RubyGems - doorkeeper - Versions diffs - 4.2.6 → 5.0.0.rc1 - Mend

doorkeeper 4.2.6 → 5.0.0.rc1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (205) hide show

checksums.yaml +4 -4
data/.github/ISSUE_TEMPLATE.md +25 -0
data/.github/PULL_REQUEST_TEMPLATE.md +17 -0
data/.gitignore +2 -1
data/.hound.yml +2 -13
data/.rubocop.yml +17 -0
data/.travis.yml +19 -5
data/Appraisals +8 -4
data/CODE_OF_CONDUCT.md +46 -0
data/Gemfile +1 -1
data/NEWS.md +77 -0
data/README.md +169 -34
data/Rakefile +6 -0
data/SECURITY.md +15 -0
data/app/assets/stylesheets/doorkeeper/admin/application.css +2 -2
data/app/controllers/doorkeeper/application_controller.rb +2 -5
data/app/controllers/doorkeeper/application_metal_controller.rb +4 -0
data/app/controllers/doorkeeper/applications_controller.rb +47 -13
data/app/controllers/doorkeeper/authorizations_controller.rb +55 -12
data/app/controllers/doorkeeper/authorized_applications_controller.rb +15 -1
data/app/controllers/doorkeeper/tokens_controller.rb +15 -7
data/app/helpers/doorkeeper/dashboard_helper.rb +8 -6
data/app/validators/redirect_uri_validator.rb +13 -2
data/app/views/doorkeeper/applications/_delete_form.html.erb +3 -1
data/app/views/doorkeeper/applications/_form.html.erb +31 -19
data/app/views/doorkeeper/applications/edit.html.erb +1 -1
data/app/views/doorkeeper/applications/index.html.erb +18 -6
data/app/views/doorkeeper/applications/new.html.erb +1 -1
data/app/views/doorkeeper/applications/show.html.erb +8 -5
data/app/views/doorkeeper/authorizations/error.html.erb +1 -1
data/app/views/doorkeeper/authorizations/new.html.erb +4 -0
data/app/views/doorkeeper/authorized_applications/index.html.erb +0 -1
data/app/views/layouts/doorkeeper/admin.html.erb +15 -15
data/config/locales/en.yml +18 -6
data/doorkeeper.gemspec +6 -5
data/gemfiles/rails_4_2.gemfile +6 -4
data/gemfiles/rails_5_0.gemfile +4 -4
data/gemfiles/rails_5_1.gemfile +6 -7
data/gemfiles/rails_5_2.gemfile +12 -0
data/gemfiles/rails_master.gemfile +14 -0
data/lib/doorkeeper/config.rb +107 -68
data/lib/doorkeeper/engine.rb +7 -3
data/lib/doorkeeper/errors.rb +2 -5
data/lib/doorkeeper/grape/helpers.rb +14 -9
data/lib/doorkeeper/helpers/controller.rb +15 -6
data/lib/doorkeeper/models/access_grant_mixin.rb +52 -23
data/lib/doorkeeper/models/access_token_mixin.rb +51 -52
data/lib/doorkeeper/models/application_mixin.rb +16 -30
data/lib/doorkeeper/models/concerns/expirable.rb +7 -5
data/lib/doorkeeper/models/concerns/orderable.rb +13 -0
data/lib/doorkeeper/models/concerns/scopes.rb +1 -1
data/lib/doorkeeper/oauth/authorization/code.rb +31 -8
data/lib/doorkeeper/oauth/authorization/context.rb +15 -0
data/lib/doorkeeper/oauth/authorization/token.rb +41 -20
data/lib/doorkeeper/oauth/authorization_code_request.rb +33 -3
data/lib/doorkeeper/oauth/base_request.rb +22 -7
data/lib/doorkeeper/oauth/client/credentials.rb +6 -4
data/lib/doorkeeper/oauth/client.rb +2 -2
data/lib/doorkeeper/oauth/client_credentials/issuer.rb +6 -1
data/lib/doorkeeper/oauth/client_credentials/validation.rb +4 -2
data/lib/doorkeeper/oauth/error.rb +2 -2
data/lib/doorkeeper/oauth/error_response.rb +11 -4
data/lib/doorkeeper/oauth/forbidden_token_response.rb +1 -1
data/lib/doorkeeper/oauth/helpers/scope_checker.rb +0 -8
data/lib/doorkeeper/oauth/helpers/uri_checker.rb +15 -0
data/lib/doorkeeper/oauth/invalid_token_response.rb +3 -4
data/lib/doorkeeper/oauth/password_access_token_request.rb +8 -4
data/lib/doorkeeper/oauth/pre_authorization.rb +45 -13
