RubyGems - doorkeeper - Versions diffs - 4.2.6 → 4.3.0 - Mend

doorkeeper 4.2.6 → 4.3.0

Potentially problematic release.

This version of doorkeeper might be problematic. Click here for more details.

Files changed (120) hide show

checksums.yaml +4 -4
data/.github/ISSUE_TEMPLATE.md +19 -0
data/.github/PULL_REQUEST_TEMPLATE.md +17 -0
data/.gitignore +1 -1
data/.hound.yml +2 -13
data/.rubocop.yml +13 -0
data/.travis.yml +13 -5
data/Appraisals +6 -2
data/CODE_OF_CONDUCT.md +46 -0
data/Gemfile +1 -1
data/NEWS.md +24 -0
data/README.md +39 -9
data/SECURITY.md +13 -0
data/app/controllers/doorkeeper/application_controller.rb +1 -5
data/app/controllers/doorkeeper/applications_controller.rb +14 -1
data/app/controllers/doorkeeper/tokens_controller.rb +13 -1
data/app/helpers/doorkeeper/dashboard_helper.rb +4 -2
data/app/validators/redirect_uri_validator.rb +12 -2
data/app/views/doorkeeper/applications/_form.html.erb +1 -1
data/app/views/doorkeeper/authorized_applications/index.html.erb +0 -1
data/config/locales/en.yml +3 -5
data/doorkeeper.gemspec +4 -3
data/gemfiles/rails_4_2.gemfile +6 -4
data/gemfiles/rails_5_0.gemfile +4 -4
data/gemfiles/rails_5_1.gemfile +6 -7
data/gemfiles/rails_5_2.gemfile +12 -0
data/gemfiles/rails_master.gemfile +14 -0
data/lib/doorkeeper.rb +1 -0
data/lib/doorkeeper/config.rb +55 -55
data/lib/doorkeeper/engine.rb +3 -3
data/lib/doorkeeper/grape/helpers.rb +13 -8
data/lib/doorkeeper/helpers/controller.rb +8 -4
data/lib/doorkeeper/models/access_token_mixin.rb +14 -7
data/lib/doorkeeper/models/application_mixin.rb +11 -6
data/lib/doorkeeper/models/concerns/expirable.rb +7 -5
data/lib/doorkeeper/oauth/authorization/token.rb +22 -18
data/lib/doorkeeper/oauth/authorization_code_request.rb +6 -1
data/lib/doorkeeper/oauth/base_request.rb +5 -5
data/lib/doorkeeper/oauth/client.rb +2 -2
data/lib/doorkeeper/oauth/client/credentials.rb +2 -2
data/lib/doorkeeper/oauth/error.rb +2 -2
data/lib/doorkeeper/oauth/error_response.rb +1 -2
data/lib/doorkeeper/oauth/forbidden_token_response.rb +1 -1
data/lib/doorkeeper/oauth/invalid_token_response.rb +2 -3
data/lib/doorkeeper/oauth/password_access_token_request.rb +1 -0
data/lib/doorkeeper/oauth/refresh_token_request.rb +1 -0
data/lib/doorkeeper/oauth/scopes.rb +18 -8
data/lib/doorkeeper/oauth/token.rb +1 -1
data/lib/doorkeeper/oauth/token_introspection.rb +128 -0
data/lib/doorkeeper/orm/active_record.rb +20 -8
data/lib/doorkeeper/orm/active_record/access_grant.rb +1 -1
data/lib/doorkeeper/orm/active_record/access_token.rb +1 -23
data/lib/doorkeeper/orm/active_record/application.rb +1 -1
data/lib/doorkeeper/orm/active_record/base_record.rb +11 -0
data/lib/doorkeeper/rails/helpers.rb +5 -6
data/lib/doorkeeper/rails/routes.rb +9 -7
data/lib/doorkeeper/request.rb +7 -1
data/lib/doorkeeper/validations.rb +3 -2
data/lib/doorkeeper/version.rb +13 -1
data/lib/generators/doorkeeper/application_owner_generator.rb +11 -2
data/lib/generators/doorkeeper/migration_generator.rb +13 -1
data/lib/generators/doorkeeper/previous_refresh_token_generator.rb +7 -1
data/lib/generators/doorkeeper/templates/{add_owner_to_application_migration.rb → add_owner_to_application_migration.rb.erb} +1 -1
