doorkeeper 4.4.3 → 5.5.2
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of doorkeeper might be problematic. Click here for more details.
- checksums.yaml +5 -5
- data/{NEWS.md → CHANGELOG.md} +393 -19
- data/README.md +97 -393
- data/app/assets/stylesheets/doorkeeper/admin/application.css +2 -2
- data/app/controllers/doorkeeper/application_controller.rb +8 -5
- data/app/controllers/doorkeeper/application_metal_controller.rb +7 -11
- data/app/controllers/doorkeeper/applications_controller.rb +62 -27
- data/app/controllers/doorkeeper/authorizations_controller.rb +97 -17
- data/app/controllers/doorkeeper/authorized_applications_controller.rb +22 -3
- data/app/controllers/doorkeeper/token_info_controller.rb +16 -4
- data/app/controllers/doorkeeper/tokens_controller.rb +98 -32
- data/app/helpers/doorkeeper/dashboard_helper.rb +9 -7
- data/app/views/doorkeeper/applications/_delete_form.html.erb +3 -1
- data/app/views/doorkeeper/applications/_form.html.erb +27 -26
- data/app/views/doorkeeper/applications/edit.html.erb +1 -1
- data/app/views/doorkeeper/applications/index.html.erb +17 -7
- data/app/views/doorkeeper/applications/new.html.erb +1 -1
- data/app/views/doorkeeper/applications/show.html.erb +38 -17
- data/app/views/doorkeeper/authorizations/error.html.erb +1 -1
- data/app/views/doorkeeper/authorizations/form_post.html.erb +15 -0
- data/app/views/doorkeeper/authorizations/new.html.erb +6 -0
- data/app/views/layouts/doorkeeper/admin.html.erb +16 -14
- data/config/locales/en.yml +23 -3
- data/lib/doorkeeper/config/abstract_builder.rb +28 -0
- data/lib/doorkeeper/config/option.rb +82 -0
- data/lib/doorkeeper/config/validations.rb +53 -0
- data/lib/doorkeeper/config.rb +471 -140
- data/lib/doorkeeper/engine.rb +8 -2
- data/lib/doorkeeper/errors.rb +25 -16
- data/lib/doorkeeper/grant_flow/fallback_flow.rb +15 -0
- data/lib/doorkeeper/grant_flow/flow.rb +44 -0
- data/lib/doorkeeper/grant_flow/registry.rb +50 -0
- data/lib/doorkeeper/grant_flow.rb +45 -0
- data/lib/doorkeeper/grape/authorization_decorator.rb +6 -4
- data/lib/doorkeeper/grape/helpers.rb +13 -7
- data/lib/doorkeeper/helpers/controller.rb +43 -10
- data/lib/doorkeeper/models/access_grant_mixin.rb +97 -3
- data/lib/doorkeeper/models/access_token_mixin.rb +272 -66
- data/lib/doorkeeper/models/application_mixin.rb +50 -5
- data/lib/doorkeeper/models/concerns/accessible.rb +2 -0
- data/lib/doorkeeper/models/concerns/expirable.rb +7 -3
- data/lib/doorkeeper/models/concerns/orderable.rb +2 -0
- data/lib/doorkeeper/models/concerns/ownership.rb +4 -7
- data/lib/doorkeeper/models/concerns/resource_ownerable.rb +47 -0
- data/lib/doorkeeper/models/concerns/reusable.rb +19 -0
- data/lib/doorkeeper/models/concerns/revocable.rb +3 -27
- data/lib/doorkeeper/models/concerns/scopes.rb +12 -2
- data/lib/doorkeeper/models/concerns/secret_storable.rb +106 -0
- data/lib/doorkeeper/oauth/authorization/code.rb +48 -12
- data/lib/doorkeeper/oauth/authorization/context.rb +17 -0
- data/lib/doorkeeper/oauth/authorization/token.rb +58 -24
- data/lib/doorkeeper/oauth/authorization/uri_builder.rb +7 -5
- data/lib/doorkeeper/oauth/authorization_code_request.rb +58 -10
- data/lib/doorkeeper/oauth/base_request.rb +35 -24
- data/lib/doorkeeper/oauth/base_response.rb +2 -0
- data/lib/doorkeeper/oauth/client/credentials.rb +5 -5
- data/lib/doorkeeper/oauth/client.rb +10 -11
- data/lib/doorkeeper/oauth/client_credentials/creator.rb +47 -4
- data/lib/doorkeeper/oauth/client_credentials/issuer.rb +16 -9
- data/lib/doorkeeper/oauth/client_credentials/validator.rb +56 -0
- data/lib/doorkeeper/oauth/client_credentials_request.rb +10 -11
- data/lib/doorkeeper/oauth/code_request.rb +8 -12
- data/lib/doorkeeper/oauth/code_response.rb +27 -15
- data/lib/doorkeeper/oauth/error.rb +3 -1
- data/lib/doorkeeper/oauth/error_response.rb +35 -14
- data/lib/doorkeeper/oauth/forbidden_token_response.rb +10 -3
- data/lib/doorkeeper/oauth/helpers/scope_checker.rb +23 -18
- data/lib/doorkeeper/oauth/helpers/unique_token.rb +20 -3
- data/lib/doorkeeper/oauth/helpers/uri_checker.rb +42 -7
- data/lib/doorkeeper/oauth/hooks/context.rb +21 -0
- data/lib/doorkeeper/oauth/invalid_request_response.rb +43 -0
- data/lib/doorkeeper/oauth/invalid_token_response.rb +29 -4
- data/lib/doorkeeper/oauth/nonstandard.rb +39 -0
- data/lib/doorkeeper/oauth/password_access_token_request.rb +43 -10
- data/lib/doorkeeper/oauth/pre_authorization.rb +133 -26
- data/lib/doorkeeper/oauth/refresh_token_request.rb +59 -31
