RubyGems - doorkeeper - Versions diffs - 4.4.3 → 5.0.0 - Mend

doorkeeper 4.4.3 → 5.0.0

Potentially problematic release.

This version of doorkeeper might be problematic. Click here for more details.

Files changed (181) hide show

checksums.yaml +4 -4
data/.gitignore +1 -0
data/.gitlab-ci.yml +16 -0
data/.travis.yml +2 -0
data/Appraisals +2 -2
data/Gemfile +1 -1
data/NEWS.md +61 -8
data/README.md +92 -9
data/Rakefile +6 -0
data/UPGRADE.md +2 -0
data/app/assets/stylesheets/doorkeeper/admin/application.css +2 -2
data/app/controllers/doorkeeper/application_controller.rb +4 -3
data/app/controllers/doorkeeper/application_metal_controller.rb +4 -0
data/app/controllers/doorkeeper/applications_controller.rb +42 -22
data/app/controllers/doorkeeper/authorizations_controller.rb +55 -12
data/app/controllers/doorkeeper/authorized_applications_controller.rb +19 -2
data/app/controllers/doorkeeper/tokens_controller.rb +2 -6
data/app/helpers/doorkeeper/dashboard_helper.rb +7 -7
data/app/validators/redirect_uri_validator.rb +3 -2
data/app/views/doorkeeper/applications/_delete_form.html.erb +3 -1
data/app/views/doorkeeper/applications/_form.html.erb +25 -24
data/app/views/doorkeeper/applications/edit.html.erb +1 -1
data/app/views/doorkeeper/applications/index.html.erb +17 -7
data/app/views/doorkeeper/applications/new.html.erb +1 -1
data/app/views/doorkeeper/applications/show.html.erb +6 -6
data/app/views/doorkeeper/authorizations/error.html.erb +1 -1
data/app/views/doorkeeper/authorizations/new.html.erb +4 -0
data/app/views/layouts/doorkeeper/admin.html.erb +15 -15
data/config/locales/en.yml +10 -1
data/doorkeeper.gemspec +18 -20
data/gemfiles/rails_5_2.gemfile +1 -1
data/gemfiles/rails_master.gemfile +4 -1
data/lib/doorkeeper/config.rb +75 -39
data/lib/doorkeeper/engine.rb +4 -0
data/lib/doorkeeper/errors.rb +2 -5
data/lib/doorkeeper/grape/helpers.rb +1 -1
data/lib/doorkeeper/helpers/controller.rb +7 -2
data/lib/doorkeeper/models/access_grant_mixin.rb +71 -0
data/lib/doorkeeper/models/access_token_mixin.rb +39 -22
data/lib/doorkeeper/models/concerns/scopes.rb +1 -1
data/lib/doorkeeper/oauth/authorization/code.rb +31 -8
data/lib/doorkeeper/oauth/authorization/context.rb +15 -0
data/lib/doorkeeper/oauth/authorization/token.rb +36 -14
data/lib/doorkeeper/oauth/authorization_code_request.rb +27 -2
data/lib/doorkeeper/oauth/base_request.rb +20 -9
data/lib/doorkeeper/oauth/client/credentials.rb +1 -1
data/lib/doorkeeper/oauth/client.rb +0 -2
data/lib/doorkeeper/oauth/client_credentials/creator.rb +2 -1
data/lib/doorkeeper/oauth/client_credentials/issuer.rb +6 -3
data/lib/doorkeeper/oauth/client_credentials/validation.rb +4 -6
data/lib/doorkeeper/oauth/client_credentials_request.rb +0 -4
data/lib/doorkeeper/oauth/error_response.rb +11 -3
data/lib/doorkeeper/oauth/helpers/scope_checker.rb +0 -8
data/lib/doorkeeper/oauth/password_access_token_request.rb +7 -4
data/lib/doorkeeper/oauth/pre_authorization.rb +41 -11
data/lib/doorkeeper/oauth/refresh_token_request.rb +6 -1
data/lib/doorkeeper/oauth/scopes.rb +1 -1
data/lib/doorkeeper/oauth/token.rb +5 -2
data/lib/doorkeeper/oauth/token_introspection.rb +2 -2
data/lib/doorkeeper/oauth/token_response.rb +4 -2
data/lib/doorkeeper/oauth.rb +13 -0
data/lib/doorkeeper/orm/active_record/application.rb +22 -14
