doorkeeper 5.1.0 → 5.5.1

data/lib/doorkeeper/config.rb

@@ -1,60 +1,66 @@
 # frozen_string_literal: true
 
+require "doorkeeper/config/abstract_builder"
 require "doorkeeper/config/option"
+require "doorkeeper/config/validations"
 
 module Doorkeeper
+  # Defines a MissingConfiguration error for a missing Doorkeeper configuration
+  #
   class MissingConfiguration < StandardError
-    # Defines a MissingConfiguration error for a missing Doorkeeper
-    # configuration
     def initialize
       super("Configuration for doorkeeper missing. Do you have doorkeeper initializer?")
     end
   end
 
-  def self.configure(&block)
-    @config = Config::Builder.new(&block).build
-    setup_orm_adapter
-    setup_orm_models
-    setup_application_owner if @config.enable_application_owner?
-    @config
-  end
+  # Doorkeeper option DSL could be reused in extensions to build their own
+  # configurations. To use the Option DSL gems need to define `builder_class` method
+  # that returns configuration Builder class. This exception raises when they don't
+  # define it.
+  #
+  class MissingConfigurationBuilderClass < StandardError; end
+
+  class << self
+    def configure(&block)
+      @config = Config::Builder.new(&block).build
+      setup_orm_adapter
+      setup_orm_models
+      setup_application_owner if @config.enable_application_owner?
+      @config
+    end
 
-  def self.configuration
-    @config || (raise MissingConfiguration)
-  end
+    # @return [Doorkeeper::Config] configuration instance
+    #
+    def configuration
+      @config || (raise MissingConfiguration)
+    end
 
-  def self.setup_orm_adapter
-    @orm_adapter = "doorkeeper/orm/#{configuration.orm}".classify.constantize
-  rescue NameError => error
-    raise error, "ORM adapter not found (#{configuration.orm})", <<-ERROR_MSG.strip_heredoc
-      [doorkeeper] ORM adapter not found (#{configuration.orm}), or there was an error
-      trying to load it.
+    alias config configuration
 
-      You probably need to add the related gem for this adapter to work with
-      doorkeeper.
-    ERROR_MSG
-  end
+    def setup_orm_adapter
+      @orm_adapter = "doorkeeper/orm/#{configuration.orm}".classify.constantize
+    rescue NameError => e
+      raise e, "ORM adapter not found (#{configuration.orm})", <<-ERROR_MSG.strip_heredoc
+        [DOORKEEPER] ORM adapter not found (#{configuration.orm}), or there was an error
+        trying to load it.
 
-  def self.setup_orm_models
-    @orm_adapter.initialize_models!
-  end
+        You probably need to add the related gem for this adapter to work with
+        doorkeeper.
+      ERROR_MSG
+    end
+
+    def setup_orm_models
+      @orm_adapter.initialize_models!
+    end
 
-  def self.setup_application_owner
-    @orm_adapter.initialize_application_owner!
+    def setup_application_owner
+      @orm_adapter.initialize_application_owner!
+    end
   end
 
   class Config
-    class Builder
-      def initialize(&block)
-        @config = Config.new
-        instance_eval(&block)
-      end
-
-      def build
-        @config.validate
-        @config
-      end
-
+    # Default Doorkeeper configuration builder
+    class Builder < AbstractBuilder
       # Provide support for an owner to be assigned to each registered
       # application (disabled by default)
       # Optional parameter confirmation: true (default false) if you want
@@ -120,7 +126,7 @@ module Doorkeeper
       def use_refresh_token(enabled = true, &block)
         @config.instance_variable_set(
           :@refresh_token_enabled,
-          block || enabled
+          block || enabled,
         )
       end
 
@@ -131,13 +137,12 @@ module Doorkeeper
         @config.instance_variable_set(:@reuse_access_token, true)
       end
 
