doorkeeper 4.2.6 → 5.0.0.rc1

data/lib/generators/doorkeeper/previous_refresh_token_generator.rb

@@ -1,29 +1,40 @@
+# frozen_string_literal: true
+
+require 'rails/generators'
 require 'rails/generators/active_record'
 
-class Doorkeeper::PreviousRefreshTokenGenerator < Rails::Generators::Base
-  include Rails::Generators::Migration
-  source_root File.expand_path('../templates', __FILE__)
-  desc 'Support revoke refresh token on access token use'
+module Doorkeeper
+  class PreviousRefreshTokenGenerator < ::Rails::Generators::Base
+    include ::Rails::Generators::Migration
+    source_root File.expand_path('templates', __dir__)
+    desc 'Support revoke refresh token on access token use'
 
-  def self.next_migration_number(path)
-    ActiveRecord::Generators::Base.next_migration_number(path)
-  end
+    def self.next_migration_number(path)
+      ActiveRecord::Generators::Base.next_migration_number(path)
+    end
 
-  def previous_refresh_token
-    if no_previous_refresh_token_column?
-      migration_template(
-        'add_previous_refresh_token_to_access_tokens.rb',
-        'db/migrate/add_previous_refresh_token_to_access_tokens.rb'
-      )
+    def previous_refresh_token
+      if no_previous_refresh_token_column?
+        migration_template(
+          'add_previous_refresh_token_to_access_tokens.rb.erb',
+          'db/migrate/add_previous_refresh_token_to_access_tokens.rb'
+        )
+      end
     end
-  end
 
-  private
+    private
 
-  def no_previous_refresh_token_column?
-    !ActiveRecord::Base.connection.column_exists?(
-      :oauth_access_tokens,
-      :previous_refresh_token
-    )
+    def migration_version
+      if ActiveRecord::VERSION::MAJOR >= 5
+        "[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
+      end
+    end
+
+    def no_previous_refresh_token_column?
+      !ActiveRecord::Base.connection.column_exists?(
+        :oauth_access_tokens,
+        :previous_refresh_token
+      )
+    end
   end
 end

data/lib/generators/doorkeeper/templates/add_confidential_to_applications.rb.erb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+class AddConfidentialToApplications < ActiveRecord::Migration<%= migration_version %>
+  def change
+    add_column(
+      :oauth_applications,
+      :confidential,
+      :boolean,
+      null: false,
+      default: true
+    )
+  end
+end

data/lib/generators/doorkeeper/templates/{add_owner_to_application_migration.rb → add_owner_to_application_migration.rb.erb}

@@ -1,4 +1,4 @@
-class AddOwnerToApplication < ActiveRecord::Migration
+class AddOwnerToApplication < ActiveRecord::Migration<%= migration_version %>
   def change
     add_column :oauth_applications, :owner_id, :integer, null: true
     add_column :oauth_applications, :owner_type, :string, null: true

data/lib/generators/doorkeeper/templates/{add_previous_refresh_token_to_access_tokens.rb → add_previous_refresh_token_to_access_tokens.rb.erb}

@@ -1,4 +1,4 @@
-class AddPreviousRefreshTokenToAccessTokens < ActiveRecord::Migration
+class AddPreviousRefreshTokenToAccessTokens < ActiveRecord::Migration<%= migration_version %>
   def change
     add_column(
       :oauth_access_tokens,

data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb

@@ -0,0 +1,6 @@
+class EnablePkce < ActiveRecord::Migration<%= migration_version %>
+  def change
+    add_column :oauth_access_grants, :code_challenge, :string, null: true
+    add_column :oauth_access_grants, :code_challenge_method, :string, null: true
+  end
+end

data/lib/generators/doorkeeper/templates/initializer.rb

@@ -4,69 +4,106 @@ Doorkeeper.configure do
 
   # This block will be called to check whether the resource owner is authenticated or not.
   resource_owner_authenticator do
-    fail "Please configure doorkeeper resource_owner_authenticator block located in #{__FILE__}"
+    raise "Please configure doorkeeper resource_owner_authenticator block located in #{__FILE__}"
     # Put your resource owner authentication logic here.
     # Example implementation:
     #   User.find_by_id(session[:user_id]) || redirect_to(new_user_session_url)
   end
 
-  # If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below.
+  # If you want to restrict access to the web interface for adding oauth authorized applications,
+  # you need to declare the block below.
+  #
   # admin_authenticator do
   #   # Put your admin authentication logic here.
   #   # Example implementation:
   #   Admin.find_by_id(session[:admin_id]) || redirect_to(new_admin_session_url)
   # end
 
