doorkeeper 5.0.3 → 5.1.0.rc1

data/lib/doorkeeper/helpers/controller.rb

@@ -55,8 +55,9 @@ module Doorkeeper
       end
 
       def enforce_content_type
-        return if request.content_type == 'application/x-www-form-urlencoded'
-        render json: {}, status: :unsupported_media_type
+        if (request.put? || request.post? || request.patch?) && request.content_type != 'application/x-www-form-urlencoded'
+          render json: {}, status: :unsupported_media_type
+        end
       end
     end
   end

data/lib/doorkeeper/models/access_grant_mixin.rb

@@ -9,6 +9,7 @@ module Doorkeeper
     include Models::Revocable
     include Models::Accessible
     include Models::Orderable
+    include Models::Hashable
     include Models::Scopes
 
     # never uses pkce, if pkce migrations were not generated
@@ -30,7 +31,13 @@ module Doorkeeper
       #   if there is no record with such token
       #
       def by_token(token)
-        find_by(token: token.to_s)
+        find_by_plaintext_token(:token, token)
+      end
+
+      # We want to perform secret hashing whenever the user
+      # enables the configuration option +hash_token_secrets+
+      def perform_secret_hashing?
+        Doorkeeper.configuration.hash_token_secrets?
       end
 
       # Revokes AccessGrant records that have not been revoked and associated

data/lib/doorkeeper/models/access_token_mixin.rb

@@ -9,20 +9,21 @@ module Doorkeeper
     include Models::Revocable
     include Models::Accessible
     include Models::Orderable
+    include Models::Hashable
     include Models::Scopes
 
     module ClassMethods
       # Returns an instance of the Doorkeeper::AccessToken with
-      # specific token value.
+      # specific plain text token value.
       #
       # @param token [#to_s]
-      #   token value (any object that responds to `#to_s`)
+      #   Plain text token value (any object that responds to `#to_s`)
       #
       # @return [Doorkeeper::AccessToken, nil] AccessToken object or nil
       #   if there is no record with such token
       #
       def by_token(token)
-        find_by(token: token.to_s)
+        find_by_plaintext_token(:token, token)
       end
 
       # Returns an instance of the Doorkeeper::AccessToken
@@ -35,7 +36,13 @@ module Doorkeeper
       #   if there is no record with such refresh token
       #
       def by_refresh_token(refresh_token)
-        find_by(refresh_token: refresh_token.to_s)
+        find_by_plaintext_token(:refresh_token, refresh_token)
+      end
+
+      # We want to perform secret hashing whenever the user
+      # enables the configuration option +hash_token_secrets+
+      def perform_secret_hashing?
+        Doorkeeper.configuration.hash_token_secrets?
       end
 
       # Revokes AccessToken records that have not been revoked and associated
@@ -98,9 +105,9 @@ module Doorkeeper
 
         (token_scopes.sort == param_scopes.sort) &&
           Doorkeeper::OAuth::Helpers::ScopeChecker.valid?(
-            param_scopes.to_s,
-            Doorkeeper.configuration.scopes,
-            app_scopes
+            scope_str: param_scopes.to_s,
+            server_scopes: Doorkeeper.configuration.scopes,
+            app_scopes: app_scopes
           )
       end
 
@@ -219,6 +226,26 @@ module Doorkeeper
       accessible? && includes_scope?(*scopes)
     end
 
+    # We keep a volatile copy of the raw refresh token for initial communication
+    # The stored refresh_token may be mapped and not available in cleartext.
+    def plaintext_refresh_token
+      if perform_secret_hashing?
+        @raw_refresh_token
+      else
+        refresh_token
+      end
+    end
+
+    # We keep a volatile copy of the raw token for initial communication
+    # The stored refresh_token may be mapped and not available in cleartext.
+    def plaintext_token
+      if perform_secret_hashing?
+        @raw_token
+      else
+        token
+      end
+    end
+
     private
 
