doorkeeper 4.3.2 → 4.4.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: c3122dbcfcc7470b2460319fee999036c26810c3
-  data.tar.gz: 9c0096009a2af6d32074d63711fb72a2078101a1
+  metadata.gz: 8d8d3550d8406d4abb224c4960d1d6e8a0c4c706
+  data.tar.gz: b12408cb8b0dc2b14ee69b57798943b5c1bfaa30
 SHA512:
-  metadata.gz: 7178420e74461146ac3525056a9398e51df2e659107532e1e8577e90359d474a96b1275d99f05dc85b43f692ab9eda1e49bb1edc91c80f906d59318c5e788163
-  data.tar.gz: 5c6a9177e6efd616f7345bc26e15a978ae7d89295600356bf9ec922a0c94f0da1b47fe827328d7edcbcafe0855761a17a77851d3a1b9155d0c8608917c3e4610
+  metadata.gz: 0674af950f6070d6457e09f73fc89736b092ae6595e484ca6e67e7f126912ea007509d9249fdc4eb01e66bf981c1e49da33712203d8428d10401a43faabd1cfd
+  data.tar.gz: e447513c202dfde4c622b898da2a98dff64272193136fe399b890bb97488e7915156a2588caa6de3566db411f4c7dfa89e88be3a8b8d0a76511251f2f980c382

data/.rubocop.yml

@@ -2,6 +2,10 @@ AllCops:
   Exclude:
     - "spec/dummy/db/*"
 
+Metrics/BlockLength:
+  Exclude:
+    - spec/**/*
+
 LineLength:
   Exclude:
     - spec/**/*

data/NEWS.md

@@ -4,6 +4,23 @@ User-visible changes worth mentioning.
 
 ## master
 
+## 4.4.3
+- [#1143] Adds a config option opt_out_native_route_change to opt out of the
+  breaking api changed introduced in
+  https://github.com/doorkeeper-gem/doorkeeper/pull/1003
+
+## 4.4.2
+- [#1130] Backport fix for native redirect_uri from 5.x.
+
+## 4.4.1
+
+- [#1127] Backport token type to comply with the RFC6750 specification.
+- [#1125] Backport Quote surround I18n yes/no keys
+
+## 4.4.0
+
+- [#1120] Backport security fix from 5.x for token revocation when using public clients
+
 ## 4.3.2
 
 - [#1053] Support authorizing with query params in the request `redirect_uri` if explicitly present in app's `Application#redirect_uri`

data/app/controllers/doorkeeper/applications_controller.rb

@@ -57,7 +57,8 @@ module Doorkeeper
     end
 
     def application_params
-      params.require(:doorkeeper_application).permit(:name, :redirect_uri, :scopes)
+      params.require(:doorkeeper_application).
+        permit(:name, :redirect_uri, :scopes, :confidential)
     end
   end
 end

data/app/controllers/doorkeeper/tokens_controller.rb

@@ -58,16 +58,15 @@ module Doorkeeper
     # https://tools.ietf.org/html/rfc6749#section-2.1
     # https://tools.ietf.org/html/rfc7009
     def authorized?
-      if token.present?
-        # Client is confidential, therefore client authentication & authorization
-        # is required
-        if token.application_id?
-          # We authorize client by checking token's application
-          server.client && server.client.application == token.application
-        else
-          # Client is public, authentication unnecessary
-          true
-        end
+      return unless token.present?
+      # Client is confidential, therefore client authentication & authorization
+      # is required
+      if token.application_id? && token.application.confidential?
+        # We authorize client by checking token's application
+        server.client && server.client.application == token.application
+      else
+        # Client is public, authentication unnecessary
+        true
       end
     end
 

data/app/views/doorkeeper/applications/_form.html.erb

@@ -27,6 +27,17 @@
     </div>
   <% end %>
 
+  <%= content_tag :div, class: "form-group#{' has-error' if application.errors[:confidential].present?}" do %>
+    <%= f.label :confidential, class: 'col-sm-2 control-label' %>
+    <div class="col-sm-10">
+      <%= f.check_box :confidential, class: 'form-control', disabled: !Doorkeeper::Application.supports_confidentiality? %>
+      <%= doorkeeper_errors_for application, :confidential %>
+      <span class="help-block">
+        <%= t('doorkeeper.applications.help.confidential') %>
+      </span>
+    </div>
+  <% end %>
+
   <%= content_tag :div, class: "form-group#{' has-error' if application.errors[:scopes].present?}" do %>
     <%= f.label :scopes, class: 'col-sm-2 control-label' %>
     <div class="col-sm-10">

