doorkeeper 4.4.0 → 5.6.6

data/spec/requests/flows/authorization_code_spec.rb

@@ -1,149 +0,0 @@
-require 'spec_helper_integration'
-
-feature 'Authorization Code Flow' do
-  background do
-    config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
-    client_exists
-    create_resource_owner
-    sign_in
-  end
-
-  scenario 'resource owner authorizes the client' do
-    visit authorization_endpoint_url(client: @client)
-    click_on 'Authorize'
-
-    access_grant_should_exist_for(@client, @resource_owner)
-
-    i_should_be_on_client_callback(@client)
-
-    url_should_have_param('code', Doorkeeper::AccessGrant.first.token)
-    url_should_not_have_param('state')
-    url_should_not_have_param('error')
-  end
-
-  scenario 'resource owner authorizes using test url' do
-    @client.redirect_uri = Doorkeeper.configuration.native_redirect_uri
-    @client.save!
-    visit authorization_endpoint_url(client: @client)
-    click_on 'Authorize'
-
-    access_grant_should_exist_for(@client, @resource_owner)
-
-    url_should_have_param('code', Doorkeeper::AccessGrant.first.token)
-    i_should_see 'Authorization code:'
-    i_should_see Doorkeeper::AccessGrant.first.token
-  end
-
-  scenario 'resource owner authorizes the client with state parameter set' do
-    visit authorization_endpoint_url(client: @client, state: 'return-me')
-    click_on 'Authorize'
-    url_should_have_param('code', Doorkeeper::AccessGrant.first.token)
-    url_should_have_param('state', 'return-me')
-  end
-
-  scenario 'resource owner requests an access token with authorization code' do
-    visit authorization_endpoint_url(client: @client)
-    click_on 'Authorize'
-
-    authorization_code = Doorkeeper::AccessGrant.first.token
-    create_access_token authorization_code, @client
-
-    access_token_should_exist_for(@client, @resource_owner)
-
-    should_not_have_json 'error'
-
-    should_have_json 'access_token', Doorkeeper::AccessToken.first.token
-    should_have_json 'token_type', 'bearer'
-    should_have_json_within 'expires_in', Doorkeeper::AccessToken.first.expires_in, 1
-  end
-
-  context 'with scopes' do
-    background do
-      default_scopes_exist :public
-      optional_scopes_exist :write
-    end
-
-    scenario 'resource owner authorizes the client with default scopes' do
-      visit authorization_endpoint_url(client: @client)
-      click_on 'Authorize'
-      access_grant_should_exist_for(@client, @resource_owner)
-      access_grant_should_have_scopes :public
-    end
-
-    scenario 'resource owner authorizes the client with required scopes' do
-      visit authorization_endpoint_url(client: @client, scope: 'public write')
-      click_on 'Authorize'
-      access_grant_should_have_scopes :public, :write
-    end
-
-    scenario 'resource owner authorizes the client with required scopes (without defaults)' do
-      visit authorization_endpoint_url(client: @client, scope: 'write')
-      click_on 'Authorize'
-      access_grant_should_have_scopes :write
-    end
-
-    scenario 'new access token matches required scopes' do
-      visit authorization_endpoint_url(client: @client, scope: 'public write')
-      click_on 'Authorize'
-
-      authorization_code = Doorkeeper::AccessGrant.first.token
-      create_access_token authorization_code, @client
-
-      access_token_should_exist_for(@client, @resource_owner)
-      access_token_should_have_scopes :public, :write
-    end
-
-    scenario 'returns new token if scopes have changed' do
-      client_is_authorized(@client, @resource_owner, scopes: 'public write')
-      visit authorization_endpoint_url(client: @client, scope: 'public')
-      click_on 'Authorize'
-
-      authorization_code = Doorkeeper::AccessGrant.first.token
-      create_access_token authorization_code, @client
-
-      expect(Doorkeeper::AccessToken.count).to be(2)
-
-      should_have_json 'access_token', Doorkeeper::AccessToken.last.token
-    end
-
-    scenario 'resource owner authorizes the client with extra scopes' do
-      client_is_authorized(@client, @resource_owner, scopes: 'public')
-      visit authorization_endpoint_url(client: @client, scope: 'public write')
-      click_on 'Authorize'
-
-      authorization_code = Doorkeeper::AccessGrant.first.token
-      create_access_token authorization_code, @client
-
-      expect(Doorkeeper::AccessToken.count).to be(2)
-
-      should_have_json 'access_token', Doorkeeper::AccessToken.last.token
-      access_token_should_have_scopes :public, :write
-    end
-  end
-end
-
-describe 'Authorization Code Flow' do
-  before do
-    Doorkeeper.configure do
-      orm DOORKEEPER_ORM
-      use_refresh_token
-    end
-    client_exists
-  end
-
-  context 'issuing a refresh token' do
-    before do
-      authorization_code_exists application: @client
-    end
-
-    it 'second of simultaneous client requests get an error for revoked acccess token' do
-      authorization_code = Doorkeeper::AccessGrant.first.token
-      allow_any_instance_of(Doorkeeper::AccessGrant).to receive(:revoked?).and_return(false, true)
-
-      post token_endpoint_url(code: authorization_code, client: @client)
-
-      should_not_have_json 'access_token'
-      should_have_json 'error', 'invalid_grant'
-    end
-  end
-end