- data/lib/doorkeeper/oauth/scopes.rb +8 -4
- data/lib/doorkeeper/oauth/token.rb +12 -8
- data/lib/doorkeeper/oauth/token_introspection.rb +97 -23
- data/lib/doorkeeper/oauth/token_request.rb +8 -20
- data/lib/doorkeeper/oauth/token_response.rb +14 -10
- data/lib/doorkeeper/oauth.rb +13 -0
- data/lib/doorkeeper/orm/active_record/access_grant.rb +5 -30
- data/lib/doorkeeper/orm/active_record/access_token.rb +5 -43
- data/lib/doorkeeper/orm/active_record/application.rb +6 -57
- data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +68 -0
- data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +59 -0
- data/lib/doorkeeper/orm/active_record/mixins/application.rb +198 -0
- data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb +66 -0
- data/lib/doorkeeper/orm/active_record/stale_records_cleaner.rb +33 -0
- data/lib/doorkeeper/orm/active_record.rb +27 -9
- data/lib/doorkeeper/rails/helpers.rb +10 -8
- data/lib/doorkeeper/rails/routes/abstract_router.rb +35 -0
- data/lib/doorkeeper/rails/routes/mapper.rb +4 -2
- data/lib/doorkeeper/rails/routes/mapping.rb +9 -7
- data/lib/doorkeeper/rails/routes/registry.rb +45 -0
- data/lib/doorkeeper/rails/routes.rb +37 -30
- data/lib/doorkeeper/rake/db.rake +40 -0
- data/lib/doorkeeper/rake/setup.rake +11 -0
- data/lib/doorkeeper/rake.rb +14 -0
- data/lib/doorkeeper/request/authorization_code.rb +6 -4
- data/lib/doorkeeper/request/client_credentials.rb +3 -3
- data/lib/doorkeeper/request/code.rb +1 -1
- data/lib/doorkeeper/request/password.rb +4 -3
- data/lib/doorkeeper/request/refresh_token.rb +6 -5
- data/lib/doorkeeper/request/strategy.rb +4 -2
- data/lib/doorkeeper/request/token.rb +1 -1
- data/lib/doorkeeper/request.rb +61 -34
- data/lib/doorkeeper/secret_storing/base.rb +64 -0
- data/lib/doorkeeper/secret_storing/bcrypt.rb +60 -0
- data/lib/doorkeeper/secret_storing/plain.rb +33 -0
- data/lib/doorkeeper/secret_storing/sha256_hash.rb +26 -0
- data/lib/doorkeeper/server.rb +9 -11
- data/lib/doorkeeper/stale_records_cleaner.rb +24 -0
- data/lib/doorkeeper/validations.rb +2 -0
- data/lib/doorkeeper/version.rb +7 -29
- data/lib/doorkeeper.rb +111 -64
- data/lib/generators/doorkeeper/application_owner_generator.rb +24 -18
- data/lib/generators/doorkeeper/confidential_applications_generator.rb +33 -0
- data/lib/generators/doorkeeper/enable_polymorphic_resource_owner_generator.rb +39 -0
- data/lib/generators/doorkeeper/install_generator.rb +19 -9
- data/lib/generators/doorkeeper/migration_generator.rb +23 -18
- data/lib/generators/doorkeeper/pkce_generator.rb +33 -0
- data/lib/generators/doorkeeper/previous_refresh_token_generator.rb +28 -22
- data/{spec/dummy/db/migrate/20180210183654_add_confidential_to_application.rb → lib/generators/doorkeeper/templates/add_confidential_to_applications.rb.erb} +2 -2
- data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +3 -1
- data/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb.erb +2 -0
- data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +8 -0
- data/lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb +17 -0
- data/lib/generators/doorkeeper/templates/initializer.rb +382 -30
- data/lib/generators/doorkeeper/templates/migration.rb.erb +35 -16
- data/lib/generators/doorkeeper/views_generator.rb +8 -4
- data/vendor/assets/stylesheets/doorkeeper/bootstrap.min.css +4 -5
- metadata +95 -309
- data/.coveralls.yml +0 -1
- data/.github/ISSUE_TEMPLATE.md +0 -25
- data/.github/PULL_REQUEST_TEMPLATE.md +0 -17
- data/.gitignore +0 -19
- data/.hound.yml +0 -2
- data/.rspec +0 -1
- data/.rubocop.yml +0 -17
- data/.travis.yml +0 -38
- data/Appraisals +0 -18
- data/CODE_OF_CONDUCT.md +0 -46
- data/CONTRIBUTING.md +0 -47
- data/Gemfile +0 -10
- data/RELEASING.md +0 -10
- data/Rakefile +0 -20
- data/SECURITY.md +0 -15
- data/app/validators/redirect_uri_validator.rb +0 -44
- data/doorkeeper.gemspec +0 -32
- data/gemfiles/rails_4_2.gemfile +0 -13
- data/gemfiles/rails_5_0.gemfile +0 -12
- data/gemfiles/rails_5_1.gemfile +0 -12
- data/gemfiles/rails_5_2.gemfile +0 -12
- data/gemfiles/rails_master.gemfile +0 -14
- data/lib/doorkeeper/oauth/client_credentials/validation.rb +0 -45
- data/lib/generators/doorkeeper/add_client_confidentiality_generator.rb +0 -31
- data/lib/generators/doorkeeper/templates/add_confidential_to_application_migration.rb.erb +0 -11
- data/spec/controllers/application_metal_controller.rb +0 -10
- data/spec/controllers/applications_controller_spec.rb +0 -69
- data/spec/controllers/authorizations_controller_spec.rb +0 -250
