doorkeeper 4.4.3 → 5.0.3

data/spec/requests/applications/applications_request_spec.rb

@@ -1,8 +1,9 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 
 feature 'Adding applications' do
   context 'in application form' do
     background do
+      i_am_logged_in
       visit '/oauth/applications/new'
     end
 
@@ -20,29 +21,123 @@ feature 'Adding applications' do
       click_button 'Submit'
       i_should_see 'Whoops! Check your form for possible errors'
     end
+
+    scenario "adding app ignoring bad scope" do
+      config_is_set("enforce_configured_scopes", false)
+
+      fill_in "doorkeeper_application[name]", with: "My Application"
+      fill_in "doorkeeper_application[redirect_uri]",
+              with: "https://example.com"
+      fill_in "doorkeeper_application[scopes]", with: "blahblah"
+
+      click_button "Submit"
+      i_should_see "Application created"
+      i_should_see "My Application"
+    end
+
+    scenario "adding app validating bad scope" do
+      config_is_set("enforce_configured_scopes", true)
+
+      fill_in "doorkeeper_application[name]", with: "My Application"
+      fill_in "doorkeeper_application[redirect_uri]",
+              with: "https://example.com"
+      fill_in "doorkeeper_application[scopes]", with: "blahblah"
+
+      click_button "Submit"
+      i_should_see "Whoops! Check your form for possible errors"
+    end
+
+    scenario "adding app validating scope, blank scope is accepted" do
+      config_is_set("enforce_configured_scopes", true)
+
+      fill_in "doorkeeper_application[name]", with: "My Application"
+      fill_in "doorkeeper_application[redirect_uri]",
+              with: "https://example.com"
+      fill_in "doorkeeper_application[scopes]", with: ""
+
+      click_button "Submit"
+      i_should_see "Application created"
+      i_should_see "My Application"
+    end
+
+    scenario "adding app validating scope, multiple scopes configured" do
+      config_is_set("enforce_configured_scopes", true)
+      scopes = Doorkeeper::OAuth::Scopes.from_array(%w[read write admin])
+      config_is_set("optional_scopes", scopes)
+
+      fill_in "doorkeeper_application[name]", with: "My Application"
+      fill_in "doorkeeper_application[redirect_uri]",
+              with: "https://example.com"
+      fill_in "doorkeeper_application[scopes]", with: "read write"
+
+      click_button "Submit"
+      i_should_see "Application created"
+      i_should_see "My Application"
+    end
+
+    scenario "adding app validating scope, bad scope with multiple scopes configured" do
+      config_is_set("enforce_configured_scopes", true)
+      scopes = Doorkeeper::OAuth::Scopes.from_array(%w[read write admin])
+      config_is_set("optional_scopes", scopes)
+
+      fill_in "doorkeeper_application[name]", with: "My Application"
+      fill_in "doorkeeper_application[redirect_uri]",
+              with: "https://example.com"
+      fill_in "doorkeeper_application[scopes]", with: "read blah"
+
+      click_button "Submit"
+      i_should_see "Whoops! Check your form for possible errors"
+      i_should_see Regexp.new(
+        I18n.t('activerecord.errors.models.doorkeeper/application.attributes.scopes.not_match_configured'),
+        true
+      )
+    end
   end
 end
 
 feature 'Listing applications' do
   background do
+    i_am_logged_in
+
     FactoryBot.create :application, name: 'Oauth Dude'
     FactoryBot.create :application, name: 'Awesome App'
   end
 
   scenario 'application list' do
     visit '/oauth/applications'
+
     i_should_see 'Awesome App'
     i_should_see 'Oauth Dude'
   end
 end
 
