doorkeeper 3.1.0 → 5.6.2
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of doorkeeper might be problematic. Click here for more details.
- checksums.yaml +5 -5
- data/CHANGELOG.md +1079 -0
- data/README.md +114 -326
- data/app/assets/stylesheets/doorkeeper/admin/application.css +2 -2
- data/app/controllers/doorkeeper/application_controller.rb +7 -6
- data/app/controllers/doorkeeper/application_metal_controller.rb +9 -12
- data/app/controllers/doorkeeper/applications_controller.rb +66 -21
- data/app/controllers/doorkeeper/authorizations_controller.rb +100 -18
- data/app/controllers/doorkeeper/authorized_applications_controller.rb +23 -4
- data/app/controllers/doorkeeper/token_info_controller.rb +16 -4
- data/app/controllers/doorkeeper/tokens_controller.rb +138 -22
- data/app/helpers/doorkeeper/dashboard_helper.rb +15 -9
- data/app/views/doorkeeper/applications/_delete_form.html.erb +4 -3
- data/app/views/doorkeeper/applications/_form.html.erb +33 -21
- data/app/views/doorkeeper/applications/edit.html.erb +1 -1
- data/app/views/doorkeeper/applications/index.html.erb +18 -6
- data/app/views/doorkeeper/applications/new.html.erb +1 -1
- data/app/views/doorkeeper/applications/show.html.erb +40 -16
- data/app/views/doorkeeper/authorizations/error.html.erb +1 -1
- data/app/views/doorkeeper/authorizations/form_post.html.erb +15 -0
- data/app/views/doorkeeper/authorizations/new.html.erb +17 -11
- data/app/views/doorkeeper/authorized_applications/_delete_form.html.erb +1 -2
- data/app/views/doorkeeper/authorized_applications/index.html.erb +0 -1
- data/app/views/layouts/doorkeeper/admin.html.erb +16 -14
- data/config/locales/en.yml +37 -9
- data/lib/doorkeeper/config/abstract_builder.rb +28 -0
- data/lib/doorkeeper/config/option.rb +82 -0
- data/lib/doorkeeper/config/validations.rb +53 -0
- data/lib/doorkeeper/config.rb +602 -142
- data/lib/doorkeeper/engine.rb +22 -7
- data/lib/doorkeeper/errors.rb +37 -10
- data/lib/doorkeeper/grant_flow/fallback_flow.rb +15 -0
- data/lib/doorkeeper/grant_flow/flow.rb +44 -0
- data/lib/doorkeeper/grant_flow/registry.rb +50 -0
- data/lib/doorkeeper/grant_flow.rb +45 -0
- data/lib/doorkeeper/grape/authorization_decorator.rb +6 -4
- data/lib/doorkeeper/grape/helpers.rb +24 -12
- data/lib/doorkeeper/helpers/controller.rb +49 -27
- data/lib/doorkeeper/models/access_grant_mixin.rb +99 -16
- data/lib/doorkeeper/models/access_token_mixin.rb +386 -77
- data/lib/doorkeeper/models/application_mixin.rb +73 -30
- data/lib/doorkeeper/models/concerns/accessible.rb +6 -0
- data/lib/doorkeeper/models/concerns/expirable.rb +20 -6
- data/lib/doorkeeper/models/concerns/expiration_time_sql_math.rb +88 -0
- data/lib/doorkeeper/models/concerns/orderable.rb +15 -0
- data/lib/doorkeeper/models/concerns/ownership.rb +4 -2
- data/lib/doorkeeper/models/concerns/resource_ownerable.rb +47 -0
- data/lib/doorkeeper/models/concerns/reusable.rb +19 -0
- data/lib/doorkeeper/models/concerns/revocable.rb +13 -2
- data/lib/doorkeeper/models/concerns/scopes.rb +12 -2
- data/lib/doorkeeper/models/concerns/secret_storable.rb +106 -0
- data/lib/doorkeeper/oauth/authorization/code.rb +48 -12
- data/lib/doorkeeper/oauth/authorization/context.rb +17 -0
- data/lib/doorkeeper/oauth/authorization/token.rb +72 -28
- data/lib/doorkeeper/oauth/authorization/uri_builder.rb +22 -18
- data/lib/doorkeeper/oauth/authorization_code_request.rb +64 -14
- data/lib/doorkeeper/oauth/base_request.rb +66 -0
- data/lib/doorkeeper/oauth/base_response.rb +31 -0
- data/lib/doorkeeper/oauth/client/credentials.rb +23 -10
- data/lib/doorkeeper/oauth/client.rb +10 -12
- data/lib/doorkeeper/oauth/client_credentials/creator.rb +48 -4
- data/lib/doorkeeper/oauth/client_credentials/issuer.rb +17 -9
- data/lib/doorkeeper/oauth/client_credentials/validator.rb +55 -0
- data/lib/doorkeeper/oauth/client_credentials_request.rb +14 -15
- data/lib/doorkeeper/oauth/code_request.rb +8 -12
- data/lib/doorkeeper/oauth/code_response.rb +31 -19
- data/lib/doorkeeper/oauth/error.rb +5 -3
- data/lib/doorkeeper/oauth/error_response.rb +41 -20
- data/lib/doorkeeper/oauth/forbidden_token_response.rb +11 -3
- data/lib/doorkeeper/oauth/helpers/scope_checker.rb +24 -19
- data/lib/doorkeeper/oauth/helpers/unique_token.rb +20 -3
- data/lib/doorkeeper/oauth/helpers/uri_checker.rb +55 -4
- data/lib/doorkeeper/oauth/hooks/context.rb +21 -0
- data/lib/doorkeeper/oauth/invalid_request_response.rb +43 -0
- data/lib/doorkeeper/oauth/invalid_token_response.rb +31 -5
- data/lib/doorkeeper/oauth/nonstandard.rb +39 -0
- data/lib/doorkeeper/oauth/password_access_token_request.rb +46 -18
- data/lib/doorkeeper/oauth/pre_authorization.rb +135 -26
- data/lib/doorkeeper/oauth/refresh_token_request.rb +67 -30
- data/lib/doorkeeper/oauth/scopes.rb +26 -12
- data/lib/doorkeeper/oauth/token.rb +28 -25
