doorkeeper 5.1.0.rc2 → 5.1.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of doorkeeper might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/.hound.yml +2 -1
- data/.rubocop.yml +37 -4
- data/.travis.yml +4 -27
- data/Appraisals +8 -12
- data/Gemfile +6 -2
- data/NEWS.md +16 -0
- data/README.md +11 -2
- data/Rakefile +10 -8
- data/app/controllers/doorkeeper/application_controller.rb +1 -2
- data/app/controllers/doorkeeper/application_metal_controller.rb +2 -13
- data/app/controllers/doorkeeper/applications_controller.rb +17 -5
- data/app/controllers/doorkeeper/token_info_controller.rb +1 -1
- data/app/controllers/doorkeeper/tokens_controller.rb +7 -7
- data/app/helpers/doorkeeper/dashboard_helper.rb +1 -1
- data/app/validators/redirect_uri_validator.rb +5 -2
- data/app/views/doorkeeper/applications/_form.html.erb +6 -0
- data/bin/console +5 -4
- data/config/locales/en.yml +1 -0
- data/doorkeeper.gemspec +24 -22
- data/gemfiles/rails_5_0.gemfile +2 -1
- data/gemfiles/rails_5_1.gemfile +2 -1
- data/gemfiles/rails_5_2.gemfile +2 -1
- data/gemfiles/rails_6_0.gemfile +1 -0
- data/gemfiles/rails_master.gemfile +1 -0
- data/lib/doorkeeper.rb +68 -66
- data/lib/doorkeeper/config.rb +53 -90
- data/lib/doorkeeper/config/option.rb +64 -0
- data/lib/doorkeeper/engine.rb +1 -1
- data/lib/doorkeeper/grape/authorization_decorator.rb +4 -4
- data/lib/doorkeeper/grape/helpers.rb +3 -3
- data/lib/doorkeeper/helpers/controller.rb +1 -1
- data/lib/doorkeeper/models/access_grant_mixin.rb +4 -2
- data/lib/doorkeeper/models/access_token_mixin.rb +10 -10
- data/lib/doorkeeper/models/application_mixin.rb +1 -0
- data/lib/doorkeeper/models/concerns/expirable.rb +1 -0
- data/lib/doorkeeper/models/concerns/ownership.rb +1 -6
- data/lib/doorkeeper/models/concerns/revocable.rb +2 -1
- data/lib/doorkeeper/models/concerns/scopes.rb +1 -1
- data/lib/doorkeeper/models/concerns/secret_storable.rb +2 -0
- data/lib/doorkeeper/oauth.rb +5 -5
- data/lib/doorkeeper/oauth/authorization/code.rb +1 -1
- data/lib/doorkeeper/oauth/authorization/token.rb +9 -6
- data/lib/doorkeeper/oauth/authorization/uri_builder.rb +1 -1
- data/lib/doorkeeper/oauth/authorization_code_request.rb +5 -3
- data/lib/doorkeeper/oauth/client_credentials/validation.rb +1 -1
- data/lib/doorkeeper/oauth/client_credentials_request.rb +1 -1
- data/lib/doorkeeper/oauth/error_response.rb +5 -5
- data/lib/doorkeeper/oauth/forbidden_token_response.rb +1 -1
- data/lib/doorkeeper/oauth/helpers/scope_checker.rb +1 -1
- data/lib/doorkeeper/oauth/helpers/unique_token.rb +2 -1
- data/lib/doorkeeper/oauth/helpers/uri_checker.rb +6 -2
- data/lib/doorkeeper/oauth/invalid_token_response.rb +1 -1
- data/lib/doorkeeper/oauth/pre_authorization.rb +4 -3
- data/lib/doorkeeper/oauth/refresh_token_request.rb +1 -1
- data/lib/doorkeeper/oauth/scopes.rb +5 -3
- data/lib/doorkeeper/oauth/token.rb +2 -2
- data/lib/doorkeeper/oauth/token_introspection.rb +4 -4
- data/lib/doorkeeper/oauth/token_response.rb +9 -9
- data/lib/doorkeeper/orm/active_record.rb +6 -6
- data/lib/doorkeeper/orm/active_record/access_grant.rb +5 -12
- data/lib/doorkeeper/orm/active_record/access_token.rb +6 -13
- data/lib/doorkeeper/orm/active_record/application.rb +6 -5
- data/lib/doorkeeper/orm/active_record/stale_records_cleaner.rb +10 -3
- data/lib/doorkeeper/rails/helpers.rb +1 -1
- data/lib/doorkeeper/rails/routes.rb +11 -11
- data/lib/doorkeeper/rails/routes/mapping.rb +7 -7
- data/lib/doorkeeper/rake.rb +1 -1
- data/lib/doorkeeper/rake/db.rake +13 -13
- data/lib/doorkeeper/request.rb +1 -1
- data/lib/doorkeeper/secret_storing/base.rb +7 -6
- data/lib/doorkeeper/secret_storing/bcrypt.rb +4 -3
- data/lib/doorkeeper/secret_storing/plain.rb +4 -4
- data/lib/doorkeeper/secret_storing/sha256_hash.rb +3 -2
- data/lib/doorkeeper/stale_records_cleaner.rb +1 -1
