RubyGems - doorkeeper - Versions diffs - 3.1.0 → 4.4.3 - Mend

doorkeeper 3.1.0 → 4.4.3

Potentially problematic release.

This version of doorkeeper might be problematic. Click here for more details.

Files changed (195) hide show

checksums.yaml +4 -4
data/.coveralls.yml +1 -0
data/.github/ISSUE_TEMPLATE.md +25 -0
data/.github/PULL_REQUEST_TEMPLATE.md +17 -0
data/.gitignore +6 -1
data/.hound.yml +2 -13
data/.rubocop.yml +17 -0
data/.travis.yml +26 -10
data/Appraisals +18 -0
data/CODE_OF_CONDUCT.md +46 -0
data/CONTRIBUTING.md +2 -0
data/Gemfile +5 -5
data/NEWS.md +141 -2
data/README.md +149 -66
data/RELEASING.md +5 -12
data/Rakefile +1 -1
data/SECURITY.md +15 -0
data/app/controllers/doorkeeper/application_controller.rb +4 -6
data/app/controllers/doorkeeper/application_metal_controller.rb +3 -2
data/app/controllers/doorkeeper/applications_controller.rb +18 -8
data/app/controllers/doorkeeper/authorizations_controller.rb +1 -1
data/app/controllers/doorkeeper/authorized_applications_controller.rb +1 -1
data/app/controllers/doorkeeper/tokens_controller.rb +62 -15
data/app/helpers/doorkeeper/dashboard_helper.rb +14 -10
data/app/validators/redirect_uri_validator.rb +12 -2
data/app/views/doorkeeper/applications/_delete_form.html.erb +1 -2
data/app/views/doorkeeper/applications/_form.html.erb +13 -2
data/app/views/doorkeeper/applications/index.html.erb +2 -0
data/app/views/doorkeeper/applications/show.html.erb +4 -1
data/app/views/doorkeeper/authorizations/new.html.erb +1 -1
data/app/views/doorkeeper/authorized_applications/_delete_form.html.erb +1 -2
data/app/views/doorkeeper/authorized_applications/index.html.erb +0 -1
data/app/views/layouts/doorkeeper/admin.html.erb +1 -1
data/config/locales/en.yml +12 -7
data/doorkeeper.gemspec +16 -11
data/gemfiles/rails_4_2.gemfile +13 -0
data/gemfiles/rails_5_0.gemfile +12 -0
data/gemfiles/rails_5_1.gemfile +12 -0
data/gemfiles/rails_5_2.gemfile +12 -0
data/gemfiles/rails_master.gemfile +14 -0
data/lib/doorkeeper/config.rb +119 -46
data/lib/doorkeeper/engine.rb +11 -7
data/lib/doorkeeper/errors.rb +18 -0
data/lib/doorkeeper/grape/helpers.rb +14 -8
data/lib/doorkeeper/helpers/controller.rb +8 -19
data/lib/doorkeeper/models/access_grant_mixin.rb +10 -21
data/lib/doorkeeper/models/access_token_mixin.rb +147 -43
data/lib/doorkeeper/models/application_mixin.rb +33 -35
data/lib/doorkeeper/models/concerns/accessible.rb +4 -0
data/lib/doorkeeper/models/concerns/expirable.rb +15 -5
data/lib/doorkeeper/models/concerns/orderable.rb +13 -0
data/lib/doorkeeper/models/concerns/ownership.rb +6 -1
data/lib/doorkeeper/models/concerns/revocable.rb +37 -2
data/lib/doorkeeper/oauth/authorization/token.rb +22 -18
data/lib/doorkeeper/oauth/authorization/uri_builder.rb +20 -18
data/lib/doorkeeper/oauth/authorization_code_request.rb +7 -5
data/lib/doorkeeper/oauth/{request_concern.rb → base_request.rb} +9 -2
data/lib/doorkeeper/oauth/base_response.rb +29 -0
data/lib/doorkeeper/oauth/client/credentials.rb +21 -8
data/lib/doorkeeper/oauth/client.rb +2 -3
data/lib/doorkeeper/oauth/client_credentials/creator.rb +1 -1
data/lib/doorkeeper/oauth/client_credentials/issuer.rb +3 -2
data/lib/doorkeeper/oauth/client_credentials/validation.rb +1 -1
data/lib/doorkeeper/oauth/client_credentials_request.rb +8 -8
data/lib/doorkeeper/oauth/code_response.rb +16 -16
data/lib/doorkeeper/oauth/error.rb +2 -2
data/lib/doorkeeper/oauth/error_response.rb +10 -10
data/lib/doorkeeper/oauth/forbidden_token_response.rb +1 -1
data/lib/doorkeeper/oauth/helpers/scope_checker.rb +1 -1
data/lib/doorkeeper/oauth/helpers/uri_checker.rb +17 -1
