doorkeeper 3.1.0 → 4.4.3

data/app/helpers/doorkeeper/dashboard_helper.rb

@@ -1,15 +1,19 @@
-module Doorkeeper::DashboardHelper
-  def doorkeeper_errors_for(object, method)
-    if object.errors[method].present?
-      object.errors[method].map do |msg|
-        content_tag(:span, class: 'help-block') do
-          msg.capitalize
+module Doorkeeper
+  module DashboardHelper
+    def doorkeeper_errors_for(object, method)
+      if object.errors[method].present?
+        output = object.errors[method].map do |msg|
+          content_tag(:span, class: 'help-block') do
+            msg.capitalize
+          end
         end
-      end.join.html_safe
+
+        safe_join(output)
+      end
     end
-  end
 
-  def doorkeeper_submit_path(application)
-    application.persisted? ? oauth_application_path(application) : oauth_applications_path
+    def doorkeeper_submit_path(application)
+      application.persisted? ? oauth_application_path(application) : oauth_applications_path
+    end
   end
 end

data/app/validators/redirect_uri_validator.rb

@@ -11,7 +11,8 @@ class RedirectUriValidator < ActiveModel::EachValidator
     else
       value.split.each do |val|
         uri = ::URI.parse(val)
-        return if native_redirect_uri?(uri)
+        next if native_redirect_uri?(uri)
+        record.errors.add(attribute, :forbidden_uri) if forbidden_uri?(uri)
         record.errors.add(attribute, :fragment_present) unless uri.fragment.nil?
         record.errors.add(attribute, :relative_uri) if uri.scheme.nil? || uri.host.nil?
         record.errors.add(attribute, :secured_uri) if invalid_ssl_uri?(uri)
@@ -27,8 +28,17 @@ class RedirectUriValidator < ActiveModel::EachValidator
     self.class.native_redirect_uri.present? && uri.to_s == self.class.native_redirect_uri.to_s
   end
 
+  def forbidden_uri?(uri)
+    Doorkeeper.configuration.forbid_redirect_uri.call(uri)
+  end
+
   def invalid_ssl_uri?(uri)
     forces_ssl = Doorkeeper.configuration.force_ssl_in_redirect_uri
-    forces_ssl && uri.try(:scheme) == 'http'
+
+    if forces_ssl.respond_to?(:call)
+      forces_ssl.call(uri)
+    else
+      forces_ssl && uri.try(:scheme) == 'http'
+    end
   end
 end

data/app/views/doorkeeper/applications/_delete_form.html.erb

@@ -1,5 +1,4 @@
 <%- submit_btn_css ||= 'btn btn-link' %>
-<%= form_tag oauth_application_path(application) do %>
-  <input type="hidden" name="_method" value="delete">
+<%= form_tag oauth_application_path(application), method: :delete do %>
   <%= submit_tag t('doorkeeper.applications.buttons.destroy'), onclick: "return confirm('#{ t('doorkeeper.applications.confirmations.destroy') }')", class: submit_btn_css %>
 <% end %>

data/app/views/doorkeeper/applications/_form.html.erb

@@ -21,12 +21,23 @@
       </span>
       <% if Doorkeeper.configuration.native_redirect_uri %>
           <span class="help-block">
-            <%= raw t('doorkeeper.applications.help.native_redirect_uri', native_redirect_uri: "<code>#{ Doorkeeper.configuration.native_redirect_uri }</code>") %>
+            <%= raw t('doorkeeper.applications.help.native_redirect_uri', native_redirect_uri: content_tag(:code) { Doorkeeper.configuration.native_redirect_uri }) %>
           </span>
       <% end %>
     </div>
   <% end %>
 
