RubyGems - doorkeeper - Versions diffs - 4.2.0 → 5.5.2 - Mend

doorkeeper 4.2.0 → 5.5.2

Potentially problematic release.

This version of doorkeeper might be problematic. Click here for more details.

Files changed (271) hide show

checksums.yaml +5 -5
data/CHANGELOG.md +1038 -0
data/README.md +110 -348
data/app/assets/stylesheets/doorkeeper/admin/application.css +2 -2
data/app/controllers/doorkeeper/application_controller.rb +6 -7
data/app/controllers/doorkeeper/application_metal_controller.rb +7 -11
data/app/controllers/doorkeeper/applications_controller.rb +65 -20
data/app/controllers/doorkeeper/authorizations_controller.rb +97 -17
data/app/controllers/doorkeeper/authorized_applications_controller.rb +22 -3
data/app/controllers/doorkeeper/token_info_controller.rb +16 -4
data/app/controllers/doorkeeper/tokens_controller.rb +112 -35
data/app/helpers/doorkeeper/dashboard_helper.rb +10 -6
data/app/views/doorkeeper/applications/_delete_form.html.erb +4 -3
data/app/views/doorkeeper/applications/_form.html.erb +33 -21
data/app/views/doorkeeper/applications/edit.html.erb +1 -1
data/app/views/doorkeeper/applications/index.html.erb +18 -6
data/app/views/doorkeeper/applications/new.html.erb +1 -1
data/app/views/doorkeeper/applications/show.html.erb +40 -16
data/app/views/doorkeeper/authorizations/error.html.erb +1 -1
data/app/views/doorkeeper/authorizations/form_post.html.erb +15 -0
data/app/views/doorkeeper/authorizations/new.html.erb +7 -1
data/app/views/doorkeeper/authorized_applications/_delete_form.html.erb +1 -2
data/app/views/doorkeeper/authorized_applications/index.html.erb +0 -1
data/app/views/layouts/doorkeeper/admin.html.erb +16 -14
data/config/locales/en.yml +33 -9
data/lib/doorkeeper/config/abstract_builder.rb +28 -0
data/lib/doorkeeper/config/option.rb +82 -0
data/lib/doorkeeper/config/validations.rb +53 -0
data/lib/doorkeeper/config.rb +545 -143
data/lib/doorkeeper/engine.rb +11 -5
data/lib/doorkeeper/errors.rb +37 -10
data/lib/doorkeeper/grant_flow/fallback_flow.rb +15 -0
data/lib/doorkeeper/grant_flow/flow.rb +44 -0
data/lib/doorkeeper/grant_flow/registry.rb +50 -0
data/lib/doorkeeper/grant_flow.rb +45 -0
data/lib/doorkeeper/grape/authorization_decorator.rb +6 -4
data/lib/doorkeeper/grape/helpers.rb +24 -12
data/lib/doorkeeper/helpers/controller.rb +49 -27
data/lib/doorkeeper/models/access_grant_mixin.rb +100 -21
data/lib/doorkeeper/models/access_token_mixin.rb +379 -75
data/lib/doorkeeper/models/application_mixin.rb +72 -25
data/lib/doorkeeper/models/concerns/accessible.rb +6 -0
data/lib/doorkeeper/models/concerns/expirable.rb +20 -6
data/lib/doorkeeper/models/concerns/orderable.rb +15 -0
data/lib/doorkeeper/models/concerns/ownership.rb +4 -7
data/lib/doorkeeper/models/concerns/resource_ownerable.rb +47 -0
data/lib/doorkeeper/models/concerns/reusable.rb +19 -0
data/lib/doorkeeper/models/concerns/revocable.rb +12 -18
data/lib/doorkeeper/models/concerns/scopes.rb +12 -2
data/lib/doorkeeper/models/concerns/secret_storable.rb +106 -0
data/lib/doorkeeper/oauth/authorization/code.rb +48 -12
data/lib/doorkeeper/oauth/authorization/context.rb +17 -0
data/lib/doorkeeper/oauth/authorization/token.rb +66 -28
data/lib/doorkeeper/oauth/authorization/uri_builder.rb +22 -18
data/lib/doorkeeper/oauth/authorization_code_request.rb +64 -14
data/lib/doorkeeper/oauth/base_request.rb +66 -0
data/lib/doorkeeper/oauth/base_response.rb +31 -0
data/lib/doorkeeper/oauth/client/credentials.rb +23 -10
data/lib/doorkeeper/oauth/client.rb +10 -12
data/lib/doorkeeper/oauth/client_credentials/creator.rb +47 -4
data/lib/doorkeeper/oauth/client_credentials/issuer.rb +16 -9
data/lib/doorkeeper/oauth/client_credentials/validator.rb +56 -0
