doorkeeper 4.4.0 → 5.6.6

Files changed (284) hide show
  1. checksums.yaml +5 -5
  2. data/{NEWS.md → CHANGELOG.md} +471 -16
  3. data/README.md +108 -403
  4. data/app/assets/stylesheets/doorkeeper/admin/application.css +2 -2
  5. data/app/controllers/doorkeeper/application_controller.rb +8 -5
  6. data/app/controllers/doorkeeper/application_metal_controller.rb +7 -11
  7. data/app/controllers/doorkeeper/applications_controller.rb +62 -27
  8. data/app/controllers/doorkeeper/authorizations_controller.rb +112 -18
  9. data/app/controllers/doorkeeper/authorized_applications_controller.rb +22 -3
  10. data/app/controllers/doorkeeper/token_info_controller.rb +16 -4
  11. data/app/controllers/doorkeeper/tokens_controller.rb +104 -35
  12. data/app/helpers/doorkeeper/dashboard_helper.rb +9 -7
  13. data/app/views/doorkeeper/applications/_delete_form.html.erb +3 -1
  14. data/app/views/doorkeeper/applications/_form.html.erb +27 -26
  15. data/app/views/doorkeeper/applications/edit.html.erb +1 -1
  16. data/app/views/doorkeeper/applications/index.html.erb +17 -7
  17. data/app/views/doorkeeper/applications/new.html.erb +1 -1
  18. data/app/views/doorkeeper/applications/show.html.erb +38 -17
  19. data/app/views/doorkeeper/authorizations/error.html.erb +4 -2
  20. data/app/views/doorkeeper/authorizations/form_post.html.erb +15 -0
  21. data/app/views/doorkeeper/authorizations/new.html.erb +16 -10
  22. data/app/views/layouts/doorkeeper/admin.html.erb +16 -14
  23. data/config/locales/en.yml +28 -5
  24. data/lib/doorkeeper/config/abstract_builder.rb +28 -0
  25. data/lib/doorkeeper/config/option.rb +82 -0
  26. data/lib/doorkeeper/config/validations.rb +53 -0
  27. data/lib/doorkeeper/config.rb +477 -142
  28. data/lib/doorkeeper/engine.rb +17 -4
  29. data/lib/doorkeeper/errors.rb +25 -16
  30. data/lib/doorkeeper/grant_flow/fallback_flow.rb +15 -0
  31. data/lib/doorkeeper/grant_flow/flow.rb +44 -0
  32. data/lib/doorkeeper/grant_flow/registry.rb +50 -0
  33. data/lib/doorkeeper/grant_flow.rb +45 -0
  34. data/lib/doorkeeper/grape/authorization_decorator.rb +6 -4
  35. data/lib/doorkeeper/grape/helpers.rb +13 -7
  36. data/lib/doorkeeper/helpers/controller.rb +43 -10
  37. data/lib/doorkeeper/models/access_grant_mixin.rb +97 -3
  38. data/lib/doorkeeper/models/access_token_mixin.rb +273 -67
  39. data/lib/doorkeeper/models/application_mixin.rb +50 -5
  40. data/lib/doorkeeper/models/concerns/accessible.rb +2 -0
  41. data/lib/doorkeeper/models/concerns/expirable.rb +7 -3
  42. data/lib/doorkeeper/models/concerns/expiration_time_sql_math.rb +88 -0
  43. data/lib/doorkeeper/models/concerns/orderable.rb +2 -0
  44. data/lib/doorkeeper/models/concerns/ownership.rb +4 -7
  45. data/lib/doorkeeper/models/concerns/polymorphic_resource_owner.rb +30 -0
  46. data/lib/doorkeeper/models/concerns/resource_ownerable.rb +47 -0
  47. data/lib/doorkeeper/models/concerns/reusable.rb +19 -0
  48. data/lib/doorkeeper/models/concerns/revocable.rb +3 -27
  49. data/lib/doorkeeper/models/concerns/scopes.rb +12 -2
  50. data/lib/doorkeeper/models/concerns/secret_storable.rb +106 -0
  51. data/lib/doorkeeper/oauth/authorization/code.rb +54 -12
  52. data/lib/doorkeeper/oauth/authorization/context.rb +17 -0
  53. data/lib/doorkeeper/oauth/authorization/token.rb +64 -24
  54. data/lib/doorkeeper/oauth/authorization/uri_builder.rb +7 -5
  55. data/lib/doorkeeper/oauth/authorization_code_request.rb +69 -11
  56. data/lib/doorkeeper/oauth/base_request.rb +36 -24
  57. data/lib/doorkeeper/oauth/base_response.rb +2 -0
  58. data/lib/doorkeeper/oauth/client/credentials.rb +5 -5
  59. data/lib/doorkeeper/oauth/client.rb +10 -11
  60. data/lib/doorkeeper/oauth/client_credentials/creator.rb +44 -4
  61. data/lib/doorkeeper/oauth/client_credentials/issuer.rb +16 -9
  62. data/lib/doorkeeper/oauth/client_credentials/validator.rb +55 -0
  63. data/lib/doorkeeper/oauth/client_credentials_request.rb +10 -11
  64. data/lib/doorkeeper/oauth/code_request.rb +8 -12
  65. data/lib/doorkeeper/oauth/code_response.rb +27 -15
  66. data/lib/doorkeeper/oauth/error.rb +3 -1
  67. data/lib/doorkeeper/oauth/error_response.rb +34 -14
  68. data/lib/doorkeeper/oauth/forbidden_token_response.rb +11 -3
  69. data/lib/doorkeeper/oauth/helpers/scope_checker.rb +23 -18
  70. data/lib/doorkeeper/oauth/helpers/unique_token.rb +20 -3
  71. data/lib/doorkeeper/oauth/helpers/uri_checker.rb +42 -6
  72. data/lib/doorkeeper/oauth/hooks/context.rb +21 -0
  73. data/lib/doorkeeper/oauth/invalid_request_response.rb +43 -0
  74. data/lib/doorkeeper/oauth/invalid_token_response.rb +29 -4
  75. data/lib/doorkeeper/oauth/nonstandard.rb +39 -0
  76. data/lib/doorkeeper/oauth/password_access_token_request.rb +43 -10
  77. data/lib/doorkeeper/oauth/pre_authorization.rb +136 -26
  78. data/lib/doorkeeper/oauth/refresh_token_request.rb +67 -31
  79. data/lib/doorkeeper/oauth/scopes.rb +8 -4
  80. data/lib/doorkeeper/oauth/token.rb +12 -8
  81. data/lib/doorkeeper/oauth/token_introspection.rb +99 -25
  82. data/lib/doorkeeper/oauth/token_request.rb +8 -20
  83. data/lib/doorkeeper/oauth/token_response.rb +13 -10
  84. data/lib/doorkeeper/oauth.rb +13 -0
  85. data/lib/doorkeeper/orm/active_record/access_grant.rb +5 -30
  86. data/lib/doorkeeper/orm/active_record/access_token.rb +5 -43
  87. data/lib/doorkeeper/orm/active_record/application.rb +6 -57
  88. data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +63 -0
  89. data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +77 -0
  90. data/lib/doorkeeper/orm/active_record/mixins/application.rb +210 -0
  91. data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb +66 -0
  92. data/lib/doorkeeper/orm/active_record/stale_records_cleaner.rb +36 -0
  93. data/lib/doorkeeper/orm/active_record.rb +31 -20
  94. data/lib/doorkeeper/rails/helpers.rb +10 -8
  95. data/lib/doorkeeper/rails/routes/abstract_router.rb +35 -0
  96. data/lib/doorkeeper/rails/routes/mapper.rb +4 -2
  97. data/lib/doorkeeper/rails/routes/mapping.rb +9 -7
  98. data/lib/doorkeeper/rails/routes/registry.rb +45 -0
  99. data/lib/doorkeeper/rails/routes.rb +45 -25
  100. data/lib/doorkeeper/rake/db.rake +40 -0
  101. data/lib/doorkeeper/rake/setup.rake +6 -0
  102. data/lib/doorkeeper/rake.rb +14 -0
  103. data/lib/doorkeeper/request/authorization_code.rb +6 -4
  104. data/lib/doorkeeper/request/client_credentials.rb +3 -3
  105. data/lib/doorkeeper/request/code.rb +1 -1
  106. data/lib/doorkeeper/request/password.rb +4 -3
  107. data/lib/doorkeeper/request/refresh_token.rb +6 -5
  108. data/lib/doorkeeper/request/strategy.rb +4 -2
  109. data/lib/doorkeeper/request/token.rb +1 -1
  110. data/lib/doorkeeper/request.rb +61 -34
  111. data/lib/doorkeeper/secret_storing/base.rb +64 -0
  112. data/lib/doorkeeper/secret_storing/bcrypt.rb +60 -0
  113. data/lib/doorkeeper/secret_storing/plain.rb +33 -0
  114. data/lib/doorkeeper/secret_storing/sha256_hash.rb +26 -0
  115. data/lib/doorkeeper/server.rb +9 -11
  116. data/lib/doorkeeper/stale_records_cleaner.rb +24 -0
  117. data/lib/doorkeeper/validations.rb +2 -0
  118. data/lib/doorkeeper/version.rb +7 -29
  119. data/lib/doorkeeper.rb +180 -65
  120. data/lib/generators/doorkeeper/application_owner_generator.rb +24 -18
  121. data/lib/generators/doorkeeper/confidential_applications_generator.rb +33 -0
  122. data/lib/generators/doorkeeper/enable_polymorphic_resource_owner_generator.rb +39 -0
  123. data/lib/generators/doorkeeper/install_generator.rb +19 -9
  124. data/lib/generators/doorkeeper/migration_generator.rb +23 -18
  125. data/lib/generators/doorkeeper/pkce_generator.rb +33 -0
  126. data/lib/generators/doorkeeper/previous_refresh_token_generator.rb +28 -22
  127. data/{spec/dummy/db/migrate/20180210183654_add_confidential_to_application.rb → lib/generators/doorkeeper/templates/add_confidential_to_applications.rb.erb} +2 -2
  128. data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +3 -1
  129. data/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb.erb +2 -0
  130. data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +8 -0
  131. data/lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb +17 -0
  132. data/lib/generators/doorkeeper/templates/initializer.rb +402 -32
  133. data/lib/generators/doorkeeper/templates/migration.rb.erb +47 -18
  134. data/lib/generators/doorkeeper/views_generator.rb +8 -4
  135. data/vendor/assets/stylesheets/doorkeeper/bootstrap.min.css +4 -5
  136. metadata +97 -309
  137. data/.coveralls.yml +0 -1
  138. data/.github/ISSUE_TEMPLATE.md +0 -25
  139. data/.github/PULL_REQUEST_TEMPLATE.md +0 -17
  140. data/.gitignore +0 -19
  141. data/.hound.yml +0 -2
  142. data/.rspec +0 -1
  143. data/.rubocop.yml +0 -17
  144. data/.travis.yml +0 -38
  145. data/Appraisals +0 -18
  146. data/CODE_OF_CONDUCT.md +0 -46
  147. data/CONTRIBUTING.md +0 -47
  148. data/Gemfile +0 -10
  149. data/RELEASING.md +0 -10
  150. data/Rakefile +0 -20
  151. data/SECURITY.md +0 -15
  152. data/app/validators/redirect_uri_validator.rb +0 -44
  153. data/doorkeeper.gemspec +0 -32
  154. data/gemfiles/rails_4_2.gemfile +0 -13
  155. data/gemfiles/rails_5_0.gemfile +0 -12
  156. data/gemfiles/rails_5_1.gemfile +0 -12
  157. data/gemfiles/rails_5_2.gemfile +0 -12
  158. data/gemfiles/rails_master.gemfile +0 -14
  159. data/lib/doorkeeper/oauth/client_credentials/validation.rb +0 -45
  160. data/lib/generators/doorkeeper/add_client_confidentiality_generator.rb +0 -31
  161. data/lib/generators/doorkeeper/templates/add_confidential_to_application_migration.rb.erb +0 -11
  162. data/spec/controllers/application_metal_controller.rb +0 -10
  163. data/spec/controllers/applications_controller_spec.rb +0 -69
  164. data/spec/controllers/authorizations_controller_spec.rb +0 -218
  165. data/spec/controllers/protected_resources_controller_spec.rb +0 -309
  166. data/spec/controllers/token_info_controller_spec.rb +0 -56
  167. data/spec/controllers/tokens_controller_spec.rb +0 -274
  168. data/spec/dummy/Rakefile +0 -7
  169. data/spec/dummy/app/controllers/application_controller.rb +0 -3
  170. data/spec/dummy/app/controllers/custom_authorizations_controller.rb +0 -7
  171. data/spec/dummy/app/controllers/full_protected_resources_controller.rb +0 -12
  172. data/spec/dummy/app/controllers/home_controller.rb +0 -17
  173. data/spec/dummy/app/controllers/metal_controller.rb +0 -11
  174. data/spec/dummy/app/controllers/semi_protected_resources_controller.rb +0 -11
  175. data/spec/dummy/app/helpers/application_helper.rb +0 -5
  176. data/spec/dummy/app/models/user.rb +0 -5
  177. data/spec/dummy/app/views/home/index.html.erb +0 -0
  178. data/spec/dummy/app/views/layouts/application.html.erb +0 -14
  179. data/spec/dummy/config/application.rb +0 -23
  180. data/spec/dummy/config/boot.rb +0 -9
  181. data/spec/dummy/config/database.yml +0 -15
  182. data/spec/dummy/config/environment.rb +0 -5
  183. data/spec/dummy/config/environments/development.rb +0 -29
  184. data/spec/dummy/config/environments/production.rb +0 -62
  185. data/spec/dummy/config/environments/test.rb +0 -44
  186. data/spec/dummy/config/initializers/backtrace_silencers.rb +0 -7
  187. data/spec/dummy/config/initializers/doorkeeper.rb +0 -107
  188. data/spec/dummy/config/initializers/new_framework_defaults.rb +0 -6
  189. data/spec/dummy/config/initializers/secret_token.rb +0 -8
  190. data/spec/dummy/config/initializers/session_store.rb +0 -8
  191. data/spec/dummy/config/initializers/wrap_parameters.rb +0 -14
  192. data/spec/dummy/config/locales/doorkeeper.en.yml +0 -5
  193. data/spec/dummy/config/routes.rb +0 -52
  194. data/spec/dummy/config.ru +0 -4
  195. data/spec/dummy/db/migrate/20111122132257_create_users.rb +0 -11
  196. data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb +0 -7
  197. data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +0 -62
  198. data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb +0 -9
  199. data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb +0 -13
  200. data/spec/dummy/db/schema.rb +0 -68
  201. data/spec/dummy/public/404.html +0 -26
  202. data/spec/dummy/public/422.html +0 -26
  203. data/spec/dummy/public/500.html +0 -26
  204. data/spec/dummy/public/favicon.ico +0 -0
  205. data/spec/dummy/script/rails +0 -6
  206. data/spec/factories.rb +0 -28
  207. data/spec/generators/application_owner_generator_spec.rb +0 -41
  208. data/spec/generators/install_generator_spec.rb +0 -31
  209. data/spec/generators/migration_generator_spec.rb +0 -41
  210. data/spec/generators/previous_refresh_token_generator_spec.rb +0 -57
  211. data/spec/generators/templates/routes.rb +0 -3
  212. data/spec/generators/views_generator_spec.rb +0 -27
  213. data/spec/grape/grape_integration_spec.rb +0 -135
  214. data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +0 -24
  215. data/spec/lib/config_spec.rb +0 -437
  216. data/spec/lib/doorkeeper_spec.rb +0 -150
  217. data/spec/lib/models/expirable_spec.rb +0 -50
  218. data/spec/lib/models/revocable_spec.rb +0 -59
  219. data/spec/lib/models/scopes_spec.rb +0 -43
  220. data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -41
  221. data/spec/lib/oauth/authorization_code_request_spec.rb +0 -108
  222. data/spec/lib/oauth/base_request_spec.rb +0 -155
  223. data/spec/lib/oauth/base_response_spec.rb +0 -45
  224. data/spec/lib/oauth/client/credentials_spec.rb +0 -90
  225. data/spec/lib/oauth/client_credentials/creator_spec.rb +0 -44
  226. data/spec/lib/oauth/client_credentials/issuer_spec.rb +0 -86
  227. data/spec/lib/oauth/client_credentials/validation_spec.rb +0 -54
  228. data/spec/lib/oauth/client_credentials_integration_spec.rb +0 -27
  229. data/spec/lib/oauth/client_credentials_request_spec.rb +0 -105
  230. data/spec/lib/oauth/client_spec.rb +0 -39
  231. data/spec/lib/oauth/code_request_spec.rb +0 -43
  232. data/spec/lib/oauth/code_response_spec.rb +0 -34
  233. data/spec/lib/oauth/error_response_spec.rb +0 -61
  234. data/spec/lib/oauth/error_spec.rb +0 -23
  235. data/spec/lib/oauth/forbidden_token_response_spec.rb +0 -23
  236. data/spec/lib/oauth/helpers/scope_checker_spec.rb +0 -64
  237. data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -20
  238. data/spec/lib/oauth/helpers/uri_checker_spec.rb +0 -213
  239. data/spec/lib/oauth/invalid_token_response_spec.rb +0 -56
  240. data/spec/lib/oauth/password_access_token_request_spec.rb +0 -96
  241. data/spec/lib/oauth/pre_authorization_spec.rb +0 -155
  242. data/spec/lib/oauth/refresh_token_request_spec.rb +0 -166
  243. data/spec/lib/oauth/scopes_spec.rb +0 -149
  244. data/spec/lib/oauth/token_request_spec.rb +0 -96
  245. data/spec/lib/oauth/token_response_spec.rb +0 -85
  246. data/spec/lib/oauth/token_spec.rb +0 -116
  247. data/spec/lib/request/strategy_spec.rb +0 -53
  248. data/spec/lib/server_spec.rb +0 -59
  249. data/spec/models/doorkeeper/access_grant_spec.rb +0 -36
  250. data/spec/models/doorkeeper/access_token_spec.rb +0 -418
  251. data/spec/models/doorkeeper/application_spec.rb +0 -286
  252. data/spec/requests/applications/applications_request_spec.rb +0 -94
  253. data/spec/requests/applications/authorized_applications_spec.rb +0 -30
  254. data/spec/requests/endpoints/authorization_spec.rb +0 -71
  255. data/spec/requests/endpoints/token_spec.rb +0 -71
  256. data/spec/requests/flows/authorization_code_errors_spec.rb +0 -76
  257. data/spec/requests/flows/authorization_code_spec.rb +0 -149
  258. data/spec/requests/flows/client_credentials_spec.rb +0 -86
  259. data/spec/requests/flows/implicit_grant_errors_spec.rb +0 -32
  260. data/spec/requests/flows/implicit_grant_spec.rb +0 -61
  261. data/spec/requests/flows/password_spec.rb +0 -197
  262. data/spec/requests/flows/refresh_token_spec.rb +0 -174
  263. data/spec/requests/flows/revoke_token_spec.rb +0 -157
  264. data/spec/requests/flows/skip_authorization_spec.rb +0 -59
  265. data/spec/requests/protected_resources/metal_spec.rb +0 -14
  266. data/spec/requests/protected_resources/private_api_spec.rb +0 -81
  267. data/spec/routing/custom_controller_routes_spec.rb +0 -75
  268. data/spec/routing/default_routes_spec.rb +0 -39
  269. data/spec/routing/scoped_routes_spec.rb +0 -31
  270. data/spec/spec_helper.rb +0 -4
  271. data/spec/spec_helper_integration.rb +0 -74
  272. data/spec/support/dependencies/factory_girl.rb +0 -2
  273. data/spec/support/helpers/access_token_request_helper.rb +0 -11
  274. data/spec/support/helpers/authorization_request_helper.rb +0 -41
  275. data/spec/support/helpers/config_helper.rb +0 -9
  276. data/spec/support/helpers/model_helper.rb +0 -72
  277. data/spec/support/helpers/request_spec_helper.rb +0 -88
  278. data/spec/support/helpers/url_helper.rb +0 -56
  279. data/spec/support/http_method_shim.rb +0 -38
  280. data/spec/support/orm/active_record.rb +0 -3
  281. data/spec/support/shared/controllers_shared_context.rb +0 -65
  282. data/spec/support/shared/models_shared_examples.rb +0 -52
  283. data/spec/validators/redirect_uri_validator_spec.rb +0 -123
  284. data/spec/version/version_spec.rb +0 -15
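--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
-SHA1:
-metadata.gz: f0d71c132c7d1ccefc8c14eb694b17390f294153
-data.tar.gz: db67a65aac1502b753acb20ea125fa4b5a87b613
+SHA256:
+metadata.gz: b62a0472a97d06b40362817c9d5c0dd7dd6e0d0e600437a19f5cf2fd18c4be46
+data.tar.gz: 9850cef14c21a1f0df2fb451a485ab5b8066360a3008124f7aed287409364e36
 SHA512:
-metadata.gz: fd03d7d674e053e08d4eaaa5b71d60290983d1d0376bddf4eacd01c903bffbf495dac6d3c56ff4e42cd91a47084eebb8332332553e239eb964cf79a0949087d0
-data.tar.gz: 12873f75f22927c542c3d3bd739b5b1ec1ed0b89135bd1e492106e5d94d4485f8ca0fc89b6dcedf1d5a8707d9ff3cfc9f6c4d539a51a86c7dd23633477adfc57
+metadata.gz: de0c7021c4735b26249e5b267db11ede06f55b23d8f9bd51641d1cf3eee3812e14a2deec986e8aa6ee81de98097083fdb634a441fd4928cb47286fa977ba5d96
+data.tar.gz: 3865639c837771ceeafceec8a110e506f88fef45c61f7274782c637e794f9185be18ee98270852bac6fecb0fc90e4893dfed08d715c761507e87396e5a559bc2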
@@ -1,13 +1,471 @@
1
- # News
1
+ # Changelog
2
+
3
+ See https://github.com/doorkeeper-gem/doorkeeper/wiki/Migration-from-old-versions for
4
+ upgrade guides.
2
5
 
3
6
  User-visible changes worth mentioning.
4
7
 
5
- ## master
8
+ ## main
9
+
10
+ - [#ID] Add your PR description here.
11
+
12
+ ## 5.6.6
13
+
14
+ - [#1644] Update HTTP headers.
15
+ - [#1646] Block public clients automatic authorization skip.
16
+ - [#1648] Add custom token attributes to Refresh Token Request.
17
+ - [#1649] Fixed custom_access_token_attributes related errors.
18
+
19
+ # 5.6.5
20
+
21
+ - [#1602] Allow custom data to be stored inside access grants/tokens.
22
+ - [#1634] Code refactoring for custom token attributes.
23
+ - [#1639] Add grant type validation to avoid Internal Server Error for DELETE /oauth/authorize endpoint.
24
+
25
+ # 5.6.4
26
+
27
+ - [#1633] Apply ORM configuration in #to_prepare block to avoid autoloading errors.
28
+
29
+ # 5.6.3
30
+
31
+ - [#1622] Drop support for Rubies 2.5 and 2.6
32
+ - [#1605] Fix URI validation for Ruby 3.2+.
33
+ - [#1625] Exclude endless access tokens from `StaleRecordsCleaner`.
34
+ - [#1626] Remove deprecated `active_record_options` config option.
35
+ - [#1631] Fix regression with redirect behavior after token lookup optimizations (redirect to app URI when found).
36
+ - [#1630] Special case unique index creation for refresh_token on SQL Server.
37
+ - [#1627] Lazy evaluate Doorkeeper config when loading files and executing initializers.
38
+
39
+ ## 5.6.2
40
+
41
+ - [#1604] Fix fetching of the application when custom application_class defined.
42
+
43
+ ## 5.6.1
44
+
45
+ - [#1593] Add support for Trilogy ActiveRecord adapter.
46
+ - [#1597] Add optional support to use the url path for the native authorization code flow. Ports forward [#1143] from 4.4.3
47
+ - [#1599] Remove unnecessarily re-fetch of application object when creating an access token.
48
+
49
+ ## 5.6.0
50
+
51
+ - [#1581] Consider `token_type_hint` when searching for access token in TokensController to avoid extra database calls.
52
+
53
+ ## 5.6.0.rc2
54
+
55
+ - [#1558] Fixed bug: able to obtain a token with default scopes even if they are not present in the
56
+ application scopes when using client credentials.
57
+ - [#1567] Only filter `code` parameter if authorization_code grant flow is enabled.
58
+
59
+ ## 5.6.0.rc1
60
+
61
+ - [#1551] Change lazy loading for ORM to be Ruby standard autoload.
62
+ - [#1552] Remove duplicate IDs on Auth form to improve accessibility.
63
+ - [#1542] Improve performance of `Doorkeeper::AccessToken#matching_token_for` using database specific SQL time math.
64
+
65
+ **[IMPORTANT]**: API of the `Doorkeeper::AccessToken#matching_token_for` method has changed and now it returns
66
+ only **active** access tokens (previously they were just not revoked). Please remember that the idea of the
67
+ `reuse_access_token` option is to check for existing _active_ token (see configuration option description).
68
+
69
+ ## 5.5.4
70
+
71
+ - [#1535] Revert changes introduced in #1528 to allow query params in `redirect_uri` as per the spec.
72
+
73
+ ## 5.5.3
74
+
75
+ - [#1528] Don't allow extra query params in redirect_uri.
76
+ - [#1525] I18n source for forbidden token error is now `doorkeeper.errors.messages.forbidden_token.missing_scope`.
77
+ - [#1531] Disable `strict-loading` for Doorkeeper models by default.
78
+ - [#1532] Add support for Rails 7.
79
+
80
+ ## 5.5.2
81
+
82
+ - [#1502] Drop support for Ruby 2.4 because of EOL.
83
+ - [#1504] Updated the url fragment in the comment for code documentation.
84
+ - [#1512] Fix form behavior when response mode is form_post.
85
+ - [#1511] Fix that authorization code is returned by fragment if response_mode is fragment.
86
+
87
+ ## 5.5.1
88
+
89
+ - [#1496] Revoke `old_refresh_token` if `previous_refresh_token` is present.
90
+ - [#1495] Fix `respond_to` undefined in API-only mode
91
+ - [#1488] Verify client authentication for Resource Owner Password Grant when
92
+ `config.skip_client_authentication_for_password_grant` is set and the client credentials
93
+ are sent in a HTTP Basic auth header.
94
+
95
+ ## 5.5.0
96
+
97
+ - [#1482] Simplify `TokenInfoController` to be overridable (extract response rendering).
98
+ - [#1478] Fix ownership association and Rake tasks when custom models configured.
99
+ - [#1477] Respect `ActiveRecord::Base.pluralize_table_names` for Doorkeeper table names.
100
+
101
+ ## 5.5.0.rc2
102
+
103
+ - [#1473] Enable `Applications` and `AuthorizedApplications` controllers in API mode.
104
+
105
+ **[IMPORTANT]** you can still skip these controllers using `skip_controllers` in
106
+ `use_doorkeeper` inside `routes.rb`. Please do it in case you don't need them.
107
+
108
+ - [#1472] Fix `establish_connection` configuration for custom defined models.
109
+ - [#1471] Add support for Ruby 3.0.
110
+ - [#1469] Check if `redirect_uri` exists.
111
+ - [#1465] Memoize nil doorkeeper_token.
112
+ - [#1459] Use built-in Ruby option to remove padding in PKCE code challenge value.
113
+ - [#1457] Make owner_id a bigint for newly-generated owner migrations
114
+ - [#1452] Empty previous_refresh_token only if present.
115
+ - [#1440] Validate empty host in redirect_uri.
116
+ - [#1438] Add form post response mode.
117
+ - [#1458] Make `config.skip_client_authentication_for_password_grant` a long term configuration option.
118
+
119
+ ## 5.5.0.rc1
120
+
121
+ - [#1435] Make error response not redirectable when client is unauthorized
122
+ - [#1426] Ensure ActiveRecord callbacks are executed on token revocation.
123
+ - [#1407] Remove redundant and complex to support helpers froms tests (`should_have_json`, etc).
124
+ - [#1416] Don't add introspection route if token introspection completely disabled.
125
+ - [#1410] Properly memoize `current_resource_owner` value (consider `nil` and `false` values).
126
+ - [#1415] Ignore PKCE params for non-PKCE grants.
127
+ - [#1418] Add ability to register custom OAuth Grant Flows.
128
+ - [#1420] Require client authentication for Resource Owner Password Grant as stated in OAuth RFC.
129
+
130
+ **[IMPORTANT]** you need to create a new OAuth client (`Doorkeeper::Application`) if you didn't
131
+ have it before and use client credentials in HTTP Basic auth if you previously used this grant
132
+ flow without client authentication. To opt out of this you could set the
133
+ `skip_client_authentication_for_password_grant` configuration option to `true`, but note that
134
+ this is in violation of the OAuth spec and represents a security risk.
135
+ All the users of your provider application now need to include client credentials when they use
136
+ this grant flow.
137
+
138
+ - [#1421] Add Resource Owner instance to authorization hook context for `custom_access_token_expires_in`
139
+ configuration option to allow resource owner based Access Tokens TTL.
140
+
141
+ ## 5.4.0
142
+
143
+ - [#1404] Make `Doorkeeper::Application#read_attribute_for_serialization` public.
144
+
145
+ ## 5.4.0.rc2
146
+
147
+ - [#1371] Add `#as_json` method and attributes serialization restriction for Application model.
148
+ Fixes information disclosure vulnerability (CVE-2020-10187).
149
+
150
+ **[IMPORTANT]** you need to re-implement `#as_json` method for Doorkeeper Application model
151
+ if you previously used `#to_json` serialization with custom options or attributes or rely on
152
+ JSON response from /oauth/applications.json or /oauth/authorized_applications.json. This change
153
+ is a breaking change which restricts serialized attributes to a very small set of columns.
154
+
155
+ - [#1395] Fix `NameError: uninitialized constant Doorkeeper::AccessToken` for Rake tasks.
156
+ - [#1397] Add `as: :doorkeeper_application` on Doorkeeper application form in order to support
157
+ custom configured application model.
158
+ - [#1400] Correctly yield the application instance to `allow_grant_flow_for_client?` config
159
+ option (fixes #1398).
160
+ - [#1402] Handle trying authorization with client credentials.
161
+
162
+ ## 5.4.0.rc1
163
+ - [#1366] Sets expiry of token generated using `refresh_token` to that of original token. (Fixes #1364)
164
+ - [#1354] Add `authorize_resource_owner_for_client` option to authorize the calling user to access an application.
165
+ - [#1355] Allow to enable polymorphic Resource Owner association for Access Token & Grant
166
+ models (`use_polymorphic_resource_owner` configuration option).
167
+
168
+ **[IMPORTANT]** Review your custom patches or extensions for Doorkeeper internals if you
169
+ have such - since now Doorkeeper passes Resource Owner instance to every objects and not
170
+ just it's ID. See PR description for details.
171
+
172
+ - [#1356] Remove duplicated scopes from Access Tokens and Grants on attribute assignment.
173
+ - [#1357] Fix `Doorkeeper::OAuth::PreAuthorization#as_json` method causing
174
+ `Stack level too deep` error with AMS (fix #1312).
175
+ - [#1358] Deprecate `active_record_options` configuration option.
176
+ - [#1359] Refactor Doorkeeper configuration options DSL to make it easy to reuse it
177
+ in external extensions.
178
+ - [#1360] Increase `matching_token_for` lookup size to 10 000 and make it configurable.
179
+ - [#1371] Fix controllers to use valid classes in case Doorkeeper has custom models configured.
180
+ - [#1370] Fix revocation response for invalid token and unauthorized requests to conform with RFC 7009 (fixes #1362).
181
+
182
+ **[IMPORTANT]** now fully according to RFC 7009 nobody can do a revocation request without `client_id`
183
+ (for public clients) and `client_secret` (for private clients). Please update your apps to include that
184
+ info in the revocation request payload.
185
+
186
+ - [#1373] Make Doorkeeper routes mapper reusable in extensions.
187
+ - [#1374] Revoke and issue client credentials token in a transaction with a row lock.
188
+ - [#1384] Add context object with auth/pre_auth and issued_token for authorization hooks.
189
+ - [#1387] Add `AccessToken#create_for` and use in `RefreshTokenRequest`.
190
+ - [#1392] Fix `enable_polymorphic_resource_owner` migration template to have proper index name.
191
+ - [#1393] Improve Applications #show page with more informative data on client secret and scopes.
192
+ - [#1394] Use Ruby `autoload` feature to load Doorkeeper files.
193
+
194
+ ## 5.3.3
195
+
196
+ - [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
197
+
198
+ ## 5.3.2
199
+
200
+ - [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
201
+ Fixes information disclosure vulnerability (CVE-2020-10187).
202
+
203
+ ## 5.3.1
204
+
205
+ - [#1360] Backport: Increase `matching_token_for` batch lookup size to 10 000 and make it configurable.
206
+
207
+ ## 5.3.0
208
+
209
+ - [#1339] Validate Resource Owner in `PasswordAccessTokenRequest` against `nil` and `false` values.
210
+ - [#1341] Fix `refresh_token_revoked_on_use` with `hash_token_secrets` enabled.
211
+ - [#1343] Fix ruby 2.7 kwargs warning in InvalidTokenResponse.
212
+ - [#1345] Allow to set custom classes for Doorkeeper models, extract reusable AR mixins.
213
+ - [#1346] Refactor `Doorkeeper::Application#to_json` into convenient `#as_json` (fix #1344).
214
+ - [#1349] Fix `Doorkeeper::Application` AR associations using an incorrect foreign key name when using a custom class.
215
+ - [#1318] Make existing token revocation for client credentials optional and disable it by default.
216
+
217
+ **[IMPORTANT]** This is a change compared to the behaviour of version 5.2.
218
+ If you were relying on access tokens being revoked once the same client
219
+ requested a new access token, reenable it with `revoke_previous_client_credentials_token` in Doorkeeper
220
+ initialization file.
221
+
222
+ ## 5.2.6
223
+
224
+ - [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
225
+
226
+ ## 5.2.5
227
+
228
+ - [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
229
+ Fixes information disclosure vulnerability (CVE-2020-10187).
230
+
231
+ ## 5.2.4
232
+
233
+ - [#1360] Backport: Increase `matching_token_for` batch lookup size to 10 000 and make it configurable.
234
+
235
+ ## 5.2.3
236
+
237
+ - [#1334] Remove `application_secret` flash helper and `redirect_to` keyword.
238
+ - [#1331] Move redirect_uri_validator to where it is used (`Application` model).
239
+ - [#1326] Move response_type check in pre_authorization to a method to be easily to override.
240
+ - [#1329] Fix `find_in_batches` order warning.
241
+
242
+ ## 5.2.2
243
+
244
+ - [#1320] Call configured `authenticate_resource_owner` method once per request.
245
+ - [#1315] Allow generation of new secret with `Doorkeeper::Application#renew_secret`.
246
+ - [#1309] Allow `Doorkeeper::Application#to_json` to work without arguments.
247
+
248
+ ## 5.2.1
249
+
250
+ - [#1308] Fix flash types for `api_only` mode (no flashes for `ActionController::API`).
251
+ - [#1306] Fix interpolation of `missing_param` I18n.
252
+
253
+ ## 5.2.0
254
+
255
+ - [#1305] Make `Doorkeeper::ApplicationController` to inherit from `ActionController::API` in cases
256
+ when `api_mode` enabled (fixes #1302).
257
+
258
+ ## 5.2.0.rc3
259
+
260
+ - [#1298] Slice strong params so doesn't error with Rails forms.
261
+ - [#1300] Limiting access to attributes of pre_authorization.
262
+ - [#1296] Adding client_id to strong parameters.
263
+
264
+ **[IMPORTANT]** `Doorkeeper::Server#client_via_uid` was removed.
265
+
266
+ - [#1293] Move ar specific redirect uri validator to ar orm directory.
267
+ - [#1288] Allow to pass attributes to the `Doorkeeper::OAuth::PreAuthorization#as_json` method to customize
268
+ the PreAuthorization response.
269
+ - [#1286] Add ability to customize grant flows per application (OAuth client) (#1245 , #1207)
270
+ - [#1283] Allow to customize base class for `Doorkeeper::ApplicationMetalController` (new configuration
271
+ option called `base_metal_controller` (fix #1273).
272
+ - [#1277] Prevent requested scope be empty on authorization request, handle and add description for invalid request.
273
+
274
+ ## 5.2.0.rc2
275
+
276
+ - [#1270] Find matching tokens in batches for `reuse_access_token` option (fix #1193).
277
+ - [#1271] Reintroduce existing token revocation for client credentials.
278
+
279
+ **[IMPORTANT]** If you rely on being able to fetch multiple access tokens from the same
280
+ client using client credentials flow, you should skip to version 5.3, where this behaviour
281
+ is deactivated by default.
282
+
283
+ - [#1269] Update initializer template documentation.
284
+ - [#1266] Use strong parameters within pre-authorization.
285
+ - [#1264] Add :before_successful_authorization and :after_successful_authorization hooks in TokensController
286
+ - [#1263] Response properly when introspection fails and fix configurations's user guide.
287
+
288
+ ## 5.2.0.rc1
289
+
290
+ - [#1260], [#1262] Improve Token Introspection configuration option (access to tokens, client).
291
+ - [#1257] Add constraint configuration when using client authentication on introspection endpoint.
292
+ - [#1252] Returning `unauthorized` when the revocation of the token should not be performed due to wrong permissions.
293
+ - [#1249] Specify case sensitive uniqueness to remove Rails 6 deprecation message
294
+ - [#1248] Display the Application Secret in HTML after creating a new application even when `hash_application_secrets` is used.
295
+ - [#1248] Return the unhashed Application Secret in the JSON response after creating new application even when `hash_application_secrets` is used.
296
+ - [#1238] Better support for native app with support for custom scheme and localhost redirection.
297
+
298
+ ## 5.1.2
299
+
300
+ - [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
301
+
302
+ ## 5.1.1
303
+
304
+ - [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
305
+ Fixes information disclosure vulnerability (CVE-2020-10187).
306
+
307
+ ## 5.1.0
308
+
309
+ - [#1243] Add nil check operator in token checking at token introspection.
310
+ - [#1241] Explaining foreign key options for resource owner in a single place
311
+ - [#1237] Allow to set blank redirect URI if Doorkeeper configured to use redirect URI-less grant flows.
312
+ - [#1234] Fix `StaleRecordsCleaner` to properly work with big amount of records.
313
+ - [#1228] Allow to explicitly set non-expiring tokens in `custom_access_token_expires_in` configuration
314
+ option using `Float::INFINITY` return value.
315
+ - [#1224] Do not try to store token if not found by fallback hashing strategy.
316
+ - [#1223] Update Hound/Rubocop rules, correct Doorkeeper codebase to follow style-guides.
317
+ - [#1220] Drop Rails 4.2 & Ruby < 2.4 support.
318
+
319
+ ## 5.1.0.rc2
320
+
321
+ - [#1208] Unify hashing implementation into secret storing strategies
322
+
323
+ **[IMPORTANT]** If you have been using the master branch of doorkeeper with bcrypt in your Gemfile.lock,
324
+ your application secrets have been hashed using BCrypt. To restore this behavior, use the initializer option
325
+ `hash_application_secrets using: 'Doorkeeper::SecretStoring::BCrypt`.
326
+
327
+ - [#1216] Add nil check to `expires_at` method.
328
+ - [#1215] Fix deprecates for Rails 6.
329
+ - [#1214] Scopes field accepts array.
330
+ - [#1209] Fix tokens validation for Token Introspection request.
331
+ - [#1202] Use correct HTTP status codes for error responses.
332
+
333
+ **[IMPORTANT]**: this change might break your application if you were relying on the previous
334
+ 401 status codes, this is now a 400 by default, or a 401 for `invalid_client` and `invalid_token` errors.
335
+
336
+ - [#1201] Fix custom TTL block `client` parameter to always be an `Doorkeeper::Application` instance.
337
+
338
+ **[IMPORTANT]**: those who defined `custom_access_token_expires_in` configuration option need to check
339
+ their block implementation: if you are using `oauth_client.application` to get `Doorkeeper::Application`
340
+ instance, then you need to replace it with just `oauth_client`.
341
+
342
+ - [#1200] Increase default Doorkeeper access token value complexity (`urlsafe_base64` instead of just `hex`)
343
+ matching RFC6749/RFC6750.
344
+
345
+ **[IMPORTANT]**: this change have possible side-effects in case you have custom database constraints for
346
+ access token value, application secrets, refresh tokens or you patched Doorkeeper models and introduced
347
+ token value validations, or you are using database with case-insensitive WHERE clause like MySQL
348
+ (you can face some collisions). Before this change access token value matched `[a-f0-9]` regex, and now
349
+ it matches `[a-zA-Z0-9\-_]`. In case you have such restrictions and your don't use custom token generator
350
+ please change configuration option `default_generator_method` to `:hex`.
351
+
352
+ - [#1195] Allow to customize Token Introspection response (fixes #1194).
353
+ - [#1189] Option to set `token_reuse_limit`.
354
+ - [#1191] Try to load bcrypt for hashing of application secrets, but add fallback.
355
+
356
+ ## 5.1.0.rc1
357
+
358
+ - [#1188] Use `params` instead of `request.POST` in tokens controller (fixes #1183).
359
+ - [#1182] Fix loopback IP redirect URIs to conform with RFC8252, p. 7.3 (fixes #1170).
360
+ - [#1179] Authorization Code Grant Flow without client id returns invalid_client error.
361
+ - [#1177] Allow to limit `scopes` for certain `grant_types`
362
+ - [#1176] Fix test factory support for `factory_bot_rails`
363
+ - [#1175] Internal refactor: use `scopes_string` inside `scopes`.
364
+ - [#1168] Allow optional hashing of tokens and secrets.
365
+ - [#1164] Fix error when `root_path` is not defined.
366
+ - [#1162] Fix `enforce_content_type` for requests without body.
367
+
368
+ ## 5.0.3
369
+
370
+ - [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
371
+ Fixes information disclosure vulnerability (CVE-2020-10187).
372
+
373
+ ## 5.0.2
374
+
375
+ - [#1158] Fix initializer template: change `handle_auth_errors` option
376
+ - [#1157] Remove redundant index from migration template.
377
+
378
+ ## 5.0.1
379
+
380
+ - [#1154] Refactor `StaleRecordsCleaner` to be ORM agnostic.
381
+ - [#1152] Fix migration template: change resource owner data type from integer to Rails generic `references`
382
+ - [#1151] Fix Refresh Token strategy: add proper validation of client credentials both for Public & Private clients.
383
+ - [#1149] Fix for `URIChecker#valid_for_authorization?` false negative when query is blank, but `?` present.
384
+ - [#1140] Allow rendering custom errors from exceptions (issue #844). Originally opened as [#944].
385
+ - [#1138] Revert regression bug (check for token expiration in Authorizations controller so authorization
386
+ triggers every time)
387
+
388
+ ## 5.0.0
389
+
390
+ - [#1127] Change the token_type initials of the Banner Token to uppercase to comply with the RFC6750 specification.
391
+
392
+ ## 5.0.0.rc2
393
+
394
+ - [#1122] Fix AuthorizationsController#new error response to be in JSON format
395
+ - [#1119] Fix token revocation for OAuth apps using "implicit" grant flow
396
+ - [#1116] `AccessGrant`s will now be revoked along with `AccessToken`s when
397
+ hitting the `AuthorizedApplicationController#destroy` route.
398
+ - [#1114] Make token info endpoint's attributes consistent with token creation
399
+ - [#1108] Simple formatting of callback URLs when listing oauth applications
400
+ - [#1106] Restrict access to AdminController with 'Forbidden 403' if admin_authenticator is not
401
+ configured by developers.
402
+
403
+ ## 5.0.0.rc1
404
+
405
+ - [#1103] Allow customizing use_refresh_token
406
+ - [#1089] Removed enable_pkce_without_secret configuration option
407
+ - [#1102] Expiration time based on scopes
408
+ - [#1099] All the configuration variables in `Doorkeeper.configuration` now
409
+ always return a non-nil value (`true` or `false`)
410
+ - [#1099] ORM / Query optimization: Do not revoke the refresh token if it is not enabled
411
+ in `doorkeeper.rb`
412
+ - [#996] Expiration Time Base On Grant Type
413
+ - [#997] Allow PKCE authorization_code flow as specified in RFC7636
414
+ - [#907] Fix lookup for matching tokens in certain edge-cases
415
+ - [#992] Add API option to use Doorkeeper without management views for API only
416
+ Rails applications (`api_only`)
417
+ - [#1045] Validate redirect_uri as the native URI when making authorization code requests
418
+ - [#1048] Remove deprecated `Doorkeeper#configured?`, `Doorkeeper#database_installed?`, and
419
+ `Doorkeeper#installed?` method
420
+ - [#1031] Allow public clients to authenticate without `client_secret`. Define an app as
421
+ either public or private/confidential
422
+
423
+ **[IMPORTANT]**: all the applications (clients) now are considered as private by default.
424
+ You need to manually change `confidential` column to `false` if you are using public clients,
425
+ in other case your mobile (or other) applications will not be able to authorize.
426
+ See [#1142](https://github.com/doorkeeper-gem/doorkeeper/issues/1142) for more details.
427
+
428
+ - [#1010] Add configuration to enforce configured scopes (`default_scopes` and
429
+ `optional_scopes`) for applications
430
+ - [#1060] Ensure that the native redirect_uri parameter matches with redirect_uri of the client
431
+ - [#1064] Add :before_successful_authorization and :after_successful_authorization hooks
432
+ - [#1069] Upgrade Bootstrap to 4 for Admin
433
+ - [#1068] Add rake task to cleanup databases that can become large over time
434
+ - [#1072] AuthorizationsController: Memoize strategy.authorize_response result to enable
435
+ subclasses to use the response object.
436
+ - [#1075] Call `before_successful_authorization` and `after_successful_authorization` hooks
437
+ on `create` action as well as `new`
438
+ - [#1082] Fix #916: remember routes mapping and use it required places (fix error with
439
+ customized Token Info route).
440
+ - [#1086, #1088] Fix bug with receiving default scopes in the token even if they are
441
+ not present in the application scopes (use scopes intersection).
442
+ - [#1076] Add config to enforce content type to application/x-www-form-urlencoded
443
+ - Fix bug with `force_ssl_in_redirect_uri` when it breaks existing applications with an
444
+ SSL redirect_uri.
445
+
446
+ ## 4.4.3
447
+
448
+ - [#1143] Adds a config option `opt_out_native_route_change` to opt out of the breaking api
449
+ changed introduced in https://github.com/doorkeeper-gem/doorkeeper/pull/1003
450
+
451
+ ## 4.4.2
452
+
453
+ - [#1130] Backport fix for native redirect_uri from 5.x.
454
+
455
+ ## 4.4.1
456
+
457
+ - [#1127] Backport token type to comply with the RFC6750 specification.
458
+ - [#1125] Backport Quote surround I18n yes/no keys
6
459
 
7
460
  ## 4.4.0
8
461
 
9
462
  - [#1120] Backport security fix from 5.x for token revocation when using public clients
10
463
 
464
+ **[IMPORTANT]**: all the applications (clients) now are considered as private by default.
465
+ You need to manually change `confidential` column to `false` if you are using public clients,
466
+ in other case your mobile (or other) applications will not be able to authorize.
467
+ See [#1142](https://github.com/doorkeeper-gem/doorkeeper/issues/1142) for more details.
468
+
11
469
  ## 4.3.2
12
470
 
13
471
  - [#1053] Support authorizing with query params in the request `redirect_uri` if explicitly present in app's `Application#redirect_uri`
@@ -35,6 +493,10 @@ User-visible changes worth mentioning.
35
493
  - [#985] Generate valid migration files for Rails >= 5
36
494
  - [#972] Replace Struct subclassing with block-form initialization
37
495
  - [#1003] Use URL query param to pass through native redirect auth code so automated apps can find it.
496
+
497
+ **[IMPORTANT]**: Previously authorization code response route was `/oauth/authorize/<code>`,
498
+ now it is `oauth/authorize/native?code=<code>` (in order to help applications to automatically find the code value).
499
+
38
500
  - [#868] `Scopes#&` and `Scopes#+` now take an array or any other enumerable
39
501
  object.
40
502
  - [#1019] Remove translation not in use: `invalid_resource_owner`.
@@ -65,7 +527,7 @@ User-visible changes worth mentioning.
65
527
  ## 4.2.0
66
528
 
67
529
  - Security fix: Address CVE-2016-6582, implement token revocation according to
68
- spec (tokens might not be revoked if client follows the spec).
530
+ spec (tokens might not be revoked if client follows the spec).
69
531
  - [#873] Add hooks to Doorkeeper::ApplicationMetalController
70
532
  - [#871] Allow downstream users to better utilize doorkeeper spec factories by
71
533
  eliminating name conflict on `:user` factory.
@@ -99,6 +561,7 @@ User-visible changes worth mentioning.
99
561
  ```
100
562
  rails generate doorkeeper:previous_refresh_token
101
563
  ```
564
+
102
565
  - [#811] Toughen parameters filter with exact match
103
566
  - [#813] Applications admin bugfix
104
567
  - [#799] Fix Ruby Warnings
@@ -192,11 +655,10 @@ User-visible changes worth mentioning.
192
655
  - Removes `doorkeeper_for` deprecation notice.
193
656
  - Remove `applications.scopes` upgrade notice.
194
657
 
195
-
196
658
  ## 2.2.2
197
659
 
198
660
  - [#541] Fixed `undefined method attr_accessible` problem on Rails 4
199
- (happens only when ProtectedAttributes gem is used) in #599
661
+ (happens only when ProtectedAttributes gem is used) in #599
200
662
 
201
663
  ## 2.2.1
202
664
 
@@ -215,7 +677,6 @@ User-visible changes worth mentioning.
215
677
  - [#627] i18n fallbacks to english
216
678
  - Moved CHANGELOG to NEWS.md
217
679
 
218
-
219
680
  ## 2.1.4 - 2015-03-27
220
681
 
221
682
  - [#595] HTTP spec: Add `scope` for refresh token scope param
@@ -223,12 +684,10 @@ User-visible changes worth mentioning.
223
684
  - [#567] Add Grape helpers for easier integration with Grape framework
224
685
  - [#606] Add custom access token expiration support for Client Credentials flow
225
686
 
226
-
227
687
  ## 2.1.3 - 2015-03-01
228
688
 
229
689
  - [#588] Fixes scopes_match? bug that skipped authorization form in some cases
230
690
 
231
-
232
691
  ## 2.1.2 - 2015-02-25
233
692
 
234
693
  - [#574] Remove unused update authorization route.
@@ -237,17 +696,15 @@ User-visible changes worth mentioning.
237
696
  - [#583] Database connection bugfix in certain scenarios.
238
697
  - Testing improvements
239
698
 
240
-
241
699
  ## 2.1.1 - 2015-02-06
242
700
 
243
701
  - Remove `wildcard_redirect_url` option
244
702
  - [#481] Customize token flow OAuth expirations with a config lambda
245
703
  - [#568] TokensController: Memoize strategy.authorize_response result to enable
246
- subclasses to use the response object.
704
+ subclasses to use the response object.
247
705
  - [#571] Fix database initialization issues in some configurations.
248
706
  - Documentation improvements
249
707
 
250
-
251
708
  ## 2.1.0 - 2015-01-13
252
709
 
253
710
  - [#540] Include `created_at` in response.
@@ -267,12 +724,10 @@ User-visible changes worth mentioning.
267
724
  Disables implicit and password grant flows by default.
268
725
  - [#510, #544, 722113f] Revoked refresh token response bugfix.
269
726
 
270
-
271
727
  ## 2.0.1 - 2014-12-17
272
728
 
273
729
  - [#525, #526, #527] Fix `ActiveRecord::NoDatabaseError` on gem load.
274
730
 
275
-
276
731
  ## 2.0.0 - 2014-12-16
277
732
 
278
733
  ### Backward incompatible changes
@@ -406,7 +861,7 @@ User-visible changes worth mentioning.
406
861
  tokens for an application/owner instead of deleting them.
407
862
  - [#333] Rails 4.1 support
408
863
  - internals
409
- - Removes jQuery dependency [fixes #300] [PR #312 is related]
864
+ - Removes jQuery dependency [fixes #300][pr #312 is related]
410
865
  - [#294] Client uid and secret will be generated only if not present.
411
866
  - [#316] Test warnings addressed.
412
867
  - [#338] Rspec 3 syntax.
@@ -524,7 +979,7 @@ Official support for rubinius was removed.
524
979
  - Add support for mongoid
525
980
  - [#78, #128, #137, #138] Application Ownership
526
981
  - [#92] Allow users to skip controllers
527
- - [#99] Remove deprecated warnings for data-* attributes [@towerhe](https://github.com/towerhe)
982
+ - [#99] Remove deprecated warnings for data-\* attributes [@towerhe](https://github.com/towerhe)
528
983
  - [#101] Return existing access_token for PasswordAccessTokenRequest [@benoist](https://github.com/benoist)
529
984
  - [#104] Changed access token scopes example code to default_scopes and optional_scopes [@amkirwan](https://github.com/amkirwan)
530
985
  - [#107] Fix typos in initializer
@@ -586,7 +1041,7 @@ Official support for rubinius was removed.
586
1041
  - [#50] Fix typos [@tomekw](https://github.com/tomekw)
587
1042
  - [#51] Updated the factory_girl_rails dependency, fix expires_in response which returned a float number instead of integer [@antekpiechnik](https://github.com/antekpiechnik)
588
1043
  - [#62] Typos, .gitignore [@jaimeiniesta](https://github.com/jaimeiniesta)
589
- - [#65] Change _path redirections to _url redirections [@jaimeiniesta](https://github.com/jaimeiniesta)
1044
+ - [#65] Change \_path redirections to \_url redirections [@jaimeiniesta](https://github.com/jaimeiniesta)
590
1045
  - [#75] Fix unknown method #authenticate_admin! [@mattgreen](https://github.com/mattgreen)
591
1046
  - Remove application link in authorized app view
592
1047