RubyGems - doorkeeper - Versions diffs - 4.2.0 → 5.6.8 - Mend

doorkeeper 4.2.0 → 5.6.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (273) hide show

checksums.yaml +5 -5
data/CHANGELOG.md +1119 -0
data/README.md +112 -349
data/app/assets/stylesheets/doorkeeper/admin/application.css +2 -2
data/app/controllers/doorkeeper/application_controller.rb +6 -7
data/app/controllers/doorkeeper/application_metal_controller.rb +7 -11
data/app/controllers/doorkeeper/applications_controller.rb +65 -20
data/app/controllers/doorkeeper/authorizations_controller.rb +115 -18
data/app/controllers/doorkeeper/authorized_applications_controller.rb +22 -3
data/app/controllers/doorkeeper/token_info_controller.rb +16 -4
data/app/controllers/doorkeeper/tokens_controller.rb +118 -38
data/app/helpers/doorkeeper/dashboard_helper.rb +10 -6
data/app/views/doorkeeper/applications/_delete_form.html.erb +4 -3
data/app/views/doorkeeper/applications/_form.html.erb +33 -21
data/app/views/doorkeeper/applications/edit.html.erb +1 -1
data/app/views/doorkeeper/applications/index.html.erb +18 -6
data/app/views/doorkeeper/applications/new.html.erb +1 -1
data/app/views/doorkeeper/applications/show.html.erb +40 -16
data/app/views/doorkeeper/authorizations/error.html.erb +4 -2
data/app/views/doorkeeper/authorizations/form_post.html.erb +15 -0
data/app/views/doorkeeper/authorizations/new.html.erb +17 -11
data/app/views/doorkeeper/authorized_applications/_delete_form.html.erb +1 -2
data/app/views/doorkeeper/authorized_applications/index.html.erb +0 -1
data/app/views/layouts/doorkeeper/admin.html.erb +16 -14
data/config/locales/en.yml +36 -9
data/lib/doorkeeper/config/abstract_builder.rb +28 -0
data/lib/doorkeeper/config/option.rb +82 -0
data/lib/doorkeeper/config/validations.rb +53 -0
data/lib/doorkeeper/config.rb +551 -155
data/lib/doorkeeper/engine.rb +19 -6
data/lib/doorkeeper/errors.rb +55 -10
data/lib/doorkeeper/grant_flow/fallback_flow.rb +15 -0
data/lib/doorkeeper/grant_flow/flow.rb +44 -0
data/lib/doorkeeper/grant_flow/registry.rb +50 -0
data/lib/doorkeeper/grant_flow.rb +45 -0
data/lib/doorkeeper/grape/authorization_decorator.rb +6 -4
data/lib/doorkeeper/grape/helpers.rb +24 -12
data/lib/doorkeeper/helpers/controller.rb +49 -27
data/lib/doorkeeper/models/access_grant_mixin.rb +100 -21
data/lib/doorkeeper/models/access_token_mixin.rb +383 -75
data/lib/doorkeeper/models/application_mixin.rb +72 -25
data/lib/doorkeeper/models/concerns/accessible.rb +6 -0
data/lib/doorkeeper/models/concerns/expirable.rb +20 -6
data/lib/doorkeeper/models/concerns/expiration_time_sql_math.rb +88 -0
data/lib/doorkeeper/models/concerns/orderable.rb +15 -0
data/lib/doorkeeper/models/concerns/ownership.rb +4 -7
data/lib/doorkeeper/models/concerns/polymorphic_resource_owner.rb +30 -0
data/lib/doorkeeper/models/concerns/resource_ownerable.rb +47 -0
data/lib/doorkeeper/models/concerns/reusable.rb +19 -0
data/lib/doorkeeper/models/concerns/revocable.rb +12 -18
data/lib/doorkeeper/models/concerns/scopes.rb +12 -2
data/lib/doorkeeper/models/concerns/secret_storable.rb +106 -0
data/lib/doorkeeper/oauth/authorization/code.rb +54 -12
data/lib/doorkeeper/oauth/authorization/context.rb +17 -0
data/lib/doorkeeper/oauth/authorization/token.rb +72 -28
data/lib/doorkeeper/oauth/authorization/uri_builder.rb +22 -18
data/lib/doorkeeper/oauth/authorization_code_request.rb +77 -17
data/lib/doorkeeper/oauth/base_request.rb +67 -0
data/lib/doorkeeper/oauth/base_response.rb +31 -0