     # Generates refresh token with UniqueToken generator.
@@ -226,7 +253,8 @@ module Doorkeeper
     # @return [String] refresh token value
     #
     def generate_refresh_token
-      self.refresh_token = UniqueToken.generate
+      @raw_refresh_token = UniqueToken.generate
+      self.refresh_token = hashed_or_plain_token(@raw_refresh_token)
     end
 
     # Generates and sets the token value with the
@@ -242,13 +270,16 @@ module Doorkeeper
     def generate_token
       self.created_at ||= Time.now.utc
 
-      self.token = token_generator.generate(
+      @raw_token = token_generator.generate(
         resource_owner_id: resource_owner_id,
         scopes: scopes,
         application: application,
         expires_in: expires_in,
         created_at: created_at
       )
+
+      self.token = hashed_or_plain_token(@raw_token)
+      @raw_token
     end
 
     def token_generator

data/lib/doorkeeper/models/application_mixin.rb

@@ -1,14 +1,40 @@
 # frozen_string_literal: true
 
+require 'bcrypt'
+
 module Doorkeeper
   module ApplicationMixin
     extend ActiveSupport::Concern
 
     include OAuth::Helpers
     include Models::Orderable
+    include Models::Hashable
     include Models::Scopes
 
+    included do
+      # Use BCrypt as the hashing function for applications
+      self.secret_hash_function = lambda do |plain_token|
+        BCrypt::Password.create(plain_token.to_s)
+      end
+
+      # Also need to override the comparer function for BCrypt
+      self.secret_comparer = lambda do |plain, secret|
+        begin
+          BCrypt::Password.new(secret.to_s) == plain.to_s
+        rescue BCrypt::Errors::InvalidHash
+          false
+        end
+      end
+    end
+
+    # :nodoc
     module ClassMethods
+      # We want to perform secret hashing whenever the user
+      # enables the configuration option +hash_application_secrets+
+      def perform_secret_hashing?
+        Doorkeeper.configuration.hash_application_secrets?
+      end
+
       # Returns an instance of the Doorkeeper::Application with
       # specific UID and secret.
       #
@@ -25,7 +51,7 @@ module Doorkeeper
         app = by_uid(uid)
         return unless app
         return app if secret.blank? && !app.confidential?
-        return unless app.secret == secret
+        return unless app.secret_matches?(secret)
         app
       end
 
@@ -49,5 +75,30 @@ module Doorkeeper
     def redirect_uri=(uris)
       super(uris.is_a?(Array) ? uris.join("\n") : uris)
     end
+
+    # Check whether the given plain text secret matches our stored secret
+    #
+    # @param input [#to_s] Plain secret provided by user
+    #        (any object that responds to `#to_s`)
+    #
+    # @return [true] Whether the given secret matches the stored secret
+    #                of this application.
+    #
+    def secret_matches?(input)
+      # return false if either is nil, since secure_compare depends on strings
+      # but Application secrets MAY be nil depending on confidentiality.
+      return false if input.nil? || secret.nil?
+
+      # When matching the secret by comparer function, all is well.
+      return true if self.class.secret_matches?(input, secret)
+
+      # When fallback lookup is enabled, ensure applications
+      # with plain secrets can still be found
+      if Doorkeeper.configuration.fallback_to_plain_secrets?
+        ActiveSupport::SecurityUtils.secure_compare(input, secret)
+      else
+        false
+      end
+    end
   end
 end

