doorkeeper 4.2.0 → 5.6.8

data/lib/doorkeeper/models/concerns/expirable.rb

@@ -1,21 +1,35 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module Models
     module Expirable
+      # Indicates whether the object is expired (`#expires_in` present and
+      # expiration time has come).
+      #
+      # @return [Boolean] true if object expired and false in other case
       def expired?
-        expires_in && Time.now.utc > expired_time
+        !!(expires_in && Time.now.utc > expires_at)
       end
 
+      # Calculates expiration time in seconds.
+      #
+      # @return [Integer, nil] number of seconds if object has expiration time
+      #   or nil if object never expires.
       def expires_in_seconds
         return nil if expires_in.nil?
-        expires = (created_at + expires_in.seconds) - Time.now.utc
+
+        expires = expires_at - Time.now.utc
         expires_sec = expires.seconds.round(0)
         expires_sec > 0 ? expires_sec : 0
       end
 
-      private
-
-      def expired_time
-        created_at + expires_in.seconds
+      # Expiration time (date time of creation + TTL).
+      #
+      # @return [Time, nil] expiration time in UTC
+      #   or nil if the object never expires.
+      #
+      def expires_at
+        expires_in && created_at + expires_in.seconds
       end
     end
   end

data/lib/doorkeeper/models/concerns/expiration_time_sql_math.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module Models
+    module ExpirationTimeSqlMath
+      extend ::ActiveSupport::Concern
+
+      class ExpirationTimeSqlGenerator
+        attr_reader :model
+
+        delegate :table_name, to: :@model
+
+        def initialize(model)
+          @model = model
+        end
+
+        def generate_sql
+          raise "`generate_sql` should be overridden for a #{self.class.name}!"
+        end
+      end
+
+      class MySqlExpirationTimeSqlGenerator < ExpirationTimeSqlGenerator
+        def generate_sql
+          Arel.sql("DATE_ADD(#{table_name}.created_at, INTERVAL #{table_name}.expires_in SECOND)")
+        end
+      end
+
+      class SqlLiteExpirationTimeSqlGenerator < ExpirationTimeSqlGenerator
+        def generate_sql
+          Arel.sql("DATETIME(#{table_name}.created_at, '+' || #{table_name}.expires_in || ' SECONDS')")
+        end
+      end
+
+      class SqlServerExpirationTimeSqlGenerator < ExpirationTimeSqlGenerator
+        def generate_sql
+          Arel.sql("DATEADD(second, #{table_name}.expires_in, #{table_name}.created_at) AT TIME ZONE 'UTC'")
+        end
+      end
+
+      class OracleExpirationTimeSqlGenerator < ExpirationTimeSqlGenerator
+        def generate_sql
+          Arel.sql("#{table_name}.created_at + INTERVAL to_char(#{table_name}.expires_in) second")
+        end
+      end
+
+      class PostgresExpirationTimeSqlGenerator < ExpirationTimeSqlGenerator
+        def generate_sql
+          Arel.sql("#{table_name}.created_at + #{table_name}.expires_in * INTERVAL '1 SECOND'")
+        end
+      end
+
+      ADAPTERS_MAPPING = {
+        "sqlite" => SqlLiteExpirationTimeSqlGenerator,
+        "sqlite3" => SqlLiteExpirationTimeSqlGenerator,
+        "postgis" => PostgresExpirationTimeSqlGenerator,
+        "postgresql" => PostgresExpirationTimeSqlGenerator,
+        "mysql" => MySqlExpirationTimeSqlGenerator,
+        "mysql2" => MySqlExpirationTimeSqlGenerator,
+        "trilogy" => MySqlExpirationTimeSqlGenerator,
+        "sqlserver" => SqlServerExpirationTimeSqlGenerator,
+        "oracleenhanced" => OracleExpirationTimeSqlGenerator,
+      }.freeze
+
+      module ClassMethods
+        def supports_expiration_time_math?
+          ADAPTERS_MAPPING.key?(adapter_name.downcase) ||
+            respond_to?(:custom_expiration_time_sql)
+        end
+
+        def expiration_time_sql
+          if respond_to?(:custom_expiration_time_sql)
+            custom_expiration_time_sql
+          else
+            expiration_time_sql_expression
+          end
+        end
+
+        def expiration_time_sql_expression
+          ADAPTERS_MAPPING.fetch(adapter_name.downcase).new(self).generate_sql
+        end
+
+        def adapter_name
+          ActiveRecord::Base.connection.adapter_name
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/models/concerns/orderable.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module Models
+    module Orderable
+      extend ActiveSupport::Concern
+
+      module ClassMethods
+        def ordered_by(attribute, direction = :asc)
+          order(attribute => direction)
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/models/concerns/ownership.rb

