RubyGems - doorkeeper - Versions diffs - 4.4.3 → 5.0.3 - Mend

doorkeeper 4.4.3 → 5.0.3

Potentially problematic release.

This version of doorkeeper might be problematic. Click here for more details.

Files changed (223) hide show

checksums.yaml +5 -5
data/.gitignore +1 -0
data/.gitlab-ci.yml +16 -0
data/.travis.yml +7 -0
data/Appraisals +2 -2
data/Dangerfile +64 -0
data/Gemfile +1 -1
data/NEWS.md +98 -8
data/README.md +110 -12
data/Rakefile +6 -0
data/UPGRADE.md +2 -0
data/app/assets/stylesheets/doorkeeper/admin/application.css +2 -2
data/app/controllers/doorkeeper/application_controller.rb +6 -3
data/app/controllers/doorkeeper/application_metal_controller.rb +6 -0
data/app/controllers/doorkeeper/applications_controller.rb +46 -24
data/app/controllers/doorkeeper/authorizations_controller.rb +55 -12
data/app/controllers/doorkeeper/authorized_applications_controller.rb +21 -2
data/app/controllers/doorkeeper/token_info_controller.rb +2 -0
data/app/controllers/doorkeeper/tokens_controller.rb +4 -6
data/app/helpers/doorkeeper/dashboard_helper.rb +9 -7
data/app/validators/redirect_uri_validator.rb +5 -2
data/app/views/doorkeeper/applications/_delete_form.html.erb +3 -1
data/app/views/doorkeeper/applications/_form.html.erb +25 -24
data/app/views/doorkeeper/applications/edit.html.erb +1 -1
data/app/views/doorkeeper/applications/index.html.erb +17 -7
data/app/views/doorkeeper/applications/new.html.erb +1 -1
data/app/views/doorkeeper/applications/show.html.erb +6 -6
data/app/views/doorkeeper/authorizations/error.html.erb +1 -1
data/app/views/doorkeeper/authorizations/new.html.erb +4 -0
data/app/views/layouts/doorkeeper/admin.html.erb +15 -15
data/config/locales/en.yml +10 -1
data/doorkeeper.gemspec +25 -26
data/gemfiles/rails_5_2.gemfile +1 -1
data/gemfiles/rails_master.gemfile +4 -1
data/lib/doorkeeper/config.rb +81 -40
data/lib/doorkeeper/engine.rb +6 -0
data/lib/doorkeeper/errors.rb +17 -3
data/lib/doorkeeper/grape/authorization_decorator.rb +2 -0
data/lib/doorkeeper/grape/helpers.rb +3 -1
data/lib/doorkeeper/helpers/controller.rb +9 -2
data/lib/doorkeeper/models/access_grant_mixin.rb +73 -0
data/lib/doorkeeper/models/access_token_mixin.rb +44 -25
data/lib/doorkeeper/models/application_mixin.rb +2 -0
data/lib/doorkeeper/models/concerns/accessible.rb +2 -0
data/lib/doorkeeper/models/concerns/expirable.rb +2 -0
data/lib/doorkeeper/models/concerns/orderable.rb +2 -0
data/lib/doorkeeper/models/concerns/ownership.rb +2 -0
data/lib/doorkeeper/models/concerns/revocable.rb +2 -0
data/lib/doorkeeper/models/concerns/scopes.rb +3 -1
data/lib/doorkeeper/oauth/authorization/code.rb +33 -8
data/lib/doorkeeper/oauth/authorization/context.rb +17 -0
data/lib/doorkeeper/oauth/authorization/token.rb +38 -14
data/lib/doorkeeper/oauth/authorization/uri_builder.rb +2 -0
data/lib/doorkeeper/oauth/authorization_code_request.rb +29 -2
data/lib/doorkeeper/oauth/base_request.rb +22 -9
data/lib/doorkeeper/oauth/base_response.rb +2 -0
data/lib/doorkeeper/oauth/client/credentials.rb +3 -1
data/lib/doorkeeper/oauth/client.rb +1 -1
data/lib/doorkeeper/oauth/client_credentials/creator.rb +4 -1
data/lib/doorkeeper/oauth/client_credentials/issuer.rb +7 -2
data/lib/doorkeeper/oauth/client_credentials/validation.rb +5 -5
data/lib/doorkeeper/oauth/client_credentials_request.rb +1 -3
data/lib/doorkeeper/oauth/code_request.rb +2 -0
data/lib/doorkeeper/oauth/code_response.rb +2 -0
data/lib/doorkeeper/oauth/error.rb +2 -0
data/lib/doorkeeper/oauth/error_response.rb +21 -3
data/lib/doorkeeper/oauth/forbidden_token_response.rb +9 -2
data/lib/doorkeeper/oauth/helpers/scope_checker.rb +2 -8
data/lib/doorkeeper/oauth/helpers/unique_token.rb +2 -0
data/lib/doorkeeper/oauth/helpers/uri_checker.rb +5 -2
data/lib/doorkeeper/oauth/invalid_token_response.rb +18 -0
data/lib/doorkeeper/oauth/password_access_token_request.rb +9 -4
data/lib/doorkeeper/oauth/pre_authorization.rb +43 -11
data/lib/doorkeeper/oauth/refresh_token_request.rb +16 -3
data/lib/doorkeeper/oauth/scopes.rb +3 -1