- data/spec/controllers/protected_resources_controller_spec.rb +0 -309
- data/spec/controllers/token_info_controller_spec.rb +0 -56
- data/spec/controllers/tokens_controller_spec.rb +0 -274
- data/spec/dummy/Rakefile +0 -7
- data/spec/dummy/app/controllers/application_controller.rb +0 -3
- data/spec/dummy/app/controllers/custom_authorizations_controller.rb +0 -7
- data/spec/dummy/app/controllers/full_protected_resources_controller.rb +0 -12
- data/spec/dummy/app/controllers/home_controller.rb +0 -17
- data/spec/dummy/app/controllers/metal_controller.rb +0 -11
- data/spec/dummy/app/controllers/semi_protected_resources_controller.rb +0 -11
- data/spec/dummy/app/helpers/application_helper.rb +0 -5
- data/spec/dummy/app/models/user.rb +0 -5
- data/spec/dummy/app/views/home/index.html.erb +0 -0
- data/spec/dummy/app/views/layouts/application.html.erb +0 -14
- data/spec/dummy/config/application.rb +0 -23
- data/spec/dummy/config/boot.rb +0 -9
- data/spec/dummy/config/database.yml +0 -15
- data/spec/dummy/config/environment.rb +0 -5
- data/spec/dummy/config/environments/development.rb +0 -29
- data/spec/dummy/config/environments/production.rb +0 -62
- data/spec/dummy/config/environments/test.rb +0 -44
- data/spec/dummy/config/initializers/backtrace_silencers.rb +0 -7
- data/spec/dummy/config/initializers/doorkeeper.rb +0 -112
- data/spec/dummy/config/initializers/new_framework_defaults.rb +0 -6
- data/spec/dummy/config/initializers/secret_token.rb +0 -8
- data/spec/dummy/config/initializers/session_store.rb +0 -8
- data/spec/dummy/config/initializers/wrap_parameters.rb +0 -14
- data/spec/dummy/config/locales/doorkeeper.en.yml +0 -5
- data/spec/dummy/config/routes.rb +0 -52
- data/spec/dummy/config.ru +0 -4
- data/spec/dummy/db/migrate/20111122132257_create_users.rb +0 -11
- data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb +0 -7
- data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +0 -62
- data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb +0 -9
- data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb +0 -13
- data/spec/dummy/db/schema.rb +0 -68
- data/spec/dummy/public/404.html +0 -26
- data/spec/dummy/public/422.html +0 -26
- data/spec/dummy/public/500.html +0 -26
- data/spec/dummy/public/favicon.ico +0 -0
- data/spec/dummy/script/rails +0 -6
- data/spec/factories.rb +0 -28
- data/spec/generators/application_owner_generator_spec.rb +0 -41
- data/spec/generators/install_generator_spec.rb +0 -31
- data/spec/generators/migration_generator_spec.rb +0 -41
- data/spec/generators/previous_refresh_token_generator_spec.rb +0 -57
- data/spec/generators/templates/routes.rb +0 -3
- data/spec/generators/views_generator_spec.rb +0 -27
- data/spec/grape/grape_integration_spec.rb +0 -135
- data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +0 -24
- data/spec/lib/config_spec.rb +0 -462
- data/spec/lib/doorkeeper_spec.rb +0 -150
- data/spec/lib/models/expirable_spec.rb +0 -50
- data/spec/lib/models/revocable_spec.rb +0 -59
- data/spec/lib/models/scopes_spec.rb +0 -43
- data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -41
- data/spec/lib/oauth/authorization_code_request_spec.rb +0 -123
- data/spec/lib/oauth/base_request_spec.rb +0 -155
- data/spec/lib/oauth/base_response_spec.rb +0 -45
- data/spec/lib/oauth/client/credentials_spec.rb +0 -90
- data/spec/lib/oauth/client_credentials/creator_spec.rb +0 -44
- data/spec/lib/oauth/client_credentials/issuer_spec.rb +0 -86
- data/spec/lib/oauth/client_credentials/validation_spec.rb +0 -54
- data/spec/lib/oauth/client_credentials_integration_spec.rb +0 -27
- data/spec/lib/oauth/client_credentials_request_spec.rb +0 -105
- data/spec/lib/oauth/client_spec.rb +0 -39
- data/spec/lib/oauth/code_request_spec.rb +0 -43
- data/spec/lib/oauth/code_response_spec.rb +0 -34
- data/spec/lib/oauth/error_response_spec.rb +0 -61
- data/spec/lib/oauth/error_spec.rb +0 -23
- data/spec/lib/oauth/forbidden_token_response_spec.rb +0 -23
- data/spec/lib/oauth/helpers/scope_checker_spec.rb +0 -64
- data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -20
- data/spec/lib/oauth/helpers/uri_checker_spec.rb +0 -218
- data/spec/lib/oauth/invalid_token_response_spec.rb +0 -56
- data/spec/lib/oauth/password_access_token_request_spec.rb +0 -96
- data/spec/lib/oauth/pre_authorization_spec.rb +0 -160
- data/spec/lib/oauth/refresh_token_request_spec.rb +0 -166
- data/spec/lib/oauth/scopes_spec.rb +0 -149
- data/spec/lib/oauth/token_request_spec.rb +0 -96