data/lib/doorkeeper/oauth/client_credentials_request.rb +11 -15
data/lib/doorkeeper/oauth/code_request.rb +8 -12
data/lib/doorkeeper/oauth/code_response.rb +28 -15
data/lib/doorkeeper/oauth/error.rb +5 -3
data/lib/doorkeeper/oauth/error_response.rb +41 -20
data/lib/doorkeeper/oauth/forbidden_token_response.rb +10 -3
data/lib/doorkeeper/oauth/helpers/scope_checker.rb +23 -18
data/lib/doorkeeper/oauth/helpers/unique_token.rb +20 -3
data/lib/doorkeeper/oauth/helpers/uri_checker.rb +53 -3
data/lib/doorkeeper/oauth/hooks/context.rb +21 -0
data/lib/doorkeeper/oauth/invalid_request_response.rb +43 -0
data/lib/doorkeeper/oauth/invalid_token_response.rb +31 -5
data/lib/doorkeeper/oauth/nonstandard.rb +39 -0
data/lib/doorkeeper/oauth/password_access_token_request.rb +45 -13
data/lib/doorkeeper/oauth/pre_authorization.rb +135 -26
data/lib/doorkeeper/oauth/refresh_token_request.rb +61 -36
data/lib/doorkeeper/oauth/scopes.rb +26 -12
data/lib/doorkeeper/oauth/token.rb +25 -23
data/lib/doorkeeper/oauth/token_introspection.rb +202 -0
data/lib/doorkeeper/oauth/token_request.rb +8 -21
data/lib/doorkeeper/oauth/token_response.rb +14 -10
data/lib/doorkeeper/oauth.rb +13 -0
data/lib/doorkeeper/orm/active_record/access_grant.rb +6 -4
data/lib/doorkeeper/orm/active_record/access_token.rb +5 -25
data/lib/doorkeeper/orm/active_record/application.rb +6 -15
data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +68 -0
data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +59 -0
data/lib/doorkeeper/orm/active_record/mixins/application.rb +198 -0
data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb +66 -0
data/lib/doorkeeper/orm/active_record/stale_records_cleaner.rb +33 -0
data/lib/doorkeeper/orm/active_record.rb +37 -8
data/lib/doorkeeper/rails/helpers.rb +14 -15
data/lib/doorkeeper/rails/routes/abstract_router.rb +35 -0
data/lib/doorkeeper/rails/routes/mapper.rb +3 -1
data/lib/doorkeeper/rails/routes/mapping.rb +10 -8
data/lib/doorkeeper/rails/routes/registry.rb +45 -0
data/lib/doorkeeper/rails/routes.rb +42 -30
data/lib/doorkeeper/rake/db.rake +40 -0
data/lib/doorkeeper/rake/setup.rake +11 -0
data/lib/doorkeeper/rake.rb +14 -0
data/lib/doorkeeper/request/authorization_code.rb +12 -4
data/lib/doorkeeper/request/client_credentials.rb +3 -3
data/lib/doorkeeper/request/code.rb +1 -1
data/lib/doorkeeper/request/password.rb +5 -14
data/lib/doorkeeper/request/refresh_token.rb +6 -5
data/lib/doorkeeper/request/strategy.rb +4 -2
data/lib/doorkeeper/request/token.rb +1 -1
data/lib/doorkeeper/request.rb +62 -29
data/lib/doorkeeper/secret_storing/base.rb +64 -0
data/lib/doorkeeper/secret_storing/bcrypt.rb +60 -0
data/lib/doorkeeper/secret_storing/plain.rb +33 -0
data/lib/doorkeeper/secret_storing/sha256_hash.rb +26 -0
data/lib/doorkeeper/server.rb +9 -19
data/lib/doorkeeper/stale_records_cleaner.rb +24 -0
data/lib/doorkeeper/validations.rb +5 -2
data/lib/doorkeeper/version.rb +12 -1
data/lib/doorkeeper.rb +111 -56
data/lib/generators/doorkeeper/application_owner_generator.rb +28 -13
data/lib/generators/doorkeeper/confidential_applications_generator.rb +33 -0
data/lib/generators/doorkeeper/enable_polymorphic_resource_owner_generator.rb +39 -0
data/lib/generators/doorkeeper/install_generator.rb +19 -9
data/lib/generators/doorkeeper/migration_generator.rb +27 -10
data/lib/generators/doorkeeper/pkce_generator.rb +33 -0
data/lib/generators/doorkeeper/previous_refresh_token_generator.rb +31 -19
data/lib/generators/doorkeeper/templates/add_confidential_to_applications.rb.erb +13 -0
data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +9 -0
data/lib/generators/doorkeeper/templates/{add_previous_refresh_token_to_access_tokens.rb → add_previous_refresh_token_to_access_tokens.rb.erb} +3 -1