-      # Sets the token_reuse_limit
-      # It will be used only when reuse_access_token option in enabled
-      # By default it will be 100
-      # It will be used for token reusablity to some threshold percentage
-      # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/1189
-      def token_reuse_limit(percentage)
-        @config.instance_variable_set(:@token_reuse_limit, percentage)
+      # TODO: maybe make it more generic for other flows too?
+      # Only allow one valid access token obtained via client credentials
+      # per client. If a new access token is obtained before the old one
+      # expired, the old one gets revoked (disabled by default)
+      def revoke_previous_client_credentials_token
+        @config.instance_variable_set(:@revoke_previous_client_credentials_token, true)
       end
 
       # Use an API mode for applications generated with --api argument
@@ -146,6 +151,12 @@ module Doorkeeper
         @config.instance_variable_set(:@api_only, true)
       end
 
+      # Enables polymorphic Resource Owner association for Access Grant and
+      # Access Token models. Requires additional database columns to be setup.
+      def use_polymorphic_resource_owner
+        @config.instance_variable_set(:@polymorphic_resource_owner, true)
+      end
+
       # Forbids creating/updating applications with arbitrary scopes that are
       # not in configuration, i.e. `default_scopes` or `optional_scopes`.
       # (disabled by default)
@@ -195,8 +206,7 @@ module Doorkeeper
       def configure_secrets_for(type, using:, fallback:)
         raise ArgumentError, "Invalid type #{type}" if %i[application token].exclude?(type)
 
-        @config.instance_variable_set(:"@#{type}_secret_strategy",
-                                      using.constantize)
+        @config.instance_variable_set(:"@#{type}_secret_strategy", using.constantize)
 
         if fallback.nil?
           return
@@ -204,18 +214,21 @@ module Doorkeeper
           fallback = "::Doorkeeper::SecretStoring::Plain"
         end
 
-        @config.instance_variable_set(:"@#{type}_secret_fallback_strategy",
-                                      fallback.constantize)
+        @config.instance_variable_set(:"@#{type}_secret_fallback_strategy", fallback.constantize)
       end
     end
 
+    # Replace with `default: Builder` when we drop support of Rails < 5.2
+    mattr_reader(:builder_class) { Builder }
+
     extend Option
+    include Validations
 
     option :resource_owner_authenticator,
            as: :authenticate_resource_owner,
            default: (lambda do |_routes|
              ::Rails.logger.warn(
-               I18n.t("doorkeeper.errors.messages.resource_owner_authenticator_not_configured")
+               I18n.t("doorkeeper.errors.messages.resource_owner_authenticator_not_configured"),
              )
 
              nil
@@ -225,7 +238,7 @@ module Doorkeeper
            as: :authenticate_admin,
            default: (lambda do |_routes|
              ::Rails.logger.warn(
-               I18n.t("doorkeeper.errors.messages.admin_authenticator_not_configured")
+               I18n.t("doorkeeper.errors.messages.admin_authenticator_not_configured"),
              )
 
              head :forbidden
@@ -234,15 +247,15 @@ module Doorkeeper
     option :resource_owner_from_credentials,
            default: (lambda do |_routes|
              ::Rails.logger.warn(
-               I18n.t("doorkeeper.errors.messages.credential_flow_not_configured")
+               I18n.t("doorkeeper.errors.messages.credential_flow_not_configured"),
              )
 
              nil
            end)
 