- data/lib/doorkeeper/oauth/token_introspection.rb +202 -0
- data/lib/doorkeeper/oauth/token_request.rb +8 -21
- data/lib/doorkeeper/oauth/token_response.rb +14 -10
- data/lib/doorkeeper/oauth.rb +13 -0
- data/lib/doorkeeper/orm/active_record/access_grant.rb +6 -4
- data/lib/doorkeeper/orm/active_record/access_token.rb +5 -17
- data/lib/doorkeeper/orm/active_record/application.rb +6 -20
- data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +69 -0
- data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +81 -0
- data/lib/doorkeeper/orm/active_record/mixins/application.rb +214 -0
- data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb +66 -0
- data/lib/doorkeeper/orm/active_record/stale_records_cleaner.rb +33 -0
- data/lib/doorkeeper/orm/active_record.rb +36 -26
- data/lib/doorkeeper/rails/helpers.rb +14 -15
- data/lib/doorkeeper/rails/routes/abstract_router.rb +35 -0
- data/lib/doorkeeper/rails/routes/mapper.rb +4 -2
- data/lib/doorkeeper/rails/routes/mapping.rb +10 -8
- data/lib/doorkeeper/rails/routes/registry.rb +45 -0
- data/lib/doorkeeper/rails/routes.rb +45 -28
- data/lib/doorkeeper/rake/db.rake +40 -0
- data/lib/doorkeeper/rake/setup.rake +6 -0
- data/lib/doorkeeper/rake.rb +14 -0
- data/lib/doorkeeper/request/authorization_code.rb +12 -4
- data/lib/doorkeeper/request/client_credentials.rb +3 -3
- data/lib/doorkeeper/request/code.rb +1 -1
- data/lib/doorkeeper/request/password.rb +5 -4
- data/lib/doorkeeper/request/refresh_token.rb +6 -5
- data/lib/doorkeeper/request/strategy.rb +4 -2
- data/lib/doorkeeper/request/token.rb +1 -1
- data/lib/doorkeeper/request.rb +62 -29
- data/lib/doorkeeper/secret_storing/base.rb +64 -0
- data/lib/doorkeeper/secret_storing/bcrypt.rb +60 -0
- data/lib/doorkeeper/secret_storing/plain.rb +33 -0
- data/lib/doorkeeper/secret_storing/sha256_hash.rb +26 -0
- data/lib/doorkeeper/server.rb +9 -19
- data/lib/doorkeeper/stale_records_cleaner.rb +24 -0
- data/lib/doorkeeper/validations.rb +5 -2
- data/lib/doorkeeper/version.rb +12 -1
- data/lib/doorkeeper.rb +112 -56
- data/lib/generators/doorkeeper/application_owner_generator.rb +28 -13
- data/lib/generators/doorkeeper/confidential_applications_generator.rb +33 -0
- data/lib/generators/doorkeeper/enable_polymorphic_resource_owner_generator.rb +39 -0
- data/lib/generators/doorkeeper/install_generator.rb +19 -9
- data/lib/generators/doorkeeper/migration_generator.rb +27 -10
- data/lib/generators/doorkeeper/pkce_generator.rb +33 -0
- data/lib/generators/doorkeeper/previous_refresh_token_generator.rb +41 -0
- data/lib/generators/doorkeeper/templates/add_confidential_to_applications.rb.erb +13 -0
- data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +9 -0
- data/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb.erb +13 -0
- data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +8 -0
- data/lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb +17 -0
- data/lib/generators/doorkeeper/templates/initializer.rb +417 -32
- data/lib/generators/doorkeeper/templates/migration.rb.erb +88 -0
- data/lib/generators/doorkeeper/views_generator.rb +8 -4
- data/vendor/assets/stylesheets/doorkeeper/bootstrap.min.css +4 -5
- metadata +163 -280
- data/.gitignore +0 -14
- data/.hound.yml +0 -13
- data/.rspec +0 -1
- data/.travis.yml +0 -22
- data/CONTRIBUTING.md +0 -45
- data/Gemfile +0 -10
- data/NEWS.md +0 -525
- data/RELEASING.md +0 -17
- data/Rakefile +0 -20
- data/app/validators/redirect_uri_validator.rb +0 -34
- data/doorkeeper.gemspec +0 -27
- data/lib/doorkeeper/oauth/client/methods.rb +0 -18
- data/lib/doorkeeper/oauth/client_credentials/validation.rb +0 -45
- data/lib/doorkeeper/oauth/request_concern.rb +0 -48
- data/lib/generators/doorkeeper/application_scopes_generator.rb +0 -34
- data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb +0 -7
- data/lib/generators/doorkeeper/templates/add_scopes_to_oauth_applications.rb +0 -5
- data/lib/generators/doorkeeper/templates/migration.rb +0 -50
- data/spec/controllers/applications_controller_spec.rb +0 -58
- data/spec/controllers/authorizations_controller_spec.rb +0 -203
- data/spec/controllers/protected_resources_controller_spec.rb +0 -271
- data/spec/controllers/token_info_controller_spec.rb +0 -52
- data/spec/controllers/tokens_controller_spec.rb +0 -88
- data/spec/dummy/Rakefile +0 -7
- data/spec/dummy/app/controllers/application_controller.rb +0 -3
- data/spec/dummy/app/controllers/custom_authorizations_controller.rb +0 -7
- data/spec/dummy/app/controllers/full_protected_resources_controller.rb +0 -12
- data/spec/dummy/app/controllers/home_controller.rb +0 -17
- data/spec/dummy/app/controllers/metal_controller.rb +0 -11
- data/spec/dummy/app/controllers/semi_protected_resources_controller.rb +0 -11
- data/spec/dummy/app/helpers/application_helper.rb +0 -5
- data/spec/dummy/app/models/user.rb +0 -9
