RubyGems - doorkeeper - Versions diffs - 4.2.6 → 5.0.0.rc1 - Mend

doorkeeper 4.2.6 → 5.0.0.rc1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (205) hide show

checksums.yaml +4 -4
data/.github/ISSUE_TEMPLATE.md +25 -0
data/.github/PULL_REQUEST_TEMPLATE.md +17 -0
data/.gitignore +2 -1
data/.hound.yml +2 -13
data/.rubocop.yml +17 -0
data/.travis.yml +19 -5
data/Appraisals +8 -4
data/CODE_OF_CONDUCT.md +46 -0
data/Gemfile +1 -1
data/NEWS.md +77 -0
data/README.md +169 -34
data/Rakefile +6 -0
data/SECURITY.md +15 -0
data/app/assets/stylesheets/doorkeeper/admin/application.css +2 -2
data/app/controllers/doorkeeper/application_controller.rb +2 -5
data/app/controllers/doorkeeper/application_metal_controller.rb +4 -0
data/app/controllers/doorkeeper/applications_controller.rb +47 -13
data/app/controllers/doorkeeper/authorizations_controller.rb +55 -12
data/app/controllers/doorkeeper/authorized_applications_controller.rb +15 -1
data/app/controllers/doorkeeper/tokens_controller.rb +15 -7
data/app/helpers/doorkeeper/dashboard_helper.rb +8 -6
data/app/validators/redirect_uri_validator.rb +13 -2
data/app/views/doorkeeper/applications/_delete_form.html.erb +3 -1
data/app/views/doorkeeper/applications/_form.html.erb +31 -19
data/app/views/doorkeeper/applications/edit.html.erb +1 -1
data/app/views/doorkeeper/applications/index.html.erb +18 -6
data/app/views/doorkeeper/applications/new.html.erb +1 -1
data/app/views/doorkeeper/applications/show.html.erb +8 -5
data/app/views/doorkeeper/authorizations/error.html.erb +1 -1
data/app/views/doorkeeper/authorizations/new.html.erb +4 -0
data/app/views/doorkeeper/authorized_applications/index.html.erb +0 -1
data/app/views/layouts/doorkeeper/admin.html.erb +15 -15
data/config/locales/en.yml +18 -6
data/doorkeeper.gemspec +6 -5
data/gemfiles/rails_4_2.gemfile +6 -4
data/gemfiles/rails_5_0.gemfile +4 -4
data/gemfiles/rails_5_1.gemfile +6 -7
data/gemfiles/rails_5_2.gemfile +12 -0
data/gemfiles/rails_master.gemfile +14 -0
data/lib/doorkeeper/config.rb +107 -68
data/lib/doorkeeper/engine.rb +7 -3
data/lib/doorkeeper/errors.rb +2 -5
data/lib/doorkeeper/grape/helpers.rb +14 -9
data/lib/doorkeeper/helpers/controller.rb +15 -6
data/lib/doorkeeper/models/access_grant_mixin.rb +52 -23
data/lib/doorkeeper/models/access_token_mixin.rb +51 -52
data/lib/doorkeeper/models/application_mixin.rb +16 -30
data/lib/doorkeeper/models/concerns/expirable.rb +7 -5
data/lib/doorkeeper/models/concerns/orderable.rb +13 -0
data/lib/doorkeeper/models/concerns/scopes.rb +1 -1
data/lib/doorkeeper/oauth/authorization/code.rb +31 -8
data/lib/doorkeeper/oauth/authorization/context.rb +15 -0
data/lib/doorkeeper/oauth/authorization/token.rb +41 -20
data/lib/doorkeeper/oauth/authorization_code_request.rb +33 -3
data/lib/doorkeeper/oauth/base_request.rb +22 -7
data/lib/doorkeeper/oauth/client/credentials.rb +6 -4
data/lib/doorkeeper/oauth/client.rb +2 -2
data/lib/doorkeeper/oauth/client_credentials/issuer.rb +6 -1
data/lib/doorkeeper/oauth/client_credentials/validation.rb +4 -2
data/lib/doorkeeper/oauth/error.rb +2 -2
data/lib/doorkeeper/oauth/error_response.rb +11 -4
data/lib/doorkeeper/oauth/forbidden_token_response.rb +1 -1
data/lib/doorkeeper/oauth/helpers/scope_checker.rb +0 -8
data/lib/doorkeeper/oauth/helpers/uri_checker.rb +15 -0
data/lib/doorkeeper/oauth/invalid_token_response.rb +3 -4
data/lib/doorkeeper/oauth/password_access_token_request.rb +8 -4
data/lib/doorkeeper/oauth/pre_authorization.rb +45 -13
data/lib/doorkeeper/oauth/refresh_token_request.rb +7 -1
data/lib/doorkeeper/oauth/scopes.rb +19 -9
data/lib/doorkeeper/oauth/token.rb +6 -3
data/lib/doorkeeper/oauth/token_introspection.rb +128 -0
data/lib/doorkeeper/oauth/token_response.rb +4 -2
data/lib/doorkeeper/oauth.rb +13 -0
