doorkeeper 4.2.0 → 5.6.8

data/lib/doorkeeper/rails/routes.rb

@@ -1,33 +1,42 @@
-require 'doorkeeper/rails/routes/mapping'
-require 'doorkeeper/rails/routes/mapper'
+# frozen_string_literal: true
+
+require "doorkeeper/rails/routes/mapping"
+require "doorkeeper/rails/routes/mapper"
+require "doorkeeper/rails/routes/abstract_router"
+require "doorkeeper/rails/routes/registry"
 
 module Doorkeeper
   module Rails
-    class Routes
+    class Routes # :nodoc:
       module Helper
-        # TODO: options hash is not being used
         def use_doorkeeper(options = {}, &block)
           Doorkeeper::Rails::Routes.new(self, &block).generate_routes!(options)
         end
       end
 
-      def self.install!
-        ActionDispatch::Routing::Mapper.send :include, Doorkeeper::Rails::Routes::Helper
+      include AbstractRouter
+      extend Registry
+
+      mattr_reader :mapping do
+        {}
       end
 
-      attr_accessor :routes
+      def self.install!
+        ActionDispatch::Routing::Mapper.include Doorkeeper::Rails::Routes::Helper
+
+        registered_routes.each(&:install!)
+      end
 
-      def initialize(routes, &block)
-        @routes = routes
-        @block = block
+      def initialize(routes, mapper = Mapper.new, &block)
+        super
       end
 
       def generate_routes!(options)
-        @mapping = Mapper.new.map(&@block)
-        routes.scope options[:scope] || 'oauth', as: 'oauth' do
+        routes.scope options[:scope] || "oauth", as: "oauth" do
           map_route(:authorizations, :authorization_routes)
           map_route(:tokens, :token_routes)
           map_route(:tokens, :revoke_routes)
+          map_route(:tokens, :introspect_routes) if introspection_routes?
           map_route(:applications, :application_routes)
           map_route(:authorized_applications, :authorized_applications_routes)
           map_route(:token_info, :token_info_routes)
@@ -36,21 +45,15 @@ module Doorkeeper
 
       private
 
-      def map_route(name, method)
-        unless @mapping.skipped?(name)
-          send method, @mapping[name]
-        end
-      end
-
       def authorization_routes(mapping)
         routes.resource(
           :authorization,
-          path: 'authorize',
-          only: [:create, :destroy],
+          path: "authorize",
+          only: %i[create destroy],
           as: mapping[:as],
-          controller: mapping[:controllers]
+          controller: mapping[:controllers],
         ) do
-          routes.get '/:code', action: :show, on: :member
+          routes.get native_authorization_code_route, action: :show, on: :member
           routes.get '/', action: :new, on: :member
         end
       end
@@ -58,31 +61,49 @@ module Doorkeeper
       def token_routes(mapping)
         routes.resource(
           :token,
-          path: 'token',
+          path: "token",
           only: [:create], as: mapping[:as],
-          controller: mapping[:controllers]
+          controller: mapping[:controllers],
         )
       end
 
       def revoke_routes(mapping)
-        routes.post 'revoke', controller: mapping[:controllers], action: :revoke
+        routes.post "revoke", controller: mapping[:controllers], action: :revoke
+      end
+
+      def introspect_routes(mapping)
+        routes.post "introspect", controller: mapping[:controllers], action: :introspect
       end
 
       def token_info_routes(mapping)
         routes.resource(
           :token_info,
-          path: 'token/info',
+          path: "token/info",
           only: [:show], as: mapping[:as],
-          controller: mapping[:controllers]
+          controller: mapping[:controllers],
         )
       end
 
       def application_routes(mapping)
-        routes.resources :doorkeeper_applications, controller: mapping[:controllers], as: :applications, path: 'applications'
+        routes.resources :doorkeeper_applications,
+                         controller: mapping[:controllers],
+                         as: :applications,
+                         path: "applications"
       end
 
       def authorized_applications_routes(mapping)
-        routes.resources :authorized_applications, only: [:index, :destroy], controller: mapping[:controllers]
+        routes.resources :authorized_applications,
+                         only: %i[index destroy],
+                         controller: mapping[:controllers]
+      end
+
+      def native_authorization_code_route
+        Doorkeeper.configuration.native_authorization_code_route
+      end
+
+      def introspection_routes?
+        Doorkeeper.configured? &&
+          !Doorkeeper.config.allow_token_introspection.is_a?(FalseClass)
       end
     end
   end

