RubyGems - doorkeeper - Versions diffs - 4.4.3 → 5.0.3 - Mend

doorkeeper 4.4.3 → 5.0.3

Potentially problematic release.

This version of doorkeeper might be problematic. Click here for more details.

Files changed (223) hide show

checksums.yaml +5 -5
data/.gitignore +1 -0
data/.gitlab-ci.yml +16 -0
data/.travis.yml +7 -0
data/Appraisals +2 -2
data/Dangerfile +64 -0
data/Gemfile +1 -1
data/NEWS.md +98 -8
data/README.md +110 -12
data/Rakefile +6 -0
data/UPGRADE.md +2 -0
data/app/assets/stylesheets/doorkeeper/admin/application.css +2 -2
data/app/controllers/doorkeeper/application_controller.rb +6 -3
data/app/controllers/doorkeeper/application_metal_controller.rb +6 -0
data/app/controllers/doorkeeper/applications_controller.rb +46 -24
data/app/controllers/doorkeeper/authorizations_controller.rb +55 -12
data/app/controllers/doorkeeper/authorized_applications_controller.rb +21 -2
data/app/controllers/doorkeeper/token_info_controller.rb +2 -0
data/app/controllers/doorkeeper/tokens_controller.rb +4 -6
data/app/helpers/doorkeeper/dashboard_helper.rb +9 -7
data/app/validators/redirect_uri_validator.rb +5 -2
data/app/views/doorkeeper/applications/_delete_form.html.erb +3 -1
data/app/views/doorkeeper/applications/_form.html.erb +25 -24
data/app/views/doorkeeper/applications/edit.html.erb +1 -1
data/app/views/doorkeeper/applications/index.html.erb +17 -7
data/app/views/doorkeeper/applications/new.html.erb +1 -1
data/app/views/doorkeeper/applications/show.html.erb +6 -6
data/app/views/doorkeeper/authorizations/error.html.erb +1 -1
data/app/views/doorkeeper/authorizations/new.html.erb +4 -0
data/app/views/layouts/doorkeeper/admin.html.erb +15 -15
data/config/locales/en.yml +10 -1
data/doorkeeper.gemspec +25 -26
data/gemfiles/rails_5_2.gemfile +1 -1
data/gemfiles/rails_master.gemfile +4 -1
data/lib/doorkeeper/config.rb +81 -40
data/lib/doorkeeper/engine.rb +6 -0
data/lib/doorkeeper/errors.rb +17 -3
data/lib/doorkeeper/grape/authorization_decorator.rb +2 -0
data/lib/doorkeeper/grape/helpers.rb +3 -1
data/lib/doorkeeper/helpers/controller.rb +9 -2
data/lib/doorkeeper/models/access_grant_mixin.rb +73 -0
data/lib/doorkeeper/models/access_token_mixin.rb +44 -25
data/lib/doorkeeper/models/application_mixin.rb +2 -0
data/lib/doorkeeper/models/concerns/accessible.rb +2 -0
data/lib/doorkeeper/models/concerns/expirable.rb +2 -0
data/lib/doorkeeper/models/concerns/orderable.rb +2 -0
data/lib/doorkeeper/models/concerns/ownership.rb +2 -0
data/lib/doorkeeper/models/concerns/revocable.rb +2 -0
data/lib/doorkeeper/models/concerns/scopes.rb +3 -1
data/lib/doorkeeper/oauth/authorization/code.rb +33 -8
data/lib/doorkeeper/oauth/authorization/context.rb +17 -0
data/lib/doorkeeper/oauth/authorization/token.rb +38 -14
data/lib/doorkeeper/oauth/authorization/uri_builder.rb +2 -0
data/lib/doorkeeper/oauth/authorization_code_request.rb +29 -2
data/lib/doorkeeper/oauth/base_request.rb +22 -9
data/lib/doorkeeper/oauth/base_response.rb +2 -0
data/lib/doorkeeper/oauth/client/credentials.rb +3 -1
data/lib/doorkeeper/oauth/client.rb +1 -1
data/lib/doorkeeper/oauth/client_credentials/creator.rb +4 -1
data/lib/doorkeeper/oauth/client_credentials/issuer.rb +7 -2
data/lib/doorkeeper/oauth/client_credentials/validation.rb +5 -5
data/lib/doorkeeper/oauth/client_credentials_request.rb +1 -3
data/lib/doorkeeper/oauth/code_request.rb +2 -0
data/lib/doorkeeper/oauth/code_response.rb +2 -0
data/lib/doorkeeper/oauth/error.rb +2 -0
data/lib/doorkeeper/oauth/error_response.rb +21 -3
data/lib/doorkeeper/oauth/forbidden_token_response.rb +9 -2
data/lib/doorkeeper/oauth/helpers/scope_checker.rb +2 -8
data/lib/doorkeeper/oauth/helpers/unique_token.rb +2 -0
data/lib/doorkeeper/oauth/helpers/uri_checker.rb +5 -2
data/lib/doorkeeper/oauth/invalid_token_response.rb +18 -0
data/lib/doorkeeper/oauth/password_access_token_request.rb +9 -4
data/lib/doorkeeper/oauth/pre_authorization.rb +43 -11
data/lib/doorkeeper/oauth/refresh_token_request.rb +16 -3
data/lib/doorkeeper/oauth/scopes.rb +3 -1
