doorkeeper 3.1.0 → 4.4.3

data/lib/doorkeeper/engine.rb

@@ -1,13 +1,8 @@
 module Doorkeeper
   class Engine < Rails::Engine
     initializer "doorkeeper.params.filter" do |app|
-      app.config.filter_parameters += [:client_secret, :code, :token]
-    end
-
-    initializer "doorkeeper.locales" do |app|
-      if app.config.i18n.fallbacks.blank?
-        app.config.i18n.fallbacks = [:en]
-      end
+      parameters = %w[client_secret code authentication_token access_token refresh_token]
+      app.config.filter_parameters << /^(#{Regexp.union parameters})$/
     end
 
     initializer "doorkeeper.routes" do
@@ -19,5 +14,14 @@ module Doorkeeper
         include Doorkeeper::Rails::Helpers
       end
     end
+
+    if defined?(Sprockets) && Sprockets::VERSION.chr.to_i >= 4
+      initializer 'doorkeeper.assets.precompile' do |app|
+        app.config.assets.precompile += %w[
+          doorkeeper/application.css
+          doorkeeper/admin/application.css
+        ]
+      end
+    end
   end
 end

data/lib/doorkeeper/errors.rb

@@ -1,21 +1,39 @@
 module Doorkeeper
   module Errors
     class DoorkeeperError < StandardError
+      def type
+        message
+      end
     end
 
     class InvalidAuthorizationStrategy < DoorkeeperError
+      def type
+        :unsupported_response_type
+      end
     end
 
     class InvalidTokenReuse < DoorkeeperError
+      def type
+        :invalid_request
+      end
     end
 
     class InvalidGrantReuse < DoorkeeperError
+      def type
+        :invalid_grant
+      end
     end
 
     class InvalidTokenStrategy < DoorkeeperError
+      def type
+        :unsupported_grant_type
+      end
     end
 
     class MissingRequestStrategy < DoorkeeperError
+      def type
+        :invalid_request
+      end
     end
 
     class UnableToGenerateToken < DoorkeeperError

data/lib/doorkeeper/grape/helpers.rb

@@ -3,12 +3,13 @@ require 'doorkeeper/grape/authorization_decorator'
 module Doorkeeper
   module Grape
     module Helpers
+      # These helpers are for grape >= 0.10
       extend ::Grape::API::Helpers
       include Doorkeeper::Rails::Helpers
 
       # endpoint specific scopes > parameter scopes > default scopes
       def doorkeeper_authorize!(*scopes)
-        endpoint_scopes = env['api.endpoint'].options[:route_options][:scopes]
+        endpoint_scopes = endpoint.route_setting(:scopes) || endpoint.options[:route_options][:scopes]
         scopes = if endpoint_scopes
                    Doorkeeper::OAuth::Scopes.from_array(endpoint_scopes)
                  elsif scopes && !scopes.empty?
@@ -19,18 +20,16 @@ module Doorkeeper
       end
 
       def doorkeeper_render_error_with(error)
-        status_code = case error.status
-                      when :unauthorized
-                        401
-                      when :forbidden
-                        403
-                      end
-
+        status_code = error_status_codes[error.status]
         error!({ error: error.description }, status_code, error.headers)
       end
 
       private
 
+      def endpoint
+        env['api.endpoint']
+      end
+
       def doorkeeper_token
         @_doorkeeper_token ||= OAuth::Token.authenticate(
           decorated_request,
@@ -41,6 +40,13 @@ module Doorkeeper
       def decorated_request
         AuthorizationDecorator.new(request)
       end
+
+      def error_status_codes
+        {
+          unauthorized: 401,
+          forbidden: 403
+        }
+      end
     end
   end
 end

data/lib/doorkeeper/helpers/controller.rb

@@ -1,14 +1,16 @@
+# Define methods that can be called in any controller that inherits from
+# Doorkeeper::ApplicationMetalController or Doorkeeper::ApplicationController
 module Doorkeeper
   module Helpers
     module Controller
-      extend ActiveSupport::Concern
-
       private
 
+      # :doc:
       def authenticate_resource_owner!
         current_resource_owner
       end
 
+      # :doc:
       def current_resource_owner
         instance_eval(&Doorkeeper.configuration.authenticate_resource_owner)
       end
@@ -17,6 +19,7 @@ module Doorkeeper
         instance_eval(&Doorkeeper.configuration.resource_owner_from_credentials)
       end
 
