doorkeeper 3.1.0 → 4.4.3

data/README.md

@@ -1,58 +1,74 @@
-# Doorkeeper - awesome oauth provider for your Rails app.
+# Doorkeeper - awesome OAuth 2 provider for your Rails app.
 
-[![Build Status](https://travis-ci.org/doorkeeper-gem/doorkeeper.svg?branch=master)](https://travis-ci.org/doorkeeper-gem/doorkeeper)
-[![Dependency Status](https://gemnasium.com/applicake/doorkeeper.svg?travis)](https://gemnasium.com/applicake/doorkeeper)
-[![Code Climate](https://codeclimate.com/github/applicake/doorkeeper.svg)](https://codeclimate.com/github/applicake/doorkeeper)
 [![Gem Version](https://badge.fury.io/rb/doorkeeper.svg)](https://rubygems.org/gems/doorkeeper)
+[![Build Status](https://travis-ci.org/doorkeeper-gem/doorkeeper.svg?branch=master)](https://travis-ci.org/doorkeeper-gem/doorkeeper)
+[![Dependency Status](https://gemnasium.com/doorkeeper-gem/doorkeeper.svg?travis)](https://gemnasium.com/doorkeeper-gem/doorkeeper)
+[![Code Climate](https://codeclimate.com/github/doorkeeper-gem/doorkeeper.svg)](https://codeclimate.com/github/doorkeeper-gem/doorkeeper)
+[![Coverage Status](https://coveralls.io/repos/github/doorkeeper-gem/doorkeeper/badge.svg?branch=master)](https://coveralls.io/github/doorkeeper-gem/doorkeeper?branch=master)
+[![Security](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master.svg)](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master)
 
 Doorkeeper is a gem that makes it easy to introduce OAuth 2 provider
 functionality to your Rails or Grape application.
 
-[PR 567]: https://github.com/doorkeeper-gem/doorkeeper/pull/567
+Supported features:
 
+- [The OAuth 2.0 Authorization Framework](https://tools.ietf.org/html/rfc6749)
+  - [Authorization Code Flow](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.1)
+  - [Access Token Scopes](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-3.3)
+  - [Refresh token](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-1.5)
+  - [Implicit grant](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.2)
+  - [Resource Owner Password Credentials](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.3)
+  - [Client Credentials](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.4)
+- [OAuth 2.0 Token Revocation](http://tools.ietf.org/html/rfc7009)
+- [OAuth 2.0 Token Introspection](https://tools.ietf.org/html/rfc7662)
 
 ## Documentation valid for `master` branch
 
 Please check the documentation for the version of doorkeeper you are using in:
 https://github.com/doorkeeper-gem/doorkeeper/releases
 
+- See the [wiki](https://github.com/doorkeeper-gem/doorkeeper/wiki)
+- For general questions, please post in [Stack Overflow](http://stackoverflow.com/questions/tagged/doorkeeper)
+- See [SECURITY.md](SECURITY.md) for this project's security disclose
+  policy
+
 ## Table of Contents
 
 <!-- START doctoc generated TOC please keep comment here to allow auto update -->
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
-- [Useful links](#useful-links)
+
 - [Installation](#installation)
 - [Configuration](#configuration)
+  - [ORM](#orm)
     - [Active Record](#active-record)
-    - [Other ORMs](#other-orms)
-    - [Routes](#routes)
-    - [Authenticating](#authenticating)
-    - [Internationalization (I18n)](#internationalization-i18n)
+    - [MongoDB](#mongodb)
+    - [Sequel](#sequel)
+    - [Couchbase](#couchbase)
+  - [Routes](#routes)
+  - [Authenticating](#authenticating)
+  - [Internationalization (I18n)](#internationalization-i18n)
 - [Protecting resources with OAuth (a.k.a your API endpoint)](#protecting-resources-with-oauth-aka-your-api-endpoint)
-    - [Protect your API with OAuth when using Grape](#protect-your-api-with-oauth-when-using-grape)
-    - [Route Constraints and other integrations](#route-constraints-and-other-integrations)
-    - [Access Token Scopes](#access-token-scopes)
-    - [Custom Access Token Generator](#custom-access-token-generator)
-    - [Authenticated resource owner](#authenticated-resource-owner)
-    - [Applications list](#applications-list)
+  - [Ruby on Rails controllers](#ruby-on-rails-controllers)
+  - [Grape endpoints](#grape-endpoints)
+  - [Route Constraints and other integrations](#route-constraints-and-other-integrations)
+  - [Access Token Scopes](#access-token-scopes)
+  - [Custom Access Token Generator](#custom-access-token-generator)
+  - [Authenticated resource owner](#authenticated-resource-owner)
+  - [Applications list](#applications-list)
 - [Other customizations](#other-customizations)
+- [Testing](#testing)
 - [Upgrading](#upgrading)
 - [Development](#development)
 - [Contributing](#contributing)
 - [Other resources](#other-resources)
-    - [Wiki](#wiki)
-    - [Screencast](#screencast)
-    - [Client applications](#client-applications)
-    - [Contributors](#contributors)
-    - [IETF Standards](#ietf-standards)
-    - [License](#license)
-<!-- END doctoc generated TOC please keep comment here to allow auto update -->
-
+  - [Wiki](#wiki)
+  - [Screencast](#screencast)
+  - [Client applications](#client-applications)
+  - [Contributors](#contributors)
+  - [IETF Standards](#ietf-standards)
+  - [License](#license)
 