data/lib/doorkeeper/orm/active_record/access_grant.rb +27 -0
data/lib/doorkeeper/orm/active_record/access_token.rb +21 -20
data/lib/doorkeeper/orm/active_record/application.rb +34 -0
data/lib/doorkeeper/orm/active_record/stale_records_cleaner.rb +26 -0
data/lib/doorkeeper/orm/active_record.rb +21 -8
data/lib/doorkeeper/rails/helpers.rb +7 -10
data/lib/doorkeeper/rails/routes.rb +21 -7
data/lib/doorkeeper/rake/db.rake +40 -0
data/lib/doorkeeper/rake/setup.rake +6 -0
data/lib/doorkeeper/rake.rb +14 -0
data/lib/doorkeeper/request/password.rb +1 -11
data/lib/doorkeeper/request.rb +29 -23
data/lib/doorkeeper/validations.rb +3 -2
data/lib/doorkeeper/version.rb +14 -1
data/lib/doorkeeper.rb +6 -17
data/lib/generators/doorkeeper/application_owner_generator.rb +26 -12
data/lib/generators/doorkeeper/confidential_applications_generator.rb +32 -0
data/lib/generators/doorkeeper/install_generator.rb +17 -9
data/lib/generators/doorkeeper/migration_generator.rb +26 -9
data/lib/generators/doorkeeper/pkce_generator.rb +32 -0
data/lib/generators/doorkeeper/previous_refresh_token_generator.rb +31 -20
data/lib/generators/doorkeeper/templates/add_confidential_to_applications.rb.erb +13 -0
data/lib/generators/doorkeeper/templates/{add_owner_to_application_migration.rb → add_owner_to_application_migration.rb.erb} +1 -1
data/lib/generators/doorkeeper/templates/{add_previous_refresh_token_to_access_tokens.rb → add_previous_refresh_token_to_access_tokens.rb.erb} +1 -1
data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +6 -0
data/lib/generators/doorkeeper/templates/initializer.rb +88 -10
data/lib/generators/doorkeeper/templates/{migration.rb → migration.rb.erb} +2 -1
data/lib/generators/doorkeeper/views_generator.rb +3 -1
data/spec/controllers/application_metal_controller_spec.rb +50 -0
data/spec/controllers/applications_controller_spec.rb +141 -17
data/spec/controllers/authorizations_controller_spec.rb +255 -20
data/spec/controllers/protected_resources_controller_spec.rb +44 -35
data/spec/controllers/token_info_controller_spec.rb +17 -21
data/spec/controllers/tokens_controller_spec.rb +142 -10
data/spec/dummy/app/assets/config/manifest.js +2 -0
data/spec/dummy/config/environments/test.rb +4 -5
data/spec/dummy/config/initializers/doorkeeper.rb +18 -1
data/spec/dummy/config/initializers/{active_record_belongs_to_required_by_default.rb → new_framework_defaults.rb} +5 -1
data/spec/dummy/config/initializers/secret_token.rb +0 -1
data/spec/dummy/config/routes.rb +3 -42
data/spec/dummy/db/migrate/20111122132257_create_users.rb +3 -1
data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb +3 -1
data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +3 -1
data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb +3 -1
data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb +3 -1
data/spec/dummy/db/migrate/20170822064514_enable_pkce.rb +6 -0
data/spec/dummy/db/migrate/20180210183654_add_confidential_to_applications.rb +13 -0
data/spec/dummy/db/schema.rb +38 -37
data/spec/factories.rb +1 -1
data/spec/generators/application_owner_generator_spec.rb +25 -6
data/spec/generators/confidential_applications_generator_spec.rb +45 -0
data/spec/generators/install_generator_spec.rb +1 -1
data/spec/generators/migration_generator_spec.rb +25 -4
data/spec/generators/pkce_generator_spec.rb +43 -0
data/spec/generators/previous_refresh_token_generator_spec.rb +57 -0
data/spec/generators/views_generator_spec.rb +1 -1
data/spec/grape/grape_integration_spec.rb +135 -0
data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +2 -2
data/spec/lib/config_spec.rb +170 -22
data/spec/lib/doorkeeper_spec.rb +1 -126
data/spec/lib/models/expirable_spec.rb +0 -3
data/spec/lib/models/revocable_spec.rb +2 -4
