doorkeeper 3.1.0 → 5.6.2

data/lib/doorkeeper/oauth/pre_authorization.rb

@@ -1,23 +1,36 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OAuth
     class PreAuthorization
       include Validations
 
-      validate :response_type, error: :unsupported_response_type
+      validate :client_id, error: :invalid_request
       validate :client, error: :invalid_client
-      validate :scopes, error: :invalid_scope
+      validate :client_supports_grant_flow, error: :unauthorized_client
+      validate :resource_owner_authorize_for_client, error: :invalid_client
       validate :redirect_uri, error: :invalid_redirect_uri
+      validate :params, error: :invalid_request
+      validate :response_type, error: :unsupported_response_type
+      validate :response_mode, error: :unsupported_response_mode
+      validate :scopes, error: :invalid_scope
+      validate :code_challenge_method, error: :invalid_code_challenge_method
 
-      attr_accessor :server, :client, :response_type, :redirect_uri, :state
-      attr_writer   :scope
+      attr_reader :client, :code_challenge, :code_challenge_method, :missing_param,
+                  :redirect_uri, :resource_owner, :response_type, :state,
+                  :authorization_response_flow, :response_mode
 
-      def initialize(server, client, attrs = {})
-        @server        = server
-        @client        = client
-        @response_type = attrs[:response_type]
-        @redirect_uri  = attrs[:redirect_uri]
-        @scope         = attrs[:scope]
-        @state         = attrs[:state]
+      def initialize(server, parameters = {}, resource_owner = nil)
+        @server                = server
+        @client_id             = parameters[:client_id]
+        @response_type         = parameters[:response_type]
+        @response_mode         = parameters[:response_mode]
+        @redirect_uri          = parameters[:redirect_uri]
+        @scope                 = parameters[:scope]
+        @state                 = parameters[:state]
+        @code_challenge        = parameters[:code_challenge]
+        @code_challenge_method = parameters[:code_challenge_method]
+        @resource_owner        = resource_owner
       end
 
       def authorizable?
@@ -25,41 +38,137 @@ module Doorkeeper
       end
 
       def scopes
-        Scopes.from_string scope
+        Scopes.from_string(scope)
       end
 
       def scope
-        @scope.presence || server.default_scopes.to_s
+        @scope.presence || (server.default_scopes.presence && build_scopes)
       end
 
       def error_response
-        OAuth::ErrorResponse.from_request(self)
+        if error == :invalid_request
+          OAuth::InvalidRequestResponse.from_request(
+            self,
+            response_on_fragment: response_on_fragment?,
+          )
+        else
+          OAuth::ErrorResponse.from_request(self, response_on_fragment: response_on_fragment?)
+        end
+      end
+
+      def as_json(_options = nil)
+        pre_auth_hash
+      end
+
+      def form_post_response?
+        response_mode == "form_post"
       end
 
       private
 
-      def validate_response_type
-        server.authorization_response_types.include? response_type
+      attr_reader :client_id, :server
+
+      def build_scopes
+        client_scopes = client.scopes
+        if client_scopes.blank?
+          server.default_scopes.to_s
+        else
+          (server.default_scopes & client_scopes).to_s
+        end
+      end
+
+      def validate_client_id
+        @missing_param = :client_id if client_id.blank?
+        @missing_param.nil?
       end
 
       def validate_client
-        client.present?
+        @client = OAuth::Client.find(client_id)
+        @client.present?
+      end
+
+      def validate_client_supports_grant_flow
+        Doorkeeper.config.allow_grant_flow_for_client?(grant_type, client.application)
+      end
+
+      def validate_resource_owner_authorize_for_client
+        # The `authorize_resource_owner_for_client` config option is used for this validation
+        client.application.authorized_for_resource_owner?(@resource_owner)
+      end
+
+      def validate_redirect_uri
+        return false if redirect_uri.blank?
+
+        Helpers::URIChecker.valid_for_authorization?(
+          redirect_uri,
+          client.redirect_uri,
+        )
+      end
+
+      def validate_params
+        @missing_param = if response_type.blank?
+                           :response_type
+                         elsif @scope.blank? && server.default_scopes.blank?
+                           :scope
+                         end
+
+        @missing_param.nil?
+      end
+
+      def validate_response_type
+        server.authorization_response_flows.any? do |flow|
+          if flow.matches_response_type?(response_type)
+            @authorization_response_flow = flow
+            true
+          end
+        end
+      end
+
+      def validate_response_mode
+        if response_mode.blank?
+          @response_mode = authorization_response_flow.default_response_mode
+          return true
+        end
+
+        authorization_response_flow.matches_response_mode?(response_mode)
       end
 
       def validate_scopes
-        return true unless scope.present?
         Helpers::ScopeChecker.valid?(
-          scope,
-          server.scopes,
-          client.application.scopes
+          scope_str: scope,
+          server_scopes: server.scopes,
+          app_scopes: client.scopes,
+          grant_type: grant_type,
         )
       end
 
