RubyGems - doorkeeper - Versions diffs - 3.1.0 → 4.4.3 - Mend

doorkeeper 3.1.0 → 4.4.3

Potentially problematic release.

This version of doorkeeper might be problematic. Click here for more details.

Files changed (195) hide show

checksums.yaml +4 -4
data/.coveralls.yml +1 -0
data/.github/ISSUE_TEMPLATE.md +25 -0
data/.github/PULL_REQUEST_TEMPLATE.md +17 -0
data/.gitignore +6 -1
data/.hound.yml +2 -13
data/.rubocop.yml +17 -0
data/.travis.yml +26 -10
data/Appraisals +18 -0
data/CODE_OF_CONDUCT.md +46 -0
data/CONTRIBUTING.md +2 -0
data/Gemfile +5 -5
data/NEWS.md +141 -2
data/README.md +149 -66
data/RELEASING.md +5 -12
data/Rakefile +1 -1
data/SECURITY.md +15 -0
data/app/controllers/doorkeeper/application_controller.rb +4 -6
data/app/controllers/doorkeeper/application_metal_controller.rb +3 -2
data/app/controllers/doorkeeper/applications_controller.rb +18 -8
data/app/controllers/doorkeeper/authorizations_controller.rb +1 -1
data/app/controllers/doorkeeper/authorized_applications_controller.rb +1 -1
data/app/controllers/doorkeeper/tokens_controller.rb +62 -15
data/app/helpers/doorkeeper/dashboard_helper.rb +14 -10
data/app/validators/redirect_uri_validator.rb +12 -2
data/app/views/doorkeeper/applications/_delete_form.html.erb +1 -2
data/app/views/doorkeeper/applications/_form.html.erb +13 -2
data/app/views/doorkeeper/applications/index.html.erb +2 -0
data/app/views/doorkeeper/applications/show.html.erb +4 -1
data/app/views/doorkeeper/authorizations/new.html.erb +1 -1
data/app/views/doorkeeper/authorized_applications/_delete_form.html.erb +1 -2
data/app/views/doorkeeper/authorized_applications/index.html.erb +0 -1
data/app/views/layouts/doorkeeper/admin.html.erb +1 -1
data/config/locales/en.yml +12 -7
data/doorkeeper.gemspec +16 -11
data/gemfiles/rails_4_2.gemfile +13 -0
data/gemfiles/rails_5_0.gemfile +12 -0
data/gemfiles/rails_5_1.gemfile +12 -0
data/gemfiles/rails_5_2.gemfile +12 -0
data/gemfiles/rails_master.gemfile +14 -0
data/lib/doorkeeper/config.rb +119 -46
data/lib/doorkeeper/engine.rb +11 -7
data/lib/doorkeeper/errors.rb +18 -0
data/lib/doorkeeper/grape/helpers.rb +14 -8
data/lib/doorkeeper/helpers/controller.rb +8 -19
data/lib/doorkeeper/models/access_grant_mixin.rb +10 -21
data/lib/doorkeeper/models/access_token_mixin.rb +147 -43
data/lib/doorkeeper/models/application_mixin.rb +33 -35
data/lib/doorkeeper/models/concerns/accessible.rb +4 -0
data/lib/doorkeeper/models/concerns/expirable.rb +15 -5
data/lib/doorkeeper/models/concerns/orderable.rb +13 -0
data/lib/doorkeeper/models/concerns/ownership.rb +6 -1
data/lib/doorkeeper/models/concerns/revocable.rb +37 -2
data/lib/doorkeeper/oauth/authorization/token.rb +22 -18
data/lib/doorkeeper/oauth/authorization/uri_builder.rb +20 -18
data/lib/doorkeeper/oauth/authorization_code_request.rb +7 -5
data/lib/doorkeeper/oauth/{request_concern.rb → base_request.rb} +9 -2
data/lib/doorkeeper/oauth/base_response.rb +29 -0
data/lib/doorkeeper/oauth/client/credentials.rb +21 -8
data/lib/doorkeeper/oauth/client.rb +2 -3
data/lib/doorkeeper/oauth/client_credentials/creator.rb +1 -1
data/lib/doorkeeper/oauth/client_credentials/issuer.rb +3 -2
data/lib/doorkeeper/oauth/client_credentials/validation.rb +1 -1
data/lib/doorkeeper/oauth/client_credentials_request.rb +8 -8
data/lib/doorkeeper/oauth/code_response.rb +16 -16
data/lib/doorkeeper/oauth/error.rb +2 -2
data/lib/doorkeeper/oauth/error_response.rb +10 -10
data/lib/doorkeeper/oauth/forbidden_token_response.rb +1 -1
data/lib/doorkeeper/oauth/helpers/scope_checker.rb +1 -1
data/lib/doorkeeper/oauth/helpers/uri_checker.rb +17 -1