data/app/views/doorkeeper/applications/index.html.erb

@@ -9,6 +9,7 @@
   <tr>
     <th><%= t('.name') %></th>
     <th><%= t('.callback_url') %></th>
+    <th><%= t('.confidential') %></th>
     <th></th>
     <th></th>
   </tr>
@@ -18,6 +19,7 @@
     <tr id="application_<%= application.id %>">
       <td><%= link_to application.name, oauth_application_path(application) %></td>
       <td><%= application.redirect_uri %></td>
+      <td><%= application.confidential? ? t('doorkeeper.applications.index.confidentiality.yes') : t('doorkeeper.applications.index.confidentiality.no') %></td>
       <td><%= link_to t('doorkeeper.applications.buttons.edit'), edit_oauth_application_path(application), class: 'btn btn-link' %></td>
       <td><%= render 'delete_form', application: application %></td>
     </tr>

data/app/views/doorkeeper/applications/show.html.erb

@@ -13,6 +13,9 @@
     <h4><%= t('.scopes') %>:</h4>
     <p><code id="scopes"><%= @application.scopes %></code></p>
 
+    <h4><%= t('.confidential') %>:</h4>
+    <p><code id="confidential"><%= @application.confidential? %></code></p>
+
     <h4><%= t('.callback_urls') %>:</h4>
 
     <table>

data/config/locales/en.yml

@@ -28,6 +28,7 @@ en:
       form:
         error: 'Whoops! Check your form for possible errors'
       help:
+        confidential: 'Application will be used where the client secret can be kept confidential. Native mobile apps and Single Page Apps are considered non-confidential.'
         redirect_uri: 'Use one line per URI'
         native_redirect_uri: 'Use %{native_redirect_uri} if you want to add localhost URIs for development purposes'
         scopes: 'Separate scopes with spaces. Leave blank to use the default scopes.'
@@ -38,6 +39,10 @@ en:
         new: 'New Application'
         name: 'Name'
         callback_url: 'Callback URL'
+        confidential: 'Confidential?'
+        confidentiality:
+          'yes': 'Yes'
+          'no': 'No'
       new:
         title: 'New Application'
       show:
@@ -45,6 +50,7 @@ en:
         application_id: 'Application Id'
         secret: 'Secret'
         scopes: 'Scopes'
+        confidential: 'Confidential'
         callback_urls: 'Callback urls'
         actions: 'Actions'
 

data/doorkeeper.gemspec

@@ -27,4 +27,6 @@ Gem::Specification.new do |s|
   s.add_development_dependency "generator_spec", "~> 0.9.3"
   s.add_development_dependency "rake", ">= 11.3.0"
   s.add_development_dependency "rspec-rails"
+
+  s.post_install_message = Doorkeeper::CVE_2018_1000211_WARNING
 end

data/lib/doorkeeper/config.rb

@@ -114,6 +114,15 @@ doorkeeper.
       def reuse_access_token
         @config.instance_variable_set(:@reuse_access_token, true)
       end
+
+      # Opt out of breaking api change to the native authorization code flow.
+      # Opting out sets the authorization code response route for native
+      # redirect uris to oauth/authorize/<code>. The default is
+      # oauth/authorize/native?code=<code>.
+      # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/1143
+      def opt_out_native_route_change
+        @config.instance_variable_set(:@opt_out_native_route_change, true)
+      end
     end
 
     module Option
@@ -295,6 +304,11 @@ doorkeeper.
       @token_grant_types ||= calculate_token_grant_types
     end
 
+    def native_authorization_code_route
+      @opt_out_native_route_change ||= false
+      @opt_out_native_route_change ? '/:code' : '/native'
+    end
+
     private
 
     # Determines what values are acceptable for 'response_type' param in

data/lib/doorkeeper/models/access_token_mixin.rb

@@ -156,7 +156,7 @@ module Doorkeeper
     #   The OAuth 2.0 Authorization Framework: Bearer Token Usage
     #
     def token_type
-      'bearer'
+      'Bearer'
     end
 
     def use_refresh_token?

data/lib/doorkeeper/models/application_mixin.rb

@@ -10,6 +10,9 @@ module Doorkeeper
       # Returns an instance of the Doorkeeper::Application with
       # specific UID and secret.
       #
+      # Public/Non-confidential applications will only find by uid if secret is
+      # blank.
+      #
       # @param uid [#to_s] UID (any object that responds to `#to_s`)
       # @param secret [#to_s] secret (any object that responds to `#to_s`)
       #
@@ -17,7 +20,11 @@ module Doorkeeper
       #   if there is no record with such credentials
       #
       def by_uid_and_secret(uid, secret)
-        find_by(uid: uid.to_s, secret: secret.to_s)
+        app = by_uid(uid)
+        return unless app
+        return app if secret.blank? && !app.confidential?
+        return unless app.secret == secret
+        app
       end
 