- data/spec/dummy/app/views/home/index.html.erb +0 -0
- data/spec/dummy/app/views/layouts/application.html.erb +0 -14
- data/spec/dummy/config/application.rb +0 -57
- data/spec/dummy/config/boot.rb +0 -9
- data/spec/dummy/config/database.yml +0 -15
- data/spec/dummy/config/environment.rb +0 -5
- data/spec/dummy/config/environments/development.rb +0 -29
- data/spec/dummy/config/environments/production.rb +0 -62
- data/spec/dummy/config/environments/test.rb +0 -55
- data/spec/dummy/config/initializers/backtrace_silencers.rb +0 -7
- data/spec/dummy/config/initializers/doorkeeper.rb +0 -96
- data/spec/dummy/config/initializers/secret_token.rb +0 -9
- data/spec/dummy/config/initializers/session_store.rb +0 -8
- data/spec/dummy/config/initializers/wrap_parameters.rb +0 -14
- data/spec/dummy/config/locales/doorkeeper.en.yml +0 -5
- data/spec/dummy/config/routes.rb +0 -52
- data/spec/dummy/config.ru +0 -4
- data/spec/dummy/db/migrate/20111122132257_create_users.rb +0 -9
- data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb +0 -5
- data/spec/dummy/db/migrate/20130902165751_create_doorkeeper_tables.rb +0 -41
- data/spec/dummy/db/migrate/20130902175349_add_owner_to_application.rb +0 -7
- data/spec/dummy/db/migrate/20141209001746_add_scopes_to_oauth_applications.rb +0 -5
- data/spec/dummy/db/schema.rb +0 -66
- data/spec/dummy/public/404.html +0 -26
- data/spec/dummy/public/422.html +0 -26
- data/spec/dummy/public/500.html +0 -26
- data/spec/dummy/public/favicon.ico +0 -0
- data/spec/dummy/script/rails +0 -6
- data/spec/factories.rb +0 -26
- data/spec/generators/application_owner_generator_spec.rb +0 -22
- data/spec/generators/install_generator_spec.rb +0 -31
- data/spec/generators/migration_generator_spec.rb +0 -20
- data/spec/generators/templates/routes.rb +0 -3
- data/spec/generators/views_generator_spec.rb +0 -27
- data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +0 -24
- data/spec/lib/config_spec.rb +0 -317
- data/spec/lib/doorkeeper_spec.rb +0 -28
- data/spec/lib/models/expirable_spec.rb +0 -51
- data/spec/lib/models/revocable_spec.rb +0 -36
- data/spec/lib/models/scopes_spec.rb +0 -43
- data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -42
- data/spec/lib/oauth/authorization_code_request_spec.rb +0 -80
- data/spec/lib/oauth/client/credentials_spec.rb +0 -47
- data/spec/lib/oauth/client/methods_spec.rb +0 -54
- data/spec/lib/oauth/client_credentials/creator_spec.rb +0 -44
- data/spec/lib/oauth/client_credentials/issuer_spec.rb +0 -86
- data/spec/lib/oauth/client_credentials/validation_spec.rb +0 -54
- data/spec/lib/oauth/client_credentials_integration_spec.rb +0 -27
- data/spec/lib/oauth/client_credentials_request_spec.rb +0 -104
- data/spec/lib/oauth/client_spec.rb +0 -39
- data/spec/lib/oauth/code_request_spec.rb +0 -45
- data/spec/lib/oauth/error_response_spec.rb +0 -61
- data/spec/lib/oauth/error_spec.rb +0 -23
- data/spec/lib/oauth/forbidden_token_response_spec.rb +0 -23
- data/spec/lib/oauth/helpers/scope_checker_spec.rb +0 -64
- data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -20
- data/spec/lib/oauth/helpers/uri_checker_spec.rb +0 -104
- data/spec/lib/oauth/invalid_token_response_spec.rb +0 -28
- data/spec/lib/oauth/password_access_token_request_spec.rb +0 -90
- data/spec/lib/oauth/pre_authorization_spec.rb +0 -155
- data/spec/lib/oauth/refresh_token_request_spec.rb +0 -123
- data/spec/lib/oauth/scopes_spec.rb +0 -123
- data/spec/lib/oauth/token_request_spec.rb +0 -98
- data/spec/lib/oauth/token_response_spec.rb +0 -85
- data/spec/lib/oauth/token_spec.rb +0 -109
- data/spec/lib/request/strategy_spec.rb +0 -53
- data/spec/lib/server_spec.rb +0 -52
- data/spec/models/doorkeeper/access_grant_spec.rb +0 -36
- data/spec/models/doorkeeper/access_token_spec.rb +0 -350
- data/spec/models/doorkeeper/application_spec.rb +0 -187
- data/spec/requests/applications/applications_request_spec.rb +0 -94
- data/spec/requests/applications/authorized_applications_spec.rb +0 -30
- data/spec/requests/endpoints/authorization_spec.rb +0 -72
- data/spec/requests/endpoints/token_spec.rb +0 -64
- data/spec/requests/flows/authorization_code_errors_spec.rb +0 -66
- data/spec/requests/flows/authorization_code_spec.rb +0 -156
- data/spec/requests/flows/client_credentials_spec.rb +0 -58
- data/spec/requests/flows/implicit_grant_errors_spec.rb +0 -32
- data/spec/requests/flows/implicit_grant_spec.rb +0 -61
- data/spec/requests/flows/password_spec.rb +0 -94
- data/spec/requests/flows/refresh_token_spec.rb +0 -104
- data/spec/requests/flows/revoke_token_spec.rb +0 -143
- data/spec/requests/flows/skip_authorization_spec.rb +0 -59
- data/spec/requests/protected_resources/metal_spec.rb +0 -14
- data/spec/requests/protected_resources/private_api_spec.rb +0 -81
- data/spec/routing/custom_controller_routes_spec.rb +0 -71
