doorkeeper 5.1.0 → 5.5.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d8ea67fd14f902f63a276aed1f57a134c39fa02322d4b1f114571e2a90310ead
-  data.tar.gz: 44f9f0b886117c6dabe6a09c236107ba6b8c3469b40526a4f6c10f2e4b3e8eac
+  metadata.gz: '08f9f8fec2b33300cb7ed4a09ff5682330698f51515404339a1ef40621f1d0d0'
+  data.tar.gz: 6d53afbc73dfdb731b0641575ffd7156ad3a74e11452654a99a1f24ad7f1093f
 SHA512:
-  metadata.gz: 2aa8f4fbe445a84f98035e8ebeb99e715860fb7d29637d8e6cca994bf18a9ba7c051d38fda66829a5dd260f93ee74ff9f6f6d863e610203fa690da7b698b7da1
-  data.tar.gz: 5d474565c95e341b7b4773a7c1e2a782fa1bc27c4f22874428db52ceb4df10ccbb342420ba5266ba0d779380d42df3576f56449d390ecbf795e4deee50bdaff4
+  metadata.gz: 345be4d8d397eacb61d21a749b0c8e1fe38a9f6f2868c14a76006a2cc0686c6e192b9828e7f37df39f83f80c69a4a8394191f9d28691db43616f47f52b2505bb
+  data.tar.gz: 4c96d9ad3d31305f1fb9fc135de3ee5a4e187a38f317307da6d83fc8dabe265dab741c52f25d7f907930a195918b1713aa3db6495b37626a2cfe5fe621f9e240

data/{NEWS.md → CHANGELOG.md}

@@ -1,17 +1,237 @@
-# News
+# Changelog
 
 See https://github.com/doorkeeper-gem/doorkeeper/wiki/Migration-from-old-versions for
 upgrade guides.
 
 User-visible changes worth mentioning.
 
-## master
+## main
+
+- [#PR ID] Add your PR description here.
+
+## 5.5.1
+
+- [#1496] Revoke `old_refresh_token` if `previous_refresh_token` is present.
+- [#1495] Fix `respond_to` undefined in API-only mode 
+- [#1488] Verify client authentication for Resource Owner Password Grant when
+  `config.skip_client_authentication_for_password_grant` is set and the client credentials
+  are sent in a HTTP Basic auth header.
+
+## 5.5.0
+
+- [#1482] Simplify `TokenInfoController` to be overridable (extract response rendering).
+- [#1478] Fix ownership association and Rake tasks when custom models configured.
+- [#1477] Respect `ActiveRecord::Base.pluralize_table_names` for Doorkeeper table names.
+
+## 5.5.0.rc2
+
+- [#1473] Enable `Applications` and `AuthorizedApplications` controllers in API mode.
+  
+  **[IMPORTANT]** you can still skip these controllers using `skip_controllers` in 
+    `use_doorkeeper` inside `routes.rb`. Please do it in case you don't need them.
+  
+- [#1472] Fix `establish_connection` configuration for custom defined models.
+- [#1471] Add support for Ruby 3.0.
+- [#1469] Check if `redirect_uri` exists.
+- [#1465] Memoize nil doorkeeper_token.
+- [#1459] Use built-in Ruby option to remove padding in PKCE code challenge value.
+- [#1457] Make owner_id a bigint for newly-generated owner migrations
+- [#1452] Empty previous_refresh_token only if present.
+- [#1440] Validate empty host in redirect_uri.
+- [#1438] Add form post response mode.
+- [#1458] Make `config.skip_client_authentication_for_password_grant` a long term configuration option.
+
+## 5.5.0.rc1
+
+- [#1435] Make error response not redirectable when client is unauthorized
+- [#1426] Ensure ActiveRecord callbacks are executed on token revocation.
+- [#1407] Remove redundant and complex to support helpers froms tests (`should_have_json`, etc).
+- [#1416] Don't add introspection route if token introspection completely disabled.
+- [#1410] Properly memoize `current_resource_owner` value (consider `nil` and `false` values).
+- [#1415] Ignore PKCE params for non-PKCE grants.
+- [#1418] Add ability to register custom OAuth Grant Flows.
+- [#1420] Require client authentication for Resource Owner Password Grant as stated in OAuth RFC.
+
+  **[IMPORTANT]** you need to create a new OAuth client (`Doorkeeper::Application`) if you didn't
+    have it before and use client credentials in HTTP Basic auth if you previously used this grant
+    flow without client authentication. To opt out of this you could set the
+    `skip_client_authentication_for_password_grant` configuration option to `true`, but note that
+    this is in violation of the OAuth spec and represents a security risk.
+    All the users of your provider application now need to include client credentials when they use
+    this grant flow.
 
