doorkeeper 5.1.0.rc2 → 5.1.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of doorkeeper might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/.hound.yml +2 -1
- data/.rubocop.yml +37 -4
- data/.travis.yml +4 -27
- data/Appraisals +8 -12
- data/Gemfile +6 -2
- data/NEWS.md +16 -0
- data/README.md +11 -2
- data/Rakefile +10 -8
- data/app/controllers/doorkeeper/application_controller.rb +1 -2
- data/app/controllers/doorkeeper/application_metal_controller.rb +2 -13
- data/app/controllers/doorkeeper/applications_controller.rb +17 -5
- data/app/controllers/doorkeeper/token_info_controller.rb +1 -1
- data/app/controllers/doorkeeper/tokens_controller.rb +7 -7
- data/app/helpers/doorkeeper/dashboard_helper.rb +1 -1
- data/app/validators/redirect_uri_validator.rb +5 -2
- data/app/views/doorkeeper/applications/_form.html.erb +6 -0
- data/bin/console +5 -4
- data/config/locales/en.yml +1 -0
- data/doorkeeper.gemspec +24 -22
- data/gemfiles/rails_5_0.gemfile +2 -1
- data/gemfiles/rails_5_1.gemfile +2 -1
- data/gemfiles/rails_5_2.gemfile +2 -1
- data/gemfiles/rails_6_0.gemfile +1 -0
- data/gemfiles/rails_master.gemfile +1 -0
- data/lib/doorkeeper.rb +68 -66
- data/lib/doorkeeper/config.rb +53 -90
- data/lib/doorkeeper/config/option.rb +64 -0
- data/lib/doorkeeper/engine.rb +1 -1
- data/lib/doorkeeper/grape/authorization_decorator.rb +4 -4
- data/lib/doorkeeper/grape/helpers.rb +3 -3
- data/lib/doorkeeper/helpers/controller.rb +1 -1
- data/lib/doorkeeper/models/access_grant_mixin.rb +4 -2
- data/lib/doorkeeper/models/access_token_mixin.rb +10 -10
- data/lib/doorkeeper/models/application_mixin.rb +1 -0
- data/lib/doorkeeper/models/concerns/expirable.rb +1 -0
- data/lib/doorkeeper/models/concerns/ownership.rb +1 -6
- data/lib/doorkeeper/models/concerns/revocable.rb +2 -1
- data/lib/doorkeeper/models/concerns/scopes.rb +1 -1
- data/lib/doorkeeper/models/concerns/secret_storable.rb +2 -0
- data/lib/doorkeeper/oauth.rb +5 -5
- data/lib/doorkeeper/oauth/authorization/code.rb +1 -1
- data/lib/doorkeeper/oauth/authorization/token.rb +9 -6
- data/lib/doorkeeper/oauth/authorization/uri_builder.rb +1 -1
- data/lib/doorkeeper/oauth/authorization_code_request.rb +5 -3
- data/lib/doorkeeper/oauth/client_credentials/validation.rb +1 -1
- data/lib/doorkeeper/oauth/client_credentials_request.rb +1 -1
- data/lib/doorkeeper/oauth/error_response.rb +5 -5
- data/lib/doorkeeper/oauth/forbidden_token_response.rb +1 -1
- data/lib/doorkeeper/oauth/helpers/scope_checker.rb +1 -1
- data/lib/doorkeeper/oauth/helpers/unique_token.rb +2 -1
- data/lib/doorkeeper/oauth/helpers/uri_checker.rb +6 -2
- data/lib/doorkeeper/oauth/invalid_token_response.rb +1 -1
- data/lib/doorkeeper/oauth/pre_authorization.rb +4 -3
- data/lib/doorkeeper/oauth/refresh_token_request.rb +1 -1
- data/lib/doorkeeper/oauth/scopes.rb +5 -3
- data/lib/doorkeeper/oauth/token.rb +2 -2
- data/lib/doorkeeper/oauth/token_introspection.rb +4 -4
- data/lib/doorkeeper/oauth/token_response.rb +9 -9
- data/lib/doorkeeper/orm/active_record.rb +6 -6
- data/lib/doorkeeper/orm/active_record/access_grant.rb +5 -12
- data/lib/doorkeeper/orm/active_record/access_token.rb +6 -13
- data/lib/doorkeeper/orm/active_record/application.rb +6 -5
- data/lib/doorkeeper/orm/active_record/stale_records_cleaner.rb +10 -3
- data/lib/doorkeeper/rails/helpers.rb +1 -1
- data/lib/doorkeeper/rails/routes.rb +11 -11
- data/lib/doorkeeper/rails/routes/mapping.rb +7 -7
- data/lib/doorkeeper/rake.rb +1 -1
- data/lib/doorkeeper/rake/db.rake +13 -13
