doorkeeper 4.2.6 → 5.5.4

data/lib/doorkeeper/models/concerns/orderable.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module Models
+    module Orderable
+      extend ActiveSupport::Concern
+
+      module ClassMethods
+        def ordered_by(attribute, direction = :asc)
+          order(attribute => direction)
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/models/concerns/ownership.rb

@@ -1,20 +1,17 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module Models
     module Ownership
       extend ActiveSupport::Concern
 
       included do
-        belongs_to_options = { polymorphic: true }
-        if defined?(ActiveRecord::Base) && ActiveRecord::VERSION::MAJOR >= 5
-          belongs_to_options[:optional] = true
-        end
-
-        belongs_to :owner, belongs_to_options
+        belongs_to :owner, polymorphic: true, optional: true
         validates :owner, presence: true, if: :validate_owner?
       end
 
       def validate_owner?
-        Doorkeeper.configuration.confirm_application_owner?
+        Doorkeeper.config.confirm_application_owner?
       end
     end
   end

data/lib/doorkeeper/models/concerns/resource_ownerable.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module Models
+    module ResourceOwnerable
+      extend ActiveSupport::Concern
+
+      module ClassMethods
+        # Searches for record by Resource Owner considering Doorkeeper
+        # configuration for resource owner association.
+        #
+        # @param resource_owner [ActiveRecord::Base, Integer]
+        #   resource owner
+        #
+        # @return [Doorkeeper::AccessGrant, Doorkeeper::AccessToken]
+        #   collection of records
+        #
+        def by_resource_owner(resource_owner)
+          if Doorkeeper.configuration.polymorphic_resource_owner?
+            where(resource_owner: resource_owner)
+          else
+            where(resource_owner_id: resource_owner_id_for(resource_owner))
+          end
+        end
+
+        protected
+
+        # Backward compatible way to retrieve resource owner itself (if
+        # polymorphic association enabled) or just it's ID.
+        #
+        # @param resource_owner [ActiveRecord::Base, Integer]
+        #   resource owner
+        #
+        # @return [ActiveRecord::Base, Integer]
+        #   instance of Resource Owner or it's ID
+        #
+        def resource_owner_id_for(resource_owner)
+          if resource_owner.respond_to?(:to_key)
+            resource_owner.id
+          else
+            resource_owner
+          end
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/models/concerns/reusable.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module Models
+    module Reusable
+      # Indicates whether the object is reusable (i.e. It is not expired and
+      # has not crossed reuse_limit).
+      #
+      # @return [Boolean] true if can be reused and false in other case
+      def reusable?
+        return false if expired?
+        return true unless expires_in
+
+        threshold_limit = 100 - Doorkeeper.config.token_reuse_limit
+        expires_in_seconds >= threshold_limit * expires_in / 100
+      end
+    end
+  end
+end

data/lib/doorkeeper/models/concerns/revocable.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module Models
     module Revocable
@@ -7,7 +9,7 @@ module Doorkeeper
       # @param clock [Time] time object
       #
       def revoke(clock = Time)
-        update_attribute :revoked_at, clock.now.utc
+        update_attribute(:revoked_at, clock.now.utc)
       end
 
       # Indicates whether the object has been revoked.
@@ -17,32 +19,6 @@ module Doorkeeper
       def revoked?
         !!(revoked_at && revoked_at <= Time.now.utc)
       end
-
-      # Revokes token with `:refresh_token` equal to `:previous_refresh_token`
-      # and clears `:previous_refresh_token` attribute.
-      #
-      def revoke_previous_refresh_token!
-        return unless refresh_token_revoked_on_use?
-        old_refresh_token.revoke if old_refresh_token
-        update_attribute :previous_refresh_token, ""
-      end
-
-      private
-
-      # Searches for Access Token record with `:refresh_token` equal to
-      # `:previous_refresh_token` value.
-      #
-      # @return [Doorkeeper::AccessToken, nil]
-      #   Access Token record or nil if nothing found
-      #
-      def old_refresh_token
-        @old_refresh_token ||=
-          AccessToken.by_refresh_token(previous_refresh_token)
-      end
-
-      def refresh_token_revoked_on_use?
-        AccessToken.refresh_token_revoked_on_use?
-      end
     end
   end
 end

data/lib/doorkeeper/models/concerns/scopes.rb

@@ -1,8 +1,18 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module Models
     module Scopes
       def scopes
-        OAuth::Scopes.from_string(self[:scopes])
+        OAuth::Scopes.from_string(scopes_string)
+      end
+
+      def scopes=(value)
+        if value.is_a?(Array)
+          super(Doorkeeper::OAuth::Scopes.from_array(value).to_s)
+        else
+          super(Doorkeeper::OAuth::Scopes.from_string(value.to_s).to_s)
+        end
       end
 