       # Returns an instance of the Doorkeeper::Application with specific UID.

data/lib/doorkeeper/oauth/client/credentials.rb

@@ -23,8 +23,10 @@ module Doorkeeper
           end
         end
 
+        # Public clients may have their secret blank, but "credentials" are
+        # still present
         def blank?
-          uid.blank? || secret.blank?
+          uid.blank?
         end
       end
     end

data/lib/doorkeeper/oauth/helpers/uri_checker.rb

@@ -3,6 +3,7 @@ module Doorkeeper
     module Helpers
       module URIChecker
         def self.valid?(url)
+          return true if native_uri?(url)
           uri = as_uri(url)
           uri.fragment.nil? && !uri.host.nil? && !uri.scheme.nil?
         rescue URI::InvalidURIError

data/lib/doorkeeper/oauth/pre_authorization.rb

@@ -57,9 +57,11 @@ module Doorkeeper
 
       # TODO: test uri should be matched against the client's one
       def validate_redirect_uri
-        return false unless redirect_uri.present?
-        Helpers::URIChecker.native_uri?(redirect_uri) ||
-          Helpers::URIChecker.valid_for_authorization?(redirect_uri, client.redirect_uri)
+        return false if redirect_uri.blank?
+
+        Helpers::URIChecker.valid_for_authorization?(
+          redirect_uri, client.redirect_uri
+        )
       end
     end
   end

data/lib/doorkeeper/orm/active_record/application.rb

@@ -11,6 +11,7 @@ module Doorkeeper
     validates :name, :secret, :uid, presence: true
     validates :uid, uniqueness: true
     validates :redirect_uri, redirect_uri: true
+    validates :confidential, inclusion: { in: [true, false] }
 
     before_validation :generate_uid, :generate_secret, on: :create
 
@@ -31,6 +32,22 @@ module Doorkeeper
       where(id: resource_access_tokens.select(:application_id).distinct)
     end
 
+    # Fallback to existing, default behaviour of assuming all apps to be
+    # confidential if the migration hasn't been run
+    def confidential
+      return super if self.class.supports_confidentiality?
+      ActiveSupport::Deprecation.warn 'You are susceptible to security bug ' \
+        'CVE-2018-1000211. Please follow instructions outlined in ' \
+        'Doorkeeper::CVE_2018_1000211_WARNING'
+      true
+    end
+
+    alias_method :confidential?, :confidential
+
+    def self.supports_confidentiality?
+      column_names.include?('confidential')
+    end
+
     private
 
     def generate_uid

data/lib/doorkeeper/rails/routes.rb

@@ -47,7 +47,7 @@ module Doorkeeper
           as: mapping[:as],
           controller: mapping[:controllers]
         ) do
-          routes.get '/native', action: :show, on: :member
+          routes.get native_authorization_code_route, action: :show, on: :member
           routes.get '/', action: :new, on: :member
         end
       end
@@ -85,6 +85,10 @@ module Doorkeeper
       def authorized_applications_routes(mapping)
         routes.resources :authorized_applications, only: %i[index destroy], controller: mapping[:controllers]
       end
+
+      def native_authorization_code_route
+        Doorkeeper.configuration.native_authorization_code_route
+      end
     end
   end
 end

data/lib/doorkeeper/request/password.rb

@@ -3,7 +3,7 @@ require 'doorkeeper/request/strategy'
 module Doorkeeper
   module Request
     class Password < Strategy
-      delegate :credentials, :resource_owner, :parameters, to: :server
+      delegate :credentials, :resource_owner, :parameters, :client, to: :server
 
       def request
         @request ||= OAuth::PasswordAccessTokenRequest.new(
@@ -13,16 +13,6 @@ module Doorkeeper
           parameters
         )
       end
-
-      private
-
-      def client
-        if credentials
-          server.client
-        elsif parameters[:client_id]
-          server.client_via_uid
-        end
-      end
     end
   end
 end

data/lib/doorkeeper/version.rb

@@ -1,4 +1,25 @@
 module Doorkeeper
+  CVE_2018_1000211_WARNING = <<-HEREDOC.freeze
+
+
+  WARNING: This is a security release that addresses token revocation not working for public apps (CVE-2018-1000211)
+
+  There is no breaking change in this release, however to take advantage of the security fix you must:
+
+    1. Run `rails generate doorkeeper:add_client_confidentiality` for the migration
+    2. Review your OAuth apps and determine which ones exclusively use public grant flows (eg implicit)
+    3. Update their `confidential` column to `false` for those public apps
+
+  This is a backported security release.
+
+  For more information:
+
+    * https://github.com/doorkeeper-gem/doorkeeper/pull/1119
+    * https://github.com/doorkeeper-gem/doorkeeper/issues/891
+
+
+HEREDOC
+
   def self.gem_version
     Gem::Version.new VERSION::STRING
   end
@@ -6,8 +27,8 @@ module Doorkeeper
   module VERSION
     # Semantic versioning
     MAJOR = 4
-    MINOR = 3
-    TINY = 2
+    MINOR = 4
+    TINY = 3
 