data/lib/doorkeeper/oauth/token.rb +7 -2
data/lib/doorkeeper/oauth/token_introspection.rb +4 -2
data/lib/doorkeeper/oauth/token_request.rb +2 -0
data/lib/doorkeeper/oauth/token_response.rb +6 -2
data/lib/doorkeeper/oauth.rb +13 -0
data/lib/doorkeeper/orm/active_record/application.rb +75 -12
data/lib/doorkeeper/orm/active_record/stale_records_cleaner.rb +26 -0
data/lib/doorkeeper/orm/active_record.rb +4 -0
data/lib/doorkeeper/rails/helpers.rb +6 -4
data/lib/doorkeeper/rails/routes/mapper.rb +2 -0
data/lib/doorkeeper/rails/routes/mapping.rb +2 -0
data/lib/doorkeeper/rails/routes.rb +23 -8
data/lib/doorkeeper/rake/db.rake +40 -0
data/lib/doorkeeper/rake/setup.rake +6 -0
data/lib/doorkeeper/rake.rb +14 -0
data/lib/doorkeeper/request/authorization_code.rb +1 -1
data/lib/doorkeeper/request/client_credentials.rb +1 -1
data/lib/doorkeeper/request/code.rb +1 -1
data/lib/doorkeeper/request/password.rb +1 -1
data/lib/doorkeeper/request/refresh_token.rb +1 -1
data/lib/doorkeeper/request/strategy.rb +2 -0
data/lib/doorkeeper/request/token.rb +1 -1
data/lib/doorkeeper/request.rb +29 -34
data/lib/doorkeeper/server.rb +2 -0
data/lib/doorkeeper/stale_records_cleaner.rb +20 -0
data/lib/doorkeeper/validations.rb +2 -0
data/lib/doorkeeper/version.rb +6 -24
data/lib/doorkeeper.rb +20 -17
data/lib/generators/doorkeeper/application_owner_generator.rb +23 -18
data/lib/generators/doorkeeper/confidential_applications_generator.rb +32 -0
data/lib/generators/doorkeeper/install_generator.rb +17 -9
data/lib/generators/doorkeeper/migration_generator.rb +23 -18
data/lib/generators/doorkeeper/pkce_generator.rb +32 -0
data/lib/generators/doorkeeper/previous_refresh_token_generator.rb +29 -24
data/lib/generators/doorkeeper/templates/add_confidential_to_applications.rb.erb +13 -0
data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +6 -0
data/lib/generators/doorkeeper/templates/initializer.rb +96 -13
data/lib/generators/doorkeeper/templates/migration.rb.erb +2 -3
data/lib/generators/doorkeeper/views_generator.rb +3 -1
data/spec/controllers/application_metal_controller_spec.rb +50 -0
data/spec/controllers/applications_controller_spec.rb +123 -14
data/spec/controllers/authorizations_controller_spec.rb +334 -51
data/spec/controllers/protected_resources_controller_spec.rb +60 -18
data/spec/controllers/token_info_controller_spec.rb +4 -12
data/spec/controllers/tokens_controller_spec.rb +17 -20
data/spec/dummy/Rakefile +1 -1
data/spec/dummy/app/assets/config/manifest.js +2 -0
data/spec/dummy/app/controllers/custom_authorizations_controller.rb +1 -1
data/spec/dummy/app/controllers/home_controller.rb +1 -2
data/spec/dummy/config/application.rb +1 -1
data/spec/dummy/config/boot.rb +2 -4
data/spec/dummy/config/environment.rb +1 -1
data/spec/dummy/config/environments/test.rb +5 -6
data/spec/dummy/config/initializers/doorkeeper.rb +12 -6
data/spec/dummy/config/initializers/new_framework_defaults.rb +2 -0
data/spec/dummy/config/initializers/secret_token.rb +1 -1
data/spec/dummy/config/routes.rb +3 -42
data/spec/dummy/config.ru +1 -1
data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +4 -4
data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb +1 -1
data/spec/dummy/db/migrate/20170822064514_enable_pkce.rb +6 -0
data/spec/dummy/db/migrate/{20180210183654_add_confidential_to_application.rb → 20180210183654_add_confidential_to_applications.rb} +1 -1
data/spec/dummy/db/schema.rb +36 -36
data/spec/dummy/script/rails +4 -3
data/spec/factories.rb +6 -6
data/spec/generators/application_owner_generator_spec.rb +1 -1
data/spec/generators/confidential_applications_generator_spec.rb +45 -0
data/spec/generators/install_generator_spec.rb +5 -2
data/spec/generators/migration_generator_spec.rb +1 -1
data/spec/generators/pkce_generator_spec.rb +43 -0
data/spec/generators/previous_refresh_token_generator_spec.rb +1 -1
data/spec/generators/templates/routes.rb +0 -1
data/spec/generators/views_generator_spec.rb +2 -2
data/spec/grape/grape_integration_spec.rb +2 -2