data/lib/doorkeeper/rake/db.rake

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+namespace :doorkeeper do
+  namespace :db do
+    desc "Removes stale data from doorkeeper related database tables"
+    task cleanup: [
+      "doorkeeper:db:cleanup:revoked_tokens",
+      "doorkeeper:db:cleanup:expired_tokens",
+      "doorkeeper:db:cleanup:revoked_grants",
+      "doorkeeper:db:cleanup:expired_grants",
+    ]
+
+    namespace :cleanup do
+      desc "Removes stale access tokens"
+      task revoked_tokens: "doorkeeper:setup" do
+        cleaner = Doorkeeper::StaleRecordsCleaner.new(Doorkeeper.config.access_token_model)
+        cleaner.clean_revoked
+      end
+
+      desc "Removes expired (TTL passed) access tokens"
+      task expired_tokens: "doorkeeper:setup" do
+        expirable_tokens = Doorkeeper.config.access_token_model.where(refresh_token: nil)
+        cleaner = Doorkeeper::StaleRecordsCleaner.new(expirable_tokens)
+        cleaner.clean_expired(Doorkeeper.config.access_token_expires_in)
+      end
+
+      desc "Removes stale access grants"
+      task revoked_grants: "doorkeeper:setup" do
+        cleaner = Doorkeeper::StaleRecordsCleaner.new(Doorkeeper.config.access_grant_model)
+        cleaner.clean_revoked
+      end
+
+      desc "Removes expired (TTL passed) access grants"
+      task expired_grants: "doorkeeper:setup" do
+        cleaner = Doorkeeper::StaleRecordsCleaner.new(Doorkeeper.config.access_grant_model)
+        cleaner.clean_expired(Doorkeeper.config.authorization_code_expires_in)
+      end
+    end
+  end
+end

data/lib/doorkeeper/rake/setup.rake

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+namespace :doorkeeper do
+  task setup: :environment do
+  end
+end

data/lib/doorkeeper/rake.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module Rake
+    class << self
+      def load_tasks
+        glob = File.join(File.absolute_path(__dir__), "rake", "*.rake")
+        Dir[glob].each do |rake_file|
+          load rake_file
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/request/authorization_code.rb

@@ -1,18 +1,26 @@
-require 'doorkeeper/request/strategy'
+# frozen_string_literal: true
 
 module Doorkeeper
   module Request
     class AuthorizationCode < Strategy
-      delegate :grant, :client, :parameters, to: :server
+      delegate :client, :parameters, to: :server
 
       def request
         @request ||= OAuth::AuthorizationCodeRequest.new(
-          Doorkeeper.configuration,
+          Doorkeeper.config,
           grant,
           client,
-          parameters
+          parameters,
         )
       end
+
+      private
+
+      def grant
+        raise Errors::MissingRequiredParameter, :code if parameters[:code].blank?
+
+        Doorkeeper.config.access_grant_model.by_token(parameters[:code])
+      end
     end
   end
 end

data/lib/doorkeeper/request/client_credentials.rb

@@ -1,4 +1,4 @@
-require 'doorkeeper/request/strategy'
+# frozen_string_literal: true
 
 module Doorkeeper
   module Request
@@ -7,9 +7,9 @@ module Doorkeeper
 
       def request
         @request ||= OAuth::ClientCredentialsRequest.new(
-          Doorkeeper.configuration,
+          Doorkeeper.config,
           client,
-          parameters
+          parameters,
         )
       end
     end

data/lib/doorkeeper/request/code.rb

@@ -1,4 +1,4 @@
-require 'doorkeeper/request/strategy'
+# frozen_string_literal: true
 
 module Doorkeeper
   module Request

data/lib/doorkeeper/request/password.rb

@@ -1,28 +1,19 @@
-require 'doorkeeper/request/strategy'
+# frozen_string_literal: true
 
 module Doorkeeper
   module Request
     class Password < Strategy
-      delegate :credentials, :resource_owner, :parameters, to: :server
+      delegate :credentials, :resource_owner, :parameters, :client, to: :server
 
       def request
         @request ||= OAuth::PasswordAccessTokenRequest.new(
-          Doorkeeper.configuration,
+          Doorkeeper.config,
           client,
+          credentials,
           resource_owner,
-          parameters
+          parameters,
         )
       end
-
-      private
-
-      def client
-        if credentials
-          server.client
-        elsif parameters[:client_id]
-          server.client_via_uid
-        end
-      end
     end
   end
 end

data/lib/doorkeeper/request/refresh_token.rb

@@ -1,4 +1,4 @@
-require 'doorkeeper/request/strategy'
+# frozen_string_literal: true
 
 module Doorkeeper
   module Request
@@ -6,14 +6,15 @@ module Doorkeeper
       delegate :credentials, :parameters, to: :server
 
       def refresh_token
-        server.current_refresh_token
+        Doorkeeper.config.access_token_model.by_refresh_token(parameters[:refresh_token])
       end
 
