doorkeeper 5.1.0.rc2 → 5.1.0

data/spec/requests/flows/refresh_token_spec.rb

@@ -1,6 +1,8 @@
-require 'spec_helper'
+# frozen_string_literal: true
 
-describe 'Refresh Token Flow' do
+require "spec_helper"
+
+describe "Refresh Token Flow" do
   before do
     Doorkeeper.configure do
       orm DOORKEEPER_ORM
@@ -10,33 +12,33 @@ describe 'Refresh Token Flow' do
     client_exists
   end
 
-  context 'issuing a refresh token' do
+  context "issuing a refresh token" do
     before do
       authorization_code_exists application: @client
     end
 
-    it 'client gets the refresh token and refreshes it' do
+    it "client gets the refresh token and refreshes it" do
       post token_endpoint_url(code: @authorization.token, client: @client)
 
       token = Doorkeeper::AccessToken.first
 
-      should_have_json 'access_token',  token.token
-      should_have_json 'refresh_token', token.refresh_token
+      should_have_json "access_token",  token.token
+      should_have_json "refresh_token", token.refresh_token
 
       expect(@authorization.reload).to be_revoked
 
       post refresh_token_endpoint_url(client: @client, refresh_token: token.refresh_token)
 
       new_token = Doorkeeper::AccessToken.last
-      should_have_json 'access_token',  new_token.token
-      should_have_json 'refresh_token', new_token.refresh_token
+      should_have_json "access_token",  new_token.token
+      should_have_json "refresh_token", new_token.refresh_token
 
       expect(token.token).not_to         eq(new_token.token)
       expect(token.refresh_token).not_to eq(new_token.refresh_token)
     end
   end
 
-  context 'refreshing the token' do
+  context "refreshing the token" do
     before do
       @token = FactoryBot.create(
         :access_token,
@@ -47,23 +49,23 @@ describe 'Refresh Token Flow' do
     end
 
     context "refresh_token revoked on use" do
-      it 'client request a token with refresh token' do
+      it "client request a token with refresh token" do
         post refresh_token_endpoint_url(
           client: @client, refresh_token: @token.refresh_token
         )
         should_have_json(
-          'refresh_token', Doorkeeper::AccessToken.last.refresh_token
+          "refresh_token", Doorkeeper::AccessToken.last.refresh_token
         )
         expect(@token.reload).not_to be_revoked
       end
 
-      it 'client request a token with expired access token' do
+      it "client request a token with expired access token" do
         @token.update_attribute :expires_in, -100
         post refresh_token_endpoint_url(
           client: @client, refresh_token: @token.refresh_token
         )
         should_have_json(
-          'refresh_token', Doorkeeper::AccessToken.last.refresh_token
+          "refresh_token", Doorkeeper::AccessToken.last.refresh_token
         )
         expect(@token.reload).not_to be_revoked
       end
@@ -74,23 +76,23 @@ describe 'Refresh Token Flow' do
         allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
       end
 
-      it 'client request a token with refresh token' do
+      it "client request a token with refresh token" do
         post refresh_token_endpoint_url(
           client: @client, refresh_token: @token.refresh_token
         )
         should_have_json(
-          'refresh_token', Doorkeeper::AccessToken.last.refresh_token
+          "refresh_token", Doorkeeper::AccessToken.last.refresh_token
         )
         expect(@token.reload).to be_revoked
       end
 
-      it 'client request a token with expired access token' do
+      it "client request a token with expired access token" do
         @token.update_attribute :expires_in, -100
         post refresh_token_endpoint_url(
           client: @client, refresh_token: @token.refresh_token
         )
         should_have_json(
-          'refresh_token', Doorkeeper::AccessToken.last.refresh_token
+          "refresh_token", Doorkeeper::AccessToken.last.refresh_token
         )
         expect(@token.reload).to be_revoked
       end
@@ -122,59 +124,59 @@ describe 'Refresh Token Flow' do
         )
       end
 
-      it 'issues a new token without client_secret when refresh token was issued to a public client' do
+      it "issues a new token without client_secret when refresh token was issued to a public client" do
         post refresh_token_endpoint_url(
           client_id: public_client.uid,
           refresh_token: token_for_public_client.refresh_token
         )
 
         new_token = Doorkeeper::AccessToken.last
-        should_have_json 'access_token',  new_token.token
-        should_have_json 'refresh_token', new_token.refresh_token
+        should_have_json "access_token",  new_token.token
+        should_have_json "refresh_token", new_token.refresh_token
       end
 