- data/spec/lib/oauth/token_response_spec.rb +0 -85
- data/spec/lib/oauth/token_spec.rb +0 -116
- data/spec/lib/request/strategy_spec.rb +0 -53
- data/spec/lib/server_spec.rb +0 -59
- data/spec/models/doorkeeper/access_grant_spec.rb +0 -36
- data/spec/models/doorkeeper/access_token_spec.rb +0 -418
- data/spec/models/doorkeeper/application_spec.rb +0 -303
- data/spec/requests/applications/applications_request_spec.rb +0 -94
- data/spec/requests/applications/authorized_applications_spec.rb +0 -30
- data/spec/requests/endpoints/authorization_spec.rb +0 -71
- data/spec/requests/endpoints/token_spec.rb +0 -71
- data/spec/requests/flows/authorization_code_errors_spec.rb +0 -76
- data/spec/requests/flows/authorization_code_spec.rb +0 -149
- data/spec/requests/flows/client_credentials_spec.rb +0 -86
- data/spec/requests/flows/implicit_grant_errors_spec.rb +0 -32
- data/spec/requests/flows/implicit_grant_spec.rb +0 -61
- data/spec/requests/flows/password_spec.rb +0 -197
- data/spec/requests/flows/refresh_token_spec.rb +0 -174
- data/spec/requests/flows/revoke_token_spec.rb +0 -157
- data/spec/requests/flows/skip_authorization_spec.rb +0 -59
- data/spec/requests/protected_resources/metal_spec.rb +0 -14
- data/spec/requests/protected_resources/private_api_spec.rb +0 -81
- data/spec/routing/custom_controller_routes_spec.rb +0 -75
- data/spec/routing/default_routes_spec.rb +0 -39
- data/spec/routing/scoped_routes_spec.rb +0 -31
- data/spec/spec_helper.rb +0 -4
- data/spec/spec_helper_integration.rb +0 -74
- data/spec/support/dependencies/factory_girl.rb +0 -2
- data/spec/support/helpers/access_token_request_helper.rb +0 -11
- data/spec/support/helpers/authorization_request_helper.rb +0 -41
- data/spec/support/helpers/config_helper.rb +0 -9
- data/spec/support/helpers/model_helper.rb +0 -72
- data/spec/support/helpers/request_spec_helper.rb +0 -88
- data/spec/support/helpers/url_helper.rb +0 -56
- data/spec/support/http_method_shim.rb +0 -38
- data/spec/support/orm/active_record.rb +0 -3
- data/spec/support/shared/controllers_shared_context.rb +0 -65
- data/spec/support/shared/models_shared_examples.rb +0 -52
- data/spec/validators/redirect_uri_validator_spec.rb +0 -123
- data/spec/version/version_spec.rb +0 -15
|
@@ -1,197 +0,0 @@
|
|
|
1
|
-
require 'spec_helper_integration'
|
|
2
|
-
|
|
3
|
-
describe 'Resource Owner Password Credentials Flow not set up' do
|
|
4
|
-
before do
|
|
5
|
-
client_exists
|
|
6
|
-
create_resource_owner
|
|
7
|
-
end
|
|
8
|
-
|
|
9
|
-
context 'with valid user credentials' do
|
|
10
|
-
it 'doesn\'t issue new token' do
|
|
11
|
-
expect do
|
|
12
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
|
13
|
-
end.to_not(change { Doorkeeper::AccessToken.count })
|
|
14
|
-
end
|
|
15
|
-
end
|
|
16
|
-
end
|
|
17
|
-
|
|
18
|
-
describe 'Resource Owner Password Credentials Flow' do
|
|
19
|
-
let(:client_attributes) { {} }
|
|
20
|
-
|
|
21
|
-
before do
|
|
22
|
-
config_is_set(:grant_flows, ["password"])
|
|
23
|
-
config_is_set(:resource_owner_from_credentials) { User.authenticate! params[:username], params[:password] }
|
|
24
|
-
client_exists(client_attributes)
|
|
25
|
-
create_resource_owner
|
|
26
|
-
end
|
|
27
|
-
|
|
28
|
-
context 'with valid user credentials' do
|
|
29
|
-
context "with non-confidential/public client" do
|
|
30
|
-
let(:client_attributes) { { confidential: false } }
|
|
31
|
-
|
|
32
|
-
context "when client_secret absent" do
|
|
33
|
-
it "should issue new token" do
|
|
34
|
-
expect do
|
|
35
|
-
post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
|
|
36
|
-
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
|
37
|
-
|
|
38
|
-
token = Doorkeeper::AccessToken.first
|
|
39
|
-
|
|
40
|
-
expect(token.application_id).to eq @client.id
|
|
41
|
-
should_have_json 'access_token', token.token
|
|
42
|
-
end
|
|
43
|
-
end
|
|
44
|
-
|
|
45
|
-
context "when client_secret present" do
|
|
46
|
-
it "should issue new token" do
|
|
47
|
-
expect do
|
|
48
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
|
49
|
-
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
|
50
|
-
|
|
51
|
-
token = Doorkeeper::AccessToken.first
|
|
52
|
-
|
|
53
|
-
expect(token.application_id).to eq @client.id
|
|
54
|
-
should_have_json 'access_token', token.token
|
|
55
|
-
end
|
|
56
|
-
|
|
57
|
-
context "when client_secret incorrect" do
|
|
58
|
-
it "should not issue new token" do
|
|
59
|
-
expect do
|
|
60
|
-