- data/lib/doorkeeper/request.rb +1 -1
- data/lib/doorkeeper/secret_storing/base.rb +7 -6
- data/lib/doorkeeper/secret_storing/bcrypt.rb +4 -3
- data/lib/doorkeeper/secret_storing/plain.rb +4 -4
- data/lib/doorkeeper/secret_storing/sha256_hash.rb +3 -2
- data/lib/doorkeeper/stale_records_cleaner.rb +1 -1
- data/lib/doorkeeper/version.rb +2 -2
- data/lib/generators/doorkeeper/application_owner_generator.rb +10 -9
- data/lib/generators/doorkeeper/confidential_applications_generator.rb +10 -9
- data/lib/generators/doorkeeper/install_generator.rb +11 -9
- data/lib/generators/doorkeeper/migration_generator.rb +9 -9
- data/lib/generators/doorkeeper/pkce_generator.rb +10 -9
- data/lib/generators/doorkeeper/previous_refresh_token_generator.rb +10 -9
- data/lib/generators/doorkeeper/templates/initializer.rb +30 -5
- data/lib/generators/doorkeeper/templates/migration.rb.erb +15 -7
- data/lib/generators/doorkeeper/views_generator.rb +6 -4
- data/spec/controllers/application_metal_controller_spec.rb +10 -10
- data/spec/controllers/applications_controller_spec.rb +54 -52
- data/spec/controllers/authorizations_controller_spec.rb +136 -142
- data/spec/controllers/protected_resources_controller_spec.rb +78 -76
- data/spec/controllers/token_info_controller_spec.rb +13 -11
- data/spec/controllers/tokens_controller_spec.rb +109 -94
- data/spec/dummy/Rakefile +3 -1
- data/spec/dummy/app/controllers/application_controller.rb +2 -0
- data/spec/dummy/app/controllers/custom_authorizations_controller.rb +2 -0
- data/spec/dummy/app/controllers/full_protected_resources_controller.rb +4 -2
- data/spec/dummy/app/controllers/home_controller.rb +5 -3
- data/spec/dummy/app/controllers/metal_controller.rb +2 -0
- data/spec/dummy/app/controllers/semi_protected_resources_controller.rb +4 -2
- data/spec/dummy/app/helpers/application_helper.rb +2 -0
- data/spec/dummy/app/models/user.rb +2 -0
- data/spec/dummy/config.ru +3 -1
- data/spec/dummy/config/application.rb +13 -0
- data/spec/dummy/config/environments/development.rb +2 -0
- data/spec/dummy/config/environments/production.rb +2 -0
- data/spec/dummy/config/environments/test.rb +3 -1
- data/spec/dummy/config/initializers/backtrace_silencers.rb +2 -0
- data/spec/dummy/config/initializers/doorkeeper.rb +5 -2
- data/spec/dummy/config/initializers/secret_token.rb +3 -1
- data/spec/dummy/config/initializers/session_store.rb +3 -1
- data/spec/dummy/config/initializers/wrap_parameters.rb +2 -0
- data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +17 -10
- data/spec/dummy/db/migrate/20170822064514_enable_pkce.rb +2 -0
- data/spec/dummy/db/schema.rb +1 -1
- data/spec/dummy/script/rails +5 -3
- data/spec/factories.rb +5 -3
- data/spec/generators/application_owner_generator_spec.rb +13 -26
- data/spec/generators/confidential_applications_generator_spec.rb +12 -28
- data/spec/generators/install_generator_spec.rb +17 -15
- data/spec/generators/migration_generator_spec.rb +13 -26
- data/spec/generators/pkce_generator_spec.rb +11 -26
- data/spec/generators/previous_refresh_token_generator_spec.rb +16 -29
- data/spec/generators/templates/routes.rb +2 -0
- data/spec/generators/views_generator_spec.rb +14 -12
- data/spec/grape/grape_integration_spec.rb +34 -32
- data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +9 -7
- data/spec/lib/config_spec.rb +137 -136
- data/spec/lib/doorkeeper_spec.rb +3 -1
- data/spec/lib/models/expirable_spec.rb +12 -10
- data/spec/lib/models/reusable_spec.rb +6 -6
- data/spec/lib/models/revocable_spec.rb +8 -6
