doorkeeper 4.4.3 → 5.0.0

data/lib/doorkeeper.rb

@@ -2,18 +2,28 @@ require 'doorkeeper/version'
 require 'doorkeeper/engine'
 require 'doorkeeper/config'
 
+require 'doorkeeper/request/strategy'
+require 'doorkeeper/request/authorization_code'
+require 'doorkeeper/request/client_credentials'
+require 'doorkeeper/request/code'
+require 'doorkeeper/request/password'
+require 'doorkeeper/request/refresh_token'
+require 'doorkeeper/request/token'
+
 require 'doorkeeper/errors'
 require 'doorkeeper/server'
 require 'doorkeeper/request'
 require 'doorkeeper/validations'
 
 require 'doorkeeper/oauth/authorization/code'
+require 'doorkeeper/oauth/authorization/context'
 require 'doorkeeper/oauth/authorization/token'
 require 'doorkeeper/oauth/authorization/uri_builder'
 require 'doorkeeper/oauth/helpers/scope_checker'
 require 'doorkeeper/oauth/helpers/uri_checker'
 require 'doorkeeper/oauth/helpers/unique_token'
 
+require 'doorkeeper/oauth'
 require 'doorkeeper/oauth/scopes'
 require 'doorkeeper/oauth/error'
 require 'doorkeeper/oauth/base_response'
@@ -25,6 +35,13 @@ require 'doorkeeper/oauth/base_request'
 require 'doorkeeper/oauth/authorization_code_request'
 require 'doorkeeper/oauth/refresh_token_request'
 require 'doorkeeper/oauth/password_access_token_request'
+
+require 'doorkeeper/oauth/client_credentials/validation'
+require 'doorkeeper/oauth/client_credentials/creator'
+require 'doorkeeper/oauth/client_credentials/issuer'
+require 'doorkeeper/oauth/client_credentials/validation'
+require 'doorkeeper/oauth/client/credentials'
+
 require 'doorkeeper/oauth/client_credentials_request'
 require 'doorkeeper/oauth/code_request'
 require 'doorkeeper/oauth/token_request'
@@ -49,26 +66,11 @@ require 'doorkeeper/helpers/controller'
 require 'doorkeeper/rails/routes'
 require 'doorkeeper/rails/helpers'
 
-require 'doorkeeper/orm/active_record'
+require 'doorkeeper/rake'
 
-require 'active_support/deprecation'
+require 'doorkeeper/orm/active_record'
 
 module Doorkeeper
-  def self.configured?
-    ActiveSupport::Deprecation.warn "Method `Doorkeeper#configured?` has been deprecated without replacement."
-    @config.present?
-  end
-
-  def self.database_installed?
-    ActiveSupport::Deprecation.warn "Method `Doorkeeper#database_installed?` has been deprecated without replacement."
-    [AccessToken, AccessGrant, Application].all?(&:table_exists?)
-  end
-
-  def self.installed?
-    ActiveSupport::Deprecation.warn "Method `Doorkeeper#installed?` has been deprecated without replacement."
-    configured? && database_installed?
-  end
-
   def self.authenticate(request, methods = Doorkeeper.configuration.access_token_methods)
     OAuth::Token.authenticate(request, *methods)
   end

data/lib/generators/doorkeeper/application_owner_generator.rb

@@ -1,27 +1,32 @@
+# frozen_string_literal: true
+
+require 'rails/generators'
 require 'rails/generators/active_record'
 
-class Doorkeeper::ApplicationOwnerGenerator < Rails::Generators::Base
-  include Rails::Generators::Migration
-  source_root File.expand_path('../templates', __FILE__)
-  desc 'Provide support for client application ownership.'
+module Doorkeeper
+  class ApplicationOwnerGenerator < ::Rails::Generators::Base
+    include ::Rails::Generators::Migration
+    source_root File.expand_path('templates', __dir__)
+    desc 'Provide support for client application ownership.'
 