data/lib/generators/doorkeeper/templates/{add_previous_refresh_token_to_access_tokens.rb → add_previous_refresh_token_to_access_tokens.rb.erb} +1 -1
data/lib/generators/doorkeeper/templates/initializer.rb +19 -3
data/lib/generators/doorkeeper/templates/{migration.rb → migration.rb.erb} +1 -1
data/spec/controllers/applications_controller_spec.rb +15 -4
data/spec/controllers/authorizations_controller_spec.rb +5 -5
data/spec/controllers/protected_resources_controller_spec.rb +28 -19
data/spec/controllers/token_info_controller_spec.rb +17 -13
data/spec/controllers/tokens_controller_spec.rb +138 -4
data/spec/dummy/config/initializers/doorkeeper.rb +1 -1
data/spec/dummy/config/initializers/{active_record_belongs_to_required_by_default.rb → new_framework_defaults.rb} +1 -1
data/spec/dummy/config/initializers/secret_token.rb +0 -1
data/spec/factories.rb +1 -1
data/spec/generators/application_owner_generator_spec.rb +24 -5
data/spec/generators/migration_generator_spec.rb +24 -3
data/spec/generators/previous_refresh_token_generator_spec.rb +57 -0
data/spec/grape/grape_integration_spec.rb +135 -0
data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +1 -1
data/spec/lib/config_spec.rb +115 -12
data/spec/lib/models/revocable_spec.rb +2 -2
data/spec/lib/oauth/authorization_code_request_spec.rb +39 -11
data/spec/lib/oauth/base_request_spec.rb +2 -7
data/spec/lib/oauth/client_credentials/creator_spec.rb +1 -1
data/spec/lib/oauth/client_credentials_integration_spec.rb +1 -1
data/spec/lib/oauth/client_credentials_request_spec.rb +1 -0
data/spec/lib/oauth/code_request_spec.rb +1 -3
data/spec/lib/oauth/helpers/uri_checker_spec.rb +5 -0
data/spec/lib/oauth/invalid_token_response_spec.rb +1 -1
data/spec/lib/oauth/password_access_token_request_spec.rb +9 -3
data/spec/lib/oauth/refresh_token_request_spec.rb +19 -7
data/spec/lib/oauth/scopes_spec.rb +28 -1
data/spec/lib/oauth/token_request_spec.rb +6 -8
data/spec/lib/server_spec.rb +10 -0
data/spec/models/doorkeeper/access_grant_spec.rb +1 -1
data/spec/models/doorkeeper/access_token_spec.rb +72 -48
data/spec/models/doorkeeper/application_spec.rb +51 -18
data/spec/requests/applications/applications_request_spec.rb +5 -5
data/spec/requests/endpoints/token_spec.rb +8 -1
data/spec/requests/flows/authorization_code_spec.rb +1 -0
data/spec/requests/flows/client_credentials_spec.rb +1 -1
data/spec/requests/flows/implicit_grant_errors_spec.rb +2 -2
data/spec/requests/flows/refresh_token_spec.rb +4 -4
data/spec/requests/flows/revoke_token_spec.rb +15 -15
data/spec/requests/protected_resources/metal_spec.rb +1 -1
data/spec/requests/protected_resources/private_api_spec.rb +1 -1
data/spec/routing/custom_controller_routes_spec.rb +4 -0
data/spec/routing/default_routes_spec.rb +5 -1
data/spec/spec_helper_integration.rb +15 -4
data/spec/support/dependencies/factory_girl.rb +2 -2
data/spec/support/helpers/access_token_request_helper.rb +1 -1
data/spec/support/helpers/model_helper.rb +9 -4
data/spec/support/helpers/request_spec_helper.rb +7 -3
data/spec/support/helpers/url_helper.rb +8 -8
data/spec/support/shared/controllers_shared_context.rb +2 -6
data/spec/support/shared/models_shared_examples.rb +4 -4
data/spec/validators/redirect_uri_validator_spec.rb +51 -6
data/spec/version/version_spec.rb +15 -0
metadata +42 -13