data/lib/doorkeeper/oauth/refresh_token_request.rb +7 -1
data/lib/doorkeeper/oauth/scopes.rb +19 -9
data/lib/doorkeeper/oauth/token.rb +6 -3
data/lib/doorkeeper/oauth/token_introspection.rb +128 -0
data/lib/doorkeeper/oauth/token_response.rb +4 -2
data/lib/doorkeeper/oauth.rb +13 -0
data/lib/doorkeeper/orm/active_record/access_grant.rb +27 -0
data/lib/doorkeeper/orm/active_record/access_token.rb +21 -20
data/lib/doorkeeper/orm/active_record/application.rb +34 -0
data/lib/doorkeeper/orm/active_record/stale_records_cleaner.rb +26 -0
data/lib/doorkeeper/orm/active_record.rb +21 -8
data/lib/doorkeeper/rails/helpers.rb +7 -10
data/lib/doorkeeper/rails/routes.rb +21 -7
data/lib/doorkeeper/rake/db.rake +40 -0
data/lib/doorkeeper/rake/setup.rake +6 -0
data/lib/doorkeeper/rake.rb +14 -0
data/lib/doorkeeper/request/password.rb +1 -11
data/lib/doorkeeper/request.rb +29 -23
data/lib/doorkeeper/validations.rb +3 -2
data/lib/doorkeeper/version.rb +14 -1
data/lib/doorkeeper.rb +6 -17
data/lib/generators/doorkeeper/application_owner_generator.rb +26 -12
data/lib/generators/doorkeeper/confidential_applications_generator.rb +32 -0
data/lib/generators/doorkeeper/install_generator.rb +17 -9
data/lib/generators/doorkeeper/migration_generator.rb +26 -9
data/lib/generators/doorkeeper/pkce_generator.rb +32 -0
data/lib/generators/doorkeeper/previous_refresh_token_generator.rb +31 -20
data/lib/generators/doorkeeper/templates/add_confidential_to_applications.rb.erb +13 -0
data/lib/generators/doorkeeper/templates/{add_owner_to_application_migration.rb → add_owner_to_application_migration.rb.erb} +1 -1
data/lib/generators/doorkeeper/templates/{add_previous_refresh_token_to_access_tokens.rb → add_previous_refresh_token_to_access_tokens.rb.erb} +1 -1
data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +6 -0
data/lib/generators/doorkeeper/templates/initializer.rb +88 -10
data/lib/generators/doorkeeper/templates/{migration.rb → migration.rb.erb} +2 -1
data/lib/generators/doorkeeper/views_generator.rb +3 -1
data/spec/controllers/application_metal_controller_spec.rb +50 -0
data/spec/controllers/applications_controller_spec.rb +141 -17
data/spec/controllers/authorizations_controller_spec.rb +255 -20
data/spec/controllers/protected_resources_controller_spec.rb +44 -35
data/spec/controllers/token_info_controller_spec.rb +17 -21
data/spec/controllers/tokens_controller_spec.rb +142 -10
data/spec/dummy/app/assets/config/manifest.js +2 -0
data/spec/dummy/config/environments/test.rb +4 -5
data/spec/dummy/config/initializers/doorkeeper.rb +18 -1
data/spec/dummy/config/initializers/{active_record_belongs_to_required_by_default.rb → new_framework_defaults.rb} +5 -1
data/spec/dummy/config/initializers/secret_token.rb +0 -1
data/spec/dummy/config/routes.rb +3 -42
data/spec/dummy/db/migrate/20111122132257_create_users.rb +3 -1
data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb +3 -1
data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +3 -1
data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb +3 -1
data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb +3 -1
data/spec/dummy/db/migrate/20170822064514_enable_pkce.rb +6 -0
data/spec/dummy/db/migrate/20180210183654_add_confidential_to_applications.rb +13 -0
data/spec/dummy/db/schema.rb +38 -37
data/spec/factories.rb +1 -1
data/spec/generators/application_owner_generator_spec.rb +25 -6
data/spec/generators/confidential_applications_generator_spec.rb +45 -0