@@ -1,20 +1,17 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module Models
     module Ownership
       extend ActiveSupport::Concern
 
       included do
-        belongs_to_options = { polymorphic: true }
-        if defined?(ActiveRecord::Base) && ActiveRecord::VERSION::MAJOR >= 5
-          belongs_to_options[:optional] = true
-        end
-
-        belongs_to :owner, belongs_to_options
+        belongs_to :owner, polymorphic: true, optional: true
         validates :owner, presence: true, if: :validate_owner?
       end
 
       def validate_owner?
-        Doorkeeper.configuration.confirm_application_owner?
+        Doorkeeper.config.confirm_application_owner?
       end
     end
   end

data/lib/doorkeeper/models/concerns/polymorphic_resource_owner.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module Models
+    module PolymorphicResourceOwner
+      module ForAccessGrant
+        extend ActiveSupport::Concern
+
+        included do
+          if Doorkeeper.config.polymorphic_resource_owner?
+            belongs_to :resource_owner, polymorphic: true, optional: false
+          else
+            validates :resource_owner_id, presence: true
+          end
+        end
+      end
+
+      module ForAccessToken
+        extend ActiveSupport::Concern
+
+        included do
+          if Doorkeeper.config.polymorphic_resource_owner?
+            belongs_to :resource_owner, polymorphic: true, optional: true
+          end
+        end
+      end
+    end
+  end
+end
+

data/lib/doorkeeper/models/concerns/resource_ownerable.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module Models
+    module ResourceOwnerable
+      extend ActiveSupport::Concern
+
+      module ClassMethods
+        # Searches for record by Resource Owner considering Doorkeeper
+        # configuration for resource owner association.
+        #
+        # @param resource_owner [ActiveRecord::Base, Integer]
+        #   resource owner
+        #
+        # @return [Doorkeeper::AccessGrant, Doorkeeper::AccessToken]
+        #   collection of records
+        #
+        def by_resource_owner(resource_owner)
+          if Doorkeeper.configuration.polymorphic_resource_owner?
+            where(resource_owner: resource_owner)
+          else
+            where(resource_owner_id: resource_owner_id_for(resource_owner))
+          end
+        end
+
+        protected
+
+        # Backward compatible way to retrieve resource owner itself (if
+        # polymorphic association enabled) or just it's ID.
+        #
+        # @param resource_owner [ActiveRecord::Base, Integer]
+        #   resource owner
+        #
+        # @return [ActiveRecord::Base, Integer]
+        #   instance of Resource Owner or it's ID
+        #
+        def resource_owner_id_for(resource_owner)
+          if resource_owner.respond_to?(:to_key)
+            resource_owner.id
+          else
+            resource_owner
+          end
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/models/concerns/reusable.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module Models
+    module Reusable
+      # Indicates whether the object is reusable (i.e. It is not expired and
+      # has not crossed reuse_limit).
+      #
+      # @return [Boolean] true if can be reused and false in other case
+      def reusable?
+        return false if expired?
+        return true unless expires_in
+
+        threshold_limit = 100 - Doorkeeper.config.token_reuse_limit
+        expires_in_seconds >= threshold_limit * expires_in / 100
+      end
+    end
+  end
+end

data/lib/doorkeeper/models/concerns/revocable.rb

@@ -1,30 +1,24 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module Models
     module Revocable
+      # Revokes the object (updates `:revoked_at` attribute setting its value
+      # to the specific time).
+      #
+      # @param clock [Time] time object
+      #
       def revoke(clock = Time)
-        update_attribute :revoked_at, clock.now.utc
+        update_attribute(:revoked_at, clock.now.utc)
       end
 