-  def application_owner
-    migration_template(
-      'add_owner_to_application_migration.rb.erb',
-      'db/migrate/add_owner_to_application.rb',
-      migration_version: migration_version
-    )
-  end
+    def application_owner
+      migration_template(
+        'add_owner_to_application_migration.rb.erb',
+        'db/migrate/add_owner_to_application.rb',
+        migration_version: migration_version
+      )
+    end
 
-  def self.next_migration_number(dirname)
-    ActiveRecord::Generators::Base.next_migration_number(dirname)
-  end
+    def self.next_migration_number(dirname)
+      ActiveRecord::Generators::Base.next_migration_number(dirname)
+    end
 
-  private
+    private
 
-  def migration_version
-    if ActiveRecord::VERSION::MAJOR >= 5
-      "[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
+    def migration_version
+      if ActiveRecord::VERSION::MAJOR >= 5
+        "[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
+      end
     end
   end
 end

data/lib/generators/doorkeeper/confidential_applications_generator.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require 'rails/generators'
+require 'rails/generators/active_record'
+
+module Doorkeeper
+  class ConfidentialApplicationsGenerator < ::Rails::Generators::Base
+    include ::Rails::Generators::Migration
+    source_root File.expand_path('templates', __dir__)
+    desc 'Add confidential column to Doorkeeper applications'
+
+    def pkce
+      migration_template(
+        'add_confidential_to_applications.rb.erb',
+        'db/migrate/add_confidential_to_applications.rb',
+        migration_version: migration_version
+      )
+    end
+
+    def self.next_migration_number(dirname)
+      ActiveRecord::Generators::Base.next_migration_number(dirname)
+    end
+
+    private
+
+    def migration_version
+      if ActiveRecord::VERSION::MAJOR >= 5
+        "[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
+      end
+    end
+  end
+end

data/lib/generators/doorkeeper/install_generator.rb

@@ -1,12 +1,20 @@
-class Doorkeeper::InstallGenerator < ::Rails::Generators::Base
-  include Rails::Generators::Migration
-  source_root File.expand_path('../templates', __FILE__)
-  desc 'Installs Doorkeeper.'
+# frozen_string_literal: true
 
-  def install
-    template 'initializer.rb', 'config/initializers/doorkeeper.rb'
-    copy_file File.expand_path('../../../../config/locales/en.yml', __FILE__), 'config/locales/doorkeeper.en.yml'
-    route 'use_doorkeeper'
-    readme 'README'
+require 'rails/generators'
+require 'rails/generators/active_record'
+
+module Doorkeeper
+  class InstallGenerator < ::Rails::Generators::Base
+    include ::Rails::Generators::Migration
+    source_root File.expand_path('templates', __dir__)
+    desc 'Installs Doorkeeper.'
+
+    def install
+      template 'initializer.rb', 'config/initializers/doorkeeper.rb'
+      copy_file File.expand_path('../../../config/locales/en.yml', __dir__),
+                'config/locales/doorkeeper.en.yml'
+      route 'use_doorkeeper'
+      readme 'README'
+    end
   end
 end

data/lib/generators/doorkeeper/migration_generator.rb

@@ -1,27 +1,32 @@
+# frozen_string_literal: true
+
+require 'rails/generators'
 require 'rails/generators/active_record'
 
-class Doorkeeper::MigrationGenerator < ::Rails::Generators::Base
-  include Rails::Generators::Migration
-  source_root File.expand_path('../templates', __FILE__)
-  desc 'Installs Doorkeeper migration file.'
+module Doorkeeper
+  class MigrationGenerator < ::Rails::Generators::Base
+    include ::Rails::Generators::Migration
+    source_root File.expand_path('templates', __dir__)
+    desc 'Installs Doorkeeper migration file.'
 
-  def install
-    migration_template(
-      'migration.rb.erb',
-      'db/migrate/create_doorkeeper_tables.rb',
-      migration_version: migration_version
-    )
-  end
+    def install
+      migration_template(
+        'migration.rb.erb',
+        'db/migrate/create_doorkeeper_tables.rb',
+        migration_version: migration_version
+      )
+    end
 
-  def self.next_migration_number(dirname)
-    ActiveRecord::Generators::Base.next_migration_number(dirname)
-  end
+    def self.next_migration_number(dirname)
+      ActiveRecord::Generators::Base.next_migration_number(dirname)
+    end
 
