doorkeeper 4.2.0 → 5.6.8
- checksums.yaml +5 -5
- data/CHANGELOG.md +1119 -0
- data/README.md +112 -349
- data/app/assets/stylesheets/doorkeeper/admin/application.css +2 -2
- data/app/controllers/doorkeeper/application_controller.rb +6 -7
- data/app/controllers/doorkeeper/application_metal_controller.rb +7 -11
- data/app/controllers/doorkeeper/applications_controller.rb +65 -20
- data/app/controllers/doorkeeper/authorizations_controller.rb +115 -18
- data/app/controllers/doorkeeper/authorized_applications_controller.rb +22 -3
- data/app/controllers/doorkeeper/token_info_controller.rb +16 -4
- data/app/controllers/doorkeeper/tokens_controller.rb +118 -38
- data/app/helpers/doorkeeper/dashboard_helper.rb +10 -6
- data/app/views/doorkeeper/applications/_delete_form.html.erb +4 -3
- data/app/views/doorkeeper/applications/_form.html.erb +33 -21
- data/app/views/doorkeeper/applications/edit.html.erb +1 -1
- data/app/views/doorkeeper/applications/index.html.erb +18 -6
- data/app/views/doorkeeper/applications/new.html.erb +1 -1
- data/app/views/doorkeeper/applications/show.html.erb +40 -16
- data/app/views/doorkeeper/authorizations/error.html.erb +4 -2
- data/app/views/doorkeeper/authorizations/form_post.html.erb +15 -0
- data/app/views/doorkeeper/authorizations/new.html.erb +17 -11
- data/app/views/doorkeeper/authorized_applications/_delete_form.html.erb +1 -2
- data/app/views/doorkeeper/authorized_applications/index.html.erb +0 -1
- data/app/views/layouts/doorkeeper/admin.html.erb +16 -14
- data/config/locales/en.yml +36 -9
- data/lib/doorkeeper/config/abstract_builder.rb +28 -0
- data/lib/doorkeeper/config/option.rb +82 -0
- data/lib/doorkeeper/config/validations.rb +53 -0
- data/lib/doorkeeper/config.rb +551 -155
- data/lib/doorkeeper/engine.rb +19 -6
- data/lib/doorkeeper/errors.rb +55 -10
- data/lib/doorkeeper/grant_flow/fallback_flow.rb +15 -0
- data/lib/doorkeeper/grant_flow/flow.rb +44 -0
- data/lib/doorkeeper/grant_flow/registry.rb +50 -0
- data/lib/doorkeeper/grant_flow.rb +45 -0
- data/lib/doorkeeper/grape/authorization_decorator.rb +6 -4
- data/lib/doorkeeper/grape/helpers.rb +24 -12
- data/lib/doorkeeper/helpers/controller.rb +49 -27
- data/lib/doorkeeper/models/access_grant_mixin.rb +100 -21
- data/lib/doorkeeper/models/access_token_mixin.rb +383 -75
- data/lib/doorkeeper/models/application_mixin.rb +72 -25
- data/lib/doorkeeper/models/concerns/accessible.rb +6 -0
- data/lib/doorkeeper/models/concerns/expirable.rb +20 -6
- data/lib/doorkeeper/models/concerns/expiration_time_sql_math.rb +88 -0
- data/lib/doorkeeper/models/concerns/orderable.rb +15 -0
- data/lib/doorkeeper/models/concerns/ownership.rb +4 -7
- data/lib/doorkeeper/models/concerns/polymorphic_resource_owner.rb +30 -0
- data/lib/doorkeeper/models/concerns/resource_ownerable.rb +47 -0
- data/lib/doorkeeper/models/concerns/reusable.rb +19 -0
- data/lib/doorkeeper/models/concerns/revocable.rb +12 -18
- data/lib/doorkeeper/models/concerns/scopes.rb +12 -2
- data/lib/doorkeeper/models/concerns/secret_storable.rb +106 -0
- data/lib/doorkeeper/oauth/authorization/code.rb +54 -12
- data/lib/doorkeeper/oauth/authorization/context.rb +17 -0
- data/lib/doorkeeper/oauth/authorization/token.rb +72 -28
- data/lib/doorkeeper/oauth/authorization/uri_builder.rb +22 -18
- data/lib/doorkeeper/oauth/authorization_code_request.rb +77 -17
- data/lib/doorkeeper/oauth/base_request.rb +67 -0
- data/lib/doorkeeper/oauth/base_response.rb +31 -0
- data/lib/doorkeeper/oauth/client/credentials.rb +23 -10
- data/lib/doorkeeper/oauth/client.rb +10 -12
- data/lib/doorkeeper/oauth/client_credentials/creator.rb +44 -4
- data/lib/doorkeeper/oauth/client_credentials/issuer.rb +21 -13
- data/lib/doorkeeper/oauth/client_credentials/validator.rb +55 -0
- data/lib/doorkeeper/oauth/client_credentials_request.rb +20 -16
- data/lib/doorkeeper/oauth/code_request.rb +9 -13
- data/lib/doorkeeper/oauth/code_response.rb +28 -15
- data/lib/doorkeeper/oauth/error.rb +5 -3
- data/lib/doorkeeper/oauth/error_response.rb +43 -20
- data/lib/doorkeeper/oauth/forbidden_token_response.rb +11 -3
- data/lib/doorkeeper/oauth/helpers/scope_checker.rb +23 -18
- data/lib/doorkeeper/oauth/helpers/unique_token.rb +20 -3
- data/lib/doorkeeper/oauth/helpers/uri_checker.rb +53 -3
- data/lib/doorkeeper/oauth/hooks/context.rb +21 -0
- data/lib/doorkeeper/oauth/invalid_request_response.rb +47 -0
- data/lib/doorkeeper/oauth/invalid_token_response.rb +31 -5
- data/lib/doorkeeper/oauth/nonstandard.rb +39 -0
- data/lib/doorkeeper/oauth/password_access_token_request.rb +46 -14
- data/lib/doorkeeper/oauth/pre_authorization.rb +138 -28
- data/lib/doorkeeper/oauth/refresh_token_request.rb +74 -41
- data/lib/doorkeeper/oauth/scopes.rb +26 -12
- data/lib/doorkeeper/oauth/token.rb +25 -23
- data/lib/doorkeeper/oauth/token_introspection.rb +204 -0
- data/lib/doorkeeper/oauth/token_request.rb +9 -22
- data/lib/doorkeeper/oauth/token_response.rb +13 -10
- data/lib/doorkeeper/oauth.rb +13 -0
- data/lib/doorkeeper/orm/active_record/access_grant.rb +6 -4
- data/lib/doorkeeper/orm/active_record/access_token.rb +5 -25
- data/lib/doorkeeper/orm/active_record/application.rb +6 -15
- data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +63 -0
- data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +77 -0
- data/lib/doorkeeper/orm/active_record/mixins/application.rb +210 -0
- data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb +66 -0
- data/lib/doorkeeper/orm/active_record/stale_records_cleaner.rb +36 -0
- data/lib/doorkeeper/orm/active_record.rb +34 -12
- data/lib/doorkeeper/rails/helpers.rb +14 -15
- data/lib/doorkeeper/rails/routes/abstract_router.rb +35 -0
- data/lib/doorkeeper/rails/routes/mapper.rb +3 -1
- data/lib/doorkeeper/rails/routes/mapping.rb +10 -8
- data/lib/doorkeeper/rails/routes/registry.rb +45 -0
- data/lib/doorkeeper/rails/routes.rb +50 -29
- data/lib/doorkeeper/rake/db.rake +40 -0
- data/lib/doorkeeper/rake/setup.rake +6 -0
- data/lib/doorkeeper/rake.rb +14 -0
- data/lib/doorkeeper/request/authorization_code.rb +12 -4
- data/lib/doorkeeper/request/client_credentials.rb +3 -3
- data/lib/doorkeeper/request/code.rb +1 -1
- data/lib/doorkeeper/request/password.rb +5 -14
- data/lib/doorkeeper/request/refresh_token.rb +6 -5
- data/lib/doorkeeper/request/strategy.rb +4 -2
- data/lib/doorkeeper/request/token.rb +1 -1
- data/lib/doorkeeper/request.rb +62 -29
- data/lib/doorkeeper/secret_storing/base.rb +64 -0
- data/lib/doorkeeper/secret_storing/bcrypt.rb +60 -0
- data/lib/doorkeeper/secret_storing/plain.rb +33 -0
- data/lib/doorkeeper/secret_storing/sha256_hash.rb +26 -0
- data/lib/doorkeeper/server.rb +9 -19
- data/lib/doorkeeper/stale_records_cleaner.rb +24 -0
- data/lib/doorkeeper/validations.rb +5 -2
- data/lib/doorkeeper/version.rb +12 -1
- data/lib/doorkeeper.rb +180 -57
- data/lib/generators/doorkeeper/application_owner_generator.rb +28 -13
- data/lib/generators/doorkeeper/confidential_applications_generator.rb +33 -0
- data/lib/generators/doorkeeper/enable_polymorphic_resource_owner_generator.rb +39 -0
- data/lib/generators/doorkeeper/install_generator.rb +19 -9
- data/lib/generators/doorkeeper/migration_generator.rb +27 -10
- data/lib/generators/doorkeeper/pkce_generator.rb +33 -0
- data/lib/generators/doorkeeper/previous_refresh_token_generator.rb +31 -19
- data/lib/generators/doorkeeper/templates/add_confidential_to_applications.rb.erb +13 -0
- data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +9 -0
- data/lib/generators/doorkeeper/templates/{add_previous_refresh_token_to_access_tokens.rb → add_previous_refresh_token_to_access_tokens.rb.erb} +3 -1
- data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +8 -0
- data/lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb +17 -0
- data/lib/generators/doorkeeper/templates/initializer.rb +436 -33
- data/lib/generators/doorkeeper/templates/migration.rb.erb +98 -0
- data/lib/generators/doorkeeper/views_generator.rb +8 -4
- data/vendor/assets/stylesheets/doorkeeper/bootstrap.min.css +4 -5
- metadata +129 -281
- data/.gitignore +0 -14
- data/.hound.yml +0 -13
- data/.rspec +0 -1
- data/.travis.yml +0 -20
- data/CONTRIBUTING.md +0 -47
- data/Gemfile +0 -14
- data/NEWS.md +0 -593
- data/RELEASING.md +0 -17
- data/Rakefile +0 -20
- data/app/validators/redirect_uri_validator.rb +0 -34
- data/doorkeeper.gemspec +0 -28
- data/lib/doorkeeper/oauth/client/methods.rb +0 -18
- data/lib/doorkeeper/oauth/client_credentials/validation.rb +0 -45
- data/lib/doorkeeper/oauth/request_concern.rb +0 -48
- data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb +0 -7
- data/lib/generators/doorkeeper/templates/migration.rb +0 -68
- data/spec/controllers/application_metal_controller.rb +0 -10
- data/spec/controllers/applications_controller_spec.rb +0 -58
- data/spec/controllers/authorizations_controller_spec.rb +0 -189
- data/spec/controllers/protected_resources_controller_spec.rb +0 -300
- data/spec/controllers/token_info_controller_spec.rb +0 -52
- data/spec/controllers/tokens_controller_spec.rb +0 -88
- data/spec/dummy/Rakefile +0 -7
- data/spec/dummy/app/controllers/application_controller.rb +0 -3
- data/spec/dummy/app/controllers/custom_authorizations_controller.rb +0 -7
- data/spec/dummy/app/controllers/full_protected_resources_controller.rb +0 -12
- data/spec/dummy/app/controllers/home_controller.rb +0 -17
- data/spec/dummy/app/controllers/metal_controller.rb +0 -11
- data/spec/dummy/app/controllers/semi_protected_resources_controller.rb +0 -11
- data/spec/dummy/app/helpers/application_helper.rb +0 -5
- data/spec/dummy/app/models/user.rb +0 -5
- data/spec/dummy/app/views/home/index.html.erb +0 -0
- data/spec/dummy/app/views/layouts/application.html.erb +0 -14
- data/spec/dummy/config/application.rb +0 -23
- data/spec/dummy/config/boot.rb +0 -9
- data/spec/dummy/config/database.yml +0 -15
- data/spec/dummy/config/environment.rb +0 -5
- data/spec/dummy/config/environments/development.rb +0 -29
- data/spec/dummy/config/environments/production.rb +0 -62
- data/spec/dummy/config/environments/test.rb +0 -44
- data/spec/dummy/config/initializers/active_record_belongs_to_required_by_default.rb +0 -6
- data/spec/dummy/config/initializers/backtrace_silencers.rb +0 -7
- data/spec/dummy/config/initializers/doorkeeper.rb +0 -96
- data/spec/dummy/config/initializers/secret_token.rb +0 -9
- data/spec/dummy/config/initializers/session_store.rb +0 -8
- data/spec/dummy/config/initializers/wrap_parameters.rb +0 -14
- data/spec/dummy/config/locales/doorkeeper.en.yml +0 -5
- data/spec/dummy/config/routes.rb +0 -52
- data/spec/dummy/config.ru +0 -4
- data/spec/dummy/db/migrate/20111122132257_create_users.rb +0 -9
- data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb +0 -5
- data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +0 -60
- data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb +0 -7
- data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb +0 -11
- data/spec/dummy/db/schema.rb +0 -67
- data/spec/dummy/public/404.html +0 -26
- data/spec/dummy/public/422.html +0 -26
- data/spec/dummy/public/500.html +0 -26
- data/spec/dummy/public/favicon.ico +0 -0
- data/spec/dummy/script/rails +0 -6
- data/spec/factories.rb +0 -28
- data/spec/generators/application_owner_generator_spec.rb +0 -22
- data/spec/generators/install_generator_spec.rb +0 -31
- data/spec/generators/migration_generator_spec.rb +0 -20
- data/spec/generators/templates/routes.rb +0 -3
- data/spec/generators/views_generator_spec.rb +0 -27
- data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +0 -24
- data/spec/lib/config_spec.rb +0 -334
- data/spec/lib/doorkeeper_spec.rb +0 -28
- data/spec/lib/models/expirable_spec.rb +0 -51
- data/spec/lib/models/revocable_spec.rb +0 -59
- data/spec/lib/models/scopes_spec.rb +0 -43
- data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -42
- data/spec/lib/oauth/authorization_code_request_spec.rb +0 -80
- data/spec/lib/oauth/client/credentials_spec.rb +0 -47
- data/spec/lib/oauth/client/methods_spec.rb +0 -54
- data/spec/lib/oauth/client_credentials/creator_spec.rb +0 -44
- data/spec/lib/oauth/client_credentials/issuer_spec.rb +0 -86
- data/spec/lib/oauth/client_credentials/validation_spec.rb +0 -54
- data/spec/lib/oauth/client_credentials_integration_spec.rb +0 -27
- data/spec/lib/oauth/client_credentials_request_spec.rb +0 -104
- data/spec/lib/oauth/client_spec.rb +0 -39
- data/spec/lib/oauth/code_request_spec.rb +0 -45
- data/spec/lib/oauth/code_response_spec.rb +0 -34
- data/spec/lib/oauth/error_response_spec.rb +0 -61
- data/spec/lib/oauth/error_spec.rb +0 -23
- data/spec/lib/oauth/forbidden_token_response_spec.rb +0 -23
- data/spec/lib/oauth/helpers/scope_checker_spec.rb +0 -64
- data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -20
- data/spec/lib/oauth/helpers/uri_checker_spec.rb +0 -104
- data/spec/lib/oauth/invalid_token_response_spec.rb +0 -28
- data/spec/lib/oauth/password_access_token_request_spec.rb +0 -90
- data/spec/lib/oauth/pre_authorization_spec.rb +0 -155
- data/spec/lib/oauth/refresh_token_request_spec.rb +0 -154
- data/spec/lib/oauth/scopes_spec.rb +0 -122
- data/spec/lib/oauth/token_request_spec.rb +0 -98
- data/spec/lib/oauth/token_response_spec.rb +0 -85
- data/spec/lib/oauth/token_spec.rb +0 -116
- data/spec/lib/request/strategy_spec.rb +0 -53
- data/spec/lib/server_spec.rb +0 -52
- data/spec/models/doorkeeper/access_grant_spec.rb +0 -36
- data/spec/models/doorkeeper/access_token_spec.rb +0 -394
- data/spec/models/doorkeeper/application_spec.rb +0 -179
- data/spec/requests/applications/applications_request_spec.rb +0 -94
- data/spec/requests/applications/authorized_applications_spec.rb +0 -30
- data/spec/requests/endpoints/authorization_spec.rb +0 -72
- data/spec/requests/endpoints/token_spec.rb +0 -64
- data/spec/requests/flows/authorization_code_errors_spec.rb +0 -66
- data/spec/requests/flows/authorization_code_spec.rb +0 -156
- data/spec/requests/flows/client_credentials_spec.rb +0 -58
- data/spec/requests/flows/implicit_grant_errors_spec.rb +0 -32
- data/spec/requests/flows/implicit_grant_spec.rb +0 -61
- data/spec/requests/flows/password_spec.rb +0 -115
- data/spec/requests/flows/refresh_token_spec.rb +0 -174
- data/spec/requests/flows/revoke_token_spec.rb +0 -157
- data/spec/requests/flows/skip_authorization_spec.rb +0 -59
- data/spec/requests/protected_resources/metal_spec.rb +0 -14
- data/spec/requests/protected_resources/private_api_spec.rb +0 -81
- data/spec/routing/custom_controller_routes_spec.rb +0 -71
- data/spec/routing/default_routes_spec.rb +0 -35
- data/spec/routing/scoped_routes_spec.rb +0 -31
- data/spec/spec_helper.rb +0 -2
- data/spec/spec_helper_integration.rb +0 -59
- data/spec/support/dependencies/factory_girl.rb +0 -2
- data/spec/support/helpers/access_token_request_helper.rb +0 -11
- data/spec/support/helpers/authorization_request_helper.rb +0 -41
- data/spec/support/helpers/config_helper.rb +0 -9
- data/spec/support/helpers/model_helper.rb +0 -67
- data/spec/support/helpers/request_spec_helper.rb +0 -76
- data/spec/support/helpers/url_helper.rb +0 -55
- data/spec/support/http_method_shim.rb +0 -24
- data/spec/support/orm/active_record.rb +0 -3
- data/spec/support/shared/controllers_shared_context.rb +0 -69
- data/spec/support/shared/models_shared_examples.rb +0 -52
- data/spec/validators/redirect_uri_validator_spec.rb +0 -78
data/CHANGELOG.md
ADDED
@@ -0,0 +1,1119 @@
+# Changelog
+
+See https://github.com/doorkeeper-gem/doorkeeper/wiki/Migration-from-old-versions for
+upgrade guides.
+
+User-visible changes worth mentioning.
+
+## main
+
+- [#PR ID] Add your changelog here.
+
+## 5.6.8
+
+- [#1680] Fix handle_auth_errors :raise NotImplementedError
+
+## 5.6.7
+
+- [#1662] Specify uri_redirect validation class explicitly.
+- [#1652] Add custom attributes support to token generator.
+- [#1667] Pass `client` instead of `grant.application` to `find_or_create_access_token`.
+- [#1673] Honor `custom_access_token_attributes` in client credentials grant flow.
+- [#1676] Improve AuthorizationsController error response handling
+- [#1677] Fix URIHelper.valid_for_authorization? breaking for non url URIs.
+
+## 5.6.6
+
+- [#1644] Update HTTP headers.
+- [#1646] Block public clients automatic authorization skip.
+- [#1648] Add custom token attributes to Refresh Token Request.
+- [#1649] Fixed custom_access_token_attributes related errors.
+
+# 5.6.5
+
+- [#1602] Allow custom data to be stored inside access grants/tokens.
+- [#1634] Code refactoring for custom token attributes.
+- [#1639] Add grant type validation to avoid Internal Server Error for DELETE /oauth/authorize endpoint.
+
+# 5.6.4
+
+- [#1633] Apply ORM configuration in #to_prepare block to avoid autoloading errors.
+
+# 5.6.3
+
+- [#1622] Drop support for Rubies 2.5 and 2.6
+- [#1605] Fix URI validation for Ruby 3.2+.
+- [#1625] Exclude endless access tokens from `StaleRecordsCleaner`.
+- [#1626] Remove deprecated `active_record_options` config option.
+- [#1631] Fix regression with redirect behavior after token lookup optimizations (redirect to app URI when found).
+- [#1630] Special case unique index creation for refresh_token on SQL Server.
+- [#1627] Lazy evaluate Doorkeeper config when loading files and executing initializers.
+
+## 5.6.2
+
+- [#1604] Fix fetching of the application when custom application_class defined.
+
+## 5.6.1
+
+- [#1593] Add support for Trilogy ActiveRecord adapter.
+- [#1597] Add optional support to use the url path for the native authorization code flow. Ports forward [#1143] from 4.4.3
+- [#1599] Remove unnecessarily re-fetch of application object when creating an access token.
+
+## 5.6.0
+
+- [#1581] Consider `token_type_hint` when searching for access token in TokensController to avoid extra database calls.
+
+## 5.6.0.rc2
+
+- [#1558] Fixed bug: able to obtain a token with default scopes even if they are not present in the
+application scopes when using client credentials.
+- [#1567] Only filter `code` parameter if authorization_code grant flow is enabled.
+
+## 5.6.0.rc1
+
+- [#1551] Change lazy loading for ORM to be Ruby standard autoload.
+- [#1552] Remove duplicate IDs on Auth form to improve accessibility.
+- [#1542] Improve performance of `Doorkeeper::AccessToken#matching_token_for` using database specific SQL time math.
+
+**[IMPORTANT]**: API of the `Doorkeeper::AccessToken#matching_token_for` method has changed and now it returns
+only **active** access tokens (previously they were just not revoked). Please remember that the idea of the
+`reuse_access_token` option is to check for existing _active_ token (see configuration option description).
+
+## 5.5.4
+
+- [#1535] Revert changes introduced in #1528 to allow query params in `redirect_uri` as per the spec.
+
+## 5.5.3
+
+- [#1528] Don't allow extra query params in redirect_uri.
+- [#1525] I18n source for forbidden token error is now `doorkeeper.errors.messages.forbidden_token.missing_scope`.
+- [#1531] Disable `strict-loading` for Doorkeeper models by default.
+- [#1532] Add support for Rails 7.
+
+## 5.5.2
+
+- [#1502] Drop support for Ruby 2.4 because of EOL.
+- [#1504] Updated the url fragment in the comment for code documentation.
+- [#1512] Fix form behavior when response mode is form_post.
+- [#1511] Fix that authorization code is returned by fragment if response_mode is fragment.
+
+## 5.5.1
+
+- [#1496] Revoke `old_refresh_token` if `previous_refresh_token` is present.
+- [#1495] Fix `respond_to` undefined in API-only mode
+- [#1488] Verify client authentication for Resource Owner Password Grant when
+`config.skip_client_authentication_for_password_grant` is set and the client credentials
+are sent in a HTTP Basic auth header.
+
+## 5.5.0
+
+- [#1482] Simplify `TokenInfoController` to be overridable (extract response rendering).
+- [#1478] Fix ownership association and Rake tasks when custom models configured.
+- [#1477] Respect `ActiveRecord::Base.pluralize_table_names` for Doorkeeper table names.
+
+## 5.5.0.rc2
+
+- [#1473] Enable `Applications` and `AuthorizedApplications` controllers in API mode.
+
+**[IMPORTANT]** you can still skip these controllers using `skip_controllers` in
+`use_doorkeeper` inside `routes.rb`. Please do it in case you don't need them.
+
+- [#1472] Fix `establish_connection` configuration for custom defined models.
+- [#1471] Add support for Ruby 3.0.
+- [#1469] Check if `redirect_uri` exists.
+- [#1465] Memoize nil doorkeeper_token.
+- [#1459] Use built-in Ruby option to remove padding in PKCE code challenge value.
+- [#1457] Make owner_id a bigint for newly-generated owner migrations
+- [#1452] Empty previous_refresh_token only if present.
+- [#1440] Validate empty host in redirect_uri.
+- [#1438] Add form post response mode.
+- [#1458] Make `config.skip_client_authentication_for_password_grant` a long term configuration option.
+
+## 5.5.0.rc1
+
+- [#1435] Make error response not redirectable when client is unauthorized
+- [#1426] Ensure ActiveRecord callbacks are executed on token revocation.
+- [#1407] Remove redundant and complex to support helpers froms tests (`should_have_json`, etc).
+- [#1416] Don't add introspection route if token introspection completely disabled.
+- [#1410] Properly memoize `current_resource_owner` value (consider `nil` and `false` values).
+- [#1415] Ignore PKCE params for non-PKCE grants.
+- [#1418] Add ability to register custom OAuth Grant Flows.
+- [#1420] Require client authentication for Resource Owner Password Grant as stated in OAuth RFC.
+
+**[IMPORTANT]** you need to create a new OAuth client (`Doorkeeper::Application`) if you didn't
+have it before and use client credentials in HTTP Basic auth if you previously used this grant
+flow without client authentication. To opt out of this you could set the
+`skip_client_authentication_for_password_grant` configuration option to `true`, but note that
+this is in violation of the OAuth spec and represents a security risk.
+All the users of your provider application now need to include client credentials when they use
+this grant flow.
+
+- [#1421] Add Resource Owner instance to authorization hook context for `custom_access_token_expires_in`
+configuration option to allow resource owner based Access Tokens TTL.
+
+## 5.4.0
+
+- [#1404] Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.4.0.rc2
+
+- [#1371] Add `#as_json` method and attributes serialization restriction for Application model.
+Fixes information disclosure vulnerability (CVE-2020-10187).
+
+**[IMPORTANT]** you need to re-implement `#as_json` method for Doorkeeper Application model
+if you previously used `#to_json` serialization with custom options or attributes or rely on
+JSON response from /oauth/applications.json or /oauth/authorized_applications.json. This change
+is a breaking change which restricts serialized attributes to a very small set of columns.
+
+- [#1395] Fix `NameError: uninitialized constant Doorkeeper::AccessToken` for Rake tasks.
+- [#1397] Add `as: :doorkeeper_application` on Doorkeeper application form in order to support
+custom configured application model.
+- [#1400] Correctly yield the application instance to `allow_grant_flow_for_client?` config
+option (fixes #1398).
+- [#1402] Handle trying authorization with client credentials.
+
+## 5.4.0.rc1
+- [#1366] Sets expiry of token generated using `refresh_token` to that of original token. (Fixes #1364)
+- [#1354] Add `authorize_resource_owner_for_client` option to authorize the calling user to access an application.
+- [#1355] Allow to enable polymorphic Resource Owner association for Access Token & Grant
+models (`use_polymorphic_resource_owner` configuration option).
+
+**[IMPORTANT]** Review your custom patches or extensions for Doorkeeper internals if you
+have such - since now Doorkeeper passes Resource Owner instance to every objects and not
+just it's ID. See PR description for details.
+
+- [#1356] Remove duplicated scopes from Access Tokens and Grants on attribute assignment.
+- [#1357] Fix `Doorkeeper::OAuth::PreAuthorization#as_json` method causing
+`Stack level too deep` error with AMS (fix #1312).
+- [#1358] Deprecate `active_record_options` configuration option.
+- [#1359] Refactor Doorkeeper configuration options DSL to make it easy to reuse it
+in external extensions.
+- [#1360] Increase `matching_token_for` lookup size to 10 000 and make it configurable.
+- [#1371] Fix controllers to use valid classes in case Doorkeeper has custom models configured.
+- [#1370] Fix revocation response for invalid token and unauthorized requests to conform with RFC 7009 (fixes #1362).
+
+**[IMPORTANT]** now fully according to RFC 7009 nobody can do a revocation request without `client_id`
+(for public clients) and `client_secret` (for private clients). Please update your apps to include that
+info in the revocation request payload.
+
+- [#1373] Make Doorkeeper routes mapper reusable in extensions.
+- [#1374] Revoke and issue client credentials token in a transaction with a row lock.
+- [#1384] Add context object with auth/pre_auth and issued_token for authorization hooks.
+- [#1387] Add `AccessToken#create_for` and use in `RefreshTokenRequest`.
+- [#1392] Fix `enable_polymorphic_resource_owner` migration template to have proper index name.
+- [#1393] Improve Applications #show page with more informative data on client secret and scopes.
+- [#1394] Use Ruby `autoload` feature to load Doorkeeper files.
+
+## 5.3.3
+
+- [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.3.2
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+Fixes information disclosure vulnerability (CVE-2020-10187).
+
+## 5.3.1
+
+- [#1360] Backport: Increase `matching_token_for` batch lookup size to 10 000 and make it configurable.
+
+## 5.3.0
+
+- [#1339] Validate Resource Owner in `PasswordAccessTokenRequest` against `nil` and `false` values.
+- [#1341] Fix `refresh_token_revoked_on_use` with `hash_token_secrets` enabled.
+- [#1343] Fix ruby 2.7 kwargs warning in InvalidTokenResponse.
+- [#1345] Allow to set custom classes for Doorkeeper models, extract reusable AR mixins.
+- [#1346] Refactor `Doorkeeper::Application#to_json` into convenient `#as_json` (fix #1344).
+- [#1349] Fix `Doorkeeper::Application` AR associations using an incorrect foreign key name when using a custom class.
+- [#1318] Make existing token revocation for client credentials optional and disable it by default.
+
+**[IMPORTANT]** This is a change compared to the behaviour of version 5.2.
+If you were relying on access tokens being revoked once the same client
+requested a new access token, reenable it with `revoke_previous_client_credentials_token` in Doorkeeper
+initialization file.
+
+## 5.2.6
+
+- [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.2.5
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+Fixes information disclosure vulnerability (CVE-2020-10187).
+
+## 5.2.4
+
+- [#1360] Backport: Increase `matching_token_for` batch lookup size to 10 000 and make it configurable.
+
+## 5.2.3
+
+- [#1334] Remove `application_secret` flash helper and `redirect_to` keyword.
+- [#1331] Move redirect_uri_validator to where it is used (`Application` model).
+- [#1326] Move response_type check in pre_authorization to a method to be easily to override.
+- [#1329] Fix `find_in_batches` order warning.
+
+## 5.2.2
+
+- [#1320] Call configured `authenticate_resource_owner` method once per request.
+- [#1315] Allow generation of new secret with `Doorkeeper::Application#renew_secret`.
+- [#1309] Allow `Doorkeeper::Application#to_json` to work without arguments.
+
+## 5.2.1
+
+- [#1308] Fix flash types for `api_only` mode (no flashes for `ActionController::API`).
+- [#1306] Fix interpolation of `missing_param` I18n.
+
+## 5.2.0
+
+- [#1305] Make `Doorkeeper::ApplicationController` to inherit from `ActionController::API` in cases
+when `api_mode` enabled (fixes #1302).
+
+## 5.2.0.rc3
+
+- [#1298] Slice strong params so doesn't error with Rails forms.
+- [#1300] Limiting access to attributes of pre_authorization.
+- [#1296] Adding client_id to strong parameters.
+
+**[IMPORTANT]** `Doorkeeper::Server#client_via_uid` was removed.
+
+- [#1293] Move ar specific redirect uri validator to ar orm directory.
+- [#1288] Allow to pass attributes to the `Doorkeeper::OAuth::PreAuthorization#as_json` method to customize
+the PreAuthorization response.
+- [#1286] Add ability to customize grant flows per application (OAuth client) (#1245 , #1207)
+- [#1283] Allow to customize base class for `Doorkeeper::ApplicationMetalController` (new configuration
+option called `base_metal_controller` (fix #1273).
+- [#1277] Prevent requested scope be empty on authorization request, handle and add description for invalid request.
+
+## 5.2.0.rc2
+
+- [#1270] Find matching tokens in batches for `reuse_access_token` option (fix #1193).
+- [#1271] Reintroduce existing token revocation for client credentials.
+
+**[IMPORTANT]** If you rely on being able to fetch multiple access tokens from the same
+client using client credentials flow, you should skip to version 5.3, where this behaviour
+is deactivated by default.
+
+- [#1269] Update initializer template documentation.
+- [#1266] Use strong parameters within pre-authorization.
+- [#1264] Add :before_successful_authorization and :after_successful_authorization hooks in TokensController
+- [#1263] Response properly when introspection fails and fix configurations's user guide.
+
+## 5.2.0.rc1
+
+- [#1260], [#1262] Improve Token Introspection configuration option (access to tokens, client).
+- [#1257] Add constraint configuration when using client authentication on introspection endpoint.
+- [#1252] Returning `unauthorized` when the revocation of the token should not be performed due to wrong permissions.
+- [#1249] Specify case sensitive uniqueness to remove Rails 6 deprecation message
+- [#1248] Display the Application Secret in HTML after creating a new application even when `hash_application_secrets` is used.
+- [#1248] Return the unhashed Application Secret in the JSON response after creating new application even when `hash_application_secrets` is used.
+- [#1238] Better support for native app with support for custom scheme and localhost redirection.
+
+## 5.1.2
+
+- [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.1.1
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+Fixes information disclosure vulnerability (CVE-2020-10187).
+
+## 5.1.0
+
+- [#1243] Add nil check operator in token checking at token introspection.
+- [#1241] Explaining foreign key options for resource owner in a single place
+- [#1237] Allow to set blank redirect URI if Doorkeeper configured to use redirect URI-less grant flows.
+- [#1234] Fix `StaleRecordsCleaner` to properly work with big amount of records.
|
326
|
+
- [#1228] Allow to explicitly set non-expiring tokens in `custom_access_token_expires_in` configuration
|
327
|
+
option using `Float::INFINITY` return value.
|
328
|
+
- [#1224] Do not try to store token if not found by fallback hashing strategy.
|
329
|
+
- [#1223] Update Hound/Rubocop rules, correct Doorkeeper codebase to follow style-guides.
|
330
|
+
- [#1220] Drop Rails 4.2 & Ruby < 2.4 support.
|
331
|
+
|
332
|
+
## 5.1.0.rc2
|
333
|
+
|
334
|
+
- [#1208] Unify hashing implementation into secret storing strategies
|
335
|
+
|
336
|
+
**[IMPORTANT]** If you have been using the master branch of doorkeeper with bcrypt in your Gemfile.lock,
|
337
|
+
your application secrets have been hashed using BCrypt. To restore this behavior, use the initializer option
|
338
|
+
`hash_application_secrets using: 'Doorkeeper::SecretStoring::BCrypt`.
|
339
|
+
|
340
|
+
- [#1216] Add nil check to `expires_at` method.
|
341
|
+
- [#1215] Fix deprecates for Rails 6.
|
342
|
+
- [#1214] Scopes field accepts array.
|
343
|
+
- [#1209] Fix tokens validation for Token Introspection request.
|
344
|
+
- [#1202] Use correct HTTP status codes for error responses.
|
345
|
+
|
346
|
+
**[IMPORTANT]**: this change might break your application if you were relying on the previous
|
347
|
+
401 status codes, this is now a 400 by default, or a 401 for `invalid_client` and `invalid_token` errors.
|
348
|
+
|
349
|
+
- [#1201] Fix custom TTL block `client` parameter to always be an `Doorkeeper::Application` instance.
|
350
|
+
|
351
|
+
**[IMPORTANT]**: those who defined `custom_access_token_expires_in` configuration option need to check
|
352
|
+
their block implementation: if you are using `oauth_client.application` to get `Doorkeeper::Application`
|
353
|
+
instance, then you need to replace it with just `oauth_client`.
|
354
|
+
|
355
|
+
- [#1200] Increase default Doorkeeper access token value complexity (`urlsafe_base64` instead of just `hex`)
|
356
|
+
matching RFC6749/RFC6750.
|
357
|
+
|
358
|
+
**[IMPORTANT]**: this change have possible side-effects in case you have custom database constraints for
|
359
|
+
access token value, application secrets, refresh tokens or you patched Doorkeeper models and introduced
|
360
|
+
token value validations, or you are using database with case-insensitive WHERE clause like MySQL
|
361
|
+
(you can face some collisions). Before this change access token value matched `[a-f0-9]` regex, and now
|
362
|
+
it matches `[a-zA-Z0-9\-_]`. In case you have such restrictions and your don't use custom token generator
|
363
|
+
please change configuration option `default_generator_method` to `:hex`.
|
364
|
+
|
365
|
+
- [#1195] Allow to customize Token Introspection response (fixes #1194).
|
366
|
+
- [#1189] Option to set `token_reuse_limit`.
|
367
|
+
- [#1191] Try to load bcrypt for hashing of application secrets, but add fallback.
|
368
|
+
|
369
|
+
## 5.1.0.rc1
|
370
|
+
|
371
|
+
- [#1188] Use `params` instead of `request.POST` in tokens controller (fixes #1183).
|
372
|
+
- [#1182] Fix loopback IP redirect URIs to conform with RFC8252, p. 7.3 (fixes #1170).
|
373
|
+
- [#1179] Authorization Code Grant Flow without client id returns invalid_client error.
|
374
|
+
- [#1177] Allow to limit `scopes` for certain `grant_types`
|
375
|
+
- [#1176] Fix test factory support for `factory_bot_rails`
|
376
|
+
- [#1175] Internal refactor: use `scopes_string` inside `scopes`.
|
377
|
+
- [#1168] Allow optional hashing of tokens and secrets.
|
378
|
+
- [#1164] Fix error when `root_path` is not defined.
|
379
|
+
- [#1162] Fix `enforce_content_type` for requests without body.
|
380
|
+
|
381
|
+
## 5.0.3
|
382
|
+
|
383
|
+
- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
|
384
|
+
Fixes information disclosure vulnerability (CVE-2020-10187).
|
385
|
+
|
386
|
+
## 5.0.2
|
387
|
+
|
388
|
+
- [#1158] Fix initializer template: change `handle_auth_errors` option
|
389
|
+
- [#1157] Remove redundant index from migration template.
|
390
|
+
|
391
|
+
## 5.0.1
|
392
|
+
|
393
|
+
- [#1154] Refactor `StaleRecordsCleaner` to be ORM agnostic.
|
394
|
+
- [#1152] Fix migration template: change resource owner data type from integer to Rails generic `references`
|
395
|
+
- [#1151] Fix Refresh Token strategy: add proper validation of client credentials both for Public & Private clients.
|
396
|
+
- [#1149] Fix for `URIChecker#valid_for_authorization?` false negative when query is blank, but `?` present.
|
397
|
+
- [#1140] Allow rendering custom errors from exceptions (issue #844). Originally opened as [#944].
|
398
|
+
- [#1138] Revert regression bug (check for token expiration in Authorizations controller so authorization
|
399
|
+
triggers every time)
|
400
|
+
|
401
|
+
## 5.0.0
|
402
|
+
|
403
|
+
- [#1127] Change the token_type initials of the Banner Token to uppercase to comply with the RFC6750 specification.
|
404
|
+
|
405
|
+
## 5.0.0.rc2
|
406
|
+
|
407
|
+
- [#1122] Fix AuthorizationsController#new error response to be in JSON format
|
408
|
+
- [#1119] Fix token revocation for OAuth apps using "implicit" grant flow
|
409
|
+
- [#1116] `AccessGrant`s will now be revoked along with `AccessToken`s when
|
410
|
+
hitting the `AuthorizedApplicationController#destroy` route.
|
411
|
+
- [#1114] Make token info endpoint's attributes consistent with token creation
|
412
|
+
- [#1108] Simple formatting of callback URLs when listing oauth applications
|
413
|
+
- [#1106] Restrict access to AdminController with 'Forbidden 403' if admin_authenticator is not
|
414
|
+
configured by developers.
|
415
|
+
|
416
|
+
## 5.0.0.rc1
|
417
|
+
|
418
|
+
- [#1103] Allow customizing use_refresh_token
|
419
|
+
- [#1089] Removed enable_pkce_without_secret configuration option
|
420
|
+
- [#1102] Expiration time based on scopes
|
421
|
+
- [#1099] All the configuration variables in `Doorkeeper.configuration` now
|
422
|
+
always return a non-nil value (`true` or `false`)
|
423
|
+
- [#1099] ORM / Query optimization: Do not revoke the refresh token if it is not enabled
|
424
|
+
in `doorkeeper.rb`
|
425
|
+
- [#996] Expiration Time Base On Grant Type
|
426
|
+
- [#997] Allow PKCE authorization_code flow as specified in RFC7636
|
427
|
+
- [#907] Fix lookup for matching tokens in certain edge-cases
|
428
|
+
- [#992] Add API option to use Doorkeeper without management views for API only
|
429
|
+
Rails applications (`api_only`)
|
430
|
+
- [#1045] Validate redirect_uri as the native URI when making authorization code requests
|
431
|
+
- [#1048] Remove deprecated `Doorkeeper#configured?`, `Doorkeeper#database_installed?`, and
|
432
|
+
`Doorkeeper#installed?` method
|
433
|
+
- [#1031] Allow public clients to authenticate without `client_secret`. Define an app as
|
434
|
+
either public or private/confidential
|
435
|
+
|
436
|
+
**[IMPORTANT]**: all the applications (clients) now are considered as private by default.
|
437
|
+
You need to manually change `confidential` column to `false` if you are using public clients,
|
438
|
+
in other case your mobile (or other) applications will not be able to authorize.
|
439
|
+
See [#1142](https://github.com/doorkeeper-gem/doorkeeper/issues/1142) for more details.
|
440
|
+
|
441
|
+
- [#1010] Add configuration to enforce configured scopes (`default_scopes` and
|
442
|
+
`optional_scopes`) for applications
|
443
|
+
- [#1060] Ensure that the native redirect_uri parameter matches with redirect_uri of the client
|
444
|
+
- [#1064] Add :before_successful_authorization and :after_successful_authorization hooks
|
445
|
+
- [#1069] Upgrade Bootstrap to 4 for Admin
|
446
|
+
- [#1068] Add rake task to cleanup databases that can become large over time
|
447
|
+
- [#1072] AuthorizationsController: Memoize strategy.authorize_response result to enable
|
448
|
+
subclasses to use the response object.
|
449
|
+
- [#1075] Call `before_successful_authorization` and `after_successful_authorization` hooks
|
450
|
+
on `create` action as well as `new`
|
451
|
+
- [#1082] Fix #916: remember routes mapping and use it required places (fix error with
|
452
|
+
customized Token Info route).
|
453
|
+
- [#1086, #1088] Fix bug with receiving default scopes in the token even if they are
|
454
|
+
not present in the application scopes (use scopes intersection).
|
455
|
+
- [#1076] Add config to enforce content type to application/x-www-form-urlencoded
|
456
|
+
- Fix bug with `force_ssl_in_redirect_uri` when it breaks existing applications with an
|
457
|
+
SSL redirect_uri.
|
458
|
+
|
459
|
+
## 4.4.3
|
460
|
+
|
461
|
+
- [#1143] Adds a config option `opt_out_native_route_change` to opt out of the breaking api
|
462
|
+
changed introduced in https://github.com/doorkeeper-gem/doorkeeper/pull/1003
|
463
|
+
|
464
|
+
## 4.4.2
|
465
|
+
|
466
|
+
- [#1130] Backport fix for native redirect_uri from 5.x.
|
467
|
+
|
468
|
+
## 4.4.1
|
469
|
+
|
470
|
+
- [#1127] Backport token type to comply with the RFC6750 specification.
|
471
|
+
- [#1125] Backport Quote surround I18n yes/no keys
|
472
|
+
|
473
|
+
## 4.4.0
|
474
|
+
|
475
|
+
- [#1120] Backport security fix from 5.x for token revocation when using public clients
|
476
|
+
|
477
|
+
**[IMPORTANT]**: all the applications (clients) now are considered as private by default.
|
478
|
+
You need to manually change `confidential` column to `false` if you are using public clients,
|
479
|
+
in other case your mobile (or other) applications will not be able to authorize.
|
480
|
+
See [#1142](https://github.com/doorkeeper-gem/doorkeeper/issues/1142) for more details.
|
481
|
+
|
482
|
+
## 4.3.2
|
483
|
+
|
484
|
+
- [#1053] Support authorizing with query params in the request `redirect_uri` if explicitly present in app's `Application#redirect_uri`
|
485
|
+
|
486
|
+
## 4.3.1
|
487
|
+
|
488
|
+
- Remove `BaseRecord` and introduce additional concern for ordering methods to fix
|
489
|
+
braking changes for Doorkeeper models.
|
490
|
+
- [#1032] Refactor BaseRequest callbacks into configurable lambdas
|
491
|
+
- [#1040] Clear mixins from ActiveRecord DSL and save only overridable API. It
|
492
|
+
allows to use this mixins in Doorkeeper ORM extensions with minimum code boilerplate.
|
493
|
+
|
494
|
+
## 4.3.0
|
495
|
+
|
496
|
+
- [#976] Fix to invalidate the second redirect URI when the first URI is the native URI
|
497
|
+
- [#1035] Allow `Application#redirect_uri=` to handle array of URIs.
|
498
|
+
- [#1036] Allow to forbid Application redirect URI's with specific rules.
|
499
|
+
- [#1029] Deprecate `order_method` and introduce `ordered_by`. Sort applications
|
500
|
+
by `created_at` in index action.
|
501
|
+
- [#1033] Allow Doorkeeper configuration option #force_ssl_in_redirect_uri to be a callable object.
|
502
|
+
- Fix Grape integration & add specs for it
|
503
|
+
- [#913] Deferred ORM (ActiveRecord) models loading
|
504
|
+
- [#943] Fix Access Token token generation when certain errors occur in custom token generators
|
505
|
+
- [#1026] Implement RFC7662 - OAuth 2.0 Token Introspection
|
506
|
+
- [#985] Generate valid migration files for Rails >= 5
|
507
|
+
- [#972] Replace Struct subclassing with block-form initialization
|
508
|
+
- [#1003] Use URL query param to pass through native redirect auth code so automated apps can find it.
|
509
|
+
|
510
|
+
**[IMPORTANT]**: Previously authorization code response route was `/oauth/authorize/<code>`,
|
511
|
+
now it is `oauth/authorize/native?code=<code>` (in order to help applications to automatically find the code value).
|
512
|
+
|
513
|
+
- [#868] `Scopes#&` and `Scopes#+` now take an array or any other enumerable
|
514
|
+
object.
|
515
|
+
- [#1019] Remove translation not in use: `invalid_resource_owner`.
|
516
|
+
- Use Ruby 2 hash style syntax (min required Ruby version = 2.1)
|
517
|
+
- [#948] Make Scopes.<=> work with any "other" value.
|
518
|
+
- [#974] Redirect URI is checked without query params within AuthorizationCodeRequest.
|
519
|
+
- [#1004] More explicit help text for `native_redirect_uri`.
|
520
|
+
- [#1023] Update Ruby versions and test against 2.5.0 on Travis CI.
|
521
|
+
- [#1024] Migrate from FactoryGirl to FactoryBot.
|
522
|
+
- [#1025] Improve documentation for adding foreign keys
|
523
|
+
- [#1028] Make it possible to have composite strategy names.
|
524
|
+
|
525
|
+
## 4.2.6
|
526
|
+
|
527
|
+
- [#970] Escape certain attributes in authorization forms.
|
528
|
+
|
529
|
+
## 4.2.5
|
530
|
+
|
531
|
+
- [#936] Deprecate `Doorkeeper#configured?`, `Doorkeeper#database_installed?`, and
|
532
|
+
`Doorkeeper#installed?`
|
533
|
+
- [#909] Add `InvalidTokenResponse#reason` reader method to allow read the kind
|
534
|
+
of invalid token error.
|
535
|
+
- [#928] Test against more recent Ruby versions
|
536
|
+
- Small refactorings within the codebase
|
537
|
+
- [#921] Switch to Appraisal, and test against Rails master
|
538
|
+
- [#892] Add minimum Ruby version requirement
|
539
|
+
|
540
|
+
## 4.2.0
|
541
|
+
|
542
|
+
- Security fix: Address CVE-2016-6582, implement token revocation according to
|
543
|
+
spec (tokens might not be revoked if client follows the spec).
|
544
|
+
- [#873] Add hooks to Doorkeeper::ApplicationMetalController
|
545
|
+
- [#871] Allow downstream users to better utilize doorkeeper spec factories by
|
546
|
+
eliminating name conflict on `:user` factory.
|
547
|
+
|
548
|
+
## 4.1.0
|
549
|
+
|
550
|
+
- [#845] Allow customising the `Doorkeeper::ApplicationController` base
|
551
|
+
controller
|
552
|
+
|
553
|
+
## 4.0.0
|
554
|
+
|
555
|
+
- [#834] Fix AssetNotPrecompiled error with Sprockets 4
|
556
|
+
- [#843] Revert "Fix validation error messages"
|
557
|
+
- [#847] Specify Null option to timestamps
|
558
|
+
|
559
|
+
## 4.0.0.rc4
|
560
|
+
|
561
|
+
- [#777] Add support for public client in password grant flow
|
562
|
+
- [#823] Make configuration and specs ORM independent
|
563
|
+
- [#745] Add created_at timestamp to token generation options
|
564
|
+
- [#838] Drop `Application#scopes` generator and warning, introduced for
|
565
|
+
upgrading doorkeeper from v2 to v3.
|
566
|
+
- [#801] Fix Rails 5 warning messages
|
567
|
+
- Test against Rails 5 RC1
|
568
|
+
|
569
|
+
## 4.0.0.rc3
|
570
|
+
|
571
|
+
- [#769] Revoke refresh token on access token use. To make use of the new config
|
572
|
+
add `previous_refresh_token` column to `oauth_access_tokens`:
|
573
|
+
|
574
|
+
```
|
575
|
+
rails generate doorkeeper:previous_refresh_token
|
576
|
+
```
|
577
|
+
|
578
|
+
- [#811] Toughen parameters filter with exact match
|
579
|
+
- [#813] Applications admin bugfix
|
580
|
+
- [#799] Fix Ruby Warnings
|
581
|
+
- Drop `attr_accessible` from models
|
582
|
+
|
583
|
+
### Backward incompatible changes
|
584
|
+
|
585
|
+
- [#730] Force all timezones to use UTC to prevent comparison issues.
|
586
|
+
- [#802] Remove `config.i18n.fallbacks` from engine
|
587
|
+
|
588
|
+
## 4.0.0.rc2
|
589
|
+
|
590
|
+
- Fix optional belongs_to for Rails 5
|
591
|
+
- Fix Ruby warnings
|
592
|
+
|
593
|
+
## 4.0.0.rc1
|
594
|
+
|
595
|
+
### Backward incompatible changes
|
596
|
+
|
597
|
+
- Drops support for Rails 4.1 and earlier
|
598
|
+
- Drops support for Ruby 2.0
|
599
|
+
- [#778] Bug fix: use the remaining time that a token is still valid when
|
600
|
+
building the redirect URI for the implicit grant flow
|
601
|
+
|
602
|
+
### Other changes
|
603
|
+
|
604
|
+
- [#771] Validation error messages fixes
|
605
|
+
- Adds foreign key constraints in generated migrations between tokens and
|
606
|
+
grants, and applications
|
607
|
+
- Support Rails 5
|
608
|
+
|
609
|
+
## 3.1.0
|
610
|
+
|
611
|
+
- [#736] Existing valid tokens are now reused in client_credentials flow
|
612
|
+
- [#749] Allow user to raise authorization error with custom messages.
|
613
|
+
Under `resource_owner_authenticator` block a user can
|
614
|
+
`raise Doorkeeper::Errors::DoorkeeperError.new('custom_message')`
|
615
|
+
- [#762] Check doesn’t abort the actual migration, so it runs
|
616
|
+
- [#722] `doorkeeper_forbidden_render_options` now supports returning a 404 by
|
617
|
+
specifying `respond_not_found_when_forbidden: true` in the
|
618
|
+
`doorkeeper_forbidden_render_options` method.
|
619
|
+
- [#734] Simplify and remove duplication in request strategy classes
|
620
|
+
|
621
|
+
## 3.0.1
|
622
|
+
|
623
|
+
- [#712] Wrap exchange of grant token for access token and access token refresh
|
624
|
+
in transactions
|
625
|
+
- [#704] Allow applications scopes to be mass assigned
|
626
|
+
- [#707] Fixed order of Mixin inclusion and table_name configuration in models
|
627
|
+
- [#712] Wrap access token and refresh grants in transactions
|
628
|
+
- Adds JRuby support
|
629
|
+
- Specs, views and documentation adjustments
|
630
|
+
|
631
|
+
## 3.0.0
|
632
|
+
|
633
|
+
### Other changes
|
634
|
+
|
635
|
+
- [#693] Updates `en.yml`.
|
636
|
+
|
637
|
+
## 3.0.0 (rc2)
|
638
|
+
|
639
|
+
### Backward incompatible changes
|
640
|
+
|
641
|
+
- [#678] Change application-specific scopes to take precedence over server-wide
|
642
|
+
scopes. This removes the previous behavior where the intersection between
|
643
|
+
application and server scopes was used.
|
644
|
+
|
645
|
+
### Other changes
|
646
|
+
|
647
|
+
- [#671] Fixes `NoMethodError - undefined method 'getlocal'` when calling
|
648
|
+
the /oauth/token path. Switch from using a DateTime object to update
|
649
|
+
AR to using a Time object. (Issue #668)
|
650
|
+
- [#677] Support editing application-specific scopes via the standard forms
|
651
|
+
- [#682] Pass error hash to Grape `error!`
|
652
|
+
- [#683] Generate application secret/UID if fields are blank strings
|
653
|
+
|
654
|
+
## 3.0.0 (rc1)
|
655
|
+
|
656
|
+
### Backward incompatible changes
|
657
|
+
|
658
|
+
- [#648] Extracts mongodb ORMs to
|
659
|
+
https://github.com/doorkeeper-gem/doorkeeper-mongodb. If you use ActiveRecord
|
660
|
+
you don’t need to do any change, otherwise you will need to install the new
|
661
|
+
plugin.
|
662
|
+
- [#665] `doorkeeper_unauthorized_render_options(error:)` and
|
663
|
+
`doorkeeper_forbidden_render_options(error:)` now accept `error` keyword
|
664
|
+
argument.
|
665
|
+
|
666
|
+
### Removed deprecations
|
667
|
+
|
668
|
+
- Removes `doorkeeper_for` deprecation notice.
|
669
|
+
- Remove `applications.scopes` upgrade notice.
|
670
|
+
|
671
|
+
## 2.2.2
|
672
|
+
|
673
|
+
- [#541] Fixed `undefined method attr_accessible` problem on Rails 4
|
674
|
+
(happens only when ProtectedAttributes gem is used) in #599
|
675
|
+
|
676
|
+
## 2.2.1
|
677
|
+
|
678
|
+
- [#636] `custom_access_token_expires_in` bugfixes
|
679
|
+
- [#641] syntax error fix (Issue #612)
|
680
|
+
- [#633] Send extra details to Custom Token Generator
|
681
|
+
- [#628] Refactor: improve orm adapters to ease extension
|
682
|
+
- [#637] Upgrade to rspec to 3.2
|
683
|
+
|
684
|
+
## 2.2.0 - 2015-04-19
|
685
|
+
|
686
|
+
- [#611] Allow custom access token generators to be used
|
687
|
+
- [#632] Properly fallback to `default_scopes` when no scope is specified
|
688
|
+
- [#622] Clarify that there is a logical OR between scopes for authorizing
|
689
|
+
- [#635] Upgrade to rspec 3
|
690
|
+
- [#627] i18n fallbacks to english
|
691
|
+
- Moved CHANGELOG to NEWS.md
|
692
|
+
|
693
|
+
## 2.1.4 - 2015-03-27
|
694
|
+
|
695
|
+
- [#595] HTTP spec: Add `scope` for refresh token scope param
|
696
|
+
- [#596] Limit scopes in app scopes for client credentials
|
697
|
+
- [#567] Add Grape helpers for easier integration with Grape framework
|
698
|
+
- [#606] Add custom access token expiration support for Client Credentials flow
|
699
|
+
|
700
|
+
## 2.1.3 - 2015-03-01
|
701
|
+
|
702
|
+
- [#588] Fixes scopes_match? bug that skipped authorization form in some cases
|
703
|
+
|
704
|
+
## 2.1.2 - 2015-02-25
|
705
|
+
|
706
|
+
- [#574] Remove unused update authorization route.
|
707
|
+
- [#576] Filter out sensitive parameters from logs.
|
708
|
+
- [#582] The Authorization HTTP header fields are now case insensitive.
|
709
|
+
- [#583] Database connection bugfix in certain scenarios.
|
710
|
+
- Testing improvements
|
711
|
+
|
712
|
+
## 2.1.1 - 2015-02-06
|
713
|
+
|
714
|
+
- Remove `wildcard_redirect_url` option
|
715
|
+
- [#481] Customize token flow OAuth expirations with a config lambda
|
716
|
+
- [#568] TokensController: Memoize strategy.authorize_response result to enable
|
717
|
+
subclasses to use the response object.
|
718
|
+
- [#571] Fix database initialization issues in some configurations.
|
719
|
+
- Documentation improvements
|
720
|
+
|
721
|
+
## 2.1.0 - 2015-01-13
|
722
|
+
|
723
|
+
- [#540] Include `created_at` in response.
|
724
|
+
- [#538] Check application-level scopes in client_credentials and password flow.
|
725
|
+
- [5596227] Check application scopes in AccessToken when present. Fixes a bug in
|
726
|
+
doorkeeper 2.0.0 and 2.0.1 referring to application specific scopes.
|
727
|
+
- [#534] Internationalizes doorkeeper views.
|
728
|
+
- [#545] Ensure there is a connection to the database before checking for
|
729
|
+
missing columns
|
730
|
+
- [#546] Use `Doorkeeper::` prefix when referencing `Application` to avoid
|
731
|
+
possible application model name conflict.
|
732
|
+
- [#538] Test with Rails ~> 4.2.
|
733
|
+
|
734
|
+
### Potentially backward incompatible changes
|
735
|
+
|
736
|
+
- Enable by default `authorization_code` and `client_credentials` grant flows.
|
737
|
+
Disables implicit and password grant flows by default.
|
738
|
+
- [#510, #544, 722113f] Revoked refresh token response bugfix.
|
739
|
+
|
740
|
+
## 2.0.1 - 2014-12-17
|
741
|
+
|
742
|
+
- [#525, #526, #527] Fix `ActiveRecord::NoDatabaseError` on gem load.
|
743
|
+
|
744
|
+
## 2.0.0 - 2014-12-16
|
745
|
+
|
746
|
+
### Backward incompatible changes
|
747
|
+
|
748
|
+
- [#448] Removes `doorkeeper_for` helper. Now we use
|
749
|
+
`before_action :doorkeeper_authorize!`.
|
750
|
+
- [#469] Allow client applications to restrict the set of allowable scopes.
|
751
|
+
Fixes #317. `oauth_applications` relation needs a new `scopes` string column,
|
752
|
+
non nullable, which defaults to an empty string. To add the column run:
|
753
|
+
|
754
|
+
```
|
755
|
+
rails generate doorkeeper:application_scopes
|
756
|
+
```
|
757
|
+
|
758
|
+
If you’d rather do it by hand, your ActiveRecord migration should contain:
|
759
|
+
|
760
|
+
```ruby
|
761
|
+
add_column :oauth_applications, :scopes, :string, null: false, default: ‘’
|
762
|
+
```
|
763
|
+
|
764
|
+
### Removed deprecations
|
765
|
+
|
766
|
+
- Removes `test_redirect_uri` option. It is now called `native_redirect_uri`.
|
767
|
+
- [#446] Removes `mount Doorkeeper::Engine`. Now we use `use_doorkeeper`.
|
768
|
+
|
769
|
+
### Others
|
770
|
+
|
771
|
+
- [#484] Performance improvement - avoid performing order_by when not required.
|
772
|
+
- [#450] When password is invalid in Password Credentials Grant, Doorkeeper
|
773
|
+
returned 'invalid_resource_owner' instead of 'invalid_grant', as the spec
|
774
|
+
declares. Fixes #444.
|
775
|
+
- [#452] Allows `revoked_at` to be set in the future, for future expiry.
|
776
|
+
Rationale: https://github.com/doorkeeper-gem/doorkeeper/pull/452#issuecomment-51431459
|
777
|
+
- [#480] For Implicit grant flow, access tokens can now be reused. Fixes #421.
|
778
|
+
- [#491] Reworks of @jasl's #454 and #478. ORM refactor that allows doorkeeper
|
779
|
+
to be extended more easily with unsupported ORMs. It also marks the boundaries
|
780
|
+
between shared model code and ORM specifics inside of the gem.
|
781
|
+
- [#496] Tests with Rails 4.2.
|
782
|
+
- [#489] Adds `force_ssl_in_redirect_uri` to force the usage of the HTTPS
|
783
|
+
protocol in non-native redirect uris.
|
784
|
+
- [#516] SECURITY: Adds `protect_from_forgery` to `Doorkeeper::ApplicationController`
|
785
|
+
- [#518] Fix random failures in mongodb.
|
786
|
+
|
787
|
+
---
|
788
|
+
|
789
|
+
## 1.4.2 - 2015-03-02
|
790
|
+
|
791
|
+
- [#576] Filter out sensitive parameters from logs
|
792
|
+
|
793
|
+
## 1.4.1 - 2014-12-17
|
794
|
+
|
795
|
+
- [#516] SECURITY: Adds `protect_from_forgery` to `Doorkeeper::ApplicationController`
|
796
|
+
|
797
|
+
## 1.4.0 - 2014-07-31
|
798
|
+
|
799
|
+
- internals
|
800
|
+
- [#427] Adds specs expectations.
|
801
|
+
- [#428] Error response refactor.
|
802
|
+
- [#417] Moves token validation into Access Token class.
|
803
|
+
- [#439] Removes redundant module includes.
|
804
|
+
- [#443] TokensController and TokenInfoController inherit from ActionController::Metal
|
805
|
+
- bug
|
806
|
+
- [#418] fixes #243, requests with insufficient scope now respond 403 instead
|
807
|
+
of 401. (API change)
|
808
|
+
- [#438] fixes #398, native redirect for implicit token grant bug.
|
809
|
+
- [#440] namespace fixes
|
810
|
+
- enhancements
|
811
|
+
- [#432] Keeps query parameters
|
812
|
+
|
813
|
+
## 1.3.1 - 2014-07-06
|
814
|
+
|
815
|
+
- enhancements
|
816
|
+
- [#405] Adds facade to more easily get the token from a request in a route
|
817
|
+
constraint.
|
818
|
+
- [#415] Extend Doorkeeper TokenResponse with an `after_successful_response`
|
819
|
+
callback that allows handling of `response` object.
|
820
|
+
- internals
|
821
|
+
- [#409] Deprecates `test_redirect_uri` in favor of `native_redirect_uri`.
|
822
|
+
See discussion in: [#351].
|
823
|
+
- [#411] Clean rspec deprecations. General test improvements.
|
824
|
+
- [#412] rspec line width can go longer than 80 (hound CI config).
|
825
|
+
- bug
|
826
|
+
- [#413] fixes #340, routing scope is now taken into account in redirect.
|
827
|
+
- [#401] and [#425] application is not required any longer for access_token.
|
828
|
+
|
829
|
+
## 1.3.0 - 2014-05-23
|
830
|
+
|
831
|
+
- enhancements
|
832
|
+
- [#387] Adds reuse_access_token configuration option.
|
833
|
+
|
834
|
+
## 1.2.0 - 2014-05-02
|
835
|
+
|
836
|
+
- enhancements
|
837
|
+
- [#376] Allow users to enable basic header authorization for access tokens.
|
838
|
+
- [#374] Token revocation implementation [RFC 7009]
|
839
|
+
- [#295] Only enable specific grant flows.
|
840
|
+
- internals
|
841
|
+
- [#381] Locale source fix.
|
842
|
+
- [#380] Renames `errors_for` to `doorkeeper_errors_for`.
|
843
|
+
- [#390] Style adjustments in accordance with Ruby Style Guide form
|
844
|
+
Thoughtbot.
|
845
|
+
|
846
|
+
## 1.1.0 - 2014-03-29
|
847
|
+
|
848
|
+
- enhancements
|
849
|
+
- [#336] mongoid4 support.
|
850
|
+
- [#372] Allow users to set ActiveRecord table_name_prefix/suffix options
|
851
|
+
- internals
|
852
|
+
- [#343] separate OAuth's admin and user end-point to different layouts, upgrade theme to Bootstrap 3.1.
|
853
|
+
- [#348] Move render_options in filter after `@error` has been set
|
854
|
+
|
855
|
+
## 1.0.0 - 2014-01-13
|
856
|
+
|
857
|
+
- bug (spec)
|
858
|
+
- [#228] token response `expires_in` value is now in seconds, relative to
|
859
|
+
request time
|
860
|
+
- [#296] client is optional for password grant type.
|
861
|
+
- [#319] If client credentials are present on password grant type they are validated
|
862
|
+
- [#326] If client credentials are present in refresh token they are validated
|
863
|
+
- [#326] If authenticated client does not match original client that
|
864
|
+
obtained a refresh token it responds `invalid_grant` instead of
|
865
|
+
`invalid_client`. Previous usage was invalid according to Section 5.2 of
|
866
|
+
the spec.
|
867
|
+
- [#329] access tokens' `scopes` string wa being compared against
|
868
|
+
`default_scopes` symbols, always unauthorizing.
|
869
|
+
- [#318] Include "WWW-Authenticate" header with Unauthorized responses
|
870
|
+
- enhancements
|
871
|
+
- [#293] Adds ActionController::Instrumentation in TokensController
|
872
|
+
- [#298] Support for multiple redirect_uris added.
|
873
|
+
- [#313] `AccessToken.revoke_all_for` actually revokes all non-revoked
|
874
|
+
tokens for an application/owner instead of deleting them.
|
875
|
+
- [#333] Rails 4.1 support
|
876
|
+
- internals
|
877
|
+
- Removes jQuery dependency [fixes #300][pr #312 is related]
|
878
|
+
- [#294] Client uid and secret will be generated only if not present.
|
879
|
+
- [#316] Test warnings addressed.
|
880
|
+
- [#338] Rspec 3 syntax.
|
881
|
+
|
882
|
+
---
|
883
|
+
|
884
|
+
## 0.7.4 - 2013-12-01
|
885
|
+
|
886
|
+
- bug
|
887
|
+
- Symbols instead of strings for user input.
|
888
|
+
|
889
|
+
## 0.7.3 - 2013-10-04
|
890
|
+
|
891
|
+
- enhancements
|
892
|
+
- [#204] Allow to overwrite scope in routes
|
893
|
+
- internals
|
894
|
+
- Returns only present keys in Token Response (may imply a backwards
|
895
|
+
incompatible change). https://github.com/doorkeeper-gem/doorkeeper/issues/220
|
896
|
+
- bug
|
897
|
+
- [#290] Support for Rails 4 when 'protected_attributes' gem is present.
|
898
|
+
|
899
|
+
## 0.7.2 - 2013-09-11
|
900
|
+
|
901
|
+
- enhancements
|
902
|
+
- [#272] Allow issuing multiple access_tokens for one user/application for multiple devices
|
903
|
+
- [#170] Increase length of allowed redirect URIs
|
904
|
+
- [#239] Do not try to load unavailable Request class for the current phase.
|
905
|
+
- [#273] Relax jquery-rails gem dependency
|
906
|
+
|
907
|
+
## 0.7.1 - 2013-08-30
|
908
|
+
|
909
|
+
- bug
|
910
|
+
- [#269] Rails 3.2 raised `ActiveModel::MassAssignmentSecurity::Error`.
|
911
|
+
|
912
|
+
## 0.7.0 - 2013-08-21
|
913
|
+
|
914
|
+
- enhancements
|
915
|
+
- [#229] Rails 4!
|
916
|
+
- internals
|
917
|
+
- [#203] Changing table name to be specific in column_names_with_table
|
918
|
+
- [#215] README update
|
919
|
+
- [#227] Use Rails.config.paths["config/routes"] instead of assuming "config/routes.rb" exists
|
920
|
+
- [#262] Add jquery as gem dependency
|
921
|
+
- [#263] Add a configuration for ActiveRecord.establish_connection
|
922
|
+
- Deprecation and Ruby warnings (PRs merged outside of GitHub).
|
923
|
+
|
924
|
+
## 0.6.7 - 2013-01-13
|
925
|
+
|
926
|
+
- internals
|
927
|
+
- [#188] Add IDs to the show views for integration testing [@egtann](https://github.com/egtann)
|
928
|
+
|
929
|
+
## 0.6.6 - 2013-01-04
|
930
|
+
|
931
|
+
- enhancements
|
932
|
+
- [#187] Raise error if configuration is not set
|
933
|
+
|
934
|
+
## 0.6.5 - 2012-12-26
|
935
|
+
|
936
|
+
- enhancements
|
937
|
+
- [#184] Vendor the Bootstrap CSS [@tylerhunt](https://github.com/tylerhunt)
|
938
|
+
|
939
|
+
## 0.6.4 - 2012-12-15
|
940
|
+
|
941
|
+
- bug
|
942
|
+
- [#180] Add localization to authorized_applications destroy notice [@aalvarado](https://github.com/aalvarado)
|
943
|
+
|
944
|
+
## 0.6.3 - 2012-12-07
|
945
|
+
|
946
|
+
- bugfixes
|
947
|
+
- [#163] Error response content-type header should be application/json [@ggayan](https://github.com/ggayan)
|
948
|
+
- [#175] Make token.expires_in_seconds return nil when expires_in is nil [@miyagawa](https://github.com/miyagawa)
|
949
|
+
- enhancements
|
950
|
+
- [#166, #172, #174] Behavior to automatically authorize based on a configured proc
|
951
|
+
- internals
|
952
|
+
- [#168] Using expectation syntax for controller specs [@rdsoze](https://github.com/rdsoze)
|
953
|
+
|
954
|
+
## 0.6.2 - 2012-11-10
|
955
|
+
|
956
|
+
- bugfixes
|
957
|
+
- [#162] Remove ownership columns from base migration template [@rdsoze](https://github.com/rdsoze)
|
958
|
+
|
959
|
+
## 0.6.1 - 2012-11-07
|
960
|
+
|
961
|
+
- bugfixes
|
962
|
+
- [#160] Removed |routes| argument from initializer authenticator blocks
|
963
|
+
- documentation
|
964
|
+
- [#160] Fixed description of context of authenticator blocks
|
965
|
+
|
966
|
+
## 0.6.0 - 2012-11-05
|
967
|
+
|
968
|
+
- enhancements
|
969
|
+
- Mongoid `orm` configuration accepts only :mongoid2 or :mongoid3
|
970
|
+
- Authorization endpoint does not redirect in #new action anymore. It wasn't specified by OAuth spec
|
971
|
+
- TokensController now inherits from ActionController::Metal. There might be performance upgrades
|
972
|
+
- Add link to authorization in Applications scaffold
|
973
|
+
- [#116] MongoMapper support [@carols10cents](https://github.com/carols10cents)
|
974
|
+
- [#122] Mongoid3 support [@petergoldstein](https://github.com/petergoldstein)
|
975
|
+
- [#150] Introduce test redirect uri for applications
|
976
|
+
- bugfixes
|
977
|
+
- [#157] Response token status should be `:ok`, not `:success` [@theycallmeswift](https://github.com/theycallmeswift)
|
978
|
+
- [#159] Remove ActionView::Base.field_error_proc override (fixes #145)
|
979
|
+
- internals
|
980
|
+
- Update development dependencies
|
981
|
+
- Several refactorings
|
982
|
+
- Rails/ORM are easily swichable with env vars (rails and orm)
|
983
|
+
- Travis now tests against Mongoid v2
|
984
|
+
|
985
|
+
## 0.5.0 - 2012-10-20
|
986
|
+
|
987
|
+
Official support for rubinius was removed.
|
988
|
+
|
989
|
+
- enhancements
|
990
|
+
- Configure the way access token is retrieved from request (default to bearer header)
|
991
|
+
- Authorization Code expiration time is now configurable
|
992
|
+
- Add support for mongoid
|
993
|
+
- [#78, #128, #137, #138] Application Ownership
|
994
|
+
- [#92] Allow users to skip controllers
|
995
|
+
- [#99] Remove deprecated warnings for data-\* attributes [@towerhe](https://github.com/towerhe)
|
996
|
+
- [#101] Return existing access_token for PasswordAccessTokenRequest [@benoist](https://github.com/benoist)
|
997
|
+
- [#104] Changed access token scopes example code to default_scopes and optional_scopes [@amkirwan](https://github.com/amkirwan)
|
998
|
+
- [#107] Fix typos in initializer
|
999
|
+
- [#123] i18n for validator, flash messages [@petergoldstein](https://github.com/petergoldstein)
|
1000
|
+
- [#140] ActiveRecord is the default value for the ORM [@petergoldstein](https://github.com/petergoldstein)
|
1001
|
+
- internals
|
1002
|
+
- [#112, #120] Replacing update_attribute with update_column to eliminate deprecation warnings [@rmoriz](https://github.com/rmoriz), [@petergoldstein](https://github.com/petergoldstein)
|
1003
|
+
- [#121] Updating all development dependencies to recent versions. [@petergoldstein](https://github.com/petergoldstein)
|
1004
|
+
- [#144] Adding MongoDB dependency to .travis.yml [@petergoldstein](https://github.com/petergoldstein)
|
1005
|
+
- [#143] Displays errors for unconfigured error messages [@timgaleckas](https://github.com/timgaleckas)
|
1006
|
+
- bugfixes
|
1007
|
+
- [#102] Not returning 401 when access token generation fails [@cslew](https://github.com/cslew)
|
1008
|
+
- [#125] Doorkeeper is using ActiveRecord version of as_json in ORM agnostic code [@petergoldstein](https://github.com/petergoldstein)
|
1009
|
+
- [#142] Prevent double submission of password based authentication [@bdurand](https://github.com/bdurand)
|
1010
|
+
- documentation
|
1011
|
+
- [#141] Add rack-cors middleware to readme [@gottfrois](https://github.com/gottfrois)
|
1012
|
+
|
1013
|
+
## 0.4.2 - 2012-06-05
|
1014
|
+
|
1015
|
+
- bugfixes:
|
1016
|
+
- [#94] Uninitialized Constant in Password Flow
|
1017
|
+
|
1018
|
+
## 0.4.1 - 2012-06-02
|
1019
|
+
|
1020
|
+
- enhancements:
|
1021
|
+
- Backport: Move doorkeeper_for extension to Filter helper
|
1022
|
+
|
1023
|
+
## 0.4.0 - 2012-05-26
|
1024
|
+
|
1025
|
+
- deprecation
|
1026
|
+
- Deprecate authorization_scopes
|
1027
|
+
- database changes
|
1028
|
+
- AccessToken#resource_owner_id is not nullable
|
1029
|
+
- enhancements
|
1030
|
+
- [#83] Add Resource Owner Password Credentials flow [@jaimeiniesta](https://github.com/jaimeiniesta)
|
1031
|
+
- [#76] Allow token expiration to be disabled [@mattgreen](https://github.com/mattgreen)
|
1032
|
+
- [#89] Configure the way client credentials are retrieved from request
|
1033
|
+
- [#b6470a] Add Client Credentials flow
|
1034
|
+
- internals
|
1035
|
+
- [#2ece8d, #f93778] Introduce Client and ErrorResponse classes
|
1036
|
+
|
1037
|
+
## 0.3.4 - 2012-05-24
|
1038
|
+
|
1039
|
+
- Fix attr_accessible for rails 3.2.x
|
1040
|
+
|
1041
|
+
## 0.3.3 - 2012-05-07
|
1042
|
+
|
1043
|
+
- [#86] shrink gem package size
|
1044
|
+
|
1045
|
+
## 0.3.2 - 2012-04-29
|
1046
|
+
|
1047
|
+
- enhancements
|
1048
|
+
- [#54] Ignore Authorization: headers that are not Bearer [@miyagawa](https://github.com/miyagawa)
|
1049
|
+
- [#58, #64] Add destroy action to applications endpoint [@jaimeiniesta](https://github.com/jaimeiniesta), [@davidfrey](https://github.com/davidfrey)
|
1050
|
+
- [#63] TokensController responds with `401 unauthorized` [@jaimeiniesta](https://github.com/jaimeiniesta)
|
1051
|
+
- [#67, #72] Fix for mass-assignment [@cicloid](https://github.com/cicloid)
|
1052
|
+
- internals
|
1053
|
+
- [#49] Add Gemnasium status image to README [@laserlemon](https://github.com/laserlemon)
|
1054
|
+
- [#50] Fix typos [@tomekw](https://github.com/tomekw)
|
1055
|
+
- [#51] Updated the factory_girl_rails dependency, fix expires_in response which returned a float number instead of integer [@antekpiechnik](https://github.com/antekpiechnik)
|
1056
|
+
- [#62] Typos, .gitignore [@jaimeiniesta](https://github.com/jaimeiniesta)
|
1057
|
+
- [#65] Change \_path redirections to \_url redirections [@jaimeiniesta](https://github.com/jaimeiniesta)
|
1058
|
+
- [#75] Fix unknown method #authenticate_admin! [@mattgreen](https://github.com/mattgreen)
|
1059
|
+
- Remove application link in authorized app view
|
1060
|
+
|
1061
|
+
## 0.3.1 - 2012-02-17
|
1062
|
+
|
1063
|
+
- enhancements
|
1064
|
+
- [#48] Add if, else options to doorkeeper_for
|
1065
|
+
- Add views generator
|
1066
|
+
- internals
|
1067
|
+
- Namespace models
|
1068
|
+
|
1069
|
+
## 0.3.0 - 2012-02-11
|
1070
|
+
|
1071
|
+
- enhancements
|
1072
|
+
- [#17, #31] Add support for client credentials in basic auth header [@GoldsteinTechPartners](https://github.com/GoldsteinTechPartners)
|
1073
|
+
- [#28] Add indices to migration [@GoldsteinTechPartners](https://github.com/GoldsteinTechPartners)
|
1074
|
+
- [#29] Allow doorkeeper to run with rails 3.2 [@john-griffin](https://github.com/john-griffin)
|
1075
|
+
- [#30] Improve client's redirect uri validation [@GoldsteinTechPartners](https://github.com/GoldsteinTechPartners)
|
1076
|
+
- [#32] Add token (implicit grant) flow [@GoldsteinTechPartners](https://github.com/GoldsteinTechPartners)
|
1077
|
+
- [#34] Add support for custom unathorized responses [@GoldsteinTechPartners](https://github.com/GoldsteinTechPartners)
|
1078
|
+
- [#36] Remove repetitions from the Authorised Applications view [@carvil](https://github.com/carvil)
|
1079
|
+
- When user revoke an application, all tokens for that application are revoked
|
1080
|
+
- Error messages now can be translated
|
1081
|
+
- Install generator copies the error messages localization file
|
1082
|
+
- internals
|
1083
|
+
- Fix deprecation warnings in ActiveSupport::Base64
|
1084
|
+
- Remove deprecation in doorkeeper_for that handles hash arguments
|
1085
|
+
- Depends on railties instead of whole rails framework
|
1086
|
+
- CI now integrates with rails 3.1 and 3.2
|
1087
|
+
|
1088
|
+
## 0.2.0 - 2011-12-17
|
1089
|
+
|
1090
|
+
- enhancements
|
1091
|
+
- [#4] Add authorized applications endpoint
|
1092
|
+
- [#5, #11] Add access token scopes
|
1093
|
+
- [#10] Add access token expiration by default
|
1094
|
+
- [#9, #12] Add refresh token flow
|
1095
|
+
- internals
|
1096
|
+
- [#7] Improve configuration options with :default
|
1097
|
+
- Improve configuration options with :builder
|
1098
|
+
- Refactor config class
|
1099
|
+
- Improve coverage of authorization request integration
|
1100
|
+
- bug fixes
|
1101
|
+
- [#6, #20] Fix access token response headers
|
1102
|
+
- Fix issue with state parameter
|
1103
|
+
- deprecation
|
1104
|
+
- deprecate :only and :except options in doorkeeper_for
|
1105
|
+
|
1106
|
+
## 0.1.1 - 2011-11-30
|
1107
|
+
|
1108
|
+
- enhancements
|
1109
|
+
- [#3] Authorization code must be short lived and single use
|
1110
|
+
- [#2] Improve views provided by doorkeeper
|
1111
|
+
- [#1] Skips authorization form if the client has been authorized by the resource owner
|
1112
|
+
- Improve readme
|
1113
|
+
- bugfixes
|
1114
|
+
- Fix issue when creating the access token (wrong client id)
|
1115
|
+
|
1116
|
+
## 0.1.0 - 2011-11-25
|
1117
|
+
|
1118
|
+
- Authorization Code flow
|
1119
|
+
- OAuth applications endpoint
|
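Review bot: several entries in this hunk carry spelling and grammar slips that will ship verbatim in the release notes; in the 0.6.0 internals "Rails/ORM are easily swichable with env vars" should read "switchable", in the 0.3.0 enhancements "Add support for custom unathorized responses" should read "unauthorized", and the 0.3.0 line starting "When user revoke an application" should read "When a user revokes an application". Separately, the 0.4.0 entries "[#b6470a] Add Client Credentials flow" and the "[#2ece8d, #f93778]" internals line apply the `#` prefix, which the rest of the file reserves for issue and PR numbers, to what are commit SHAs; dropping the `#` or writing them as short SHAs in backticks keeps them from being read or auto-linked as issue references. The 0.7.3 internals entry about returning only present keys in the token response points at a bare GitHub URL where every other entry uses the bracketed `[#220]` form, and "Rspec 3 syntax" in the 0.7.x internals should be "RSpec".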