     # Full version number
     STRING = [MAJOR, MINOR, TINY].compact.join('.')

data/lib/generators/doorkeeper/add_client_confidentiality_generator.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'rails/generators/active_record'
+
+module Doorkeeper
+  class AddClientConfidentialityGenerator < ::Rails::Generators::Base
+    include ::Rails::Generators::Migration
+    source_root File.expand_path('templates', __dir__)
+    desc 'Adds a migration to fix CVE-2018-1000211.'
+
+    def install
+      migration_template(
+        'add_confidential_to_application_migration.rb.erb',
+        'db/migrate/add_confidential_to_doorkeeper_application.rb',
+        migration_version: migration_version
+      )
+    end
+
+    def self.next_migration_number(dirname)
+      ::ActiveRecord::Generators::Base.next_migration_number(dirname)
+    end
+
+    private
+
+    def migration_version
+      if ::ActiveRecord::VERSION::MAJOR >= 5
+        "[#{::ActiveRecord::VERSION::MAJOR}.#{::ActiveRecord::VERSION::MINOR}]"
+      end
+    end
+  end
+end

data/lib/generators/doorkeeper/templates/add_confidential_to_application_migration.rb.erb

@@ -0,0 +1,11 @@
+class AddConfidentialToDoorkeeperApplication < ActiveRecord::Migration<%= migration_version %>
+  def change
+    add_column(
+      :oauth_applications,
+      :confidential,
+      :boolean,
+      null: false,
+      default: true # maintaining backwards compatibility: require secrets
+    )
+  end
+end

data/lib/generators/doorkeeper/templates/migration.rb.erb

@@ -6,6 +6,7 @@ class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
       t.string  :secret,       null: false
       t.text    :redirect_uri, null: false
       t.string  :scopes,       null: false, default: ''
+      t.boolean :confidential, null: false, default: true
       t.timestamps             null: false
     end
 

data/spec/controllers/authorizations_controller_spec.rb

@@ -54,7 +54,7 @@ describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
     end
 
     it 'includes token type in fragment' do
-      expect(response.query_params['token_type']).to eq('bearer')
+      expect(response.query_params['token_type']).to eq('Bearer')
     end
 
     it 'includes token expiration in fragment' do
@@ -164,6 +164,38 @@ describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
     it 'should not issue a token' do
       expect(Doorkeeper::AccessToken.count).to be 0
     end
+
+    context 'with opt_out_native_route_change' do
+      around(:each) do |example|
+        Doorkeeper.configure do
+          orm DOORKEEPER_ORM
+          opt_out_native_route_change
+        end
+
+        Rails.application.reload_routes!
+
+        example.run
+
+        Doorkeeper.configure do
+          orm DOORKEEPER_ORM
+        end
+
+        Rails.application.reload_routes!
+      end
+
+      it 'should redirect immediately' do
+        expect(response).to be_redirect
+        expect(response.location).to match(/oauth\/authorize\/#{Doorkeeper::AccessGrant.first.token}/)
+      end
+
+      it 'should issue a grant' do
+        expect(Doorkeeper::AccessGrant.count).to be 1
+      end
+
+      it 'should not issue a token' do
+        expect(Doorkeeper::AccessToken.count).to be 0
+      end
+    end
   end
 
   describe 'GET #new with skip_authorization true' do
@@ -184,7 +216,7 @@ describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
     end
 
     it 'includes token type in fragment' do
-      expect(response.query_params['token_type']).to eq('bearer')
+      expect(response.query_params['token_type']).to eq('Bearer')
     end
 
     it 'includes token expiration in fragment' do

data/spec/controllers/tokens_controller_spec.rb

@@ -59,15 +59,67 @@ describe Doorkeeper::TokensController do
     end
   end
 
-  describe 'when revoke authorization has failed' do
-    # http://tools.ietf.org/html/rfc7009#section-2.2
-    it 'returns no error response' do
-      token = double(:token, authorize: false, application_id?: true)
-      allow(controller).to receive(:token) { token }
+  # http://tools.ietf.org/html/rfc7009#section-2.2
+  describe 'revoking tokens' do
+    let(:client) { FactoryBot.create(:application) }
+    let(:access_token) { FactoryBot.create(:access_token, application: client) }
+
+    before(:each) do
+      allow(controller).to receive(:token) { access_token }
+    end
+
+    context 'when associated app is public' do
+      let(:client) { FactoryBot.create(:application, confidential: false) }
+
+      it 'returns 200' do
+        post :revoke
+
+        expect(response.status).to eq 200
+      end
+
+      it 'revokes the access token' do
+        post :revoke
+
+        expect(access_token.reload).to have_attributes(revoked?: true)
+      end
+    end
+
+    context 'when associated app is confidential' do
+      let(:client) { FactoryBot.create(:application, confidential: true) }
+      let(:oauth_client) { Doorkeeper::OAuth::Client.new(client) }
 
