doorkeeper 5.1.0.rc1 → 5.1.0.rc2

data/spec/dummy/config/application.rb

@@ -1,6 +1,17 @@
 require File.expand_path('boot', __dir__)
 
-require 'rails/all'
+require "rails"
+
+%w[
+  action_controller/railtie
+  action_view/railtie
+  sprockets/railtie
+].each do |railtie|
+  begin
+    require railtie
+  rescue LoadError
+  end
+end
 
 Bundler.require(*Rails.groups)
 

data/spec/lib/config_spec.rb

@@ -207,6 +207,31 @@ describe Doorkeeper, 'configuration' do
     end
   end
 
+  describe 'token_reuse_limit' do
+    it 'is 100 by default' do
+      expect(subject.token_reuse_limit).to eq(100)
+    end
+
+    it 'can change the value' do
+      Doorkeeper.configure do
+        token_reuse_limit 90
+      end
+
+      expect(subject.token_reuse_limit).to eq(90)
+    end
+
+    it 'sets the value to 100 if invalid value is being set' do
+      expect(Rails.logger).to receive(:warn).with(/will be set to default 100/)
+
+      Doorkeeper.configure do
+        reuse_access_token
+        token_reuse_limit 110
+      end
+
+      expect(subject.token_reuse_limit).to eq(100)
+    end
+  end
+
   describe 'enforce_configured_scopes' do
     it 'is false by default' do
       expect(subject.enforce_configured_scopes?).to eq(false)
@@ -457,6 +482,22 @@ describe Doorkeeper, 'configuration' do
     end
   end
 
+  describe 'default_generator_method' do
+    it "is :urlsafe_base64 by default" do
+      expect(Doorkeeper.configuration.default_generator_method)
+        .to eq(:urlsafe_base64)
+    end
+
+    it 'can change the value' do
+      Doorkeeper.configure do
+        orm DOORKEEPER_ORM
+        default_generator_method :hex
+      end
+
+      expect(subject.default_generator_method).to eq(:hex)
+    end
+  end
+
   describe 'base_controller' do
     context 'default' do
       it { expect(Doorkeeper.configuration.base_controller).to eq('ActionController::Base') }
@@ -542,71 +583,114 @@ describe Doorkeeper, 'configuration' do
     end
   end
 
-  describe 'hash_application_secrets' do
-    it 'is disabled by default' do
-      expect(subject.hash_application_secrets?).to eq(false)
-      expect(::Doorkeeper::Application.perform_secret_hashing?).to eq(false)
+  describe 'token_secret_strategy' do
+    it 'is plain by default' do
+      expect(subject.token_secret_strategy).to eq(Doorkeeper::SecretStoring::Plain)
+      expect(subject.token_secret_fallback_strategy).to eq(nil)
     end
 
     context 'when provided' do
       before do
         Doorkeeper.configure do
-          reuse_access_token
-          hash_application_secrets
+          hash_token_secrets
         end
       end
 
       it 'will enable hashing for applications' do
-        expect(subject.reuse_access_token).to eq(true)
-        expect(subject.hash_application_secrets?).to eq(true)
+        expect(subject.token_secret_strategy).to eq(Doorkeeper::SecretStoring::Sha256Hash)
+        expect(subject.token_secret_fallback_strategy).to eq(nil)
+      end
+    end
 
-        expect(::Doorkeeper::Application.perform_secret_hashing?).to eq(true)
+    context 'when manually provided with invalid constant' do
+      it 'raises an exception' do
+        expect {
+          Doorkeeper.configure do
+            hash_token_secrets using: 'does not exist'
+          end
+        }.to raise_error(NameError)
       end
     end
-  end
 
-  describe 'hash_token_secrets' do
-    it 'is disabled by default' do
-      expect(subject.hash_token_secrets?).to eq(false)
-      expect(::Doorkeeper::AccessToken.perform_secret_hashing?).to eq(false)
-      expect(::Doorkeeper::AccessGrant.perform_secret_hashing?).to eq(false)
+    context 'when manually provided with invalid option' do
+      it 'raises an exception' do
+        expect do
+          Doorkeeper.configure do
+            hash_token_secrets using: 'Doorkeeper::SecretStoring::BCrypt'
+          end
+        end.to raise_error(ArgumentError,
+                           /can only be used for storing application secrets/)
+      end
     end
 
-    context 'when provided' do
-      include_context 'with token hashing enabled'
+    context 'when provided with fallback' do
+      before do
+        Doorkeeper.configure do
+          hash_token_secrets fallback: :plain
+        end
+      end
 
