doorkeeper 4.2.5 → 4.3.0

data/gemfiles/rails_5_1.gemfile

@@ -2,12 +2,11 @@
 
 source "https://rubygems.org"
 
-gem "rails", :github => "rails/rails"
+gem "rails", "~> 5.1.0"
 gem "appraisal"
-gem "activerecord-jdbcsqlite3-adapter", :platform => :jruby
-gem "sqlite3", :platform => [:ruby, :mswin, :mingw, :x64_mingw]
-gem "tzinfo-data", :platforms => [:mingw, :mswin, :x64_mingw]
-gem "arel", :github => "rails/arel"
-gem "rspec-rails", "~> 3.5"
+gem "activerecord-jdbcsqlite3-adapter", platforms: :jruby
+gem "sqlite3", platforms: [:ruby, :mswin, :mingw, :x64_mingw]
+gem "tzinfo-data", platforms: [:mingw, :mswin, :x64_mingw]
+gem "rspec-rails", "~> 3.7"
 
-gemspec :path => "../"
+gemspec path: "../"

data/gemfiles/rails_5_2.gemfile

@@ -0,0 +1,12 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "rails", "5.2.0.rc1"
+gem "appraisal"
+gem "activerecord-jdbcsqlite3-adapter", platforms: :jruby
+gem "sqlite3", platforms: [:ruby, :mswin, :mingw, :x64_mingw]
+gem "tzinfo-data", platforms: [:mingw, :mswin, :x64_mingw]
+gem "rspec-rails", "~> 3.7"
+
+gemspec path: "../"

data/gemfiles/rails_master.gemfile

@@ -0,0 +1,14 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "rails", git: 'https://github.com/rails/rails'
+gem "arel", git: 'https://github.com/rails/arel'
+
+gem "appraisal"
+gem "activerecord-jdbcsqlite3-adapter", platform: :jruby
+gem "sqlite3", platform: [:ruby, :mswin, :mingw, :x64_mingw]
+gem "tzinfo-data", platforms: [:mingw, :mswin, :x64_mingw]
+gem "rspec-rails", "~> 3.7"
+
+gemspec path: "../"

data/lib/doorkeeper/config.rb

@@ -59,12 +59,12 @@ doorkeeper.
       # @option opts[Boolean] :confirmation (false)
       #   Set confirm_application_owner variable
       def enable_application_owner(opts = {})
-        @config.instance_variable_set('@enable_application_owner', true)
+        @config.instance_variable_set(:@enable_application_owner, true)
         confirm_application_owner if opts[:confirmation].present? && opts[:confirmation]
       end
 
       def confirm_application_owner
-        @config.instance_variable_set('@confirm_application_owner', true)
+        @config.instance_variable_set(:@confirm_application_owner, true)
       end
 
       # Define default access token scopes for your provider
@@ -72,7 +72,7 @@ doorkeeper.
       # @param scopes [Array] Default set of access (OAuth::Scopes.new)
       # token scopes
       def default_scopes(*scopes)
-        @config.instance_variable_set('@default_scopes', OAuth::Scopes.from_array(scopes))
+        @config.instance_variable_set(:@default_scopes, OAuth::Scopes.from_array(scopes))
       end
 
       # Define default access token scopes for your provider
@@ -80,7 +80,7 @@ doorkeeper.
       # @param scopes [Array] Optional set of access (OAuth::Scopes.new)
       # token scopes
       def optional_scopes(*scopes)
-        @config.instance_variable_set('@optional_scopes', OAuth::Scopes.from_array(scopes))
+        @config.instance_variable_set(:@optional_scopes, OAuth::Scopes.from_array(scopes))
       end
 
       # Change the way client credentials are retrieved from the request object.
@@ -90,7 +90,7 @@ doorkeeper.
       #
       # @param methods [Array] Define client credentials
       def client_credentials(*methods)
-        @config.instance_variable_set('@client_credentials', methods)
+        @config.instance_variable_set(:@client_credentials, methods)
       end
 
       # Change the way access token is authenticated from the request object.
@@ -100,57 +100,19 @@ doorkeeper.
       #
       # @param methods [Array] Define access token methods
       def access_token_methods(*methods)
-        @config.instance_variable_set('@access_token_methods', methods)
+        @config.instance_variable_set(:@access_token_methods, methods)
       end
 
       # Issue access tokens with refresh token (disabled by default)
       def use_refresh_token
-        @config.instance_variable_set('@refresh_token_enabled', true)
-      end
-
-      # WWW-Authenticate Realm (default "Doorkeeper").
-      #
-      # @param realm [String] ("Doorkeeper") Authentication realm
-      def realm(realm)
-        @config.instance_variable_set('@realm', realm)
+        @config.instance_variable_set(:@refresh_token_enabled, true)
       end
 