data/lib/doorkeeper/orm/active_record/stale_records_cleaner.rb +26 -0
data/lib/doorkeeper/orm/active_record.rb +2 -0
data/lib/doorkeeper/rails/helpers.rb +2 -4
data/lib/doorkeeper/rails/routes.rb +14 -6
data/lib/doorkeeper/rake/db.rake +40 -0
data/lib/doorkeeper/rake/setup.rake +6 -0
data/lib/doorkeeper/rake.rb +14 -0
data/lib/doorkeeper/request/authorization_code.rb +0 -2
data/lib/doorkeeper/request/client_credentials.rb +0 -2
data/lib/doorkeeper/request/code.rb +0 -2
data/lib/doorkeeper/request/password.rb +0 -2
data/lib/doorkeeper/request/refresh_token.rb +0 -2
data/lib/doorkeeper/request/token.rb +0 -2
data/lib/doorkeeper/request.rb +28 -35
data/lib/doorkeeper/version.rb +5 -25
data/lib/doorkeeper.rb +19 -17
data/lib/generators/doorkeeper/application_owner_generator.rb +23 -18
data/lib/generators/doorkeeper/confidential_applications_generator.rb +32 -0
data/lib/generators/doorkeeper/install_generator.rb +17 -9
data/lib/generators/doorkeeper/migration_generator.rb +23 -18
data/lib/generators/doorkeeper/pkce_generator.rb +32 -0
data/lib/generators/doorkeeper/previous_refresh_token_generator.rb +29 -24
data/lib/generators/doorkeeper/templates/add_confidential_to_applications.rb.erb +13 -0
data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +6 -0
data/lib/generators/doorkeeper/templates/initializer.rb +76 -11
data/lib/generators/doorkeeper/views_generator.rb +3 -1
data/spec/controllers/application_metal_controller_spec.rb +50 -0
data/spec/controllers/applications_controller_spec.rb +126 -13
data/spec/controllers/authorizations_controller_spec.rb +277 -47
data/spec/controllers/protected_resources_controller_spec.rb +16 -16
data/spec/controllers/token_info_controller_spec.rb +4 -12
data/spec/controllers/tokens_controller_spec.rb +13 -15
data/spec/dummy/app/assets/config/manifest.js +2 -0
data/spec/dummy/config/environments/test.rb +4 -5
data/spec/dummy/config/initializers/doorkeeper.rb +10 -5
data/spec/dummy/config/initializers/new_framework_defaults.rb +4 -0
data/spec/dummy/config/routes.rb +3 -42
data/spec/dummy/db/migrate/20170822064514_enable_pkce.rb +6 -0
data/spec/dummy/db/migrate/{20180210183654_add_confidential_to_application.rb → 20180210183654_add_confidential_to_applications.rb} +1 -1
data/spec/dummy/db/schema.rb +36 -36
data/spec/generators/application_owner_generator_spec.rb +1 -1
data/spec/generators/confidential_applications_generator_spec.rb +45 -0
data/spec/generators/install_generator_spec.rb +1 -1
data/spec/generators/migration_generator_spec.rb +1 -1
data/spec/generators/pkce_generator_spec.rb +43 -0
data/spec/generators/previous_refresh_token_generator_spec.rb +1 -1
data/spec/generators/views_generator_spec.rb +1 -1
data/spec/grape/grape_integration_spec.rb +1 -1
data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +1 -1
data/spec/lib/config_spec.rb +80 -31
data/spec/lib/doorkeeper_spec.rb +1 -126
data/spec/lib/models/expirable_spec.rb +0 -3
data/spec/lib/models/revocable_spec.rb +0 -2
data/spec/lib/models/scopes_spec.rb +0 -4
data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -4
data/spec/lib/oauth/authorization_code_request_spec.rb +9 -2
data/spec/lib/oauth/base_request_spec.rb +40 -2
data/spec/lib/oauth/base_response_spec.rb +1 -1
data/spec/lib/oauth/client/credentials_spec.rb +1 -3