+  <%= content_tag :div, class: "form-group#{' has-error' if application.errors[:confidential].present?}" do %>
+    <%= f.label :confidential, class: 'col-sm-2 control-label' %>
+    <div class="col-sm-10">
+      <%= f.check_box :confidential, class: 'form-control', disabled: !Doorkeeper::Application.supports_confidentiality? %>
+      <%= doorkeeper_errors_for application, :confidential %>
+      <span class="help-block">
+        <%= t('doorkeeper.applications.help.confidential') %>
+      </span>
+    </div>
+  <% end %>
+
   <%= content_tag :div, class: "form-group#{' has-error' if application.errors[:scopes].present?}" do %>
     <%= f.label :scopes, class: 'col-sm-2 control-label' %>
     <div class="col-sm-10">
@@ -41,7 +52,7 @@
   <div class="form-group">
     <div class="col-sm-offset-2 col-sm-10">
       <%= f.submit t('doorkeeper.applications.buttons.submit'), class: "btn btn-primary" %>
-      <%= link_to t('doorkeeper.applications.buttons.cancel'), oauth_applications_path, :class => "btn btn-default" %>
+      <%= link_to t('doorkeeper.applications.buttons.cancel'), oauth_applications_path, class: "btn btn-default" %>
     </div>
   </div>
 <% end %>

data/app/views/doorkeeper/applications/index.html.erb

@@ -9,6 +9,7 @@
   <tr>
     <th><%= t('.name') %></th>
     <th><%= t('.callback_url') %></th>
+    <th><%= t('.confidential') %></th>
     <th></th>
     <th></th>
   </tr>
@@ -18,6 +19,7 @@
     <tr id="application_<%= application.id %>">
       <td><%= link_to application.name, oauth_application_path(application) %></td>
       <td><%= application.redirect_uri %></td>
+      <td><%= application.confidential? ? t('doorkeeper.applications.index.confidentiality.yes') : t('doorkeeper.applications.index.confidentiality.no') %></td>
       <td><%= link_to t('doorkeeper.applications.buttons.edit'), edit_oauth_application_path(application), class: 'btn btn-link' %></td>
       <td><%= render 'delete_form', application: application %></td>
     </tr>

data/app/views/doorkeeper/applications/show.html.erb

@@ -13,6 +13,9 @@
     <h4><%= t('.scopes') %>:</h4>
     <p><code id="scopes"><%= @application.scopes %></code></p>
 
+    <h4><%= t('.confidential') %>:</h4>
+    <p><code id="confidential"><%= @application.confidential? %></code></p>
+
     <h4><%= t('.callback_urls') %>:</h4>
 
     <table>
@@ -22,7 +25,7 @@
             <code><%= uri %></code>
           </td>
           <td>
-            <%= link_to t('doorkeeper.applications.buttons.authorize'), oauth_authorization_path(client_id: @application.uid, redirect_uri: uri, response_type: 'code'), class: 'btn btn-success', target: '_blank' %>
+            <%= link_to t('doorkeeper.applications.buttons.authorize'), oauth_authorization_path(client_id: @application.uid, redirect_uri: uri, response_type: 'code', scope: @application.scopes), class: 'btn btn-success', target: '_blank' %>
           </td>
         </tr>
       <% end %>

data/app/views/doorkeeper/authorizations/new.html.erb

@@ -4,7 +4,7 @@
 
 <main role="main">
   <p class="h4">
-    <%= raw t('.prompt', client_name: "<strong class=\"text-info\">#{ @pre_auth.client.name }</strong>") %>
+    <%= raw t('.prompt', client_name: content_tag(:strong, class: 'text-info') { @pre_auth.client.name }) %>
   </p>
 
