doorkeeper 4.4.0 → 5.6.6

data/lib/doorkeeper/config.rb

@@ -1,54 +1,18 @@
-module Doorkeeper
-  class MissingConfiguration < StandardError
-    # Defines a MissingConfiguration error for a missing Doorkeeper
-    # configuration
-    def initialize
-      super('Configuration for doorkeeper missing. Do you have doorkeeper initializer?')
-    end
-  end
+# frozen_string_literal: true
 
-  def self.configure(&block)
-    @config = Config::Builder.new(&block).build
-    setup_orm_adapter
-    setup_orm_models
-    setup_application_owner if @config.enable_application_owner?
-  end
-
-  def self.configuration
-    @config || (fail MissingConfiguration)
-  end
-
-  def self.setup_orm_adapter
-    @orm_adapter = "doorkeeper/orm/#{configuration.orm}".classify.constantize
-  rescue NameError => e
-    fail e, "ORM adapter not found (#{configuration.orm})", <<-ERROR_MSG.squish
-[doorkeeper] ORM adapter not found (#{configuration.orm}), or there was an error
-trying to load it.
-
-You probably need to add the related gem for this adapter to work with
-doorkeeper.
-      ERROR_MSG
-  end
-
-  def self.setup_orm_models
-    @orm_adapter.initialize_models!
-  end
-
-  def self.setup_application_owner
-    @orm_adapter.initialize_application_owner!
-  end
+require "doorkeeper/config/abstract_builder"
+require "doorkeeper/config/option"
+require "doorkeeper/config/validations"
 
+module Doorkeeper
+  # Doorkeeper option DSL could be reused in extensions to build their own
+  # configurations. To use the Option DSL gems need to define `builder_class` method
+  # that returns configuration Builder class. This exception raises when they don't
+  # define it.
+  #
   class Config
-    class Builder
-      def initialize(&block)
-        @config = Config.new
-        instance_eval(&block)
-      end
-
-      def build
-        @config
-      end
-
+    # Default Doorkeeper configuration builder
+    class Builder < AbstractBuilder
       # Provide support for an owner to be assigned to each registered
       # application (disabled by default)
       # Optional parameter confirmation: true (default false) if you want
@@ -83,6 +47,13 @@ doorkeeper.
         @config.instance_variable_set(:@optional_scopes, OAuth::Scopes.from_array(scopes))
       end
 
+      # Define scopes_by_grant_type to limit certain scope to certain grant_type
+      # @param { Hash } with grant_types as keys.
+      # Default set to {} i.e. no limitation on scopes usage
+      def scopes_by_grant_type(hash = {})
+        @config.instance_variable_set(:@scopes_by_grant_type, hash)
+      end
+
       # Change the way client credentials are retrieved from the request object.
       # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
       # falls back to the `:client_id` and `:client_secret` params from the
@@ -90,7 +61,7 @@ doorkeeper.
       #
       # @param methods [Array] Define client credentials
       def client_credentials(*methods)
-        @config.instance_variable_set(:@client_credentials, methods)
+        @config.instance_variable_set(:@client_credentials_methods, methods)
       end
 
       # Change the way access token is authenticated from the request object.
@@ -103,9 +74,12 @@ doorkeeper.
         @config.instance_variable_set(:@access_token_methods, methods)
       end
 
-      # Issue access tokens with refresh token (disabled by default)
-      def use_refresh_token
-        @config.instance_variable_set(:@refresh_token_enabled, true)
+      # Issue access tokens with refresh token (disabled if not set)
+      def use_refresh_token(enabled = true, &block)
+        @config.instance_variable_set(
+          :@refresh_token_enabled,
+          block || enabled,
+        )
       end
 
       # Reuse access token for the same resource owner within an application
@@ -114,95 +88,201 @@ doorkeeper.
       def reuse_access_token
         @config.instance_variable_set(:@reuse_access_token, true)
       end
-    end
 