       # Reuse access token for the same resource owner within an application
       # (disabled by default)
       # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/383
       def reuse_access_token
-        @config.instance_variable_set("@reuse_access_token", true)
-      end
-
-      # Forces the usage of the HTTPS protocol in non-native redirect uris
-      # (enabled by default in non-development environments). OAuth2
-      # delegates security in communication to the HTTPS protocol so it is
-      # wise to keep this enabled.
-      #
-      # @param [Boolean] boolean value for the parameter, true by default in
-      # non-development environment
-      def force_ssl_in_redirect_uri(boolean)
-        @config.instance_variable_set("@force_ssl_in_redirect_uri", boolean)
-      end
-
-      # Use a custom class for generating the access token.
-      # https://github.com/doorkeeper-gem/doorkeeper#custom-access-token-generator
-      #
-      # @param access_token_generator [String]
-      #   the name of the access token generator class
-      def access_token_generator(access_token_generator)
-        @config.instance_variable_set(
-          '@access_token_generator', access_token_generator
-        )
-      end
-
-      # The controller Doorkeeper::ApplicationController inherits from.
-      # Defaults to ActionController::Base.
-      # https://github.com/doorkeeper-gem/doorkeeper#custom-base-controller
-      #
-      # @param base_controller [String] the name of the base controller
-      def base_controller(base_controller)
-        @config.instance_variable_set('@base_controller', base_controller)
+        @config.instance_variable_set(:@reuse_access_token, true)
       end
     end
 
@@ -210,10 +172,6 @@ doorkeeper.
 
         public attribute
       end
-
-      def extended(base)
-        base.send(:private, :option)
-      end
     end
 
     extend Option
@@ -221,15 +179,17 @@ doorkeeper.
     option :resource_owner_authenticator,
            as: :authenticate_resource_owner,
            default: (lambda do |_routes|
-             logger.warn(I18n.translate('doorkeeper.errors.messages.resource_owner_authenticator_not_configured'))
+             ::Rails.logger.warn(I18n.t('doorkeeper.errors.messages.resource_owner_authenticator_not_configured'))
              nil
            end)
+
     option :admin_authenticator,
            as: :authenticate_admin,
            default: ->(_routes) {}
+
     option :resource_owner_from_credentials,
            default: (lambda do |_routes|
-             warn(I18n.translate('doorkeeper.errors.messages.credential_flow_not_configured'))
+             ::Rails.logger.warn(I18n.t('doorkeeper.errors.messages.credential_flow_not_configured'))
              nil
            end)
 
@@ -240,11 +200,51 @@ doorkeeper.
     option :orm,                            default: :active_record
     option :native_redirect_uri,            default: 'urn:ietf:wg:oauth:2.0:oob'
     option :active_record_options,          default: {}
+    option :grant_flows,                    default: %w[authorization_code client_credentials]
+
+    # Allows to forbid specific Application redirect URI's by custom rules.
+    # Doesn't forbid any URI by default.
+    #
+    # @param forbid_redirect_uri [Proc] Block or any object respond to #call
+    #
+    option :forbid_redirect_uri,            default: ->(_uri) { false }
+
+    # WWW-Authenticate Realm (default "Doorkeeper").
+    #
+    # @param realm [String] ("Doorkeeper") Authentication realm
+    #
     option :realm,                          default: 'Doorkeeper'
+
+    # Forces the usage of the HTTPS protocol in non-native redirect uris
+    # (enabled by default in non-development environments). OAuth2
+    # delegates security in communication to the HTTPS protocol so it is
+    # wise to keep this enabled.
+    #
+    # @param [Boolean] boolean_or_block value for the parameter, true by default in
+    # non-development environment
+    #
+    # @yield [uri] Conditional usage of SSL redirect uris.
+    # @yieldparam [URI] Redirect URI
+    # @yieldreturn [Boolean] Indicates necessity of usage of the HTTPS protocol
+    #   in non-native redirect uris
+    #
     option :force_ssl_in_redirect_uri,      default: !Rails.env.development?
-    option :grant_flows,                    default: %w(authorization_code client_credentials)
+
+
+    # Use a custom class for generating the access token.
+    # https://github.com/doorkeeper-gem/doorkeeper#custom-access-token-generator
+    #
+    # @param access_token_generator [String]
+    #   the name of the access token generator class
+    #
     option :access_token_generator,
            default: 'Doorkeeper::OAuth::Helpers::UniqueToken'
+
+    # The controller Doorkeeper::ApplicationController inherits from.
+    # Defaults to ActionController::Base.
+    # https://github.com/doorkeeper-gem/doorkeeper#custom-base-controller
+    #
+    # @param base_controller [String] the name of the base controller
     option :base_controller,
            default: 'ActionController::Base'
 