data/spec/controllers/authorizations_controller_spec.rb CHANGED

@@ -3,7 +3,7 @@ require 'spec_helper_integration'
 describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
   include AuthorizationRequestHelper
-  if Rails::VERSION::MAJOR == 5
+  if Rails::VERSION::MAJOR >= 5
     class ActionDispatch::TestResponse
       def query_params
         @_query_params ||= begin
@@ -27,9 +27,9 @@ describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
     I18n.translate key, scope: [:doorkeeper, :errors, :messages]
   end
-  let(:client)        { FactoryGirl.create :application }
+  let(:client)        { FactoryBot.create :application }
   let(:user)          { User.create!(name: 'Joe', password: 'sekret') }
-  let(:access_token)  { FactoryGirl.build :access_token, resource_owner_id: user.id, application_id: client.id }
+  let(:access_token)  { FactoryBot.build :access_token, resource_owner_id: user.id, application_id: client.id }
   before do
     allow(Doorkeeper.configuration).to receive(:grant_flows).and_return(["implicit"])
@@ -144,7 +144,7 @@ describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
   describe 'GET #new code request with native url and skip_authorization true' do
     before do
       allow(Doorkeeper.configuration).to receive(:grant_flows).
-        and_return(%w(authorization_code))
+        and_return(%w[authorization_code])
       allow(Doorkeeper.configuration).to receive(:skip_authorization).and_return(proc do
         true
       end)
@@ -154,7 +154,7 @@ describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
     it 'should redirect immediately' do
       expect(response).to be_redirect
-      expect(response.location).to match(/oauth\/authorize\//)
+      expect(response.location).to match(/oauth\/authorize\/native\?code=#{Doorkeeper::AccessGrant.first.token}/)
     end
     it 'should issue a grant' do

