doorkeeper 4.4.3 → 5.0.3

data/spec/requests/flows/implicit_grant_spec.rb

@@ -1,4 +1,4 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 
 feature 'Implicit Grant Flow (feature spec)' do
   background do
@@ -17,6 +17,29 @@ feature 'Implicit Grant Flow (feature spec)' do
 
     i_should_be_on_client_callback @client
   end
+
+  context 'when application scopes are present and no scope is passed' do
+    background do
+      @client.update_attributes(scopes: 'public write read')
+    end
+
+    scenario 'access token has no scopes' do
+      default_scopes_exist :admin
+      visit authorization_endpoint_url(client: @client, response_type: 'token')
+      click_on 'Authorize'
+      access_token_should_exist_for @client, @resource_owner
+      token = Doorkeeper::AccessToken.first
+      expect(token.scopes).to be_empty
+    end
+
+    scenario 'access token has scopes which are common in application scopees and default scopes' do
+      default_scopes_exist :public, :write
+      visit authorization_endpoint_url(client: @client, response_type: 'token')
+      click_on 'Authorize'
+      access_token_should_exist_for @client, @resource_owner
+      access_token_should_have_scopes :public, :write
+    end
+  end
 end
 
 describe 'Implicit Grant Flow (request spec)' do
@@ -34,11 +57,13 @@ describe 'Implicit Grant Flow (request spec)' do
       token = client_is_authorized(@client, @resource_owner)
 
       post "/oauth/authorize",
-           client_id: @client.uid,
-           state: '',
-           redirect_uri: @client.redirect_uri,
-           response_type: 'token',
-           commit: 'Authorize'
+           params: {
+             client_id: @client.uid,
+             state: '',
+             redirect_uri: @client.redirect_uri,
+             response_type: 'token',
+             commit: 'Authorize'
+           }
 
       expect(response.location).not_to include(token.token)
     end
@@ -49,11 +74,13 @@ describe 'Implicit Grant Flow (request spec)' do
       token = client_is_authorized(@client, @resource_owner)
 
       post "/oauth/authorize",
-           client_id: @client.uid,
-           state: '',
-           redirect_uri: @client.redirect_uri,
-           response_type: 'token',
-           commit: 'Authorize'
+           params: {
+             client_id: @client.uid,
+             state: '',
+             redirect_uri: @client.redirect_uri,
+             response_type: 'token',
+             commit: 'Authorize'
+           }
 
       expect(response.location).to include(token.token)
     end

data/spec/requests/flows/password_spec.rb

@@ -1,4 +1,4 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 
 describe 'Resource Owner Password Credentials Flow not set up' do
   before do
@@ -7,7 +7,7 @@ describe 'Resource Owner Password Credentials Flow not set up' do
   end
 
   context 'with valid user credentials' do
-    it 'doesn\'t issue new token' do
+    it 'does not issue new token' do
       expect do
         post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
       end.to_not(change { Doorkeeper::AccessToken.count })
@@ -57,7 +57,11 @@ describe 'Resource Owner Password Credentials Flow' do
         context "when client_secret incorrect" do
           it "should not issue new token" do
             expect do
-              post password_token_endpoint_url(client_id: @client.uid, client_secret: 'foobar', resource_owner: @resource_owner)
+              post password_token_endpoint_url(
+                client_id: @client.uid,
+                client_secret: 'foobar',
+                resource_owner: @resource_owner
+              )
             end.not_to(change { Doorkeeper::AccessToken.count })
 
             expect(response).not_to be_ok
@@ -140,6 +144,60 @@ describe 'Resource Owner Password Credentials Flow' do
     end
   end
 
