doorkeeper 4.4.3 → 5.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 8d8d3550d8406d4abb224c4960d1d6e8a0c4c706
-  data.tar.gz: b12408cb8b0dc2b14ee69b57798943b5c1bfaa30
+SHA256:
+  metadata.gz: 897eb14bd6b334b3b9f69f5cd54bfe524baddc09b3f96159f29a3c0b32b89d9b
+  data.tar.gz: b7bdd3e4d3cef46cb68fca0ac0bc854b5fa28c170c70a244b331b223d035d16f
 SHA512:
-  metadata.gz: 0674af950f6070d6457e09f73fc89736b092ae6595e484ca6e67e7f126912ea007509d9249fdc4eb01e66bf981c1e49da33712203d8428d10401a43faabd1cfd
-  data.tar.gz: e447513c202dfde4c622b898da2a98dff64272193136fe399b890bb97488e7915156a2588caa6de3566db411f4c7dfa89e88be3a8b8d0a76511251f2f980c382
+  metadata.gz: ff4eb6145d1a432a2cb31055ccf4fcbbaa0d91f3cb8c59ad061ede4d25b6ca345e1b5404c7180816524b5e0c650e359189d42790be61d025eeb940781accac52
+  data.tar.gz: 30463a001c175d07cecda2f760ed669c5c460c6fd0e3ed802b9988c8ca3b15e80fd335022f61b9cec9954d7906c53e160a3462df8988f9f0a756dff2a7452cb1

data/.gitignore

@@ -17,3 +17,4 @@ gemfiles/*.lock
 /doc/
 /rdoc/
 coverage
+*.gem

data/.gitlab-ci.yml

@@ -0,0 +1,16 @@
+dependency_scanning:
+  image: docker:stable
+  variables:
+    DOCKER_DRIVER: overlay2
+  allow_failure: true
+  services:
+    - docker:stable-dind
+  script:
+    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
+    - docker run
+        --env DEP_SCAN_DISABLE_REMOTE_CHECKS="${DEP_SCAN_DISABLE_REMOTE_CHECKS:-false}"
+        --volume "$PWD:/code"
+        --volume /var/run/docker.sock:/var/run/docker.sock
+        "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$SP_VERSION" /code
+  artifacts:
+    paths: [gl-dependency-scanning-report.json]

data/.travis.yml

@@ -8,6 +8,7 @@ rvm:
   - 2.3
   - 2.4
   - 2.5
+  - ruby-2.6.0-preview1
 
 before_install:
   - gem update --system # Need for Ruby 2.5.0. https://github.com/travis-ci/travis-ci/issues/8978
@@ -21,6 +22,12 @@ gemfile:
   - gemfiles/rails_master.gemfile
 
 matrix:
+  fast_finish: true
+  # Run Danger only once
+  include:
+    - rvm: 2.5
+      gemfile: gemfiles/rails_5_2.gemfile
+      script: bundle exec danger
   exclude:
     - gemfile: gemfiles/rails_5_0.gemfile
       rvm: 2.1

data/Appraisals

@@ -4,12 +4,12 @@ end
 
 appraise "rails-5-0" do
   gem "rails", "~> 5.0.0"
-  gem "rspec-rails", "~> 3.5"
+  gem "rspec-rails", "~> 3.7"
 end
 
 appraise "rails-5-1" do
   gem "rails", "~> 5.1.0"
-  gem "rspec-rails", "~> 3.5"
+  gem "rspec-rails", "~> 3.7"
 end
 
