doorkeeper 4.2.6 → 5.0.0.rc1

data/lib/doorkeeper/oauth/client_credentials/validation.rb

@@ -13,7 +13,9 @@ module Doorkeeper
         validate :scopes, error: :invalid_scope
 
         def initialize(server, request)
-          @server, @request, @client = server, request, request.client
+          @server = server
+          @request = request
+          @client = request.client
 
           validate
         end
@@ -25,7 +27,7 @@ module Doorkeeper
         end
 
         def validate_scopes
-          return true unless @request.scopes.present?
+          return true if @request.scopes.blank?
 
           application_scopes = if @client.present?
                                  @client.application.scopes

data/lib/doorkeeper/oauth/error.rb

@@ -1,10 +1,10 @@
 module Doorkeeper
   module OAuth
-    class Error < Struct.new(:name, :state)
+    Error = Struct.new(:name, :state) do
       def description
         I18n.translate(
           name,
-          scope: [:doorkeeper, :errors, :messages],
+          scope: %i[doorkeeper errors messages],
           default: :server_error
         )
       end

data/lib/doorkeeper/oauth/error_response.rb

@@ -4,8 +4,13 @@ module Doorkeeper
       include OAuth::Helpers
 
       def self.from_request(request, attributes = {})
-        state = request.state if request.respond_to?(:state)
-        new(attributes.merge(name: request.error, state: state))
+        new(
+          attributes.merge(
+            name: request.error,
+            state: request.try(:state),
+            redirect_uri: request.try(:redirect_uri)
+          )
+        )
       end
 
       delegate :name, :description, :state, to: :@error
@@ -42,10 +47,12 @@ module Doorkeeper
       end
 
       def headers
-        { 'Cache-Control' => 'no-store',
+        {
+          'Cache-Control' => 'no-store',
           'Pragma' => 'no-cache',
           'Content-Type' => 'application/json; charset=utf-8',
-          'WWW-Authenticate' => authenticate_info }
+          'WWW-Authenticate' => authenticate_info
+        }
       end
 
       protected

data/lib/doorkeeper/oauth/forbidden_token_response.rb

@@ -21,7 +21,7 @@ module Doorkeeper
       end
 
       def description
-        scope = { scope: [:doorkeeper, :scopes] }
+        scope = { scope: %i[doorkeeper scopes] }
         @description ||= @scopes.map { |r| I18n.translate r, scope }.join('\n')
       end
     end

data/lib/doorkeeper/oauth/helpers/scope_checker.rb

@@ -17,10 +17,6 @@ module Doorkeeper
               @valid_scopes.has_scopes?(parsed_scopes)
           end
 
-          def match?
-            valid? && parsed_scopes.has_scopes?(@valid_scopes)
-          end
-
           private
 
           def valid_scopes(server_scopes, application_scopes)
@@ -35,10 +31,6 @@ module Doorkeeper
         def self.valid?(scope_str, server_scopes, application_scopes = nil)
           Validator.new(scope_str, server_scopes, application_scopes).valid?
         end
-
-        def self.match?(scope_str, server_scopes, application_scopes = nil)
-          Validator.new(scope_str, server_scopes, application_scopes).match?
-        end
       end
     end
   end

data/lib/doorkeeper/oauth/helpers/uri_checker.rb

@@ -3,6 +3,7 @@ module Doorkeeper
     module Helpers
       module URIChecker
         def self.valid?(url)
+          return true if native_uri?(url)
           uri = as_uri(url)
           uri.fragment.nil? && !uri.host.nil? && !uri.scheme.nil?
         rescue URI::InvalidURIError
@@ -12,6 +13,13 @@ module Doorkeeper
         def self.matches?(url, client_url)
           url = as_uri(url)
           client_url = as_uri(client_url)
+
+          if client_url.query.present?
+            return false unless query_matches?(url.query, client_url.query)
+            # Clear out queries so rest of URI can be tested. This allows query
+            # params to be in the request but order not mattering.
+            client_url.query = nil
+          end
           url.query = nil
           url == client_url
         end
@@ -24,6 +32,13 @@ module Doorkeeper
           URI.parse(url)
         end
 