     # Hooks for authorization
-    option :before_successful_authorization,      default: ->(_context) {}
-    option :after_successful_authorization,       default: ->(_context) {}
+    option :before_successful_authorization,      default: ->(_controller, _context = nil) {}
+    option :after_successful_authorization,       default: ->(_controller, _context = nil) {}
     # Hooks for strategies responses
     option :before_successful_strategy_response,  default: ->(_request) {}
     option :after_successful_strategy_response,   default: ->(_request, _response) {}
@@ -254,10 +267,65 @@ module Doorkeeper
     option :custom_access_token_expires_in, default: ->(_context) { nil }
     option :authorization_code_expires_in,  default: 600
     option :orm,                            default: :active_record
-    option :native_redirect_uri,            default: "urn:ietf:wg:oauth:2.0:oob"
-    option :active_record_options,          default: {}
+    option :native_redirect_uri,            default: "urn:ietf:wg:oauth:2.0:oob", deprecated: true
     option :grant_flows,                    default: %w[authorization_code client_credentials]
     option :handle_auth_errors,             default: :render
+    option :token_lookup_batch_size,        default: 10_000
+    # Sets the token_reuse_limit
+    # It will be used only when reuse_access_token option in enabled
+    # By default it will be 100
+    # It will be used for token reusablity to some threshold percentage
+    # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/1189
+    option :token_reuse_limit,              default: 100
+
+    # Don't require client authentication for password grants. If client credentials
+    # are present they will still be validated, and the grant rejected if the credentials
+    # are invalid.
+    #
+    # This is discouraged. Spec says that password grants always require a client.
+    #
+    # See https://github.com/doorkeeper-gem/doorkeeper/issues/1412#issuecomment-632750422
+    # and https://github.com/doorkeeper-gem/doorkeeper/pull/1420
+    #
+    # Since many applications use this unsafe behavior in the wild, this is kept as a
+    # not-recommended option. You should be aware that you are not following the OAuth
+    # spec, and understand the security implications of doing so.
+    option :skip_client_authentication_for_password_grant,
+           default: false
+
+    option :active_record_options,
+           default: {},
+           deprecated: { message: "Customize Doorkeeper models instead" }
+
+    # Hook to allow arbitrary user-client authorization
+    option :authorize_resource_owner_for_client,
+           default: ->(_client, _resource_owner) { true }
+
+    # Allows to customize OAuth grant flows that +each+ application support.
+    # You can configure a custom block (or use a class respond to `#call`) that must
+    # return `true` in case Application instance supports requested OAuth grant flow
+    # during the authorization request to the server. This configuration +doesn't+
+    # set flows per application, it only allows to check if application supports
+    # specific grant flow.
+    #
+    # For example you can add an additional database column to `oauth_applications` table,
+    # say `t.array :grant_flows, default: []`, and store allowed grant flows that can
+    # be used with this application there. Then when authorization requested Doorkeeper
+    # will call this block to check if specific Application (passed with client_id and/or
+    # client_secret) is allowed to perform the request for the specific grant type
+    # (authorization, password, client_credentials, etc).
+    #
+    # Example of the block:
+    #
+    #   ->(flow, client) { client.grant_flows.include?(flow) }
+    #
+    # In case this option invocation result is `false`, Doorkeeper server returns
+    # :unauthorized_client error and stops the request.
+    #
+    # @param allow_grant_flow_for_client [Proc] Block or any object respond to #call
+    # @return [Boolean] `true` if allow or `false` if forbid the request
+    #
+    option :allow_grant_flow_for_client,    default: ->(_grant_flow, _client) { true }
 
     # Allows to forbid specific Application redirect URI's by custom rules.
     # Doesn't forbid any URI by default.
@@ -288,7 +356,7 @@ module Doorkeeper
     option :force_ssl_in_redirect_uri,      default: !Rails.env.development?
 
     # Use a custom class for generating the access token.
-    # https://github.com/doorkeeper-gem/doorkeeper#custom-access-token-generator
+    # https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-access-token-generator
     #
     # @param access_token_generator [String]
     #   the name of the access token generator class
@@ -306,11 +374,29 @@ module Doorkeeper
 
     # The controller Doorkeeper::ApplicationController inherits from.
     # Defaults to ActionController::Base.
-    # https://github.com/doorkeeper-gem/doorkeeper#custom-base-controller
+    # https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-base-controller
     #
     # @param base_controller [String] the name of the base controller
     option :base_controller,
-           default: "ActionController::Base"
+           default: (lambda do
+             api_only ? "ActionController::API" : "ActionController::Base"
+           end)
+
+    # The controller Doorkeeper::ApplicationMetalController inherits from.
+    # Defaults to ActionController::API.
+    #
+    # @param base_metal_controller [String] the name of the base controller
+    option :base_metal_controller,
+           default: "ActionController::API"
+
+    option :access_token_class,
+           default: "Doorkeeper::AccessToken"
+
+    option :access_grant_class,
+           default: "Doorkeeper::AccessGrant"
+
+    option :application_class,
+           default: "Doorkeeper::Application"
 