data/lib/doorkeeper/oauth/client/credentials.rb +23 -10
data/lib/doorkeeper/oauth/client.rb +10 -12
data/lib/doorkeeper/oauth/client_credentials/creator.rb +44 -4
data/lib/doorkeeper/oauth/client_credentials/issuer.rb +21 -13
data/lib/doorkeeper/oauth/client_credentials/validator.rb +55 -0
data/lib/doorkeeper/oauth/client_credentials_request.rb +20 -16
data/lib/doorkeeper/oauth/code_request.rb +9 -13
data/lib/doorkeeper/oauth/code_response.rb +28 -15
data/lib/doorkeeper/oauth/error.rb +5 -3
data/lib/doorkeeper/oauth/error_response.rb +43 -20
data/lib/doorkeeper/oauth/forbidden_token_response.rb +11 -3
data/lib/doorkeeper/oauth/helpers/scope_checker.rb +23 -18
data/lib/doorkeeper/oauth/helpers/unique_token.rb +20 -3
data/lib/doorkeeper/oauth/helpers/uri_checker.rb +53 -3
data/lib/doorkeeper/oauth/hooks/context.rb +21 -0
data/lib/doorkeeper/oauth/invalid_request_response.rb +47 -0
data/lib/doorkeeper/oauth/invalid_token_response.rb +31 -5
data/lib/doorkeeper/oauth/nonstandard.rb +39 -0
data/lib/doorkeeper/oauth/password_access_token_request.rb +46 -14
data/lib/doorkeeper/oauth/pre_authorization.rb +138 -28
data/lib/doorkeeper/oauth/refresh_token_request.rb +74 -41
data/lib/doorkeeper/oauth/scopes.rb +26 -12
data/lib/doorkeeper/oauth/token.rb +25 -23
data/lib/doorkeeper/oauth/token_introspection.rb +204 -0
data/lib/doorkeeper/oauth/token_request.rb +9 -22
data/lib/doorkeeper/oauth/token_response.rb +13 -10
data/lib/doorkeeper/oauth.rb +13 -0
data/lib/doorkeeper/orm/active_record/access_grant.rb +6 -4
data/lib/doorkeeper/orm/active_record/access_token.rb +5 -25
data/lib/doorkeeper/orm/active_record/application.rb +6 -15
data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +63 -0
data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +77 -0
data/lib/doorkeeper/orm/active_record/mixins/application.rb +210 -0
data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb +66 -0
data/lib/doorkeeper/orm/active_record/stale_records_cleaner.rb +36 -0
data/lib/doorkeeper/orm/active_record.rb +34 -12
data/lib/doorkeeper/rails/helpers.rb +14 -15
data/lib/doorkeeper/rails/routes/abstract_router.rb +35 -0
data/lib/doorkeeper/rails/routes/mapper.rb +3 -1
data/lib/doorkeeper/rails/routes/mapping.rb +10 -8
data/lib/doorkeeper/rails/routes/registry.rb +45 -0
data/lib/doorkeeper/rails/routes.rb +50 -29
data/lib/doorkeeper/rake/db.rake +40 -0
data/lib/doorkeeper/rake/setup.rake +6 -0
data/lib/doorkeeper/rake.rb +14 -0
data/lib/doorkeeper/request/authorization_code.rb +12 -4
data/lib/doorkeeper/request/client_credentials.rb +3 -3
data/lib/doorkeeper/request/code.rb +1 -1
data/lib/doorkeeper/request/password.rb +5 -14
data/lib/doorkeeper/request/refresh_token.rb +6 -5
data/lib/doorkeeper/request/strategy.rb +4 -2
data/lib/doorkeeper/request/token.rb +1 -1
data/lib/doorkeeper/request.rb +62 -29
data/lib/doorkeeper/secret_storing/base.rb +64 -0
data/lib/doorkeeper/secret_storing/bcrypt.rb +60 -0
data/lib/doorkeeper/secret_storing/plain.rb +33 -0
data/lib/doorkeeper/secret_storing/sha256_hash.rb +26 -0
data/lib/doorkeeper/server.rb +9 -19
data/lib/doorkeeper/stale_records_cleaner.rb +24 -0
data/lib/doorkeeper/validations.rb +5 -2
data/lib/doorkeeper/version.rb +12 -1
data/lib/doorkeeper.rb +180 -57
data/lib/generators/doorkeeper/application_owner_generator.rb +28 -13
data/lib/generators/doorkeeper/confidential_applications_generator.rb +33 -0
data/lib/generators/doorkeeper/enable_polymorphic_resource_owner_generator.rb +39 -0