data/lib/doorkeeper/oauth/token.rb +7 -2
data/lib/doorkeeper/oauth/token_introspection.rb +4 -2
data/lib/doorkeeper/oauth/token_request.rb +2 -0
data/lib/doorkeeper/oauth/token_response.rb +6 -2
data/lib/doorkeeper/oauth.rb +13 -0
data/lib/doorkeeper/orm/active_record/application.rb +75 -12
data/lib/doorkeeper/orm/active_record/stale_records_cleaner.rb +26 -0
data/lib/doorkeeper/orm/active_record.rb +4 -0
data/lib/doorkeeper/rails/helpers.rb +6 -4
data/lib/doorkeeper/rails/routes/mapper.rb +2 -0
data/lib/doorkeeper/rails/routes/mapping.rb +2 -0
data/lib/doorkeeper/rails/routes.rb +23 -8
data/lib/doorkeeper/rake/db.rake +40 -0
data/lib/doorkeeper/rake/setup.rake +6 -0
data/lib/doorkeeper/rake.rb +14 -0
data/lib/doorkeeper/request/authorization_code.rb +1 -1
data/lib/doorkeeper/request/client_credentials.rb +1 -1
data/lib/doorkeeper/request/code.rb +1 -1
data/lib/doorkeeper/request/password.rb +1 -1
data/lib/doorkeeper/request/refresh_token.rb +1 -1
data/lib/doorkeeper/request/strategy.rb +2 -0
data/lib/doorkeeper/request/token.rb +1 -1
data/lib/doorkeeper/request.rb +29 -34
data/lib/doorkeeper/server.rb +2 -0
data/lib/doorkeeper/stale_records_cleaner.rb +20 -0
data/lib/doorkeeper/validations.rb +2 -0
data/lib/doorkeeper/version.rb +6 -24
data/lib/doorkeeper.rb +20 -17
data/lib/generators/doorkeeper/application_owner_generator.rb +23 -18
data/lib/generators/doorkeeper/confidential_applications_generator.rb +32 -0
data/lib/generators/doorkeeper/install_generator.rb +17 -9
data/lib/generators/doorkeeper/migration_generator.rb +23 -18
data/lib/generators/doorkeeper/pkce_generator.rb +32 -0
data/lib/generators/doorkeeper/previous_refresh_token_generator.rb +29 -24
data/lib/generators/doorkeeper/templates/add_confidential_to_applications.rb.erb +13 -0
data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +6 -0
data/lib/generators/doorkeeper/templates/initializer.rb +96 -13
data/lib/generators/doorkeeper/templates/migration.rb.erb +2 -3
data/lib/generators/doorkeeper/views_generator.rb +3 -1
data/spec/controllers/application_metal_controller_spec.rb +50 -0
data/spec/controllers/applications_controller_spec.rb +123 -14
data/spec/controllers/authorizations_controller_spec.rb +334 -51
data/spec/controllers/protected_resources_controller_spec.rb +60 -18
data/spec/controllers/token_info_controller_spec.rb +4 -12
data/spec/controllers/tokens_controller_spec.rb +17 -20
data/spec/dummy/Rakefile +1 -1
data/spec/dummy/app/assets/config/manifest.js +2 -0
data/spec/dummy/app/controllers/custom_authorizations_controller.rb +1 -1
data/spec/dummy/app/controllers/home_controller.rb +1 -2
data/spec/dummy/config/application.rb +1 -1
data/spec/dummy/config/boot.rb +2 -4
data/spec/dummy/config/environment.rb +1 -1
data/spec/dummy/config/environments/test.rb +5 -6
data/spec/dummy/config/initializers/doorkeeper.rb +12 -6
data/spec/dummy/config/initializers/new_framework_defaults.rb +2 -0
data/spec/dummy/config/initializers/secret_token.rb +1 -1
data/spec/dummy/config/routes.rb +3 -42
data/spec/dummy/config.ru +1 -1
data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +4 -4
data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb +1 -1
data/spec/dummy/db/migrate/20170822064514_enable_pkce.rb +6 -0
data/spec/dummy/db/migrate/{20180210183654_add_confidential_to_application.rb → 20180210183654_add_confidential_to_applications.rb} +1 -1
data/spec/dummy/db/schema.rb +36 -36
data/spec/dummy/script/rails +4 -3
data/spec/factories.rb +6 -6
data/spec/generators/application_owner_generator_spec.rb +1 -1
data/spec/generators/confidential_applications_generator_spec.rb +45 -0
data/spec/generators/install_generator_spec.rb +5 -2
data/spec/generators/migration_generator_spec.rb +1 -1
data/spec/generators/pkce_generator_spec.rb +43 -0
data/spec/generators/previous_refresh_token_generator_spec.rb +1 -1
data/spec/generators/templates/routes.rb +0 -1
data/spec/generators/views_generator_spec.rb +2 -2
data/spec/grape/grape_integration_spec.rb +2 -2