     # Allows to set blank redirect URIs for Applications in case
     # server configured to use URI-less grant flows.
@@ -321,17 +407,62 @@ module Doorkeeper
                grant_flows.exclude?("implicit")
            end)
 
-    attr_reader :api_only,
-                :enforce_content_type,
-                :reuse_access_token,
+    # Configure protection of token introspection request.
+    # By default this configuration allows to introspect a token by
+    # another token of the same application, or to introspect the token
+    # that belongs to authorized client, or access token has been introspected
+    # is a public one (doesn't belong to any client)
+    #
+    # You can define any custom rule you need or just disable token
+    # introspection at all.
+    #
+    # @param token [Doorkeeper::AccessToken]
+    #   token to be introspected
+    #
+    # @param authorized_client [Doorkeeper::Application]
+    #   authorized client (if request is authorized using Basic auth with
+    #   Client Credentials for example)
+    #
+    # @param authorized_token [Doorkeeper::AccessToken]
+    #   Bearer token used to authorize the request
+    #
+    option :allow_token_introspection,
+           default: (lambda do |token, authorized_client, authorized_token|
+             if authorized_token
+               authorized_token.application == token&.application
+             elsif token.application
+               authorized_client == token.application
+             else
+               true
+             end
+           end)
+
+    attr_reader :reuse_access_token,
                 :token_secret_fallback_strategy,
                 :application_secret_fallback_strategy
 
-    # Return the valid subset of this configuration
-    def validate
-      validate_reuse_access_token_value
-      validate_token_reuse_limit
-      validate_secret_strategies
+    # Doorkeeper Access Token model class.
+    #
+    # @return [ActiveRecord::Base, Mongoid::Document, Sequel::Model]
+    #
+    def access_token_model
+      @access_token_model ||= access_token_class.constantize
+    end
+
+    # Doorkeeper Access Grant model class.
+    #
+    # @return [ActiveRecord::Base, Mongoid::Document, Sequel::Model]
+    #
+    def access_grant_model
+      @access_grant_model ||= access_grant_class.constantize
+    end
+
+    # Doorkeeper Application model class.
+    #
+    # @return [ActiveRecord::Base, Mongoid::Document, Sequel::Model]
+    #
+    def application_model
+      @application_model ||= application_class.constantize
     end
 
     def api_only
@@ -350,8 +481,19 @@ module Doorkeeper
       end
     end
 
-    def token_reuse_limit
-      @token_reuse_limit ||= 100
+    def resolve_controller(name)
+      config_option = public_send(:"#{name}_controller")
+      controller_name = if config_option.respond_to?(:call)
+                          instance_exec(&config_option)
+                        else
+                          config_option
+                        end
+
+      controller_name.constantize
+    end
+
+    def revoke_previous_client_credentials_token?
+      option_set? :revoke_previous_client_credentials_token
     end
 
     def enforce_configured_scopes?
@@ -362,6 +504,10 @@ module Doorkeeper
       option_set? :enable_application_owner
     end
 
+    def polymorphic_resource_owner?
+      option_set? :polymorphic_resource_owner
+    end
+
     def confirm_application_owner?
       option_set? :confirm_application_owner
     end
@@ -370,6 +516,10 @@ module Doorkeeper
       handle_auth_errors == :raise
     end
 
+    def application_secret_hashed?
+      instance_variable_defined?(:"@application_secret_strategy")
+    end
+
     def token_secret_strategy
       @token_secret_strategy ||= ::Doorkeeper::SecretStoring::Plain
     end
@@ -406,85 +556,109 @@ module Doorkeeper
       ]
     end
 