-  private
+    private
 
-  def migration_version
-    if ActiveRecord::VERSION::MAJOR >= 5
-      "[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
+    def migration_version
+      if ActiveRecord::VERSION::MAJOR >= 5
+        "[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
+      end
     end
   end
 end

data/lib/generators/doorkeeper/pkce_generator.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require 'rails/generators'
+require 'rails/generators/active_record'
+
+module Doorkeeper
+  class PkceGenerator < ::Rails::Generators::Base
+    include ::Rails::Generators::Migration
+    source_root File.expand_path('templates', __dir__)
+    desc 'Provide support for PKCE.'
+
+    def pkce
+      migration_template(
+        'enable_pkce_migration.rb.erb',
+        'db/migrate/enable_pkce.rb',
+        migration_version: migration_version
+      )
+    end
+
+    def self.next_migration_number(dirname)
+      ActiveRecord::Generators::Base.next_migration_number(dirname)
+    end
+
+    private
+
+    def migration_version
+      if ActiveRecord::VERSION::MAJOR >= 5
+        "[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
+      end
+    end
+  end
+end

data/lib/generators/doorkeeper/previous_refresh_token_generator.rb

@@ -1,35 +1,40 @@
+# frozen_string_literal: true
+
+require 'rails/generators'
 require 'rails/generators/active_record'
 
-class Doorkeeper::PreviousRefreshTokenGenerator < Rails::Generators::Base
-  include Rails::Generators::Migration
-  source_root File.expand_path('../templates', __FILE__)
-  desc 'Support revoke refresh token on access token use'
+module Doorkeeper
+  class PreviousRefreshTokenGenerator < ::Rails::Generators::Base
+    include ::Rails::Generators::Migration
+    source_root File.expand_path('templates', __dir__)
+    desc 'Support revoke refresh token on access token use'
 
-  def self.next_migration_number(path)
-    ActiveRecord::Generators::Base.next_migration_number(path)
-  end
+    def self.next_migration_number(path)
+      ActiveRecord::Generators::Base.next_migration_number(path)
+    end
 
-  def previous_refresh_token
-    if no_previous_refresh_token_column?
-      migration_template(
-        'add_previous_refresh_token_to_access_tokens.rb.erb',
-        'db/migrate/add_previous_refresh_token_to_access_tokens.rb'
-      )
+    def previous_refresh_token
+      if no_previous_refresh_token_column?
+        migration_template(
+          'add_previous_refresh_token_to_access_tokens.rb.erb',
+          'db/migrate/add_previous_refresh_token_to_access_tokens.rb'
+        )
+      end
     end
-  end
 
-  private
+    private
 
-  def migration_version
-    if ActiveRecord::VERSION::MAJOR >= 5
-      "[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
+    def migration_version
+      if ActiveRecord::VERSION::MAJOR >= 5
+        "[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
+      end
     end
-  end
 
-  def no_previous_refresh_token_column?
-    !ActiveRecord::Base.connection.column_exists?(
-      :oauth_access_tokens,
-      :previous_refresh_token
-    )
+    def no_previous_refresh_token_column?
+      !ActiveRecord::Base.connection.column_exists?(
+        :oauth_access_tokens,
+        :previous_refresh_token
+      )
+    end
   end
 end

data/lib/generators/doorkeeper/templates/add_confidential_to_applications.rb.erb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+class AddConfidentialToApplications < ActiveRecord::Migration<%= migration_version %>
+  def change
+    add_column(
+      :oauth_applications,
+      :confidential,
+      :boolean,
+      null: false,
+      default: true
+    )
+  end
+end

data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb

@@ -0,0 +1,6 @@
+class EnablePkce < ActiveRecord::Migration<%= migration_version %>
+  def change
+    add_column :oauth_access_grants, :code_challenge, :string, null: true
+    add_column :oauth_access_grants, :code_challenge_method, :string, null: true
+  end
+end

data/lib/generators/doorkeeper/templates/initializer.rb

@@ -4,56 +4,103 @@ Doorkeeper.configure do
 
   # This block will be called to check whether the resource owner is authenticated or not.
   resource_owner_authenticator do
-    fail "Please configure doorkeeper resource_owner_authenticator block located in #{__FILE__}"
+    raise "Please configure doorkeeper resource_owner_authenticator block located in #{__FILE__}"
     # Put your resource owner authentication logic here.
     # Example implementation:
     #   User.find_by_id(session[:user_id]) || redirect_to(new_user_session_url)
   end
 
