RubyGems - doorkeeper - Versions diffs - 4.2.6 → 4.3.0 - Mend

doorkeeper 4.2.6 → 4.3.0

Potentially problematic release.

This version of doorkeeper might be problematic. Click here for more details.

Files changed (120) hide show

checksums.yaml +4 -4
data/.github/ISSUE_TEMPLATE.md +19 -0
data/.github/PULL_REQUEST_TEMPLATE.md +17 -0
data/.gitignore +1 -1
data/.hound.yml +2 -13
data/.rubocop.yml +13 -0
data/.travis.yml +13 -5
data/Appraisals +6 -2
data/CODE_OF_CONDUCT.md +46 -0
data/Gemfile +1 -1
data/NEWS.md +24 -0
data/README.md +39 -9
data/SECURITY.md +13 -0
data/app/controllers/doorkeeper/application_controller.rb +1 -5
data/app/controllers/doorkeeper/applications_controller.rb +14 -1
data/app/controllers/doorkeeper/tokens_controller.rb +13 -1
data/app/helpers/doorkeeper/dashboard_helper.rb +4 -2
data/app/validators/redirect_uri_validator.rb +12 -2
data/app/views/doorkeeper/applications/_form.html.erb +1 -1
data/app/views/doorkeeper/authorized_applications/index.html.erb +0 -1
data/config/locales/en.yml +3 -5
data/doorkeeper.gemspec +4 -3
data/gemfiles/rails_4_2.gemfile +6 -4
data/gemfiles/rails_5_0.gemfile +4 -4
data/gemfiles/rails_5_1.gemfile +6 -7
data/gemfiles/rails_5_2.gemfile +12 -0
data/gemfiles/rails_master.gemfile +14 -0
data/lib/doorkeeper.rb +1 -0
data/lib/doorkeeper/config.rb +55 -55
data/lib/doorkeeper/engine.rb +3 -3
data/lib/doorkeeper/grape/helpers.rb +13 -8
data/lib/doorkeeper/helpers/controller.rb +8 -4
data/lib/doorkeeper/models/access_token_mixin.rb +14 -7
data/lib/doorkeeper/models/application_mixin.rb +11 -6
data/lib/doorkeeper/models/concerns/expirable.rb +7 -5
data/lib/doorkeeper/oauth/authorization/token.rb +22 -18
data/lib/doorkeeper/oauth/authorization_code_request.rb +6 -1
data/lib/doorkeeper/oauth/base_request.rb +5 -5
data/lib/doorkeeper/oauth/client.rb +2 -2
data/lib/doorkeeper/oauth/client/credentials.rb +2 -2
data/lib/doorkeeper/oauth/error.rb +2 -2
data/lib/doorkeeper/oauth/error_response.rb +1 -2
data/lib/doorkeeper/oauth/forbidden_token_response.rb +1 -1
data/lib/doorkeeper/oauth/invalid_token_response.rb +2 -3
data/lib/doorkeeper/oauth/password_access_token_request.rb +1 -0
data/lib/doorkeeper/oauth/refresh_token_request.rb +1 -0
data/lib/doorkeeper/oauth/scopes.rb +18 -8
data/lib/doorkeeper/oauth/token.rb +1 -1
data/lib/doorkeeper/oauth/token_introspection.rb +128 -0
data/lib/doorkeeper/orm/active_record.rb +20 -8
data/lib/doorkeeper/orm/active_record/access_grant.rb +1 -1
data/lib/doorkeeper/orm/active_record/access_token.rb +1 -23
data/lib/doorkeeper/orm/active_record/application.rb +1 -1
data/lib/doorkeeper/orm/active_record/base_record.rb +11 -0
data/lib/doorkeeper/rails/helpers.rb +5 -6
data/lib/doorkeeper/rails/routes.rb +9 -7
data/lib/doorkeeper/request.rb +7 -1
data/lib/doorkeeper/validations.rb +3 -2
data/lib/doorkeeper/version.rb +13 -1
data/lib/generators/doorkeeper/application_owner_generator.rb +11 -2
data/lib/generators/doorkeeper/migration_generator.rb +13 -1
data/lib/generators/doorkeeper/previous_refresh_token_generator.rb +7 -1
data/lib/generators/doorkeeper/templates/{add_owner_to_application_migration.rb → add_owner_to_application_migration.rb.erb} +1 -1
