doorkeeper 5.1.2 → 5.2.0.rc1

data/README.md

@@ -146,10 +146,10 @@ bundle exec rake doorkeeper:server
 ````
 
 By default, it uses the latest Rails version with ActiveRecord. To run the
-tests with a specific ORM and Rails version:
+tests with a specific Rails version:
 
 ```
-rails=5.2 orm=active_record bundle exec rake
+BUNDLE_GEMFILE=gemfiles/rails_6_0.gemfile bundle exec rake
 ```
 
 ## Contributing

data/RELEASING.md

@@ -1,10 +1,11 @@
-# Releasing doorkeeper
+# Releasing Doorkeeper
 
-How to release doorkeeper in five easy steps!
+How to release Doorkeeper in five easy steps!
 
 1. Update `lib/doorkeeper/version.rb` file accordingly.
-2. Update `NEWS.md` to reflect the changes since last release.
-3. Commit changes: `git commit -am 'Bump to vVERSION'`
-4. Run `rake release`
+2. Update `CHANGELOG.md` to reflect the changes since last release.
+3. Commit changes: `git commit -am 'Bump to vVERSION'`.
+4. Build and publish the gem.
+4. Create GitHub release.
 5. Announce the new release, making sure to say “thank you” to the contributors
    who helped shape this version!

data/app/controllers/doorkeeper/applications_controller.rb

@@ -4,6 +4,7 @@ module Doorkeeper
   class ApplicationsController < Doorkeeper::ApplicationController
     layout "doorkeeper/admin" unless Doorkeeper.configuration.api_only
 
+    add_flash_types :application_secret
     before_action :authenticate_admin!
     before_action :set_application, only: %i[show edit update destroy]
 
@@ -19,7 +20,7 @@ module Doorkeeper
     def show
       respond_to do |format|
         format.html
-        format.json { render json: @application, as_owner: true }
+        format.json { render json: @application }
       end
     end
 
@@ -32,10 +33,11 @@ module Doorkeeper
 
       if @application.save
         flash[:notice] = I18n.t(:notice, scope: %i[doorkeeper flash applications create])
+        flash[:application_secret] = @application.plaintext_secret
 
         respond_to do |format|
           format.html { redirect_to oauth_application_url(@application) }
-          format.json { render json: @application, as_owner: true }
+          format.json { render json: @application }
         end
       else
         respond_to do |format|
@@ -57,7 +59,7 @@ module Doorkeeper
 
         respond_to do |format|
           format.html { redirect_to oauth_application_url(@application) }
-          format.json { render json: @application, as_owner: true }
+          format.json { render json: @application }
         end
       else
         respond_to do |format|

data/app/controllers/doorkeeper/authorized_applications_controller.rb

@@ -9,7 +9,7 @@ module Doorkeeper
 
       respond_to do |format|
         format.html
-        format.json { render json: @applications, current_resource_owner: current_resource_owner }
+        format.json { render json: @applications }
       end
     end
 

data/app/controllers/doorkeeper/tokens_controller.rb

@@ -6,8 +6,8 @@ module Doorkeeper
       headers.merge!(authorize_response.headers)
       render json: authorize_response.body,
              status: authorize_response.status
-    rescue Errors::DoorkeeperError => error
-      handle_token_exception(error)
+    rescue Errors::DoorkeeperError => e
+      handle_token_exception(e)
     end
 
     # OAuth 2.0 Token Revocation - http://tools.ietf.org/html/rfc7009
@@ -18,12 +18,13 @@ module Doorkeeper
       # Doorkeeper does not use the token_type_hint logic described in the
       # RFC 7009 due to the refresh token implementation that is a field in
       # the access token model.
-      revoke_token if authorized?
 
-      # The authorization server responds with HTTP status code 200 if the token
-      # has been revoked successfully or if the client submitted an invalid
-      # token
-      render json: {}, status: 200
+      if authorized?
+        revoke_token
+        render json: {}, status: 200
+      else
+        render json: revocation_error_response, status: :forbidden
+      end
     end
 
     def introspect
@@ -71,7 +72,10 @@ module Doorkeeper
     end
 
     def revoke_token
-      token.revoke if token.accessible?