- data/spec/routing/default_routes_spec.rb +0 -35
- data/spec/routing/scoped_routes_spec.rb +0 -31
- data/spec/spec_helper.rb +0 -2
- data/spec/spec_helper_integration.rb +0 -56
- data/spec/support/dependencies/factory_girl.rb +0 -2
- data/spec/support/helpers/access_token_request_helper.rb +0 -11
- data/spec/support/helpers/authorization_request_helper.rb +0 -41
- data/spec/support/helpers/config_helper.rb +0 -9
- data/spec/support/helpers/model_helper.rb +0 -45
- data/spec/support/helpers/request_spec_helper.rb +0 -76
- data/spec/support/helpers/url_helper.rb +0 -55
- data/spec/support/orm/active_record.rb +0 -3
- data/spec/support/shared/controllers_shared_context.rb +0 -60
- data/spec/support/shared/models_shared_examples.rb +0 -52
- data/spec/validators/redirect_uri_validator_spec.rb +0 -78
@@ -1,72 +0,0 @@
|
|
1
|
-
require 'spec_helper_integration'
|
2
|
-
|
3
|
-
feature 'Authorization endpoint' do
|
4
|
-
background do
|
5
|
-
config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
|
6
|
-
client_exists(name: 'MyApp')
|
7
|
-
end
|
8
|
-
|
9
|
-
scenario 'requires resource owner to be authenticated' do
|
10
|
-
visit authorization_endpoint_url(client: @client)
|
11
|
-
i_should_see 'Sign in'
|
12
|
-
i_should_be_on '/'
|
13
|
-
end
|
14
|
-
|
15
|
-
context 'with authenticated resource owner' do
|
16
|
-
background do
|
17
|
-
create_resource_owner
|
18
|
-
sign_in
|
19
|
-
end
|
20
|
-
|
21
|
-
scenario 'displays the authorization form' do
|
22
|
-
visit authorization_endpoint_url(client: @client)
|
23
|
-
i_should_see 'Authorize MyApp to use your account?'
|
24
|
-
end
|
25
|
-
|
26
|
-
scenario 'displays all requested scopes' do
|
27
|
-
default_scopes_exist :public
|
28
|
-
optional_scopes_exist :write
|
29
|
-
visit authorization_endpoint_url(client: @client, scope: 'public write')
|
30
|
-
i_should_see 'Access your public data'
|
31
|
-
i_should_see 'Update your data'
|
32
|
-
end
|
33
|
-
end
|
34
|
-
|
35
|
-
context 'with a invalid request' do
|
36
|
-
background do
|
37
|
-
create_resource_owner
|
38
|
-
sign_in
|
39
|
-
end
|
40
|
-
|
41
|
-
scenario 'displays the related error' do
|
42
|
-
visit authorization_endpoint_url(client: @client, response_type: '')
|
43
|
-
i_should_not_see 'Authorize'
|
44
|
-
i_should_see_translated_error_message :unsupported_response_type
|
45
|
-
end
|
46
|
-
|
47
|
-
scenario "displays unsupported_response_type error when using a disabled response type" do
|
48
|
-
config_is_set(:grant_flows, ['implicit'])
|
49
|
-
visit authorization_endpoint_url(client: @client, response_type: 'code')
|
50
|
-
i_should_not_see "Authorize"
|
51
|
-
i_should_see_translated_error_message :unsupported_response_type
|
52
|
-
end
|
53
|
-
end
|
54
|
-
|
55
|
-
context 'forgery protection enabled' do
|
56
|
-
background do
|
57
|
-
create_resource_owner
|
58
|
-
sign_in
|
59
|
-
end
|
60
|
-
|
61
|
-
scenario 'raises exception on forged requests' do
|
62
|
-
skip 'TODO: need to add request helpers to this feature spec'
|
63
|
-
allow_any_instance_of(ActionController::Base).to receive(:handle_unverified_request)
|
64
|
-
allowing_forgery_protection do
|
65
|
-
post "/oauth/authorize",
|
66
|
-
client_id: @client.uid,
|
67
|
-
redirect_uri: @client.redirect_uri,
|
68
|
-
response_type: 'code'
|
69
|
-
end
|
70
|
-
end
|
71
|
-
end
|
72
|
-
end
|
@@ -1,64 +0,0 @@
|
|
1
|
-
require 'spec_helper_integration'
|
2
|
-
|
3
|
-
describe 'Token endpoint' do
|
4
|
-
before do
|
5
|
-
client_exists
|
6
|
-
authorization_code_exists application: @client, scopes: 'public'
|
7
|
-
end
|
8
|
-
|
9
|
-
it 'respond with correct headers' do
|
10
|
-
post token_endpoint_url(code: @authorization.token, client: @client)
|
11
|
-
should_have_header 'Pragma', 'no-cache'
|
12
|
-
should_have_header 'Cache-Control', 'no-store'
|
13
|
-
should_have_header 'Content-Type', 'application/json; charset=utf-8'
|
14
|
-
end
|
15
|
-
|
16
|
-
it 'accepts client credentials with basic auth header' do
|
17
|
-
post token_endpoint_url(
|
18
|
-
code: @authorization.token,
|
19
|
-
redirect_uri: @client.redirect_uri
|
20
|
-
), {}, 'HTTP_AUTHORIZATION' => basic_auth_header_for_client(@client)
|
21
|
-
|
22
|
-
should_have_json 'access_token', Doorkeeper::AccessToken.first.token
|
23
|
-
end
|
24
|
-
|
25
|
-
it 'returns null for expires_in when a permanent token is set' do
|
26
|
-
config_is_set(:access_token_expires_in, nil)
|
27
|
-
post token_endpoint_url(code: @authorization.token, client: @client)
|
28
|
-
should_have_json 'access_token', Doorkeeper::AccessToken.first.token
|
29
|
-
should_not_have_json 'expires_in'
|
30
|
-
end
|
31
|
-
|
32
|
-
it 'returns unsupported_grant_type for invalid grant_type param' do
|
33
|
-
post token_endpoint_url(code: @authorization.token, client: @client, grant_type: 'nothing')
|
34
|
-
|
35
|
-
should_not_have_json 'access_token'
