doorkeeper 4.4.3 → 5.0.0.rc1

data/lib/generators/doorkeeper/templates/add_confidential_to_applications.rb.erb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+class AddConfidentialToApplications < ActiveRecord::Migration<%= migration_version %>
+  def change
+    add_column(
+      :oauth_applications,
+      :confidential,
+      :boolean,
+      null: false,
+      default: true
+    )
+  end
+end

data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb

@@ -0,0 +1,6 @@
+class EnablePkce < ActiveRecord::Migration<%= migration_version %>
+  def change
+    add_column :oauth_access_grants, :code_challenge, :string, null: true
+    add_column :oauth_access_grants, :code_challenge_method, :string, null: true
+  end
+end

data/lib/generators/doorkeeper/templates/initializer.rb

@@ -4,56 +4,89 @@ Doorkeeper.configure do
 
   # This block will be called to check whether the resource owner is authenticated or not.
   resource_owner_authenticator do
-    fail "Please configure doorkeeper resource_owner_authenticator block located in #{__FILE__}"
+    raise "Please configure doorkeeper resource_owner_authenticator block located in #{__FILE__}"
     # Put your resource owner authentication logic here.
     # Example implementation:
     #   User.find_by_id(session[:user_id]) || redirect_to(new_user_session_url)
   end
 
-  # If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below.
+  # If you want to restrict access to the web interface for adding oauth authorized applications,
+  # you need to declare the block below.
+  #
   # admin_authenticator do
   #   # Put your admin authentication logic here.
   #   # Example implementation:
   #   Admin.find_by_id(session[:admin_id]) || redirect_to(new_admin_session_url)
   # end
 
+  # If you are planning to use Doorkeeper in Rails 5 API-only application, then you might
+  # want to use API mode that will skip all the views management and change the way how
+  # Doorkeeper responds to a requests.
+  #
+  # api_only
+
+  # Enforce token request content type to application/x-www-form-urlencoded.
+  # It is not enabled by default to not break prior versions of the gem.
+  #
+  # enforce_content_type
+
   # Authorization Code expiration time (default 10 minutes).
+  #
   # authorization_code_expires_in 10.minutes
 
   # Access token expiration time (default 2 hours).
   # If you want to disable expiration, set this to nil.
+  #
   # access_token_expires_in 2.hours
 
-  # Assign a custom TTL for implicit grants.
-  # custom_access_token_expires_in do |oauth_client|
-  #   oauth_client.application.additional_settings.implicit_oauth_expiration
+  # Assign custom TTL for access tokens. Will be used instead of access_token_expires_in
+  # option if defined. `context` has the following properties available
+  #
+  # `client` - the OAuth client application (see Doorkeeper::OAuth::Client)
+  # `grant_type` - the grant type of the request (see Doorkeeper::OAuth)
+  # `scopes` - the requested scopes (see Doorkeeper::OAuth::Scopes)
+  #
+  # custom_access_token_expires_in do |context|
+  #   context.client.application.additional_settings.implicit_oauth_expiration
   # end
 
   # Use a custom class for generating the access token.
-  # https://github.com/doorkeeper-gem/doorkeeper#custom-access-token-generator
+  # See https://github.com/doorkeeper-gem/doorkeeper#custom-access-token-generator
+  #
   # access_token_generator '::Doorkeeper::JWT'
 
   # The controller Doorkeeper::ApplicationController inherits from.
   # Defaults to ActionController::Base.
-  # https://github.com/doorkeeper-gem/doorkeeper#custom-base-controller
+  # See https://github.com/doorkeeper-gem/doorkeeper#custom-base-controller
+  #
   # base_controller 'ApplicationController'
 
   # Reuse access token for the same resource owner within an application (disabled by default)
   # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/383
+  #
   # reuse_access_token
 
   # Issue access tokens with refresh token (disabled by default)
+  #
   # use_refresh_token
 
+  # Forbids creating/updating applications with arbitrary scopes that are
+  # not in configuration, i.e. `default_scopes` or `optional_scopes`.
+  # (disabled by default)
+  #
+  # enforce_configured_scopes
+
   # Provide support for an owner to be assigned to each registered application (disabled by default)
   # Optional parameter confirmation: true (default false) if you want to enforce ownership of
   # a registered application
   # Note: you must also run the rails g doorkeeper:application_owner generator to provide the necessary support
+  #
   # enable_application_owner confirmation: false
 
   # Define access token scopes for your provider
   # For more information go to
   # https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes
+  #
   # default_scopes  :public
   # optional_scopes :write, :update
 
