doorkeeper 5.1.0.rc1 → 5.1.0.rc2

data/lib/doorkeeper/orm/active_record/application.rb

@@ -45,13 +45,17 @@ module Doorkeeper
       AccessGrant.revoke_all_for(id, resource_owner)
     end
 
-    # We keep a volatile copy of the raw client_secret for initial communication
-    # The stored secret may be mapped and not available in cleartext.
+    # We keep a volatile copy of the raw secret for initial communication
+    # The stored refresh_token may be mapped and not available in cleartext.
+    #
+    # Some strategies allow restoring stored secrets (e.g. symmetric encryption)
+    # while hashing strategies do not, so you cannot rely on this value
+    # returning a present value for persisted tokens.
     def plaintext_secret
-      if perform_secret_hashing?
-        @raw_secret
+      if secret_strategy.allows_restoring_secrets?
+        secret_strategy.restore_secret(self, :secret)
       else
-        secret
+        @raw_secret
       end
     end
 
@@ -65,7 +69,7 @@ module Doorkeeper
       return unless secret.blank?
 
       @raw_secret = UniqueToken.generate
-      self.secret = hashed_or_plain_token(@raw_secret)
+      secret_strategy.store_secret(self, :secret, @raw_secret)
     end
 
     def scopes_match_configured

data/lib/doorkeeper/secret_storing/base.rb

@@ -0,0 +1,63 @@
+module Doorkeeper
+  module SecretStoring
+
+    ##
+    # Base class for secret storing, including common helpers
+    class Base
+      ##
+      # Return the value to be stored by the database
+      # used for looking up a database value.
+      # @param plain_secret The plain secret input / generated
+      def self.transform_secret(plain_secret)
+        raise NotImplementedError
+      end
+
+      ##
+      # Transform and store the given secret attribute => value
+      # pair used for safely storing the attribute
+      # @param resource The model instance being modified
+      # @param attribute The secret attribute
+      # @param plain_secret The plain secret input / generated
+      def self.store_secret(resource, attribute, plain_secret)
+        transformed_value = self.transform_secret plain_secret
+        resource.public_send :"#{attribute}=", transformed_value
+
+        transformed_value
+      end
+
+      ##
+      # Return the restored value from the database
+      # @param resource The resource instance to act on
+      # @param attribute The secret attribute to restore
+      # as retrieved from the database.
+      def self.restore_secret(resource, attribute)
+        raise NotImplementedError
+      end
+
+      ##
+      # Determines whether this strategy supports restoring
+      # secrets from the database. This allows detecting users
+      # trying to use a non-restorable strategy with +reuse_access_tokens+.
+      def self.allows_restoring_secrets?
+        false
+      end
+
+      ##
+      # Determines what secrets this strategy is applicable for
+      def self.validate_for(model)
+        valid = %i[token application]
+        return true if valid.include?(model.to_sym)
+
+        raise ArgumentError, "'#{name}' can not be used for #{model}."
+      end
+
+      ##
+      # Securely compare the given +input+ value with a +stored+ value
+      # processed by +transform_secret+.
+      def self.secret_matches?(input, stored)
+        transformed_input = transform_secret(input)
+        ActiveSupport::SecurityUtils.secure_compare transformed_input, stored
+      end
+    end
+  end
+end

data/lib/doorkeeper/secret_storing/bcrypt.rb

@@ -0,0 +1,59 @@
+module Doorkeeper
+  module SecretStoring
+
+    ##
+    # Plain text secret storing, which is the default
+    # but also provides fallback lookup if
+    # other secret storing mechanisms are enabled.
+    class BCrypt < Base
+      ##
+      # Return the value to be stored by the database
+      # @param plain_secret The plain secret input / generated
+      def self.transform_secret(plain_secret)
+        ::BCrypt::Password.create(plain_secret.to_s)
+      end
+
+      ##
+      # Securely compare the given +input+ value with a +stored+ value
+      # processed by +transform_secret+.
+      def self.secret_matches?(input, stored)
+        ::BCrypt::Password.new(stored.to_s) == input.to_s
+      rescue ::BCrypt::Errors::InvalidHash
+        false
+      end
+
+      ##
+      # Determines whether this strategy supports restoring
+      # secrets from the database. This allows detecting users
+      # trying to use a non-restorable strategy with +reuse_access_tokens+.
+      def self.allows_restoring_secrets?
+        false
+      end
+
+      ##
+      # Determines what secrets this strategy is applicable for
+      def self.validate_for(model)
+        unless model.to_sym == :application
+          raise ArgumentError,
+                "'#{name}' can only be used for storing application secrets."
+        end
+
+        unless bcrypt_present?
+          raise ArgumentError,
+                "'#{name}' requires the 'bcrypt' gem being loaded."
+        end
+
+        true
+      end
+
+      ##
+      # Test if we can require the BCrypt gem
+      def self.bcrypt_present?
+        require 'bcrypt'
+        true
+      rescue LoadError
+        false
+      end
+    end
+  end
+end