|
36
|
-
should_have_json 'error', 'unsupported_grant_type'
|
37
|
-
should_have_json 'error_description', translated_error_message('unsupported_grant_type')
|
38
|
-
end
|
39
|
-
|
40
|
-
it 'returns unsupported_grant_type for disabled grant flows' do
|
41
|
-
config_is_set(:grant_flows, ['implicit'])
|
42
|
-
post token_endpoint_url(code: @authorization.token, client: @client, grant_type: 'authorization_code')
|
43
|
-
|
44
|
-
should_not_have_json 'access_token'
|
45
|
-
should_have_json 'error', 'unsupported_grant_type'
|
46
|
-
should_have_json 'error_description', translated_error_message('unsupported_grant_type')
|
47
|
-
end
|
48
|
-
|
49
|
-
it 'returns unsupported_grant_type when refresh_token is not in use' do
|
50
|
-
post token_endpoint_url(code: @authorization.token, client: @client, grant_type: 'refresh_token')
|
51
|
-
|
52
|
-
should_not_have_json 'access_token'
|
53
|
-
should_have_json 'error', 'unsupported_grant_type'
|
54
|
-
should_have_json 'error_description', translated_error_message('unsupported_grant_type')
|
55
|
-
end
|
56
|
-
|
57
|
-
it 'returns invalid_request if grant_type is missing' do
|
58
|
-
post token_endpoint_url(code: @authorization.token, client: @client, grant_type: '')
|
59
|
-
|
60
|
-
should_not_have_json 'access_token'
|
61
|
-
should_have_json 'error', 'invalid_request'
|
62
|
-
should_have_json 'error_description', translated_error_message('invalid_request')
|
63
|
-
end
|
64
|
-
end
|
@@ -1,66 +0,0 @@
|
|
1
|
-
require 'spec_helper_integration'
|
2
|
-
|
3
|
-
feature 'Authorization Code Flow Errors' do
|
4
|
-
background do
|
5
|
-
config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
|
6
|
-
client_exists
|
7
|
-
create_resource_owner
|
8
|
-
sign_in
|
9
|
-
end
|
10
|
-
|
11
|
-
after do
|
12
|
-
access_grant_should_not_exist
|
13
|
-
end
|
14
|
-
|
15
|
-
context 'when access was denied' do
|
16
|
-
scenario 'redirects with error' do
|
17
|
-
visit authorization_endpoint_url(client: @client)
|
18
|
-
click_on 'Deny'
|
19
|
-
|
20
|
-
i_should_be_on_client_callback @client
|
21
|
-
url_should_not_have_param 'code'
|
22
|
-
url_should_have_param 'error', 'access_denied'
|
23
|
-
url_should_have_param 'error_description', translated_error_message(:access_denied)
|
24
|
-
end
|
25
|
-
|
26
|
-
scenario 'redirects with state parameter' do
|
27
|
-
visit authorization_endpoint_url(client: @client, state: 'return-this')
|
28
|
-
click_on 'Deny'
|
29
|
-
|
30
|
-
i_should_be_on_client_callback @client
|
31
|
-
url_should_not_have_param 'code'
|
32
|
-
url_should_have_param 'state', 'return-this'
|
33
|
-
end
|
34
|
-
end
|
35
|
-
end
|
36
|
-
|
37
|
-
describe 'Authorization Code Flow Errors', 'after authorization' do
|
38
|
-
before do
|
39
|
-
client_exists
|
40
|
-
authorization_code_exists application: @client
|
41
|
-
end
|
42
|
-
|
43
|
-
it 'returns :invalid_grant error when posting an already revoked grant code' do
|
44
|
-
# First successful request
|
45
|
-
post token_endpoint_url(code: @authorization.token, client: @client)
|
46
|
-
|
47
|
-
# Second attempt with same token
|
48
|
-
expect do
|
49
|
-
post token_endpoint_url(code: @authorization.token, client: @client)
|
50
|
-
end.to_not change { Doorkeeper::AccessToken.count }
|
51
|
-
|
52
|
-
should_not_have_json 'access_token'
|
53
|
-
should_have_json 'error', 'invalid_grant'
|
54
|
-
should_have_json 'error_description', translated_error_message('invalid_grant')
|
55
|
-
end
|
56
|
-
|
57
|
-
it 'returns :invalid_grant error for invalid grant code' do
|
58
|
-
post token_endpoint_url(code: 'invalid', client: @client)
|
59
|
-
|
60
|
-
access_token_should_not_exist
|
61
|
-
|
62
|
-
should_not_have_json 'access_token'
|
63
|
-
should_have_json 'error', 'invalid_grant'
|
64
|
-
should_have_json 'error_description', translated_error_message('invalid_grant')
|
65
|
-
end
|
66
|
-
end
|
@@ -1,156 +0,0 @@
|
|
1
|
-
require 'spec_helper_integration'
|
2
|
-
|
3
|
-
feature 'Authorization Code Flow' do
|
4
|
-
background do
|
5
|
-
config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
|
6
|
-
client_exists
|
7
|
-
create_resource_owner
|
8
|
-
sign_in
|
9
|
-
end
|
10
|
-
|
11
|
-
scenario 'resource owner authorizes the client' do
|
12
|
-
visit authorization_endpoint_url(client: @client)
|
13
|
-
click_on 'Authorize'
|
14
|
-
|
15
|
-
access_grant_should_exist_for(@client, @resource_owner)
|
16
|
-
|
17
|
-
i_should_be_on_client_callback(@client)
|
18
|
-
|
19
|
-
url_should_have_param('code', Doorkeeper::AccessGrant.first.token)
|
20
|
-
url_should_not_have_param('state')
|
21
|
-
url_should_not_have_param('error')
|
22
|
-
end
|
23
|
-
|
24
|
-
scenario 'resource owner authorizes using test url' do
|
25
|
-
@client.redirect_uri = Doorkeeper.configuration.native_redirect_uri
|
26
|
-
@client.save!