+  # If you are planning to use Doorkeeper in Rails 5 API-only application, then you might
+  # want to use API mode that will skip all the views management and change the way how
+  # Doorkeeper responds to a requests.
+  #
+  # api_only
+
+  # Enforce token request content type to application/x-www-form-urlencoded.
+  # It is not enabled by default to not break prior versions of the gem.
+  #
+  # enforce_content_type
+
   # Authorization Code expiration time (default 10 minutes).
+  #
   # authorization_code_expires_in 10.minutes
 
   # Access token expiration time (default 2 hours).
   # If you want to disable expiration, set this to nil.
+  #
   # access_token_expires_in 2.hours
 
-  # Assign a custom TTL for implicit grants.
-  # custom_access_token_expires_in do |oauth_client|
-  #   oauth_client.application.additional_settings.implicit_oauth_expiration
+  # Assign custom TTL for access tokens. Will be used instead of access_token_expires_in
+  # option if defined. `context` has the following properties available
+  #
+  # `client` - the OAuth client application (see Doorkeeper::OAuth::Client)
+  # `grant_type` - the grant type of the request (see Doorkeeper::OAuth)
+  # `scopes` - the requested scopes (see Doorkeeper::OAuth::Scopes)
+  #
+  # custom_access_token_expires_in do |context|
+  #   context.client.application.additional_settings.implicit_oauth_expiration
   # end
 
   # Use a custom class for generating the access token.
-  # https://github.com/doorkeeper-gem/doorkeeper#custom-access-token-generator
+  # See https://github.com/doorkeeper-gem/doorkeeper#custom-access-token-generator
+  #
   # access_token_generator '::Doorkeeper::JWT'
 
   # The controller Doorkeeper::ApplicationController inherits from.
   # Defaults to ActionController::Base.
-  # https://github.com/doorkeeper-gem/doorkeeper#custom-base-controller
+  # See https://github.com/doorkeeper-gem/doorkeeper#custom-base-controller
+  #
   # base_controller 'ApplicationController'
 
   # Reuse access token for the same resource owner within an application (disabled by default)
   # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/383
+  #
   # reuse_access_token
 
   # Issue access tokens with refresh token (disabled by default)
+  #
   # use_refresh_token
 
+  # Forbids creating/updating applications with arbitrary scopes that are
+  # not in configuration, i.e. `default_scopes` or `optional_scopes`.
+  # (disabled by default)
+  #
+  # enforce_configured_scopes
+
   # Provide support for an owner to be assigned to each registered application (disabled by default)
   # Optional parameter confirmation: true (default false) if you want to enforce ownership of
   # a registered application
   # Note: you must also run the rails g doorkeeper:application_owner generator to provide the necessary support
+  #
   # enable_application_owner confirmation: false
 
   # Define access token scopes for your provider
   # For more information go to
   # https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes
+  #
   # default_scopes  :public
   # optional_scopes :write, :update
 
   # Change the way client credentials are retrieved from the request object.
   # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
   # falls back to the `:client_id` and `:client_secret` params from the `params` object.
-  # Check out the wiki for more information on customization
+  # Check out https://github.com/doorkeeper-gem/doorkeeper/wiki/Changing-how-clients-are-authenticated
+  # for more information on customization
+  #
   # client_credentials :from_basic, :from_params
 
   # Change the way access token is authenticated from the request object.
   # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
   # falls back to the `:access_token` or `:bearer_token` params from the `params` object.
-  # Check out the wiki for more information on customization
+  # Check out https://github.com/doorkeeper-gem/doorkeeper/wiki/Changing-how-clients-are-authenticated
+  # for more information on customization
+  #
   # access_token_methods :from_bearer_authorization, :from_access_token_param, :from_bearer_param
 
   # Change the native redirect uri for client apps
@@ -80,7 +117,21 @@ Doorkeeper.configure do
   # by default in non-development environments). OAuth2 delegates security in
   # communication to the HTTPS protocol so it is wise to keep this enabled.
   #
+  # Callable objects such as proc, lambda, block or any object that responds to
+  # #call can be used in order to allow conditional checks (to allow non-SSL
+  # redirects to localhost for example).
+  #
   # force_ssl_in_redirect_uri !Rails.env.development?
+  #
+  # force_ssl_in_redirect_uri { |uri| uri.host != 'localhost' }
+
+  # Specify what redirect URI's you want to block during Application creation.
+  # Any redirect URI is whitelisted by default.
+  #
+  # You can use this option in order to forbid URI's with 'javascript' scheme
+  # for example.
+  #
+  # forbid_redirect_uri { |uri| uri.scheme.to_s.downcase == 'javascript' }
 
