doorkeeper 4.4.3 → 5.0.0.rc1
- checksums.yaml +4 -4
- data/.gitignore +1 -0
- data/.travis.yml +2 -0
- data/Appraisals +2 -2
- data/Gemfile +1 -1
- data/NEWS.md +36 -17
- data/README.md +85 -3
- data/Rakefile +6 -0
- data/app/assets/stylesheets/doorkeeper/admin/application.css +2 -2
- data/app/controllers/doorkeeper/application_controller.rb +4 -3
- data/app/controllers/doorkeeper/application_metal_controller.rb +4 -0
- data/app/controllers/doorkeeper/applications_controller.rb +42 -22
- data/app/controllers/doorkeeper/authorizations_controller.rb +55 -12
- data/app/controllers/doorkeeper/authorized_applications_controller.rb +15 -1
- data/app/controllers/doorkeeper/tokens_controller.rb +12 -15
- data/app/helpers/doorkeeper/dashboard_helper.rb +7 -7
- data/app/validators/redirect_uri_validator.rb +3 -2
- data/app/views/doorkeeper/applications/_delete_form.html.erb +3 -1
- data/app/views/doorkeeper/applications/_form.html.erb +25 -24
- data/app/views/doorkeeper/applications/edit.html.erb +1 -1
- data/app/views/doorkeeper/applications/index.html.erb +17 -7
- data/app/views/doorkeeper/applications/new.html.erb +1 -1
- data/app/views/doorkeeper/applications/show.html.erb +6 -6
- data/app/views/doorkeeper/authorizations/error.html.erb +1 -1
- data/app/views/doorkeeper/authorizations/new.html.erb +4 -0
- data/app/views/layouts/doorkeeper/admin.html.erb +15 -15
- data/config/locales/en.yml +9 -1
- data/doorkeeper.gemspec +0 -2
- data/gemfiles/rails_5_2.gemfile +1 -1
- data/lib/doorkeeper/config.rb +58 -35
- data/lib/doorkeeper/engine.rb +4 -0
- data/lib/doorkeeper/errors.rb +2 -5
- data/lib/doorkeeper/grape/helpers.rb +1 -1
- data/lib/doorkeeper/helpers/controller.rb +7 -2
- data/lib/doorkeeper/models/access_grant_mixin.rb +56 -0
- data/lib/doorkeeper/models/access_token_mixin.rb +38 -21
- data/lib/doorkeeper/models/concerns/scopes.rb +1 -1
- data/lib/doorkeeper/oauth/authorization/code.rb +31 -8
- data/lib/doorkeeper/oauth/authorization/context.rb +15 -0
- data/lib/doorkeeper/oauth/authorization/token.rb +23 -6
- data/lib/doorkeeper/oauth/authorization_code_request.rb +27 -2
- data/lib/doorkeeper/oauth/base_request.rb +18 -8
- data/lib/doorkeeper/oauth/client/credentials.rb +1 -1
- data/lib/doorkeeper/oauth/client_credentials/issuer.rb +6 -1
- data/lib/doorkeeper/oauth/client_credentials/validation.rb +4 -2
- data/lib/doorkeeper/oauth/error_response.rb +11 -3
- data/lib/doorkeeper/oauth/helpers/scope_checker.rb +0 -8
- data/lib/doorkeeper/oauth/password_access_token_request.rb +7 -4
- data/lib/doorkeeper/oauth/pre_authorization.rb +41 -11
- data/lib/doorkeeper/oauth/refresh_token_request.rb +6 -1
- data/lib/doorkeeper/oauth/scopes.rb +1 -1
- data/lib/doorkeeper/oauth/token.rb +5 -2
- data/lib/doorkeeper/oauth/token_introspection.rb +2 -2
- data/lib/doorkeeper/oauth/token_response.rb +4 -2
- data/lib/doorkeeper/oauth.rb +13 -0
- data/lib/doorkeeper/orm/active_record/application.rb +13 -16
- data/lib/doorkeeper/orm/active_record/stale_records_cleaner.rb +26 -0
- data/lib/doorkeeper/orm/active_record.rb +2 -0
- data/lib/doorkeeper/rails/helpers.rb +2 -4
- data/lib/doorkeeper/rails/routes.rb +14 -6
- data/lib/doorkeeper/rake/db.rake +40 -0
- data/lib/doorkeeper/rake/setup.rake +6 -0
- data/lib/doorkeeper/rake.rb +14 -0
- data/lib/doorkeeper/request.rb +28 -28
- data/lib/doorkeeper/version.rb +5 -25
- data/lib/doorkeeper.rb +4 -17
- data/lib/generators/doorkeeper/application_owner_generator.rb +23 -18
- data/lib/generators/doorkeeper/confidential_applications_generator.rb +32 -0
- data/lib/generators/doorkeeper/install_generator.rb +17 -9
- data/lib/generators/doorkeeper/migration_generator.rb +23 -18
- data/lib/generators/doorkeeper/pkce_generator.rb +32 -0
- data/lib/generators/doorkeeper/previous_refresh_token_generator.rb +29 -24
- data/lib/generators/doorkeeper/templates/add_confidential_to_applications.rb.erb +13 -0
- data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +6 -0
- data/lib/generators/doorkeeper/templates/initializer.rb +60 -9
- data/lib/generators/doorkeeper/views_generator.rb +3 -1
- data/spec/controllers/application_metal_controller_spec.rb +50 -0
- data/spec/controllers/applications_controller_spec.rb +126 -13
- data/spec/controllers/authorizations_controller_spec.rb +252 -49
- data/spec/controllers/protected_resources_controller_spec.rb +16 -16
- data/spec/controllers/token_info_controller_spec.rb +4 -12
- data/spec/controllers/tokens_controller_spec.rb +19 -73
- data/spec/dummy/app/assets/config/manifest.js +2 -0
- data/spec/dummy/config/environments/test.rb +4 -5
- data/spec/dummy/config/initializers/doorkeeper.rb +5 -4
- data/spec/dummy/config/initializers/new_framework_defaults.rb +4 -0
- data/spec/dummy/config/routes.rb +3 -42
- data/spec/dummy/db/migrate/20170822064514_enable_pkce.rb +6 -0
- data/spec/dummy/db/migrate/{20180210183654_add_confidential_to_application.rb → 20180210183654_add_confidential_to_applications.rb} +1 -1
- data/spec/dummy/db/schema.rb +36 -36
- data/spec/generators/application_owner_generator_spec.rb +1 -1
- data/spec/generators/confidential_applications_generator_spec.rb +45 -0
- data/spec/generators/install_generator_spec.rb +1 -1
- data/spec/generators/migration_generator_spec.rb +1 -1
- data/spec/generators/pkce_generator_spec.rb +43 -0
- data/spec/generators/previous_refresh_token_generator_spec.rb +1 -1
- data/spec/generators/views_generator_spec.rb +1 -1
- data/spec/grape/grape_integration_spec.rb +1 -1
- data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +1 -1
- data/spec/lib/config_spec.rb +51 -31
- data/spec/lib/doorkeeper_spec.rb +1 -126
- data/spec/lib/models/expirable_spec.rb +0 -3
- data/spec/lib/models/revocable_spec.rb +0 -2
- data/spec/lib/models/scopes_spec.rb +0 -4
- data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -4
- data/spec/lib/oauth/authorization_code_request_spec.rb +9 -2
- data/spec/lib/oauth/base_request_spec.rb +16 -2
- data/spec/lib/oauth/base_response_spec.rb +1 -1
- data/spec/lib/oauth/client/credentials_spec.rb +1 -3
- data/spec/lib/oauth/client_credentials/creator_spec.rb +5 -1
- data/spec/lib/oauth/client_credentials/issuer_spec.rb +26 -7
- data/spec/lib/oauth/client_credentials/validation_spec.rb +2 -3
- data/spec/lib/oauth/client_credentials_integration_spec.rb +1 -1
- data/spec/lib/oauth/client_credentials_request_spec.rb +3 -5
- data/spec/lib/oauth/client_spec.rb +0 -3
- data/spec/lib/oauth/code_request_spec.rb +4 -2
- data/spec/lib/oauth/error_response_spec.rb +0 -3
- data/spec/lib/oauth/error_spec.rb +0 -2
- data/spec/lib/oauth/forbidden_token_response_spec.rb +1 -4
- data/spec/lib/oauth/helpers/scope_checker_spec.rb +0 -3
- data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -1
- data/spec/lib/oauth/helpers/uri_checker_spec.rb +5 -7
- data/spec/lib/oauth/invalid_token_response_spec.rb +1 -4
- data/spec/lib/oauth/password_access_token_request_spec.rb +37 -2
- data/spec/lib/oauth/pre_authorization_spec.rb +33 -4
- data/spec/lib/oauth/refresh_token_request_spec.rb +11 -7
- data/spec/lib/oauth/scopes_spec.rb +0 -3
- data/spec/lib/oauth/token_request_spec.rb +4 -5
- data/spec/lib/oauth/token_response_spec.rb +0 -1
- data/spec/lib/oauth/token_spec.rb +37 -14
- data/spec/lib/orm/active_record/stale_records_cleaner_spec.rb +79 -0
- data/spec/lib/request/strategy_spec.rb +0 -1
- data/spec/lib/server_spec.rb +1 -1
- data/spec/models/doorkeeper/access_grant_spec.rb +1 -1
- data/spec/models/doorkeeper/access_token_spec.rb +50 -16
- data/spec/models/doorkeeper/application_spec.rb +1 -47
- data/spec/requests/applications/applications_request_spec.rb +89 -1
- data/spec/requests/applications/authorized_applications_spec.rb +1 -1
- data/spec/requests/endpoints/authorization_spec.rb +1 -1
- data/spec/requests/endpoints/token_spec.rb +7 -5
- data/spec/requests/flows/authorization_code_errors_spec.rb +1 -1
- data/spec/requests/flows/authorization_code_spec.rb +198 -2
- data/spec/requests/flows/client_credentials_spec.rb +46 -6
- data/spec/requests/flows/implicit_grant_errors_spec.rb +1 -1
- data/spec/requests/flows/implicit_grant_spec.rb +38 -11
- data/spec/requests/flows/password_spec.rb +56 -2
- data/spec/requests/flows/refresh_token_spec.rb +2 -2
- data/spec/requests/flows/revoke_token_spec.rb +11 -11
- data/spec/requests/flows/skip_authorization_spec.rb +16 -11
- data/spec/requests/protected_resources/metal_spec.rb +1 -1
- data/spec/requests/protected_resources/private_api_spec.rb +1 -1
- data/spec/routing/custom_controller_routes_spec.rb +59 -7
- data/spec/routing/default_routes_spec.rb +2 -2
- data/spec/routing/scoped_routes_spec.rb +16 -2
- data/spec/spec_helper.rb +54 -3
- data/spec/spec_helper_integration.rb +2 -74
- data/spec/support/dependencies/{factory_girl.rb → factory_bot.rb} +0 -0
- data/spec/support/doorkeeper_rspec.rb +19 -0
- data/spec/support/helpers/authorization_request_helper.rb +4 -4
- data/spec/support/helpers/request_spec_helper.rb +2 -2
- data/spec/support/helpers/url_helper.rb +7 -3
- data/spec/support/http_method_shim.rb +12 -16
- data/spec/validators/redirect_uri_validator_spec.rb +7 -1
- data/spec/version/version_spec.rb +3 -3
- data/vendor/assets/stylesheets/doorkeeper/bootstrap.min.css +4 -5
- metadata +33 -31
- data/lib/generators/doorkeeper/add_client_confidentiality_generator.rb +0 -31
- data/lib/generators/doorkeeper/templates/add_confidential_to_application_migration.rb.erb +0 -11
- data/spec/controllers/application_metal_controller.rb +0 -10
@@ -0,0 +1,13 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
module Doorkeeper
|
4
|
+
module OAuth
|
5
|
+
GRANT_TYPES = [
|
6
|
+
AUTHORIZATION_CODE = 'authorization_code'.freeze,
|
7
|
+
IMPLICIT = 'implicit'.freeze,
|
8
|
+
PASSWORD = 'password'.freeze,
|
9
|
+
CLIENT_CREDENTIALS = 'client_credentials'.freeze,
|
10
|
+
REFRESH_TOKEN = 'refresh_token'.freeze
|
11
|
+
].freeze
|
12
|
+
end
|
13
|
+
end
|
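Review bot: With `# frozen_string_literal: true` on line 1 of this new file every string literal is already frozen, so the five `.freeze` calls on the `GRANT_TYPES` entries are no-ops and read as if the magic comment were missing; dropping them and keeping only the `.freeze` on the array itself says the same thing once. The constant list has no comment saying what consumes it; a line such as `# Names of the OAuth 2 flows Doorkeeper knows about; presumably the allowlist source for configured grant types.` would help, with the "presumably" resolved once the consumer is identified.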
@@ -13,6 +13,8 @@ module Doorkeeper
|
|
13
13
|
validates :redirect_uri, redirect_uri: true
|
14
14
|
validates :confidential, inclusion: { in: [true, false] }
|
15
15
|
|
16
|
+
validate :scopes_match_configured, if: :enforce_scopes?
|
17
|
+
|
16
18
|
before_validation :generate_uid, :generate_secret, on: :create
|
17
19
|
|
18
20
|
has_many :authorized_tokens, -> { where(revoked_at: nil) }, class_name: 'AccessToken'
|
@@ -32,22 +34,6 @@ module Doorkeeper
|
|
32
34
|
where(id: resource_access_tokens.select(:application_id).distinct)
|
33
35
|
end
|
34
36
|
|
35
|
-
# Fallback to existing, default behaviour of assuming all apps to be
|
36
|
-
# confidential if the migration hasn't been run
|
37
|
-
def confidential
|
38
|
-
return super if self.class.supports_confidentiality?
|
39
|
-
ActiveSupport::Deprecation.warn 'You are susceptible to security bug ' \
|
40
|
-
'CVE-2018-1000211. Please follow instructions outlined in ' \
|
41
|
-
'Doorkeeper::CVE_2018_1000211_WARNING'
|
42
|
-
true
|
43
|
-
end
|
44
|
-
|
45
|
-
alias_method :confidential?, :confidential
|
46
|
-
|
47
|
-
def self.supports_confidentiality?
|
48
|
-
column_names.include?('confidential')
|
49
|
-
end
|
50
|
-
|
51
37
|
private
|
52
38
|
|
53
39
|
def generate_uid
|
@@ -57,5 +43,16 @@ module Doorkeeper
|
|
57
43
|
def generate_secret
|
58
44
|
self.secret = UniqueToken.generate if secret.blank?
|
59
45
|
end
|
46
|
+
|
47
|
+
def scopes_match_configured
|
48
|
+
if scopes.present? &&
|
49
|
+
!ScopeChecker.valid?(scopes.to_s, Doorkeeper.configuration.scopes)
|
50
|
+
errors.add(:scopes, :not_match_configured)
|
51
|
+
end
|
52
|
+
end
|
53
|
+
|
54
|
+
def enforce_scopes?
|
55
|
+
Doorkeeper.configuration.enforce_configured_scopes?
|
56
|
+
end
|
60
57
|
end
|
61
58
|
end
|
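Review bot: Removing the `confidential` fallback together with `supports_confidentiality?` means an application record whose table still lacks the `confidential` column no longer degrades to `true`; the retained `validates :confidential, inclusion:` line and any `confidential?` caller will presumably fail with a NoMethodError instead, and `supports_confidentiality?` was public, so host applications may have called it. That is a defensible hard cut for a major version, but nothing in the model records it; a comment beside the validator such as `# The confidential column is mandatory since 5.0 (see ConfidentialApplicationsGenerator); there is no runtime fallback.` would explain the failure to someone upgrading without the migration. In the new `scopes_match_configured`, `ScopeChecker` is referenced unqualified from inside `Doorkeeper::Application`, which only resolves if the helper is aliased or included in this namespace — the hunk does not show that; `OAuth::Helpers::ScopeChecker` would make the dependency explicit if it is not.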
@@ -0,0 +1,26 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
module Doorkeeper
|
4
|
+
module Orm
|
5
|
+
module ActiveRecord
|
6
|
+
class StaleRecordsCleaner
|
7
|
+
def initialize(base_scope)
|
8
|
+
@base_scope = base_scope
|
9
|
+
end
|
10
|
+
|
11
|
+
def clean_revoked
|
12
|
+
table = @base_scope.arel_table
|
13
|
+
@base_scope.where.not(revoked_at: nil)
|
14
|
+
.where(table[:revoked_at].lt(Time.current))
|
15
|
+
.delete_all
|
16
|
+
end
|
17
|
+
|
18
|
+
def clean_expired(ttl)
|
19
|
+
table = @base_scope.arel_table
|
20
|
+
@base_scope.where(table[:created_at].lt(Time.current - ttl))
|
21
|
+
.delete_all
|
22
|
+
end
|
23
|
+
end
|
24
|
+
end
|
25
|
+
end
|
26
|
+
end
|
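Review bot: `clean_expired(ttl)` computes `Time.current - ttl` without checking `ttl`, and the rake task in this release passes `Doorkeeper.configuration.access_token_expires_in` straight in; if that setting is nil (the documented way to disable expiry, as I understand it) the subtraction raises a TypeError and the whole `doorkeeper:db:cleanup` run aborts. A guard at the top of the method, `return 0 if ttl.nil? # nil TTL means these records never expire`, keeps the task usable for such deployments. The expiry test also uses `created_at + ttl` only; if access tokens carry their own per-record `expires_in` (custom expirations), this is an approximation that can delete a longer-lived token early or keep a shorter-lived one, which is worth stating in a comment on the method. In `clean_revoked`, `where.not(revoked_at: nil)` is redundant with the `lt(Time.current)` comparison, since a NULL `revoked_at` never satisfies it.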
@@ -4,9 +4,7 @@ module Doorkeeper
|
|
4
4
|
def doorkeeper_authorize!(*scopes)
|
5
5
|
@_doorkeeper_scopes = scopes.presence || Doorkeeper.configuration.default_scopes
|
6
6
|
|
7
|
-
unless valid_doorkeeper_token?
|
8
|
-
doorkeeper_render_error
|
9
|
-
end
|
7
|
+
doorkeeper_render_error unless valid_doorkeeper_token?
|
10
8
|
end
|
11
9
|
|
12
10
|
def doorkeeper_unauthorized_render_options(**); end
|
@@ -68,7 +66,7 @@ module Doorkeeper
|
|
68
66
|
end
|
69
67
|
|
70
68
|
def doorkeeper_token
|
71
|
-
@
|
69
|
+
@doorkeeper_token ||= OAuth::Token.authenticate(
|
72
70
|
request,
|
73
71
|
*Doorkeeper.configuration.access_token_methods
|
74
72
|
)
|
@@ -4,6 +4,10 @@ require 'doorkeeper/rails/routes/mapper'
|
|
4
4
|
module Doorkeeper
|
5
5
|
module Rails
|
6
6
|
class Routes # :nodoc:
|
7
|
+
mattr_reader :mapping do
|
8
|
+
{}
|
9
|
+
end
|
10
|
+
|
7
11
|
module Helper
|
8
12
|
def use_doorkeeper(options = {}, &block)
|
9
13
|
Doorkeeper::Rails::Routes.new(self, &block).generate_routes!(options)
|
@@ -19,6 +23,10 @@ module Doorkeeper
|
|
19
23
|
def initialize(routes, &block)
|
20
24
|
@routes = routes
|
21
25
|
@mapping = Mapper.new.map(&block)
|
26
|
+
|
27
|
+
if Doorkeeper.configuration.api_only
|
28
|
+
@mapping.skips.push(:applications, :authorized_applications)
|
29
|
+
end
|
22
30
|
end
|
23
31
|
|
24
32
|
def generate_routes!(options)
|
@@ -36,7 +44,11 @@ module Doorkeeper
|
|
36
44
|
private
|
37
45
|
|
38
46
|
def map_route(name, method)
|
39
|
-
|
47
|
+
unless @mapping.skipped?(name)
|
48
|
+
send(method, @mapping[name])
|
49
|
+
|
50
|
+
mapping[name] = @mapping[name]
|
51
|
+
end
|
40
52
|
end
|
41
53
|
|
42
54
|
def authorization_routes(mapping)
|
@@ -47,7 +59,7 @@ module Doorkeeper
|
|
47
59
|
as: mapping[:as],
|
48
60
|
controller: mapping[:controllers]
|
49
61
|
) do
|
50
|
-
routes.get
|
62
|
+
routes.get '/native', action: :show, on: :member
|
51
63
|
routes.get '/', action: :new, on: :member
|
52
64
|
end
|
53
65
|
end
|
@@ -85,10 +97,6 @@ module Doorkeeper
|
|
85
97
|
def authorized_applications_routes(mapping)
|
86
98
|
routes.resources :authorized_applications, only: %i[index destroy], controller: mapping[:controllers]
|
87
99
|
end
|
88
|
-
|
89
|
-
def native_authorization_code_route
|
90
|
-
Doorkeeper.configuration.native_authorization_code_route
|
91
|
-
end
|
92
100
|
end
|
93
101
|
end
|
94
102
|
end
|
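Review bot: `mattr_reader :mapping` with a block default creates one process-wide Hash that `map_route` writes into on every route generation, so whatever `Doorkeeper::Rails::Routes.mapping` returns reflects the `use_doorkeeper` call that ran last; with two mounts (for example a scoped one beside the default) the earlier entries are overwritten, and on a routes reload entries for routes that are now skipped presumably linger. If a last-generated lookup is the intent, say so on the attribute: `# Last generated route mapping; overwritten by every use_doorkeeper call, not per mount.` The `unless @mapping.skipped?(name)` wrapper in `map_route` reads better as a guard, `return if @mapping.skipped?(name)`. The `api_only` branch in `initialize` is the only place the application-management UI is switched off, so a comment tying it to the option, `# api_only: expose the OAuth endpoints only, no application management routes.`, would make that easier to find.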
@@ -0,0 +1,40 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
namespace :doorkeeper do
|
4
|
+
namespace :db do
|
5
|
+
desc 'Removes stale data from doorkeeper related database tables'
|
6
|
+
task cleanup: [
|
7
|
+
'doorkeeper:db:cleanup:revoked_tokens',
|
8
|
+
'doorkeeper:db:cleanup:expired_tokens',
|
9
|
+
'doorkeeper:db:cleanup:revoked_grants',
|
10
|
+
'doorkeeper:db:cleanup:expired_grants'
|
11
|
+
]
|
12
|
+
|
13
|
+
namespace :cleanup do
|
14
|
+
desc 'Removes stale access tokens'
|
15
|
+
task revoked_tokens: 'doorkeeper:setup' do
|
16
|
+
cleaner = Doorkeeper::Orm::ActiveRecord::StaleRecordsCleaner.new(Doorkeeper::AccessToken)
|
17
|
+
cleaner.clean_revoked
|
18
|
+
end
|
19
|
+
|
20
|
+
desc 'Removes expired (TTL passed) access tokens'
|
21
|
+
task expired_tokens: 'doorkeeper:setup' do
|
22
|
+
expirable_tokens = Doorkeeper::AccessToken.where(refresh_token: nil)
|
23
|
+
cleaner = Doorkeeper::Orm::ActiveRecord::StaleRecordsCleaner.new(expirable_tokens)
|
24
|
+
cleaner.clean_expired(Doorkeeper.configuration.access_token_expires_in)
|
25
|
+
end
|
26
|
+
|
27
|
+
desc 'Removes stale access grants'
|
28
|
+
task revoked_grants: 'doorkeeper:setup' do
|
29
|
+
cleaner = Doorkeeper::Orm::ActiveRecord::StaleRecordsCleaner.new(Doorkeeper::AccessGrant)
|
30
|
+
cleaner.clean_revoked
|
31
|
+
end
|
32
|
+
|
33
|
+
desc 'Removes expired (TTL passed) access grants'
|
34
|
+
task expired_grants: 'doorkeeper:setup' do
|
35
|
+
cleaner = Doorkeeper::Orm::ActiveRecord::StaleRecordsCleaner.new(Doorkeeper::AccessGrant)
|
36
|
+
cleaner.clean_expired(Doorkeeper.configuration.authorization_code_expires_in)
|
37
|
+
end
|
38
|
+
end
|
39
|
+
end
|
40
|
+
end
|
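Review bot: The `desc` strings for `revoked_tokens` and `revoked_grants` say "Removes stale access tokens/grants" although those tasks delete only revoked records, and the umbrella `cleanup` task uses the same phrase; `desc 'Removes revoked access tokens'` and `desc 'Removes revoked access grants'` would tell `rake -T` users what each one does. The `expired_tokens` task passes `Doorkeeper.configuration.access_token_expires_in` straight to `clean_expired`, which raises a TypeError when that setting is nil, so either the task or the cleaner needs a nil guard. Each task issues a single unbounded `delete_all`; on a large token table that is one long statement holding locks, so a comment advising operators to run the task off-peak, or batching via `in_batches`, is worth considering.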
data/lib/doorkeeper/request.rb
CHANGED
@@ -7,40 +7,40 @@ require 'doorkeeper/request/token'
|
|
7
7
|
|
8
8
|
module Doorkeeper
|
9
9
|
module Request
|
10
|
-
|
10
|
+
class << self
|
11
|
+
def authorization_strategy(response_type)
|
12
|
+
get_strategy(response_type, authorization_response_types)
|
13
|
+
rescue NameError
|
14
|
+
raise Errors::InvalidAuthorizationStrategy
|
15
|
+
end
|
11
16
|
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
+
def token_strategy(grant_type)
|
18
|
+
get_strategy(grant_type, token_grant_types)
|
19
|
+
rescue NameError
|
20
|
+
raise Errors::InvalidTokenStrategy
|
21
|
+
end
|
17
22
|
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
raise Errors::InvalidTokenStrategy
|
22
|
-
end
|
23
|
+
def get_strategy(grant_or_request_type, available)
|
24
|
+
raise Errors::MissingRequestStrategy if grant_or_request_type.blank?
|
25
|
+
raise NameError unless available.include?(grant_or_request_type.to_s)
|
23
26
|
|
24
|
-
|
25
|
-
|
26
|
-
fail NameError unless available.include?(grant_or_request_type.to_s)
|
27
|
-
strategy_class(grant_or_request_type)
|
28
|
-
end
|
27
|
+
build_strategy_class(grant_or_request_type)
|
28
|
+
end
|
29
29
|
|
30
|
-
|
31
|
-
Doorkeeper.configuration.authorization_response_types
|
32
|
-
end
|
33
|
-
private_class_method :authorization_response_types
|
30
|
+
private
|
34
31
|
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
32
|
+
def authorization_response_types
|
33
|
+
Doorkeeper.configuration.authorization_response_types
|
34
|
+
end
|
35
|
+
|
36
|
+
def token_grant_types
|
37
|
+
Doorkeeper.configuration.token_grant_types
|
38
|
+
end
|
39
39
|
|
40
|
-
|
41
|
-
|
42
|
-
|
40
|
+
def build_strategy_class(grant_or_request_type)
|
41
|
+
strategy_class_name = grant_or_request_type.to_s.tr(' ', '_').camelize
|
42
|
+
"Doorkeeper::Request::#{strategy_class_name}".constantize
|
43
|
+
end
|
43
44
|
end
|
44
|
-
private_class_method :strategy_class
|
45
45
|
end
|
46
46
|
end
|
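Review bot: `rescue NameError` in `authorization_strategy` and `token_strategy` also catches `NoMethodError` (a subclass), so a genuine bug raised while `build_strategy_class` constantizes and autoloads the strategy class is reported to the client as an invalid grant or response type instead of surfacing; checking the allowlist in the public method, `raise Errors::InvalidTokenStrategy unless token_grant_types.include?(grant_type.to_s)` before `get_strategy(grant_type, token_grant_types)` (and the same for the authorization side), removes the need for the broad rescue. The `available.include?(grant_or_request_type.to_s)` line is the control that keeps a request-supplied string away from `constantize`, and deserves to say so: `# Allowlist from configuration; only names listed there ever reach constantize below.` Note also that `get_strategy` stays public on the singleton while its helpers move under `private`; if it is not meant for callers, it belongs below the marker too.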
data/lib/doorkeeper/version.rb
CHANGED
@@ -1,36 +1,16 @@
|
|
1
1
|
module Doorkeeper
|
2
|
-
CVE_2018_1000211_WARNING = <<-HEREDOC.freeze
|
3
|
-
|
4
|
-
|
5
|
-
WARNING: This is a security release that addresses token revocation not working for public apps (CVE-2018-1000211)
|
6
|
-
|
7
|
-
There is no breaking change in this release, however to take advantage of the security fix you must:
|
8
|
-
|
9
|
-
1. Run `rails generate doorkeeper:add_client_confidentiality` for the migration
|
10
|
-
2. Review your OAuth apps and determine which ones exclusively use public grant flows (eg implicit)
|
11
|
-
3. Update their `confidential` column to `false` for those public apps
|
12
|
-
|
13
|
-
This is a backported security release.
|
14
|
-
|
15
|
-
For more information:
|
16
|
-
|
17
|
-
* https://github.com/doorkeeper-gem/doorkeeper/pull/1119
|
18
|
-
* https://github.com/doorkeeper-gem/doorkeeper/issues/891
|
19
|
-
|
20
|
-
|
21
|
-
HEREDOC
|
22
|
-
|
23
2
|
def self.gem_version
|
24
3
|
Gem::Version.new VERSION::STRING
|
25
4
|
end
|
26
5
|
|
27
6
|
module VERSION
|
28
7
|
# Semantic versioning
|
29
|
-
MAJOR =
|
30
|
-
MINOR =
|
31
|
-
TINY =
|
8
|
+
MAJOR = 5
|
9
|
+
MINOR = 0
|
10
|
+
TINY = 0
|
11
|
+
PRE = 'rc1'
|
32
12
|
|
33
13
|
# Full version number
|
34
|
-
STRING = [MAJOR, MINOR, TINY].compact.join('.')
|
14
|
+
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
|
35
15
|
end
|
36
16
|
end
|
data/lib/doorkeeper.rb
CHANGED
@@ -8,12 +8,14 @@ require 'doorkeeper/request'
|
|
8
8
|
require 'doorkeeper/validations'
|
9
9
|
|
10
10
|
require 'doorkeeper/oauth/authorization/code'
|
11
|
+
require 'doorkeeper/oauth/authorization/context'
|
11
12
|
require 'doorkeeper/oauth/authorization/token'
|
12
13
|
require 'doorkeeper/oauth/authorization/uri_builder'
|
13
14
|
require 'doorkeeper/oauth/helpers/scope_checker'
|
14
15
|
require 'doorkeeper/oauth/helpers/uri_checker'
|
15
16
|
require 'doorkeeper/oauth/helpers/unique_token'
|
16
17
|
|
18
|
+
require 'doorkeeper/oauth'
|
17
19
|
require 'doorkeeper/oauth/scopes'
|
18
20
|
require 'doorkeeper/oauth/error'
|
19
21
|
require 'doorkeeper/oauth/base_response'
|
@@ -49,26 +51,11 @@ require 'doorkeeper/helpers/controller'
|
|
49
51
|
require 'doorkeeper/rails/routes'
|
50
52
|
require 'doorkeeper/rails/helpers'
|
51
53
|
|
52
|
-
require 'doorkeeper/
|
54
|
+
require 'doorkeeper/rake'
|
53
55
|
|
54
|
-
require '
|
56
|
+
require 'doorkeeper/orm/active_record'
|
55
57
|
|
56
58
|
module Doorkeeper
|
57
|
-
def self.configured?
|
58
|
-
ActiveSupport::Deprecation.warn "Method `Doorkeeper#configured?` has been deprecated without replacement."
|
59
|
-
@config.present?
|
60
|
-
end
|
61
|
-
|
62
|
-
def self.database_installed?
|
63
|
-
ActiveSupport::Deprecation.warn "Method `Doorkeeper#database_installed?` has been deprecated without replacement."
|
64
|
-
[AccessToken, AccessGrant, Application].all?(&:table_exists?)
|
65
|
-
end
|
66
|
-
|
67
|
-
def self.installed?
|
68
|
-
ActiveSupport::Deprecation.warn "Method `Doorkeeper#installed?` has been deprecated without replacement."
|
69
|
-
configured? && database_installed?
|
70
|
-
end
|
71
|
-
|
72
59
|
def self.authenticate(request, methods = Doorkeeper.configuration.access_token_methods)
|
73
60
|
OAuth::Token.authenticate(request, *methods)
|
74
61
|
end
|
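Review bot: `require 'doorkeeper/rake'` and `require 'doorkeeper/orm/active_record'` are now unconditional at gem load (the removed lines are truncated in this rendering, so I cannot see what they replaced); if an application configures a different ORM, or loads the gem outside a Rake context, both files must be safe to require without ActiveRecord or Rake constants present, which this hunk cannot show. A one-line comment above each stating that expectation, e.g. `# Loaded eagerly for every app; must not touch ActiveRecord constants at require time.`, would make the constraint visible to the next editor. The removal of the deprecated `configured?`/`database_installed?`/`installed?` is clean, though `installed?` was the only public probe for "migrations ran", so NEWS should say whether a replacement exists.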
@@ -1,27 +1,32 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require 'rails/generators'
|
1
4
|
require 'rails/generators/active_record'
|
2
5
|
|
3
|
-
|
4
|
-
|
5
|
-
|
6
|
-
|
6
|
+
module Doorkeeper
|
7
|
+
class ApplicationOwnerGenerator < ::Rails::Generators::Base
|
8
|
+
include ::Rails::Generators::Migration
|
9
|
+
source_root File.expand_path('templates', __dir__)
|
10
|
+
desc 'Provide support for client application ownership.'
|
7
11
|
|
8
|
-
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
14
|
-
|
12
|
+
def application_owner
|
13
|
+
migration_template(
|
14
|
+
'add_owner_to_application_migration.rb.erb',
|
15
|
+
'db/migrate/add_owner_to_application.rb',
|
16
|
+
migration_version: migration_version
|
17
|
+
)
|
18
|
+
end
|
15
19
|
|
16
|
-
|
17
|
-
|
18
|
-
|
20
|
+
def self.next_migration_number(dirname)
|
21
|
+
ActiveRecord::Generators::Base.next_migration_number(dirname)
|
22
|
+
end
|
19
23
|
|
20
|
-
|
24
|
+
private
|
21
25
|
|
22
|
-
|
23
|
-
|
24
|
-
|
26
|
+
def migration_version
|
27
|
+
if ActiveRecord::VERSION::MAJOR >= 5
|
28
|
+
"[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
|
29
|
+
end
|
25
30
|
end
|
26
31
|
end
|
27
32
|
end
|
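Review bot: `migration_version` and `next_migration_number` are copied verbatim into this generator and into the ConfidentialApplications, Migration, Pkce and PreviousRefreshToken generator hunks of the same release, so five files now carry the same AR-version probe; a small shared module under `Doorkeeper` included by each generator would leave one place to update when the `>= 5` check needs to change. Note that `migration_version` returns nil on ActiveRecord 4, which the template presumably tolerates, but that contract is undocumented; a comment such as `# nil on AR < 5, where migrations carry no version tag` on the method would record it.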
@@ -0,0 +1,32 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require 'rails/generators'
|
4
|
+
require 'rails/generators/active_record'
|
5
|
+
|
6
|
+
module Doorkeeper
|
7
|
+
class ConfidentialApplicationsGenerator < ::Rails::Generators::Base
|
8
|
+
include ::Rails::Generators::Migration
|
9
|
+
source_root File.expand_path('templates', __dir__)
|
10
|
+
desc 'Add confidential column to Doorkeeper applications'
|
11
|
+
|
12
|
+
def pkce
|
13
|
+
migration_template(
|
14
|
+
'add_confidential_to_applications.rb.erb',
|
15
|
+
'db/migrate/add_confidential_to_applications.rb',
|
16
|
+
migration_version: migration_version
|
17
|
+
)
|
18
|
+
end
|
19
|
+
|
20
|
+
def self.next_migration_number(dirname)
|
21
|
+
ActiveRecord::Generators::Base.next_migration_number(dirname)
|
22
|
+
end
|
23
|
+
|
24
|
+
private
|
25
|
+
|
26
|
+
def migration_version
|
27
|
+
if ActiveRecord::VERSION::MAJOR >= 5
|
28
|
+
"[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
|
29
|
+
end
|
30
|
+
end
|
31
|
+
end
|
32
|
+
end
|
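Review bot: The generator action in `ConfidentialApplicationsGenerator` is named `pkce` (line 12 of the new file), evidently copied from `PkceGenerator`; Thor runs every public instance method as an action so it still generates the migration, but the name misleads anyone reading the class or its generated help. Rename it to match what it does: `def confidential_applications`.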
@@ -1,12 +1,20 @@
|
|
1
|
-
|
2
|
-
include Rails::Generators::Migration
|
3
|
-
source_root File.expand_path('../templates', __FILE__)
|
4
|
-
desc 'Installs Doorkeeper.'
|
1
|
+
# frozen_string_literal: true
|
5
2
|
|
6
|
-
|
7
|
-
|
8
|
-
|
9
|
-
|
10
|
-
|
3
|
+
require 'rails/generators'
|
4
|
+
require 'rails/generators/active_record'
|
5
|
+
|
6
|
+
module Doorkeeper
|
7
|
+
class InstallGenerator < ::Rails::Generators::Base
|
8
|
+
include ::Rails::Generators::Migration
|
9
|
+
source_root File.expand_path('templates', __dir__)
|
10
|
+
desc 'Installs Doorkeeper.'
|
11
|
+
|
12
|
+
def install
|
13
|
+
template 'initializer.rb', 'config/initializers/doorkeeper.rb'
|
14
|
+
copy_file File.expand_path('../../../config/locales/en.yml', __dir__),
|
15
|
+
'config/locales/doorkeeper.en.yml'
|
16
|
+
route 'use_doorkeeper'
|
17
|
+
readme 'README'
|
18
|
+
end
|
11
19
|
end
|
12
20
|
end
|
@@ -1,27 +1,32 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require 'rails/generators'
|
1
4
|
require 'rails/generators/active_record'
|
2
5
|
|
3
|
-
|
4
|
-
|
5
|
-
|
6
|
-
|
6
|
+
module Doorkeeper
|
7
|
+
class MigrationGenerator < ::Rails::Generators::Base
|
8
|
+
include ::Rails::Generators::Migration
|
9
|
+
source_root File.expand_path('templates', __dir__)
|
10
|
+
desc 'Installs Doorkeeper migration file.'
|
7
11
|
|
8
|
-
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
14
|
-
|
12
|
+
def install
|
13
|
+
migration_template(
|
14
|
+
'migration.rb.erb',
|
15
|
+
'db/migrate/create_doorkeeper_tables.rb',
|
16
|
+
migration_version: migration_version
|
17
|
+
)
|
18
|
+
end
|
15
19
|
|
16
|
-
|
17
|
-
|
18
|
-
|
20
|
+
def self.next_migration_number(dirname)
|
21
|
+
ActiveRecord::Generators::Base.next_migration_number(dirname)
|
22
|
+
end
|
19
23
|
|
20
|
-
|
24
|
+
private
|
21
25
|
|
22
|
-
|
23
|
-
|
24
|
-
|
26
|
+
def migration_version
|
27
|
+
if ActiveRecord::VERSION::MAJOR >= 5
|
28
|
+
"[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
|
29
|
+
end
|
25
30
|
end
|
26
31
|
end
|
27
32
|
end
|
@@ -0,0 +1,32 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require 'rails/generators'
|
4
|
+
require 'rails/generators/active_record'
|
5
|
+
|
6
|
+
module Doorkeeper
|
7
|
+
class PkceGenerator < ::Rails::Generators::Base
|
8
|
+
include ::Rails::Generators::Migration
|
9
|
+
source_root File.expand_path('templates', __dir__)
|
10
|
+
desc 'Provide support for PKCE.'
|
11
|
+
|
12
|
+
def pkce
|
13
|
+
migration_template(
|
14
|
+
'enable_pkce_migration.rb.erb',
|
15
|
+
'db/migrate/enable_pkce.rb',
|
16
|
+
migration_version: migration_version
|
17
|
+
)
|
18
|
+
end
|
19
|
+
|
20
|
+
def self.next_migration_number(dirname)
|
21
|
+
ActiveRecord::Generators::Base.next_migration_number(dirname)
|
22
|
+
end
|
23
|
+
|
24
|
+
private
|
25
|
+
|
26
|
+
def migration_version
|
27
|
+
if ActiveRecord::VERSION::MAJOR >= 5
|
28
|
+
"[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
|
29
|
+
end
|
30
|
+
end
|
31
|
+
end
|
32
|
+
end
|
@@ -1,35 +1,40 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require 'rails/generators'
|
1
4
|
require 'rails/generators/active_record'
|
2
5
|
|
3
|
-
|
4
|
-
|
5
|
-
|
6
|
-
|
6
|
+
module Doorkeeper
|
7
|
+
class PreviousRefreshTokenGenerator < ::Rails::Generators::Base
|
8
|
+
include ::Rails::Generators::Migration
|
9
|
+
source_root File.expand_path('templates', __dir__)
|
10
|
+
desc 'Support revoke refresh token on access token use'
|
7
11
|
|
8
|
-
|
9
|
-
|
10
|
-
|
12
|
+
def self.next_migration_number(path)
|
13
|
+
ActiveRecord::Generators::Base.next_migration_number(path)
|
14
|
+
end
|
11
15
|
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
16
|
+
def previous_refresh_token
|
17
|
+
if no_previous_refresh_token_column?
|
18
|
+
migration_template(
|
19
|
+
'add_previous_refresh_token_to_access_tokens.rb.erb',
|
20
|
+
'db/migrate/add_previous_refresh_token_to_access_tokens.rb'
|
21
|
+
)
|
22
|
+
end
|
18
23
|
end
|
19
|
-
end
|
20
24
|
|
21
|
-
|
25
|
+
private
|
22
26
|
|
23
|
-
|
24
|
-
|
25
|
-
|
27
|
+
def migration_version
|
28
|
+
if ActiveRecord::VERSION::MAJOR >= 5
|
29
|
+
"[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
|
30
|
+
end
|
26
31
|
end
|
27
|
-
end
|
28
32
|
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
33
|
+
def no_previous_refresh_token_column?
|
34
|
+
!ActiveRecord::Base.connection.column_exists?(
|
35
|
+
:oauth_access_tokens,
|
36
|
+
:previous_refresh_token
|
37
|
+
)
|
38
|
+
end
|
34
39
|
end
|
35
40
|
end
|
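Review bot: The `migration_template` call in `previous_refresh_token` omits `migration_version: migration_version`, unlike every sibling generator in this release, and the private `migration_version` defined further down is therefore unused; if the template references it, the generated migration will lack the `[5.x]` version tag. Add the argument after the destination path: `migration_version: migration_version`. Separately, `no_previous_refresh_token_column?` calls `ActiveRecord::Base.connection.column_exists?` against a hard-coded `:oauth_access_tokens`, so the generator needs an established connection and presumably an existing table at generation time; a comment stating that prerequisite, `# Requires a DB connection and the oauth_access_tokens table to already exist.`, would spare users a confusing failure when they run it before the install migration.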