-## Useful links
-
-- For documentation, please check out our [wiki](https://github.com/doorkeeper-gem/doorkeeper/wiki)
-- For general questions, please post it in [stack overflow](http://stackoverflow.com/questions/tagged/doorkeeper)
+<!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
 ## Installation
 
@@ -70,24 +86,66 @@ This will install the doorkeeper initializer into `config/initializers/doorkeepe
 
 ## Configuration
 
-### Active Record
+### ORM
+
+#### Active Record
 
-By default doorkeeper is configured to use active record, so to start you have
-to generate the migration tables:
+By default doorkeeper is configured to use Active Record, so to start you have
+to generate the migration tables (supports Rails >= 5 migrations versioning):
 
     rails generate doorkeeper:migration
 
-Don't forget to run the migration with:
+You may want to add foreign keys to your migration. For example, if you plan on
+using `User` as the resource owner, add the following line to the migration file
+for each table that includes a `resource_owner_id` column:
+
+```ruby
+add_foreign_key :table_name, :users, column: :resource_owner_id
+```
+
+Then run migrations:
 
-    rake db:migrate
+```sh
+rake db:migrate
+```
 
-### Other ORMs
+Remember to add associations to your model so the related records are deleted.
+If you don't do this an `ActiveRecord::InvalidForeignKey`-error will be raised
+when you try to destroy a model with related access grants or access tokens.
 
-See [doorkeeper-mongodb project] for mongoid and mongomapper support. Follow along
+```ruby
+class User < ApplicationRecord
+  has_many :access_grants, class_name: "Doorkeeper::AccessGrant",
+                           foreign_key: :resource_owner_id,
+                           dependent: :delete_all # or :destroy if you need callbacks
+
+  has_many :access_tokens, class_name: "Doorkeeper::AccessToken",
+                           foreign_key: :resource_owner_id,
+                           dependent: :delete_all # or :destroy if you need callbacks
+end
+```
+
+#### MongoDB
+
+See [doorkeeper-mongodb project] for Mongoid and MongoMapper support. Follow along
 the implementation in that repository to extend doorkeeper with other ORMs.
 
 [doorkeeper-mongodb project]: https://github.com/doorkeeper-gem/doorkeeper-mongodb
 
+#### Sequel
+
+If you are using [Sequel gem] then you can add [doorkeeper-sequel extension] to your project.
+Follow configuration instructions for setting up the necessary Doorkeeper ORM.
+
+[Sequel gem]: https://github.com/jeremyevans/sequel/
+[doorkeeper-sequel extension]: https://github.com/nbulaj/doorkeeper-sequel
+
+#### Couchbase
+
+Use [doorkeeper-couchbase] extension if you are using Couchbase database.
+
+[doorkeeper-couchbase]: https://github.com/acaprojects/doorkeeper-couchbase
+
 ### Routes
 
 The installation script will also automatically add the Doorkeeper routes into
@@ -102,12 +160,13 @@ end
 
 This will mount following routes:
 
-    GET       /oauth/authorize/:code
+    GET       /oauth/authorize/native?code
     GET       /oauth/authorize
     POST      /oauth/authorize
     DELETE    /oauth/authorize
     POST      /oauth/token
     POST      /oauth/revoke
+    POST      /oauth/introspect
     resources /oauth/applications
     GET       /oauth/authorized_applications
     DELETE    /oauth/authorized_applications/:id
@@ -119,12 +178,12 @@ wiki](https://github.com/doorkeeper-gem/doorkeeper/wiki/Customizing-routes).
 ### Authenticating
 