   # Specify what grant flows are enabled in array of Strings. The valid
   # strings and the flows they enable are:
@@ -98,15 +149,42 @@ Doorkeeper.configure do
   #   http://tools.ietf.org/html/rfc6819#section-4.4.2
   #   http://tools.ietf.org/html/rfc6819#section-4.4.3
   #
-  # grant_flows %w(authorization_code client_credentials)
+  # grant_flows %w[authorization_code client_credentials]
+
+  # Hook into the strategies' request & response life-cycle in case your
+  # application needs advanced customization or logging:
+  #
+  # before_successful_strategy_response do |request|
+  #   puts "BEFORE HOOK FIRED! #{request}"
+  # end
+  #
+  # after_successful_strategy_response do |request, response|
+  #   puts "AFTER HOOK FIRED! #{request}, #{response}"
+  # end
+
+  # Hook into Authorization flow in order to implement Single Sign Out
+  # or add ny other functionality.
+  #
+  # before_successful_authorization do |controller|
+  #   Rails.logger.info(params.inspect)
+  # end
+  #
+  # after_successful_authorization do |controller|
+  #   controller.session[:logout_urls] <<
+  #     Doorkeeper::Application
+  #       .find_by(controller.request.params.slice(:redirect_uri))
+  #       .logout_uri
+  # end
 
   # Under some circumstances you might want to have applications auto-approved,
   # so that the user skips the authorization step.
   # For example if dealing with a trusted application.
+  #
   # skip_authorization do |resource_owner, client|
   #   client.superapp? or resource_owner.admin?
   # end
 
   # WWW-Authenticate Realm (default "Doorkeeper").
+  #
   # realm "Doorkeeper"
 end

data/lib/generators/doorkeeper/templates/{migration.rb → migration.rb.erb}

@@ -1,4 +1,4 @@
-class CreateDoorkeeperTables < ActiveRecord::Migration
+class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
   def change
     create_table :oauth_applications do |t|
       t.string  :name,         null: false
@@ -6,6 +6,7 @@ class CreateDoorkeeperTables < ActiveRecord::Migration
       t.string  :secret,       null: false
       t.text    :redirect_uri, null: false
       t.string  :scopes,       null: false, default: ''
+      t.boolean :confidential, null: false, default: true
       t.timestamps             null: false
     end
 

data/lib/generators/doorkeeper/views_generator.rb

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module Generators
     class ViewsGenerator < ::Rails::Generators::Base
-      source_root File.expand_path('../../../../app/views', __FILE__)
+      source_root File.expand_path('../../../app/views', __dir__)
 
       desc 'Copies default Doorkeeper views and layouts to your application.'
 

data/spec/controllers/application_metal_controller_spec.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require 'spec_helper_integration'
+
+describe Doorkeeper::ApplicationMetalController do
+  controller(Doorkeeper::ApplicationMetalController) do
+    def index
+      render json: {}, status: 200
+    end
+  end
+
+  it "lazy run hooks" do
+    i = 0
+    ActiveSupport.on_load(:doorkeeper_metal_controller) { i += 1 }
+
+    expect(i).to eq 1
+  end
+
+  describe 'enforce_content_type' do
+    before { allow(Doorkeeper.configuration).to receive(:enforce_content_type).and_return(flag) }
+
+    context 'enabled' do
+      let(:flag) { true }
+
+      it '200 for the correct media type' do
+        get :index, params: {}, as: :url_encoded_form
+        expect(response).to have_http_status 200
+      end
+
+      it 'returns a 415 for an incorrect media type' do
+        get :index, as: :json
+        expect(response).to have_http_status 415
+      end
+    end
+
+    context 'disabled' do
+      let(:flag) { false }
+
+      it 'returns a 200 for the correct media type' do
+        get :index, as: :url_encoded_form
+        expect(response).to have_http_status 200
+      end
+
+      it 'returns a 200 for an incorrect media type' do
+        get :index, as: :json
+        expect(response).to have_http_status 200
+      end
+    end
+  end
+end