+        def self.query_matches?(query, client_query)
+          return true if client_query.nil? && query.nil?
+          return false if client_query.nil? || query.nil?
+          # Will return true independent of query order
+          client_query.split('&').sort == query.split('&').sort
+        end
+
         def self.native_uri?(url)
           url == Doorkeeper.configuration.native_redirect_uri
         end

data/lib/doorkeeper/oauth/invalid_token_response.rb

@@ -4,10 +4,9 @@ module Doorkeeper
       attr_reader :reason
 
       def self.from_access_token(access_token, attributes = {})
-        reason = case
-                 when access_token.try(:revoked?)
+        reason = if access_token.try(:revoked?)
                    :revoked
-                 when access_token.try(:expired?)
+                 elsif access_token.try(:expired?)
                    :expired
                  else
                    :unknown
@@ -22,7 +21,7 @@ module Doorkeeper
       end
 
       def description
-        scope = { scope: [:doorkeeper, :errors, :messages, :invalid_token] }
+        scope = { scope: %i[doorkeeper errors messages invalid_token] }
         @description ||= I18n.translate @reason, scope
       end
     end

data/lib/doorkeeper/oauth/password_access_token_request.rb

@@ -16,25 +16,29 @@ module Doorkeeper
         @client          = client
         @parameters      = parameters
         @original_scopes = parameters[:scope]
+        @grant_type      = Doorkeeper::OAuth::PASSWORD
       end
 
       private
 
       def before_successful_response
         find_or_create_access_token(client, resource_owner.id, scopes, server)
+        super
       end
 
       def validate_scopes
-        return true unless @original_scopes.present?
-        ScopeChecker.valid? @original_scopes, server.scopes, client.try(:scopes)
+        client_scopes = client.try(:scopes)
+        return true if scopes.blank?
+
+        ScopeChecker.valid?(scopes.to_s, server.scopes, client_scopes)
       end
 
       def validate_resource_owner
-        !!resource_owner
+        !resource_owner.nil?
       end
 
       def validate_client
-        !parameters[:client_id] || !!client
+        !parameters[:client_id] || !client.nil?
       end
     end
   end

data/lib/doorkeeper/oauth/pre_authorization.rb

@@ -7,17 +7,21 @@ module Doorkeeper
       validate :client, error: :invalid_client
       validate :scopes, error: :invalid_scope
       validate :redirect_uri, error: :invalid_redirect_uri
+      validate :code_challenge_method, error: :invalid_code_challenge_method
 
-      attr_accessor :server, :client, :response_type, :redirect_uri, :state
+      attr_accessor :server, :client, :response_type, :redirect_uri, :state,
+                    :code_challenge, :code_challenge_method
       attr_writer   :scope
 
       def initialize(server, client, attrs = {})
-        @server        = server
-        @client        = client
-        @response_type = attrs[:response_type]
-        @redirect_uri  = attrs[:redirect_uri]
-        @scope         = attrs[:scope]
-        @state         = attrs[:state]
+        @server                = server
+        @client                = client
+        @response_type         = attrs[:response_type]
+        @redirect_uri          = attrs[:redirect_uri]
+        @scope                 = attrs[:scope]
+        @state                 = attrs[:state]
+        @code_challenge        = attrs[:code_challenge]
+        @code_challenge_method = attrs[:code_challenge_method]
       end
 
       def authorizable?
@@ -29,15 +33,36 @@ module Doorkeeper
       end
 
       def scope
-        @scope.presence || server.default_scopes.to_s
+        @scope.presence || build_scopes
       end
 
       def error_response
         OAuth::ErrorResponse.from_request(self)
       end
 
+      def as_json(_options)
+        {
+          client_id: client.uid,
+          redirect_uri: redirect_uri,
+          state: state,
+          response_type: response_type,
+          scope: scope,
+          client_name: client.name,
+          status: I18n.t('doorkeeper.pre_authorization.status')
+        }
+      end
+
       private
 
+      def build_scopes
+        client_scopes = client.application.scopes
+        if client_scopes.blank?
+          server.default_scopes.to_s
+        else
+          (server.default_scopes & client_scopes).to_s
+        end
+      end
+
       def validate_response_type
         server.authorization_response_types.include? response_type
       end
@@ -47,7 +72,8 @@ module Doorkeeper
       end
 
       def validate_scopes
-        return true unless scope.present?
+        return true if scope.blank?
+
         Helpers::ScopeChecker.valid?(
           scope,
           server.scopes,
@@ -55,11 +81,17 @@ module Doorkeeper
         )
       end
 