-    module Option
-      # Defines configuration option
-      #
-      # When you call option, it defines two methods. One method will take place
-      # in the +Config+ class and the other method will take place in the
-      # +Builder+ class.
-      #
-      # The +name+ parameter will set both builder method and config attribute.
-      # If the +:as+ option is defined, the builder method will be the specified
-      # option while the config attribute will be the +name+ parameter.
-      #
-      # If you want to introduce another level of config DSL you can
-      # define +builder_class+ parameter.
-      # Builder should take a block as the initializer parameter and respond to function +build+
-      # that returns the value of the config attribute.
-      #
-      # ==== Options
-      #
-      # * [:+as+] Set the builder method that goes inside +configure+ block
-      # * [+:default+] The default value in case no option was set
-      #
-      # ==== Examples
+      # Choose to use the url path for native autorization codes 
+      # Enabling this flag sets the authorization code response route for
+      # native redirect uris to oauth/authorize/<code>. The default is
+      # oauth/authorize/native?code=<code>.
+      # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/1143
+      def use_url_path_for_native_authorization
+        @config.instance_variable_set(:@use_url_path_for_native_authorization, true)
+      end
+
+      # TODO: maybe make it more generic for other flows too?
+      # Only allow one valid access token obtained via client credentials
+      # per client. If a new access token is obtained before the old one
+      # expired, the old one gets revoked (disabled by default)
+      def revoke_previous_client_credentials_token
+        @config.instance_variable_set(:@revoke_previous_client_credentials_token, true)
+      end
+
+      # Use an API mode for applications generated with --api argument
+      # It will skip applications controller, disable forgery protection
+      def api_only
+        @config.instance_variable_set(:@api_only, true)
+      end
+
+      # Enables polymorphic Resource Owner association for Access Grant and
+      # Access Token models. Requires additional database columns to be setup.
+      def use_polymorphic_resource_owner
+        @config.instance_variable_set(:@polymorphic_resource_owner, true)
+      end
+
+      # Forbids creating/updating applications with arbitrary scopes that are
+      # not in configuration, i.e. `default_scopes` or `optional_scopes`.
+      # (disabled by default)
+      def enforce_configured_scopes
+        @config.instance_variable_set(:@enforce_configured_scopes, true)
+      end
+
+      # Enforce request content type as the spec requires:
+      # disabled by default for backward compatibility.
+      def enforce_content_type
+        @config.instance_variable_set(:@enforce_content_type, true)
+      end
+
+      # Allow optional hashing of input tokens before persisting them.
+      # Will be used for hashing of input token and grants.
       #
-      #    option :name
-      #    option :name, as: :set_name
-      #    option :name, default: 'My Name'
-      #    option :scopes builder_class: ScopesBuilder
+      # @param using
+      #   Provide a different secret storage implementation class for tokens
+      # @param fallback
+      #   Provide a fallback secret storage implementation class for tokens
+      #   or use :plain to fallback to plain tokens
+      def hash_token_secrets(using: nil, fallback: nil)
+        default = "::Doorkeeper::SecretStoring::Sha256Hash"
+        configure_secrets_for :token,
+                              using: using || default,
+                              fallback: fallback
+      end
+
+      # Allow optional hashing of application secrets before persisting them.
+      # Will be used for hashing of input token and grants.
       #
-      def option(name, options = {})
-        attribute = options[:as] || name
-        attribute_builder = options[:builder_class]
-
-        Builder.instance_eval do
-          remove_method name if method_defined?(name)
-          define_method name do |*args, &block|
-            # TODO: is builder_class option being used?
-            value = if attribute_builder
-                      attribute_builder.new(&block).build
-                    else
-                      block ? block : args.first
-                    end
-
-            @config.instance_variable_set(:"@#{attribute}", value)
-          end
-        end
+      # @param using
+      #   Provide a different secret storage implementation for applications
+      # @param fallback
+      #   Provide a fallback secret storage implementation for applications
+      #   or use :plain to fallback to plain application secrets
+      def hash_application_secrets(using: nil, fallback: nil)
+        default = "::Doorkeeper::SecretStoring::Sha256Hash"
+        configure_secrets_for :application,
+                              using: using || default,
+                              fallback: fallback
+      end
+
+      private
 
-        define_method attribute do |*_args|
-          if instance_variable_defined?(:"@#{attribute}")
-            instance_variable_get(:"@#{attribute}")
-          else
-            options[:default]
-          end
+      # Configure the secret storing functionality
+      def configure_secrets_for(type, using:, fallback:)
+        raise ArgumentError, "Invalid type #{type}" if %i[application token].exclude?(type)
+
+        @config.instance_variable_set(:"@#{type}_secret_strategy", using.constantize)
+
+        if fallback.nil?
+          return
+        elsif fallback.to_sym == :plain
+          fallback = "::Doorkeeper::SecretStoring::Plain"
         end
 
