doorkeeper 4.4.3 → 5.0.0.rc1

data/spec/lib/oauth/helpers/uri_checker_spec.rb

@@ -1,15 +1,8 @@
 require 'spec_helper'
-require 'uri'
-require 'doorkeeper/oauth/helpers/uri_checker'
 
 module Doorkeeper::OAuth::Helpers
   describe URIChecker do
     describe '.valid?' do
-      it 'is valid for native uris' do
-        uri = 'urn:ietf:wg:oauth:2.0:oob'
-        expect(URIChecker.valid?(uri)).to be_truthy
-      end
-
       it 'is valid for valid uris' do
         uri = 'http://app.co'
         expect(URIChecker.valid?(uri)).to be_truthy
@@ -49,6 +42,11 @@ module Doorkeeper::OAuth::Helpers
         uri = '   '
         expect(URIChecker.valid?(uri)).to be_falsey
       end
+
+      it 'is valid for native uris' do
+        uri = 'urn:ietf:wg:oauth:2.0:oob'
+        expect(URIChecker.valid?(uri)).to be_truthy
+      end
     end
 
     describe '.matches?' do

data/spec/lib/oauth/invalid_token_response_spec.rb

@@ -1,12 +1,9 @@
 require 'spec_helper'
-require 'active_model'
-require 'doorkeeper'
-require 'doorkeeper/oauth/invalid_token_response'
 
 module Doorkeeper::OAuth
   describe InvalidTokenResponse do
     describe "#name" do
-      it  { expect(subject.name).to eq(:invalid_token) }
+      it { expect(subject.name).to eq(:invalid_token) }
     end
 
     describe "#status" do

data/spec/lib/oauth/password_access_token_request_spec.rb

@@ -1,4 +1,4 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 
 module Doorkeeper::OAuth
   describe PasswordAccessTokenRequest do
@@ -8,7 +8,9 @@ module Doorkeeper::OAuth
         default_scopes: Doorkeeper::OAuth::Scopes.new,
         access_token_expires_in: 2.hours,
         refresh_token_enabled?: false,
-        custom_access_token_expires_in: ->(_app) { nil }
+        custom_access_token_expires_in: lambda { |context|
+          context.grant_type == Doorkeeper::OAuth::PASSWORD ? 1234 : nil
+        }
       )
     end
     let(:client) { FactoryBot.create(:application) }
@@ -22,6 +24,7 @@ module Doorkeeper::OAuth
       expect do
         subject.authorize
       end.to change { client.reload.access_tokens.count }.by(1)
+      expect(client.reload.access_tokens.sort_by(&:created_at).last.expires_in).to eq(1234)
     end
 
     it 'issues a new token without a client' do
@@ -92,5 +95,37 @@ module Doorkeeper::OAuth
         expect(Doorkeeper::AccessToken.last.scopes).to include('public')
       end
     end
+
+    describe 'with custom expiry' do
+      let(:server) do
+        double(
+          :server,
+          default_scopes: Doorkeeper::OAuth::Scopes.new,
+          access_token_expires_in: 2.hours,
+          refresh_token_enabled?: false,
+          custom_access_token_expires_in: lambda { |context|
+            context.scopes.exists?('public') ? 222 : nil
+          }
+        )
+      end
+
+      it 'checks scopes' do
+        subject = PasswordAccessTokenRequest.new(server, client, owner, scope: 'public')
+        allow(server).to receive(:scopes).and_return(Doorkeeper::OAuth::Scopes.from_string('public'))
+        expect do
+          subject.authorize
+        end.to change { Doorkeeper::AccessToken.count }.by(1)
+        expect(Doorkeeper::AccessToken.last.expires_in).to eq(222)
+      end
+
+      it 'falls back to the default otherwise' do
+        subject = PasswordAccessTokenRequest.new(server, client, owner, scope: 'private')
+        allow(server).to receive(:scopes).and_return(Doorkeeper::OAuth::Scopes.from_string('private'))
+        expect do
+          subject.authorize
+        end.to change { Doorkeeper::AccessToken.count }.by(1)
+        expect(Doorkeeper::AccessToken.last.expires_in).to eq(2.hours)
+      end
+    end
   end
 end

data/spec/lib/oauth/pre_authorization_spec.rb

@@ -1,13 +1,13 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 
 module Doorkeeper::OAuth
   describe PreAuthorization do
-    let(:server) {
+    let(:server) do
       server = Doorkeeper.configuration
       allow(server).to receive(:default_scopes).and_return(Scopes.new)
       allow(server).to receive(:scopes).and_return(Scopes.from_string('public profile'))
       server
-    }
+    end
 
     let(:application) do
       application = double :application
@@ -133,11 +133,16 @@ module Doorkeeper::OAuth
       end
 
       it 'invalidates redirect_uri when it does\'n match with the client' do
-        subject.redirect_uri = native_redirect_uri
+        subject.redirect_uri = 'urn:ietf:wg:oauth:2.0:oob'
         expect(subject).not_to be_authorizable
       end
     end
 
