doorkeeper 5.1.0.rc1 → 5.1.0.rc2

data/lib/doorkeeper/models/application_mixin.rb

@@ -1,40 +1,16 @@
 # frozen_string_literal: true
 
-require 'bcrypt'
-
 module Doorkeeper
   module ApplicationMixin
     extend ActiveSupport::Concern
 
     include OAuth::Helpers
     include Models::Orderable
-    include Models::Hashable
+    include Models::SecretStorable
     include Models::Scopes
 
-    included do
-      # Use BCrypt as the hashing function for applications
-      self.secret_hash_function = lambda do |plain_token|
-        BCrypt::Password.create(plain_token.to_s)
-      end
-
-      # Also need to override the comparer function for BCrypt
-      self.secret_comparer = lambda do |plain, secret|
-        begin
-          BCrypt::Password.new(secret.to_s) == plain.to_s
-        rescue BCrypt::Errors::InvalidHash
-          false
-        end
-      end
-    end
-
     # :nodoc
     module ClassMethods
-      # We want to perform secret hashing whenever the user
-      # enables the configuration option +hash_application_secrets+
-      def perform_secret_hashing?
-        Doorkeeper.configuration.hash_application_secrets?
-      end
-
       # Returns an instance of the Doorkeeper::Application with
       # specific UID and secret.
       #
@@ -65,6 +41,20 @@ module Doorkeeper
       def by_uid(uid)
         find_by(uid: uid.to_s)
       end
+
+      ##
+      # Determines the secret storing transformer
+      # Unless configured otherwise, uses the plain secret strategy
+      def secret_strategy
+        ::Doorkeeper.configuration.application_secret_strategy
+      end
+
+      ##
+      # Determine the fallback storing strategy
+      # Unless configured, there will be no fallback
+      def fallback_secret_strategy
+        ::Doorkeeper.configuration.application_secret_fallback_strategy
+      end
     end
 
     # Set an application's valid redirect URIs.
@@ -90,12 +80,12 @@ module Doorkeeper
       return false if input.nil? || secret.nil?
 
       # When matching the secret by comparer function, all is well.
-      return true if self.class.secret_matches?(input, secret)
+      return true if secret_strategy.secret_matches?(input, secret)
 
       # When fallback lookup is enabled, ensure applications
       # with plain secrets can still be found
-      if Doorkeeper.configuration.fallback_to_plain_secrets?
-        ActiveSupport::SecurityUtils.secure_compare(input, secret)
+      if fallback_secret_strategy
+        fallback_secret_strategy.secret_matches?(input, secret)
       else
         false
       end

data/lib/doorkeeper/models/concerns/expirable.rb

@@ -24,10 +24,11 @@ module Doorkeeper
 
       # Expiration time (date time of creation + TTL).
       #
-      # @return [Time] expiration time in UTC
+      # @return [Time, nil] expiration time in UTC
+      #   or nil if the object never expires.
       #
       def expires_at
-        created_at + expires_in.seconds
+        expires_in && created_at + expires_in.seconds
       end
     end
   end

data/lib/doorkeeper/models/concerns/reusable.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module Models
+    module Reusable
+      # Indicates whether the object is reusable (i.e. It is not expired and
+      # has not crossed reuse_limit).
+      #
+      # @return [Boolean] true if can be reused and false in other case
+      def reusable?
+        return false if expired?
+        return true unless expires_in
+
+        threshold_limit = 100 - Doorkeeper.configuration.token_reuse_limit
+        expires_in_seconds >= threshold_limit * expires_in / 100
+      end
+    end
+  end
+end

data/lib/doorkeeper/models/concerns/scopes.rb

@@ -7,6 +7,10 @@ module Doorkeeper
         OAuth::Scopes.from_string(scopes_string)
       end
 
+      def scopes=(value)
+        super Array(value).join(' ')
+      end
+
       def scopes_string
         self[:scopes]
       end

