doorkeeper 4.4.3 → 5.0.0

data/lib/doorkeeper/oauth/password_access_token_request.rb

@@ -16,6 +16,7 @@ module Doorkeeper
         @client          = client
         @parameters      = parameters
         @original_scopes = parameters[:scope]
+        @grant_type      = Doorkeeper::OAuth::PASSWORD
       end
 
       private
@@ -26,16 +27,18 @@ module Doorkeeper
       end
 
       def validate_scopes
-        return true unless @original_scopes.present?
-        ScopeChecker.valid? @original_scopes, server.scopes, client.try(:scopes)
+        client_scopes = client.try(:scopes)
+        return true if scopes.blank?
+
+        ScopeChecker.valid?(scopes.to_s, server.scopes, client_scopes)
       end
 
       def validate_resource_owner
-        !!resource_owner
+        !resource_owner.nil?
       end
 
       def validate_client
-        !parameters[:client_id] || !!client
+        !parameters[:client_id] || !client.nil?
       end
     end
   end

data/lib/doorkeeper/oauth/pre_authorization.rb

@@ -7,17 +7,21 @@ module Doorkeeper
       validate :client, error: :invalid_client
       validate :scopes, error: :invalid_scope
       validate :redirect_uri, error: :invalid_redirect_uri
+      validate :code_challenge_method, error: :invalid_code_challenge_method
 
-      attr_accessor :server, :client, :response_type, :redirect_uri, :state
+      attr_accessor :server, :client, :response_type, :redirect_uri, :state,
+                    :code_challenge, :code_challenge_method
       attr_writer   :scope
 
       def initialize(server, client, attrs = {})
-        @server        = server
-        @client        = client
-        @response_type = attrs[:response_type]
-        @redirect_uri  = attrs[:redirect_uri]
-        @scope         = attrs[:scope]
-        @state         = attrs[:state]
+        @server                = server
+        @client                = client
+        @response_type         = attrs[:response_type]
+        @redirect_uri          = attrs[:redirect_uri]
+        @scope                 = attrs[:scope]
+        @state                 = attrs[:state]
+        @code_challenge        = attrs[:code_challenge]
+        @code_challenge_method = attrs[:code_challenge_method]
       end
 
       def authorizable?
@@ -29,15 +33,36 @@ module Doorkeeper
       end
 
       def scope
-        @scope.presence || server.default_scopes.to_s
+        @scope.presence || build_scopes
       end
 
       def error_response
         OAuth::ErrorResponse.from_request(self)
       end
 
+      def as_json(_options)
+        {
+          client_id: client.uid,
+          redirect_uri: redirect_uri,
+          state: state,
+          response_type: response_type,
+          scope: scope,
+          client_name: client.name,
+          status: I18n.t('doorkeeper.pre_authorization.status')
+        }
+      end
+
       private
 
+      def build_scopes
+        client_scopes = client.application.scopes
+        if client_scopes.blank?
+          server.default_scopes.to_s
+        else
+          (server.default_scopes & client_scopes).to_s
+        end
+      end
+
       def validate_response_type
         server.authorization_response_types.include? response_type
       end
@@ -47,7 +72,8 @@ module Doorkeeper
       end
 
       def validate_scopes
-        return true unless scope.present?
+        return true if scope.blank?
+
         Helpers::ScopeChecker.valid?(
           scope,
           server.scopes,
@@ -55,14 +81,18 @@ module Doorkeeper
         )
       end
 
-      # TODO: test uri should be matched against the client's one
       def validate_redirect_uri
         return false if redirect_uri.blank?
 