+  context 'when application scopes are present and differs from configured default scopes and no scope is passed' do
+    before do
+      default_scopes_exist :public
+      @client.update_attributes(scopes: 'abc')
+    end
+
+    it 'issues new token without any scope' do
+      expect do
+        post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
+      end.to change { Doorkeeper::AccessToken.count }.by(1)
+
+      token = Doorkeeper::AccessToken.first
+
+      expect(token.application_id).to eq @client.id
+      expect(token.scopes).to be_empty
+      should_have_json 'access_token', token.token
+      should_not_have_json 'scope'
+    end
+  end
+
+  context 'when application scopes contain some of the default scopes and no scope is passed' do
+    before do
+      @client.update_attributes(scopes: 'read write public')
+    end
+
+    it 'issues new token with one default scope that are present in application scopes' do
+      default_scopes_exist :public, :admin
+
+      expect do
+        post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
+      end.to change { Doorkeeper::AccessToken.count }.by(1)
+
+      token = Doorkeeper::AccessToken.first
+
+      expect(token.application_id).to eq @client.id
+      should_have_json 'access_token', token.token
+      should_have_json 'scope', 'public'
+    end
+
+    it 'issues new token with multiple default scopes that are present in application scopes' do
+      default_scopes_exist :public, :read, :update
+
+      expect do
+        post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
+      end.to change { Doorkeeper::AccessToken.count }.by(1)
+
+      token = Doorkeeper::AccessToken.first
+
+      expect(token.application_id).to eq @client.id
+      should_have_json 'access_token', token.token
+      should_have_json 'scope', 'public read'
+    end
+  end
+
   context 'with invalid scopes' do
     subject do
       post password_token_endpoint_url(client: @client,

data/spec/requests/flows/refresh_token_spec.rb

@@ -1,4 +1,4 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 
 describe 'Refresh Token Flow' do
   before do
@@ -6,6 +6,7 @@ describe 'Refresh Token Flow' do
       orm DOORKEEPER_ORM
       use_refresh_token
     end
+
     client_exists
   end
 
@@ -14,7 +15,7 @@ describe 'Refresh Token Flow' do
       authorization_code_exists application: @client
     end
 
-    it 'client gets the refresh token and refreshses it' do
+    it 'client gets the refresh token and refreshes it' do
       post token_endpoint_url(code: @authorization.token, client: @client)
 
       token = Doorkeeper::AccessToken.first
@@ -95,6 +96,62 @@ describe 'Refresh Token Flow' do
       end
     end
 
+    context "public & private clients" do
+      let(:public_client) do
+        FactoryBot.create(
+          :application,
+          confidential: false
+        )
+      end
+
+      let(:token_for_private_client) do
+        FactoryBot.create(
+          :access_token,
+          application: @client,
+          resource_owner_id: 1,
+          use_refresh_token: true
+        )
+      end
+
+      let(:token_for_public_client) do
+        FactoryBot.create(
+          :access_token,
+          application: public_client,
+          resource_owner_id: 1,
+          use_refresh_token: true
+        )
+      end
+
+      it 'issues a new token without client_secret when refresh token was issued to a public client' do
+        post refresh_token_endpoint_url(
+          client_id: public_client.uid,
+          refresh_token: token_for_public_client.refresh_token
+        )
+
+        new_token = Doorkeeper::AccessToken.last
+        should_have_json 'access_token',  new_token.token
+        should_have_json 'refresh_token', new_token.refresh_token
+      end
+
+      it 'returns an error without credentials' do
+        post refresh_token_endpoint_url(refresh_token: token_for_private_client.refresh_token)
+
+        should_not_have_json 'refresh_token'
+        should_have_json 'error', 'invalid_grant'
+      end
+
+      it 'returns an error with wrong credentials' do
+        post refresh_token_endpoint_url(
+          client_id: '1',
+          client_secret: '1',
+          refresh_token: token_for_private_client.refresh_token
+        )
+
+        should_not_have_json 'refresh_token'
+        should_have_json 'error', 'invalid_client'
+      end
+    end
+
     it 'client gets an error for invalid refresh token' do
       post refresh_token_endpoint_url(client: @client, refresh_token: 'invalid')
       should_not_have_json 'refresh_token'

data/spec/requests/flows/revoke_token_spec.rb

@@ -1,4 +1,4 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 
 describe 'Revoke Token Flow' do
   before do
@@ -10,9 +10,9 @@ describe 'Revoke Token Flow' do
     let(:resource_owner) { User.create!(name: 'John', password: 'sekret') }
     let(:access_token) do
       FactoryBot.create(:access_token,
-                         application: client_application,
-                         resource_owner_id: resource_owner.id,
-                         use_refresh_token: true)
+                        application: client_application,
+                        resource_owner_id: resource_owner.id,
+                        use_refresh_token: true)
     end
 
     context 'with authenticated, confidential OAuth 2.0 client/application' do
@@ -24,7 +24,7 @@ describe 'Revoke Token Flow' do
       end
 
       it 'should revoke the access token provided' do
-        post revocation_token_endpoint_url, { token: access_token.token }, headers
+        post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
 
         access_token.reload
 
@@ -33,7 +33,7 @@ describe 'Revoke Token Flow' do
       end
 
       it 'should revoke the refresh token provided' do
-        post revocation_token_endpoint_url, { token: access_token.refresh_token }, headers
+        post revocation_token_endpoint_url, params: { token: access_token.refresh_token }, headers: headers
 