data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +1 -1
data/spec/lib/config_spec.rb +105 -39
data/spec/lib/doorkeeper_spec.rb +6 -131
data/spec/lib/models/expirable_spec.rb +0 -3
data/spec/lib/models/revocable_spec.rb +0 -2
data/spec/lib/models/scopes_spec.rb +0 -4
data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -4
data/spec/lib/oauth/authorization_code_request_spec.rb +17 -7
data/spec/lib/oauth/base_request_spec.rb +49 -11
data/spec/lib/oauth/base_response_spec.rb +1 -1
data/spec/lib/oauth/client/credentials_spec.rb +2 -4
data/spec/lib/oauth/client_credentials/creator_spec.rb +5 -1
data/spec/lib/oauth/client_credentials/issuer_spec.rb +24 -7
data/spec/lib/oauth/client_credentials/validation_spec.rb +4 -4
data/spec/lib/oauth/client_credentials_integration_spec.rb +2 -2
data/spec/lib/oauth/client_credentials_request_spec.rb +3 -5
data/spec/lib/oauth/client_spec.rb +0 -3
data/spec/lib/oauth/code_request_spec.rb +5 -3
data/spec/lib/oauth/code_response_spec.rb +1 -1
data/spec/lib/oauth/error_response_spec.rb +0 -3
data/spec/lib/oauth/error_spec.rb +0 -2
data/spec/lib/oauth/forbidden_token_response_spec.rb +1 -4
data/spec/lib/oauth/helpers/scope_checker_spec.rb +8 -11
data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -1
data/spec/lib/oauth/helpers/uri_checker_spec.rb +22 -13
data/spec/lib/oauth/invalid_token_response_spec.rb +1 -4
data/spec/lib/oauth/password_access_token_request_spec.rb +53 -6
data/spec/lib/oauth/pre_authorization_spec.rb +33 -4
data/spec/lib/oauth/refresh_token_request_spec.rb +22 -14
data/spec/lib/oauth/scopes_spec.rb +0 -3
data/spec/lib/oauth/token_request_spec.rb +8 -9
data/spec/lib/oauth/token_response_spec.rb +0 -1
data/spec/lib/oauth/token_spec.rb +40 -14
data/spec/lib/request/strategy_spec.rb +0 -1
data/spec/lib/server_spec.rb +7 -7
data/spec/lib/stale_records_cleaner_spec.rb +89 -0
data/spec/models/doorkeeper/access_grant_spec.rb +44 -1
data/spec/models/doorkeeper/access_token_spec.rb +80 -32
data/spec/models/doorkeeper/application_spec.rb +293 -221
data/spec/requests/applications/applications_request_spec.rb +134 -1
data/spec/requests/applications/authorized_applications_spec.rb +1 -1
data/spec/requests/endpoints/authorization_spec.rb +3 -3
data/spec/requests/endpoints/token_spec.rb +7 -5
data/spec/requests/flows/authorization_code_errors_spec.rb +2 -2
data/spec/requests/flows/authorization_code_spec.rb +258 -2
data/spec/requests/flows/client_credentials_spec.rb +46 -6
data/spec/requests/flows/implicit_grant_errors_spec.rb +3 -3
data/spec/requests/flows/implicit_grant_spec.rb +38 -11
data/spec/requests/flows/password_spec.rb +61 -3
data/spec/requests/flows/refresh_token_spec.rb +59 -2
data/spec/requests/flows/revoke_token_spec.rb +20 -20
data/spec/requests/flows/skip_authorization_spec.rb +16 -11
data/spec/requests/protected_resources/metal_spec.rb +1 -1
data/spec/requests/protected_resources/private_api_spec.rb +3 -3
data/spec/routing/custom_controller_routes_spec.rb +59 -7
data/spec/routing/default_routes_spec.rb +2 -2
data/spec/routing/scoped_routes_spec.rb +16 -2
data/spec/spec_helper.rb +54 -3
data/spec/spec_helper_integration.rb +2 -74
data/spec/support/dependencies/{factory_girl.rb → factory_bot.rb} +0 -0
data/spec/support/doorkeeper_rspec.rb +20 -0
data/spec/support/helpers/authorization_request_helper.rb +4 -4
data/spec/support/helpers/model_helper.rb +8 -4
data/spec/support/helpers/request_spec_helper.rb +10 -2
data/spec/support/helpers/url_helper.rb +18 -14
data/spec/support/http_method_shim.rb +12 -16
data/spec/support/shared/controllers_shared_context.rb +56 -0
data/spec/validators/redirect_uri_validator_spec.rb +9 -3
data/spec/version/version_spec.rb +3 -3
data/vendor/assets/stylesheets/doorkeeper/bootstrap.min.css +4 -5
metadata +54 -35
data/lib/generators/doorkeeper/add_client_confidentiality_generator.rb +0 -31
data/lib/generators/doorkeeper/templates/add_confidential_to_application_migration.rb.erb +0 -11
data/spec/controllers/application_metal_controller.rb +0 -10

