doorkeeper 5.0.3 → 5.1.0.rc1
- checksums.yaml +4 -4
- data/.travis.yml +7 -3
- data/Dangerfile +5 -2
- data/Gemfile +3 -1
- data/NEWS.md +20 -13
- data/README.md +1 -1
- data/app/controllers/doorkeeper/applications_controller.rb +3 -3
- data/app/controllers/doorkeeper/authorized_applications_controller.rb +1 -1
- data/app/controllers/doorkeeper/tokens_controller.rb +6 -6
- data/app/views/doorkeeper/applications/show.html.erb +1 -1
- data/app/views/layouts/doorkeeper/admin.html.erb +5 -3
- data/bin/console +15 -0
- data/gemfiles/rails_4_2.gemfile +1 -0
- data/gemfiles/rails_5_0.gemfile +1 -0
- data/gemfiles/rails_5_1.gemfile +1 -0
- data/gemfiles/rails_5_2.gemfile +2 -1
- data/gemfiles/rails_master.gemfile +1 -0
- data/lib/doorkeeper.rb +1 -0
- data/lib/doorkeeper/config.rb +73 -6
- data/lib/doorkeeper/helpers/controller.rb +3 -2
- data/lib/doorkeeper/models/access_grant_mixin.rb +8 -1
- data/lib/doorkeeper/models/access_token_mixin.rb +40 -9
- data/lib/doorkeeper/models/application_mixin.rb +52 -1
- data/lib/doorkeeper/models/concerns/hashable.rb +137 -0
- data/lib/doorkeeper/models/concerns/scopes.rb +1 -1
- data/lib/doorkeeper/oauth/authorization/code.rb +1 -1
- data/lib/doorkeeper/oauth/authorization/token.rb +1 -1
- data/lib/doorkeeper/oauth/authorization_code_request.rb +1 -1
- data/lib/doorkeeper/oauth/client.rb +1 -1
- data/lib/doorkeeper/oauth/client_credentials/validation.rb +4 -3
- data/lib/doorkeeper/oauth/code_response.rb +2 -2
- data/lib/doorkeeper/oauth/helpers/scope_checker.rb +23 -8
- data/lib/doorkeeper/oauth/helpers/uri_checker.rb +32 -0
- data/lib/doorkeeper/oauth/password_access_token_request.rb +7 -2
- data/lib/doorkeeper/oauth/pre_authorization.rb +8 -3
- data/lib/doorkeeper/oauth/refresh_token_request.rb +4 -1
- data/lib/doorkeeper/oauth/token_response.rb +2 -2
- data/lib/doorkeeper/orm/active_record/access_grant.rb +22 -2
- data/lib/doorkeeper/orm/active_record/application.rb +12 -53
- data/lib/doorkeeper/version.rb +3 -3
- data/lib/generators/doorkeeper/templates/initializer.rb +41 -1
- data/spec/controllers/application_metal_controller_spec.rb +18 -4
- data/spec/controllers/tokens_controller_spec.rb +7 -11
- data/spec/dummy/app/controllers/application_controller.rb +1 -1
- data/spec/factories.rb +3 -3
- data/spec/lib/config_spec.rb +84 -0
- data/spec/lib/models/hashable_spec.rb +183 -0
- data/spec/lib/oauth/base_request_spec.rb +7 -7
- data/spec/lib/oauth/client_credentials/validation_spec.rb +3 -0
- data/spec/lib/oauth/helpers/scope_checker_spec.rb +52 -17
- data/spec/lib/oauth/helpers/uri_checker_spec.rb +20 -2
- data/spec/lib/oauth/password_access_token_request_spec.rb +32 -11
- data/spec/lib/oauth/pre_authorization_spec.rb +24 -0
- data/spec/lib/oauth/token_response_spec.rb +13 -13
- data/spec/lib/oauth/token_spec.rb +14 -0
- data/spec/models/doorkeeper/access_grant_spec.rb +61 -0
- data/spec/models/doorkeeper/access_token_spec.rb +123 -0
- data/spec/models/doorkeeper/application_spec.rb +227 -295
- data/spec/requests/flows/authorization_code_spec.rb +40 -0
- data/spec/requests/flows/password_spec.rb +4 -2
- data/spec/requests/flows/revoke_token_spec.rb +14 -30
- data/spec/spec_helper.rb +2 -1
- data/spec/support/ruby_2_6_rails_4_2_patch.rb +14 -0
- data/spec/support/shared/hashing_shared_context.rb +29 -0
- metadata +12 -4
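--- a/data/spec/requests/flows/authorization_code_spec.rb
+++ b/data/spec/requests/flows/authorization_code_spec.rb
@@ -21,6 +21,33 @@ feature 'Authorization Code Flow' do
 url_should_not_have_param('error')
 end
 
+context 'with grant hashing enabled' do
+background do
+config_is_set(:hash_token_secrets) { true }
+end
+
+scenario 'Authorization Code Flow with hashing' do
+@client.redirect_uri = Doorkeeper.configuration.native_redirect_uri
+@client.save!
+visit authorization_endpoint_url(client: @client)
+click_on 'Authorize'
+
+access_grant_should_exist_for(@client, @resource_owner)
+
+code = current_params['code']
+expect(code).not_to be_nil
+
+hashed_code = Doorkeeper::AccessGrant.hashed_or_plain_token code
+expect(hashed_code).to eq Doorkeeper::AccessGrant.first.token
+
+expect(code).not_to eq(hashed_code)
+
+i_should_see 'Authorization code:'
+i_should_see code
+i_should_not_see hashed_code
+end
+end
+
 scenario 'resource owner authorizes using test url' do
 @client.redirect_uri = Doorkeeper.configuration.native_redirect_uri
 @client.save!
@@ -71,6 +98,19 @@ feature 'Authorization Code Flow' do
 should_have_json 'error', 'invalid_client'
 end
 
+scenario 'resource owner requests an access token with authorization code but without client id' do
+visit authorization_endpoint_url(client: @client)
+click_on 'Authorize'
+
+authorization_code = Doorkeeper::AccessGrant.first.token
+page.driver.post token_endpoint_url(code: authorization_code, client_secret: @client.secret,
+redirect_uri: @client.redirect_uri)
+
+expect(Doorkeeper::AccessToken.count).to be_zero
+
+should_have_json 'error', 'invalid_client'
+end
+
 scenario 'silently authorizes if matching token exists' do
 default_scopes_exist :public, :write
 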
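Review bot: The hashing scenario (new lines 29–48) proves the grant is stored hashed and that the page shows the plain code rather than the hash, but it never exchanges that plain `code` at the token endpoint, so a regression in the hashed lookup on the exchange path — the security-critical half of the feature — would pass this spec. Finishing the scenario with the exchange, using whichever `token_endpoint_url` form the existing exchange scenarios use, e.g. `page.driver.post token_endpoint_url(code: code, client: @client)` followed by `expect(Doorkeeper::AccessToken.count).to eq(1)`, closes that gap. The second hunk's `Doorkeeper::AccessGrant.first.token` (new line 105) is only a usable code because that scenario runs with hashing off; a comment such as `# plain value: hashing is not enabled in this scenario` would keep a later move into the hashing context from silently posting a hash.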
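--- a/data/spec/requests/flows/password_spec.rb
+++ b/data/spec/requests/flows/password_spec.rb
@@ -64,7 +64,8 @@ describe 'Resource Owner Password Credentials Flow' do
 )
 end.not_to(change { Doorkeeper::AccessToken.count })
 
-expect(response).
+expect(response.status).to eq(401)
+should_have_json 'error', 'invalid_client'
 end
 end
 end
@@ -88,7 +89,8 @@ describe 'Resource Owner Password Credentials Flow' do
 post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
 end.not_to(change { Doorkeeper::AccessToken.count })
 
-expect(response).
+expect(response.status).to eq(401)
+should_have_json 'error', 'invalid_client'
 end
 end
 end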
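Review bot: Pinning `401` for `invalid_client` (new lines 67 and 92) is a contract the spec should state, because RFC 6749 §5.2 only mandates 401 — together with a `WWW-Authenticate` header — when the client authenticated through the `Authorization` header, and both requests here pass `client_id` in the body (new line 89), where 400 would be equally conformant. If Doorkeeper deliberately answers every `invalid_client` with 401, a comment above the first assertion, e.g. `# Doorkeeper returns 401 for invalid_client regardless of how the client authenticated`, prevents the status being "corrected" back to 400 later. The `expect do … end` block in the first hunk starts outside the hunk, so which request it wraps is not visible here.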
@@ -26,30 +26,28 @@ describe 'Revoke Token Flow' do
|
|
26
26
|
it 'should revoke the access token provided' do
|
27
27
|
post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
|
28
28
|
|
29
|
-
access_token.reload
|
30
|
-
|
31
29
|
expect(response).to be_successful
|
32
|
-
expect(access_token.revoked?).to be_truthy
|
30
|
+
expect(access_token.reload.revoked?).to be_truthy
|
33
31
|
end
|
34
32
|
|
35
33
|
it 'should revoke the refresh token provided' do
|
36
34
|
post revocation_token_endpoint_url, params: { token: access_token.refresh_token }, headers: headers
|
37
35
|
|
38
|
-
access_token.reload
|
39
|
-
|
40
36
|
expect(response).to be_successful
|
41
|
-
expect(access_token.revoked?).to be_truthy
|
37
|
+
expect(access_token.reload.revoked?).to be_truthy
|
42
38
|
end
|
43
39
|
|
44
40
|
context 'with invalid token to revoke' do
|
45
41
|
it 'should not revoke any tokens and respond successfully' do
|
46
|
-
|
47
|
-
|
42
|
+
expect do
|
43
|
+
post revocation_token_endpoint_url,
|
44
|
+
params: { token: 'I_AM_AN_INVALID_TOKEN' },
|
45
|
+
headers: headers
|
46
|
+
end.not_to(change { Doorkeeper::AccessToken.where(revoked_at: nil).count })
|
48
47
|
|
49
48
|
# The authorization server responds with HTTP status code 200 even if
|
50
49
|
# token is invalid
|
51
50
|
expect(response).to be_successful
|
52
|
-
expect(Doorkeeper::AccessToken.where(revoked_at: nil).count).to eq(num_prev_revoked_tokens)
|
53
51
|
end
|
54
52
|
end
|
55
53
|
|
@@ -62,10 +60,8 @@ describe 'Revoke Token Flow' do
|
|
62
60
|
it 'should not revoke any tokens and respond successfully' do
|
63
61
|
post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
|
64
62
|
|
65
|
-
access_token.reload
|
66
|
-
|
67
63
|
expect(response).to be_successful
|
68
|
-
expect(access_token.revoked?).to be_falsey
|
64
|
+
expect(access_token.reload.revoked?).to be_falsey
|
69
65
|
end
|
70
66
|
end
|
71
67
|
|
@@ -73,10 +69,8 @@ describe 'Revoke Token Flow' do
|
|
73
69
|
it 'should not revoke any tokens and respond successfully' do
|
74
70
|
post revocation_token_endpoint_url, params: { token: access_token.token }
|
75
71
|
|
76
|
-
access_token.reload
|
77
|
-
|
78
72
|
expect(response).to be_successful
|
79
|
-
expect(access_token.revoked?).to be_falsey
|
73
|
+
expect(access_token.reload.revoked?).to be_falsey
|
80
74
|
end
|
81
75
|
end
|
82
76
|
|
@@ -92,10 +86,8 @@ describe 'Revoke Token Flow' do
|
|
92
86
|
it 'should not revoke the token as its unauthorized' do
|
93
87
|
post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
|
94
88
|
|
95
|
-
access_token.reload
|
96
|
-
|
97
89
|
expect(response).to be_successful
|
98
|
-
expect(access_token.revoked?).to be_falsey
|
90
|
+
expect(access_token.reload.revoked?).to be_falsey
|
99
91
|
end
|
100
92
|
end
|
101
93
|
end
|
@@ -111,19 +103,15 @@ describe 'Revoke Token Flow' do
|
|
111
103
|
it 'should revoke the access token provided' do
|
112
104
|
post revocation_token_endpoint_url, params: { token: access_token.token }
|
113
105
|
|
114
|
-
access_token.reload
|
115
|
-
|
116
106
|
expect(response).to be_successful
|
117
|
-
expect(access_token.revoked?).to be_truthy
|
107
|
+
expect(access_token.reload.revoked?).to be_truthy
|
118
108
|
end
|
119
109
|
|
120
110
|
it 'should revoke the refresh token provided' do
|
121
111
|
post revocation_token_endpoint_url, params: { token: access_token.refresh_token }
|
122
112
|
|
123
|
-
access_token.reload
|
124
|
-
|
125
113
|
expect(response).to be_successful
|
126
|
-
expect(access_token.revoked?).to be_truthy
|
114
|
+
expect(access_token.reload.revoked?).to be_truthy
|
127
115
|
end
|
128
116
|
|
129
117
|
context 'with a valid token issued for a confidential client' do
|
@@ -137,19 +125,15 @@ describe 'Revoke Token Flow' do
|
|
137
125
|
it 'should not revoke the access token provided' do
|
138
126
|
post revocation_token_endpoint_url, params: { token: access_token.token }
|
139
127
|
|
140
|
-
access_token.reload
|
141
|
-
|
142
128
|
expect(response).to be_successful
|
143
|
-
expect(access_token.revoked?).to be_falsey
|
129
|
+
expect(access_token.reload.revoked?).to be_falsey
|
144
130
|
end
|
145
131
|
|
146
132
|
it 'should not revoke the refresh token provided' do
|
147
133
|
post revocation_token_endpoint_url, params: { token: access_token.token }
|
148
134
|
|
149
|
-
access_token.reload
|
150
|
-
|
151
135
|
expect(response).to be_successful
|
152
|
-
expect(access_token.revoked?).to be_falsey
|
136
|
+
expect(access_token.reload.revoked?).to be_falsey
|
153
137
|
end
|
154
138
|
end
|
155
139
|
end
|
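Review bot: The example titled 'should not revoke the refresh token provided' (new lines 132–137) still posts `access_token.token`, so it duplicates the access-token example directly above it and never sends the refresh token at all; the `it 'should revoke the refresh token provided'` example at new line 110 shows the intended shape. Changing the request to `post revocation_token_endpoint_url, params: { token: access_token.refresh_token }` makes it actually exercise refresh-token revocation for an unauthenticated confidential client, which is the case RFC 7009 §2.1 requires client authentication for. This is a context line the commit carries over unchanged rather than something it introduces, and the `context` blocks these examples belong to start outside the hunks.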
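--- a/data/spec/spec_helper.rb
+++ b/data/spec/spec_helper.rb
@@ -28,7 +28,8 @@ end
 Doorkeeper::RSpec.print_configuration_info
 
 # Remove after dropping support of Rails 4.2
-require "#{File.dirname(__FILE__)}/support/http_method_shim
+require "#{File.dirname(__FILE__)}/support/http_method_shim"
+require "#{File.dirname(__FILE__)}/support/ruby_2_6_rails_4_2_patch"
 
 require "support/orm/#{DOORKEEPER_ORM}"
 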
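--- a/data/spec/support/ruby_2_6_rails_4_2_patch.rb
+++ b/data/spec/support/ruby_2_6_rails_4_2_patch.rb
@@ -0,0 +1,14 @@
+if RUBY_VERSION >= '2.6.0'
+if Rails::VERSION::MAJOR < 5
+class ActionController::TestResponse < ActionDispatch::TestResponse
+def recycle!
+# hack to avoid MonitorMixin double-initialize error:
+@mon_mutex_owner_object_id = nil
+@mon_mutex = nil
+initialize
+end
+end
+else
+puts "Monkeypatch for ActionController::TestResponse no longer needed"
+end
+end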
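Review bot: `RUBY_VERSION >= '2.6.0'` on line 1 is a lexicographic string comparison, so any version with a component of a different digit count compares wrongly (a hypothetical '2.10.0' sorts below '2.6.0'); `if Gem::Version.new(RUBY_VERSION) >= Gem::Version.new('2.6.0')` is the comparison Rubygems provides for exactly this. The `else` branch on line 12 writes to stdout with `puts` on every run under Ruby ≥ 2.6 with Rails ≥ 5, which lands in the spec output each time; `warn`, or simply dropping the message, keeps it out of test logs. A one-line comment above `recycle!` noting that it reaches into MonitorMixin internals (`@mon_mutex`, `@mon_mutex_owner_object_id`) and is therefore tied to the Ruby release it was written against would tell the next maintainer why this file should go with Rails 4.2 support.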
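--- a/data/spec/support/shared/hashing_shared_context.rb
+++ b/data/spec/support/shared/hashing_shared_context.rb
@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+shared_context 'with token hashing enabled' do
+let(:hashed_or_plain_token_func) { Doorkeeper::AccessToken.method(:hashed_or_plain_token) }
+before do
+Doorkeeper.configure do
+hash_token_secrets
+end
+end
+end
+
+shared_context 'with token hashing and fallback lookup enabled' do
+let(:hashed_or_plain_token_func) { Doorkeeper::AccessToken.method(:hashed_or_plain_token) }
+before do
+Doorkeeper.configure do
+hash_token_secrets
+fallback_to_plain_secrets
+end
+end
+end
+
+shared_context 'with application hashing enabled' do
+let(:hashed_or_plain_token_func) { Doorkeeper::Application.method(:hashed_or_plain_token) }
+before do
+Doorkeeper.configure do
+hash_application_secrets
+end
+end
+end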
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: doorkeeper
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 5.0.
|
4
|
+
version: 5.1.0.rc1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Felipe Elias Philipp
|
@@ -11,7 +11,7 @@ authors:
|
|
11
11
|
autorequire:
|
12
12
|
bindir: bin
|
13
13
|
cert_chain: []
|
14
|
-
date:
|
14
|
+
date: 2019-01-17 00:00:00.000000000 Z
|
15
15
|
dependencies:
|
16
16
|
- !ruby/object:Gem::Dependency
|
17
17
|
name: railties
|
@@ -205,6 +205,7 @@ files:
|
|
205
205
|
- app/views/doorkeeper/authorized_applications/index.html.erb
|
206
206
|
- app/views/layouts/doorkeeper/admin.html.erb
|
207
207
|
- app/views/layouts/doorkeeper/application.html.erb
|
208
|
+
- bin/console
|
208
209
|
- config/locales/en.yml
|
209
210
|
- doorkeeper.gemspec
|
210
211
|
- gemfiles/rails_4_2.gemfile
|
@@ -224,6 +225,7 @@ files:
|
|
224
225
|
- lib/doorkeeper/models/application_mixin.rb
|
225
226
|
- lib/doorkeeper/models/concerns/accessible.rb
|
226
227
|
- lib/doorkeeper/models/concerns/expirable.rb
|
228
|
+
- lib/doorkeeper/models/concerns/hashable.rb
|
227
229
|
- lib/doorkeeper/models/concerns/orderable.rb
|
228
230
|
- lib/doorkeeper/models/concerns/ownership.rb
|
229
231
|
- lib/doorkeeper/models/concerns/revocable.rb
|
@@ -358,6 +360,7 @@ files:
|
|
358
360
|
- spec/lib/config_spec.rb
|
359
361
|
- spec/lib/doorkeeper_spec.rb
|
360
362
|
- spec/lib/models/expirable_spec.rb
|
363
|
+
- spec/lib/models/hashable_spec.rb
|
361
364
|
- spec/lib/models/revocable_spec.rb
|
362
365
|
- spec/lib/models/scopes_spec.rb
|
363
366
|
- spec/lib/oauth/authorization/uri_builder_spec.rb
|
@@ -423,7 +426,9 @@ files:
|
|
423
426
|
- spec/support/helpers/url_helper.rb
|
424
427
|
- spec/support/http_method_shim.rb
|
425
428
|
- spec/support/orm/active_record.rb
|
429
|
+
- spec/support/ruby_2_6_rails_4_2_patch.rb
|
426
430
|
- spec/support/shared/controllers_shared_context.rb
|
431
|
+
- spec/support/shared/hashing_shared_context.rb
|
427
432
|
- spec/support/shared/models_shared_examples.rb
|
428
433
|
- spec/validators/redirect_uri_validator_spec.rb
|
429
434
|
- spec/version/version_spec.rb
|
@@ -443,9 +448,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
443
448
|
version: '2.1'
|
444
449
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
445
450
|
requirements:
|
446
|
-
- - "
|
451
|
+
- - ">"
|
447
452
|
- !ruby/object:Gem::Version
|
448
|
-
version:
|
453
|
+
version: 1.3.1
|
449
454
|
requirements: []
|
450
455
|
rubygems_version: 3.0.2
|
451
456
|
signing_key:
|
@@ -513,6 +518,7 @@ test_files:
|
|
513
518
|
- spec/lib/config_spec.rb
|
514
519
|
- spec/lib/doorkeeper_spec.rb
|
515
520
|
- spec/lib/models/expirable_spec.rb
|
521
|
+
- spec/lib/models/hashable_spec.rb
|
516
522
|
- spec/lib/models/revocable_spec.rb
|
517
523
|
- spec/lib/models/scopes_spec.rb
|
518
524
|
- spec/lib/oauth/authorization/uri_builder_spec.rb
|
@@ -578,7 +584,9 @@ test_files:
|
|
578
584
|
- spec/support/helpers/url_helper.rb
|
579
585
|
- spec/support/http_method_shim.rb
|
580
586
|
- spec/support/orm/active_record.rb
|
587
|
+
- spec/support/ruby_2_6_rails_4_2_patch.rb
|
581
588
|
- spec/support/shared/controllers_shared_context.rb
|
589
|
+
- spec/support/shared/hashing_shared_context.rb
|
582
590
|
- spec/support/shared/models_shared_examples.rb
|
583
591
|
- spec/validators/redirect_uri_validator_spec.rb
|
584
592
|
- spec/version/version_spec.rb
|