doorkeeper 4.2.5 → 4.3.0

data/lib/doorkeeper/oauth/client.rb

@@ -12,7 +12,7 @@ module Doorkeeper
       end
 
       def self.find(uid, method = Application.method(:by_uid))
-        if application = method.call(uid)
+        if (application = method.call(uid))
           new(application)
         end
       end
@@ -20,7 +20,7 @@ module Doorkeeper
       def self.authenticate(credentials, method = Application.method(:by_uid_and_secret))
         return false if credentials.blank?
 
-        if application = method.call(credentials.uid, credentials.secret)
+        if (application = method.call(credentials.uid, credentials.secret))
           new(application)
         end
       end

data/lib/doorkeeper/oauth/error.rb

@@ -1,10 +1,10 @@
 module Doorkeeper
   module OAuth
-    class Error < Struct.new(:name, :state)
+    Error = Struct.new(:name, :state) do
       def description
         I18n.translate(
           name,
-          scope: [:doorkeeper, :errors, :messages],
+          scope: %i[doorkeeper errors messages],
           default: :server_error
         )
       end

data/lib/doorkeeper/oauth/error_response.rb

@@ -4,8 +4,7 @@ module Doorkeeper
       include OAuth::Helpers
 
       def self.from_request(request, attributes = {})
-        state = request.state if request.respond_to?(:state)
-        new(attributes.merge(name: request.error, state: state))
+        new(attributes.merge(name: request.error, state: request.try(:state)))
       end
 
       delegate :name, :description, :state, to: :@error

data/lib/doorkeeper/oauth/forbidden_token_response.rb

@@ -21,7 +21,7 @@ module Doorkeeper
       end
 
       def description
-        scope = { scope: [:doorkeeper, :scopes] }
+        scope = { scope: %i[doorkeeper scopes] }
         @description ||= @scopes.map { |r| I18n.translate r, scope }.join('\n')
       end
     end

data/lib/doorkeeper/oauth/invalid_token_response.rb

@@ -4,10 +4,9 @@ module Doorkeeper
       attr_reader :reason
 
       def self.from_access_token(access_token, attributes = {})
-        reason = case
-                 when access_token.try(:revoked?)
+        reason = if access_token.try(:revoked?)
                    :revoked
-                 when access_token.try(:expired?)
+                 elsif access_token.try(:expired?)
                    :expired
                  else
                    :unknown

data/lib/doorkeeper/oauth/password_access_token_request.rb

@@ -22,6 +22,7 @@ module Doorkeeper
 
       def before_successful_response
         find_or_create_access_token(client, resource_owner.id, scopes, server)
+        super
       end
 
       def validate_scopes

data/lib/doorkeeper/oauth/refresh_token_request.rb

@@ -35,6 +35,7 @@ module Doorkeeper
           refresh_token.revoke unless refresh_token_revoked_on_use?
           create_access_token
         end
+        super
       end
 
       def refresh_token_revoked_on_use?

data/lib/doorkeeper/oauth/scopes.rb

@@ -45,20 +45,30 @@ module Doorkeeper
       end
 
       def +(other)
-        if other.is_a? Scopes
-          self.class.from_array(all + other.all)
-        else
-          super(other)
-        end
+        self.class.from_array(all + to_array(other))
       end
 
       def <=>(other)
-        map(&:to_s).sort <=> other.map(&:to_s).sort
+        if other.respond_to?(:map)
+          map(&:to_s).sort <=> other.map(&:to_s).sort
+        else
+          super
+        end
       end
 
       def &(other)
-        other_array = other.present? ? other.all : []
-        self.class.from_array(all & other_array)
+        self.class.from_array(all & to_array(other))
+      end
+
+      private
+
+      def to_array(other)
+        case other
+        when Scopes
+          other.all
+        else
+          other.to_a
+        end
       end
     end
   end

data/lib/doorkeeper/oauth/token.rb

@@ -11,7 +11,7 @@ module Doorkeeper
         end
 
         def authenticate(request, *methods)
-          if token = from_request(request, *methods)
+          if (token = from_request(request, *methods))
             access_token = AccessToken.by_token(token)
             access_token.revoke_previous_refresh_token! if access_token
             access_token