 appraise "rails-master" do

data/Dangerfile

@@ -0,0 +1,64 @@
+CHANGELOG_FILE = 'NEWS.md'
+GITHUB_REPO = 'https://github.com/doorkeeper-gem/doorkeeper'
+
+def changelog_changed?
+  git.modified_files.include?(CHANGELOG_FILE) || git.added_files.include?(CHANGELOG_FILE)
+end
+
+def changelog_entry_example
+  pr_number = github.pr_json['number']
+  pr_title = github.pr_title
+                   .sub(/[?.!,;]?$/, '')
+                   .capitalize
+
+  "- [##{pr_number}]: #{pr_title}."
+end
+
+# --------------------------------------------------------------------------------------------------------------------
+# Has any changes happened inside the actual library code?
+# --------------------------------------------------------------------------------------------------------------------
+has_app_changes = !git.modified_files.grep(/lib/).empty?
+has_spec_changes = !git.modified_files.grep(/spec/).empty?
+
+# --------------------------------------------------------------------------------------------------------------------
+# You've made changes to lib, but didn't write any tests?
+# --------------------------------------------------------------------------------------------------------------------
+if has_app_changes && !has_spec_changes
+  warn("There're library changes, but not tests. That's OK as long as you're refactoring existing code.", sticky: false)
+end
+
+# --------------------------------------------------------------------------------------------------------------------
+# You've made changes to specs, but no library code has changed?
+# --------------------------------------------------------------------------------------------------------------------
+if !has_app_changes && has_spec_changes
+  message('We really appreciate pull requests that demonstrate issues, even without a fix. That said, the next step is to try and fix the failing tests!', sticky: false)
+end
+
+# Mainly to encourage writing up some reasoning about the PR, rather than
+# just leaving a title
+if github.pr_body.length < 10
+  fail "Please provide a summary in the Pull Request description"
+end
+
+# --------------------------------------------------------------------------------------------------------------------
+# Have you updated CHANGELOG.md?
+# --------------------------------------------------------------------------------------------------------------------
+# Add a CHANGELOG entry for app changes
+if has_app_changes && !changelog_changed?
+  markdown <<-MARKDOWN
+Here's an example of a #{CHANGELOG_FILE} entry:
+```markdown
+#{changelog_entry_example}
+```
+  MARKDOWN
+
+  fail("Please include a changelog entry. \nYou can find it at [#{CHANGELOG_FILE}](#{GITHUB_REPO}/blob/master/#{CHANGELOG_FILE}).")
+end
+
+if git.commits.any? { |commit| commit.message =~ /^Merge branch '#{github.branch_for_base}'/ }
+  warn('Please rebase to get rid of the merge commits in this PR')
+end
+
+if git.commits.length > 1
+  warn('Please squash all your commits to a single one')
+end

data/Gemfile

@@ -1,6 +1,6 @@
 source "https://rubygems.org"
 
-gem "rails", "~> 5.1"
+gem "rails", "~> 5.2"
 
 gem "appraisal"
 

data/NEWS.md

@@ -1,25 +1,111 @@
 # News
 
-User-visible changes worth mentioning.
+See https://github.com/doorkeeper-gem/doorkeeper/wiki/Migration-from-old-versions for
+upgrade guides.
 
-## master
+User-visible changes worth mentioning.
 