data/spec/generators/install_generator_spec.rb +1 -1
data/spec/generators/migration_generator_spec.rb +25 -4
data/spec/generators/pkce_generator_spec.rb +43 -0
data/spec/generators/previous_refresh_token_generator_spec.rb +57 -0
data/spec/generators/views_generator_spec.rb +1 -1
data/spec/grape/grape_integration_spec.rb +135 -0
data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +2 -2
data/spec/lib/config_spec.rb +170 -22
data/spec/lib/doorkeeper_spec.rb +1 -126
data/spec/lib/models/expirable_spec.rb +0 -3
data/spec/lib/models/revocable_spec.rb +2 -4
data/spec/lib/models/scopes_spec.rb +0 -4
data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -4
data/spec/lib/oauth/authorization_code_request_spec.rb +63 -13
data/spec/lib/oauth/base_request_spec.rb +19 -10
data/spec/lib/oauth/base_response_spec.rb +1 -1
data/spec/lib/oauth/client/credentials_spec.rb +5 -5
data/spec/lib/oauth/client_credentials/creator_spec.rb +6 -2
data/spec/lib/oauth/client_credentials/issuer_spec.rb +26 -7
data/spec/lib/oauth/client_credentials/validation_spec.rb +2 -3
data/spec/lib/oauth/client_credentials_integration_spec.rb +2 -2
data/spec/lib/oauth/client_credentials_request_spec.rb +4 -5
data/spec/lib/oauth/client_spec.rb +0 -3
data/spec/lib/oauth/code_request_spec.rb +5 -5
data/spec/lib/oauth/error_response_spec.rb +0 -3
data/spec/lib/oauth/error_spec.rb +1 -3
data/spec/lib/oauth/forbidden_token_response_spec.rb +1 -4
data/spec/lib/oauth/helpers/scope_checker_spec.rb +0 -3
data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -1
data/spec/lib/oauth/helpers/uri_checker_spec.rb +115 -3
data/spec/lib/oauth/invalid_token_response_spec.rb +2 -5
data/spec/lib/oauth/password_access_token_request_spec.rb +46 -5
data/spec/lib/oauth/pre_authorization_spec.rb +40 -6
data/spec/lib/oauth/refresh_token_request_spec.rb +30 -14
data/spec/lib/oauth/scopes_spec.rb +28 -4
data/spec/lib/oauth/token_request_spec.rb +10 -13
data/spec/lib/oauth/token_response_spec.rb +0 -1
data/spec/lib/oauth/token_spec.rb +37 -14
data/spec/lib/orm/active_record/stale_records_cleaner_spec.rb +79 -0
data/spec/lib/request/strategy_spec.rb +0 -1
data/spec/lib/server_spec.rb +10 -0
data/spec/models/doorkeeper/access_grant_spec.rb +2 -2
data/spec/models/doorkeeper/access_token_spec.rb +118 -60
data/spec/models/doorkeeper/application_spec.rb +101 -23
data/spec/requests/applications/applications_request_spec.rb +94 -6
data/spec/requests/applications/authorized_applications_spec.rb +1 -1
data/spec/requests/endpoints/authorization_spec.rb +1 -1
data/spec/requests/endpoints/token_spec.rb +15 -6
data/spec/requests/flows/authorization_code_errors_spec.rb +1 -1
data/spec/requests/flows/authorization_code_spec.rb +198 -1
data/spec/requests/flows/client_credentials_spec.rb +73 -5
data/spec/requests/flows/implicit_grant_errors_spec.rb +3 -3
data/spec/requests/flows/implicit_grant_spec.rb +38 -11
data/spec/requests/flows/password_spec.rb +160 -24
data/spec/requests/flows/refresh_token_spec.rb +6 -6
data/spec/requests/flows/revoke_token_spec.rb +26 -26
data/spec/requests/flows/skip_authorization_spec.rb +16 -11
data/spec/requests/protected_resources/metal_spec.rb +2 -2
data/spec/requests/protected_resources/private_api_spec.rb +2 -2
data/spec/routing/custom_controller_routes_spec.rb +63 -7
data/spec/routing/default_routes_spec.rb +6 -2
data/spec/routing/scoped_routes_spec.rb +16 -2
data/spec/spec_helper.rb +54 -3
data/spec/spec_helper_integration.rb +2 -63