-      it 'returns an error without credentials' do
+      it "returns an error without credentials" do
         post refresh_token_endpoint_url(refresh_token: token_for_private_client.refresh_token)
 
-        should_not_have_json 'refresh_token'
-        should_have_json 'error', 'invalid_grant'
+        should_not_have_json "refresh_token"
+        should_have_json "error", "invalid_grant"
       end
 
-      it 'returns an error with wrong credentials' do
+      it "returns an error with wrong credentials" do
         post refresh_token_endpoint_url(
-          client_id: '1',
-          client_secret: '1',
+          client_id: "1",
+          client_secret: "1",
           refresh_token: token_for_private_client.refresh_token
         )
 
-        should_not_have_json 'refresh_token'
-        should_have_json 'error', 'invalid_client'
+        should_not_have_json "refresh_token"
+        should_have_json "error", "invalid_client"
       end
     end
 
-    it 'client gets an error for invalid refresh token' do
-      post refresh_token_endpoint_url(client: @client, refresh_token: 'invalid')
-      should_not_have_json 'refresh_token'
-      should_have_json 'error', 'invalid_grant'
+    it "client gets an error for invalid refresh token" do
+      post refresh_token_endpoint_url(client: @client, refresh_token: "invalid")
+      should_not_have_json "refresh_token"
+      should_have_json "error", "invalid_grant"
     end
 
-    it 'client gets an error for revoked access token' do
+    it "client gets an error for revoked access token" do
       @token.revoke
       post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
-      should_not_have_json 'refresh_token'
-      should_have_json 'error', 'invalid_grant'
+      should_not_have_json "refresh_token"
+      should_have_json "error", "invalid_grant"
     end
 
-    it 'second of simultaneous client requests get an error for revoked access token' do
+    it "second of simultaneous client requests get an error for revoked access token" do
       allow_any_instance_of(Doorkeeper::AccessToken).to receive(:revoked?).and_return(false, true)
       post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
 
-      should_not_have_json 'refresh_token'
-      should_have_json 'error', 'invalid_request'
+      should_not_have_json "refresh_token"
+      should_have_json "error", "invalid_request"
     end
   end
 
-  context 'refreshing the token with multiple sessions (devices)' do
+  context "refreshing the token with multiple sessions (devices)" do
     before do
       # enable password auth to simulate other devices
       config_is_set(:grant_flows, ["password"])
@@ -197,12 +199,12 @@ describe 'Refresh Token Flow' do
     end
 
     context "refresh_token revoked on use" do
-      it 'client request a token after creating another token with the same user' do
+      it "client request a token after creating another token with the same user" do
         post refresh_token_endpoint_url(
           client: @client, refresh_token: @token.refresh_token
         )
 
-        should_have_json 'refresh_token', last_token.refresh_token
+        should_have_json "refresh_token", last_token.refresh_token
         expect(@token.reload).not_to be_revoked
       end
     end
@@ -212,12 +214,12 @@ describe 'Refresh Token Flow' do
         allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
       end
 
-      it 'client request a token after creating another token with the same user' do
+      it "client request a token after creating another token with the same user" do
         post refresh_token_endpoint_url(
           client: @client, refresh_token: @token.refresh_token
         )
 
-        should_have_json 'refresh_token', last_token.refresh_token
+        should_have_json "refresh_token", last_token.refresh_token
         expect(@token.reload).to be_revoked
       end
     end

data/spec/requests/flows/revoke_token_spec.rb

@@ -1,13 +1,15 @@
-require 'spec_helper'
+# frozen_string_literal: true
 
-describe 'Revoke Token Flow' do
+require "spec_helper"
+
+describe "Revoke Token Flow" do
   before do
     Doorkeeper.configure { orm DOORKEEPER_ORM }
   end
 
-  context 'with default parameters' do
+  context "with default parameters" do
     let(:client_application) { FactoryBot.create :application }
-    let(:resource_owner) { User.create!(name: 'John', password: 'sekret') }
+    let(:resource_owner) { User.create!(name: "John", password: "sekret") }
     let(:access_token) do
       FactoryBot.create(:access_token,
                         application: client_application,
@@ -15,35 +17,35 @@ describe 'Revoke Token Flow' do
                         use_refresh_token: true)
     end
 