data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +1 -1
data/spec/lib/config_spec.rb +105 -39
data/spec/lib/doorkeeper_spec.rb +6 -131
data/spec/lib/models/expirable_spec.rb +0 -3
data/spec/lib/models/revocable_spec.rb +0 -2
data/spec/lib/models/scopes_spec.rb +0 -4
data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -4
data/spec/lib/oauth/authorization_code_request_spec.rb +17 -7
data/spec/lib/oauth/base_request_spec.rb +49 -11
data/spec/lib/oauth/base_response_spec.rb +1 -1
data/spec/lib/oauth/client/credentials_spec.rb +2 -4
data/spec/lib/oauth/client_credentials/creator_spec.rb +5 -1
data/spec/lib/oauth/client_credentials/issuer_spec.rb +24 -7
data/spec/lib/oauth/client_credentials/validation_spec.rb +4 -4
data/spec/lib/oauth/client_credentials_integration_spec.rb +2 -2
data/spec/lib/oauth/client_credentials_request_spec.rb +3 -5
data/spec/lib/oauth/client_spec.rb +0 -3
data/spec/lib/oauth/code_request_spec.rb +5 -3
data/spec/lib/oauth/code_response_spec.rb +1 -1
data/spec/lib/oauth/error_response_spec.rb +0 -3
data/spec/lib/oauth/error_spec.rb +0 -2
data/spec/lib/oauth/forbidden_token_response_spec.rb +1 -4
data/spec/lib/oauth/helpers/scope_checker_spec.rb +8 -11
data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -1
data/spec/lib/oauth/helpers/uri_checker_spec.rb +22 -13
data/spec/lib/oauth/invalid_token_response_spec.rb +1 -4
data/spec/lib/oauth/password_access_token_request_spec.rb +53 -6
data/spec/lib/oauth/pre_authorization_spec.rb +33 -4
data/spec/lib/oauth/refresh_token_request_spec.rb +22 -14
data/spec/lib/oauth/scopes_spec.rb +0 -3
data/spec/lib/oauth/token_request_spec.rb +8 -9
data/spec/lib/oauth/token_response_spec.rb +0 -1
data/spec/lib/oauth/token_spec.rb +40 -14
data/spec/lib/request/strategy_spec.rb +0 -1
data/spec/lib/server_spec.rb +7 -7
data/spec/lib/stale_records_cleaner_spec.rb +89 -0
data/spec/models/doorkeeper/access_grant_spec.rb +44 -1
data/spec/models/doorkeeper/access_token_spec.rb +80 -32
data/spec/models/doorkeeper/application_spec.rb +293 -221
data/spec/requests/applications/applications_request_spec.rb +134 -1
data/spec/requests/applications/authorized_applications_spec.rb +1 -1
data/spec/requests/endpoints/authorization_spec.rb +3 -3
data/spec/requests/endpoints/token_spec.rb +7 -5
data/spec/requests/flows/authorization_code_errors_spec.rb +2 -2
data/spec/requests/flows/authorization_code_spec.rb +258 -2
data/spec/requests/flows/client_credentials_spec.rb +46 -6
data/spec/requests/flows/implicit_grant_errors_spec.rb +3 -3
data/spec/requests/flows/implicit_grant_spec.rb +38 -11
data/spec/requests/flows/password_spec.rb +61 -3
data/spec/requests/flows/refresh_token_spec.rb +59 -2
data/spec/requests/flows/revoke_token_spec.rb +20 -20
data/spec/requests/flows/skip_authorization_spec.rb +16 -11
data/spec/requests/protected_resources/metal_spec.rb +1 -1
data/spec/requests/protected_resources/private_api_spec.rb +3 -3
data/spec/routing/custom_controller_routes_spec.rb +59 -7
data/spec/routing/default_routes_spec.rb +2 -2
data/spec/routing/scoped_routes_spec.rb +16 -2
data/spec/spec_helper.rb +54 -3
data/spec/spec_helper_integration.rb +2 -74
data/spec/support/dependencies/{factory_girl.rb → factory_bot.rb} +0 -0
data/spec/support/doorkeeper_rspec.rb +20 -0
data/spec/support/helpers/authorization_request_helper.rb +4 -4
data/spec/support/helpers/model_helper.rb +8 -4
data/spec/support/helpers/request_spec_helper.rb +10 -2
data/spec/support/helpers/url_helper.rb +18 -14
data/spec/support/http_method_shim.rb +12 -16
data/spec/support/shared/controllers_shared_context.rb +56 -0
data/spec/validators/redirect_uri_validator_spec.rb +9 -3
data/spec/version/version_spec.rb +3 -3
data/vendor/assets/stylesheets/doorkeeper/bootstrap.min.css +4 -5
metadata +54 -35
data/lib/generators/doorkeeper/add_client_confidentiality_generator.rb +0 -31
data/lib/generators/doorkeeper/templates/add_confidential_to_application_migration.rb.erb +0 -11
data/spec/controllers/application_metal_controller.rb +0 -10

