doorkeeper 5.1.0.rc1 → 5.1.0.rc2

data/spec/lib/oauth/client_credentials/creator_spec.rb

@@ -15,15 +15,59 @@ class Doorkeeper::OAuth::ClientCredentialsRequest
       end.to change { Doorkeeper::AccessToken.count }.by(1)
     end
 
-    context "when reuse_access_token is true" do
-      it "returns the existing valid token" do
-        allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
-        existing_token = subject.call(client, scopes)
+    context 'when reuse_access_token is true' do
+      context 'when expiration is disabled' do
+        it 'returns the existing valid token' do
+          allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
+          existing_token = subject.call(client, scopes)
 
-        result = subject.call(client, scopes)
+          result = subject.call(client, scopes)
+
+          expect(Doorkeeper::AccessToken.count).to eq(1)
+          expect(result).to eq(existing_token)
+        end
+      end
+
+      context 'when existing token has not crossed token_reuse_limit' do
+        it 'returns the existing valid token' do
+          allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
+          allow(Doorkeeper.configuration).to receive(:token_reuse_limit).and_return(50)
+          existing_token = subject.call(client, scopes, expires_in: 1000)
+
+          allow_any_instance_of(Doorkeeper::AccessToken).to receive(:expires_in_seconds).and_return(600)
+          result = subject.call(client, scopes, expires_in: 1000)
+
+          expect(Doorkeeper::AccessToken.count).to eq(1)
+          expect(result).to eq(existing_token)
+        end
+      end
+
+      context 'when existing token has crossed token_reuse_limit' do
+        it "returns a new token" do
+          allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
+          allow(Doorkeeper.configuration).to receive(:token_reuse_limit).and_return(50)
+          existing_token = subject.call(client, scopes, expires_in: 1000)
+
+          allow_any_instance_of(Doorkeeper::AccessToken).to receive(:expires_in_seconds).and_return(400)
+          result = subject.call(client, scopes, expires_in: 1000)
+
+          expect(Doorkeeper::AccessToken.count).to eq(2)
+          expect(result).not_to eq(existing_token)
+        end
+      end
+
+      context 'when existing token has been expired' do
+        it "returns a new token" do
+          allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
+          allow(Doorkeeper.configuration).to receive(:token_reuse_limit).and_return(50)
+          existing_token = subject.call(client, scopes, expires_in: 1000)
+
+          allow_any_instance_of(Doorkeeper::AccessToken).to receive(:expired?).and_return(true)
+          result = subject.call(client, scopes, expires_in: 1000)
 
-        expect(Doorkeeper::AccessToken.count).to eq(1)
-        expect(result).to eq(existing_token)
+          expect(Doorkeeper::AccessToken.count).to eq(2)
+          expect(result).not_to eq(existing_token)
+        end
       end
     end
 

data/spec/lib/oauth/error_response_spec.rb

@@ -3,7 +3,13 @@ require 'spec_helper'
 module Doorkeeper::OAuth
   describe ErrorResponse do
     describe '#status' do
-      it 'should have a status of unauthorized' do
+      it 'should have a status of bad_request' do
+        expect(subject.status).to eq(:bad_request)
+      end
+
+      it 'should have a status of unauthorized for an invalid_client error' do
+        subject = described_class.new(name: :invalid_client)
+
         expect(subject.status).to eq(:unauthorized)
       end
     end

data/spec/lib/oauth/password_access_token_request_spec.rb

@@ -64,7 +64,7 @@ module Doorkeeper::OAuth
       end.to change { Doorkeeper::AccessToken.count }.by(1)
     end
 
-    it 'skips token creation if there is already one' do
+    it 'skips token creation if there is already one reusable' do
       allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
       FactoryBot.create(:access_token, application_id: client.id, resource_owner_id: owner.id)
 
@@ -73,6 +73,16 @@ module Doorkeeper::OAuth
       end.not_to(change { Doorkeeper::AccessToken.count })
     end
 