@@ -278,11 +278,11 @@ doorkeeper.
     end
 
     def client_credentials_methods
-      @client_credentials ||= [:from_basic, :from_params]
+      @client_credentials ||= %i[from_basic from_params]
     end
 
     def access_token_methods
-      @access_token_methods ||= [:from_bearer_authorization, :from_access_token_param, :from_bearer_param]
+      @access_token_methods ||= %i[from_bearer_authorization from_access_token_param from_bearer_param]
     end
 
     def authorization_response_types

data/lib/doorkeeper/engine.rb

@@ -1,7 +1,7 @@
 module Doorkeeper
   class Engine < Rails::Engine
     initializer "doorkeeper.params.filter" do |app|
-      parameters = %w(client_secret code authentication_token access_token refresh_token)
+      parameters = %w[client_secret code authentication_token access_token refresh_token]
       app.config.filter_parameters << /^(#{Regexp.union parameters})$/
     end
 
@@ -17,10 +17,10 @@ module Doorkeeper
 
     if defined?(Sprockets) && Sprockets::VERSION.chr.to_i >= 4
       initializer 'doorkeeper.assets.precompile' do |app|
-        app.config.assets.precompile += %w(
+        app.config.assets.precompile += %w[
           doorkeeper/application.css
           doorkeeper/admin/application.css
-        )
+        ]
       end
     end
   end

data/lib/doorkeeper/errors.rb

@@ -1,21 +1,39 @@
 module Doorkeeper
   module Errors
     class DoorkeeperError < StandardError
+      def type
+        message
+      end
     end
 
     class InvalidAuthorizationStrategy < DoorkeeperError
+      def type
+        :unsupported_response_type
+      end
     end
 
     class InvalidTokenReuse < DoorkeeperError
+      def type
+        :invalid_request
+      end
     end
 
     class InvalidGrantReuse < DoorkeeperError
+      def type
+        :invalid_grant
+      end
     end
 
     class InvalidTokenStrategy < DoorkeeperError
+      def type
+        :unsupported_grant_type
+      end
     end
 
     class MissingRequestStrategy < DoorkeeperError
+      def type
+        :invalid_request
+      end
     end
 
     class UnableToGenerateToken < DoorkeeperError

data/lib/doorkeeper/grape/helpers.rb

@@ -9,7 +9,7 @@ module Doorkeeper
 
       # endpoint specific scopes > parameter scopes > default scopes
       def doorkeeper_authorize!(*scopes)
-        endpoint_scopes = env["api.endpoint"].route_setting(:scopes)
+        endpoint_scopes = endpoint.route_setting(:scopes) || endpoint.options[:route_options][:scopes]
         scopes = if endpoint_scopes
                    Doorkeeper::OAuth::Scopes.from_array(endpoint_scopes)
                  elsif scopes && !scopes.empty?
@@ -20,18 +20,16 @@ module Doorkeeper
       end
 
       def doorkeeper_render_error_with(error)
-        status_code = case error.status
-                      when :unauthorized
-                        401
-                      when :forbidden
-                        403
-                      end
-
+        status_code = error_status_codes[error.status]
         error!({ error: error.description }, status_code, error.headers)
       end
 
       private
 
+      def endpoint
+        env['api.endpoint']
+      end
+
       def doorkeeper_token
         @_doorkeeper_token ||= OAuth::Token.authenticate(
           decorated_request,
@@ -42,6 +40,13 @@ module Doorkeeper
       def decorated_request
         AuthorizationDecorator.new(request)
       end
+
+      def error_status_codes
+        {
+          unauthorized: 401,
+          forbidden: 403
+        }
+      end
     end
   end
 end

data/lib/doorkeeper/helpers/controller.rb

@@ -5,11 +5,13 @@ module Doorkeeper
     module Controller
       private
 
-      def authenticate_resource_owner! # :doc:
+      # :doc:
+      def authenticate_resource_owner!
         current_resource_owner
       end
 
-      def current_resource_owner # :doc:
+      # :doc:
+      def current_resource_owner
         instance_eval(&Doorkeeper.configuration.authenticate_resource_owner)
       end
 
@@ -17,7 +19,8 @@ module Doorkeeper
         instance_eval(&Doorkeeper.configuration.resource_owner_from_credentials)
       end
 