|
27
|
-
visit authorization_endpoint_url(client: @client)
|
28
|
-
click_on 'Authorize'
|
29
|
-
|
30
|
-
access_grant_should_exist_for(@client, @resource_owner)
|
31
|
-
|
32
|
-
i_should_see 'Authorization code:'
|
33
|
-
i_should_see Doorkeeper::AccessGrant.first.token
|
34
|
-
end
|
35
|
-
|
36
|
-
scenario 'resource owner authorizes the client with state parameter set' do
|
37
|
-
visit authorization_endpoint_url(client: @client, state: 'return-me')
|
38
|
-
click_on 'Authorize'
|
39
|
-
url_should_have_param('code', Doorkeeper::AccessGrant.first.token)
|
40
|
-
url_should_have_param('state', 'return-me')
|
41
|
-
end
|
42
|
-
|
43
|
-
scenario 'resource owner requests an access token with authorization code' do
|
44
|
-
skip 'TODO: need to add request helpers to this feature spec'
|
45
|
-
|
46
|
-
visit authorization_endpoint_url(client: @client)
|
47
|
-
click_on 'Authorize'
|
48
|
-
|
49
|
-
authorization_code = Doorkeeper::AccessGrant.first.token
|
50
|
-
post token_endpoint_url(code: authorization_code, client: @client)
|
51
|
-
|
52
|
-
access_token_should_exist_for(@client, @resource_owner)
|
53
|
-
|
54
|
-
should_not_have_json 'error'
|
55
|
-
|
56
|
-
should_have_json 'access_token', Doorkeeper::AccessToken.first.token
|
57
|
-
should_have_json 'token_type', 'bearer'
|
58
|
-
should_have_json_within 'expires_in', Doorkeeper::AccessToken.first.expires_in, 1
|
59
|
-
end
|
60
|
-
|
61
|
-
context 'with scopes' do
|
62
|
-
background do
|
63
|
-
default_scopes_exist :public
|
64
|
-
optional_scopes_exist :write
|
65
|
-
end
|
66
|
-
|
67
|
-
scenario 'resource owner authorizes the client with default scopes' do
|
68
|
-
visit authorization_endpoint_url(client: @client)
|
69
|
-
click_on 'Authorize'
|
70
|
-
access_grant_should_exist_for(@client, @resource_owner)
|
71
|
-
access_grant_should_have_scopes :public
|
72
|
-
end
|
73
|
-
|
74
|
-
scenario 'resource owner authorizes the client with required scopes' do
|
75
|
-
visit authorization_endpoint_url(client: @client, scope: 'public write')
|
76
|
-
click_on 'Authorize'
|
77
|
-
access_grant_should_have_scopes :public, :write
|
78
|
-
end
|
79
|
-
|
80
|
-
scenario 'resource owner authorizes the client with required scopes (without defaults)' do
|
81
|
-
visit authorization_endpoint_url(client: @client, scope: 'write')
|
82
|
-
click_on 'Authorize'
|
83
|
-
access_grant_should_have_scopes :write
|
84
|
-
end
|
85
|
-
|
86
|
-
scenario 'new access token matches required scopes' do
|
87
|
-
skip 'TODO: need to add request helpers to this feature spec'
|
88
|
-
|
89
|
-
visit authorization_endpoint_url(client: @client, scope: 'public write')
|
90
|
-
click_on 'Authorize'
|
91
|
-
|
92
|
-
authorization_code = Doorkeeper::AccessGrant.first.token
|
93
|
-
post token_endpoint_url(code: authorization_code, client: @client)
|
94
|
-
|
95
|
-
access_token_should_exist_for(@client, @resource_owner)
|
96
|
-
access_token_should_have_scopes :public, :write
|
97
|
-
end
|
98
|
-
|
99
|
-
scenario 'returns new token if scopes have changed' do
|
100
|
-
skip 'TODO: need to add request helpers to this feature spec'
|
101
|
-
|
102
|
-
client_is_authorized(@client, @resource_owner, scopes: 'public write')
|
103
|
-
visit authorization_endpoint_url(client: @client, scope: 'public')
|
104
|
-
click_on 'Authorize'
|
105
|
-
|
106
|
-
authorization_code = Doorkeeper::AccessGrant.first.token
|
107
|
-
post token_endpoint_url(code: authorization_code, client: @client)
|
108
|
-
|
109
|
-
expect(Doorkeeper::AccessToken.count).to be(2)
|
110
|
-
|
111
|
-
should_have_json 'access_token', Doorkeeper::AccessToken.last.token
|
112
|
-
end
|
113
|
-
|
114
|
-
scenario 'resource owner authorizes the client with extra scopes' do
|
115
|
-
skip 'TODO: need to add request helpers to this feature spec'
|
116
|
-
|
117
|
-
client_is_authorized(@client, @resource_owner, scopes: 'public')
|
118
|
-
visit authorization_endpoint_url(client: @client, scope: 'public write')
|
119
|
-
click_on 'Authorize'
|
120
|
-
|
121
|
-
authorization_code = Doorkeeper::AccessGrant.first.token
|
122
|
-
post token_endpoint_url(code: authorization_code, client: @client)
|
123
|
-
|
124
|
-
expect(Doorkeeper::AccessToken.count).to be(2)
|
125
|
-
|
126
|
-
should_have_json 'access_token', Doorkeeper::AccessToken.last.token
|
127
|
-
access_token_should_have_scopes :public, :write
|
128
|
-
end
|
129
|
-
end
|
130
|
-
end
|
131
|
-
|
132
|
-
describe 'Authorization Code Flow' do
|
133
|
-
before do
|
134
|
-
Doorkeeper.configure do
|
135
|
-
orm DOORKEEPER_ORM
|
136
|
-
use_refresh_token
|
137
|
-
end
|
138
|
-
client_exists
|
139
|
-
end
|
140
|
-
|
141
|
-
context 'issuing a refresh token' do