+      # Indicates whether the object has been revoked.
+      #
+      # @return [Boolean] true if revoked, false in other case
+      #
       def revoked?
         !!(revoked_at && revoked_at <= Time.now.utc)
       end
-
-      def revoke_previous_refresh_token!
-        return unless refresh_token_revoked_on_use?
-        old_refresh_token.revoke if old_refresh_token
-        update_attribute :previous_refresh_token, ""
-      end
-
-      private
-
-      def old_refresh_token
-        @old_refresh_token ||=
-          AccessToken.by_refresh_token(previous_refresh_token)
-      end
-
-      def refresh_token_revoked_on_use?
-        AccessToken.refresh_token_revoked_on_use?
-      end
     end
   end
 end

data/lib/doorkeeper/models/concerns/scopes.rb

@@ -1,8 +1,18 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module Models
     module Scopes
       def scopes
-        OAuth::Scopes.from_string(self[:scopes])
+        OAuth::Scopes.from_string(scopes_string)
+      end
+
+      def scopes=(value)
+        if value.is_a?(Array)
+          super(Doorkeeper::OAuth::Scopes.from_array(value).to_s)
+        else
+          super(Doorkeeper::OAuth::Scopes.from_string(value.to_s).to_s)
+        end
       end
 
       def scopes_string
@@ -10,7 +20,7 @@ module Doorkeeper
       end
 
       def includes_scope?(*required_scopes)
-        required_scopes.blank? || required_scopes.any? { |s| scopes.exists?(s.to_s) }
+        required_scopes.blank? || required_scopes.any? { |scope| scopes.exists?(scope.to_s) }
       end
     end
   end

data/lib/doorkeeper/models/concerns/secret_storable.rb

@@ -0,0 +1,106 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module Models
+    ##
+    # Storable finder to provide lookups for input plaintext values which are
+    # mapped to their stored versions (e.g., hashing, encryption) before lookup.
+    module SecretStorable
+      extend ActiveSupport::Concern
+
+      delegate :secret_strategy,
+               :fallback_secret_strategy,
+               to: :class
+
+      # :nodoc
+      module ClassMethods
+        # Compare the given plaintext with the secret
+        #
+        # @param input [String]
+        #   The plain input to compare.
+        #
+        # @param secret [String]
+        #   The secret value to compare with.
+        #
+        # @return [Boolean]
+        #   Whether input matches secret as per the secret strategy
+        #
+        delegate :secret_matches?, to: :secret_strategy
+
+        # Returns an instance of the Doorkeeper::AccessToken with
+        # specific token value.
+        #
+        # @param attr [Symbol]
+        #   The token attribute we're looking with.
+        #
+        # @param token [#to_s]
+        #   token value (any object that responds to `#to_s`)
+        #
+        # @return [Doorkeeper::AccessToken, nil] AccessToken object or nil
+        #   if there is no record with such token
+        #
+        def find_by_plaintext_token(attr, token)
+          token = token.to_s
+
+          find_by(attr => secret_strategy.transform_secret(token)) ||
+            find_by_fallback_token(attr, token)
+        end
+
+        # Allow looking up previously plain tokens as a fallback
+        # IFF a fallback strategy has been defined
+        #
+        # @param attr [Symbol]
+        #   The token attribute we're looking with.
+        #
+        # @param plain_secret [#to_s]
+        #   plain secret value (any object that responds to `#to_s`)
+        #
+        # @return [Doorkeeper::AccessToken, nil] AccessToken object or nil
+        #   if there is no record with such token
+        #
+        def find_by_fallback_token(attr, plain_secret)
+          return nil unless fallback_secret_strategy
+
+          # Use the previous strategy to look up
+          stored_token = fallback_secret_strategy.transform_secret(plain_secret)
+          find_by(attr => stored_token).tap do |resource|
+            return nil unless resource
+
+            upgrade_fallback_value resource, attr, plain_secret
+          end
+        end
+
+        # Allow implementations in ORMs to replace a plain
+        # value falling back to to avoid it remaining as plain text.
+        #
+        # @param instance
+        #   An instance of this model with a plain value token.
+        #
+        # @param attr
+        #   The secret attribute name to upgrade.
+        #
+        # @param plain_secret
+        #   The plain secret to upgrade.
+        #
+        def upgrade_fallback_value(instance, attr, plain_secret)
+          upgraded = secret_strategy.store_secret(instance, attr, plain_secret)
+          instance.update(attr => upgraded)
+        end
+
+        ##
+        # Determines the secret storing transformer
+        # Unless configured otherwise, uses the plain secret strategy
+        def secret_strategy
+          ::Doorkeeper::SecretStoring::Plain
+        end
+
+        ##
+        # Determine the fallback storing strategy
+        # Unless configured, there will be no fallback
+        def fallback_secret_strategy
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/oauth/authorization/code.rb