- data/lib/doorkeeper/version.rb +2 -2
- data/lib/generators/doorkeeper/application_owner_generator.rb +10 -9
- data/lib/generators/doorkeeper/confidential_applications_generator.rb +10 -9
- data/lib/generators/doorkeeper/install_generator.rb +11 -9
- data/lib/generators/doorkeeper/migration_generator.rb +9 -9
- data/lib/generators/doorkeeper/pkce_generator.rb +10 -9
- data/lib/generators/doorkeeper/previous_refresh_token_generator.rb +10 -9
- data/lib/generators/doorkeeper/templates/initializer.rb +30 -5
- data/lib/generators/doorkeeper/templates/migration.rb.erb +15 -7
- data/lib/generators/doorkeeper/views_generator.rb +6 -4
- data/spec/controllers/application_metal_controller_spec.rb +10 -10
- data/spec/controllers/applications_controller_spec.rb +54 -52
- data/spec/controllers/authorizations_controller_spec.rb +136 -142
- data/spec/controllers/protected_resources_controller_spec.rb +78 -76
- data/spec/controllers/token_info_controller_spec.rb +13 -11
- data/spec/controllers/tokens_controller_spec.rb +109 -94
- data/spec/dummy/Rakefile +3 -1
- data/spec/dummy/app/controllers/application_controller.rb +2 -0
- data/spec/dummy/app/controllers/custom_authorizations_controller.rb +2 -0
- data/spec/dummy/app/controllers/full_protected_resources_controller.rb +4 -2
- data/spec/dummy/app/controllers/home_controller.rb +5 -3
- data/spec/dummy/app/controllers/metal_controller.rb +2 -0
- data/spec/dummy/app/controllers/semi_protected_resources_controller.rb +4 -2
- data/spec/dummy/app/helpers/application_helper.rb +2 -0
- data/spec/dummy/app/models/user.rb +2 -0
- data/spec/dummy/config.ru +3 -1
- data/spec/dummy/config/application.rb +13 -0
- data/spec/dummy/config/environments/development.rb +2 -0
- data/spec/dummy/config/environments/production.rb +2 -0
- data/spec/dummy/config/environments/test.rb +3 -1
- data/spec/dummy/config/initializers/backtrace_silencers.rb +2 -0
- data/spec/dummy/config/initializers/doorkeeper.rb +5 -2
- data/spec/dummy/config/initializers/secret_token.rb +3 -1
- data/spec/dummy/config/initializers/session_store.rb +3 -1
- data/spec/dummy/config/initializers/wrap_parameters.rb +2 -0
- data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +17 -10
- data/spec/dummy/db/migrate/20170822064514_enable_pkce.rb +2 -0
- data/spec/dummy/db/schema.rb +1 -1
- data/spec/dummy/script/rails +5 -3
- data/spec/factories.rb +5 -3
- data/spec/generators/application_owner_generator_spec.rb +13 -26
- data/spec/generators/confidential_applications_generator_spec.rb +12 -28
- data/spec/generators/install_generator_spec.rb +17 -15
- data/spec/generators/migration_generator_spec.rb +13 -26
- data/spec/generators/pkce_generator_spec.rb +11 -26
- data/spec/generators/previous_refresh_token_generator_spec.rb +16 -29
- data/spec/generators/templates/routes.rb +2 -0
- data/spec/generators/views_generator_spec.rb +14 -12
- data/spec/grape/grape_integration_spec.rb +34 -32
- data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +9 -7
- data/spec/lib/config_spec.rb +137 -136
- data/spec/lib/doorkeeper_spec.rb +3 -1
- data/spec/lib/models/expirable_spec.rb +12 -10
- data/spec/lib/models/reusable_spec.rb +6 -6
- data/spec/lib/models/revocable_spec.rb +8 -6
- data/spec/lib/models/scopes_spec.rb +19 -17
- data/spec/lib/models/secret_storable_spec.rb +71 -49
- data/spec/lib/oauth/authorization/uri_builder_spec.rb +17 -15
- data/spec/lib/oauth/authorization_code_request_spec.rb +18 -12
- data/spec/lib/oauth/base_request_spec.rb +20 -8
- data/spec/lib/oauth/base_response_spec.rb +3 -1
- data/spec/lib/oauth/client/credentials_spec.rb +24 -22
- data/spec/lib/oauth/client_credentials/creator_spec.rb +13 -11
- data/spec/lib/oauth/client_credentials/issuer_spec.rb +27 -18
- data/spec/lib/oauth/client_credentials/validation_spec.rb +17 -15