   <% if @pre_auth.scopes.count > 0 %>

data/app/views/doorkeeper/authorized_applications/_delete_form.html.erb

@@ -1,5 +1,4 @@
 <%- submit_btn_css ||= 'btn btn-link' %>
-<%= form_tag oauth_authorized_application_path(application) do %>
-  <input type="hidden" name="_method" value="delete">
+<%= form_tag oauth_authorized_application_path(application), method: :delete do %>
   <%= submit_tag t('doorkeeper.authorized_applications.buttons.revoke'), onclick: "return confirm('#{ t('doorkeeper.authorized_applications.confirmations.revoke') }')", class: submit_btn_css %>
 <% end %>

data/app/views/doorkeeper/authorized_applications/index.html.erb

@@ -9,7 +9,6 @@
       <th><%= t('doorkeeper.authorized_applications.index.application') %></th>
       <th><%= t('doorkeeper.authorized_applications.index.created_at') %></th>
       <th></th>
-      <th></th>
     </tr>
     </thead>
     <tbody>

data/app/views/layouts/doorkeeper/admin.html.erb

@@ -19,7 +19,7 @@
         <%= link_to t('doorkeeper.layouts.admin.nav.applications'), oauth_applications_path %>
       <% end %>
       <%= content_tag :li do %>
-        <%= link_to 'Home', root_path %>
+        <%= link_to t('doorkeeper.layouts.admin.nav.home'), root_path %>
       <% end %>
     </ul>
   </div>

data/config/locales/en.yml

@@ -13,6 +13,7 @@ en:
               invalid_uri: 'must be a valid URI.'
               relative_uri: 'must be an absolute URI.'
               secured_uri: 'must be an HTTPS/SSL URI.'
+              forbidden_uri: 'is forbidden by the server.'
 
   doorkeeper:
     applications:
@@ -27,8 +28,9 @@ en:
       form:
         error: 'Whoops! Check your form for possible errors'
       help:
+        confidential: 'Application will be used where the client secret can be kept confidential. Native mobile apps and Single Page Apps are considered non-confidential.'
         redirect_uri: 'Use one line per URI'
-        native_redirect_uri: 'Use %{native_redirect_uri} for local tests'
+        native_redirect_uri: 'Use %{native_redirect_uri} if you want to add localhost URIs for development purposes'
         scopes: 'Separate scopes with spaces. Leave blank to use the default scopes.'
       edit:
         title: 'Edit application'
@@ -37,6 +39,10 @@ en:
         new: 'New Application'
         name: 'Name'
         callback_url: 'Callback URL'
+        confidential: 'Confidential?'
+        confidentiality:
+          'yes': 'Yes'
+          'no': 'No'
       new:
         title: 'New Application'
       show:
@@ -44,6 +50,7 @@ en:
         application_id: 'Application Id'
         secret: 'Secret'
         scopes: 'Scopes'
+        confidential: 'Confidential'
         callback_urls: 'Callback urls'
         actions: 'Actions'
 
@@ -75,16 +82,16 @@ en:
       messages:
         # Common error messages
         invalid_request: 'The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed.'
-        invalid_redirect_uri: 'The redirect uri included is not valid.'
+        invalid_redirect_uri: "The requested redirect uri is malformed or doesn't match client redirect URI."
         unauthorized_client: 'The client is not authorized to perform this request using this method.'
         access_denied: 'The resource owner or authorization server denied the request.'
         invalid_scope: 'The requested scope is invalid, unknown, or malformed.'
         server_error: 'The authorization server encountered an unexpected condition which prevented it from fulfilling the request.'
         temporarily_unavailable: 'The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server.'
 
-        #configuration error messages
+        # Configuration error messages
         credential_flow_not_configured: 'Resource Owner Password Credentials flow failed due to Doorkeeper.configure.resource_owner_from_credentials being unconfigured.'
-        resource_owner_authenticator_not_configured: 'Resource Owner find failed due to Doorkeeper.configure.resource_owner_authenticator being unconfiged.'
+        resource_owner_authenticator_not_configured: 'Resource Owner find failed due to Doorkeeper.configure.resource_owner_authenticator being unconfigured.'
 
         # Access grant errors
         unsupported_response_type: 'The authorization server does not support this response type.'
@@ -94,9 +101,6 @@ en:
         invalid_grant: 'The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.'
         unsupported_grant_type: 'The authorization grant type is not supported by the authorization server.'
 