+## 5.0.3
+
+[#1371] Backport: Add #as_json method and attributes serialization restriction for Application model.
+        Fixes information disclosure vulnerability (CVE-2020-10187).
+
+## 5.0.2
+
+- [#1158] Fix initializer template: change `handle_auth_errors` option
+- [#1157] Remove redundant index from migration template.
+
+## 5.0.1
+
+- [#1140] Allow rendering custom errors from exceptions (issue #844). Originally opened as [#944].
+- [#1138] Revert regression bug (check for token expiration in Authorizations controller so authorization
+  triggers every time)
+- [#1149] Fix for `URIChecker#valid_for_authorization?` false negative when query is blank, but `?` present.
+- [#1151] Fix Refresh Token strategy: add proper validation of client credentials both for Public & Private clients.
+- [#1152] Fix migration template: change resource owner data type from integer to Rails generic `references`
+- [#1154] Refactor `StaleRecordsCleaner` to be ORM agnostic.
+
+## 5.0.0
+
+- [#1127] Change the token_type initials of the Banner Token to uppercase to comply with the RFC6750 specification.
+
+## 5.0.0.rc2
+
+- [#1106] Restrict access to AdminController with 'Forbidden 403' if admin_authenticator is not
+  configured by developers..
+- [#1108] Simple formating of callback URLs when listing oauth applications
+- [#1116] `AccessGrant`s will now be revoked along with `AccessToken`s when
+  hitting the `AuthorizedApplicationController#destroy` route.
+- [#1114] Make token info endpoint's attributes consistent with token creation
+- [#1119] Fix token revocation for OAuth apps using "implicit" grant flow
+- [#1122] Fix AuthorizationsController#new error response to be in JSON format
+
+## 5.0.0.rc1
+
+- [#1103] Allow customizing use_refresh_token
+- [#1089] Removed enable_pkce_without_secret configuration option
+- [#1102] Expiration time based on scopes
+- [#1099] All the configuration variables in `Doorkeeper.configuration` now
+  always return a non-nil value (`true` or `false`)
+- [#1099] ORM / Query optimization: Do not revoke the refresh token if it is not enabled
+  in `doorkeeper.rb`
+- [#996] Expiration Time Base On Grant Type
+- [#997] Allow PKCE authorization_code flow as specified in RFC7636
+- [#907] Fix lookup for matching tokens in certain edge-cases
+- [#992] Add API option to use Doorkeeper without management views for API only
+  Rails applications (`api_only`)
+- [#1045] Validate redirect_uri as the native URI when making authorization code requests
+- [#1048] Remove deprecated `Doorkeeper#configured?`, `Doorkeeper#database_installed?`, and
+  `Doorkeeper#installed?` method
+- [#1031] Allow public clients to authenticate without `client_secret`. Define an app as
+  either public or private/confidential
+  
+  **[IMPORTANT]**: all the applications (clients) now are considered as private by default.
+    You need to manually change `confidential` column to `false` if you are using public clients,
+    in other case your mobile (or other) applications will not be able to authorize.
+    See [#1142](https://github.com/doorkeeper-gem/doorkeeper/issues/1142) for more details.
+  
+- [#1010] Add configuration to enforce configured scopes (`default_scopes` and
+  `optional_scopes`) for applications
+- [#1060] Ensure that the native redirect_uri parameter matches with redirect_uri of the client
+- [#1064] Add :before_successful_authorization and :after_successful_authorization hooks
+- [#1069] Upgrade Bootstrap to 4 for Admin
+- [#1068] Add rake task to cleanup databases that can become large over time
+- [#1072] AuthorizationsController: Memoize strategy.authorize_response result to enable
+  subclasses to use the response object.
+- [#1075] Call `before_successful_authorization` and `after_successful_authorization` hooks
+  on `create` action as well as `new`
+- [#1082] Fix #916: remember routes mapping and use it required places (fix error with
+  customized Token Info route).
+- [#1086, #1088] Fix bug with receiving default scopes in the token even if they are
+  not present in the application scopes (use scopes intersection).
+- [#1076] Add config to enforce content type to application/x-www-form-urlencoded
+- Fix bug with `force_ssl_in_redirect_uri` when it breaks existing applications with an
+  SSL redirect_uri.
+  
 ## 4.4.3
-- [#1143] Adds a config option opt_out_native_route_change to opt out of the
-  breaking api changed introduced in
-  https://github.com/doorkeeper-gem/doorkeeper/pull/1003
+  
+- [#1143] Adds a config option `opt_out_native_route_change` to opt out of the breaking api
+  changed introduced in https://github.com/doorkeeper-gem/doorkeeper/pull/1003
 
+  
 ## 4.4.2
-- [#1130] Backport fix for native redirect_uri from 5.x.
 
+- [#1130] Backport fix for native redirect_uri from 5.x.
+  
 ## 4.4.1
 
 - [#1127] Backport token type to comply with the RFC6750 specification.
 - [#1125] Backport Quote surround I18n yes/no keys
-
+  
 ## 4.4.0
-
+  
 - [#1120] Backport security fix from 5.x for token revocation when using public clients
+  
+  **[IMPORTANT]**: all the applications (clients) now are considered as private by default.
+  You need to manually change `confidential` column to `false` if you are using public clients,
+  in other case your mobile (or other) applications will not be able to authorize.
+  See [#1142](https://github.com/doorkeeper-gem/doorkeeper/issues/1142) for more details.
 
