doorkeeper 5.0.3 → 5.1.0.rc1

data/spec/requests/flows/authorization_code_spec.rb

@@ -21,6 +21,33 @@ feature 'Authorization Code Flow' do
     url_should_not_have_param('error')
   end
 
+  context 'with grant hashing enabled' do
+    background do
+      config_is_set(:hash_token_secrets) { true }
+    end
+
+    scenario 'Authorization Code Flow with hashing' do
+      @client.redirect_uri = Doorkeeper.configuration.native_redirect_uri
+      @client.save!
+      visit authorization_endpoint_url(client: @client)
+      click_on 'Authorize'
+
+      access_grant_should_exist_for(@client, @resource_owner)
+
+      code = current_params['code']
+      expect(code).not_to be_nil
+
+      hashed_code = Doorkeeper::AccessGrant.hashed_or_plain_token code
+      expect(hashed_code).to eq Doorkeeper::AccessGrant.first.token
+
+      expect(code).not_to eq(hashed_code)
+
+      i_should_see 'Authorization code:'
+      i_should_see code
+      i_should_not_see hashed_code
+    end
+  end
+
   scenario 'resource owner authorizes using test url' do
     @client.redirect_uri = Doorkeeper.configuration.native_redirect_uri
     @client.save!
@@ -71,6 +98,19 @@ feature 'Authorization Code Flow' do
     should_have_json 'error', 'invalid_client'
   end
 
+  scenario 'resource owner requests an access token with authorization code but without client id' do
+    visit authorization_endpoint_url(client: @client)
+    click_on 'Authorize'
+
+    authorization_code = Doorkeeper::AccessGrant.first.token
+    page.driver.post token_endpoint_url(code: authorization_code, client_secret: @client.secret,
+                                        redirect_uri: @client.redirect_uri)
+
+    expect(Doorkeeper::AccessToken.count).to be_zero
+
+    should_have_json 'error', 'invalid_client'
+  end
+
   scenario 'silently authorizes if matching token exists' do
     default_scopes_exist :public, :write
 

data/spec/requests/flows/password_spec.rb

@@ -64,7 +64,8 @@ describe 'Resource Owner Password Credentials Flow' do
               )
             end.not_to(change { Doorkeeper::AccessToken.count })
 
-            expect(response).not_to be_ok
+            expect(response.status).to eq(401)
+            should_have_json 'error', 'invalid_client'
           end
         end
       end
@@ -88,7 +89,8 @@ describe 'Resource Owner Password Credentials Flow' do
             post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
           end.not_to(change { Doorkeeper::AccessToken.count })
 
-          expect(response).not_to be_ok
+          expect(response.status).to eq(401)
+          should_have_json 'error', 'invalid_client'
         end
       end
     end

data/spec/requests/flows/revoke_token_spec.rb

@@ -26,30 +26,28 @@ describe 'Revoke Token Flow' do
       it 'should revoke the access token provided' do
         post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
 
-        access_token.reload
-
         expect(response).to be_successful
-        expect(access_token.revoked?).to be_truthy
+        expect(access_token.reload.revoked?).to be_truthy
       end
 
       it 'should revoke the refresh token provided' do
         post revocation_token_endpoint_url, params: { token: access_token.refresh_token }, headers: headers
 
-        access_token.reload
-
         expect(response).to be_successful
-        expect(access_token.revoked?).to be_truthy
+        expect(access_token.reload.revoked?).to be_truthy
       end
 
       context 'with invalid token to revoke' do
         it 'should not revoke any tokens and respond successfully' do
-          num_prev_revoked_tokens = Doorkeeper::AccessToken.where(revoked_at: nil).count
-          post revocation_token_endpoint_url, params: { token: 'I_AM_AN_INVALID_TOKEN' }, headers: headers
+          expect do
+            post revocation_token_endpoint_url,
+              params: { token: 'I_AM_AN_INVALID_TOKEN' },
+              headers: headers
+            end.not_to(change { Doorkeeper::AccessToken.where(revoked_at: nil).count })
 