data/spec/controllers/protected_resources_controller_spec.rb CHANGED

@@ -9,11 +9,9 @@ module ControllerActions
     render plain: 'show'
   end
-  def doorkeeper_unauthorized_render_options(*)
-  end
+  def doorkeeper_unauthorized_render_options(*); end
-  def doorkeeper_forbidden_render_options(*)
-  end
+  def doorkeeper_forbidden_render_options(*); end
 end
 describe 'doorkeeper authorize filter' do
@@ -74,12 +72,12 @@ describe 'doorkeeper authorize filter' do
     context 'with valid token', token: :valid do
       it 'allows into index action' do
         get :index, access_token: token_string
-        expect(response).to be_success
+        expect(response).to be_successful
       end
       it 'allows into show action' do
         get :show, id: '4', access_token: token_string
-        expect(response).to be_success
+        expect(response).to be_successful
       end
     end
@@ -109,15 +107,16 @@ describe 'doorkeeper authorize filter' do
     it 'allows if the token has particular scopes' do
       token = double(Doorkeeper::AccessToken,
-                     accessible?: true, scopes: %w(write public),
+                     accessible?: true, scopes: %w[write public],
                      previous_refresh_token: "",
                      revoke_previous_refresh_token!: true)
       expect(token).to receive(:acceptable?).with([:write]).and_return(true)
       expect(
         Doorkeeper::AccessToken
       ).to receive(:by_token).with(token_string).and_return(token)
       get :index, access_token: token_string
-      expect(response).to be_success
+      expect(response).to be_successful
     end
     it 'does not allow if the token does not include given scope' do
@@ -129,6 +128,7 @@ describe 'doorkeeper authorize filter' do
         Doorkeeper::AccessToken
       ).to receive(:by_token).with(token_string).and_return(token)
       expect(token).to receive(:acceptable?).with([:write]).and_return(false)
       get :index, access_token: token_string
       expect(response.status).to eq 403
       expect(response.header).to_not include('WWW-Authenticate')
@@ -146,14 +146,17 @@ describe 'doorkeeper authorize filter' do
       before do
         module ControllerActions
           remove_method :doorkeeper_unauthorized_render_options
           def doorkeeper_unauthorized_render_options(error: nil)
             { json: ActiveSupport::JSON.encode(error_message: error.description) }
           end
         end
       end
       after do
         module ControllerActions
           remove_method :doorkeeper_unauthorized_render_options
           def doorkeeper_unauthorized_render_options(error: nil)
           end
         end
@@ -164,9 +167,9 @@ describe 'doorkeeper authorize filter' do
         expect(response.status).to eq 401
         expect(response.content_type).to eq('application/json')
         expect(response.header['WWW-Authenticate']).to match(/^Bearer/)
-        parsed_body = JSON.parse(response.body)
-        expect(parsed_body).not_to be_nil
-        expect(parsed_body['error_message']).to match('token is invalid')
+        expect(json_response).not_to be_nil
+        expect(json_response['error_message']).to match('token is invalid')
       end
     end
@@ -174,16 +177,18 @@ describe 'doorkeeper authorize filter' do
       before do
         module ControllerActions
           remove_method :doorkeeper_unauthorized_render_options
-          def doorkeeper_unauthorized_render_options(error: nil)
+          def doorkeeper_unauthorized_render_options(**)
             { plain: 'Unauthorized' }
           end
         end
       end
       after do
         module ControllerActions
           remove_method :doorkeeper_unauthorized_render_options
-          def doorkeeper_unauthorized_render_options(error: nil)
-          end
+          def doorkeeper_unauthorized_render_options(error: nil); end
         end
       end
@@ -206,8 +211,8 @@ describe 'doorkeeper authorize filter' do
     after do
       module ControllerActions
         remove_method :doorkeeper_forbidden_render_options
-        def doorkeeper_forbidden_render_options(*)
-        end
+        def doorkeeper_forbidden_render_options(*); end
       end
     end
@@ -223,12 +228,14 @@ describe 'doorkeeper authorize filter' do
              expired?: false, previous_refresh_token: "",
              revoke_previous_refresh_token!: true)
     end
     let(:token_string) { '1A2DUWE' }
     context 'with a JSON custom render' do
       before do
         module ControllerActions
           remove_method :doorkeeper_forbidden_render_options
           def doorkeeper_forbidden_render_options(*)
             { json: { error_message: 'Forbidden' } }
           end
@@ -240,9 +247,9 @@ describe 'doorkeeper authorize filter' do
         expect(response.header).to_not include('WWW-Authenticate')
         expect(response.content_type).to eq('application/json')
         expect(response.status).to eq 403
-        parsed_body = JSON.parse(response.body)
-        expect(parsed_body).not_to be_nil
-        expect(parsed_body['error_message']).to match('Forbidden')
+        expect(json_response).not_to be_nil
+        expect(json_response['error_message']).to match('Forbidden')
       end
     end
@@ -267,6 +274,7 @@ describe 'doorkeeper authorize filter' do
       before do
         module ControllerActions
           remove_method :doorkeeper_forbidden_render_options
           def doorkeeper_forbidden_render_options(*)
             { plain: 'Forbidden' }
           end
@@ -285,6 +293,7 @@ describe 'doorkeeper authorize filter' do
       before do
         module ControllerActions
           remove_method :doorkeeper_forbidden_render_options
           def doorkeeper_forbidden_render_options(*)
             { respond_not_found_when_forbidden: true, plain: 'Not Found' }
           end