-  # If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below.
+  # If you didn't skip applications controller from Doorkeeper routes in your application routes.rb
+  # file then you need to declare this block in order to restrict access to the web interface for
+  # adding oauth authorized applications. In other case it will return 403 Forbidden response
+  # every time somebody will try to access the admin web interface.
+  #
   # admin_authenticator do
   #   # Put your admin authentication logic here.
   #   # Example implementation:
-  #   Admin.find_by_id(session[:admin_id]) || redirect_to(new_admin_session_url)
+  #
+  #   if current_user
+  #     head :forbidden unless current_user.admin?
+  #   else
+  #     redirect_to sign_in_url
+  #   end
   # end
 
+  # If you are planning to use Doorkeeper in Rails 5 API-only application, then you might
+  # want to use API mode that will skip all the views management and change the way how
+  # Doorkeeper responds to a requests.
+  #
+  # api_only
+
+  # Enforce token request content type to application/x-www-form-urlencoded.
+  # It is not enabled by default to not break prior versions of the gem.
+  #
+  # enforce_content_type
+
   # Authorization Code expiration time (default 10 minutes).
+  #
   # authorization_code_expires_in 10.minutes
 
   # Access token expiration time (default 2 hours).
   # If you want to disable expiration, set this to nil.
+  #
   # access_token_expires_in 2.hours
 
-  # Assign a custom TTL for implicit grants.
-  # custom_access_token_expires_in do |oauth_client|
-  #   oauth_client.application.additional_settings.implicit_oauth_expiration
+  # Assign custom TTL for access tokens. Will be used instead of access_token_expires_in
+  # option if defined. `context` has the following properties available
+  #
+  # `client` - the OAuth client application (see Doorkeeper::OAuth::Client)
+  # `grant_type` - the grant type of the request (see Doorkeeper::OAuth)
+  # `scopes` - the requested scopes (see Doorkeeper::OAuth::Scopes)
+  #
+  # custom_access_token_expires_in do |context|
+  #   context.client.application.additional_settings.implicit_oauth_expiration
   # end
 
   # Use a custom class for generating the access token.
-  # https://github.com/doorkeeper-gem/doorkeeper#custom-access-token-generator
+  # See https://github.com/doorkeeper-gem/doorkeeper#custom-access-token-generator
+  #
   # access_token_generator '::Doorkeeper::JWT'
 
   # The controller Doorkeeper::ApplicationController inherits from.
   # Defaults to ActionController::Base.
-  # https://github.com/doorkeeper-gem/doorkeeper#custom-base-controller
+  # See https://github.com/doorkeeper-gem/doorkeeper#custom-base-controller
+  #
   # base_controller 'ApplicationController'
 
   # Reuse access token for the same resource owner within an application (disabled by default)
   # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/383
+  #
   # reuse_access_token
 
-  # Issue access tokens with refresh token (disabled by default)
+  # Issue access tokens with refresh token (disabled by default), you may also
+  # pass a block which accepts `context` to customize when to give a refresh
+  # token or not. Similar to `custom_access_token_expires_in`, `context` has
+  # the properties:
+  #
+  # `client` - the OAuth client application (see Doorkeeper::OAuth::Client)
+  # `grant_type` - the grant type of the request (see Doorkeeper::OAuth)
+  # `scopes` - the requested scopes (see Doorkeeper::OAuth::Scopes)
+  #
   # use_refresh_token
 
+  # Forbids creating/updating applications with arbitrary scopes that are
+  # not in configuration, i.e. `default_scopes` or `optional_scopes`.
+  # (disabled by default)
+  #
+  # enforce_configured_scopes
+
   # Provide support for an owner to be assigned to each registered application (disabled by default)
   # Optional parameter confirmation: true (default false) if you want to enforce ownership of
   # a registered application
   # Note: you must also run the rails g doorkeeper:application_owner generator to provide the necessary support
+  #
   # enable_application_owner confirmation: false
 