+      # :doc:
       def authenticate_admin!
         instance_eval(&Doorkeeper.configuration.authenticate_admin)
       end
@@ -25,6 +28,7 @@ module Doorkeeper
         @server ||= Server.new(self)
       end
 
+      # :doc:
       def doorkeeper_token
         @token ||= OAuth::Token.authenticate request, *config_methods
       end
@@ -34,27 +38,12 @@ module Doorkeeper
       end
 
       def get_error_response_from_exception(exception)
-        error_name = case exception
-                     when Errors::InvalidTokenStrategy
-                       :unsupported_grant_type
-                     when Errors::InvalidAuthorizationStrategy
-                       :unsupported_response_type
-                     when Errors::MissingRequestStrategy
-                       :invalid_request
-                     when Errors::InvalidTokenReuse
-                       :invalid_request
-                     when Errors::InvalidGrantReuse
-                       :invalid_grant
-                     when Errors::DoorkeeperError
-                       exception.message
-                     end
-
-        OAuth::ErrorResponse.new name: error_name, state: params[:state]
+        OAuth::ErrorResponse.new name: exception.type, state: params[:state]
       end
 
       def handle_token_exception(exception)
         error = get_error_response_from_exception exception
-        self.headers.merge! error.headers
+        headers.merge! error.headers
         self.response_body = error.body.to_json
         self.status        = error.status
       end

data/lib/doorkeeper/models/access_grant_mixin.rb

@@ -6,32 +6,21 @@ module Doorkeeper
     include Models::Expirable
     include Models::Revocable
     include Models::Accessible
+    include Models::Orderable
     include Models::Scopes
-    include ActiveModel::MassAssignmentSecurity if defined?(::ProtectedAttributes)
-
-    included do
-      belongs_to :application, class_name: 'Doorkeeper::Application', inverse_of: :access_grants
-
-      if respond_to?(:attr_accessible)
-        attr_accessible :resource_owner_id, :application_id, :expires_in, :redirect_uri, :scopes
-      end
-
-      validates :resource_owner_id, :application_id, :token, :expires_in, :redirect_uri, presence: true
-      validates :token, uniqueness: true
-
-      before_validation :generate_token, on: :create
-    end
 
     module ClassMethods
+      # Searches for Doorkeeper::AccessGrant record with the
+      # specific token value.
+      #
+      # @param token [#to_s] token value (any object that responds to `#to_s`)
+      #
+      # @return [Doorkeeper::AccessGrant, nil] AccessGrant object or nil
+      #   if there is no record with such token
+      #
       def by_token(token)
-        where(token: token.to_s).limit(1).to_a.first
+        find_by(token: token.to_s)
       end
     end
-
-    private
-
-    def generate_token
-      self.token = UniqueToken.generate
-    end
   end
 end

data/lib/doorkeeper/models/access_token_mixin.rb

@@ -6,46 +6,64 @@ module Doorkeeper
     include Models::Expirable
     include Models::Revocable
     include Models::Accessible
+    include Models::Orderable
     include Models::Scopes
-    include ActiveModel::MassAssignmentSecurity if defined?(::ProtectedAttributes)
-
-    included do
-      belongs_to :application,
-                 class_name: 'Doorkeeper::Application',
-                 inverse_of: :access_tokens
-
-      validates :token, presence: true, uniqueness: true
-      validates :refresh_token, uniqueness: true, if: :use_refresh_token?
-
-      attr_writer :use_refresh_token
-
-      if respond_to?(:attr_accessible)
-        attr_accessible :application_id, :resource_owner_id, :expires_in,
-                        :scopes, :use_refresh_token
-      end
-
-      before_validation :generate_token, on: :create
-      before_validation :generate_refresh_token,
-                        on: :create,
-                        if: :use_refresh_token?
-    end
 
     module ClassMethods
+      # Returns an instance of the Doorkeeper::AccessToken with
+      # specific token value.
+      #
+      # @param token [#to_s]
+      #   token value (any object that responds to `#to_s`)
+      #
+      # @return [Doorkeeper::AccessToken, nil] AccessToken object or nil
+      #   if there is no record with such token
+      #
       def by_token(token)
-        where(token: token.to_s).limit(1).to_a.first
+        find_by(token: token.to_s)
       end
 