data/lib/doorkeeper/oauth/token_introspection.rb

@@ -0,0 +1,128 @@
+module Doorkeeper
+  module OAuth
+    # RFC7662 OAuth 2.0 Token Introspection
+    #
+    # @see https://tools.ietf.org/html/rfc7662
+    class TokenIntrospection
+      attr_reader :server, :token
+      attr_reader :error
+
+      def initialize(server, token)
+        @server = server
+        @token = token
+
+        authorize!
+      end
+
+      def authorized?
+        @error.blank?
+      end
+
+      def to_json
+        active? ? success_response : failure_response
+      end
+
+      private
+
+      # If the protected resource uses OAuth 2.0 client credentials to
+      # authenticate to the introspection endpoint and its credentials are
+      # invalid, the authorization server responds with an HTTP 401
+      # (Unauthorized) as described in Section 5.2 of OAuth 2.0 [RFC6749].
+      #
+      # Endpoint must first validate the authentication.
+      # If the authentication is invalid, the endpoint should respond with
+      # an HTTP 401 status code and an invalid_client response.
+      #
+      # @see https://www.oauth.com/oauth2-servers/token-introspection-endpoint/
+      #
+      def authorize!
+        # Requested client authorization
+        if server.credentials
+          @error = :invalid_client unless authorized_client
+        else
+          # Requested bearer token authorization
+          @error = :invalid_request unless authorized_token
+        end
+      end
+
+      # Client Authentication
+      def authorized_client
+        @_authorized_client ||= server.credentials && server.client
+      end
+
+      # Bearer Token Authentication
+      def authorized_token
+        @_authorized_token ||=
+          OAuth::Token.authenticate(server.context.request, :from_bearer_authorization)
+      end
+
+      # 2.2. Introspection Response
+      def success_response
+        {
+          active: true,
+          scope: @token.scopes_string,
+          client_id: @token.try(:application).try(:uid),
+          token_type: @token.token_type,
+          exp: @token.expires_at.to_i,
+          iat: @token.created_at.to_i
+        }
+      end
+
+      # If the introspection call is properly authorized but the token is not
+      # active, does not exist on this server, or the protected resource is
+      # not allowed to introspect this particular token, then the
+      # authorization server MUST return an introspection response with the
+      # "active" field set to "false".  Note that to avoid disclosing too
+      # much of the authorization server's state to a third party, the
+      # authorization server SHOULD NOT include any additional information
+      # about an inactive token, including why the token is inactive.
+      #
+      # @see https://tools.ietf.org/html/rfc7662 2.2. Introspection Response
+      #
+      def failure_response
+        {
+          active: false
+        }
+      end
+
+      # Boolean indicator of whether or not the presented token
+      # is currently active.  The specifics of a token's "active" state
+      # will vary depending on the implementation of the authorization
+      # server and the information it keeps about its tokens, but a "true"
+      # value return for the "active" property will generally indicate
+      # that a given token has been issued by this authorization server,
+      # has not been revoked by the resource owner, and is within its
+      # given time window of validity (e.g., after its issuance time and
+      # before its expiration time).
+      #
+      # Any other error is considered an "inactive" token.
+      #
+      # * The token requested does not exist or is invalid
+      # * The token expired
+      # * The token was issued to a different client than is making this request
+      #
+      def active?
+        if authorized_client
+          valid_token? && authorized_for_client?
+        else
+          valid_token?
+        end
+      end
+
+      # Token can be valid only if it is not expired or revoked.
+      def valid_token?
+        @token.present? && @token.accessible?
+      end
+
+      # If token doesn't belong to some client, then it is public.
+      # Otherwise in it required for token to be connected to the same client.
+      def authorized_for_client?
+        if @token.application.present?
+          @token.application == authorized_client.application
+        else
+          true
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/orm/active_record/access_grant.rb