@@ -62,6 +95,7 @@ Doorkeeper.configure do
   # falls back to the `:client_id` and `:client_secret` params from the `params` object.
   # Check out https://github.com/doorkeeper-gem/doorkeeper/wiki/Changing-how-clients-are-authenticated
   # for more information on customization
+  #
   # client_credentials :from_basic, :from_params
 
   # Change the way access token is authenticated from the request object.
@@ -69,6 +103,7 @@ Doorkeeper.configure do
   # falls back to the `:access_token` or `:bearer_token` params from the `params` object.
   # Check out https://github.com/doorkeeper-gem/doorkeeper/wiki/Changing-how-clients-are-authenticated
   # for more information on customization
+  #
   # access_token_methods :from_bearer_authorization, :from_access_token_param, :from_bearer_param
 
   # Change the native redirect uri for client apps
@@ -90,8 +125,8 @@ Doorkeeper.configure do
   #
   # force_ssl_in_redirect_uri { |uri| uri.host != 'localhost' }
 
-  # Specify what redirect URI's you want to block during creation. Any redirect
-  # URI is whitelisted by default.
+  # Specify what redirect URI's you want to block during Application creation.
+  # Any redirect URI is whitelisted by default.
   #
   # You can use this option in order to forbid URI's with 'javascript' scheme
   # for example.
@@ -127,13 +162,29 @@ Doorkeeper.configure do
   #   puts "AFTER HOOK FIRED! #{request}, #{response}"
   # end
 
+  # Hook into Authorization flow in order to implement Single Sign Out
+  # or add ny other functionality.
+  #
+  # before_successful_authorization do |controller|
+  #   Rails.logger.info(params.inspect)
+  # end
+  #
+  # after_successful_authorization do |controller|
+  #   controller.session[:logout_urls] <<
+  #     Doorkeeper::Application
+  #       .find_by(controller.request.params.slice(:redirect_uri))
+  #       .logout_uri
+  # end
+
   # Under some circumstances you might want to have applications auto-approved,
   # so that the user skips the authorization step.
   # For example if dealing with a trusted application.
+  #
   # skip_authorization do |resource_owner, client|
   #   client.superapp? or resource_owner.admin?
   # end
 
   # WWW-Authenticate Realm (default "Doorkeeper").
+  #
   # realm "Doorkeeper"
 end

data/lib/generators/doorkeeper/views_generator.rb

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module Generators
     class ViewsGenerator < ::Rails::Generators::Base
-      source_root File.expand_path('../../../../app/views', __FILE__)
+      source_root File.expand_path('../../../app/views', __dir__)
 
       desc 'Copies default Doorkeeper views and layouts to your application.'
 

data/spec/controllers/application_metal_controller_spec.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require 'spec_helper_integration'
+
+describe Doorkeeper::ApplicationMetalController do
+  controller(Doorkeeper::ApplicationMetalController) do
+    def index
+      render json: {}, status: 200
+    end
+  end
+
+  it "lazy run hooks" do
+    i = 0
+    ActiveSupport.on_load(:doorkeeper_metal_controller) { i += 1 }
+
+    expect(i).to eq 1
+  end
+
+  describe 'enforce_content_type' do
+    before { allow(Doorkeeper.configuration).to receive(:enforce_content_type).and_return(flag) }
+
+    context 'enabled' do
+      let(:flag) { true }
+
+      it '200 for the correct media type' do
+        get :index, params: {}, as: :url_encoded_form
+        expect(response).to have_http_status 200
+      end
+
+      it 'returns a 415 for an incorrect media type' do
+        get :index, as: :json
+        expect(response).to have_http_status 415
+      end
+    end
+
+    context 'disabled' do
+      let(:flag) { false }
+
+      it 'returns a 200 for the correct media type' do
+        get :index, as: :url_encoded_form
+        expect(response).to have_http_status 200
+      end
+
+      it 'returns a 200 for an incorrect media type' do
+        get :index, as: :json
+        expect(response).to have_http_status 200
+      end
+    end
+  end
+end