data/lib/generators/doorkeeper/install_generator.rb +19 -9
data/lib/generators/doorkeeper/migration_generator.rb +27 -10
data/lib/generators/doorkeeper/pkce_generator.rb +33 -0
data/lib/generators/doorkeeper/previous_refresh_token_generator.rb +31 -19
data/lib/generators/doorkeeper/templates/add_confidential_to_applications.rb.erb +13 -0
data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +9 -0
data/lib/generators/doorkeeper/templates/{add_previous_refresh_token_to_access_tokens.rb → add_previous_refresh_token_to_access_tokens.rb.erb} +3 -1
data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +8 -0
data/lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb +17 -0
data/lib/generators/doorkeeper/templates/initializer.rb +436 -33
data/lib/generators/doorkeeper/templates/migration.rb.erb +98 -0
data/lib/generators/doorkeeper/views_generator.rb +8 -4
data/vendor/assets/stylesheets/doorkeeper/bootstrap.min.css +4 -5
metadata +129 -281
data/.gitignore +0 -14
data/.hound.yml +0 -13
data/.rspec +0 -1
data/.travis.yml +0 -20
data/CONTRIBUTING.md +0 -47
data/Gemfile +0 -14
data/NEWS.md +0 -593
data/RELEASING.md +0 -17
data/Rakefile +0 -20
data/app/validators/redirect_uri_validator.rb +0 -34
data/doorkeeper.gemspec +0 -28
data/lib/doorkeeper/oauth/client/methods.rb +0 -18
data/lib/doorkeeper/oauth/client_credentials/validation.rb +0 -45
data/lib/doorkeeper/oauth/request_concern.rb +0 -48
data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb +0 -7
data/lib/generators/doorkeeper/templates/migration.rb +0 -68
data/spec/controllers/application_metal_controller.rb +0 -10
data/spec/controllers/applications_controller_spec.rb +0 -58
data/spec/controllers/authorizations_controller_spec.rb +0 -189
data/spec/controllers/protected_resources_controller_spec.rb +0 -300
data/spec/controllers/token_info_controller_spec.rb +0 -52
data/spec/controllers/tokens_controller_spec.rb +0 -88
data/spec/dummy/Rakefile +0 -7
data/spec/dummy/app/controllers/application_controller.rb +0 -3
data/spec/dummy/app/controllers/custom_authorizations_controller.rb +0 -7
data/spec/dummy/app/controllers/full_protected_resources_controller.rb +0 -12
data/spec/dummy/app/controllers/home_controller.rb +0 -17
data/spec/dummy/app/controllers/metal_controller.rb +0 -11
data/spec/dummy/app/controllers/semi_protected_resources_controller.rb +0 -11
data/spec/dummy/app/helpers/application_helper.rb +0 -5
data/spec/dummy/app/models/user.rb +0 -5
data/spec/dummy/app/views/home/index.html.erb +0 -0
data/spec/dummy/app/views/layouts/application.html.erb +0 -14
data/spec/dummy/config/application.rb +0 -23
data/spec/dummy/config/boot.rb +0 -9
data/spec/dummy/config/database.yml +0 -15
data/spec/dummy/config/environment.rb +0 -5
data/spec/dummy/config/environments/development.rb +0 -29
data/spec/dummy/config/environments/production.rb +0 -62
data/spec/dummy/config/environments/test.rb +0 -44
data/spec/dummy/config/initializers/active_record_belongs_to_required_by_default.rb +0 -6
data/spec/dummy/config/initializers/backtrace_silencers.rb +0 -7
data/spec/dummy/config/initializers/doorkeeper.rb +0 -96
data/spec/dummy/config/initializers/secret_token.rb +0 -9
data/spec/dummy/config/initializers/session_store.rb +0 -8
data/spec/dummy/config/initializers/wrap_parameters.rb +0 -14
data/spec/dummy/config/locales/doorkeeper.en.yml +0 -5
data/spec/dummy/config/routes.rb +0 -52
data/spec/dummy/config.ru +0 -4
data/spec/dummy/db/migrate/20111122132257_create_users.rb +0 -9