data/spec/requests/flows/client_credentials_spec.rb

@@ -1,86 +0,0 @@
-require 'spec_helper_integration'
-
-describe 'Client Credentials Request' do
-  let(:client) { FactoryBot.create :application }
-
-  context 'a valid request' do
-    it 'authorizes the client and returns the token response' do
-      headers = authorization client.uid, client.secret
-      params  = { grant_type: 'client_credentials' }
-
-      post '/oauth/token', params, headers
-
-      should_have_json 'access_token', Doorkeeper::AccessToken.first.token
-      should_have_json_within 'expires_in', Doorkeeper.configuration.access_token_expires_in, 1
-      should_not_have_json 'scope'
-      should_not_have_json 'refresh_token'
-
-      should_not_have_json 'error'
-      should_not_have_json 'error_description'
-    end
-
-    context 'with scopes' do
-      before do
-        optional_scopes_exist :write
-        default_scopes_exist :public
-      end
-
-      it 'adds the scope to the token an returns in the response' do
-        headers = authorization client.uid, client.secret
-        params  = { grant_type: 'client_credentials', scope: 'write' }
-
-        post '/oauth/token', params, headers
-
-        should_have_json 'access_token', Doorkeeper::AccessToken.first.token
-        should_have_json 'scope', 'write'
-      end
-
-      context 'that are default' do
-        it 'adds the scope to the token an returns in the response' do
-          headers = authorization client.uid, client.secret
-          params  = { grant_type: 'client_credentials', scope: 'public' }
-
-          post '/oauth/token', params, headers
-
-          should_have_json 'access_token', Doorkeeper::AccessToken.first.token
-          should_have_json 'scope', 'public'
-        end
-      end
-
-      context 'that are invalid' do
-        it 'does not authorize the client and returns the error' do
-          headers = authorization client.uid, client.secret
-          params  = { grant_type: 'client_credentials', scope: 'random' }
-
-          post '/oauth/token', params, headers
-
-          should_have_json 'error', 'invalid_scope'
-          should_have_json 'error_description', translated_error_message(:invalid_scope)
-          should_not_have_json 'access_token'
-
-          expect(response.status).to eq(401)
-        end
-      end
-    end
-  end
-
-  context 'an invalid request' do
-    it 'does not authorize the client and returns the error' do
-      headers = {}
-      params  = { grant_type: 'client_credentials' }
-
-      post '/oauth/token', params, headers
-
-      should_have_json 'error', 'invalid_client'
-      should_have_json 'error_description', translated_error_message(:invalid_client)
-      should_not_have_json 'access_token'
-
-      expect(response.status).to eq(401)
-    end
-  end
-
-  def authorization(username, password)
-    credentials = ActionController::HttpAuthentication::Basic.encode_credentials username, password
-    { 'HTTP_AUTHORIZATION' => credentials }
-  end
-end

data/spec/requests/flows/implicit_grant_errors_spec.rb

@@ -1,32 +0,0 @@
-require 'spec_helper_integration'
-
-feature 'Implicit Grant Flow Errors' do
-  background do
-    config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
-    config_is_set(:grant_flows, ["implicit"])
-    client_exists
-    create_resource_owner
-    sign_in
-  end
-
-  after do
-    access_token_should_not_exist
-  end
-
-  [
-    [:client_id,     :invalid_client],
-    [:redirect_uri,  :invalid_redirect_uri]
-  ].each do |error|
-    scenario "displays #{error.last} error for invalid #{error.first}" do
-      visit authorization_endpoint_url(client: @client, error.first => 'invalid', response_type: 'token')
-      i_should_not_see 'Authorize'
-      i_should_see_translated_error_message error.last
-    end
-
-    scenario "displays #{error.last} error when #{error.first} is missing" do
-      visit authorization_endpoint_url(client: @client, error.first => '', response_type: 'token')
-      i_should_not_see 'Authorize'
-      i_should_see_translated_error_message error.last
-    end
-  end
-end