-        # Password Access token errors
-        invalid_resource_owner: 'The provided resource owner credentials are not valid, or resource owner cannot be found'
-
         invalid_token:
           revoked: "The access token was revoked"
           expired: "The access token expired"
@@ -119,5 +123,6 @@ en:
         nav:
           oauth2_provider: 'OAuth2 Provider'
           applications: 'Applications'
+          home: 'Home'
       application:
         title: 'OAuth authorization required'

data/doorkeeper.gemspec

@@ -1,12 +1,12 @@
-$:.push File.expand_path("../lib", __FILE__)
+$LOAD_PATH.push File.expand_path("../lib", __FILE__)
 
 require "doorkeeper/version"
 
 Gem::Specification.new do |s|
   s.name        = "doorkeeper"
-  s.version     = Doorkeeper::VERSION
-  s.authors     = ["Felipe Elias Philipp", "Tute Costa"]
-  s.email       = %w(tutecosta@gmail.com)
+  s.version     = Doorkeeper.gem_version
+  s.authors     = ["Felipe Elias Philipp", "Tute Costa", "Jon Moss", "Nikita Bulai"]
+  s.email       = %w(bulaj.nikita@gmail.com)
   s.homepage    = "https://github.com/doorkeeper-gem/doorkeeper"
   s.summary     = "OAuth 2 provider for Rails and Grape"
   s.description = "Doorkeeper is an OAuth 2 provider for Rails and Grape."
@@ -16,12 +16,17 @@ Gem::Specification.new do |s|
   s.test_files    = `git ls-files -- spec/*`.split("\n")
   s.require_paths = ["lib"]
 
-  s.add_dependency "railties", ">= 3.2"
+  s.add_dependency "railties", ">= 4.2"
+  s.required_ruby_version = ">= 2.1"
 
-  s.add_development_dependency "rspec-rails", "~> 3.4.0"
-  s.add_development_dependency "capybara", "~> 2.3.0"
-  s.add_development_dependency "generator_spec", "~> 0.9.0"
-  s.add_development_dependency "factory_girl", "~> 4.5.0"
-  s.add_development_dependency "timecop", "~> 0.7.0"
-  s.add_development_dependency "database_cleaner", "~> 1.3.0"
+  s.add_development_dependency "capybara"
+  s.add_development_dependency "coveralls"
+  s.add_development_dependency "grape"
+  s.add_development_dependency "database_cleaner", "~> 1.6"
+  s.add_development_dependency "factory_bot", "~> 4.8"
+  s.add_development_dependency "generator_spec", "~> 0.9.3"
+  s.add_development_dependency "rake", ">= 11.3.0"
+  s.add_development_dependency "rspec-rails"
+
+  s.post_install_message = Doorkeeper::CVE_2018_1000211_WARNING
 end

data/gemfiles/rails_4_2.gemfile

@@ -0,0 +1,13 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "rails", "~> 4.2.0"
+gem "appraisal"
+gem "activerecord-jdbcsqlite3-adapter", platform: :jruby
+gem "sqlite3", platform: [:ruby, :mswin, :mingw, :x64_mingw]
+gem "tzinfo-data", platforms: [:mingw, :mswin, :x64_mingw]
+# Older Grape requires Ruby >= 2.2.2
+gem "grape", '~> 0.16', '< 0.19.2'
+
+gemspec path: "../"

data/gemfiles/rails_5_0.gemfile

@@ -0,0 +1,12 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "rails", "~> 5.0.0"
+gem "appraisal"
+gem "activerecord-jdbcsqlite3-adapter", platforms: :jruby
+gem "sqlite3", platforms: [:ruby, :mswin, :mingw, :x64_mingw]
+gem "tzinfo-data", platforms: [:mingw, :mswin, :x64_mingw]
+gem "rspec-rails", "~> 3.5"
+
+gemspec path: "../"