data/spec/lib/oauth/client_credentials/creator_spec.rb +5 -1
data/spec/lib/oauth/client_credentials/issuer_spec.rb +26 -7
data/spec/lib/oauth/client_credentials/validation_spec.rb +2 -3
data/spec/lib/oauth/client_credentials_integration_spec.rb +1 -1
data/spec/lib/oauth/client_credentials_request_spec.rb +3 -5
data/spec/lib/oauth/client_spec.rb +0 -3
data/spec/lib/oauth/code_request_spec.rb +4 -2
data/spec/lib/oauth/error_response_spec.rb +0 -3
data/spec/lib/oauth/error_spec.rb +0 -2
data/spec/lib/oauth/forbidden_token_response_spec.rb +1 -4
data/spec/lib/oauth/helpers/scope_checker_spec.rb +0 -3
data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -1
data/spec/lib/oauth/helpers/uri_checker_spec.rb +5 -7
data/spec/lib/oauth/invalid_token_response_spec.rb +1 -4
data/spec/lib/oauth/password_access_token_request_spec.rb +37 -2
data/spec/lib/oauth/pre_authorization_spec.rb +33 -4
data/spec/lib/oauth/refresh_token_request_spec.rb +11 -7
data/spec/lib/oauth/scopes_spec.rb +0 -3
data/spec/lib/oauth/token_request_spec.rb +4 -5
data/spec/lib/oauth/token_response_spec.rb +0 -1
data/spec/lib/oauth/token_spec.rb +37 -14
data/spec/lib/orm/active_record/stale_records_cleaner_spec.rb +79 -0
data/spec/lib/request/strategy_spec.rb +0 -1
data/spec/lib/server_spec.rb +1 -1
data/spec/models/doorkeeper/access_grant_spec.rb +44 -1
data/spec/models/doorkeeper/access_token_spec.rb +66 -22
data/spec/models/doorkeeper/application_spec.rb +14 -47
data/spec/requests/applications/applications_request_spec.rb +134 -1
data/spec/requests/applications/authorized_applications_spec.rb +1 -1
data/spec/requests/endpoints/authorization_spec.rb +1 -1
data/spec/requests/endpoints/token_spec.rb +7 -5
data/spec/requests/flows/authorization_code_errors_spec.rb +1 -1
data/spec/requests/flows/authorization_code_spec.rb +197 -1
data/spec/requests/flows/client_credentials_spec.rb +46 -6
data/spec/requests/flows/implicit_grant_errors_spec.rb +1 -1
data/spec/requests/flows/implicit_grant_spec.rb +38 -11
data/spec/requests/flows/password_spec.rb +56 -2
data/spec/requests/flows/refresh_token_spec.rb +2 -2
data/spec/requests/flows/revoke_token_spec.rb +11 -11
data/spec/requests/flows/skip_authorization_spec.rb +16 -11
data/spec/requests/protected_resources/metal_spec.rb +1 -1
data/spec/requests/protected_resources/private_api_spec.rb +1 -1
data/spec/routing/custom_controller_routes_spec.rb +59 -7
data/spec/routing/default_routes_spec.rb +2 -2
data/spec/routing/scoped_routes_spec.rb +16 -2
data/spec/spec_helper.rb +54 -3
data/spec/spec_helper_integration.rb +2 -74
data/spec/support/dependencies/{factory_girl.rb → factory_bot.rb} +0 -0
data/spec/support/doorkeeper_rspec.rb +19 -0
data/spec/support/helpers/authorization_request_helper.rb +4 -4
data/spec/support/helpers/request_spec_helper.rb +10 -2
data/spec/support/helpers/url_helper.rb +7 -3
data/spec/support/http_method_shim.rb +12 -16
data/spec/validators/redirect_uri_validator_spec.rb +7 -1
data/spec/version/version_spec.rb +3 -3
data/vendor/assets/stylesheets/doorkeeper/bootstrap.min.css +4 -5
metadata +37 -33
data/lib/generators/doorkeeper/add_client_confidentiality_generator.rb +0 -31
data/lib/generators/doorkeeper/templates/add_confidential_to_application_migration.rb.erb +0 -11
data/spec/controllers/application_metal_controller.rb +0 -10