@@ -1,30 +1,72 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OAuth
     module Authorization
       class Code
-        attr_accessor :pre_auth, :resource_owner, :token
+        attr_reader :pre_auth, :resource_owner, :token
 
         def initialize(pre_auth, resource_owner)
-          @pre_auth       = pre_auth
+          @pre_auth = pre_auth
           @resource_owner = resource_owner
         end
 
-        def issue_token
-          @token ||= AccessGrant.create!(
+        def issue_token!
+          return @token if defined?(@token)
+
+          @token = Doorkeeper.config.access_grant_model.create!(access_grant_attributes)
+        end
+
+        def oob_redirect
+          { action: :show, code: token.plaintext_token }
+        end
+
+        def access_grant?
+          true
+        end
+
+        private
+
+        def authorization_code_expires_in
+          Doorkeeper.config.authorization_code_expires_in
+        end
+
+        def access_grant_attributes
+          attributes = {
             application_id: pre_auth.client.id,
-            resource_owner_id: resource_owner.id,
-            expires_in: configuration.authorization_code_expires_in,
+            expires_in: authorization_code_expires_in,
             redirect_uri: pre_auth.redirect_uri,
-            scopes: pre_auth.scopes.to_s
-          )
+            scopes: pre_auth.scopes.to_s,
+          }
+
+          if Doorkeeper.config.polymorphic_resource_owner?
+            attributes[:resource_owner] = resource_owner
+          else
+            attributes[:resource_owner_id] = resource_owner.id
+          end
+
+          pkce_attributes.merge(attributes).merge(custom_attributes)
+        end
+
+        def custom_attributes
+          # Custom access token attributes are saved into the access grant,
+          # and then included in subsequently generated access tokens.
+          @pre_auth.custom_access_token_attributes.to_h.with_indifferent_access
         end
 
-        def native_redirect
-          { action: :show, code: token.token }
+        def pkce_attributes
+          return {} unless pkce_supported?
+
+          {
+            code_challenge: pre_auth.code_challenge,
+            code_challenge_method: pre_auth.code_challenge_method,
+          }
         end
 
-        def configuration
-          Doorkeeper.configuration
+        # Ensures firstly, if migration with additional PKCE columns was
+        # generated and migrated
+        def pkce_supported?
+          Doorkeeper.config.access_grant_model.pkce_supported?
         end
       end
     end

data/lib/doorkeeper/oauth/authorization/context.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module OAuth
+    module Authorization
+      class Context
+        attr_reader :client, :grant_type, :resource_owner, :scopes
+
+        def initialize(**attributes)
+          attributes.each do |name, value|
+            instance_variable_set(:"@#{name}", value) if respond_to?(name)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/oauth/authorization/token.rb