 You need to configure Doorkeeper in order to provide `resource_owner` model
-and authentication block `initializers/doorkeeper.rb`
+and authentication block in `config/initializers/doorkeeper.rb`:
 
 ``` ruby
 Doorkeeper.configure do
   resource_owner_authenticator do
-    User.find_by_id(session[:current_user_id]) || redirect_to(login_url)
+    User.find_by(id: session[:current_user_id]) || redirect_to(login_url)
   end
 end
 ```
@@ -137,16 +196,17 @@ the methods defined over there.
 You may want to check other ways of authentication
 [here](https://github.com/doorkeeper-gem/doorkeeper/wiki/Authenticating-using-Clearance-or-DIY).
 
-
 ### Internationalization (I18n)
 
 See language files in [the I18n repository](https://github.com/doorkeeper-gem/doorkeeper-i18n).
 
-
 ## Protecting resources with OAuth (a.k.a your API endpoint)
 
-To protect your API with OAuth, you just need to setup `before_action`s
-specifying the actions you want to protect. For example:
+### Ruby on Rails controllers
+
+To protect your controllers (usual one or `ActionController::API`) with OAuth,
+you just need to setup `before_action`s specifying the actions you want to
+protect. For example:
 
 ``` ruby
 class Api::V1::ProductsController < Api::V1::ApiController
@@ -159,16 +219,17 @@ end
 You can pass any option `before_action` accepts, such as `if`, `only`,
 `except`, and others.
 
-### Protect your API with OAuth when using Grape
+### Grape endpoints
 
-As of [PR 567] doorkeeper has helpers for Grape. One of them is
-`doorkeeper_authorize!` and can be used in a similar way as an example above.
-Note that you have to use `require 'doorkeeper/grape/helpers'` and
-`helpers Doorkeeper::Grape::Helpers`.
+Starting from version 2.2 Doorkeeper provides helpers for the
+[Grape framework] >= 0.10. One of them is `doorkeeper_authorize!` that
+can be used in a similar way as an example above to protect your API
+with OAuth. Note that you have to use `require 'doorkeeper/grape/helpers'`
+and `helpers Doorkeeper::Grape::Helpers` in your Grape API class.
 
 For more information about integration with Grape see the [Wiki].
 
-[PR 567]: https://github.com/doorkeeper-gem/doorkeeper/pull/567
+[Grape framework]: https://github.com/ruby-grape/grape
 [Wiki]: https://github.com/doorkeeper-gem/doorkeeper/wiki/Grape-Integration
 
 ``` ruby
@@ -183,13 +244,17 @@ module API
         doorkeeper_authorize!
       end
 
+      # route_setting :scopes, ['user:email'] - for old versions of Grape
+      get :emails, scopes: [:user, :write] do
+        [{'email' => current_user.email}]
+      end
+
       # ...
     end
   end
 end
 ```
 
-
 ### Route Constraints and other integrations
 
 You can leverage the `Doorkeeper.authenticate` facade to easily extract a
@@ -204,7 +269,6 @@ module Constraint
       token = Doorkeeper.authenticate(request)
       token && token.accessible?
     end
-
   end
 end
 ```
@@ -238,13 +302,13 @@ class Api::V1::ProductsController < Api::V1::ApiController
 end
 ```
 
-Please note that there is a logical OR between multiple required scopes. In
+Please note that there is a logical OR between multiple required scopes. In the
 above example, `doorkeeper_authorize! :admin, :write` means that the access
-token is required to have either `:admin` scope or `:write` scope, but not need
-have both of them.
+token is required to have either `:admin` scope or `:write` scope, but does not
+need have both of them.
 
-If want to require the access token to have multiple scopes at the same time,
-use multiple `doorkeeper_authorize!`, for example:
+If you want to require the access token to have multiple scopes at the same
+time, use multiple `doorkeeper_authorize!`, for example:
 