-        public attribute
+        @config.instance_variable_set(:"@#{type}_secret_fallback_strategy", fallback.constantize)
       end
     end
 
+    # Replace with `default: Builder` when we drop support of Rails < 5.2
+    mattr_reader(:builder_class) { Builder }
+
     extend Option
+    include Validations
 
     option :resource_owner_authenticator,
            as: :authenticate_resource_owner,
            default: (lambda do |_routes|
-             ::Rails.logger.warn(I18n.t('doorkeeper.errors.messages.resource_owner_authenticator_not_configured'))
+             ::Rails.logger.warn(
+               I18n.t("doorkeeper.errors.messages.resource_owner_authenticator_not_configured"),
+             )
+
              nil
            end)
 
     option :admin_authenticator,
            as: :authenticate_admin,
-           default: ->(_routes) {}
+           default: (lambda do |_routes|
+             ::Rails.logger.warn(
+               I18n.t("doorkeeper.errors.messages.admin_authenticator_not_configured"),
+             )
+
+             head :forbidden
+           end)
 
     option :resource_owner_from_credentials,
            default: (lambda do |_routes|
-             ::Rails.logger.warn(I18n.t('doorkeeper.errors.messages.credential_flow_not_configured'))
+             ::Rails.logger.warn(
+               I18n.t("doorkeeper.errors.messages.credential_flow_not_configured"),
+             )
+
              nil
            end)
-    option :before_successful_strategy_response, default: ->(_request) {}
-    option :after_successful_strategy_response,
-           default: ->(_request, _response) {}
+
+    # Hooks for authorization
+    option :before_successful_authorization,      default: ->(_controller, _context = nil) {}
+    option :after_successful_authorization,       default: ->(_controller, _context = nil) {}
+    # Hooks for strategies responses
+    option :before_successful_strategy_response,  default: ->(_request) {}
+    option :after_successful_strategy_response,   default: ->(_request, _response) {}
+    # Allows to customize Token Introspection response
+    option :custom_introspection_response,        default: ->(_token, _context) { {} }
+
     option :skip_authorization,             default: ->(_routes) {}
     option :access_token_expires_in,        default: 7200
-    option :custom_access_token_expires_in, default: ->(_app) { nil }
+    option :custom_access_token_expires_in, default: ->(_context) { nil }
     option :authorization_code_expires_in,  default: 600
     option :orm,                            default: :active_record
-    option :native_redirect_uri,            default: 'urn:ietf:wg:oauth:2.0:oob'
-    option :active_record_options,          default: {}
+    option :native_redirect_uri,            default: "urn:ietf:wg:oauth:2.0:oob", deprecated: true
     option :grant_flows,                    default: %w[authorization_code client_credentials]
+    option :handle_auth_errors,             default: :render
+    option :token_lookup_batch_size,        default: 10_000
+    # Sets the token_reuse_limit
+    # It will be used only when reuse_access_token option in enabled
+    # By default it will be 100
+    # It will be used for token reusablity to some threshold percentage
+    # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/1189
+    option :token_reuse_limit,              default: 100
+
+    # Don't require client authentication for password grants. If client credentials
+    # are present they will still be validated, and the grant rejected if the credentials
+    # are invalid.
+    #
+    # This is discouraged. Spec says that password grants always require a client.
+    #
+    # See https://github.com/doorkeeper-gem/doorkeeper/issues/1412#issuecomment-632750422
+    # and https://github.com/doorkeeper-gem/doorkeeper/pull/1420
+    #
+    # Since many applications use this unsafe behavior in the wild, this is kept as a
+    # not-recommended option. You should be aware that you are not following the OAuth
+    # spec, and understand the security implications of doing so.
+    option :skip_client_authentication_for_password_grant,
+           default: false
+
+    # Hook to allow arbitrary user-client authorization
+    option :authorize_resource_owner_for_client,
+           default: ->(_client, _resource_owner) { true }
+
+    # Allows to customize OAuth grant flows that +each+ application support.
+    # You can configure a custom block (or use a class respond to `#call`) that must
+    # return `true` in case Application instance supports requested OAuth grant flow
+    # during the authorization request to the server. This configuration +doesn't+
+    # set flows per application, it only allows to check if application supports
+    # specific grant flow.
+    #
+    # For example you can add an additional database column to `oauth_applications` table,
+    # say `t.array :grant_flows, default: []`, and store allowed grant flows that can
+    # be used with this application there. Then when authorization requested Doorkeeper
+    # will call this block to check if specific Application (passed with client_id and/or
+    # client_secret) is allowed to perform the request for the specific grant type
+    # (authorization, password, client_credentials, etc).
+    #
+    # Example of the block:
+    #
+    #   ->(flow, client) { client.grant_flows.include?(flow) }
+    #
+    # In case this option invocation result is `false`, Doorkeeper server returns
+    # :unauthorized_client error and stops the request.
+    #
+    # @param allow_grant_flow_for_client [Proc] Block or any object respond to #call
+    # @return [Boolean] `true` if allow or `false` if forbid the request
+    #
+    option :allow_grant_flow_for_client,    default: ->(_grant_flow, _client) { true }
 