         access_token.reload
 
@@ -44,7 +44,7 @@ describe 'Revoke Token Flow' do
       context 'with invalid token to revoke' do
         it 'should not revoke any tokens and respond successfully' do
           num_prev_revoked_tokens = Doorkeeper::AccessToken.where(revoked_at: nil).count
-          post revocation_token_endpoint_url, { token: 'I_AM_AN_INVALID_TOKEN' }, headers
+          post revocation_token_endpoint_url, params: { token: 'I_AM_AN_INVALID_TOKEN' }, headers: headers
 
           # The authorization server responds with HTTP status code 200 even if
           # token is invalid
@@ -60,7 +60,7 @@ describe 'Revoke Token Flow' do
           { 'HTTP_AUTHORIZATION' => "Basic #{credentials}" }
         end
         it 'should not revoke any tokens and respond successfully' do
-          post revocation_token_endpoint_url, { token: access_token.token }, headers
+          post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
 
           access_token.reload
 
@@ -71,7 +71,7 @@ describe 'Revoke Token Flow' do
 
       context 'with no credentials and a valid token' do
         it 'should not revoke any tokens and respond successfully' do
-          post revocation_token_endpoint_url, { token: access_token.token }
+          post revocation_token_endpoint_url, params: { token: access_token.token }
 
           access_token.reload
 
@@ -90,7 +90,7 @@ describe 'Revoke Token Flow' do
         end
 
         it 'should not revoke the token as its unauthorized' do
-          post revocation_token_endpoint_url, { token: access_token.token }, headers
+          post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
 
           access_token.reload
 
@@ -103,13 +103,13 @@ describe 'Revoke Token Flow' do
     context 'with public OAuth 2.0 client/application' do
       let(:access_token) do
         FactoryBot.create(:access_token,
-                           application: nil,
-                           resource_owner_id: resource_owner.id,
-                           use_refresh_token: true)
+                          application: nil,
+                          resource_owner_id: resource_owner.id,
+                          use_refresh_token: true)
       end
 
       it 'should revoke the access token provided' do
-        post revocation_token_endpoint_url, { token: access_token.token }
+        post revocation_token_endpoint_url, params: { token: access_token.token }
 
         access_token.reload
 
@@ -118,7 +118,7 @@ describe 'Revoke Token Flow' do
       end
 
       it 'should revoke the refresh token provided' do
-        post revocation_token_endpoint_url, { token: access_token.refresh_token }
+        post revocation_token_endpoint_url, params: { token: access_token.refresh_token }
 
         access_token.reload
 
@@ -129,13 +129,13 @@ describe 'Revoke Token Flow' do
       context 'with a valid token issued for a confidential client' do
         let(:access_token) do
           FactoryBot.create(:access_token,
-                             application: client_application,
-                             resource_owner_id: resource_owner.id,
-                             use_refresh_token: true)
+                            application: client_application,
+                            resource_owner_id: resource_owner.id,
+                            use_refresh_token: true)
         end
 
         it 'should not revoke the access token provided' do
-          post revocation_token_endpoint_url, { token: access_token.token }
+          post revocation_token_endpoint_url, params: { token: access_token.token }
 
           access_token.reload
 
@@ -144,7 +144,7 @@ describe 'Revoke Token Flow' do
         end
 
         it 'should not revoke the refresh token provided' do
-          post revocation_token_endpoint_url, { token: access_token.token }
+          post revocation_token_endpoint_url, params: { token: access_token.token }
 
           access_token.reload
 

data/spec/requests/flows/skip_authorization_spec.rb

@@ -1,4 +1,4 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 
 feature 'Skip authorization form' do
   background do
@@ -15,13 +15,24 @@ feature 'Skip authorization form' do
     end
 
     scenario 'skips the authorization and return a new grant code' do
-      client_is_authorized(@client, @resource_owner, scopes: 'public')
-      visit authorization_endpoint_url(client: @client)
+      client_is_authorized(@client, @resource_owner, scopes: "public")
+      visit authorization_endpoint_url(client: @client, scope: "public")
+
+      i_should_not_see "Authorize"
+      client_should_be_authorized @client
+      i_should_be_on_client_callback @client
+      url_should_have_param "code", Doorkeeper::AccessGrant.first.token
+    end
+
+    scenario "skips the authorization if other scopes are not requested" do
+      client_exists scopes: "public read write"
+      client_is_authorized(@client, @resource_owner, scopes: "public")
+      visit authorization_endpoint_url(client: @client, scope: "public")
 