data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +8 -0
data/lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb +17 -0
data/lib/generators/doorkeeper/templates/initializer.rb +410 -31
data/lib/generators/doorkeeper/templates/migration.rb.erb +88 -0
data/lib/generators/doorkeeper/views_generator.rb +8 -4
data/vendor/assets/stylesheets/doorkeeper/bootstrap.min.css +4 -5
metadata +132 -286
data/.gitignore +0 -14
data/.hound.yml +0 -13
data/.rspec +0 -1
data/.travis.yml +0 -20
data/CONTRIBUTING.md +0 -47
data/Gemfile +0 -14
data/NEWS.md +0 -593
data/RELEASING.md +0 -17
data/Rakefile +0 -20
data/app/validators/redirect_uri_validator.rb +0 -34
data/doorkeeper.gemspec +0 -28
data/lib/doorkeeper/oauth/client/methods.rb +0 -18
data/lib/doorkeeper/oauth/client_credentials/validation.rb +0 -45
data/lib/doorkeeper/oauth/request_concern.rb +0 -48
data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb +0 -7
data/lib/generators/doorkeeper/templates/migration.rb +0 -68
data/spec/controllers/application_metal_controller.rb +0 -10
data/spec/controllers/applications_controller_spec.rb +0 -58
data/spec/controllers/authorizations_controller_spec.rb +0 -189
data/spec/controllers/protected_resources_controller_spec.rb +0 -300
data/spec/controllers/token_info_controller_spec.rb +0 -52
data/spec/controllers/tokens_controller_spec.rb +0 -88
data/spec/dummy/Rakefile +0 -7
data/spec/dummy/app/controllers/application_controller.rb +0 -3
data/spec/dummy/app/controllers/custom_authorizations_controller.rb +0 -7
data/spec/dummy/app/controllers/full_protected_resources_controller.rb +0 -12
data/spec/dummy/app/controllers/home_controller.rb +0 -17
data/spec/dummy/app/controllers/metal_controller.rb +0 -11
data/spec/dummy/app/controllers/semi_protected_resources_controller.rb +0 -11
data/spec/dummy/app/helpers/application_helper.rb +0 -5
data/spec/dummy/app/models/user.rb +0 -5
data/spec/dummy/app/views/home/index.html.erb +0 -0
data/spec/dummy/app/views/layouts/application.html.erb +0 -14
data/spec/dummy/config/application.rb +0 -23
data/spec/dummy/config/boot.rb +0 -9
data/spec/dummy/config/database.yml +0 -15
data/spec/dummy/config/environment.rb +0 -5
data/spec/dummy/config/environments/development.rb +0 -29
data/spec/dummy/config/environments/production.rb +0 -62
data/spec/dummy/config/environments/test.rb +0 -44
data/spec/dummy/config/initializers/active_record_belongs_to_required_by_default.rb +0 -6
data/spec/dummy/config/initializers/backtrace_silencers.rb +0 -7
data/spec/dummy/config/initializers/doorkeeper.rb +0 -96
data/spec/dummy/config/initializers/secret_token.rb +0 -9
data/spec/dummy/config/initializers/session_store.rb +0 -8
data/spec/dummy/config/initializers/wrap_parameters.rb +0 -14
data/spec/dummy/config/locales/doorkeeper.en.yml +0 -5
data/spec/dummy/config/routes.rb +0 -52
data/spec/dummy/config.ru +0 -4
data/spec/dummy/db/migrate/20111122132257_create_users.rb +0 -9
data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb +0 -5
data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +0 -60
data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb +0 -7
data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb +0 -11
data/spec/dummy/db/schema.rb +0 -67
data/spec/dummy/public/404.html +0 -26
data/spec/dummy/public/422.html +0 -26
data/spec/dummy/public/500.html +0 -26
data/spec/dummy/public/favicon.ico +0 -0
data/spec/dummy/script/rails +0 -6
data/spec/factories.rb +0 -28
data/spec/generators/application_owner_generator_spec.rb +0 -22
data/spec/generators/install_generator_spec.rb +0 -31
data/spec/generators/migration_generator_spec.rb +0 -20
data/spec/generators/templates/routes.rb +0 -3
data/spec/generators/views_generator_spec.rb +0 -27