 ## 4.3.2
 
@@ -48,6 +134,10 @@ User-visible changes worth mentioning.
 - [#985] Generate valid migration files for Rails >= 5
 - [#972] Replace Struct subclassing with block-form initialization
 - [#1003] Use URL query param to pass through native redirect auth code so automated apps can find it.
+
+  **[IMPORTANT]**: Previously authorization code response route was `/oauth/authorize/<code>`,
+  now it is `oauth/authorize/native?code=<code>` (in order to help applications to automatically find the code value).
+
 - [#868] `Scopes#&` and `Scopes#+` now take an array or any other enumerable
   object.
 - [#1019] Remove translation not in use: `invalid_resource_owner`.

data/README.md

@@ -1,14 +1,14 @@
-# Doorkeeper - awesome OAuth 2 provider for your Rails app.
+# Doorkeeper — awesome OAuth 2 provider for your Rails / Grape app.
 
 [![Gem Version](https://badge.fury.io/rb/doorkeeper.svg)](https://rubygems.org/gems/doorkeeper)
 [![Build Status](https://travis-ci.org/doorkeeper-gem/doorkeeper.svg?branch=master)](https://travis-ci.org/doorkeeper-gem/doorkeeper)
-[![Dependency Status](https://gemnasium.com/doorkeeper-gem/doorkeeper.svg?travis)](https://gemnasium.com/doorkeeper-gem/doorkeeper)
 [![Code Climate](https://codeclimate.com/github/doorkeeper-gem/doorkeeper.svg)](https://codeclimate.com/github/doorkeeper-gem/doorkeeper)
 [![Coverage Status](https://coveralls.io/repos/github/doorkeeper-gem/doorkeeper/badge.svg?branch=master)](https://coveralls.io/github/doorkeeper-gem/doorkeeper?branch=master)
 [![Security](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master.svg)](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master)
+[![Reviewed by Hound](https://img.shields.io/badge/Reviewed_by-Hound-8E64B0.svg)](https://houndci.com)
 
-Doorkeeper is a gem that makes it easy to introduce OAuth 2 provider
-functionality to your Rails or Grape application.
+Doorkeeper is a gem (Rails engine) that makes it easy to introduce OAuth 2 provider
+functionality to your Ruby on Rails or Grape application.
 
 Supported features:
 
@@ -19,15 +19,20 @@ Supported features:
   - [Implicit grant](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.2)
   - [Resource Owner Password Credentials](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.3)
   - [Client Credentials](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.4)
+  - [Proof Key for Code Exchange](https://tools.ietf.org/html/rfc7636)
 - [OAuth 2.0 Token Revocation](http://tools.ietf.org/html/rfc7009)
 - [OAuth 2.0 Token Introspection](https://tools.ietf.org/html/rfc7662)
 
+See [list of tutorials](https://github.com/doorkeeper-gem/doorkeeper/wiki#how-tos--tutorials) in order to
+learn how to use the gem or integrate it with other solutions / gems.
+
 ## Documentation valid for `master` branch
 
 Please check the documentation for the version of doorkeeper you are using in:
 https://github.com/doorkeeper-gem/doorkeeper/releases
 
-- See the [wiki](https://github.com/doorkeeper-gem/doorkeeper/wiki)
+- See the [Wiki](https://github.com/doorkeeper-gem/doorkeeper/wiki)
+- See [upgrade guides](https://github.com/doorkeeper-gem/doorkeeper/wiki/Migration-from-old-versions)
 - For general questions, please post in [Stack Overflow](http://stackoverflow.com/questions/tagged/doorkeeper)
 - See [SECURITY.md](SECURITY.md) for this project's security disclose
   policy
@@ -44,9 +49,12 @@ https://github.com/doorkeeper-gem/doorkeeper/releases
     - [MongoDB](#mongodb)
     - [Sequel](#sequel)
     - [Couchbase](#couchbase)
+  - [API mode](#api-mode)
   - [Routes](#routes)
   - [Authenticating](#authenticating)
   - [Internationalization (I18n)](#internationalization-i18n)
+  - [Customizing errors](#customizing-errors)
+  - [Rake Tasks](#rake-tasks)
 - [Protecting resources with OAuth (a.k.a your API endpoint)](#protecting-resources-with-oauth-aka-your-api-endpoint)
   - [Ruby on Rails controllers](#ruby-on-rails-controllers)
   - [Grape endpoints](#grape-endpoints)
@@ -103,12 +111,26 @@ for each table that includes a `resource_owner_id` column:
 add_foreign_key :table_name, :users, column: :resource_owner_id
 ```
 
+If you want to enable [PKCE flow] for mobile apps, you need to generate another
+migration:
+
+[PKCE flow]: https://tools.ietf.org/html/rfc7636
+
+```sh
+    rails generate doorkeeper:pkce
+```
+
 Then run migrations:
 