- data/spec/lib/models/scopes_spec.rb +19 -17
- data/spec/lib/models/secret_storable_spec.rb +71 -49
- data/spec/lib/oauth/authorization/uri_builder_spec.rb +17 -15
- data/spec/lib/oauth/authorization_code_request_spec.rb +18 -12
- data/spec/lib/oauth/base_request_spec.rb +20 -8
- data/spec/lib/oauth/base_response_spec.rb +3 -1
- data/spec/lib/oauth/client/credentials_spec.rb +24 -22
- data/spec/lib/oauth/client_credentials/creator_spec.rb +13 -11
- data/spec/lib/oauth/client_credentials/issuer_spec.rb +27 -18
- data/spec/lib/oauth/client_credentials/validation_spec.rb +17 -15
- data/spec/lib/oauth/client_credentials_integration_spec.rb +7 -5
- data/spec/lib/oauth/client_credentials_request_spec.rb +27 -21
- data/spec/lib/oauth/client_spec.rb +15 -13
- data/spec/lib/oauth/code_request_spec.rb +8 -6
- data/spec/lib/oauth/code_response_spec.rb +9 -7
- data/spec/lib/oauth/error_response_spec.rb +14 -12
- data/spec/lib/oauth/error_spec.rb +4 -2
- data/spec/lib/oauth/forbidden_token_response_spec.rb +7 -5
- data/spec/lib/oauth/helpers/scope_checker_spec.rb +35 -33
- data/spec/lib/oauth/helpers/unique_token_spec.rb +8 -6
- data/spec/lib/oauth/helpers/uri_checker_spec.rb +103 -101
- data/spec/lib/oauth/invalid_token_response_spec.rb +3 -1
- data/spec/lib/oauth/password_access_token_request_spec.rb +52 -34
- data/spec/lib/oauth/pre_authorization_spec.rb +64 -62
- data/spec/lib/oauth/refresh_token_request_spec.rb +36 -33
- data/spec/lib/oauth/scopes_spec.rb +63 -61
- data/spec/lib/oauth/token_request_spec.rb +66 -26
- data/spec/lib/oauth/token_response_spec.rb +39 -37
- data/spec/lib/oauth/token_spec.rb +51 -49
- data/spec/lib/request/strategy_spec.rb +3 -1
- data/spec/lib/secret_storing/base_spec.rb +23 -23
- data/spec/lib/secret_storing/bcrypt_spec.rb +18 -18
- data/spec/lib/secret_storing/plain_spec.rb +17 -17
- data/spec/lib/secret_storing/sha256_hash_spec.rb +16 -16
- data/spec/lib/server_spec.rb +16 -14
- data/spec/lib/stale_records_cleaner_spec.rb +17 -17
- data/spec/models/doorkeeper/access_grant_spec.rb +30 -26
- data/spec/models/doorkeeper/access_token_spec.rb +97 -95
- data/spec/models/doorkeeper/application_spec.rb +98 -57
- data/spec/requests/applications/applications_request_spec.rb +98 -66
- data/spec/requests/applications/authorized_applications_spec.rb +20 -18
- data/spec/requests/endpoints/authorization_spec.rb +25 -23
- data/spec/requests/endpoints/token_spec.rb +38 -36
- data/spec/requests/flows/authorization_code_errors_spec.rb +26 -24
- data/spec/requests/flows/authorization_code_spec.rb +161 -159
- data/spec/requests/flows/client_credentials_spec.rb +53 -51
- data/spec/requests/flows/implicit_grant_errors_spec.rb +10 -8
- data/spec/requests/flows/implicit_grant_spec.rb +27 -25
- data/spec/requests/flows/password_spec.rb +56 -54
- data/spec/requests/flows/refresh_token_spec.rb +45 -43
- data/spec/requests/flows/revoke_token_spec.rb +29 -27
- data/spec/requests/flows/skip_authorization_spec.rb +23 -21
- data/spec/requests/protected_resources/metal_spec.rb +7 -5
- data/spec/requests/protected_resources/private_api_spec.rb +35 -33
- data/spec/routing/custom_controller_routes_spec.rb +67 -65
- data/spec/routing/default_routes_spec.rb +22 -20
- data/spec/routing/scoped_routes_spec.rb +20 -18
- data/spec/spec_helper.rb +14 -13
- data/spec/spec_helper_integration.rb +3 -1
- data/spec/support/dependencies/factory_bot.rb +3 -1
- data/spec/support/doorkeeper_rspec.rb +3 -1
- data/spec/support/helpers/access_token_request_helper.rb +3 -1