+    it 'creates token when there is already one but non reusable' do
+      allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
+      FactoryBot.create(:access_token, application_id: client.id, resource_owner_id: owner.id)
+      allow_any_instance_of(Doorkeeper::AccessToken).to receive(:reusable?).and_return(false)
+
+      expect do
+        subject.authorize
+      end.to change { Doorkeeper::AccessToken.count }.by(1)
+    end
+
     it "calls configured request callback methods" do
       expect(Doorkeeper.configuration.before_successful_strategy_response)
         .to receive(:call).with(subject).once

data/spec/lib/oauth/token_request_spec.rb

@@ -80,7 +80,7 @@ module Doorkeeper::OAuth
         end.to change { Doorkeeper::AccessToken.count }.by(1)
       end
 
-      it 'skips token creation if there is a matching one' do
+      it 'skips token creation if there is a matching one reusable' do
         allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
         allow(application.scopes).to receive(:has_scopes?).and_return(true)
         allow(application.scopes).to receive(:all?).and_return(true)
@@ -90,6 +90,21 @@ module Doorkeeper::OAuth
 
         expect { subject.authorize }.not_to(change { Doorkeeper::AccessToken.count })
       end
+
+      it 'creates new token if there is a matching one but non reusable' do
+        allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
+        allow(application.scopes).to receive(:has_scopes?).and_return(true)
+        allow(application.scopes).to receive(:all?).and_return(true)
+
+        FactoryBot.create(:access_token, application_id: pre_auth.client.id,
+                                         resource_owner_id: owner.id, scopes: 'public')
+
+        allow_any_instance_of(Doorkeeper::AccessToken).to receive(:reusable?).and_return(false)
+
+        expect do
+          subject.authorize
+        end.to change { Doorkeeper::AccessToken.count }.by(1)
+      end
     end
   end
 end

data/spec/lib/secret_storing/base_spec.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe ::Doorkeeper::SecretStoring::Base do
+  let(:instance) { double('instance', token: 'foo') }
+  subject { described_class }
+
+  describe '#transform_secret' do
+    it 'raises' do
+      expect { subject.transform_secret('foo') }.to raise_error(NotImplementedError)
+    end
+  end
+
+  describe '#store_secret' do
+    it 'sends to response of #transform_secret to the instance' do
+      expect(described_class)
+        .to receive(:transform_secret).with('bar')
+        .and_return 'bar+transform'
+
+      expect(instance).to receive(:token=).with 'bar+transform'
+      result = subject.store_secret instance, :token, 'bar'
+      expect(result).to eq 'bar+transform'
+    end
+  end
+
+  describe '#restore_secret' do
+    it 'raises' do
+      expect { subject.restore_secret(subject, :token) }.to raise_error(NotImplementedError)
+    end
+  end
+
+  describe '#allows_restoring_secrets?' do
+    it 'does not allow it' do
+      expect(subject.allows_restoring_secrets?).to eq false
+    end
+  end
+
+  describe 'validate_for' do
+    it 'allows for valid model' do
+      expect(subject.validate_for(:application)).to eq true
+      expect(subject.validate_for(:token)).to eq true
+    end
+
+    it 'raises for invalid model' do
+      expect { subject.validate_for(:wat) }.to raise_error(ArgumentError, /can not be used for wat/)
+    end
+  end
+
+  describe 'secret_matches?' do
+    before do
+      allow(subject).to receive(:transform_secret) { |input| "transformed: #{input}" }
+    end
+
+    it 'compares input with #transform_secret' do
+      expect(subject.secret_matches?('input', 'input')).to eq false
+      expect(subject.secret_matches?('a', 'transformed: a')).to eq true
+    end
+  end
+end

data/spec/lib/secret_storing/bcrypt_spec.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'bcrypt'
+
+describe ::Doorkeeper::SecretStoring::BCrypt do
+  subject { described_class }
+  let(:instance) { double('instance', token: 'foo') }
+
+  describe '#transform_secret' do
+    it 'creates a bcrypt password' do
+      expect(subject.transform_secret('foo')).to be_a BCrypt::Password
+    end
+  end
+
+  describe '#restore_secret' do
+    it 'raises' do
+      expect { subject.restore_secret(instance, :token) }.to raise_error(NotImplementedError)
+    end
+  end
+
+  describe '#allows_restoring_secrets?' do
+    it 'does not allow it' do
+      expect(subject.allows_restoring_secrets?).to eq false
+    end
+  end
+
+  describe 'validate_for' do
+    it 'allows for valid model' do
+      expect(subject.validate_for(:application)).to eq true
+    end
+
+    it 'raises for invalid model' do
+      expect { subject.validate_for(:wat) }
+        .to raise_error(ArgumentError, /can only be used for storing application secrets/)
+      expect { subject.validate_for(:token) }
+        .to raise_error(ArgumentError, /can only be used for storing application secrets/)
+    end
+  end
+
+  describe 'secret_matches?' do
+    it 'compares input with #transform_secret' do
+      expect(subject.secret_matches?('input', 'input')).to eq false
+
+      password = BCrypt::Password.create 'foobar'
+      expect(subject.secret_matches?('foobar', password.to_s)).to eq true
+    end
+  end
+end