+      # The authorization server responds with HTTP status code 200 if the token
+      # has been revoked successfully or if the client submitted an invalid
+      # token
+      token.revoke if token&.accessible?
     end
 
     def token
@@ -86,5 +90,11 @@ module Doorkeeper
     def authorize_response
       @authorize_response ||= strategy.authorize
     end
+
+    def revocation_error_response
+      error_description = I18n.t(:unauthorized, scope: %i[doorkeeper errors messages revoke])
+
+      { error: :unauthorized_client, error_description: error_description }
+    end
   end
 end

data/app/validators/redirect_uri_validator.rb

@@ -2,11 +2,10 @@
 
 require "uri"
 
+# ActiveModel validator for redirect URI validation in according
+# to OAuth standards and Doorkeeper configuration.
+#
 class RedirectUriValidator < ActiveModel::EachValidator
-  def self.native_redirect_uri
-    Doorkeeper.configuration.native_redirect_uri
-  end
-
   def validate_each(record, attribute, value)
     if value.blank?
       return if Doorkeeper.configuration.allow_blank_redirect_uri?(record)
@@ -14,12 +13,13 @@ class RedirectUriValidator < ActiveModel::EachValidator
       record.errors.add(attribute, :blank)
     else
       value.split.each do |val|
-        uri = ::URI.parse(val)
-        next if native_redirect_uri?(uri)
+        next if oob_redirect_uri?(val)
 
+        uri = ::URI.parse(val)
         record.errors.add(attribute, :forbidden_uri) if forbidden_uri?(uri)
         record.errors.add(attribute, :fragment_present) unless uri.fragment.nil?
-        record.errors.add(attribute, :relative_uri) if uri.scheme.nil? || uri.host.nil?
+        record.errors.add(attribute, :unspecified_scheme) if unspecified_scheme?(uri)
+        record.errors.add(attribute, :relative_uri) if relative_uri?(uri)
         record.errors.add(attribute, :secured_uri) if invalid_ssl_uri?(uri)
       end
     end
@@ -29,14 +29,24 @@ class RedirectUriValidator < ActiveModel::EachValidator
 
   private
 
-  def native_redirect_uri?(uri)
-    self.class.native_redirect_uri.present? && uri.to_s == self.class.native_redirect_uri.to_s
+  def oob_redirect_uri?(uri)
+    Doorkeeper::OAuth::NonStandard::IETF_WG_OAUTH2_OOB_METHODS.include?(uri)
   end
 
   def forbidden_uri?(uri)
     Doorkeeper.configuration.forbid_redirect_uri.call(uri)
   end
 
+  def unspecified_scheme?(uri)
+    return true if uri.opaque.present?
+
+    %w[localhost].include?(uri.try(:scheme))
+  end
+
+  def relative_uri?(uri)
+    uri.scheme.nil? && uri.host.nil?
+  end
+
   def invalid_ssl_uri?(uri)
     forces_ssl = Doorkeeper.configuration.force_ssl_in_redirect_uri
     non_https = uri.try(:scheme) == "http"

data/app/views/doorkeeper/applications/_form.html.erb

@@ -20,12 +20,6 @@
         <%= t('doorkeeper.applications.help.redirect_uri') %>
       </span>
 
-      <% if Doorkeeper.configuration.native_redirect_uri %>
-          <span class="form-text text-secondary">
-            <%= raw t('doorkeeper.applications.help.native_redirect_uri', native_redirect_uri: content_tag(:code, class: 'bg-light') { Doorkeeper.configuration.native_redirect_uri }) %>
-          </span>
-      <% end %>
-
       <% if Doorkeeper.configuration.allow_blank_redirect_uri?(application) %>
         <span class="form-text text-secondary">
           <%= t('doorkeeper.applications.help.blank_redirect_uri') %>

data/app/views/doorkeeper/applications/show.html.erb

@@ -8,7 +8,7 @@
     <p><code class="bg-light" id="application_id"><%= @application.uid %></code></p>
 
     <h4><%= t('.secret') %>:</h4>
-    <p><code class="bg-light" id="secret"><%= @application.plaintext_secret %></code></p>
+    <p><code class="bg-light" id="secret"><%= flash[:application_secret].presence || @application.plaintext_secret %></code></p>
 
     <h4><%= t('.scopes') %>:</h4>
     <p><code class="bg-light" id="scopes"><%= @application.scopes.presence || raw('&nbsp;') %></code></p>

data/config/locales/en.yml

@@ -11,6 +11,7 @@ en:
             redirect_uri:
               fragment_present: 'cannot contain a fragment.'