data/spec/requests/flows/implicit_grant_spec.rb

@@ -1,61 +0,0 @@
-require 'spec_helper_integration'
-
-feature 'Implicit Grant Flow (feature spec)' do
-  background do
-    config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
-    config_is_set(:grant_flows, ["implicit"])
-    client_exists
-    create_resource_owner
-    sign_in
-  end
-
-  scenario 'resource owner authorizes the client' do
-    visit authorization_endpoint_url(client: @client, response_type: 'token')
-    click_on 'Authorize'
-
-    access_token_should_exist_for @client, @resource_owner
-
-    i_should_be_on_client_callback @client
-  end
-end
-
-describe 'Implicit Grant Flow (request spec)' do
-  before do
-    config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
-    config_is_set(:grant_flows, ["implicit"])
-    client_exists
-    create_resource_owner
-  end
-
-  context 'token reuse' do
-    it 'should return a new token each request' do
-      allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(false)
-
-      token = client_is_authorized(@client, @resource_owner)
-
-      post "/oauth/authorize",
-           client_id: @client.uid,
-           state: '',
-           redirect_uri: @client.redirect_uri,
-           response_type: 'token',
-           commit: 'Authorize'
-
-      expect(response.location).not_to include(token.token)
-    end
-
-    it 'should return the same token if it is still accessible' do
-      allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
-
-      token = client_is_authorized(@client, @resource_owner)
-
-      post "/oauth/authorize",
-           client_id: @client.uid,
-           state: '',
-           redirect_uri: @client.redirect_uri,
-           response_type: 'token',
-           commit: 'Authorize'
-
-      expect(response.location).to include(token.token)
-    end
-  end
-end