data/spec/lib/oauth/refresh_token_request_spec.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 module Doorkeeper::OAuth
   describe RefreshTokenRequest do
@@ -9,7 +9,7 @@ module Doorkeeper::OAuth
     let(:server) do
       double :server,
              access_token_expires_in: 2.minutes,
-             custom_access_token_expires_in: -> (_oauth_client) { nil }
+             custom_access_token_expires_in: ->(_context) { nil }
     end
     let(:refresh_token) do
@@ -24,20 +24,22 @@ module Doorkeeper::OAuth
     it 'issues a new token for the client' do
       expect { subject.authorize }.to change { client.reload.access_tokens.count }.by(1)
       # #sort_by used for MongoDB ORM extensions for valid ordering
-      expect(client.reload.access_tokens.sort_by(&:created_at).last.expires_in).to eq(120)
+      expect(client.reload.access_tokens.max_by(&:created_at).expires_in).to eq(120)
     end
     it 'issues a new token for the client with custom expires_in' do
       server = double :server,
                       access_token_expires_in: 2.minutes,
-                      custom_access_token_expires_in: ->(_oauth_client) { 1234 }
+                      custom_access_token_expires_in: lambda { |context|
+                        context.grant_type == Doorkeeper::OAuth::REFRESH_TOKEN ? 1234 : nil
+                      }
       allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
       RefreshTokenRequest.new(server, refresh_token, credentials).authorize
       # #sort_by used for MongoDB ORM extensions for valid ordering
-      expect(client.reload.access_tokens.sort_by(&:created_at).last.expires_in).to eq(1234)
+      expect(client.reload.access_tokens.max_by(&:created_at).expires_in).to eq(1234)
     end
     it 'revokes the previous token' do
@@ -45,8 +47,12 @@ module Doorkeeper::OAuth
     end
     it "calls configured request callback methods" do
-      expect(Doorkeeper.configuration.before_successful_strategy_response).to receive(:call).with(subject).once
-      expect(Doorkeeper.configuration.after_successful_strategy_response).to receive(:call).with(subject, instance_of(Doorkeeper::OAuth::TokenResponse)).once
+      expect(Doorkeeper.configuration.before_successful_strategy_response)
+        .to receive(:call).with(subject).once
+      expect(Doorkeeper.configuration.after_successful_strategy_response)
+        .to receive(:call).with(subject, instance_of(Doorkeeper::OAuth::TokenResponse)).once
       subject.authorize
     end
@@ -85,7 +91,9 @@ module Doorkeeper::OAuth
       let(:server) do
         double :server,
                access_token_expires_in: 2.minutes,
-               custom_access_token_expires_in: ->(_oauth_client) { 1234 }
+               custom_access_token_expires_in: lambda { |context|
+                 context.grant_type == Doorkeeper::OAuth::REFRESH_TOKEN ? 1234 : nil
+               }
       end
       before do
@@ -105,7 +113,7 @@ module Doorkeeper::OAuth
         subject.authorize
         expect(
           # #sort_by used for MongoDB ORM extensions for valid ordering
-          client.access_tokens.sort_by(&:created_at).last.previous_refresh_token
+          client.access_tokens.max_by(&:created_at).previous_refresh_token
         ).to eq(refresh_token.refresh_token)
       end
     end
@@ -123,21 +131,21 @@ module Doorkeeper::OAuth
     context 'with scopes' do
       let(:refresh_token) do
         FactoryBot.create :access_token,
-                           use_refresh_token: true,
-                           scopes: 'public write'
+                          use_refresh_token: true,
+                          scopes: 'public write'
       end
       let(:parameters) { {} }
       subject { RefreshTokenRequest.new server, refresh_token, credentials, parameters }
       it 'transfers scopes from the old token to the new token' do
         subject.authorize
-        expect(Doorkeeper::AccessToken.last.scopes).to eq([:public, :write])
+        expect(Doorkeeper::AccessToken.last.scopes).to eq(%i[public write])
       end
       it 'reduces scopes to the provided scopes' do
         parameters[:scopes] = 'public'
         subject.authorize
-        expect(Doorkeeper::AccessToken.last.scopes).to eq([:public])
+        expect(Doorkeeper::AccessToken.last.scopes).to eq(%i[public])
       end
       it 'validates that scopes are included in the original access token' do
@@ -151,7 +159,7 @@ module Doorkeeper::OAuth
         parameters[:scopes] = 'public update'
         parameters[:scope] = 'public'
         subject.authorize
-        expect(Doorkeeper::AccessToken.last.scopes).to eq([:public])
+        expect(Doorkeeper::AccessToken.last.scopes).to eq(%i[public])
       end
       it 'uses params[:scope] in favor of scopes if present (invalid)' do

