RubyGems - doorkeeper - Versions diffs - 5.1.0.rc1 → 5.1.0.rc2 - Mend

doorkeeper 5.1.0.rc1 → 5.1.0.rc2

Potentially problematic release.

This version of doorkeeper might be problematic. Click here for more details.

Files changed (65) hide show

checksums.yaml +4 -4
data/.travis.yml +11 -2
data/Appraisals +29 -3
data/Gemfile +13 -5
data/NEWS.md +52 -15
data/README.md +68 -487
data/app/controllers/doorkeeper/token_info_controller.rb +1 -1
data/app/controllers/doorkeeper/tokens_controller.rb +1 -1
data/doorkeeper.gemspec +3 -2
data/gemfiles/rails_4_2.gemfile +8 -5
data/gemfiles/rails_5_0.gemfile +9 -6
data/gemfiles/rails_5_1.gemfile +9 -6
data/gemfiles/rails_5_2.gemfile +9 -6
data/gemfiles/rails_6_0.gemfile +16 -0
data/gemfiles/rails_master.gemfile +8 -10
data/lib/doorkeeper.rb +7 -1
data/lib/doorkeeper/config.rb +110 -24
data/lib/doorkeeper/models/access_grant_mixin.rb +15 -7
data/lib/doorkeeper/models/access_token_mixin.rb +29 -16
data/lib/doorkeeper/models/application_mixin.rb +18 -28
data/lib/doorkeeper/models/concerns/expirable.rb +3 -2
data/lib/doorkeeper/models/concerns/reusable.rb +19 -0
data/lib/doorkeeper/models/concerns/scopes.rb +4 -0
data/lib/doorkeeper/models/concerns/secret_storable.rb +106 -0
data/lib/doorkeeper/oauth/authorization/token.rb +3 -1
data/lib/doorkeeper/oauth/error_response.rb +5 -1
data/lib/doorkeeper/oauth/helpers/unique_token.rb +12 -1
data/lib/doorkeeper/oauth/invalid_token_response.rb +4 -0
data/lib/doorkeeper/oauth/token_introspection.rb +72 -6
data/lib/doorkeeper/orm/active_record/access_grant.rb +9 -8
data/lib/doorkeeper/orm/active_record/application.rb +10 -6
data/lib/doorkeeper/secret_storing/base.rb +63 -0
data/lib/doorkeeper/secret_storing/bcrypt.rb +59 -0
data/lib/doorkeeper/secret_storing/plain.rb +33 -0
data/lib/doorkeeper/secret_storing/sha256_hash.rb +25 -0
data/lib/doorkeeper/version.rb +1 -1
data/lib/generators/doorkeeper/templates/initializer.rb +62 -20
data/spec/controllers/authorizations_controller_spec.rb +3 -3
data/spec/controllers/token_info_controller_spec.rb +1 -1
data/spec/controllers/tokens_controller_spec.rb +78 -30
data/spec/dummy/config/application.rb +12 -1
data/spec/lib/config_spec.rb +119 -35
data/spec/lib/models/expirable_spec.rb +12 -0
data/spec/lib/models/reusable_spec.rb +40 -0
data/spec/lib/models/scopes_spec.rb +13 -1
data/spec/lib/models/secret_storable_spec.rb +113 -0
data/spec/lib/oauth/authorization_code_request_spec.rb +18 -1
data/spec/lib/oauth/client_credentials/creator_spec.rb +51 -7
data/spec/lib/oauth/error_response_spec.rb +7 -1
data/spec/lib/oauth/password_access_token_request_spec.rb +11 -1
data/spec/lib/oauth/token_request_spec.rb +16 -1
data/spec/lib/secret_storing/base_spec.rb +60 -0
data/spec/lib/secret_storing/bcrypt_spec.rb +49 -0
data/spec/lib/secret_storing/plain_spec.rb +44 -0
data/spec/lib/secret_storing/sha256_hash_spec.rb +48 -0
data/spec/models/doorkeeper/application_spec.rb +23 -4
data/spec/requests/flows/authorization_code_spec.rb +3 -3
data/spec/requests/flows/client_credentials_spec.rb +2 -2
data/spec/requests/flows/implicit_grant_spec.rb +1 -1
data/spec/requests/flows/password_spec.rb +3 -3
data/spec/routing/custom_controller_routes_spec.rb +4 -0
data/spec/support/shared/hashing_shared_context.rb +12 -5
metadata +51 -21
data/lib/doorkeeper/models/concerns/hashable.rb +0 -137
data/spec/lib/models/hashable_spec.rb +0 -183