+    def enabled_grant_flows
+      @enabled_grant_flows ||= calculate_grant_flows.map { |name| Doorkeeper::GrantFlow.get(name) }.compact
+    end
+
+    def authorization_response_flows
+      @authorization_response_flows ||= enabled_grant_flows.select(&:handles_response_type?) +
+                                        deprecated_authorization_flows
+    end
+
+    def token_grant_flows
+      @token_grant_flows ||= calculate_token_grant_flows
+    end
+
     def authorization_response_types
-      @authorization_response_types ||= calculate_authorization_response_types.freeze
+      authorization_response_flows.map(&:response_type_matches)
     end
 
     def token_grant_types
-      @token_grant_types ||= calculate_token_grant_types.freeze
+      token_grant_flows.map(&:grant_type_matches)
     end
 
-    def allow_blank_redirect_uri?(application = nil)
-      if allow_blank_redirect_uri.respond_to?(:call)
-        allow_blank_redirect_uri.call(grant_flows, application)
-      else
-        allow_blank_redirect_uri
-      end
+    # [NOTE]: deprecated and will be removed soon
+    def deprecated_token_grant_types_resolver
+      @deprecated_token_grant_types ||= calculate_token_grant_types
     end
 
-    def option_defined?(name)
-      instance_variable_defined?("@#{name}")
-    end
+    # [NOTE]: deprecated and will be removed soon
+    def deprecated_authorization_flows
+      response_types = calculate_authorization_response_types
 
-    private
+      if response_types.any?
+        ::Kernel.warn <<~WARNING
+          Please, don't patch Doorkeeper::Config#calculate_authorization_response_types method.
+          Register your custom grant flows using the public API:
+          `Doorkeeper::GrantFlow.register(grant_flow_name, **options)`.
+        WARNING
+      end
 
-    # Helper to read boolearized configuration option
-    def option_set?(instance_key)
-      var = instance_variable_get("@#{instance_key}")
-      !!(defined?(var) && var)
+      response_types.map do |response_type|
+        Doorkeeper::GrantFlow::FallbackFlow.new(response_type, response_type_matches: response_type)
+      end
     end
 
-    # Determines what values are acceptable for 'response_type' param in
-    # authorization request endpoint, and return them as an array of strings.
-    #
+    # [NOTE]: deprecated and will be removed soon
     def calculate_authorization_response_types
-      types = []
-      types << "code"  if grant_flows.include? "authorization_code"
-      types << "token" if grant_flows.include? "implicit"
-      types
+      []
     end
 
-    # Determines what values are acceptable for 'grant_type' param token
-    # request endpoint, and return them in array.
-    #
+    # [NOTE]: deprecated and will be removed soon
     def calculate_token_grant_types
       types = grant_flows - ["implicit"]
       types << "refresh_token" if refresh_token_enabled?
       types
     end
 
-    # Determine whether +reuse_access_token+ and a non-restorable
-    # +token_secret_strategy+ have both been activated.
+    # Calculates grant flows configured by the user in Doorkeeper
+    # configuration considering registered aliases that is exposed
+    # to single or multiple other flows.
     #
-    # In that case, disable reuse_access_token value and warn the user.
-    def validate_reuse_access_token_value
-      strategy = token_secret_strategy
-      return if !reuse_access_token || strategy.allows_restoring_secrets?
+    def calculate_grant_flows
+      configured_flows = grant_flows.map(&:to_s)
+      aliases = Doorkeeper::GrantFlow.aliases.keys.map(&:to_s)
+
+      flows = configured_flows - aliases
+      aliases.each do |flow_alias|
+        next unless configured_flows.include?(flow_alias)
+
+        flows.concat(Doorkeeper::GrantFlow.expand_alias(flow_alias))
+      end
+
+      flows.flatten.uniq
+    end
+
+    def allow_blank_redirect_uri?(application = nil)
+      if allow_blank_redirect_uri.respond_to?(:call)
+        allow_blank_redirect_uri.call(grant_flows, application)
+      else
+        allow_blank_redirect_uri
+      end
+    end
+
+    def allow_grant_flow_for_client?(grant_flow, client)
+      return true unless option_defined?(:allow_grant_flow_for_client)
 