           # The authorization server responds with HTTP status code 200 even if
           # token is invalid
           expect(response).to be_successful
-          expect(Doorkeeper::AccessToken.where(revoked_at: nil).count).to eq(num_prev_revoked_tokens)
         end
       end
 
@@ -62,10 +60,8 @@ describe 'Revoke Token Flow' do
         it 'should not revoke any tokens and respond successfully' do
           post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
 
-          access_token.reload
-
           expect(response).to be_successful
-          expect(access_token.revoked?).to be_falsey
+          expect(access_token.reload.revoked?).to be_falsey
         end
       end
 
@@ -73,10 +69,8 @@ describe 'Revoke Token Flow' do
         it 'should not revoke any tokens and respond successfully' do
           post revocation_token_endpoint_url, params: { token: access_token.token }
 
-          access_token.reload
-
           expect(response).to be_successful
-          expect(access_token.revoked?).to be_falsey
+          expect(access_token.reload.revoked?).to be_falsey
         end
       end
 
@@ -92,10 +86,8 @@ describe 'Revoke Token Flow' do
         it 'should not revoke the token as its unauthorized' do
           post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
 
-          access_token.reload
-
           expect(response).to be_successful
-          expect(access_token.revoked?).to be_falsey
+          expect(access_token.reload.revoked?).to be_falsey
         end
       end
     end
@@ -111,19 +103,15 @@ describe 'Revoke Token Flow' do
       it 'should revoke the access token provided' do
         post revocation_token_endpoint_url, params: { token: access_token.token }
 
-        access_token.reload
-
         expect(response).to be_successful
-        expect(access_token.revoked?).to be_truthy
+        expect(access_token.reload.revoked?).to be_truthy
       end
 
       it 'should revoke the refresh token provided' do
         post revocation_token_endpoint_url, params: { token: access_token.refresh_token }
 
-        access_token.reload
-
         expect(response).to be_successful
-        expect(access_token.revoked?).to be_truthy
+        expect(access_token.reload.revoked?).to be_truthy
       end
 
       context 'with a valid token issued for a confidential client' do
@@ -137,19 +125,15 @@ describe 'Revoke Token Flow' do
         it 'should not revoke the access token provided' do
           post revocation_token_endpoint_url, params: { token: access_token.token }
 
-          access_token.reload
-
           expect(response).to be_successful
-          expect(access_token.revoked?).to be_falsey
+          expect(access_token.reload.revoked?).to be_falsey
         end
 
         it 'should not revoke the refresh token provided' do
           post revocation_token_endpoint_url, params: { token: access_token.token }
 
-          access_token.reload
-
           expect(response).to be_successful
-          expect(access_token.revoked?).to be_falsey
+          expect(access_token.reload.revoked?).to be_falsey
         end
       end
     end

data/spec/spec_helper.rb

@@ -28,7 +28,8 @@ end
 Doorkeeper::RSpec.print_configuration_info
 
 # Remove after dropping support of Rails 4.2
-require "#{File.dirname(__FILE__)}/support/http_method_shim.rb"
+require "#{File.dirname(__FILE__)}/support/http_method_shim"
+require "#{File.dirname(__FILE__)}/support/ruby_2_6_rails_4_2_patch"
 
 require "support/orm/#{DOORKEEPER_ORM}"
 

data/spec/support/ruby_2_6_rails_4_2_patch.rb

@@ -0,0 +1,14 @@
+if RUBY_VERSION >= '2.6.0'
+  if Rails::VERSION::MAJOR < 5
+    class ActionController::TestResponse < ActionDispatch::TestResponse
+      def recycle!
+        # hack to avoid MonitorMixin double-initialize error:
+        @mon_mutex_owner_object_id = nil
+        @mon_mutex = nil
+        initialize
+      end
+    end
+  else
+    puts "Monkeypatch for ActionController::TestResponse no longer needed"
+  end
+end