data/lib/doorkeeper/oauth/invalid_token_response.rb +5 -4
data/lib/doorkeeper/oauth/password_access_token_request.rb +8 -13
data/lib/doorkeeper/oauth/pre_authorization.rb +5 -3
data/lib/doorkeeper/oauth/refresh_token_request.rb +23 -14
data/lib/doorkeeper/oauth/scopes.rb +18 -8
data/lib/doorkeeper/oauth/token.rb +20 -21
data/lib/doorkeeper/oauth/token_introspection.rb +128 -0
data/lib/doorkeeper/oauth/token_request.rb +1 -2
data/lib/doorkeeper/oauth/token_response.rb +1 -1
data/lib/doorkeeper/orm/active_record/access_grant.rb +27 -0
data/lib/doorkeeper/orm/active_record/access_token.rb +34 -8
data/lib/doorkeeper/orm/active_record/application.rb +48 -11
data/lib/doorkeeper/orm/active_record.rb +17 -22
data/lib/doorkeeper/rails/helpers.rb +6 -9
data/lib/doorkeeper/rails/routes/mapper.rb +4 -4
data/lib/doorkeeper/rails/routes/mapping.rb +1 -1
data/lib/doorkeeper/rails/routes.rb +17 -11
data/lib/doorkeeper/request/authorization_code.rb +7 -1
data/lib/doorkeeper/request/password.rb +2 -2
data/lib/doorkeeper/request/refresh_token.rb +1 -1
data/lib/doorkeeper/request.rb +7 -1
data/lib/doorkeeper/server.rb +0 -8
data/lib/doorkeeper/validations.rb +3 -2
data/lib/doorkeeper/version.rb +34 -1
data/lib/doorkeeper.rb +10 -2
data/lib/generators/doorkeeper/add_client_confidentiality_generator.rb +31 -0
data/lib/generators/doorkeeper/application_owner_generator.rb +11 -2
data/lib/generators/doorkeeper/migration_generator.rb +13 -1
data/lib/generators/doorkeeper/previous_refresh_token_generator.rb +35 -0
data/lib/generators/doorkeeper/templates/add_confidential_to_application_migration.rb.erb +11 -0
data/{spec/dummy/db/migrate/20130902175349_add_owner_to_application.rb → lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb} +1 -1
data/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb.erb +11 -0
data/lib/generators/doorkeeper/templates/initializer.rb +38 -6
data/lib/generators/doorkeeper/templates/migration.rb.erb +69 -0
data/spec/controllers/application_metal_controller.rb +10 -0
data/spec/controllers/applications_controller_spec.rb +15 -4
data/spec/controllers/authorizations_controller_spec.rb +74 -27
data/spec/controllers/protected_resources_controller_spec.rb +70 -32
data/spec/controllers/token_info_controller_spec.rb +17 -13
data/spec/controllers/tokens_controller_spec.rb +198 -12
data/spec/dummy/app/controllers/full_protected_resources_controller.rb +4 -4
data/spec/dummy/app/controllers/home_controller.rb +1 -1
data/spec/dummy/app/controllers/metal_controller.rb +1 -1
data/spec/dummy/app/controllers/semi_protected_resources_controller.rb +3 -3
data/spec/dummy/app/models/user.rb +0 -4
data/spec/dummy/config/application.rb +2 -36
data/spec/dummy/config/environment.rb +1 -1
data/spec/dummy/config/environments/test.rb +4 -15
data/spec/dummy/config/initializers/doorkeeper.rb +19 -3
data/spec/dummy/config/initializers/new_framework_defaults.rb +6 -0
data/spec/dummy/config/initializers/secret_token.rb +0 -1
data/spec/dummy/db/migrate/20111122132257_create_users.rb +3 -1
data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb +3 -1
data/{lib/generators/doorkeeper/templates/migration.rb → spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb} +16 -4
data/{lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb → spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb} +4 -2
data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb +13 -0
data/spec/dummy/db/migrate/20180210183654_add_confidential_to_application.rb +13 -0
data/spec/dummy/db/schema.rb +24 -22
data/spec/factories.rb +4 -2