         Helpers::URIChecker.valid_for_authorization?(
-          redirect_uri, client.redirect_uri
+          redirect_uri,
+          client.redirect_uri
         )
       end
+
+      def validate_code_challenge_method
+        !code_challenge.present? || (code_challenge_method.present? && code_challenge_method =~ /^plain$|^S256$/)
+      end
     end
   end
 end

data/lib/doorkeeper/oauth/refresh_token_request.rb

@@ -65,7 +65,12 @@ module Doorkeeper
       end
 
       def access_token_expires_in
-        Authorization::Token.access_token_expires_in(server, client)
+        context = Authorization::Token.build_context(
+          client,
+          Doorkeeper::OAuth::REFRESH_TOKEN,
+          scopes
+        )
+        Authorization::Token.access_token_expires_in(server, context)
       end
 
       def validate_token_presence

data/lib/doorkeeper/oauth/scopes.rb

@@ -41,7 +41,7 @@ module Doorkeeper
       end
 
       def has_scopes?(scopes)
-        scopes.all? { |s| exists?(s) }
+        scopes.all? { |scope| exists?(scope) }
       end
 
       def +(other)

data/lib/doorkeeper/oauth/token.rb

@@ -3,7 +3,7 @@ module Doorkeeper
     class Token
       class << self
         def from_request(request, *methods)
-          methods.inject(nil) do |credentials, method|
+          methods.inject(nil) do |_, method|
             method = self.method(method) if method.is_a?(Symbol)
             credentials = method.call(request)
             break credentials unless credentials.blank?
@@ -13,7 +13,10 @@ module Doorkeeper
         def authenticate(request, *methods)
           if (token = from_request(request, *methods))
             access_token = AccessToken.by_token(token)
-            access_token.revoke_previous_refresh_token! if access_token
+            refresh_token_enabled = Doorkeeper.configuration.refresh_token_enabled?
+            if access_token.present? && refresh_token_enabled
+              access_token.revoke_previous_refresh_token!
+            end
             access_token
           end
         end

data/lib/doorkeeper/oauth/token_introspection.rb

@@ -47,12 +47,12 @@ module Doorkeeper
 
       # Client Authentication
       def authorized_client
-        @_authorized_client ||= server.credentials && server.client
+        @authorized_client ||= server.credentials && server.client
       end
 
       # Bearer Token Authentication
       def authorized_token
-        @_authorized_token ||=
+        @authorized_token ||=
           OAuth::Token.authenticate(server.context.request, :from_bearer_authorization)
       end
 

data/lib/doorkeeper/oauth/token_response.rb

@@ -23,9 +23,11 @@ module Doorkeeper
       end
 
       def headers
-        { 'Cache-Control' => 'no-store',
+        {
+          'Cache-Control' => 'no-store',
           'Pragma' => 'no-cache',
-          'Content-Type' => 'application/json; charset=utf-8' }
+          'Content-Type' => 'application/json; charset=utf-8'
+        }
       end
     end
   end

data/lib/doorkeeper/oauth.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module OAuth
+    GRANT_TYPES = [
+      AUTHORIZATION_CODE = 'authorization_code'.freeze,
+      IMPLICIT = 'implicit'.freeze,
+      PASSWORD = 'password'.freeze,
+      CLIENT_CREDENTIALS = 'client_credentials'.freeze,
+      REFRESH_TOKEN = 'refresh_token'.freeze
+    ].freeze
+  end
+end

data/lib/doorkeeper/orm/active_record/application.rb

@@ -13,6 +13,8 @@ module Doorkeeper
     validates :redirect_uri, redirect_uri: true
     validates :confidential, inclusion: { in: [true, false] }
 
+    validate :scopes_match_configured, if: :enforce_scopes?
+
     before_validation :generate_uid, :generate_secret, on: :create
 
     has_many :authorized_tokens, -> { where(revoked_at: nil) }, class_name: 'AccessToken'
@@ -32,20 +34,15 @@ module Doorkeeper
       where(id: resource_access_tokens.select(:application_id).distinct)
     end
 