       def scopes_string
@@ -10,7 +20,7 @@ module Doorkeeper
       end
 
       def includes_scope?(*required_scopes)
-        required_scopes.blank? || required_scopes.any? { |s| scopes.exists?(s.to_s) }
+        required_scopes.blank? || required_scopes.any? { |scope| scopes.exists?(scope.to_s) }
       end
     end
   end

data/lib/doorkeeper/models/concerns/secret_storable.rb

@@ -0,0 +1,106 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module Models
+    ##
+    # Storable finder to provide lookups for input plaintext values which are
+    # mapped to their stored versions (e.g., hashing, encryption) before lookup.
+    module SecretStorable
+      extend ActiveSupport::Concern
+
+      delegate :secret_strategy,
+               :fallback_secret_strategy,
+               to: :class
+
+      # :nodoc
+      module ClassMethods
+        # Compare the given plaintext with the secret
+        #
+        # @param input [String]
+        #   The plain input to compare.
+        #
+        # @param secret [String]
+        #   The secret value to compare with.
+        #
+        # @return [Boolean]
+        #   Whether input matches secret as per the secret strategy
+        #
+        delegate :secret_matches?, to: :secret_strategy
+
+        # Returns an instance of the Doorkeeper::AccessToken with
+        # specific token value.
+        #
+        # @param attr [Symbol]
+        #   The token attribute we're looking with.
+        #
+        # @param token [#to_s]
+        #   token value (any object that responds to `#to_s`)
+        #
+        # @return [Doorkeeper::AccessToken, nil] AccessToken object or nil
+        #   if there is no record with such token
+        #
+        def find_by_plaintext_token(attr, token)
+          token = token.to_s
+
+          find_by(attr => secret_strategy.transform_secret(token)) ||
+            find_by_fallback_token(attr, token)
+        end
+
+        # Allow looking up previously plain tokens as a fallback
+        # IFF a fallback strategy has been defined
+        #
+        # @param attr [Symbol]
+        #   The token attribute we're looking with.
+        #
+        # @param plain_secret [#to_s]
+        #   plain secret value (any object that responds to `#to_s`)
+        #
+        # @return [Doorkeeper::AccessToken, nil] AccessToken object or nil
+        #   if there is no record with such token
+        #
+        def find_by_fallback_token(attr, plain_secret)
+          return nil unless fallback_secret_strategy
+
+          # Use the previous strategy to look up
+          stored_token = fallback_secret_strategy.transform_secret(plain_secret)
+          find_by(attr => stored_token).tap do |resource|
+            return nil unless resource
+
+            upgrade_fallback_value resource, attr, plain_secret
+          end
+        end
+
+        # Allow implementations in ORMs to replace a plain
+        # value falling back to to avoid it remaining as plain text.
+        #
+        # @param instance
+        #   An instance of this model with a plain value token.
+        #
+        # @param attr
+        #   The secret attribute name to upgrade.
+        #
+        # @param plain_secret
+        #   The plain secret to upgrade.
+        #
+        def upgrade_fallback_value(instance, attr, plain_secret)
+          upgraded = secret_strategy.store_secret(instance, attr, plain_secret)
+          instance.update(attr => upgraded)
+        end
+
+        ##
+        # Determines the secret storing transformer
+        # Unless configured otherwise, uses the plain secret strategy
+        def secret_strategy
+          ::Doorkeeper::SecretStoring::Plain
+        end
+
+        ##
+        # Determine the fallback storing strategy
+        # Unless configured, there will be no fallback
+        def fallback_secret_strategy
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/oauth/authorization/code.rb

@@ -1,30 +1,66 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OAuth
     module Authorization
       class Code
-        attr_accessor :pre_auth, :resource_owner, :token
+        attr_reader :pre_auth, :resource_owner, :token
 
         def initialize(pre_auth, resource_owner)
-          @pre_auth       = pre_auth
+          @pre_auth = pre_auth
           @resource_owner = resource_owner
         end
 