data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb +0 -5
data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +0 -60
data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb +0 -7
data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb +0 -11
data/spec/dummy/db/schema.rb +0 -67
data/spec/dummy/public/404.html +0 -26
data/spec/dummy/public/422.html +0 -26
data/spec/dummy/public/500.html +0 -26
data/spec/dummy/public/favicon.ico +0 -0
data/spec/dummy/script/rails +0 -6
data/spec/factories.rb +0 -28
data/spec/generators/application_owner_generator_spec.rb +0 -22
data/spec/generators/install_generator_spec.rb +0 -31
data/spec/generators/migration_generator_spec.rb +0 -20
data/spec/generators/templates/routes.rb +0 -3
data/spec/generators/views_generator_spec.rb +0 -27
data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +0 -24
data/spec/lib/config_spec.rb +0 -334
data/spec/lib/doorkeeper_spec.rb +0 -28
data/spec/lib/models/expirable_spec.rb +0 -51
data/spec/lib/models/revocable_spec.rb +0 -59
data/spec/lib/models/scopes_spec.rb +0 -43
data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -42
data/spec/lib/oauth/authorization_code_request_spec.rb +0 -80
data/spec/lib/oauth/client/credentials_spec.rb +0 -47
data/spec/lib/oauth/client/methods_spec.rb +0 -54
data/spec/lib/oauth/client_credentials/creator_spec.rb +0 -44
data/spec/lib/oauth/client_credentials/issuer_spec.rb +0 -86
data/spec/lib/oauth/client_credentials/validation_spec.rb +0 -54
data/spec/lib/oauth/client_credentials_integration_spec.rb +0 -27
data/spec/lib/oauth/client_credentials_request_spec.rb +0 -104
data/spec/lib/oauth/client_spec.rb +0 -39
data/spec/lib/oauth/code_request_spec.rb +0 -45
data/spec/lib/oauth/code_response_spec.rb +0 -34
data/spec/lib/oauth/error_response_spec.rb +0 -61
data/spec/lib/oauth/error_spec.rb +0 -23
data/spec/lib/oauth/forbidden_token_response_spec.rb +0 -23
data/spec/lib/oauth/helpers/scope_checker_spec.rb +0 -64
data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -20
data/spec/lib/oauth/helpers/uri_checker_spec.rb +0 -104
data/spec/lib/oauth/invalid_token_response_spec.rb +0 -28
data/spec/lib/oauth/password_access_token_request_spec.rb +0 -90
data/spec/lib/oauth/pre_authorization_spec.rb +0 -155
data/spec/lib/oauth/refresh_token_request_spec.rb +0 -154
data/spec/lib/oauth/scopes_spec.rb +0 -122
data/spec/lib/oauth/token_request_spec.rb +0 -98
data/spec/lib/oauth/token_response_spec.rb +0 -85
data/spec/lib/oauth/token_spec.rb +0 -116
data/spec/lib/request/strategy_spec.rb +0 -53
data/spec/lib/server_spec.rb +0 -52
data/spec/models/doorkeeper/access_grant_spec.rb +0 -36
data/spec/models/doorkeeper/access_token_spec.rb +0 -394
data/spec/models/doorkeeper/application_spec.rb +0 -179
data/spec/requests/applications/applications_request_spec.rb +0 -94
data/spec/requests/applications/authorized_applications_spec.rb +0 -30
data/spec/requests/endpoints/authorization_spec.rb +0 -72
data/spec/requests/endpoints/token_spec.rb +0 -64
data/spec/requests/flows/authorization_code_errors_spec.rb +0 -66
data/spec/requests/flows/authorization_code_spec.rb +0 -156
data/spec/requests/flows/client_credentials_spec.rb +0 -58
data/spec/requests/flows/implicit_grant_errors_spec.rb +0 -32
data/spec/requests/flows/implicit_grant_spec.rb +0 -61
data/spec/requests/flows/password_spec.rb +0 -115
data/spec/requests/flows/refresh_token_spec.rb +0 -174
data/spec/requests/flows/revoke_token_spec.rb +0 -157