data/spec/controllers/applications_controller_spec.rb

@@ -1,7 +1,99 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 
 module Doorkeeper
   describe ApplicationsController do
+    context 'JSON API' do
+      render_views
+
+      before do
+        allow(Doorkeeper.configuration).to receive(:api_only).and_return(true)
+        allow(Doorkeeper.configuration).to receive(:authenticate_admin).and_return(->(*) { true })
+      end
+
+      it 'creates an application' do
+        expect do
+          post :create, params: {
+             doorkeeper_application: {
+               name: 'Example',
+               redirect_uri: 'https://example.com'
+             }, format: :json
+           }
+        end.to change { Doorkeeper::Application.count }
+
+        expect(response).to be_successful
+
+        expect(json_response).to include('id', 'name', 'uid', 'secret', 'redirect_uri', 'scopes')
+
+        expect(json_response['name']).to eq('Example')
+        expect(json_response['redirect_uri']).to eq('https://example.com')
+      end
+
+      it 'returns validation errors on wrong create params' do
+        expect do
+          post :create, params: {
+             doorkeeper_application: {
+               name: 'Example'
+             }, format: :json
+           }
+        end.not_to change { Doorkeeper::Application.count }
+
+        expect(response).to have_http_status(422)
+
+        expect(json_response).to include('errors')
+      end
+
+      it 'returns application info' do
+        application = FactoryBot.create(:application, name: 'Change me')
+
+        get :show, params: { id: application.id, format: :json }
+
+        expect(response).to be_successful
+
+        expect(json_response).to include('id', 'name', 'uid', 'secret', 'redirect_uri', 'scopes')
+      end
+
+      it 'updates application' do
+        application = FactoryBot.create(:application, name: 'Change me')
+
+        put :update, params: {
+          id: application.id,
+          doorkeeper_application: {
+            name: 'Example App',
+            redirect_uri: 'https://example.com'
+          }, format: :json
+        }
+
+        expect(application.reload.name).to eq 'Example App'
+
+        expect(json_response).to include('id', 'name', 'uid', 'secret', 'redirect_uri', 'scopes')
+      end
+
+      it 'returns validation errors on wrong update params' do
+        application = FactoryBot.create(:application, name: 'Change me')
+
+        put :update, params: {
+          id: application.id,
+          doorkeeper_application: {
+            name: 'Example App',
+            redirect_uri: 'localhost:3000'
+          }, format: :json
+        }
+
+        expect(response).to have_http_status(422)
+
+        expect(json_response).to include('errors')
+      end
+
+      it 'destroys an application' do
+        application = FactoryBot.create(:application)
+
+        delete :destroy, params: { id: application.id, format: :json }
+
+        expect(response).to have_http_status(204)
+        expect(Application.count).to be_zero
+      end
+    end
+
     context 'when admin is not authenticated' do
       before do
         allow(Doorkeeper.configuration).to receive(:authenticate_admin).and_return(proc do
@@ -16,41 +108,73 @@ module Doorkeeper
 
       it 'does not create application' do
         expect do
-          post :create, doorkeeper_application: {
-            name: 'Example',
-            redirect_uri: 'https://example.com' }
-        end.to_not change { Doorkeeper::Application.count }
+          post :create,
+               params: {
+                 doorkeeper_application: {
+                   name: 'Example',
+                   redirect_uri: 'https://example.com'
+                 }
+               }
+        end.not_to change { Doorkeeper::Application.count }
       end
     end
 
     context 'when admin is authenticated' do
+      render_views
+
       before do
-        allow(Doorkeeper.configuration).to receive(:authenticate_admin).and_return(->(arg) { true })
+        allow(Doorkeeper.configuration).to receive(:authenticate_admin).and_return(->(*) { true })
+      end
+
+      it 'sorts applications by created_at' do
+        first_application = FactoryBot.create(:application)
+        second_application = FactoryBot.create(:application)
+        expect(Doorkeeper::Application).to receive(:ordered_by).and_call_original
+
+        get :index
+
+        expect(response.body).to have_selector("tbody tr:first-child#application_#{first_application.id}")
+        expect(response.body).to have_selector("tbody tr:last-child#application_#{second_application.id}")
       end
 
       it 'creates application' do
         expect do
-          post :create, doorkeeper_application: {
-            name: 'Example',
-            redirect_uri: 'https://example.com' }
+          post :create,
+               params: {
+                 doorkeeper_application: {
+                   name: 'Example',
+                   redirect_uri: 'https://example.com'
+                 }
+               }
         end.to change { Doorkeeper::Application.count }.by(1)
+
         expect(response).to be_redirect
       end
 
       it 'does not allow mass assignment of uid or secret' do
-        application = FactoryGirl.create(:application)
-        put :update, id: application.id, doorkeeper_application: {
-          uid: '1A2B3C4D',
-          secret: '1A2B3C4D' }
+        application = FactoryBot.create(:application)
+        put :update,
+            params: {
+              id: application.id,
+              doorkeeper_application: {
+                uid: '1A2B3C4D',
+                secret: '1A2B3C4D'
+              }
+            }
 
         expect(application.reload.uid).not_to eq '1A2B3C4D'
       end
 
       it 'updates application' do
-        application = FactoryGirl.create(:application)
-        put :update, id: application.id, doorkeeper_application: {
-          name: 'Example',
-          redirect_uri: 'https://example.com' }
+        application = FactoryBot.create(:application)
+        put :update,
+            params: {
+              id: application.id, doorkeeper_application: {
+                name: 'Example',
+                redirect_uri: 'https://example.com'
+              }
+            }
+
         expect(application.reload.name).to eq 'Example'
       end
     end