data/lib/doorkeeper/oauth/pre_authorization.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module Doorkeeper
   module OAuth
     class PreAuthorization
@@ -7,17 +9,21 @@ module Doorkeeper
       validate :client, error: :invalid_client
       validate :scopes, error: :invalid_scope
       validate :redirect_uri, error: :invalid_redirect_uri
+      validate :code_challenge_method, error: :invalid_code_challenge_method
-      attr_accessor :server, :client, :response_type, :redirect_uri, :state
+      attr_accessor :server, :client, :response_type, :redirect_uri, :state,
+                    :code_challenge, :code_challenge_method
       attr_writer   :scope
       def initialize(server, client, attrs = {})
-        @server        = server
-        @client        = client
-        @response_type = attrs[:response_type]
-        @redirect_uri  = attrs[:redirect_uri]
-        @scope         = attrs[:scope]
-        @state         = attrs[:state]
+        @server                = server
+        @client                = client
+        @response_type         = attrs[:response_type]
+        @redirect_uri          = attrs[:redirect_uri]
+        @scope                 = attrs[:scope]
+        @state                 = attrs[:state]
+        @code_challenge        = attrs[:code_challenge]
+        @code_challenge_method = attrs[:code_challenge_method]
       end
       def authorizable?
@@ -29,15 +35,36 @@ module Doorkeeper
       end
       def scope
-        @scope.presence || server.default_scopes.to_s
+        @scope.presence || build_scopes
       end
       def error_response
         OAuth::ErrorResponse.from_request(self)
       end
+      def as_json(_options)
+        {
+          client_id: client.uid,
+          redirect_uri: redirect_uri,
+          state: state,
+          response_type: response_type,
+          scope: scope,
+          client_name: client.name,
+          status: I18n.t('doorkeeper.pre_authorization.status')
+        }
+      end
       private
+      def build_scopes
+        client_scopes = client.application.scopes
+        if client_scopes.blank?
+          server.default_scopes.to_s
+        else
+          (server.default_scopes & client_scopes).to_s
+        end
+      end
       def validate_response_type
         server.authorization_response_types.include? response_type
       end
@@ -47,7 +74,8 @@ module Doorkeeper
       end
       def validate_scopes
-        return true unless scope.present?
+        return true if scope.blank?
         Helpers::ScopeChecker.valid?(
           scope,
           server.scopes,
@@ -55,14 +83,18 @@ module Doorkeeper
         )
       end
-      # TODO: test uri should be matched against the client's one
       def validate_redirect_uri
         return false if redirect_uri.blank?
         Helpers::URIChecker.valid_for_authorization?(
-          redirect_uri, client.redirect_uri
+          redirect_uri,
+          client.redirect_uri
         )
       end
+      def validate_code_challenge_method
+        !code_challenge.present? || (code_challenge_method.present? && code_challenge_method =~ /^plain$|^S256$/)
+      end
     end
   end
 end