data/spec/generators/application_owner_generator_spec.rb +24 -5
data/spec/generators/migration_generator_spec.rb +24 -3
data/spec/generators/previous_refresh_token_generator_spec.rb +57 -0
data/spec/grape/grape_integration_spec.rb +135 -0
data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +1 -1
data/spec/lib/config_spec.rb +159 -14
data/spec/lib/doorkeeper_spec.rb +135 -13
data/spec/lib/models/expirable_spec.rb +0 -1
data/spec/lib/models/revocable_spec.rb +27 -4
data/spec/lib/oauth/authorization/uri_builder_spec.rb +1 -2
data/spec/lib/oauth/authorization_code_request_spec.rb +55 -12
data/spec/lib/oauth/base_request_spec.rb +155 -0
data/spec/lib/oauth/base_response_spec.rb +45 -0
data/spec/lib/oauth/client/credentials_spec.rb +45 -2
data/spec/lib/oauth/client_credentials/creator_spec.rb +1 -1
data/spec/lib/oauth/client_credentials_integration_spec.rb +1 -1
data/spec/lib/oauth/client_credentials_request_spec.rb +1 -0
data/spec/lib/oauth/code_request_spec.rb +1 -3
data/spec/lib/oauth/code_response_spec.rb +34 -0
data/spec/lib/oauth/error_response_spec.rb +9 -9
data/spec/lib/oauth/error_spec.rb +1 -1
data/spec/lib/oauth/helpers/uri_checker_spec.rb +115 -1
data/spec/lib/oauth/invalid_token_response_spec.rb +36 -8
data/spec/lib/oauth/password_access_token_request_spec.rb +14 -8
data/spec/lib/oauth/pre_authorization_spec.rb +12 -7
data/spec/lib/oauth/refresh_token_request_spec.rb +52 -9
data/spec/lib/oauth/scopes_spec.rb +28 -2
data/spec/lib/oauth/token_request_spec.rb +6 -8
data/spec/lib/oauth/token_spec.rb +12 -5
data/spec/lib/server_spec.rb +10 -3
data/spec/models/doorkeeper/access_grant_spec.rb +1 -1
data/spec/models/doorkeeper/access_token_spec.rb +116 -48
data/spec/models/doorkeeper/application_spec.rb +145 -29
data/spec/requests/applications/applications_request_spec.rb +5 -5
data/spec/requests/endpoints/authorization_spec.rb +5 -6
data/spec/requests/endpoints/token_spec.rb +8 -1
data/spec/requests/flows/authorization_code_errors_spec.rb +11 -1
data/spec/requests/flows/authorization_code_spec.rb +6 -13
data/spec/requests/flows/client_credentials_spec.rb +29 -1
data/spec/requests/flows/implicit_grant_errors_spec.rb +2 -2
data/spec/requests/flows/password_spec.rb +118 -15
data/spec/requests/flows/refresh_token_spec.rb +89 -19
data/spec/requests/flows/revoke_token_spec.rb +105 -91
data/spec/requests/protected_resources/metal_spec.rb +1 -1
data/spec/requests/protected_resources/private_api_spec.rb +1 -1
data/spec/routing/custom_controller_routes_spec.rb +4 -0
data/spec/routing/default_routes_spec.rb +5 -1
data/spec/spec_helper.rb +2 -0
data/spec/spec_helper_integration.rb +22 -4
data/spec/support/dependencies/factory_girl.rb +2 -2
data/spec/support/helpers/access_token_request_helper.rb +1 -1
data/spec/support/helpers/model_helper.rb +34 -7
data/spec/support/helpers/request_spec_helper.rb +17 -5
data/spec/support/helpers/url_helper.rb +9 -8
data/spec/support/http_method_shim.rb +38 -0
data/spec/support/shared/controllers_shared_context.rb +15 -10
data/spec/support/shared/models_shared_examples.rb +5 -5
data/spec/validators/redirect_uri_validator_spec.rb +51 -6
data/spec/version/version_spec.rb +15 -0
metadata +128 -46
data/lib/doorkeeper/oauth/client/methods.rb +0 -18
data/lib/generators/doorkeeper/application_scopes_generator.rb +0 -34
data/lib/generators/doorkeeper/templates/add_scopes_to_oauth_applications.rb +0 -5
data/spec/dummy/db/migrate/20130902165751_create_doorkeeper_tables.rb +0 -41
data/spec/dummy/db/migrate/20141209001746_add_scopes_to_oauth_applications.rb +0 -5
data/spec/lib/oauth/client/methods_spec.rb +0 -54