data/lib/doorkeeper/oauth/invalid_token_response.rb +5 -4
data/lib/doorkeeper/oauth/password_access_token_request.rb +8 -13
data/lib/doorkeeper/oauth/pre_authorization.rb +5 -3
data/lib/doorkeeper/oauth/refresh_token_request.rb +23 -14
data/lib/doorkeeper/oauth/scopes.rb +18 -8
data/lib/doorkeeper/oauth/token.rb +20 -21
data/lib/doorkeeper/oauth/token_introspection.rb +128 -0
data/lib/doorkeeper/oauth/token_request.rb +1 -2
data/lib/doorkeeper/oauth/token_response.rb +1 -1
data/lib/doorkeeper/orm/active_record/access_grant.rb +27 -0
data/lib/doorkeeper/orm/active_record/access_token.rb +34 -8
data/lib/doorkeeper/orm/active_record/application.rb +48 -11
data/lib/doorkeeper/orm/active_record.rb +17 -22
data/lib/doorkeeper/rails/helpers.rb +6 -9
data/lib/doorkeeper/rails/routes/mapper.rb +4 -4
data/lib/doorkeeper/rails/routes/mapping.rb +1 -1
data/lib/doorkeeper/rails/routes.rb +17 -11
data/lib/doorkeeper/request/authorization_code.rb +7 -1
data/lib/doorkeeper/request/password.rb +2 -2
data/lib/doorkeeper/request/refresh_token.rb +1 -1
data/lib/doorkeeper/request.rb +7 -1
data/lib/doorkeeper/server.rb +0 -8
data/lib/doorkeeper/validations.rb +3 -2
data/lib/doorkeeper/version.rb +34 -1
data/lib/doorkeeper.rb +10 -2
data/lib/generators/doorkeeper/add_client_confidentiality_generator.rb +31 -0
data/lib/generators/doorkeeper/application_owner_generator.rb +11 -2
data/lib/generators/doorkeeper/migration_generator.rb +13 -1
data/lib/generators/doorkeeper/previous_refresh_token_generator.rb +35 -0
data/lib/generators/doorkeeper/templates/add_confidential_to_application_migration.rb.erb +11 -0
data/{spec/dummy/db/migrate/20130902175349_add_owner_to_application.rb → lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb} +1 -1
data/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb.erb +11 -0
data/lib/generators/doorkeeper/templates/initializer.rb +38 -6
data/lib/generators/doorkeeper/templates/migration.rb.erb +69 -0
data/spec/controllers/application_metal_controller.rb +10 -0
data/spec/controllers/applications_controller_spec.rb +15 -4
data/spec/controllers/authorizations_controller_spec.rb +74 -27
data/spec/controllers/protected_resources_controller_spec.rb +70 -32
data/spec/controllers/token_info_controller_spec.rb +17 -13
data/spec/controllers/tokens_controller_spec.rb +198 -12
data/spec/dummy/app/controllers/full_protected_resources_controller.rb +4 -4
data/spec/dummy/app/controllers/home_controller.rb +1 -1
data/spec/dummy/app/controllers/metal_controller.rb +1 -1
data/spec/dummy/app/controllers/semi_protected_resources_controller.rb +3 -3
data/spec/dummy/app/models/user.rb +0 -4
data/spec/dummy/config/application.rb +2 -36
data/spec/dummy/config/environment.rb +1 -1
data/spec/dummy/config/environments/test.rb +4 -15
data/spec/dummy/config/initializers/doorkeeper.rb +19 -3
data/spec/dummy/config/initializers/new_framework_defaults.rb +6 -0
data/spec/dummy/config/initializers/secret_token.rb +0 -1
data/spec/dummy/db/migrate/20111122132257_create_users.rb +3 -1
data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb +3 -1
data/{lib/generators/doorkeeper/templates/migration.rb → spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb} +16 -4
data/{lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb → spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb} +4 -2
data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb +13 -0
data/spec/dummy/db/migrate/20180210183654_add_confidential_to_application.rb +13 -0
data/spec/dummy/db/schema.rb +24 -22
data/spec/factories.rb +4 -2
