doorkeeper 5.0.3 → 5.1.0.rc1

data/lib/doorkeeper/oauth/helpers/uri_checker.rb

@@ -1,6 +1,25 @@
 # frozen_string_literal: true
+require 'ipaddr'
 
 module Doorkeeper
+  module IPAddrLoopback
+    def loopback?
+      case @family
+      when Socket::AF_INET
+        @addr & 0xff000000 == 0x7f000000
+      when Socket::AF_INET6
+        @addr == 1
+      else
+        raise AddressFamilyError, "unsupported address family"
+      end
+    end
+  end
+
+  # For backward compatibility with old rubies
+  if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("2.5.0")
+    IPAddr.send(:include, Doorkeeper::IPAddrLoopback)
+  end
+
   module OAuth
     module Helpers
       module URIChecker
@@ -23,10 +42,23 @@ module Doorkeeper
             client_url.query = nil
           end
 
+          # RFC8252, Paragraph 7.3
+          # @see https://tools.ietf.org/html/rfc8252#section-7.3
+          if loopback_uri?(url) && loopback_uri?(client_url)
+            url.port = nil
+            client_url.port = nil
+          end
+
           url.query = nil
           url == client_url
         end
 
+        def self.loopback_uri?(uri)
+          IPAddr.new(uri.host).loopback?
+        rescue IPAddr::Error
+          false
+        end
+
         def self.valid_for_authorization?(url, client_url)
           valid?(url) && client_url.split.any? { |other_url| matches?(url, other_url) }
         end

data/lib/doorkeeper/oauth/password_access_token_request.rb

@@ -32,7 +32,12 @@ module Doorkeeper
         client_scopes = client.try(:scopes)
         return true if scopes.blank?
 
-        ScopeChecker.valid?(scopes.to_s, server.scopes, client_scopes)
+        ScopeChecker.valid?(
+          scope_str: scopes.to_s,
+          server_scopes: server.scopes,
+          app_scopes: client_scopes,
+          grant_type: grant_type
+        )
       end
 
       def validate_resource_owner
@@ -40,7 +45,7 @@ module Doorkeeper
       end
 
       def validate_client
-        !parameters[:client_id] || !client.nil?
+        !parameters[:client_id] || client.present?
       end
     end
   end

data/lib/doorkeeper/oauth/pre_authorization.rb

@@ -77,12 +77,17 @@ module Doorkeeper
         return true if scope.blank?
 
         Helpers::ScopeChecker.valid?(
-          scope,
-          server.scopes,
-          client.application.scopes
+          scope_str: scope,
+          server_scopes: server.scopes,
+          app_scopes: client.application.scopes,
+          grant_type: grant_type
         )
       end
 
+      def grant_type
+        response_type == 'code' ? AUTHORIZATION_CODE : IMPLICIT
+      end
+
       def validate_redirect_uri
         return false if redirect_uri.blank?
 

data/lib/doorkeeper/oauth/refresh_token_request.rb

@@ -99,7 +99,10 @@ module Doorkeeper
 
       def validate_scope
         if @original_scopes.present?
-          ScopeChecker.valid?(@original_scopes, refresh_token.scopes)
+          ScopeChecker.valid?(
+            scope_str: @original_scopes,
+            server_scopes: refresh_token.scopes
+          )
         else
           true
         end

data/lib/doorkeeper/oauth/token_response.rb

@@ -11,10 +11,10 @@ module Doorkeeper
 
       def body
         {
-          'access_token'  => token.token,
+          'access_token'  => token.plaintext_token,
           'token_type'    => token.token_type,
           'expires_in'    => token.expires_in_seconds,
-          'refresh_token' => token.refresh_token,
+          'refresh_token' => token.plaintext_refresh_token,
           'scope'         => token.scopes_string,
           'created_at'    => token.created_at.to_i
         }.reject { |_, value| value.blank? }