- data/spec/lib/oauth/client_credentials_integration_spec.rb +7 -5
- data/spec/lib/oauth/client_credentials_request_spec.rb +27 -21
- data/spec/lib/oauth/client_spec.rb +15 -13
- data/spec/lib/oauth/code_request_spec.rb +8 -6
- data/spec/lib/oauth/code_response_spec.rb +9 -7
- data/spec/lib/oauth/error_response_spec.rb +14 -12
- data/spec/lib/oauth/error_spec.rb +4 -2
- data/spec/lib/oauth/forbidden_token_response_spec.rb +7 -5
- data/spec/lib/oauth/helpers/scope_checker_spec.rb +35 -33
- data/spec/lib/oauth/helpers/unique_token_spec.rb +8 -6
- data/spec/lib/oauth/helpers/uri_checker_spec.rb +103 -101
- data/spec/lib/oauth/invalid_token_response_spec.rb +3 -1
- data/spec/lib/oauth/password_access_token_request_spec.rb +52 -34
- data/spec/lib/oauth/pre_authorization_spec.rb +64 -62
- data/spec/lib/oauth/refresh_token_request_spec.rb +36 -33
- data/spec/lib/oauth/scopes_spec.rb +63 -61
- data/spec/lib/oauth/token_request_spec.rb +66 -26
- data/spec/lib/oauth/token_response_spec.rb +39 -37
- data/spec/lib/oauth/token_spec.rb +51 -49
- data/spec/lib/request/strategy_spec.rb +3 -1
- data/spec/lib/secret_storing/base_spec.rb +23 -23
- data/spec/lib/secret_storing/bcrypt_spec.rb +18 -18
- data/spec/lib/secret_storing/plain_spec.rb +17 -17
- data/spec/lib/secret_storing/sha256_hash_spec.rb +16 -16
- data/spec/lib/server_spec.rb +16 -14
- data/spec/lib/stale_records_cleaner_spec.rb +17 -17
- data/spec/models/doorkeeper/access_grant_spec.rb +30 -26
- data/spec/models/doorkeeper/access_token_spec.rb +97 -95
- data/spec/models/doorkeeper/application_spec.rb +98 -57
- data/spec/requests/applications/applications_request_spec.rb +98 -66
- data/spec/requests/applications/authorized_applications_spec.rb +20 -18
- data/spec/requests/endpoints/authorization_spec.rb +25 -23
- data/spec/requests/endpoints/token_spec.rb +38 -36
- data/spec/requests/flows/authorization_code_errors_spec.rb +26 -24
- data/spec/requests/flows/authorization_code_spec.rb +161 -159
- data/spec/requests/flows/client_credentials_spec.rb +53 -51
- data/spec/requests/flows/implicit_grant_errors_spec.rb +10 -8
- data/spec/requests/flows/implicit_grant_spec.rb +27 -25
- data/spec/requests/flows/password_spec.rb +56 -54
- data/spec/requests/flows/refresh_token_spec.rb +45 -43
- data/spec/requests/flows/revoke_token_spec.rb +29 -27
- data/spec/requests/flows/skip_authorization_spec.rb +23 -21
- data/spec/requests/protected_resources/metal_spec.rb +7 -5
- data/spec/requests/protected_resources/private_api_spec.rb +35 -33
- data/spec/routing/custom_controller_routes_spec.rb +67 -65
- data/spec/routing/default_routes_spec.rb +22 -20
- data/spec/routing/scoped_routes_spec.rb +20 -18
- data/spec/spec_helper.rb +14 -13
- data/spec/spec_helper_integration.rb +3 -1
- data/spec/support/dependencies/factory_bot.rb +3 -1
- data/spec/support/doorkeeper_rspec.rb +3 -1
- data/spec/support/helpers/access_token_request_helper.rb +3 -1
- data/spec/support/helpers/authorization_request_helper.rb +4 -2
- data/spec/support/helpers/config_helper.rb +2 -0
- data/spec/support/helpers/model_helper.rb +3 -1
- data/spec/support/helpers/request_spec_helper.rb +5 -3
- data/spec/support/helpers/url_helper.rb +9 -7
- data/spec/support/http_method_shim.rb +4 -9
- data/spec/support/orm/active_record.rb +3 -1
- data/spec/support/shared/controllers_shared_context.rb +18 -16
- data/spec/support/shared/hashing_shared_context.rb +3 -3
- data/spec/support/shared/models_shared_examples.rb +12 -10
- data/spec/validators/redirect_uri_validator_spec.rb +74 -45
- data/spec/version/version_spec.rb +7 -5
- metadata +12 -16
- data/gemfiles/rails_4_2.gemfile +0 -17
- data/spec/dummy/config/initializers/new_framework_defaults.rb +0 -8
- data/spec/support/ruby_2_6_rails_4_2_patch.rb +0 -14
|
@@ -0,0 +1,64 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module Doorkeeper