+feature 'Renders assets' do
+  scenario 'admin stylesheets' do
+    visit '/assets/doorkeeper/admin/application.css'
+
+    i_should_see 'Bootstrap'
+    i_should_see '.doorkeeper-admin'
+  end
+
+  scenario 'application stylesheets' do
+    visit '/assets/doorkeeper/application.css'
+
+    i_should_see 'Bootstrap'
+    i_should_see '#oauth-permissions'
+    i_should_see '#container'
+  end
+end
+
 feature 'Show application' do
   given :app do
+    i_am_logged_in
+
     FactoryBot.create :application, name: 'Just another oauth app'
   end
 
   scenario 'visiting application page' do
     visit "/oauth/applications/#{app.id}"
+
     i_should_see 'Just another oauth app'
   end
 end
@@ -53,12 +148,15 @@ feature 'Edit application' do
   end
 
   background do
+    i_am_logged_in
+
     visit "/oauth/applications/#{app.id}/edit"
   end
 
   scenario 'updating a valid app' do
     fill_in 'doorkeeper_application[name]', with: 'Serious app'
     click_button 'Submit'
+
     i_should_see 'Application updated'
     i_should_see 'Serious app'
     i_should_not_see 'OMG my app'
@@ -67,21 +165,27 @@ feature 'Edit application' do
   scenario 'updating an invalid app' do
     fill_in 'doorkeeper_application[name]', with: ''
     click_button 'Submit'
+
     i_should_see 'Whoops! Check your form for possible errors'
   end
 end
 
 feature 'Remove application' do
   background do
+    i_am_logged_in
+
     @app = FactoryBot.create :application
   end
 
   scenario 'deleting an application from list' do
     visit '/oauth/applications'
+
     i_should_see @app.name
+
     within(:css, "tr#application_#{@app.id}") do
       click_button 'Destroy'
     end
+
     i_should_see 'Application deleted'
     i_should_not_see @app.name
   end
@@ -89,6 +193,35 @@ feature 'Remove application' do
   scenario 'deleting an application from show' do
     visit "/oauth/applications/#{@app.id}"
     click_button 'Destroy'
+
     i_should_see 'Application deleted'
   end
 end
+
+context 'when admin authenticator block is default' do
+  let(:app) { FactoryBot.create :application, name: 'app' }
+
+  feature 'application list' do
+    scenario 'fails with forbidden' do
+      visit '/oauth/applications'
+
+      should_have_status 403
+    end
+  end
+
+  feature 'adding an app' do
+    scenario 'fails with forbidden' do
+      visit '/oauth/applications/new'
+
+      should_have_status 403
+    end
+  end
+
+  feature 'editing an app' do
+    scenario 'fails with forbidden' do
+      visit "/oauth/applications/#{app.id}/edit"
+
+      should_have_status 403
+    end
+  end
+end

data/spec/requests/applications/authorized_applications_spec.rb

@@ -1,4 +1,4 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 
 feature 'Authorized applications' do
   background do

data/spec/requests/endpoints/authorization_spec.rb

@@ -1,4 +1,4 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 
 feature 'Authorization endpoint' do
   background do
@@ -60,11 +60,11 @@ feature 'Authorization endpoint' do
 
     scenario 'raises exception on forged requests' do
       allowing_forgery_protection do
-        expect {
+        expect do
           page.driver.post authorization_endpoint_url(client_id: @client.uid,
                                                       redirect_uri: @client.redirect_uri,
                                                       response_type:  'code')
-        }.to raise_error(ActionController::InvalidAuthenticityToken)
+        end.to raise_error(ActionController::InvalidAuthenticityToken)
       end
     end
   end

data/spec/requests/endpoints/token_spec.rb

@@ -1,4 +1,4 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 
 describe 'Token endpoint' do
   before do
@@ -21,10 +21,12 @@ describe 'Token endpoint' do
   end
 
   it 'accepts client credentials with basic auth header' do
-    post token_endpoint_url(
-      code: @authorization.token,
-      redirect_uri: @client.redirect_uri
-    ), {}, 'HTTP_AUTHORIZATION' => basic_auth_header_for_client(@client)
+    post token_endpoint_url,
+         params: {
+           code: @authorization.token,
+           redirect_uri: @client.redirect_uri
+         },
+         headers: { 'HTTP_AUTHORIZATION' => basic_auth_header_for_client(@client) }
 