-        def issue_token
-          @token ||= AccessGrant.create!(
+        def issue_token!
+          return @token if defined?(@token)
+
+          @token = Doorkeeper.config.access_grant_model.create!(access_grant_attributes)
+        end
+
+        def oob_redirect
+          { action: :show, code: token.plaintext_token }
+        end
+
+        def access_grant?
+          true
+        end
+
+        private
+
+        def authorization_code_expires_in
+          Doorkeeper.config.authorization_code_expires_in
+        end
+
+        def access_grant_attributes
+          attributes = {
             application_id: pre_auth.client.id,
-            resource_owner_id: resource_owner.id,
-            expires_in: configuration.authorization_code_expires_in,
+            expires_in: authorization_code_expires_in,
             redirect_uri: pre_auth.redirect_uri,
-            scopes: pre_auth.scopes.to_s
-          )
+            scopes: pre_auth.scopes.to_s,
+          }
+
+          if Doorkeeper.config.polymorphic_resource_owner?
+            attributes[:resource_owner] = resource_owner
+          else
+            attributes[:resource_owner_id] = resource_owner.id
+          end
+
+          pkce_attributes.merge(attributes)
         end
 
-        def native_redirect
-          { action: :show, code: token.token }
+        def pkce_attributes
+          return {} unless pkce_supported?
+
+          {
+            code_challenge: pre_auth.code_challenge,
+            code_challenge_method: pre_auth.code_challenge_method,
+          }
         end
 
-        def configuration
-          Doorkeeper.configuration
+        # Ensures firstly, if migration with additional PKCE columns was
+        # generated and migrated
+        def pkce_supported?
+          Doorkeeper.config.access_grant_model.pkce_supported?
         end
       end
     end

data/lib/doorkeeper/oauth/authorization/context.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module OAuth
+    module Authorization
+      class Context
+        attr_reader :client, :grant_type, :resource_owner, :scopes
+
+        def initialize(**attributes)
+          attributes.each do |name, value|
+            instance_variable_set(:"@#{name}", value) if respond_to?(name)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/oauth/authorization/token.rb

@@ -1,54 +1,92 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OAuth
     module Authorization
       class Token
-        attr_accessor :pre_auth, :resource_owner, :token
+        attr_reader :pre_auth, :resource_owner, :token
+
+        class << self
+          def build_context(pre_auth_or_oauth_client, grant_type, scopes, resource_owner)
+            oauth_client = if pre_auth_or_oauth_client.respond_to?(:application)
+                             pre_auth_or_oauth_client.application
+                           elsif pre_auth_or_oauth_client.respond_to?(:client)
+                             pre_auth_or_oauth_client.client
+                           else
+                             pre_auth_or_oauth_client
+                           end
+
+            Doorkeeper::OAuth::Authorization::Context.new(
+              client: oauth_client,
+              grant_type: grant_type,
+              scopes: scopes,
+              resource_owner: resource_owner,
+            )
+          end
+
+          def access_token_expires_in(configuration, context)
+            if configuration.option_defined?(:custom_access_token_expires_in)
+              expiration = configuration.custom_access_token_expires_in.call(context)
+              return nil if expiration == Float::INFINITY
+
+              expiration || configuration.access_token_expires_in
+            else
+              configuration.access_token_expires_in
+            end
+          end
+
+          def refresh_token_enabled?(server, context)
+            if server.refresh_token_enabled?.respond_to?(:call)
+              server.refresh_token_enabled?.call(context)
+            else
+              !!server.refresh_token_enabled?
+            end
+          end
+        end
 
         def initialize(pre_auth, resource_owner)
           @pre_auth       = pre_auth
           @resource_owner = resource_owner
         end
 
-        def self.access_token_expires_in(server, pre_auth_or_oauth_client)
-          if expiration = custom_expiration(server, pre_auth_or_oauth_client)
-            expiration
-          else
-            server.access_token_expires_in
-          end
-        end
+        def issue_token!
+          return @token if defined?(@token)
 
-        def issue_token
-          @token ||= AccessToken.find_or_create_for(
+          context = self.class.build_context(
             pre_auth.client,
-            resource_owner.id,
+            Doorkeeper::OAuth::IMPLICIT,
             pre_auth.scopes,
-            self.class.access_token_expires_in(configuration, pre_auth),
-            false
+            resource_owner,
+          )
+
+          @token = Doorkeeper.config.access_token_model.find_or_create_for(
+            application: pre_auth.client,
+            resource_owner: resource_owner,
+            scopes: pre_auth.scopes,
+            expires_in: self.class.access_token_expires_in(Doorkeeper.config, context),
+            use_refresh_token: false,
           )
         end
 
-        def native_redirect
+        def oob_redirect
           {
-            controller: 'doorkeeper/token_info',
+            controller: controller,
             action: :show,
-            access_token: token.token
+            access_token: token.plaintext_token,
           }
         end
 