data/app/controllers/doorkeeper/token_info_controller.rb CHANGED

@@ -6,7 +6,7 @@ module Doorkeeper
       if doorkeeper_token && doorkeeper_token.accessible?
         render json: doorkeeper_token, status: :ok
       else
-        error = OAuth::ErrorResponse.new(name: :invalid_request)
+        error = OAuth::InvalidTokenResponse.new
         response.headers.merge!(error.headers)
         render json: error.body, status: error.status
       end

data/app/controllers/doorkeeper/tokens_controller.rb CHANGED

@@ -33,7 +33,7 @@ module Doorkeeper
       if introspection.authorized?
         render json: introspection.to_json, status: 200
       else
-        error = OAuth::ErrorResponse.new(name: introspection.error)
+        error = introspection.error_response
         response.headers.merge!(error.headers)
         render json: error.body, status: error.status
       end

data/doorkeeper.gemspec CHANGED

@@ -19,13 +19,14 @@ Gem::Specification.new do |gem|
   gem.add_dependency 'railties', '>= 4.2'
   gem.required_ruby_version = '>= 2.1'
-  gem.add_development_dependency 'capybara', '~> 2.18'
+  gem.add_development_dependency 'appraisal'
+  gem.add_development_dependency 'capybara'
   gem.add_development_dependency 'coveralls'
   gem.add_development_dependency 'danger', '~> 5.0'
-  gem.add_development_dependency 'grape'
   gem.add_development_dependency 'database_cleaner', '~> 1.6'
   gem.add_development_dependency 'factory_bot', '~> 4.8'
   gem.add_development_dependency 'generator_spec', '~> 0.9.3'
+  gem.add_development_dependency 'grape'
   gem.add_development_dependency 'rake', '>= 11.3.0'
   gem.add_development_dependency 'rspec-rails'
 end

data/gemfiles/rails_4_2.gemfile CHANGED

@@ -3,12 +3,15 @@
 source "https://rubygems.org"
 gem "rails", "~> 4.2.0"
-gem "bcrypt", "~> 3.1"
-gem "appraisal"
+gem "rspec-core", git: "https://github.com/rspec/rspec-core.git"
+gem "rspec-expectations", git: "https://github.com/rspec/rspec-expectations.git"
+gem "rspec-mocks", git: "https://github.com/rspec/rspec-mocks.git"
+gem "rspec-rails", branch: "4-0-dev", git: "https://github.com/rspec/rspec-rails.git"
+gem "rspec-support", git: "https://github.com/rspec/rspec-support.git"
+gem "bcrypt", "~> 3.1", require: false
 gem "activerecord-jdbcsqlite3-adapter", platform: :jruby
-gem "sqlite3", platform: [:ruby, :mswin, :mingw, :x64_mingw]
+gem "sqlite3", "~> 1.3", "< 1.4", platform: [:ruby, :mswin, :mingw, :x64_mingw]
 gem "tzinfo-data", platforms: [:mingw, :mswin, :x64_mingw]
-# Older Grape requires Ruby >= 2.2.2
-gem "grape", '~> 0.16', '< 0.19.2'
+gem "grape", "~> 0.16", "< 0.19.2"
 gemspec path: "../"