|
142
|
-
before do
|
143
|
-
authorization_code_exists application: @client
|
144
|
-
end
|
145
|
-
|
146
|
-
it 'second of simultaneous client requests get an error for revoked acccess token' do
|
147
|
-
authorization_code = Doorkeeper::AccessGrant.first.token
|
148
|
-
allow_any_instance_of(Doorkeeper::AccessGrant).to receive(:revoked?).and_return(false, true)
|
149
|
-
|
150
|
-
post token_endpoint_url(code: authorization_code, client: @client)
|
151
|
-
|
152
|
-
should_not_have_json 'access_token'
|
153
|
-
should_have_json 'error', 'invalid_grant'
|
154
|
-
end
|
155
|
-
end
|
156
|
-
end
|
@@ -1,58 +0,0 @@
|
|
1
|
-
require 'spec_helper_integration'
|
2
|
-
|
3
|
-
describe 'Client Credentials Request' do
|
4
|
-
let(:client) { FactoryGirl.create :application }
|
5
|
-
|
6
|
-
context 'a valid request' do
|
7
|
-
it 'authorizes the client and returns the token response' do
|
8
|
-
headers = authorization client.uid, client.secret
|
9
|
-
params = { grant_type: 'client_credentials' }
|
10
|
-
|
11
|
-
post '/oauth/token', params, headers
|
12
|
-
|
13
|
-
should_have_json 'access_token', Doorkeeper::AccessToken.first.token
|
14
|
-
should_have_json_within 'expires_in', Doorkeeper.configuration.access_token_expires_in, 1
|
15
|
-
should_not_have_json 'scope'
|
16
|
-
should_not_have_json 'refresh_token'
|
17
|
-
|
18
|
-
should_not_have_json 'error'
|
19
|
-
should_not_have_json 'error_description'
|
20
|
-
end
|
21
|
-
|
22
|
-
context 'with scopes' do
|
23
|
-
before do
|
24
|
-
optional_scopes_exist :write
|
25
|
-
end
|
26
|
-
|
27
|
-
it 'adds the scope to the token an returns in the response' do
|
28
|
-
headers = authorization client.uid, client.secret
|
29
|
-
params = { grant_type: 'client_credentials', scope: 'write' }
|
30
|
-
|
31
|
-
post '/oauth/token', params, headers
|
32
|
-
|
33
|
-
should_have_json 'access_token', Doorkeeper::AccessToken.first.token
|
34
|
-
should_have_json 'scope', 'write'
|
35
|
-
end
|
36
|
-
end
|
37
|
-
end
|
38
|
-
|
39
|
-
context 'an invalid request' do
|
40
|
-
it 'does not authorize the client and returns the error' do
|
41
|
-
headers = {}
|
42
|
-
params = { grant_type: 'client_credentials' }
|
43
|
-
|
44
|
-
post '/oauth/token', params, headers
|
45
|
-
|
46
|
-
should_have_json 'error', 'invalid_client'
|
47
|
-
should_have_json 'error_description', translated_error_message(:invalid_client)
|
48
|
-
should_not_have_json 'access_token'
|
49
|
-
|
50
|
-
expect(response.status).to eq(401)
|
51
|
-
end
|
52
|
-
end
|
53
|
-
|
54
|
-
def authorization(username, password)
|
55
|
-
credentials = ActionController::HttpAuthentication::Basic.encode_credentials username, password
|
56
|
-
{ 'HTTP_AUTHORIZATION' => credentials }
|
57
|
-
end
|
58
|
-
end
|
@@ -1,32 +0,0 @@
|
|
1
|
-
require 'spec_helper_integration'
|
2
|
-
|
3
|
-
feature 'Implicit Grant Flow Errors' do
|
4
|
-
background do
|
5
|
-
config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
|
6
|
-
config_is_set(:grant_flows, ["implicit"])
|
7
|
-
client_exists
|
8
|
-
create_resource_owner
|
9
|
-
sign_in
|
10
|
-
end
|
11
|
-
|
12
|
-
after do
|
13
|
-
access_token_should_not_exist
|
14
|
-
end
|
15
|
-
|
16
|
-
[
|
17
|
-
[:client_id, :invalid_client],
|
18
|
-
[:redirect_uri, :invalid_redirect_uri]
|
19
|
-
].each do |error|
|
20
|
-
scenario "displays #{error.last.inspect} error for invalid #{error.first.inspect}" do
|
21
|
-
visit authorization_endpoint_url(client: @client, error.first => 'invalid', response_type: 'token')
|
22
|
-
i_should_not_see 'Authorize'
|
23
|
-
i_should_see_translated_error_message error.last
|
24
|
-
end
|
25
|
-
|
26
|
-
scenario "displays #{error.last.inspect} error when #{error.first.inspect} is missing" do
|
27
|
-
visit authorization_endpoint_url(client: @client, error.first => '', response_type: 'token')
|
28
|
-
i_should_not_see 'Authorize'
|
29
|
-
i_should_see_translated_error_message error.last
|
30
|
-
end
|
31
|
-
end
|
32
|
-
end
|
@@ -1,61 +0,0 @@
|
|
1
|
-
require 'spec_helper_integration'
|
2
|
-
|
3
|
-
feature 'Implicit Grant Flow (feature spec)' do
|
4
|
-
background do
|
5
|
-
config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
|
6
|
-
config_is_set(:grant_flows, ["implicit"])
|
7
|
-
client_exists
|
8
|
-
create_resource_owner
|
9
|
-
sign_in
|
10
|
-
end
|
11
|
-
|
12
|
-
scenario 'resource owner authorizes the client' do
|
13
|
-
visit authorization_endpoint_url(client: @client, response_type: 'token')
|
14
|
-
click_on 'Authorize'
|
15
|
-
|
16
|
-
access_token_should_exist_for @client, @resource_owner
|
17
|
-
|
18
|
-
i_should_be_on_client_callback @client
|
19
|
-
end
|
20
|
-
end
|
21
|
-
|
22
