RubyGems - doorkeeper - Versions diffs - 5.1.0 → 5.2.0 - Mend

doorkeeper 5.1.0 → 5.2.0

Potentially problematic release.

This version of doorkeeper might be problematic. Click here for more details.

Files changed (103) hide show

checksums.yaml +4 -4
data/Appraisals +1 -1
data/CHANGELOG.md +843 -0
data/CONTRIBUTING.md +11 -9
data/Dangerfile +2 -2
data/Dockerfile +29 -0
data/Gemfile +2 -1
data/NEWS.md +1 -814
data/README.md +11 -3
data/RELEASING.md +6 -5
data/app/controllers/doorkeeper/application_controller.rb +1 -1
data/app/controllers/doorkeeper/application_metal_controller.rb +2 -1
data/app/controllers/doorkeeper/applications_controller.rb +2 -0
data/app/controllers/doorkeeper/authorizations_controller.rb +14 -7
data/app/controllers/doorkeeper/tokens_controller.rb +32 -9
data/app/views/doorkeeper/applications/_form.html.erb +0 -6
data/app/views/doorkeeper/applications/show.html.erb +1 -1
data/config/locales/en.yml +8 -2
data/doorkeeper.gemspec +9 -1
data/gemfiles/rails_5_0.gemfile +1 -0
data/gemfiles/rails_5_1.gemfile +1 -0
data/gemfiles/rails_5_2.gemfile +1 -0
data/gemfiles/rails_6_0.gemfile +2 -1
data/gemfiles/rails_master.gemfile +1 -0
data/lib/doorkeeper/config/option.rb +13 -7
data/lib/doorkeeper/config.rb +88 -6
data/lib/doorkeeper/errors.rb +13 -18
data/lib/doorkeeper/grape/helpers.rb +5 -1
data/lib/doorkeeper/helpers/controller.rb +20 -3
data/lib/doorkeeper/models/access_token_mixin.rb +43 -2
data/lib/doorkeeper/oauth/authorization/code.rb +11 -13
data/lib/doorkeeper/oauth/authorization/token.rb +1 -1
data/lib/doorkeeper/oauth/authorization_code_request.rb +18 -9
data/lib/doorkeeper/oauth/base_request.rb +2 -0
data/lib/doorkeeper/oauth/client_credentials/creator.rb +14 -0
data/lib/doorkeeper/oauth/client_credentials/validation.rb +8 -0
data/lib/doorkeeper/oauth/code_request.rb +5 -11
data/lib/doorkeeper/oauth/code_response.rb +2 -2
data/lib/doorkeeper/oauth/error_response.rb +1 -1
data/lib/doorkeeper/oauth/helpers/uri_checker.rb +18 -4
data/lib/doorkeeper/oauth/invalid_request_response.rb +43 -0
data/lib/doorkeeper/oauth/nonstandard.rb +39 -0
data/lib/doorkeeper/oauth/password_access_token_request.rb +7 -2
data/lib/doorkeeper/oauth/pre_authorization.rb +70 -37
data/lib/doorkeeper/oauth/refresh_token_request.rb +13 -10
data/lib/doorkeeper/oauth/token_introspection.rb +23 -13
data/lib/doorkeeper/oauth/token_request.rb +4 -18
data/lib/doorkeeper/orm/active_record/access_grant.rb +1 -1
data/lib/doorkeeper/orm/active_record/access_token.rb +2 -2
data/lib/doorkeeper/orm/active_record/application.rb +8 -2
data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb +61 -0
data/lib/doorkeeper/orm/active_record.rb +19 -3
data/lib/doorkeeper/request/authorization_code.rb +2 -0
data/lib/doorkeeper/request.rb +6 -11
data/lib/doorkeeper/server.rb +2 -6
data/lib/doorkeeper/stale_records_cleaner.rb +6 -2
data/lib/doorkeeper/version.rb +1 -1
data/lib/doorkeeper.rb +4 -0
data/lib/generators/doorkeeper/previous_refresh_token_generator.rb +6 -6
data/lib/generators/doorkeeper/templates/initializer.rb +110 -33
data/lib/generators/doorkeeper/templates/migration.rb.erb +4 -1
data/spec/controllers/applications_controller_spec.rb +93 -0
data/spec/controllers/authorizations_controller_spec.rb +140 -61
data/spec/controllers/protected_resources_controller_spec.rb +3 -3
data/spec/controllers/tokens_controller_spec.rb +205 -37
data/spec/dummy/config/application.rb +3 -1
data/spec/dummy/config/initializers/doorkeeper.rb +54 -9
data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +1 -1
data/spec/lib/config_spec.rb +43 -1
data/spec/lib/oauth/authorization_code_request_spec.rb +11 -1
data/spec/lib/oauth/base_request_spec.rb +33 -16
data/spec/lib/oauth/client_credentials/creator_spec.rb +3 -0
data/spec/lib/oauth/code_request_spec.rb +27 -28
data/spec/lib/oauth/helpers/uri_checker_spec.rb +17 -2
data/spec/lib/oauth/invalid_request_response_spec.rb +75 -0
data/spec/lib/oauth/pre_authorization_spec.rb +76 -66
data/spec/lib/oauth/refresh_token_request_spec.rb +1 -0
data/spec/lib/oauth/token_request_spec.rb +20 -17
data/spec/lib/server_spec.rb +0 -12
data/spec/requests/endpoints/authorization_spec.rb +21 -5
data/spec/requests/endpoints/token_spec.rb +1 -1
data/spec/requests/flows/authorization_code_errors_spec.rb +1 -0
data/spec/requests/flows/authorization_code_spec.rb +93 -27
data/spec/requests/flows/client_credentials_spec.rb +38 -0
data/spec/requests/flows/implicit_grant_errors_spec.rb +22 -10
data/spec/requests/flows/implicit_grant_spec.rb +9 -8
data/spec/requests/flows/password_spec.rb +37 -0
data/spec/requests/flows/refresh_token_spec.rb +1 -1
data/spec/requests/flows/revoke_token_spec.rb +19 -11
data/spec/support/doorkeeper_rspec.rb +1 -1
data/spec/support/helpers/request_spec_helper.rb +14 -2
data/spec/validators/redirect_uri_validator_spec.rb +40 -15
metadata +15 -13
data/.coveralls.yml +0 -1
data/.github/ISSUE_TEMPLATE.md +0 -25
data/.github/PULL_REQUEST_TEMPLATE.md +0 -17
data/.gitignore +0 -20
data/.gitlab-ci.yml +0 -16
data/.hound.yml +0 -3
data/.rspec +0 -1
data/.rubocop.yml +0 -50
data/.travis.yml +0 -35
data/app/validators/redirect_uri_validator.rb +0 -50