data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +0 -24
data/spec/lib/config_spec.rb +0 -334
data/spec/lib/doorkeeper_spec.rb +0 -28
data/spec/lib/models/expirable_spec.rb +0 -51
data/spec/lib/models/revocable_spec.rb +0 -59
data/spec/lib/models/scopes_spec.rb +0 -43
data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -42
data/spec/lib/oauth/authorization_code_request_spec.rb +0 -80
data/spec/lib/oauth/client/credentials_spec.rb +0 -47
data/spec/lib/oauth/client/methods_spec.rb +0 -54
data/spec/lib/oauth/client_credentials/creator_spec.rb +0 -44
data/spec/lib/oauth/client_credentials/issuer_spec.rb +0 -86
data/spec/lib/oauth/client_credentials/validation_spec.rb +0 -54
data/spec/lib/oauth/client_credentials_integration_spec.rb +0 -27
data/spec/lib/oauth/client_credentials_request_spec.rb +0 -104
data/spec/lib/oauth/client_spec.rb +0 -39
data/spec/lib/oauth/code_request_spec.rb +0 -45
data/spec/lib/oauth/code_response_spec.rb +0 -34
data/spec/lib/oauth/error_response_spec.rb +0 -61
data/spec/lib/oauth/error_spec.rb +0 -23
data/spec/lib/oauth/forbidden_token_response_spec.rb +0 -23
data/spec/lib/oauth/helpers/scope_checker_spec.rb +0 -64
data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -20
data/spec/lib/oauth/helpers/uri_checker_spec.rb +0 -104
data/spec/lib/oauth/invalid_token_response_spec.rb +0 -28
data/spec/lib/oauth/password_access_token_request_spec.rb +0 -90
data/spec/lib/oauth/pre_authorization_spec.rb +0 -155
data/spec/lib/oauth/refresh_token_request_spec.rb +0 -154
data/spec/lib/oauth/scopes_spec.rb +0 -122
data/spec/lib/oauth/token_request_spec.rb +0 -98
data/spec/lib/oauth/token_response_spec.rb +0 -85
data/spec/lib/oauth/token_spec.rb +0 -116
data/spec/lib/request/strategy_spec.rb +0 -53
data/spec/lib/server_spec.rb +0 -52
data/spec/models/doorkeeper/access_grant_spec.rb +0 -36
data/spec/models/doorkeeper/access_token_spec.rb +0 -394
data/spec/models/doorkeeper/application_spec.rb +0 -179
data/spec/requests/applications/applications_request_spec.rb +0 -94
data/spec/requests/applications/authorized_applications_spec.rb +0 -30
data/spec/requests/endpoints/authorization_spec.rb +0 -72
data/spec/requests/endpoints/token_spec.rb +0 -64
data/spec/requests/flows/authorization_code_errors_spec.rb +0 -66
data/spec/requests/flows/authorization_code_spec.rb +0 -156
data/spec/requests/flows/client_credentials_spec.rb +0 -58
data/spec/requests/flows/implicit_grant_errors_spec.rb +0 -32
data/spec/requests/flows/implicit_grant_spec.rb +0 -61
data/spec/requests/flows/password_spec.rb +0 -115
data/spec/requests/flows/refresh_token_spec.rb +0 -174
data/spec/requests/flows/revoke_token_spec.rb +0 -157
data/spec/requests/flows/skip_authorization_spec.rb +0 -59
data/spec/requests/protected_resources/metal_spec.rb +0 -14
data/spec/requests/protected_resources/private_api_spec.rb +0 -81
data/spec/routing/custom_controller_routes_spec.rb +0 -71
data/spec/routing/default_routes_spec.rb +0 -35
data/spec/routing/scoped_routes_spec.rb +0 -31
data/spec/spec_helper.rb +0 -2
data/spec/spec_helper_integration.rb +0 -59
data/spec/support/dependencies/factory_girl.rb +0 -2
data/spec/support/helpers/access_token_request_helper.rb +0 -11
data/spec/support/helpers/authorization_request_helper.rb +0 -41
data/spec/support/helpers/config_helper.rb +0 -9
data/spec/support/helpers/model_helper.rb +0 -67
data/spec/support/helpers/request_spec_helper.rb +0 -76
data/spec/support/helpers/url_helper.rb +0 -55
data/spec/support/http_method_shim.rb +0 -24
data/spec/support/orm/active_record.rb +0 -3
data/spec/support/shared/controllers_shared_context.rb +0 -69
data/spec/support/shared/models_shared_examples.rb +0 -52
data/spec/validators/redirect_uri_validator_spec.rb +0 -78