data/lib/doorkeeper/oauth/refresh_token_request.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module Doorkeeper
   module OAuth
     class RefreshTokenRequest < BaseRequest
@@ -65,7 +67,12 @@ module Doorkeeper
       end
       def access_token_expires_in
-        Authorization::Token.access_token_expires_in(server, client)
+        context = Authorization::Token.build_context(
+          client,
+          Doorkeeper::OAuth::REFRESH_TOKEN,
+          scopes
+        )
+        Authorization::Token.access_token_expires_in(server, context)
       end
       def validate_token_presence
@@ -77,11 +84,17 @@ module Doorkeeper
       end
       def validate_client
-        !credentials || !!client
+        return true if credentials.blank?
+        client.present?
       end
+      # @see https://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-1.5
+      #
       def validate_client_match
-        !client || refresh_token.application_id == client.id
+        return true if refresh_token.application_id.blank?
+        client && refresh_token.application_id == client.id
       end
       def validate_scope

data/lib/doorkeeper/oauth/scopes.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module Doorkeeper
   module OAuth
     class Scopes
@@ -41,7 +43,7 @@ module Doorkeeper
       end
       def has_scopes?(scopes)
-        scopes.all? { |s| exists?(s) }
+        scopes.all? { |scope| exists?(scope) }
       end
       def +(other)

data/lib/doorkeeper/oauth/token.rb CHANGED Viewed

@@ -1,9 +1,11 @@
+# frozen_string_literal: true
 module Doorkeeper
   module OAuth
     class Token
       class << self
         def from_request(request, *methods)
-          methods.inject(nil) do |credentials, method|
+          methods.inject(nil) do |_, method|
             method = self.method(method) if method.is_a?(Symbol)
             credentials = method.call(request)
             break credentials unless credentials.blank?
@@ -13,7 +15,10 @@ module Doorkeeper
         def authenticate(request, *methods)
           if (token = from_request(request, *methods))
             access_token = AccessToken.by_token(token)
-            access_token.revoke_previous_refresh_token! if access_token
+            refresh_token_enabled = Doorkeeper.configuration.refresh_token_enabled?
+            if access_token.present? && refresh_token_enabled
+              access_token.revoke_previous_refresh_token!
+            end
             access_token
           end
         end

data/lib/doorkeeper/oauth/token_introspection.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module Doorkeeper
   module OAuth
     # RFC7662 OAuth 2.0 Token Introspection
@@ -47,12 +49,12 @@ module Doorkeeper
       # Client Authentication
       def authorized_client
-        @_authorized_client ||= server.credentials && server.client
+        @authorized_client ||= server.credentials && server.client
       end
       # Bearer Token Authentication
       def authorized_token
-        @_authorized_token ||=
+        @authorized_token ||=
           OAuth::Token.authenticate(server.context.request, :from_bearer_authorization)
       end

data/lib/doorkeeper/oauth/token_request.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module Doorkeeper
   module OAuth
     class TokenRequest