data/lib/doorkeeper/secret_storing/plain.rb

@@ -0,0 +1,33 @@
+module Doorkeeper
+  module SecretStoring
+
+    ##
+    # Plain text secret storing, which is the default
+    # but also provides fallback lookup if
+    # other secret storing mechanisms are enabled.
+    class Plain < Base
+
+      ##
+      # Return the value to be stored by the database
+      # @param plain_secret The plain secret input / generated
+      def self.transform_secret(plain_secret)
+        plain_secret
+      end
+
+      ##
+      # Return the restored value from the database
+      # @param resource The resource instance to act on
+      # @param attribute The secret attribute to restore
+      # as retrieved from the database.
+      def self.restore_secret(resource, attribute)
+        resource.public_send attribute
+      end
+
+      ##
+      # Plain values obviously allow restoring
+      def self.allows_restoring_secrets?
+        true
+      end
+    end
+  end
+end

data/lib/doorkeeper/secret_storing/sha256_hash.rb

@@ -0,0 +1,25 @@
+module Doorkeeper
+  module SecretStoring
+
+    ##
+    # Plain text secret storing, which is the default
+    # but also provides fallback lookup if
+    # other secret storing mechanisms are enabled.
+    class Sha256Hash < Base
+      ##
+      # Return the value to be stored by the database
+      # @param plain_secret The plain secret input / generated
+      def self.transform_secret(plain_secret)
+        ::Digest::SHA256.hexdigest plain_secret
+      end
+
+      ##
+      # Determines whether this strategy supports restoring
+      # secrets from the database. This allows detecting users
+      # trying to use a non-restorable strategy with +reuse_access_tokens+.
+      def self.allows_restoring_secrets?
+        false
+      end
+    end
+  end
+end

data/lib/doorkeeper/version.rb

@@ -10,7 +10,7 @@ module Doorkeeper
     MAJOR = 5
     MINOR = 1
     TINY = 0
-    PRE = 'rc1'
+    PRE = 'rc2'
 
     # Full version number
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

data/lib/generators/doorkeeper/templates/initializer.rb

@@ -64,7 +64,7 @@ Doorkeeper.configure do
 
   # The controller Doorkeeper::ApplicationController inherits from.
   # Defaults to ActionController::Base.
-  # See https://github.com/doorkeeper-gem/doorkeeper#custom-base-controller
+  # See https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-base-controller
   #
   # base_controller 'ApplicationController'
 
@@ -79,35 +79,59 @@ Doorkeeper.configure do
   #
   # reuse_access_token
 
+  # Set a limit for token_reuse if using reuse_access_token option
+  #
+  # This option limits token_reusability to some extent.
+  # If not set then access_token will be reused unless it expires.
+  # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/1189
+  #
+  # This option should be a percentage(i.e. (0,100])
+  #
+  # token_reuse_limit 100
+
   # Hash access and refresh tokens before persisting them.
-  # Note: This will disable the possibility to use +reuse_access_token+
+  # This will disable the possibility to use +reuse_access_token+
   # since plain values can no longer be retrieved.
   #
+  # Note: If you are already a user of doorkeeper and have existing tokens
+  # in your installation, they will be invalid without enabling the additional
+  # setting `fallback_to_plain_secrets` below.
+  #
   # hash_token_secrets
+  # By default, token secrets will be hashed using the
+  # +Doorkeeper::Hashing::SHA256+ strategy.
+  #
+  # If you wish to use another hashing implementation, you can override
+  # this strategy as follows:
+  #
+  # hash_token_secrets using: '::Doorkeeper::Hashing::MyCustomHashImpl'
+  #
+  # Keep in mind that changing the hashing function will invalidate all existing
+  # secrets, if there are any.
 