data/lib/doorkeeper/models/concerns/expirable.rb CHANGED Viewed

@@ -1,21 +1,35 @@
+# frozen_string_literal: true
 module Doorkeeper
   module Models
     module Expirable
+      # Indicates whether the object is expired (`#expires_in` present and
+      # expiration time has come).
+      #
+      # @return [Boolean] true if object expired and false in other case
       def expired?
-        expires_in && Time.now.utc > expired_time
+        !!(expires_in && Time.now.utc > expires_at)
       end
+      # Calculates expiration time in seconds.
+      #
+      # @return [Integer, nil] number of seconds if object has expiration time
+      #   or nil if object never expires.
       def expires_in_seconds
         return nil if expires_in.nil?
-        expires = (created_at + expires_in.seconds) - Time.now.utc
+        expires = expires_at - Time.now.utc
         expires_sec = expires.seconds.round(0)
         expires_sec > 0 ? expires_sec : 0
       end
-      private
-      def expired_time
-        created_at + expires_in.seconds
+      # Expiration time (date time of creation + TTL).
+      #
+      # @return [Time, nil] expiration time in UTC
+      #   or nil if the object never expires.
+      #
+      def expires_at
+        expires_in && created_at + expires_in.seconds
       end
     end
   end

data/lib/doorkeeper/models/concerns/orderable.rb ADDED Viewed

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+module Doorkeeper
+  module Models
+    module Orderable
+      extend ActiveSupport::Concern
+      module ClassMethods
+        def ordered_by(attribute, direction = :asc)
+          order(attribute => direction)
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/models/concerns/ownership.rb CHANGED Viewed

@@ -1,20 +1,17 @@
+# frozen_string_literal: true
 module Doorkeeper
   module Models
     module Ownership
       extend ActiveSupport::Concern
       included do
-        belongs_to_options = { polymorphic: true }
-        if defined?(ActiveRecord::Base) && ActiveRecord::VERSION::MAJOR >= 5
-          belongs_to_options[:optional] = true
-        end
-        belongs_to :owner, belongs_to_options
+        belongs_to :owner, polymorphic: true, optional: true
         validates :owner, presence: true, if: :validate_owner?
       end
       def validate_owner?
-        Doorkeeper.configuration.confirm_application_owner?
+        Doorkeeper.config.confirm_application_owner?
       end
     end
   end

data/lib/doorkeeper/models/concerns/resource_ownerable.rb ADDED Viewed

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+module Doorkeeper
+  module Models
+    module ResourceOwnerable
+      extend ActiveSupport::Concern
+      module ClassMethods
+        # Searches for record by Resource Owner considering Doorkeeper
+        # configuration for resource owner association.
+        #
+        # @param resource_owner [ActiveRecord::Base, Integer]
+        #   resource owner
+        #
+        # @return [Doorkeeper::AccessGrant, Doorkeeper::AccessToken]
+        #   collection of records
+        #
+        def by_resource_owner(resource_owner)
+          if Doorkeeper.configuration.polymorphic_resource_owner?
+            where(resource_owner: resource_owner)
+          else
+            where(resource_owner_id: resource_owner_id_for(resource_owner))
+          end
+        end
+        protected
+        # Backward compatible way to retrieve resource owner itself (if
+        # polymorphic association enabled) or just it's ID.
+        #
+        # @param resource_owner [ActiveRecord::Base, Integer]
+        #   resource owner
+        #
+        # @return [ActiveRecord::Base, Integer]
+        #   instance of Resource Owner or it's ID
+        #
+        def resource_owner_id_for(resource_owner)
+          if resource_owner.respond_to?(:to_key)
+            resource_owner.id
+          else
+            resource_owner
+          end
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/models/concerns/reusable.rb ADDED Viewed