data/lib/generators/doorkeeper/templates/{add_previous_refresh_token_to_access_tokens.rb → add_previous_refresh_token_to_access_tokens.rb.erb} +1 -1
data/lib/generators/doorkeeper/templates/initializer.rb +19 -3
data/lib/generators/doorkeeper/templates/{migration.rb → migration.rb.erb} +1 -1
data/spec/controllers/applications_controller_spec.rb +15 -4
data/spec/controllers/authorizations_controller_spec.rb +5 -5
data/spec/controllers/protected_resources_controller_spec.rb +28 -19
data/spec/controllers/token_info_controller_spec.rb +17 -13
data/spec/controllers/tokens_controller_spec.rb +138 -4
data/spec/dummy/config/initializers/doorkeeper.rb +1 -1
data/spec/dummy/config/initializers/{active_record_belongs_to_required_by_default.rb → new_framework_defaults.rb} +1 -1
data/spec/dummy/config/initializers/secret_token.rb +0 -1
data/spec/factories.rb +1 -1
data/spec/generators/application_owner_generator_spec.rb +24 -5
data/spec/generators/migration_generator_spec.rb +24 -3
data/spec/generators/previous_refresh_token_generator_spec.rb +57 -0
data/spec/grape/grape_integration_spec.rb +135 -0
data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +1 -1
data/spec/lib/config_spec.rb +115 -12
data/spec/lib/models/revocable_spec.rb +2 -2
data/spec/lib/oauth/authorization_code_request_spec.rb +39 -11
data/spec/lib/oauth/base_request_spec.rb +2 -7
data/spec/lib/oauth/client_credentials/creator_spec.rb +1 -1
data/spec/lib/oauth/client_credentials_integration_spec.rb +1 -1
data/spec/lib/oauth/client_credentials_request_spec.rb +1 -0
data/spec/lib/oauth/code_request_spec.rb +1 -3
data/spec/lib/oauth/helpers/uri_checker_spec.rb +5 -0
data/spec/lib/oauth/invalid_token_response_spec.rb +1 -1
data/spec/lib/oauth/password_access_token_request_spec.rb +9 -3
data/spec/lib/oauth/refresh_token_request_spec.rb +19 -7
data/spec/lib/oauth/scopes_spec.rb +28 -1
data/spec/lib/oauth/token_request_spec.rb +6 -8
data/spec/lib/server_spec.rb +10 -0
data/spec/models/doorkeeper/access_grant_spec.rb +1 -1
data/spec/models/doorkeeper/access_token_spec.rb +72 -48
data/spec/models/doorkeeper/application_spec.rb +51 -18
data/spec/requests/applications/applications_request_spec.rb +5 -5
data/spec/requests/endpoints/token_spec.rb +8 -1
data/spec/requests/flows/authorization_code_spec.rb +1 -0
data/spec/requests/flows/client_credentials_spec.rb +1 -1
data/spec/requests/flows/implicit_grant_errors_spec.rb +2 -2
data/spec/requests/flows/refresh_token_spec.rb +4 -4
data/spec/requests/flows/revoke_token_spec.rb +15 -15
data/spec/requests/protected_resources/metal_spec.rb +1 -1
data/spec/requests/protected_resources/private_api_spec.rb +1 -1
data/spec/routing/custom_controller_routes_spec.rb +4 -0
data/spec/routing/default_routes_spec.rb +5 -1
data/spec/spec_helper_integration.rb +15 -4
data/spec/support/dependencies/factory_girl.rb +2 -2
data/spec/support/helpers/access_token_request_helper.rb +1 -1
data/spec/support/helpers/model_helper.rb +9 -4
data/spec/support/helpers/request_spec_helper.rb +7 -3
data/spec/support/helpers/url_helper.rb +8 -8
data/spec/support/shared/controllers_shared_context.rb +2 -6
data/spec/support/shared/models_shared_examples.rb +4 -4
data/spec/validators/redirect_uri_validator_spec.rb +51 -6
data/spec/version/version_spec.rb +15 -0
metadata +42 -13

