doorkeeper 5.1.0.rc2 → 5.1.0

data/spec/models/doorkeeper/application_spec.rb

@@ -1,17 +1,19 @@
-require 'spec_helper'
-require 'bcrypt'
+# frozen_string_literal: true
+
+require "spec_helper"
+require "bcrypt"
 
 module Doorkeeper
   describe Application do
     let(:clazz) { Doorkeeper::Application }
-    let(:require_owner) { Doorkeeper.configuration.instance_variable_set('@confirm_application_owner', true) }
-    let(:unset_require_owner) { Doorkeeper.configuration.instance_variable_set('@confirm_application_owner', false) }
+    let(:require_owner) { Doorkeeper.configuration.instance_variable_set("@confirm_application_owner", true) }
+    let(:unset_require_owner) { Doorkeeper.configuration.instance_variable_set("@confirm_application_owner", false) }
     let(:new_application) { FactoryBot.build(:application) }
 
     let(:uid) { SecureRandom.hex(8) }
     let(:secret) { SecureRandom.hex(8) }
 
-    context 'application_owner is enabled' do
+    context "application_owner is enabled" do
       before do
         Doorkeeper.configure do
           orm DOORKEEPER_ORM
@@ -19,132 +21,171 @@ module Doorkeeper
         end
       end
 
-      context 'application owner is not required' do
+      context "application owner is not required" do
         before(:each) do
           unset_require_owner
         end
 
-        it 'is valid given valid attributes' do
+        it "is valid given valid attributes" do
           expect(new_application).to be_valid
         end
       end
 
-      context 'application owner is required' do
+      context "application owner is required" do
         before(:each) do
           require_owner
           @owner = FactoryBot.build_stubbed(:doorkeeper_testing_user)
         end
 
-        it 'is invalid without an owner' do
+        it "is invalid without an owner" do
           expect(new_application).not_to be_valid
         end
 
-        it 'is valid with an owner' do
+        it "is valid with an owner" do
           new_application.owner = @owner
           expect(new_application).to be_valid
         end
       end
     end
 
-    it 'is invalid without a name' do
+    it "is invalid without a name" do
       new_application.name = nil
       expect(new_application).not_to be_valid
     end
 
-    it 'is invalid without determining confidentiality' do
+    it "is invalid without determining confidentiality" do
       new_application.confidential = nil
       expect(new_application).not_to be_valid
     end
 
-    it 'generates uid on create' do
+    it "generates uid on create" do
       expect(new_application.uid).to be_nil
       new_application.save
       expect(new_application.uid).not_to be_nil
     end
 
-    it 'generates uid on create if an empty string' do
-      new_application.uid = ''
+    it "generates uid on create if an empty string" do
+      new_application.uid = ""
       new_application.save
       expect(new_application.uid).not_to be_blank
     end
 
-    it 'generates uid on create unless one is set' do
+    it "generates uid on create unless one is set" do
       new_application.uid = uid
       new_application.save
       expect(new_application.uid).to eq(uid)
     end
 
-    it 'is invalid without uid' do
+    it "is invalid without uid" do
       new_application.save
       new_application.uid = nil
       expect(new_application).not_to be_valid
     end
 
-    it 'is invalid without redirect_uri' do
-      new_application.save
-      new_application.redirect_uri = nil
-      expect(new_application).not_to be_valid
+    context "redirect URI" do
+      context "when grant flows allow blank redirect URI" do
+        before do
+          Doorkeeper.configure do
+            grant_flows %w[password client_credentials]
+          end
+        end
+
+        it "is valid without redirect_uri" do
+          new_application.save
+          new_application.redirect_uri = nil
+          expect(new_application).to be_valid
+        end
+      end
+
+      context "when grant flows require redirect URI" do
+        before do
+          Doorkeeper.configure do
+            grant_flows %w[password client_credentials authorization_code]
+          end
+        end
+
+        it "is invalid without redirect_uri" do
+          new_application.save
+          new_application.redirect_uri = nil
+          expect(new_application).not_to be_valid
+        end
+      end
+
+      context "when blank URI option disabled" do
+        before do
+          Doorkeeper.configure do
+            grant_flows %w[password client_credentials]
+            allow_blank_redirect_uri false
+          end
+        end
+
+        it "is invalid without redirect_uri" do
+          new_application.save
+          new_application.redirect_uri = nil
+          expect(new_application).not_to be_valid
+        end
+      end
     end
 