data/spec/lib/models/scopes_spec.rb +0 -4
data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -4
data/spec/lib/oauth/authorization_code_request_spec.rb +63 -13
data/spec/lib/oauth/base_request_spec.rb +19 -10
data/spec/lib/oauth/base_response_spec.rb +1 -1
data/spec/lib/oauth/client/credentials_spec.rb +5 -5
data/spec/lib/oauth/client_credentials/creator_spec.rb +6 -2
data/spec/lib/oauth/client_credentials/issuer_spec.rb +26 -7
data/spec/lib/oauth/client_credentials/validation_spec.rb +2 -3
data/spec/lib/oauth/client_credentials_integration_spec.rb +2 -2
data/spec/lib/oauth/client_credentials_request_spec.rb +4 -5
data/spec/lib/oauth/client_spec.rb +0 -3
data/spec/lib/oauth/code_request_spec.rb +5 -5
data/spec/lib/oauth/error_response_spec.rb +0 -3
data/spec/lib/oauth/error_spec.rb +1 -3
data/spec/lib/oauth/forbidden_token_response_spec.rb +1 -4
data/spec/lib/oauth/helpers/scope_checker_spec.rb +0 -3
data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -1
data/spec/lib/oauth/helpers/uri_checker_spec.rb +115 -3
data/spec/lib/oauth/invalid_token_response_spec.rb +2 -5
data/spec/lib/oauth/password_access_token_request_spec.rb +46 -5
data/spec/lib/oauth/pre_authorization_spec.rb +40 -6
data/spec/lib/oauth/refresh_token_request_spec.rb +30 -14
data/spec/lib/oauth/scopes_spec.rb +28 -4
data/spec/lib/oauth/token_request_spec.rb +10 -13
data/spec/lib/oauth/token_response_spec.rb +0 -1
data/spec/lib/oauth/token_spec.rb +37 -14
data/spec/lib/orm/active_record/stale_records_cleaner_spec.rb +79 -0
data/spec/lib/request/strategy_spec.rb +0 -1
data/spec/lib/server_spec.rb +10 -0
data/spec/models/doorkeeper/access_grant_spec.rb +2 -2
data/spec/models/doorkeeper/access_token_spec.rb +118 -60
data/spec/models/doorkeeper/application_spec.rb +101 -23
data/spec/requests/applications/applications_request_spec.rb +94 -6
data/spec/requests/applications/authorized_applications_spec.rb +1 -1
data/spec/requests/endpoints/authorization_spec.rb +1 -1
data/spec/requests/endpoints/token_spec.rb +15 -6
data/spec/requests/flows/authorization_code_errors_spec.rb +1 -1
data/spec/requests/flows/authorization_code_spec.rb +198 -1
data/spec/requests/flows/client_credentials_spec.rb +73 -5
data/spec/requests/flows/implicit_grant_errors_spec.rb +3 -3
data/spec/requests/flows/implicit_grant_spec.rb +38 -11
data/spec/requests/flows/password_spec.rb +160 -24
data/spec/requests/flows/refresh_token_spec.rb +6 -6
data/spec/requests/flows/revoke_token_spec.rb +26 -26
data/spec/requests/flows/skip_authorization_spec.rb +16 -11
data/spec/requests/protected_resources/metal_spec.rb +2 -2
data/spec/requests/protected_resources/private_api_spec.rb +2 -2
data/spec/routing/custom_controller_routes_spec.rb +63 -7
data/spec/routing/default_routes_spec.rb +6 -2
data/spec/routing/scoped_routes_spec.rb +16 -2
data/spec/spec_helper.rb +54 -3
data/spec/spec_helper_integration.rb +2 -63
data/spec/support/dependencies/factory_bot.rb +2 -0
data/spec/support/doorkeeper_rspec.rb +19 -0
data/spec/support/helpers/access_token_request_helper.rb +1 -1
data/spec/support/helpers/authorization_request_helper.rb +4 -4
data/spec/support/helpers/model_helper.rb +9 -4
data/spec/support/helpers/request_spec_helper.rb +10 -6
data/spec/support/helpers/url_helper.rb +15 -10
data/spec/support/http_method_shim.rb +12 -16
data/spec/support/shared/controllers_shared_context.rb +2 -6
data/spec/support/shared/models_shared_examples.rb +4 -4
data/spec/validators/redirect_uri_validator_spec.rb +58 -7
data/spec/version/version_spec.rb +15 -0
data/vendor/assets/stylesheets/doorkeeper/bootstrap.min.css +4 -5
metadata +73 -19
data/spec/controllers/application_metal_controller.rb +0 -10
data/spec/support/dependencies/factory_girl.rb +0 -2