data/spec/lib/oauth/scopes_spec.rb CHANGED Viewed

@@ -1,7 +1,4 @@
 require 'spec_helper'
-require 'active_support/core_ext/module/delegation'
-require 'active_support/core_ext/string'
-require 'doorkeeper/oauth/scopes'
 module Doorkeeper::OAuth
   describe Scopes do

data/spec/lib/oauth/token_request_spec.rb CHANGED Viewed

@@ -1,10 +1,9 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 module Doorkeeper::OAuth
   describe TokenRequest do
     let :application do
-      scopes = double(all: ['public'])
-      double(:application, id: 9990, scopes: scopes)
+      FactoryBot.create(:application, scopes: 'public')
     end
     let :pre_auth do
@@ -39,7 +38,7 @@ module Doorkeeper::OAuth
     it 'does not create token when not authorizable' do
       allow(pre_auth).to receive(:authorizable?).and_return(false)
-      expect { subject.authorize }.not_to change { Doorkeeper::AccessToken.count }
+      expect { subject.authorize }.not_to(change { Doorkeeper::AccessToken.count })
     end
     it 'returns a error response' do
@@ -51,8 +50,8 @@ module Doorkeeper::OAuth
       before do
         Doorkeeper.configure do
           orm DOORKEEPER_ORM
-          custom_access_token_expires_in do |_oauth_client|
-            1234
+          custom_access_token_expires_in do |context|
+            context.grant_type == Doorkeeper::OAuth::IMPLICIT ? 1234 : nil
           end
         end
       end
@@ -75,7 +74,7 @@ module Doorkeeper::OAuth
       it 'creates a new token if scopes do not match' do
         allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
         FactoryBot.create(:access_token, application_id: pre_auth.client.id,
-                           resource_owner_id: owner.id, scopes: '')
+                                         resource_owner_id: owner.id, scopes: '')
         expect do
           subject.authorize
         end.to change { Doorkeeper::AccessToken.count }.by(1)
@@ -87,9 +86,9 @@ module Doorkeeper::OAuth
         allow(application.scopes).to receive(:all?).and_return(true)
         FactoryBot.create(:access_token, application_id: pre_auth.client.id,
-                           resource_owner_id: owner.id, scopes: 'public')
+                                         resource_owner_id: owner.id, scopes: 'public')
-        expect { subject.authorize }.not_to change { Doorkeeper::AccessToken.count }
+        expect { subject.authorize }.not_to(change { Doorkeeper::AccessToken.count })
       end
     end
   end

data/spec/lib/oauth/token_response_spec.rb CHANGED Viewed

@@ -1,5 +1,4 @@
 require 'spec_helper'
-require 'doorkeeper/oauth/token_response'
 module Doorkeeper::OAuth
   describe TokenResponse do

data/spec/lib/oauth/token_spec.rb CHANGED Viewed

@@ -1,6 +1,4 @@
 require 'spec_helper'
-require 'active_support/core_ext/string'
-require 'doorkeeper/oauth/token'
 module Doorkeeper
   unless defined?(AccessToken)
@@ -14,7 +12,7 @@ module Doorkeeper
         let(:request) { double.as_null_object }
         let(:method) do
-          ->(request) { return 'token-value' }
+          ->(*) { 'token-value' }
         end
         it 'accepts anything that responds to #call' do
@@ -96,19 +94,47 @@ module Doorkeeper
       end
       describe :authenticate do
-        it 'calls the finder if token was returned' do
-          token = ->(_r) { 'token' }
-          expect(AccessToken).to receive(:by_token).with('token')
-          Token.authenticate double, token
+        context 'refresh tokens are disabled (default)' do
+          context 'refresh tokens are enabled' do
+            it 'does not revoke previous refresh_token if token was found' do
+              token = ->(_r) { 'token' }
+              expect(
+                AccessToken
+              ).to receive(:by_token).with('token').and_return(token)
+              expect(token).not_to receive(:revoke_previous_refresh_token!)
+              Token.authenticate double, token
+            end
+          end
+          it 'calls the finder if token was returned' do
+            token = ->(_r) { 'token' }
+            expect(AccessToken).to receive(:by_token).with('token')
+            Token.authenticate double, token
+          end
         end
-        it 'revokes previous refresh_token if token was found' do
-          token = ->(_r) { 'token' }
-          expect(
-            AccessToken
-          ).to receive(:by_token).with('token').and_return(token)
-          expect(token).to receive(:revoke_previous_refresh_token!)
-          Token.authenticate double, token
+        context 'refresh tokens are enabled' do
+          before do
+            Doorkeeper.configure do
+              orm DOORKEEPER_ORM
+              use_refresh_token
+            end
+          end
+          it 'revokes previous refresh_token if token was found' do
+            token = ->(_r) { 'token' }
+            expect(
+              AccessToken
+            ).to receive(:by_token).with('token').and_return(token)
+            expect(token).to receive(:revoke_previous_refresh_token!)
+            Token.authenticate double, token
+          end
+          it 'calls the finder if token was returned' do
+            token = ->(_r) { 'token' }
+            expect(AccessToken).to receive(:by_token).with('token')
+            Token.authenticate double, token
+          end
         end
       end
     end