-- [#PR] Add your PR description here.
+- [#1421] Add Resource Owner instance to authorization hook context for `custom_access_token_expires_in`
+  configuration option to allow resource owner based Access Tokens TTL.
+
+## 5.4.0
+
+- [#1404] Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.4.0.rc2
+
+- [#1371] Add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
+
+  **[IMPORTANT]** you need to re-implement `#as_json` method for Doorkeeper Application model
+  if you previously used `#to_json` serialization with custom options or attributes or rely on
+  JSON response from /oauth/applications.json or /oauth/authorized_applications.json. This change
+  is a breaking change which restricts serialized attributes to a very small set of columns.
+
+- [#1395] Fix `NameError: uninitialized constant Doorkeeper::AccessToken` for Rake tasks.
+- [#1397] Add `as: :doorkeeper_application` on Doorkeeper application form in order to support
+  custom configured application model.
+- [#1400] Correctly yield the application instance to `allow_grant_flow_for_client?` config
+  option (fixes #1398).
+- [#1402] Handle trying authorization with client credentials.
+
+## 5.4.0.rc1
+- [#1366] Sets expiry of token generated using `refresh_token` to that of original token. (Fixes #1364)
+- [#1354] Add `authorize_resource_owner_for_client` option to authorize the calling user to access an application.
+- [#1355] Allow to enable polymorphic Resource Owner association for Access Token & Grant
+  models (`use_polymorphic_resource_owner` configuration option).
+
+  **[IMPORTANT]** Review your custom patches or extensions for Doorkeeper internals if you
+  have such - since now Doorkeeper passes Resource Owner instance to every objects and not
+  just it's ID. See PR description for details.
+
+- [#1356] Remove duplicated scopes from Access Tokens and Grants on attribute assignment.
+- [#1357] Fix `Doorkeeper::OAuth::PreAuthorization#as_json` method causing
+  `Stack level too deep` error with AMS (fix #1312).
+- [#1358] Deprecate `active_record_options` configuration option.
+- [#1359] Refactor Doorkeeper configuration options DSL to make it easy to reuse it
+  in external extensions.
+- [#1360] Increase `matching_token_for` lookup size to 10 000 and make it configurable.
+- [#1371] Fix controllers to use valid classes in case Doorkeeper has custom models configured.
+- [#1370] Fix revocation response for invalid token and unauthorized requests to conform with RFC 7009 (fixes #1362).
+
+  **[IMPORTANT]** now fully according to RFC 7009 nobody can do a revocation request without `client_id`
+  (for public clients) and `client_secret` (for private clients). Please update your apps to include that
+  info in the revocation request payload.
+
+- [#1373] Make Doorkeeper routes mapper reusable in extensions.
+- [#1374] Revoke and issue client credentials token in a transaction with a row lock.
+- [#1384] Add context object with auth/pre_auth and issued_token for authorization hooks.
+- [#1387] Add `AccessToken#create_for` and use in `RefreshTokenRequest`.
+- [#1392] Fix `enable_polymorphic_resource_owner` migration template to have proper index name.
+- [#1393] Improve Applications #show page with more informative data on client secret and scopes.
+- [#1394] Use Ruby `autoload` feature to load Doorkeeper files.
+
+## 5.3.3
+
+- [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.3.2
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
+
+## 5.3.1
+
+- [#1360] Backport: Increase `matching_token_for` batch lookup size to 10 000 and make it configurable.
+
+## 5.3.0
+
+- [#1339] Validate Resource Owner in `PasswordAccessTokenRequest` against `nil` and `false` values.
+- [#1341] Fix `refresh_token_revoked_on_use` with `hash_token_secrets` enabled.
+- [#1343] Fix ruby 2.7 kwargs warning in InvalidTokenResponse.
+- [#1345] Allow to set custom classes for Doorkeeper models, extract reusable AR mixins.
+- [#1346] Refactor `Doorkeeper::Application#to_json` into convenient `#as_json` (fix #1344).