data/lib/doorkeeper/rails/routes.rb CHANGED Viewed

@@ -3,9 +3,8 @@ require 'doorkeeper/rails/routes/mapper'
 module Doorkeeper
   module Rails
-    class Routes
+    class Routes # :nodoc:
       module Helper
-        # TODO: options hash is not being used
         def use_doorkeeper(options = {}, &block)
           Doorkeeper::Rails::Routes.new(self, &block).generate_routes!(options)
         end
@@ -15,18 +14,19 @@ module Doorkeeper
         ActionDispatch::Routing::Mapper.send :include, Doorkeeper::Rails::Routes::Helper
       end
-      attr_accessor :routes
+      attr_reader :routes
       def initialize(routes, &block)
-        @routes, @block = routes, block
+        @routes = routes
+        @mapping = Mapper.new.map(&block)
       end
       def generate_routes!(options)
-        @mapping = Mapper.new.map(&@block)
         routes.scope options[:scope] || 'oauth', as: 'oauth' do
           map_route(:authorizations, :authorization_routes)
           map_route(:tokens, :token_routes)
           map_route(:tokens, :revoke_routes)
+          map_route(:tokens, :introspect_routes)
           map_route(:applications, :application_routes)
           map_route(:authorized_applications, :authorized_applications_routes)
           map_route(:token_info, :token_info_routes)
@@ -36,20 +36,18 @@ module Doorkeeper
       private
       def map_route(name, method)
-        unless @mapping.skipped?(name)
-          send method, @mapping[name]
-        end
+        send(method, @mapping[name]) unless @mapping.skipped?(name)
       end
       def authorization_routes(mapping)
         routes.resource(
           :authorization,
           path: 'authorize',
-          only: [:create, :destroy],
+          only: %i[create destroy],
           as: mapping[:as],
           controller: mapping[:controllers]
         ) do
-          routes.get '/:code', action: :show, on: :member
+          routes.get native_authorization_code_route, action: :show, on: :member
           routes.get '/', action: :new, on: :member
         end
       end
@@ -67,6 +65,10 @@ module Doorkeeper
         routes.post 'revoke', controller: mapping[:controllers], action: :revoke
       end
+      def introspect_routes(mapping)
+        routes.post 'introspect', controller: mapping[:controllers], action: :introspect
+      end
       def token_info_routes(mapping)
         routes.resource(
           :token_info,
@@ -81,7 +83,11 @@ module Doorkeeper
       end
       def authorized_applications_routes(mapping)
-        routes.resources :authorized_applications, only: [:index, :destroy], controller: mapping[:controllers]
+        routes.resources :authorized_applications, only: %i[index destroy], controller: mapping[:controllers]
+      end
+      def native_authorization_code_route
+        Doorkeeper.configuration.native_authorization_code_route
       end
     end
   end

data/lib/doorkeeper/request/authorization_code.rb CHANGED Viewed

@@ -3,7 +3,7 @@ require 'doorkeeper/request/strategy'
 module Doorkeeper
   module Request
     class AuthorizationCode < Strategy
-      delegate :grant, :client, :parameters, to: :server
+      delegate :client, :parameters, to: :server
       def request
         @request ||= OAuth::AuthorizationCodeRequest.new(
@@ -13,6 +13,12 @@ module Doorkeeper
           parameters
         )
       end
+      private
+      def grant
+        AccessGrant.by_token(parameters[:code])
+      end
     end
   end
 end

data/lib/doorkeeper/request/password.rb CHANGED Viewed

@@ -3,12 +3,12 @@ require 'doorkeeper/request/strategy'
 module Doorkeeper
   module Request
     class Password < Strategy
-      delegate :credentials, :resource_owner, :parameters, to: :server
+      delegate :credentials, :resource_owner, :parameters, :client, to: :server
       def request
         @request ||= OAuth::PasswordAccessTokenRequest.new(
           Doorkeeper.configuration,
-          credentials,
+          client,
           resource_owner,
           parameters
         )

data/lib/doorkeeper/request/refresh_token.rb CHANGED Viewed

@@ -6,7 +6,7 @@ module Doorkeeper
       delegate :credentials, :parameters, to: :server
       def refresh_token
-        server.current_refresh_token
+        AccessToken.by_refresh_token(parameters[:refresh_token])
       end
       def request

data/lib/doorkeeper/request.rb CHANGED Viewed

@@ -24,7 +24,7 @@ module Doorkeeper
     def get_strategy(grant_or_request_type, available)
       fail Errors::MissingRequestStrategy unless grant_or_request_type.present?
       fail NameError unless available.include?(grant_or_request_type.to_s)
-      "Doorkeeper::Request::#{grant_or_request_type.to_s.camelize}".constantize
+      strategy_class(grant_or_request_type)
     end
     def authorization_response_types
@@ -36,5 +36,11 @@ module Doorkeeper
       Doorkeeper.configuration.token_grant_types
     end
     private_class_method :token_grant_types
+    def strategy_class(grant_or_request_type)
+      strategy_class_name = grant_or_request_type.to_s.tr(' ', '_').camelize
+      "Doorkeeper::Request::#{strategy_class_name}".constantize
+    end
+    private_class_method :strategy_class
   end
 end