               invalid_uri: 'must be a valid URI.'
+              unspecified_scheme: 'must specify a scheme.'
               relative_uri: 'must be an absolute URI.'
               secured_uri: 'must be an HTTPS/SSL URI.'
               forbidden_uri: 'is forbidden by the server.'
@@ -33,7 +34,6 @@ en:
         confidential: 'Application will be used where the client secret can be kept confidential. Native mobile apps and Single Page Apps are considered non-confidential.'
         redirect_uri: 'Use one line per URI'
         blank_redirect_uri: "Leave it blank if you configured your provider to use Client Credentials, Resource Owner Password Credentials or any other grant type that doesn't require redirect URI."
-        native_redirect_uri: 'Use %{native_redirect_uri} if you want to add localhost URIs for development purposes'
         scopes: 'Separate scopes with spaces. Leave blank to use the default scopes.'
       edit:
         title: 'Edit application'
@@ -114,6 +114,8 @@ en:
           revoked: "The access token was revoked"
           expired: "The access token expired"
           unknown: "The access token is invalid"
+        revoke:
+          unauthorized: "You are not authorized to revoke this token"
 
     flash:
       applications:

data/doorkeeper.gemspec

@@ -14,7 +14,7 @@ Gem::Specification.new do |gem|
   gem.description = "Doorkeeper is an OAuth 2 provider for Rails and Grape."
   gem.license     = "MIT"
 
-  gem.files         = `git ls-files`.split("\n")
+  gem.files         = `git ls-files`.split("\n").reject { |file| file.start_with?(".") }
   gem.test_files    = `git ls-files -- spec/*`.split("\n")
   gem.require_paths = ["lib"]
 

data/gemfiles/rails_5_0.gemfile

@@ -9,6 +9,7 @@ gem "rspec-mocks", git: "https://github.com/rspec/rspec-mocks.git"
 gem "rspec-rails", branch: "4-0-dev", git: "https://github.com/rspec/rspec-rails.git"
 gem "rspec-support", git: "https://github.com/rspec/rspec-support.git"
 gem "rubocop", "~> 0.66"
+gem "rubocop-performance"
 gem "bcrypt", "~> 3.1", require: false
 gem "activerecord-jdbcsqlite3-adapter", platform: :jruby
 gem "sqlite3", "~> 1.3", "< 1.4", platform: [:ruby, :mswin, :mingw, :x64_mingw]

data/gemfiles/rails_5_1.gemfile

@@ -9,6 +9,7 @@ gem "rspec-mocks", git: "https://github.com/rspec/rspec-mocks.git"
 gem "rspec-rails", branch: "4-0-dev", git: "https://github.com/rspec/rspec-rails.git"
 gem "rspec-support", git: "https://github.com/rspec/rspec-support.git"
 gem "rubocop", "~> 0.66"
+gem "rubocop-performance"
 gem "bcrypt", "~> 3.1", require: false
 gem "activerecord-jdbcsqlite3-adapter", platform: :jruby
 gem "sqlite3", "~> 1.3", "< 1.4", platform: [:ruby, :mswin, :mingw, :x64_mingw]

data/gemfiles/rails_5_2.gemfile

@@ -9,6 +9,7 @@ gem "rspec-mocks", git: "https://github.com/rspec/rspec-mocks.git"
 gem "rspec-rails", branch: "4-0-dev", git: "https://github.com/rspec/rspec-rails.git"
 gem "rspec-support", git: "https://github.com/rspec/rspec-support.git"
 gem "rubocop", "~> 0.66"
+gem "rubocop-performance"
 gem "bcrypt", "~> 3.1", require: false
 gem "activerecord-jdbcsqlite3-adapter", platform: :jruby