@@ -1,5 +1,5 @@
 module Doorkeeper
-  class AccessGrant < ActiveRecord::Base
+  class AccessGrant < BaseRecord
     self.table_name = "#{table_name_prefix}oauth_access_grants#{table_name_suffix}".to_sym
 
     include AccessGrantMixin

data/lib/doorkeeper/orm/active_record/access_token.rb

@@ -1,21 +1,9 @@
 module Doorkeeper
-  class AccessToken < ActiveRecord::Base
+  class AccessToken < BaseRecord
     self.table_name = "#{table_name_prefix}oauth_access_tokens#{table_name_suffix}".to_sym
 
     include AccessTokenMixin
 
-    # Deletes all the Access Tokens created for the specific
-    # Application and Resource Owner.
-    #
-    # @param application_id [Integer] Application ID
-    # @param resource_owner [ActiveRecord::Base] Resource Owner model instance
-    #
-    def self.delete_all_for(application_id, resource_owner)
-      where(application_id: application_id,
-            resource_owner_id: resource_owner.id).delete_all
-    end
-    private_class_method :delete_all_for
-
     # Searches for not revoked Access Tokens associated with the
     # specific Resource Owner.
     #
@@ -29,18 +17,8 @@ module Doorkeeper
       where(resource_owner_id: resource_owner.id, revoked_at: nil)
     end
 
-    # ORM-specific order method.
-    def self.order_method
-      :order
-    end
-
     def self.refresh_token_revoked_on_use?
       column_names.include?('previous_refresh_token')
     end
-
-    # ORM-specific DESC order for `:created_at` column.
-    def self.created_at_desc
-      'created_at desc'
-    end
   end
 end

data/lib/doorkeeper/orm/active_record/application.rb

@@ -1,5 +1,5 @@
 module Doorkeeper
-  class Application < ActiveRecord::Base
+  class Application < BaseRecord
     self.table_name = "#{table_name_prefix}oauth_applications#{table_name_suffix}".to_sym
 
     include ApplicationMixin

data/lib/doorkeeper/orm/active_record/base_record.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  class BaseRecord < ActiveRecord::Base
+    self.abstract_class = true
+
+    def self.ordered_by(attribute, direction = :asc)
+      order(attribute => direction)
+    end
+  end
+end

data/lib/doorkeeper/orm/active_record.rb

@@ -1,22 +1,34 @@
+require 'active_support/lazy_load_hooks'
+
 module Doorkeeper
   module Orm
     module ActiveRecord
       def self.initialize_models!
-        require 'doorkeeper/orm/active_record/access_grant'
-        require 'doorkeeper/orm/active_record/access_token'
-        require 'doorkeeper/orm/active_record/application'
+        lazy_load do
+          require 'doorkeeper/orm/active_record/base_record'
+          require 'doorkeeper/orm/active_record/access_grant'
+          require 'doorkeeper/orm/active_record/access_token'
+          require 'doorkeeper/orm/active_record/application'
 
-        if Doorkeeper.configuration.active_record_options[:establish_connection]
-          [Doorkeeper::AccessGrant, Doorkeeper::AccessToken, Doorkeeper::Application].each do |c|
-            c.send :establish_connection, Doorkeeper.configuration.active_record_options[:establish_connection]
+          if Doorkeeper.configuration.active_record_options[:establish_connection]
+            [Doorkeeper::AccessGrant, Doorkeeper::AccessToken, Doorkeeper::Application].each do |model|
+              options = Doorkeeper.configuration.active_record_options[:establish_connection]
+              model.establish_connection(options)
+            end
           end
         end
       end
 
       def self.initialize_application_owner!
-        require 'doorkeeper/models/concerns/ownership'
+        lazy_load do
+          require 'doorkeeper/models/concerns/ownership'
+
+          Doorkeeper::Application.send :include, Doorkeeper::Models::Ownership
+        end
+      end
 
-        Doorkeeper::Application.send :include, Doorkeeper::Models::Ownership
+      def self.lazy_load(&block)
+        ActiveSupport.on_load(:active_record, {}, &block)
       end
     end
   end

data/lib/doorkeeper/rails/helpers.rb

@@ -9,11 +9,9 @@ module Doorkeeper
         end
       end
 
-      def doorkeeper_unauthorized_render_options(error: nil)
-      end
+      def doorkeeper_unauthorized_render_options(**); end
 