|
|
4
|
+
class Config
|
|
5
|
+
# Doorkeeper configuration option DSL
|
|
6
|
+
module Option
|
|
7
|
+
# Defines configuration option
|
|
8
|
+
#
|
|
9
|
+
# When you call option, it defines two methods. One method will take place
|
|
10
|
+
# in the +Config+ class and the other method will take place in the
|
|
11
|
+
# +Builder+ class.
|
|
12
|
+
#
|
|
13
|
+
# The +name+ parameter will set both builder method and config attribute.
|
|
14
|
+
# If the +:as+ option is defined, the builder method will be the specified
|
|
15
|
+
# option while the config attribute will be the +name+ parameter.
|
|
16
|
+
#
|
|
17
|
+
# If you want to introduce another level of config DSL you can
|
|
18
|
+
# define +builder_class+ parameter.
|
|
19
|
+
# Builder should take a block as the initializer parameter and respond to function +build+
|
|
20
|
+
# that returns the value of the config attribute.
|
|
21
|
+
#
|
|
22
|
+
# ==== Options
|
|
23
|
+
#
|
|
24
|
+
# * [:+as+] Set the builder method that goes inside +configure+ block
|
|
25
|
+
# * [+:default+] The default value in case no option was set
|
|
26
|
+
# * [+:builder_class+] Configuration option builder class
|
|
27
|
+
#
|
|
28
|
+
# ==== Examples
|
|
29
|
+
#
|
|
30
|
+
# option :name
|
|
31
|
+
# option :name, as: :set_name
|
|
32
|
+
# option :name, default: 'My Name'
|
|
33
|
+
# option :scopes builder_class: ScopesBuilder
|
|
34
|
+
#
|
|
35
|
+
def option(name, options = {})
|
|
36
|
+
attribute = options[:as] || name
|
|
37
|
+
attribute_builder = options[:builder_class]
|
|
38
|
+
|
|
39
|
+
Builder.instance_eval do
|
|
40
|
+
remove_method name if method_defined?(name)
|
|
41
|
+
define_method name do |*args, &block|
|
|
42
|
+
value = if attribute_builder
|
|
43
|
+
attribute_builder.new(&block).build
|
|
44
|
+
else
|
|
45
|
+
block || args.first
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
@config.instance_variable_set(:"@#{attribute}", value)
|
|
49
|
+
end
|
|
50
|
+
end
|
|
51
|
+
|
|
52
|
+
define_method attribute do |*_args|
|
|
53
|
+
if instance_variable_defined?(:"@#{attribute}")
|
|
54
|
+
instance_variable_get(:"@#{attribute}")
|
|
55
|
+
else
|
|
56
|
+
options[:default]
|
|
57
|
+
end
|
|
58
|
+
end
|
|
59
|
+
|
|
60
|
+
public attribute
|
|
61
|
+
end
|
|
62
|
+
end
|
|
63
|
+
end
|
|
64
|
+
end
|
data/lib/doorkeeper/engine.rb
CHANGED
|
@@ -18,7 +18,7 @@ module Doorkeeper
|
|
|
18
18
|
end
|
|
19
19
|
|
|
20
20
|