data/lib/doorkeeper/models/access_token_mixin.rb CHANGED Viewed

@@ -6,32 +6,8 @@ module Doorkeeper
     include Models::Expirable
     include Models::Revocable
     include Models::Accessible
+    include Models::Orderable
     include Models::Scopes
-    include ActiveModel::MassAssignmentSecurity if defined?(::ProtectedAttributes)
-    included do
-      belongs_to_options = {
-        class_name: 'Doorkeeper::Application',
-        inverse_of: :access_tokens
-      }
-      if defined?(ActiveRecord::Base) && ActiveRecord::VERSION::MAJOR >= 5
-        belongs_to_options[:optional] = true
-      end
-      belongs_to :application, belongs_to_options
-      validates :token, presence: true, uniqueness: true
-      validates :refresh_token, uniqueness: true, if: :use_refresh_token?
-      # @attr_writer [Boolean, nil] use_refresh_token
-      #   indicates the possibility of using refresh token
-      attr_writer :use_refresh_token
-      before_validation :generate_token, on: :create
-      before_validation :generate_refresh_token,
-                        on: :create,
-                        if: :use_refresh_token?
-    end
     module ClassMethods
       # Returns an instance of the Doorkeeper::AccessToken with
@@ -68,11 +44,11 @@ module Doorkeeper
       # @param resource_owner [ActiveRecord::Base]
       #   instance of the Resource Owner model
       #
-      def revoke_all_for(application_id, resource_owner)
+      def revoke_all_for(application_id, resource_owner, clock = Time)
         where(application_id: application_id,
               resource_owner_id: resource_owner.id,
               revoked_at: nil).
-          each(&:revoke)
+          update_all(revoked_at: clock.now.utc)
       end
       # Looking for not expired Access Token with a matching set of scopes
@@ -94,30 +70,34 @@ module Doorkeeper
                             else
                               resource_owner_or_id
                             end
-        token = last_authorized_token_for(application.try(:id), resource_owner_id)
-        if token && scopes_match?(token.scopes, scopes, application.try(:scopes))
-          token
+        tokens = authorized_tokens_for(application.try(:id), resource_owner_id)
+        tokens.detect do |token|
+          scopes_match?(token.scopes, scopes, application.try(:scopes))
         end
       end
-      # Checks whether the token scopes match the scopes from the parameters or
-      # Application scopes (if present).
+      # Checks whether the token scopes match the scopes from the parameters
       #
       # @param token_scopes [#to_s]
       #   set of scopes (any object that responds to `#to_s`)
-      # @param param_scopes [String]
+      # @param param_scopes [Doorkeeper::OAuth::Scopes]
       #   scopes from params
-      # @param app_scopes [String]
+      # @param app_scopes [Doorkeeper::OAuth::Scopes]
       #   Application scopes
       #
-      # @return [Boolean] true if all scopes and blank or matches
+      # @return [Boolean] true if the param scopes match the token scopes,
+      #   and all the param scopes are defined in the application (or in the
+      #   server configuration if the application doesn't define any scopes),
       #   and false in other cases
       #
       def scopes_match?(token_scopes, param_scopes, app_scopes)
-        (!token_scopes.present? && !param_scopes.present?) ||
-          Doorkeeper::OAuth::Helpers::ScopeChecker.match?(
-            token_scopes.to_s,
-            param_scopes,
+        return true if token_scopes.empty? && param_scopes.empty?
+        (token_scopes.sort == param_scopes.sort) &&
+          Doorkeeper::OAuth::Helpers::ScopeChecker.valid?(
+            param_scopes.to_s,
+            Doorkeeper.configuration.scopes,
             app_scopes
           )
       end
@@ -142,9 +122,8 @@ module Doorkeeper
       def find_or_create_for(application, resource_owner_id, scopes, expires_in, use_refresh_token)
         if Doorkeeper.configuration.reuse_access_token
           access_token = matching_token_for(application, resource_owner_id, scopes)
-          if access_token && !access_token.expired?
-            return access_token
-          end
+          return access_token if access_token && !access_token.expired?
         end
         create!(
@@ -156,7 +135,7 @@ module Doorkeeper
         )
       end
-      # Looking for not revoked Access Token record that belongs to specific
+      # Looking for not revoked Access Token records that belongs to specific
       # Application and Resource Owner.
       #
       # @param application_id [Integer]
@@ -164,14 +143,28 @@ module Doorkeeper
       # @param resource_owner_id [Integer]
       #   ID of the Resource Owner model instance
       #
+      # @return [Doorkeeper::AccessToken] array of matching AccessToken objects
+      #
+      def authorized_tokens_for(application_id, resource_owner_id)
+        ordered_by(:created_at, :desc)
+          .where(application_id: application_id,
+                 resource_owner_id: resource_owner_id,
+                 revoked_at: nil)
+      end
+      # Convenience method for backwards-compatibility, return the last
+      # matching token for the given Application and Resource Owner.
+      #
+      # @param application_id [Integer]
+      #   ID of the Application model instance
+      # @param resource_owner_id [Integer]
+      #   ID of the Resource Owner model instance
+      #
       # @return [Doorkeeper::AccessToken, nil] matching AccessToken object or
       #   nil if nothing was found
       #
       def last_authorized_token_for(application_id, resource_owner_id)
-        send(order_method, created_at_desc).
-          find_by(application_id: application_id,
-                  resource_owner_id: resource_owner_id,
-                  revoked_at: nil)
+        authorized_tokens_for(application_id, resource_owner_id).first
       end
     end
@@ -231,7 +224,7 @@ module Doorkeeper
     # @return [String] refresh token value
     #
     def generate_refresh_token
-      write_attribute :refresh_token, UniqueToken.generate
+      self.refresh_token = UniqueToken.generate
     end
     # Generates and sets the token value with the
@@ -247,18 +240,24 @@ module Doorkeeper
     def generate_token
       self.created_at ||= Time.now.utc
-      generator = Doorkeeper.configuration.access_token_generator.constantize
-      self.token = generator.generate(
+      self.token = token_generator.generate(
         resource_owner_id: resource_owner_id,
         scopes: scopes,
         application: application,
         expires_in: expires_in,
         created_at: created_at
       )
-    rescue NoMethodError
+    end
+    def token_generator
+      generator_name = Doorkeeper.configuration.access_token_generator
+      generator = generator_name.constantize
+      return generator if generator.respond_to?(:generate)
       raise Errors::UnableToGenerateToken, "#{generator} does not respond to `.generate`."
     rescue NameError
-      raise Errors::TokenGeneratorNotFound, "#{generator} not found"
+      raise Errors::TokenGeneratorNotFound, "#{generator_name} not found"
     end
   end
 end