data/spec/generators/application_owner_generator_spec.rb +24 -5
data/spec/generators/migration_generator_spec.rb +24 -3
data/spec/generators/previous_refresh_token_generator_spec.rb +57 -0
data/spec/grape/grape_integration_spec.rb +135 -0
data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +1 -1
data/spec/lib/config_spec.rb +159 -14
data/spec/lib/doorkeeper_spec.rb +135 -13
data/spec/lib/models/expirable_spec.rb +0 -1
data/spec/lib/models/revocable_spec.rb +27 -4
data/spec/lib/oauth/authorization/uri_builder_spec.rb +1 -2
data/spec/lib/oauth/authorization_code_request_spec.rb +55 -12
data/spec/lib/oauth/base_request_spec.rb +155 -0
data/spec/lib/oauth/base_response_spec.rb +45 -0
data/spec/lib/oauth/client/credentials_spec.rb +45 -2
data/spec/lib/oauth/client_credentials/creator_spec.rb +1 -1
data/spec/lib/oauth/client_credentials_integration_spec.rb +1 -1
data/spec/lib/oauth/client_credentials_request_spec.rb +1 -0
data/spec/lib/oauth/code_request_spec.rb +1 -3
data/spec/lib/oauth/code_response_spec.rb +34 -0
data/spec/lib/oauth/error_response_spec.rb +9 -9
data/spec/lib/oauth/error_spec.rb +1 -1
data/spec/lib/oauth/helpers/uri_checker_spec.rb +115 -1
data/spec/lib/oauth/invalid_token_response_spec.rb +36 -8
data/spec/lib/oauth/password_access_token_request_spec.rb +14 -8
data/spec/lib/oauth/pre_authorization_spec.rb +12 -7
data/spec/lib/oauth/refresh_token_request_spec.rb +52 -9
data/spec/lib/oauth/scopes_spec.rb +28 -2
data/spec/lib/oauth/token_request_spec.rb +6 -8
data/spec/lib/oauth/token_spec.rb +12 -5
data/spec/lib/server_spec.rb +10 -3
data/spec/models/doorkeeper/access_grant_spec.rb +1 -1
data/spec/models/doorkeeper/access_token_spec.rb +116 -48
data/spec/models/doorkeeper/application_spec.rb +145 -29
data/spec/requests/applications/applications_request_spec.rb +5 -5
data/spec/requests/endpoints/authorization_spec.rb +5 -6
data/spec/requests/endpoints/token_spec.rb +8 -1
data/spec/requests/flows/authorization_code_errors_spec.rb +11 -1
data/spec/requests/flows/authorization_code_spec.rb +6 -13
data/spec/requests/flows/client_credentials_spec.rb +29 -1
data/spec/requests/flows/implicit_grant_errors_spec.rb +2 -2
data/spec/requests/flows/password_spec.rb +118 -15
data/spec/requests/flows/refresh_token_spec.rb +89 -19
data/spec/requests/flows/revoke_token_spec.rb +105 -91
data/spec/requests/protected_resources/metal_spec.rb +1 -1
data/spec/requests/protected_resources/private_api_spec.rb +1 -1
data/spec/routing/custom_controller_routes_spec.rb +4 -0
data/spec/routing/default_routes_spec.rb +5 -1
data/spec/spec_helper.rb +2 -0
data/spec/spec_helper_integration.rb +22 -4
data/spec/support/dependencies/factory_girl.rb +2 -2
data/spec/support/helpers/access_token_request_helper.rb +1 -1
data/spec/support/helpers/model_helper.rb +34 -7
data/spec/support/helpers/request_spec_helper.rb +17 -5
data/spec/support/helpers/url_helper.rb +9 -8
data/spec/support/http_method_shim.rb +38 -0
data/spec/support/shared/controllers_shared_context.rb +15 -10
data/spec/support/shared/models_shared_examples.rb +5 -5
data/spec/validators/redirect_uri_validator_spec.rb +51 -6
data/spec/version/version_spec.rb +15 -0
metadata +128 -46
data/lib/doorkeeper/oauth/client/methods.rb +0 -18
data/lib/generators/doorkeeper/application_scopes_generator.rb +0 -34
data/lib/generators/doorkeeper/templates/add_scopes_to_oauth_applications.rb +0 -5
data/spec/dummy/db/migrate/20130902165751_create_doorkeeper_tables.rb +0 -41
data/spec/dummy/db/migrate/20141209001746_add_scopes_to_oauth_applications.rb +0 -5
data/spec/lib/oauth/client/methods_spec.rb +0 -54