data/gemfiles/rails_5_0.gemfile CHANGED

@@ -2,12 +2,15 @@
 source "https://rubygems.org"
-gem "rails", "~> 5.0.0"
-gem "bcrypt", "~> 3.1"
-gem "appraisal"
-gem "activerecord-jdbcsqlite3-adapter", platforms: :jruby
-gem "sqlite3", platforms: [:ruby, :mswin, :mingw, :x64_mingw]
+gem "rails", "~> 5.0.0", ">= 5.0.7.2"
+gem "rspec-core", git: "https://github.com/rspec/rspec-core.git"
+gem "rspec-expectations", git: "https://github.com/rspec/rspec-expectations.git"
+gem "rspec-mocks", git: "https://github.com/rspec/rspec-mocks.git"
+gem "rspec-rails", branch: "4-0-dev", git: "https://github.com/rspec/rspec-rails.git"
+gem "rspec-support", git: "https://github.com/rspec/rspec-support.git"
+gem "bcrypt", "~> 3.1", require: false
+gem "activerecord-jdbcsqlite3-adapter", platform: :jruby
+gem "sqlite3", "~> 1.3", "< 1.4", platform: [:ruby, :mswin, :mingw, :x64_mingw]
 gem "tzinfo-data", platforms: [:mingw, :mswin, :x64_mingw]
-gem "rspec-rails", "~> 3.5"
 gemspec path: "../"

data/gemfiles/rails_5_1.gemfile CHANGED

@@ -2,12 +2,15 @@
 source "https://rubygems.org"
-gem "rails", "~> 5.1.0"
-gem "bcrypt", "~> 3.1"
-gem "appraisal"
-gem "activerecord-jdbcsqlite3-adapter", platforms: :jruby
-gem "sqlite3", platforms: [:ruby, :mswin, :mingw, :x64_mingw]
+gem "rails", "~> 5.1.0", ">= 5.1.6.2"
+gem "rspec-core", git: "https://github.com/rspec/rspec-core.git"
+gem "rspec-expectations", git: "https://github.com/rspec/rspec-expectations.git"
+gem "rspec-mocks", git: "https://github.com/rspec/rspec-mocks.git"
+gem "rspec-rails", branch: "4-0-dev", git: "https://github.com/rspec/rspec-rails.git"
+gem "rspec-support", git: "https://github.com/rspec/rspec-support.git"
+gem "bcrypt", "~> 3.1", require: false
+gem "activerecord-jdbcsqlite3-adapter", platform: :jruby
+gem "sqlite3", "~> 1.3", "< 1.4", platform: [:ruby, :mswin, :mingw, :x64_mingw]
 gem "tzinfo-data", platforms: [:mingw, :mswin, :x64_mingw]
-gem "rspec-rails", "~> 3.7"
 gemspec path: "../"

data/gemfiles/rails_5_2.gemfile CHANGED

@@ -2,12 +2,15 @@
 source "https://rubygems.org"
-gem "rails", "~> 5.2.0"
-gem "bcrypt", "~> 3.1"
-gem "appraisal"
-gem "activerecord-jdbcsqlite3-adapter", platforms: :jruby
-gem "sqlite3", platforms: [:ruby, :mswin, :mingw, :x64_mingw]
+gem "rails", "~> 5.2.2", ">= 5.2.2.1"
+gem "rspec-core", git: "https://github.com/rspec/rspec-core.git"
+gem "rspec-expectations", git: "https://github.com/rspec/rspec-expectations.git"
+gem "rspec-mocks", git: "https://github.com/rspec/rspec-mocks.git"
+gem "rspec-rails", branch: "4-0-dev", git: "https://github.com/rspec/rspec-rails.git"
+gem "rspec-support", git: "https://github.com/rspec/rspec-support.git"
+gem "bcrypt", "~> 3.1", require: false
+gem "activerecord-jdbcsqlite3-adapter", platform: :jruby
+gem "sqlite3", "~> 1.3", "< 1.4", platform: [:ruby, :mswin, :mingw, :x64_mingw]
 gem "tzinfo-data", platforms: [:mingw, :mswin, :x64_mingw]
-gem "rspec-rails", "~> 3.7"
 gemspec path: "../"