data/spec/lib/request/strategy_spec.rb CHANGED Viewed

@@ -1,5 +1,4 @@
 require 'spec_helper'
-require 'doorkeeper/request/strategy'
 module Doorkeeper
   module Request

data/spec/lib/server_spec.rb CHANGED Viewed

@@ -22,9 +22,9 @@ describe Doorkeeper::Server do
     context 'when only Authorization Code strategy is enabled' do
       before do
-        allow(Doorkeeper.configuration).
-          to receive(:grant_flows).
-          and_return(['authorization_code'])
+        allow(Doorkeeper.configuration)
+          .to receive(:grant_flows)
+          .and_return(['authorization_code'])
       end
       it 'raises error when using the disabled Implicit strategy' do
@@ -46,10 +46,10 @@ describe Doorkeeper::Server do
       subject.authorization_request :code
     end
-    it 'builds the request with composit strategy name' do
-      allow(Doorkeeper.configuration).
-        to receive(:authorization_response_types).
-        and_return(['id_token token'])
+    it 'builds the request with composite strategy name' do
+      allow(Doorkeeper.configuration)
+        .to receive(:authorization_response_types)
+        .and_return(['id_token token'])
       stub_const 'Doorkeeper::Request::IdTokenToken', fake_class
       expect(fake_class).to receive(:new).with(subject)

data/spec/lib/stale_records_cleaner_spec.rb ADDED Viewed

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+require 'spec_helper'
+describe Doorkeeper::StaleRecordsCleaner do
+  let(:cleaner) { described_class.new(model) }
+  let(:models_by_name) do
+    {
+      access_token: Doorkeeper::AccessToken,
+      access_grant: Doorkeeper::AccessGrant
+    }
+  end
+  context 'when ORM has no cleaner class' do
+    it 'raises an error' do
+      allow_any_instance_of(Doorkeeper::Config).to receive(:orm).and_return('hibernate')
+      expect do
+        described_class.for(Doorkeeper::AccessToken)
+      end.to raise_error(Doorkeeper::Errors::NoOrmCleaner, /has no cleaner/)
+    end
+  end
+  %i[access_token access_grant].each do |model_name|
+    context "(#{model_name})" do
+      let(:model) { models_by_name.fetch(model_name) }
+      describe '#clean_revoked' do
+        subject { cleaner.clean_revoked }
+        context 'with revoked record' do
+          before do
+            FactoryBot.create model_name, revoked_at: Time.current - 1.minute
+          end
+          it 'removes the record' do
+            expect { subject }.to change { model.count }.to(0)
+          end
+        end
+        context 'with record revoked in the future' do
+          before do
+            FactoryBot.create model_name, revoked_at: Time.current + 1.minute
+          end
+          it 'keeps the record' do
+            expect { subject }.not_to(change { model.count })
+          end
+        end
+        context 'with unrevoked record' do
+          before do
+            FactoryBot.create model_name, revoked_at: nil
+          end
+          it 'keeps the record' do
+            expect { subject }.not_to(change { model.count })
+          end
+        end
+      end
+      describe '#clean_expired' do
+        subject { cleaner.clean_expired(ttl) }
+        let(:ttl) { 500 }
+        let(:expiry_border) { ttl.seconds.ago }
+        context 'with record that is expired' do
+          before do
+            FactoryBot.create model_name, created_at: expiry_border - 1.minute
+          end
+          it 'removes the record' do
+            expect { subject }.to change { model.count }.to(0)
+          end
+        end
+        context 'with record that is not expired' do
+          before do
+            FactoryBot.create model_name, created_at: expiry_border + 1.minute
+          end
+          it 'keeps the record' do
+            expect { subject }.not_to(change { model.count })
+          end
+        end
+      end
+    end
+  end
+end