data/lib/doorkeeper/oauth/token_response.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module Doorkeeper
   module OAuth
     class TokenResponse
@@ -23,9 +25,11 @@ module Doorkeeper
       end
       def headers
-        { 'Cache-Control' => 'no-store',
+        {
+          'Cache-Control' => 'no-store',
           'Pragma' => 'no-cache',
-          'Content-Type' => 'application/json; charset=utf-8' }
+          'Content-Type' => 'application/json; charset=utf-8'
+        }
       end
     end
   end

data/lib/doorkeeper/oauth.rb ADDED Viewed

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+module Doorkeeper
+  module OAuth
+    GRANT_TYPES = [
+      AUTHORIZATION_CODE = 'authorization_code'.freeze,
+      IMPLICIT = 'implicit'.freeze,
+      PASSWORD = 'password'.freeze,
+      CLIENT_CREDENTIALS = 'client_credentials'.freeze,
+      REFRESH_TOKEN = 'refresh_token'.freeze
+    ].freeze
+  end
+end

data/lib/doorkeeper/orm/active_record/application.rb CHANGED Viewed

@@ -13,6 +13,8 @@ module Doorkeeper
     validates :redirect_uri, redirect_uri: true
     validates :confidential, inclusion: { in: [true, false] }
+    validate :scopes_match_configured, if: :enforce_scopes?
     before_validation :generate_uid, :generate_secret, on: :create
     has_many :authorized_tokens, -> { where(revoked_at: nil) }, class_name: 'AccessToken'
@@ -32,20 +34,38 @@ module Doorkeeper
       where(id: resource_access_tokens.select(:application_id).distinct)
     end
-    # Fallback to existing, default behaviour of assuming all apps to be
-    # confidential if the migration hasn't been run
-    def confidential
-      return super if self.class.supports_confidentiality?
-      ActiveSupport::Deprecation.warn 'You are susceptible to security bug ' \
-        'CVE-2018-1000211. Please follow instructions outlined in ' \
-        'Doorkeeper::CVE_2018_1000211_WARNING'
-      true
+    # Revokes AccessToken and AccessGrant records that have not been revoked and
+    # associated with the specific Application and Resource Owner.
+    #
+    # @param resource_owner [ActiveRecord::Base]
+    #   instance of the Resource Owner model
+    #
+    def self.revoke_tokens_and_grants_for(id, resource_owner)
+      AccessToken.revoke_all_for(id, resource_owner)
+      AccessGrant.revoke_all_for(id, resource_owner)
     end
-    alias_method :confidential?, :confidential
-    def self.supports_confidentiality?
-      column_names.include?('confidential')
+    # Represents client as set of it's attributes in JSON format.
+    # This is the right way how we want to override ActiveRecord #to_json.
+    #
+    # Respects privacy settings and serializes minimum set of attributes
+    # for public/private clients and full set for authorized owners.
+    #
+    # @return [Hash] entity attributes for JSON
+    #
+    def as_json(options = {})
+      # if application belongs to some owner we need to check if it's the same as
+      # the one passed in the options or check if we render the client as an owner
+      if (respond_to?(:owner) && owner && owner == options[:current_resource_owner]) ||
+         options[:as_owner]
+        # Owners can see all the client attributes, fallback to ActiveModel serialization
+        super
+      else
+        # if application has no owner or it's owner doesn't match one from the options
+        # we render only minimum set of attributes that could be exposed to a public
+        only = extract_serializable_attributes(options)
+        super(options.merge(only: only))
+      end
     end
     private
@@ -57,5 +77,48 @@ module Doorkeeper
     def generate_secret
       self.secret = UniqueToken.generate if secret.blank?
     end
+    def scopes_match_configured
+      if scopes.present? &&
+         !ScopeChecker.valid?(scopes.to_s, Doorkeeper.configuration.scopes)
+        errors.add(:scopes, :not_match_configured)
+      end
+    end
+    def enforce_scopes?
+      Doorkeeper.configuration.enforce_configured_scopes?
+    end
+    # Helper method to extract collection of serializable attribute names
+     # considering serialization options (like `only`, `except` and so on).
+     #
+     # @param options [Hash] serialization options
+     #
+     # @return [Array<String>]
+     #   collection of attributes to be serialized using #as_json
+     #
+     def extract_serializable_attributes(options = {})
+       opts = options.try(:dup) || {}
+       only = Array.wrap(opts[:only]).map(&:to_s)
+       only = if only.blank?
+                serializable_attributes
+              else
+                only & serializable_attributes
+              end
+       only -= Array.wrap(opts[:except]).map(&:to_s) if opts.key?(:except)
+       only.uniq
+     end
+     # Collection of attributes that could be serialized for public.
+     # Override this method if you need additional attributes to be serialized.
+     #
+     # @return [Array<String>] collection of serializable attributes
+     def serializable_attributes
+       attributes = %w[id name created_at]
+       attributes << "uid" unless confidential?
+       attributes
+     end
   end
 end