+- [#1349] Fix `Doorkeeper::Application` AR associations using an incorrect foreign key name when using a custom class.
+- [#1318] Make existing token revocation for client credentials optional and disable it by default.
+
+  **[IMPORTANT]** This is a change compared to the behaviour of version 5.2.
+  If you were relying on access tokens being revoked once the same client
+  requested a new access token, reenable it with `revoke_previous_client_credentials_token` in Doorkeeper
+  initialization file.
+
+## 5.2.6
+
+- [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.2.5
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
+
+## 5.2.4
+
+- [#1360] Backport: Increase `matching_token_for` batch lookup size to 10 000 and make it configurable.
+
+## 5.2.3
+
+- [#1334] Remove `application_secret` flash helper and `redirect_to` keyword.
+- [#1331] Move redirect_uri_validator to where it is used (`Application` model).
+- [#1326] Move response_type check in pre_authorization to a method to be easily to override.
+- [#1329] Fix `find_in_batches` order warning.
+
+## 5.2.2
+
+- [#1320] Call configured `authenticate_resource_owner` method once per request.
+- [#1315] Allow generation of new secret with `Doorkeeper::Application#renew_secret`.
+- [#1309] Allow `Doorkeeper::Application#to_json` to work without arguments.
+
+## 5.2.1
+
+- [#1308] Fix flash types for `api_only` mode (no flashes for `ActionController::API`).
+- [#1306] Fix interpolation of `missing_param` I18n.
+
+## 5.2.0
+
+- [#1305] Make `Doorkeeper::ApplicationController` to inherit from `ActionController::API` in cases
+  when `api_mode` enabled (fixes #1302).
+
+## 5.2.0.rc3
+
+- [#1298] Slice strong params so doesn't error with Rails forms.
+- [#1300] Limiting access to attributes of pre_authorization.
+- [#1296] Adding client_id to strong parameters.
+
+  **[IMPORTANT]** `Doorkeeper::Server#client_via_uid` was removed.
+
+- [#1293] Move ar specific redirect uri validator to ar orm directory.
+- [#1288] Allow to pass attributes to the `Doorkeeper::OAuth::PreAuthorization#as_json` method to customize
+  the PreAuthorization response.
+- [#1286] Add ability to customize grant flows per application (OAuth client) (#1245 , #1207)
+- [#1283] Allow to customize base class for `Doorkeeper::ApplicationMetalController` (new configuration
+  option called `base_metal_controller` (fix #1273).
+- [#1277] Prevent requested scope be empty on authorization request, handle and add description for invalid request.
+
+## 5.2.0.rc2
+
+- [#1270] Find matching tokens in batches for `reuse_access_token` option (fix #1193).
+- [#1271] Reintroduce existing token revocation for client credentials.
+
+  **[IMPORTANT]** If you rely on being able to fetch multiple access tokens from the same
+  client using client credentials flow, you should skip to version 5.3, where this behaviour
+  is deactivated by default.
+
+- [#1269] Update initializer template documentation.
+- [#1266] Use strong parameters within pre-authorization.
+- [#1264] Add :before_successful_authorization and :after_successful_authorization hooks in TokensController
+- [#1263] Response properly when introspection fails and fix configurations's user guide.
+
+## 5.2.0.rc1
+
+- [#1260], [#1262] Improve Token Introspection configuration option (access to tokens, client).
+- [#1257] Add constraint configuration when using client authentication on introspection endpoint.
+- [#1252] Returning `unauthorized` when the revocation of the token should not be performed due to wrong permissions.
+- [#1249] Specify case sensitive uniqueness to remove Rails 6 deprecation message
+- [#1248] Display the Application Secret in HTML after creating a new application even when `hash_application_secrets` is used.
+- [#1248] Return the unhashed Application Secret in the JSON response after creating new application even when `hash_application_secrets` is used.
+- [#1238] Better support for native app with support for custom scheme and localhost redirection.
+
+## 5.1.2
+
+- [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.1.1
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
 