-      def authenticate_admin! # :doc:
+      # :doc:
+      def authenticate_admin!
         instance_eval(&Doorkeeper.configuration.authenticate_admin)
       end
 
@@ -25,7 +28,8 @@ module Doorkeeper
         @server ||= Server.new(self)
       end
 
-      def doorkeeper_token # :doc:
+      # :doc:
+      def doorkeeper_token
         @token ||= OAuth::Token.authenticate request, *config_methods
       end
 
@@ -34,22 +38,7 @@ module Doorkeeper
       end
 
       def get_error_response_from_exception(exception)
-        error_name = case exception
-                     when Errors::InvalidTokenStrategy
-                       :unsupported_grant_type
-                     when Errors::InvalidAuthorizationStrategy
-                       :unsupported_response_type
-                     when Errors::MissingRequestStrategy
-                       :invalid_request
-                     when Errors::InvalidTokenReuse
-                       :invalid_request
-                     when Errors::InvalidGrantReuse
-                       :invalid_grant
-                     when Errors::DoorkeeperError
-                       exception.message
-                     end
-
-        OAuth::ErrorResponse.new name: error_name, state: params[:state]
+        OAuth::ErrorResponse.new name: exception.type, state: params[:state]
       end
 
       def handle_token_exception(exception)

data/lib/doorkeeper/models/access_token_mixin.rb

@@ -68,11 +68,11 @@ module Doorkeeper
       # @param resource_owner [ActiveRecord::Base]
       #   instance of the Resource Owner model
       #
-      def revoke_all_for(application_id, resource_owner)
+      def revoke_all_for(application_id, resource_owner, clock = Time)
         where(application_id: application_id,
               resource_owner_id: resource_owner.id,
               revoked_at: nil).
-          each(&:revoke)
+          update_all(revoked_at: clock.now.utc)
       end
 
       # Looking for not expired Access Token with a matching set of scopes
@@ -168,7 +168,7 @@ module Doorkeeper
       #   nil if nothing was found
       #
       def last_authorized_token_for(application_id, resource_owner_id)
-        send(order_method, created_at_desc).
+        ordered_by(:created_at, :desc).
           find_by(application_id: application_id,
                   resource_owner_id: resource_owner_id,
                   revoked_at: nil)
@@ -247,7 +247,11 @@ module Doorkeeper
     def generate_token
       self.created_at ||= Time.now.utc
 
-      generator = Doorkeeper.configuration.access_token_generator.constantize
+      generator = token_generator
+      unless generator.respond_to?(:generate)
+        raise Errors::UnableToGenerateToken, "#{generator} does not respond to `.generate`."
+      end
+
       self.token = generator.generate(
         resource_owner_id: resource_owner_id,
         scopes: scopes,
@@ -255,10 +259,13 @@ module Doorkeeper
         expires_in: expires_in,
         created_at: created_at
       )
-    rescue NoMethodError
-      raise Errors::UnableToGenerateToken, "#{generator} does not respond to `.generate`."
+    end
+
+    def token_generator
+      generator_name = Doorkeeper.configuration.access_token_generator
+      generator_name.constantize
     rescue NameError
-      raise Errors::TokenGeneratorNotFound, "#{generator} not found"
+      raise Errors::TokenGeneratorNotFound, "#{generator_name} not found"
     end
   end
 end

data/lib/doorkeeper/models/application_mixin.rb

@@ -43,6 +43,15 @@ module Doorkeeper
       end
     end
 
+    # Set an application's valid redirect URIs.
+    #
+    # @param uris [String, Array] Newline-separated string or array the URI(s)
+    #
+    # @return [String] The redirect URI(s) seperated by newlines.
+    def redirect_uri=(uris)
+      super(uris.is_a?(Array) ? uris.join("\n") : uris)
+    end
+
     private
 
     def has_scopes?
@@ -51,15 +60,11 @@ module Doorkeeper
     end
 
     def generate_uid
-      if uid.blank?
-        self.uid = UniqueToken.generate
-      end
+      self.uid = UniqueToken.generate if uid.blank?
     end
 
     def generate_secret
-      if secret.blank?
-        self.secret = UniqueToken.generate
-      end
+      self.secret = UniqueToken.generate if secret.blank?
     end
   end
 end

data/lib/doorkeeper/models/concerns/expirable.rb

@@ -6,7 +6,7 @@ module Doorkeeper
       #
       # @return [Boolean] true if object expired and false in other case
       def expired?
-        expires_in && Time.now.utc > expired_time
+        expires_in && Time.now.utc > expires_at
       end
 