-      # TODO: test uri should be matched against the client's one
-      def validate_redirect_uri
-        return false unless redirect_uri.present?
-        Helpers::URIChecker.native_uri?(redirect_uri) ||
-          Helpers::URIChecker.valid_for_authorization?(redirect_uri, client.redirect_uri)
+      def validate_code_challenge_method
+        return true unless Doorkeeper.config.access_grant_model.pkce_supported?
+
+        code_challenge.blank? ||
+          (code_challenge_method.present? && code_challenge_method =~ /^plain$|^S256$/)
+      end
+
+      def response_on_fragment?
+        return response_type == "token" if response_mode.nil?
+
+        response_mode == "fragment"
+      end
+
+      def grant_type
+        response_type == "code" ? AUTHORIZATION_CODE : IMPLICIT
+      end
+
+      def pre_auth_hash
+        {
+          client_id: client.uid,
+          redirect_uri: redirect_uri,
+          state: state,
+          response_type: response_type,
+          scope: scope,
+          client_name: client.name,
+          status: I18n.t("doorkeeper.pre_authorization.status"),
+        }
       end
     end
   end

data/lib/doorkeeper/oauth/refresh_token_request.rb

@@ -1,8 +1,8 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OAuth
-    class RefreshTokenRequest
-      include Validations
-      include OAuth::RequestConcern
+    class RefreshTokenRequest < BaseRequest
       include OAuth::Helpers
 
       validate :token_presence, error: :invalid_request
@@ -11,34 +11,37 @@ module Doorkeeper
       validate :client_match, error: :invalid_grant
       validate :scope,        error: :invalid_scope
 
-      attr_accessor :access_token, :client, :credentials, :refresh_token,
-                    :server
+      attr_reader :access_token, :client, :credentials, :refresh_token
+      attr_reader :missing_param
 
       def initialize(server, refresh_token, credentials, parameters = {})
-        @server          = server
-        @refresh_token   = refresh_token
-        @credentials     = credentials
+        @server = server
+        @refresh_token = refresh_token
+        @credentials = credentials
         @original_scopes = parameters[:scope] || parameters[:scopes]
         @refresh_token_parameter = parameters[:refresh_token]
-
-        if credentials
-          @client = Application.by_uid_and_secret credentials.uid,
-                                                  credentials.secret
-        end
+        @client = load_client(credentials) if credentials
       end
 
       private
 
-      attr_reader :refresh_token_parameter
+      def load_client(credentials)
+        server_config.application_model.by_uid_and_secret(credentials.uid, credentials.secret)
+      end
 
       def before_successful_response
         refresh_token.transaction do
           refresh_token.lock!
-          raise Errors::InvalidTokenReuse if refresh_token.revoked?
+          raise Errors::InvalidGrantReuse if refresh_token.revoked?
 
-          refresh_token.revoke
+          refresh_token.revoke unless refresh_token_revoked_on_use?
           create_access_token
         end
+        super
+      end
+
+      def refresh_token_revoked_on_use?
+        server_config.access_token_model.refresh_token_revoked_on_use?
       end
 
       def default_scopes
@@ -46,21 +49,46 @@ module Doorkeeper
       end
 
       def create_access_token
-        expires_in = Authorization::Token.access_token_expires_in(
-          server,
-          client
-        )
+        attributes = {}
 
-        @access_token = AccessToken.create!(
-          application_id: refresh_token.application_id,
-          resource_owner_id: refresh_token.resource_owner_id,
-          scopes: scopes.to_s,
-          expires_in: expires_in,
-          use_refresh_token: true)
+        resource_owner =
+          if Doorkeeper.config.polymorphic_resource_owner?
+            refresh_token.resource_owner
+          else
+            refresh_token.resource_owner_id
+          end
+
+        if refresh_token_revoked_on_use?
+          attributes[:previous_refresh_token] = refresh_token.refresh_token
+        end
+
+        # RFC6749
+        # 1.5.  Refresh Token
+        #
+        # Refresh tokens are issued to the client by the authorization server and are
+        # used to obtain a new access token when the current access token
+        # becomes invalid or expires, or to obtain additional access tokens
+        # with identical or narrower scope (access tokens may have a shorter
+        # lifetime and fewer permissions than authorized by the resource
+        # owner).
+        #
+        # Here we assume that TTL of the token received after refreshing should be
+        # the same as that of the original token.
+        #
+        @access_token = server_config.access_token_model.create_for(
+          application: refresh_token.application,
+          resource_owner: resource_owner,
+          scopes: scopes,
+          expires_in: refresh_token.expires_in,
+          use_refresh_token: true,
+          **attributes,
+        )
       end
 
       def validate_token_presence
-        refresh_token.present? || refresh_token_parameter.present?
+        @missing_param = :refresh_token if refresh_token.blank? && @refresh_token_parameter.blank?
+
+        @missing_param.nil?
       end
 
       def validate_token
@@ -68,16 +96,25 @@ module Doorkeeper
       end
 
       def validate_client
-        !credentials || !!client
+        return true if credentials.blank?
+
+        client.present?
       end
 