- data/spec/support/helpers/authorization_request_helper.rb +4 -2
- data/spec/support/helpers/config_helper.rb +2 -0
- data/spec/support/helpers/model_helper.rb +3 -1
- data/spec/support/helpers/request_spec_helper.rb +5 -3
- data/spec/support/helpers/url_helper.rb +9 -7
- data/spec/support/http_method_shim.rb +4 -9
- data/spec/support/orm/active_record.rb +3 -1
- data/spec/support/shared/controllers_shared_context.rb +18 -16
- data/spec/support/shared/hashing_shared_context.rb +3 -3
- data/spec/support/shared/models_shared_examples.rb +12 -10
- data/spec/validators/redirect_uri_validator_spec.rb +74 -45
- data/spec/version/version_spec.rb +7 -5
- metadata +12 -16
- data/gemfiles/rails_4_2.gemfile +0 -17
- data/spec/dummy/config/initializers/new_framework_defaults.rb +0 -8
- data/spec/support/ruby_2_6_rails_4_2_patch.rb +0 -14
@@ -1,6 +1,8 @@
|
|
1
|
-
|
1
|
+
# frozen_string_literal: true
|
2
2
|
|
3
|
-
|
3
|
+
require "spec_helper"
|
4
|
+
|
5
|
+
describe "Refresh Token Flow" do
|
4
6
|
before do
|
5
7
|
Doorkeeper.configure do
|
6
8
|
orm DOORKEEPER_ORM
|
@@ -10,33 +12,33 @@ describe 'Refresh Token Flow' do
|
|
10
12
|
client_exists
|
11
13
|
end
|
12
14
|
|
13
|
-
context
|
15
|
+
context "issuing a refresh token" do
|
14
16
|
before do
|
15
17
|
authorization_code_exists application: @client
|
16
18
|
end
|
17
19
|
|
18
|
-
it
|
20
|
+
it "client gets the refresh token and refreshes it" do
|
19
21
|
post token_endpoint_url(code: @authorization.token, client: @client)
|
20
22
|
|
21
23
|
token = Doorkeeper::AccessToken.first
|
22
24
|
|
23
|
-
should_have_json
|
24
|
-
should_have_json
|
25
|
+
should_have_json "access_token", token.token
|
26
|
+
should_have_json "refresh_token", token.refresh_token
|
25
27
|
|
26
28
|
expect(@authorization.reload).to be_revoked
|
27
29
|
|
28
30
|
post refresh_token_endpoint_url(client: @client, refresh_token: token.refresh_token)
|
29
31
|
|
30
32
|
new_token = Doorkeeper::AccessToken.last
|
31
|
-
should_have_json
|
32
|
-
should_have_json
|
33
|
+
should_have_json "access_token", new_token.token
|
34
|
+
should_have_json "refresh_token", new_token.refresh_token
|
33
35
|
|
34
36
|
expect(token.token).not_to eq(new_token.token)
|
35
37
|
expect(token.refresh_token).not_to eq(new_token.refresh_token)
|
36
38
|
end
|
37
39
|
end
|
38
40
|
|
39
|
-
context
|
41
|
+
context "refreshing the token" do
|
40
42
|
before do
|
41
43
|
@token = FactoryBot.create(
|
42
44
|
:access_token,
|
@@ -47,23 +49,23 @@ describe 'Refresh Token Flow' do
|
|
47
49
|
end
|
48
50
|
|
49
51
|
context "refresh_token revoked on use" do
|
50
|
-
it
|
52
|
+
it "client request a token with refresh token" do
|
51
53
|
post refresh_token_endpoint_url(
|
52
54
|
client: @client, refresh_token: @token.refresh_token
|
53
55
|
)
|
54
56
|
should_have_json(
|
55
|
-
|
57
|
+
"refresh_token", Doorkeeper::AccessToken.last.refresh_token
|
56
58
|
)
|
57
59
|
expect(@token.reload).not_to be_revoked
|
58
60
|
end
|
59
61
|
|
60
|
-
it
|
62
|
+
it "client request a token with expired access token" do
|
61
63
|
@token.update_attribute :expires_in, -100
|
62
64
|
post refresh_token_endpoint_url(
|
63
65
|
client: @client, refresh_token: @token.refresh_token
|
64
66
|
)
|
65
67
|
should_have_json(
|
66
|
-
|
68
|
+
"refresh_token", Doorkeeper::AccessToken.last.refresh_token
|
67
69
|
)
|
68
70
|
expect(@token.reload).not_to be_revoked
|
69
71
|
end
|
@@ -74,23 +76,23 @@ describe 'Refresh Token Flow' do
|
|
74