       def request
         @request ||= OAuth::RefreshTokenRequest.new(
-          Doorkeeper.configuration,
-          refresh_token, credentials,
-          parameters
+          Doorkeeper.config,
+          refresh_token,
+          credentials,
+          parameters,
         )
       end
     end

data/lib/doorkeeper/request/strategy.rb

@@ -1,12 +1,14 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module Request
     class Strategy
-      attr_accessor :server
+      attr_reader :server
 
       delegate :authorize, to: :request
 
       def initialize(server)
-        self.server = server
+        @server = server
       end
 
       def request

data/lib/doorkeeper/request/token.rb

@@ -1,4 +1,4 @@
-require 'doorkeeper/request/strategy'
+# frozen_string_literal: true
 
 module Doorkeeper
   module Request

data/lib/doorkeeper/request.rb

@@ -1,40 +1,73 @@
-require 'doorkeeper/request/authorization_code'
-require 'doorkeeper/request/client_credentials'
-require 'doorkeeper/request/code'
-require 'doorkeeper/request/password'
-require 'doorkeeper/request/refresh_token'
-require 'doorkeeper/request/token'
+# frozen_string_literal: true
 
 module Doorkeeper
   module Request
-    module_function
+    class << self
+      def authorization_strategy(response_type)
+        grant_flow = authorization_flows.detect do |flow|
+          flow.matches_response_type?(response_type)
+        end
 
-    def authorization_strategy(response_type)
-      get_strategy response_type, authorization_response_types
-    rescue NameError
-      raise Errors::InvalidAuthorizationStrategy
-    end
+        if grant_flow
+          grant_flow.response_type_strategy
+        else
+          # [NOTE]: this will be removed in a newer versions of Doorkeeper.
+          # For retro-compatibility only
+          build_fallback_strategy_class(response_type)
+        end
+      end
 
-    def token_strategy(grant_type)
-      get_strategy grant_type, token_grant_types
-    rescue NameError
-      raise Errors::InvalidTokenStrategy
-    end
+      def token_strategy(grant_type)
+        raise Errors::MissingRequiredParameter, :grant_type if grant_type.blank?
 
-    def get_strategy(grant_or_request_type, available)
-      fail Errors::MissingRequestStrategy unless grant_or_request_type.present?
-      fail NameError unless available.include?(grant_or_request_type.to_s)
-      "Doorkeeper::Request::#{grant_or_request_type.to_s.camelize}".constantize
-    end
+        grant_flow = token_flows.detect do |flow|
+          flow.matches_grant_type?(grant_type)
+        end
 
-    def authorization_response_types
-      Doorkeeper.configuration.authorization_response_types
-    end
-    private_class_method :authorization_response_types
+        if grant_flow
+          grant_flow.grant_type_strategy
+        else
+          # [NOTE]: this will be removed in a newer versions of Doorkeeper.
+          # For retro-compatibility only
+          raise Errors::InvalidTokenStrategy unless available.include?(grant_type.to_s)
+
+          strategy_class = build_fallback_strategy_class(grant_type)
+          raise Errors::InvalidTokenStrategy unless strategy_class
+
+          strategy_class
+        end
+      end
+
+      private
+
+      def authorization_flows
+        Doorkeeper.configuration.authorization_response_flows
+      end
+
+      def token_flows
+        Doorkeeper.configuration.token_grant_flows
+      end
+
+      # [NOTE]: this will be removed in a newer versions of Doorkeeper.
+      # For retro-compatibility only
+      def available
+        Doorkeeper.config.deprecated_token_grant_types_resolver
+      end
+
+      def build_fallback_strategy_class(grant_or_request_type)
+        strategy_class_name = grant_or_request_type.to_s.tr(" ", "_").camelize
+        fallback_strategy = "Doorkeeper::Request::#{strategy_class_name}".constantize
+
+        ::Kernel.warn <<~WARNING
+          [DOORKEEPER] #{fallback_strategy} found using fallback, it must be
+          registered using `Doorkeeper::GrantFlow.register(grant_flow_name, **options)`.
+          This functionality will be removed in a newer versions of Doorkeeper.
+        WARNING
 