data/lib/doorkeeper/orm/active_record/access_grant.rb

@@ -16,11 +16,30 @@ module Doorkeeper
 
     belongs_to :application, belongs_to_options
 
-    validates :resource_owner_id, :application_id, :token, :expires_in, :redirect_uri, presence: true
+    validates :resource_owner_id,
+              :application_id,
+              :token,
+              :expires_in,
+              :redirect_uri,
+              presence: true
+
     validates :token, uniqueness: true
 
     before_validation :generate_token, on: :create
 
+    # Keep a reference to the generated token during generation
+    # of this access grant. The actual token may be mapped by
+    # the configuration hasher and may not be available in plaintext.
+    #
+    # If hash tokens are enabled, this will return nil on fetched tokens
+    def plaintext_token
+      if perform_secret_hashing?
+        @raw_token
+      else
+        token
+      end
+    end
+
     private
 
     # Generates token value with UniqueToken class.
@@ -28,7 +47,8 @@ module Doorkeeper
     # @return [String] token value
     #
     def generate_token
-      self.token = UniqueToken.generate
+      @raw_token = UniqueToken.generate
+      self.token = hashed_or_plain_token(@raw_token)
     end
   end
 end

data/lib/doorkeeper/orm/active_record/application.rb

@@ -45,26 +45,13 @@ module Doorkeeper
       AccessGrant.revoke_all_for(id, resource_owner)
     end
 
-    # Represents client as set of it's attributes in JSON format.
-    # This is the right way how we want to override ActiveRecord #to_json.
-    #
-    # Respects privacy settings and serializes minimum set of attributes
-    # for public/private clients and full set for authorized owners.
-    #
-    # @return [Hash] entity attributes for JSON
-    #
-    def as_json(options = {})
-      # if application belongs to some owner we need to check if it's the same as
-      # the one passed in the options or check if we render the client as an owner
-      if (respond_to?(:owner) && owner && owner == options[:current_resource_owner]) ||
-         options[:as_owner]
-        # Owners can see all the client attributes, fallback to ActiveModel serialization
-        super
+    # We keep a volatile copy of the raw client_secret for initial communication
+    # The stored secret may be mapped and not available in cleartext.
+    def plaintext_secret
+      if perform_secret_hashing?
+        @raw_secret
       else
-        # if application has no owner or it's owner doesn't match one from the options
-        # we render only minimum set of attributes that could be exposed to a public
-        only = extract_serializable_attributes(options)
-        super(options.merge(only: only))
+        secret
       end
     end
 
@@ -75,12 +62,16 @@ module Doorkeeper
     end
 
     def generate_secret
-      self.secret = UniqueToken.generate if secret.blank?
+      return unless secret.blank?
+
+      @raw_secret = UniqueToken.generate
+      self.secret = hashed_or_plain_token(@raw_secret)
     end
 
     def scopes_match_configured
       if scopes.present? &&
-         !ScopeChecker.valid?(scopes.to_s, Doorkeeper.configuration.scopes)
+         !ScopeChecker.valid?(scope_str: scopes.to_s,
+                              server_scopes: Doorkeeper.configuration.scopes)
         errors.add(:scopes, :not_match_configured)
       end
     end
@@ -88,37 +79,5 @@ module Doorkeeper
     def enforce_scopes?
       Doorkeeper.configuration.enforce_configured_scopes?
     end
-
-    # Helper method to extract collection of serializable attribute names
-     # considering serialization options (like `only`, `except` and so on).
-     #
-     # @param options [Hash] serialization options
-     #
-     # @return [Array<String>]
-     #   collection of attributes to be serialized using #as_json
-     #
-     def extract_serializable_attributes(options = {})
-       opts = options.try(:dup) || {}
-       only = Array.wrap(opts[:only]).map(&:to_s)
-
-       only = if only.blank?
-                serializable_attributes
-              else
-                only & serializable_attributes
-              end
-
-       only -= Array.wrap(opts[:except]).map(&:to_s) if opts.key?(:except)
-       only.uniq
-     end
-
-     # Collection of attributes that could be serialized for public.
-     # Override this method if you need additional attributes to be serialized.
-     #
-     # @return [Array<String>] collection of serializable attributes
-     def serializable_attributes
-       attributes = %w[id name created_at]
-       attributes << "uid" unless confidential?
-       attributes
-     end
   end
 end