data/lib/doorkeeper/server.rb CHANGED Viewed

@@ -33,14 +33,6 @@ module Doorkeeper
       context.send :current_resource_owner
     end
-    def current_refresh_token
-      AccessToken.by_refresh_token(parameters[:refresh_token])
-    end
-    def grant
-      AccessGrant.by_token(parameters[:code])
-    end
     # TODO: Use configuration and evaluate proper context on block
     def resource_owner
       context.send :resource_owner_from_credentials

data/lib/doorkeeper/validations.rb CHANGED Viewed

@@ -6,9 +6,10 @@ module Doorkeeper
     def validate
       @error = nil
       self.class.validations.each do |validation|
+        @error = validation[:options][:error] unless send("validate_#{validation[:attribute]}")
         break if @error
-        @error = validation.last unless send("validate_#{validation.first}")
       end
     end
@@ -19,7 +20,7 @@ module Doorkeeper
     module ClassMethods
       def validate(attribute, options = {})
-        validations << [attribute, options[:error]]
+        validations << { attribute: attribute, options: options }
       end
       def validations

data/lib/doorkeeper/version.rb CHANGED Viewed

@@ -1,3 +1,36 @@
 module Doorkeeper
-  VERSION = "3.1.0"
+  CVE_2018_1000211_WARNING = <<-HEREDOC.freeze
+  WARNING: This is a security release that addresses token revocation not working for public apps (CVE-2018-1000211)
+  There is no breaking change in this release, however to take advantage of the security fix you must:
+    1. Run `rails generate doorkeeper:add_client_confidentiality` for the migration
+    2. Review your OAuth apps and determine which ones exclusively use public grant flows (eg implicit)
+    3. Update their `confidential` column to `false` for those public apps
+  This is a backported security release.
+  For more information:
+    * https://github.com/doorkeeper-gem/doorkeeper/pull/1119
+    * https://github.com/doorkeeper-gem/doorkeeper/issues/891
+HEREDOC
+  def self.gem_version
+    Gem::Version.new VERSION::STRING
+  end
+  module VERSION
+    # Semantic versioning
+    MAJOR = 4
+    MINOR = 4
+    TINY = 3
+    # Full version number
+    STRING = [MAJOR, MINOR, TINY].compact.join('.')
+  end
 end

data/lib/doorkeeper.rb CHANGED Viewed

@@ -16,11 +16,12 @@ require 'doorkeeper/oauth/helpers/unique_token'
 require 'doorkeeper/oauth/scopes'
 require 'doorkeeper/oauth/error'
+require 'doorkeeper/oauth/base_response'
 require 'doorkeeper/oauth/code_response'
 require 'doorkeeper/oauth/token_response'
 require 'doorkeeper/oauth/error_response'
 require 'doorkeeper/oauth/pre_authorization'
-require 'doorkeeper/oauth/request_concern'
+require 'doorkeeper/oauth/base_request'
 require 'doorkeeper/oauth/authorization_code_request'
 require 'doorkeeper/oauth/refresh_token_request'
 require 'doorkeeper/oauth/password_access_token_request'
@@ -29,9 +30,11 @@ require 'doorkeeper/oauth/code_request'
 require 'doorkeeper/oauth/token_request'
 require 'doorkeeper/oauth/client'
 require 'doorkeeper/oauth/token'
+require 'doorkeeper/oauth/token_introspection'
 require 'doorkeeper/oauth/invalid_token_response'
 require 'doorkeeper/oauth/forbidden_token_response'
+require 'doorkeeper/models/concerns/orderable'
 require 'doorkeeper/models/concerns/scopes'
 require 'doorkeeper/models/concerns/expirable'
 require 'doorkeeper/models/concerns/revocable'
@@ -48,16 +51,21 @@ require 'doorkeeper/rails/helpers'
 require 'doorkeeper/orm/active_record'
+require 'active_support/deprecation'
 module Doorkeeper
   def self.configured?
+    ActiveSupport::Deprecation.warn "Method `Doorkeeper#configured?` has been deprecated without replacement."
     @config.present?
   end
   def self.database_installed?
-    [AccessToken, AccessGrant, Application].all? { |model| model.table_exists? }
+    ActiveSupport::Deprecation.warn "Method `Doorkeeper#database_installed?` has been deprecated without replacement."
+    [AccessToken, AccessGrant, Application].all?(&:table_exists?)
   end
   def self.installed?
+    ActiveSupport::Deprecation.warn "Method `Doorkeeper#installed?` has been deprecated without replacement."
     configured? && database_installed?
   end

data/lib/generators/doorkeeper/add_client_confidentiality_generator.rb ADDED Viewed

