

@@ -11,23 +11,22 @@ module Doorkeeper::OAuth
         custom_access_token_expires_in: ->(_app) { nil }
       )
     end
-    let(:credentials) { Client::Credentials.new(client.uid, client.secret) }
     let(:client) { FactoryGirl.create(:application) }
     let(:owner)  { double :owner, id: 99 }
     subject do
-      PasswordAccessTokenRequest.new(server, credentials, owner)
+      PasswordAccessTokenRequest.new(server, client, owner)
     end
     it 'issues a new token for the client' do
       expect do
         subject.authorize
-      end.to change { client.access_tokens.count }.by(1)
+      end.to change { client.reload.access_tokens.count }.by(1)
     end
     it 'issues a new token without a client' do
       expect do
-        subject.credentials = nil
+        subject.client = nil
         subject.authorize
       end.to change { Doorkeeper::AccessToken.count }.by(1)
     end
@@ -35,6 +34,7 @@ module Doorkeeper::OAuth
     it 'does not issue a new token with an invalid client' do
       expect do
         subject.client = nil
+        subject.parameters = { client_id: 'bad_id' }
         subject.authorize
       end.to_not change { Doorkeeper::AccessToken.count }
@@ -48,7 +48,7 @@ module Doorkeeper::OAuth
     end
     it 'optionally accepts the client' do
-      subject.credentials = nil
+      subject.client = nil
       expect(subject).to be_valid
     end

data/spec/lib/oauth/refresh_token_request_spec.rb CHANGED Viewed

@@ -2,6 +2,9 @@ require 'spec_helper_integration'
 module Doorkeeper::OAuth
   describe RefreshTokenRequest do
+    before do
+      allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
+    end
     let(:server) do
       double :server,
              access_token_expires_in: 2.minutes,
@@ -16,9 +19,7 @@ module Doorkeeper::OAuth
     subject { RefreshTokenRequest.new server, refresh_token, credentials }
     it 'issues a new token for the client' do
-      expect do
-        subject.authorize
-      end.to change { client.access_tokens.count }.by(1)
+      expect { subject.authorize }.to change { client.reload.access_tokens.count }.by(1)
       expect(client.reload.access_tokens.last.expires_in).to eq(120)
     end
@@ -27,6 +28,8 @@ module Doorkeeper::OAuth
                       access_token_expires_in: 2.minutes,
                       custom_access_token_expires_in: ->(_oauth_client) { 1234 }
+      allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
       RefreshTokenRequest.new(server, refresh_token, credentials).authorize
       expect(client.reload.access_tokens.last.expires_in).to eq(1234)
@@ -67,6 +70,34 @@ module Doorkeeper::OAuth
       expect(subject).to be_valid
     end
+    context 'refresh tokens expire on access token use' do
+      let(:server) do
+        double :server,
+               access_token_expires_in: 2.minutes,
+               custom_access_token_expires_in: ->(_oauth_client) { 1234 }
+      end
+      before do
+        allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(true)
+      end
+      it 'issues a new token for the client' do
+        expect { subject.authorize }.to change { client.reload.access_tokens.count }.by(1)
+      end
+      it 'does not revoke the previous token' do
+        subject.authorize
+        expect(refresh_token).not_to be_revoked
+      end
+      it 'sets the previous refresh token in the new access token' do
+        subject.authorize
+        expect(
+          client.access_tokens.last.previous_refresh_token
+        ).to eq(refresh_token.refresh_token)
+      end
+    end
     context 'clientless access tokens' do
       let!(:refresh_token) { FactoryGirl.create(:clientless_access_token, use_refresh_token: true) }

data/spec/lib/oauth/scopes_spec.rb CHANGED Viewed

@@ -67,7 +67,6 @@ module Doorkeeper::OAuth
       it 'does not change the existing object' do
         origin = Scopes.from_string('public')
-        new_scope = origin + Scopes.from_string('admin')
         expect(origin.to_s).to eq('public')
       end