     should_have_json 'access_token', Doorkeeper::AccessToken.first.token
   end

data/spec/requests/flows/authorization_code_errors_spec.rb

@@ -1,4 +1,4 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 
 feature 'Authorization Code Flow Errors' do
   let(:client_params) { {} }
@@ -57,7 +57,7 @@ describe 'Authorization Code Flow Errors', 'after authorization' do
     # Second attempt with same token
     expect do
       post token_endpoint_url(code: @authorization.token, client: @client)
-    end.to_not change { Doorkeeper::AccessToken.count }
+    end.to_not(change { Doorkeeper::AccessToken.count })
 
     should_not_have_json 'access_token'
     should_have_json 'error', 'invalid_grant'

data/spec/requests/flows/authorization_code_spec.rb

@@ -1,4 +1,4 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 
 feature 'Authorization Code Flow' do
   background do
@@ -39,6 +39,7 @@ feature 'Authorization Code Flow' do
     click_on 'Authorize'
     url_should_have_param('code', Doorkeeper::AccessGrant.first.token)
     url_should_have_param('state', 'return-me')
+    url_should_not_have_param('code_challenge_method')
   end
 
   scenario 'resource owner requests an access token with authorization code' do
@@ -57,6 +58,259 @@ feature 'Authorization Code Flow' do
     should_have_json_within 'expires_in', Doorkeeper::AccessToken.first.expires_in, 1
   end
 