data/spec/support/shared/hashing_shared_context.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+shared_context 'with token hashing enabled' do
+  let(:hashed_or_plain_token_func) { Doorkeeper::AccessToken.method(:hashed_or_plain_token) }
+  before do
+    Doorkeeper.configure do
+      hash_token_secrets
+    end
+  end
+end
+
+shared_context 'with token hashing and fallback lookup enabled' do
+  let(:hashed_or_plain_token_func) { Doorkeeper::AccessToken.method(:hashed_or_plain_token) }
+  before do
+    Doorkeeper.configure do
+      hash_token_secrets
+      fallback_to_plain_secrets
+    end
+  end
+end
+
+shared_context 'with application hashing enabled' do
+  let(:hashed_or_plain_token_func) { Doorkeeper::Application.method(:hashed_or_plain_token) }
+  before do
+    Doorkeeper.configure do
+      hash_application_secrets
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper
 version: !ruby/object:Gem::Version
-  version: 5.0.3
+  version: 5.1.0.rc1
 platform: ruby
 authors:
 - Felipe Elias Philipp
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-05 00:00:00.000000000 Z
+date: 2019-01-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -205,6 +205,7 @@ files:
 - app/views/doorkeeper/authorized_applications/index.html.erb
 - app/views/layouts/doorkeeper/admin.html.erb
 - app/views/layouts/doorkeeper/application.html.erb
+- bin/console
 - config/locales/en.yml
 - doorkeeper.gemspec
 - gemfiles/rails_4_2.gemfile
@@ -224,6 +225,7 @@ files:
 - lib/doorkeeper/models/application_mixin.rb
 - lib/doorkeeper/models/concerns/accessible.rb
 - lib/doorkeeper/models/concerns/expirable.rb
+- lib/doorkeeper/models/concerns/hashable.rb
 - lib/doorkeeper/models/concerns/orderable.rb
 - lib/doorkeeper/models/concerns/ownership.rb
 - lib/doorkeeper/models/concerns/revocable.rb
@@ -358,6 +360,7 @@ files:
 - spec/lib/config_spec.rb
 - spec/lib/doorkeeper_spec.rb
 - spec/lib/models/expirable_spec.rb
+- spec/lib/models/hashable_spec.rb
 - spec/lib/models/revocable_spec.rb
 - spec/lib/models/scopes_spec.rb
 - spec/lib/oauth/authorization/uri_builder_spec.rb
@@ -423,7 +426,9 @@ files:
 - spec/support/helpers/url_helper.rb
 - spec/support/http_method_shim.rb
 - spec/support/orm/active_record.rb
+- spec/support/ruby_2_6_rails_4_2_patch.rb
 - spec/support/shared/controllers_shared_context.rb
+- spec/support/shared/hashing_shared_context.rb
 - spec/support/shared/models_shared_examples.rb
 - spec/validators/redirect_uri_validator_spec.rb
 - spec/version/version_spec.rb
@@ -443,9 +448,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '2.1'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubygems_version: 3.0.2
 signing_key: 
@@ -513,6 +518,7 @@ test_files:
 - spec/lib/config_spec.rb
 - spec/lib/doorkeeper_spec.rb
 - spec/lib/models/expirable_spec.rb
+- spec/lib/models/hashable_spec.rb
 - spec/lib/models/revocable_spec.rb
 - spec/lib/models/scopes_spec.rb
 - spec/lib/oauth/authorization/uri_builder_spec.rb
@@ -578,7 +584,9 @@ test_files:
 - spec/support/helpers/url_helper.rb
 - spec/support/http_method_shim.rb
 - spec/support/orm/active_record.rb
+- spec/support/ruby_2_6_rails_4_2_patch.rb
 - spec/support/shared/controllers_shared_context.rb
+- spec/support/shared/hashing_shared_context.rb
 - spec/support/shared/models_shared_examples.rb
 - spec/validators/redirect_uri_validator_spec.rb
 - spec/version/version_spec.rb