76
|
allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
|
75
77
|
end
|
76
78
|
|
77
|
-
it
|
79
|
+
it "client request a token with refresh token" do
|
78
80
|
post refresh_token_endpoint_url(
|
79
81
|
client: @client, refresh_token: @token.refresh_token
|
80
82
|
)
|
81
83
|
should_have_json(
|
82
|
-
|
84
|
+
"refresh_token", Doorkeeper::AccessToken.last.refresh_token
|
83
85
|
)
|
84
86
|
expect(@token.reload).to be_revoked
|
85
87
|
end
|
86
88
|
|
87
|
-
it
|
89
|
+
it "client request a token with expired access token" do
|
88
90
|
@token.update_attribute :expires_in, -100
|
89
91
|
post refresh_token_endpoint_url(
|
90
92
|
client: @client, refresh_token: @token.refresh_token
|
91
93
|
)
|
92
94
|
should_have_json(
|
93
|
-
|
95
|
+
"refresh_token", Doorkeeper::AccessToken.last.refresh_token
|
94
96
|
)
|
95
97
|
expect(@token.reload).to be_revoked
|
96
98
|
end
|
@@ -122,59 +124,59 @@ describe 'Refresh Token Flow' do
|
|
122
124
|
)
|
123
125
|
end
|
124
126
|
|
125
|
-
it
|
127
|
+
it "issues a new token without client_secret when refresh token was issued to a public client" do
|
126
128
|
post refresh_token_endpoint_url(
|
127
129
|
client_id: public_client.uid,
|
128
130
|
refresh_token: token_for_public_client.refresh_token
|
129
131
|
)
|
130
132
|
|
131
133
|
new_token = Doorkeeper::AccessToken.last
|
132
|
-
should_have_json
|
133
|
-
should_have_json
|
134
|
+
should_have_json "access_token", new_token.token
|
135
|
+
should_have_json "refresh_token", new_token.refresh_token
|
134
136
|
end
|
135
137
|
|
136
|
-
it
|
138
|
+
it "returns an error without credentials" do
|
137
139
|
post refresh_token_endpoint_url(refresh_token: token_for_private_client.refresh_token)
|
138
140
|
|
139
|
-
should_not_have_json
|
140
|
-
should_have_json
|
141
|
+
should_not_have_json "refresh_token"
|
142
|
+
should_have_json "error", "invalid_grant"
|
141
143
|
end
|
142
144
|
|
143
|
-
it
|
145
|
+
it "returns an error with wrong credentials" do
|
144
146
|
post refresh_token_endpoint_url(
|
145
|
-
client_id:
|
146
|
-
client_secret:
|
147
|
+
client_id: "1",
|
148
|
+
client_secret: "1",
|
147
149
|
refresh_token: token_for_private_client.refresh_token
|
148
150
|
)
|
149
151
|
|
150
|
-
should_not_have_json
|
151
|
-
should_have_json
|
152
|
+
should_not_have_json "refresh_token"
|
153
|
+
should_have_json "error", "invalid_client"
|
152
154
|
end
|
153
155
|
end
|
154
156
|
|
155
|
-
it
|
156
|
-
post refresh_token_endpoint_url(client: @client, refresh_token:
|
157
|
-
should_not_have_json
|
158
|
-
should_have_json
|
157
|
+
it "client gets an error for invalid refresh token" do
|
158
|
+
post refresh_token_endpoint_url(client: @client, refresh_token: "invalid")
|
159
|
+
should_not_have_json "refresh_token"
|
160
|
+
should_have_json "error", "invalid_grant"
|
159
161
|
end
|
160
162
|
|
161
|
-
it
|
163
|
+
it "client gets an error for revoked access token" do
|
162
164
|
@token.revoke
|
163
165
|
post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
|
164
|
-
should_not_have_json
|
165
|
-
should_have_json
|
166
|
+
should_not_have_json "refresh_token"
|
167
|
+
should_have_json "error", "invalid_grant"
|
166
168
|
end
|
167
169
|
|
168
|
-
it
|
170
|
+
it "second of simultaneous client requests get an error for revoked access token" do
|
169
171
|
allow_any_instance_of(Doorkeeper::AccessToken).to receive(:revoked?).and_return(false, true)
|
170
172
|
post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
|
171
173