data/lib/doorkeeper/helpers/controller.rb CHANGED

@@ -5,11 +5,13 @@ module Doorkeeper
     module Controller
       private
-      def authenticate_resource_owner! # :doc:
+      # :doc:
+      def authenticate_resource_owner!
         current_resource_owner
       end
-      def current_resource_owner # :doc:
+      # :doc:
+      def current_resource_owner
         instance_eval(&Doorkeeper.configuration.authenticate_resource_owner)
       end
@@ -17,7 +19,8 @@ module Doorkeeper
         instance_eval(&Doorkeeper.configuration.resource_owner_from_credentials)
       end
-      def authenticate_admin! # :doc:
+      # :doc:
+      def authenticate_admin!
         instance_eval(&Doorkeeper.configuration.authenticate_admin)
       end
@@ -25,7 +28,8 @@ module Doorkeeper
         @server ||= Server.new(self)
       end
-      def doorkeeper_token # :doc:
+      # :doc:
+      def doorkeeper_token
         @token ||= OAuth::Token.authenticate request, *config_methods
       end

data/lib/doorkeeper/models/access_token_mixin.rb CHANGED

@@ -68,11 +68,11 @@ module Doorkeeper
       # @param resource_owner [ActiveRecord::Base]
       #   instance of the Resource Owner model
       #
-      def revoke_all_for(application_id, resource_owner)
+      def revoke_all_for(application_id, resource_owner, clock = Time)
         where(application_id: application_id,
               resource_owner_id: resource_owner.id,
               revoked_at: nil).
-          each(&:revoke)
+          update_all(revoked_at: clock.now.utc)
       end
       # Looking for not expired Access Token with a matching set of scopes
@@ -168,7 +168,7 @@ module Doorkeeper
       #   nil if nothing was found
       #
       def last_authorized_token_for(application_id, resource_owner_id)
-        send(order_method, created_at_desc).
+        ordered_by(:created_at, :desc).
           find_by(application_id: application_id,
                   resource_owner_id: resource_owner_id,
                   revoked_at: nil)
@@ -247,7 +247,11 @@ module Doorkeeper
     def generate_token
       self.created_at ||= Time.now.utc
-      generator = Doorkeeper.configuration.access_token_generator.constantize
+      generator = token_generator
+      unless generator.respond_to?(:generate)
+        raise Errors::UnableToGenerateToken, "#{generator} does not respond to `.generate`."
+      end
       self.token = generator.generate(
         resource_owner_id: resource_owner_id,
         scopes: scopes,
@@ -255,10 +259,13 @@ module Doorkeeper
         expires_in: expires_in,
         created_at: created_at
       )
-    rescue NoMethodError
-      raise Errors::UnableToGenerateToken, "#{generator} does not respond to `.generate`."
+    end
+    def token_generator
+      generator_name = Doorkeeper.configuration.access_token_generator
+      generator_name.constantize
     rescue NameError
-      raise Errors::TokenGeneratorNotFound, "#{generator} not found"
+      raise Errors::TokenGeneratorNotFound, "#{generator_name} not found"
     end
   end
 end

data/lib/doorkeeper/models/application_mixin.rb CHANGED

@@ -43,6 +43,15 @@ module Doorkeeper
       end
     end
+    # Set an application's valid redirect URIs.
+    #
+    # @param uris [String, Array] Newline-separated string or array the URI(s)
+    #
+    # @return [String] The redirect URI(s) seperated by newlines.
+    def redirect_uri=(uris)
+      super(uris.is_a?(Array) ? uris.join("\n") : uris)
+    end
     private
     def has_scopes?
@@ -51,15 +60,11 @@ module Doorkeeper
     end
     def generate_uid
-      if uid.blank?
-        self.uid = UniqueToken.generate
-      end
+      self.uid = UniqueToken.generate if uid.blank?
     end
     def generate_secret
-      if secret.blank?
-        self.secret = UniqueToken.generate
-      end
+      self.secret = UniqueToken.generate if secret.blank?
     end
   end
 end

