doorkeeper 4.2.0 → 5.6.8

data/spec/requests/flows/refresh_token_spec.rb

@@ -1,174 +0,0 @@
-require 'spec_helper_integration'
-
-describe 'Refresh Token Flow' do
-  before do
-    Doorkeeper.configure do
-      orm DOORKEEPER_ORM
-      use_refresh_token
-    end
-    client_exists
-  end
-
-  context 'issuing a refresh token' do
-    before do
-      authorization_code_exists application: @client
-    end
-
-    it 'client gets the refresh token and refreshses it' do
-      post token_endpoint_url(code: @authorization.token, client: @client)
-
-      token = Doorkeeper::AccessToken.first
-
-      should_have_json 'access_token',  token.token
-      should_have_json 'refresh_token', token.refresh_token
-
-      expect(@authorization.reload).to be_revoked
-
-      post refresh_token_endpoint_url(client: @client, refresh_token: token.refresh_token)
-
-      new_token = Doorkeeper::AccessToken.last
-      should_have_json 'access_token',  new_token.token
-      should_have_json 'refresh_token', new_token.refresh_token
-
-      expect(token.token).not_to         eq(new_token.token)
-      expect(token.refresh_token).not_to eq(new_token.refresh_token)
-    end
-  end
-
-  context 'refreshing the token' do
-    before do
-      @token = FactoryGirl.create(
-        :access_token,
-        application: @client,
-        resource_owner_id: 1,
-        use_refresh_token: true
-      )
-    end
-
-    context "refresh_token revoked on use" do
-      it 'client request a token with refresh token' do
-        post refresh_token_endpoint_url(
-          client: @client, refresh_token: @token.refresh_token
-        )
-        should_have_json(
-          'refresh_token', Doorkeeper::AccessToken.last.refresh_token
-        )
-        expect(@token.reload).not_to be_revoked
-      end
-
-      it 'client request a token with expired access token' do
-        @token.update_attribute :expires_in, -100
-        post refresh_token_endpoint_url(
-          client: @client, refresh_token: @token.refresh_token
-        )
-        should_have_json(
-          'refresh_token', Doorkeeper::AccessToken.last.refresh_token
-        )
-        expect(@token.reload).not_to be_revoked
-      end
-    end
-
-    context "refresh_token revoked on refresh_token request" do
-      before do
-        allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
-      end
-
-      it 'client request a token with refresh token' do
-        post refresh_token_endpoint_url(
-          client: @client, refresh_token: @token.refresh_token
-        )
-        should_have_json(
-          'refresh_token', Doorkeeper::AccessToken.last.refresh_token
-        )
-        expect(@token.reload).to be_revoked
-      end
-
-      it 'client request a token with expired access token' do
-        @token.update_attribute :expires_in, -100
-        post refresh_token_endpoint_url(
-          client: @client, refresh_token: @token.refresh_token
-        )
-        should_have_json(
-          'refresh_token', Doorkeeper::AccessToken.last.refresh_token
-        )
-        expect(@token.reload).to be_revoked
-      end
-    end
-
-    it 'client gets an error for invalid refresh token' do
-      post refresh_token_endpoint_url(client: @client, refresh_token: 'invalid')
-      should_not_have_json 'refresh_token'
-      should_have_json 'error', 'invalid_grant'
-    end
-
-    it 'client gets an error for revoked acccess token' do
-      @token.revoke
-      post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
-      should_not_have_json 'refresh_token'
-      should_have_json 'error', 'invalid_grant'
-    end
-
-    it 'second of simultaneous client requests get an error for revoked acccess token' do
-      allow_any_instance_of(Doorkeeper::AccessToken).to receive(:revoked?).and_return(false, true)
-      post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
-
-      should_not_have_json 'refresh_token'
-      should_have_json 'error', 'invalid_request'
-    end
-  end
-
-  context 'refreshing the token with multiple sessions (devices)' do
-    before do
-      # enable password auth to simulate other devices
-      config_is_set(:grant_flows, ["password"])
-      config_is_set(:resource_owner_from_credentials) do
-        User.authenticate! params[:username], params[:password]
-      end
-      create_resource_owner
-      _another_token = post password_token_endpoint_url(
-        client: @client, resource_owner: @resource_owner
-      )
-      last_token.update_attribute :created_at, 5.seconds.ago
-
-      @token = FactoryGirl.create(
-        :access_token,
-        application: @client,
-        resource_owner_id: @resource_owner.id,
-        use_refresh_token: true
-      )
-      @token.update_attribute :expires_in, -100
-    end
-
-    context "refresh_token revoked on use" do
-      it 'client request a token after creating another token with the same user' do
-        post refresh_token_endpoint_url(
-          client: @client, refresh_token: @token.refresh_token
-        )
-
-        should_have_json 'refresh_token', last_token.refresh_token
-        expect(@token.reload).not_to be_revoked
-      end
-    end
-
-    context "refresh_token revoked on refresh_token request" do
-      before do
-        allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
-      end
-
-      it 'client request a token after creating another token with the same user' do
-        post refresh_token_endpoint_url(
-          client: @client, refresh_token: @token.refresh_token
-        )
-
-        should_have_json 'refresh_token', last_token.refresh_token
-        expect(@token.reload).to be_revoked
-      end
-    end
-
-    def last_token
-      Doorkeeper::AccessToken.last_authorized_token_for(
-        @client.id, @resource_owner.id
-      )
-    end
-  end
-end