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+require 'rails/generators/active_record'
+module Doorkeeper
+  class AddClientConfidentialityGenerator < ::Rails::Generators::Base
+    include ::Rails::Generators::Migration
+    source_root File.expand_path('templates', __dir__)
+    desc 'Adds a migration to fix CVE-2018-1000211.'
+    def install
+      migration_template(
+        'add_confidential_to_application_migration.rb.erb',
+        'db/migrate/add_confidential_to_doorkeeper_application.rb',
+        migration_version: migration_version
+      )
+    end
+    def self.next_migration_number(dirname)
+      ::ActiveRecord::Generators::Base.next_migration_number(dirname)
+    end
+    private
+    def migration_version
+      if ::ActiveRecord::VERSION::MAJOR >= 5
+        "[#{::ActiveRecord::VERSION::MAJOR}.#{::ActiveRecord::VERSION::MINOR}]"
+      end
+    end
+  end
+end

data/lib/generators/doorkeeper/application_owner_generator.rb CHANGED Viewed

@@ -7,12 +7,21 @@ class Doorkeeper::ApplicationOwnerGenerator < Rails::Generators::Base
   def application_owner
     migration_template(
-      'add_owner_to_application_migration.rb',
-      'db/migrate/add_owner_to_application.rb'
+      'add_owner_to_application_migration.rb.erb',
+      'db/migrate/add_owner_to_application.rb',
+      migration_version: migration_version
     )
   end
   def self.next_migration_number(dirname)
     ActiveRecord::Generators::Base.next_migration_number(dirname)
   end
+  private
+  def migration_version
+    if ActiveRecord::VERSION::MAJOR >= 5
+      "[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
+    end
+  end
 end

data/lib/generators/doorkeeper/migration_generator.rb CHANGED Viewed

@@ -6,10 +6,22 @@ class Doorkeeper::MigrationGenerator < ::Rails::Generators::Base
   desc 'Installs Doorkeeper migration file.'
   def install
-    migration_template 'migration.rb', 'db/migrate/create_doorkeeper_tables.rb'
+    migration_template(
+      'migration.rb.erb',
+      'db/migrate/create_doorkeeper_tables.rb',
+      migration_version: migration_version
+    )
   end
   def self.next_migration_number(dirname)
     ActiveRecord::Generators::Base.next_migration_number(dirname)
   end
+  private
+  def migration_version
+    if ActiveRecord::VERSION::MAJOR >= 5
+      "[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
+    end
+  end
 end

data/lib/generators/doorkeeper/previous_refresh_token_generator.rb ADDED Viewed

@@ -0,0 +1,35 @@
+require 'rails/generators/active_record'
+class Doorkeeper::PreviousRefreshTokenGenerator < Rails::Generators::Base
+  include Rails::Generators::Migration
+  source_root File.expand_path('../templates', __FILE__)
+  desc 'Support revoke refresh token on access token use'
+  def self.next_migration_number(path)
+    ActiveRecord::Generators::Base.next_migration_number(path)
+  end
+  def previous_refresh_token
+    if no_previous_refresh_token_column?
+      migration_template(
+        'add_previous_refresh_token_to_access_tokens.rb.erb',
+        'db/migrate/add_previous_refresh_token_to_access_tokens.rb'
+      )
+    end
+  end
+  private
+  def migration_version
+    if ActiveRecord::VERSION::MAJOR >= 5
+      "[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
+    end
+  end
+  def no_previous_refresh_token_column?
+    !ActiveRecord::Base.connection.column_exists?(
+      :oauth_access_tokens,
+      :previous_refresh_token
+    )
+  end
+end

data/lib/generators/doorkeeper/templates/add_confidential_to_application_migration.rb.erb ADDED Viewed

@@ -0,0 +1,11 @@
+class AddConfidentialToDoorkeeperApplication < ActiveRecord::Migration<%= migration_version %>
+  def change
+    add_column(
+      :oauth_applications,
+      :confidential,
+      :boolean,
+      null: false,
+      default: true # maintaining backwards compatibility: require secrets
+    )
+  end
+end

data/{spec/dummy/db/migrate/20130902175349_add_owner_to_application.rb → lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb} RENAMED Viewed