+  scenario 'resource owner requests an access token with authorization code but without secret' do
+    visit authorization_endpoint_url(client: @client)
+    click_on 'Authorize'
+
+    authorization_code = Doorkeeper::AccessGrant.first.token
+    page.driver.post token_endpoint_url(code: authorization_code, client_id: @client.uid,
+                                        redirect_uri: @client.redirect_uri)
+
+    expect(Doorkeeper::AccessToken.count).to be_zero
+
+    should_have_json 'error', 'invalid_client'
+  end
+
+  scenario 'silently authorizes if matching token exists' do
+    default_scopes_exist :public, :write
+
+    access_token_exists application: @client,
+                        expires_in: -100, # even expired token
+                        resource_owner_id: @resource_owner.id,
+                        scopes: 'public write'
+
+    visit authorization_endpoint_url(client: @client, scope: 'public write')
+
+    response_status_should_be 200
+    i_should_not_see 'Authorize'
+  end
+
+  context 'with PKCE' do
+    context 'plain' do
+      let(:code_challenge) { 'a45a9fea-0676-477e-95b1-a40f72ac3cfb' }
+      let(:code_verifier) { 'a45a9fea-0676-477e-95b1-a40f72ac3cfb' }
+
+      scenario 'resource owner authorizes the client with code_challenge parameter set' do
+        visit authorization_endpoint_url(
+          client: @client,
+          code_challenge: code_challenge,
+          code_challenge_method: 'plain'
+        )
+        click_on 'Authorize'
+
+        url_should_have_param('code', Doorkeeper::AccessGrant.first.token)
+        url_should_not_have_param('code_challenge_method')
+        url_should_not_have_param('code_challenge')
+      end
+
+      scenario 'mobile app requests an access token with authorization code but not pkce token' do
+        visit authorization_endpoint_url(client: @client)
+        click_on 'Authorize'
+
+        authorization_code = current_params['code']
+        create_access_token authorization_code, @client, code_verifier
+
+        should_have_json 'error', 'invalid_grant'
+      end
+
+      scenario 'mobile app requests an access token with authorization code and plain code challenge method' do
+        visit authorization_endpoint_url(
+          client: @client,
+          code_challenge: code_challenge,
+          code_challenge_method: 'plain'
+        )
+        click_on 'Authorize'
+
+        authorization_code = current_params['code']
+        create_access_token authorization_code, @client, code_verifier
+
+        access_token_should_exist_for(@client, @resource_owner)
+
+        should_not_have_json 'error'
+
+        should_have_json 'access_token', Doorkeeper::AccessToken.first.token
+        should_have_json 'token_type', 'Bearer'
+        should_have_json_within 'expires_in', Doorkeeper::AccessToken.first.expires_in, 1
+      end
+
+      scenario 'mobile app requests an access token with authorization code and code_challenge' do
+        visit authorization_endpoint_url(client: @client,
+                                         code_challenge: code_verifier,
+                                         code_challenge_method: 'plain')
+        click_on 'Authorize'
+
+        authorization_code = current_params['code']
+        create_access_token authorization_code, @client, code_verifier: nil
+
+        should_not_have_json 'access_token'
+        should_have_json 'error', 'invalid_grant'
+      end
+    end
+
+    context 's256' do
+      let(:code_challenge) { 'Oz733NtQ0rJP8b04fgZMJMwprn6Iw8sMCT_9bR1q4tA' }
+      let(:code_verifier) { 'a45a9fea-0676-477e-95b1-a40f72ac3cfb' }
+
+      scenario 'resource owner authorizes the client with code_challenge parameter set' do
+        visit authorization_endpoint_url(
+          client: @client,
+          code_challenge: code_challenge,
+          code_challenge_method: 'S256'
+        )
+        click_on 'Authorize'
+
+        url_should_have_param('code', Doorkeeper::AccessGrant.first.token)
+        url_should_not_have_param('code_challenge_method')
+        url_should_not_have_param('code_challenge')
+      end
+
+      scenario 'mobile app requests an access token with authorization code and S256 code challenge method' do
+        visit authorization_endpoint_url(
+          client: @client,
+          code_challenge: code_challenge,
+          code_challenge_method: 'S256'
+        )
+        click_on 'Authorize'
+
+        authorization_code = current_params['code']
+        create_access_token authorization_code, @client, code_verifier
+
+        access_token_should_exist_for(@client, @resource_owner)
+
+        should_not_have_json 'error'
+
+        should_have_json 'access_token', Doorkeeper::AccessToken.first.token
+        should_have_json 'token_type', 'Bearer'
+        should_have_json_within 'expires_in', Doorkeeper::AccessToken.first.expires_in, 1
+      end
+
+      scenario 'mobile app requests an access token with authorization code and without code_verifier' do
+        visit authorization_endpoint_url(