 ```ruby
 class Api::V1::ProductsController < Api::V1::ApiController
@@ -256,8 +320,8 @@ class Api::V1::ProductsController < Api::V1::ApiController
 end
 ```
 
-In above example, a client can call `:create` action only if its access token
-have both `:admin` and `:write` scopes.
+In the above example, a client can call `:create` action only if its access token
+has both `:admin` and `:write` scopes.
 
 ### Custom Access Token Generator
 
@@ -274,6 +338,18 @@ end
 JWT token support is available with
 [Doorkeeper-JWT](https://github.com/chriswarren/doorkeeper-jwt).
 
+### Custom Base Controller
+
+By default Doorkeeper's main controller `Doorkeeper::ApplicationController`
+inherits from `ActionController::Base`. You may want to use your own
+controller to inherit from, to keep Doorkeeper controllers in the same
+context than the rest your app:
+
+```ruby
+Doorkeeper.configure do
+  base_controller 'ApplicationController'
+end
+```
 
 ### Authenticated resource owner
 
@@ -305,28 +381,38 @@ token owner.
 
 ### Applications list
 
-By default, the applications list (`/oauth/applications`) is public available.
+By default, the applications list (`/oauth/applications`) is publicly available.
 To protect the endpoint you should uncomment these lines:
 
 ```ruby
 # config/initializers/doorkeeper.rb
 Doorkeeper.configure do
   admin_authenticator do |routes|
-    Admin.find_by_id(session[:admin_id]) || redirect_to(routes.new_admin_session_url)
+    Admin.find_by(id: session[:admin_id]) || redirect_to(routes.new_admin_session_url)
   end
 end
 ```
 
 The logic is the same as the `resource_owner_authenticator` block. **Note:**
 since the application list is just a scaffold, it's recommended to either
-customize the controller used by the list or skip the controller at all. For
-more information see the page [in the
-wiki](https://github.com/doorkeeper-gem/doorkeeper/wiki/Customizing-routes).
+customize the controller used by the list or skip the controller all together.
+For more information see the page
+[in the wiki](https://github.com/doorkeeper-gem/doorkeeper/wiki/Customizing-routes).
 
 ## Other customizations
 
 - [Associate users to OAuth applications (ownership)](https://github.com/doorkeeper-gem/doorkeeper/wiki/Associate-users-to-OAuth-applications-%28ownership%29)
 - [CORS - Cross Origin Resource Sharing](https://github.com/doorkeeper-gem/doorkeeper/wiki/%5BCORS%5D-Cross-Origin-Resource-Sharing)
+- see more on [Wiki page](https://github.com/doorkeeper-gem/doorkeeper/wiki)
+
+## Testing
+
+You can use Doorkeeper models in your application test suite. Note that starting from
+Doorkeeper 4.3.0 it uses [ActiveSupport lazy loading hooks](http://api.rubyonrails.org/classes/ActiveSupport/LazyLoadHooks.html)
+to load models. There are [known issue](https://github.com/doorkeeper-gem/doorkeeper/issues/1043)
+with the `factory_bot_rails` gem (it executes factories building before `ActiveRecord::Base`
+is initialized using hooks in gem railtie, so you can catch a `uninitialized constant` error).
+It is recommended to use pure `factory_bot` gem to solve this problem. 
 
 ## Upgrading
 
@@ -353,8 +439,6 @@ tests with a specific ORM and Rails version:
 rails=4.2.0 orm=active_record bundle exec rake
 ```
 
-Or you might prefer to run `script/run_all` to integrate against all ORMs.
-
 ## Contributing
 
 Want to contribute and don't know where to start? Check out [features we're
@@ -370,7 +454,7 @@ page](https://github.com/doorkeeper-gem/doorkeeper/wiki/Contributing).
 
 ### Wiki
 
-You can find everything about doorkeeper in our [wiki
+You can find everything about Doorkeeper in our [wiki
 here](https://github.com/doorkeeper-gem/doorkeeper/wiki).
 
 ### Screencast
@@ -392,7 +476,6 @@ here](https://github.com/doorkeeper-gem/doorkeeper/wiki/Testing-your-provider-wi
 Thanks to all our [awesome
 contributors](https://github.com/doorkeeper-gem/doorkeeper/graphs/contributors)!
 