@@ -1,4 +1,4 @@
-class AddOwnerToApplication < ActiveRecord::Migration
+class AddOwnerToApplication < ActiveRecord::Migration<%= migration_version %>
   def change
     add_column :oauth_applications, :owner_id, :integer, null: true
     add_column :oauth_applications, :owner_type, :string, null: true

data/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb.erb ADDED Viewed

@@ -0,0 +1,11 @@
+class AddPreviousRefreshTokenToAccessTokens < ActiveRecord::Migration<%= migration_version %>
+  def change
+    add_column(
+      :oauth_access_tokens,
+      :previous_refresh_token,
+      :string,
+      default: "",
+      null: false
+    )
+  end
+end

data/lib/generators/doorkeeper/templates/initializer.rb CHANGED Viewed

@@ -31,7 +31,12 @@ Doorkeeper.configure do
   # Use a custom class for generating the access token.
   # https://github.com/doorkeeper-gem/doorkeeper#custom-access-token-generator
-  # access_token_generator "::Doorkeeper::JWT"
+  # access_token_generator '::Doorkeeper::JWT'
+  # The controller Doorkeeper::ApplicationController inherits from.
+  # Defaults to ActionController::Base.
+  # https://github.com/doorkeeper-gem/doorkeeper#custom-base-controller
+  # base_controller 'ApplicationController'
   # Reuse access token for the same resource owner within an application (disabled by default)
   # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/383
@@ -41,10 +46,10 @@ Doorkeeper.configure do
   # use_refresh_token
   # Provide support for an owner to be assigned to each registered application (disabled by default)
-  # Optional parameter :confirmation => true (default false) if you want to enforce ownership of
+  # Optional parameter confirmation: true (default false) if you want to enforce ownership of
   # a registered application
   # Note: you must also run the rails g doorkeeper:application_owner generator to provide the necessary support
-  # enable_application_owner :confirmation => false
+  # enable_application_owner confirmation: false
   # Define access token scopes for your provider
   # For more information go to
@@ -55,13 +60,15 @@ Doorkeeper.configure do
   # Change the way client credentials are retrieved from the request object.
   # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
   # falls back to the `:client_id` and `:client_secret` params from the `params` object.
-  # Check out the wiki for more information on customization
+  # Check out https://github.com/doorkeeper-gem/doorkeeper/wiki/Changing-how-clients-are-authenticated
+  # for more information on customization
   # client_credentials :from_basic, :from_params
   # Change the way access token is authenticated from the request object.
   # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
   # falls back to the `:access_token` or `:bearer_token` params from the `params` object.
-  # Check out the wiki for more information on customization
+  # Check out https://github.com/doorkeeper-gem/doorkeeper/wiki/Changing-how-clients-are-authenticated
+  # for more information on customization
   # access_token_methods :from_bearer_authorization, :from_access_token_param, :from_bearer_param
   # Change the native redirect uri for client apps
@@ -75,7 +82,21 @@ Doorkeeper.configure do
   # by default in non-development environments). OAuth2 delegates security in
   # communication to the HTTPS protocol so it is wise to keep this enabled.
   #
+  # Callable objects such as proc, lambda, block or any object that responds to
+  # #call can be used in order to allow conditional checks (to allow non-SSL
+  # redirects to localhost for example).
+  #
   # force_ssl_in_redirect_uri !Rails.env.development?
+  #
+  # force_ssl_in_redirect_uri { |uri| uri.host != 'localhost' }
+  # Specify what redirect URI's you want to block during creation. Any redirect
+  # URI is whitelisted by default.
+  #
+  # You can use this option in order to forbid URI's with 'javascript' scheme
+  # for example.
+  #
+  # forbid_redirect_uri { |uri| uri.scheme.to_s.downcase == 'javascript' }
   # Specify what grant flows are enabled in array of Strings. The valid
   # strings and the flows they enable are:
@@ -93,7 +114,18 @@ Doorkeeper.configure do
   #   http://tools.ietf.org/html/rfc6819#section-4.4.2
   #   http://tools.ietf.org/html/rfc6819#section-4.4.3
   #
-  # grant_flows %w(authorization_code client_credentials)
+  # grant_flows %w[authorization_code client_credentials]
+  # Hook into the strategies' request & response life-cycle in case your
+  # application needs advanced customization or logging:
+  #
+  # before_successful_strategy_response do |request|
+  #   puts "BEFORE HOOK FIRED! #{request}"
+  # end
+  #
+  # after_successful_strategy_response do |request, response|
+  #   puts "AFTER HOOK FIRED! #{request}, #{response}"
+  # end
   # Under some circumstances you might want to have applications auto-approved,
   # so that the user skips the authorization step.