 ```sh
 rake db:migrate
 ```
 
+Ensure to use non-confidential apps for pkce. PKCE is created, because
+you cannot trust its apps' secret. So whatever app needs pkce: it means, it cannot
+be a confidential app by design.
+
+
 Remember to add associations to your model so the related records are deleted.
 If you don't do this an `ActiveRecord::InvalidForeignKey`-error will be raised
 when you try to destroy a model with related access grants or access tokens.
@@ -146,6 +168,24 @@ Use [doorkeeper-couchbase] extension if you are using Couchbase database.
 
 [doorkeeper-couchbase]: https://github.com/acaprojects/doorkeeper-couchbase
 
+### API mode
+
+By default Doorkeeper uses full Rails stack to provide all the OAuth 2 functionality
+with additional features like administration area for managing applications. By the
+way, starting from Doorkeeper 5 you can use API mode for your [API only Rails 5 applications](http://edgeguides.rubyonrails.org/api_app.html).
+All you need is just to configure the gem to work in desired mode:
+
+``` ruby
+Doorkeeper.configure do
+  # ...
+
+  api_only
+end
+```
+
+Keep in mind, that in this mode you will not be able to access `Applications` or
+`Authorized Applications` controllers because they will be skipped. CSRF protections (which are otherwise enabled) will be skipped, and all the redirects will be returned as JSON response with corresponding locations.
+
 ### Routes
 
 The installation script will also automatically add the Doorkeeper routes into
@@ -198,7 +238,44 @@ You may want to check other ways of authentication
 
 ### Internationalization (I18n)
 
-See language files in [the I18n repository](https://github.com/doorkeeper-gem/doorkeeper-i18n).
+Doorkeeper support multiple languages. See language files in
+[the I18n repository](https://github.com/doorkeeper-gem/doorkeeper-i18n).
+
+### Customizing errors
+
+If you don't want to use default Doorkeeper error responses you can raise and rescue it's
+exceptions. All you need is to set configuration option `handle_auth_errors` to `:raise`.
+In this case Doorkeeper will raise `Doorkeeper::Errors::TokenForbidden`,
+`Doorkeeper::Errors::TokenExpired`, `Doorkeeper::Errors::TokenRevoked` or other exceptions
+that you need to care about.
+
+### Rake Tasks
+
+If you are using `rake`, you can load rake tasks provided by this gem, by adding
+the following line to your `Rakefile`:
+
+```ruby
+Doorkeeper::Rake.load_tasks
+```
+
+#### Cleaning up
+
+By default Doorkeeper is retaining expired and revoked access tokens and grants.
+This allows to keep an audit log of those records, but it also leads to the
+corresponding tables to grow large over the lifetime of your application.
+
+If you are concerned about those tables growing too large,
+you can regularly run the following rake task to remove stale entries
+from the database:
+
+```rake
+rake doorkeeper:db:cleanup
+```
+
+Note that this will remove tokens that are expired according to the configured TTL
+in `Doorkeeper.configuration.access_token_expires_in`. The specific `expires_in`
+value of each access token **is not considered**. The same is true for access
+grants.
 
 ## Protecting resources with OAuth (a.k.a your API endpoint)
 
@@ -210,7 +287,9 @@ protect. For example:
 
 ``` ruby
 class Api::V1::ProductsController < Api::V1::ApiController
-  before_action :doorkeeper_authorize! # Require access token for all actions
+  before_action :doorkeeper_authorize! # Requires access token for all actions
+  
+  # before_action -> { doorkeeper_authorize! :read, :write }
 
   # your actions
 end
@@ -305,7 +384,7 @@ end
 Please note that there is a logical OR between multiple required scopes. In the
 above example, `doorkeeper_authorize! :admin, :write` means that the access
 token is required to have either `:admin` scope or `:write` scope, but does not
-need have both of them.
+need to have both of them.
 
 If you want to require the access token to have multiple scopes at the same
 time, use multiple `doorkeeper_authorize!`, for example:
@@ -381,8 +460,11 @@ token owner.
 