data/spec/controllers/token_info_controller_spec.rb CHANGED

@@ -1,26 +1,23 @@
 require 'spec_helper_integration'
 describe Doorkeeper::TokenInfoController do
-  describe 'when requesting tokeninfo with valid token' do
-    let(:doorkeeper_token) { FactoryGirl.create(:access_token) }
+  describe 'when requesting token info with valid token' do
+    let(:doorkeeper_token) { FactoryBot.create(:access_token) }
     before(:each) do
       allow(controller).to receive(:doorkeeper_token) { doorkeeper_token }
     end
-    def do_get
-      get :show
-    end
     describe 'successful request' do
       it 'responds with tokeninfo' do
-        do_get
+        get :show
         expect(response.body).to eq(doorkeeper_token.to_json)
       end
       it 'responds with a 200 status' do
-        do_get
+        get :show
         expect(response.status).to eq 200
       end
     end
@@ -29,8 +26,10 @@ describe Doorkeeper::TokenInfoController do
       before(:each) do
         allow(controller).to receive(:doorkeeper_token).and_return(nil)
       end
       it 'responds with 401 when doorkeeper_token is not valid' do
-        do_get
+        get :show
         expect(response.status).to eq 401
         expect(response.headers['WWW-Authenticate']).to match(/^Bearer/)
       end
@@ -38,14 +37,19 @@ describe Doorkeeper::TokenInfoController do
       it 'responds with 401 when doorkeeper_token is invalid, expired or revoked' do
         allow(controller).to receive(:doorkeeper_token).and_return(doorkeeper_token)
         allow(doorkeeper_token).to receive(:accessible?).and_return(false)
-        do_get
+        get :show
         expect(response.status).to eq 401
         expect(response.headers['WWW-Authenticate']).to match(/^Bearer/)
       end
       it 'responds body message for error' do
-        do_get
-        expect(response.body).to eq(Doorkeeper::OAuth::ErrorResponse.new(name: :invalid_request, status: :unauthorized).body.to_json)
+        get :show
+        expect(response.body).to eq(
+          Doorkeeper::OAuth::ErrorResponse.new(name: :invalid_request, status: :unauthorized).body.to_json
+        )
       end
     end
   end

data/spec/controllers/tokens_controller_spec.rb CHANGED

@@ -2,9 +2,7 @@ require 'spec_helper_integration'
 describe Doorkeeper::TokensController do
   describe 'when authorization has succeeded' do
-    let :token do
-      double(:token, authorize: true)
-    end
+    let(:token) { double(:token, authorize: true) }
     before do
       allow(controller).to receive(:token) { token }
@@ -57,7 +55,7 @@ describe Doorkeeper::TokensController do
       }
       expect(response.status).to eq 401
       expect(response.headers['WWW-Authenticate']).to match(/Bearer/)
-      expect(JSON.load(response.body)).to eq expected_response_body
+      expect(JSON.parse(response.body)).to eq expected_response_body
     end
   end
@@ -85,4 +83,140 @@ describe Doorkeeper::TokensController do
       post :create
     end
   end
+  describe 'when requested token introspection' do
+    context 'authorized using Bearer token' do
+      let(:client) { FactoryBot.create(:application) }
+      let(:access_token) { FactoryBot.create(:access_token, application: client) }
+      it 'responds with full token introspection' do
+        request.headers['Authorization'] = "Bearer #{access_token.token}"
+        post :introspect, token: access_token.token
+        should_have_json 'active', true
+        expect(json_response).to include('client_id', 'token_type', 'exp', 'iat')
+      end
+    end
+    context 'authorized using Client Authentication' do
+      let(:client) { FactoryBot.create(:application) }
+      let(:access_token) { FactoryBot.create(:access_token, application: client) }
+      it 'responds with full token introspection' do
+        request.headers['Authorization'] = basic_auth_header_for_client(client)
+        post :introspect, token: access_token.token
+        should_have_json 'active', true
+        expect(json_response).to include('client_id', 'token_type', 'exp', 'iat')
+        should_have_json 'client_id', client.uid
+      end
+    end
+    context 'public access token' do
+      let(:client) { FactoryBot.create(:application) }
+      let(:access_token) { FactoryBot.create(:access_token, application: nil) }
+      it 'responds with full token introspection' do
+        request.headers['Authorization'] = basic_auth_header_for_client(client)
+        post :introspect, token: access_token.token
+        should_have_json 'active', true
+        expect(json_response).to include('client_id', 'token_type', 'exp', 'iat')
+        should_have_json 'client_id', nil
+      end
+    end
+    context 'token was issued to a different client than is making this request' do
+      let(:client) { FactoryBot.create(:application) }
+      let(:different_client) { FactoryBot.create(:application) }
+      let(:access_token) { FactoryBot.create(:access_token, application: client) }
+      it 'responds with only active state' do
+        request.headers['Authorization'] = basic_auth_header_for_client(different_client)
+        post :introspect, token: access_token.token
+        expect(response).to be_successful
+        should_have_json 'active', false
+        expect(json_response).not_to include('client_id', 'token_type', 'exp', 'iat')
+      end
+    end
+    context 'using invalid credentials to authorize' do
+      let(:client) { double(uid: '123123', secret: '666999') }
+      let(:access_token) { FactoryBot.create(:access_token) }
+      it 'responds with invalid_client error' do
+        request.headers['Authorization'] = basic_auth_header_for_client(client)
+        post :introspect, token: access_token.token
+        expect(response).not_to be_successful
+        response_status_should_be 401
+        should_not_have_json 'active'
+        should_have_json 'error', 'invalid_client'
+      end
+    end
+    context 'using wrong token value' do
+      let(:client) { FactoryBot.create(:application) }
+      let(:access_token) { FactoryBot.create(:access_token, application: client) }
+      it 'responds with only active state' do
+        request.headers['Authorization'] = basic_auth_header_for_client(client)
+        post :introspect, token: SecureRandom.hex(16)
+        should_have_json 'active', false
+        expect(json_response).not_to include('client_id', 'token_type', 'exp', 'iat')
+      end
+    end
+    context 'when requested Access Token expired' do
+      let(:client) { FactoryBot.create(:application) }
+      let(:access_token) { FactoryBot.create(:access_token, application: client, created_at: 1.year.ago) }
+      it 'responds with only active state' do
+        request.headers['Authorization'] = basic_auth_header_for_client(client)
+        post :introspect, token: access_token.token
+        should_have_json 'active', false
+        expect(json_response).not_to include('client_id', 'token_type', 'exp', 'iat')
+      end
+    end
+    context 'when requested Access Token revoked' do
+      let(:client) { FactoryBot.create(:application) }
+      let(:access_token) { FactoryBot.create(:access_token, application: client, revoked_at: 1.year.ago) }
+      it 'responds with only active state' do
+        request.headers['Authorization'] = basic_auth_header_for_client(client)
+        post :introspect, token: access_token.token
+        should_have_json 'active', false
+        expect(json_response).not_to include('client_id', 'token_type', 'exp', 'iat')
+      end
+    end
+    context 'unauthorized (no bearer token or client credentials)' do
+      let(:access_token) { FactoryBot.create(:access_token) }
+      it 'responds with invalid_request error' do
+        post :introspect, token: access_token.token
+        expect(response).not_to be_successful
+        response_status_should_be 401
+        should_not_have_json 'active'
+        should_have_json 'error', 'invalid_request'
+      end
+    end
+  end
 end