-      post :revoke
+      before(:each) do
+        allow_any_instance_of(Doorkeeper::Server).to receive(:client) { oauth_client }
+      end
+
+      it 'returns 200' do
+        post :revoke
+
+        expect(response.status).to eq 200
+      end
+
+      it 'revokes the access token' do
+        post :revoke
+
+        expect(access_token.reload).to have_attributes(revoked?: true)
+      end
+
+      context 'when authorization fails' do
+        let(:some_other_client) { FactoryBot.create(:application, confidential: true) }
+        let(:oauth_client) { Doorkeeper::OAuth::Client.new(some_other_client) }
+
+        it 'returns 200' do
+          post :revoke
 
-      expect(response.status).to eq 200
+          expect(response.status).to eq 200
+        end
+
+        it 'does not revoke the access token' do
+          post :revoke
+
+          expect(access_token.reload).to have_attributes(revoked?: false)
+        end
+      end
     end
   end
 

data/spec/dummy/config/initializers/doorkeeper.rb

@@ -29,6 +29,11 @@ Doorkeeper.configure do
   # Issue access tokens with refresh token (disabled by default)
   use_refresh_token
 
+  # Opt out of breaking api change to the native authorization code flow. Opting out sets the authorization
+  # code response route for native redirect uris to oauth/authorize/<code>. The default is oauth/authorize/native?code=<code>.
+  # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/1143
+  # opt_out_native_route_change
+
   # Provide support for an owner to be assigned to each registered application (disabled by default)
   # Optional parameter confirmation: true (default false) if you want to enforce ownership of
   # a registered application

data/spec/dummy/db/migrate/20111122132257_create_users.rb

@@ -1,4 +1,6 @@
-class CreateUsers < ActiveRecord::Migration
+# frozen_string_literal: true
+
+class CreateUsers < ActiveRecord::Migration[4.2]
   def change
     create_table :users do |t|
       t.string :name

data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb

@@ -1,4 +1,6 @@
-class AddPasswordToUsers < ActiveRecord::Migration
+# frozen_string_literal: true
+
+class AddPasswordToUsers < ActiveRecord::Migration[4.2]
   def change
     add_column :users, :password, :string
   end

data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb

@@ -1,4 +1,6 @@
-class CreateDoorkeeperTables < ActiveRecord::Migration
+# frozen_string_literal: true
+
+class CreateDoorkeeperTables < ActiveRecord::Migration[4.2]
   def change
     create_table :oauth_applications do |t|
       t.string  :name,         null: false

data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb

@@ -1,4 +1,6 @@
-class AddOwnerToApplication < ActiveRecord::Migration
+# frozen_string_literal: true
+
+class AddOwnerToApplication < ActiveRecord::Migration[4.2]
   def change
     add_column :oauth_applications, :owner_id, :integer, null: true
     add_column :oauth_applications, :owner_type, :string, null: true

data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb

@@ -1,4 +1,6 @@
-class AddPreviousRefreshTokenToAccessTokens < ActiveRecord::Migration
+# frozen_string_literal: true
+
+class AddPreviousRefreshTokenToAccessTokens < ActiveRecord::Migration[4.2]
   def change
     add_column(
       :oauth_access_tokens,

data/spec/dummy/db/migrate/20180210183654_add_confidential_to_application.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+class AddConfidentialToApplication < ActiveRecord::Migration[5.1]
+  def change
+    add_column(
+      :oauth_applications,
+      :confidential,
+      :boolean,
+      null: false,
+      default: true # maintaining backwards compatibility: require secrets
+    )
+  end
+end

data/spec/dummy/db/schema.rb

@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20160320211015) do
+ActiveRecord::Schema.define(version: 20180210183654) do
 
   create_table "oauth_access_grants", force: :cascade do |t|
     t.integer  "resource_owner_id", null: false
@@ -52,6 +52,7 @@ ActiveRecord::Schema.define(version: 20160320211015) do
     t.datetime "updated_at"
     t.integer  "owner_id"
     t.string   "owner_type"
+    t.boolean "confidential", default: true, null: false
   end
 
   add_index "oauth_applications", ["owner_id", "owner_type"], name: "index_oauth_applications_on_owner_id_and_owner_type"

data/spec/lib/config_spec.rb

@@ -162,6 +162,31 @@ describe Doorkeeper, 'configuration' do
     end
   end
 
+  describe 'opt_out_native_route_change' do
+    around(:each) do |example|
+      Doorkeeper.configure do
+        orm DOORKEEPER_ORM
+        opt_out_native_route_change
+      end
+
+      Rails.application.reload_routes!
+
+      subject { Doorkeeper.configuration }
+
+      example.run
+
+      Doorkeeper.configure do
+        orm DOORKEEPER_ORM
+      end
+
+      Rails.application.reload_routes!
+    end
+
+    it 'sets the native authorization code route /:code' do
+      expect(subject.native_authorization_code_route).to eq('/:code')
+    end
+  end
+
   describe 'client_credentials' do
     it 'has defaults order' do
       expect(subject.client_credentials_methods).to eq([:from_basic, :from_params])