data/gemfiles/rails_6_0.gemfile ADDED

@@ -0,0 +1,16 @@
+# This file was generated by Appraisal
+source "https://rubygems.org"
+gem "rails", "~> 6.0.0.beta3"
+gem "rspec-core", git: "https://github.com/rspec/rspec-core.git"
+gem "rspec-expectations", git: "https://github.com/rspec/rspec-expectations.git"
+gem "rspec-mocks", git: "https://github.com/rspec/rspec-mocks.git"
+gem "rspec-rails", branch: "4-0-dev", git: "https://github.com/rspec/rspec-rails.git"
+gem "rspec-support", git: "https://github.com/rspec/rspec-support.git"
+gem "bcrypt", "~> 3.1", require: false
+gem "activerecord-jdbcsqlite3-adapter", platform: :jruby
+gem "sqlite3", "~> 1.4", platform: [:ruby, :mswin, :mingw, :x64_mingw]
+gem "tzinfo-data", platforms: [:mingw, :mswin, :x64_mingw]
+gemspec path: "../"

data/gemfiles/rails_master.gemfile CHANGED

@@ -2,17 +2,15 @@
 source "https://rubygems.org"
-gem "rails", git: 'https://github.com/rails/rails'
-gem "arel", git: 'https://github.com/rails/arel'
-gem "appraisal"
-gem "bcrypt", "~> 3.1"
+gem "rails", git: "https://github.com/rails/rails"
+gem "rspec-core", git: "https://github.com/rspec/rspec-core.git"
+gem "rspec-expectations", git: "https://github.com/rspec/rspec-expectations.git"
+gem "rspec-mocks", git: "https://github.com/rspec/rspec-mocks.git"
+gem "rspec-rails", branch: "4-0-dev", git: "https://github.com/rspec/rspec-rails.git"
+gem "rspec-support", git: "https://github.com/rspec/rspec-support.git"
+gem "bcrypt", "~> 3.1", require: false
 gem "activerecord-jdbcsqlite3-adapter", platform: :jruby
-gem "sqlite3", platform: [:ruby, :mswin, :mingw, :x64_mingw]
+gem "sqlite3", "~> 1.4", platform: [:ruby, :mswin, :mingw, :x64_mingw]
 gem "tzinfo-data", platforms: [:mingw, :mswin, :x64_mingw]
-%w[rspec-core rspec-expectations rspec-mocks rspec-rails rspec-support].each do |lib|
-  gem lib, git: "https://github.com/rspec/#{lib}.git", branch: 'master'
-end
 gemspec path: "../"

data/lib/doorkeeper.rb CHANGED

@@ -51,12 +51,18 @@ require 'doorkeeper/oauth/token_introspection'
 require 'doorkeeper/oauth/invalid_token_response'
 require 'doorkeeper/oauth/forbidden_token_response'
+require 'doorkeeper/secret_storing/base'
+require 'doorkeeper/secret_storing/plain'
+require 'doorkeeper/secret_storing/sha256_hash'
+require 'doorkeeper/secret_storing/bcrypt'
 require 'doorkeeper/models/concerns/orderable'
 require 'doorkeeper/models/concerns/scopes'
 require 'doorkeeper/models/concerns/expirable'
+require 'doorkeeper/models/concerns/reusable'
 require 'doorkeeper/models/concerns/revocable'
 require 'doorkeeper/models/concerns/accessible'
-require 'doorkeeper/models/concerns/hashable'
+require 'doorkeeper/models/concerns/secret_storable'
 require 'doorkeeper/models/access_grant_mixin'
 require 'doorkeeper/models/access_token_mixin'