data/lib/doorkeeper/orm/active_record/stale_records_cleaner.rb ADDED Viewed

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+module Doorkeeper
+  module Orm
+    module ActiveRecord
+      class StaleRecordsCleaner
+        def initialize(base_scope)
+          @base_scope = base_scope
+        end
+        def clean_revoked
+          table = @base_scope.arel_table
+          @base_scope.where.not(revoked_at: nil)
+                     .where(table[:revoked_at].lt(Time.current))
+                     .delete_all
+        end
+        def clean_expired(ttl)
+          table = @base_scope.arel_table
+          @base_scope.where(table[:created_at].lt(Time.current - ttl))
+                     .delete_all
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/orm/active_record.rb CHANGED Viewed

@@ -1,5 +1,9 @@
+# frozen_string_literal: true
 require 'active_support/lazy_load_hooks'
+require 'doorkeeper/orm/active_record/stale_records_cleaner'
 module Doorkeeper
   module Orm
     module ActiveRecord

data/lib/doorkeeper/rails/helpers.rb CHANGED Viewed

@@ -1,12 +1,12 @@
+# frozen_string_literal: true
 module Doorkeeper
   module Rails
     module Helpers
       def doorkeeper_authorize!(*scopes)
         @_doorkeeper_scopes = scopes.presence || Doorkeeper.configuration.default_scopes
-        unless valid_doorkeeper_token?
-          doorkeeper_render_error
-        end
+        doorkeeper_render_error unless valid_doorkeeper_token?
       end
       def doorkeeper_unauthorized_render_options(**); end
@@ -21,6 +21,8 @@ module Doorkeeper
       def doorkeeper_render_error
         error = doorkeeper_error
+        error.raise_exception! if Doorkeeper.configuration.raise_on_errors?
         headers.merge!(error.headers.reject { |k| k == "Content-Type" })
         doorkeeper_render_error_with(error)
       end
@@ -68,7 +70,7 @@ module Doorkeeper
       end
       def doorkeeper_token
-        @_doorkeeper_token ||= OAuth::Token.authenticate(
+        @doorkeeper_token ||= OAuth::Token.authenticate(
           request,
           *Doorkeeper.configuration.access_token_methods
         )

data/lib/doorkeeper/rails/routes/mapper.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module Doorkeeper
   module Rails
     class Routes # :nodoc:

data/lib/doorkeeper/rails/routes/mapping.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module Doorkeeper
   module Rails
     class Routes # :nodoc:

data/lib/doorkeeper/rails/routes.rb CHANGED Viewed

@@ -1,9 +1,15 @@
+# frozen_string_literal: true
 require 'doorkeeper/rails/routes/mapping'
 require 'doorkeeper/rails/routes/mapper'
 module Doorkeeper
   module Rails
     class Routes # :nodoc:
+      mattr_reader :mapping do
+        {}
+      end
       module Helper
         def use_doorkeeper(options = {}, &block)
           Doorkeeper::Rails::Routes.new(self, &block).generate_routes!(options)
@@ -19,6 +25,10 @@ module Doorkeeper
       def initialize(routes, &block)
         @routes = routes
         @mapping = Mapper.new.map(&block)
+        if Doorkeeper.configuration.api_only
+          @mapping.skips.push(:applications, :authorized_applications)
+        end
       end
       def generate_routes!(options)
@@ -36,7 +46,11 @@ module Doorkeeper
       private
       def map_route(name, method)
-        send(method, @mapping[name]) unless @mapping.skipped?(name)
+        return if @mapping.skipped?(name)
+        send(method, @mapping[name])
+        mapping[name] = @mapping[name]
       end
       def authorization_routes(mapping)
@@ -47,7 +61,7 @@ module Doorkeeper
           as: mapping[:as],
           controller: mapping[:controllers]
         ) do
-          routes.get native_authorization_code_route, action: :show, on: :member
+          routes.get '/native', action: :show, on: :member
           routes.get '/', action: :new, on: :member
         end
       end
@@ -79,15 +93,16 @@ module Doorkeeper
       end
       def application_routes(mapping)
-        routes.resources :doorkeeper_applications, controller: mapping[:controllers], as: :applications, path: 'applications'
+        routes.resources :doorkeeper_applications,
+                         controller: mapping[:controllers],
+                         as: :applications,
+                         path: 'applications'
       end
       def authorized_applications_routes(mapping)
-        routes.resources :authorized_applications, only: %i[index destroy], controller: mapping[:controllers]
-      end
-      def native_authorization_code_route
-        Doorkeeper.configuration.native_authorization_code_route
+        routes.resources :authorized_applications,
+                         only: %i[index destroy],
+                         controller: mapping[:controllers]
       end
     end
   end