+    it 'matches the redirect uri against client\'s one' do
+      subject.redirect_uri = 'http://nothesame.com'
+      expect(subject).not_to be_authorizable
+    end
+
     it 'stores the state' do
       expect(subject.state).to eq('save-this')
     end
@@ -156,5 +161,29 @@ module Doorkeeper::OAuth
       subject.redirect_uri = nil
       expect(subject).not_to be_authorizable
     end
+
+    describe "as_json" do
+      let(:client_id) { "client_uid_123" }
+      let(:client_name) { "Acme Co." }
+
+      before do
+        allow(client).to receive(:uid).and_return client_id
+        allow(client).to receive(:name).and_return client_name
+      end
+
+      let(:json) { subject.as_json({}) }
+
+      it { is_expected.to respond_to :as_json }
+
+      it "returns correct values" do
+        expect(json[:client_id]).to eq client_id
+        expect(json[:redirect_uri]).to eq subject.redirect_uri
+        expect(json[:state]).to eq subject.state
+        expect(json[:response_type]).to eq subject.response_type
+        expect(json[:scope]).to eq subject.scope
+        expect(json[:client_name]).to eq client_name
+        expect(json[:status]).to eq I18n.t('doorkeeper.pre_authorization.status')
+      end
+    end
   end
 end

data/spec/lib/oauth/refresh_token_request_spec.rb

@@ -1,4 +1,4 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 
 module Doorkeeper::OAuth
   describe RefreshTokenRequest do
@@ -9,7 +9,7 @@ module Doorkeeper::OAuth
     let(:server) do
       double :server,
              access_token_expires_in: 2.minutes,
-             custom_access_token_expires_in: -> (_oauth_client) { nil }
+             custom_access_token_expires_in: ->(_context) { nil }
     end
 
     let(:refresh_token) do
@@ -30,7 +30,9 @@ module Doorkeeper::OAuth
     it 'issues a new token for the client with custom expires_in' do
       server = double :server,
                       access_token_expires_in: 2.minutes,
-                      custom_access_token_expires_in: ->(_oauth_client) { 1234 }
+                      custom_access_token_expires_in: lambda { |context|
+                        context.grant_type == Doorkeeper::OAuth::REFRESH_TOKEN ? 1234 : nil
+                      }
 
       allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
 
@@ -85,7 +87,9 @@ module Doorkeeper::OAuth
       let(:server) do
         double :server,
                access_token_expires_in: 2.minutes,
-               custom_access_token_expires_in: ->(_oauth_client) { 1234 }
+               custom_access_token_expires_in: lambda { |context|
+                 context.grant_type == Doorkeeper::OAuth::REFRESH_TOKEN ? 1234 : nil
+               }
       end
 
       before do
@@ -131,13 +135,13 @@ module Doorkeeper::OAuth
 
       it 'transfers scopes from the old token to the new token' do
         subject.authorize
-        expect(Doorkeeper::AccessToken.last.scopes).to eq([:public, :write])
+        expect(Doorkeeper::AccessToken.last.scopes).to eq(%i[public write])
       end
 
       it 'reduces scopes to the provided scopes' do
         parameters[:scopes] = 'public'
         subject.authorize
-        expect(Doorkeeper::AccessToken.last.scopes).to eq([:public])
+        expect(Doorkeeper::AccessToken.last.scopes).to eq(%i[public])
       end
 
       it 'validates that scopes are included in the original access token' do
@@ -151,7 +155,7 @@ module Doorkeeper::OAuth
         parameters[:scopes] = 'public update'
         parameters[:scope] = 'public'
         subject.authorize
-        expect(Doorkeeper::AccessToken.last.scopes).to eq([:public])
+        expect(Doorkeeper::AccessToken.last.scopes).to eq(%i[public])
       end
 
       it 'uses params[:scope] in favor of scopes if present (invalid)' do

data/spec/lib/oauth/scopes_spec.rb

@@ -1,7 +1,4 @@
 require 'spec_helper'
-require 'active_support/core_ext/module/delegation'
-require 'active_support/core_ext/string'
-require 'doorkeeper/oauth/scopes'
 