data/spec/models/doorkeeper/access_grant_spec.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 describe Doorkeeper::AccessGrant do
   subject { FactoryBot.build(:access_grant) }
@@ -33,4 +33,47 @@ describe Doorkeeper::AccessGrant do
       expect(subject).not_to be_valid
     end
   end
+  describe '.revoke_all_for' do
+    let(:resource_owner) { double(id: 100) }
+    let(:application) { FactoryBot.create :application }
+    let(:default_attributes) do
+      {
+        application: application,
+        resource_owner_id: resource_owner.id
+      }
+    end
+    it 'revokes all tokens for given application and resource owner' do
+      FactoryBot.create :access_grant, default_attributes
+      described_class.revoke_all_for(application.id, resource_owner)
+      described_class.all.each do |token|
+        expect(token).to be_revoked
+      end
+    end
+    it 'matches application' do
+      access_grant_for_different_app = FactoryBot.create(
+        :access_grant,
+        default_attributes.merge(application: FactoryBot.create(:application))
+      )
+      described_class.revoke_all_for(application.id, resource_owner)
+      expect(access_grant_for_different_app.reload).not_to be_revoked
+    end
+    it 'matches resource owner' do
+      access_grant_for_different_owner = FactoryBot.create(
+        :access_grant,
+        default_attributes.merge(resource_owner_id: 90)
+      )
+      described_class.revoke_all_for application.id, resource_owner
+      expect(access_grant_for_different_owner.reload).not_to be_revoked
+    end
+  end
 end