if defined?(Sprockets) && Sprockets::VERSION.chr.to_i >= 4
|
|
21
|
-
initializer
|
|
21
|
+
initializer "doorkeeper.assets.precompile" do |app|
|
|
22
22
|
# Force users to use:
|
|
23
23
|
# //= link doorkeeper/admin/application.css
|
|
24
24
|
# in Doorkeeper 5 for Sprockets 4 instead of precompile.
|
|
@@ -9,10 +9,10 @@ module Doorkeeper
|
|
|
9
9
|
|
|
10
10
|
def authorization
|
|
11
11
|
env = __getobj__.env
|
|
12
|
-
env[
|
|
13
|
-
env[
|
|
14
|
-
env[
|
|
15
|
-
env[
|
|
12
|
+
env["HTTP_AUTHORIZATION"] ||
|
|
13
|
+
env["X-HTTP_AUTHORIZATION"] ||
|
|
14
|
+
env["X_HTTP_AUTHORIZATION"] ||
|
|
15
|
+
env["REDIRECT_X_HTTP_AUTHORIZATION"]
|
|
16
16
|
end
|
|
17
17
|
end
|
|
18
18
|
end
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
|
-
require
|
|
3
|
+
require "doorkeeper/grape/authorization_decorator"
|
|
4
4
|
|
|
5
5
|
module Doorkeeper
|
|
6
6
|
module Grape
|
|
@@ -29,7 +29,7 @@ module Doorkeeper
|
|
|
29
29
|
private
|
|
30
30
|
|
|
31
31
|
def endpoint
|
|
32
|
-
env[
|
|
32
|
+
env["api.endpoint"]
|
|
33
33
|
end
|
|
34
34
|
|
|
35
35
|
def doorkeeper_token
|
|
@@ -46,7 +46,7 @@ module Doorkeeper
|
|
|
46
46
|
def error_status_codes
|
|
47
47
|
{
|
|
48
48
|
unauthorized: 401,
|
|
49
|
-
forbidden: 403
|
|
49
|
+
forbidden: 403,
|
|
50
50
|
}
|
|
51
51
|
end
|
|
52
52
|
end
|
|
@@ -55,7 +55,7 @@ module Doorkeeper
|
|
|
55
55
|
end
|
|
56
56
|
|
|
57
57
|
def enforce_content_type
|
|
58
|
-
if (request.put? || request.post? || request.patch?) && request.content_type !=
|
|
58
|
+
if (request.put? || request.post? || request.patch?) && request.content_type != "application/x-www-form-urlencoded"
|
|
59
59
|
render json: {}, status: :unsupported_media_type
|
|
60
60
|
end
|
|
61
61
|
end
|
|
@@ -86,10 +86,12 @@ module Doorkeeper
|
|
|
86
86
|
|
|
87
87
|
# @param code_verifier [#to_s] a one time use value (any object that responds to `#to_s`)
|
|
88
88
|
#
|
|
89
|
-
# @return [#to_s] An encoded code challenge based on the provided verifier
|
|
89
|
+
# @return [#to_s] An encoded code challenge based on the provided verifier
|
|
90
|
+
# suitable for PKCE validation
|
|
91
|
+
#
|
|
90
92
|
def generate_code_challenge(code_verifier)
|
|
91
93
|
padded_result = Base64.urlsafe_encode64(Digest::SHA256.digest(code_verifier))
|
|
92
|
-
padded_result.split(
|
|
94
|
+
padded_result.split("=")[0] # Remove any trailing '='
|
|
93
95
|
end
|
|
94
96
|
|
|
95
97
|
def pkce_supported?