-        private
-
-        def self.custom_expiration(server, pre_auth_or_oauth_client)
-          oauth_client = if pre_auth_or_oauth_client.respond_to?(:client)
-                           pre_auth_or_oauth_client.client
-                         else
-                           pre_auth_or_oauth_client
-                         end
-
-          server.custom_access_token_expires_in.call(oauth_client)
+        def access_token?
+          true
         end
 
-        def configuration
-          Doorkeeper.configuration
+        private
+
+        def controller
+          @controller ||= begin
+            mapping = Doorkeeper::Rails::Routes.mapping[:token_info] || {}
+            mapping[:controllers] || "doorkeeper/token_info"
+          end
         end
       end
     end

data/lib/doorkeeper/oauth/authorization/uri_builder.rb

@@ -1,4 +1,6 @@
-require 'rack/utils'
+# frozen_string_literal: true
+
+require "rack/utils"
 
 module Doorkeeper
   module OAuth
@@ -6,9 +8,9 @@ module Doorkeeper
       class URIBuilder
         class << self
           def uri_with_query(url, parameters = {})
-            uri            = URI.parse(url)
+            uri = URI.parse(url)
             original_query = Rack::Utils.parse_query(uri.query)
-            uri.query      = build_query(original_query.merge(parameters))
+            uri.query = build_query(original_query.merge(parameters))
             uri.to_s
           end
 
@@ -21,8 +23,8 @@ module Doorkeeper
           private
 
           def build_query(parameters = {})
-            parameters = parameters.reject { |_, v| v.blank? }
-            Rack::Utils.build_query parameters
+            parameters.reject! { |_, value| value.blank? }
+            Rack::Utils.build_query(parameters)
           end
         end
       end

data/lib/doorkeeper/oauth/authorization_code_request.rb

@@ -1,18 +1,25 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OAuth
     class AuthorizationCodeRequest < BaseRequest
-      validate :attributes,   error: :invalid_request
+      validate :params,       error: :invalid_request
       validate :client,       error: :invalid_client
       validate :grant,        error: :invalid_grant
+      # @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
       validate :redirect_uri, error: :invalid_grant
+      validate :code_verifier, error: :invalid_grant
 
-      attr_accessor :server, :grant, :client, :redirect_uri, :access_token
+      attr_reader :grant, :client, :redirect_uri, :access_token, :code_verifier,
+                  :invalid_request_reason, :missing_param
 
       def initialize(server, grant, client, parameters = {})
         @server = server
         @client = client
         @grant  = grant
+        @grant_type = Doorkeeper::OAuth::AUTHORIZATION_CODE
         @redirect_uri = parameters[:redirect_uri]
+        @code_verifier = parameters[:code_verifier]
       end
 
       private
@@ -23,28 +30,74 @@ module Doorkeeper
           raise Errors::InvalidGrantReuse if grant.revoked?
 
           grant.revoke
-          find_or_create_access_token(grant.application,
-                                      grant.resource_owner_id,
-                                      grant.scopes,
-                                      server)
+
+          find_or_create_access_token(
+            grant.application,
+            resource_owner,
+            grant.scopes,
+            server,
+          )
+        end
+
+        super
+      end
+
+      def resource_owner
+        if Doorkeeper.config.polymorphic_resource_owner?
+          grant.resource_owner
+        else
+          grant.resource_owner_id
         end
       end
 
-      def validate_attributes
-        redirect_uri.present?
+      def pkce_supported?
+        Doorkeeper.config.access_grant_model.pkce_supported?
+      end
+
+      def validate_params
+        @missing_param = if grant&.uses_pkce? && code_verifier.blank?
+                           :code_verifier
+                         elsif redirect_uri.blank?
+                           :redirect_uri
+                         end
+
+        @missing_param.nil?
       end
 
       def validate_client
-        !!client
+        client.present?
       end
 
       def validate_grant
         return false unless grant && grant.application_id == client.id
+
         grant.accessible?
       end
 
       def validate_redirect_uri
-        grant.redirect_uri == redirect_uri
+        Helpers::URIChecker.valid_for_authorization?(
+          redirect_uri,
+          grant.redirect_uri,
+        )
+      end
+
+      # if either side (server or client) request PKCE, check the verifier
+      # against the DB - if PKCE is supported
+      def validate_code_verifier
+        return true unless pkce_supported?
+        return grant.code_challenge.blank? if code_verifier.blank?
+
+        if grant.code_challenge_method == "S256"
+          grant.code_challenge == generate_code_challenge(code_verifier)
+        elsif grant.code_challenge_method == "plain"
+          grant.code_challenge == code_verifier
+        else
+          false
+        end
+      end
+
+      def generate_code_challenge(code_verifier)
+        server_config.access_grant_model.generate_code_challenge(code_verifier)
       end
     end
   end