   # Hash application secrets before persisting them.
   #
   # hash_application_secrets
+  #
+  # By default, applications will be hashed
+  # with the +Doorkeeper::SecretStoring::SHA256+ strategy.
+  #
+  # If you wish to use bcrypt for application secret hashing, uncomment
+  # this line instead:
+  #
+  # hash_application_secrets using: '::Doorkeeper::SecretStoring::BCrypt'
 
   # When the above option is enabled,
   # and a hashed token or secret is not found,
-  # look up the plain text token as a fallback.
+  # you can allow to fall back to another strategy.
+  # For users upgrading doorkeeper and wishing to enable hashing,
+  # you will probably want to enable the fallback to plain tokens.
   #
   # This will ensure that old access tokens and secrets
-  # will remain valid even if the hashing above is enabled
+  # will remain valid even if the hashing above is enabled.
   #
   # fallback_to_plain_secrets
 
-  #
-  # Since old values will not be re-hashed, lookups to tokens and secrets
-  # will fall back to plain value comparison so any existing tokens will
-  # not be invalidated.
-  #
-  # For example, to use SHA256 digests on plain values, uncomment these lines:
-  # hash_secrets do |plain_value|
-  #   Digest::SHA256.hexdigest plain_value
-  # end
-
   # Issue access tokens with refresh token (disabled by default), you may also
   # pass a block which accepts `context` to customize when to give a refresh
   # token or not. Similar to `custom_access_token_expires_in`, `context` has
@@ -119,12 +143,6 @@ Doorkeeper.configure do
   #
   # use_refresh_token
 
-  # Forbids creating/updating applications with arbitrary scopes that are
-  # not in configuration, i.e. `default_scopes` or `optional_scopes`.
-  # (disabled by default)
-  #
-  # enforce_configured_scopes
-
   # Provide support for an owner to be assigned to each registered application (disabled by default)
   # Optional parameter confirmation: true (default false) if you want to enforce ownership of
   # a registered application
@@ -148,6 +166,12 @@ Doorkeeper.configure do
   #
   # scopes_by_grant_type password: [:write], client_credentials: [:update]
 
+  # Forbids creating/updating applications with arbitrary scopes that are
+  # not in configuration, i.e. `default_scopes` or `optional_scopes`.
+  # (disabled by default)
+  #
+  # enforce_configured_scopes
+
   # Change the way client credentials are retrieved from the request object.
   # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
   # falls back to the `:client_id` and `:client_secret` params from the `params` object.
@@ -205,6 +229,24 @@ Doorkeeper.configure do
   #
   # handle_auth_errors :raise
 
+  # Customize token introspection response.
+  # Allows to add your own fields to default one that are required by the OAuth spec
+  # for the introspection response. It could be `sub`, `aud` and so on.
+  # This configuration option can be a proc, lambda or any Ruby object responds
+  # to `.call` method and result of it's invocation must be a Hash.
+  #
+  # custom_introspection_response do |token, context|
+  #   {
+  #     "sub": "Z5O3upPC88QrAjx00dis",
+  #     "aud": "https://protected.example.net/resource",
+  #     "username": User.find(token.resource_owner_id).username
+  #   }
+  # end
+  #
+  # or
+  #
+  # custom_introspection_response CustomIntrospectionResponder
+
   # Specify what grant flows are enabled in array of Strings. The valid
   # strings and the flows they enable are:
   #

data/spec/controllers/authorizations_controller_spec.rb

@@ -91,7 +91,7 @@ describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
     end
 
     it "includes access token in fragment" do
-      expect(redirect_uri.match(/access_token=([a-f0-9]+)&?/)[1]).to eq(Doorkeeper::AccessToken.first.token)
+      expect(redirect_uri.match(/access_token=([a-zA-Z0-9\-_]+)&?/)[1]).to eq(Doorkeeper::AccessToken.first.token)
     end
 
     it "includes token type in fragment" do
@@ -165,7 +165,7 @@ describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
     let(:redirect_uri) { response_json_body['redirect_uri'] }
 
     it 'renders 400 error' do
-      expect(response.status).to eq 401
+      expect(response.status).to eq 400
     end
 
     it 'includes correct redirect URI' do
@@ -408,7 +408,7 @@ describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
       expect(redirect_uri.match(/token_type=(\w+)&?/)[1]).to eq "Bearer"
       expect(redirect_uri.match(/expires_in=(\d+)&?/)[1].to_i).to eq 1234
       expect(
-        redirect_uri.match(/access_token=([a-f0-9]+)&?/)[1]
+        redirect_uri.match(/access_token=([a-zA-Z0-9\-_]+)&?/)[1]
       ).to eq Doorkeeper::AccessToken.first.token
     end
 