data/lib/doorkeeper/config.rb CHANGED

@@ -126,6 +126,15 @@ module Doorkeeper
         @config.instance_variable_set(:@reuse_access_token, true)
       end
+      # Sets the token_reuse_limit
+      # It will be used only when reuse_access_token option in enabled
+      # By default it will be 100
+      # It will be used for token reusablity to some threshold percentage
+      # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/1189
+      def token_reuse_limit(percentage)
+        @config.instance_variable_set(:@token_reuse_limit, percentage)
+      end
       # Use an API mode for applications generated with --api argument
       # It will skip applications controller, disable forgery protection
       def api_only
@@ -147,20 +156,53 @@ module Doorkeeper
       # Allow optional hashing of input tokens before persisting them.
       # Will be used for hashing of input token and grants.
-      def hash_token_secrets
-        @config.instance_variable_set(:@hash_token_secrets, true)
+      #
+      # @param using
+      #   Provide a different secret storage implementation class for tokens
+      # @param fallback
+      #   Provide a fallback secret storage implementation class for tokens
+      #   or use :plain to fallback to plain tokens
+      def hash_token_secrets(using: nil, fallback: nil)
+        default = '::Doorkeeper::SecretStoring::Sha256Hash'
+        configure_secrets_for :token,
+                              using: using || default,
+                              fallback: fallback
       end
       # Allow optional hashing of application secrets before persisting them.
       # Will be used for hashing of input token and grants.
-      def hash_application_secrets
-        @config.instance_variable_set(:@hash_application_secrets, true)
+      #
+      # @param using
+      #   Provide a different secret storage implementation for applications
+      # @param fallback
+      #   Provide a fallback secret storage implementation for applications
+      #   or use :plain to fallback to plain application secrets
+      def hash_application_secrets(using: nil, fallback: nil)
+        default = '::Doorkeeper::SecretStoring::Sha256Hash'
+        configure_secrets_for :application,
+                              using: using || default,
+                              fallback: fallback
       end
-      # Allow plain value lookup when using +hash_token_secrets+
-      # or +hash_application_secrets+ to avoid disrupting application experience
-      def fallback_to_plain_secrets
-        @config.instance_variable_set(:@fallback_to_plain_secrets, true)
+      private
+      # Configure the secret storing functionality
+      def configure_secrets_for(type, using:, fallback:)
+        unless %i[application token].include?(type)
+          raise ArgumentError, "Invalid type #{type}"
+        end
+        @config.instance_variable_set(:"@#{type}_secret_strategy",
+                                      using.constantize)
+        if fallback.nil?
+          return
+        elsif fallback.to_sym == :plain
+          fallback = '::Doorkeeper::SecretStoring::Plain'
+        end
+        @config.instance_variable_set(:"@#{type}_secret_fallback_strategy",
+                                      fallback.constantize)
       end
     end
@@ -252,11 +294,16 @@ module Doorkeeper
              nil
            end)
-    option :before_successful_authorization, default: ->(_context) {}
-    option :after_successful_authorization, default: ->(_context) {}
-    option :before_successful_strategy_response, default: ->(_request) {}
-    option :after_successful_strategy_response,
-           default: ->(_request, _response) {}
+    # Hooks for authorization
+    option :before_successful_authorization,      default: ->(_context) {}
+    option :after_successful_authorization,       default: ->(_context) {}
+    # Hooks for strategies responses
+    option :before_successful_strategy_response,  default: ->(_request) {}
+    option :after_successful_strategy_response,   default: ->(_request, _response) {}
+    # Allows to customize Token Introspection response
+    option :custom_introspection_response,        default: ->(_token, _context) { {} }
     option :skip_authorization,             default: ->(_routes) {}
     option :access_token_expires_in,        default: 7200
     option :custom_access_token_expires_in, default: ->(_context) { nil }
@@ -304,6 +351,15 @@ module Doorkeeper
     option :access_token_generator,
            default: 'Doorkeeper::OAuth::Helpers::UniqueToken'
+    # Default access token generator is a SecureRandom class from Ruby stdlib.
+    # This option defines which method will be used to generate a unique token value.
+    #
+    # @param access_token_generator [String]
+    #   the name of the access token generator class
+    #
+    option :default_generator_method,  default: :urlsafe_base64
     # The controller Doorkeeper::ApplicationController inherits from.
     # Defaults to ActionController::Base.
     # https://github.com/doorkeeper-gem/doorkeeper#custom-base-controller
@@ -319,6 +375,8 @@ module Doorkeeper
     # Return the valid subset of this configuration
     def validate
       validate_reuse_access_token_value
+      validate_token_reuse_limit
+      validate_secret_strategies
     end
     def api_only
@@ -337,6 +395,10 @@ module Doorkeeper
       end
     end
+    def token_reuse_limit
+      @token_reuse_limit ||= 100
+    end
     def enforce_configured_scopes?
       option_set? :enforce_configured_scopes
     end
@@ -353,16 +415,20 @@ module Doorkeeper
       handle_auth_errors == :raise
     end
-    def hash_token_secrets?
-      option_set? :hash_token_secrets
+    def token_secret_strategy
+      @token_secret_strategy ||= ::Doorkeeper::SecretStoring::Plain
+    end
+    def token_secret_fallback_strategy
+      @token_secret_fallback_strategy
     end
-    def hash_application_secrets?
-      option_set? :hash_application_secrets
+    def application_secret_strategy
+      @application_secret_strategy ||= ::Doorkeeper::SecretStoring::Plain
     end
-    def fallback_to_plain_secrets?
-      option_set? :fallback_to_plain_secrets
+    def application_secret_fallback_strategy
+      @application_secret_fallback_strategy
     end
     def default_scopes
@@ -424,18 +490,38 @@ module Doorkeeper
       types
     end
-    # Determine whether +reuse_access_token+ and +hash_token_secrets+
-    # have both been activated.
+    # Determine whether +reuse_access_token+ and a non-restorable
+    # +token_secret_strategy+ have both been activated.
     #
     # In that case, disable reuse_access_token value and warn the user.
     def validate_reuse_access_token_value
-      return unless hash_token_secrets? && reuse_access_token
+      strategy = token_secret_strategy
+      return if !reuse_access_token || strategy.allows_restoring_secrets?
       ::Rails.logger.warn(
-        'You are configured both reuse_access_token AND hash_token_secrets. ' \
-        'This combination is unsupported. reuse_access_token will be disabled'
+        "You have configured both reuse_access_token " \
+        "AND strategy strategy '#{strategy}' that cannot restore tokens. " \
+        "This combination is unsupported. reuse_access_token will be disabled"
       )
       @reuse_access_token = false
     end
+    # Validate that the provided strategies are valid for
+    # tokens and applications
+    def validate_secret_strategies
+      token_secret_strategy.validate_for :token
+      application_secret_strategy.validate_for :application
+    end
+    def validate_token_reuse_limit
+      return if !reuse_access_token ||
+                (token_reuse_limit > 0 && token_reuse_limit <= 100)
+      ::Rails.logger.warn(
+        'You have configured an invalid value for token_reuse_limit option. ' \
+        'It will be set to default 100'
+      )
+      @token_reuse_limit = 100
+    end
   end
 end