data/spec/lib/secret_storing/plain_spec.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe ::Doorkeeper::SecretStoring::Plain do
+  subject { described_class }
+  let(:instance) { double('instance', token: 'foo') }
+
+  describe '#transform_secret' do
+    it 'raises' do
+      expect(subject.transform_secret('foo')).to eq 'foo'
+    end
+  end
+
+  describe '#restore_secret' do
+    it 'raises' do
+      expect(subject.restore_secret(instance, :token)).to eq 'foo'
+    end
+  end
+
+  describe '#allows_restoring_secrets?' do
+    it 'does allow it' do
+      expect(subject.allows_restoring_secrets?).to eq true
+    end
+  end
+
+  describe 'validate_for' do
+    it 'allows for valid model' do
+      expect(subject.validate_for(:application)).to eq true
+      expect(subject.validate_for(:token)).to eq true
+    end
+
+    it 'raises for invalid model' do
+      expect { subject.validate_for(:wat) }.to raise_error(ArgumentError, /can not be used for wat/)
+    end
+  end
+
+  describe 'secret_matches?' do
+    it 'compares input with #transform_secret' do
+      expect(subject.secret_matches?('input', 'input')).to eq true
+      expect(subject.secret_matches?('a', 'b')).to eq false
+    end
+  end
+end

data/spec/lib/secret_storing/sha256_hash_spec.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe ::Doorkeeper::SecretStoring::Sha256Hash do
+  subject { described_class }
+  let(:instance) { double('instance') }
+
+  let(:hash_function) do
+    ->(input) { ::Digest::SHA256.hexdigest(input) }
+  end
+
+  describe '#transform_secret' do
+    it 'raises' do
+      expect(subject.transform_secret('foo')).to eq hash_function.call('foo')
+    end
+  end
+
+  describe '#restore_secret' do
+    it 'raises' do
+      expect { subject.restore_secret(instance, :token) }.to raise_error(NotImplementedError)
+    end
+  end
+
+  describe '#allows_restoring_secrets?' do
+    it 'does not allow it' do
+      expect(subject.allows_restoring_secrets?).to eq false
+    end
+  end
+
+  describe 'validate_for' do
+    it 'allows for valid model' do
+      expect(subject.validate_for(:application)).to eq true
+      expect(subject.validate_for(:token)).to eq true
+    end
+
+    it 'raises for invalid model' do
+      expect { subject.validate_for(:wat) }.to raise_error(ArgumentError, /can not be used for wat/)
+    end
+  end
+
+  describe 'secret_matches?' do
+    it 'compares input with #transform_secret' do
+      expect(subject.secret_matches?('input', 'input')).to eq false
+      expect(subject.secret_matches?('a', hash_function.call('a'))).to eq true
+    end
+  end
+end

data/spec/models/doorkeeper/application_spec.rb

@@ -1,4 +1,5 @@
 require 'spec_helper'
+require 'bcrypt'
 
 module Doorkeeper
   describe Application do
@@ -126,11 +127,29 @@ module Doorkeeper
     context 'with hashing enabled' do
       include_context 'with application hashing enabled'
       let(:app) { FactoryBot.create :application }
+      let(:default_strategy) { Doorkeeper::SecretStoring::Sha256Hash }
 