-      it 'will enable hashing for AccessToken and AccessGrant' do
-        expect(subject.hash_token_secrets?).to eq(true)
-        expect(::Doorkeeper::AccessToken.perform_secret_hashing?).to eq(true)
-        expect(::Doorkeeper::AccessGrant.perform_secret_hashing?).to eq(true)
+      it 'will enable hashing for applications' do
+        expect(subject.token_secret_strategy).to eq(Doorkeeper::SecretStoring::Sha256Hash)
+        expect(subject.token_secret_fallback_strategy).to eq(Doorkeeper::SecretStoring::Plain)
+      end
+    end
+
+
+    describe 'hash_token_secrets together with reuse_access_token' do
+      it 'will disable reuse_access_token' do
+        expect(Rails.logger).to receive(:warn).with(/reuse_access_token will be disabled/)
+
+        Doorkeeper.configure do
+          reuse_access_token
+          hash_token_secrets
+        end
+
+        expect(subject.reuse_access_token).to eq(false)
       end
     end
   end
 
-  describe 'fallback_to_plain_secrets' do
-    it 'is disabled by default' do
-      expect(subject.fallback_to_plain_secrets?).to eq(false)
+  describe 'application_secret_strategy' do
+    it 'is plain by default' do
+      expect(subject.application_secret_strategy).to eq(Doorkeeper::SecretStoring::Plain)
+      expect(subject.application_secret_fallback_strategy).to eq(nil)
     end
 
     context 'when provided' do
-      include_context 'with token hashing and fallback lookup enabled'
+      before do
+        Doorkeeper.configure do
+          hash_application_secrets
+        end
+      end
 
-      it 'will enable fallbacks' do
-        expect(subject.fallback_to_plain_secrets?).to eq(true)
+      it 'will enable hashing for applications' do
+        expect(subject.application_secret_strategy).to eq(Doorkeeper::SecretStoring::Sha256Hash)
+        expect(subject.application_secret_fallback_strategy).to eq(nil)
       end
     end
-  end
 
-  describe 'hash_token_secrets together with reuse_access_token' do
-    it 'will disable reuse_access_token' do
-      expect(Rails.logger).to receive(:warn).with(/reuse_access_token will be disabled/)
+    context 'when manually provided with invalid constant' do
+      it 'raises an exception' do
+        expect {
+          Doorkeeper.configure do
+            hash_application_secrets using: 'does not exist'
+          end
+        }.to raise_error(NameError)
+      end
+    end
 
-      Doorkeeper.configure do
-        reuse_access_token
-        hash_token_secrets
+    context 'when provided with fallback' do
+      before do
+        Doorkeeper.configure do
+          hash_application_secrets fallback: :plain
+        end
       end
 
-      expect(subject.reuse_access_token).to eq(false)
+      it 'will enable hashing for applications' do
+        expect(subject.application_secret_strategy).to eq(Doorkeeper::SecretStoring::Sha256Hash)
+        expect(subject.application_secret_fallback_strategy).to eq(Doorkeeper::SecretStoring::Plain)
+      end
     end
   end
 end

data/spec/lib/models/expirable_spec.rb

@@ -44,4 +44,16 @@ describe 'Expirable' do
       expect(subject.expires_in_seconds).to be_nil
     end
   end
+
+  describe :expires_at do
+    it 'should return the expiration time of the token' do
+      allow(subject).to receive(:expires_in).and_return(2.minutes)
+      expect(subject.expires_at).to be_a(Time)
+    end
+
+    it 'should return nil when expires_in is nil' do
+      allow(subject).to receive(:expires_in).and_return(nil)
+      expect(subject.expires_at).to be_nil
+    end
+  end
 end

data/spec/lib/models/reusable_spec.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'Reusable' do
+  subject do
+    Class.new do
+      include Doorkeeper::Models::Reusable
+    end.new
+  end
+
+  describe :reusable? do
+    it 'is reusable if its expires_in is nil' do
+      allow(subject).to receive(:expired?).and_return(false)
+      allow(subject).to receive(:expires_in).and_return(nil)
+      expect(subject).to be_reusable
+    end
+
+    it 'is reusable if its expiry has crossed reusable limit' do
+      allow(subject).to receive(:expired?).and_return(false)
+      allow(Doorkeeper.configuration).to receive(:token_reuse_limit).and_return(90)
+      allow(subject).to receive(:expires_in).and_return(100.seconds)
+      allow(subject).to receive(:expires_in_seconds).and_return(20.seconds)
+      expect(subject).to be_reusable
+    end
+
+    it 'is not reusable if its expiry has crossed reusable limit' do
+      allow(subject).to receive(:expired?).and_return(false)
+      allow(Doorkeeper.configuration).to receive(:token_reuse_limit).and_return(90)
+      allow(subject).to receive(:expires_in).and_return(100.seconds)
+      allow(subject).to receive(:expires_in_seconds).and_return(5.seconds)
+      expect(subject).not_to be_reusable
+    end
+
+    it 'is not reusable if it is already expired' do
+      allow(subject).to receive(:expired?).and_return(true)
+      expect(subject).not_to be_reusable
+    end
+  end
+end

data/spec/lib/models/scopes_spec.rb

@@ -2,7 +2,7 @@ require 'spec_helper'
 
 describe 'Doorkeeper::Models::Scopes' do
   subject do
-    Class.new(Hash) do
+    Class.new(Struct.new(:scopes)) do
       include Doorkeeper::Models::Scopes
     end.new
   end
@@ -21,6 +21,18 @@ describe 'Doorkeeper::Models::Scopes' do
     end
   end
 