-    context 'with authenticated, confidential OAuth 2.0 client/application' do
+    context "with authenticated, confidential OAuth 2.0 client/application" do
       let(:headers) do
         client_id = client_application.uid
         client_secret = client_application.secret
         credentials = Base64.encode64("#{client_id}:#{client_secret}")
-        { 'HTTP_AUTHORIZATION' => "Basic #{credentials}" }
+        { "HTTP_AUTHORIZATION" => "Basic #{credentials}" }
       end
 
-      it 'should revoke the access token provided' do
+      it "should revoke the access token provided" do
         post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
 
         expect(response).to be_successful
         expect(access_token.reload.revoked?).to be_truthy
       end
 
-      it 'should revoke the refresh token provided' do
+      it "should revoke the refresh token provided" do
         post revocation_token_endpoint_url, params: { token: access_token.refresh_token }, headers: headers
 
         expect(response).to be_successful
         expect(access_token.reload.revoked?).to be_truthy
       end
 
-      context 'with invalid token to revoke' do
-        it 'should not revoke any tokens and respond successfully' do
+      context "with invalid token to revoke" do
+        it "should not revoke any tokens and respond successfully" do
           expect do
             post revocation_token_endpoint_url,
-              params: { token: 'I_AM_AN_INVALID_TOKEN' },
-              headers: headers
-            end.not_to(change { Doorkeeper::AccessToken.where(revoked_at: nil).count })
+                 params: { token: "I_AM_AN_INVALID_TOKEN" },
+                 headers: headers
+          end.not_to(change { Doorkeeper::AccessToken.where(revoked_at: nil).count })
 
           # The authorization server responds with HTTP status code 200 even if
           # token is invalid
@@ -51,13 +53,13 @@ describe 'Revoke Token Flow' do
         end
       end
 
-      context 'with bad credentials and a valid token' do
+      context "with bad credentials and a valid token" do
         let(:headers) do
           client_id = client_application.uid
           credentials = Base64.encode64("#{client_id}:poop")
-          { 'HTTP_AUTHORIZATION' => "Basic #{credentials}" }
+          { "HTTP_AUTHORIZATION" => "Basic #{credentials}" }
         end
-        it 'should not revoke any tokens and respond successfully' do
+        it "should not revoke any tokens and respond successfully" do
           post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
 
           expect(response).to be_successful
@@ -65,8 +67,8 @@ describe 'Revoke Token Flow' do
         end
       end
 
-      context 'with no credentials and a valid token' do
-        it 'should not revoke any tokens and respond successfully' do
+      context "with no credentials and a valid token" do
+        it "should not revoke any tokens and respond successfully" do
           post revocation_token_endpoint_url, params: { token: access_token.token }
 
           expect(response).to be_successful
@@ -74,16 +76,16 @@ describe 'Revoke Token Flow' do
         end
       end
 
-      context 'with valid token for another client application' do
+      context "with valid token for another client application" do
         let(:other_client_application) { FactoryBot.create :application }
         let(:headers) do
           client_id = other_client_application.uid
           client_secret = other_client_application.secret
           credentials = Base64.encode64("#{client_id}:#{client_secret}")
-          { 'HTTP_AUTHORIZATION' => "Basic #{credentials}" }
+          { "HTTP_AUTHORIZATION" => "Basic #{credentials}" }
         end
 
-        it 'should not revoke the token as its unauthorized' do
+        it "should not revoke the token as its unauthorized" do
           post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
 
           expect(response).to be_successful
@@ -92,7 +94,7 @@ describe 'Revoke Token Flow' do
       end
     end
 
-    context 'with public OAuth 2.0 client/application' do
+    context "with public OAuth 2.0 client/application" do
       let(:access_token) do
         FactoryBot.create(:access_token,
                           application: nil,
@@ -100,21 +102,21 @@ describe 'Revoke Token Flow' do
                           use_refresh_token: true)
       end
 
-      it 'should revoke the access token provided' do
+      it "should revoke the access token provided" do
         post revocation_token_endpoint_url, params: { token: access_token.token }
 
         expect(response).to be_successful
         expect(access_token.reload.revoked?).to be_truthy
       end
 