 ## 5.1.0
 
-- [#1243]: Add nil check operator in token checking at token introspection.
+- [#1243] Add nil check operator in token checking at token introspection.
 - [#1241] Explaining foreign key options for resource owner in a single place
 - [#1237] Allow to set blank redirect URI if Doorkeeper configured to use redirect URI-less grant flows.
 - [#1234] Fix `StaleRecordsCleaner` to properly work with big amount of records.
@@ -25,9 +245,9 @@ User-visible changes worth mentioning.
 
 - [#1208] Unify hashing implementation into secret storing strategies
 
-  **[IMPORTANT]**: If you have been using the master branch of doorkeeper with bcrypt in your Gemfile.lock,
+  **[IMPORTANT]** If you have been using the master branch of doorkeeper with bcrypt in your Gemfile.lock,
   your application secrets have been hashed using BCrypt. To restore this behavior, use the initializer option
-  `use_application_hashing using: 'Doorkeeper::SecretStoring::BCrypt`.
+  `hash_application_secrets using: 'Doorkeeper::SecretStoring::BCrypt`.
 
 - [#1216] Add nil check to `expires_at` method.
 - [#1215] Fix deprecates for Rails 6.
@@ -52,7 +272,7 @@ User-visible changes worth mentioning.
   token value validations, or you are using database with case-insensitive WHERE clause like MySQL
   (you can face some collisions). Before this change access token value matched `[a-f0-9]` regex, and now
   it matches `[a-zA-Z0-9\-_]`. In case you have such restrictions and your don't use custom token generator
-  please change configuration option `default_generator_method ` to `:hex`.
+  please change configuration option `default_generator_method` to `:hex`.
 
 - [#1195] Allow to customize Token Introspection response (fixes #1194).
 - [#1189] Option to set `token_reuse_limit`.
@@ -70,6 +290,11 @@ User-visible changes worth mentioning.
 - [#1164] Fix error when `root_path` is not defined.
 - [#1162] Fix `enforce_content_type` for requests without body.
 
+## 5.0.3
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
+
 ## 5.0.2
 
 - [#1158] Fix initializer template: change `handle_auth_errors` option
@@ -121,9 +346,9 @@ User-visible changes worth mentioning.
   either public or private/confidential
 
   **[IMPORTANT]**: all the applications (clients) now are considered as private by default.
-    You need to manually change `confidential` column to `false` if you are using public clients,
-    in other case your mobile (or other) applications will not be able to authorize.
-    See [#1142](https://github.com/doorkeeper-gem/doorkeeper/issues/1142) for more details.
+  You need to manually change `confidential` column to `false` if you are using public clients,
+  in other case your mobile (or other) applications will not be able to authorize.
+  See [#1142](https://github.com/doorkeeper-gem/doorkeeper/issues/1142) for more details.
 