-    it 'checks uniqueness of uid' do
+    it "checks uniqueness of uid" do
       app1 = FactoryBot.create(:application)
       app2 = FactoryBot.create(:application)
       app2.uid = app1.uid
       expect(app2).not_to be_valid
     end
 
-    it 'expects database to throw an error when uids are the same' do
+    it "expects database to throw an error when uids are the same" do
       app1 = FactoryBot.create(:application)
       app2 = FactoryBot.create(:application)
       app2.uid = app1.uid
       expect { app2.save!(validate: false) }.to raise_error(uniqueness_error)
     end
 
-    it 'generate secret on create' do
+    it "generate secret on create" do
       expect(new_application.secret).to be_nil
       new_application.save
       expect(new_application.secret).not_to be_nil
     end
 
-    it 'generate secret on create if is blank string' do
-      new_application.secret = ''
+    it "generate secret on create if is blank string" do
+      new_application.secret = ""
       new_application.save
       expect(new_application.secret).not_to be_blank
     end
 
-    it 'generate secret on create unless one is set' do
+    it "generate secret on create unless one is set" do
       new_application.secret = secret
       new_application.save
       expect(new_application.secret).to eq(secret)
     end
 
-    it 'is invalid without secret' do
+    it "is invalid without secret" do
       new_application.save
       new_application.secret = nil
       expect(new_application).not_to be_valid
     end
 
-    context 'with hashing enabled' do
-      include_context 'with application hashing enabled'
+    context "with hashing enabled" do
+      include_context "with application hashing enabled"
       let(:app) { FactoryBot.create :application }
       let(:default_strategy) { Doorkeeper::SecretStoring::Sha256Hash }
 
-      it 'uses SHA256 to avoid additional dependencies' do
+      it "uses SHA256 to avoid additional dependencies" do
         # Ensure token was generated
         app.validate
         expect(app.secret).to eq(default_strategy.transform_secret(app.plaintext_secret))
       end
 
-      context 'when bcrypt strategy is configured' do
+      context "when bcrypt strategy is configured" do
         # In this text context, we have bcrypt loaded so `bcrypt_present?`
         # will always be true
         before do
           Doorkeeper.configure do
-            hash_application_secrets using: 'Doorkeeper::SecretStoring::BCrypt'
+            hash_application_secrets using: "Doorkeeper::SecretStoring::BCrypt"
           end
         end
 
-        it 'holds a volatile plaintext and BCrypt secret' do
+        it "holds a volatile plaintext and BCrypt secret" do
           expect(app.secret_strategy).to eq Doorkeeper::SecretStoring::BCrypt
           expect(app.plaintext_secret).to be_a(String)
           expect(app.secret).not_to eq(app.plaintext_secret)
@@ -152,7 +193,7 @@ module Doorkeeper
         end
       end
 
-      it 'does not fallback to plain lookup by default' do
+      it "does not fallback to plain lookup by default" do
         lookup = clazz.by_uid_and_secret(app.uid, app.secret)
         expect(lookup).to eq(nil)
 
@@ -160,10 +201,10 @@ module Doorkeeper
         expect(lookup).to eq(app)
       end
 
-      context 'with fallback enabled' do
-        include_context 'with token hashing and fallback lookup enabled'
+      context "with fallback enabled" do
+        include_context "with token hashing and fallback lookup enabled"
 
-        it 'provides plain and hashed lookup' do
+        it "provides plain and hashed lookup" do
           lookup = clazz.by_uid_and_secret(app.uid, app.secret)
           expect(lookup).to eq(app)
 
@@ -172,23 +213,23 @@ module Doorkeeper
         end
       end
 
-      it 'does not provide access to secret after loading' do
+      it "does not provide access to secret after loading" do
         lookup = clazz.by_uid_and_secret(app.uid, app.plaintext_secret)
         expect(lookup.plaintext_secret).to be_nil
       end
     end
 
-    describe 'destroy related models on cascade' do
+    describe "destroy related models on cascade" do
       before(:each) do
         new_application.save
       end
 
-      it 'should destroy its access grants' do
+      it "should destroy its access grants" do
         FactoryBot.create(:access_grant, application: new_application)
         expect { new_application.destroy }.to change { Doorkeeper::AccessGrant.count }.by(-1)
       end
 
