doorkeeper 4.4.0 → 5.6.6

data/spec/models/doorkeeper/application_spec.rb

@@ -1,286 +0,0 @@
-require 'spec_helper_integration'
-
-module Doorkeeper
-  describe Application do
-    let(:require_owner) { Doorkeeper.configuration.instance_variable_set('@confirm_application_owner', true) }
-    let(:unset_require_owner) { Doorkeeper.configuration.instance_variable_set('@confirm_application_owner', false) }
-    let(:new_application) { FactoryBot.build(:application) }
-
-    let(:uid) { SecureRandom.hex(8) }
-    let(:secret) { SecureRandom.hex(8) }
-
-    context 'application_owner is enabled' do
-      before do
-        Doorkeeper.configure do
-          orm DOORKEEPER_ORM
-          enable_application_owner
-        end
-      end
-
-      context 'application owner is not required' do
-        before(:each) do
-          unset_require_owner
-        end
-
-        it 'is valid given valid attributes' do
-          expect(new_application).to be_valid
-        end
-      end
-
-      context 'application owner is required' do
-        before(:each) do
-          require_owner
-          @owner = FactoryBot.build_stubbed(:doorkeeper_testing_user)
-        end
-
-        it 'is invalid without an owner' do
-          expect(new_application).not_to be_valid
-        end
-
-        it 'is valid with an owner' do
-          new_application.owner = @owner
-          expect(new_application).to be_valid
-        end
-      end
-    end
-
-    it 'is invalid without a name' do
-      new_application.name = nil
-      expect(new_application).not_to be_valid
-    end
-
-    it 'is invalid without determining confidentiality' do
-      new_application.confidential = nil
-      expect(new_application).not_to be_valid
-    end
-
-    it 'generates uid on create' do
-      expect(new_application.uid).to be_nil
-      new_application.save
-      expect(new_application.uid).not_to be_nil
-    end
-
-    it 'generates uid on create if an empty string' do
-      new_application.uid = ''
-      new_application.save
-      expect(new_application.uid).not_to be_blank
-    end
-
-    it 'generates uid on create unless one is set' do
-      new_application.uid = uid
-      new_application.save
-      expect(new_application.uid).to eq(uid)
-    end
-
-    it 'is invalid without uid' do
-      new_application.save
-      new_application.uid = nil
-      expect(new_application).not_to be_valid
-    end
-
-    it 'is invalid without redirect_uri' do
-      new_application.save
-      new_application.redirect_uri = nil
-      expect(new_application).not_to be_valid
-    end
-
-    it 'checks uniqueness of uid' do
-      app1 = FactoryBot.create(:application)
-      app2 = FactoryBot.create(:application)
-      app2.uid = app1.uid
-      expect(app2).not_to be_valid
-    end
-
-    it 'expects database to throw an error when uids are the same' do
-      app1 = FactoryBot.create(:application)
-      app2 = FactoryBot.create(:application)
-      app2.uid = app1.uid
-      expect { app2.save!(validate: false) }.to raise_error(uniqueness_error)
-    end
-
-    it 'generate secret on create' do
-      expect(new_application.secret).to be_nil
-      new_application.save
-      expect(new_application.secret).not_to be_nil
-    end
-
-    it 'generate secret on create if is blank string' do
-      new_application.secret = ''
-      new_application.save
-      expect(new_application.secret).not_to be_blank
-    end
-
-    it 'generate secret on create unless one is set' do
-      new_application.secret = secret
-      new_application.save
-      expect(new_application.secret).to eq(secret)
-    end
-
-    it 'is invalid without secret' do
-      new_application.save
-      new_application.secret = nil
-      expect(new_application).not_to be_valid
-    end
-
-    describe 'destroy related models on cascade' do
-      before(:each) do
-        new_application.save
-      end
-
-      it 'should destroy its access grants' do
-        FactoryBot.create(:access_grant, application: new_application)
-        expect { new_application.destroy }.to change { Doorkeeper::AccessGrant.count }.by(-1)
-      end
-
-      it 'should destroy its access tokens' do
-        FactoryBot.create(:access_token, application: new_application)
-        FactoryBot.create(:access_token, application: new_application, revoked_at: Time.now.utc)
-        expect do
-          new_application.destroy
-        end.to change { Doorkeeper::AccessToken.count }.by(-2)
-      end
-    end
-
-    describe :ordered_by do
-      let(:applications) { FactoryBot.create_list(:application, 5) }
-
-      context 'when a direction is not specified' do
-        it 'calls order with a default order of asc' do
-          names = applications.map(&:name).sort
-          expect(Application.ordered_by(:name).map(&:name)).to eq(names)
-        end
-      end
-
-      context 'when a direction is specified' do
-        it 'calls order with specified direction' do
-          names = applications.map(&:name).sort.reverse
-          expect(Application.ordered_by(:name, :desc).map(&:name)).to eq(names)
-        end
-      end
-    end
-