data/spec/support/dependencies/factory_bot.rb +2 -0
data/spec/support/doorkeeper_rspec.rb +19 -0
data/spec/support/helpers/access_token_request_helper.rb +1 -1
data/spec/support/helpers/authorization_request_helper.rb +4 -4
data/spec/support/helpers/model_helper.rb +9 -4
data/spec/support/helpers/request_spec_helper.rb +10 -6
data/spec/support/helpers/url_helper.rb +15 -10
data/spec/support/http_method_shim.rb +12 -16
data/spec/support/shared/controllers_shared_context.rb +2 -6
data/spec/support/shared/models_shared_examples.rb +4 -4
data/spec/validators/redirect_uri_validator_spec.rb +58 -7
data/spec/version/version_spec.rb +15 -0
data/vendor/assets/stylesheets/doorkeeper/bootstrap.min.css +4 -5
metadata +73 -19
data/spec/controllers/application_metal_controller.rb +0 -10
data/spec/support/dependencies/factory_girl.rb +0 -2

data/lib/doorkeeper/config.rb CHANGED Viewed

@@ -15,19 +15,19 @@ module Doorkeeper
   end
   def self.configuration
-    @config || (fail MissingConfiguration)
+    @config || (raise MissingConfiguration)
   end
   def self.setup_orm_adapter
     @orm_adapter = "doorkeeper/orm/#{configuration.orm}".classify.constantize
-  rescue NameError => e
-    fail e, "ORM adapter not found (#{configuration.orm})", <<-ERROR_MSG.squish
-[doorkeeper] ORM adapter not found (#{configuration.orm}), or there was an error
-trying to load it.
-You probably need to add the related gem for this adapter to work with
-doorkeeper.
-      ERROR_MSG
+  rescue NameError => error
+    raise error, "ORM adapter not found (#{configuration.orm})", <<-ERROR_MSG.strip_heredoc
+      [doorkeeper] ORM adapter not found (#{configuration.orm}), or there was an error
+      trying to load it.
+      You probably need to add the related gem for this adapter to work with
+      doorkeeper.
+    ERROR_MSG
   end
   def self.setup_orm_models
@@ -59,12 +59,12 @@ doorkeeper.
       # @option opts[Boolean] :confirmation (false)
       #   Set confirm_application_owner variable
       def enable_application_owner(opts = {})
-        @config.instance_variable_set('@enable_application_owner', true)
+        @config.instance_variable_set(:@enable_application_owner, true)
         confirm_application_owner if opts[:confirmation].present? && opts[:confirmation]
       end
       def confirm_application_owner
-        @config.instance_variable_set('@confirm_application_owner', true)
+        @config.instance_variable_set(:@confirm_application_owner, true)
       end
       # Define default access token scopes for your provider
@@ -72,7 +72,7 @@ doorkeeper.
       # @param scopes [Array] Default set of access (OAuth::Scopes.new)
       # token scopes
       def default_scopes(*scopes)
-        @config.instance_variable_set('@default_scopes', OAuth::Scopes.from_array(scopes))
+        @config.instance_variable_set(:@default_scopes, OAuth::Scopes.from_array(scopes))
       end
       # Define default access token scopes for your provider
@@ -80,7 +80,7 @@ doorkeeper.
       # @param scopes [Array] Optional set of access (OAuth::Scopes.new)
       # token scopes
       def optional_scopes(*scopes)
-        @config.instance_variable_set('@optional_scopes', OAuth::Scopes.from_array(scopes))
+        @config.instance_variable_set(:@optional_scopes, OAuth::Scopes.from_array(scopes))
       end
       # Change the way client credentials are retrieved from the request object.
@@ -90,7 +90,7 @@ doorkeeper.