     # Allows to forbid specific Application redirect URI's by custom rules.
     # Doesn't forbid any URI by default.
@@ -215,7 +295,7 @@ doorkeeper.
     #
     # @param realm [String] ("Doorkeeper") Authentication realm
     #
-    option :realm,                          default: 'Doorkeeper'
+    option :realm,                          default: "Doorkeeper"
 
     # Forces the usage of the HTTPS protocol in non-native redirect uris
     # (enabled by default in non-development environments). OAuth2
@@ -232,39 +312,205 @@ doorkeeper.
     #
     option :force_ssl_in_redirect_uri,      default: !Rails.env.development?
 
-
     # Use a custom class for generating the access token.
-    # https://github.com/doorkeeper-gem/doorkeeper#custom-access-token-generator
+    # https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-access-token-generator
     #
     # @param access_token_generator [String]
     #   the name of the access token generator class
     #
     option :access_token_generator,
-           default: 'Doorkeeper::OAuth::Helpers::UniqueToken'
+           default: "Doorkeeper::OAuth::Helpers::UniqueToken"
+
+    # Allows additional data to be received when granting access to an Application, and for this
+    # additional data to be sent with subsequently generated access tokens. The access grant and
+    # access token models will both need to respond to the specified attribute names.
+    #
+    # @param attributes [Array] The array of custom attribute names to be saved
+    #
+    option :custom_access_token_attributes,
+           default: []
+
+    # Use a custom class for generating the application secret.
+    # https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-application-secret-generator
+    #
+    # @param application_secret_generator [String]
+    #   the name of the application secret generator class
+    #
+    option :application_secret_generator,
+           default: "Doorkeeper::OAuth::Helpers::UniqueToken"
+
+    # Default access token generator is a SecureRandom class from Ruby stdlib.
+    # This option defines which method will be used to generate a unique token value.
+    #
+    # @param default_generator_method [Symbol]
+    #   the method name of the default access token generator
+    #
+    option :default_generator_method, default: :urlsafe_base64
 
     # The controller Doorkeeper::ApplicationController inherits from.
     # Defaults to ActionController::Base.
-    # https://github.com/doorkeeper-gem/doorkeeper#custom-base-controller
+    # https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-controllers
     #
     # @param base_controller [String] the name of the base controller
     option :base_controller,
-           default: 'ActionController::Base'
+           default: (lambda do
+             api_only ? "ActionController::API" : "ActionController::Base"
+           end)
+
+    # The controller Doorkeeper::ApplicationMetalController inherits from.
+    # Defaults to ActionController::API.
+    #
+    # @param base_metal_controller [String] the name of the base controller
+    option :base_metal_controller,
+           default: "ActionController::API"
+
+    option :access_token_class,
+           default: "Doorkeeper::AccessToken"
+
+    option :access_grant_class,
+           default: "Doorkeeper::AccessGrant"
 