data/lib/doorkeeper/rake/db.rake ADDED Viewed

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+namespace :doorkeeper do
+  namespace :db do
+    desc 'Removes stale data from doorkeeper related database tables'
+    task cleanup: [
+      'doorkeeper:db:cleanup:revoked_tokens',
+      'doorkeeper:db:cleanup:expired_tokens',
+      'doorkeeper:db:cleanup:revoked_grants',
+      'doorkeeper:db:cleanup:expired_grants'
+    ]
+    namespace :cleanup do
+      desc 'Removes stale access tokens'
+      task revoked_tokens: 'doorkeeper:setup' do
+        cleaner = Doorkeeper::StaleRecordsCleaner.new(Doorkeeper::AccessToken)
+        cleaner.clean_revoked
+      end
+      desc 'Removes expired (TTL passed) access tokens'
+      task expired_tokens: 'doorkeeper:setup' do
+        expirable_tokens = Doorkeeper::AccessToken.where(refresh_token: nil)
+        cleaner = Doorkeeper::StaleRecordsCleaner.new(expirable_tokens)
+        cleaner.clean_expired(Doorkeeper.configuration.access_token_expires_in)
+      end
+      desc 'Removes stale access grants'
+      task revoked_grants: 'doorkeeper:setup' do
+        cleaner = Doorkeeper::StaleRecordsCleaner.new(Doorkeeper::AccessGrant)
+        cleaner.clean_revoked
+      end
+      desc 'Removes expired (TTL passed) access grants'
+      task expired_grants: 'doorkeeper:setup' do
+        cleaner = Doorkeeper::StaleRecordsCleaner.new(Doorkeeper::AccessGrant)
+        cleaner.clean_expired(Doorkeeper.configuration.authorization_code_expires_in)
+      end
+    end
+  end
+end

data/lib/doorkeeper/rake/setup.rake ADDED Viewed

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+namespace :doorkeeper do
+  task setup: :environment do
+  end
+end

data/lib/doorkeeper/rake.rb ADDED Viewed

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+module Doorkeeper
+  module Rake
+    class << self
+      def load_tasks
+        glob = File.join(File.absolute_path(__dir__), 'rake', '*.rake')
+        Dir[glob].each do |rake_file|
+          load rake_file
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/request/authorization_code.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-require 'doorkeeper/request/strategy'
+# frozen_string_literal: true
 module Doorkeeper
   module Request

data/lib/doorkeeper/request/client_credentials.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-require 'doorkeeper/request/strategy'
+# frozen_string_literal: true
 module Doorkeeper
   module Request

data/lib/doorkeeper/request/code.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-require 'doorkeeper/request/strategy'
+# frozen_string_literal: true
 module Doorkeeper
   module Request

data/lib/doorkeeper/request/password.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-require 'doorkeeper/request/strategy'
+# frozen_string_literal: true
 module Doorkeeper
   module Request

data/lib/doorkeeper/request/refresh_token.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-require 'doorkeeper/request/strategy'
+# frozen_string_literal: true
 module Doorkeeper
   module Request

data/lib/doorkeeper/request/strategy.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module Doorkeeper
   module Request
     class Strategy

data/lib/doorkeeper/request/token.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-require 'doorkeeper/request/strategy'
+# frozen_string_literal: true
 module Doorkeeper
   module Request