data/spec/controllers/token_info_controller_spec.rb

@@ -40,7 +40,7 @@ describe Doorkeeper::TokenInfoController do
         get :show
 
         expect(response.body).to eq(
-          Doorkeeper::OAuth::ErrorResponse.new(name: :invalid_request, status: :unauthorized).body.to_json
+          Doorkeeper::OAuth::InvalidTokenResponse.new.body.to_json
         )
       end
     end

data/spec/controllers/tokens_controller_spec.rb

@@ -20,7 +20,7 @@ describe Doorkeeper::TokensController do
 
       post :create
 
-      expect(response.status).to eq 401
+      expect(response.status).to eq 400
       expect(response.headers['WWW-Authenticate']).to match(/Bearer/)
     end
   end
@@ -49,7 +49,7 @@ describe Doorkeeper::TokensController do
         "error"             => custom_message,
         "error_description" => "Authorization custom message"
       }
-      expect(response.status).to eq 401
+      expect(response.status).to eq 400
       expect(response.headers['WWW-Authenticate']).to match(/Bearer/)
       expect(JSON.parse(response.body)).to eq expected_response_body
     end
@@ -130,28 +130,26 @@ describe Doorkeeper::TokensController do
   end
 
   describe 'when requested token introspection' do
-    context 'authorized using Bearer token' do
-      let(:client) { FactoryBot.create(:application) }
-      let(:access_token) { FactoryBot.create(:access_token, application: client) }
+    let(:client) { FactoryBot.create(:application) }
+    let(:access_token) { FactoryBot.create(:access_token, application: client) }
+    let(:token_for_introspection) { FactoryBot.create(:access_token, application: client) }
 
+    context 'authorized using valid Bearer token' do
       it 'responds with full token introspection' do
         request.headers['Authorization'] = "Bearer #{access_token.token}"
 
-        post :introspect, params: { token: access_token.token }
+        post :introspect, params: { token: token_for_introspection.token }
 
         should_have_json 'active', true
         expect(json_response).to include('client_id', 'token_type', 'exp', 'iat')
       end
     end
 
-    context 'authorized using Client Authentication' do
-      let(:client) { FactoryBot.create(:application) }
-      let(:access_token) { FactoryBot.create(:access_token, application: client) }
-
+    context 'authorized using valid Client Authentication' do
       it 'responds with full token introspection' do
         request.headers['Authorization'] = basic_auth_header_for_client(client)
 
-        post :introspect, params: { token: access_token.token }
+        post :introspect, params: { token: token_for_introspection.token }
 
         should_have_json 'active', true
         expect(json_response).to include('client_id', 'token_type', 'exp', 'iat')
@@ -159,14 +157,37 @@ describe Doorkeeper::TokensController do
       end
     end
 
+    context 'using custom introspection response' do
+      before do
+        Doorkeeper.configure do
+          orm DOORKEEPER_ORM
+          custom_introspection_response do |_token, _context|
+            {
+              sub: 'Z5O3upPC88QrAjx00dis',
+              aud: 'https://protected.example.net/resource'
+            }
+          end
+        end
+      end
+
+      it 'responds with full token introspection' do
+        request.headers['Authorization'] = "Bearer #{access_token.token}"
+
+        post :introspect, params: { token: token_for_introspection.token }
+
+        expect(json_response).to include('client_id', 'token_type', 'exp', 'iat', 'sub', 'aud')
+        should_have_json 'sub', 'Z5O3upPC88QrAjx00dis'
+        should_have_json 'aud', 'https://protected.example.net/resource'
+      end
+    end
+
     context 'public access token' do
-      let(:client) { FactoryBot.create(:application) }
-      let(:access_token) { FactoryBot.create(:access_token, application: nil) }
+      let(:token_for_introspection) { FactoryBot.create(:access_token, application: nil) }
 
       it 'responds with full token introspection' do
         request.headers['Authorization'] = basic_auth_header_for_client(client)
 