data/lib/doorkeeper/models/access_grant_mixin.rb CHANGED

@@ -9,7 +9,7 @@ module Doorkeeper
     include Models::Revocable
     include Models::Accessible
     include Models::Orderable
-    include Models::Hashable
+    include Models::SecretStorable
     include Models::Scopes
     # never uses pkce, if pkce migrations were not generated
@@ -34,12 +34,6 @@ module Doorkeeper
         find_by_plaintext_token(:token, token)
       end
-      # We want to perform secret hashing whenever the user
-      # enables the configuration option +hash_token_secrets+
-      def perform_secret_hashing?
-        Doorkeeper.configuration.hash_token_secrets?
-      end
       # Revokes AccessGrant records that have not been revoked and associated
       # with the specific Application and Resource Owner.
       #
@@ -101,6 +95,20 @@ module Doorkeeper
       def pkce_supported?
         new.pkce_supported?
       end
+      ##
+      # Determines the secret storing transformer
+      # Unless configured otherwise, uses the plain secret strategy
+      def secret_strategy
+        ::Doorkeeper.configuration.token_secret_strategy
+      end
+      ##
+      # Determine the fallback storing strategy
+      # Unless configured, there will be no fallback
+      def fallback_secret_strategy
+        ::Doorkeeper.configuration.token_secret_fallback_strategy
+      end
     end
   end
 end