data/spec/requests/flows/revoke_token_spec.rb

@@ -1,157 +0,0 @@
-require 'spec_helper_integration'
-
-describe 'Revoke Token Flow' do
-  before do
-    Doorkeeper.configure { orm DOORKEEPER_ORM }
-  end
-
-  context 'with default parameters' do
-    let(:client_application) { FactoryGirl.create :application }
-    let(:resource_owner) { User.create!(name: 'John', password: 'sekret') }
-    let(:access_token) do
-      FactoryGirl.create(:access_token,
-                         application: client_application,
-                         resource_owner_id: resource_owner.id,
-                         use_refresh_token: true)
-    end
-
-    context 'with authenticated, confidential OAuth 2.0 client/application' do
-      let(:headers) do
-        client_id = client_application.uid
-        client_secret = client_application.secret
-        credentials = Base64.encode64("#{client_id}:#{client_secret}")
-        { 'HTTP_AUTHORIZATION' => "Basic #{credentials}" }
-      end
-
-      it 'should revoke the access token provided' do
-        post revocation_token_endpoint_url, { token: access_token.token }, headers
-
-        access_token.reload
-
-        expect(response).to be_success
-        expect(access_token.revoked?).to be_truthy
-      end
-
-      it 'should revoke the refresh token provided' do
-        post revocation_token_endpoint_url, { token: access_token.refresh_token }, headers
-
-        access_token.reload
-
-        expect(response).to be_success
-        expect(access_token.revoked?).to be_truthy
-      end
-
-      context 'with invalid token to revoke' do
-        it 'should not revoke any tokens and respond successfully' do
-          num_prev_revoked_tokens = Doorkeeper::AccessToken.where(revoked_at: nil).count
-          post revocation_token_endpoint_url, { token: 'I_AM_AN_INVALID_TOKEN' }, headers
-
-          # The authorization server responds with HTTP status code 200 even if
-          # token is invalid
-          expect(response).to be_success
-          expect(Doorkeeper::AccessToken.where(revoked_at: nil).count).to eq(num_prev_revoked_tokens)
-        end
-      end
-
-      context 'with bad credentials and a valid token' do
-        let(:headers) do
-          client_id = client_application.uid
-          credentials = Base64.encode64("#{client_id}:poop")
-          { 'HTTP_AUTHORIZATION' => "Basic #{credentials}" }
-        end
-        it 'should not revoke any tokens and respond successfully' do
-          post revocation_token_endpoint_url, { token: access_token.token }, headers
-
-          access_token.reload
-
-          expect(response).to be_success
-          expect(access_token.revoked?).to be_falsey
-        end
-      end
-
-      context 'with no credentials and a valid token' do
-        it 'should not revoke any tokens and respond successfully' do
-          post revocation_token_endpoint_url, { token: access_token.token }
-
-          access_token.reload
-
-          expect(response).to be_success
-          expect(access_token.revoked?).to be_falsey
-        end
-      end
-
-      context 'with valid token for another client application' do
-        let(:other_client_application) { FactoryGirl.create :application }
-        let(:headers) do
-          client_id = other_client_application.uid
-          client_secret = other_client_application.secret
-          credentials = Base64.encode64("#{client_id}:#{client_secret}")
-          { 'HTTP_AUTHORIZATION' => "Basic #{credentials}" }
-        end
-
-        it 'should not revoke the token as its unauthorized' do
-          post revocation_token_endpoint_url, { token: access_token.token }, headers
-
-          access_token.reload
-
-          expect(response).to be_success
-          expect(access_token.revoked?).to be_falsey
-        end
-      end
-    end
-
-    context 'with public OAuth 2.0 client/application' do
-      let(:access_token) do
-        FactoryGirl.create(:access_token,
-                           application: nil,
-                           resource_owner_id: resource_owner.id,
-                           use_refresh_token: true)
-      end
-
-      it 'should revoke the access token provided' do
-        post revocation_token_endpoint_url, { token: access_token.token }
-
-        access_token.reload
-
-        expect(response).to be_success
-        expect(access_token.revoked?).to be_truthy
-      end
-
-      it 'should revoke the refresh token provided' do
-        post revocation_token_endpoint_url, { token: access_token.refresh_token }
-
-        access_token.reload
-
-        expect(response).to be_success
-        expect(access_token.revoked?).to be_truthy
-      end
-
-      context 'with a valid token issued for a confidential client' do
-        let(:access_token) do
-          FactoryGirl.create(:access_token,
-                             application: client_application,
-                             resource_owner_id: resource_owner.id,
-                             use_refresh_token: true)
-        end
-
-        it 'should not revoke the access token provided' do
-          post revocation_token_endpoint_url, { token: access_token.token }
-
-          access_token.reload
-
-          expect(response).to be_success
-          expect(access_token.revoked?).to be_falsey
-        end
-
-        it 'should not revoke the refresh token provided' do
-          post revocation_token_endpoint_url, { token: access_token.token }
-
-          access_token.reload
-
-          expect(response).to be_success
-          expect(access_token.revoked?).to be_falsey
-        end
-      end
-    end
-  end
-end

