doorkeeper 4.2.6 → 5.5.4

data/spec/models/doorkeeper/application_spec.rb

@@ -1,179 +0,0 @@
-require 'spec_helper_integration'
-
-module Doorkeeper
-  describe Application do
-    let(:require_owner) { Doorkeeper.configuration.instance_variable_set('@confirm_application_owner', true) }
-    let(:unset_require_owner) { Doorkeeper.configuration.instance_variable_set('@confirm_application_owner', false) }
-    let(:new_application) { FactoryGirl.build(:application) }
-
-    let(:uid) { SecureRandom.hex(8) }
-    let(:secret) { SecureRandom.hex(8) }
-
-    context 'application_owner is enabled' do
-      before do
-        Doorkeeper.configure do
-          orm DOORKEEPER_ORM
-          enable_application_owner
-        end
-      end
-
-      context 'application owner is not required' do
-        before(:each) do
-          unset_require_owner
-        end
-
-        it 'is valid given valid attributes' do
-          expect(new_application).to be_valid
-        end
-      end
-
-      context 'application owner is required' do
-        before(:each) do
-          require_owner
-          @owner = FactoryGirl.build_stubbed(:doorkeeper_testing_user)
-        end
-
-        it 'is invalid without an owner' do
-          expect(new_application).not_to be_valid
-        end
-
-        it 'is valid with an owner' do
-          new_application.owner = @owner
-          expect(new_application).to be_valid
-        end
-      end
-    end
-
-    it 'is invalid without a name' do
-      new_application.name = nil
-      expect(new_application).not_to be_valid
-    end
-
-    it 'generates uid on create' do
-      expect(new_application.uid).to be_nil
-      new_application.save
-      expect(new_application.uid).not_to be_nil
-    end
-
-    it 'generates uid on create if an empty string' do
-      new_application.uid = ''
-      new_application.save
-      expect(new_application.uid).not_to be_blank
-    end
-
-    it 'generates uid on create unless one is set' do
-      new_application.uid = uid
-      new_application.save
-      expect(new_application.uid).to eq(uid)
-    end
-
-    it 'is invalid without uid' do
-      new_application.save
-      new_application.uid = nil
-      expect(new_application).not_to be_valid
-    end
-
-    it 'is invalid without redirect_uri' do
-      new_application.save
-      new_application.redirect_uri = nil
-      expect(new_application).not_to be_valid
-    end
-
-    it 'checks uniqueness of uid' do
-      app1 = FactoryGirl.create(:application)
-      app2 = FactoryGirl.create(:application)
-      app2.uid = app1.uid
-      expect(app2).not_to be_valid
-    end
-
-    it 'expects database to throw an error when uids are the same' do
-      app1 = FactoryGirl.create(:application)
-      app2 = FactoryGirl.create(:application)
-      app2.uid = app1.uid
-      expect { app2.save!(validate: false) }.to raise_error(uniqueness_error)
-    end
-
-    it 'generate secret on create' do
-      expect(new_application.secret).to be_nil
-      new_application.save
-      expect(new_application.secret).not_to be_nil
-    end
-
-    it 'generate secret on create if is blank string' do
-      new_application.secret = ''
-      new_application.save
-      expect(new_application.secret).not_to be_blank
-    end
-
-    it 'generate secret on create unless one is set' do
-      new_application.secret = secret
-      new_application.save
-      expect(new_application.secret).to eq(secret)
-    end
-
-    it 'is invalid without secret' do
-      new_application.save
-      new_application.secret = nil
-      expect(new_application).not_to be_valid
-    end
-
-    describe 'destroy related models on cascade' do
-      before(:each) do
-        new_application.save
-      end
-
-      it 'should destroy its access grants' do
-        FactoryGirl.create(:access_grant, application: new_application)
-        expect { new_application.destroy }.to change { Doorkeeper::AccessGrant.count }.by(-1)
-      end
-
-      it 'should destroy its access tokens' do
-        FactoryGirl.create(:access_token, application: new_application)
-        FactoryGirl.create(:access_token, application: new_application, revoked_at: Time.now.utc)
-        expect do
-          new_application.destroy
-        end.to change { Doorkeeper::AccessToken.count }.by(-2)
-      end
-    end
-
-    describe :authorized_for do
-      let(:resource_owner) { double(:resource_owner, id: 10) }
-
-      it 'is empty if the application is not authorized for anyone' do
-        expect(Application.authorized_for(resource_owner)).to be_empty
-      end
-
-      it 'returns only application for a specific resource owner' do
-        FactoryGirl.create(:access_token, resource_owner_id: resource_owner.id + 1)
-        token = FactoryGirl.create(:access_token, resource_owner_id: resource_owner.id)
-        expect(Application.authorized_for(resource_owner)).to eq([token.application])
-      end
-
-      it 'excludes revoked tokens' do
-        FactoryGirl.create(:access_token, resource_owner_id: resource_owner.id, revoked_at: 2.days.ago)
-        expect(Application.authorized_for(resource_owner)).to be_empty
-      end
-
-      it 'returns all applications that have been authorized' do
-        token1 = FactoryGirl.create(:access_token, resource_owner_id: resource_owner.id)
-        token2 = FactoryGirl.create(:access_token, resource_owner_id: resource_owner.id)
-        expect(Application.authorized_for(resource_owner)).to eq([token1.application, token2.application])
-      end
-
-      it 'returns only one application even if it has been authorized twice' do
-        application = FactoryGirl.create(:application)
-        FactoryGirl.create(:access_token, resource_owner_id: resource_owner.id, application: application)
-        FactoryGirl.create(:access_token, resource_owner_id: resource_owner.id, application: application)
-        expect(Application.authorized_for(resource_owner)).to eq([application])
-      end
-    end
-
-    describe :authenticate do
-      it 'finds the application via uid/secret' do
-        app = FactoryGirl.create :application
-        authenticated = Application.by_uid_and_secret(app.uid, app.secret)
-        expect(authenticated).to eq(app)
-      end
-    end
-  end
-end