|
|
@@ -127,14 +127,14 @@ module Doorkeeper
|
|
|
127
127
|
if Doorkeeper.configuration.reuse_access_token
|
|
128
128
|
access_token = matching_token_for(application, resource_owner_id, scopes)
|
|
129
129
|
|
|
130
|
-
return access_token if access_token
|
|
130
|
+
return access_token if access_token&.reusable?
|
|
131
131
|
end
|
|
132
132
|
|
|
133
133
|
create!(
|
|
134
|
-
application_id:
|
|
134
|
+
application_id: application.try(:id),
|
|
135
135
|
resource_owner_id: resource_owner_id,
|
|
136
|
-
scopes:
|
|
137
|
-
expires_in:
|
|
136
|
+
scopes: scopes.to_s,
|
|
137
|
+
expires_in: expires_in,
|
|
138
138
|
use_refresh_token: use_refresh_token
|
|
139
139
|
)
|
|
140
140
|
end
|
|
@@ -191,7 +191,7 @@ module Doorkeeper
|
|
|
191
191
|
# The OAuth 2.0 Authorization Framework: Bearer Token Usage
|
|
192
192
|
#
|
|
193
193
|
def token_type
|
|
194
|
-
|
|
194
|
+
"Bearer"
|
|
195
195
|
end
|
|
196
196
|
|
|
197
197
|
def use_refresh_token?
|
|
@@ -204,11 +204,11 @@ module Doorkeeper
|
|
|
204
204
|
# @return [Hash] hash with token data
|
|
205
205
|
def as_json(_options = {})
|
|
206
206
|
{
|
|
207
|
-
resource_owner_id:
|
|
208
|
-
scope:
|
|
209
|
-
expires_in:
|
|
210
|
-
application:
|
|
211
|
-
created_at:
|
|
207
|
+
resource_owner_id: resource_owner_id,
|
|
208
|
+
scope: scopes,
|
|
209
|
+
expires_in: expires_in_seconds,
|
|
210
|
+
application: { uid: application.try(:uid) },
|
|
211
|
+
created_at: created_at.to_i,
|
|
212
212
|
}
|
|
213
213
|
end
|
|
214
214
|
|
|
@@ -6,12 +6,7 @@ module Doorkeeper
|
|
|
6
6
|
extend ActiveSupport::Concern
|
|
7
7
|
|
|
8
8
|
included do
|
|
9
|
-
|
|
10
|
-
if defined?(ActiveRecord::Base) && ActiveRecord::VERSION::MAJOR >= 5
|
|
11
|
-
belongs_to_options[:optional] = true
|
|
12
|
-
end
|
|
13
|
-
|
|
14
|
-
belongs_to :owner, belongs_to_options
|
|
9
|
+
belongs_to :owner, polymorphic: true, optional: true
|
|
15
10
|
validates :owner, presence: true, if: :validate_owner?