data/lib/doorkeeper/models/access_token_mixin.rb CHANGED

@@ -6,10 +6,11 @@ module Doorkeeper
     include OAuth::Helpers
     include Models::Expirable
+    include Models::Reusable
     include Models::Revocable
     include Models::Accessible
     include Models::Orderable
-    include Models::Hashable
+    include Models::SecretStorable
     include Models::Scopes
     module ClassMethods
@@ -39,12 +40,6 @@ module Doorkeeper
         find_by_plaintext_token(:refresh_token, refresh_token)
       end
-      # We want to perform secret hashing whenever the user
-      # enables the configuration option +hash_token_secrets+
-      def perform_secret_hashing?
-        Doorkeeper.configuration.hash_token_secrets?
-      end
       # Revokes AccessToken records that have not been revoked and associated
       # with the specific Application and Resource Owner.
       #
@@ -132,7 +127,7 @@ module Doorkeeper
         if Doorkeeper.configuration.reuse_access_token
           access_token = matching_token_for(application, resource_owner_id, scopes)
-          return access_token if access_token && !access_token.expired?
+          return access_token if access_token && access_token.reusable?
         end
         create!(
@@ -175,6 +170,20 @@ module Doorkeeper
       def last_authorized_token_for(application_id, resource_owner_id)
         authorized_tokens_for(application_id, resource_owner_id).first
       end
+      ##
+      # Determines the secret storing transformer
+      # Unless configured otherwise, uses the plain secret strategy
+      def secret_strategy
+        ::Doorkeeper.configuration.token_secret_strategy
+      end
+      ##
+      # Determine the fallback storing strategy
+      # Unless configured, there will be no fallback
+      def fallback_secret_strategy
+        ::Doorkeeper.configuration.token_secret_fallback_strategy
+      end
     end
     # Access Token type: Bearer.
@@ -229,20 +238,24 @@ module Doorkeeper
     # We keep a volatile copy of the raw refresh token for initial communication
     # The stored refresh_token may be mapped and not available in cleartext.
     def plaintext_refresh_token
-      if perform_secret_hashing?
-        @raw_refresh_token
+      if secret_strategy.allows_restoring_secrets?
+        secret_strategy.restore_secret(self, :refresh_token)
       else
-        refresh_token
+        @raw_refresh_token
       end
     end
     # We keep a volatile copy of the raw token for initial communication
     # The stored refresh_token may be mapped and not available in cleartext.
+    #
+    # Some strategies allow restoring stored secrets (e.g. symmetric encryption)
+    # while hashing strategies do not, so you cannot rely on this value
+    # returning a present value for persisted tokens.
     def plaintext_token
-      if perform_secret_hashing?
-        @raw_token
+      if secret_strategy.allows_restoring_secrets?
+        secret_strategy.restore_secret(self, :token)
       else
-        token
+        @raw_token
       end
     end
@@ -254,7 +267,7 @@ module Doorkeeper
     #
     def generate_refresh_token
       @raw_refresh_token = UniqueToken.generate
-      self.refresh_token = hashed_or_plain_token(@raw_refresh_token)
+      secret_strategy.store_secret(self, :refresh_token, @raw_refresh_token)
     end
     # Generates and sets the token value with the
@@ -278,7 +291,7 @@ module Doorkeeper
         created_at: created_at
       )
-      self.token = hashed_or_plain_token(@raw_token)
+      secret_strategy.store_secret(self, :token, @raw_token)
       @raw_token
     end