-    # Fallback to existing, default behaviour of assuming all apps to be
-    # confidential if the migration hasn't been run
-    def confidential
-      return super if self.class.supports_confidentiality?
-      ActiveSupport::Deprecation.warn 'You are susceptible to security bug ' \
-        'CVE-2018-1000211. Please follow instructions outlined in ' \
-        'Doorkeeper::CVE_2018_1000211_WARNING'
-      true
-    end
-
-    alias_method :confidential?, :confidential
-
-    def self.supports_confidentiality?
-      column_names.include?('confidential')
+    # Revokes AccessToken and AccessGrant records that have not been revoked and
+    # associated with the specific Application and Resource Owner.
+    #
+    # @param resource_owner [ActiveRecord::Base]
+    #   instance of the Resource Owner model
+    #
+    def self.revoke_tokens_and_grants_for(id, resource_owner)
+      AccessToken.revoke_all_for(id, resource_owner)
+      AccessGrant.revoke_all_for(id, resource_owner)
     end
 
     private
@@ -57,5 +54,16 @@ module Doorkeeper
     def generate_secret
       self.secret = UniqueToken.generate if secret.blank?
     end
+
+    def scopes_match_configured
+      if scopes.present? &&
+         !ScopeChecker.valid?(scopes.to_s, Doorkeeper.configuration.scopes)
+        errors.add(:scopes, :not_match_configured)
+      end
+    end
+
+    def enforce_scopes?
+      Doorkeeper.configuration.enforce_configured_scopes?
+    end
   end
 end

data/lib/doorkeeper/orm/active_record/stale_records_cleaner.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module Orm
+    module ActiveRecord
+      class StaleRecordsCleaner
+        def initialize(base_scope)
+          @base_scope = base_scope
+        end
+
+        def clean_revoked
+          table = @base_scope.arel_table
+          @base_scope.where.not(revoked_at: nil)
+                     .where(table[:revoked_at].lt(Time.current))
+                     .delete_all
+        end
+
+        def clean_expired(ttl)
+          table = @base_scope.arel_table
+          @base_scope.where(table[:created_at].lt(Time.current - ttl))
+                     .delete_all
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/orm/active_record.rb

@@ -1,5 +1,7 @@
 require 'active_support/lazy_load_hooks'
 
+require 'doorkeeper/orm/active_record/stale_records_cleaner'
+
 module Doorkeeper
   module Orm
     module ActiveRecord

data/lib/doorkeeper/rails/helpers.rb

@@ -4,9 +4,7 @@ module Doorkeeper
       def doorkeeper_authorize!(*scopes)
         @_doorkeeper_scopes = scopes.presence || Doorkeeper.configuration.default_scopes
 
-        unless valid_doorkeeper_token?
-          doorkeeper_render_error
-        end
+        doorkeeper_render_error unless valid_doorkeeper_token?
       end
 
       def doorkeeper_unauthorized_render_options(**); end
@@ -68,7 +66,7 @@ module Doorkeeper
       end
 
       def doorkeeper_token
-        @_doorkeeper_token ||= OAuth::Token.authenticate(
+        @doorkeeper_token ||= OAuth::Token.authenticate(
           request,
           *Doorkeeper.configuration.access_token_methods
         )

data/lib/doorkeeper/rails/routes.rb

@@ -4,6 +4,10 @@ require 'doorkeeper/rails/routes/mapper'
 module Doorkeeper
   module Rails
     class Routes # :nodoc:
+      mattr_reader :mapping do
+        {}
+      end
+
       module Helper
         def use_doorkeeper(options = {}, &block)
           Doorkeeper::Rails::Routes.new(self, &block).generate_routes!(options)
@@ -19,6 +23,10 @@ module Doorkeeper
       def initialize(routes, &block)
         @routes = routes
         @mapping = Mapper.new.map(&block)
+
+        if Doorkeeper.configuration.api_only
+          @mapping.skips.push(:applications, :authorized_applications)
+        end
       end
 
       def generate_routes!(options)
@@ -36,7 +44,11 @@ module Doorkeeper
       private
 
       def map_route(name, method)
-        send(method, @mapping[name]) unless @mapping.skipped?(name)
+        return if @mapping.skipped?(name)
+
+        send(method, @mapping[name])
+
+        mapping[name] = @mapping[name]
       end
 