-      i_should_not_see 'Authorize'
+      i_should_not_see "Authorize"
       client_should_be_authorized @client
       i_should_be_on_client_callback @client
-      url_should_have_param 'code', Doorkeeper::AccessGrant.first.token
+      url_should_have_param "code", Doorkeeper::AccessGrant.first.token
     end
 
     scenario 'does not skip authorization when scopes differ (new request has fewer scopes)' do
@@ -43,12 +54,6 @@ feature 'Skip authorization form' do
       access_grant_should_have_scopes :public
     end
 
-    scenario 'doesn not skip authorization when scopes are greater' do
-      client_is_authorized(@client, @resource_owner, scopes: 'public')
-      visit authorization_endpoint_url(client: @client, scope: 'public write')
-      i_should_see 'Authorize'
-    end
-
     scenario 'creates grant with new scope when scopes are greater' do
       client_is_authorized(@client, @resource_owner, scopes: 'public')
       visit authorization_endpoint_url(client: @client, scope: 'public write')

data/spec/requests/protected_resources/metal_spec.rb

@@ -1,4 +1,4 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 
 describe 'ActionController::Metal API' do
   before do

data/spec/requests/protected_resources/private_api_spec.rb

@@ -1,4 +1,4 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 
 feature 'Private API' do
   background do
@@ -41,10 +41,10 @@ feature 'Private API' do
   end
 
   scenario 'access token with no default scopes' do
-    Doorkeeper.configuration.instance_eval {
+    Doorkeeper.configuration.instance_eval do
       @default_scopes = Doorkeeper::OAuth::Scopes.from_array([:public])
       @scopes = default_scopes + optional_scopes
-    }
+    end
     @token.update_attribute :scopes, 'dummy'
     with_access_token_header @token.token
     visit '/full_protected_resources'

data/spec/routing/custom_controller_routes_spec.rb

@@ -1,27 +1,79 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 
 describe 'Custom controller for routes' do
-  it 'GET /space/scope/authorize routes to custom authorizations controller' do
+  before :all do
+    Rails.application.routes.disable_clear_and_finalize = true
+
+    Rails.application.routes.draw do
+      scope 'inner_space' do
+        use_doorkeeper scope: 'scope' do
+          controllers authorizations: 'custom_authorizations',
+                      tokens: 'custom_authorizations',
+                      applications: 'custom_authorizations',
+                      token_info: 'custom_authorizations'
+
+          as authorizations: 'custom_auth',
+             tokens: 'custom_token',
+             token_info: 'custom_token_info'
+        end
+      end
+
+      scope 'space' do
+        use_doorkeeper do
+          controllers authorizations: 'custom_authorizations',
+                      tokens: 'custom_authorizations',
+                      applications: 'custom_authorizations',
+                      token_info: 'custom_authorizations'
+
+          as authorizations: 'custom_auth',
+             tokens: 'custom_token',
+             token_info: 'custom_token_info'
+        end
+      end
+
+      scope 'outer_space' do
+        use_doorkeeper do
+          controllers authorizations: 'custom_authorizations',
+                      tokens: 'custom_authorizations',
+                      token_info: 'custom_authorizations'
+
+          as authorizations: 'custom_auth',
+             tokens: 'custom_token',
+             token_info: 'custom_token_info'
+
+          skip_controllers :tokens, :applications, :token_info
+        end
+      end
+    end
+  end
+
+  after :all do
+    Rails.application.routes.clear!
+
+    load File.expand_path('../dummy/config/routes.rb', __dir__)
+  end
+
+  it 'GET /inner_space/scope/authorize routes to custom authorizations controller' do
     expect(get('/inner_space/scope/authorize')).to route_to('custom_authorizations#new')
   end
 
-  it 'POST /space/scope/authorize routes to custom authorizations controller' do
+  it 'POST /inner_space/scope/authorize routes to custom authorizations controller' do
     expect(post('/inner_space/scope/authorize')).to route_to('custom_authorizations#create')
   end
 
-  it 'DELETE /space/scope/authorize routes to custom authorizations controller' do
+  it 'DELETE /inner_space/scope/authorize routes to custom authorizations controller' do
     expect(delete('/inner_space/scope/authorize')).to route_to('custom_authorizations#destroy')
   end
 