data/gemfiles/rails_5_1.gemfile

@@ -0,0 +1,12 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "rails", "~> 5.1.0"
+gem "appraisal"
+gem "activerecord-jdbcsqlite3-adapter", platforms: :jruby
+gem "sqlite3", platforms: [:ruby, :mswin, :mingw, :x64_mingw]
+gem "tzinfo-data", platforms: [:mingw, :mswin, :x64_mingw]
+gem "rspec-rails", "~> 3.7"
+
+gemspec path: "../"

data/gemfiles/rails_5_2.gemfile

@@ -0,0 +1,12 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "rails", "5.2.0.rc1"
+gem "appraisal"
+gem "activerecord-jdbcsqlite3-adapter", platforms: :jruby
+gem "sqlite3", platforms: [:ruby, :mswin, :mingw, :x64_mingw]
+gem "tzinfo-data", platforms: [:mingw, :mswin, :x64_mingw]
+gem "rspec-rails", "~> 3.7"
+
+gemspec path: "../"

data/gemfiles/rails_master.gemfile

@@ -0,0 +1,14 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "rails", git: 'https://github.com/rails/rails'
+gem "arel", git: 'https://github.com/rails/arel'
+
+gem "appraisal"
+gem "activerecord-jdbcsqlite3-adapter", platform: :jruby
+gem "sqlite3", platform: [:ruby, :mswin, :mingw, :x64_mingw]
+gem "tzinfo-data", platforms: [:mingw, :mswin, :x64_mingw]
+gem "rspec-rails", "~> 3.7"
+
+gemspec path: "../"

data/lib/doorkeeper/config.rb

@@ -1,5 +1,7 @@
 module Doorkeeper
   class MissingConfiguration < StandardError
+    # Defines a MissingConfiguration error for a missing Doorkeeper
+    # configuration
     def initialize
       super('Configuration for doorkeeper missing. Do you have doorkeeper initializer?')
     end
@@ -10,15 +12,10 @@ module Doorkeeper
     setup_orm_adapter
     setup_orm_models
     setup_application_owner if @config.enable_application_owner?
-    check_requirements
   end
 
   def self.configuration
-    @config || (fail MissingConfiguration.new)
-  end
-
-  def self.check_requirements
-    @orm_adapter.check_requirements!(configuration)
+    @config || (fail MissingConfiguration)
   end
 
   def self.setup_orm_adapter
@@ -52,51 +49,79 @@ doorkeeper.
         @config
       end
 
+      # Provide support for an owner to be assigned to each registered
+      # application (disabled by default)
+      # Optional parameter confirmation: true (default false) if you want
+      # to enforce ownership of a registered application
+      #
+      # @param opts [Hash] the options to confirm if an application owner
+      #   is present
+      # @option opts[Boolean] :confirmation (false)
+      #   Set confirm_application_owner variable
       def enable_application_owner(opts = {})
-        @config.instance_variable_set('@enable_application_owner', true)
+        @config.instance_variable_set(:@enable_application_owner, true)
         confirm_application_owner if opts[:confirmation].present? && opts[:confirmation]
       end
 
       def confirm_application_owner
-        @config.instance_variable_set('@confirm_application_owner', true)
+        @config.instance_variable_set(:@confirm_application_owner, true)
       end
 
+      # Define default access token scopes for your provider
+      #
+      # @param scopes [Array] Default set of access (OAuth::Scopes.new)
+      # token scopes
       def default_scopes(*scopes)
-        @config.instance_variable_set('@default_scopes', OAuth::Scopes.from_array(scopes))
+        @config.instance_variable_set(:@default_scopes, OAuth::Scopes.from_array(scopes))
       end
 
+      # Define default access token scopes for your provider
+      #
+      # @param scopes [Array] Optional set of access (OAuth::Scopes.new)
+      # token scopes
       def optional_scopes(*scopes)
-        @config.instance_variable_set('@optional_scopes', OAuth::Scopes.from_array(scopes))
+        @config.instance_variable_set(:@optional_scopes, OAuth::Scopes.from_array(scopes))
       end
 