data/spec/requests/applications/applications_request_spec.rb CHANGED Viewed

@@ -25,8 +25,8 @@ end
 feature 'Listing applications' do
   background do
-    FactoryGirl.create :application, name: 'Oauth Dude'
-    FactoryGirl.create :application, name: 'Awesome App'
+    FactoryBot.create :application, name: 'Oauth Dude'
+    FactoryBot.create :application, name: 'Awesome App'
   end
   scenario 'application list' do
@@ -38,7 +38,7 @@ end
 feature 'Show application' do
   given :app do
-    FactoryGirl.create :application, name: 'Just another oauth app'
+    FactoryBot.create :application, name: 'Just another oauth app'
   end
   scenario 'visiting application page' do
@@ -49,7 +49,7 @@ end
 feature 'Edit application' do
   let :app do
-    FactoryGirl.create :application, name: 'OMG my app'
+    FactoryBot.create :application, name: 'OMG my app'
   end
   background do
@@ -73,7 +73,7 @@ end
 feature 'Remove application' do
   background do
-    @app = FactoryGirl.create :application
+    @app = FactoryBot.create :application
   end
   scenario 'deleting an application from list' do

data/spec/requests/endpoints/authorization_spec.rb CHANGED Viewed

@@ -59,13 +59,12 @@ feature 'Authorization endpoint' do
     end
     scenario 'raises exception on forged requests' do
-      skip 'TODO: need to add request helpers to this feature spec'
-      allow_any_instance_of(ActionController::Base).to receive(:handle_unverified_request)
       allowing_forgery_protection do
-        post "/oauth/authorize",
-          client_id:      @client.uid,
-          redirect_uri:   @client.redirect_uri,
-          response_type:  'code'
+        expect {
+          page.driver.post authorization_endpoint_url(client_id: @client.uid,
+                                                      redirect_uri: @client.redirect_uri,
+                                                      response_type:  'code')
+        }.to raise_error(ActionController::InvalidAuthenticityToken)
       end
     end
   end

data/spec/requests/endpoints/token_spec.rb CHANGED Viewed

@@ -9,7 +9,14 @@ describe 'Token endpoint' do
   it 'respond with correct headers' do
     post token_endpoint_url(code: @authorization.token, client: @client)
     should_have_header 'Pragma', 'no-cache'
-    should_have_header 'Cache-Control', 'no-store'
+    # Rails 5.2 changed headers
+    if ::Rails::VERSION::MAJOR >= 5 && ::Rails::VERSION::MINOR >= 2 || ::Rails::VERSION::MAJOR >= 6
+      should_have_header 'Cache-Control', 'private, no-store'
+    else
+      should_have_header 'Cache-Control', 'no-store'
+    end
     should_have_header 'Content-Type', 'application/json; charset=utf-8'
   end

data/spec/requests/flows/authorization_code_errors_spec.rb CHANGED Viewed

@@ -1,9 +1,10 @@
 require 'spec_helper_integration'
 feature 'Authorization Code Flow Errors' do
+  let(:client_params) { {} }
   background do
     config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
-    client_exists
+    client_exists client_params
     create_resource_owner
     sign_in
   end
@@ -12,6 +13,15 @@ feature 'Authorization Code Flow Errors' do
     access_grant_should_not_exist
   end
+  context "with a client trying to xss resource owner" do
+    let(:client_name) { "<div id='xss'>XSS</div>" }
+    let(:client_params) { { name: client_name } }
+    scenario "resource owner visit authorization endpoint" do
+      visit authorization_endpoint_url(client: @client)
+      expect(page).not_to have_css("#xss")
+    end
+  end
   context 'when access was denied' do
     scenario 'redirects with error' do
       visit authorization_endpoint_url(client: @client)