data/spec/lib/oauth/token_spec.rb CHANGED Viewed

@@ -30,7 +30,7 @@ module Doorkeeper
         it 'stops at the first credentials found' do
           not_called_method = double
           expect(not_called_method).not_to receive(:call)
-          Token.from_request request, ->(r) {}, method, not_called_method
+          Token.from_request request, ->(_r) {}, method, not_called_method
         end
         it 'returns the credential from extractor method' do
@@ -96,13 +96,20 @@ module Doorkeeper
       end
       describe :authenticate do
-        let(:finder) { double :finder }
-        it 'calls the finder if token was found' do
-          token = ->(r) { 'token' }
+        it 'calls the finder if token was returned' do
+          token = ->(_r) { 'token' }
           expect(AccessToken).to receive(:by_token).with('token')
           Token.authenticate double, token
         end
+        it 'revokes previous refresh_token if token was found' do
+          token = ->(_r) { 'token' }
+          expect(
+            AccessToken
+          ).to receive(:by_token).with('token').and_return(token)
+          expect(token).to receive(:revoke_previous_refresh_token!)
+          Token.authenticate double, token
+        end
       end
     end
   end

data/spec/lib/server_spec.rb CHANGED Viewed

@@ -1,7 +1,4 @@
 require 'spec_helper'
-require 'active_support/all'
-require 'doorkeeper/errors'
-require 'doorkeeper/server'
 describe Doorkeeper::Server do
   let(:fake_class) { double :fake_class }

data/spec/models/doorkeeper/access_token_spec.rb CHANGED Viewed

@@ -12,6 +12,11 @@ module Doorkeeper
       let(:factory_name) { :access_token }
     end
+    module CustomGeneratorArgs
+      def self.generate
+      end
+    end
     describe :generate_token do
       it 'generates a token using the default method' do
         FactoryGirl.create :access_token
@@ -21,6 +26,10 @@ module Doorkeeper
       end
       it 'generates a token using a custom object' do
+        eigenclass = class << CustomGeneratorArgs; self; end
+        eigenclass.class_eval do
+          remove_method :generate
+        end
         module CustomGeneratorArgs
           def self.generate(opts = {})
             "custom_generator_token_#{opts[:resource_owner_id]}"
@@ -37,6 +46,10 @@ module Doorkeeper
       end
       it 'allows the custom generator to access the application details' do
+        eigenclass = class << CustomGeneratorArgs; self; end
+        eigenclass.class_eval do
+          remove_method :generate
+        end
         module CustomGeneratorArgs
           def self.generate(opts = {})
             "custom_generator_token_#{opts[:application].name}"
@@ -53,6 +66,10 @@ module Doorkeeper
       end
       it 'allows the custom generator to access the scopes' do
+        eigenclass = class << CustomGeneratorArgs; self; end
+        eigenclass.class_eval do
+          remove_method :generate
+        end
         module CustomGeneratorArgs
           def self.generate(opts = {})
             "custom_generator_token_#{opts[:scopes].count}_#{opts[:scopes]}"
@@ -70,6 +87,10 @@ module Doorkeeper
       end
       it 'allows the custom generator to access the expiry length' do
+        eigenclass = class << CustomGeneratorArgs; self; end
+        eigenclass.class_eval do
+          remove_method :generate
+        end
         module CustomGeneratorArgs
           def self.generate(opts = {})
             "custom_generator_token_#{opts[:expires_in]}"
@@ -85,6 +106,23 @@ module Doorkeeper
         expect(token.token).to eq 'custom_generator_token_7200'
       end
+      it 'allows the custom generator to access the created time' do
+        module CustomGeneratorArgs
+          def self.generate(opts = {})
+            "custom_generator_token_#{opts[:created_at].to_i}"
+          end
+        end
+        Doorkeeper.configure do
+          orm DOORKEEPER_ORM
+          access_token_generator "Doorkeeper::CustomGeneratorArgs"
+        end
+        token = FactoryGirl.create :access_token
+        created_at = token.created_at
+        expect(token.token).to eq "custom_generator_token_#{created_at.to_i}"
+      end
       it 'raises an error if the custom object does not support generate' do
         module NoGenerate
         end
@@ -133,7 +171,7 @@ module Doorkeeper
         expect do
           token2.refresh_token = token1.refresh_token
           token2.save(validate: false)
-        end.to raise_error(ActiveRecord::RecordNotUnique)
+        end.to raise_error(uniqueness_error)
       end
     end
@@ -143,6 +181,12 @@ module Doorkeeper
         subject.resource_owner_id = nil
         expect(subject).to be_valid
       end
+      it 'is valid without application_id' do
+        # For resource owner credentials flow
+        subject.application_id = nil
+        expect(subject).to be_valid
+      end
     end
     describe '#same_credential?' do

