doorkeeper 4.4.3 → 5.0.3

data/lib/generators/doorkeeper/templates/initializer.rb

@@ -4,56 +4,107 @@ Doorkeeper.configure do
 
   # This block will be called to check whether the resource owner is authenticated or not.
   resource_owner_authenticator do
-    fail "Please configure doorkeeper resource_owner_authenticator block located in #{__FILE__}"
+    raise "Please configure doorkeeper resource_owner_authenticator block located in #{__FILE__}"
     # Put your resource owner authentication logic here.
     # Example implementation:
     #   User.find_by_id(session[:user_id]) || redirect_to(new_user_session_url)
   end
 
-  # If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below.
+  # If you didn't skip applications controller from Doorkeeper routes in your application routes.rb
+  # file then you need to declare this block in order to restrict access to the web interface for
+  # adding oauth authorized applications. In other case it will return 403 Forbidden response
+  # every time somebody will try to access the admin web interface.
+  #
   # admin_authenticator do
   #   # Put your admin authentication logic here.
   #   # Example implementation:
-  #   Admin.find_by_id(session[:admin_id]) || redirect_to(new_admin_session_url)
+  #
+  #   if current_user
+  #     head :forbidden unless current_user.admin?
+  #   else
+  #     redirect_to sign_in_url
+  #   end
   # end
 
+  # If you are planning to use Doorkeeper in Rails 5 API-only application, then you might
+  # want to use API mode that will skip all the views management and change the way how
+  # Doorkeeper responds to a requests.
+  #
+  # api_only
+
+  # Enforce token request content type to application/x-www-form-urlencoded.
+  # It is not enabled by default to not break prior versions of the gem.
+  #
+  # enforce_content_type
+
   # Authorization Code expiration time (default 10 minutes).
+  #
   # authorization_code_expires_in 10.minutes
 
   # Access token expiration time (default 2 hours).
   # If you want to disable expiration, set this to nil.
+  #
   # access_token_expires_in 2.hours
 
-  # Assign a custom TTL for implicit grants.
-  # custom_access_token_expires_in do |oauth_client|
-  #   oauth_client.application.additional_settings.implicit_oauth_expiration
+  # Assign custom TTL for access tokens. Will be used instead of access_token_expires_in
+  # option if defined. `context` has the following properties available
+  #
+  # `client` - the OAuth client application (see Doorkeeper::OAuth::Client)
+  # `grant_type` - the grant type of the request (see Doorkeeper::OAuth)
+  # `scopes` - the requested scopes (see Doorkeeper::OAuth::Scopes)
+  #
+  # custom_access_token_expires_in do |context|
+  #   context.client.application.additional_settings.implicit_oauth_expiration
   # end
 
   # Use a custom class for generating the access token.
-  # https://github.com/doorkeeper-gem/doorkeeper#custom-access-token-generator
+  # See https://github.com/doorkeeper-gem/doorkeeper#custom-access-token-generator
+  #
   # access_token_generator '::Doorkeeper::JWT'
 
   # The controller Doorkeeper::ApplicationController inherits from.
   # Defaults to ActionController::Base.
-  # https://github.com/doorkeeper-gem/doorkeeper#custom-base-controller
+  # See https://github.com/doorkeeper-gem/doorkeeper#custom-base-controller
+  #
   # base_controller 'ApplicationController'
 
-  # Reuse access token for the same resource owner within an application (disabled by default)
+  # Reuse access token for the same resource owner within an application (disabled by default).
+  #
+  # This option protects your application from creating new tokens before old valid one becomes
+  # expired so your database doesn't bloat. Keep in mind that when this option is `on` Doorkeeper
+  # doesn't updates existing token expiration time, it will create a new token instead.
   # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/383
+  #
   # reuse_access_token
 
-  # Issue access tokens with refresh token (disabled by default)
+  # Issue access tokens with refresh token (disabled by default), you may also
+  # pass a block which accepts `context` to customize when to give a refresh
+  # token or not. Similar to `custom_access_token_expires_in`, `context` has
+  # the properties:
+  #
+  # `client` - the OAuth client application (see Doorkeeper::OAuth::Client)
+  # `grant_type` - the grant type of the request (see Doorkeeper::OAuth)
+  # `scopes` - the requested scopes (see Doorkeeper::OAuth::Scopes)
+  #
   # use_refresh_token
 