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+module Doorkeeper
+  module Models
+    module Reusable
+      # Indicates whether the object is reusable (i.e. It is not expired and
+      # has not crossed reuse_limit).
+      #
+      # @return [Boolean] true if can be reused and false in other case
+      def reusable?
+        return false if expired?
+        return true unless expires_in
+        threshold_limit = 100 - Doorkeeper.config.token_reuse_limit
+        expires_in_seconds >= threshold_limit * expires_in / 100
+      end
+    end
+  end
+end

data/lib/doorkeeper/models/concerns/revocable.rb CHANGED Viewed

@@ -1,30 +1,24 @@
+# frozen_string_literal: true
 module Doorkeeper
   module Models
     module Revocable
+      # Revokes the object (updates `:revoked_at` attribute setting its value
+      # to the specific time).
+      #
+      # @param clock [Time] time object
+      #
       def revoke(clock = Time)
-        update_attribute :revoked_at, clock.now.utc
+        update_attribute(:revoked_at, clock.now.utc)
       end
+      # Indicates whether the object has been revoked.
+      #
+      # @return [Boolean] true if revoked, false in other case
+      #
       def revoked?
         !!(revoked_at && revoked_at <= Time.now.utc)
       end
-      def revoke_previous_refresh_token!
-        return unless refresh_token_revoked_on_use?
-        old_refresh_token.revoke if old_refresh_token
-        update_attribute :previous_refresh_token, ""
-      end
-      private
-      def old_refresh_token
-        @old_refresh_token ||=
-          AccessToken.by_refresh_token(previous_refresh_token)
-      end
-      def refresh_token_revoked_on_use?
-        AccessToken.refresh_token_revoked_on_use?
-      end
     end
   end
 end

data/lib/doorkeeper/models/concerns/scopes.rb CHANGED Viewed

@@ -1,8 +1,18 @@
+# frozen_string_literal: true
 module Doorkeeper
   module Models
     module Scopes
       def scopes
-        OAuth::Scopes.from_string(self[:scopes])
+        OAuth::Scopes.from_string(scopes_string)
+      end
+      def scopes=(value)
+        if value.is_a?(Array)
+          super(Doorkeeper::OAuth::Scopes.from_array(value).to_s)
+        else
+          super(Doorkeeper::OAuth::Scopes.from_string(value.to_s).to_s)
+        end
       end
       def scopes_string
@@ -10,7 +20,7 @@ module Doorkeeper
       end
       def includes_scope?(*required_scopes)
-        required_scopes.blank? || required_scopes.any? { |s| scopes.exists?(s.to_s) }
+        required_scopes.blank? || required_scopes.any? { |scope| scopes.exists?(scope.to_s) }
       end
     end
   end

data/lib/doorkeeper/models/concerns/secret_storable.rb ADDED Viewed

@@ -0,0 +1,106 @@
+# frozen_string_literal: true
+module Doorkeeper
+  module Models
+    ##
+    # Storable finder to provide lookups for input plaintext values which are
+    # mapped to their stored versions (e.g., hashing, encryption) before lookup.
+    module SecretStorable
+      extend ActiveSupport::Concern
+      delegate :secret_strategy,
+               :fallback_secret_strategy,
+               to: :class
+      # :nodoc
+      module ClassMethods
+        # Compare the given plaintext with the secret
+        #
+        # @param input [String]
+        #   The plain input to compare.
+        #
+        # @param secret [String]
+        #   The secret value to compare with.
+        #
+        # @return [Boolean]
+        #   Whether input matches secret as per the secret strategy
+        #
+        delegate :secret_matches?, to: :secret_strategy
+        # Returns an instance of the Doorkeeper::AccessToken with
+        # specific token value.
+        #
+        # @param attr [Symbol]
+        #   The token attribute we're looking with.
+        #
+        # @param token [#to_s]
+        #   token value (any object that responds to `#to_s`)
+        #
+        # @return [Doorkeeper::AccessToken, nil] AccessToken object or nil
+        #   if there is no record with such token
+        #
+        def find_by_plaintext_token(attr, token)
+          token = token.to_s
+          find_by(attr => secret_strategy.transform_secret(token)) ||
+            find_by_fallback_token(attr, token)
+        end
+        # Allow looking up previously plain tokens as a fallback
+        # IFF a fallback strategy has been defined
+        #
+        # @param attr [Symbol]
+        #   The token attribute we're looking with.
+        #
+        # @param plain_secret [#to_s]
+        #   plain secret value (any object that responds to `#to_s`)
+        #
+        # @return [Doorkeeper::AccessToken, nil] AccessToken object or nil
+        #   if there is no record with such token
+        #
+        def find_by_fallback_token(attr, plain_secret)
+          return nil unless fallback_secret_strategy
+          # Use the previous strategy to look up
+          stored_token = fallback_secret_strategy.transform_secret(plain_secret)
+          find_by(attr => stored_token).tap do |resource|
+            return nil unless resource
+            upgrade_fallback_value resource, attr, plain_secret
+          end
+        end
+        # Allow implementations in ORMs to replace a plain
+        # value falling back to to avoid it remaining as plain text.
+        #
+        # @param instance
+        #   An instance of this model with a plain value token.
+        #
+        # @param attr
+        #   The secret attribute name to upgrade.
+        #
+        # @param plain_secret
+        #   The plain secret to upgrade.
+        #
+        def upgrade_fallback_value(instance, attr, plain_secret)
+          upgraded = secret_strategy.store_secret(instance, attr, plain_secret)
+          instance.update(attr => upgraded)
+        end
+        ##
+        # Determines the secret storing transformer
+        # Unless configured otherwise, uses the plain secret strategy
+        def secret_strategy
+          ::Doorkeeper::SecretStoring::Plain
+        end
+        ##
+        # Determine the fallback storing strategy
+        # Unless configured, there will be no fallback
+        def fallback_secret_strategy
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/oauth/authorization/code.rb CHANGED Viewed