data/spec/requests/flows/skip_authorization_spec.rb +0 -59
data/spec/requests/protected_resources/metal_spec.rb +0 -14
data/spec/requests/protected_resources/private_api_spec.rb +0 -81
data/spec/routing/custom_controller_routes_spec.rb +0 -71
data/spec/routing/default_routes_spec.rb +0 -35
data/spec/routing/scoped_routes_spec.rb +0 -31
data/spec/spec_helper.rb +0 -2
data/spec/spec_helper_integration.rb +0 -59
data/spec/support/dependencies/factory_girl.rb +0 -2
data/spec/support/helpers/access_token_request_helper.rb +0 -11
data/spec/support/helpers/authorization_request_helper.rb +0 -41
data/spec/support/helpers/config_helper.rb +0 -9
data/spec/support/helpers/model_helper.rb +0 -67
data/spec/support/helpers/request_spec_helper.rb +0 -76
data/spec/support/helpers/url_helper.rb +0 -55
data/spec/support/http_method_shim.rb +0 -24
data/spec/support/orm/active_record.rb +0 -3
data/spec/support/shared/controllers_shared_context.rb +0 -69
data/spec/support/shared/models_shared_examples.rb +0 -52
data/spec/validators/redirect_uri_validator_spec.rb +0 -78

data/lib/doorkeeper/oauth/pre_authorization.rb CHANGED Viewed

@@ -1,23 +1,37 @@
+# frozen_string_literal: true
 module Doorkeeper
   module OAuth
     class PreAuthorization
       include Validations
-      validate :response_type, error: :unsupported_response_type
-      validate :client, error: :invalid_client
-      validate :scopes, error: :invalid_scope
-      validate :redirect_uri, error: :invalid_redirect_uri
+      validate :client_id, error: Errors::InvalidRequest
+      validate :client, error: Errors::InvalidClient
+      validate :client_supports_grant_flow, error: Errors::UnauthorizedClient
+      validate :resource_owner_authorize_for_client, error: Errors::InvalidClient
+      validate :redirect_uri, error: Errors::InvalidRedirectUri
+      validate :params, error: Errors::InvalidRequest
+      validate :response_type, error: Errors::UnsupportedResponseType
+      validate :response_mode, error: Errors::UnsupportedResponseMode
+      validate :scopes, error: Errors::InvalidScope
+      validate :code_challenge_method, error: Errors::InvalidCodeChallengeMethod
-      attr_accessor :server, :client, :response_type, :redirect_uri, :state
-      attr_writer   :scope
+      attr_reader :client, :code_challenge, :code_challenge_method, :missing_param,
+                  :redirect_uri, :resource_owner, :response_type, :state,
+                  :authorization_response_flow, :response_mode, :custom_access_token_attributes
-      def initialize(server, client, attrs = {})
-        @server        = server
-        @client        = client
-        @response_type = attrs[:response_type]
-        @redirect_uri  = attrs[:redirect_uri]
-        @scope         = attrs[:scope]
-        @state         = attrs[:state]
+      def initialize(server, parameters = {}, resource_owner = nil)
+        @server = server
+        @client_id = parameters[:client_id]
+        @response_type = parameters[:response_type]
+        @response_mode = parameters[:response_mode]
+        @redirect_uri = parameters[:redirect_uri]
+        @scope = parameters[:scope]
+        @state = parameters[:state]
+        @code_challenge = parameters[:code_challenge]
+        @code_challenge_method = parameters[:code_challenge_method]
+        @resource_owner = resource_owner
+        @custom_access_token_attributes = parameters.slice(*Doorkeeper.config.custom_access_token_attributes)
       end
       def authorizable?