data/lib/generators/doorkeeper/templates/migration.rb.erb ADDED Viewed

@@ -0,0 +1,69 @@
+class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
+  def change
+    create_table :oauth_applications do |t|
+      t.string  :name,         null: false
+      t.string  :uid,          null: false
+      t.string  :secret,       null: false
+      t.text    :redirect_uri, null: false
+      t.string  :scopes,       null: false, default: ''
+      t.boolean :confidential, null: false, default: true
+      t.timestamps             null: false
+    end
+    add_index :oauth_applications, :uid, unique: true
+    create_table :oauth_access_grants do |t|
+      t.integer  :resource_owner_id, null: false
+      t.references :application,     null: false
+      t.string   :token,             null: false
+      t.integer  :expires_in,        null: false
+      t.text     :redirect_uri,      null: false
+      t.datetime :created_at,        null: false
+      t.datetime :revoked_at
+      t.string   :scopes
+    end
+    add_index :oauth_access_grants, :token, unique: true
+    add_foreign_key(
+      :oauth_access_grants,
+      :oauth_applications,
+      column: :application_id
+    )
+    create_table :oauth_access_tokens do |t|
+      t.integer  :resource_owner_id
+      t.references :application
+      # If you use a custom token generator you may need to change this column
+      # from string to text, so that it accepts tokens larger than 255
+      # characters. More info on custom token generators in:
+      # https://github.com/doorkeeper-gem/doorkeeper/tree/v3.0.0.rc1#custom-access-token-generator
+      #
+      # t.text     :token,             null: false
+      t.string   :token,                  null: false
+      t.string   :refresh_token
+      t.integer  :expires_in
+      t.datetime :revoked_at
+      t.datetime :created_at,             null: false
+      t.string   :scopes
+      # If there is a previous_refresh_token column,
+      # refresh tokens will be revoked after a related access token is used.
+      # If there is no previous_refresh_token column,
+      # previous tokens are revoked as soon as a new access token is created.
+      # Comment out this line if you'd rather have refresh tokens
+      # instantly revoked.
+      t.string   :previous_refresh_token, null: false, default: ""
+    end
+    add_index :oauth_access_tokens, :token, unique: true
+    add_index :oauth_access_tokens, :resource_owner_id
+    add_index :oauth_access_tokens, :refresh_token, unique: true
+    add_foreign_key(
+      :oauth_access_tokens,
+      :oauth_applications,
+      column: :application_id
+    )
+  end
+end

data/spec/controllers/application_metal_controller.rb ADDED Viewed

@@ -0,0 +1,10 @@
+require "spec_helper_integration"
+describe Doorkeeper::ApplicationMetalController do
+  it "lazy run hooks" do
+    i = 0
+    ActiveSupport.on_load(:doorkeeper_metal_controller) { i += 1 }
+    expect(i).to eq 1
+  end
+end

data/spec/controllers/applications_controller_spec.rb CHANGED Viewed

@@ -19,13 +19,24 @@ module Doorkeeper
           post :create, doorkeeper_application: {
             name: 'Example',
             redirect_uri: 'https://example.com' }
-        end.to_not change { Doorkeeper::Application.count }
+        end.not_to change { Doorkeeper::Application.count }
       end
     end
     context 'when admin is authenticated' do
+      render_views
       before do
-        allow(Doorkeeper.configuration).to receive(:authenticate_admin).and_return(->(arg) { true })
+        allow(Doorkeeper.configuration).to receive(:authenticate_admin).and_return(->(*) { true })
+      end
+      it 'sorts applications by created_at' do
+        first_application = FactoryBot.create(:application)
+        second_application = FactoryBot.create(:application)
+        expect(Doorkeeper::Application).to receive(:ordered_by).and_call_original
+        get :index
+        expect(response.body).to have_selector("tbody tr:first-child#application_#{first_application.id}")
+        expect(response.body).to have_selector("tbody tr:last-child#application_#{second_application.id}")
       end
       it 'creates application' do
@@ -38,7 +49,7 @@ module Doorkeeper
       end
       it 'does not allow mass assignment of uid or secret' do
-        application = FactoryGirl.create(:application)
+        application = FactoryBot.create(:application)
         put :update, id: application.id, doorkeeper_application: {
           uid: '1A2B3C4D',
           secret: '1A2B3C4D' }
@@ -47,7 +58,7 @@ module Doorkeeper
       end
       it 'updates application' do
-        application = FactoryGirl.create(:application)
+        application = FactoryBot.create(:application)
         put :update, id: application.id, doorkeeper_application: {
           name: 'Example',
           redirect_uri: 'https://example.com' }