-    def token_grant_types
-      Doorkeeper.configuration.token_grant_types
+        fallback_strategy
+      rescue NameError
+        raise Errors::InvalidTokenStrategy
+      end
     end
-    private_class_method :token_grant_types
   end
 end

data/lib/doorkeeper/secret_storing/base.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module SecretStoring
+    ##
+    # Base class for secret storing, including common helpers
+    class Base
+      ##
+      # Return the value to be stored by the database
+      # used for looking up a database value.
+      # @param plain_secret The plain secret input / generated
+      def self.transform_secret(_plain_secret)
+        raise NotImplementedError
+      end
+
+      ##
+      # Transform and store the given secret attribute => value
+      # pair used for safely storing the attribute
+      # @param resource The model instance being modified
+      # @param attribute The secret attribute
+      # @param plain_secret The plain secret input / generated
+      def self.store_secret(resource, attribute, plain_secret)
+        transformed_value = transform_secret(plain_secret)
+        resource.public_send(:"#{attribute}=", transformed_value)
+
+        transformed_value
+      end
+
+      ##
+      # Return the restored value from the database
+      # @param resource The resource instance to act on
+      # @param attribute The secret attribute to restore
+      # as retrieved from the database.
+      def self.restore_secret(_resource, _attribute)
+        raise NotImplementedError
+      end
+
+      ##
+      # Determines whether this strategy supports restoring
+      # secrets from the database. This allows detecting users
+      # trying to use a non-restorable strategy with +reuse_access_tokens+.
+      def self.allows_restoring_secrets?
+        false
+      end
+
+      ##
+      # Determines what secrets this strategy is applicable for
+      def self.validate_for(model)
+        valid = %i[token application]
+        return true if valid.include?(model.to_sym)
+
+        raise ArgumentError, "'#{name}' can not be used for #{model}."
+      end
+
+      ##
+      # Securely compare the given +input+ value with a +stored+ value
+      # processed by +transform_secret+.
+      def self.secret_matches?(input, stored)
+        transformed_input = transform_secret(input)
+        ActiveSupport::SecurityUtils.secure_compare transformed_input, stored
+      end
+    end
+  end
+end

data/lib/doorkeeper/secret_storing/bcrypt.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module SecretStoring
+    ##
+    # Plain text secret storing, which is the default
+    # but also provides fallback lookup if
+    # other secret storing mechanisms are enabled.
+    class BCrypt < Base
+      ##
+      # Return the value to be stored by the database
+      # @param plain_secret The plain secret input / generated
+      def self.transform_secret(plain_secret)
+        ::BCrypt::Password.create(plain_secret.to_s)
+      end
+
+      ##
+      # Securely compare the given +input+ value with a +stored+ value
+      # processed by +transform_secret+.
+      def self.secret_matches?(input, stored)
+        ::BCrypt::Password.new(stored.to_s) == input.to_s
+      rescue ::BCrypt::Errors::InvalidHash
+        false
+      end
+
+      ##
+      # Determines whether this strategy supports restoring
+      # secrets from the database. This allows detecting users
+      # trying to use a non-restorable strategy with +reuse_access_tokens+.
+      def self.allows_restoring_secrets?
+        false
+      end
+
+      ##
+      # Determines what secrets this strategy is applicable for
+      def self.validate_for(model)
+        unless model.to_sym == :application
+          raise ArgumentError,
+                "'#{name}' can only be used for storing application secrets."
+        end
+
+        unless bcrypt_present?
+          raise ArgumentError,
+                "'#{name}' requires the 'bcrypt' gem being loaded."
+        end
+
+        true
+      end
+
+      ##
+      # Test if we can require the BCrypt gem
+      def self.bcrypt_present?
+        require "bcrypt"
+        true
+      rescue LoadError
+        false
+      end
+    end
+  end
+end

data/lib/doorkeeper/secret_storing/plain.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module SecretStoring
+    ##
+    # Plain text secret storing, which is the default
+    # but also provides fallback lookup if
+    # other secret storing mechanisms are enabled.
+    class Plain < Base
+      ##
+      # Return the value to be stored by the database
+      # @param plain_secret The plain secret input / generated
+      def self.transform_secret(plain_secret)
+        plain_secret
+      end
+
+      ##
+      # Return the restored value from the database
+      # @param resource The resource instance to act on
+      # @param attribute The secret attribute to restore
+      # as retrieved from the database.
+      def self.restore_secret(resource, attribute)
+        resource.public_send(attribute)
+      end
+
+      ##
+      # Plain values obviously allow restoring
+      def self.allows_restoring_secrets?
+        true
+      end
+    end
+  end
+end

data/lib/doorkeeper/secret_storing/sha256_hash.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module SecretStoring
+    ##
+    # Plain text secret storing, which is the default
+    # but also provides fallback lookup if
+    # other secret storing mechanisms are enabled.
+    class Sha256Hash < Base
+      ##
+      # Return the value to be stored by the database
+      # @param plain_secret The plain secret input / generated
+      def self.transform_secret(plain_secret)
+        ::Digest::SHA256.hexdigest plain_secret
+      end
+
+      ##
+      # Determines whether this strategy supports restoring
+      # secrets from the database. This allows detecting users
+      # trying to use a non-restorable strategy with +reuse_access_tokens+.
+      def self.allows_restoring_secrets?
+        false
+      end
+    end
+  end
+end