data/lib/doorkeeper/models/application_mixin.rb CHANGED Viewed

@@ -3,24 +3,16 @@ module Doorkeeper
     extend ActiveSupport::Concern
     include OAuth::Helpers
+    include Models::Orderable
     include Models::Scopes
-    include ActiveModel::MassAssignmentSecurity if defined?(::ProtectedAttributes)
-    included do
-      has_many :access_grants, dependent: :delete_all, class_name: 'Doorkeeper::AccessGrant'
-      has_many :access_tokens, dependent: :delete_all, class_name: 'Doorkeeper::AccessToken'
-      validates :name, :secret, :uid, presence: true
-      validates :uid, uniqueness: true
-      validates :redirect_uri, redirect_uri: true
-      before_validation :generate_uid, :generate_secret, on: :create
-    end
     module ClassMethods
       # Returns an instance of the Doorkeeper::Application with
       # specific UID and secret.
       #
+      # Public/Non-confidential applications will only find by uid if secret is
+      # blank.
+      #
       # @param uid [#to_s] UID (any object that responds to `#to_s`)
       # @param secret [#to_s] secret (any object that responds to `#to_s`)
       #
@@ -28,7 +20,11 @@ module Doorkeeper
       #   if there is no record with such credentials
       #
       def by_uid_and_secret(uid, secret)
-        find_by(uid: uid.to_s, secret: secret.to_s)
+        app = by_uid(uid)
+        return unless app
+        return app if secret.blank? && !app.confidential?
+        return unless app.secret == secret
+        app
       end
       # Returns an instance of the Doorkeeper::Application with specific UID.
@@ -43,23 +39,13 @@ module Doorkeeper
       end
     end
-    private
-    def has_scopes?
-      Doorkeeper.configuration.orm != :active_record ||
-        Doorkeeper::Application.column_names.include?("scopes")
-    end
-    def generate_uid
-      if uid.blank?
-        self.uid = UniqueToken.generate
-      end
-    end
-    def generate_secret
-      if secret.blank?
-        self.secret = UniqueToken.generate
-      end
+    # Set an application's valid redirect URIs.
+    #
+    # @param uris [String, Array] Newline-separated string or array the URI(s)
+    #
+    # @return [String] The redirect URI(s) seperated by newlines.
+    def redirect_uri=(uris)
+      super(uris.is_a?(Array) ? uris.join("\n") : uris)
     end
   end
 end