data/spec/requests/applications/applications_request_spec.rb

@@ -1,94 +0,0 @@
-require 'spec_helper_integration'
-
-feature 'Adding applications' do
-  context 'in application form' do
-    background do
-      visit '/oauth/applications/new'
-    end
-
-    scenario 'adding a valid app' do
-      fill_in 'doorkeeper_application[name]', with: 'My Application'
-      fill_in 'doorkeeper_application[redirect_uri]',
-              with: 'https://example.com'
-
-      click_button 'Submit'
-      i_should_see 'Application created'
-      i_should_see 'My Application'
-    end
-
-    scenario 'adding invalid app' do
-      click_button 'Submit'
-      i_should_see 'Whoops! Check your form for possible errors'
-    end
-  end
-end
-
-feature 'Listing applications' do
-  background do
-    FactoryGirl.create :application, name: 'Oauth Dude'
-    FactoryGirl.create :application, name: 'Awesome App'
-  end
-
-  scenario 'application list' do
-    visit '/oauth/applications'
-    i_should_see 'Awesome App'
-    i_should_see 'Oauth Dude'
-  end
-end
-
-feature 'Show application' do
-  given :app do
-    FactoryGirl.create :application, name: 'Just another oauth app'
-  end
-
-  scenario 'visiting application page' do
-    visit "/oauth/applications/#{app.id}"
-    i_should_see 'Just another oauth app'
-  end
-end
-
-feature 'Edit application' do
-  let :app do
-    FactoryGirl.create :application, name: 'OMG my app'
-  end
-
-  background do
-    visit "/oauth/applications/#{app.id}/edit"
-  end
-
-  scenario 'updating a valid app' do
-    fill_in 'doorkeeper_application[name]', with: 'Serious app'
-    click_button 'Submit'
-    i_should_see 'Application updated'
-    i_should_see 'Serious app'
-    i_should_not_see 'OMG my app'
-  end
-
-  scenario 'updating an invalid app' do
-    fill_in 'doorkeeper_application[name]', with: ''
-    click_button 'Submit'
-    i_should_see 'Whoops! Check your form for possible errors'
-  end
-end
-
-feature 'Remove application' do
-  background do
-    @app = FactoryGirl.create :application
-  end
-
-  scenario 'deleting an application from list' do
-    visit '/oauth/applications'
-    i_should_see @app.name
-    within(:css, "tr#application_#{@app.id}") do
-      click_button 'Destroy'
-    end
-    i_should_see 'Application deleted'
-    i_should_not_see @app.name
-  end
-
-  scenario 'deleting an application from show' do
-    visit "/oauth/applications/#{@app.id}"
-    click_button 'Destroy'
-    i_should_see 'Application deleted'
-  end
-end