@@ -25,41 +39,137 @@ module Doorkeeper
       end
       def scopes
-        Scopes.from_string scope
+        Scopes.from_string(scope)
       end
       def scope
-        @scope.presence || server.default_scopes.to_s
+        @scope.presence || (server.default_scopes.presence && build_scopes)
       end
       def error_response
-        OAuth::ErrorResponse.from_request(self)
+        if error == Errors::InvalidRequest
+          OAuth::InvalidRequestResponse.from_request(
+            self,
+            response_on_fragment: response_on_fragment?,
+          )
+        else
+          OAuth::ErrorResponse.from_request(self, response_on_fragment: response_on_fragment?)
+        end
+      end
+      def as_json(_options = nil)
+        pre_auth_hash
+      end
+      def form_post_response?
+        response_mode == "form_post"
       end
       private
-      def validate_response_type
-        server.authorization_response_types.include? response_type
+      attr_reader :client_id, :server
+      def build_scopes
+        client_scopes = client.scopes
+        if client_scopes.blank?
+          server.default_scopes.to_s
+        else
+          (server.default_scopes & client_scopes).to_s
+        end
+      end
+      def validate_client_id
+        @missing_param = :client_id if client_id.blank?
+        @missing_param.nil?
       end
       def validate_client
-        client.present?
+        @client = OAuth::Client.find(client_id)
+        @client.present?
+      end
+      def validate_client_supports_grant_flow
+        Doorkeeper.config.allow_grant_flow_for_client?(grant_type, client.application)
+      end
+      def validate_resource_owner_authorize_for_client
+        # The `authorize_resource_owner_for_client` config option is used for this validation
+        client.application.authorized_for_resource_owner?(@resource_owner)
+      end
+      def validate_redirect_uri
+        return false if redirect_uri.blank?
+        Helpers::URIChecker.valid_for_authorization?(
+          redirect_uri,
+          client.redirect_uri,
+        )
+      end
+      def validate_params
+        @missing_param = if response_type.blank?
+                           :response_type
+                         elsif @scope.blank? && server.default_scopes.blank?
+                           :scope
+                         end
+        @missing_param.nil?
+      end
+      def validate_response_type
+        server.authorization_response_flows.any? do |flow|
+          if flow.matches_response_type?(response_type)
+            @authorization_response_flow = flow
+            true
+          end
+        end
+      end
+      def validate_response_mode
+        if response_mode.blank?
+          @response_mode = authorization_response_flow.default_response_mode
+          return true
+        end
+        authorization_response_flow.matches_response_mode?(response_mode)
       end
       def validate_scopes
-        return true unless scope.present?
         Helpers::ScopeChecker.valid?(
-          scope,
-          server.scopes,
-          client.application.scopes
+          scope_str: scope,
+          server_scopes: server.scopes,
+          app_scopes: client.scopes,
+          grant_type: grant_type,
         )
       end
-      # TODO: test uri should be matched against the client's one
-      def validate_redirect_uri
-        return false unless redirect_uri.present?
-        Helpers::URIChecker.native_uri?(redirect_uri) ||
-          Helpers::URIChecker.valid_for_authorization?(redirect_uri, client.redirect_uri)
+      def validate_code_challenge_method
+        return true unless Doorkeeper.config.access_grant_model.pkce_supported?
+        code_challenge.blank? ||
+          (code_challenge_method.present? && code_challenge_method =~ /^plain$|^S256$/)
+      end
+      def response_on_fragment?
+        return response_type == "token" if response_mode.nil?