data/spec/models/doorkeeper/application_spec.rb CHANGED Viewed

@@ -30,7 +30,7 @@ module Doorkeeper
       context 'application owner is required' do
         before(:each) do
           require_owner
-          @owner = FactoryGirl.build_stubbed(:user)
+          @owner = FactoryGirl.build_stubbed(:doorkeeper_testing_user)
         end
         it 'is invalid without an owner' do
@@ -90,7 +90,7 @@ module Doorkeeper
       app1 = FactoryGirl.create(:application)
       app2 = FactoryGirl.create(:application)
       app2.uid = app1.uid
-      expect { app2.save!(validate: false) }.to raise_error(ActiveRecord::RecordNotUnique)
+      expect { app2.save!(validate: false) }.to raise_error(uniqueness_error)
     end
     it 'generate secret on create' do
@@ -129,7 +129,7 @@ module Doorkeeper
       it 'should destroy its access tokens' do
         FactoryGirl.create(:access_token, application: new_application)
-        FactoryGirl.create(:access_token, application: new_application, revoked_at: Time.now)
+        FactoryGirl.create(:access_token, application: new_application, revoked_at: Time.now.utc)
         expect do
           new_application.destroy
         end.to change { Doorkeeper::AccessToken.count }.by(-2)
@@ -166,14 +166,6 @@ module Doorkeeper
         FactoryGirl.create(:access_token, resource_owner_id: resource_owner.id, application: application)
         expect(Application.authorized_for(resource_owner)).to eq([application])
       end
-      it 'should fail to mass assign a new application', if: ::Rails::VERSION::MAJOR < 4 do
-        mass_assign = { name: 'Something',
-                        redirect_uri: 'http://somewhere.com/something',
-                        uid: 123,
-                        secret: 'something' }
-        expect(Application.create(mass_assign).uid).not_to eq(123)
-      end
     end
     describe :authenticate do

data/spec/requests/endpoints/authorization_spec.rb CHANGED Viewed

@@ -59,13 +59,12 @@ feature 'Authorization endpoint' do
     end
     scenario 'raises exception on forged requests' do
-      skip 'TODO: need to add request helpers to this feature spec'
-      allow_any_instance_of(ActionController::Base).to receive(:handle_unverified_request)
       allowing_forgery_protection do
-        post "/oauth/authorize",
-          client_id:      @client.uid,
-          redirect_uri:   @client.redirect_uri,
-          response_type:  'code'
+        expect {
+          page.driver.post authorization_endpoint_url(client_id: @client.uid,
+                                                      redirect_uri: @client.redirect_uri,
+                                                      response_type:  'code')
+        }.to raise_error(ActionController::InvalidAuthenticityToken)
       end
     end
   end

data/spec/requests/flows/authorization_code_errors_spec.rb CHANGED Viewed

@@ -1,9 +1,10 @@
 require 'spec_helper_integration'
 feature 'Authorization Code Flow Errors' do
+  let(:client_params) { {} }
   background do
     config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
-    client_exists
+    client_exists client_params
     create_resource_owner
     sign_in
   end
@@ -12,6 +13,15 @@ feature 'Authorization Code Flow Errors' do
     access_grant_should_not_exist
   end
+  context "with a client trying to xss resource owner" do
+    let(:client_name) { "<div id='xss'>XSS</div>" }
+    let(:client_params) { { name: client_name } }
+    scenario "resource owner visit authorization endpoint" do
+      visit authorization_endpoint_url(client: @client)
+      expect(page).not_to have_css("#xss")
+    end
+  end
   context 'when access was denied' do
     scenario 'redirects with error' do
       visit authorization_endpoint_url(client: @client)