data/lib/doorkeeper/errors.rb CHANGED Viewed

@@ -36,10 +36,7 @@ module Doorkeeper
       end
     end
-    class UnableToGenerateToken < DoorkeeperError
-    end
-    class TokenGeneratorNotFound < DoorkeeperError
-    end
+    UnableToGenerateToken = Class.new(DoorkeeperError)
+    TokenGeneratorNotFound = Class.new(DoorkeeperError)
   end
 end

data/lib/doorkeeper/grape/helpers.rb CHANGED Viewed

@@ -31,7 +31,7 @@ module Doorkeeper
       end
       def doorkeeper_token
-        @_doorkeeper_token ||= OAuth::Token.authenticate(
+        @doorkeeper_token ||= OAuth::Token.authenticate(
           decorated_request,
           *Doorkeeper.configuration.access_token_methods
         )

data/lib/doorkeeper/helpers/controller.rb CHANGED Viewed

@@ -30,11 +30,11 @@ module Doorkeeper
       # :doc:
       def doorkeeper_token
-        @token ||= OAuth::Token.authenticate request, *config_methods
+        @doorkeeper_token ||= OAuth::Token.authenticate request, *config_methods
       end
       def config_methods
-        @methods ||= Doorkeeper.configuration.access_token_methods
+        @config_methods ||= Doorkeeper.configuration.access_token_methods
       end
       def get_error_response_from_exception(exception)
@@ -51,6 +51,11 @@ module Doorkeeper
       def skip_authorization?
         !!instance_exec([@server.current_resource_owner, @pre_auth.client], &Doorkeeper.configuration.skip_authorization)
       end
+      def enforce_content_type
+        return if request.content_type == 'application/x-www-form-urlencoded'
+        render json: {}, status: :unsupported_media_type
+      end
     end
   end
 end

data/lib/doorkeeper/models/access_grant_mixin.rb CHANGED Viewed

@@ -9,6 +9,15 @@ module Doorkeeper
     include Models::Orderable
     include Models::Scopes
+    # never uses pkce, if pkce migrations were not generated
+    def uses_pkce?
+      pkce_supported? && code_challenge.present?
+    end
+    def pkce_supported?
+      respond_to? :code_challenge
+    end
     module ClassMethods
       # Searches for Doorkeeper::AccessGrant record with the
       # specific token value.
@@ -21,6 +30,68 @@ module Doorkeeper
       def by_token(token)
         find_by(token: token.to_s)
       end
+      # Revokes AccessGrant records that have not been revoked and associated
+      # with the specific Application and Resource Owner.
+      #
+      # @param application_id [Integer]
+      #   ID of the Application
+      # @param resource_owner [ActiveRecord::Base]
+      #   instance of the Resource Owner model
+      #
+      def revoke_all_for(application_id, resource_owner, clock = Time)
+        where(application_id: application_id,
+              resource_owner_id: resource_owner.id,
+              revoked_at: nil).
+          update_all(revoked_at: clock.now.utc)
+      end
+      # Implements PKCE code_challenge encoding without base64 padding as described in the spec.
+      # https://tools.ietf.org/html/rfc7636#appendix-A
+      #   Appendix A.  Notes on Implementing Base64url Encoding without Padding
+      #
+      #   This appendix describes how to implement a base64url-encoding
+      #   function without padding, based upon the standard base64-encoding
+      #   function that uses padding.
+      #
+      #       To be concrete, example C# code implementing these functions is shown
+      #   below.  Similar code could be used in other languages.
+      #
+      #   static string base64urlencode(byte [] arg)
+      #   {
+      #       string s = Convert.ToBase64String(arg); // Regular base64 encoder
+      #       s = s.Split('=')[0]; // Remove any trailing '='s
+      #       s = s.Replace('+', '-'); // 62nd char of encoding
+      #       s = s.Replace('/', '_'); // 63rd char of encoding
+      #       return s;
+      #   }
+      #
+      #   An example correspondence between unencoded and encoded values
+      #   follows.  The octet sequence below encodes into the string below,
+      #   which when decoded, reproduces the octet sequence.
+      #
+      #   3 236 255 224 193
+      #
+      #   A-z_4ME
+      #
+      # https://ruby-doc.org/stdlib-2.1.3/libdoc/base64/rdoc/Base64.html#method-i-urlsafe_encode64
+      #
+      # urlsafe_encode64(bin)
+      # Returns the Base64-encoded version of bin. This method complies with
+      # “Base 64 Encoding with URL and Filename Safe Alphabet” in RFC 4648.
+      # The alphabet uses '-' instead of '+' and '_' instead of '/'.
+      # @param code_verifier [#to_s] a one time use value (any object that responds to `#to_s`)
+      #
+      # @return [#to_s] An encoded code challenge based on the provided verifier suitable for PKCE validation
+      def generate_code_challenge(code_verifier)
+        padded_result = Base64.urlsafe_encode64(Digest::SHA256.digest(code_verifier))
+        padded_result.split('=')[0] # Remove any trailing '='
+      end
+      def pkce_supported?
+        new.pkce_supported?
+      end
     end
   end
 end