-      it 'should destroy its access tokens' do
+      it "should destroy its access tokens" do
         FactoryBot.create(:access_token, application: new_application)
         FactoryBot.create(:access_token, application: new_application, revoked_at: Time.now.utc)
         expect do
@@ -200,15 +241,15 @@ module Doorkeeper
     describe :ordered_by do
       let(:applications) { FactoryBot.create_list(:application, 5) }
 
-      context 'when a direction is not specified' do
-        it 'calls order with a default order of asc' do
+      context "when a direction is not specified" do
+        it "calls order with a default order of asc" do
           names = applications.map(&:name).sort
           expect(Application.ordered_by(:name).map(&:name)).to eq(names)
         end
       end
 
-      context 'when a direction is specified' do
-        it 'calls order with specified direction' do
+      context "when a direction is specified" do
+        it "calls order with specified direction" do
           names = applications.map(&:name).sort.reverse
           expect(Application.ordered_by(:name, :desc).map(&:name)).to eq(names)
         end
@@ -218,7 +259,7 @@ module Doorkeeper
     describe "#redirect_uri=" do
       context "when array of valid redirect_uris" do
         it "should join by newline" do
-          new_application.redirect_uri = ['http://localhost/callback1', 'http://localhost/callback2']
+          new_application.redirect_uri = ["http://localhost/callback1", "http://localhost/callback2"]
           expect(new_application.redirect_uri).to eq("http://localhost/callback1\nhttp://localhost/callback2")
         end
       end
@@ -233,28 +274,28 @@ module Doorkeeper
     describe :authorized_for do
       let(:resource_owner) { double(:resource_owner, id: 10) }
 
-      it 'is empty if the application is not authorized for anyone' do
+      it "is empty if the application is not authorized for anyone" do
         expect(Application.authorized_for(resource_owner)).to be_empty
       end
 
-      it 'returns only application for a specific resource owner' do
+      it "returns only application for a specific resource owner" do
         FactoryBot.create(:access_token, resource_owner_id: resource_owner.id + 1)
         token = FactoryBot.create(:access_token, resource_owner_id: resource_owner.id)
         expect(Application.authorized_for(resource_owner)).to eq([token.application])
       end
 
-      it 'excludes revoked tokens' do
+      it "excludes revoked tokens" do
         FactoryBot.create(:access_token, resource_owner_id: resource_owner.id, revoked_at: 2.days.ago)
         expect(Application.authorized_for(resource_owner)).to be_empty
       end
 
-      it 'returns all applications that have been authorized' do
+      it "returns all applications that have been authorized" do
         token1 = FactoryBot.create(:access_token, resource_owner_id: resource_owner.id)
         token2 = FactoryBot.create(:access_token, resource_owner_id: resource_owner.id)
         expect(Application.authorized_for(resource_owner)).to eq([token1.application, token2.application])
       end
 
-      it 'returns only one application even if it has been authorized twice' do
+      it "returns only one application even if it has been authorized twice" do
         application = FactoryBot.create(:application)
         FactoryBot.create(:access_token, resource_owner_id: resource_owner.id, application: application)
         FactoryBot.create(:access_token, resource_owner_id: resource_owner.id, application: application)
@@ -263,7 +304,7 @@ module Doorkeeper
     end
 
     describe :revoke_tokens_and_grants_for do
-      it 'revokes all access tokens and access grants' do
+      it "revokes all access tokens and access grants" do
         application_id = 42
         resource_owner = double
         expect(Doorkeeper::AccessToken)
@@ -285,7 +326,7 @@ module Doorkeeper
         context "when secret is wrong" do
           it "should not find the application" do
             app = FactoryBot.create :application
-            authenticated = Application.by_uid_and_secret(app.uid, 'bad')
+            authenticated = Application.by_uid_and_secret(app.uid, "bad")
             expect(authenticated).to eq(nil)
           end
         end
@@ -302,7 +343,7 @@ module Doorkeeper
         context "when secret is wrong" do
           it "should not find the application" do
             app = FactoryBot.create :application, confidential: false
-            authenticated = Application.by_uid_and_secret(app.uid, 'bad')
+            authenticated = Application.by_uid_and_secret(app.uid, "bad")
             expect(authenticated).to eq(nil)
           end
         end
@@ -312,12 +353,12 @@ module Doorkeeper
     describe :confidential? do
       subject { FactoryBot.create(:application, confidential: confidential).confidential? }
 