data/lib/doorkeeper/models/concerns/secret_storable.rb

@@ -0,0 +1,106 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module Models
+    ##
+    # Storable finder to provide lookups for input plaintext values which are
+    # mapped to their stored versions (e.g., hashing, encryption) before lookup.
+    module SecretStorable
+      extend ActiveSupport::Concern
+
+      delegate :secret_strategy,
+               :fallback_secret_strategy,
+               to: :class
+
+      # :nodoc
+      module ClassMethods
+        # Compare the given plaintext with the secret
+        #
+        # @param input [String]
+        #   The plain input to compare.
+        #
+        # @param secret [String]
+        #   The secret value to compare with.
+        #
+        # @return [Boolean]
+        #   Whether input matches secret as per the secret strategy
+        #
+        def secret_matches?(input, secret)
+          secret_strategy.secret_matches?(input, secret)
+        end
+
+        # Returns an instance of the Doorkeeper::AccessToken with
+        # specific token value.
+        #
+        # @param attr [Symbol]
+        #   The token attribute we're looking with.
+        #
+        # @param token [#to_s]
+        #   token value (any object that responds to `#to_s`)
+        #
+        # @return [Doorkeeper::AccessToken, nil] AccessToken object or nil
+        #   if there is no record with such token
+        #
+        def find_by_plaintext_token(attr, token)
+          token = token.to_s
+
+          find_by(attr => secret_strategy.transform_secret(token)) ||
+            find_by_fallback_token(attr, token)
+        end
+
+        # Allow looking up previously plain tokens as a fallback
+        # IFF a fallback strategy has been defined
+        #
+        # @param attr [Symbol]
+        #   The token attribute we're looking with.
+        #
+        # @param plain_secret [#to_s]
+        #   plain secret value (any object that responds to `#to_s`)
+        #
+        # @return [Doorkeeper::AccessToken, nil] AccessToken object or nil
+        #   if there is no record with such token
+        #
+        def find_by_fallback_token(attr, plain_secret)
+          return nil unless fallback_secret_strategy
+
+          # Use the previous strategy to look up
+          stored_token = fallback_secret_strategy.transform_secret(plain_secret)
+          find_by(attr => stored_token).tap do |resource|
+            upgrade_fallback_value resource, attr, plain_secret
+          end
+        end
+
+        # Allow implementations in ORMs to replace a plain
+        # value falling back to to avoid it remaining as plain text.
+        #
+        # @param instance
+        #   An instance of this model with a plain value token.
+        #
+        # @param attr
+        #   The secret attribute name to upgrade.
+        #
+        # @param plain_secret
+        #   The plain secret to upgrade.
+        #
+        def upgrade_fallback_value(instance, attr, plain_secret)
+          upgraded = secret_strategy.store_secret(instance, attr, plain_secret)
+          instance.update(attr => upgraded)
+        end
+
+        ##
+        # Determines the secret storing transformer
+        # Unless configured otherwise, uses the plain secret strategy
+        def secret_strategy
+          ::Doorkeeper::SecretStoring::Plain
+        end
+
+        ##
+        # Determine the fallback storing strategy
+        # Unless configured, there will be no fallback
+        def fallback_secret_strategy
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/oauth/authorization/token.rb

@@ -8,7 +8,9 @@ module Doorkeeper
 
         class << self
           def build_context(pre_auth_or_oauth_client, grant_type, scopes)
-            oauth_client = if pre_auth_or_oauth_client.respond_to?(:client)
+            oauth_client = if pre_auth_or_oauth_client.respond_to?(:application)
+                             pre_auth_or_oauth_client.application
+                           elsif pre_auth_or_oauth_client.respond_to?(:client)
                              pre_auth_or_oauth_client.client
                            else
                              pre_auth_or_oauth_client

data/lib/doorkeeper/oauth/error_response.rb

@@ -32,7 +32,11 @@ module Doorkeeper
       end
 
       def status
-        :unauthorized
+        if name == :invalid_client
+          :unauthorized
+        else
+          :bad_request
+        end
       end
 
       def redirectable?

data/lib/doorkeeper/oauth/helpers/unique_token.rb

@@ -5,10 +5,21 @@ module Doorkeeper
     module Helpers
       module UniqueToken
         def self.generate(options = {})
-          generator_method = options.delete(:generator) || SecureRandom.method(:hex)
+          # Access Token value must be 1*VSCHAR or 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
+          #
+          # @see https://tools.ietf.org/html/rfc6749#appendix-A.12
+          # @see https://tools.ietf.org/html/rfc6750#section-2.1
+          #
+          generator_method = options.delete(:generator) || SecureRandom.method(self.generator_method)
           token_size       = options.delete(:size)      || 32
           generator_method.call(token_size)
         end
+
+        # Generator method for default generator class (SecureRandom)
+        #
+        def self.generator_method
+          Doorkeeper.configuration.default_generator_method
+        end
       end
     end
   end

data/lib/doorkeeper/oauth/invalid_token_response.rb

@@ -22,6 +22,10 @@ module Doorkeeper
         @reason = attributes[:reason] || :unknown
       end
 
+      def status
+        :unauthorized
+      end
+
       def description
         scope = { scope: %i[doorkeeper errors messages invalid_token] }
         @description ||= I18n.translate @reason, scope