@@ -1,30 +1,66 @@
+# frozen_string_literal: true
 module Doorkeeper
   module OAuth
     module Authorization
       class Code
-        attr_accessor :pre_auth, :resource_owner, :token
+        attr_reader :pre_auth, :resource_owner, :token
         def initialize(pre_auth, resource_owner)
-          @pre_auth       = pre_auth
+          @pre_auth = pre_auth
           @resource_owner = resource_owner
         end
-        def issue_token
-          @token ||= AccessGrant.create!(
+        def issue_token!
+          return @token if defined?(@token)
+          @token = Doorkeeper.config.access_grant_model.create!(access_grant_attributes)
+        end
+        def oob_redirect
+          { action: :show, code: token.plaintext_token }
+        end
+        def access_grant?
+          true
+        end
+        private
+        def authorization_code_expires_in
+          Doorkeeper.config.authorization_code_expires_in
+        end
+        def access_grant_attributes
+          attributes = {
             application_id: pre_auth.client.id,
-            resource_owner_id: resource_owner.id,
-            expires_in: configuration.authorization_code_expires_in,
+            expires_in: authorization_code_expires_in,
             redirect_uri: pre_auth.redirect_uri,
-            scopes: pre_auth.scopes.to_s
-          )
+            scopes: pre_auth.scopes.to_s,
+          }
+          if Doorkeeper.config.polymorphic_resource_owner?
+            attributes[:resource_owner] = resource_owner
+          else
+            attributes[:resource_owner_id] = resource_owner.id
+          end
+          pkce_attributes.merge(attributes)
         end
-        def native_redirect
-          { action: :show, code: token.token }
+        def pkce_attributes
+          return {} unless pkce_supported?
+          {
+            code_challenge: pre_auth.code_challenge,
+            code_challenge_method: pre_auth.code_challenge_method,
+          }
         end
-        def configuration
-          Doorkeeper.configuration
+        # Ensures firstly, if migration with additional PKCE columns was
+        # generated and migrated
+        def pkce_supported?
+          Doorkeeper.config.access_grant_model.pkce_supported?
         end
       end
     end

data/lib/doorkeeper/oauth/authorization/context.rb ADDED Viewed

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+module Doorkeeper
+  module OAuth
+    module Authorization
+      class Context
+        attr_reader :client, :grant_type, :resource_owner, :scopes
+        def initialize(**attributes)
+          attributes.each do |name, value|
+            instance_variable_set(:"@#{name}", value) if respond_to?(name)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/oauth/authorization/token.rb CHANGED Viewed