-    describe "#redirect_uri=" do
-      context "when array of valid redirect_uris" do
-        it "should join by newline" do
-          new_application.redirect_uri = ['http://localhost/callback1', 'http://localhost/callback2']
-          expect(new_application.redirect_uri).to eq("http://localhost/callback1\nhttp://localhost/callback2")
-        end
-      end
-      context "when string of valid redirect_uris" do
-        it "should store as-is" do
-          new_application.redirect_uri = "http://localhost/callback1\nhttp://localhost/callback2"
-          expect(new_application.redirect_uri).to eq("http://localhost/callback1\nhttp://localhost/callback2")
-        end
-      end
-    end
-
-    describe :authorized_for do
-      let(:resource_owner) { double(:resource_owner, id: 10) }
-
-      it 'is empty if the application is not authorized for anyone' do
-        expect(Application.authorized_for(resource_owner)).to be_empty
-      end
-
-      it 'returns only application for a specific resource owner' do
-        FactoryBot.create(:access_token, resource_owner_id: resource_owner.id + 1)
-        token = FactoryBot.create(:access_token, resource_owner_id: resource_owner.id)
-        expect(Application.authorized_for(resource_owner)).to eq([token.application])
-      end
-
-      it 'excludes revoked tokens' do
-        FactoryBot.create(:access_token, resource_owner_id: resource_owner.id, revoked_at: 2.days.ago)
-        expect(Application.authorized_for(resource_owner)).to be_empty
-      end
-
-      it 'returns all applications that have been authorized' do
-        token1 = FactoryBot.create(:access_token, resource_owner_id: resource_owner.id)
-        token2 = FactoryBot.create(:access_token, resource_owner_id: resource_owner.id)
-        expect(Application.authorized_for(resource_owner)).to eq([token1.application, token2.application])
-      end
-
-      it 'returns only one application even if it has been authorized twice' do
-        application = FactoryBot.create(:application)
-        FactoryBot.create(:access_token, resource_owner_id: resource_owner.id, application: application)
-        FactoryBot.create(:access_token, resource_owner_id: resource_owner.id, application: application)
-        expect(Application.authorized_for(resource_owner)).to eq([application])
-      end
-    end
-
-    describe :by_uid_and_secret do
-      context "when application is private/confidential" do
-        it "finds the application via uid/secret" do
-          app = FactoryBot.create :application
-          authenticated = Application.by_uid_and_secret(app.uid, app.secret)
-          expect(authenticated).to eq(app)
-        end
-        context "when secret is wrong" do
-          it "should not find the application" do
-            app = FactoryBot.create :application
-            authenticated = Application.by_uid_and_secret(app.uid, 'bad')
-            expect(authenticated).to eq(nil)
-          end
-        end
-      end
-
-      context "when application is public/non-confidential" do
-        context "when secret is blank" do
-          it "should find the application" do
-            app = FactoryBot.create :application, confidential: false
-            authenticated = Application.by_uid_and_secret(app.uid, nil)
-            expect(authenticated).to eq(app)
-          end
-        end
-        context "when secret is wrong" do
-          it "should not find the application" do
-            app = FactoryBot.create :application, confidential: false
-            authenticated = Application.by_uid_and_secret(app.uid, 'bad')
-            expect(authenticated).to eq(nil)
-          end
-        end
-      end
-    end
-
-    describe :confidential? do
-      subject { FactoryBot.create(:application, confidential: confidential).confidential? }
-
-      context 'when application is private/confidential' do
-        let(:confidential) { true }
-        it { expect(subject).to eq(true) }
-      end
-
-      context 'when application is public/non-confidential' do
-        let(:confidential) { false }
-        it { expect(subject).to eq(false) }
-      end
-    end
-
-    describe :confidential do
-      subject { FactoryBot.create(:application, confidential: confidential).confidential }
-
-      context 'when application is private/confidential' do
-        let(:confidential) { true }
-        it { expect(subject).to eq(true) }
-      end
-
-      context 'when application is public/non-confidential' do
-        let(:confidential) { false }
-        it { expect(subject).to eq(false) }
-      end
-    end
-
-    describe :supports_confidentiality? do
-      context 'when no column' do
-        it 'returns false' do
-          expect(Application).to receive(:column_names).and_return(%w[foo bar])
-          expect(Application.supports_confidentiality?).to eq(false)
-        end
-      end
-      context 'when column' do
-        it 'returns true' do
-          expect(Application).to receive(:column_names).and_return(%w[foo bar confidential])
-          expect(Application.supports_confidentiality?).to eq(true)
-        end
-      end
-    end
-  end
-end