 - [#1010] Add configuration to enforce configured scopes (`default_scopes` and
   `optional_scopes`) for applications
@@ -148,7 +373,6 @@ User-visible changes worth mentioning.
 - [#1143] Adds a config option `opt_out_native_route_change` to opt out of the breaking api
   changed introduced in https://github.com/doorkeeper-gem/doorkeeper/pull/1003
 
-
 ## 4.4.2
 
 - [#1130] Backport fix for native redirect_uri from 5.x.
@@ -228,7 +452,7 @@ User-visible changes worth mentioning.
 ## 4.2.0
 
 - Security fix: Address CVE-2016-6582, implement token revocation according to
-    spec (tokens might not be revoked if client follows the spec).
+  spec (tokens might not be revoked if client follows the spec).
 - [#873] Add hooks to Doorkeeper::ApplicationMetalController
 - [#871] Allow downstream users to better utilize doorkeeper spec factories by
   eliminating name conflict on `:user` factory.
@@ -262,6 +486,7 @@ User-visible changes worth mentioning.
   ```
   rails generate doorkeeper:previous_refresh_token
   ```
+
 - [#811] Toughen parameters filter with exact match
 - [#813] Applications admin bugfix
 - [#799] Fix Ruby Warnings
@@ -355,11 +580,10 @@ User-visible changes worth mentioning.
 - Removes `doorkeeper_for` deprecation notice.
 - Remove `applications.scopes` upgrade notice.
 
-
 ## 2.2.2
 
 - [#541] Fixed `undefined method attr_accessible` problem on Rails 4
-    (happens only when ProtectedAttributes gem is used) in #599
+  (happens only when ProtectedAttributes gem is used) in #599
 
 ## 2.2.1
 
@@ -378,7 +602,6 @@ User-visible changes worth mentioning.
 - [#627] i18n fallbacks to english
 - Moved CHANGELOG to NEWS.md
 
-
 ## 2.1.4 - 2015-03-27
 
 - [#595] HTTP spec: Add `scope` for refresh token scope param
@@ -386,12 +609,10 @@ User-visible changes worth mentioning.
 - [#567] Add Grape helpers for easier integration with Grape framework
 - [#606] Add custom access token expiration support for Client Credentials flow
 
-
 ## 2.1.3 - 2015-03-01
 
 - [#588] Fixes scopes_match? bug that skipped authorization form in some cases
 
-
 ## 2.1.2 - 2015-02-25
 
 - [#574] Remove unused update authorization route.
@@ -400,17 +621,15 @@ User-visible changes worth mentioning.
 - [#583] Database connection bugfix in certain scenarios.
 - Testing improvements
 
-
 ## 2.1.1 - 2015-02-06
 
 - Remove `wildcard_redirect_url` option
 - [#481] Customize token flow OAuth expirations with a config lambda
 - [#568] TokensController: Memoize strategy.authorize_response result to enable
-    subclasses to use the response object.
+  subclasses to use the response object.
 - [#571] Fix database initialization issues in some configurations.
 - Documentation improvements
 
-
 ## 2.1.0 - 2015-01-13
 
 - [#540] Include `created_at` in response.
@@ -430,12 +649,10 @@ User-visible changes worth mentioning.
   Disables implicit and password grant flows by default.
 - [#510, #544, 722113f] Revoked refresh token response bugfix.
 
-
 ## 2.0.1 - 2014-12-17
 
 - [#525, #526, #527] Fix `ActiveRecord::NoDatabaseError` on gem load.
 