data/spec/requests/flows/skip_authorization_spec.rb

@@ -1,59 +0,0 @@
-require 'spec_helper_integration'
-
-feature 'Skip authorization form' do
-  background do
-    config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
-    client_exists
-    default_scopes_exist  :public
-    optional_scopes_exist :write
-  end
-
-  context 'for previously authorized clients' do
-    background do
-      create_resource_owner
-      sign_in
-    end
-
-    scenario 'skips the authorization and return a new grant code' do
-      client_is_authorized(@client, @resource_owner, scopes: 'public')
-      visit authorization_endpoint_url(client: @client)
-
-      i_should_not_see 'Authorize'
-      client_should_be_authorized @client
-      i_should_be_on_client_callback @client
-      url_should_have_param 'code', Doorkeeper::AccessGrant.first.token
-    end
-
-    scenario 'does not skip authorization when scopes differ (new request has fewer scopes)' do
-      client_is_authorized(@client, @resource_owner, scopes: 'public write')
-      visit authorization_endpoint_url(client: @client, scope: 'public')
-      i_should_see 'Authorize'
-    end
-
-    scenario 'does not skip authorization when scopes differ (new request has more scopes)' do
-      client_is_authorized(@client, @resource_owner, scopes: 'public write')
-      visit authorization_endpoint_url(client: @client, scopes: 'public write email')
-      i_should_see 'Authorize'
-    end
-
-    scenario 'creates grant with new scope when scopes differ' do
-      client_is_authorized(@client, @resource_owner, scopes: 'public write')
-      visit authorization_endpoint_url(client: @client, scope: 'public')
-      click_on 'Authorize'
-      access_grant_should_have_scopes :public
-    end
-
-    scenario 'doesn not skip authorization when scopes are greater' do
-      client_is_authorized(@client, @resource_owner, scopes: 'public')
-      visit authorization_endpoint_url(client: @client, scope: 'public write')
-      i_should_see 'Authorize'
-    end
-
-    scenario 'creates grant with new scope when scopes are greater' do
-      client_is_authorized(@client, @resource_owner, scopes: 'public')
-      visit authorization_endpoint_url(client: @client, scope: 'public write')
-      click_on 'Authorize'
-      access_grant_should_have_scopes :public, :write
-    end
-  end
-end

data/spec/requests/protected_resources/metal_spec.rb

@@ -1,14 +0,0 @@
-require 'spec_helper_integration'
-
-describe 'ActionController::Metal API' do
-  before do
-    @client   = FactoryGirl.create(:application)
-    @resource = User.create!(name: 'Joe', password: 'sekret')
-    @token    = client_is_authorized(@client, @resource)
-  end
-
-  it 'client requests protected resource with valid token' do
-    get "/metal.json?access_token=#{@token.token}"
-    should_have_json 'ok', true
-  end
-end

