doorkeeper 5.1.0 → 5.5.0

data/spec/requests/flows/client_credentials_spec.rb

@@ -1,128 +0,0 @@
-# frozen_string_literal: true
-
-require "spec_helper"
-
-describe "Client Credentials Request" do
-  let(:client) { FactoryBot.create :application }
-
-  context "a valid request" do
-    it "authorizes the client and returns the token response" do
-      headers = authorization client.uid, client.secret
-      params  = { grant_type: "client_credentials" }
-
-      post "/oauth/token", params: params, headers: headers
-
-      should_have_json "access_token", Doorkeeper::AccessToken.first.token
-      should_have_json_within "expires_in", Doorkeeper.configuration.access_token_expires_in, 1
-      should_not_have_json "scope"
-      should_not_have_json "refresh_token"
-
-      should_not_have_json "error"
-      should_not_have_json "error_description"
-    end
-
-    context "with scopes" do
-      before do
-        optional_scopes_exist :write
-        default_scopes_exist :public
-      end
-
-      it "adds the scope to the token an returns in the response" do
-        headers = authorization client.uid, client.secret
-        params  = { grant_type: "client_credentials", scope: "write" }
-
-        post "/oauth/token", params: params, headers: headers
-
-        should_have_json "access_token", Doorkeeper::AccessToken.first.token
-        should_have_json "scope", "write"
-      end
-
-      context "that are default" do
-        it "adds the scope to the token an returns in the response" do
-          headers = authorization client.uid, client.secret
-          params  = { grant_type: "client_credentials", scope: "public" }
-
-          post "/oauth/token", params: params, headers: headers
-
-          should_have_json "access_token", Doorkeeper::AccessToken.first.token
-          should_have_json "scope", "public"
-        end
-      end
-
-      context "that are invalid" do
-        it "does not authorize the client and returns the error" do
-          headers = authorization client.uid, client.secret
-          params  = { grant_type: "client_credentials", scope: "random" }
-
-          post "/oauth/token", params: params, headers: headers
-
-          should_have_json "error", "invalid_scope"
-          should_have_json "error_description", translated_error_message(:invalid_scope)
-          should_not_have_json "access_token"
-
-          expect(response.status).to eq(400)
-        end
-      end
-    end
-  end
-
-  context "when application scopes contain some of the default scopes and no scope is passed" do
-    before do
-      client.update(scopes: "read write public")
-    end
-
-    it "issues new token with one default scope that are present in application scopes" do
-      default_scopes_exist :public
-
-      headers = authorization client.uid, client.secret
-      params  = { grant_type: "client_credentials" }
-
-      expect do
-        post "/oauth/token", params: params, headers: headers
-      end.to change { Doorkeeper::AccessToken.count }.by(1)
-
-      token = Doorkeeper::AccessToken.first
-
-      expect(token.application_id).to eq client.id
-      should_have_json "access_token", token.token
-      should_have_json "scope", "public"
-    end
-
-    it "issues new token with multiple default scopes that are present in application scopes" do
-      default_scopes_exist :public, :read, :update
-
-      headers = authorization client.uid, client.secret
-      params  = { grant_type: "client_credentials" }
-
-      expect do
-        post "/oauth/token", params: params, headers: headers
-      end.to change { Doorkeeper::AccessToken.count }.by(1)
-
-      token = Doorkeeper::AccessToken.first
-
-      expect(token.application_id).to eq client.id
-      should_have_json "access_token", token.token
-      should_have_json "scope", "public read"
-    end
-  end
-
-  context "an invalid request" do
-    it "does not authorize the client and returns the error" do
-      headers = {}
-      params  = { grant_type: "client_credentials" }
-
-      post "/oauth/token", params: params, headers: headers
-
-      should_have_json "error", "invalid_client"
-      should_have_json "error_description", translated_error_message(:invalid_client)
-      should_not_have_json "access_token"
-
-      expect(response.status).to eq(401)
-    end
-  end
-
-  def authorization(username, password)
-    credentials = ActionController::HttpAuthentication::Basic.encode_credentials username, password
-    { "HTTP_AUTHORIZATION" => credentials }
-  end
-end

data/spec/requests/flows/implicit_grant_errors_spec.rb

@@ -1,34 +0,0 @@
-# frozen_string_literal: true
-
-require "spec_helper"
-
-feature "Implicit Grant Flow Errors" do
-  background do
-    config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
-    config_is_set(:grant_flows, ["implicit"])
-    client_exists
-    create_resource_owner
-    sign_in
-  end
-
-  after do
-    access_token_should_not_exist
-  end
-
-  [
-    %i[client_id invalid_client],
-    %i[redirect_uri invalid_redirect_uri],
-  ].each do |error|
-    scenario "displays #{error.last} error for invalid #{error.first}" do
-      visit authorization_endpoint_url(client: @client, error.first => "invalid", response_type: "token")
-      i_should_not_see "Authorize"
-      i_should_see_translated_error_message error.last
-    end
-
-    scenario "displays #{error.last} error when #{error.first} is missing" do
-      visit authorization_endpoint_url(client: @client, error.first => "", response_type: "token")
-      i_should_not_see "Authorize"
-      i_should_see_translated_error_message error.last
-    end
-  end
-end