data/spec/models/doorkeeper/access_token_spec.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 module Doorkeeper
   describe AccessToken do
@@ -13,8 +13,7 @@ module Doorkeeper
     end
     module CustomGeneratorArgs
-      def self.generate
-      end
+      def self.generate; end
     end
     describe :generate_token do
@@ -42,7 +41,7 @@ module Doorkeeper
         end
         token = FactoryBot.create :access_token
-        expect(token.token).to match(%r{custom_generator_token_\d+})
+        expect(token.token).to match(/custom_generator_token_\d+/)
       end
       it 'allows the custom generator to access the application details' do
@@ -62,7 +61,7 @@ module Doorkeeper
         end
         token = FactoryBot.create :access_token
-        expect(token.token).to match(%r{custom_generator_token_Application \d+})
+        expect(token.token).to match(/custom_generator_token_Application \d+/)
       end
       it 'allows the custom generator to access the scopes' do
@@ -144,7 +143,7 @@ module Doorkeeper
         end
         module CustomGeneratorArgs
-          def self.generate(opts = {})
+          def self.generate(_opts = {})
             raise LoadError, 'custom behaviour'
           end
         end
@@ -214,11 +213,9 @@ module Doorkeeper
     end
     describe '#same_credential?' do
       context 'with default parameters' do
         let(:resource_owner_id) { 100 }
-        let(:application)    { FactoryBot.create :application }
+        let(:application) { FactoryBot.create :application }
         let(:default_attributes) do
           { application: application, resource_owner_id: resource_owner_id }
         end
@@ -233,7 +230,11 @@ module Doorkeeper
         context 'the second token has same owner and different app' do
           let(:other_application) { FactoryBot.create :application }
-          let(:access_token2) { FactoryBot.create :access_token, application: other_application, resource_owner_id: resource_owner_id }
+          let(:access_token2) do
+            FactoryBot.create :access_token,
+                              application: other_application,
+                              resource_owner_id: resource_owner_id
+          end
           it 'fail' do
             expect(access_token1.same_credential?(access_token2)).to be_falsey
@@ -241,9 +242,10 @@ module Doorkeeper
         end
         context 'the second token has different owner and different app' do
           let(:other_application) { FactoryBot.create :application }
-          let(:access_token2) { FactoryBot.create :access_token, application: other_application, resource_owner_id: 42 }
+          let(:access_token2) do
+            FactoryBot.create :access_token, application: other_application, resource_owner_id: 42
+          end
           it 'fail' do
             expect(access_token1.same_credential?(access_token2)).to be_falsey
@@ -251,7 +253,9 @@ module Doorkeeper
         end
         context 'the second token has different owner and same app' do
-          let(:access_token2) { FactoryBot.create :access_token, application: application, resource_owner_id: 42 }
+          let(:access_token2) do
+            FactoryBot.create :access_token, application: application, resource_owner_id: 42
+          end
           it 'fail' do
             expect(access_token1.same_credential?(access_token2)).to be_falsey
@@ -306,15 +310,25 @@ module Doorkeeper
       end
       it 'matches application' do
-        FactoryBot.create :access_token, default_attributes.merge(application: FactoryBot.create(:application))
+        access_token_for_different_app = FactoryBot.create(
+          :access_token,
+          default_attributes.merge(application: FactoryBot.create(:application))
+        )
         AccessToken.revoke_all_for application.id, resource_owner
-        expect(AccessToken.all).not_to be_empty
+        expect(access_token_for_different_app.reload).not_to be_revoked
       end
       it 'matches resource owner' do
-        FactoryBot.create :access_token, default_attributes.merge(resource_owner_id: 90)
+        access_token_for_different_owner = FactoryBot.create(
+          :access_token,
+          default_attributes.merge(resource_owner_id: 90)
+        )
         AccessToken.revoke_all_for application.id, resource_owner
-        expect(AccessToken.all).not_to be_empty
+        expect(access_token_for_different_owner.reload).not_to be_revoked
       end
     end
@@ -330,6 +344,10 @@ module Doorkeeper
         }
       end
+      before do
+        default_scopes_exist(*scopes.all)
+      end
       it 'returns only one token' do
         token = FactoryBot.create :access_token, default_attributes
         last_token = AccessToken.matching_token_for(application, resource_owner_id, scopes)
@@ -355,37 +373,45 @@ module Doorkeeper
         expect(last_token).to be_nil
       end
-      it 'matches the application' do
+      it "excludes tokens with a different application" do
         FactoryBot.create :access_token, default_attributes.merge(application: FactoryBot.create(:application))
         last_token = AccessToken.matching_token_for(application, resource_owner_id, scopes)
         expect(last_token).to be_nil
       end
-      it 'matches the resource owner' do
+      it "excludes tokens with a different resource owner" do
         FactoryBot.create :access_token, default_attributes.merge(resource_owner_id: 2)
         last_token = AccessToken.matching_token_for(application, resource_owner_id, scopes)
         expect(last_token).to be_nil
       end
-      it 'matches token with fewer scopes' do
+      it "excludes tokens with fewer scopes" do
         FactoryBot.create :access_token, default_attributes.merge(scopes: 'public')
         last_token = AccessToken.matching_token_for(application, resource_owner_id, scopes)
         expect(last_token).to be_nil
       end
-      it 'matches token with different scopes' do
+      it 'excludes tokens with different scopes' do
         FactoryBot.create :access_token, default_attributes.merge(scopes: 'public email')
         last_token = AccessToken.matching_token_for(application, resource_owner_id, scopes)
         expect(last_token).to be_nil
       end
-      it 'matches token with more scopes' do
+      it 'excludes tokens with additional scopes' do
         FactoryBot.create :access_token, default_attributes.merge(scopes: 'public write email')
         last_token = AccessToken.matching_token_for(application, resource_owner_id, scopes)
         expect(last_token).to be_nil
       end
-      it 'matches application scopes' do
+      it 'excludes tokens with scopes that are not present in server scopes' do
+        FactoryBot.create :access_token, default_attributes.merge(
+          application: application, scopes: 'public read'
+        )
+        last_token = AccessToken.matching_token_for(application, resource_owner_id, scopes)
+        expect(last_token).to be_nil
+      end
+      it 'excludes tokens with scopes that are not present in application scopes' do
         application = FactoryBot.create :application, scopes: "private read"
         FactoryBot.create :access_token, default_attributes.merge(
           application: application
@@ -394,25 +420,47 @@ module Doorkeeper
         expect(last_token).to be_nil
       end
-      it 'returns the last created token' do
+      it 'does not match token if empty scope requested and token/app scopes present' do
+        application = FactoryBot.create :application, scopes: "sample:scope"
+        app_params = {
+          application_id: application.id, scopes: "sample:scope",
+          resource_owner_id: 100
+        }
+        FactoryBot.create :access_token, app_params
+        empty_scopes = Doorkeeper::OAuth::Scopes.from_string("")
+        last_token = AccessToken.matching_token_for(application, 100, empty_scopes)
+        expect(last_token).to be_nil
+      end
+      it 'matches token if empty scope requested and no token scopes present' do
+        empty_scopes = Doorkeeper::OAuth::Scopes.from_string("")
+        token = FactoryBot.create :access_token, default_attributes.merge(scopes: empty_scopes)
+        last_token = AccessToken.matching_token_for(application, 100, empty_scopes)
+        expect(last_token).to eq(token)
+      end
+      it 'returns the last matching token' do
         FactoryBot.create :access_token, default_attributes.merge(created_at: 1.day.ago)
-        token = FactoryBot.create :access_token, default_attributes
+        matching_token = FactoryBot.create :access_token, default_attributes
+        FactoryBot.create :access_token, default_attributes.merge(scopes: 'public')
         last_token = AccessToken.matching_token_for(application, resource_owner_id, scopes)
-        expect(last_token).to eq(token)
+        expect(last_token).to eq(matching_token)
       end
+    end
-      it 'returns as_json hash' do
-        token = FactoryBot.create :access_token, default_attributes
+    describe "#as_json" do
+      it "returns as_json hash" do
+        token = FactoryBot.create :access_token
         token_hash = {
           resource_owner_id:  token.resource_owner_id,
-          scopes:             token.scopes,
-          expires_in_seconds: token.expires_in_seconds,
+          scope:              token.scopes,
+          expires_in:         token.expires_in_seconds,
           application:        { uid: token.application.uid },
-          created_at:         token.created_at.to_i,
+          created_at:         token.created_at.to_i
         }
         expect(token.as_json).to eq token_hash
       end
     end
   end
 end