data/lib/doorkeeper/models/concerns/expirable.rb CHANGED Viewed

@@ -6,7 +6,7 @@ module Doorkeeper
       #
       # @return [Boolean] true if object expired and false in other case
       def expired?
-        expires_in && Time.now.utc > expired_time
+        expires_in && Time.now.utc > expires_at
       end
       # Calculates expiration time in seconds.
@@ -15,14 +15,16 @@ module Doorkeeper
       #   or nil if object never expires.
       def expires_in_seconds
         return nil if expires_in.nil?
-        expires = (created_at + expires_in.seconds) - Time.now.utc
+        expires = expires_at - Time.now.utc
         expires_sec = expires.seconds.round(0)
         expires_sec > 0 ? expires_sec : 0
       end
-      private
-      def expired_time
+      # Expiration time (date time of creation + TTL).
+      #
+      # @return [Time] expiration time in UTC
+      #
+      def expires_at
         created_at + expires_in.seconds
       end
     end

data/lib/doorkeeper/models/concerns/orderable.rb ADDED Viewed

@@ -0,0 +1,13 @@
+module Doorkeeper
+  module Models
+    module Orderable
+      extend ActiveSupport::Concern
+      module ClassMethods
+        def ordered_by(attribute, direction = :asc)
+          order(attribute => direction)
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/models/concerns/scopes.rb CHANGED Viewed

@@ -10,7 +10,7 @@ module Doorkeeper
       end
       def includes_scope?(*required_scopes)
-        required_scopes.blank? || required_scopes.any? { |s| scopes.exists?(s.to_s) }
+        required_scopes.blank? || required_scopes.any? { |scope| scopes.exists?(scope.to_s) }
       end
     end
   end

data/lib/doorkeeper/oauth/authorization/code.rb CHANGED Viewed

@@ -5,18 +5,12 @@ module Doorkeeper
         attr_accessor :pre_auth, :resource_owner, :token
         def initialize(pre_auth, resource_owner)
-          @pre_auth       = pre_auth
+          @pre_auth = pre_auth
           @resource_owner = resource_owner
         end
         def issue_token
-          @token ||= AccessGrant.create!(
-            application_id: pre_auth.client.id,
-            resource_owner_id: resource_owner.id,
-            expires_in: configuration.authorization_code_expires_in,
-            redirect_uri: pre_auth.redirect_uri,
-            scopes: pre_auth.scopes.to_s
-          )
+          @token ||= AccessGrant.create! access_grant_attributes
         end
         def native_redirect
@@ -26,6 +20,35 @@ module Doorkeeper
         def configuration
           Doorkeeper.configuration
         end
+        private
+        def authorization_code_expires_in
+          configuration.authorization_code_expires_in
+        end
+        def access_grant_attributes
+          pkce_attributes.merge application_id: pre_auth.client.id,
+                                resource_owner_id: resource_owner.id,
+                                expires_in: authorization_code_expires_in,
+                                redirect_uri: pre_auth.redirect_uri,
+                                scopes: pre_auth.scopes.to_s
+        end
+        def pkce_attributes
+          return {} unless pkce_supported?
+          {
+            code_challenge: pre_auth.code_challenge,
+            code_challenge_method: pre_auth.code_challenge_method
+          }
+        end
+        # ensures firstly, if migration with additional pcke columns was
+        # generated and migrated
+        def pkce_supported?
+          Doorkeeper::AccessGrant.pkce_supported?
+        end
       end
     end
   end

data/lib/doorkeeper/oauth/authorization/context.rb ADDED Viewed

@@ -0,0 +1,15 @@
+module Doorkeeper
+  module OAuth
+    module Authorization
+      class Context
+        attr_reader :client, :grant_type, :scopes
+        def initialize(client, grant_type, scopes)
+          @client     = client
+          @grant_type = grant_type
+          @scopes     = scopes
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/oauth/authorization/token.rb CHANGED Viewed