data/spec/requests/applications/applications_request_spec.rb

@@ -1,94 +0,0 @@
-require 'spec_helper_integration'
-
-feature 'Adding applications' do
-  context 'in application form' do
-    background do
-      visit '/oauth/applications/new'
-    end
-
-    scenario 'adding a valid app' do
-      fill_in 'doorkeeper_application[name]', with: 'My Application'
-      fill_in 'doorkeeper_application[redirect_uri]',
-              with: 'https://example.com'
-
-      click_button 'Submit'
-      i_should_see 'Application created'
-      i_should_see 'My Application'
-    end
-
-    scenario 'adding invalid app' do
-      click_button 'Submit'
-      i_should_see 'Whoops! Check your form for possible errors'
-    end
-  end
-end
-
-feature 'Listing applications' do
-  background do
-    FactoryBot.create :application, name: 'Oauth Dude'
-    FactoryBot.create :application, name: 'Awesome App'
-  end
-
-  scenario 'application list' do
-    visit '/oauth/applications'
-    i_should_see 'Awesome App'
-    i_should_see 'Oauth Dude'
-  end
-end
-
-feature 'Show application' do
-  given :app do
-    FactoryBot.create :application, name: 'Just another oauth app'
-  end
-
-  scenario 'visiting application page' do
-    visit "/oauth/applications/#{app.id}"
-    i_should_see 'Just another oauth app'
-  end
-end
-
-feature 'Edit application' do
-  let :app do
-    FactoryBot.create :application, name: 'OMG my app'
-  end
-
-  background do
-    visit "/oauth/applications/#{app.id}/edit"
-  end
-
-  scenario 'updating a valid app' do
-    fill_in 'doorkeeper_application[name]', with: 'Serious app'
-    click_button 'Submit'
-    i_should_see 'Application updated'
-    i_should_see 'Serious app'
-    i_should_not_see 'OMG my app'
-  end
-
-  scenario 'updating an invalid app' do
-    fill_in 'doorkeeper_application[name]', with: ''
-    click_button 'Submit'
-    i_should_see 'Whoops! Check your form for possible errors'
-  end
-end
-
-feature 'Remove application' do
-  background do
-    @app = FactoryBot.create :application
-  end
-
-  scenario 'deleting an application from list' do
-    visit '/oauth/applications'
-    i_should_see @app.name
-    within(:css, "tr#application_#{@app.id}") do
-      click_button 'Destroy'
-    end
-    i_should_see 'Application deleted'
-    i_should_not_see @app.name
-  end
-
-  scenario 'deleting an application from show' do
-    visit "/oauth/applications/#{@app.id}"
-    click_button 'Destroy'
-    i_should_see 'Application deleted'
-  end
-end