+      # Change the way client credentials are retrieved from the request object.
+      # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
+      # falls back to the `:client_id` and `:client_secret` params from the
+      # `params` object.
+      #
+      # @param methods [Array] Define client credentials
       def client_credentials(*methods)
-        @config.instance_variable_set('@client_credentials', methods)
+        @config.instance_variable_set(:@client_credentials, methods)
       end
 
+      # Change the way access token is authenticated from the request object.
+      # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
+      # falls back to the `:access_token` or `:bearer_token` params from the
+      # `params` object.
+      #
+      # @param methods [Array] Define access token methods
       def access_token_methods(*methods)
-        @config.instance_variable_set('@access_token_methods', methods)
+        @config.instance_variable_set(:@access_token_methods, methods)
       end
 
+      # Issue access tokens with refresh token (disabled by default)
       def use_refresh_token
-        @config.instance_variable_set('@refresh_token_enabled', true)
-      end
-
-      def realm(realm)
-        @config.instance_variable_set('@realm', realm)
+        @config.instance_variable_set(:@refresh_token_enabled, true)
       end
 
+      # Reuse access token for the same resource owner within an application
+      # (disabled by default)
+      # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/383
       def reuse_access_token
-        @config.instance_variable_set("@reuse_access_token", true)
-      end
-
-      def force_ssl_in_redirect_uri(boolean)
-        @config.instance_variable_set("@force_ssl_in_redirect_uri", boolean)
+        @config.instance_variable_set(:@reuse_access_token, true)
       end
 
-      def access_token_generator(access_token_generator)
-        @config.instance_variable_set(
-          '@access_token_generator', access_token_generator
-        )
+      # Opt out of breaking api change to the native authorization code flow.
+      # Opting out sets the authorization code response route for native
+      # redirect uris to oauth/authorize/<code>. The default is
+      # oauth/authorize/native?code=<code>.
+      # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/1143
+      def opt_out_native_route_change
+        @config.instance_variable_set(:@opt_out_native_route_change, true)
       end
     end
 
@@ -133,19 +158,20 @@ doorkeeper.
         attribute_builder = options[:builder_class]
 
         Builder.instance_eval do
+          remove_method name if method_defined?(name)
           define_method name do |*args, &block|
             # TODO: is builder_class option being used?
-            value = unless attribute_builder
-                      block ? block : args.first
-                    else
+            value = if attribute_builder
                       attribute_builder.new(&block).build
+                    else
+                      block ? block : args.first
                     end
 
             @config.instance_variable_set(:"@#{attribute}", value)
           end
         end
 
-        define_method attribute do |*args|
+        define_method attribute do |*_args|
           if instance_variable_defined?(:"@#{attribute}")
             instance_variable_get(:"@#{attribute}")
           else
@@ -155,10 +181,6 @@ doorkeeper.
 
         public attribute
       end
-
-      def extended(base)
-        base.send(:private, :option)
-      end
     end
 