data/spec/lib/oauth/authorization_code_request_spec.rb

@@ -104,5 +104,20 @@ module Doorkeeper::OAuth
         expect(subject.error).to eq(:invalid_grant)
       end
     end
+
+    context "when redirect_uri is the native one" do
+      let(:redirect_uri) { 'urn:ietf:wg:oauth:2.0:oob' }
+
+      it "invalidates when redirect_uri of the grant is not native" do
+        subject.validate
+        expect(subject.error).to eq(:invalid_grant)
+      end
+
+      it "validates when redirect_uri of the grant is also native" do
+        allow(grant).to receive(:redirect_uri) { redirect_uri }
+        subject.validate
+        expect(subject.error).to eq(nil)
+      end
+    end
   end
 end

data/spec/lib/oauth/client/credentials_spec.rb

@@ -7,9 +7,11 @@ class Doorkeeper::OAuth::Client
     let(:client_id) { 'some-uid' }
     let(:client_secret) { 'some-secret' }
 
-    it 'is blank when any of the credentials is blank' do
+    it 'is blank when the uid in credentials is blank' do
+      expect(Credentials.new(nil, nil)).to be_blank
       expect(Credentials.new(nil, 'something')).to be_blank
-      expect(Credentials.new('something', nil)).to be_blank
+      expect(Credentials.new('something', nil)).to be_present
+      expect(Credentials.new('something', 'something')).to be_present
     end
 
     describe :from_request do

data/spec/lib/oauth/helpers/uri_checker_spec.rb

@@ -5,6 +5,11 @@ require 'doorkeeper/oauth/helpers/uri_checker'
 module Doorkeeper::OAuth::Helpers
   describe URIChecker do
     describe '.valid?' do
+      it 'is valid for native uris' do
+        uri = 'urn:ietf:wg:oauth:2.0:oob'
+        expect(URIChecker.valid?(uri)).to be_truthy
+      end
+
       it 'is valid for valid uris' do
         uri = 'http://app.co'
         expect(URIChecker.valid?(uri)).to be_truthy

data/spec/lib/oauth/pre_authorization_spec.rb

@@ -123,14 +123,19 @@ module Doorkeeper::OAuth
       expect(subject.scopes).to eq(Scopes.from_string('default'))
     end
 
-    it 'accepts test uri' do
-      subject.redirect_uri = 'urn:ietf:wg:oauth:2.0:oob'
-      expect(subject).to be_authorizable
-    end
+    context 'with native redirect uri' do
+      let(:native_redirect_uri) { 'urn:ietf:wg:oauth:2.0:oob' }
 
-    it 'matches the redirect uri against client\'s one' do
-      subject.redirect_uri = 'http://nothesame.com'
-      expect(subject).not_to be_authorizable
+      it 'accepts redirect_uri when it matches with the client' do
+        subject.redirect_uri = native_redirect_uri
+        allow(subject.client).to receive(:redirect_uri) { native_redirect_uri }
+        expect(subject).to be_authorizable
+      end
+
+      it 'invalidates redirect_uri when it does\'n match with the client' do
+        subject.redirect_uri = native_redirect_uri
+        expect(subject).not_to be_authorizable
+      end
     end
 
     it 'stores the state' do

data/spec/models/doorkeeper/application_spec.rb

@@ -49,6 +49,11 @@ module Doorkeeper
       expect(new_application).not_to be_valid
     end
 
+    it 'is invalid without determining confidentiality' do
+      new_application.confidential = nil
+      expect(new_application).not_to be_valid
+    end
+
     it 'generates uid on create' do
       expect(new_application.uid).to be_nil
       new_application.save
@@ -201,11 +206,97 @@ module Doorkeeper
       end
     end
 