       #
       # @param methods [Array] Define client credentials
       def client_credentials(*methods)
-        @config.instance_variable_set('@client_credentials', methods)
+        @config.instance_variable_set(:@client_credentials_methods, methods)
       end
       # Change the way access token is authenticated from the request object.
@@ -100,57 +100,38 @@ doorkeeper.
       #
       # @param methods [Array] Define access token methods
       def access_token_methods(*methods)
-        @config.instance_variable_set('@access_token_methods', methods)
+        @config.instance_variable_set(:@access_token_methods, methods)
       end
       # Issue access tokens with refresh token (disabled by default)
       def use_refresh_token
-        @config.instance_variable_set('@refresh_token_enabled', true)
-      end
-      # WWW-Authenticate Realm (default "Doorkeeper").
-      #
-      # @param realm [String] ("Doorkeeper") Authentication realm
-      def realm(realm)
-        @config.instance_variable_set('@realm', realm)
+        @config.instance_variable_set(:@refresh_token_enabled, true)
       end
       # Reuse access token for the same resource owner within an application
       # (disabled by default)
       # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/383
       def reuse_access_token
-        @config.instance_variable_set("@reuse_access_token", true)
+        @config.instance_variable_set(:@reuse_access_token, true)
       end
-      # Forces the usage of the HTTPS protocol in non-native redirect uris
-      # (enabled by default in non-development environments). OAuth2
-      # delegates security in communication to the HTTPS protocol so it is
-      # wise to keep this enabled.
-      #
-      # @param [Boolean] boolean value for the parameter, true by default in
-      # non-development environment
-      def force_ssl_in_redirect_uri(boolean)
-        @config.instance_variable_set("@force_ssl_in_redirect_uri", boolean)
+      # Use an API mode for applications generated with --api argument
+      # It will skip applications controller, disable forgery protection
+      def api_only
+        @config.instance_variable_set(:@api_only, true)
       end
-      # Use a custom class for generating the access token.
-      # https://github.com/doorkeeper-gem/doorkeeper#custom-access-token-generator
-      #
-      # @param access_token_generator [String]
-      #   the name of the access token generator class
-      def access_token_generator(access_token_generator)
-        @config.instance_variable_set(
-          '@access_token_generator', access_token_generator
-        )
+      # Forbids creating/updating applications with arbitrary scopes that are
+      # not in configuration, i.e. `default_scopes` or `optional_scopes`.
+      # (disabled by default)
+      def enforce_configured_scopes
+        @config.instance_variable_set(:@enforce_configured_scopes, true)
       end
-      # The controller Doorkeeper::ApplicationController inherits from.
-      # Defaults to ActionController::Base.
-      # https://github.com/doorkeeper-gem/doorkeeper#custom-base-controller
-      #
-      # @param base_controller [String] the name of the base controller
-      def base_controller(base_controller)
-        @config.instance_variable_set('@base_controller', base_controller)
+      # Enforce request content type as the spec requires:
+      # disabled by default for backward compatibility.
+      def enforce_content_type
+        @config.instance_variable_set(:@enforce_content_type, true)
       end
     end
@@ -210,10 +191,6 @@ doorkeeper.
         public attribute
       end
-      def extended(base)
-        base.send(:private, :option)
-      end
     end
     extend Option
@@ -221,48 +198,110 @@ doorkeeper.
     option :resource_owner_authenticator,
            as: :authenticate_resource_owner,
            default: (lambda do |_routes|
-             logger.warn(I18n.translate('doorkeeper.errors.messages.resource_owner_authenticator_not_configured'))
+             ::Rails.logger.warn(
+               I18n.t('doorkeeper.errors.messages.resource_owner_authenticator_not_configured')
+             )
              nil
            end)
     option :admin_authenticator,
            as: :authenticate_admin,
            default: ->(_routes) {}
     option :resource_owner_from_credentials,
            default: (lambda do |_routes|
-             warn(I18n.translate('doorkeeper.errors.messages.credential_flow_not_configured'))
+             ::Rails.logger.warn(
+               I18n.t('doorkeeper.errors.messages.credential_flow_not_configured')
+             )
              nil
            end)
+    option :before_successful_authorization, default: ->(_context) {}
+    option :after_successful_authorization, default: ->(_context) {}
+    option :before_successful_strategy_response, default: ->(_request) {}
+    option :after_successful_strategy_response,
+           default: ->(_request, _response) {}
     option :skip_authorization,             default: ->(_routes) {}
     option :access_token_expires_in,        default: 7200
-    option :custom_access_token_expires_in, default: ->(_app) { nil }
+    option :custom_access_token_expires_in, default: ->(_context) { nil }
     option :authorization_code_expires_in,  default: 600
     option :orm,                            default: :active_record
     option :native_redirect_uri,            default: 'urn:ietf:wg:oauth:2.0:oob'
     option :active_record_options,          default: {}
+    option :grant_flows,                    default: %w[authorization_code client_credentials]
+    # Allows to forbid specific Application redirect URI's by custom rules.