-      it 'holds a volatile plaintext and BCrypt secret' do
-        expect(app.plaintext_secret).to be_a(String)
-        expect(app.secret).not_to eq(app.plaintext_secret)
-        expect { BCrypt::Password.create(app.secret) }.not_to raise_error
+      it 'uses SHA256 to avoid additional dependencies' do
+        # Ensure token was generated
+        app.validate
+        expect(app.secret).to eq(default_strategy.transform_secret(app.plaintext_secret))
+      end
+
+      context 'when bcrypt strategy is configured' do
+        # In this text context, we have bcrypt loaded so `bcrypt_present?`
+        # will always be true
+        before do
+          Doorkeeper.configure do
+            hash_application_secrets using: 'Doorkeeper::SecretStoring::BCrypt'
+          end
+        end
+
+        it 'holds a volatile plaintext and BCrypt secret' do
+          expect(app.secret_strategy).to eq Doorkeeper::SecretStoring::BCrypt
+          expect(app.plaintext_secret).to be_a(String)
+          expect(app.secret).not_to eq(app.plaintext_secret)
+          expect { ::BCrypt::Password.create(app.secret) }.not_to raise_error
+        end
       end
 
       it 'does not fallback to plain lookup by default' do

data/spec/requests/flows/authorization_code_spec.rb

@@ -23,7 +23,7 @@ feature 'Authorization Code Flow' do
 
   context 'with grant hashing enabled' do
     background do
-      config_is_set(:hash_token_secrets) { true }
+      config_is_set(:token_secret_strategy, ::Doorkeeper::SecretStoring::Sha256Hash)
     end
 
     scenario 'Authorization Code Flow with hashing' do
@@ -37,7 +37,7 @@ feature 'Authorization Code Flow' do
       code = current_params['code']
       expect(code).not_to be_nil
 
-      hashed_code = Doorkeeper::AccessGrant.hashed_or_plain_token code
+      hashed_code = Doorkeeper::AccessGrant.secret_strategy.transform_secret code
       expect(hashed_code).to eq Doorkeeper::AccessGrant.first.token
 
       expect(code).not_to eq(hashed_code)
@@ -330,7 +330,7 @@ feature 'Authorization Code Flow' do
 
   context 'when application scopes are present and no scope is passed' do
     background do
-      @client.update_attributes(scopes: 'public write read')
+      @client.update(scopes: 'public write read')
     end
 
     scenario 'access grant has no scope' do

data/spec/requests/flows/client_credentials_spec.rb

@@ -58,7 +58,7 @@ describe 'Client Credentials Request' do
           should_have_json 'error_description', translated_error_message(:invalid_scope)
           should_not_have_json 'access_token'
 
-          expect(response.status).to eq(401)
+          expect(response.status).to eq(400)
         end
       end
     end
@@ -66,7 +66,7 @@ describe 'Client Credentials Request' do
 
   context 'when application scopes contain some of the default scopes and no scope is passed' do
     before do
-      client.update_attributes(scopes: 'read write public')
+      client.update(scopes: 'read write public')
     end
 
     it 'issues new token with one default scope that are present in application scopes' do

data/spec/requests/flows/implicit_grant_spec.rb

@@ -20,7 +20,7 @@ feature 'Implicit Grant Flow (feature spec)' do
 
   context 'when application scopes are present and no scope is passed' do
     background do
-      @client.update_attributes(scopes: 'public write read')
+      @client.update(scopes: 'public write read')
     end
 
     scenario 'access token has no scopes' do

data/spec/requests/flows/password_spec.rb

@@ -149,7 +149,7 @@ describe 'Resource Owner Password Credentials Flow' do
   context 'when application scopes are present and differs from configured default scopes and no scope is passed' do
     before do
       default_scopes_exist :public
-      @client.update_attributes(scopes: 'abc')
+      @client.update(scopes: 'abc')
     end
 
     it 'issues new token without any scope' do
@@ -168,7 +168,7 @@ describe 'Resource Owner Password Credentials Flow' do
 
   context 'when application scopes contain some of the default scopes and no scope is passed' do
     before do
-      @client.update_attributes(scopes: 'read write public')
+      @client.update(scopes: 'read write public')
     end
 
     it 'issues new token with one default scope that are present in application scopes' do
@@ -217,7 +217,7 @@ describe 'Resource Owner Password Credentials Flow' do
       should_have_json 'error_description', translated_error_message(:invalid_scope)
       should_not_have_json 'access_token'
 
-      expect(response.status).to eq(401)
+      expect(response.status).to eq(400)
     end
   end