-    attr_reader :reuse_access_token
+    option :application_class,
+           default: "Doorkeeper::Application"
+
+    # Allows to set blank redirect URIs for Applications in case
+    # server configured to use URI-less grant flows.
+    #
+    option :allow_blank_redirect_uri,
+           default: (lambda do |grant_flows, _application|
+             grant_flows.exclude?("authorization_code") &&
+               grant_flows.exclude?("implicit")
+           end)
+
+    # Configure protection of token introspection request.
+    # By default this configuration allows to introspect a token by
+    # another token of the same application, or to introspect the token
+    # that belongs to authorized client, or access token has been introspected
+    # is a public one (doesn't belong to any client)
+    #
+    # You can define any custom rule you need or just disable token
+    # introspection at all.
+    #
+    # @param token [Doorkeeper::AccessToken]
+    #   token to be introspected
+    #
+    # @param authorized_client [Doorkeeper::Application]
+    #   authorized client (if request is authorized using Basic auth with
+    #   Client Credentials for example)
+    #
+    # @param authorized_token [Doorkeeper::AccessToken]
+    #   Bearer token used to authorize the request
+    #
+    option :allow_token_introspection,
+           default: (lambda do |token, authorized_client, authorized_token|
+             if authorized_token
+               authorized_token.application == token&.application
+             elsif token.application
+               authorized_client == token.application
+             else
+               true
+             end
+           end)
+
+    attr_reader :reuse_access_token,
+                :token_secret_fallback_strategy,
+                :application_secret_fallback_strategy
+
+    def clear_cache!
+      %i[
+        application_model
+        access_token_model
+        access_grant_model
+      ].each do |var|
+        remove_instance_variable("@#{var}") if instance_variable_defined?("@#{var}")
+      end
+    end
+
+    # Doorkeeper Access Token model class.
+    #
+    # @return [ActiveRecord::Base, Mongoid::Document, Sequel::Model]
+    #
+    def access_token_model
+      @access_token_model ||= access_token_class.constantize
+    end
+
+    # Doorkeeper Access Grant model class.
+    #
+    # @return [ActiveRecord::Base, Mongoid::Document, Sequel::Model]
+    #
+    def access_grant_model
+      @access_grant_model ||= access_grant_class.constantize
+    end
+
+    # Doorkeeper Application model class.
+    #
+    # @return [ActiveRecord::Base, Mongoid::Document, Sequel::Model]
+    #
+    def application_model
+      @application_model ||= application_class.constantize
+    end
+
+    def api_only
+      @api_only ||= false
+    end
+
+    def enforce_content_type
+      @enforce_content_type ||= false
+    end
 
     def refresh_token_enabled?
-      @refresh_token_enabled ||= false
-      !!@refresh_token_enabled
+      if defined?(@refresh_token_enabled)
+        @refresh_token_enabled
+      else
+        false
+      end
+    end
+
+    def resolve_controller(name)
+      config_option = public_send(:"#{name}_controller")
+      controller_name = if config_option.respond_to?(:call)
+                          instance_exec(&config_option)
+                        else
+                          config_option
+                        end
+
+      controller_name.constantize
+    end
+
+    def revoke_previous_client_credentials_token?
+      option_set? :revoke_previous_client_credentials_token
+    end
+
+    def enforce_configured_scopes?
+      option_set? :enforce_configured_scopes
     end
 
     def enable_application_owner?
-      @enable_application_owner ||= false
-      !!@enable_application_owner
+      option_set? :enable_application_owner
+    end
+
+    def polymorphic_resource_owner?
+      option_set? :polymorphic_resource_owner
     end
 
     def confirm_application_owner?
-      @confirm_application_owner ||= false
-      !!@confirm_application_owner
+      option_set? :confirm_application_owner
+    end
+
+    def raise_on_errors?
+      handle_auth_errors == :raise
+    end
+
+    def application_secret_hashed?
+      instance_variable_defined?(:"@application_secret_strategy")
+    end
+
+    def token_secret_strategy
+      @token_secret_strategy ||= ::Doorkeeper::SecretStoring::Plain
+    end
+
+    def application_secret_strategy
+      @application_secret_strategy ||= ::Doorkeeper::SecretStoring::Plain
     end
 
     def default_scopes
@@ -279,41 +525,130 @@ doorkeeper.
       @scopes ||= default_scopes + optional_scopes
     end
 