post password_token_endpoint_url(client_id: @client.uid, client_secret: 'foobar', resource_owner: @resource_owner)
|
|
61
|
-
end.not_to(change { Doorkeeper::AccessToken.count })
|
|
62
|
-
|
|
63
|
-
expect(response).not_to be_ok
|
|
64
|
-
end
|
|
65
|
-
end
|
|
66
|
-
end
|
|
67
|
-
end
|
|
68
|
-
|
|
69
|
-
context "with confidential/private client" do
|
|
70
|
-
it "should issue new token" do
|
|
71
|
-
expect do
|
|
72
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
|
73
|
-
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
|
74
|
-
|
|
75
|
-
token = Doorkeeper::AccessToken.first
|
|
76
|
-
|
|
77
|
-
expect(token.application_id).to eq @client.id
|
|
78
|
-
should_have_json 'access_token', token.token
|
|
79
|
-
end
|
|
80
|
-
|
|
81
|
-
context "when client_secret absent" do
|
|
82
|
-
it "should not issue new token" do
|
|
83
|
-
expect do
|
|
84
|
-
post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
|
|
85
|
-
end.not_to(change { Doorkeeper::AccessToken.count })
|
|
86
|
-
|
|
87
|
-
expect(response).not_to be_ok
|
|
88
|
-
end
|
|
89
|
-
end
|
|
90
|
-
end
|
|
91
|
-
|
|
92
|
-
it 'should issue new token without client credentials' do
|
|
93
|
-
expect do
|
|
94
|
-
post password_token_endpoint_url(resource_owner: @resource_owner)
|
|
95
|
-
end.to(change { Doorkeeper::AccessToken.count }.by(1))
|
|
96
|
-
|
|
97
|
-
token = Doorkeeper::AccessToken.first
|
|
98
|
-
|
|
99
|
-
expect(token.application_id).to be_nil
|
|
100
|
-
should_have_json 'access_token', token.token
|
|
101
|
-
end
|
|
102
|
-
|
|
103
|
-
it 'should issue a refresh token if enabled' do
|
|
104
|
-
config_is_set(:refresh_token_enabled, true)
|
|
105
|
-
|
|
106
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
|
107
|
-
|
|
108
|
-
token = Doorkeeper::AccessToken.first
|
|
109
|
-
|
|
110
|
-
should_have_json 'refresh_token', token.refresh_token
|
|
111
|
-
end
|
|
112
|
-
|
|
113
|
-
it 'should return the same token if it is still accessible' do
|
|
114
|
-
allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
|
|
115
|
-
|
|
116
|
-
client_is_authorized(@client, @resource_owner)
|
|
117
|
-
|
|
118
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
|
119
|
-
|
|
120
|
-
expect(Doorkeeper::AccessToken.count).to be(1)
|
|
121
|
-
should_have_json 'access_token', Doorkeeper::AccessToken.first.token
|
|
122
|
-
end
|
|
123
|
-
|
|
124
|
-
context 'with valid, default scope' do
|
|
125
|
-
before do
|
|
126
|
-
default_scopes_exist :public
|
|
127
|
-
end
|
|
128
|
-
|
|
129
|
-
it 'should issue new token' do
|
|
130
|
-
expect do
|
|
131
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner, scope: 'public')
|
|
132
|
-
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
|
133
|
-
|
|
134
|
-
token = Doorkeeper::AccessToken.first
|
|
135
|
-
|
|
136
|
-
expect(token.application_id).to eq @client.id
|
|
137
|
-
should_have_json 'access_token', token.token
|
|
138
|
-
should_have_json 'scope', 'public'
|
|
139
|
-
end
|
|
140
|
-
end
|
|
141
|
-
end
|
|
142
|
-
|
|
143
|
-
context 'with invalid scopes' do
|
|
144
|
-
subject do
|
|
145
|
-
post password_token_endpoint_url(client: @client,
|
|
146
|
-
resource_owner: @resource_owner,
|
|
147
|
-
scope: 'random')
|
|
148
|
-
end
|
|
149
|
-
|
|
150
|
-
it 'should not issue new token' do
|
|
151
|
-
expect { subject }.to_not(change { Doorkeeper::AccessToken.count })
|
|
152
|
-
end
|
|
153
|
-
|
|
154
|
-
it 'should return invalid_scope error' do
|
|
155
|
-
subject
|
|
156
|
-
should_have_json 'error', 'invalid_scope'
|
|
157
|
-
should_have_json 'error_description', translated_error_message(:invalid_scope)
|
|
158
|
-
should_not_have_json 'access_token'
|
|
159
|
-
|
|
160
|
-
expect(response.status).to eq(401)
|
|
161
|
-
end
|
|
162
|
-
end
|
|
163
|
-
|
|
164
|
-
context 'with invalid user credentials' do
|
|
165
|
-
it 'should not issue new token with bad password' do
|
|
166
|
-
expect do
|
|
167
|
-
post password_token_endpoint_url(client: @client,
|
|
168
|
-
resource_owner_username: @resource_owner.name,
|
|
169
|
-
resource_owner_password: 'wrongpassword')
|
|
170
|
-
end.to_not(change { Doorkeeper::AccessToken.count })
|
|
171
|
-
end
|
|
172
|
-
|
|
173
|
-
it 'should not issue new token without credentials' do
|
|
174
|
-
expect do
|
|
175
|
-
post password_token_endpoint_url(client: @client)
|
|
176
|
-
end.to_not(change { Doorkeeper::AccessToken.count })
|
|
177
|
-
end
|
|
178
|
-
end
|
|
179
|
-
|
|
180
|
-
context 'with invalid confidential client credentials' do