+  # Forbids creating/updating applications with arbitrary scopes that are
+  # not in configuration, i.e. `default_scopes` or `optional_scopes`.
+  # (disabled by default)
+  #
+  # enforce_configured_scopes
+
   # Provide support for an owner to be assigned to each registered application (disabled by default)
   # Optional parameter confirmation: true (default false) if you want to enforce ownership of
   # a registered application
   # Note: you must also run the rails g doorkeeper:application_owner generator to provide the necessary support
+  #
   # enable_application_owner confirmation: false
 
   # Define access token scopes for your provider
   # For more information go to
   # https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes
+  #
   # default_scopes  :public
   # optional_scopes :write, :update
 
@@ -62,6 +113,7 @@ Doorkeeper.configure do
   # falls back to the `:client_id` and `:client_secret` params from the `params` object.
   # Check out https://github.com/doorkeeper-gem/doorkeeper/wiki/Changing-how-clients-are-authenticated
   # for more information on customization
+  #
   # client_credentials :from_basic, :from_params
 
   # Change the way access token is authenticated from the request object.
@@ -69,10 +121,12 @@ Doorkeeper.configure do
   # falls back to the `:access_token` or `:bearer_token` params from the `params` object.
   # Check out https://github.com/doorkeeper-gem/doorkeeper/wiki/Changing-how-clients-are-authenticated
   # for more information on customization
+  #
   # access_token_methods :from_bearer_authorization, :from_access_token_param, :from_bearer_param
 
   # Change the native redirect uri for client apps
-  # When clients register with the following redirect uri, they won't be redirected to any server and the authorization code will be displayed within the provider
+  # When clients register with the following redirect uri, they won't be redirected to any server and
+  # the authorizationcode will be displayed within the provider
   # The value can be any string. Use nil to disable this feature. When disabled, clients must provide a valid URL
   # (Similar behaviour: https://developers.google.com/accounts/docs/OAuth2InstalledApp#choosingredirecturi)
   #
@@ -90,14 +144,27 @@ Doorkeeper.configure do
   #
   # force_ssl_in_redirect_uri { |uri| uri.host != 'localhost' }
 
-  # Specify what redirect URI's you want to block during creation. Any redirect
-  # URI is whitelisted by default.
+  # Specify what redirect URI's you want to block during Application creation.
+  # Any redirect URI is whitelisted by default.
   #
   # You can use this option in order to forbid URI's with 'javascript' scheme
   # for example.
   #
   # forbid_redirect_uri { |uri| uri.scheme.to_s.downcase == 'javascript' }
 
+  # Specify how authorization errors should be handled.
+  # By default, doorkeeper renders json errors when access token
+  # is invalid, expired, revoked or has invalid scopes.
+  #
+  # If you want to render error response yourself (i.e. rescue exceptions),
+  # set  handle_auth_errors to `:raise` and rescue Doorkeeper::Errors::InvalidToken
+  # or following specific errors:
+  #
+  #   Doorkeeper::Errors::TokenForbidden, Doorkeeper::Errors::TokenExpired,
+  #   Doorkeeper::Errors::TokenRevoked, Doorkeeper::Errors::TokenUnknown
+  #
+  # handle_auth_errors :raise
+
   # Specify what grant flows are enabled in array of Strings. The valid
   # strings and the flows they enable are:
   #
@@ -127,13 +194,29 @@ Doorkeeper.configure do
   #   puts "AFTER HOOK FIRED! #{request}, #{response}"
   # end
 
+  # Hook into Authorization flow in order to implement Single Sign Out
+  # or add ny other functionality.
+  #
+  # before_successful_authorization do |controller|
+  #   Rails.logger.info(params.inspect)
+  # end
+  #
+  # after_successful_authorization do |controller|
+  #   controller.session[:logout_urls] <<
+  #     Doorkeeper::Application
+  #       .find_by(controller.request.params.slice(:redirect_uri))
+  #       .logout_uri
+  # end
+
   # Under some circumstances you might want to have applications auto-approved,
   # so that the user skips the authorization step.
   # For example if dealing with a trusted application.
+  #
   # skip_authorization do |resource_owner, client|
   #   client.superapp? or resource_owner.admin?
   # end
 