+    # Doesn't forbid any URI by default.
+    #
+    # @param forbid_redirect_uri [Proc] Block or any object respond to #call
+    #
+    option :forbid_redirect_uri,            default: ->(_uri) { false }
+    # WWW-Authenticate Realm (default "Doorkeeper").
+    #
+    # @param realm [String] ("Doorkeeper") Authentication realm
+    #
     option :realm,                          default: 'Doorkeeper'
+    # Forces the usage of the HTTPS protocol in non-native redirect uris
+    # (enabled by default in non-development environments). OAuth2
+    # delegates security in communication to the HTTPS protocol so it is
+    # wise to keep this enabled.
+    #
+    # @param [Boolean] boolean_or_block value for the parameter, true by default in
+    # non-development environment
+    #
+    # @yield [uri] Conditional usage of SSL redirect uris.
+    # @yieldparam [URI] Redirect URI
+    # @yieldreturn [Boolean] Indicates necessity of usage of the HTTPS protocol
+    #   in non-native redirect uris
+    #
     option :force_ssl_in_redirect_uri,      default: !Rails.env.development?
-    option :grant_flows,                    default: %w(authorization_code client_credentials)
+    # Use a custom class for generating the access token.
+    # https://github.com/doorkeeper-gem/doorkeeper#custom-access-token-generator
+    #
+    # @param access_token_generator [String]
+    #   the name of the access token generator class
+    #
     option :access_token_generator,
            default: 'Doorkeeper::OAuth::Helpers::UniqueToken'
+    # The controller Doorkeeper::ApplicationController inherits from.
+    # Defaults to ActionController::Base.
+    # https://github.com/doorkeeper-gem/doorkeeper#custom-base-controller
+    #
+    # @param base_controller [String] the name of the base controller
     option :base_controller,
            default: 'ActionController::Base'
     attr_reader :reuse_access_token
+    attr_reader :api_only
+    attr_reader :enforce_content_type
+    def api_only
+      @api_only ||= false
+    end
+    def enforce_content_type
+      @enforce_content_type ||= false
+    end
     def refresh_token_enabled?
-      @refresh_token_enabled ||= false
-      !!@refresh_token_enabled
+      !!(defined?(@refresh_token_enabled) && @refresh_token_enabled)
+    end
+    def enforce_configured_scopes?
+      !!(defined?(@enforce_configured_scopes) && @enforce_configured_scopes)
     end
     def enable_application_owner?
-      @enable_application_owner ||= false
-      !!@enable_application_owner
+      !!(defined?(@enable_application_owner) && @enable_application_owner)
     end
     def confirm_application_owner?
-      @confirm_application_owner ||= false
-      !!@confirm_application_owner
+      !!(defined?(@confirm_application_owner) && @confirm_application_owner)
     end
     def default_scopes
@@ -278,19 +317,19 @@ doorkeeper.