-    describe :authenticate do
-      it 'finds the application via uid/secret' do
-        app = FactoryBot.create :application
-        authenticated = Application.by_uid_and_secret(app.uid, app.secret)
-        expect(authenticated).to eq(app)
+    describe :by_uid_and_secret do
+      context "when application is private/confidential" do
+        it "finds the application via uid/secret" do
+          app = FactoryBot.create :application
+          authenticated = Application.by_uid_and_secret(app.uid, app.secret)
+          expect(authenticated).to eq(app)
+        end
+        context "when secret is wrong" do
+          it "should not find the application" do
+            app = FactoryBot.create :application
+            authenticated = Application.by_uid_and_secret(app.uid, 'bad')
+            expect(authenticated).to eq(nil)
+          end
+        end
+      end
+
+      context "when application is public/non-confidential" do
+        context "when secret is blank" do
+          it "should find the application" do
+            app = FactoryBot.create :application, confidential: false
+            authenticated = Application.by_uid_and_secret(app.uid, nil)
+            expect(authenticated).to eq(app)
+          end
+        end
+        context "when secret is wrong" do
+          it "should not find the application" do
+            app = FactoryBot.create :application, confidential: false
+            authenticated = Application.by_uid_and_secret(app.uid, 'bad')
+            expect(authenticated).to eq(nil)
+          end
+        end
+      end
+    end
+
+    describe :confidential? do
+      subject { FactoryBot.create(:application, confidential: confidential).confidential? }
+
+      context 'when application is private/confidential' do
+        let(:confidential) { true }
+        it { expect(subject).to eq(true) }
+      end
+
+      context 'when application is public/non-confidential' do
+        let(:confidential) { false }
+        it { expect(subject).to eq(false) }
+      end
+    end
+
+    describe :confidential do
+      subject { FactoryBot.create(:application, confidential: confidential).confidential }
+
+      context 'when application is private/confidential' do
+        let(:confidential) { true }
+        it { expect(subject).to eq(true) }
+      end
+
+      context 'when application is public/non-confidential' do
+        let(:confidential) { false }
+        it { expect(subject).to eq(false) }
+      end
+
+      context 'when the application does not support confidentiality' do
+        let(:confidential) { false }
+
+        before { allow(Application).to receive(:supports_confidentiality?).and_return(false) }
+
+        it 'warns of the CVE' do
+          expect(ActiveSupport::Deprecation).to receive(:warn).with(
+            'You are susceptible to security bug ' \
+            'CVE-2018-1000211. Please follow instructions outlined in ' \
+            'Doorkeeper::CVE_2018_1000211_WARNING'
+          )
+          Application.new.confidential
+        end
+
+        it { expect(subject).to eq(true) }
+      end
+    end
+
+    describe :supports_confidentiality? do
+      context 'when no column' do
+        it 'returns false' do
+          expect(Application).to receive(:column_names).and_return(%w[foo bar])
+          expect(Application.supports_confidentiality?).to eq(false)
+        end
+      end
+      context 'when column' do
+        it 'returns true' do
+          expect(Application).to receive(:column_names).and_return(%w[foo bar confidential])
+          expect(Application.supports_confidentiality?).to eq(true)
+        end
       end
     end
   end

data/spec/requests/flows/authorization_code_spec.rb

@@ -53,7 +53,7 @@ feature 'Authorization Code Flow' do
     should_not_have_json 'error'
 
     should_have_json 'access_token', Doorkeeper::AccessToken.first.token
-    should_have_json 'token_type', 'bearer'
+    should_have_json 'token_type', 'Bearer'
     should_have_json_within 'expires_in', Doorkeeper::AccessToken.first.expires_in, 1
   end
 

data/spec/requests/flows/password_spec.rb

@@ -10,46 +10,89 @@ describe 'Resource Owner Password Credentials Flow not set up' do
     it 'doesn\'t issue new token' do
       expect do
         post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-      end.to_not change { Doorkeeper::AccessToken.count }
+      end.to_not(change { Doorkeeper::AccessToken.count })
     end
   end
 end
 
 describe 'Resource Owner Password Credentials Flow' do
+  let(:client_attributes) { {} }
+
   before do
     config_is_set(:grant_flows, ["password"])
     config_is_set(:resource_owner_from_credentials) { User.authenticate! params[:username], params[:password] }
-    client_exists
+    client_exists(client_attributes)
     create_resource_owner
   end
 
   context 'with valid user credentials' do
-    it 'should issue new token with confidential client' do
-      expect do
-        post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-      end.to change { Doorkeeper::AccessToken.count }.by(1)
+    context "with non-confidential/public client" do
+      let(:client_attributes) { { confidential: false } }
 
-      token = Doorkeeper::AccessToken.first
+      context "when client_secret absent" do
+        it "should issue new token" do
+          expect do
+            post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
+          end.to change { Doorkeeper::AccessToken.count }.by(1)
 
-      expect(token.application_id).to eq @client.id
-      should_have_json 'access_token', token.token
+          token = Doorkeeper::AccessToken.first
+
+          expect(token.application_id).to eq @client.id
+          should_have_json 'access_token', token.token
+        end
+      end
+
+      context "when client_secret present" do
+        it "should issue new token" do
+          expect do
+            post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
+          end.to change { Doorkeeper::AccessToken.count }.by(1)
+
+          token = Doorkeeper::AccessToken.first
+
+          expect(token.application_id).to eq @client.id
+          should_have_json 'access_token', token.token
+        end
+
+        context "when client_secret incorrect" do
+          it "should not issue new token" do
+            expect do
+              post password_token_endpoint_url(client_id: @client.uid, client_secret: 'foobar', resource_owner: @resource_owner)
+            end.not_to(change { Doorkeeper::AccessToken.count })
+
+            expect(response).not_to be_ok
+          end
+        end
+      end
     end
 
-    it 'should issue new token with public client (only client_id present)' do
-      expect do
-        post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
-      end.to change { Doorkeeper::AccessToken.count }.by(1)
+    context "with confidential/private client" do
+      it "should issue new token" do
+        expect do
+          post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
+        end.to change { Doorkeeper::AccessToken.count }.by(1)
 