   # WWW-Authenticate Realm (default "Doorkeeper").
+  #
   # realm "Doorkeeper"
 end

data/lib/generators/doorkeeper/templates/migration.rb.erb

@@ -13,7 +13,7 @@ class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
     add_index :oauth_applications, :uid, unique: true
 
     create_table :oauth_access_grants do |t|
-      t.integer  :resource_owner_id, null: false
+      t.references :resource_owner,  null: false
       t.references :application,     null: false
       t.string   :token,             null: false
       t.integer  :expires_in,        null: false
@@ -31,7 +31,7 @@ class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
     )
 
     create_table :oauth_access_tokens do |t|
-      t.integer  :resource_owner_id
+      t.references :resource_owner, index: true
       t.references :application
 
       # If you use a custom token generator you may need to change this column
@@ -58,7 +58,6 @@ class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
     end
 
     add_index :oauth_access_tokens, :token, unique: true
-    add_index :oauth_access_tokens, :resource_owner_id
     add_index :oauth_access_tokens, :refresh_token, unique: true
     add_foreign_key(
       :oauth_access_tokens,

data/lib/generators/doorkeeper/views_generator.rb

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module Generators
     class ViewsGenerator < ::Rails::Generators::Base
-      source_root File.expand_path('../../../../app/views', __FILE__)
+      source_root File.expand_path('../../../app/views', __dir__)
 
       desc 'Copies default Doorkeeper views and layouts to your application.'
 

data/spec/controllers/application_metal_controller_spec.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require 'spec_helper_integration'
+
+describe Doorkeeper::ApplicationMetalController do
+  controller(Doorkeeper::ApplicationMetalController) do
+    def index
+      render json: {}, status: 200
+    end
+  end
+
+  it "lazy run hooks" do
+    i = 0
+    ActiveSupport.on_load(:doorkeeper_metal_controller) { i += 1 }
+
+    expect(i).to eq 1
+  end
+
+  describe 'enforce_content_type' do
+    before { allow(Doorkeeper.configuration).to receive(:enforce_content_type).and_return(flag) }
+
+    context 'enabled' do
+      let(:flag) { true }
+
+      it '200 for the correct media type' do
+        get :index, params: {}, as: :url_encoded_form
+        expect(response).to have_http_status 200
+      end
+
+      it 'returns a 415 for an incorrect media type' do
+        get :index, as: :json
+        expect(response).to have_http_status 415
+      end
+    end
+
+    context 'disabled' do
+      let(:flag) { false }
+
+      it 'returns a 200 for the correct media type' do
+        get :index, as: :url_encoded_form
+        expect(response).to have_http_status 200
+      end
+
+      it 'returns a 200 for an incorrect media type' do
+        get :index, as: :json
+        expect(response).to have_http_status 200
+      end
+    end
+  end
+end

data/spec/controllers/applications_controller_spec.rb

@@ -1,7 +1,99 @@
-require 'spec_helper_integration'
+require 'spec_helper'
 