@@ -1,54 +1,98 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OAuth
     module Authorization
       class Token
-        attr_accessor :pre_auth, :resource_owner, :token
+        attr_reader :pre_auth, :resource_owner, :token
+
+        class << self
+          def build_context(pre_auth_or_oauth_client, grant_type, scopes, resource_owner)
+            oauth_client = if pre_auth_or_oauth_client.respond_to?(:application)
+                             pre_auth_or_oauth_client.application
+                           elsif pre_auth_or_oauth_client.respond_to?(:client)
+                             pre_auth_or_oauth_client.client
+                           else
+                             pre_auth_or_oauth_client
+                           end
+
+            Doorkeeper::OAuth::Authorization::Context.new(
+              client: oauth_client,
+              grant_type: grant_type,
+              scopes: scopes,
+              resource_owner: resource_owner,
+            )
+          end
+
+          def access_token_expires_in(configuration, context)
+            if configuration.option_defined?(:custom_access_token_expires_in)
+              expiration = configuration.custom_access_token_expires_in.call(context)
+              return nil if expiration == Float::INFINITY
+
+              expiration || configuration.access_token_expires_in
+            else
+              configuration.access_token_expires_in
+            end
+          end
+
+          def refresh_token_enabled?(server, context)
+            if server.refresh_token_enabled?.respond_to?(:call)
+              server.refresh_token_enabled?.call(context)
+            else
+              !!server.refresh_token_enabled?
+            end
+          end
+        end
 
         def initialize(pre_auth, resource_owner)
           @pre_auth       = pre_auth
           @resource_owner = resource_owner
         end
 
-        def self.access_token_expires_in(server, pre_auth_or_oauth_client)
-          if expiration = custom_expiration(server, pre_auth_or_oauth_client)
-            expiration
-          else
-            server.access_token_expires_in
-          end
-        end
+        def issue_token!
+          return @token if defined?(@token)
 
-        def issue_token
-          @token ||= AccessToken.find_or_create_for(
+          context = self.class.build_context(
             pre_auth.client,
-            resource_owner.id,
+            Doorkeeper::OAuth::IMPLICIT,
             pre_auth.scopes,
-            self.class.access_token_expires_in(configuration, pre_auth),
-            false
+            resource_owner,
           )
+
+          @token = Doorkeeper.config.access_token_model.find_or_create_for(
+            application: application,
+            resource_owner: resource_owner,
+            scopes: pre_auth.scopes,
+            expires_in: self.class.access_token_expires_in(Doorkeeper.config, context),
+            use_refresh_token: false,
+          )
+        end
+
+        def application
+          return unless pre_auth.client
+
+          pre_auth.client.is_a?(Doorkeeper.config.application_model) ? pre_auth.client : pre_auth.client.application
         end
 
-        def native_redirect
+        def oob_redirect
           {
-            controller: 'doorkeeper/token_info',
+            controller: controller,
             action: :show,
-            access_token: token.token
+            access_token: token.plaintext_token,
           }
         end
 
-        private
-
-        def self.custom_expiration(server, pre_auth_or_oauth_client)
-          oauth_client = if pre_auth_or_oauth_client.respond_to?(:client)
-                           pre_auth_or_oauth_client.client
-                         else
-                           pre_auth_or_oauth_client
-                         end
-
-          server.custom_access_token_expires_in.call(oauth_client)
+        def access_token?
+          true
         end
 
-        def configuration
-          Doorkeeper.configuration
+        private
+
+        def controller
+          @controller ||= begin
+            mapping = Doorkeeper::Rails::Routes.mapping[:token_info] || {}
+            mapping[:controllers] || "doorkeeper/token_info"
+          end
         end
       end
     end