data/spec/requests/protected_resources/private_api_spec.rb

@@ -1,81 +0,0 @@
-require 'spec_helper_integration'
-
-feature 'Private API' do
-  background do
-    @client   = FactoryGirl.create(:application)
-    @resource = User.create!(name: 'Joe', password: 'sekret')
-    @token    = client_is_authorized(@client, @resource)
-  end
-
-  scenario 'client requests protected resource with valid token' do
-    with_access_token_header @token.token
-    visit '/full_protected_resources'
-    expect(page.body).to have_content('index')
-  end
-
-  scenario 'client requests protected resource with disabled header authentication' do
-    config_is_set :access_token_methods, [:from_access_token_param]
-    with_access_token_header @token.token
-    visit '/full_protected_resources'
-    response_status_should_be 401
-  end
-
-  scenario 'client attempts to request protected resource with invalid token' do
-    with_access_token_header 'invalid'
-    visit '/full_protected_resources'
-    response_status_should_be 401
-  end
-
-  scenario 'client attempts to request protected resource with expired token' do
-    @token.update_attribute :expires_in, -100 # expires token
-    with_access_token_header @token.token
-    visit '/full_protected_resources'
-    response_status_should_be 401
-  end
-
-  scenario 'client requests protected resource with permanent token' do
-    @token.update_attribute :expires_in, nil # never expires
-    with_access_token_header @token.token
-    visit '/full_protected_resources'
-    expect(page.body).to have_content('index')
-  end
-
-  scenario 'access token with no default scopes' do
-    Doorkeeper.configuration.instance_eval {
-      @default_scopes = Doorkeeper::OAuth::Scopes.from_array([:public])
-      @scopes = default_scopes + optional_scopes
-    }
-    @token.update_attribute :scopes, 'dummy'
-    with_access_token_header @token.token
-    visit '/full_protected_resources'
-    response_status_should_be 403
-  end
-
-  scenario 'access token with no allowed scopes' do
-    @token.update_attribute :scopes, nil
-    with_access_token_header @token.token
-    visit '/full_protected_resources/1.json'
-    response_status_should_be 403
-  end
-
-  scenario 'access token with one of allowed scopes' do
-    @token.update_attribute :scopes, 'admin'
-    with_access_token_header @token.token
-    visit '/full_protected_resources/1.json'
-    expect(page.body).to have_content('show')
-  end
-
-  scenario 'access token with another of allowed scopes' do
-    @token.update_attribute :scopes, 'write'
-    with_access_token_header @token.token
-    visit '/full_protected_resources/1.json'
-    expect(page.body).to have_content('show')
-  end
-
-  scenario 'access token with both allowed scopes' do
-    @token.update_attribute :scopes, 'write admin'
-    with_access_token_header @token.token
-    visit '/full_protected_resources/1.json'
-    expect(page.body).to have_content('show')
-  end
-end

data/spec/routing/custom_controller_routes_spec.rb

@@ -1,71 +0,0 @@
-require 'spec_helper_integration'
-
-describe 'Custom controller for routes' do
-  it 'GET /space/scope/authorize routes to custom authorizations controller' do
-    expect(get('/inner_space/scope/authorize')).to route_to('custom_authorizations#new')
-  end
-
-  it 'POST /space/scope/authorize routes to custom authorizations controller' do
-    expect(post('/inner_space/scope/authorize')).to route_to('custom_authorizations#create')
-  end
-
-  it 'DELETE /space/scope/authorize routes to custom authorizations controller' do
-    expect(delete('/inner_space/scope/authorize')).to route_to('custom_authorizations#destroy')
-  end
-
-  it 'POST /space/scope/token routes to tokens controller' do
-    expect(post('/inner_space/scope/token')).to route_to('custom_authorizations#create')
-  end
-
-  it 'GET /space/scope/applications routes to applications controller' do
-    expect(get('/inner_space/scope/applications')).to route_to('custom_authorizations#index')
-  end
-
-  it 'GET /space/scope/token/info routes to the token_info controller' do
-    expect(get('/inner_space/scope/token/info')).to route_to('custom_authorizations#show')
-  end
-
-  it 'GET /space/oauth/authorize routes to custom authorizations controller' do
-    expect(get('/space/oauth/authorize')).to route_to('custom_authorizations#new')
-  end
-
-  it 'POST /space/oauth/authorize routes to custom authorizations controller' do
-    expect(post('/space/oauth/authorize')).to route_to('custom_authorizations#create')
-  end
-
-  it 'DELETE /space/oauth/authorize routes to custom authorizations controller' do
-    expect(delete('/space/oauth/authorize')).to route_to('custom_authorizations#destroy')
-  end
-
-  it 'POST /space/oauth/token routes to tokens controller' do
-    expect(post('/space/oauth/token')).to route_to('custom_authorizations#create')
-  end
-
-  it 'POST /space/oauth/revoke routes to tokens controller' do
-    expect(post('/space/oauth/revoke')).to route_to('custom_authorizations#revoke')
-  end
-
-  it 'GET /space/oauth/applications routes to applications controller' do
-    expect(get('/space/oauth/applications')).to route_to('custom_authorizations#index')
-  end
-
-  it 'GET /space/oauth/token/info routes to the token_info controller' do
-    expect(get('/space/oauth/token/info')).to route_to('custom_authorizations#show')
-  end
-
-  it 'POST /outer_space/oauth/token is not be routable' do
-    expect(post('/outer_space/oauth/token')).not_to be_routable
-  end
-
-  it 'GET /outer_space/oauth/authorize routes to custom authorizations controller' do
-    expect(get('/outer_space/oauth/authorize')).to be_routable
-  end
-
-  it 'GET /outer_space/oauth/applications is not routable' do
-    expect(get('/outer_space/oauth/applications')).not_to be_routable
-  end
-
-  it 'GET /outer_space/oauth/token_info is not routable' do
-    expect(get('/outer_space/oauth/token/info')).not_to be_routable
-  end
-end