+      # Returns an instance of the Doorkeeper::AccessToken
+      # with specific token value.
+      #
+      # @param refresh_token [#to_s]
+      #   refresh token value (any object that responds to `#to_s`)
+      #
+      # @return [Doorkeeper::AccessToken, nil] AccessToken object or nil
+      #   if there is no record with such refresh token
+      #
       def by_refresh_token(refresh_token)
-        where(refresh_token: refresh_token.to_s).first
+        find_by(refresh_token: refresh_token.to_s)
       end
 
-      def revoke_all_for(application_id, resource_owner)
+      # Revokes AccessToken records that have not been revoked and associated
+      # with the specific Application and Resource Owner.
+      #
+      # @param application_id [Integer]
+      #   ID of the Application
+      # @param resource_owner [ActiveRecord::Base]
+      #   instance of the Resource Owner model
+      #
+      def revoke_all_for(application_id, resource_owner, clock = Time)
         where(application_id: application_id,
               resource_owner_id: resource_owner.id,
               revoked_at: nil).
-          map(&:revoke)
+          update_all(revoked_at: clock.now.utc)
       end
 
+      # Looking for not expired Access Token with a matching set of scopes
+      # that belongs to specific Application and Resource Owner.
+      #
+      # @param application [Doorkeeper::Application]
+      #   Application instance
+      # @param resource_owner_or_id [ActiveRecord::Base, Integer]
+      #   Resource Owner model instance or it's ID
+      # @param scopes [String, Doorkeeper::OAuth::Scopes]
+      #   set of scopes
+      #
+      # @return [Doorkeeper::AccessToken, nil] Access Token instance or
+      #   nil if matching record was not found
+      #
       def matching_token_for(application, resource_owner_or_id, scopes)
         resource_owner_id = if resource_owner_or_id.respond_to?(:to_key)
                               resource_owner_or_id.id
@@ -58,6 +76,19 @@ module Doorkeeper
         end
       end
 
+      # Checks whether the token scopes match the scopes from the parameters or
+      # Application scopes (if present).
+      #
+      # @param token_scopes [#to_s]
+      #   set of scopes (any object that responds to `#to_s`)
+      # @param param_scopes [String]
+      #   scopes from params
+      # @param app_scopes [String]
+      #   Application scopes
+      #
+      # @return [Boolean] true if all scopes are blank or matches
+      #   and false in other cases
+      #
       def scopes_match?(token_scopes, param_scopes, app_scopes)
         (!token_scopes.present? && !param_scopes.present?) ||
           Doorkeeper::OAuth::Helpers::ScopeChecker.match?(
@@ -67,6 +98,23 @@ module Doorkeeper
           )
       end
 
+      # Looking for not expired AccessToken record with a matching set of
+      # scopes that belongs to specific Application and Resource Owner.
+      # If it doesn't exists - then creates it.
+      #
+      # @param application [Doorkeeper::Application]
+      #   Application instance
+      # @param resource_owner_id [ActiveRecord::Base, Integer]
+      #   Resource Owner model instance or it's ID
+      # @param scopes [#to_s]
+      #   set of scopes (any object that responds to `#to_s`)
+      # @param expires_in [Integer]
+      #   token lifetime in seconds
+      # @param use_refresh_token [Boolean]
+      #   whether to use the refresh token
+      #
+      # @return [Doorkeeper::AccessToken] existing record or a new one
+      #
       def find_or_create_for(application, resource_owner_id, scopes, expires_in, use_refresh_token)
         if Doorkeeper.configuration.reuse_access_token
           access_token = matching_token_for(application, resource_owner_id, scopes)
@@ -74,6 +122,7 @@ module Doorkeeper
             return access_token
           end
         end
+
         create!(
           application_id:    application.try(:id),
           resource_owner_id: resource_owner_id,
@@ -83,60 +132,115 @@ module Doorkeeper
         )
       end
 
+      # Looking for not revoked Access Token record that belongs to specific
+      # Application and Resource Owner.
+      #
+      # @param application_id [Integer]
+      #   ID of the Application model instance
+      # @param resource_owner_id [Integer]
+      #   ID of the Resource Owner model instance
+      #
+      # @return [Doorkeeper::AccessToken, nil] matching AccessToken object or
+      #   nil if nothing was found
+      #
       def last_authorized_token_for(application_id, resource_owner_id)
-        where(application_id: application_id,
-              resource_owner_id: resource_owner_id,
-              revoked_at: nil).
-          send(order_method, created_at_desc).
-          limit(1).
-          to_a.
-          first
+        ordered_by(:created_at, :desc).
+          find_by(application_id: application_id,
+                  resource_owner_id: resource_owner_id,
+                  revoked_at: nil)
       end
     end
 