|
|
172
|
-
should_not_have_json
|
173
|
-
should_have_json
|
174
|
+
should_not_have_json "refresh_token"
|
175
|
+
should_have_json "error", "invalid_request"
|
174
176
|
end
|
175
177
|
end
|
176
178
|
|
177
|
-
context
|
179
|
+
context "refreshing the token with multiple sessions (devices)" do
|
178
180
|
before do
|
179
181
|
# enable password auth to simulate other devices
|
180
182
|
config_is_set(:grant_flows, ["password"])
|
@@ -197,12 +199,12 @@ describe 'Refresh Token Flow' do
|
|
197
199
|
end
|
198
200
|
|
199
201
|
context "refresh_token revoked on use" do
|
200
|
-
it
|
202
|
+
it "client request a token after creating another token with the same user" do
|
201
203
|
post refresh_token_endpoint_url(
|
202
204
|
client: @client, refresh_token: @token.refresh_token
|
203
205
|
)
|
204
206
|
|
205
|
-
should_have_json
|
207
|
+
should_have_json "refresh_token", last_token.refresh_token
|
206
208
|
expect(@token.reload).not_to be_revoked
|
207
209
|
end
|
208
210
|
end
|
@@ -212,12 +214,12 @@ describe 'Refresh Token Flow' do
|
|
212
214
|
allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
|
213
215
|
end
|
214
216
|
|
215
|
-
it
|
217
|
+
it "client request a token after creating another token with the same user" do
|
216
218
|
post refresh_token_endpoint_url(
|
217
219
|
client: @client, refresh_token: @token.refresh_token
|
218
220
|
)
|
219
221
|
|
220
|
-
should_have_json
|
222
|
+
should_have_json "refresh_token", last_token.refresh_token
|
221
223
|
expect(@token.reload).to be_revoked
|
222
224
|
end
|
223
225
|
end
|
@@ -1,13 +1,15 @@
|
|
1
|
-
|
1
|
+
# frozen_string_literal: true
|
2
2
|
|
3
|
-
|
3
|
+
require "spec_helper"
|
4
|
+
|
5
|
+
describe "Revoke Token Flow" do
|
4
6
|
before do
|
5
7
|
Doorkeeper.configure { orm DOORKEEPER_ORM }
|
6
8
|
end
|
7
9
|
|
8
|
-
context
|
10
|
+
context "with default parameters" do
|
9
11
|
let(:client_application) { FactoryBot.create :application }
|
10
|
-
let(:resource_owner) { User.create!(name:
|
12
|
+
let(:resource_owner) { User.create!(name: "John", password: "sekret") }
|
11
13
|
let(:access_token) do
|
12
14
|
FactoryBot.create(:access_token,
|
13
15
|
application: client_application,
|
@@ -15,35 +17,35 @@ describe 'Revoke Token Flow' do
|
|
15
17
|
use_refresh_token: true)
|
16
18
|
end
|
17
19
|
|
18
|
-
context
|
20
|
+
context "with authenticated, confidential OAuth 2.0 client/application" do
|
19
21
|
let(:headers) do
|
20
22
|
client_id = client_application.uid
|
21
23
|
client_secret = client_application.secret
|
22
24
|
credentials = Base64.encode64("#{client_id}:#{client_secret}")
|
23
|
-
{
|
25
|
+
{ "HTTP_AUTHORIZATION" => "Basic #{credentials}" }
|
24
26
|
end
|
25
27
|
|
26
|
-
it
|
28
|
+
it "should revoke the access token provided" do
|
27
29
|
post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
|
28
30
|
|
29
31
|
expect(response).to be_successful
|
30
32
|
expect(access_token.reload.revoked?).to be_truthy
|
31
33
|
end
|
32
34
|
|
33
|
-
it
|
35
|
+
it "should revoke the refresh token provided" do
|
34
36
|
post revocation_token_endpoint_url, params: { token: access_token.refresh_token }, headers: headers
|
35
37
|
|
36
38
|
expect(response).to be_successful
|
37
39
|
expect(access_token.reload.revoked?).to be_truthy
|
38
40
|
end
|
39
41
|
|
40
|
-
context
|
41
|
-
it
|
42
|
+
context "with invalid token to revoke" do
|
43
|
+
it "should not revoke any tokens and respond successfully" do
|
42
44
|
expect do
|
43
45
|
post revocation_token_endpoint_url,