data/lib/doorkeeper/models/concerns/expirable.rb CHANGED

@@ -6,7 +6,7 @@ module Doorkeeper
       #
       # @return [Boolean] true if object expired and false in other case
       def expired?
-        expires_in && Time.now.utc > expired_time
+        expires_in && Time.now.utc > expires_at
       end
       # Calculates expiration time in seconds.
@@ -15,14 +15,16 @@ module Doorkeeper
       #   or nil if object never expires.
       def expires_in_seconds
         return nil if expires_in.nil?
-        expires = (created_at + expires_in.seconds) - Time.now.utc
+        expires = expires_at - Time.now.utc
         expires_sec = expires.seconds.round(0)
         expires_sec > 0 ? expires_sec : 0
       end
-      private
-      def expired_time
+      # Expiration time (date time of creation + TTL).
+      #
+      # @return [Time] expiration time in UTC
+      #
+      def expires_at
         created_at + expires_in.seconds
       end
     end

data/lib/doorkeeper/oauth/authorization/token.rb CHANGED

@@ -4,19 +4,33 @@ module Doorkeeper
       class Token
         attr_accessor :pre_auth, :resource_owner, :token
+        class << self
+          def access_token_expires_in(server, pre_auth_or_oauth_client)
+            if (expiration = custom_expiration(server, pre_auth_or_oauth_client))
+              expiration
+            else
+              server.access_token_expires_in
+            end
+          end
+          private
+          def custom_expiration(server, pre_auth_or_oauth_client)
+            oauth_client = if pre_auth_or_oauth_client.respond_to?(:client)
+                             pre_auth_or_oauth_client.client
+                           else
+                             pre_auth_or_oauth_client
+                           end
+            server.custom_access_token_expires_in.call(oauth_client)
+          end
+        end
         def initialize(pre_auth, resource_owner)
           @pre_auth       = pre_auth
           @resource_owner = resource_owner
         end
-        def self.access_token_expires_in(server, pre_auth_or_oauth_client)
-          if expiration = custom_expiration(server, pre_auth_or_oauth_client)
-            expiration
-          else
-            server.access_token_expires_in
-          end
-        end
         def issue_token
           @token ||= AccessToken.find_or_create_for(
             pre_auth.client,
@@ -37,16 +51,6 @@ module Doorkeeper
         private
-        def self.custom_expiration(server, pre_auth_or_oauth_client)
-          oauth_client = if pre_auth_or_oauth_client.respond_to?(:client)
-                           pre_auth_or_oauth_client.client
-                         else
-                           pre_auth_or_oauth_client
-                         end
-          server.custom_access_token_expires_in.call(oauth_client)
-        end
         def configuration
           Doorkeeper.configuration
         end

data/lib/doorkeeper/oauth/authorization_code_request.rb CHANGED

@@ -4,6 +4,7 @@ module Doorkeeper
       validate :attributes,   error: :invalid_request
       validate :client,       error: :invalid_client
       validate :grant,        error: :invalid_grant
+      # @see https://tools.ietf.org/html/rfc6749#section-5.2
       validate :redirect_uri, error: :invalid_grant
       attr_accessor :server, :grant, :client, :redirect_uri, :access_token
@@ -28,6 +29,7 @@ module Doorkeeper
                                       grant.scopes,
                                       server)
         end
+        super
       end
       def validate_attributes
@@ -44,7 +46,10 @@ module Doorkeeper
       end
       def validate_redirect_uri
-        grant.redirect_uri == redirect_uri
+        Helpers::URIChecker.valid_for_authorization?(
+          redirect_uri,
+          grant.redirect_uri
+        )
       end
     end
   end

data/lib/doorkeeper/oauth/base_request.rb CHANGED

@@ -5,6 +5,7 @@ module Doorkeeper
       def authorize
         validate
         if valid?
           before_successful_response
           @response = TokenResponse.new(access_token)
@@ -37,14 +38,13 @@ module Doorkeeper
           resource_owner_id,
           scopes,
           Authorization::Token.access_token_expires_in(server, client),
-          server.refresh_token_enabled?)
+          server.refresh_token_enabled?
+        )
       end
-      def before_successful_response
-      end
+      def before_successful_response; end
-      def after_successful_response
-      end
+      def after_successful_response; end
     end
   end
 end