+    # Access Token type: Bearer.
+    # @see https://tools.ietf.org/html/rfc6750
+    #   The OAuth 2.0 Authorization Framework: Bearer Token Usage
+    #
     def token_type
-      'bearer'
+      'Bearer'
     end
 
     def use_refresh_token?
+      @use_refresh_token ||= false
       !!@use_refresh_token
     end
 
+    # JSON representation of the Access Token instance.
+    #
+    # @return [Hash] hash with token data
     def as_json(_options = {})
       {
         resource_owner_id:  resource_owner_id,
         scopes:             scopes,
         expires_in_seconds: expires_in_seconds,
         application:        { uid: application.try(:uid) },
-        created_at:         created_at.to_i,
+        created_at:         created_at.to_i
       }
     end
 
-    # It indicates whether the tokens have the same credential
+    # Indicates whether the token instance have the same credential
+    # as the other Access Token.
+    #
+    # @param access_token [Doorkeeper::AccessToken] other token
+    #
+    # @return [Boolean] true if credentials are same of false in other cases
+    #
     def same_credential?(access_token)
       application_id == access_token.application_id &&
         resource_owner_id == access_token.resource_owner_id
     end
 
+    # Indicates if token is acceptable for specific scopes.
+    #
+    # @param scopes [Array<String>] scopes
+    #
+    # @return [Boolean] true if record is accessible and includes scopes or
+    #   false in other cases
+    #
     def acceptable?(scopes)
       accessible? && includes_scope?(*scopes)
     end
 
     private
 
+    # Generates refresh token with UniqueToken generator.
+    #
+    # @return [String] refresh token value
+    #
     def generate_refresh_token
-      write_attribute :refresh_token, UniqueToken.generate
+      self.refresh_token = UniqueToken.generate
     end
 
+    # Generates and sets the token value with the
+    # configured Generator class (see Doorkeeper.configuration).
+    #
+    # @return [String] generated token value
+    #
+    # @raise [Doorkeeper::Errors::UnableToGenerateToken]
+    #   custom class doesn't implement .generate method
+    # @raise [Doorkeeper::Errors::TokenGeneratorNotFound]
+    #   custom class doesn't exist
+    #
     def generate_token
-      generator = Doorkeeper.configuration.access_token_generator.constantize
-      self.token = generator.generate(resource_owner_id: resource_owner_id,
-                                      scopes: scopes, application: application,
-                                      expires_in: expires_in)
-    rescue NoMethodError
+      self.created_at ||= Time.now.utc
+
+      self.token = token_generator.generate(
+        resource_owner_id: resource_owner_id,
+        scopes: scopes,
+        application: application,
+        expires_in: expires_in,
+        created_at: created_at
+      )
+    end
+
+    def token_generator
+      generator_name = Doorkeeper.configuration.access_token_generator
+      generator = generator_name.constantize
+
+      return generator if generator.respond_to?(:generate)
+
       raise Errors::UnableToGenerateToken, "#{generator} does not respond to `.generate`."
     rescue NameError
-      raise Errors::TokenGeneratorNotFound, "#{generator} not found"
+      raise Errors::TokenGeneratorNotFound, "#{generator_name} not found"
     end
   end
 end

data/lib/doorkeeper/models/application_mixin.rb

@@ -3,51 +3,49 @@ module Doorkeeper
     extend ActiveSupport::Concern
 
     include OAuth::Helpers
+    include Models::Orderable
     include Models::Scopes
-    include ActiveModel::MassAssignmentSecurity if defined?(::ProtectedAttributes)
-
-    included do
-      has_many :access_grants, dependent: :destroy, class_name: 'Doorkeeper::AccessGrant'
-      has_many :access_tokens, dependent: :destroy, class_name: 'Doorkeeper::AccessToken'
-
-      validates :name, :secret, :uid, presence: true
-      validates :uid, uniqueness: true
-      validates :redirect_uri, redirect_uri: true
-
-      before_validation :generate_uid, :generate_secret, on: :create
-
-      if respond_to?(:attr_accessible)
-        attr_accessible :name, :redirect_uri, :scopes
-      end
-    end
 