data/spec/requests/flows/authorization_code_spec.rb CHANGED Viewed

@@ -41,13 +41,11 @@ feature 'Authorization Code Flow' do
   end
   scenario 'resource owner requests an access token with authorization code' do
-    skip 'TODO: need to add request helpers to this feature spec'
     visit authorization_endpoint_url(client: @client)
     click_on 'Authorize'
     authorization_code = Doorkeeper::AccessGrant.first.token
-    post token_endpoint_url(code: authorization_code, client: @client)
+    create_access_token authorization_code, @client
     access_token_should_exist_for(@client, @resource_owner)
@@ -84,27 +82,23 @@ feature 'Authorization Code Flow' do
     end
     scenario 'new access token matches required scopes' do
-      skip 'TODO: need to add request helpers to this feature spec'
       visit authorization_endpoint_url(client: @client, scope: 'public write')
       click_on 'Authorize'
       authorization_code = Doorkeeper::AccessGrant.first.token
-      post token_endpoint_url(code: authorization_code, client: @client)
+      create_access_token authorization_code, @client
       access_token_should_exist_for(@client, @resource_owner)
       access_token_should_have_scopes :public, :write
     end
     scenario 'returns new token if scopes have changed' do
-      skip 'TODO: need to add request helpers to this feature spec'
       client_is_authorized(@client, @resource_owner, scopes: 'public write')
       visit authorization_endpoint_url(client: @client, scope: 'public')
       click_on 'Authorize'
       authorization_code = Doorkeeper::AccessGrant.first.token
-      post token_endpoint_url(code: authorization_code, client: @client)
+      create_access_token authorization_code, @client
       expect(Doorkeeper::AccessToken.count).to be(2)
@@ -112,14 +106,12 @@ feature 'Authorization Code Flow' do
     end
     scenario 'resource owner authorizes the client with extra scopes' do
-      skip 'TODO: need to add request helpers to this feature spec'
       client_is_authorized(@client, @resource_owner, scopes: 'public')
       visit authorization_endpoint_url(client: @client, scope: 'public write')
       click_on 'Authorize'
       authorization_code = Doorkeeper::AccessGrant.first.token
-      post token_endpoint_url(code: authorization_code, client: @client)
+      create_access_token authorization_code, @client
       expect(Doorkeeper::AccessToken.count).to be(2)

data/spec/requests/flows/password_spec.rb CHANGED Viewed

@@ -24,14 +24,26 @@ describe 'Resource Owner Password Credentials Flow' do
   end
   context 'with valid user credentials' do
-    it 'should issue new token' do
+    it 'should issue new token with confidential client' do
       expect do
         post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
       end.to change { Doorkeeper::AccessToken.count }.by(1)
       token = Doorkeeper::AccessToken.first
-      should_have_json 'access_token',  token.token
+      expect(token.application_id).to eq @client.id
+      should_have_json 'access_token', token.token
+    end
+    it 'should issue new token with public client (only client_id present)' do
+      expect do
+        post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
+      end.to change { Doorkeeper::AccessToken.count }.by(1)
+      token = Doorkeeper::AccessToken.first
+      expect(token.application_id).to eq @client.id
+      should_have_json 'access_token', token.token
     end
     it 'should issue new token without client credentials' do
@@ -41,7 +53,8 @@ describe 'Resource Owner Password Credentials Flow' do
       token = Doorkeeper::AccessToken.first
-      should_have_json 'access_token',  token.token
+      expect(token.application_id).to be_nil
+      should_have_json 'access_token', token.token
     end
     it 'should issue a refresh token if enabled' do
@@ -51,7 +64,7 @@ describe 'Resource Owner Password Credentials Flow' do
       token = Doorkeeper::AccessToken.first
-      should_have_json 'refresh_token',  token.refresh_token
+      should_have_json 'refresh_token', token.refresh_token
     end
     it 'should return the same token if it is still accessible' do
@@ -82,7 +95,7 @@ describe 'Resource Owner Password Credentials Flow' do
     end
   end
-  context 'with invalid client credentials' do
+  context 'with invalid confidential client credentials' do
     it 'should not issue new token with bad client credentials' do
       expect do
         post password_token_endpoint_url(client_id: @client.uid,
@@ -91,4 +104,12 @@ describe 'Resource Owner Password Credentials Flow' do
       end.to_not change { Doorkeeper::AccessToken.count }
     end
   end
+  context 'with invalid public client id' do
+    it 'should not issue new token with bad client id' do
+      expect do
+        post password_token_endpoint_url(client_id: 'bad_id', resource_owner: @resource_owner)
+      end.to_not change { Doorkeeper::AccessToken.count }
+    end
+  end
 end