data/lib/generators/doorkeeper/templates/migration.rb.erb CHANGED Viewed

@@ -24,7 +24,7 @@ class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
       t.text     :redirect_uri,      null: false
       t.datetime :created_at,        null: false
       t.datetime :revoked_at
-      t.string   :scopes
+      t.string   :scopes,            null: false, default: ''
     end
     add_index :oauth_access_grants, :token, unique: true
@@ -36,6 +36,9 @@ class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
     create_table :oauth_access_tokens do |t|
       t.references :resource_owner, index: true
+      # Remove `null: false` if you are planning to use Password
+      # Credentials Grant flow that doesn't require an application.
       t.references :application,    null: false
       # If you use a custom token generator you may need to change this column

data/spec/controllers/applications_controller_spec.rb CHANGED Viewed

@@ -26,6 +26,10 @@ module Doorkeeper
         expect(json_response).to include("id", "name", "uid", "secret", "redirect_uri", "scopes")
+        application = Application.last
+        secret_from_response = json_response["secret"]
+        expect(application.secret_matches?(secret_from_response)).to be_truthy
         expect(json_response["name"]).to eq("Example")
         expect(json_response["redirect_uri"]).to eq("https://example.com")
       end
@@ -44,6 +48,21 @@ module Doorkeeper
         expect(json_response).to include("errors")
       end
+      it "returns validations on wrong create params (unspecified scheme)" do
+        expect do
+          post :create, params: {
+            doorkeeper_application: {
+              name: "Example",
+              redirect_uri: "app.com:80",
+            }, format: :json,
+          }
+        end.not_to(change { Doorkeeper::Application.count })
+        expect(response).to have_http_status(422)
+        expect(json_response).to include("errors")
+      end
       it "returns application info" do
         application = FactoryBot.create(:application, name: "Change me")
@@ -121,6 +140,72 @@ module Doorkeeper
     end
     context "when admin is authenticated" do
+      context "when application secrets are hashed" do
+        before do
+          allow(Doorkeeper.configuration).to receive(:application_secret_strategy).and_return(Doorkeeper::SecretStoring::Sha256Hash)
+        end
+        it "shows the application secret after creating a new application" do
+          expect do
+            post :create, params: {
+              doorkeeper_application: {
+                name: "Example",
+                redirect_uri: "https://example.com",
+              },
+            }
+          end.to change { Doorkeeper::Application.count }.by(1)
+          application = Application.last
+          secret_from_flash = flash[:application_secret]
+          expect(secret_from_flash).not_to be_empty
+          expect(application.secret_matches?(secret_from_flash)).to be_truthy
+          expect(response).to redirect_to(controller.main_app.oauth_application_url(application.id))
+          get :show, params: { id: application.id, format: :html }
+          # We don't know the application secret here (because its hashed) so we can not assert its text on the page
+          # Instead, we read it from the page and then check if it matches the application secret
+          code_element = %r{<code.*id="secret".*>(.*)<\/code>}.match(response.body)
+          secret_from_page = code_element[1]
+          expect(response.body).to have_selector("code#application_id", text: application.uid)
+          expect(response.body).to have_selector("code#secret")
+          expect(secret_from_page).not_to be_empty
+          expect(application.secret_matches?(secret_from_page)).to be_truthy
+        end
+        it "does not show an application secret when application did already exist" do
+          application = FactoryBot.create(:application)
+          get :show, params: { id: application.id, format: :html }
+          expect(response.body).to have_selector("code#application_id", text: application.uid)
+          expect(response.body).to have_selector("code#secret", text: "")
+        end
+        it "returns the application details in a json response" do
+          expect do
+            post :create, params: {
+              doorkeeper_application: {
+                name: "Example",
+                redirect_uri: "https://example.com",
+              }, format: :json,
+            }
+          end.to(change { Doorkeeper::Application.count })
+          expect(response).to be_successful
+          expect(json_response).to include("id", "name", "uid", "secret", "redirect_uri", "scopes")
+          application = Application.last
+          secret_from_response = json_response["secret"]
+          expect(application.secret_matches?(secret_from_response)).to be_truthy
+          expect(json_response["name"]).to eq("Example")
+          expect(json_response["redirect_uri"]).to eq("https://example.com")
+        end
+      end
       render_views
       before do
@@ -151,6 +236,14 @@ module Doorkeeper
         expect(response).to be_redirect
       end
+      it "shows application details" do
+        application = FactoryBot.create(:application)
+        get :show, params: { id: application.id, format: :html }
+        expect(response.body).to have_selector("code#application_id", text: application.uid)
+        expect(response.body).to have_selector("code#secret", text: application.plaintext_secret)
+      end
       it "does not allow mass assignment of uid or secret" do
         application = FactoryBot.create(:application)
         put :update, params: {