-      # TODO: test uri should be matched against the client's one
       def validate_redirect_uri
-        return false unless redirect_uri.present?
-        Helpers::URIChecker.native_uri?(redirect_uri) ||
-          Helpers::URIChecker.valid_for_authorization?(redirect_uri, client.redirect_uri)
+        return false if redirect_uri.blank?
+
+        Helpers::URIChecker.valid_for_authorization?(
+          redirect_uri,
+          client.redirect_uri
+        )
+      end
+
+      def validate_code_challenge_method
+        !code_challenge.present? || (code_challenge_method.present? && code_challenge_method =~ /^plain$|^S256$/)
       end
     end
   end

data/lib/doorkeeper/oauth/refresh_token_request.rb

@@ -35,6 +35,7 @@ module Doorkeeper
           refresh_token.revoke unless refresh_token_revoked_on_use?
           create_access_token
         end
+        super
       end
 
       def refresh_token_revoked_on_use?
@@ -64,7 +65,12 @@ module Doorkeeper
       end
 
       def access_token_expires_in
-        Authorization::Token.access_token_expires_in(server, client)
+        Authorization::Token.access_token_expires_in(
+          server,
+          client,
+          Doorkeeper::OAuth::REFRESH_TOKEN,
+          scopes
+        )
       end
 
       def validate_token_presence

data/lib/doorkeeper/oauth/scopes.rb

@@ -41,24 +41,34 @@ module Doorkeeper
       end
 
       def has_scopes?(scopes)
-        scopes.all? { |s| exists?(s) }
+        scopes.all? { |scope| exists?(scope) }
       end
 
       def +(other)
-        if other.is_a? Scopes
-          self.class.from_array(all + other.all)
-        else
-          super(other)
-        end
+        self.class.from_array(all + to_array(other))
       end
 
       def <=>(other)
-        map(&:to_s).sort <=> other.map(&:to_s).sort
+        if other.respond_to?(:map)
+          map(&:to_s).sort <=> other.map(&:to_s).sort
+        else
+          super
+        end
       end
 
       def &(other)
-        other_array = other.present? ? other.all : []
-        self.class.from_array(all & other_array)
+        self.class.from_array(all & to_array(other))
+      end
+
+      private
+
+      def to_array(other)
+        case other
+        when Scopes
+          other.all
+        else
+          other.to_a
+        end
       end
     end
   end

data/lib/doorkeeper/oauth/token.rb

@@ -3,7 +3,7 @@ module Doorkeeper
     class Token
       class << self
         def from_request(request, *methods)
-          methods.inject(nil) do |credentials, method|
+          methods.inject(nil) do |_, method|
             method = self.method(method) if method.is_a?(Symbol)
             credentials = method.call(request)
             break credentials unless credentials.blank?
@@ -11,9 +11,12 @@ module Doorkeeper
         end
 
         def authenticate(request, *methods)
-          if token = from_request(request, *methods)
+          if (token = from_request(request, *methods))
             access_token = AccessToken.by_token(token)
-            access_token.revoke_previous_refresh_token! if access_token
+            refresh_token_enabled = Doorkeeper.configuration.refresh_token_enabled?
+            if access_token.present? && refresh_token_enabled
+              access_token.revoke_previous_refresh_token!
+            end
             access_token
           end
         end