 module Doorkeeper::OAuth
   describe Scopes do

data/spec/lib/oauth/token_request_spec.rb

@@ -1,10 +1,9 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 
 module Doorkeeper::OAuth
   describe TokenRequest do
     let :application do
-      scopes = double(all: ['public'])
-      double(:application, id: 9990, scopes: scopes)
+      FactoryBot.create(:application, scopes: "public")
     end
 
     let :pre_auth do
@@ -51,8 +50,8 @@ module Doorkeeper::OAuth
       before do
         Doorkeeper.configure do
           orm DOORKEEPER_ORM
-          custom_access_token_expires_in do |_oauth_client|
-            1234
+          custom_access_token_expires_in do |context|
+            context.grant_type == Doorkeeper::OAuth::IMPLICIT ? 1234 : nil
           end
         end
       end

data/spec/lib/oauth/token_response_spec.rb

@@ -1,5 +1,4 @@
 require 'spec_helper'
-require 'doorkeeper/oauth/token_response'
 
 module Doorkeeper::OAuth
   describe TokenResponse do

data/spec/lib/oauth/token_spec.rb

@@ -1,6 +1,4 @@
 require 'spec_helper'
-require 'active_support/core_ext/string'
-require 'doorkeeper/oauth/token'
 
 module Doorkeeper
   unless defined?(AccessToken)
@@ -14,7 +12,7 @@ module Doorkeeper
         let(:request) { double.as_null_object }
 
         let(:method) do
-          ->(request) { return 'token-value' }
+          ->(*) { 'token-value' }
         end
 
         it 'accepts anything that responds to #call' do
@@ -96,19 +94,44 @@ module Doorkeeper
       end
 
       describe :authenticate do
-        it 'calls the finder if token was returned' do
-          token = ->(_r) { 'token' }
-          expect(AccessToken).to receive(:by_token).with('token')
-          Token.authenticate double, token
+        context 'refresh tokens are disabled (default)' do
+          context 'refresh tokens are enabled' do
+            it 'does not revoke previous refresh_token if token was found' do
+              token = ->(_r) { 'token' }
+              expect(
+                AccessToken
+              ).to receive(:by_token).with('token').and_return(token)
+              expect(token).not_to receive(:revoke_previous_refresh_token!)
+              Token.authenticate double, token
+            end
+          end
+
+          it 'calls the finder if token was returned' do
+            token = ->(_r) { 'token' }
+            expect(AccessToken).to receive(:by_token).with('token')
+            Token.authenticate double, token
+          end
         end
 
-        it 'revokes previous refresh_token if token was found' do
-          token = ->(_r) { 'token' }
-          expect(
-            AccessToken
-          ).to receive(:by_token).with('token').and_return(token)
-          expect(token).to receive(:revoke_previous_refresh_token!)
-          Token.authenticate double, token
+        context 'refresh tokens are enabled' do
+          before do
+            Doorkeeper.configure { use_refresh_token }
+          end
+
+          it 'revokes previous refresh_token if token was found' do
+            token = ->(_r) { 'token' }
+            expect(
+              AccessToken
+            ).to receive(:by_token).with('token').and_return(token)
+            expect(token).to receive(:revoke_previous_refresh_token!)
+            Token.authenticate double, token
+          end
+
+          it 'calls the finder if token was returned' do
+            token = ->(_r) { 'token' }
+            expect(AccessToken).to receive(:by_token).with('token')
+            Token.authenticate double, token
+          end
         end
       end
     end