data/spec/controllers/authorizations_controller_spec.rb CHANGED Viewed

@@ -14,16 +14,14 @@ describe Doorkeeper::AuthorizationsController, "implicit grant flow" do
     end
   end
-  def translated_error_message(key)
-    I18n.translate key, scope: %i[doorkeeper errors messages]
-  end
   let(:client)        { FactoryBot.create :application }
   let(:user)          { User.create!(name: "Joe", password: "sekret") }
-  let(:access_token)  { FactoryBot.build :access_token, resource_owner_id: user.id, application_id: client.id }
+  let(:access_token)  { FactoryBot.build :access_token, resource_owner_id: user.id, application_id: client.id, scopes: "default" }
   before do
     Doorkeeper.configure do
+      default_scopes :default
       custom_access_token_expires_in(lambda do |context|
         context.grant_type == Doorkeeper::OAuth::IMPLICIT ? 1234 : nil
       end)
@@ -106,80 +104,146 @@ describe Doorkeeper::AuthorizationsController, "implicit grant flow" do
   end
   describe "POST #create with errors" do
-    before do
-      default_scopes_exist :public
+    context "when missing client_id" do
+      before do
+        post :create, params: {
+          client_id: "",
+          response_type: "token",
+          redirect_uri: client.redirect_uri,
+        }
+      end
-      post :create, params: {
-        client_id: client.uid,
-        response_type: "token",
-        scope: "invalid",
-        redirect_uri: client.redirect_uri,
-      }
-    end
+      let(:response_json_body) { JSON.parse(response.body) }
-    it "redirects after authorization" do
-      expect(response).to be_redirect
-    end
+      it "renders 400 error" do
+        expect(response.status).to eq 400
+      end
-    it "redirects to client redirect uri" do
-      expect(response.location).to match(/^#{client.redirect_uri}/)
-    end
+      it "includes error name" do
+        expect(response_json_body["error"]).to eq("invalid_request")
+      end
-    it "does not include access token in fragment" do
-      expect(response.query_params["access_token"]).to be_nil
-    end
+      it "includes error description" do
+        expect(response_json_body["error_description"]).to eq(
+          translated_invalid_request_error_message(:missing_param, :client_id)
+        )
+      end
-    it "includes error in fragment" do
-      expect(response.query_params["error"]).to eq("invalid_scope")
+      it "does not issue any access token" do
+        expect(Doorkeeper::AccessToken.all).to be_empty
+      end
     end
-    it "includes error description in fragment" do
-      expect(response.query_params["error_description"]).to eq(translated_error_message(:invalid_scope))
-    end
+    context "when other error happens" do
+      before do
+        default_scopes_exist :public
+        post :create, params: {
+          client_id: client.uid,
+          response_type: "token",
+          scope: "invalid",
+          redirect_uri: client.redirect_uri,
+        }
+      end
+      it "redirects after authorization" do
+        expect(response).to be_redirect
+      end
+      it "redirects to client redirect uri" do
+        expect(response.location).to match(/^#{client.redirect_uri}/)
+      end
+      it "does not include access token in fragment" do
+        expect(response.query_params["access_token"]).to be_nil
+      end
+      it "includes error in fragment" do
+        expect(response.query_params["error"]).to eq("invalid_scope")
+      end
+      it "includes error description in fragment" do
+        expect(response.query_params["error_description"]).to eq(translated_error_message(:invalid_scope))
+      end
-    it "does not issue any access token" do
-      expect(Doorkeeper::AccessToken.all).to be_empty
+      it "does not issue any access token" do
+        expect(Doorkeeper::AccessToken.all).to be_empty
+      end
     end
   end
   describe "POST #create in API mode with errors" do
-    before do
-      allow(Doorkeeper.configuration).to receive(:api_only).and_return(true)
-      default_scopes_exist :public
+    context "when missing client_id" do
+      before do
+        allow(Doorkeeper.configuration).to receive(:api_only).and_return(true)
-      post :create, params: {
-        client_id: client.uid,
-        response_type: "token",
-        scope: "invalid",
-        redirect_uri: client.redirect_uri,
-      }
-    end
+        post :create, params: {
+          client_id: "",
+          response_type: "token",
+          redirect_uri: client.redirect_uri,
+        }
+      end
-    let(:response_json_body) { JSON.parse(response.body) }