|
44
|
-
|
45
|
-
|
46
|
-
|
46
|
+
params: { token: "I_AM_AN_INVALID_TOKEN" },
|
47
|
+
headers: headers
|
48
|
+
end.not_to(change { Doorkeeper::AccessToken.where(revoked_at: nil).count })
|
47
49
|
|
48
50
|
# The authorization server responds with HTTP status code 200 even if
|
49
51
|
# token is invalid
|
@@ -51,13 +53,13 @@ describe 'Revoke Token Flow' do
|
|
51
53
|
end
|
52
54
|
end
|
53
55
|
|
54
|
-
context
|
56
|
+
context "with bad credentials and a valid token" do
|
55
57
|
let(:headers) do
|
56
58
|
client_id = client_application.uid
|
57
59
|
credentials = Base64.encode64("#{client_id}:poop")
|
58
|
-
{
|
60
|
+
{ "HTTP_AUTHORIZATION" => "Basic #{credentials}" }
|
59
61
|
end
|
60
|
-
it
|
62
|
+
it "should not revoke any tokens and respond successfully" do
|
61
63
|
post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
|
62
64
|
|
63
65
|
expect(response).to be_successful
|
@@ -65,8 +67,8 @@ describe 'Revoke Token Flow' do
|
|
65
67
|
end
|
66
68
|
end
|
67
69
|
|
68
|
-
context
|
69
|
-
it
|
70
|
+
context "with no credentials and a valid token" do
|
71
|
+
it "should not revoke any tokens and respond successfully" do
|
70
72
|
post revocation_token_endpoint_url, params: { token: access_token.token }
|
71
73
|
|
72
74
|
expect(response).to be_successful
|
@@ -74,16 +76,16 @@ describe 'Revoke Token Flow' do
|
|
74
76
|
end
|
75
77
|
end
|
76
78
|
|
77
|
-
context
|
79
|
+
context "with valid token for another client application" do
|
78
80
|
let(:other_client_application) { FactoryBot.create :application }
|
79
81
|
let(:headers) do
|
80
82
|
client_id = other_client_application.uid
|
81
83
|
client_secret = other_client_application.secret
|
82
84
|
credentials = Base64.encode64("#{client_id}:#{client_secret}")
|
83
|
-
{
|
85
|
+
{ "HTTP_AUTHORIZATION" => "Basic #{credentials}" }
|
84
86
|
end
|
85
87
|
|
86
|
-
it
|
88
|
+
it "should not revoke the token as its unauthorized" do
|
87
89
|
post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
|
88
90
|
|
89
91
|
expect(response).to be_successful
|
@@ -92,7 +94,7 @@ describe 'Revoke Token Flow' do
|
|
92
94
|
end
|
93
95
|
end
|
94
96
|
|
95
|
-
context
|
97
|
+
context "with public OAuth 2.0 client/application" do
|
96
98
|
let(:access_token) do
|
97
99
|
FactoryBot.create(:access_token,
|
98
100
|
application: nil,
|
@@ -100,21 +102,21 @@ describe 'Revoke Token Flow' do
|
|
100
102
|
use_refresh_token: true)
|
101
103
|
end
|
102
104
|
|
103
|
-
it
|
105
|
+
it "should revoke the access token provided" do
|
104
106
|
post revocation_token_endpoint_url, params: { token: access_token.token }
|
105
107
|
|
106
108
|
expect(response).to be_successful
|
107
109
|
expect(access_token.reload.revoked?).to be_truthy
|
108
110
|
end
|
109
111
|
|
110
|
-
it
|
112
|
+
it "should revoke the refresh token provided" do
|
111
113
|
post revocation_token_endpoint_url, params: { token: access_token.refresh_token }
|
112
114
|
|
113
115
|
expect(response).to be_successful
|
114
116
|
expect(access_token.reload.revoked?).to be_truthy
|
115
117
|
end
|
116
118
|
|
117
|
-
context
|
119
|
+
context "with a valid token issued for a confidential client" do
|
118
120
|
let(:access_token) do
|
119
121
|
FactoryBot.create(:access_token,
|
120
122
|
application: client_application,
|
@@ -122,14 +124,14 @@ describe 'Revoke Token Flow' do
|
|
122
124
|
use_refresh_token: true)
|
123
125
|
end
|
124
126
|
|
125
|
-
it
|
127
|
+
it "should not revoke the access token provided" do