-      context 'when application is private/confidential' do
+      context "when application is private/confidential" do
         let(:confidential) { true }
         it { expect(subject).to eq(true) }
       end
 
-      context 'when application is public/non-confidential' do
+      context "when application is public/non-confidential" do
         let(:confidential) { false }
         it { expect(subject).to eq(false) }
       end

data/spec/requests/applications/applications_request_spec.rb

@@ -1,25 +1,27 @@
-require 'spec_helper'
+# frozen_string_literal: true
 
-feature 'Adding applications' do
-  context 'in application form' do
+require "spec_helper"
+
+feature "Adding applications" do
+  context "in application form" do
     background do
       i_am_logged_in
-      visit '/oauth/applications/new'
+      visit "/oauth/applications/new"
     end
 
-    scenario 'adding a valid app' do
-      fill_in 'doorkeeper_application[name]', with: 'My Application'
-      fill_in 'doorkeeper_application[redirect_uri]',
-              with: 'https://example.com'
+    scenario "adding a valid app" do
+      fill_in "doorkeeper_application[name]", with: "My Application"
+      fill_in "doorkeeper_application[redirect_uri]",
+              with: "https://example.com"
 
-      click_button 'Submit'
-      i_should_see 'Application created'
-      i_should_see 'My Application'
+      click_button "Submit"
+      i_should_see "Application created"
+      i_should_see "My Application"
     end
 
-    scenario 'adding invalid app' do
-      click_button 'Submit'
-      i_should_see 'Whoops! Check your form for possible errors'
+    scenario "adding invalid app" do
+      click_button "Submit"
+      i_should_see "Whoops! Check your form for possible errors"
     end
 
     scenario "adding app ignoring bad scope" do
@@ -88,63 +90,93 @@ feature 'Adding applications' do
       click_button "Submit"
       i_should_see "Whoops! Check your form for possible errors"
       i_should_see Regexp.new(
-        I18n.t('activerecord.errors.models.doorkeeper/application.attributes.scopes.not_match_configured'),
+        I18n.t("activerecord.errors.models.doorkeeper/application.attributes.scopes.not_match_configured"),
         true
       )
     end
+
+    context "redirect URI" do
+      scenario "adding app with blank redirect URI when configured flows requires redirect uri" do
+        config_is_set("grant_flows", %w[authorization_code implicit client_credentials])
+
+        fill_in "doorkeeper_application[name]", with: "My Application"
+        fill_in "doorkeeper_application[redirect_uri]",
+                with: ""
+
+        click_button "Submit"
+        i_should_see "Whoops! Check your form for possible errors"
+      end
+
+      scenario "adding app with blank redirect URI when configured flows without redirect uri" do
+        config_is_set("grant_flows", %w[client_credentials password])
+
+        # Visit it once again to consider grant flows
+        visit "/oauth/applications/new"
+
+        i_should_see I18n.t("doorkeeper.applications.help.blank_redirect_uri")
+
+        fill_in "doorkeeper_application[name]", with: "My Application"
+        fill_in "doorkeeper_application[redirect_uri]",
+                with: ""
+
+        click_button "Submit"
+        i_should_see "Application created"
+        i_should_see "My Application"
+      end
+    end
   end
 end
 
-feature 'Listing applications' do
+feature "Listing applications" do
   background do
     i_am_logged_in
 
-    FactoryBot.create :application, name: 'Oauth Dude'
-    FactoryBot.create :application, name: 'Awesome App'
+    FactoryBot.create :application, name: "Oauth Dude"
+    FactoryBot.create :application, name: "Awesome App"
   end
 
-  scenario 'application list' do
-    visit '/oauth/applications'
+  scenario "application list" do
+    visit "/oauth/applications"
 
-    i_should_see 'Awesome App'
-    i_should_see 'Oauth Dude'
+    i_should_see "Awesome App"
+    i_should_see "Oauth Dude"
   end
 end
 
-feature 'Renders assets' do
-  scenario 'admin stylesheets' do
-    visit '/assets/doorkeeper/admin/application.css'
+feature "Renders assets" do
+  scenario "admin stylesheets" do
+    visit "/assets/doorkeeper/admin/application.css"
 