+          client: @client,
+          code_challenge: code_challenge,
+          code_challenge_method: 'S256'
+        )
+        click_on 'Authorize'
+        authorization_code = current_params['code']
+        create_access_token authorization_code, @client
+        should_have_json 'error', 'invalid_request'
+        should_not_have_json 'access_token'
+      end
+
+      scenario 'mobile app requests an access token with authorization code and without secret' do
+        visit authorization_endpoint_url(
+          client: @client,
+          code_challenge: code_challenge,
+          code_challenge_method: 'S256'
+        )
+        click_on 'Authorize'
+
+        authorization_code = current_params['code']
+        page.driver.post token_endpoint_url(code: authorization_code, client_id: @client.uid,
+                                            redirect_uri: @client.redirect_uri, code_verifier: code_verifier)
+        should_have_json 'error', 'invalid_client'
+        should_not_have_json 'access_token'
+      end
+
+      scenario 'mobile app requests an access token with authorization code and without secret but is marked as not confidential' do
+        @client.update_attribute :confidential, false
+        visit authorization_endpoint_url(client: @client, code_challenge: code_challenge, code_challenge_method: 'S256')
+        click_on 'Authorize'
+
+        authorization_code = current_params['code']
+        page.driver.post token_endpoint_url(
+          code: authorization_code,
+          client_id: @client.uid,
+          redirect_uri: @client.redirect_uri,
+          code_verifier: code_verifier
+        )
+        should_not_have_json 'error'
+
+        should_have_json 'access_token', Doorkeeper::AccessToken.first.token
+        should_have_json 'token_type', 'Bearer'
+        should_have_json_within 'expires_in', Doorkeeper::AccessToken.first.expires_in, 1
+      end
+
+      scenario 'mobile app requests an access token with authorization code but no code verifier' do
+        visit authorization_endpoint_url(
+          client: @client,
+          code_challenge: code_challenge,
+          code_challenge_method: 'S256'
+        )
+        click_on 'Authorize'
+
+        authorization_code = current_params['code']
+        create_access_token authorization_code, @client
+
+        should_not_have_json 'access_token'
+        should_have_json 'error', 'invalid_request'
+      end
+
+      scenario 'mobile app requests an access token with authorization code with wrong verifier' do
+        visit authorization_endpoint_url(
+          client: @client,
+          code_challenge: code_challenge,
+          code_challenge_method: 'S256'
+        )
+        click_on 'Authorize'
+
+        authorization_code = current_params['code']
+        create_access_token authorization_code, @client, 'incorrect-code-verifier'
+
+        should_not_have_json 'access_token'
+        should_have_json 'error', 'invalid_grant'
+      end
+
+      scenario 'code_challenge_mehthod in token request is totally ignored' do
+        visit authorization_endpoint_url(
+          client: @client,
+          code_challenge: code_challenge,
+          code_challenge_method: 'S256'
+        )
+        click_on 'Authorize'
+
+        authorization_code = current_params['code']
+        page.driver.post token_endpoint_url(
+          code: authorization_code,
+          client: @client,
+          code_verifier: code_challenge,
+          code_challenge_method: 'plain'
+        )
+
+        should_not_have_json 'access_token'
+        should_have_json 'error', 'invalid_grant'
+      end
+
+      scenario 'expects to set code_challenge_method explicitely without fallback' do
+        visit authorization_endpoint_url(client: @client, code_challenge: code_challenge)
+        expect(page).to have_content('The code challenge method must be plain or S256.')
+      end
+    end
+  end
+
+  context 'when application scopes are present and no scope is passed' do
+    background do
+      @client.update_attributes(scopes: 'public write read')
+    end
+
+    scenario 'access grant has no scope' do
+      default_scopes_exist :admin
+      visit authorization_endpoint_url(client: @client)
+      click_on 'Authorize'
+      access_grant_should_exist_for(@client, @resource_owner)
+      grant = Doorkeeper::AccessGrant.first
+      expect(grant.scopes).to be_empty
+    end
+
+    scenario 'access grant have scopes which are common in application scopees and default scopes' do
+      default_scopes_exist :public, :write
+      visit authorization_endpoint_url(client: @client)
+      click_on 'Authorize'
+      access_grant_should_exist_for(@client, @resource_owner)
+      access_grant_should_have_scopes :public, :write
+    end
+  end
+
   context 'with scopes' do
     background do
       default_scopes_exist :public
@@ -128,6 +382,7 @@ describe 'Authorization Code Flow' do
       orm DOORKEEPER_ORM
       use_refresh_token
     end
+
     client_exists
   end
 