|
126
128
|
post revocation_token_endpoint_url, params: { token: access_token.token }
|
127
129
|
|
128
130
|
expect(response).to be_successful
|
129
131
|
expect(access_token.reload.revoked?).to be_falsey
|
130
132
|
end
|
131
133
|
|
132
|
-
it
|
134
|
+
it "should not revoke the refresh token provided" do
|
133
135
|
post revocation_token_endpoint_url, params: { token: access_token.token }
|
134
136
|
|
135
137
|
expect(response).to be_successful
|
@@ -1,20 +1,22 @@
|
|
1
|
-
|
1
|
+
# frozen_string_literal: true
|
2
2
|
|
3
|
-
|
3
|
+
require "spec_helper"
|
4
|
+
|
5
|
+
feature "Skip authorization form" do
|
4
6
|
background do
|
5
|
-
config_is_set(:authenticate_resource_owner) { User.first || redirect_to(
|
7
|
+
config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
|
6
8
|
client_exists
|
7
9
|
default_scopes_exist :public
|
8
10
|
optional_scopes_exist :write
|
9
11
|
end
|
10
12
|
|
11
|
-
context
|
13
|
+
context "for previously authorized clients" do
|
12
14
|
background do
|
13
15
|
create_resource_owner
|
14
16
|
sign_in
|
15
17
|
end
|
16
18
|
|
17
|
-
scenario
|
19
|
+
scenario "skips the authorization and return a new grant code" do
|
18
20
|
client_is_authorized(@client, @resource_owner, scopes: "public")
|
19
21
|
visit authorization_endpoint_url(client: @client, scope: "public")
|
20
22
|
|
@@ -35,29 +37,29 @@ feature 'Skip authorization form' do
|
|
35
37
|
url_should_have_param "code", Doorkeeper::AccessGrant.first.token
|
36
38
|
end
|
37
39
|
|
38
|
-
scenario
|
39
|
-
client_is_authorized(@client, @resource_owner, scopes:
|
40
|
-
visit authorization_endpoint_url(client: @client, scope:
|
41
|
-
i_should_see
|
40
|
+
scenario "does not skip authorization when scopes differ (new request has fewer scopes)" do
|
41
|
+
client_is_authorized(@client, @resource_owner, scopes: "public write")
|
42
|
+
visit authorization_endpoint_url(client: @client, scope: "public")
|
43
|
+
i_should_see "Authorize"
|
42
44
|
end
|
43
45
|
|
44
|
-
scenario
|
45
|
-
client_is_authorized(@client, @resource_owner, scopes:
|
46
|
-
visit authorization_endpoint_url(client: @client, scopes:
|
47
|
-
i_should_see
|
46
|
+
scenario "does not skip authorization when scopes differ (new request has more scopes)" do
|
47
|
+
client_is_authorized(@client, @resource_owner, scopes: "public write")
|
48
|
+
visit authorization_endpoint_url(client: @client, scopes: "public write email")
|
49
|
+
i_should_see "Authorize"
|
48
50
|
end
|
49
51
|
|
50
|
-
scenario
|
51
|
-
client_is_authorized(@client, @resource_owner, scopes:
|
52
|
-
visit authorization_endpoint_url(client: @client, scope:
|
53
|
-
click_on
|
52
|
+
scenario "creates grant with new scope when scopes differ" do
|
53
|
+
client_is_authorized(@client, @resource_owner, scopes: "public write")
|
54
|
+
visit authorization_endpoint_url(client: @client, scope: "public")
|
55
|
+
click_on "Authorize"
|
54
56
|
access_grant_should_have_scopes :public
|
55
57
|
end
|
56
58
|
|
57
|
-
scenario
|
58
|
-
client_is_authorized(@client, @resource_owner, scopes:
|
59
|
-
visit authorization_endpoint_url(client: @client, scope:
|
60
|
-
click_on
|
59
|
+
scenario "creates grant with new scope when scopes are greater" do
|
60
|
+
client_is_authorized(@client, @resource_owner, scopes: "public")
|
61
|
+
visit authorization_endpoint_url(client: @client, scope: "public write")
|
62
|
+
click_on "Authorize"
|
61
63
|
access_grant_should_have_scopes :public, :write
|
62
64
|
end
|
63
65
|
end
|