|
|
181
|
-
it 'should not issue new token with bad client credentials' do
|
|
182
|
-
expect do
|
|
183
|
-
post password_token_endpoint_url(client_id: @client.uid,
|
|
184
|
-
client_secret: 'bad_secret',
|
|
185
|
-
resource_owner: @resource_owner)
|
|
186
|
-
end.to_not(change { Doorkeeper::AccessToken.count })
|
|
187
|
-
end
|
|
188
|
-
end
|
|
189
|
-
|
|
190
|
-
context 'with invalid public client id' do
|
|
191
|
-
it 'should not issue new token with bad client id' do
|
|
192
|
-
expect do
|
|
193
|
-
post password_token_endpoint_url(client_id: 'bad_id', resource_owner: @resource_owner)
|
|
194
|
-
end.to_not(change { Doorkeeper::AccessToken.count })
|
|
195
|
-
end
|
|
196
|
-
end
|
|
197
|
-
end
|
|
@@ -1,174 +0,0 @@
|
|
|
1
|
-
require 'spec_helper_integration'
|
|
2
|
-
|
|
3
|
-
describe 'Refresh Token Flow' do
|
|
4
|
-
before do
|
|
5
|
-
Doorkeeper.configure do
|
|
6
|
-
orm DOORKEEPER_ORM
|
|
7
|
-
use_refresh_token
|
|
8
|
-
end
|
|
9
|
-
client_exists
|
|
10
|
-
end
|
|
11
|
-
|
|
12
|
-
context 'issuing a refresh token' do
|
|
13
|
-
before do
|
|
14
|
-
authorization_code_exists application: @client
|
|
15
|
-
end
|
|
16
|
-
|
|
17
|
-
it 'client gets the refresh token and refreshses it' do
|
|
18
|
-
post token_endpoint_url(code: @authorization.token, client: @client)
|
|
19
|
-
|
|
20
|
-
token = Doorkeeper::AccessToken.first
|
|
21
|
-
|
|
22
|
-
should_have_json 'access_token', token.token
|
|
23
|
-
should_have_json 'refresh_token', token.refresh_token
|
|
24
|
-
|
|
25
|
-
expect(@authorization.reload).to be_revoked
|
|
26
|
-
|
|
27
|
-
post refresh_token_endpoint_url(client: @client, refresh_token: token.refresh_token)
|
|
28
|
-
|
|
29
|
-
new_token = Doorkeeper::AccessToken.last
|
|
30
|
-
should_have_json 'access_token', new_token.token
|
|
31
|
-
should_have_json 'refresh_token', new_token.refresh_token
|
|
32
|
-
|
|
33
|
-
expect(token.token).not_to eq(new_token.token)
|
|
34
|
-
expect(token.refresh_token).not_to eq(new_token.refresh_token)
|
|
35
|
-
end
|
|
36
|
-
end
|
|
37
|
-
|
|
38
|
-
context 'refreshing the token' do
|
|
39
|
-
before do
|
|
40
|
-
@token = FactoryBot.create(
|
|
41
|
-
:access_token,
|
|
42
|
-
application: @client,
|
|
43
|
-
resource_owner_id: 1,
|
|
44
|
-
use_refresh_token: true
|
|
45
|
-
)
|
|
46
|
-
end
|
|
47
|
-
|
|
48
|
-
context "refresh_token revoked on use" do
|
|
49
|
-
it 'client request a token with refresh token' do
|
|
50
|
-
post refresh_token_endpoint_url(
|
|
51
|
-
client: @client, refresh_token: @token.refresh_token
|
|
52
|
-
)
|
|
53
|
-
should_have_json(
|
|
54
|
-
'refresh_token', Doorkeeper::AccessToken.last.refresh_token
|
|
55
|
-
)
|
|
56
|
-
expect(@token.reload).not_to be_revoked
|
|
57
|
-
end
|
|
58
|
-
|
|
59
|
-
it 'client request a token with expired access token' do
|
|
60
|
-
@token.update_attribute :expires_in, -100
|
|
61
|
-
post refresh_token_endpoint_url(
|
|
62
|
-
client: @client, refresh_token: @token.refresh_token
|
|
63
|
-
)
|
|
64
|
-
should_have_json(
|
|
65
|
-
'refresh_token', Doorkeeper::AccessToken.last.refresh_token
|
|
66
|
-
)
|
|
67
|
-
expect(@token.reload).not_to be_revoked
|
|
68
|
-
end
|
|
69
|
-
end
|
|
70
|
-
|
|
71
|
-
context "refresh_token revoked on refresh_token request" do
|
|
72
|
-
before do
|
|
73
|
-
allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
|
|
74
|
-
end
|
|
75
|
-
|
|
76
|
-
it 'client request a token with refresh token' do
|
|
77
|
-
post refresh_token_endpoint_url(
|
|
78
|
-
client: @client, refresh_token: @token.refresh_token
|
|
79
|
-
)
|
|
80
|
-
should_have_json(
|
|
81
|
-
'refresh_token', Doorkeeper::AccessToken.last.refresh_token
|
|
82
|
-
)
|
|
83
|
-
expect(@token.reload).to be_revoked
|
|
84
|
-
end
|
|
85
|
-
|
|
86
|
-
it 'client request a token with expired access token' do
|
|
87
|
-
@token.update_attribute :expires_in, -100
|
|
88
|
-
post refresh_token_endpoint_url(
|
|
89
|
-
client: @client, refresh_token: @token.refresh_token
|
|
90
|
-
)
|
|
91
|
-
should_have_json(
|
|
92
|
-
'refresh_token', Doorkeeper::AccessToken.last.refresh_token
|
|
93
|
-
)
|
|
94
|
-
expect(@token.reload).to be_revoked
|
|
95
|
-
end
|
|
96
|
-
end
|
|
97
|
-
|
|
98
|
-
it 'client gets an error for invalid refresh token' do
|
|
99
|
-
post refresh_token_endpoint_url(client: @client, refresh_token: 'invalid')
|
|
100
|
-
should_not_have_json 'refresh_token'
|
|
101
|
-
should_have_json 'error', 'invalid_grant'
|
|
102
|
-
end
|
|
103
|
-
|