data/spec/requests/applications/authorized_applications_spec.rb

@@ -1,30 +0,0 @@
-require 'spec_helper_integration'
-
-feature 'Authorized applications' do
-  background do
-    @user   = User.create!(name: 'Joe', password: 'sekret')
-    @client = client_exists(name: 'Amazing Client App')
-    resource_owner_is_authenticated @user
-    client_is_authorized @client, @user
-  end
-
-  scenario 'display user\'s authorized applications' do
-    visit '/oauth/authorized_applications'
-    i_should_see 'Amazing Client App'
-  end
-
-  scenario 'do not display other user\'s authorized applications' do
-    client = client_exists(name: 'Another Client App')
-    client_is_authorized client, User.create!(name: 'Joe', password: 'sekret')
-    visit '/oauth/authorized_applications'
-    i_should_not_see 'Another Client App'
-  end
-
-  scenario 'user revoke access to application' do
-    visit '/oauth/authorized_applications'
-    i_should_see 'Amazing Client App'
-    click_on 'Revoke'
-    i_should_see 'Application revoked'
-    i_should_not_see 'Amazing Client App'
-  end
-end

data/spec/requests/endpoints/authorization_spec.rb

@@ -1,71 +0,0 @@
-require 'spec_helper_integration'
-
-feature 'Authorization endpoint' do
-  background do
-    config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
-    client_exists(name: 'MyApp')
-  end
-
-  scenario 'requires resource owner to be authenticated' do
-    visit authorization_endpoint_url(client: @client)
-    i_should_see 'Sign in'
-    i_should_be_on '/'
-  end
-
-  context 'with authenticated resource owner' do
-    background do
-      create_resource_owner
-      sign_in
-    end
-
-    scenario 'displays the authorization form' do
-      visit authorization_endpoint_url(client: @client)
-      i_should_see 'Authorize MyApp to use your account?'
-    end
-
-    scenario 'displays all requested scopes' do
-      default_scopes_exist :public
-      optional_scopes_exist :write
-      visit authorization_endpoint_url(client: @client, scope: 'public write')
-      i_should_see 'Access your public data'
-      i_should_see 'Update your data'
-    end
-  end
-
-  context 'with a invalid request' do
-    background do
-      create_resource_owner
-      sign_in
-    end
-
-    scenario 'displays the related error' do
-      visit authorization_endpoint_url(client: @client, response_type: '')
-      i_should_not_see 'Authorize'
-      i_should_see_translated_error_message :unsupported_response_type
-    end
-
-    scenario "displays unsupported_response_type error when using a disabled response type" do
-      config_is_set(:grant_flows, ['implicit'])
-      visit authorization_endpoint_url(client: @client, response_type: 'code')
-      i_should_not_see "Authorize"
-      i_should_see_translated_error_message :unsupported_response_type
-    end
-  end
-
-  context 'forgery protection enabled' do
-    background do
-      create_resource_owner
-      sign_in
-    end
-
-    scenario 'raises exception on forged requests' do
-      allowing_forgery_protection do
-        expect {
-          page.driver.post authorization_endpoint_url(client_id: @client.uid,
-                                                      redirect_uri: @client.redirect_uri,
-                                                      response_type:  'code')
-        }.to raise_error(ActionController::InvalidAuthenticityToken)
-      end
-    end
-  end
-end

data/spec/requests/endpoints/token_spec.rb

@@ -1,64 +0,0 @@
-require 'spec_helper_integration'
-
-describe 'Token endpoint' do
-  before do
-    client_exists
-    authorization_code_exists application: @client, scopes: 'public'
-  end
-
-  it 'respond with correct headers' do
-    post token_endpoint_url(code: @authorization.token, client: @client)
-    should_have_header 'Pragma', 'no-cache'
-    should_have_header 'Cache-Control', 'no-store'
-    should_have_header 'Content-Type', 'application/json; charset=utf-8'
-  end
-
-  it 'accepts client credentials with basic auth header' do
-    post token_endpoint_url(
-      code: @authorization.token,
-      redirect_uri: @client.redirect_uri
-    ), {}, 'HTTP_AUTHORIZATION' => basic_auth_header_for_client(@client)
-
-    should_have_json 'access_token', Doorkeeper::AccessToken.first.token
-  end
-
-  it 'returns null for expires_in when a permanent token is set' do
-    config_is_set(:access_token_expires_in, nil)
-    post token_endpoint_url(code: @authorization.token, client: @client)
-    should_have_json 'access_token', Doorkeeper::AccessToken.first.token
-    should_not_have_json 'expires_in'
-  end
-
-  it 'returns unsupported_grant_type for invalid grant_type param' do
-    post token_endpoint_url(code: @authorization.token, client: @client, grant_type: 'nothing')
-
-    should_not_have_json 'access_token'
-    should_have_json 'error', 'unsupported_grant_type'
-    should_have_json 'error_description', translated_error_message('unsupported_grant_type')
-  end
-
-  it 'returns unsupported_grant_type for disabled grant flows' do
-    config_is_set(:grant_flows, ['implicit'])
-    post token_endpoint_url(code: @authorization.token, client: @client, grant_type: 'authorization_code')
-
-    should_not_have_json 'access_token'
-    should_have_json 'error', 'unsupported_grant_type'
-    should_have_json 'error_description', translated_error_message('unsupported_grant_type')
-  end
-
-  it 'returns unsupported_grant_type when refresh_token is not in use' do
-    post token_endpoint_url(code: @authorization.token, client: @client, grant_type: 'refresh_token')
-
-    should_not_have_json 'access_token'
-    should_have_json 'error', 'unsupported_grant_type'
-    should_have_json 'error_description', translated_error_message('unsupported_grant_type')
-  end
-
-  it 'returns invalid_request if grant_type is missing' do
-    post token_endpoint_url(code: @authorization.token, client: @client, grant_type: '')
-
-    should_not_have_json 'access_token'
-    should_have_json 'error', 'invalid_request'
-    should_have_json 'error_description', translated_error_message('invalid_request')
-  end
-end