|
-
describe 'Implicit Grant Flow (request spec)' do
|
23
|
-
before do
|
24
|
-
config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
|
25
|
-
config_is_set(:grant_flows, ["implicit"])
|
26
|
-
client_exists
|
27
|
-
create_resource_owner
|
28
|
-
end
|
29
|
-
|
30
|
-
context 'token reuse' do
|
31
|
-
it 'should return a new token each request' do
|
32
|
-
allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(false)
|
33
|
-
|
34
|
-
token = client_is_authorized(@client, @resource_owner)
|
35
|
-
|
36
|
-
post "/oauth/authorize",
|
37
|
-
client_id: @client.uid,
|
38
|
-
state: '',
|
39
|
-
redirect_uri: @client.redirect_uri,
|
40
|
-
response_type: 'token',
|
41
|
-
commit: 'Authorize'
|
42
|
-
|
43
|
-
expect(response.location).not_to include(token.token)
|
44
|
-
end
|
45
|
-
|
46
|
-
it 'should return the same token if it is still accessible' do
|
47
|
-
allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
|
48
|
-
|
49
|
-
token = client_is_authorized(@client, @resource_owner)
|
50
|
-
|
51
|
-
post "/oauth/authorize",
|
52
|
-
client_id: @client.uid,
|
53
|
-
state: '',
|
54
|
-
redirect_uri: @client.redirect_uri,
|
55
|
-
response_type: 'token',
|
56
|
-
commit: 'Authorize'
|
57
|
-
|
58
|
-
expect(response.location).to include(token.token)
|
59
|
-
end
|
60
|
-
end
|
61
|
-
end
|
@@ -1,94 +0,0 @@
|
|
1
|
-
require 'spec_helper_integration'
|
2
|
-
|
3
|
-
describe 'Resource Owner Password Credentials Flow not set up' do
|
4
|
-
before do
|
5
|
-
client_exists
|
6
|
-
create_resource_owner
|
7
|
-
end
|
8
|
-
|
9
|
-
context 'with valid user credentials' do
|
10
|
-
it 'doesn\'t issue new token' do
|
11
|
-
expect do
|
12
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
13
|
-
end.to_not change { Doorkeeper::AccessToken.count }
|
14
|
-
end
|
15
|
-
end
|
16
|
-
end
|
17
|
-
|
18
|
-
describe 'Resource Owner Password Credentials Flow' do
|
19
|
-
before do
|
20
|
-
config_is_set(:grant_flows, ["password"])
|
21
|
-
config_is_set(:resource_owner_from_credentials) { User.authenticate! params[:username], params[:password] }
|
22
|
-
client_exists
|
23
|
-
create_resource_owner
|
24
|
-
end
|
25
|
-
|
26
|
-
context 'with valid user credentials' do
|
27
|
-
it 'should issue new token' do
|
28
|
-
expect do
|
29
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
30
|
-
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
31
|
-
|
32
|
-
token = Doorkeeper::AccessToken.first
|
33
|
-
|
34
|
-
should_have_json 'access_token', token.token
|
35
|
-
end
|
36
|
-
|
37
|
-
it 'should issue new token without client credentials' do
|
38
|
-
expect do
|
39
|
-
post password_token_endpoint_url(resource_owner: @resource_owner)
|
40
|
-
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
41
|
-
|
42
|
-
token = Doorkeeper::AccessToken.first
|
43
|
-
|
44
|
-
should_have_json 'access_token', token.token
|
45
|
-
end
|
46
|
-
|
47
|
-
it 'should issue a refresh token if enabled' do
|
48
|
-
config_is_set(:refresh_token_enabled, true)
|
49
|
-
|
50
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
51
|
-
|
52
|
-
token = Doorkeeper::AccessToken.first
|
53
|
-
|
54
|
-
should_have_json 'refresh_token', token.refresh_token
|
55
|
-
end
|
56
|
-
|
57
|
-
it 'should return the same token if it is still accessible' do
|
58
|
-
allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
|
59
|
-
|
60
|
-
client_is_authorized(@client, @resource_owner)
|
61
|
-
|
62
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
63
|
-
|
64
|
-
expect(Doorkeeper::AccessToken.count).to be(1)
|
65
|
-
should_have_json 'access_token', Doorkeeper::AccessToken.first.token
|
66
|
-
end
|
67
|
-
end
|
68
|
-
|
69
|
-
context 'with invalid user credentials' do
|
70
|
-
it 'should not issue new token with bad password' do
|
71
|
-
expect do
|
72
|
-
post password_token_endpoint_url(client: @client,
|
73
|
-
resource_owner_username: @resource_owner.name,
|
74
|
-
resource_owner_password: 'wrongpassword')
|
75
|
-
end.to_not change { Doorkeeper::AccessToken.count }
|
76
|
-
end
|
77
|
-
|
78
|
-
it 'should not issue new token without credentials' do
|
79
|
-
expect do
|
80
|
-
post password_token_endpoint_url(client: @client)
|
81
|
-
end.to_not change { Doorkeeper::AccessToken.count }
|
82
|
-
end
|
83
|
-
end
|
84
|
-
|
85
|
-
context 'with invalid client credentials' do
|
86
|
-
it 'should not issue new token with bad client credentials' do
|
87
|
-
expect do
|
88
|
-
post password_token_endpoint_url(client_id: @client.uid,
|
89
|
-
client_secret: 'bad_secret',
|
90
|
-
resource_owner: @resource_owner)
|
91
|
-
end.to_not change { Doorkeeper::AccessToken.count }
|
92
|
-
end
|
93
|
-
end
|
94
|
-
end
|