     end
     def client_credentials_methods
-      @client_credentials ||= [:from_basic, :from_params]
+      @client_credentials_methods ||= %i[from_basic from_params]
     end
     def access_token_methods
-      @access_token_methods ||= [:from_bearer_authorization, :from_access_token_param, :from_bearer_param]
+      @access_token_methods ||= %i[from_bearer_authorization from_access_token_param from_bearer_param]
     end
     def authorization_response_types
-      @authorization_response_types ||= calculate_authorization_response_types
+      @authorization_response_types ||= calculate_authorization_response_types.freeze
     end
     def token_grant_types
-      @token_grant_types ||= calculate_token_grant_types
+      @token_grant_types ||= calculate_token_grant_types.freeze
     end
     private

data/lib/doorkeeper/engine.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 module Doorkeeper
   class Engine < Rails::Engine
     initializer "doorkeeper.params.filter" do |app|
-      parameters = %w(client_secret code authentication_token access_token refresh_token)
+      parameters = %w[client_secret code authentication_token access_token refresh_token]
       app.config.filter_parameters << /^(#{Regexp.union parameters})$/
     end
@@ -17,10 +17,14 @@ module Doorkeeper
     if defined?(Sprockets) && Sprockets::VERSION.chr.to_i >= 4
       initializer 'doorkeeper.assets.precompile' do |app|
-        app.config.assets.precompile += %w(
+        # Force users to use:
+        #    //= link doorkeeper/admin/application.css
+        # in Doorkeeper 5 for Sprockets 4 instead of precompile.
+        # Add note to official docs & Wiki
+        app.config.assets.precompile += %w[
           doorkeeper/application.css
           doorkeeper/admin/application.css
-        )
+        ]
       end
     end
   end

data/lib/doorkeeper/errors.rb CHANGED Viewed

@@ -36,10 +36,7 @@ module Doorkeeper
       end
     end
-    class UnableToGenerateToken < DoorkeeperError
-    end
-    class TokenGeneratorNotFound < DoorkeeperError
-    end
+    UnableToGenerateToken = Class.new(DoorkeeperError)
+    TokenGeneratorNotFound = Class.new(DoorkeeperError)
   end
 end

data/lib/doorkeeper/grape/helpers.rb CHANGED Viewed

@@ -9,7 +9,7 @@ module Doorkeeper
       # endpoint specific scopes > parameter scopes > default scopes
       def doorkeeper_authorize!(*scopes)
-        endpoint_scopes = env["api.endpoint"].route_setting(:scopes)
+        endpoint_scopes = endpoint.route_setting(:scopes) || endpoint.options[:route_options][:scopes]
         scopes = if endpoint_scopes
                    Doorkeeper::OAuth::Scopes.from_array(endpoint_scopes)
                  elsif scopes && !scopes.empty?
@@ -20,20 +20,18 @@ module Doorkeeper
       end
       def doorkeeper_render_error_with(error)
-        status_code = case error.status
-                      when :unauthorized
-                        401
-                      when :forbidden
-                        403
-                      end
+        status_code = error_status_codes[error.status]
         error!({ error: error.description }, status_code, error.headers)
       end
       private
+      def endpoint
+        env['api.endpoint']
+      end
       def doorkeeper_token
-        @_doorkeeper_token ||= OAuth::Token.authenticate(
+        @doorkeeper_token ||= OAuth::Token.authenticate(
           decorated_request,
           *Doorkeeper.configuration.access_token_methods
         )
@@ -42,6 +40,13 @@ module Doorkeeper
       def decorated_request
         AuthorizationDecorator.new(request)
       end
+      def error_status_codes
+        {
+          unauthorized: 401,
+          forbidden: 403
+        }
+      end
     end
   end
 end

data/lib/doorkeeper/helpers/controller.rb CHANGED Viewed

@@ -5,11 +5,13 @@ module Doorkeeper
     module Controller
       private
-      def authenticate_resource_owner! # :doc:
+      # :doc:
+      def authenticate_resource_owner!
         current_resource_owner
       end
-      def current_resource_owner # :doc:
+      # :doc:
+      def current_resource_owner
         instance_eval(&Doorkeeper.configuration.authenticate_resource_owner)
       end
@@ -17,7 +19,8 @@ module Doorkeeper
         instance_eval(&Doorkeeper.configuration.resource_owner_from_credentials)
       end
-      def authenticate_admin! # :doc:
+      # :doc:
+      def authenticate_admin!
         instance_eval(&Doorkeeper.configuration.authenticate_admin)
       end
@@ -25,12 +28,13 @@ module Doorkeeper
         @server ||= Server.new(self)
       end
-      def doorkeeper_token # :doc:
-        @token ||= OAuth::Token.authenticate request, *config_methods
+      # :doc:
+      def doorkeeper_token
+        @doorkeeper_token ||= OAuth::Token.authenticate request, *config_methods
       end
       def config_methods
-        @methods ||= Doorkeeper.configuration.access_token_methods
+        @config_methods ||= Doorkeeper.configuration.access_token_methods
       end
       def get_error_response_from_exception(exception)
@@ -47,6 +51,11 @@ module Doorkeeper
       def skip_authorization?