data/spec/requests/flows/authorization_code_errors_spec.rb

@@ -1,76 +0,0 @@
-require 'spec_helper_integration'
-
-feature 'Authorization Code Flow Errors' do
-  let(:client_params) { {} }
-  background do
-    config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
-    client_exists client_params
-    create_resource_owner
-    sign_in
-  end
-
-  after do
-    access_grant_should_not_exist
-  end
-
-  context "with a client trying to xss resource owner" do
-    let(:client_name) { "<div id='xss'>XSS</div>" }
-    let(:client_params) { { name: client_name } }
-    scenario "resource owner visit authorization endpoint" do
-      visit authorization_endpoint_url(client: @client)
-      expect(page).not_to have_css("#xss")
-    end
-  end
-
-  context 'when access was denied' do
-    scenario 'redirects with error' do
-      visit authorization_endpoint_url(client: @client)
-      click_on 'Deny'
-
-      i_should_be_on_client_callback @client
-      url_should_not_have_param 'code'
-      url_should_have_param 'error', 'access_denied'
-      url_should_have_param 'error_description', translated_error_message(:access_denied)
-    end
-
-    scenario 'redirects with state parameter' do
-      visit authorization_endpoint_url(client: @client, state: 'return-this')
-      click_on 'Deny'
-
-      i_should_be_on_client_callback @client
-      url_should_not_have_param 'code'
-      url_should_have_param 'state', 'return-this'
-    end
-  end
-end
-
-describe 'Authorization Code Flow Errors', 'after authorization' do
-  before do
-    client_exists
-    authorization_code_exists application: @client
-  end
-
-  it 'returns :invalid_grant error when posting an already revoked grant code' do
-    # First successful request
-    post token_endpoint_url(code: @authorization.token, client: @client)
-
-    # Second attempt with same token
-    expect do
-      post token_endpoint_url(code: @authorization.token, client: @client)
-    end.to_not change { Doorkeeper::AccessToken.count }
-
-    should_not_have_json 'access_token'
-    should_have_json 'error', 'invalid_grant'
-    should_have_json 'error_description', translated_error_message('invalid_grant')
-  end
-
-  it 'returns :invalid_grant error for invalid grant code' do
-    post token_endpoint_url(code: 'invalid', client: @client)
-
-    access_token_should_not_exist
-
-    should_not_have_json 'access_token'
-    should_have_json 'error', 'invalid_grant'
-    should_have_json 'error_description', translated_error_message('invalid_grant')
-  end
-end