data/spec/lib/orm/active_record/stale_records_cleaner_spec.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Doorkeeper::Orm::ActiveRecord::StaleRecordsCleaner do
+  let(:cleaner) { described_class.new(model) }
+  let(:models_by_name) do
+    {
+      access_token: Doorkeeper::AccessToken,
+      access_grant: Doorkeeper::AccessGrant
+    }
+  end
+
+  %i[access_token access_grant].each do |model_name|
+    context "(#{model_name})" do
+      let(:model) { models_by_name.fetch(model_name) }
+
+      describe '#clean_revoked' do
+        subject { cleaner.clean_revoked }
+
+        context 'with revoked record' do
+          before do
+            FactoryBot.create model_name, revoked_at: Time.current - 1.minute
+          end
+
+          it 'removes the record' do
+            expect { subject }.to change { model.count }.to(0)
+          end
+        end
+
+        context 'with record revoked in the future' do
+          before do
+            FactoryBot.create model_name, revoked_at: Time.current + 1.minute
+          end
+
+          it 'keeps the record' do
+            expect { subject }.not_to change { model.count }
+          end
+        end
+
+        context 'with unrevoked record' do
+          before do
+            FactoryBot.create model_name, revoked_at: nil
+          end
+
+          it 'keeps the record' do
+            expect { subject }.not_to change { model.count }
+          end
+        end
+      end
+
+      describe '#clean_expired' do
+        subject { cleaner.clean_expired(ttl) }
+        let(:ttl) { 500 }
+        let(:expiry_border) { ttl.seconds.ago }
+
+        context 'with record that is expired' do
+          before do
+            FactoryBot.create model_name, created_at: expiry_border - 1.minute
+          end
+
+          it 'removes the record' do
+            expect { subject }.to change { model.count }.to(0)
+          end
+        end
+
+        context 'with record that is not expired' do
+          before do
+            FactoryBot.create model_name, created_at: expiry_border + 1.minute
+          end
+
+          it 'keeps the record' do
+            expect { subject }.not_to change { model.count }
+          end
+        end
+      end
+    end
+  end
+end

data/spec/lib/request/strategy_spec.rb

@@ -1,5 +1,4 @@
 require 'spec_helper'
-require 'doorkeeper/request/strategy'
 
 module Doorkeeper
   module Request

data/spec/lib/server_spec.rb

@@ -46,7 +46,7 @@ describe Doorkeeper::Server do
       subject.authorization_request :code
     end
 
-    it 'builds the request with composit strategy name' do
+    it 'builds the request with composite strategy name' do
       allow(Doorkeeper.configuration).
         to receive(:authorization_response_types).
         and_return(['id_token token'])

data/spec/models/doorkeeper/access_grant_spec.rb

@@ -1,4 +1,4 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 
 describe Doorkeeper::AccessGrant do
   subject { FactoryBot.build(:access_grant) }

data/spec/models/doorkeeper/access_token_spec.rb

@@ -1,4 +1,4 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 
 module Doorkeeper
   describe AccessToken do
@@ -144,7 +144,7 @@ module Doorkeeper
         end
 
         module CustomGeneratorArgs
-          def self.generate(opts = {})
+          def self.generate(_opts = {})
             raise LoadError, 'custom behaviour'
           end
         end
@@ -218,7 +218,7 @@ module Doorkeeper
       context 'with default parameters' do
 
         let(:resource_owner_id) { 100 }
-        let(:application)    { FactoryBot.create :application }
+        let(:application) { FactoryBot.create :application }
         let(:default_attributes) do
           { application: application, resource_owner_id: resource_owner_id }
         end
@@ -330,6 +330,10 @@ module Doorkeeper
         }
       end
 
+      before do
+        default_scopes_exist(*scopes.all)
+      end
+
       it 'returns only one token' do
         token = FactoryBot.create :access_token, default_attributes
         last_token = AccessToken.matching_token_for(application, resource_owner_id, scopes)
@@ -355,37 +359,45 @@ module Doorkeeper
         expect(last_token).to be_nil
       end
 
-      it 'matches the application' do
+      it "excludes tokens with a different application" do
         FactoryBot.create :access_token, default_attributes.merge(application: FactoryBot.create(:application))
         last_token = AccessToken.matching_token_for(application, resource_owner_id, scopes)
         expect(last_token).to be_nil
       end
 
-      it 'matches the resource owner' do
+      it "excludes tokens with a different resource owner" do
         FactoryBot.create :access_token, default_attributes.merge(resource_owner_id: 2)
         last_token = AccessToken.matching_token_for(application, resource_owner_id, scopes)
         expect(last_token).to be_nil
       end
 
-      it 'matches token with fewer scopes' do
+      it "excludes tokens with fewer scopes" do
         FactoryBot.create :access_token, default_attributes.merge(scopes: 'public')
         last_token = AccessToken.matching_token_for(application, resource_owner_id, scopes)
         expect(last_token).to be_nil
       end
 
-      it 'matches token with different scopes' do
+      it 'excludes tokens with different scopes' do
         FactoryBot.create :access_token, default_attributes.merge(scopes: 'public email')
         last_token = AccessToken.matching_token_for(application, resource_owner_id, scopes)
         expect(last_token).to be_nil
       end
 
-      it 'matches token with more scopes' do
+      it 'excludes tokens with additional scopes' do
         FactoryBot.create :access_token, default_attributes.merge(scopes: 'public write email')
         last_token = AccessToken.matching_token_for(application, resource_owner_id, scopes)
         expect(last_token).to be_nil
       end
 