data/spec/requests/flows/authorization_code_spec.rb CHANGED Viewed

@@ -29,6 +29,7 @@ feature 'Authorization Code Flow' do
     access_grant_should_exist_for(@client, @resource_owner)
+    url_should_have_param('code', Doorkeeper::AccessGrant.first.token)
     i_should_see 'Authorization code:'
     i_should_see Doorkeeper::AccessGrant.first.token
   end
@@ -41,20 +42,18 @@ feature 'Authorization Code Flow' do
   end
   scenario 'resource owner requests an access token with authorization code' do
-    skip 'TODO: need to add request helpers to this feature spec'
     visit authorization_endpoint_url(client: @client)
     click_on 'Authorize'
     authorization_code = Doorkeeper::AccessGrant.first.token
-    post token_endpoint_url(code: authorization_code, client: @client)
+    create_access_token authorization_code, @client
     access_token_should_exist_for(@client, @resource_owner)
     should_not_have_json 'error'
     should_have_json 'access_token', Doorkeeper::AccessToken.first.token
-    should_have_json 'token_type', 'bearer'
+    should_have_json 'token_type', 'Bearer'
     should_have_json_within 'expires_in', Doorkeeper::AccessToken.first.expires_in, 1
   end
@@ -84,27 +83,23 @@ feature 'Authorization Code Flow' do
     end
     scenario 'new access token matches required scopes' do
-      skip 'TODO: need to add request helpers to this feature spec'
       visit authorization_endpoint_url(client: @client, scope: 'public write')
       click_on 'Authorize'
       authorization_code = Doorkeeper::AccessGrant.first.token
-      post token_endpoint_url(code: authorization_code, client: @client)
+      create_access_token authorization_code, @client
       access_token_should_exist_for(@client, @resource_owner)
       access_token_should_have_scopes :public, :write
     end
     scenario 'returns new token if scopes have changed' do
-      skip 'TODO: need to add request helpers to this feature spec'
       client_is_authorized(@client, @resource_owner, scopes: 'public write')
       visit authorization_endpoint_url(client: @client, scope: 'public')
       click_on 'Authorize'
       authorization_code = Doorkeeper::AccessGrant.first.token
-      post token_endpoint_url(code: authorization_code, client: @client)
+      create_access_token authorization_code, @client
       expect(Doorkeeper::AccessToken.count).to be(2)
@@ -112,14 +107,12 @@ feature 'Authorization Code Flow' do
     end
     scenario 'resource owner authorizes the client with extra scopes' do
-      skip 'TODO: need to add request helpers to this feature spec'
       client_is_authorized(@client, @resource_owner, scopes: 'public')
       visit authorization_endpoint_url(client: @client, scope: 'public write')
       click_on 'Authorize'
       authorization_code = Doorkeeper::AccessGrant.first.token
-      post token_endpoint_url(code: authorization_code, client: @client)
+      create_access_token authorization_code, @client
       expect(Doorkeeper::AccessToken.count).to be(2)

data/spec/requests/flows/client_credentials_spec.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 require 'spec_helper_integration'
 describe 'Client Credentials Request' do
-  let(:client) { FactoryGirl.create :application }
+  let(:client) { FactoryBot.create :application }
   context 'a valid request' do
     it 'authorizes the client and returns the token response' do
@@ -22,6 +22,7 @@ describe 'Client Credentials Request' do
     context 'with scopes' do
       before do
         optional_scopes_exist :write
+        default_scopes_exist :public
       end
       it 'adds the scope to the token an returns in the response' do
@@ -33,6 +34,33 @@ describe 'Client Credentials Request' do
         should_have_json 'access_token', Doorkeeper::AccessToken.first.token
         should_have_json 'scope', 'write'
       end
+      context 'that are default' do
+        it 'adds the scope to the token an returns in the response' do
+          headers = authorization client.uid, client.secret
+          params  = { grant_type: 'client_credentials', scope: 'public' }
+          post '/oauth/token', params, headers
+          should_have_json 'access_token', Doorkeeper::AccessToken.first.token
+          should_have_json 'scope', 'public'
+        end
+      end
+      context 'that are invalid' do
+        it 'does not authorize the client and returns the error' do
+          headers = authorization client.uid, client.secret
+          params  = { grant_type: 'client_credentials', scope: 'random' }
+          post '/oauth/token', params, headers
+          should_have_json 'error', 'invalid_scope'
+          should_have_json 'error_description', translated_error_message(:invalid_scope)
+          should_not_have_json 'access_token'
+          expect(response.status).to eq(401)
+        end
+      end
     end
   end