data/lib/doorkeeper/models/concerns/hashable.rb

@@ -0,0 +1,137 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module Models
+    ##
+    # Hashable finder to provide lookups for input plaintext values which are
+    # mapped to their hashes before lookup.
+    module Hashable
+      extend ActiveSupport::Concern
+
+      delegate :perform_secret_hashing?,
+               :hashed_or_plain_token,
+               to: :class
+
+      # :nodoc
+      module ClassMethods
+        # Allow to override the hashing method by the including module
+        attr_accessor :secret_hash_function, :secret_comparer
+
+        # Compare the given plaintext with the secret
+        #
+        # @param input [String]
+        #   The plain input to compare.
+        #
+        # @param secret [String]
+        #   The secret value to compare with.
+        #
+        # @return [Boolean]
+        #   If hashing is enabled: Whether the secret equals hashed input
+        #   If hashing is disabled: Whether input matches secret
+        #
+        def secret_matches?(input, secret)
+          unless perform_secret_hashing?
+            return ActiveSupport::SecurityUtils.secure_compare input, secret
+          end
+
+          (secret_comparer || method(:default_comparer))
+            .call(input, secret)
+        end
+
+        # Returns an instance of the Doorkeeper::AccessToken with
+        # specific token value.
+        #
+        # @param attr [Symbol]
+        #   The token attribute we're looking with.
+        #
+        # @param token [#to_s]
+        #   token value (any object that responds to `#to_s`)
+        #
+        # @return [Doorkeeper::AccessToken, nil] AccessToken object or nil
+        #   if there is no record with such token
+        #
+        def find_by_plaintext_token(attr, token)
+          token = token.to_s
+
+          find_by(attr => hashed_or_plain_token(token)) ||
+            find_by_fallback_token(attr, token)
+        end
+
+        # Allow looking up previously plain tokens as a fallback
+        # IFF respective options are enabled
+        #
+        # @param attr [Symbol]
+        #   The token attribute we're looking with.
+        #
+        # @param token [#to_s]
+        #   token value (any object that responds to `#to_s`)
+        #
+        # @return [Doorkeeper::AccessToken, nil] AccessToken object or nil
+        #   if there is no record with such token
+        #
+        def find_by_fallback_token(attr, token)
+          return nil unless perform_secret_hashing?
+          return nil unless Doorkeeper.configuration.fallback_to_plain_secrets?
+
+          find_by(attr => token).tap do |fallback|
+            upgrade_fallback_value fallback, attr
+          end
+        end
+
+        # Hash the given input token
+        #
+        # @param plain_token [String]
+        #   The plain text token to hash.
+        #
+        # @return [String]
+        #   IFF secret hashing enabled, the hashed token,
+        #   otherwise returns the plain token.
+        def hashed_or_plain_token(plain_token)
+          if perform_secret_hashing?
+            (secret_hash_function || method(:default_hash_function))
+              .call plain_token
+          else
+            plain_token
+          end
+        end
+
+        # Allow implementations in ORMs to replace a plain
+        # value falling back to to avoid it remaining as plain text.
+        #
+        # @param instance
+        #   An instance of this model with a plain value token.
+        #
+        # @param attr
+        #   The token attribute to upgrade
+        #
+        def upgrade_fallback_value(instance, attr)
+          plain_token = instance.public_send attr
+          instance.update_column(attr, hashed_or_plain_token(plain_token))
+        end
+
+        # Including classes can override this function to
+        # disable or enable secret hashing dynamically
+        def perform_secret_hashing?
+          true
+        end
+
+        # Return a default hashing function to be used when including
+        # module or user does not specify what to use
+        # @param plain_token [String]
+        #   The plain text token to hash.
+        #
+        # @return [String] Hashed plain text token
+        #
+        def default_hash_function(plain_token)
+          ::Digest::SHA256.hexdigest plain_token
+        end
+
+        # Return a default comparer for the given hash function
+        def default_comparer(plain, secret)
+          hashed = hashed_or_plain_token(plain)
+          ActiveSupport::SecurityUtils.secure_compare hashed, secret
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/models/concerns/scopes.rb