 module Doorkeeper
   describe ApplicationsController do
+    context 'JSON API' do
+      render_views
+
+      before do
+        allow(Doorkeeper.configuration).to receive(:api_only).and_return(true)
+        allow(Doorkeeper.configuration).to receive(:authenticate_admin).and_return(->(*) { true })
+      end
+
+      it 'creates an application' do
+        expect do
+          post :create, params: {
+            doorkeeper_application: {
+              name: 'Example',
+              redirect_uri: 'https://example.com'
+            }, format: :json
+          }
+        end.to(change { Doorkeeper::Application.count })
+
+        expect(response).to be_successful
+
+        expect(json_response).to include('id', 'name', 'uid', 'secret', 'redirect_uri', 'scopes')
+
+        expect(json_response['name']).to eq('Example')
+        expect(json_response['redirect_uri']).to eq('https://example.com')
+      end
+
+      it 'returns validation errors on wrong create params' do
+        expect do
+          post :create, params: {
+            doorkeeper_application: {
+              name: 'Example'
+            }, format: :json
+          }
+        end.not_to(change { Doorkeeper::Application.count })
+
+        expect(response).to have_http_status(422)
+
+        expect(json_response).to include('errors')
+      end
+
+      it 'returns application info' do
+        application = FactoryBot.create(:application, name: 'Change me')
+
+        get :show, params: { id: application.id, format: :json }
+
+        expect(response).to be_successful
+
+        expect(json_response).to include('id', 'name', 'uid', 'secret', 'redirect_uri', 'scopes')
+      end
+
+      it 'updates application' do
+        application = FactoryBot.create(:application, name: 'Change me')
+
+        put :update, params: {
+          id: application.id,
+          doorkeeper_application: {
+            name: 'Example App',
+            redirect_uri: 'https://example.com'
+          }, format: :json
+        }
+
+        expect(application.reload.name).to eq 'Example App'
+
+        expect(json_response).to include('id', 'name', 'uid', 'secret', 'redirect_uri', 'scopes')
+      end
+
+      it 'returns validation errors on wrong update params' do
+        application = FactoryBot.create(:application, name: 'Change me')
+
+        put :update, params: {
+          id: application.id,
+          doorkeeper_application: {
+            name: 'Example App',
+            redirect_uri: 'localhost:3000'
+          }, format: :json
+        }
+
+        expect(response).to have_http_status(422)
+
+        expect(json_response).to include('errors')
+      end
+
+      it 'destroys an application' do
+        application = FactoryBot.create(:application)
+
+        delete :destroy, params: { id: application.id, format: :json }
+
+        expect(response).to have_http_status(204)
+        expect(Application.count).to be_zero
+      end
+    end
+
     context 'when admin is not authenticated' do
       before do
         allow(Doorkeeper.configuration).to receive(:authenticate_admin).and_return(proc do
@@ -16,10 +108,13 @@ module Doorkeeper
 
       it 'does not create application' do
         expect do
-          post :create, doorkeeper_application: {
-            name: 'Example',
-            redirect_uri: 'https://example.com' }
-        end.not_to change { Doorkeeper::Application.count }
+          post :create, params: {
+            doorkeeper_application: {
+              name: 'Example',
+              redirect_uri: 'https://example.com'
+            }
+          }
+        end.not_to(change { Doorkeeper::Application.count })
       end
     end
 
@@ -34,34 +129,48 @@ module Doorkeeper
         first_application = FactoryBot.create(:application)
         second_application = FactoryBot.create(:application)
         expect(Doorkeeper::Application).to receive(:ordered_by).and_call_original
+
         get :index
+
         expect(response.body).to have_selector("tbody tr:first-child#application_#{first_application.id}")
         expect(response.body).to have_selector("tbody tr:last-child#application_#{second_application.id}")
       end
 
       it 'creates application' do
         expect do
-          post :create, doorkeeper_application: {
-            name: 'Example',
-            redirect_uri: 'https://example.com' }
+          post :create, params: {
+            doorkeeper_application: {
+              name: 'Example',
+              redirect_uri: 'https://example.com'
+            }
+          }
         end.to change { Doorkeeper::Application.count }.by(1)
+
         expect(response).to be_redirect
       end
 
       it 'does not allow mass assignment of uid or secret' do
         application = FactoryBot.create(:application)
-        put :update, id: application.id, doorkeeper_application: {
-          uid: '1A2B3C4D',
-          secret: '1A2B3C4D' }
+        put :update, params: {
+          id: application.id,
+          doorkeeper_application: {
+            uid: '1A2B3C4D',
+            secret: '1A2B3C4D'
+          }
+        }
 
         expect(application.reload.uid).not_to eq '1A2B3C4D'
       end
 
       it 'updates application' do
         application = FactoryBot.create(:application)
-        put :update, id: application.id, doorkeeper_application: {
-          name: 'Example',
-          redirect_uri: 'https://example.com' }
+        put :update, params: {
+          id: application.id, doorkeeper_application: {
+            name: 'Example',
+            redirect_uri: 'https://example.com'
+          }
+        }
+
         expect(application.reload.name).to eq 'Example'
       end
     end