-
 ### IETF Standards
 
 * [The OAuth 2.0 Authorization Framework](http://tools.ietf.org/html/rfc6749)

data/RELEASING.md

@@ -1,17 +1,10 @@
 # Releasing doorkeeper
 
+How to release doorkeeper in five easy steps!
+
 1. Update `lib/doorkeeper/version.rb` file accordingly.
 2. Update `NEWS.md` to reflect the changes since last release.
-3. Commit changes. There shouldn’t be code changes, and thus CI doesn’t need to
-   run, you can then add “[ci skip]” to the commit message.
-4. Tag the release: `git tag vVERSION -m "Release vVERSION"`
-5. Push changes: `git push && git push --tags`
-6. Build and publish the gem:
-
-   ```bash
-   gem build doorkeeper.gemspec
-   gem push doorkeeper-*.gem
-   ```
-
-7. Announce the new release, making sure to say “thank you” to the contributors
+3. Commit changes: `git commit -am 'Bump to vVERSION'`
+4. Run `rake release`
+5. Announce the new release, making sure to say “thank you” to the contributors
    who helped shape this version!

data/Rakefile

@@ -2,7 +2,7 @@ require 'bundler/setup'
 require 'rspec/core/rake_task'
 
 desc 'Default: run specs.'
-task :default => :spec
+task default: :spec
 
 desc "Run all specs"
 RSpec::Core::RakeTask.new(:spec) do |config|

data/SECURITY.md

@@ -0,0 +1,15 @@
+# Reporting security issues in Doorkeeper
+
+Hello! Thank you for wanting to disclose a possible security
+vulnerability within the Doorkeeper gem! Please follow our disclosure
+policy as outlined below:
+
+1. Do NOT open up a GitHub issue with your report. Security reports
+   should be kept private until a possible fix is determined.
+2. Send an email to Nikita Bulai at bulaj.nikita AT gmail.com or one of
+   the others Doorkeeper maintainers listed in gemspec. You should receive
+   a prompt response.
+3. Be patient. Since Doorkeeper is in a stable maintenance phase, we want to
+   do as little as possible to rock the boat of the project.
+
+Thank you very much for adhering for these policies!

data/app/controllers/doorkeeper/application_controller.rb

@@ -1,12 +1,10 @@
 module Doorkeeper
-  class ApplicationController < ActionController::Base
+  class ApplicationController <
+    Doorkeeper.configuration.base_controller.constantize
+
     include Helpers::Controller
 
-    if ::Rails.version.to_i < 4
-      protect_from_forgery
-    else
-      protect_from_forgery with: :exception
-    end
+    protect_from_forgery with: :exception
 
     helper 'doorkeeper/dashboard'
   end

data/app/controllers/doorkeeper/application_metal_controller.rb

@@ -1,16 +1,17 @@
 module Doorkeeper
   class ApplicationMetalController < ActionController::Metal
     MODULES = [
-      ActionController::RackDelegation,
       ActionController::Instrumentation,
       AbstractController::Rendering,
       ActionController::Rendering,
       ActionController::Renderers::All,
       Helpers::Controller
-    ]
+    ].freeze
 
     MODULES.each do |mod|
       include mod
     end
+
+    ActiveSupport.run_load_hooks(:doorkeeper_metal_controller, self)
   end
 end

data/app/controllers/doorkeeper/applications_controller.rb

@@ -2,13 +2,24 @@ module Doorkeeper
   class ApplicationsController < Doorkeeper::ApplicationController
     layout 'doorkeeper/admin'
 
-    before_filter :authenticate_admin!
-    before_filter :set_application, only: [:show, :edit, :update, :destroy]
+    before_action :authenticate_admin!
+    before_action :set_application, only: [:show, :edit, :update, :destroy]
 
     def index
-      @applications = Application.all
+      @applications = if Application.respond_to?(:ordered_by)
+                        Application.ordered_by(:created_at)
+                      else
+                        ActiveSupport::Deprecation.warn <<-MSG.squish
+                          Doorkeeper #{Doorkeeper.configuration.orm} extension must implement #ordered_by
+                          method for it's models as it will be used by default in Doorkeeper 5.
+                        MSG
+
+                        Application.all
+                      end
     end
 
+    def show; end
+
     def new
       @application = Application.new
     end
@@ -23,6 +34,8 @@ module Doorkeeper
       end
     end
 
+    def edit; end
+
     def update
       if @application.update_attributes(application_params)
         flash[:notice] = I18n.t(:notice, scope: [:doorkeeper, :flash, :applications, :update])
@@ -44,11 +57,8 @@ module Doorkeeper
     end
 
     def application_params
-      if params.respond_to?(:permit)
-        params.require(:doorkeeper_application).permit(:name, :redirect_uri, :scopes)
-      else
-        params[:doorkeeper_application].slice(:name, :redirect_uri, :scopes) rescue nil
-      end
+      params.require(:doorkeeper_application).
+        permit(:name, :redirect_uri, :scopes, :confidential)
     end
   end
 end

data/app/controllers/doorkeeper/authorizations_controller.rb

@@ -1,6 +1,6 @@
 module Doorkeeper
   class AuthorizationsController < Doorkeeper::ApplicationController
-    before_filter :authenticate_resource_owner!
+    before_action :authenticate_resource_owner!
 