data/spec/requests/flows/password_spec.rb

@@ -1,197 +0,0 @@
-require 'spec_helper_integration'
-
-describe 'Resource Owner Password Credentials Flow not set up' do
-  before do
-    client_exists
-    create_resource_owner
-  end
-
-  context 'with valid user credentials' do
-    it 'doesn\'t issue new token' do
-      expect do
-        post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-      end.to_not(change { Doorkeeper::AccessToken.count })
-    end
-  end
-end
-
-describe 'Resource Owner Password Credentials Flow' do
-  let(:client_attributes) { {} }
-
-  before do
-    config_is_set(:grant_flows, ["password"])
-    config_is_set(:resource_owner_from_credentials) { User.authenticate! params[:username], params[:password] }
-    client_exists(client_attributes)
-    create_resource_owner
-  end
-
-  context 'with valid user credentials' do
-    context "with non-confidential/public client" do
-      let(:client_attributes) { { confidential: false } }
-
-      context "when client_secret absent" do
-        it "should issue new token" do
-          expect do
-            post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
-          end.to change { Doorkeeper::AccessToken.count }.by(1)
-
-          token = Doorkeeper::AccessToken.first
-
-          expect(token.application_id).to eq @client.id
-          should_have_json 'access_token', token.token
-        end
-      end
-
-      context "when client_secret present" do
-        it "should issue new token" do
-          expect do
-            post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-          end.to change { Doorkeeper::AccessToken.count }.by(1)
-
-          token = Doorkeeper::AccessToken.first
-
-          expect(token.application_id).to eq @client.id
-          should_have_json 'access_token', token.token
-        end
-
-        context "when client_secret incorrect" do
-          it "should not issue new token" do
-            expect do
-              post password_token_endpoint_url(client_id: @client.uid, client_secret: 'foobar', resource_owner: @resource_owner)
-            end.not_to(change { Doorkeeper::AccessToken.count })
-
-            expect(response).not_to be_ok
-          end
-        end
-      end
-    end
-
-    context "with confidential/private client" do
-      it "should issue new token" do
-        expect do
-          post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-        end.to change { Doorkeeper::AccessToken.count }.by(1)
-
-        token = Doorkeeper::AccessToken.first
-
-        expect(token.application_id).to eq @client.id
-        should_have_json 'access_token', token.token
-      end
-
-      context "when client_secret absent" do
-        it "should not issue new token" do
-          expect do
-            post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
-          end.not_to(change { Doorkeeper::AccessToken.count })
-
-          expect(response).not_to be_ok
-        end
-      end
-    end
-
-    it 'should issue new token without client credentials' do
-      expect do
-        post password_token_endpoint_url(resource_owner: @resource_owner)
-      end.to(change { Doorkeeper::AccessToken.count }.by(1))
-
-      token = Doorkeeper::AccessToken.first
-
-      expect(token.application_id).to be_nil
-      should_have_json 'access_token', token.token
-    end
-
-    it 'should issue a refresh token if enabled' do
-      config_is_set(:refresh_token_enabled, true)
-
-      post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-
-      token = Doorkeeper::AccessToken.first
-
-      should_have_json 'refresh_token', token.refresh_token
-    end
-
-    it 'should return the same token if it is still accessible' do
-      allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
-
-      client_is_authorized(@client, @resource_owner)
-
-      post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-
-      expect(Doorkeeper::AccessToken.count).to be(1)
-      should_have_json 'access_token', Doorkeeper::AccessToken.first.token
-    end
-
-    context 'with valid, default scope' do
-      before do
-        default_scopes_exist :public
-      end
-
-      it 'should issue new token' do
-        expect do
-          post password_token_endpoint_url(client: @client, resource_owner: @resource_owner, scope: 'public')
-        end.to change { Doorkeeper::AccessToken.count }.by(1)
-
-        token = Doorkeeper::AccessToken.first
-
-        expect(token.application_id).to eq @client.id
-        should_have_json 'access_token', token.token
-        should_have_json 'scope', 'public'
-      end
-    end
-  end
-
-  context 'with invalid scopes' do
-    subject do
-      post password_token_endpoint_url(client: @client,
-                                       resource_owner: @resource_owner,
-                                       scope: 'random')
-    end
-
-    it 'should not issue new token' do
-      expect { subject }.to_not(change { Doorkeeper::AccessToken.count })
-    end
-
-    it 'should return invalid_scope error' do
-      subject
-      should_have_json 'error', 'invalid_scope'
-      should_have_json 'error_description', translated_error_message(:invalid_scope)
-      should_not_have_json 'access_token'
-
-      expect(response.status).to eq(401)
-    end
-  end
-
-  context 'with invalid user credentials' do
-    it 'should not issue new token with bad password' do
-      expect do
-        post password_token_endpoint_url(client: @client,
-                                         resource_owner_username: @resource_owner.name,
-                                         resource_owner_password: 'wrongpassword')
-      end.to_not(change { Doorkeeper::AccessToken.count })
-    end
-
-    it 'should not issue new token without credentials' do
-      expect do
-        post password_token_endpoint_url(client: @client)
-      end.to_not(change { Doorkeeper::AccessToken.count })
-    end
-  end
-
-  context 'with invalid confidential client credentials' do
-    it 'should not issue new token with bad client credentials' do
-      expect do
-        post password_token_endpoint_url(client_id: @client.uid,
-                                         client_secret: 'bad_secret',
-                                         resource_owner: @resource_owner)
-      end.to_not(change { Doorkeeper::AccessToken.count })
-    end
-  end
-
-  context 'with invalid public client id' do
-    it 'should not issue new token with bad client id' do
-      expect do
-        post password_token_endpoint_url(client_id: 'bad_id', resource_owner: @resource_owner)
-      end.to_not(change { Doorkeeper::AccessToken.count })
-    end
-  end
-end