-      def doorkeeper_forbidden_render_options(error: nil)
-      end
+      def doorkeeper_forbidden_render_options(**); end
 
       def valid_doorkeeper_token?
         doorkeeper_token && doorkeeper_token.acceptable?(@_doorkeeper_scopes)
@@ -23,14 +21,15 @@ module Doorkeeper
 
       def doorkeeper_render_error
         error = doorkeeper_error
-        headers.merge! error.headers.reject { |k| "Content-Type" == k }
+        headers.merge!(error.headers.reject { |k| k == "Content-Type" })
         doorkeeper_render_error_with(error)
       end
 
       def doorkeeper_render_error_with(error)
         options = doorkeeper_render_options(error) || {}
         status = doorkeeper_status_for_error(
-          error, options.delete(:respond_not_found_when_forbidden))
+          error, options.delete(:respond_not_found_when_forbidden)
+        )
         if options.blank?
           head status
         else

data/lib/doorkeeper/rails/routes.rb

@@ -5,7 +5,6 @@ module Doorkeeper
   module Rails
     class Routes # :nodoc:
       module Helper
-        # TODO: options hash is not being used
         def use_doorkeeper(options = {}, &block)
           Doorkeeper::Rails::Routes.new(self, &block).generate_routes!(options)
         end
@@ -27,6 +26,7 @@ module Doorkeeper
           map_route(:authorizations, :authorization_routes)
           map_route(:tokens, :token_routes)
           map_route(:tokens, :revoke_routes)
+          map_route(:tokens, :introspect_routes)
           map_route(:applications, :application_routes)
           map_route(:authorized_applications, :authorized_applications_routes)
           map_route(:token_info, :token_info_routes)
@@ -36,20 +36,18 @@ module Doorkeeper
       private
 
       def map_route(name, method)
-        unless @mapping.skipped?(name)
-          send method, @mapping[name]
-        end
+        send(method, @mapping[name]) unless @mapping.skipped?(name)
       end
 
       def authorization_routes(mapping)
         routes.resource(
           :authorization,
           path: 'authorize',
-          only: [:create, :destroy],
+          only: %i[create destroy],
           as: mapping[:as],
           controller: mapping[:controllers]
         ) do
-          routes.get '/:code', action: :show, on: :member
+          routes.get '/native', action: :show, on: :member
           routes.get '/', action: :new, on: :member
         end
       end
@@ -67,6 +65,10 @@ module Doorkeeper
         routes.post 'revoke', controller: mapping[:controllers], action: :revoke
       end
 
+      def introspect_routes(mapping)
+        routes.post 'introspect', controller: mapping[:controllers], action: :introspect
+      end
+
       def token_info_routes(mapping)
         routes.resource(
           :token_info,
@@ -81,7 +83,7 @@ module Doorkeeper
       end
 
       def authorized_applications_routes(mapping)
-        routes.resources :authorized_applications, only: [:index, :destroy], controller: mapping[:controllers]
+        routes.resources :authorized_applications, only: %i[index destroy], controller: mapping[:controllers]
       end
     end
   end

data/lib/doorkeeper/request.rb

@@ -24,7 +24,7 @@ module Doorkeeper
     def get_strategy(grant_or_request_type, available)
       fail Errors::MissingRequestStrategy unless grant_or_request_type.present?
       fail NameError unless available.include?(grant_or_request_type.to_s)
-      "Doorkeeper::Request::#{grant_or_request_type.to_s.camelize}".constantize
+      strategy_class(grant_or_request_type)
     end
 
     def authorization_response_types
@@ -36,5 +36,11 @@ module Doorkeeper
       Doorkeeper.configuration.token_grant_types
     end
     private_class_method :token_grant_types
+
+    def strategy_class(grant_or_request_type)
+      strategy_class_name = grant_or_request_type.to_s.tr(' ', '_').camelize
+      "Doorkeeper::Request::#{strategy_class_name}".constantize
+    end
+    private_class_method :strategy_class
   end
 end

data/lib/doorkeeper/validations.rb

@@ -6,9 +6,10 @@ module Doorkeeper
 
     def validate
       @error = nil
+
       self.class.validations.each do |validation|
+        @error = validation[:options][:error] unless send("validate_#{validation[:attribute]}")
         break if @error
-        @error = validation.last unless send("validate_#{validation.first}")
       end
     end
 