data/lib/doorkeeper/oauth/client.rb CHANGED

@@ -12,7 +12,7 @@ module Doorkeeper
       end
       def self.find(uid, method = Application.method(:by_uid))
-        if application = method.call(uid)
+        if (application = method.call(uid))
           new(application)
         end
       end
@@ -20,7 +20,7 @@ module Doorkeeper
       def self.authenticate(credentials, method = Application.method(:by_uid_and_secret))
         return false if credentials.blank?
-        if application = method.call(credentials.uid, credentials.secret)
+        if (application = method.call(credentials.uid, credentials.secret))
           new(application)
         end
       end

data/lib/doorkeeper/oauth/client/credentials.rb CHANGED

@@ -1,7 +1,7 @@
 module Doorkeeper
   module OAuth
     class Client
-      class Credentials < Struct.new(:uid, :secret)
+      Credentials = Struct.new(:uid, :secret) do
         class << self
           def from_request(request, *credentials_methods)
             credentials_methods.inject(nil) do |credentials, method|
@@ -18,7 +18,7 @@ module Doorkeeper
           def from_basic(request)
             authorization = request.authorization
             if authorization.present? && authorization =~ /^Basic (.*)/m
-              Base64.decode64($1).split(/:/, 2)
+              Base64.decode64(Regexp.last_match(1)).split(/:/, 2)
             end
           end
         end

data/lib/doorkeeper/oauth/error.rb CHANGED

@@ -1,10 +1,10 @@
 module Doorkeeper
   module OAuth
-    class Error < Struct.new(:name, :state)
+    Error = Struct.new(:name, :state) do
       def description
         I18n.translate(
           name,
-          scope: [:doorkeeper, :errors, :messages],
+          scope: %i[doorkeeper errors messages],
           default: :server_error
         )
       end

data/lib/doorkeeper/oauth/error_response.rb CHANGED

@@ -4,8 +4,7 @@ module Doorkeeper
       include OAuth::Helpers
       def self.from_request(request, attributes = {})
-        state = request.state if request.respond_to?(:state)
-        new(attributes.merge(name: request.error, state: state))
+        new(attributes.merge(name: request.error, state: request.try(:state)))
       end
       delegate :name, :description, :state, to: :@error

data/lib/doorkeeper/oauth/forbidden_token_response.rb CHANGED

@@ -21,7 +21,7 @@ module Doorkeeper
       end
       def description
-        scope = { scope: [:doorkeeper, :scopes] }
+        scope = { scope: %i[doorkeeper scopes] }
         @description ||= @scopes.map { |r| I18n.translate r, scope }.join('\n')
       end
     end

data/lib/doorkeeper/oauth/invalid_token_response.rb CHANGED

@@ -4,10 +4,9 @@ module Doorkeeper
       attr_reader :reason
       def self.from_access_token(access_token, attributes = {})
-        reason = case
-                 when access_token.try(:revoked?)
+        reason = if access_token.try(:revoked?)
                    :revoked
-                 when access_token.try(:expired?)
+                 elsif access_token.try(:expired?)
                    :expired
                  else
                    :unknown

data/lib/doorkeeper/oauth/password_access_token_request.rb CHANGED

@@ -22,6 +22,7 @@ module Doorkeeper
       def before_successful_response
         find_or_create_access_token(client, resource_owner.id, scopes, server)
+        super
       end
       def validate_scopes

data/lib/doorkeeper/oauth/refresh_token_request.rb CHANGED

@@ -35,6 +35,7 @@ module Doorkeeper
           refresh_token.revoke unless refresh_token_revoked_on_use?
           create_access_token
         end
+        super
       end
       def refresh_token_revoked_on_use?

data/lib/doorkeeper/oauth/scopes.rb CHANGED

@@ -45,20 +45,30 @@ module Doorkeeper
       end
       def +(other)
-        if other.is_a? Scopes
-          self.class.from_array(all + other.all)
-        else
-          super(other)
-        end
+        self.class.from_array(all + to_array(other))
       end
       def <=>(other)
-        map(&:to_s).sort <=> other.map(&:to_s).sort
+        if other.respond_to?(:map)
+          map(&:to_s).sort <=> other.map(&:to_s).sort
+        else
+          super
+        end
       end
       def &(other)
-        other_array = other.present? ? other.all : []
-        self.class.from_array(all & other_array)
+        self.class.from_array(all & to_array(other))
+      end
+      private
+      def to_array(other)
+        case other
+        when Scopes
+          other.all
+        else
+          other.to_a
+        end
       end
     end
   end