data/lib/doorkeeper/version.rb

@@ -8,9 +8,9 @@ module Doorkeeper
   module VERSION
     # Semantic versioning
     MAJOR = 5
-    MINOR = 0
-    TINY = 3
-    PRE = nil
+    MINOR = 1
+    TINY = 0
+    PRE = 'rc1'
 
     # Full version number
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

data/lib/generators/doorkeeper/templates/initializer.rb

@@ -75,8 +75,39 @@ Doorkeeper.configure do
   # doesn't updates existing token expiration time, it will create a new token instead.
   # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/383
   #
+  # You can not enable this option together with +hash_token_secrets+.
+  #
   # reuse_access_token
 
+  # Hash access and refresh tokens before persisting them.
+  # Note: This will disable the possibility to use +reuse_access_token+
+  # since plain values can no longer be retrieved.
+  #
+  # hash_token_secrets
+
+  # Hash application secrets before persisting them.
+  #
+  # hash_application_secrets
+
+  # When the above option is enabled,
+  # and a hashed token or secret is not found,
+  # look up the plain text token as a fallback.
+  #
+  # This will ensure that old access tokens and secrets
+  # will remain valid even if the hashing above is enabled
+  #
+  # fallback_to_plain_secrets
+
+  #
+  # Since old values will not be re-hashed, lookups to tokens and secrets
+  # will fall back to plain value comparison so any existing tokens will
+  # not be invalidated.
+  #
+  # For example, to use SHA256 digests on plain values, uncomment these lines:
+  # hash_secrets do |plain_value|
+  #   Digest::SHA256.hexdigest plain_value
+  # end
+
   # Issue access tokens with refresh token (disabled by default), you may also
   # pass a block which accepts `context` to customize when to give a refresh
   # token or not. Similar to `custom_access_token_expires_in`, `context` has
@@ -108,6 +139,15 @@ Doorkeeper.configure do
   # default_scopes  :public
   # optional_scopes :write, :update
 
+  # Define scopes_by_grant_type to restrict only certain scopes for grant_type
+  # By default, all the scopes will be available for all the grant types.
+  #
+  # Keys to this hash should be the name of grant_type and
+  # values should be the array of scopes for that grant type.
+  # Note: scopes should be from configured_scopes(i.e. deafult or optional)
+  #
+  # scopes_by_grant_type password: [:write], client_credentials: [:update]
+
   # Change the way client credentials are retrieved from the request object.
   # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
   # falls back to the `:client_id` and `:client_secret` params from the `params` object.
@@ -195,7 +235,7 @@ Doorkeeper.configure do
   # end
 
   # Hook into Authorization flow in order to implement Single Sign Out
-  # or add ny other functionality.
+  # or add any other functionality.
   #
   # before_successful_authorization do |controller|
   #   Rails.logger.info(params.inspect)

data/spec/controllers/application_metal_controller_spec.rb

@@ -7,6 +7,10 @@ describe Doorkeeper::ApplicationMetalController do
     def index
       render json: {}, status: 200
     end
+
+    def create
+      render json: {}, status: 200
+    end
   end
 
   it "lazy run hooks" do
@@ -22,13 +26,18 @@ describe Doorkeeper::ApplicationMetalController do
     context 'enabled' do
       let(:flag) { true }
 
-      it '200 for the correct media type' do
-        get :index, params: {}, as: :url_encoded_form
+      it 'returns a 200 for the requests without body' do
+        get :index, params: {}
         expect(response).to have_http_status 200
       end
 