-      ::Rails.logger.warn(
-        "You have configured both reuse_access_token " \
-        "AND strategy strategy '#{strategy}' that cannot restore tokens. " \
-        "This combination is unsupported. reuse_access_token will be disabled"
-      )
-      @reuse_access_token = false
+      allow_grant_flow_for_client.call(grant_flow, client)
     end
 
-    # Validate that the provided strategies are valid for
-    # tokens and applications
-    def validate_secret_strategies
-      token_secret_strategy.validate_for :token
-      application_secret_strategy.validate_for :application
+    def option_defined?(name)
+      instance_variable_defined?("@#{name}")
     end
 
-    def validate_token_reuse_limit
-      return if !reuse_access_token ||
-                (token_reuse_limit > 0 && token_reuse_limit <= 100)
+    private
+
+    # Helper to read boolearized configuration option
+    def option_set?(instance_key)
+      var = instance_variable_get("@#{instance_key}")
+      !!(defined?(var) && var)
+    end
 
-      ::Rails.logger.warn(
-        "You have configured an invalid value for token_reuse_limit option. " \
-        "It will be set to default 100"
-      )
-      @token_reuse_limit = 100
+    def calculate_token_grant_flows
+      flows = enabled_grant_flows.select(&:handles_grant_type?)
+      flows << Doorkeeper::GrantFlow.get("refresh_token") if refresh_token_enabled?
+      flows
     end
   end
 end

data/lib/doorkeeper/engine.rb

@@ -4,7 +4,7 @@ module Doorkeeper
   class Engine < Rails::Engine
     initializer "doorkeeper.params.filter" do |app|
       parameters = %w[client_secret code authentication_token access_token refresh_token]
-      app.config.filter_parameters << /^(#{Regexp.union parameters})$/
+      app.config.filter_parameters << /^(#{Regexp.union(parameters)})$/
     end
 
     initializer "doorkeeper.routes" do

data/lib/doorkeeper/errors.rb

@@ -8,18 +8,6 @@ module Doorkeeper
       end
     end
 
-    class InvalidAuthorizationStrategy < DoorkeeperError
-      def type
-        :unsupported_response_type
-      end
-    end
-
-    class InvalidTokenReuse < DoorkeeperError
-      def type
-        :invalid_request
-      end
-    end
-
     class InvalidGrantReuse < DoorkeeperError
       def type
         :invalid_grant
@@ -32,7 +20,14 @@ module Doorkeeper
       end
     end
 
-    class MissingRequestStrategy < DoorkeeperError
+    class MissingRequiredParameter < DoorkeeperError
+      attr_reader :missing_param
+
+      def initialize(missing_param)
+        super
+        @missing_param = missing_param
+      end
+
       def type
         :invalid_request
       end
@@ -50,10 +45,10 @@ module Doorkeeper
     TokenGeneratorNotFound = Class.new(DoorkeeperError)
     NoOrmCleaner = Class.new(DoorkeeperError)
 
-    InvalidToken = Class.new BaseResponseError
-    TokenExpired = Class.new InvalidToken
-    TokenRevoked = Class.new InvalidToken
-    TokenUnknown = Class.new InvalidToken
-    TokenForbidden = Class.new InvalidToken
+    InvalidToken = Class.new(BaseResponseError)
+    TokenExpired = Class.new(InvalidToken)
+    TokenRevoked = Class.new(InvalidToken)
+    TokenUnknown = Class.new(InvalidToken)
+    TokenForbidden = Class.new(InvalidToken)
   end
 end

data/lib/doorkeeper/grant_flow/fallback_flow.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module GrantFlow
+    class FallbackFlow < Flow
+      def handles_grant_type?
+        false
+      end
+
+      def handles_response_type?
+        false
+      end
+    end
+  end
+end