       # Calculates expiration time in seconds.
@@ -15,14 +15,16 @@ module Doorkeeper
       #   or nil if object never expires.
       def expires_in_seconds
         return nil if expires_in.nil?
-        expires = (created_at + expires_in.seconds) - Time.now.utc
+        expires = expires_at - Time.now.utc
         expires_sec = expires.seconds.round(0)
         expires_sec > 0 ? expires_sec : 0
       end
 
-      private
-
-      def expired_time
+      # Expiration time (date time of creation + TTL).
+      #
+      # @return [Time] expiration time in UTC
+      #
+      def expires_at
         created_at + expires_in.seconds
       end
     end

data/lib/doorkeeper/oauth/authorization/token.rb

@@ -4,19 +4,33 @@ module Doorkeeper
       class Token
         attr_accessor :pre_auth, :resource_owner, :token
 
+        class << self
+          def access_token_expires_in(server, pre_auth_or_oauth_client)
+            if (expiration = custom_expiration(server, pre_auth_or_oauth_client))
+              expiration
+            else
+              server.access_token_expires_in
+            end
+          end
+
+          private
+
+          def custom_expiration(server, pre_auth_or_oauth_client)
+            oauth_client = if pre_auth_or_oauth_client.respond_to?(:client)
+                             pre_auth_or_oauth_client.client
+                           else
+                             pre_auth_or_oauth_client
+                           end
+
+            server.custom_access_token_expires_in.call(oauth_client)
+          end
+        end
+
         def initialize(pre_auth, resource_owner)
           @pre_auth       = pre_auth
           @resource_owner = resource_owner
         end
 
-        def self.access_token_expires_in(server, pre_auth_or_oauth_client)
-          if expiration = custom_expiration(server, pre_auth_or_oauth_client)
-            expiration
-          else
-            server.access_token_expires_in
-          end
-        end
-
         def issue_token
           @token ||= AccessToken.find_or_create_for(
             pre_auth.client,
@@ -37,16 +51,6 @@ module Doorkeeper
 
         private
 
-        def self.custom_expiration(server, pre_auth_or_oauth_client)
-          oauth_client = if pre_auth_or_oauth_client.respond_to?(:client)
-                           pre_auth_or_oauth_client.client
-                         else
-                           pre_auth_or_oauth_client
-                         end
-
-          server.custom_access_token_expires_in.call(oauth_client)
-        end
-
         def configuration
           Doorkeeper.configuration
         end

data/lib/doorkeeper/oauth/authorization_code_request.rb

@@ -4,6 +4,7 @@ module Doorkeeper
       validate :attributes,   error: :invalid_request
       validate :client,       error: :invalid_client
       validate :grant,        error: :invalid_grant
+      # @see https://tools.ietf.org/html/rfc6749#section-5.2
       validate :redirect_uri, error: :invalid_grant
 
       attr_accessor :server, :grant, :client, :redirect_uri, :access_token
@@ -28,6 +29,7 @@ module Doorkeeper
                                       grant.scopes,
                                       server)
         end
+        super
       end
 
       def validate_attributes
@@ -44,7 +46,10 @@ module Doorkeeper
       end
 
       def validate_redirect_uri
-        grant.redirect_uri == redirect_uri
+        Helpers::URIChecker.valid_for_authorization?(
+          redirect_uri,
+          grant.redirect_uri
+        )
       end
     end
   end

data/lib/doorkeeper/oauth/base_request.rb

@@ -5,6 +5,7 @@ module Doorkeeper
 
       def authorize
         validate
+
         if valid?
           before_successful_response
           @response = TokenResponse.new(access_token)
@@ -37,14 +38,13 @@ module Doorkeeper
           resource_owner_id,
           scopes,
           Authorization::Token.access_token_expires_in(server, client),
-          server.refresh_token_enabled?)
+          server.refresh_token_enabled?
+        )
       end
 
-      def before_successful_response
-      end
+      def before_successful_response; end
 
-      def after_successful_response
-      end
+      def after_successful_response; end
     end
   end
 end

data/lib/doorkeeper/oauth/client/credentials.rb

@@ -1,7 +1,7 @@
 module Doorkeeper
   module OAuth
     class Client
-      class Credentials < Struct.new(:uid, :secret)
+      Credentials = Struct.new(:uid, :secret) do
         class << self
           def from_request(request, *credentials_methods)
             credentials_methods.inject(nil) do |credentials, method|
@@ -18,7 +18,7 @@ module Doorkeeper
           def from_basic(request)
             authorization = request.authorization
             if authorization.present? && authorization =~ /^Basic (.*)/m
-              Base64.decode64($1).split(/:/, 2)
+              Base64.decode64(Regexp.last_match(1)).split(/:/, 2)
             end
           end
         end