     extend Option
@@ -166,41 +188,91 @@ doorkeeper.
     option :resource_owner_authenticator,
            as: :authenticate_resource_owner,
            default: (lambda do |_routes|
-             logger.warn(I18n.translate('doorkeeper.errors.messages.resource_owner_authenticator_not_configured'))
+             ::Rails.logger.warn(I18n.t('doorkeeper.errors.messages.resource_owner_authenticator_not_configured'))
              nil
            end)
+
     option :admin_authenticator,
            as: :authenticate_admin,
            default: ->(_routes) {}
+
     option :resource_owner_from_credentials,
            default: (lambda do |_routes|
-             warn(I18n.translate('doorkeeper.errors.messages.credential_flow_not_configured'))
+             ::Rails.logger.warn(I18n.t('doorkeeper.errors.messages.credential_flow_not_configured'))
              nil
            end)
-
+    option :before_successful_strategy_response, default: ->(_request) {}
+    option :after_successful_strategy_response,
+           default: ->(_request, _response) {}
     option :skip_authorization,             default: ->(_routes) {}
     option :access_token_expires_in,        default: 7200
-    option :custom_access_token_expires_in, default: lambda { |_app| nil }
+    option :custom_access_token_expires_in, default: ->(_app) { nil }
     option :authorization_code_expires_in,  default: 600
     option :orm,                            default: :active_record
     option :native_redirect_uri,            default: 'urn:ietf:wg:oauth:2.0:oob'
     option :active_record_options,          default: {}
+    option :grant_flows,                    default: %w[authorization_code client_credentials]
+
+    # Allows to forbid specific Application redirect URI's by custom rules.
+    # Doesn't forbid any URI by default.
+    #
+    # @param forbid_redirect_uri [Proc] Block or any object respond to #call
+    #
+    option :forbid_redirect_uri,            default: ->(_uri) { false }
+
+    # WWW-Authenticate Realm (default "Doorkeeper").
+    #
+    # @param realm [String] ("Doorkeeper") Authentication realm
+    #
     option :realm,                          default: 'Doorkeeper'
+
+    # Forces the usage of the HTTPS protocol in non-native redirect uris
+    # (enabled by default in non-development environments). OAuth2
+    # delegates security in communication to the HTTPS protocol so it is
+    # wise to keep this enabled.
+    #
+    # @param [Boolean] boolean_or_block value for the parameter, true by default in
+    # non-development environment
+    #
+    # @yield [uri] Conditional usage of SSL redirect uris.
+    # @yieldparam [URI] Redirect URI
+    # @yieldreturn [Boolean] Indicates necessity of usage of the HTTPS protocol
+    #   in non-native redirect uris
+    #
     option :force_ssl_in_redirect_uri,      default: !Rails.env.development?
-    option :grant_flows,                    default: %w(authorization_code client_credentials)
-    option :access_token_generator,         default: "Doorkeeper::OAuth::Helpers::UniqueToken"
+
+
+    # Use a custom class for generating the access token.
+    # https://github.com/doorkeeper-gem/doorkeeper#custom-access-token-generator
+    #
+    # @param access_token_generator [String]
+    #   the name of the access token generator class
+    #
+    option :access_token_generator,
+           default: 'Doorkeeper::OAuth::Helpers::UniqueToken'
+
+    # The controller Doorkeeper::ApplicationController inherits from.
+    # Defaults to ActionController::Base.
+    # https://github.com/doorkeeper-gem/doorkeeper#custom-base-controller
+    #
+    # @param base_controller [String] the name of the base controller
+    option :base_controller,
+           default: 'ActionController::Base'
 
     attr_reader :reuse_access_token
 
     def refresh_token_enabled?
+      @refresh_token_enabled ||= false
       !!@refresh_token_enabled
     end
 
     def enable_application_owner?
+      @enable_application_owner ||= false
       !!@enable_application_owner
     end
 
     def confirm_application_owner?
+      @confirm_application_owner ||= false
       !!@confirm_application_owner
     end
 
@@ -217,15 +289,11 @@ doorkeeper.
     end
 
     def client_credentials_methods
-      @client_credentials ||= [:from_basic, :from_params]
+      @client_credentials ||= %i[from_basic from_params]
     end
 
     def access_token_methods
-      @access_token_methods ||= [:from_bearer_authorization, :from_access_token_param, :from_bearer_param]
-    end
-
-    def realm
-      @realm ||= 'Doorkeeper'
+      @access_token_methods ||= %i[from_bearer_authorization from_access_token_param from_bearer_param]
     end
 
     def authorization_response_types
@@ -236,6 +304,11 @@ doorkeeper.
       @token_grant_types ||= calculate_token_grant_types
     end
 
+    def native_authorization_code_route
+      @opt_out_native_route_change ||= false
+      @opt_out_native_route_change ? '/:code' : '/native'
+    end
+
     private
 
     # Determines what values are acceptable for 'response_type' param in