data/lib/doorkeeper/models/access_token_mixin.rb CHANGED Viewed

@@ -70,30 +70,34 @@ module Doorkeeper
                             else
                               resource_owner_or_id
                             end
-        token = last_authorized_token_for(application.try(:id), resource_owner_id)
-        if token && scopes_match?(token.scopes, scopes, application.try(:scopes))
-          token
+        tokens = authorized_tokens_for(application.try(:id), resource_owner_id)
+        tokens.detect do |token|
+          scopes_match?(token.scopes, scopes, application.try(:scopes))
         end
       end
-      # Checks whether the token scopes match the scopes from the parameters or
-      # Application scopes (if present).
+      # Checks whether the token scopes match the scopes from the parameters
       #
       # @param token_scopes [#to_s]
       #   set of scopes (any object that responds to `#to_s`)
-      # @param param_scopes [String]
+      # @param param_scopes [Doorkeeper::OAuth::Scopes]
       #   scopes from params
-      # @param app_scopes [String]
+      # @param app_scopes [Doorkeeper::OAuth::Scopes]
       #   Application scopes
       #
-      # @return [Boolean] true if all scopes are blank or matches
+      # @return [Boolean] true if the param scopes match the token scopes,
+      #   and all the param scopes are defined in the application (or in the
+      #   server configuration if the application doesn't define any scopes),
       #   and false in other cases
       #
       def scopes_match?(token_scopes, param_scopes, app_scopes)
-        (!token_scopes.present? && !param_scopes.present?) ||
-          Doorkeeper::OAuth::Helpers::ScopeChecker.match?(
-            token_scopes.to_s,
-            param_scopes,
+        return true if token_scopes.empty? && param_scopes.empty?
+        (token_scopes.sort == param_scopes.sort) &&
+          Doorkeeper::OAuth::Helpers::ScopeChecker.valid?(
+            param_scopes.to_s,
+            Doorkeeper.configuration.scopes,
             app_scopes
           )
       end
@@ -118,9 +122,8 @@ module Doorkeeper
       def find_or_create_for(application, resource_owner_id, scopes, expires_in, use_refresh_token)
         if Doorkeeper.configuration.reuse_access_token
           access_token = matching_token_for(application, resource_owner_id, scopes)
-          if access_token && !access_token.expired?
-            return access_token
-          end
+          return access_token if access_token && !access_token.expired?
         end
         create!(
@@ -132,7 +135,7 @@ module Doorkeeper
         )
       end
-      # Looking for not revoked Access Token record that belongs to specific
+      # Looking for not revoked Access Token records that belongs to specific
       # Application and Resource Owner.
       #
       # @param application_id [Integer]
@@ -140,14 +143,28 @@ module Doorkeeper
       # @param resource_owner_id [Integer]
       #   ID of the Resource Owner model instance
       #
+      # @return [Doorkeeper::AccessToken] array of matching AccessToken objects
+      #
+      def authorized_tokens_for(application_id, resource_owner_id)
+        ordered_by(:created_at, :desc)
+          .where(application_id: application_id,
+                 resource_owner_id: resource_owner_id,
+                 revoked_at: nil)
+      end
+      # Convenience method for backwards-compatibility, return the last
+      # matching token for the given Application and Resource Owner.
+      #
+      # @param application_id [Integer]
+      #   ID of the Application model instance
+      # @param resource_owner_id [Integer]
+      #   ID of the Resource Owner model instance
+      #
       # @return [Doorkeeper::AccessToken, nil] matching AccessToken object or
       #   nil if nothing was found
       #
       def last_authorized_token_for(application_id, resource_owner_id)
-        ordered_by(:created_at, :desc).
-          find_by(application_id: application_id,
-                  resource_owner_id: resource_owner_id,
-                  revoked_at: nil)
+        authorized_tokens_for(application_id, resource_owner_id).first
       end
     end
@@ -170,8 +187,8 @@ module Doorkeeper
     def as_json(_options = {})
       {
         resource_owner_id:  resource_owner_id,
-        scopes:             scopes,
-        expires_in_seconds: expires_in_seconds,
+        scope:              scopes,
+        expires_in:         expires_in_seconds,
         application:        { uid: application.try(:uid) },
         created_at:         created_at.to_i
       }

data/lib/doorkeeper/models/concerns/scopes.rb CHANGED Viewed

@@ -10,7 +10,7 @@ module Doorkeeper
       end
       def includes_scope?(*required_scopes)
-        required_scopes.blank? || required_scopes.any? { |s| scopes.exists?(s.to_s) }
+        required_scopes.blank? || required_scopes.any? { |scope| scopes.exists?(scope.to_s) }
       end
     end
   end