-      it 'matches application scopes' do
+      it 'excludes tokens with scopes that are not present in server scopes' do
+        FactoryBot.create :access_token, default_attributes.merge(
+          application: application, scopes: 'public read'
+        )
+        last_token = AccessToken.matching_token_for(application, resource_owner_id, scopes)
+        expect(last_token).to be_nil
+      end
+
+      it 'excludes tokens with scopes that are not present in application scopes' do
         application = FactoryBot.create :application, scopes: "private read"
         FactoryBot.create :access_token, default_attributes.merge(
           application: application
@@ -394,25 +406,47 @@ module Doorkeeper
         expect(last_token).to be_nil
       end
 
-      it 'returns the last created token' do
+      it 'does not match token if empty scope requested and token/app scopes present' do
+        application = FactoryBot.create :application, scopes: "sample:scope"
+        app_params = {
+          application_id: application.id, scopes: "sample:scope",
+          resource_owner_id: 100
+        }
+        FactoryBot.create :access_token, app_params
+        empty_scopes = Doorkeeper::OAuth::Scopes.from_string("")
+        last_token = AccessToken.matching_token_for(application, 100, empty_scopes)
+        expect(last_token).to be_nil
+      end
+
+      it 'matches token if empty scope requested and no token scopes present' do
+        empty_scopes = Doorkeeper::OAuth::Scopes.from_string("")
+        token = FactoryBot.create :access_token, default_attributes.merge(scopes: empty_scopes)
+        last_token = AccessToken.matching_token_for(application, 100, empty_scopes)
+        expect(last_token).to eq(token)
+      end
+
+      it 'returns the last matching token' do
         FactoryBot.create :access_token, default_attributes.merge(created_at: 1.day.ago)
-        token = FactoryBot.create :access_token, default_attributes
+        matching_token = FactoryBot.create :access_token, default_attributes
+        FactoryBot.create :access_token, default_attributes.merge(scopes: 'public')
+
         last_token = AccessToken.matching_token_for(application, resource_owner_id, scopes)
-        expect(last_token).to eq(token)
+        expect(last_token).to eq(matching_token)
       end
+    end
 
-      it 'returns as_json hash' do
-        token = FactoryBot.create :access_token, default_attributes
+    describe "#as_json" do
+      it "returns as_json hash" do
+        token = FactoryBot.create :access_token
         token_hash = {
           resource_owner_id:  token.resource_owner_id,
           scopes:             token.scopes,
           expires_in_seconds: token.expires_in_seconds,
           application:        { uid: token.application.uid },
-          created_at:         token.created_at.to_i,
+          created_at:         token.created_at.to_i
         }
         expect(token.as_json).to eq token_hash
       end
     end
-
   end
 end

data/spec/models/doorkeeper/application_spec.rb

@@ -1,4 +1,4 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 
 module Doorkeeper
   describe Application do
@@ -253,51 +253,5 @@ module Doorkeeper
         it { expect(subject).to eq(false) }
       end
     end
-
-    describe :confidential do
-      subject { FactoryBot.create(:application, confidential: confidential).confidential }
-
-      context 'when application is private/confidential' do
-        let(:confidential) { true }
-        it { expect(subject).to eq(true) }
-      end
-
-      context 'when application is public/non-confidential' do
-        let(:confidential) { false }
-        it { expect(subject).to eq(false) }
-      end
-
-      context 'when the application does not support confidentiality' do
-        let(:confidential) { false }
-
-        before { allow(Application).to receive(:supports_confidentiality?).and_return(false) }
-
-        it 'warns of the CVE' do
-          expect(ActiveSupport::Deprecation).to receive(:warn).with(
-            'You are susceptible to security bug ' \
-            'CVE-2018-1000211. Please follow instructions outlined in ' \
-            'Doorkeeper::CVE_2018_1000211_WARNING'
-          )
-          Application.new.confidential
-        end
-
-        it { expect(subject).to eq(true) }
-      end
-    end
-
-    describe :supports_confidentiality? do
-      context 'when no column' do
-        it 'returns false' do
-          expect(Application).to receive(:column_names).and_return(%w[foo bar])
-          expect(Application.supports_confidentiality?).to eq(false)
-        end
-      end
-      context 'when column' do
-        it 'returns true' do
-          expect(Application).to receive(:column_names).and_return(%w[foo bar confidential])
-          expect(Application.supports_confidentiality?).to eq(true)
-        end
-      end
-    end
   end
 end