+  describe :scopes= do
+    it 'accepts String' do
+      subject.scopes = 'private admin'
+      expect(subject.scopes_string).to eq('private admin')
+    end
+
+    it 'accepts Array' do
+      subject.scopes = %w[private admin]
+      expect(subject.scopes_string).to eq('private admin')
+    end
+  end
+
   describe :scopes_string do
     it 'is a `Scopes` class' do
       expect(subject.scopes_string).to eq('public admin')

data/spec/lib/models/secret_storable_spec.rb

@@ -0,0 +1,113 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'SecretStorable' do
+  let(:clazz) do
+    Class.new do
+      include Doorkeeper::Models::SecretStorable
+
+      def self.find_by(*)
+        raise 'stub this'
+      end
+
+      def update_column(*)
+        raise 'stub this'
+      end
+
+      def token
+        raise 'stub this'
+      end
+    end
+  end
+  let(:strategy) { clazz.secret_strategy }
+
+  describe :find_by_plaintext_token do
+    subject { clazz.send(:find_by_plaintext_token, 'attr', 'input') }
+
+    it 'forwards to the secret_strategy' do
+      expect(strategy)
+        .to receive(:transform_secret)
+        .with('input')
+        .and_return 'found'
+
+      expect(clazz)
+        .to receive(:find_by)
+        .with('attr' => 'found')
+        .and_return 'result'
+
+
+      expect(subject).to eq 'result'
+    end
+
+    it 'calls find_by_fallback_token if not found' do
+      expect(clazz)
+        .to receive(:find_by)
+        .with('attr' => 'input')
+        .and_return nil
+
+      expect(clazz)
+        .to receive(:find_by_fallback_token)
+        .with('attr', 'input')
+        .and_return 'fallback'
+
+      expect(subject).to eq 'fallback'
+    end
+  end
+
+  describe :find_by_fallback_token do
+    subject { clazz.send(:find_by_fallback_token, 'attr', 'input') }
+    let(:fallback) { double(::Doorkeeper::SecretStoring::Plain) }
+
+    it 'returns nil if none defined' do
+      expect(clazz.fallback_secret_strategy).to eq nil
+      expect(subject).to eq nil
+    end
+
+    context 'if a fallback strategy is defined' do
+      let(:resource) { double('Token model') }
+      before do
+        allow(clazz).to receive(:fallback_secret_strategy).and_return(fallback)
+      end
+
+      it 'calls the strategy for lookup' do
+        expect(clazz)
+          .to receive(:find_by)
+          .with('attr' => 'fallback')
+          .and_return(resource)
+
+        expect(fallback)
+          .to receive(:transform_secret)
+          .with('input')
+          .and_return('fallback')
+
+        # store_secret will call the resource
+        expect(resource)
+          .to receive(:attr=)
+          .with('new value')
+
+        # It will upgrade the secret automtically using the current strategy
+        expect(strategy)
+          .to receive(:transform_secret)
+          .with('input')
+          .and_return('new value')
+
+        expect(resource).to receive(:update).with('attr' => 'new value')
+        expect(subject).to eq resource
+      end
+    end
+  end
+
+
+  describe :secret_strategy do
+    it 'defaults to plain strategy' do
+      expect(strategy).to eq Doorkeeper::SecretStoring::Plain
+    end
+  end
+
+  describe :fallback_secret_strategy do
+    it 'defaults to nil' do
+      expect(clazz.fallback_secret_strategy).to eq nil
+    end
+  end
+end

data/spec/lib/oauth/authorization_code_request_spec.rb

@@ -73,7 +73,7 @@ module Doorkeeper::OAuth
       expect(subject.error).to eq(:invalid_grant)
     end
 
-    it 'skips token creation if there is a matching one' do
+    it 'skips token creation if there is a matching one reusable' do
       scopes = grant.scopes
 
       Doorkeeper.configure do
@@ -88,6 +88,23 @@ module Doorkeeper::OAuth
       expect { subject.authorize }.to_not(change { Doorkeeper::AccessToken.count })
     end
 
+    it 'creates token if there is a matching one but non reusable' do
+      scopes = grant.scopes
+
+      Doorkeeper.configure do
+        orm DOORKEEPER_ORM
+        reuse_access_token
+        default_scopes(*scopes)
+      end
+
+      FactoryBot.create(:access_token, application_id: client.id,
+                                       resource_owner_id: grant.resource_owner_id, scopes: grant.scopes.to_s)
+
+      allow_any_instance_of(Doorkeeper::AccessToken).to receive(:reusable?).and_return(false)
+
+      expect { subject.authorize }.to change { Doorkeeper::AccessToken.count }.by(1)
+    end
+
     it "calls configured request callback methods" do
       expect(Doorkeeper.configuration.before_successful_strategy_response)
         .to receive(:call).with(subject).once