+      # @see https://datatracker.ietf.org/doc/html/rfc6749#section-1.5
+      #
       def validate_client_match
-        !client || refresh_token.application_id == client.id
+        return true if refresh_token.application_id.blank?
+
+        client && refresh_token.application_id == client.id
       end
 
       def validate_scope
         if @original_scopes.present?
-          ScopeChecker.valid?(@original_scopes, refresh_token.scopes)
+          ScopeChecker.valid?(
+            scope_str: @original_scopes,
+            server_scopes: refresh_token.scopes,
+          )
         else
           true
         end

data/lib/doorkeeper/oauth/scopes.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OAuth
     class Scopes
@@ -5,7 +7,7 @@ module Doorkeeper
       include Comparable
 
       def self.from_string(string)
-        string ||= ''
+        string ||= ""
         new.tap do |scope|
           scope.add(*string.split)
         end
@@ -37,28 +39,40 @@ module Doorkeeper
       end
 
       def to_s
-        @scopes.join(' ')
+        @scopes.join(" ")
       end
 
-      def has_scopes?(scopes)
-        scopes.all? { |s| exists?(s) }
+      def scopes?(scopes)
+        scopes.all? { |scope| exists?(scope) }
       end
 
+      alias has_scopes? scopes?
+
       def +(other)
-        if other.is_a? Scopes
-          self.class.from_array(self.all + other.all)
-        else
-          super(other)
-        end
+        self.class.from_array(all + to_array(other))
       end
 
       def <=>(other)
-        self.map(&:to_s).sort <=> other.map(&:to_s).sort
+        if other.respond_to?(:map)
+          map(&:to_s).sort <=> other.map(&:to_s).sort
+        else
+          super
+        end
       end
 
       def &(other)
-        other_array = other.present? ? other.all : []
-        self.class.from_array(all & other_array)
+        self.class.from_array(all & to_array(other))
+      end
+
+      private
+
+      def to_array(other)
+        case other
+        when Scopes
+          other.all
+        else
+          other.to_a
+        end
       end
     end
   end

data/lib/doorkeeper/oauth/token.rb

@@ -1,7 +1,27 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OAuth
     class Token
-      module Methods
+      class << self
+        def from_request(request, *methods)
+          methods.inject(nil) do |_, method|
+            method = self.method(method) if method.is_a?(Symbol)
+            credentials = method.call(request)
+            break credentials if credentials.present?
+          end
+        end
+
+        def authenticate(request, *methods)
+          if (token = from_request(request, *methods))
+            access_token = Doorkeeper.config.access_token_model.by_token(token)
+            if access_token.present? && Doorkeeper.config.refresh_token_enabled?
+              access_token.revoke_previous_refresh_token!
+            end
+            access_token
+          end
+        end
+
         def from_access_token_param(request)
           request.parameters[:access_token]
         end
@@ -12,13 +32,13 @@ module Doorkeeper
 
         def from_bearer_authorization(request)
           pattern = /^Bearer /i
-          header  = request.authorization
+          header = request.authorization
           token_from_header(header, pattern) if match?(header, pattern)
         end
 
         def from_basic_authorization(request)
           pattern = /^Basic /i
-          header  = request.authorization
+          header = request.authorization
           token_from_basic_header(header, pattern) if match?(header, pattern)
         end
 
@@ -26,36 +46,19 @@ module Doorkeeper
 
         def token_from_basic_header(header, pattern)
           encoded_header = token_from_header(header, pattern)
-          token, _ = decode_basic_credentials(encoded_header)
-          token
+          decode_basic_credentials_token(encoded_header)
         end
 
-        def decode_basic_credentials(encoded_header)
-          Base64.decode64(encoded_header).split(/:/, 2)
+        def decode_basic_credentials_token(encoded_header)
+          Base64.decode64(encoded_header).split(/:/, 2).first
         end
 
         def token_from_header(header, pattern)
-          header.gsub pattern, ''
+          header.gsub(pattern, "")
         end
 
         def match?(header, pattern)
-          header && header.match(pattern)
-        end
-      end
-
-      extend Methods
-
-      def self.from_request(request, *methods)
-        methods.inject(nil) do |credentials, method|
-          method = self.method(method) if method.is_a?(Symbol)
-          credentials = method.call(request)
-          break credentials unless credentials.blank?
-        end
-      end
-
-      def self.authenticate(request, *methods)
-        if token = from_request(request, *methods)
-          AccessToken.by_token(token)
+          header&.match(pattern)
         end
       end
     end