data/spec/dummy/config/initializers/doorkeeper.rb CHANGED

@@ -82,7 +82,7 @@ Doorkeeper.configure do
   #   http://tools.ietf.org/html/rfc6819#section-4.4.2
   #   http://tools.ietf.org/html/rfc6819#section-4.4.3
   #
-  # grant_flows %w(authorization_code client_credentials)
+  # grant_flows %w[authorization_code client_credentials]
   # Under some circumstances you might want to have applications auto-approved,
   # so that the user skips the authorization step.

data/spec/dummy/config/initializers/{active_record_belongs_to_required_by_default.rb → new_framework_defaults.rb} RENAMED

@@ -1,6 +1,6 @@
 # Require `belongs_to` associations by default. This is a new Rails 5.0
 # default, so it is introduced as a configuration option to ensure that apps
 # made on earlier versions of Rails are not affected when upgrading.
-if Rails.version.to_i >= 5
+if Rails::VERSION::MAJOR >= 5
   Rails.application.config.active_record.belongs_to_required_by_default = true
 end

data/spec/dummy/config/initializers/secret_token.rb CHANGED

@@ -5,5 +5,4 @@
 # Make sure the secret is at least 30 characters and all random,
 # no regular words or you'll be exposed to dictionary attacks.
 Dummy::Application.config.secret_key_base =
-  Dummy::Application.config.secret_token =
   'c00157b5a1bb6181792f0f4a8a080485de7bab9987e6cf159dc74c4f0573345c1bfa713b5d756e1491fc0b098567e8a619e2f8d268eda86a20a720d05d633780'

data/spec/factories.rb CHANGED

@@ -1,4 +1,4 @@
-FactoryGirl.define do
+FactoryBot.define do
   factory :access_grant, class: Doorkeeper::AccessGrant do
     sequence(:resource_owner_id) { |n| n }
     application