+        response_mode == "fragment"
+      end
+      def grant_type
+        response_type == "code" ? AUTHORIZATION_CODE : IMPLICIT
+      end
+      def pre_auth_hash
+        {
+          client_id: client.uid,
+          redirect_uri: redirect_uri,
+          state: state,
+          response_type: response_type,
+          scope: scope,
+          client_name: client.name,
+          status: I18n.t("doorkeeper.pre_authorization.status"),
+        }
       end
     end
   end

data/lib/doorkeeper/oauth/refresh_token_request.rb CHANGED Viewed

@@ -1,48 +1,47 @@
+# frozen_string_literal: true
 module Doorkeeper
   module OAuth
-    class RefreshTokenRequest
-      include Validations
-      include OAuth::RequestConcern
+    class RefreshTokenRequest < BaseRequest
       include OAuth::Helpers
-      validate :token_presence, error: :invalid_request
-      validate :token,        error: :invalid_grant
-      validate :client,       error: :invalid_client
-      validate :client_match, error: :invalid_grant
-      validate :scope,        error: :invalid_scope
-      attr_accessor :access_token, :client, :credentials, :refresh_token,
-                    :server, :refresh_token_parameter
+      validate :token_presence, error: Errors::InvalidRequest
+      validate :token,        error: Errors::InvalidGrant
+      validate :client,       error: Errors::InvalidClient
+      validate :client_match, error: Errors::InvalidGrant
+      validate :scope,        error: Errors::InvalidScope
-      private :refresh_token_parameter, :refresh_token_parameter=
+      attr_reader :access_token, :client, :credentials, :refresh_token
+      attr_reader :missing_param
       def initialize(server, refresh_token, credentials, parameters = {})
-        @server          = server
-        @refresh_token   = refresh_token
-        @credentials     = credentials
+        @server = server
+        @refresh_token = refresh_token
+        @credentials = credentials
         @original_scopes = parameters[:scope] || parameters[:scopes]
         @refresh_token_parameter = parameters[:refresh_token]
-        if credentials
-          @client = Application.by_uid_and_secret credentials.uid,
-                                                  credentials.secret
-        end
+        @client = load_client(credentials) if credentials
       end
       private
+      def load_client(credentials)
+        Doorkeeper.config.application_model.by_uid_and_secret(credentials.uid, credentials.secret)
+      end
       def before_successful_response
         refresh_token.transaction do
           refresh_token.lock!
-          raise Errors::InvalidTokenReuse if refresh_token.revoked?
+          raise Errors::InvalidGrantReuse if refresh_token.revoked?
           refresh_token.revoke unless refresh_token_revoked_on_use?
           create_access_token
         end
+        super
       end
       def refresh_token_revoked_on_use?
-        Doorkeeper::AccessToken.refresh_token_revoked_on_use?
+        Doorkeeper.config.access_token_model.refresh_token_revoked_on_use?
       end
       def default_scopes
@@ -50,29 +49,46 @@ module Doorkeeper
       end
       def create_access_token
-        @access_token = AccessToken.create!(access_token_attributes)
-      end
+        attributes = {}.merge(custom_token_attributes_with_data)
-      def access_token_attributes
-        {
-          application_id: refresh_token.application_id,
-          resource_owner_id: refresh_token.resource_owner_id,
-          scopes: scopes.to_s,
-          expires_in: access_token_expires_in,
-          use_refresh_token: true
-        }.tap do |attributes|
-          if refresh_token_revoked_on_use?
-            attributes[:previous_refresh_token] = refresh_token.refresh_token
+        resource_owner =
+          if Doorkeeper.config.polymorphic_resource_owner?
+            refresh_token.resource_owner
+          else
+            refresh_token.resource_owner_id
           end
+        if refresh_token_revoked_on_use?
+          attributes[:previous_refresh_token] = refresh_token.refresh_token
         end
-      end
-      def access_token_expires_in
-        Authorization::Token.access_token_expires_in(server, client)
+        # RFC6749
+        # 1.5.  Refresh Token
+        #
+        # Refresh tokens are issued to the client by the authorization server and are
+        # used to obtain a new access token when the current access token
+        # becomes invalid or expires, or to obtain additional access tokens
+        # with identical or narrower scope (access tokens may have a shorter
+        # lifetime and fewer permissions than authorized by the resource
+        # owner).
+        #
+        # Here we assume that TTL of the token received after refreshing should be
+        # the same as that of the original token.
+        #
+        @access_token = Doorkeeper.config.access_token_model.create_for(
+          application: refresh_token.application,
+          resource_owner: resource_owner,
+          scopes: scopes,
+          expires_in: refresh_token.expires_in,
+          use_refresh_token: true,
+          **attributes,
+        )
       end
       def validate_token_presence
-        refresh_token.present? || refresh_token_parameter.present?
+        @missing_param = :refresh_token if refresh_token.blank? && @refresh_token_parameter.blank?
+        @missing_param.nil?
       end
       def validate_token
@@ -80,20 +96,37 @@ module Doorkeeper
       end
       def validate_client
-        !credentials || !!client
+        return true if credentials.blank?
+        client.present?
       end
+      # @see https://datatracker.ietf.org/doc/html/rfc6749#section-1.5
+      #
       def validate_client_match
-        !client || refresh_token.application_id == client.id
+        return true if refresh_token.application_id.blank?