+    def scopes_by_grant_type
+      @scopes_by_grant_type ||= {}
+    end
+
     def client_credentials_methods
-      @client_credentials ||= %i[from_basic from_params]
+      @client_credentials_methods ||= %i[from_basic from_params]
     end
 
     def access_token_methods
-      @access_token_methods ||= %i[from_bearer_authorization from_access_token_param from_bearer_param]
+      @access_token_methods ||= %i[
+        from_bearer_authorization
+        from_access_token_param
+        from_bearer_param
+      ]
+    end
+
+    def enabled_grant_flows
+      @enabled_grant_flows ||= calculate_grant_flows.map { |name| Doorkeeper::GrantFlow.get(name) }.compact
+    end
+
+    def authorization_response_flows
+      @authorization_response_flows ||= enabled_grant_flows.select(&:handles_response_type?) +
+                                        deprecated_authorization_flows
+    end
+
+    def token_grant_flows
+      @token_grant_flows ||= calculate_token_grant_flows
     end
 
     def authorization_response_types
-      @authorization_response_types ||= calculate_authorization_response_types
+      authorization_response_flows.map(&:response_type_matches)
     end
 
     def token_grant_types
-      @token_grant_types ||= calculate_token_grant_types
+      token_grant_flows.map(&:grant_type_matches)
     end
 
-    private
+    # [NOTE]: deprecated and will be removed soon
+    def deprecated_token_grant_types_resolver
+      @deprecated_token_grant_types ||= calculate_token_grant_types
+    end
+    
+    def native_authorization_code_route
+      @use_url_path_for_native_authorization = false unless defined?(@use_url_path_for_native_authorization)
+      @use_url_path_for_native_authorization ? '/:code' : '/native'
+    end
 
-    # Determines what values are acceptable for 'response_type' param in
-    # authorization request endpoint, and return them as an array of strings.
-    #
+    # [NOTE]: deprecated and will be removed soon
+    def deprecated_authorization_flows
+      response_types = calculate_authorization_response_types
+
+      if response_types.any?
+        ::Kernel.warn <<~WARNING
+          Please, don't patch Doorkeeper::Config#calculate_authorization_response_types method.
+          Register your custom grant flows using the public API:
+          `Doorkeeper::GrantFlow.register(grant_flow_name, **options)`.
+        WARNING
+      end
+
+      response_types.map do |response_type|
+        Doorkeeper::GrantFlow::FallbackFlow.new(response_type, response_type_matches: response_type)
+      end
+    end
+
+    # [NOTE]: deprecated and will be removed soon
     def calculate_authorization_response_types
-      types = []
-      types << 'code'  if grant_flows.include? 'authorization_code'
-      types << 'token' if grant_flows.include? 'implicit'
-      types
+      []
     end
 
-    # Determines what values are acceptable for 'grant_type' param token
-    # request endpoint, and return them in array.
-    #
+    # [NOTE]: deprecated and will be removed soon
     def calculate_token_grant_types
-      types = grant_flows - ['implicit']
-      types << 'refresh_token' if refresh_token_enabled?
+      types = grant_flows - ["implicit"]
+      types << "refresh_token" if refresh_token_enabled?
       types
     end
+
+    # Calculates grant flows configured by the user in Doorkeeper
+    # configuration considering registered aliases that is exposed
+    # to single or multiple other flows.
+    #
+    def calculate_grant_flows
+      configured_flows = grant_flows.map(&:to_s)
+      aliases = Doorkeeper::GrantFlow.aliases.keys.map(&:to_s)
+
+      flows = configured_flows - aliases
+      aliases.each do |flow_alias|
+        next unless configured_flows.include?(flow_alias)
+
+        flows.concat(Doorkeeper::GrantFlow.expand_alias(flow_alias))
+      end
+
+      flows.flatten.uniq
+    end
+
+    def allow_blank_redirect_uri?(application = nil)
+      if allow_blank_redirect_uri.respond_to?(:call)
+        allow_blank_redirect_uri.call(grant_flows, application)
+      else
+        allow_blank_redirect_uri
+      end
+    end
+
+    def allow_grant_flow_for_client?(grant_flow, client)
+      return true unless option_defined?(:allow_grant_flow_for_client)
+
+      allow_grant_flow_for_client.call(grant_flow, client)
+    end
+
+    def option_defined?(name)
+      instance_variable_defined?("@#{name}")
+    end
+
+    private
+
+    # Helper to read boolearized configuration option
+    def option_set?(instance_key)
+      var = instance_variable_get("@#{instance_key}")
+      !!(defined?(var) && var)
+    end
+
+    def calculate_token_grant_flows
+      flows = enabled_grant_flows.select(&:handles_grant_type?)
+      flows << Doorkeeper::GrantFlow.get("refresh_token") if refresh_token_enabled?
+      flows
+    end
   end
 end