@@ -4,32 +4,56 @@ module Doorkeeper
       class Token
         attr_accessor :pre_auth, :resource_owner, :token
+        class << self
+          def access_token_expires_in(server, pre_auth_or_oauth_client, grant_type, scopes)
+            if (expiration = custom_expiration(server, pre_auth_or_oauth_client, grant_type, scopes))
+              expiration
+            else
+              server.access_token_expires_in
+            end
+          end
+          private
+          def custom_expiration(server, pre_auth_or_oauth_client, grant_type, scopes)
+            oauth_client = if pre_auth_or_oauth_client.respond_to?(:client)
+                             pre_auth_or_oauth_client.client
+                           else
+                             pre_auth_or_oauth_client
+                           end
+            context = Doorkeeper::OAuth::Authorization::Context.new(
+              oauth_client,
+              grant_type,
+              scopes
+            )
+            server.custom_access_token_expires_in.call(context)
+          end
+        end
         def initialize(pre_auth, resource_owner)
           @pre_auth       = pre_auth
           @resource_owner = resource_owner
         end
-        def self.access_token_expires_in(server, pre_auth_or_oauth_client)
-          if expiration = custom_expiration(server, pre_auth_or_oauth_client)
-            expiration
-          else
-            server.access_token_expires_in
-          end
-        end
         def issue_token
           @token ||= AccessToken.find_or_create_for(
             pre_auth.client,
             resource_owner.id,
             pre_auth.scopes,
-            self.class.access_token_expires_in(configuration, pre_auth),
+            self.class.access_token_expires_in(
+              configuration,
+              pre_auth,
+              Doorkeeper::OAuth::IMPLICIT,
+              pre_auth.scopes
+            ),
             false
           )
         end
         def native_redirect
           {
-            controller: 'doorkeeper/token_info',
+            controller: controller,
             action: :show,
             access_token: token.token
           }
@@ -37,19 +61,16 @@ module Doorkeeper
         private
-        def self.custom_expiration(server, pre_auth_or_oauth_client)
-          oauth_client = if pre_auth_or_oauth_client.respond_to?(:client)
-                           pre_auth_or_oauth_client.client
-                         else
-                           pre_auth_or_oauth_client
-                         end
-          server.custom_access_token_expires_in.call(oauth_client)
-        end
         def configuration
           Doorkeeper.configuration
         end
+        def controller
+          @controller ||= begin
+            mapping = Doorkeeper::Rails::Routes.mapping[:token_info] || {}
+            mapping[:controllers] || 'doorkeeper/token_info'
+          end
+        end
       end
     end
   end

data/lib/doorkeeper/oauth/authorization_code_request.rb CHANGED Viewed

@@ -4,19 +4,28 @@ module Doorkeeper
       validate :attributes,   error: :invalid_request
       validate :client,       error: :invalid_client
       validate :grant,        error: :invalid_grant
+      # @see https://tools.ietf.org/html/rfc6749#section-5.2
       validate :redirect_uri, error: :invalid_grant
+      validate :code_verifier, error: :invalid_grant
-      attr_accessor :server, :grant, :client, :redirect_uri, :access_token
+      attr_accessor :server, :grant, :client, :redirect_uri, :access_token,
+                    :code_verifier
       def initialize(server, grant, client, parameters = {})
         @server = server
         @client = client
         @grant  = grant
+        @grant_type = Doorkeeper::OAuth::AUTHORIZATION_CODE
         @redirect_uri = parameters[:redirect_uri]
+        @code_verifier = parameters[:code_verifier]
       end
       private
+      def client_by_uid(parameters)
+        Doorkeeper::Application.by_uid(parameters[:client_id])
+      end
       def before_successful_response
         grant.transaction do
           grant.lock!
@@ -28,14 +37,17 @@ module Doorkeeper
                                       grant.scopes,
                                       server)
         end
+        super
       end
       def validate_attributes
+        return false if grant && grant.uses_pkce? && code_verifier.blank?
+        return false if grant && !grant.pkce_supported? && !code_verifier.blank?
         redirect_uri.present?
       end
       def validate_client
-        !!client
+        !client.nil?
       end
       def validate_grant
@@ -44,7 +56,25 @@ module Doorkeeper
       end
       def validate_redirect_uri
-        grant.redirect_uri == redirect_uri
+        Helpers::URIChecker.valid_for_authorization?(
+          redirect_uri,
+          grant.redirect_uri
+        )
+      end
+      # if either side (server or client) request pkce, check the verifier
+      # against the DB - if pkce is supported
+      def validate_code_verifier
+        return true unless grant.uses_pkce? || code_verifier
+        return false unless grant.pkce_supported?
+        if grant.code_challenge_method == 'S256'
+          grant.code_challenge == AccessGrant.generate_code_challenge(code_verifier)
+        elsif grant.code_challenge_method == 'plain'
+          grant.code_challenge == code_verifier
+        else
+          false
+        end
       end
     end
   end