@@ -1,54 +1,92 @@
+# frozen_string_literal: true
 module Doorkeeper
   module OAuth
     module Authorization
       class Token
-        attr_accessor :pre_auth, :resource_owner, :token
+        attr_reader :pre_auth, :resource_owner, :token
+        class << self
+          def build_context(pre_auth_or_oauth_client, grant_type, scopes, resource_owner)
+            oauth_client = if pre_auth_or_oauth_client.respond_to?(:application)
+                             pre_auth_or_oauth_client.application
+                           elsif pre_auth_or_oauth_client.respond_to?(:client)
+                             pre_auth_or_oauth_client.client
+                           else
+                             pre_auth_or_oauth_client
+                           end
+            Doorkeeper::OAuth::Authorization::Context.new(
+              client: oauth_client,
+              grant_type: grant_type,
+              scopes: scopes,
+              resource_owner: resource_owner,
+            )
+          end
+          def access_token_expires_in(configuration, context)
+            if configuration.option_defined?(:custom_access_token_expires_in)
+              expiration = configuration.custom_access_token_expires_in.call(context)
+              return nil if expiration == Float::INFINITY
+              expiration || configuration.access_token_expires_in
+            else
+              configuration.access_token_expires_in
+            end
+          end
+          def refresh_token_enabled?(server, context)
+            if server.refresh_token_enabled?.respond_to?(:call)
+              server.refresh_token_enabled?.call(context)
+            else
+              !!server.refresh_token_enabled?
+            end
+          end
+        end
         def initialize(pre_auth, resource_owner)
           @pre_auth       = pre_auth
           @resource_owner = resource_owner
         end
-        def self.access_token_expires_in(server, pre_auth_or_oauth_client)
-          if expiration = custom_expiration(server, pre_auth_or_oauth_client)
-            expiration
-          else
-            server.access_token_expires_in
-          end
-        end
+        def issue_token!
+          return @token if defined?(@token)
-        def issue_token
-          @token ||= AccessToken.find_or_create_for(
+          context = self.class.build_context(
             pre_auth.client,
-            resource_owner.id,
+            Doorkeeper::OAuth::IMPLICIT,
             pre_auth.scopes,
-            self.class.access_token_expires_in(configuration, pre_auth),
-            false
+            resource_owner,
+          )
+          @token = Doorkeeper.config.access_token_model.find_or_create_for(
+            application: pre_auth.client,
+            resource_owner: resource_owner,
+            scopes: pre_auth.scopes,
+            expires_in: self.class.access_token_expires_in(Doorkeeper.config, context),
+            use_refresh_token: false,
           )
         end
-        def native_redirect
+        def oob_redirect
           {
-            controller: 'doorkeeper/token_info',
+            controller: controller,
             action: :show,
-            access_token: token.token
+            access_token: token.plaintext_token,
           }
         end
-        private
-        def self.custom_expiration(server, pre_auth_or_oauth_client)
-          oauth_client = if pre_auth_or_oauth_client.respond_to?(:client)
-                           pre_auth_or_oauth_client.client
-                         else
-                           pre_auth_or_oauth_client
-                         end
-          server.custom_access_token_expires_in.call(oauth_client)
+        def access_token?
+          true
         end
-        def configuration
-          Doorkeeper.configuration
+        private
+        def controller
+          @controller ||= begin
+            mapping = Doorkeeper::Rails::Routes.mapping[:token_info] || {}
+            mapping[:controllers] || "doorkeeper/token_info"
+          end
         end
       end
     end

data/lib/doorkeeper/oauth/authorization/uri_builder.rb CHANGED Viewed

@@ -1,27 +1,31 @@
+# frozen_string_literal: true
+require "rack/utils"
 module Doorkeeper
   module OAuth
     module Authorization
-      module URIBuilder
-        include Rack::Utils
+      class URIBuilder
+        class << self
+          def uri_with_query(url, parameters = {})
+            uri = URI.parse(url)
+            original_query = Rack::Utils.parse_query(uri.query)
+            uri.query = build_query(original_query.merge(parameters))
+            uri.to_s
+          end
-        extend self
+          def uri_with_fragment(url, parameters = {})
+            uri = URI.parse(url)
+            uri.fragment = build_query(parameters)
+            uri.to_s
+          end
-        def uri_with_query(url, parameters = {})
-          uri            = URI.parse(url)
-          original_query = parse_query(uri.query)
-          uri.query      = build_query(original_query.merge(parameters))
-          uri.to_s
-        end
-        def uri_with_fragment(url, parameters = {})
-          uri = URI.parse(url)
-          uri.fragment = build_query(parameters)
-          uri.to_s
-        end
+          private
-        def build_query(parameters = {})
-          parameters = parameters.reject { |_, v| v.blank? }
-          super parameters
+          def build_query(parameters = {})
+            parameters.reject! { |_, value| value.blank? }
+            Rack::Utils.build_query(parameters)
+          end
         end
       end
     end