 ### Applications list
 
-By default, the applications list (`/oauth/applications`) is publicly available.
-To protect the endpoint you should uncomment these lines:
+By default, the applications list (`/oauth/applications`) is publicly available (before 5.0 release).
+Starting from Doorkeeper 5.0 it returns 403 Forbidden if `admin_authenticator` option is not configured
+by developers.
+
+To change the protection rules of this endpoint you should uncomment these lines:
 
 ```ruby
 # config/initializers/doorkeeper.rb
@@ -399,6 +481,22 @@ customize the controller used by the list or skip the controller all together.
 For more information see the page
 [in the wiki](https://github.com/doorkeeper-gem/doorkeeper/wiki/Customizing-routes).
 
+By default, everybody can create application with any scopes. However,
+you can enforce users to create applications only with configured scopes
+(`default_scopes` and `optional_scopes` from the Doorkeeper initializer):
+
+```ruby
+# config/initializers/doorkeeper.rb
+Doorkeeper.configure do
+  # ...
+
+  default_scopes :read, :write
+  optional_scopes :create, :update
+
+  enforce_configured_scopes
+end
+```
+
 ## Other customizations
 
 - [Associate users to OAuth applications (ownership)](https://github.com/doorkeeper-gem/doorkeeper/wiki/Associate-users-to-OAuth-applications-%28ownership%29)
@@ -412,7 +510,7 @@ Doorkeeper 4.3.0 it uses [ActiveSupport lazy loading hooks](http://api.rubyonrai
 to load models. There are [known issue](https://github.com/doorkeeper-gem/doorkeeper/issues/1043)
 with the `factory_bot_rails` gem (it executes factories building before `ActiveRecord::Base`
 is initialized using hooks in gem railtie, so you can catch a `uninitialized constant` error).
-It is recommended to use pure `factory_bot` gem to solve this problem. 
+It is recommended to use pure `factory_bot` gem to solve this problem.
 
 ## Upgrading
 
@@ -429,7 +527,7 @@ To run the local engine server:
 
 ```
 bundle install
-bundle exec rails server
+bundle exec rake doorkeeper:server
 ````
 
 By default, it uses the latest Rails version with ActiveRecord. To run the

data/Rakefile

@@ -15,6 +15,12 @@ namespace :doorkeeper do
     cd 'spec/dummy'
     system 'bundle exec rails g doorkeeper:install --force'
   end
+
+  desc 'Runs local test server'
+  task :server do
+    cd 'spec/dummy'
+    system 'bundle exec rails server'
+  end
 end
 
 Bundler::GemHelper.install_tasks

data/UPGRADE.md

@@ -0,0 +1,2 @@
+See [Upgrade Guides](https://github.com/doorkeeper-gem/doorkeeper/wiki/Migration-from-old-versions)
+in the project Wiki.

data/app/assets/stylesheets/doorkeeper/admin/application.css

@@ -5,6 +5,6 @@
  *= require_tree .
 */
 
-td {
-  vertical-align: middle !important;
+.doorkeeper-admin .form-group > .field_with_errors {
+  width: 16.66667%;
 }

data/app/controllers/doorkeeper/application_controller.rb

@@ -1,11 +1,14 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   class ApplicationController <
     Doorkeeper.configuration.base_controller.constantize
 
     include Helpers::Controller
 
-    protect_from_forgery with: :exception
-
-    helper 'doorkeeper/dashboard'
+    unless Doorkeeper.configuration.api_only
+      protect_from_forgery with: :exception
+      helper 'doorkeeper/dashboard'
+    end
   end
 end

data/app/controllers/doorkeeper/application_metal_controller.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   class ApplicationMetalController < ActionController::Metal
     MODULES = [
@@ -5,6 +7,7 @@ module Doorkeeper
       AbstractController::Rendering,
       ActionController::Rendering,
       ActionController::Renderers::All,
+      AbstractController::Callbacks,
       Helpers::Controller
     ].freeze
 
@@ -12,6 +15,9 @@ module Doorkeeper
       include mod
     end
 
+    before_action :enforce_content_type,
+                  if: -> { Doorkeeper.configuration.enforce_content_type }
+
     ActiveSupport.run_load_hooks(:doorkeeper_metal_controller, self)
   end
 end