-    let(:redirect_uri) { response_json_body["redirect_uri"] }
+      let(:response_json_body) { JSON.parse(response.body) }
-    it "renders 400 error" do
-      expect(response.status).to eq 400
-    end
+      it "renders 400 error" do
+        expect(response.status).to eq 400
+      end
-    it "includes correct redirect URI" do
-      expect(redirect_uri).to match(/^#{client.redirect_uri}/)
-    end
+      it "includes error name" do
+        expect(response_json_body["error"]).to eq("invalid_request")
+      end
-    it "does not include access token in fragment" do
-      expect(redirect_uri.match(/access_token=([a-f0-9]+)&?/)).to be_nil
-    end
+      it "includes error description" do
+        expect(response_json_body["error_description"]).to eq(
+          translated_invalid_request_error_message(:missing_param, :client_id)
+        )
+      end
-    it "includes error in redirect uri" do
-      expect(redirect_uri.match(/error=([a-z_]+)&?/)[1]).to eq "invalid_scope"
+      it "does not issue any access token" do
+        expect(Doorkeeper::AccessToken.all).to be_empty
+      end
     end
-    it "includes error description in redirect uri" do
-      expect(redirect_uri.match(/error_description=(.+)&?/)[1]).to_not be_nil
-    end
+    context "when other error happens" do
+      before do
+        allow(Doorkeeper.configuration).to receive(:api_only).and_return(true)
+        default_scopes_exist :public
-    it "does not issue any access token" do
-      expect(Doorkeeper::AccessToken.all).to be_empty
+        post :create, params: {
+          client_id: client.uid,
+          response_type: "token",
+          scope: "invalid",
+          redirect_uri: client.redirect_uri,
+        }
+      end
+      let(:response_json_body) { JSON.parse(response.body) }
+      let(:redirect_uri) { response_json_body["redirect_uri"] }
+      it "renders 400 error" do
+        expect(response.status).to eq 400
+      end
+      it "includes correct redirect URI" do
+        expect(redirect_uri).to match(/^#{client.redirect_uri}/)
+      end
+      it "does not include access token in fragment" do
+        expect(redirect_uri.match(/access_token=([a-f0-9]+)&?/)).to be_nil
+      end
+      it "includes error in redirect uri" do
+        expect(redirect_uri.match(/error=([a-z_]+)&?/)[1]).to eq "invalid_scope"
+      end
+      it "includes error description in redirect uri" do
+        expect(redirect_uri.match(/error_description=(.+)&?/)[1]).to_not be_nil
+      end
+      it "does not issue any access token" do
+        expect(Doorkeeper::AccessToken.all).to be_empty
+      end
     end
   end
@@ -368,7 +432,7 @@ describe Doorkeeper::AuthorizationsController, "implicit grant flow" do
       expect(json_response["redirect_uri"]).to eq(client.redirect_uri)
       expect(json_response["state"]).to be_nil
       expect(json_response["response_type"]).to eq("token")
-      expect(json_response["scope"]).to eq("")
+      expect(json_response["scope"]).to eq("default")
     end
   end
@@ -445,12 +509,12 @@ describe Doorkeeper::AuthorizationsController, "implicit grant flow" do
     end
     it "includes error in body" do
-      expect(response_json_body["error"]).to eq("unsupported_response_type")
+      expect(response_json_body["error"]).to eq("invalid_request")
     end
     it "includes error description in body" do
       expect(response_json_body["error_description"])
-        .to eq(translated_error_message(:unsupported_response_type))
+        .to eq(translated_invalid_request_error_message(:missing_param, :client_id))
     end
     it "does not issue any token" do
@@ -513,6 +577,8 @@ describe Doorkeeper::AuthorizationsController, "implicit grant flow" do
   describe "authorize response memoization" do
     it "memoizes the result of the authorization" do
+      pre_auth = double(:pre_auth, authorizable?: true)
+      allow(controller).to receive(:pre_auth) { pre_auth }
       strategy = double(:strategy, authorize: true)
       expect(strategy).to receive(:authorize).once
       allow(controller).to receive(:strategy) { strategy }
@@ -524,4 +590,17 @@ describe Doorkeeper::AuthorizationsController, "implicit grant flow" do
       post :create
     end
   end
+  describe "strong parameters" do
+    it "ignores non-scalar scope parameter" do
+      get :new, params: {
+        client_id: client.uid,
+        response_type: "token",
+        redirect_uri: client.redirect_uri,
+        scope: { "0" => "profile" },
+      }
+      expect(response).to be_successful
+    end
+  end
 end