@@ -19,7 +20,7 @@ module Doorkeeper
 
     module ClassMethods
       def validate(attribute, options = {})
-        validations << [attribute, options[:error]]
+        validations << { attribute: attribute, options: options }
       end
 
       def validations

data/lib/doorkeeper/version.rb

@@ -1,3 +1,15 @@
 module Doorkeeper
-  VERSION = "4.2.5".freeze
+  def self.gem_version
+    Gem::Version.new VERSION::STRING
+  end
+
+  module VERSION
+    # Semantic versioning
+    MAJOR = 4
+    MINOR = 3
+    TINY = 0
+
+    # Full version number
+    STRING = [MAJOR, MINOR, TINY].compact.join('.')
+  end
 end

data/lib/doorkeeper.rb

@@ -30,6 +30,7 @@ require 'doorkeeper/oauth/code_request'
 require 'doorkeeper/oauth/token_request'
 require 'doorkeeper/oauth/client'
 require 'doorkeeper/oauth/token'
+require 'doorkeeper/oauth/token_introspection'
 require 'doorkeeper/oauth/invalid_token_response'
 require 'doorkeeper/oauth/forbidden_token_response'
 

data/lib/generators/doorkeeper/application_owner_generator.rb

@@ -7,12 +7,21 @@ class Doorkeeper::ApplicationOwnerGenerator < Rails::Generators::Base
 
   def application_owner
     migration_template(
-      'add_owner_to_application_migration.rb',
-      'db/migrate/add_owner_to_application.rb'
+      'add_owner_to_application_migration.rb.erb',
+      'db/migrate/add_owner_to_application.rb',
+      migration_version: migration_version
     )
   end
 
   def self.next_migration_number(dirname)
     ActiveRecord::Generators::Base.next_migration_number(dirname)
   end
+
+  private
+
+  def migration_version
+    if ActiveRecord::VERSION::MAJOR >= 5
+      "[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
+    end
+  end
 end

data/lib/generators/doorkeeper/migration_generator.rb

@@ -6,10 +6,22 @@ class Doorkeeper::MigrationGenerator < ::Rails::Generators::Base
   desc 'Installs Doorkeeper migration file.'
 
   def install
-    migration_template 'migration.rb', 'db/migrate/create_doorkeeper_tables.rb'
+    migration_template(
+      'migration.rb.erb',
+      'db/migrate/create_doorkeeper_tables.rb',
+      migration_version: migration_version
+    )
   end
 
   def self.next_migration_number(dirname)
     ActiveRecord::Generators::Base.next_migration_number(dirname)
   end
+
+  private
+
+  def migration_version
+    if ActiveRecord::VERSION::MAJOR >= 5
+      "[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
+    end
+  end
 end

data/lib/generators/doorkeeper/previous_refresh_token_generator.rb

@@ -12,7 +12,7 @@ class Doorkeeper::PreviousRefreshTokenGenerator < Rails::Generators::Base
   def previous_refresh_token
     if no_previous_refresh_token_column?
       migration_template(
-        'add_previous_refresh_token_to_access_tokens.rb',
+        'add_previous_refresh_token_to_access_tokens.rb.erb',
         'db/migrate/add_previous_refresh_token_to_access_tokens.rb'
       )
     end
@@ -20,6 +20,12 @@ class Doorkeeper::PreviousRefreshTokenGenerator < Rails::Generators::Base
 
   private
 
+  def migration_version
+    if ActiveRecord::VERSION::MAJOR >= 5
+      "[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
+    end
+  end
+
   def no_previous_refresh_token_column?
     !ActiveRecord::Base.connection.column_exists?(
       :oauth_access_tokens,

data/lib/generators/doorkeeper/templates/{add_owner_to_application_migration.rb → add_owner_to_application_migration.rb.erb}

@@ -1,4 +1,4 @@
-class AddOwnerToApplication < ActiveRecord::Migration
+class AddOwnerToApplication < ActiveRecord::Migration<%= migration_version %>
   def change
     add_column :oauth_applications, :owner_id, :integer, null: true
     add_column :oauth_applications, :owner_type, :string, null: true

data/lib/generators/doorkeeper/templates/{add_previous_refresh_token_to_access_tokens.rb → add_previous_refresh_token_to_access_tokens.rb.erb}

@@ -1,4 +1,4 @@
-class AddPreviousRefreshTokenToAccessTokens < ActiveRecord::Migration
+class AddPreviousRefreshTokenToAccessTokens < ActiveRecord::Migration<%= migration_version %>
   def change
     add_column(
       :oauth_access_tokens,