data/spec/requests/flows/implicit_grant_errors_spec.rb CHANGED Viewed

@@ -17,13 +17,13 @@ feature 'Implicit Grant Flow Errors' do
     [:client_id,     :invalid_client],
     [:redirect_uri,  :invalid_redirect_uri]
   ].each do |error|
-    scenario "displays #{error.last.inspect} error for invalid #{error.first.inspect}" do
+    scenario "displays #{error.last} error for invalid #{error.first}" do
       visit authorization_endpoint_url(client: @client, error.first => 'invalid', response_type: 'token')
       i_should_not_see 'Authorize'
       i_should_see_translated_error_message error.last
     end
-    scenario "displays #{error.last.inspect} error when #{error.first.inspect} is missing" do
+    scenario "displays #{error.last} error when #{error.first} is missing" do
       visit authorization_endpoint_url(client: @client, error.first => '', response_type: 'token')
       i_should_not_see 'Authorize'
       i_should_see_translated_error_message error.last

data/spec/requests/flows/password_spec.rb CHANGED Viewed

@@ -10,38 +10,94 @@ describe 'Resource Owner Password Credentials Flow not set up' do
     it 'doesn\'t issue new token' do
       expect do
         post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-      end.to_not change { Doorkeeper::AccessToken.count }
+      end.to_not(change { Doorkeeper::AccessToken.count })
     end
   end
 end
 describe 'Resource Owner Password Credentials Flow' do
+  let(:client_attributes) { {} }
   before do
     config_is_set(:grant_flows, ["password"])
     config_is_set(:resource_owner_from_credentials) { User.authenticate! params[:username], params[:password] }
-    client_exists
+    client_exists(client_attributes)
     create_resource_owner
   end
   context 'with valid user credentials' do
-    it 'should issue new token' do
-      expect do
-        post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-      end.to change { Doorkeeper::AccessToken.count }.by(1)
+    context "with non-confidential/public client" do
+      let(:client_attributes) { { confidential: false } }
+      context "when client_secret absent" do
+        it "should issue new token" do
+          expect do
+            post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
+          end.to change { Doorkeeper::AccessToken.count }.by(1)
+          token = Doorkeeper::AccessToken.first
+          expect(token.application_id).to eq @client.id
+          should_have_json 'access_token', token.token
+        end
+      end
+      context "when client_secret present" do
+        it "should issue new token" do
+          expect do
+            post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
+          end.to change { Doorkeeper::AccessToken.count }.by(1)
+          token = Doorkeeper::AccessToken.first
+          expect(token.application_id).to eq @client.id
+          should_have_json 'access_token', token.token
+        end
+        context "when client_secret incorrect" do
+          it "should not issue new token" do
+            expect do
+              post password_token_endpoint_url(client_id: @client.uid, client_secret: 'foobar', resource_owner: @resource_owner)
+            end.not_to(change { Doorkeeper::AccessToken.count })
+            expect(response).not_to be_ok
+          end
+        end
+      end
+    end
-      token = Doorkeeper::AccessToken.first
+    context "with confidential/private client" do
+      it "should issue new token" do
+        expect do
+          post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
+        end.to change { Doorkeeper::AccessToken.count }.by(1)
+        token = Doorkeeper::AccessToken.first
-      should_have_json 'access_token',  token.token
+        expect(token.application_id).to eq @client.id
+        should_have_json 'access_token', token.token
+      end
+      context "when client_secret absent" do
+        it "should not issue new token" do
+          expect do
+            post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