-
 ## 2.0.0 - 2014-12-16
 
 ### Backward incompatible changes
@@ -569,7 +786,7 @@ User-visible changes worth mentioning.
     tokens for an application/owner instead of deleting them.
   - [#333] Rails 4.1 support
 - internals
-  - Removes jQuery dependency [fixes #300] [PR #312 is related]
+  - Removes jQuery dependency [fixes #300][pr #312 is related]
   - [#294] Client uid and secret will be generated only if not present.
   - [#316] Test warnings addressed.
   - [#338] Rspec 3 syntax.
@@ -687,7 +904,7 @@ Official support for rubinius was removed.
   - Add support for mongoid
   - [#78, #128, #137, #138] Application Ownership
   - [#92] Allow users to skip controllers
-  - [#99] Remove deprecated warnings for data-* attributes [@towerhe](https://github.com/towerhe)
+  - [#99] Remove deprecated warnings for data-\* attributes [@towerhe](https://github.com/towerhe)
   - [#101] Return existing access_token for PasswordAccessTokenRequest [@benoist](https://github.com/benoist)
   - [#104] Changed access token scopes example code to default_scopes and optional_scopes [@amkirwan](https://github.com/amkirwan)
   - [#107] Fix typos in initializer
@@ -749,7 +966,7 @@ Official support for rubinius was removed.
   - [#50] Fix typos [@tomekw](https://github.com/tomekw)
   - [#51] Updated the factory_girl_rails dependency, fix expires_in response which returned a float number instead of integer [@antekpiechnik](https://github.com/antekpiechnik)
   - [#62] Typos, .gitignore [@jaimeiniesta](https://github.com/jaimeiniesta)
-  - [#65] Change _path redirections to _url redirections [@jaimeiniesta](https://github.com/jaimeiniesta)
+  - [#65] Change \_path redirections to \_url redirections [@jaimeiniesta](https://github.com/jaimeiniesta)
   - [#75] Fix unknown method #authenticate_admin! [@mattgreen](https://github.com/mattgreen)
   - Remove application link in authorized app view
 

data/README.md

@@ -1,12 +1,12 @@
 # Doorkeeper — awesome OAuth 2 provider for your Rails / Grape app.
 
 [![Gem Version](https://badge.fury.io/rb/doorkeeper.svg)](https://rubygems.org/gems/doorkeeper)
-[![Build Status](https://travis-ci.org/doorkeeper-gem/doorkeeper.svg?branch=master)](https://travis-ci.org/doorkeeper-gem/doorkeeper)
+[![Build Status](https://travis-ci.org/doorkeeper-gem/doorkeeper.svg?branch=main)](https://travis-ci.org/doorkeeper-gem/doorkeeper)
 [![Code Climate](https://codeclimate.com/github/doorkeeper-gem/doorkeeper.svg)](https://codeclimate.com/github/doorkeeper-gem/doorkeeper)
-[![Coverage Status](https://coveralls.io/repos/github/doorkeeper-gem/doorkeeper/badge.svg?branch=master)](https://coveralls.io/github/doorkeeper-gem/doorkeeper?branch=master)
-[![Security](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master.svg)](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master)
+[![Coverage Status](https://coveralls.io/repos/github/doorkeeper-gem/doorkeeper/badge.svg?branch=main)](https://coveralls.io/github/doorkeeper-gem/doorkeeper?branch=main)
+[![Security](https://hakiri.io/github/doorkeeper-gem/doorkeeper/main.svg)](https://hakiri.io/github/doorkeeper-gem/doorkeeper/main)
 [![Reviewed by Hound](https://img.shields.io/badge/Reviewed_by-Hound-8E64B0.svg)](https://houndci.com)
-[![GuardRails badge](https://badges.production.guardrails.io/doorkeeper-gem/doorkeeper.svg?token=66768ce8f6995814df81f65a2cff40f739f688492704f973e62809e15599bb62)](https://dashboard.guardrails.io/default/gh/doorkeeper-gem/doorkeeper)
+[![GuardRails badge](https://badges.guardrails.io/doorkeeper-gem/doorkeeper.svg?token=66768ce8f6995814df81f65a2cff40f739f688492704f973e62809e15599bb62)](https://dashboard.guardrails.io/default/gh/doorkeeper-gem/doorkeeper)
 [![Dependabot](https://img.shields.io/badge/dependabot-enabled-success.svg)](https://dependabot.com)
 