|
104
|
-
it 'client gets an error for revoked access token' do
|
|
105
|
-
@token.revoke
|
|
106
|
-
post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
|
|
107
|
-
should_not_have_json 'refresh_token'
|
|
108
|
-
should_have_json 'error', 'invalid_grant'
|
|
109
|
-
end
|
|
110
|
-
|
|
111
|
-
it 'second of simultaneous client requests get an error for revoked access token' do
|
|
112
|
-
allow_any_instance_of(Doorkeeper::AccessToken).to receive(:revoked?).and_return(false, true)
|
|
113
|
-
post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
|
|
114
|
-
|
|
115
|
-
should_not_have_json 'refresh_token'
|
|
116
|
-
should_have_json 'error', 'invalid_request'
|
|
117
|
-
end
|
|
118
|
-
end
|
|
119
|
-
|
|
120
|
-
context 'refreshing the token with multiple sessions (devices)' do
|
|
121
|
-
before do
|
|
122
|
-
# enable password auth to simulate other devices
|
|
123
|
-
config_is_set(:grant_flows, ["password"])
|
|
124
|
-
config_is_set(:resource_owner_from_credentials) do
|
|
125
|
-
User.authenticate! params[:username], params[:password]
|
|
126
|
-
end
|
|
127
|
-
create_resource_owner
|
|
128
|
-
_another_token = post password_token_endpoint_url(
|
|
129
|
-
client: @client, resource_owner: @resource_owner
|
|
130
|
-
)
|
|
131
|
-
last_token.update_attribute :created_at, 5.seconds.ago
|
|
132
|
-
|
|
133
|
-
@token = FactoryBot.create(
|
|
134
|
-
:access_token,
|
|
135
|
-
application: @client,
|
|
136
|
-
resource_owner_id: @resource_owner.id,
|
|
137
|
-
use_refresh_token: true
|
|
138
|
-
)
|
|
139
|
-
@token.update_attribute :expires_in, -100
|
|
140
|
-
end
|
|
141
|
-
|
|
142
|
-
context "refresh_token revoked on use" do
|
|
143
|
-
it 'client request a token after creating another token with the same user' do
|
|
144
|
-
post refresh_token_endpoint_url(
|
|
145
|
-
client: @client, refresh_token: @token.refresh_token
|
|
146
|
-
)
|
|
147
|
-
|
|
148
|
-
should_have_json 'refresh_token', last_token.refresh_token
|
|
149
|
-
expect(@token.reload).not_to be_revoked
|
|
150
|
-
end
|
|
151
|
-
end
|
|
152
|
-
|
|
153
|
-
context "refresh_token revoked on refresh_token request" do
|
|
154
|
-
before do
|
|
155
|
-
allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
|
|
156
|
-
end
|
|
157
|
-
|
|
158
|
-
it 'client request a token after creating another token with the same user' do
|
|
159
|
-
post refresh_token_endpoint_url(
|
|
160
|
-
client: @client, refresh_token: @token.refresh_token
|
|
161
|
-
)
|
|
162
|
-
|
|
163
|
-
should_have_json 'refresh_token', last_token.refresh_token
|
|
164
|
-
expect(@token.reload).to be_revoked
|
|
165
|
-
end
|
|
166
|
-
end
|
|
167
|
-
|
|
168
|
-
def last_token
|
|
169
|
-
Doorkeeper::AccessToken.last_authorized_token_for(
|
|
170
|
-
@client.id, @resource_owner.id
|
|
171
|
-
)
|
|
172
|
-
end
|
|
173
|
-
end
|
|
174
|
-
end
|
|
@@ -1,157 +0,0 @@
|
|
|
1
|
-
require 'spec_helper_integration'
|
|
2
|
-
|
|
3
|
-
describe 'Revoke Token Flow' do
|
|
4
|
-
before do
|
|
5
|
-
Doorkeeper.configure { orm DOORKEEPER_ORM }
|
|
6
|
-
end
|
|
7
|
-
|
|
8
|
-
context 'with default parameters' do
|
|
9
|
-
let(:client_application) { FactoryBot.create :application }
|
|
10
|
-
let(:resource_owner) { User.create!(name: 'John', password: 'sekret') }
|
|
11
|
-
let(:access_token) do
|
|
12
|
-
FactoryBot.create(:access_token,
|
|
13
|
-
application: client_application,
|
|
14
|
-
resource_owner_id: resource_owner.id,
|
|
15
|
-
use_refresh_token: true)
|
|
16
|
-
end
|
|
17
|
-
|
|
18
|
-
context 'with authenticated, confidential OAuth 2.0 client/application' do
|
|
19
|
-
let(:headers) do
|
|
20
|
-
client_id = client_application.uid
|
|
21
|
-
client_secret = client_application.secret
|
|
22
|
-
credentials = Base64.encode64("#{client_id}:#{client_secret}")
|
|
23
|
-
{ 'HTTP_AUTHORIZATION' => "Basic #{credentials}" }
|
|
24
|
-
end
|
|
25
|
-
|
|
26
|
-
it 'should revoke the access token provided' do
|
|
27
|
-
post revocation_token_endpoint_url, { token: access_token.token }, headers
|
|
28
|
-
|
|
29
|
-
access_token.reload
|
|
30
|
-
|
|
31
|
-
expect(response).to be_successful
|
|
32
|
-
expect(access_token.revoked?).to be_truthy
|
|
33
|
-
end
|
|
34
|
-
|
|
35
|
-
it 'should revoke the refresh token provided' do
|
|
36
|
-
post revocation_token_endpoint_url, { token: access_token.refresh_token }, headers
|
|
37
|
-
|
|
38
|
-
access_token.reload
|
|
39
|
-
|
|
40
|
-
expect(response).to be_successful
|
|
41
|
-
expect(access_token.revoked?).to be_truthy