data/lib/doorkeeper/oauth/authorization/code.rb CHANGED Viewed

@@ -5,18 +5,12 @@ module Doorkeeper
         attr_accessor :pre_auth, :resource_owner, :token
         def initialize(pre_auth, resource_owner)
-          @pre_auth       = pre_auth
+          @pre_auth = pre_auth
           @resource_owner = resource_owner
         end
         def issue_token
-          @token ||= AccessGrant.create!(
-            application_id: pre_auth.client.id,
-            resource_owner_id: resource_owner.id,
-            expires_in: configuration.authorization_code_expires_in,
-            redirect_uri: pre_auth.redirect_uri,
-            scopes: pre_auth.scopes.to_s
-          )
+          @token ||= AccessGrant.create! access_grant_attributes
         end
         def native_redirect
@@ -26,6 +20,35 @@ module Doorkeeper
         def configuration
           Doorkeeper.configuration
         end
+        private
+        def authorization_code_expires_in
+          configuration.authorization_code_expires_in
+        end
+        def access_grant_attributes
+          pkce_attributes.merge application_id: pre_auth.client.id,
+                                resource_owner_id: resource_owner.id,
+                                expires_in: authorization_code_expires_in,
+                                redirect_uri: pre_auth.redirect_uri,
+                                scopes: pre_auth.scopes.to_s
+        end
+        def pkce_attributes
+          return {} unless pkce_supported?
+          {
+            code_challenge: pre_auth.code_challenge,
+            code_challenge_method: pre_auth.code_challenge_method
+          }
+        end
+        # ensures firstly, if migration with additional pcke columns was
+        # generated and migrated
+        def pkce_supported?
+          Doorkeeper::AccessGrant.pkce_supported?
+        end
       end
     end
   end

data/lib/doorkeeper/oauth/authorization/context.rb ADDED Viewed

@@ -0,0 +1,15 @@
+module Doorkeeper
+  module OAuth
+    module Authorization
+      class Context
+        attr_reader :client, :grant_type, :scopes
+        def initialize(client, grant_type, scopes)
+          @client     = client
+          @grant_type = grant_type
+          @scopes     = scopes
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/oauth/authorization/token.rb CHANGED Viewed

@@ -5,24 +5,34 @@ module Doorkeeper
         attr_accessor :pre_auth, :resource_owner, :token
         class << self
-          def access_token_expires_in(server, pre_auth_or_oauth_client)
-            if (expiration = custom_expiration(server, pre_auth_or_oauth_client))
-              expiration
-            else
-              server.access_token_expires_in
-            end
-          end
-          private
-          def custom_expiration(server, pre_auth_or_oauth_client)
+          def build_context(pre_auth_or_oauth_client, grant_type, scopes)
             oauth_client = if pre_auth_or_oauth_client.respond_to?(:client)
                              pre_auth_or_oauth_client.client
                            else
                              pre_auth_or_oauth_client
                            end
-            server.custom_access_token_expires_in.call(oauth_client)
+            Doorkeeper::OAuth::Authorization::Context.new(
+              oauth_client,
+              grant_type,
+              scopes
+            )
+          end
+          def access_token_expires_in(server, context)
+            if (expiration = server.custom_access_token_expires_in.call(context))
+              expiration
+            else
+              server.access_token_expires_in
+            end
+          end
+          def refresh_token_enabled?(server, context)
+            if server.refresh_token_enabled?.respond_to? :call
+              server.refresh_token_enabled?.call(context)
+            else
+              !!server.refresh_token_enabled?
+            end
           end
         end
@@ -32,18 +42,23 @@ module Doorkeeper
         end
         def issue_token
+          context = self.class.build_context(
+            pre_auth.client,
+            Doorkeeper::OAuth::IMPLICIT,
+            pre_auth.scopes
+          )
           @token ||= AccessToken.find_or_create_for(
             pre_auth.client,
             resource_owner.id,
             pre_auth.scopes,
-            self.class.access_token_expires_in(configuration, pre_auth),
+            self.class.access_token_expires_in(configuration, context),
             false
           )
         end
         def native_redirect
           {
-            controller: 'doorkeeper/token_info',
+            controller: controller,
             action: :show,
             access_token: token.token
           }
@@ -54,6 +69,13 @@ module Doorkeeper
         def configuration
           Doorkeeper.configuration
         end
+        def controller
+          @controller ||= begin
+            mapping = Doorkeeper::Rails::Routes.mapping[:token_info] || {}
+            mapping[:controllers] || 'doorkeeper/token_info'
+          end
+        end
       end
     end
   end