data/spec/requests/applications/authorized_applications_spec.rb

@@ -1,30 +0,0 @@
-require 'spec_helper_integration'
-
-feature 'Authorized applications' do
-  background do
-    @user   = User.create!(name: 'Joe', password: 'sekret')
-    @client = client_exists(name: 'Amazing Client App')
-    resource_owner_is_authenticated @user
-    client_is_authorized @client, @user
-  end
-
-  scenario 'display user\'s authorized applications' do
-    visit '/oauth/authorized_applications'
-    i_should_see 'Amazing Client App'
-  end
-
-  scenario 'do not display other user\'s authorized applications' do
-    client = client_exists(name: 'Another Client App')
-    client_is_authorized client, User.create!(name: 'Joe', password: 'sekret')
-    visit '/oauth/authorized_applications'
-    i_should_not_see 'Another Client App'
-  end
-
-  scenario 'user revoke access to application' do
-    visit '/oauth/authorized_applications'
-    i_should_see 'Amazing Client App'
-    click_on 'Revoke'
-    i_should_see 'Application revoked'
-    i_should_not_see 'Amazing Client App'
-  end
-end

data/spec/requests/endpoints/authorization_spec.rb

@@ -1,71 +0,0 @@
-require 'spec_helper_integration'
-
-feature 'Authorization endpoint' do
-  background do
-    config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
-    client_exists(name: 'MyApp')
-  end
-
-  scenario 'requires resource owner to be authenticated' do
-    visit authorization_endpoint_url(client: @client)
-    i_should_see 'Sign in'
-    i_should_be_on '/'
-  end
-
-  context 'with authenticated resource owner' do
-    background do
-      create_resource_owner
-      sign_in
-    end
-
-    scenario 'displays the authorization form' do
-      visit authorization_endpoint_url(client: @client)
-      i_should_see 'Authorize MyApp to use your account?'
-    end
-
-    scenario 'displays all requested scopes' do
-      default_scopes_exist :public
-      optional_scopes_exist :write
-      visit authorization_endpoint_url(client: @client, scope: 'public write')
-      i_should_see 'Access your public data'
-      i_should_see 'Update your data'
-    end
-  end
-
-  context 'with a invalid request' do
-    background do
-      create_resource_owner
-      sign_in
-    end
-
-    scenario 'displays the related error' do
-      visit authorization_endpoint_url(client: @client, response_type: '')
-      i_should_not_see 'Authorize'
-      i_should_see_translated_error_message :unsupported_response_type
-    end
-
-    scenario "displays unsupported_response_type error when using a disabled response type" do
-      config_is_set(:grant_flows, ['implicit'])
-      visit authorization_endpoint_url(client: @client, response_type: 'code')
-      i_should_not_see "Authorize"
-      i_should_see_translated_error_message :unsupported_response_type
-    end
-  end
-
-  context 'forgery protection enabled' do
-    background do
-      create_resource_owner
-      sign_in
-    end
-
-    scenario 'raises exception on forged requests' do
-      allowing_forgery_protection do
-        expect {
-          page.driver.post authorization_endpoint_url(client_id: @client.uid,
-                                                      redirect_uri: @client.redirect_uri,
-                                                      response_type:  'code')
-        }.to raise_error(ActionController::InvalidAuthenticityToken)
-      end
-    end
-  end
-end