data/lib/doorkeeper/oauth/token_introspection.rb

@@ -20,6 +20,16 @@ module Doorkeeper
         @error.blank?
       end
 
+      def error_response
+        return if @error.blank?
+
+        if @error == :invalid_token
+          OAuth::InvalidTokenResponse.from_access_token(authorized_token)
+        else
+          OAuth::ErrorResponse.new(name: @error)
+        end
+      end
+
       def to_json
         active? ? success_response : failure_response
       end
@@ -37,13 +47,29 @@ module Doorkeeper
       #
       # @see https://www.oauth.com/oauth2-servers/token-introspection-endpoint/
       #
+      # To prevent token scanning attacks, the endpoint MUST also require
+      # some form of authorization to access this endpoint, such as client
+      # authentication as described in OAuth 2.0 [RFC6749] or a separate
+      # OAuth 2.0 access token such as the bearer token described in OAuth
+      # 2.0 Bearer Token Usage [RFC6750].
+      #
       def authorize!
         # Requested client authorization
         if server.credentials
           @error = :invalid_client unless authorized_client
-        else
+        elsif authorized_token
           # Requested bearer token authorization
-          @error = :invalid_request unless authorized_token
+          #
+          #  If the protected resource uses an OAuth 2.0 bearer token to authorize
+          #  its call to the introspection endpoint and the token used for
+          #  authorization does not contain sufficient privileges or is otherwise
+          #  invalid for this request, the authorization server responds with an
+          #  HTTP 401 code as described in Section 3 of OAuth 2.0 Bearer Token
+          #  Usage [RFC6750].
+          #
+          @error = :invalid_token if authorized_token_matches_introspected? || !authorized_token.accessible?
+        else
+          @error = :invalid_request
         end
       end
 
@@ -60,14 +86,14 @@ module Doorkeeper
 
       # 2.2. Introspection Response
       def success_response
-        {
+        customize_response(
           active: true,
           scope: @token.scopes_string,
           client_id: @token.try(:application).try(:uid),
           token_type: @token.token_type,
           exp: @token.expires_at.to_i,
           iat: @token.created_at.to_i
-        }
+        )
       end
 
       # If the introspection call is properly authorized but the token is not
@@ -103,6 +129,25 @@ module Doorkeeper
       # * The token expired
       # * The token was issued to a different client than is making this request
       #
+      # Since resource servers using token introspection rely on the
+      # authorization server to determine the state of a token, the
+      # authorization server MUST perform all applicable checks against a
+      # token's state.  For instance, these tests include the following:
+      #
+      #    o  If the token can expire, the authorization server MUST determine
+      #       whether or not the token has expired.
+      #    o  If the token can be issued before it is able to be used, the
+      #       authorization server MUST determine whether or not a token's valid
+      #       period has started yet.
+      #    o  If the token can be revoked after it was issued, the authorization
+      #       server MUST determine whether or not such a revocation has taken
+      #       place.
+      #    o  If the token has been signed, the authorization server MUST
+      #       validate the signature.
+      #    o  If the token can be used only at certain resource servers, the
+      #       authorization server MUST determine whether or not the token can
+      #       be used at the resource server making the introspection call.
+      #
       def active?
         if authorized_client
           valid_token? && authorized_for_client?
@@ -113,18 +158,39 @@ module Doorkeeper
 
       # Token can be valid only if it is not expired or revoked.
       def valid_token?
-        @token.present? && @token.accessible?
+        @token && @token.accessible?
+      end
+
+      # RFC7662 Section 2.1
+      def authorized_token_matches_introspected?
+        authorized_token.token == @token.token
       end
 
       # If token doesn't belong to some client, then it is public.
       # Otherwise in it required for token to be connected to the same client.
       def authorized_for_client?
-        if @token.application.present?
+        if @token.application
           @token.application == authorized_client.application
         else
           true
         end
       end
+
+      # Allows to customize introspection response.
+      # Provides context (controller) and token for generating developer-specific
+      # response.
+      #
+      # @see https://tools.ietf.org/html/rfc7662#section-2.2
+      #
+      def customize_response(response)
+        customized_response = Doorkeeper.configuration.custom_introspection_response.call(
+          token,
+          server.context
+        )
+        return response if customized_response.blank?
+
+        response.merge(customized_response)
+      end
     end
   end
 end

data/lib/doorkeeper/orm/active_record/access_grant.rb

@@ -27,16 +27,17 @@ module Doorkeeper
 
     before_validation :generate_token, on: :create
 
-    # Keep a reference to the generated token during generation
-    # of this access grant. The actual token may be mapped by
-    # the configuration hasher and may not be available in plaintext.
+    # We keep a volatile copy of the raw token for initial communication
+    # The stored refresh_token may be mapped and not available in cleartext.
     #
-    # If hash tokens are enabled, this will return nil on fetched tokens
+    # Some strategies allow restoring stored secrets (e.g. symmetric encryption)
+    # while hashing strategies do not, so you cannot rely on this value
+    # returning a present value for persisted tokens.
     def plaintext_token
-      if perform_secret_hashing?
-        @raw_token
+      if secret_strategy.allows_restoring_secrets?
+        secret_strategy.restore_secret(self, :token)
       else
-        token
+        @raw_token
       end
     end
 
@@ -48,7 +49,7 @@ module Doorkeeper
     #
     def generate_token
       @raw_token = UniqueToken.generate
-      self.token = hashed_or_plain_token(@raw_token)
+      secret_strategy.store_secret(self, :token, @raw_token)
     end
   end
 end