data/lib/doorkeeper/oauth/authorization_code_request.rb CHANGED Viewed

@@ -6,18 +6,26 @@ module Doorkeeper
       validate :grant,        error: :invalid_grant
       # @see https://tools.ietf.org/html/rfc6749#section-5.2
       validate :redirect_uri, error: :invalid_grant
+      validate :code_verifier, error: :invalid_grant
-      attr_accessor :server, :grant, :client, :redirect_uri, :access_token
+      attr_accessor :server, :grant, :client, :redirect_uri, :access_token,
+                    :code_verifier
       def initialize(server, grant, client, parameters = {})
         @server = server
         @client = client
         @grant  = grant
+        @grant_type = Doorkeeper::OAuth::AUTHORIZATION_CODE
         @redirect_uri = parameters[:redirect_uri]
+        @code_verifier = parameters[:code_verifier]
       end
       private
+      def client_by_uid(parameters)
+        Doorkeeper::Application.by_uid(parameters[:client_id])
+      end
       def before_successful_response
         grant.transaction do
           grant.lock!
@@ -33,11 +41,13 @@ module Doorkeeper
       end
       def validate_attributes
+        return false if grant && grant.uses_pkce? && code_verifier.blank?
+        return false if grant && !grant.pkce_supported? && !code_verifier.blank?
         redirect_uri.present?
       end
       def validate_client
-        !!client
+        !client.nil?
       end
       def validate_grant
@@ -51,6 +61,21 @@ module Doorkeeper
           grant.redirect_uri
         )
       end
+      # if either side (server or client) request pkce, check the verifier
+      # against the DB - if pkce is supported
+      def validate_code_verifier
+        return true unless grant.uses_pkce? || code_verifier
+        return false unless grant.pkce_supported?
+        if grant.code_challenge_method == 'S256'
+          grant.code_challenge == AccessGrant.generate_code_challenge(code_verifier)
+        elsif grant.code_challenge_method == 'plain'
+          grant.code_challenge == code_verifier
+        else
+          false
+        end
+      end
     end
   end
 end

data/lib/doorkeeper/oauth/base_request.rb CHANGED Viewed

@@ -3,6 +3,8 @@ module Doorkeeper
     class BaseRequest
       include Validations
+      attr_reader :grant_type
       def authorize
         validate
@@ -17,11 +19,7 @@ module Doorkeeper
       end
       def scopes
-        @scopes ||= if @original_scopes.present?
-                      OAuth::Scopes.from_string(@original_scopes)
-                    else
-                      default_scopes
-                    end
+        @scopes ||= build_scopes
       end
       def default_scopes
@@ -33,12 +31,13 @@ module Doorkeeper
       end
       def find_or_create_access_token(client, resource_owner_id, scopes, server)
+        context = Authorization::Token.build_context(client, grant_type, scopes)
         @access_token = AccessToken.find_or_create_for(
           client,
           resource_owner_id,
           scopes,
-          Authorization::Token.access_token_expires_in(server, client),
-          server.refresh_token_enabled?
+          Authorization::Token.access_token_expires_in(server, context),
+          Authorization::Token.refresh_token_enabled?(server, context)
         )
       end
@@ -47,8 +46,20 @@ module Doorkeeper
       end
       def after_successful_response
-        Doorkeeper.configuration.after_successful_strategy_response.
-          call(self, @response)
+        Doorkeeper.configuration.after_successful_strategy_response.call(self, @response)
+      end
+      private
+      def build_scopes
+        if @original_scopes.present?
+          OAuth::Scopes.from_string(@original_scopes)
+        else
+          client_scopes = @client.try(:scopes)
+          return default_scopes if client_scopes.blank?
+          default_scopes & @client.scopes
+        end
       end
     end
   end

data/lib/doorkeeper/oauth/client/credentials.rb CHANGED Viewed

@@ -4,7 +4,7 @@ module Doorkeeper
       Credentials = Struct.new(:uid, :secret) do
         class << self
           def from_request(request, *credentials_methods)
-            credentials_methods.inject(nil) do |credentials, method|
+            credentials_methods.inject(nil) do |_, method|
               method = self.method(method) if method.is_a?(Symbol)
               credentials = Credentials.new(*method.call(request))
               break credentials unless credentials.blank?