+          end.not_to(change { Doorkeeper::AccessToken.count })
+          expect(response).not_to be_ok
+        end
+      end
     end
     it 'should issue new token without client credentials' do
       expect do
         post password_token_endpoint_url(resource_owner: @resource_owner)
-      end.to change { Doorkeeper::AccessToken.count }.by(1)
+      end.to(change { Doorkeeper::AccessToken.count }.by(1))
       token = Doorkeeper::AccessToken.first
-      should_have_json 'access_token',  token.token
+      expect(token.application_id).to be_nil
+      should_have_json 'access_token', token.token
     end
     it 'should issue a refresh token if enabled' do
@@ -51,7 +107,7 @@ describe 'Resource Owner Password Credentials Flow' do
       token = Doorkeeper::AccessToken.first
-      should_have_json 'refresh_token',  token.refresh_token
+      should_have_json 'refresh_token', token.refresh_token
     end
     it 'should return the same token if it is still accessible' do
@@ -64,6 +120,45 @@ describe 'Resource Owner Password Credentials Flow' do
       expect(Doorkeeper::AccessToken.count).to be(1)
       should_have_json 'access_token', Doorkeeper::AccessToken.first.token
     end
+    context 'with valid, default scope' do
+      before do
+        default_scopes_exist :public
+      end
+      it 'should issue new token' do
+        expect do
+          post password_token_endpoint_url(client: @client, resource_owner: @resource_owner, scope: 'public')
+        end.to change { Doorkeeper::AccessToken.count }.by(1)
+        token = Doorkeeper::AccessToken.first
+        expect(token.application_id).to eq @client.id
+        should_have_json 'access_token', token.token
+        should_have_json 'scope', 'public'
+      end
+    end
+  end
+  context 'with invalid scopes' do
+    subject do
+      post password_token_endpoint_url(client: @client,
+                                       resource_owner: @resource_owner,
+                                       scope: 'random')
+    end
+    it 'should not issue new token' do
+      expect { subject }.to_not(change { Doorkeeper::AccessToken.count })
+    end
+    it 'should return invalid_scope error' do
+      subject
+      should_have_json 'error', 'invalid_scope'
+      should_have_json 'error_description', translated_error_message(:invalid_scope)
+      should_not_have_json 'access_token'
+      expect(response.status).to eq(401)
+    end
   end
   context 'with invalid user credentials' do
@@ -72,23 +167,31 @@ describe 'Resource Owner Password Credentials Flow' do
         post password_token_endpoint_url(client: @client,
                                          resource_owner_username: @resource_owner.name,
                                          resource_owner_password: 'wrongpassword')
-      end.to_not change { Doorkeeper::AccessToken.count }
+      end.to_not(change { Doorkeeper::AccessToken.count })
     end
     it 'should not issue new token without credentials' do
       expect do
         post password_token_endpoint_url(client: @client)
-      end.to_not change { Doorkeeper::AccessToken.count }
+      end.to_not(change { Doorkeeper::AccessToken.count })
     end
   end
-  context 'with invalid client credentials' do
+  context 'with invalid confidential client credentials' do
     it 'should not issue new token with bad client credentials' do
       expect do
         post password_token_endpoint_url(client_id: @client.uid,
                                          client_secret: 'bad_secret',
                                          resource_owner: @resource_owner)
-      end.to_not change { Doorkeeper::AccessToken.count }
+      end.to_not(change { Doorkeeper::AccessToken.count })
+    end
+  end
+  context 'with invalid public client id' do
+    it 'should not issue new token with bad client id' do
+      expect do
+        post password_token_endpoint_url(client_id: 'bad_id', resource_owner: @resource_owner)
+      end.to_not(change { Doorkeeper::AccessToken.count })
     end
   end
 end