 Doorkeeper is a gem (Rails engine) that makes it easy to introduce OAuth 2 provider
@@ -21,10 +21,11 @@ Supported features:
   - [Implicit grant](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.2)
   - [Resource Owner Password Credentials](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.3)
   - [Client Credentials](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.4)
-  - [Proof Key for Code Exchange](https://tools.ietf.org/html/rfc7636)
 - [OAuth 2.0 Token Revocation](http://tools.ietf.org/html/rfc7009)
 - [OAuth 2.0 Token Introspection](https://tools.ietf.org/html/rfc7662)
 - [OAuth 2.0 Threat Model and Security Considerations](http://tools.ietf.org/html/rfc6819)
+- [OAuth 2.0 for Native Apps](https://tools.ietf.org/html/draft-ietf-oauth-native-apps-10)
+- [Proof Key for Code Exchange by OAuth Public Clients](https://tools.ietf.org/html/rfc7636)
 
 ## Table of Contents
 
@@ -50,7 +51,7 @@ Supported features:
 
 ## Documentation
 
-This documentation is valid for `master` branch. Please check the documentation for the version of doorkeeper you are using in:
+This documentation is valid for `main` branch. Please check the documentation for the version of doorkeeper you are using in:
 https://github.com/doorkeeper-gem/doorkeeper/releases.
 
 Additionally, other resources can be found on:
@@ -93,6 +94,7 @@ Doorkeeper supports Active Record by default, but can be configured to work with
 | MongoDB | [doorkeeper-gem/doorkeeper-mongodb](https://github.com/doorkeeper-gem/doorkeeper-mongodb) |
 | Sequel | [nbulaj/doorkeeper-sequel](https://github.com/nbulaj/doorkeeper-sequel) |
 | Couchbase | [acaprojects/doorkeeper-couchbase](https://github.com/acaprojects/doorkeeper-couchbase) |
+| RethinkDB | [aca-labs/doorkeeper-rethinkdb](https://github.com/aca-labs/doorkeeper-rethinkdb) |
 
 ## Extensions
 
@@ -111,7 +113,7 @@ These applications show how Doorkeeper works and how to integrate with it. Start
 
 | Application | Link |
 | :--- | :--- |
-| oAuth2 Server with Doorkeeper | [doorkeeper-gem/doorkeeper-provider-app](https://github.com/doorkeeper-gem/doorkeeper-provider-app) |
+| OAuth2 Server with Doorkeeper | [doorkeeper-gem/doorkeeper-provider-app](https://github.com/doorkeeper-gem/doorkeeper-provider-app) |
 | Sinatra Client connected to Provider App | [doorkeeper-gem/doorkeeper-sinatra-client](https://github.com/doorkeeper-gem/doorkeeper-sinatra-client) |
 | Devise + Omniauth Client | [doorkeeper-gem/doorkeeper-devise-client](https://github.com/doorkeeper-gem/doorkeeper-devise-client) |
 
@@ -136,6 +138,12 @@ Support this project by becoming a sponsor. Your logo will show up here with a l
 
 > If you prefer not to deal with the gory details of OAuth 2, need dedicated customer support & consulting, try the cloud-based SaaS version: [https://oauth.io](https://oauth.io/?utm_source=doorkeeper-gem)
 
+<br>
+
+<a href="https://www.wealthsimple.com/?utm_source=doorkeeper-gem" target="_blank"><img src="https://wealthsimple.s3.amazonaws.com/branding/medium-black.svg"/></a>
+
+> Wealthsimple is a financial company on a mission to help everyone achieve financial freedom by providing products and advice that are accessible and affordable. Using smart technology, Wealthsimple takes financial services that are often confusing, opaque and expensive and makes them simple, transparent, and low-cost. See what Investing on Autopilot is all about: [https://www.wealthsimple.com](https://www.wealthsimple.com/?utm_source=doorkeeper-gem)
+
 ## Development
 