@@ -138,7 +393,8 @@ describe 'Authorization Code Flow' do
 
     it 'second of simultaneous client requests get an error for revoked acccess token' do
       authorization_code = Doorkeeper::AccessGrant.first.token
-      allow_any_instance_of(Doorkeeper::AccessGrant).to receive(:revoked?).and_return(false, true)
+      allow_any_instance_of(Doorkeeper::AccessGrant)
+        .to receive(:revoked?).and_return(false, true)
 
       post token_endpoint_url(code: authorization_code, client: @client)
 

data/spec/requests/flows/client_credentials_spec.rb

@@ -1,4 +1,4 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 
 describe 'Client Credentials Request' do
   let(:client) { FactoryBot.create :application }
@@ -8,7 +8,7 @@ describe 'Client Credentials Request' do
       headers = authorization client.uid, client.secret
       params  = { grant_type: 'client_credentials' }
 
-      post '/oauth/token', params, headers
+      post '/oauth/token', params: params, headers: headers
 
       should_have_json 'access_token', Doorkeeper::AccessToken.first.token
       should_have_json_within 'expires_in', Doorkeeper.configuration.access_token_expires_in, 1
@@ -29,7 +29,7 @@ describe 'Client Credentials Request' do
         headers = authorization client.uid, client.secret
         params  = { grant_type: 'client_credentials', scope: 'write' }
 
-        post '/oauth/token', params, headers
+        post '/oauth/token', params: params, headers: headers
 
         should_have_json 'access_token', Doorkeeper::AccessToken.first.token
         should_have_json 'scope', 'write'
@@ -40,7 +40,7 @@ describe 'Client Credentials Request' do
           headers = authorization client.uid, client.secret
           params  = { grant_type: 'client_credentials', scope: 'public' }
 
-          post '/oauth/token', params, headers
+          post '/oauth/token', params: params, headers: headers
 
           should_have_json 'access_token', Doorkeeper::AccessToken.first.token
           should_have_json 'scope', 'public'
@@ -52,7 +52,7 @@ describe 'Client Credentials Request' do
           headers = authorization client.uid, client.secret
           params  = { grant_type: 'client_credentials', scope: 'random' }
 
-          post '/oauth/token', params, headers
+          post '/oauth/token', params: params, headers: headers
 
           should_have_json 'error', 'invalid_scope'
           should_have_json 'error_description', translated_error_message(:invalid_scope)
@@ -64,12 +64,52 @@ describe 'Client Credentials Request' do
     end
   end
 
+  context 'when application scopes contain some of the default scopes and no scope is passed' do
+    before do
+      client.update_attributes(scopes: 'read write public')
+    end
+
+    it 'issues new token with one default scope that are present in application scopes' do
+      default_scopes_exist :public
+
+      headers = authorization client.uid, client.secret
+      params  = { grant_type: 'client_credentials' }
+
+      expect do
+        post '/oauth/token', params: params, headers: headers
+      end.to change { Doorkeeper::AccessToken.count }.by(1)
+
+      token = Doorkeeper::AccessToken.first
+
+      expect(token.application_id).to eq client.id
+      should_have_json 'access_token', token.token
+      should_have_json 'scope', 'public'
+    end
+
+    it 'issues new token with multiple default scopes that are present in application scopes' do
+      default_scopes_exist :public, :read, :update
+
+      headers = authorization client.uid, client.secret
+      params  = { grant_type: 'client_credentials' }
+
+      expect do
+        post '/oauth/token', params: params, headers: headers
+      end.to change { Doorkeeper::AccessToken.count }.by(1)
+
+      token = Doorkeeper::AccessToken.first
+
+      expect(token.application_id).to eq client.id
+      should_have_json 'access_token', token.token
+      should_have_json 'scope', 'public read'
+    end
+  end
+
   context 'an invalid request' do
     it 'does not authorize the client and returns the error' do
       headers = {}
       params  = { grant_type: 'client_credentials' }
 
-      post '/oauth/token', params, headers
+      post '/oauth/token', params: params, headers: headers
 
       should_have_json 'error', 'invalid_client'
       should_have_json 'error_description', translated_error_message(:invalid_client)

data/spec/requests/flows/implicit_grant_errors_spec.rb

@@ -1,4 +1,4 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 
 feature 'Implicit Grant Flow Errors' do
   background do
@@ -14,8 +14,8 @@ feature 'Implicit Grant Flow Errors' do
   end
 
   [
-    [:client_id,     :invalid_client],
-    [:redirect_uri,  :invalid_redirect_uri]
+    %i[client_id invalid_client],
+    %i[redirect_uri invalid_redirect_uri]
   ].each do |error|
     scenario "displays #{error.last} error for invalid #{error.first}" do
       visit authorization_endpoint_url(client: @client, error.first => 'invalid', response_type: 'token')