data/spec/requests/flows/implicit_grant_spec.rb

@@ -1,90 +0,0 @@
-# frozen_string_literal: true
-
-require "spec_helper"
-
-feature "Implicit Grant Flow (feature spec)" do
-  background do
-    config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
-    config_is_set(:grant_flows, ["implicit"])
-    client_exists
-    create_resource_owner
-    sign_in
-  end
-
-  scenario "resource owner authorizes the client" do
-    visit authorization_endpoint_url(client: @client, response_type: "token")
-    click_on "Authorize"
-
-    access_token_should_exist_for @client, @resource_owner
-
-    i_should_be_on_client_callback @client
-  end
-
-  context "when application scopes are present and no scope is passed" do
-    background do
-      @client.update(scopes: "public write read")
-    end
-
-    scenario "access token has no scopes" do
-      default_scopes_exist :admin
-      visit authorization_endpoint_url(client: @client, response_type: "token")
-      click_on "Authorize"
-      access_token_should_exist_for @client, @resource_owner
-      token = Doorkeeper::AccessToken.first
-      expect(token.scopes).to be_empty
-    end
-
-    scenario "access token has scopes which are common in application scopees and default scopes" do
-      default_scopes_exist :public, :write
-      visit authorization_endpoint_url(client: @client, response_type: "token")
-      click_on "Authorize"
-      access_token_should_exist_for @client, @resource_owner
-      access_token_should_have_scopes :public, :write
-    end
-  end
-end
-
-describe "Implicit Grant Flow (request spec)" do
-  before do
-    config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
-    config_is_set(:grant_flows, ["implicit"])
-    client_exists
-    create_resource_owner
-  end
-
-  context "token reuse" do
-    it "should return a new token each request" do
-      allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(false)
-
-      token = client_is_authorized(@client, @resource_owner)
-
-      post "/oauth/authorize",
-           params: {
-             client_id: @client.uid,
-             state: "",
-             redirect_uri: @client.redirect_uri,
-             response_type: "token",
-             commit: "Authorize",
-           }
-
-      expect(response.location).not_to include(token.token)
-    end
-
-    it "should return the same token if it is still accessible" do
-      allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
-
-      token = client_is_authorized(@client, @resource_owner)
-
-      post "/oauth/authorize",
-           params: {
-             client_id: @client.uid,
-             state: "",
-             redirect_uri: @client.redirect_uri,
-             response_type: "token",
-             commit: "Authorize",
-           }
-
-      expect(response.location).to include(token.token)
-    end
-  end
-end