-        post :introspect, params: { token: access_token.token }
+        post :introspect, params: { token: token_for_introspection.token }
 
         should_have_json 'active', true
         expect(json_response).to include('client_id', 'token_type', 'exp', 'iat')
@@ -175,14 +196,12 @@ describe Doorkeeper::TokensController do
     end
 
     context 'token was issued to a different client than is making this request' do
-      let(:client) { FactoryBot.create(:application) }
       let(:different_client) { FactoryBot.create(:application) }
-      let(:access_token) { FactoryBot.create(:access_token, application: client) }
 
       it 'responds with only active state' do
         request.headers['Authorization'] = basic_auth_header_for_client(different_client)
 
-        post :introspect, params: { token: access_token.token }
+        post :introspect, params: { token: token_for_introspection.token }
 
         expect(response).to be_successful
 
@@ -191,6 +210,36 @@ describe Doorkeeper::TokensController do
       end
     end
 
+    context 'authorized using invalid Bearer token' do
+      let(:token_for_introspection) do
+        FactoryBot.create(:access_token, application: client, revoked_at: 1.day.ago)
+      end
+
+      it 'responds with invalid token error' do
+        request.headers['Authorization'] = "Bearer #{token_for_introspection.token}"
+
+        post :introspect, params: { token: access_token.token }
+
+        response_status_should_be 401
+
+        should_not_have_json 'active'
+        should_have_json 'error', 'invalid_token'
+      end
+    end
+
+    context 'authorized using the Bearer token that need to be introspected' do
+      it 'responds with invalid token error' do
+        request.headers['Authorization'] = "Bearer #{access_token.token}"
+
+        post :introspect, params: { token: access_token.token }
+
+        response_status_should_be 401
+
+        should_not_have_json 'active'
+        should_have_json 'error', 'invalid_token'
+      end
+    end
+
     context 'using invalid credentials to authorize' do
       let(:client) { double(uid: '123123', secret: '666999') }
       let(:access_token) { FactoryBot.create(:access_token) }
@@ -209,9 +258,6 @@ describe Doorkeeper::TokensController do
     end
 
     context 'using wrong token value' do
-      let(:client) { FactoryBot.create(:application) }
-      let(:access_token) { FactoryBot.create(:access_token, application: client) }
-
       it 'responds with only active state' do
         request.headers['Authorization'] = basic_auth_header_for_client(client)
 
@@ -222,14 +268,15 @@ describe Doorkeeper::TokensController do
       end
     end
 
-    context 'when requested Access Token expired' do
-      let(:client) { FactoryBot.create(:application) }
-      let(:access_token) { FactoryBot.create(:access_token, application: client, created_at: 1.year.ago) }
+    context 'when requested access token expired' do
+      let(:token_for_introspection) do
+        FactoryBot.create(:access_token, application: client, created_at: 1.year.ago)
+      end
 
       it 'responds with only active state' do
         request.headers['Authorization'] = basic_auth_header_for_client(client)
 
-        post :introspect, params: { token: access_token.token }
+        post :introspect, params: { token: token_for_introspection.token }
 
         should_have_json 'active', false
         expect(json_response).not_to include('client_id', 'token_type', 'exp', 'iat')
@@ -237,13 +284,14 @@ describe Doorkeeper::TokensController do
     end
 
     context 'when requested Access Token revoked' do
-      let(:client) { FactoryBot.create(:application) }
-      let(:access_token) { FactoryBot.create(:access_token, application: client, revoked_at: 1.year.ago) }
+      let(:token_for_introspection) do
+        FactoryBot.create(:access_token, application: client, revoked_at: 1.year.ago)
+      end
 
       it 'responds with only active state' do
         request.headers['Authorization'] = basic_auth_header_for_client(client)
 
-        post :introspect, params: { token: access_token.token }
+        post :introspect, params: { token: token_for_introspection.token }
 
         should_have_json 'active', false
         expect(json_response).not_to include('client_id', 'token_type', 'exp', 'iat')
@@ -251,13 +299,13 @@ describe Doorkeeper::TokensController do
     end
 
     context 'unauthorized (no bearer token or client credentials)' do
-      let(:access_token) { FactoryBot.create(:access_token) }
+      let(:token_for_introspection) { FactoryBot.create(:access_token) }
 
       it 'responds with invalid_request error' do
-        post :introspect, params: { token: access_token.token }
+        post :introspect, params: { token: token_for_introspection.token }
 
         expect(response).not_to be_successful
-        response_status_should_be 401
+        response_status_should_be 400
 
         should_not_have_json 'active'
         should_have_json 'error', 'invalid_request'