         !!instance_exec([@server.current_resource_owner, @pre_auth.client], &Doorkeeper.configuration.skip_authorization)
       end
+      def enforce_content_type
+        return if request.content_type == 'application/x-www-form-urlencoded'
+        render json: {}, status: :unsupported_media_type
+      end
     end
   end
 end

data/lib/doorkeeper/models/access_grant_mixin.rb CHANGED Viewed

@@ -6,24 +6,16 @@ module Doorkeeper
     include Models::Expirable
     include Models::Revocable
     include Models::Accessible
+    include Models::Orderable
     include Models::Scopes
-    include ActiveModel::MassAssignmentSecurity if defined?(::ProtectedAttributes)
-    included do
-      belongs_to_options = {
-        class_name: 'Doorkeeper::Application',
-        inverse_of: :access_grants
-      }
-      if defined?(ActiveRecord::Base) && ActiveRecord::VERSION::MAJOR >= 5
-        belongs_to_options[:optional] = true
-      end
-      belongs_to :application, belongs_to_options
-      validates :resource_owner_id, :application_id, :token, :expires_in, :redirect_uri, presence: true
-      validates :token, uniqueness: true
+    # never uses pkce, if pkce migrations were not generated
+    def uses_pkce?
+      pkce_supported? && code_challenge.present?
+    end
-      before_validation :generate_token, on: :create
+    def pkce_supported?
+      respond_to? :code_challenge
     end
     module ClassMethods
@@ -38,16 +30,53 @@ module Doorkeeper
       def by_token(token)
         find_by(token: token.to_s)
       end
-    end
-    private
+      # Implements PKCE code_challenge encoding without base64 padding as described in the spec.
+      # https://tools.ietf.org/html/rfc7636#appendix-A
+      #   Appendix A.  Notes on Implementing Base64url Encoding without Padding
+      #
+      #   This appendix describes how to implement a base64url-encoding
+      #   function without padding, based upon the standard base64-encoding
+      #   function that uses padding.
+      #
+      #       To be concrete, example C# code implementing these functions is shown
+      #   below.  Similar code could be used in other languages.
+      #
+      #   static string base64urlencode(byte [] arg)
+      #   {
+      #       string s = Convert.ToBase64String(arg); // Regular base64 encoder
+      #       s = s.Split('=')[0]; // Remove any trailing '='s
+      #       s = s.Replace('+', '-'); // 62nd char of encoding
+      #       s = s.Replace('/', '_'); // 63rd char of encoding
+      #       return s;
+      #   }
+      #
+      #   An example correspondence between unencoded and encoded values
+      #   follows.  The octet sequence below encodes into the string below,
+      #   which when decoded, reproduces the octet sequence.
+      #
+      #   3 236 255 224 193
+      #
+      #   A-z_4ME
+      #
+      # https://ruby-doc.org/stdlib-2.1.3/libdoc/base64/rdoc/Base64.html#method-i-urlsafe_encode64
+      #
+      # urlsafe_encode64(bin)
+      # Returns the Base64-encoded version of bin. This method complies with
+      # “Base 64 Encoding with URL and Filename Safe Alphabet” in RFC 4648.
+      # The alphabet uses '-' instead of '+' and '_' instead of '/'.
-    # Generates token value with UniqueToken class.
-    #
-    # @return [String] token value
-    #
-    def generate_token
-      self.token = UniqueToken.generate
+      # @param code_verifier [#to_s] a one time use value (any object that responds to `#to_s`)
+      #
+      # @return [#to_s] An encoded code challenge based on the provided verifier suitable for PKCE validation
+      def generate_code_challenge(code_verifier)
+        padded_result = Base64.urlsafe_encode64(Digest::SHA256.digest(code_verifier))
+        padded_result.split('=')[0] # Remove any trailing '='
+      end
+      def pkce_supported?
+        new.pkce_supported?
+      end
     end
   end
 end