data/lib/doorkeeper/oauth/client.rb CHANGED Viewed

@@ -1,5 +1,3 @@
-require 'doorkeeper/oauth/client/credentials'
 module Doorkeeper
   module OAuth
     class Client

data/lib/doorkeeper/oauth/client_credentials/creator.rb CHANGED Viewed

@@ -5,7 +5,8 @@ module Doorkeeper
         def call(client, scopes, attributes = {})
           AccessToken.find_or_create_for(
             client, nil, scopes, attributes[:expires_in],
-            attributes[:use_refresh_token])
+            attributes[:use_refresh_token]
+          )
         end
       end
     end

data/lib/doorkeeper/oauth/client_credentials/issuer.rb CHANGED Viewed

@@ -1,5 +1,3 @@
-require 'doorkeeper/oauth/client_credentials/validation'
 module Doorkeeper
   module OAuth
     class ClientCredentialsRequest < BaseRequest
@@ -25,7 +23,12 @@ module Doorkeeper
         private
         def create_token(client, scopes, creator)
-          ttl = Authorization::Token.access_token_expires_in(@server, client)
+          context = Authorization::Token.build_context(
+            client,
+            Doorkeeper::OAuth::CLIENT_CREDENTIALS,
+            scopes
+          )
+          ttl = Authorization::Token.access_token_expires_in(@server, context)
           creator.call(
             client,

data/lib/doorkeeper/oauth/client_credentials/validation.rb CHANGED Viewed

@@ -1,7 +1,3 @@
-require 'doorkeeper/validations'
-require 'doorkeeper/oauth/scopes'
-require 'doorkeeper/oauth/helpers/scope_checker'
 module Doorkeeper
   module OAuth
     class ClientCredentialsRequest < BaseRequest
@@ -13,7 +9,9 @@ module Doorkeeper
         validate :scopes, error: :invalid_scope
         def initialize(server, request)
-          @server, @request, @client = server, request, request.client
+          @server = server
+          @request = request
+          @client = request.client
           validate
         end
@@ -25,7 +23,7 @@ module Doorkeeper
         end
         def validate_scopes
-          return true unless @request.scopes.present?
+          return true if @request.scopes.blank?
           application_scopes = if @client.present?
                                  @client.application.scopes

data/lib/doorkeeper/oauth/client_credentials_request.rb CHANGED Viewed

@@ -1,7 +1,3 @@
-require 'doorkeeper/oauth/client_credentials/creator'
-require 'doorkeeper/oauth/client_credentials/issuer'
-require 'doorkeeper/oauth/client_credentials/validation'
 module Doorkeeper
   module OAuth
     class ClientCredentialsRequest < BaseRequest

data/lib/doorkeeper/oauth/error_response.rb CHANGED Viewed

@@ -4,7 +4,13 @@ module Doorkeeper
       include OAuth::Helpers
       def self.from_request(request, attributes = {})
-        new(attributes.merge(name: request.error, state: request.try(:state)))
+        new(
+          attributes.merge(
+            name: request.error,
+            state: request.try(:state),
+            redirect_uri: request.try(:redirect_uri)
+          )
+        )
       end
       delegate :name, :description, :state, to: :@error
@@ -41,10 +47,12 @@ module Doorkeeper
       end
       def headers
-        { 'Cache-Control' => 'no-store',
+        {
+          'Cache-Control' => 'no-store',
           'Pragma' => 'no-cache',
           'Content-Type' => 'application/json; charset=utf-8',
-          'WWW-Authenticate' => authenticate_info }
+          'WWW-Authenticate' => authenticate_info
+        }
       end
       protected

data/lib/doorkeeper/oauth/helpers/scope_checker.rb CHANGED Viewed

@@ -17,10 +17,6 @@ module Doorkeeper
               @valid_scopes.has_scopes?(parsed_scopes)
           end
-          def match?
-            valid? && parsed_scopes.has_scopes?(@valid_scopes)
-          end
           private
           def valid_scopes(server_scopes, application_scopes)
@@ -35,10 +31,6 @@ module Doorkeeper
         def self.valid?(scope_str, server_scopes, application_scopes = nil)
           Validator.new(scope_str, server_scopes, application_scopes).valid?
         end
-        def self.match?(scope_str, server_scopes, application_scopes = nil)
-          Validator.new(scope_str, server_scopes, application_scopes).match?
-        end
       end
     end
   end