data/lib/doorkeeper/oauth/token.rb CHANGED

@@ -11,7 +11,7 @@ module Doorkeeper
         end
         def authenticate(request, *methods)
-          if token = from_request(request, *methods)
+          if (token = from_request(request, *methods))
             access_token = AccessToken.by_token(token)
             access_token.revoke_previous_refresh_token! if access_token
             access_token

data/lib/doorkeeper/oauth/token_introspection.rb ADDED

@@ -0,0 +1,128 @@
+module Doorkeeper
+  module OAuth
+    # RFC7662 OAuth 2.0 Token Introspection
+    #
+    # @see https://tools.ietf.org/html/rfc7662
+    class TokenIntrospection
+      attr_reader :server, :token
+      attr_reader :error
+      def initialize(server, token)
+        @server = server
+        @token = token
+        authorize!
+      end
+      def authorized?
+        @error.blank?
+      end
+      def to_json
+        active? ? success_response : failure_response
+      end
+      private
+      # If the protected resource uses OAuth 2.0 client credentials to
+      # authenticate to the introspection endpoint and its credentials are
+      # invalid, the authorization server responds with an HTTP 401
+      # (Unauthorized) as described in Section 5.2 of OAuth 2.0 [RFC6749].
+      #
+      # Endpoint must first validate the authentication.
+      # If the authentication is invalid, the endpoint should respond with
+      # an HTTP 401 status code and an invalid_client response.
+      #
+      # @see https://www.oauth.com/oauth2-servers/token-introspection-endpoint/
+      #
+      def authorize!
+        # Requested client authorization
+        if server.credentials
+          @error = :invalid_client unless authorized_client
+        else
+          # Requested bearer token authorization
+          @error = :invalid_request unless authorized_token
+        end
+      end
+      # Client Authentication
+      def authorized_client
+        @_authorized_client ||= server.credentials && server.client
+      end
+      # Bearer Token Authentication
+      def authorized_token
+        @_authorized_token ||=
+          OAuth::Token.authenticate(server.context.request, :from_bearer_authorization)
+      end
+      # 2.2. Introspection Response
+      def success_response
+        {
+          active: true,
+          scope: @token.scopes_string,
+          client_id: @token.try(:application).try(:uid),
+          token_type: @token.token_type,
+          exp: @token.expires_at.to_i,
+          iat: @token.created_at.to_i
+        }
+      end
+      # If the introspection call is properly authorized but the token is not
+      # active, does not exist on this server, or the protected resource is
+      # not allowed to introspect this particular token, then the
+      # authorization server MUST return an introspection response with the
+      # "active" field set to "false".  Note that to avoid disclosing too
+      # much of the authorization server's state to a third party, the
+      # authorization server SHOULD NOT include any additional information
+      # about an inactive token, including why the token is inactive.
+      #
+      # @see https://tools.ietf.org/html/rfc7662 2.2. Introspection Response
+      #
+      def failure_response
+        {
+          active: false
+        }
+      end
+      # Boolean indicator of whether or not the presented token
+      # is currently active.  The specifics of a token's "active" state
+      # will vary depending on the implementation of the authorization
+      # server and the information it keeps about its tokens, but a "true"
+      # value return for the "active" property will generally indicate
+      # that a given token has been issued by this authorization server,
+      # has not been revoked by the resource owner, and is within its
+      # given time window of validity (e.g., after its issuance time and
+      # before its expiration time).
+      #
+      # Any other error is considered an "inactive" token.
+      #
+      # * The token requested does not exist or is invalid
+      # * The token expired
+      # * The token was issued to a different client than is making this request
+      #
+      def active?
+        if authorized_client
+          valid_token? && authorized_for_client?
+        else
+          valid_token?
+        end
+      end
+      # Token can be valid only if it is not expired or revoked.
+      def valid_token?
+        @token.present? && @token.accessible?
+      end
+      # If token doesn't belong to some client, then it is public.
+      # Otherwise in it required for token to be connected to the same client.
+      def authorized_for_client?
+        if @token.application.present?
+          @token.application == authorized_client.application
+        else
+          true
+        end
+      end
+    end
+  end
+end