data/spec/controllers/protected_resources_controller_spec.rb CHANGED Viewed

@@ -166,7 +166,7 @@ describe "doorkeeper authorize filter" do
       it "it renders a custom JSON response", token: :invalid do
         get :index, params: { access_token: token_string }
         expect(response.status).to eq 401
-        expect(response.content_type).to eq("application/json")
+        expect(response.content_type).to include("application/json")
         expect(response.header["WWW-Authenticate"]).to match(/^Bearer/)
         expect(json_response).not_to be_nil
@@ -196,7 +196,7 @@ describe "doorkeeper authorize filter" do
       it "it renders a custom text response", token: :invalid do
         get :index, params: { access_token: token_string }
         expect(response.status).to eq 401
-        expect(response.content_type).to eq("text/plain")
+        expect(response.content_type).to include("text/plain")
         expect(response.header["WWW-Authenticate"]).to match(/^Bearer/)
         expect(response.body).to eq("Unauthorized")
       end
@@ -246,7 +246,7 @@ describe "doorkeeper authorize filter" do
       it "renders a custom JSON response" do
         get :index, params: { access_token: token_string }
         expect(response.header).to_not include("WWW-Authenticate")
-        expect(response.content_type).to eq("application/json")
+        expect(response.content_type).to include("application/json")
         expect(response.status).to eq 403
         expect(json_response).not_to be_nil