       def authorization_routes(mapping)
@@ -47,7 +59,7 @@ module Doorkeeper
           as: mapping[:as],
           controller: mapping[:controllers]
         ) do
-          routes.get native_authorization_code_route, action: :show, on: :member
+          routes.get '/native', action: :show, on: :member
           routes.get '/', action: :new, on: :member
         end
       end
@@ -85,10 +97,6 @@ module Doorkeeper
       def authorized_applications_routes(mapping)
         routes.resources :authorized_applications, only: %i[index destroy], controller: mapping[:controllers]
       end
-
-      def native_authorization_code_route
-        Doorkeeper.configuration.native_authorization_code_route
-      end
     end
   end
 end

data/lib/doorkeeper/rake/db.rake

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+namespace :doorkeeper do
+  namespace :db do
+    desc 'Removes stale data from doorkeeper related database tables'
+    task cleanup: [
+      'doorkeeper:db:cleanup:revoked_tokens',
+      'doorkeeper:db:cleanup:expired_tokens',
+      'doorkeeper:db:cleanup:revoked_grants',
+      'doorkeeper:db:cleanup:expired_grants'
+    ]
+
+    namespace :cleanup do
+      desc 'Removes stale access tokens'
+      task revoked_tokens: 'doorkeeper:setup' do
+        cleaner = Doorkeeper::Orm::ActiveRecord::StaleRecordsCleaner.new(Doorkeeper::AccessToken)
+        cleaner.clean_revoked
+      end
+
+      desc 'Removes expired (TTL passed) access tokens'
+      task expired_tokens: 'doorkeeper:setup' do
+        expirable_tokens = Doorkeeper::AccessToken.where(refresh_token: nil)
+        cleaner = Doorkeeper::Orm::ActiveRecord::StaleRecordsCleaner.new(expirable_tokens)
+        cleaner.clean_expired(Doorkeeper.configuration.access_token_expires_in)
+      end
+
+      desc 'Removes stale access grants'
+      task revoked_grants: 'doorkeeper:setup' do
+        cleaner = Doorkeeper::Orm::ActiveRecord::StaleRecordsCleaner.new(Doorkeeper::AccessGrant)
+        cleaner.clean_revoked
+      end
+
+      desc 'Removes expired (TTL passed) access grants'
+      task expired_grants: 'doorkeeper:setup' do
+        cleaner = Doorkeeper::Orm::ActiveRecord::StaleRecordsCleaner.new(Doorkeeper::AccessGrant)
+        cleaner.clean_expired(Doorkeeper.configuration.authorization_code_expires_in)
+      end
+    end
+  end
+end

data/lib/doorkeeper/rake/setup.rake

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+namespace :doorkeeper do
+  task setup: :environment do
+  end
+end

data/lib/doorkeeper/rake.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module Rake
+    class << self
+      def load_tasks
+        glob = File.join(File.absolute_path(__dir__), 'rake', '*.rake')
+        Dir[glob].each do |rake_file|
+          load rake_file
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/request/authorization_code.rb

@@ -1,5 +1,3 @@
-require 'doorkeeper/request/strategy'
-
 module Doorkeeper
   module Request
     class AuthorizationCode < Strategy

data/lib/doorkeeper/request/client_credentials.rb

@@ -1,5 +1,3 @@
-require 'doorkeeper/request/strategy'
-
 module Doorkeeper
   module Request
     class ClientCredentials < Strategy

data/lib/doorkeeper/request/code.rb

@@ -1,5 +1,3 @@
-require 'doorkeeper/request/strategy'
-
 module Doorkeeper
   module Request
     class Code < Strategy

data/lib/doorkeeper/request/password.rb

@@ -1,5 +1,3 @@
-require 'doorkeeper/request/strategy'
-
 module Doorkeeper
   module Request
     class Password < Strategy

data/lib/doorkeeper/request/refresh_token.rb

@@ -1,5 +1,3 @@
-require 'doorkeeper/request/strategy'
-
 module Doorkeeper
   module Request
     class RefreshToken < Strategy

data/lib/doorkeeper/request/token.rb

@@ -1,5 +1,3 @@
-require 'doorkeeper/request/strategy'
-
 module Doorkeeper
   module Request
     class Token < Strategy