-      token = Doorkeeper::AccessToken.first
+        token = Doorkeeper::AccessToken.first
 
-      expect(token.application_id).to eq @client.id
-      should_have_json 'access_token', token.token
+        expect(token.application_id).to eq @client.id
+        should_have_json 'access_token', token.token
+      end
+
+      context "when client_secret absent" do
+        it "should not issue new token" do
+          expect do
+            post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
+          end.not_to(change { Doorkeeper::AccessToken.count })
+
+          expect(response).not_to be_ok
+        end
+      end
     end
 
     it 'should issue new token without client credentials' do
       expect do
         post password_token_endpoint_url(resource_owner: @resource_owner)
-      end.to change { Doorkeeper::AccessToken.count }.by(1)
+      end.to(change { Doorkeeper::AccessToken.count }.by(1))
 
       token = Doorkeeper::AccessToken.first
 
@@ -124,13 +167,13 @@ describe 'Resource Owner Password Credentials Flow' do
         post password_token_endpoint_url(client: @client,
                                          resource_owner_username: @resource_owner.name,
                                          resource_owner_password: 'wrongpassword')
-      end.to_not change { Doorkeeper::AccessToken.count }
+      end.to_not(change { Doorkeeper::AccessToken.count })
     end
 
     it 'should not issue new token without credentials' do
       expect do
         post password_token_endpoint_url(client: @client)
-      end.to_not change { Doorkeeper::AccessToken.count }
+      end.to_not(change { Doorkeeper::AccessToken.count })
     end
   end
 
@@ -140,7 +183,7 @@ describe 'Resource Owner Password Credentials Flow' do
         post password_token_endpoint_url(client_id: @client.uid,
                                          client_secret: 'bad_secret',
                                          resource_owner: @resource_owner)
-      end.to_not change { Doorkeeper::AccessToken.count }
+      end.to_not(change { Doorkeeper::AccessToken.count })
     end
   end
 
@@ -148,7 +191,7 @@ describe 'Resource Owner Password Credentials Flow' do
     it 'should not issue new token with bad client id' do
       expect do
         post password_token_endpoint_url(client_id: 'bad_id', resource_owner: @resource_owner)
-      end.to_not change { Doorkeeper::AccessToken.count }
+      end.to_not(change { Doorkeeper::AccessToken.count })
     end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper
 version: !ruby/object:Gem::Version
-  version: 4.3.2
+  version: 4.4.3
 platform: ruby
 authors:
 - Felipe Elias Philipp
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-03-28 00:00:00.000000000 Z
+date: 2018-09-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -259,11 +259,13 @@ files:
 - lib/doorkeeper/server.rb
 - lib/doorkeeper/validations.rb
 - lib/doorkeeper/version.rb
+- lib/generators/doorkeeper/add_client_confidentiality_generator.rb
 - lib/generators/doorkeeper/application_owner_generator.rb
 - lib/generators/doorkeeper/install_generator.rb
 - lib/generators/doorkeeper/migration_generator.rb
 - lib/generators/doorkeeper/previous_refresh_token_generator.rb
 - lib/generators/doorkeeper/templates/README
+- lib/generators/doorkeeper/templates/add_confidential_to_application_migration.rb.erb
 - lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb
 - lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb.erb
 - lib/generators/doorkeeper/templates/initializer.rb
@@ -307,6 +309,7 @@ files:
 - spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb
 - spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb
 - spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb
+- spec/dummy/db/migrate/20180210183654_add_confidential_to_application.rb
 - spec/dummy/db/schema.rb
 - spec/dummy/public/404.html
 - spec/dummy/public/422.html
@@ -397,7 +400,25 @@ homepage: https://github.com/doorkeeper-gem/doorkeeper
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message: |2+
+
+
+    WARNING: This is a security release that addresses token revocation not working for public apps (CVE-2018-1000211)
+
+    There is no breaking change in this release, however to take advantage of the security fix you must:
+
+      1. Run `rails generate doorkeeper:add_client_confidentiality` for the migration
+      2. Review your OAuth apps and determine which ones exclusively use public grant flows (eg implicit)
+      3. Update their `confidential` column to `false` for those public apps
+
+    This is a backported security release.
+
+    For more information:
+
+      * https://github.com/doorkeeper-gem/doorkeeper/pull/1119
+      * https://github.com/doorkeeper-gem/doorkeeper/issues/891
+
+
 rdoc_options: []
 require_paths:
 - lib
@@ -456,6 +477,7 @@ test_files:
 - spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb
 - spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb
 - spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb
+- spec/dummy/db/migrate/20180210183654_add_confidential_to_application.rb
 - spec/dummy/db/schema.rb
 - spec/dummy/public/404.html
 - spec/dummy/public/422.html