+        client && refresh_token.application_id == client.id
       end
       def validate_scope
         if @original_scopes.present?
-          ScopeChecker.valid?(@original_scopes, refresh_token.scopes)
+          ScopeChecker.valid?(
+            scope_str: @original_scopes,
+            server_scopes: refresh_token.scopes,
+          )
         else
           true
         end
       end
+      def custom_token_attributes_with_data
+        refresh_token
+        .attributes
+        .with_indifferent_access
+        .slice(*Doorkeeper.config.custom_access_token_attributes)
+        .symbolize_keys
+      end
     end
   end
 end

data/lib/doorkeeper/oauth/scopes.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module Doorkeeper
   module OAuth
     class Scopes
@@ -5,7 +7,7 @@ module Doorkeeper
       include Comparable
       def self.from_string(string)
-        string ||= ''
+        string ||= ""
         new.tap do |scope|
           scope.add(*string.split)
         end
@@ -37,28 +39,40 @@ module Doorkeeper
       end
       def to_s
-        @scopes.join(' ')
+        @scopes.join(" ")
       end
-      def has_scopes?(scopes)
-        scopes.all? { |s| exists?(s) }
+      def scopes?(scopes)
+        scopes.all? { |scope| exists?(scope) }
       end
+      alias has_scopes? scopes?
       def +(other)
-        if other.is_a? Scopes
-          self.class.from_array(all + other.all)
-        else
-          super(other)
-        end
+        self.class.from_array(all + to_array(other))
       end
       def <=>(other)
-        map(&:to_s).sort <=> other.map(&:to_s).sort
+        if other.respond_to?(:map)
+          map(&:to_s).sort <=> other.map(&:to_s).sort
+        else
+          super
+        end
       end
       def &(other)
-        other_array = other.present? ? other.all : []
-        self.class.from_array(all & other_array)
+        self.class.from_array(all & to_array(other))
+      end
+      private
+      def to_array(other)
+        case other
+        when Scopes
+          other.all
+        else
+          other.to_a
+        end
       end
     end
   end

data/lib/doorkeeper/oauth/token.rb CHANGED Viewed

@@ -1,7 +1,27 @@
+# frozen_string_literal: true
 module Doorkeeper
   module OAuth
     class Token
-      module Methods
+      class << self
+        def from_request(request, *methods)
+          methods.inject(nil) do |_, method|
+            method = self.method(method) if method.is_a?(Symbol)
+            credentials = method.call(request)
+            break credentials if credentials.present?
+          end
+        end
+        def authenticate(request, *methods)
+          if (token = from_request(request, *methods))
+            access_token = Doorkeeper.config.access_token_model.by_token(token)
+            if access_token.present? && Doorkeeper.config.refresh_token_enabled?
+              access_token.revoke_previous_refresh_token!
+            end
+            access_token
+          end
+        end
         def from_access_token_param(request)
           request.parameters[:access_token]
         end
@@ -12,13 +32,13 @@ module Doorkeeper
         def from_bearer_authorization(request)
           pattern = /^Bearer /i
-          header  = request.authorization
+          header = request.authorization
           token_from_header(header, pattern) if match?(header, pattern)
         end
         def from_basic_authorization(request)
           pattern = /^Basic /i
-          header  = request.authorization
+          header = request.authorization
           token_from_basic_header(header, pattern) if match?(header, pattern)
         end
@@ -34,29 +54,11 @@ module Doorkeeper
         end
         def token_from_header(header, pattern)
-          header.gsub pattern, ''
+          header.gsub(pattern, "")
         end
         def match?(header, pattern)
-          header && header.match(pattern)
-        end
-      end
-      extend Methods
-      def self.from_request(request, *methods)
-        methods.inject(nil) do |credentials, method|
-          method = self.method(method) if method.is_a?(Symbol)
-          credentials = method.call(request)
-          break credentials unless credentials.blank?
-        end
-      end
-      def self.authenticate(request, *methods)
-        if token = from_request(request, *methods)
-          access_token = AccessToken.by_token(token)
-          access_token.revoke_previous_refresh_token! if access_token
-          access_token
+          header&.match(pattern)
         end
       end
     end