|
|
42
|
-
end
|
|
43
|
-
|
|
44
|
-
context 'with invalid token to revoke' do
|
|
45
|
-
it 'should not revoke any tokens and respond successfully' do
|
|
46
|
-
num_prev_revoked_tokens = Doorkeeper::AccessToken.where(revoked_at: nil).count
|
|
47
|
-
post revocation_token_endpoint_url, { token: 'I_AM_AN_INVALID_TOKEN' }, headers
|
|
48
|
-
|
|
49
|
-
# The authorization server responds with HTTP status code 200 even if
|
|
50
|
-
# token is invalid
|
|
51
|
-
expect(response).to be_successful
|
|
52
|
-
expect(Doorkeeper::AccessToken.where(revoked_at: nil).count).to eq(num_prev_revoked_tokens)
|
|
53
|
-
end
|
|
54
|
-
end
|
|
55
|
-
|
|
56
|
-
context 'with bad credentials and a valid token' do
|
|
57
|
-
let(:headers) do
|
|
58
|
-
client_id = client_application.uid
|
|
59
|
-
credentials = Base64.encode64("#{client_id}:poop")
|
|
60
|
-
{ 'HTTP_AUTHORIZATION' => "Basic #{credentials}" }
|
|
61
|
-
end
|
|
62
|
-
it 'should not revoke any tokens and respond successfully' do
|
|
63
|
-
post revocation_token_endpoint_url, { token: access_token.token }, headers
|
|
64
|
-
|
|
65
|
-
access_token.reload
|
|
66
|
-
|
|
67
|
-
expect(response).to be_successful
|
|
68
|
-
expect(access_token.revoked?).to be_falsey
|
|
69
|
-
end
|
|
70
|
-
end
|
|
71
|
-
|
|
72
|
-
context 'with no credentials and a valid token' do
|
|
73
|
-
it 'should not revoke any tokens and respond successfully' do
|
|
74
|
-
post revocation_token_endpoint_url, { token: access_token.token }
|
|
75
|
-
|
|
76
|
-
access_token.reload
|
|
77
|
-
|
|
78
|
-
expect(response).to be_successful
|
|
79
|
-
expect(access_token.revoked?).to be_falsey
|
|
80
|
-
end
|
|
81
|
-
end
|
|
82
|
-
|
|
83
|
-
context 'with valid token for another client application' do
|
|
84
|
-
let(:other_client_application) { FactoryBot.create :application }
|
|
85
|
-
let(:headers) do
|
|
86
|
-
client_id = other_client_application.uid
|
|
87
|
-
client_secret = other_client_application.secret
|
|
88
|
-
credentials = Base64.encode64("#{client_id}:#{client_secret}")
|
|
89
|
-
{ 'HTTP_AUTHORIZATION' => "Basic #{credentials}" }
|
|
90
|
-
end
|
|
91
|
-
|
|
92
|
-
it 'should not revoke the token as its unauthorized' do
|
|
93
|
-
post revocation_token_endpoint_url, { token: access_token.token }, headers
|
|
94
|
-
|
|
95
|
-
access_token.reload
|
|
96
|
-
|
|
97
|
-
expect(response).to be_successful
|
|
98
|
-
expect(access_token.revoked?).to be_falsey
|
|
99
|
-
end
|
|
100
|
-
end
|
|
101
|
-
end
|
|
102
|
-
|
|
103
|
-
context 'with public OAuth 2.0 client/application' do
|
|
104
|
-
let(:access_token) do
|
|
105
|
-
FactoryBot.create(:access_token,
|
|
106
|
-
application: nil,
|
|
107
|
-
resource_owner_id: resource_owner.id,
|
|
108
|
-
use_refresh_token: true)
|
|
109
|
-
end
|
|
110
|
-
|
|
111
|
-
it 'should revoke the access token provided' do
|
|
112
|
-
post revocation_token_endpoint_url, { token: access_token.token }
|
|
113
|
-
|
|
114
|
-
access_token.reload
|
|
115
|
-
|
|
116
|
-
expect(response).to be_successful
|
|
117
|
-
expect(access_token.revoked?).to be_truthy
|
|
118
|
-
end
|
|
119
|
-
|
|
120
|
-
it 'should revoke the refresh token provided' do
|
|
121
|
-
post revocation_token_endpoint_url, { token: access_token.refresh_token }
|
|
122
|
-
|
|
123
|
-
access_token.reload
|
|
124
|
-
|
|
125
|
-
expect(response).to be_successful
|
|
126
|
-
expect(access_token.revoked?).to be_truthy
|
|
127
|
-
end
|
|
128
|
-
|
|
129
|
-
context 'with a valid token issued for a confidential client' do
|
|
130
|
-
let(:access_token) do
|
|
131
|
-
FactoryBot.create(:access_token,
|
|
132
|
-
application: client_application,
|
|
133
|
-
resource_owner_id: resource_owner.id,
|
|
134
|
-
use_refresh_token: true)
|
|
135
|
-
end
|
|
136
|
-
|
|
137
|
-
it 'should not revoke the access token provided' do
|
|
138
|
-
post revocation_token_endpoint_url, { token: access_token.token }
|
|
139
|
-
|
|
140
|
-
access_token.reload
|
|
141
|
-
|
|
142
|
-
expect(response).to be_successful
|
|
143
|
-
expect(access_token.revoked?).to be_falsey
|
|
144
|
-
end
|
|
145
|
-
|
|
146
|
-
it 'should not revoke the refresh token provided' do
|
|
147
|
-
post revocation_token_endpoint_url, { token: access_token.token }
|
|
148
|
-
|
|
149
|
-
access_token.reload
|
|
150
|
-
|
|
151
|
-
expect(response).to be_successful
|
|
152
|
-
expect(access_token.revoked?).to be_falsey
|
|
153
|
-
end
|
|
154
|
-
end
|
|
155
|
-
end
|
|
156
|
-
end
|
|
157
|
-
end
|