data/spec/requests/flows/refresh_token_spec.rb

@@ -1,174 +0,0 @@
-require 'spec_helper_integration'
-
-describe 'Refresh Token Flow' do
-  before do
-    Doorkeeper.configure do
-      orm DOORKEEPER_ORM
-      use_refresh_token
-    end
-    client_exists
-  end
-
-  context 'issuing a refresh token' do
-    before do
-      authorization_code_exists application: @client
-    end
-
-    it 'client gets the refresh token and refreshses it' do
-      post token_endpoint_url(code: @authorization.token, client: @client)
-
-      token = Doorkeeper::AccessToken.first
-
-      should_have_json 'access_token',  token.token
-      should_have_json 'refresh_token', token.refresh_token
-
-      expect(@authorization.reload).to be_revoked
-
-      post refresh_token_endpoint_url(client: @client, refresh_token: token.refresh_token)
-
-      new_token = Doorkeeper::AccessToken.last
-      should_have_json 'access_token',  new_token.token
-      should_have_json 'refresh_token', new_token.refresh_token
-
-      expect(token.token).not_to         eq(new_token.token)
-      expect(token.refresh_token).not_to eq(new_token.refresh_token)
-    end
-  end
-
-  context 'refreshing the token' do
-    before do
-      @token = FactoryBot.create(
-        :access_token,
-        application: @client,
-        resource_owner_id: 1,
-        use_refresh_token: true
-      )
-    end
-
-    context "refresh_token revoked on use" do
-      it 'client request a token with refresh token' do
-        post refresh_token_endpoint_url(
-          client: @client, refresh_token: @token.refresh_token
-        )
-        should_have_json(
-          'refresh_token', Doorkeeper::AccessToken.last.refresh_token
-        )
-        expect(@token.reload).not_to be_revoked
-      end
-
-      it 'client request a token with expired access token' do
-        @token.update_attribute :expires_in, -100
-        post refresh_token_endpoint_url(
-          client: @client, refresh_token: @token.refresh_token
-        )
-        should_have_json(
-          'refresh_token', Doorkeeper::AccessToken.last.refresh_token
-        )
-        expect(@token.reload).not_to be_revoked
-      end
-    end
-
-    context "refresh_token revoked on refresh_token request" do
-      before do
-        allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
-      end
-
-      it 'client request a token with refresh token' do
-        post refresh_token_endpoint_url(
-          client: @client, refresh_token: @token.refresh_token
-        )
-        should_have_json(
-          'refresh_token', Doorkeeper::AccessToken.last.refresh_token
-        )
-        expect(@token.reload).to be_revoked
-      end
-
-      it 'client request a token with expired access token' do
-        @token.update_attribute :expires_in, -100
-        post refresh_token_endpoint_url(
-          client: @client, refresh_token: @token.refresh_token
-        )
-        should_have_json(
-          'refresh_token', Doorkeeper::AccessToken.last.refresh_token
-        )
-        expect(@token.reload).to be_revoked
-      end
-    end
-
-    it 'client gets an error for invalid refresh token' do
-      post refresh_token_endpoint_url(client: @client, refresh_token: 'invalid')
-      should_not_have_json 'refresh_token'
-      should_have_json 'error', 'invalid_grant'
-    end
-
-    it 'client gets an error for revoked access token' do
-      @token.revoke
-      post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
-      should_not_have_json 'refresh_token'
-      should_have_json 'error', 'invalid_grant'
-    end
-
-    it 'second of simultaneous client requests get an error for revoked access token' do
-      allow_any_instance_of(Doorkeeper::AccessToken).to receive(:revoked?).and_return(false, true)
-      post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
-
-      should_not_have_json 'refresh_token'
-      should_have_json 'error', 'invalid_request'
-    end
-  end
-
-  context 'refreshing the token with multiple sessions (devices)' do
-    before do
-      # enable password auth to simulate other devices
-      config_is_set(:grant_flows, ["password"])
-      config_is_set(:resource_owner_from_credentials) do
-        User.authenticate! params[:username], params[:password]
-      end
-      create_resource_owner
-      _another_token = post password_token_endpoint_url(
-        client: @client, resource_owner: @resource_owner
-      )
-      last_token.update_attribute :created_at, 5.seconds.ago
-
-      @token = FactoryBot.create(
-        :access_token,
-        application: @client,
-        resource_owner_id: @resource_owner.id,
-        use_refresh_token: true
-      )
-      @token.update_attribute :expires_in, -100
-    end
-
-    context "refresh_token revoked on use" do
-      it 'client request a token after creating another token with the same user' do
-        post refresh_token_endpoint_url(
-          client: @client, refresh_token: @token.refresh_token
-        )
-
-        should_have_json 'refresh_token', last_token.refresh_token
-        expect(@token.reload).not_to be_revoked
-      end
-    end
-
-    context "refresh_token revoked on refresh_token request" do
-      before do
-        allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
-      end
-
-      it 'client request a token after creating another token with the same user' do
-        post refresh_token_endpoint_url(
-          client: @client, refresh_token: @token.refresh_token
-        )
-
-        should_have_json 'refresh_token', last_token.refresh_token
-        expect(@token.reload).to be_revoked
-      end
-    end
-
-    def last_token
-      Doorkeeper::AccessToken.last_authorized_token_for(
-        @client.id, @resource_owner.id
-      )
-    end
-  end
-end