|
|
16
11
|
end
|
|
17
12
|
|
|
@@ -66,6 +66,8 @@ module Doorkeeper
|
|
|
66
66
|
# Use the previous strategy to look up
|
|
67
67
|
stored_token = fallback_secret_strategy.transform_secret(plain_secret)
|
|
68
68
|
find_by(attr => stored_token).tap do |resource|
|
|
69
|
+
return nil unless resource
|
|
70
|
+
|
|
69
71
|
upgrade_fallback_value resource, attr, plain_secret
|
|
70
72
|
end
|
|
71
73
|
end
|
data/lib/doorkeeper/oauth.rb
CHANGED
|
@@ -3,11 +3,11 @@
|
|
|
3
3
|
module Doorkeeper
|
|
4
4
|
module OAuth
|
|
5
5
|
GRANT_TYPES = [
|
|
6
|
-
AUTHORIZATION_CODE =
|
|
7
|
-
IMPLICIT =
|
|
8
|
-
PASSWORD =
|
|
9
|
-
CLIENT_CREDENTIALS =
|
|
10
|
-
REFRESH_TOKEN =
|
|
6
|
+
AUTHORIZATION_CODE = "authorization_code",
|
|
7
|
+
IMPLICIT = "implicit",
|
|
8
|
+
PASSWORD = "password",
|
|
9
|
+
CLIENT_CREDENTIALS = "client_credentials",
|
|
10
|
+
REFRESH_TOKEN = "refresh_token",
|
|
11
11
|
].freeze
|
|
12
12
|
end
|
|
13
13
|
end
|
|
@@ -23,11 +23,14 @@ module Doorkeeper
|
|
|
23
23
|
)
|
|
24
24
|
end
|
|
25
25
|
|
|
26
|
-
def access_token_expires_in(
|
|
27
|
-
if (
|
|
28
|
-
expiration
|
|
26
|
+
def access_token_expires_in(configuration, context)
|
|
27
|
+
if configuration.option_defined?(:custom_access_token_expires_in)
|
|
28
|
+
expiration = configuration.custom_access_token_expires_in.call(context)
|
|
29
|
+
return nil if expiration == Float::INFINITY
|
|
30
|
+
|
|
31
|
+
expiration || configuration.access_token_expires_in
|
|
29
32
|
else
|
|
30
|
-
|
|
33
|
+
configuration.access_token_expires_in
|
|
31
34
|
end
|
|
32
35
|
end
|
|
33
36
|
|
|
@@ -64,7 +67,7 @@ module Doorkeeper
|
|
|
64
67
|
{
|
|
65
68
|
controller: controller,
|
|
66
69
|
action: :show,
|
|
67
|
-
access_token: token.plaintext_token
|
|
70
|
+
access_token: token.plaintext_token,
|
|
68
71
|
}
|
|
69
72
|
end
|
|
70
73
|
|
|
@@ -77,7 +80,7 @@ module Doorkeeper
|
|
|
77
80
|
def controller
|
|
78
81
|
@controller ||= begin
|
|
79
82
|
mapping = Doorkeeper::Rails::Routes.mapping[:token_info] || {}
|
|
80
|
-
mapping[:controllers] ||
|
|
83
|
+
mapping[:controllers] || "doorkeeper/token_info"
|
|
81
84
|
end
|
|
82
85
|
end
|
|
83
86
|
end
|
|
@@ -43,8 +43,9 @@ module Doorkeeper
|
|
|
43
43
|
end
|
|
44
44
|
|
|
45
45
|
def validate_attributes
|
|
46
|
-
return false if grant
|
|
46
|
+
return false if grant&.uses_pkce? && code_verifier.blank?
|
|
47
47
|
return false if grant && !grant.pkce_supported? && !code_verifier.blank?
|
|
48
|
+
|
|
48
49
|
redirect_uri.present?
|
|
49
50
|
end
|
|
50
51
|
|
|
@@ -54,6 +55,7 @@ module Doorkeeper
|
|
|
54
55
|
|
|
55
56
|
def validate_grant
|
|
56
57
|
return false unless grant && grant.application_id == client.id
|
|
58
|
+
|
|
57
59
|
grant.accessible?