data/lib/doorkeeper/oauth/base_request.rb CHANGED Viewed

@@ -3,8 +3,11 @@ module Doorkeeper
     class BaseRequest
       include Validations
+      attr_reader :grant_type
       def authorize
         validate
         if valid?
           before_successful_response
           @response = TokenResponse.new(access_token)
@@ -16,11 +19,7 @@ module Doorkeeper
       end
       def scopes
-        @scopes ||= if @original_scopes.present?
-                      OAuth::Scopes.from_string(@original_scopes)
-                    else
-                      default_scopes
-                    end
+        @scopes ||= build_scopes
       end
       def default_scopes
@@ -36,14 +35,30 @@ module Doorkeeper
           client,
           resource_owner_id,
           scopes,
-          Authorization::Token.access_token_expires_in(server, client),
-          server.refresh_token_enabled?)
+          Authorization::Token.access_token_expires_in(server, client, grant_type, scopes),
+          server.refresh_token_enabled?
+        )
       end
       def before_successful_response
+        Doorkeeper.configuration.before_successful_strategy_response.call(self)
       end
       def after_successful_response
+        Doorkeeper.configuration.after_successful_strategy_response.call(self, @response)
+      end
+      private
+      def build_scopes
+        if @original_scopes.present?
+          OAuth::Scopes.from_string(@original_scopes)
+        else
+          client_scopes = @client.try(:scopes)
+          return default_scopes if client_scopes.blank?
+          default_scopes & @client.scopes
+        end
       end
     end
   end

data/lib/doorkeeper/oauth/client/credentials.rb CHANGED Viewed

@@ -1,10 +1,10 @@
 module Doorkeeper
   module OAuth
     class Client
-      class Credentials < Struct.new(:uid, :secret)
+      Credentials = Struct.new(:uid, :secret) do
         class << self
           def from_request(request, *credentials_methods)
-            credentials_methods.inject(nil) do |credentials, method|
+            credentials_methods.inject(nil) do |_, method|
               method = self.method(method) if method.is_a?(Symbol)
               credentials = Credentials.new(*method.call(request))
               break credentials unless credentials.blank?
@@ -18,13 +18,15 @@ module Doorkeeper
           def from_basic(request)
             authorization = request.authorization
             if authorization.present? && authorization =~ /^Basic (.*)/m
-              Base64.decode64($1).split(/:/, 2)
+              Base64.decode64(Regexp.last_match(1)).split(/:/, 2)
             end
           end
         end
+        # Public clients may have their secret blank, but "credentials" are
+        # still present
         def blank?
-          uid.blank? || secret.blank?
+          uid.blank?
         end
       end
     end

data/lib/doorkeeper/oauth/client.rb CHANGED Viewed

@@ -12,7 +12,7 @@ module Doorkeeper
       end
       def self.find(uid, method = Application.method(:by_uid))
-        if application = method.call(uid)
+        if (application = method.call(uid))
           new(application)
         end
       end
@@ -20,7 +20,7 @@ module Doorkeeper
       def self.authenticate(credentials, method = Application.method(:by_uid_and_secret))
         return false if credentials.blank?
-        if application = method.call(credentials.uid, credentials.secret)
+        if (application = method.call(credentials.uid, credentials.secret))
           new(application)
         end
       end

data/lib/doorkeeper/oauth/client_credentials/issuer.rb CHANGED Viewed

@@ -25,7 +25,12 @@ module Doorkeeper
         private
         def create_token(client, scopes, creator)
-          ttl = Authorization::Token.access_token_expires_in(@server, client)
+          ttl = Authorization::Token.access_token_expires_in(
+            @server,
+            client,
+            Doorkeeper::OAuth::CLIENT_CREDENTIALS,
+            scopes
+          )
           creator.call(
             client,