@@ -4,7 +4,7 @@ module Doorkeeper
   module Models
     module Scopes
       def scopes
-        OAuth::Scopes.from_string(self[:scopes])
+        OAuth::Scopes.from_string(scopes_string)
       end
 
       def scopes_string

data/lib/doorkeeper/oauth/authorization/code.rb

@@ -16,7 +16,7 @@ module Doorkeeper
         end
 
         def native_redirect
-          { action: :show, code: token.token }
+          { action: :show, code: token.plaintext_token }
         end
 
         def configuration

data/lib/doorkeeper/oauth/authorization/token.rb

@@ -62,7 +62,7 @@ module Doorkeeper
           {
             controller: controller,
             action: :show,
-            access_token: token.token
+            access_token: token.plaintext_token
           }
         end
 

data/lib/doorkeeper/oauth/authorization_code_request.rb

@@ -49,7 +49,7 @@ module Doorkeeper
       end
 
       def validate_client
-        !client.nil?
+        client.present?
       end
 
       def validate_grant

data/lib/doorkeeper/oauth/client.rb

@@ -18,7 +18,7 @@ module Doorkeeper
       end
 
       def self.authenticate(credentials, method = Application.method(:by_uid_and_secret))
-        return false if credentials.blank?
+        return if credentials.blank?
 
         if (application = method.call(credentials.uid, credentials.secret))
           new(application)

data/lib/doorkeeper/oauth/client_credentials/validation.rb

@@ -34,9 +34,10 @@ module Doorkeeper
                                end
 
           ScopeChecker.valid?(
-            @request.scopes.to_s,
-            @server.scopes,
-            application_scopes
+            scope_str: @request.scopes.to_s,
+            server_scopes: @server.scopes,
+            app_scopes: application_scopes,
+            grant_type: Doorkeeper::OAuth::CLIENT_CREDENTIALS
           )
         end
       end

data/lib/doorkeeper/oauth/code_response.rb

@@ -23,7 +23,7 @@ module Doorkeeper
         elsif response_on_fragment
           Authorization::URIBuilder.uri_with_fragment(
             pre_auth.redirect_uri,
-            access_token: auth.token.token,
+            access_token: auth.token.plaintext_token,
             token_type: auth.token.token_type,
             expires_in: auth.token.expires_in_seconds,
             state: pre_auth.state
@@ -31,7 +31,7 @@ module Doorkeeper
         else
           Authorization::URIBuilder.uri_with_query(
             pre_auth.redirect_uri,
-            code: auth.token.token,
+            code: auth.token.plaintext_token,
             state: pre_auth.state
           )
         end

data/lib/doorkeeper/oauth/helpers/scope_checker.rb

@@ -7,31 +7,46 @@ module Doorkeeper
         class Validator
           attr_reader :parsed_scopes, :scope_str
 
-          def initialize(scope_str, server_scopes, application_scopes)
+          def initialize(scope_str, server_scopes, app_scopes, grant_type)
             @parsed_scopes = OAuth::Scopes.from_string(scope_str)
             @scope_str = scope_str
-            @valid_scopes = valid_scopes(server_scopes, application_scopes)
+            @valid_scopes = valid_scopes(server_scopes, app_scopes)
+
+            if grant_type
+              @scopes_by_grant_type = Doorkeeper.configuration.scopes_by_grant_type[grant_type.to_sym]
+            end
           end
 
           def valid?
             scope_str.present? &&
               scope_str !~ /[\n\r\t]/ &&
-              @valid_scopes.has_scopes?(parsed_scopes)
+              @valid_scopes.has_scopes?(parsed_scopes) &&
+              permitted_to_grant_type?
           end
 
           private
 
-          def valid_scopes(server_scopes, application_scopes)
-            if application_scopes.present?
-              application_scopes
+          def valid_scopes(server_scopes, app_scopes)
+            if app_scopes.present?
+              app_scopes
             else
               server_scopes
             end
           end
+
+          def permitted_to_grant_type?
+            return true unless @scopes_by_grant_type
+
+            OAuth::Scopes.from_array(@scopes_by_grant_type)
+                         .has_scopes?(parsed_scopes)
+          end
         end
 
-        def self.valid?(scope_str, server_scopes, application_scopes = nil)
-          Validator.new(scope_str, server_scopes, application_scopes).valid?
+        def self.valid?(scope_str:, server_scopes:, app_scopes: nil, grant_type: nil)
+          Validator.new(scope_str,
+                        server_scopes,
+                        app_scopes,
+                        grant_type).valid?
         end
       end
     end