data/spec/requests/endpoints/token_spec.rb

@@ -1,71 +0,0 @@
-require 'spec_helper_integration'
-
-describe 'Token endpoint' do
-  before do
-    client_exists
-    authorization_code_exists application: @client, scopes: 'public'
-  end
-
-  it 'respond with correct headers' do
-    post token_endpoint_url(code: @authorization.token, client: @client)
-    should_have_header 'Pragma', 'no-cache'
-
-    # Rails 5.2 changed headers
-    if ::Rails::VERSION::MAJOR >= 5 && ::Rails::VERSION::MINOR >= 2 || ::Rails::VERSION::MAJOR >= 6
-      should_have_header 'Cache-Control', 'private, no-store'
-    else
-      should_have_header 'Cache-Control', 'no-store'
-    end
-
-    should_have_header 'Content-Type', 'application/json; charset=utf-8'
-  end
-
-  it 'accepts client credentials with basic auth header' do
-    post token_endpoint_url(
-      code: @authorization.token,
-      redirect_uri: @client.redirect_uri
-    ), {}, 'HTTP_AUTHORIZATION' => basic_auth_header_for_client(@client)
-
-    should_have_json 'access_token', Doorkeeper::AccessToken.first.token
-  end
-
-  it 'returns null for expires_in when a permanent token is set' do
-    config_is_set(:access_token_expires_in, nil)
-    post token_endpoint_url(code: @authorization.token, client: @client)
-    should_have_json 'access_token', Doorkeeper::AccessToken.first.token
-    should_not_have_json 'expires_in'
-  end
-
-  it 'returns unsupported_grant_type for invalid grant_type param' do
-    post token_endpoint_url(code: @authorization.token, client: @client, grant_type: 'nothing')
-
-    should_not_have_json 'access_token'
-    should_have_json 'error', 'unsupported_grant_type'
-    should_have_json 'error_description', translated_error_message('unsupported_grant_type')
-  end
-
-  it 'returns unsupported_grant_type for disabled grant flows' do
-    config_is_set(:grant_flows, ['implicit'])
-    post token_endpoint_url(code: @authorization.token, client: @client, grant_type: 'authorization_code')
-
-    should_not_have_json 'access_token'
-    should_have_json 'error', 'unsupported_grant_type'
-    should_have_json 'error_description', translated_error_message('unsupported_grant_type')
-  end
-
-  it 'returns unsupported_grant_type when refresh_token is not in use' do
-    post token_endpoint_url(code: @authorization.token, client: @client, grant_type: 'refresh_token')
-
-    should_not_have_json 'access_token'
-    should_have_json 'error', 'unsupported_grant_type'
-    should_have_json 'error_description', translated_error_message('unsupported_grant_type')
-  end
-
-  it 'returns invalid_request if grant_type is missing' do
-    post token_endpoint_url(code: @authorization.token, client: @client, grant_type: '')
-
-    should_not_have_json 'access_token'
-    should_have_json 'error', 'invalid_request'
-    should_have_json 'error_description', translated_error_message('invalid_request')
-  end
-end

data/spec/requests/flows/authorization_code_errors_spec.rb

@@ -1,76 +0,0 @@
-require 'spec_helper_integration'
-
-feature 'Authorization Code Flow Errors' do
-  let(:client_params) { {} }
-  background do
-    config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
-    client_exists client_params
-    create_resource_owner
-    sign_in
-  end
-
-  after do
-    access_grant_should_not_exist
-  end
-
-  context "with a client trying to xss resource owner" do
-    let(:client_name) { "<div id='xss'>XSS</div>" }
-    let(:client_params) { { name: client_name } }
-    scenario "resource owner visit authorization endpoint" do
-      visit authorization_endpoint_url(client: @client)
-      expect(page).not_to have_css("#xss")
-    end
-  end
-
-  context 'when access was denied' do
-    scenario 'redirects with error' do
-      visit authorization_endpoint_url(client: @client)
-      click_on 'Deny'
-
-      i_should_be_on_client_callback @client
-      url_should_not_have_param 'code'
-      url_should_have_param 'error', 'access_denied'
-      url_should_have_param 'error_description', translated_error_message(:access_denied)
-    end
-
-    scenario 'redirects with state parameter' do
-      visit authorization_endpoint_url(client: @client, state: 'return-this')
-      click_on 'Deny'
-
-      i_should_be_on_client_callback @client
-      url_should_not_have_param 'code'
-      url_should_have_param 'state', 'return-this'
-    end
-  end
-end
-
-describe 'Authorization Code Flow Errors', 'after authorization' do
-  before do
-    client_exists
-    authorization_code_exists application: @client
-  end
-
-  it 'returns :invalid_grant error when posting an already revoked grant code' do
-    # First successful request
-    post token_endpoint_url(code: @authorization.token, client: @client)
-
-    # Second attempt with same token
-    expect do
-      post token_endpoint_url(code: @authorization.token, client: @client)
-    end.to_not change { Doorkeeper::AccessToken.count }
-
-    should_not_have_json 'access_token'
-    should_have_json 'error', 'invalid_grant'
-    should_have_json 'error_description', translated_error_message('invalid_grant')
-  end
-
-  it 'returns :invalid_grant error for invalid grant code' do
-    post token_endpoint_url(code: 'invalid', client: @client)
-
-    access_token_should_not_exist
-
-    should_not_have_json 'access_token'
-    should_have_json 'error', 'invalid_grant'
-    should_have_json 'error_description', translated_error_message('invalid_grant')
-  end
-end