data/lib/doorkeeper/oauth/token_introspection.rb

@@ -0,0 +1,128 @@
+module Doorkeeper
+  module OAuth
+    # RFC7662 OAuth 2.0 Token Introspection
+    #
+    # @see https://tools.ietf.org/html/rfc7662
+    class TokenIntrospection
+      attr_reader :server, :token
+      attr_reader :error
+
+      def initialize(server, token)
+        @server = server
+        @token = token
+
+        authorize!
+      end
+
+      def authorized?
+        @error.blank?
+      end
+
+      def to_json
+        active? ? success_response : failure_response
+      end
+
+      private
+
+      # If the protected resource uses OAuth 2.0 client credentials to
+      # authenticate to the introspection endpoint and its credentials are
+      # invalid, the authorization server responds with an HTTP 401
+      # (Unauthorized) as described in Section 5.2 of OAuth 2.0 [RFC6749].
+      #
+      # Endpoint must first validate the authentication.
+      # If the authentication is invalid, the endpoint should respond with
+      # an HTTP 401 status code and an invalid_client response.
+      #
+      # @see https://www.oauth.com/oauth2-servers/token-introspection-endpoint/
+      #
+      def authorize!
+        # Requested client authorization
+        if server.credentials
+          @error = :invalid_client unless authorized_client
+        else
+          # Requested bearer token authorization
+          @error = :invalid_request unless authorized_token
+        end
+      end
+
+      # Client Authentication
+      def authorized_client
+        @authorized_client ||= server.credentials && server.client
+      end
+
+      # Bearer Token Authentication
+      def authorized_token
+        @authorized_token ||=
+          OAuth::Token.authenticate(server.context.request, :from_bearer_authorization)
+      end
+
+      # 2.2. Introspection Response
+      def success_response
+        {
+          active: true,
+          scope: @token.scopes_string,
+          client_id: @token.try(:application).try(:uid),
+          token_type: @token.token_type,
+          exp: @token.expires_at.to_i,
+          iat: @token.created_at.to_i
+        }
+      end
+
+      # If the introspection call is properly authorized but the token is not
+      # active, does not exist on this server, or the protected resource is
+      # not allowed to introspect this particular token, then the
+      # authorization server MUST return an introspection response with the
+      # "active" field set to "false".  Note that to avoid disclosing too
+      # much of the authorization server's state to a third party, the
+      # authorization server SHOULD NOT include any additional information
+      # about an inactive token, including why the token is inactive.
+      #
+      # @see https://tools.ietf.org/html/rfc7662 2.2. Introspection Response
+      #
+      def failure_response
+        {
+          active: false
+        }
+      end
+
+      # Boolean indicator of whether or not the presented token
+      # is currently active.  The specifics of a token's "active" state
+      # will vary depending on the implementation of the authorization
+      # server and the information it keeps about its tokens, but a "true"
+      # value return for the "active" property will generally indicate
+      # that a given token has been issued by this authorization server,
+      # has not been revoked by the resource owner, and is within its
+      # given time window of validity (e.g., after its issuance time and
+      # before its expiration time).
+      #
+      # Any other error is considered an "inactive" token.
+      #
+      # * The token requested does not exist or is invalid
+      # * The token expired
+      # * The token was issued to a different client than is making this request
+      #
+      def active?
+        if authorized_client
+          valid_token? && authorized_for_client?
+        else
+          valid_token?
+        end
+      end
+
+      # Token can be valid only if it is not expired or revoked.
+      def valid_token?
+        @token.present? && @token.accessible?
+      end
+
+      # If token doesn't belong to some client, then it is public.
+      # Otherwise in it required for token to be connected to the same client.
+      def authorized_for_client?
+        if @token.application.present?
+          @token.application == authorized_client.application
+        else
+          true
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/oauth/token_response.rb

@@ -23,9 +23,11 @@ module Doorkeeper
       end
 
       def headers
-        { 'Cache-Control' => 'no-store',
+        {
+          'Cache-Control' => 'no-store',
           'Pragma' => 'no-cache',
-          'Content-Type' => 'application/json; charset=utf-8' }
+          'Content-Type' => 'application/json; charset=utf-8'
+        }
       end
     end
   end

data/lib/doorkeeper/oauth.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module OAuth
+    GRANT_TYPES = [
+      AUTHORIZATION_CODE = 'authorization_code'.freeze,
+      IMPLICIT = 'implicit'.freeze,
+      PASSWORD = 'password'.freeze,
+      CLIENT_CREDENTIALS = 'client_credentials'.freeze,
+      REFRESH_TOKEN = 'refresh_token'.freeze
+    ].freeze
+  end
+end

data/lib/doorkeeper/orm/active_record/access_grant.rb

@@ -3,5 +3,32 @@ module Doorkeeper
     self.table_name = "#{table_name_prefix}oauth_access_grants#{table_name_suffix}".to_sym
 
     include AccessGrantMixin
+    include ActiveModel::MassAssignmentSecurity if defined?(::ProtectedAttributes)
+
+    belongs_to_options = {
+      class_name: 'Doorkeeper::Application',
+      inverse_of: :access_grants
+    }
+
+    if defined?(ActiveRecord::Base) && ActiveRecord::VERSION::MAJOR >= 5
+      belongs_to_options[:optional] = true
+    end
+
+    belongs_to :application, belongs_to_options
+
+    validates :resource_owner_id, :application_id, :token, :expires_in, :redirect_uri, presence: true
+    validates :token, uniqueness: true
+
+    before_validation :generate_token, on: :create
+
+    private
+
+    # Generates token value with UniqueToken class.
+    #
+    # @return [String] token value
+    #
+    def generate_token
+      self.token = UniqueToken.generate
+    end
   end
 end