-      it 'should revoke the refresh token provided' do
+      it "should revoke the refresh token provided" do
         post revocation_token_endpoint_url, params: { token: access_token.refresh_token }
 
         expect(response).to be_successful
         expect(access_token.reload.revoked?).to be_truthy
       end
 
-      context 'with a valid token issued for a confidential client' do
+      context "with a valid token issued for a confidential client" do
         let(:access_token) do
           FactoryBot.create(:access_token,
                             application: client_application,
@@ -122,14 +124,14 @@ describe 'Revoke Token Flow' do
                             use_refresh_token: true)
         end
 
-        it 'should not revoke the access token provided' do
+        it "should not revoke the access token provided" do
           post revocation_token_endpoint_url, params: { token: access_token.token }
 
           expect(response).to be_successful
           expect(access_token.reload.revoked?).to be_falsey
         end
 
-        it 'should not revoke the refresh token provided' do
+        it "should not revoke the refresh token provided" do
           post revocation_token_endpoint_url, params: { token: access_token.token }
 
           expect(response).to be_successful

data/spec/requests/flows/skip_authorization_spec.rb

@@ -1,20 +1,22 @@
-require 'spec_helper'
+# frozen_string_literal: true
 
-feature 'Skip authorization form' do
+require "spec_helper"
+
+feature "Skip authorization form" do
   background do
-    config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
+    config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
     client_exists
     default_scopes_exist  :public
     optional_scopes_exist :write
   end
 
-  context 'for previously authorized clients' do
+  context "for previously authorized clients" do
     background do
       create_resource_owner
       sign_in
     end
 
-    scenario 'skips the authorization and return a new grant code' do
+    scenario "skips the authorization and return a new grant code" do
       client_is_authorized(@client, @resource_owner, scopes: "public")
       visit authorization_endpoint_url(client: @client, scope: "public")
 
@@ -35,29 +37,29 @@ feature 'Skip authorization form' do
       url_should_have_param "code", Doorkeeper::AccessGrant.first.token
     end
 
-    scenario 'does not skip authorization when scopes differ (new request has fewer scopes)' do
-      client_is_authorized(@client, @resource_owner, scopes: 'public write')
-      visit authorization_endpoint_url(client: @client, scope: 'public')
-      i_should_see 'Authorize'
+    scenario "does not skip authorization when scopes differ (new request has fewer scopes)" do
+      client_is_authorized(@client, @resource_owner, scopes: "public write")
+      visit authorization_endpoint_url(client: @client, scope: "public")
+      i_should_see "Authorize"
     end
 
-    scenario 'does not skip authorization when scopes differ (new request has more scopes)' do
-      client_is_authorized(@client, @resource_owner, scopes: 'public write')
-      visit authorization_endpoint_url(client: @client, scopes: 'public write email')
-      i_should_see 'Authorize'
+    scenario "does not skip authorization when scopes differ (new request has more scopes)" do
+      client_is_authorized(@client, @resource_owner, scopes: "public write")
+      visit authorization_endpoint_url(client: @client, scopes: "public write email")
+      i_should_see "Authorize"
     end
 
-    scenario 'creates grant with new scope when scopes differ' do
-      client_is_authorized(@client, @resource_owner, scopes: 'public write')
-      visit authorization_endpoint_url(client: @client, scope: 'public')
-      click_on 'Authorize'
+    scenario "creates grant with new scope when scopes differ" do
+      client_is_authorized(@client, @resource_owner, scopes: "public write")
+      visit authorization_endpoint_url(client: @client, scope: "public")
+      click_on "Authorize"
       access_grant_should_have_scopes :public
     end
 
-    scenario 'creates grant with new scope when scopes are greater' do
-      client_is_authorized(@client, @resource_owner, scopes: 'public')
-      visit authorization_endpoint_url(client: @client, scope: 'public write')
-      click_on 'Authorize'
+    scenario "creates grant with new scope when scopes are greater" do
+      client_is_authorized(@client, @resource_owner, scopes: "public")
+      visit authorization_endpoint_url(client: @client, scope: "public write")
+      click_on "Authorize"
       access_grant_should_have_scopes :public, :write
     end
   end