data/spec/requests/flows/refresh_token_spec.rb CHANGED Viewed

@@ -37,20 +37,62 @@ describe 'Refresh Token Flow' do
   context 'refreshing the token' do
     before do
-      @token = FactoryGirl.create(:access_token, application: @client, resource_owner_id: 1, use_refresh_token: true)
+      @token = FactoryBot.create(
+        :access_token,
+        application: @client,
+        resource_owner_id: 1,
+        use_refresh_token: true
+      )
     end
-    it 'client request a token with refresh token' do
-      post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
-      should_have_json 'refresh_token', Doorkeeper::AccessToken.last.refresh_token
-      expect(@token.reload).to be_revoked
+    context "refresh_token revoked on use" do
+      it 'client request a token with refresh token' do
+        post refresh_token_endpoint_url(
+          client: @client, refresh_token: @token.refresh_token
+        )
+        should_have_json(
+          'refresh_token', Doorkeeper::AccessToken.last.refresh_token
+        )
+        expect(@token.reload).not_to be_revoked
+      end
+      it 'client request a token with expired access token' do
+        @token.update_attribute :expires_in, -100
+        post refresh_token_endpoint_url(
+          client: @client, refresh_token: @token.refresh_token
+        )
+        should_have_json(
+          'refresh_token', Doorkeeper::AccessToken.last.refresh_token
+        )
+        expect(@token.reload).not_to be_revoked
+      end
     end
-    it 'client request a token with expired access token' do
-      @token.update_attribute :expires_in, -100
-      post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
-      should_have_json 'refresh_token', Doorkeeper::AccessToken.last.refresh_token
-      expect(@token.reload).to be_revoked
+    context "refresh_token revoked on refresh_token request" do
+      before do
+        allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
+      end
+      it 'client request a token with refresh token' do
+        post refresh_token_endpoint_url(
+          client: @client, refresh_token: @token.refresh_token
+        )
+        should_have_json(
+          'refresh_token', Doorkeeper::AccessToken.last.refresh_token
+        )
+        expect(@token.reload).to be_revoked
+      end
+      it 'client request a token with expired access token' do
+        @token.update_attribute :expires_in, -100
+        post refresh_token_endpoint_url(
+          client: @client, refresh_token: @token.refresh_token
+        )
+        should_have_json(
+          'refresh_token', Doorkeeper::AccessToken.last.refresh_token
+        )
+        expect(@token.reload).to be_revoked
+      end
     end
     it 'client gets an error for invalid refresh token' do
@@ -59,14 +101,14 @@ describe 'Refresh Token Flow' do
       should_have_json 'error', 'invalid_grant'
     end
-    it 'client gets an error for revoked acccess token' do
+    it 'client gets an error for revoked access token' do
       @token.revoke
       post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
       should_not_have_json 'refresh_token'
       should_have_json 'error', 'invalid_grant'
     end
-    it 'second of simultaneous client requests get an error for revoked acccess token' do
+    it 'second of simultaneous client requests get an error for revoked access token' do
       allow_any_instance_of(Doorkeeper::AccessToken).to receive(:revoked?).and_return(false, true)
       post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
@@ -79,20 +121,48 @@ describe 'Refresh Token Flow' do
     before do
       # enable password auth to simulate other devices
       config_is_set(:grant_flows, ["password"])
-      config_is_set(:resource_owner_from_credentials) { User.authenticate! params[:username], params[:password] }
+      config_is_set(:resource_owner_from_credentials) do
+        User.authenticate! params[:username], params[:password]
+      end
       create_resource_owner
-      _another_token = post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
+      _another_token = post password_token_endpoint_url(
+        client: @client, resource_owner: @resource_owner
+      )
       last_token.update_attribute :created_at, 5.seconds.ago
-      @token = FactoryGirl.create(:access_token, application: @client, resource_owner_id: @resource_owner.id, use_refresh_token: true)
+      @token = FactoryBot.create(
+        :access_token,
+        application: @client,
+        resource_owner_id: @resource_owner.id,
+        use_refresh_token: true
+      )
       @token.update_attribute :expires_in, -100
     end
-    it 'client request a token after creating another token with the same user' do
-      post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
+    context "refresh_token revoked on use" do
+      it 'client request a token after creating another token with the same user' do
+        post refresh_token_endpoint_url(
+          client: @client, refresh_token: @token.refresh_token
+        )
+        should_have_json 'refresh_token', last_token.refresh_token
+        expect(@token.reload).not_to be_revoked
+      end
+    end
+    context "refresh_token revoked on refresh_token request" do
+      before do
+        allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
+      end
+      it 'client request a token after creating another token with the same user' do
+        post refresh_token_endpoint_url(
+          client: @client, refresh_token: @token.refresh_token
+        )
-      should_have_json 'refresh_token', last_token.refresh_token
-      expect(@token.reload).to be_revoked
+        should_have_json 'refresh_token', last_token.refresh_token
+        expect(@token.reload).to be_revoked
+      end
     end
     def last_token