data/spec/requests/flows/password_spec.rb

@@ -1,259 +0,0 @@
-# frozen_string_literal: true
-
-require "spec_helper"
-
-describe "Resource Owner Password Credentials Flow not set up" do
-  before do
-    client_exists
-    create_resource_owner
-  end
-
-  context "with valid user credentials" do
-    it "does not issue new token" do
-      expect do
-        post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-      end.to_not(change { Doorkeeper::AccessToken.count })
-    end
-  end
-end
-
-describe "Resource Owner Password Credentials Flow" do
-  let(:client_attributes) { { redirect_uri: nil } }
-
-  before do
-    config_is_set(:grant_flows, ["password"])
-    config_is_set(:resource_owner_from_credentials) { User.authenticate! params[:username], params[:password] }
-    client_exists(client_attributes)
-    create_resource_owner
-  end
-
-  context "with valid user credentials" do
-    context "with non-confidential/public client" do
-      let(:client_attributes) { { confidential: false } }
-
-      context "when client_secret absent" do
-        it "should issue new token" do
-          expect do
-            post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
-          end.to change { Doorkeeper::AccessToken.count }.by(1)
-
-          token = Doorkeeper::AccessToken.first
-
-          expect(token.application_id).to eq @client.id
-          should_have_json "access_token", token.token
-        end
-      end
-
-      context "when client_secret present" do
-        it "should issue new token" do
-          expect do
-            post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-          end.to change { Doorkeeper::AccessToken.count }.by(1)
-
-          token = Doorkeeper::AccessToken.first
-
-          expect(token.application_id).to eq @client.id
-          should_have_json "access_token", token.token
-        end
-
-        context "when client_secret incorrect" do
-          it "should not issue new token" do
-            expect do
-              post password_token_endpoint_url(
-                client_id: @client.uid,
-                client_secret: "foobar",
-                resource_owner: @resource_owner
-              )
-            end.not_to(change { Doorkeeper::AccessToken.count })
-
-            expect(response.status).to eq(401)
-            should_have_json "error", "invalid_client"
-          end
-        end
-      end
-    end
-
-    context "with confidential/private client" do
-      it "should issue new token" do
-        expect do
-          post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-        end.to change { Doorkeeper::AccessToken.count }.by(1)
-
-        token = Doorkeeper::AccessToken.first
-
-        expect(token.application_id).to eq @client.id
-        should_have_json "access_token", token.token
-      end
-
-      context "when client_secret absent" do
-        it "should not issue new token" do
-          expect do
-            post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
-          end.not_to(change { Doorkeeper::AccessToken.count })
-
-          expect(response.status).to eq(401)
-          should_have_json "error", "invalid_client"
-        end
-      end
-    end
-
-    it "should issue new token without client credentials" do
-      expect do
-        post password_token_endpoint_url(resource_owner: @resource_owner)
-      end.to(change { Doorkeeper::AccessToken.count }.by(1))
-
-      token = Doorkeeper::AccessToken.first
-
-      expect(token.application_id).to be_nil
-      should_have_json "access_token", token.token
-    end
-
-    it "should issue a refresh token if enabled" do
-      config_is_set(:refresh_token_enabled, true)
-
-      post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-
-      token = Doorkeeper::AccessToken.first
-
-      should_have_json "refresh_token", token.refresh_token
-    end
-
-    it "should return the same token if it is still accessible" do
-      allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
-
-      client_is_authorized(@client, @resource_owner)
-
-      post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-
-      expect(Doorkeeper::AccessToken.count).to be(1)
-      should_have_json "access_token", Doorkeeper::AccessToken.first.token
-    end
-
-    context "with valid, default scope" do
-      before do
-        default_scopes_exist :public
-      end
-
-      it "should issue new token" do
-        expect do
-          post password_token_endpoint_url(client: @client, resource_owner: @resource_owner, scope: "public")
-        end.to change { Doorkeeper::AccessToken.count }.by(1)
-
-        token = Doorkeeper::AccessToken.first
-
-        expect(token.application_id).to eq @client.id
-        should_have_json "access_token", token.token
-        should_have_json "scope", "public"
-      end
-    end
-  end
-
-  context "when application scopes are present and differs from configured default scopes and no scope is passed" do
-    before do
-      default_scopes_exist :public
-      @client.update(scopes: "abc")
-    end
-
-    it "issues new token without any scope" do
-      expect do
-        post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-      end.to change { Doorkeeper::AccessToken.count }.by(1)
-
-      token = Doorkeeper::AccessToken.first
-
-      expect(token.application_id).to eq @client.id
-      expect(token.scopes).to be_empty
-      should_have_json "access_token", token.token
-      should_not_have_json "scope"
-    end
-  end
-
-  context "when application scopes contain some of the default scopes and no scope is passed" do
-    before do
-      @client.update(scopes: "read write public")
-    end
-
-    it "issues new token with one default scope that are present in application scopes" do
-      default_scopes_exist :public, :admin
-
-      expect do
-        post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-      end.to change { Doorkeeper::AccessToken.count }.by(1)
-
-      token = Doorkeeper::AccessToken.first
-
-      expect(token.application_id).to eq @client.id
-      should_have_json "access_token", token.token
-      should_have_json "scope", "public"
-    end
-
-    it "issues new token with multiple default scopes that are present in application scopes" do
-      default_scopes_exist :public, :read, :update
-
-      expect do
-        post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-      end.to change { Doorkeeper::AccessToken.count }.by(1)
-
-      token = Doorkeeper::AccessToken.first
-
-      expect(token.application_id).to eq @client.id
-      should_have_json "access_token", token.token
-      should_have_json "scope", "public read"
-    end
-  end
-
-  context "with invalid scopes" do
-    subject do
-      post password_token_endpoint_url(client: @client,
-                                       resource_owner: @resource_owner,
-                                       scope: "random")
-    end
-
-    it "should not issue new token" do
-      expect { subject }.to_not(change { Doorkeeper::AccessToken.count })
-    end
-
-    it "should return invalid_scope error" do
-      subject
-      should_have_json "error", "invalid_scope"
-      should_have_json "error_description", translated_error_message(:invalid_scope)
-      should_not_have_json "access_token"
-
-      expect(response.status).to eq(400)
-    end
-  end
-
-  context "with invalid user credentials" do
-    it "should not issue new token with bad password" do
-      expect do
-        post password_token_endpoint_url(client: @client,
-                                         resource_owner_username: @resource_owner.name,
-                                         resource_owner_password: "wrongpassword")
-      end.to_not(change { Doorkeeper::AccessToken.count })
-    end
-
-    it "should not issue new token without credentials" do
-      expect do
-        post password_token_endpoint_url(client: @client)
-      end.to_not(change { Doorkeeper::AccessToken.count })
-    end
-  end
-
-  context "with invalid confidential client credentials" do
-    it "should not issue new token with bad client credentials" do
-      expect do
-        post password_token_endpoint_url(client_id: @client.uid,
-                                         client_secret: "bad_secret",
-                                         resource_owner: @resource_owner)
-      end.to_not(change { Doorkeeper::AccessToken.count })
-    end
-  end
-
-  context "with invalid public client id" do
-    it "should not issue new token with bad client id" do
-      expect do
-        post password_token_endpoint_url(client_id: "bad_id", resource_owner: @resource_owner)
-      end.to_not(change { Doorkeeper::AccessToken.count })
-    end
-  end
-end