-    i_should_see 'Bootstrap'
-    i_should_see '.doorkeeper-admin'
+    i_should_see "Bootstrap"
+    i_should_see ".doorkeeper-admin"
   end
 
-  scenario 'application stylesheets' do
-    visit '/assets/doorkeeper/application.css'
+  scenario "application stylesheets" do
+    visit "/assets/doorkeeper/application.css"
 
-    i_should_see 'Bootstrap'
-    i_should_see '#oauth-permissions'
-    i_should_see '#container'
+    i_should_see "Bootstrap"
+    i_should_see "#oauth-permissions"
+    i_should_see "#container"
   end
 end
 
-feature 'Show application' do
+feature "Show application" do
   given :app do
     i_am_logged_in
 
-    FactoryBot.create :application, name: 'Just another oauth app'
+    FactoryBot.create :application, name: "Just another oauth app"
   end
 
-  scenario 'visiting application page' do
+  scenario "visiting application page" do
     visit "/oauth/applications/#{app.id}"
 
-    i_should_see 'Just another oauth app'
+    i_should_see "Just another oauth app"
   end
 end
 
-feature 'Edit application' do
+feature "Edit application" do
   let :app do
-    FactoryBot.create :application, name: 'OMG my app'
+    FactoryBot.create :application, name: "OMG my app"
   end
 
   background do
@@ -153,72 +185,72 @@ feature 'Edit application' do
     visit "/oauth/applications/#{app.id}/edit"
   end
 
-  scenario 'updating a valid app' do
-    fill_in 'doorkeeper_application[name]', with: 'Serious app'
-    click_button 'Submit'
+  scenario "updating a valid app" do
+    fill_in "doorkeeper_application[name]", with: "Serious app"
+    click_button "Submit"
 
-    i_should_see 'Application updated'
-    i_should_see 'Serious app'
-    i_should_not_see 'OMG my app'
+    i_should_see "Application updated"
+    i_should_see "Serious app"
+    i_should_not_see "OMG my app"
   end
 
-  scenario 'updating an invalid app' do
-    fill_in 'doorkeeper_application[name]', with: ''
-    click_button 'Submit'
+  scenario "updating an invalid app" do
+    fill_in "doorkeeper_application[name]", with: ""
+    click_button "Submit"
 
-    i_should_see 'Whoops! Check your form for possible errors'
+    i_should_see "Whoops! Check your form for possible errors"
   end
 end
 
-feature 'Remove application' do
+feature "Remove application" do
   background do
     i_am_logged_in
 
     @app = FactoryBot.create :application
   end
 
-  scenario 'deleting an application from list' do
-    visit '/oauth/applications'
+  scenario "deleting an application from list" do
+    visit "/oauth/applications"
 
     i_should_see @app.name
 
     within(:css, "tr#application_#{@app.id}") do
-      click_button 'Destroy'
+      click_button "Destroy"
     end
 
-    i_should_see 'Application deleted'
+    i_should_see "Application deleted"
     i_should_not_see @app.name
   end
 
-  scenario 'deleting an application from show' do
+  scenario "deleting an application from show" do
     visit "/oauth/applications/#{@app.id}"
-    click_button 'Destroy'
+    click_button "Destroy"
 
-    i_should_see 'Application deleted'
+    i_should_see "Application deleted"
   end
 end
 
-context 'when admin authenticator block is default' do
-  let(:app) { FactoryBot.create :application, name: 'app' }
+context "when admin authenticator block is default" do
+  let(:app) { FactoryBot.create :application, name: "app" }
 
-  feature 'application list' do
-    scenario 'fails with forbidden' do
-      visit '/oauth/applications'
+  feature "application list" do
+    scenario "fails with forbidden" do
+      visit "/oauth/applications"
 
       should_have_status 403
     end
   end
 
-  feature 'adding an app' do
-    scenario 'fails with forbidden' do
-      visit '/oauth/applications/new'
+  feature "adding an app" do
+    scenario "fails with forbidden" do
+      visit "/oauth/applications/new"
 
       should_have_status 403
     end
   end
 
-  feature 'editing an app' do
-    scenario 'fails with forbidden' do
+  feature "editing an app" do
+    scenario "fails with forbidden" do
       visit "/oauth/applications/#{app.id}/edit"
 
       should_have_status 403