-  it 'POST /space/scope/token routes to tokens controller' do
+  it 'POST /inner_space/scope/token routes to tokens controller' do
     expect(post('/inner_space/scope/token')).to route_to('custom_authorizations#create')
   end
 
-  it 'GET /space/scope/applications routes to applications controller' do
+  it 'GET /inner_space/scope/applications routes to applications controller' do
     expect(get('/inner_space/scope/applications')).to route_to('custom_authorizations#index')
   end
 
-  it 'GET /space/scope/token/info routes to the token_info controller' do
+  it 'GET /inner_space/scope/token/info routes to the token_info controller' do
     expect(get('/inner_space/scope/token/info')).to route_to('custom_authorizations#show')
   end
 

data/spec/routing/default_routes_spec.rb

@@ -1,4 +1,4 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 
 describe 'Default routes' do
   it 'GET /oauth/authorize routes to authorizations controller' do
@@ -33,7 +33,7 @@ describe 'Default routes' do
     expect(get('/oauth/authorized_applications')).to route_to('doorkeeper/authorized_applications#index')
   end
 
-  it 'GET /oauth/token/info route to authorized tokeninfo controller' do
+  it 'GET /oauth/token/info route to authorized TokenInfo controller' do
     expect(get('/oauth/token/info')).to route_to('doorkeeper/token_info#show')
   end
 end

data/spec/routing/scoped_routes_spec.rb

@@ -1,6 +1,20 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 
 describe 'Scoped routes' do
+  before :all do
+    Rails.application.routes.disable_clear_and_finalize = true
+
+    Rails.application.routes.draw do
+      use_doorkeeper scope: 'scope'
+    end
+  end
+
+  after :all do
+    Rails.application.routes.clear!
+
+    load File.expand_path('../dummy/config/routes.rb', __dir__)
+  end
+
   it 'GET /scope/authorize routes to authorizations controller' do
     expect(get('/scope/authorize')).to route_to('doorkeeper/authorizations#new')
   end
@@ -25,7 +39,7 @@ describe 'Scoped routes' do
     expect(get('/scope/authorized_applications')).to route_to('doorkeeper/authorized_applications#index')
   end
 
-  it 'GET /scope/token/info route to authorzed tokeninfo controller' do
+  it 'GET /scope/token/info route to authorized TokenInfo controller' do
     expect(get('/scope/token/info')).to route_to('doorkeeper/token_info#show')
   end
 end

data/spec/spec_helper.rb

@@ -1,4 +1,55 @@
-$LOAD_PATH.unshift File.expand_path(File.join(File.dirname(__FILE__), '../lib'))
-$LOAD_PATH.unshift File.expand_path(File.join(File.dirname(__FILE__), '../app'))
+require 'coveralls'
 
-require 'doorkeeper'
+Coveralls.wear!('rails') do
+  add_filter('/spec/')
+  add_filter('/lib/generators/doorkeeper/templates/')
+end
+
+ENV['RAILS_ENV'] ||= 'test'
+
+$LOAD_PATH.unshift File.dirname(__FILE__)
+
+require "#{File.dirname(__FILE__)}/support/doorkeeper_rspec.rb"
+
+DOORKEEPER_ORM = Doorkeeper::RSpec.detect_orm
+
+require 'dummy/config/environment'
+require 'rspec/rails'
+require 'capybara/rspec'
+require 'database_cleaner'
+require 'generator_spec/test_case'
+
+# Load JRuby SQLite3 if in that platform
+if defined? JRUBY_VERSION
+  require 'jdbc/sqlite3'
+  Jdbc::SQLite3.load_driver
+end
+
+Doorkeeper::RSpec.print_configuration_info
+
+# Remove after dropping support of Rails 4.2
+require "#{File.dirname(__FILE__)}/support/http_method_shim.rb"
+
+require "support/orm/#{DOORKEEPER_ORM}"
+
+Dir["#{File.dirname(__FILE__)}/support/{dependencies,helpers,shared}/*.rb"].each { |file| require file }
+
+RSpec.configure do |config|
+  config.infer_spec_type_from_file_location!
+  config.mock_with :rspec
+
+  config.infer_base_class_for_anonymous_controllers = false
+
+  config.include RSpec::Rails::RequestExampleGroup, type: :request
+
+  config.before do
+    DatabaseCleaner.start
+    Doorkeeper.configure { orm DOORKEEPER_ORM }
+  end
+
+  config.after do
+    DatabaseCleaner.clean
+  end
+
+  config.order = 'random'
+end