     module ClassMethods
+      # Returns an instance of the Doorkeeper::Application with
+      # specific UID and secret.
+      #
+      # Public/Non-confidential applications will only find by uid if secret is
+      # blank.
+      #
+      # @param uid [#to_s] UID (any object that responds to `#to_s`)
+      # @param secret [#to_s] secret (any object that responds to `#to_s`)
+      #
+      # @return [Doorkeeper::Application, nil] Application instance or nil
+      #   if there is no record with such credentials
+      #
       def by_uid_and_secret(uid, secret)
-        where(uid: uid.to_s, secret: secret.to_s).limit(1).to_a.first
+        app = by_uid(uid)
+        return unless app
+        return app if secret.blank? && !app.confidential?
+        return unless app.secret == secret
+        app
       end
 
+      # Returns an instance of the Doorkeeper::Application with specific UID.
+      #
+      # @param uid [#to_s] UID (any object that responds to `#to_s`)
+      #
+      # @return [Doorkeeper::Application, nil] Application instance or nil
+      #   if there is no record with such UID
+      #
       def by_uid(uid)
-        where(uid: uid.to_s).limit(1).to_a.first
+        find_by(uid: uid.to_s)
       end
     end
 
-    private
-
-    def has_scopes?
-      Doorkeeper.configuration.orm != :active_record ||
-        Application.new.attributes.include?("scopes")
-    end
-
-    def generate_uid
-      if uid.blank?
-        self.uid = UniqueToken.generate
-      end
-    end
-
-    def generate_secret
-      if secret.blank?
-        self.secret = UniqueToken.generate
-      end
+    # Set an application's valid redirect URIs.
+    #
+    # @param uris [String, Array] Newline-separated string or array the URI(s)
+    #
+    # @return [String] The redirect URI(s) seperated by newlines.
+    def redirect_uri=(uris)
+      super(uris.is_a?(Array) ? uris.join("\n") : uris)
     end
   end
 end

data/lib/doorkeeper/models/concerns/accessible.rb

@@ -1,6 +1,10 @@
 module Doorkeeper
   module Models
     module Accessible
+      # Indicates whether the object is accessible (not expired and not revoked).
+      #
+      # @return [Boolean] true if object accessible or false in other case
+      #
       def accessible?
         !expired? && !revoked?
       end

data/lib/doorkeeper/models/concerns/expirable.rb

@@ -1,20 +1,30 @@
 module Doorkeeper
   module Models
     module Expirable
+      # Indicates whether the object is expired (`#expires_in` present and
+      # expiration time has come).
+      #
+      # @return [Boolean] true if object expired and false in other case
       def expired?
-        expires_in && Time.now > expired_time
+        expires_in && Time.now.utc > expires_at
       end
 
+      # Calculates expiration time in seconds.
+      #
+      # @return [Integer, nil] number of seconds if object has expiration time
+      #   or nil if object never expires.
       def expires_in_seconds
         return nil if expires_in.nil?
-        expires = (created_at + expires_in.seconds) - Time.now
+        expires = expires_at - Time.now.utc
         expires_sec = expires.seconds.round(0)
         expires_sec > 0 ? expires_sec : 0
       end
 
-      private
-
-      def expired_time
+      # Expiration time (date time of creation + TTL).
+      #
+      # @return [Time] expiration time in UTC
+      #
+      def expires_at
         created_at + expires_in.seconds
       end
     end

data/lib/doorkeeper/models/concerns/orderable.rb

@@ -0,0 +1,13 @@
+module Doorkeeper
+  module Models
+    module Orderable
+      extend ActiveSupport::Concern
+
+      module ClassMethods
+        def ordered_by(attribute, direction = :asc)
+          order(attribute => direction)
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/models/concerns/ownership.rb

@@ -4,7 +4,12 @@ module Doorkeeper
       extend ActiveSupport::Concern
 
       included do
-        belongs_to :owner, polymorphic: true
+        belongs_to_options = { polymorphic: true }
+        if defined?(ActiveRecord::Base) && ActiveRecord::VERSION::MAJOR >= 5
+          belongs_to_options[:optional] = true
+        end
+
+        belongs_to :owner, belongs_to_options
         validates :owner, presence: true, if: :validate_owner?
       end