data/lib/doorkeeper/request.rb

@@ -1,46 +1,39 @@
-require 'doorkeeper/request/authorization_code'
-require 'doorkeeper/request/client_credentials'
-require 'doorkeeper/request/code'
-require 'doorkeeper/request/password'
-require 'doorkeeper/request/refresh_token'
-require 'doorkeeper/request/token'
-
 module Doorkeeper
   module Request
-    module_function
+    class << self
+      def authorization_strategy(response_type)
+        get_strategy(response_type, authorization_response_types)
+      rescue NameError
+        raise Errors::InvalidAuthorizationStrategy
+      end
 
-    def authorization_strategy(response_type)
-      get_strategy response_type, authorization_response_types
-    rescue NameError
-      raise Errors::InvalidAuthorizationStrategy
-    end
+      def token_strategy(grant_type)
+        get_strategy(grant_type, token_grant_types)
+      rescue NameError
+        raise Errors::InvalidTokenStrategy
+      end
 
-    def token_strategy(grant_type)
-      get_strategy grant_type, token_grant_types
-    rescue NameError
-      raise Errors::InvalidTokenStrategy
-    end
+      def get_strategy(grant_or_request_type, available)
+        raise Errors::MissingRequestStrategy if grant_or_request_type.blank?
+        raise NameError unless available.include?(grant_or_request_type.to_s)
 
-    def get_strategy(grant_or_request_type, available)
-      fail Errors::MissingRequestStrategy unless grant_or_request_type.present?
-      fail NameError unless available.include?(grant_or_request_type.to_s)
-      strategy_class(grant_or_request_type)
-    end
+        build_strategy_class(grant_or_request_type)
+      end
 
-    def authorization_response_types
-      Doorkeeper.configuration.authorization_response_types
-    end
-    private_class_method :authorization_response_types
+      private
 
-    def token_grant_types
-      Doorkeeper.configuration.token_grant_types
-    end
-    private_class_method :token_grant_types
+      def authorization_response_types
+        Doorkeeper.configuration.authorization_response_types
+      end
+
+      def token_grant_types
+        Doorkeeper.configuration.token_grant_types
+      end
 
-    def strategy_class(grant_or_request_type)
-      strategy_class_name = grant_or_request_type.to_s.tr(' ', '_').camelize
-      "Doorkeeper::Request::#{strategy_class_name}".constantize
+      def build_strategy_class(grant_or_request_type)
+        strategy_class_name = grant_or_request_type.to_s.tr(' ', '_').camelize
+        "Doorkeeper::Request::#{strategy_class_name}".constantize
+      end
     end
-    private_class_method :strategy_class
   end
 end

data/lib/doorkeeper/version.rb

@@ -1,36 +1,16 @@
 module Doorkeeper
-  CVE_2018_1000211_WARNING = <<-HEREDOC.freeze
-
-
-  WARNING: This is a security release that addresses token revocation not working for public apps (CVE-2018-1000211)
-
-  There is no breaking change in this release, however to take advantage of the security fix you must:
-
-    1. Run `rails generate doorkeeper:add_client_confidentiality` for the migration
-    2. Review your OAuth apps and determine which ones exclusively use public grant flows (eg implicit)
-    3. Update their `confidential` column to `false` for those public apps
-
-  This is a backported security release.
-
-  For more information:
-
-    * https://github.com/doorkeeper-gem/doorkeeper/pull/1119
-    * https://github.com/doorkeeper-gem/doorkeeper/issues/891
-
-
-HEREDOC
-
   def self.gem_version
     Gem::Version.new VERSION::STRING
   end
 
   module VERSION
     # Semantic versioning
-    MAJOR = 4
-    MINOR = 4
-    TINY = 3
+    MAJOR = 5
+    MINOR = 0
+    TINY = 0
+    PRE = nil
 
     # Full version number
-    STRING = [MAJOR, MINOR, TINY].compact.join('.')
+    STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
   end
 end