-      it 'returns a 415 for an incorrect media type' do
-        get :index, as: :json
+      it 'returns a 200 for the requests with body and correct media type' do
+        post :create, params: {}, as: :url_encoded_form
+        expect(response).to have_http_status 200
+      end
+
+      it 'returns a 415 for the requests with body and incorrect media type' do
+        post :create, params: {}, as: :json
         expect(response).to have_http_status 415
       end
     end
@@ -45,6 +54,11 @@ describe Doorkeeper::ApplicationMetalController do
         get :index, as: :json
         expect(response).to have_http_status 200
       end
+
+      it 'returns a 200 for the requests with body and incorrect media type' do
+        post :create, params: {}, as: :json
+        expect(response).to have_http_status 200
+      end
     end
   end
 end

data/spec/controllers/tokens_controller_spec.rb

@@ -28,7 +28,7 @@ describe Doorkeeper::TokensController do
   describe 'when there is a failure due to a custom error' do
     it 'returns the error response with a custom message' do
       # I18n looks for `doorkeeper.errors.messages.custom_message` in locale files
-      custom_message = "my_message"
+      custom_message = 'my_message'
       allow(I18n).to receive(:translate)
         .with(
           custom_message,
@@ -60,21 +60,17 @@ describe Doorkeeper::TokensController do
     let(:client) { FactoryBot.create(:application) }
     let(:access_token) { FactoryBot.create(:access_token, application: client) }
 
-    before(:each) do
-      allow(controller).to receive(:token) { access_token }
-    end
-
     context 'when associated app is public' do
       let(:client) { FactoryBot.create(:application, confidential: false) }
 
       it 'returns 200' do
-        post :revoke
+        post :revoke, params: { token: access_token.token }
 
         expect(response.status).to eq 200
       end
 
       it 'revokes the access token' do
-        post :revoke
+        post :revoke, params: { token: access_token.token }
 
         expect(access_token.reload).to have_attributes(revoked?: true)
       end
@@ -89,13 +85,13 @@ describe Doorkeeper::TokensController do
       end
 
       it 'returns 200' do
-        post :revoke
+        post :revoke, params: { token: access_token.token }
 
         expect(response.status).to eq 200
       end
 
       it 'revokes the access token' do
-        post :revoke
+        post :revoke, params: { token: access_token.token }
 
         expect(access_token.reload).to have_attributes(revoked?: true)
       end
@@ -105,13 +101,13 @@ describe Doorkeeper::TokensController do
         let(:oauth_client) { Doorkeeper::OAuth::Client.new(some_other_client) }
 
         it 'returns 200' do
-          post :revoke
+          post :revoke, params: { token: access_token.token }
 
           expect(response.status).to eq 200
         end
 
         it 'does not revoke the access token' do
-          post :revoke
+          post :revoke, params: { token: access_token.token }
 
           expect(access_token.reload).to have_attributes(revoked?: false)
         end

data/spec/dummy/app/controllers/application_controller.rb

@@ -1,3 +1,3 @@
 class ApplicationController < ActionController::Base
-  protect_from_forgery
+  protect_from_forgery with: :exception
 end

data/spec/factories.rb

@@ -1,5 +1,5 @@
 FactoryBot.define do
-  factory :access_grant, class: Doorkeeper::AccessGrant do
+  factory :access_grant, class: "Doorkeeper::AccessGrant" do
     sequence(:resource_owner_id) { |n| n }
     application
     redirect_uri { 'https://app.com/callback' }
@@ -7,7 +7,7 @@ FactoryBot.define do
     scopes { 'public write' }
   end
 
-  factory :access_token, class: Doorkeeper::AccessToken do
+  factory :access_token, class: "Doorkeeper::AccessToken" do
     sequence(:resource_owner_id) { |n| n }
     application
     expires_in { 2.hours }
@@ -17,7 +17,7 @@ FactoryBot.define do
     end
   end
 
-  factory :application, class: Doorkeeper::Application do
+  factory :application, class: "Doorkeeper::Application" do
     sequence(:name) { |n| "Application #{n}" }
     redirect_uri { 'https://app.com/callback' }
   end