     def new
       if pre_auth.authorizable?

data/app/controllers/doorkeeper/authorized_applications_controller.rb

@@ -1,6 +1,6 @@
 module Doorkeeper
   class AuthorizedApplicationsController < Doorkeeper::ApplicationController
-    before_filter :authenticate_resource_owner!
+    before_action :authenticate_resource_owner!
 
     def index
       @applications = Application.authorized_for(current_resource_owner)

data/app/controllers/doorkeeper/tokens_controller.rb

@@ -2,38 +2,85 @@ module Doorkeeper
   class TokensController < Doorkeeper::ApplicationMetalController
     def create
       response = authorize_response
-      self.headers.merge! response.headers
+      headers.merge! response.headers
       self.response_body = response.body.to_json
-      self.status        = response.status
+      self.status = response.status
     rescue Errors::DoorkeeperError => e
       handle_token_exception e
     end
 
     # OAuth 2.0 Token Revocation - http://tools.ietf.org/html/rfc7009
     def revoke
-      # The authorization server first validates the client credentials
-      if doorkeeper_token && doorkeeper_token.accessible?
-        # Doorkeeper does not use the token_type_hint logic described in the RFC 7009
-        # due to the refresh token implementation that is a field in the access token model.
-        revoke_token(request.POST['token']) if request.POST['token']
+      # The authorization server, if applicable, first authenticates the client
+      # and checks its ownership of the provided token.
+      #
+      # Doorkeeper does not use the token_type_hint logic described in the
+      # RFC 7009 due to the refresh token implementation that is a field in
+      # the access token model.
+      if authorized?
+        revoke_token
       end
-      # The authorization server responds with HTTP status code 200 if the
-      # token has been revoked successfully or if the client submitted an invalid token
+
+      # The authorization server responds with HTTP status code 200 if the token
+      # has been revoked successfully or if the client submitted an invalid
+      # token
       render json: {}, status: 200
     end
 
+    def introspect
+      introspection = OAuth::TokenIntrospection.new(server, token)
+
+      if introspection.authorized?
+        render json: introspection.to_json, status: 200
+      else
+        error = OAuth::ErrorResponse.new(name: introspection.error)
+        response.headers.merge!(error.headers)
+        render json: error.body, status: error.status
+      end
+    end
+
     private
 
-    def revoke_token(token)
-      token = AccessToken.by_token(token) || AccessToken.by_refresh_token(token)
-      if token && doorkeeper_token.same_credential?(token)
-        token.revoke
-        true
+    # OAuth 2.0 Section 2.1 defines two client types, "public" & "confidential".
+    # Public clients (as per RFC 7009) do not require authentication whereas
+    # confidential clients must be authenticated for their token revocation.
+    #
+    # Once a confidential client is authenticated, it must be authorized to
+    # revoke the provided access or refresh token. This ensures one client
+    # cannot revoke another's tokens.
+    #
+    # Doorkeeper determines the client type implicitly via the presence of the
+    # OAuth client associated with a given access or refresh token. Since public
+    # clients authenticate the resource owner via "password" or "implicit" grant
+    # types, they set the application_id as null (since the claim cannot be
+    # verified).
+    #
+    # https://tools.ietf.org/html/rfc6749#section-2.1
+    # https://tools.ietf.org/html/rfc7009
+    def authorized?
+      return unless token.present?
+      # Client is confidential, therefore client authentication & authorization
+      # is required
+      if token.application_id? && token.application.confidential?
+        # We authorize client by checking token's application
+        server.client && server.client.application == token.application
       else
-        false
+        # Client is public, authentication unnecessary
+        true
       end
     end
 
+    def revoke_token
+      if token.accessible?
+        token.revoke
+      end
+    end
+
+    def token
+      @token ||= AccessToken.by_token(request.POST['token']) ||
+        AccessToken.by_refresh_token(request.POST['token'])
+    end
+
     def strategy
       @strategy ||= server.token_request params[:grant_type]
     end