data/lib/doorkeeper/orm/active_record/access_token.rb

@@ -3,18 +3,29 @@ module Doorkeeper
     self.table_name = "#{table_name_prefix}oauth_access_tokens#{table_name_suffix}".to_sym
 
     include AccessTokenMixin
+    include ActiveModel::MassAssignmentSecurity if defined?(::ProtectedAttributes)
 
-    # Deletes all the Access Tokens created for the specific
-    # Application and Resource Owner.
-    #
-    # @param application_id [Integer] Application ID
-    # @param resource_owner [ActiveRecord::Base] Resource Owner model instance
-    #
-    def self.delete_all_for(application_id, resource_owner)
-      where(application_id: application_id,
-            resource_owner_id: resource_owner.id).delete_all
+    belongs_to_options = {
+      class_name: 'Doorkeeper::Application',
+      inverse_of: :access_tokens
+    }
+
+    if defined?(ActiveRecord::Base) && ActiveRecord::VERSION::MAJOR >= 5
+      belongs_to_options[:optional] = true
     end
-    private_class_method :delete_all_for
+
+    belongs_to :application, belongs_to_options
+
+    validates :token, presence: true, uniqueness: true
+    validates :refresh_token, uniqueness: true, if: :use_refresh_token?
+
+    # @attr_writer [Boolean, nil] use_refresh_token
+    #   indicates the possibility of using refresh token
+    attr_writer :use_refresh_token
+
+    before_validation :generate_token, on: :create
+    before_validation :generate_refresh_token,
+                      on: :create, if: :use_refresh_token?
 
     # Searches for not revoked Access Tokens associated with the
     # specific Resource Owner.
@@ -29,18 +40,8 @@ module Doorkeeper
       where(resource_owner_id: resource_owner.id, revoked_at: nil)
     end
 
-    # ORM-specific order method.
-    def self.order_method
-      :order
-    end
-
     def self.refresh_token_revoked_on_use?
       column_names.include?('previous_refresh_token')
     end
-
-    # ORM-specific DESC order for `:created_at` column.
-    def self.created_at_desc
-      'created_at desc'
-    end
   end
 end

data/lib/doorkeeper/orm/active_record/application.rb

@@ -3,6 +3,19 @@ module Doorkeeper
     self.table_name = "#{table_name_prefix}oauth_applications#{table_name_suffix}".to_sym
 
     include ApplicationMixin
+    include ActiveModel::MassAssignmentSecurity if defined?(::ProtectedAttributes)
+
+    has_many :access_grants, dependent: :delete_all, class_name: 'Doorkeeper::AccessGrant'
+    has_many :access_tokens, dependent: :delete_all, class_name: 'Doorkeeper::AccessToken'
+
+    validates :name, :secret, :uid, presence: true
+    validates :uid, uniqueness: true
+    validates :redirect_uri, redirect_uri: true
+    validates :confidential, inclusion: { in: [true, false] }
+
+    validate :scopes_match_configured, if: :enforce_scopes?
+
+    before_validation :generate_uid, :generate_secret, on: :create
 
     has_many :authorized_tokens, -> { where(revoked_at: nil) }, class_name: 'AccessToken'
     has_many :authorized_applications, through: :authorized_tokens, source: :application
@@ -20,5 +33,26 @@ module Doorkeeper
       resource_access_tokens = AccessToken.active_for(resource_owner)
       where(id: resource_access_tokens.select(:application_id).distinct)
     end
+
+    private
+
+    def generate_uid
+      self.uid = UniqueToken.generate if uid.blank?
+    end
+
+    def generate_secret
+      self.secret = UniqueToken.generate if secret.blank?
+    end
+
+    def scopes_match_configured
+      if scopes.present? &&
+         !ScopeChecker.valid?(scopes.to_s, Doorkeeper.configuration.scopes)
+        errors.add(:scopes, :not_match_configured)
+      end
+    end
+
+    def enforce_scopes?
+      Doorkeeper.configuration.enforce_configured_scopes?
+    end
   end
 end