|
|
58
60
|
end
|
|
59
61
|
|
|
@@ -70,9 +72,9 @@ module Doorkeeper
|
|
|
70
72
|
return true unless grant.uses_pkce? || code_verifier
|
|
71
73
|
return false unless grant.pkce_supported?
|
|
72
74
|
|
|
73
|
-
if grant.code_challenge_method ==
|
|
75
|
+
if grant.code_challenge_method == "S256"
|
|
74
76
|
grant.code_challenge == AccessGrant.generate_code_challenge(code_verifier)
|
|
75
|
-
elsif grant.code_challenge_method ==
|
|
77
|
+
elsif grant.code_challenge_method == "plain"
|
|
76
78
|
grant.code_challenge == code_verifier
|
|
77
79
|
else
|
|
78
80
|
false
|
|
@@ -27,7 +27,7 @@ module Doorkeeper
|
|
|
27
27
|
{
|
|
28
28
|
error: name,
|
|
29
29
|
error_description: description,
|
|
30
|
-
state: state
|
|
30
|
+
state: state,
|
|
31
31
|
}.reject { |_, v| v.blank? }
|
|
32
32
|
end
|
|
33
33
|
|
|
@@ -54,10 +54,10 @@ module Doorkeeper
|
|
|
54
54
|
|
|
55
55
|
def headers
|
|
56
56
|
{
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
57
|
+
"Cache-Control" => "no-store",
|
|
58
|
+
"Pragma" => "no-cache",
|
|
59
|
+
"Content-Type" => "application/json; charset=utf-8",
|
|
60
|
+
"WWW-Authenticate" => authenticate_info,
|
|
61
61
|
}
|
|
62
62
|
end
|
|
63
63
|
|
|
@@ -5,7 +5,8 @@ module Doorkeeper
|
|
|
5
5
|
module Helpers
|
|
6
6
|
module UniqueToken
|
|
7
7
|
def self.generate(options = {})
|
|
8
|
-
# Access Token value must be 1*VSCHAR or
|
|
8
|
+
# Access Token value must be 1*VSCHAR or
|
|
9
|
+
# 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
|
|
9
10
|
#
|
|
10
11
|
# @see https://tools.ietf.org/html/rfc6749#appendix-A.12
|
|
11
12
|
# @see https://tools.ietf.org/html/rfc6750#section-2.1
|
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
|
-
|
|
2
|
+
|
|
3
|
+
require "ipaddr"
|
|
3
4
|
|
|
4
5
|
module Doorkeeper
|
|
5
6
|
module IPAddrLoopback
|
|
@@ -25,6 +26,7 @@ module Doorkeeper
|
|
|
25
26
|
module URIChecker
|
|
26
27
|
def self.valid?(url)
|
|
27
28
|
return true if native_uri?(url)
|
|
29
|
+
|
|
28
30
|
uri = as_uri(url)
|
|
29
31
|
uri.fragment.nil? && !uri.host.nil? && !uri.scheme.nil?
|
|
30
32
|
rescue URI::InvalidURIError
|
|
@@ -37,6 +39,7 @@ module Doorkeeper
|
|
|
37
39
|
|
|
38
40
|
unless client_url.query.nil?
|
|
39
41
|
return false unless query_matches?(url.query, client_url.query)
|
|
42
|
+
|
|
40
43
|
# Clear out queries so rest of URI can be tested. This allows query
|
|
41
44
|
# params to be in the request but order not mattering.
|
|
42
45
|
client_url.query = nil
|
|
@@ -70,8 +73,9 @@ module Doorkeeper
|
|
|
70
73
|
def self.query_matches?(query, client_query)
|
|
71
74
|
return true if client_query.blank? && query.blank?
|
|
72
75
|
return false if client_query.nil? || query.nil?
|
|
76
|
+
|
|
73
77
|
# Will return true independent of query order
|
|
74
|
-
client_query.split(
|
|
78
|
+
client_query.split("&").sort == query.split("&").sort
|
|
75
79
|
end
|
|
76
80
|
|
|
77
81
|
def self.native_uri?(url)
|