data/spec/requests/flows/authorization_code_spec.rb

@@ -1,148 +0,0 @@
-require 'spec_helper_integration'
-
-feature 'Authorization Code Flow' do
-  background do
-    config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
-    client_exists
-    create_resource_owner
-    sign_in
-  end
-
-  scenario 'resource owner authorizes the client' do
-    visit authorization_endpoint_url(client: @client)
-    click_on 'Authorize'
-
-    access_grant_should_exist_for(@client, @resource_owner)
-
-    i_should_be_on_client_callback(@client)
-
-    url_should_have_param('code', Doorkeeper::AccessGrant.first.token)
-    url_should_not_have_param('state')
-    url_should_not_have_param('error')
-  end
-
-  scenario 'resource owner authorizes using test url' do
-    @client.redirect_uri = Doorkeeper.configuration.native_redirect_uri
-    @client.save!
-    visit authorization_endpoint_url(client: @client)
-    click_on 'Authorize'
-
-    access_grant_should_exist_for(@client, @resource_owner)
-
-    i_should_see 'Authorization code:'
-    i_should_see Doorkeeper::AccessGrant.first.token
-  end
-
-  scenario 'resource owner authorizes the client with state parameter set' do
-    visit authorization_endpoint_url(client: @client, state: 'return-me')
-    click_on 'Authorize'
-    url_should_have_param('code', Doorkeeper::AccessGrant.first.token)
-    url_should_have_param('state', 'return-me')
-  end
-
-  scenario 'resource owner requests an access token with authorization code' do
-    visit authorization_endpoint_url(client: @client)
-    click_on 'Authorize'
-
-    authorization_code = Doorkeeper::AccessGrant.first.token
-    create_access_token authorization_code, @client
-
-    access_token_should_exist_for(@client, @resource_owner)
-
-    should_not_have_json 'error'
-
-    should_have_json 'access_token', Doorkeeper::AccessToken.first.token
-    should_have_json 'token_type', 'bearer'
-    should_have_json_within 'expires_in', Doorkeeper::AccessToken.first.expires_in, 1
-  end
-
-  context 'with scopes' do
-    background do
-      default_scopes_exist :public
-      optional_scopes_exist :write
-    end
-
-    scenario 'resource owner authorizes the client with default scopes' do
-      visit authorization_endpoint_url(client: @client)
-      click_on 'Authorize'
-      access_grant_should_exist_for(@client, @resource_owner)
-      access_grant_should_have_scopes :public
-    end
-
-    scenario 'resource owner authorizes the client with required scopes' do
-      visit authorization_endpoint_url(client: @client, scope: 'public write')
-      click_on 'Authorize'
-      access_grant_should_have_scopes :public, :write
-    end
-
-    scenario 'resource owner authorizes the client with required scopes (without defaults)' do
-      visit authorization_endpoint_url(client: @client, scope: 'write')
-      click_on 'Authorize'
-      access_grant_should_have_scopes :write
-    end
-
-    scenario 'new access token matches required scopes' do
-      visit authorization_endpoint_url(client: @client, scope: 'public write')
-      click_on 'Authorize'
-
-      authorization_code = Doorkeeper::AccessGrant.first.token
-      create_access_token authorization_code, @client
-
-      access_token_should_exist_for(@client, @resource_owner)
-      access_token_should_have_scopes :public, :write
-    end
-
-    scenario 'returns new token if scopes have changed' do
-      client_is_authorized(@client, @resource_owner, scopes: 'public write')
-      visit authorization_endpoint_url(client: @client, scope: 'public')
-      click_on 'Authorize'
-
-      authorization_code = Doorkeeper::AccessGrant.first.token
-      create_access_token authorization_code, @client
-
-      expect(Doorkeeper::AccessToken.count).to be(2)
-
-      should_have_json 'access_token', Doorkeeper::AccessToken.last.token
-    end
-
-    scenario 'resource owner authorizes the client with extra scopes' do
-      client_is_authorized(@client, @resource_owner, scopes: 'public')
-      visit authorization_endpoint_url(client: @client, scope: 'public write')
-      click_on 'Authorize'
-
-      authorization_code = Doorkeeper::AccessGrant.first.token
-      create_access_token authorization_code, @client
-
-      expect(Doorkeeper::AccessToken.count).to be(2)
-
-      should_have_json 'access_token', Doorkeeper::AccessToken.last.token
-      access_token_should_have_scopes :public, :write
-    end
-  end
-end
-
-describe 'Authorization Code Flow' do
-  before do
-    Doorkeeper.configure do
-      orm DOORKEEPER_ORM
-      use_refresh_token
-    end
-    client_exists
-  end
-
-  context 'issuing a refresh token' do
-    before do
-      authorization_code_exists application: @client
-    end
-
-    it 'second of simultaneous client requests get an error for revoked acccess token' do
-      authorization_code = Doorkeeper::AccessGrant.first.token
-      allow_any_instance_of(Doorkeeper::AccessGrant).to receive(:revoked?).and_return(false, true)
-
-      post token_endpoint_url(code: authorization_code, client: @client)
-
-      should_not_have_json 'access_token'
-      should_have_json 'error', 'invalid_grant'
-    end
-  end
-end