 To run the local engine server:
@@ -146,12 +154,15 @@ bundle exec rake doorkeeper:server
 ````
 
 By default, it uses the latest Rails version with ActiveRecord. To run the
-tests with a specific ORM and Rails version:
+tests with a specific Rails version:
 
 ```
-rails=5.2 orm=active_record bundle exec rake
+BUNDLE_GEMFILE=gemfiles/rails_6_0.gemfile bundle exec rake
 ```
 
+You can also experiment with the changes using `bin/console`. It uses in-memory SQLite database and default
+Doorkeeper config, but you can reestablish connection or reconfigure the gem if you need.
+
 ## Contributing
 
 Want to contribute and don't know where to start? Check out [features we're
@@ -160,8 +171,7 @@ create [example
 apps](https://github.com/doorkeeper-gem/doorkeeper/wiki/Example-Applications),
 integrate the gem with your app and let us know!
 
-Also, check out our [contributing guidelines
-page](https://github.com/doorkeeper-gem/doorkeeper/wiki/Contributing).
+Also, check out our [contributing guidelines page](CONTRIBUTING.md).
 
 ## Contributors
 

data/app/controllers/doorkeeper/application_controller.rb

@@ -2,10 +2,11 @@
 
 module Doorkeeper
   class ApplicationController <
-    Doorkeeper.configuration.base_controller.constantize
+    Doorkeeper.config.resolve_controller(:base)
     include Helpers::Controller
+    include ActionController::MimeResponds if Doorkeeper.config.api_only
 
-    unless Doorkeeper.configuration.api_only
+    unless Doorkeeper.config.api_only
       protect_from_forgery with: :exception
       helper "doorkeeper/dashboard"
     end

data/app/controllers/doorkeeper/application_metal_controller.rb

@@ -1,11 +1,12 @@
 # frozen_string_literal: true
 
 module Doorkeeper
-  class ApplicationMetalController < ActionController::API
+  class ApplicationMetalController <
+    Doorkeeper.config.resolve_controller(:base_metal)
     include Helpers::Controller
 
     before_action :enforce_content_type,
-                  if: -> { Doorkeeper.configuration.enforce_content_type }
+                  if: -> { Doorkeeper.config.enforce_content_type }
 
     ActiveSupport.run_load_hooks(:doorkeeper_metal_controller, self)
   end

data/app/controllers/doorkeeper/applications_controller.rb

@@ -8,7 +8,7 @@ module Doorkeeper
     before_action :set_application, only: %i[show edit update destroy]
 
     def index
-      @applications = Application.ordered_by(:created_at)
+      @applications = Doorkeeper.config.application_model.ordered_by(:created_at)
 
       respond_to do |format|
         format.html
@@ -19,23 +19,24 @@ module Doorkeeper
     def show
       respond_to do |format|
         format.html
-        format.json { render json: @application }
+        format.json { render json: @application, as_owner: true }
       end
     end
 
     def new
-      @application = Application.new
+      @application = Doorkeeper.config.application_model.new
     end
 
     def create
-      @application = Application.new(application_params)
+      @application = Doorkeeper.config.application_model.new(application_params)
 
       if @application.save
         flash[:notice] = I18n.t(:notice, scope: %i[doorkeeper flash applications create])
+        flash[:application_secret] = @application.plaintext_secret
 
         respond_to do |format|
           format.html { redirect_to oauth_application_url(@application) }
-          format.json { render json: @application }
+          format.json { render json: @application, as_owner: true }
         end
       else
         respond_to do |format|
@@ -57,7 +58,7 @@ module Doorkeeper
 
         respond_to do |format|
           format.html { redirect_to oauth_application_url(@application) }
-          format.json { render json: @application }
+          format.json { render json: @application, as_owner: true }
         end
       else
         respond_to do |format|
@@ -83,7 +84,7 @@ module Doorkeeper
     private
 
     def set_application
-      @application = Application.find(params[:id])
+      @application = Doorkeeper.config.application_model.find(params[:id])
     end
 
     def application_params