data/spec/controllers/applications_controller_spec.rb

@@ -1,7 +1,99 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 
 module Doorkeeper
   describe ApplicationsController do
+    context 'JSON API' do
+      render_views
+
+      before do
+        allow(Doorkeeper.configuration).to receive(:api_only).and_return(true)
+        allow(Doorkeeper.configuration).to receive(:authenticate_admin).and_return(->(*) { true })
+      end
+
+      it 'creates an application' do
+        expect do
+          post :create, params: {
+             doorkeeper_application: {
+               name: 'Example',
+               redirect_uri: 'https://example.com'
+             }, format: :json
+           }
+        end.to change { Doorkeeper::Application.count }
+
+        expect(response).to be_successful
+
+        expect(json_response).to include('id', 'name', 'uid', 'secret', 'redirect_uri', 'scopes')
+
+        expect(json_response['name']).to eq('Example')
+        expect(json_response['redirect_uri']).to eq('https://example.com')
+      end
+
+      it 'returns validation errors on wrong create params' do
+        expect do
+          post :create, params: {
+             doorkeeper_application: {
+               name: 'Example'
+             }, format: :json
+           }
+        end.not_to change { Doorkeeper::Application.count }
+
+        expect(response).to have_http_status(422)
+
+        expect(json_response).to include('errors')
+      end
+
+      it 'returns application info' do
+        application = FactoryBot.create(:application, name: 'Change me')
+
+        get :show, params: { id: application.id, format: :json }
+
+        expect(response).to be_successful
+
+        expect(json_response).to include('id', 'name', 'uid', 'secret', 'redirect_uri', 'scopes')
+      end
+
+      it 'updates application' do
+        application = FactoryBot.create(:application, name: 'Change me')
+
+        put :update, params: {
+          id: application.id,
+          doorkeeper_application: {
+            name: 'Example App',
+            redirect_uri: 'https://example.com'
+          }, format: :json
+        }
+
+        expect(application.reload.name).to eq 'Example App'
+
+        expect(json_response).to include('id', 'name', 'uid', 'secret', 'redirect_uri', 'scopes')
+      end
+
+      it 'returns validation errors on wrong update params' do
+        application = FactoryBot.create(:application, name: 'Change me')
+
+        put :update, params: {
+          id: application.id,
+          doorkeeper_application: {
+            name: 'Example App',
+            redirect_uri: 'localhost:3000'
+          }, format: :json
+        }
+
+        expect(response).to have_http_status(422)
+
+        expect(json_response).to include('errors')
+      end
+
+      it 'destroys an application' do
+        application = FactoryBot.create(:application)
+
+        delete :destroy, params: { id: application.id, format: :json }
+
+        expect(response).to have_http_status(204)
+        expect(Application.count).to be_zero
+      end
+    end
+
     context 'when admin is not authenticated' do
       before do
         allow(Doorkeeper.configuration).to receive(:authenticate_admin).and_return(proc do
@@ -16,9 +108,13 @@ module Doorkeeper
 
       it 'does not create application' do
         expect do
-          post :create, doorkeeper_application: {
-            name: 'Example',
-            redirect_uri: 'https://example.com' }
+          post :create,
+               params: {
+                 doorkeeper_application: {
+                   name: 'Example',
+                   redirect_uri: 'https://example.com'
+                 }
+               }
         end.not_to change { Doorkeeper::Application.count }
       end
     end
@@ -34,34 +130,51 @@ module Doorkeeper
         first_application = FactoryBot.create(:application)
         second_application = FactoryBot.create(:application)
         expect(Doorkeeper::Application).to receive(:ordered_by).and_call_original
+
         get :index
+
         expect(response.body).to have_selector("tbody tr:first-child#application_#{first_application.id}")
         expect(response.body).to have_selector("tbody tr:last-child#application_#{second_application.id}")
       end
 
       it 'creates application' do
         expect do
-          post :create, doorkeeper_application: {
-            name: 'Example',
-            redirect_uri: 'https://example.com' }
+          post :create,
+               params: {
+                 doorkeeper_application: {
+                   name: 'Example',
+                   redirect_uri: 'https://example.com'
+                 }
+               }
         end.to change { Doorkeeper::Application.count }.by(1)
+
         expect(response).to be_redirect
       end
 
       it 'does not allow mass assignment of uid or secret' do
         application = FactoryBot.create(:application)
-        put :update, id: application.id, doorkeeper_application: {
-          uid: '1A2B3C4D',
-          secret: '1A2B3C4D' }
+        put :update,
+            params: {
+              id: application.id,
+              doorkeeper_application: {
+                uid: '1A2B3C4D',
+                secret: '1A2B3C4D'
+              }
+            }
 
         expect(application.reload.uid).not_to eq '1A2B3C4D'
       end
 
       it 'updates application' do
         application = FactoryBot.create(:application)
-        put :update, id: application.id, doorkeeper_application: {
-          name: 'Example',
-          redirect_uri: 'https://example.com' }
+        put :update,
+            params: {
+              id: application.id, doorkeeper_application: {
+                name: 'Example',
+                redirect_uri: 'https://example.com'
+              }
+            }
+
         expect(application.reload.name).to eq 'Example'
       end
     end