data/spec/routing/default_routes_spec.rb

@@ -1,35 +0,0 @@
-require 'spec_helper_integration'
-
-describe 'Default routes' do
-  it 'GET /oauth/authorize routes to authorizations controller' do
-    expect(get('/oauth/authorize')).to route_to('doorkeeper/authorizations#new')
-  end
-
-  it 'POST /oauth/authorize routes to authorizations controller' do
-    expect(post('/oauth/authorize')).to route_to('doorkeeper/authorizations#create')
-  end
-
-  it 'DELETE /oauth/authorize routes to authorizations controller' do
-    expect(delete('/oauth/authorize')).to route_to('doorkeeper/authorizations#destroy')
-  end
-
-  it 'POST /oauth/token routes to tokens controller' do
-    expect(post('/oauth/token')).to route_to('doorkeeper/tokens#create')
-  end
-
-  it 'POST /oauth/revoke routes to tokens controller' do
-    expect(post('/oauth/revoke')).to route_to('doorkeeper/tokens#revoke')
-  end
-
-  it 'GET /oauth/applications routes to applications controller' do
-    expect(get('/oauth/applications')).to route_to('doorkeeper/applications#index')
-  end
-
-  it 'GET /oauth/authorized_applications routes to authorized applications controller' do
-    expect(get('/oauth/authorized_applications')).to route_to('doorkeeper/authorized_applications#index')
-  end
-
-  it 'GET /oauth/token/info route to authorzed tokeninfo controller' do
-    expect(get('/oauth/token/info')).to route_to('doorkeeper/token_info#show')
-  end
-end

data/spec/routing/scoped_routes_spec.rb

@@ -1,31 +0,0 @@
-require 'spec_helper_integration'
-
-describe 'Scoped routes' do
-  it 'GET /scope/authorize routes to authorizations controller' do
-    expect(get('/scope/authorize')).to route_to('doorkeeper/authorizations#new')
-  end
-
-  it 'POST /scope/authorize routes to authorizations controller' do
-    expect(post('/scope/authorize')).to route_to('doorkeeper/authorizations#create')
-  end
-
-  it 'DELETE /scope/authorize routes to authorizations controller' do
-    expect(delete('/scope/authorize')).to route_to('doorkeeper/authorizations#destroy')
-  end
-
-  it 'POST /scope/token routes to tokens controller' do
-    expect(post('/scope/token')).to route_to('doorkeeper/tokens#create')
-  end
-
-  it 'GET /scope/applications routes to applications controller' do
-    expect(get('/scope/applications')).to route_to('doorkeeper/applications#index')
-  end
-
-  it 'GET /scope/authorized_applications routes to authorized applications controller' do
-    expect(get('/scope/authorized_applications')).to route_to('doorkeeper/authorized_applications#index')
-  end
-
-  it 'GET /scope/token/info route to authorzed tokeninfo controller' do
-    expect(get('/scope/token/info')).to route_to('doorkeeper/token_info#show')
-  end
-end

data/spec/spec_helper.rb

@@ -1,2 +0,0 @@
-$LOAD_PATH.unshift File.expand_path(File.join(File.dirname(__FILE__), '../lib'))
-$LOAD_PATH.unshift File.expand_path(File.join(File.dirname(__FILE__), '../app'))