   # Define access token scopes for your provider
   # For more information go to
   # https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes
+  #
   # default_scopes  :public
   # optional_scopes :write, :update
 
@@ -62,6 +109,7 @@ Doorkeeper.configure do
   # falls back to the `:client_id` and `:client_secret` params from the `params` object.
   # Check out https://github.com/doorkeeper-gem/doorkeeper/wiki/Changing-how-clients-are-authenticated
   # for more information on customization
+  #
   # client_credentials :from_basic, :from_params
 
   # Change the way access token is authenticated from the request object.
@@ -69,6 +117,7 @@ Doorkeeper.configure do
   # falls back to the `:access_token` or `:bearer_token` params from the `params` object.
   # Check out https://github.com/doorkeeper-gem/doorkeeper/wiki/Changing-how-clients-are-authenticated
   # for more information on customization
+  #
   # access_token_methods :from_bearer_authorization, :from_access_token_param, :from_bearer_param
 
   # Change the native redirect uri for client apps
@@ -90,8 +139,8 @@ Doorkeeper.configure do
   #
   # force_ssl_in_redirect_uri { |uri| uri.host != 'localhost' }
 
-  # Specify what redirect URI's you want to block during creation. Any redirect
-  # URI is whitelisted by default.
+  # Specify what redirect URI's you want to block during Application creation.
+  # Any redirect URI is whitelisted by default.
   #
   # You can use this option in order to forbid URI's with 'javascript' scheme
   # for example.
@@ -127,13 +176,29 @@ Doorkeeper.configure do
   #   puts "AFTER HOOK FIRED! #{request}, #{response}"
   # end
 
+  # Hook into Authorization flow in order to implement Single Sign Out
+  # or add ny other functionality.
+  #
+  # before_successful_authorization do |controller|
+  #   Rails.logger.info(params.inspect)
+  # end
+  #
+  # after_successful_authorization do |controller|
+  #   controller.session[:logout_urls] <<
+  #     Doorkeeper::Application
+  #       .find_by(controller.request.params.slice(:redirect_uri))
+  #       .logout_uri
+  # end
+
   # Under some circumstances you might want to have applications auto-approved,
   # so that the user skips the authorization step.
   # For example if dealing with a trusted application.
+  #
   # skip_authorization do |resource_owner, client|
   #   client.superapp? or resource_owner.admin?
   # end
 
   # WWW-Authenticate Realm (default "Doorkeeper").
+  #
   # realm "Doorkeeper"
 end

data/lib/generators/doorkeeper/views_generator.rb

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module Generators
     class ViewsGenerator < ::Rails::Generators::Base
-      source_root File.expand_path('../../../../app/views', __FILE__)
+      source_root File.expand_path('../../../app/views', __dir__)
 
       desc 'Copies default Doorkeeper views and layouts to your application.'
 

data/spec/controllers/application_metal_controller_spec.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require 'spec_helper_integration'
+
+describe Doorkeeper::ApplicationMetalController do
+  controller(Doorkeeper::ApplicationMetalController) do
+    def index
+      render json: {}, status: 200
+    end
+  end
+
+  it "lazy run hooks" do
+    i = 0
+    ActiveSupport.on_load(:doorkeeper_metal_controller) { i += 1 }
+
+    expect(i).to eq 1
+  end
+
+  describe 'enforce_content_type' do
+    before { allow(Doorkeeper.configuration).to receive(:enforce_content_type).and_return(flag) }
+
+    context 'enabled' do
+      let(:flag) { true }
+
+      it '200 for the correct media type' do
+        get :index, params: {}, as: :url_encoded_form
+        expect(response).to have_http_status 200
+      end
+
+      it 'returns a 415 for an incorrect media type' do
+        get :index, as: :json
+        expect(response).to have_http_status 415
+      end
+    end
+
+    context 'disabled' do
+      let(:flag) { false }
+
+      it 'returns a 200 for the correct media type' do
+        get :index, as: :url_encoded_form
+        expect(response).to have_http_status 200
+      end
+
+      it 'returns a 200 for an incorrect media type' do
+        get :index, as: :json
+        expect(response).to have_http_status 200
+      end
+    end
+  end
+end