 gem "sqlite3", "~> 1.3", "< 1.4", platform: [:ruby, :mswin, :mingw, :x64_mingw]

data/gemfiles/rails_6_0.gemfile

@@ -2,13 +2,14 @@
 
 source "https://rubygems.org"
 
-gem "rails", "~> 6.0.0.beta3"
+gem "rails", "~> 6.0.0.rc1"
 gem "rspec-core", git: "https://github.com/rspec/rspec-core.git"
 gem "rspec-expectations", git: "https://github.com/rspec/rspec-expectations.git"
 gem "rspec-mocks", git: "https://github.com/rspec/rspec-mocks.git"
 gem "rspec-rails", branch: "4-0-dev", git: "https://github.com/rspec/rspec-rails.git"
 gem "rspec-support", git: "https://github.com/rspec/rspec-support.git"
 gem "rubocop", "~> 0.66"
+gem "rubocop-performance"
 gem "bcrypt", "~> 3.1", require: false
 gem "activerecord-jdbcsqlite3-adapter", platform: :jruby
 gem "sqlite3", "~> 1.4", platform: [:ruby, :mswin, :mingw, :x64_mingw]

data/gemfiles/rails_master.gemfile

@@ -9,6 +9,7 @@ gem "rspec-mocks", git: "https://github.com/rspec/rspec-mocks.git"
 gem "rspec-rails", branch: "4-0-dev", git: "https://github.com/rspec/rspec-rails.git"
 gem "rspec-support", git: "https://github.com/rspec/rspec-support.git"
 gem "rubocop", "~> 0.66"
+gem "rubocop-performance"
 gem "bcrypt", "~> 3.1", require: false
 gem "activerecord-jdbcsqlite3-adapter", platform: :jruby
 gem "sqlite3", "~> 1.4", platform: [:ruby, :mswin, :mingw, :x64_mingw]

data/lib/doorkeeper.rb

@@ -52,6 +52,7 @@ require "doorkeeper/oauth/token"
 require "doorkeeper/oauth/token_introspection"
 require "doorkeeper/oauth/invalid_token_response"
 require "doorkeeper/oauth/forbidden_token_response"
+require "doorkeeper/oauth/nonstandard"
 
 require "doorkeeper/secret_storing/base"
 require "doorkeeper/secret_storing/plain"
@@ -80,6 +81,8 @@ require "doorkeeper/stale_records_cleaner"
 
 require "doorkeeper/orm/active_record"
 
+# Main Doorkeeper namespace.
+#
 module Doorkeeper
   def self.authenticate(request, methods = Doorkeeper.configuration.access_token_methods)
     OAuth::Token.authenticate(request, *methods)

data/lib/doorkeeper/config.rb

@@ -25,8 +25,8 @@ module Doorkeeper
 
   def self.setup_orm_adapter
     @orm_adapter = "doorkeeper/orm/#{configuration.orm}".classify.constantize
-  rescue NameError => error
-    raise error, "ORM adapter not found (#{configuration.orm})", <<-ERROR_MSG.strip_heredoc
+  rescue NameError => e
+    raise e, "ORM adapter not found (#{configuration.orm})", <<-ERROR_MSG.strip_heredoc
       [doorkeeper] ORM adapter not found (#{configuration.orm}), or there was an error
       trying to load it.
 
@@ -254,7 +254,7 @@ module Doorkeeper
     option :custom_access_token_expires_in, default: ->(_context) { nil }
     option :authorization_code_expires_in,  default: 600
     option :orm,                            default: :active_record
-    option :native_redirect_uri,            default: "urn:ietf:wg:oauth:2.0:oob"
+    option :native_redirect_uri,            default: "urn:ietf:wg:oauth:2.0:oob", deprecated: true
     option :active_record_options,          default: {}
     option :grant_flows,                    default: %w[authorization_code client_credentials]
     option :handle_auth_errors,             default: :render
@@ -321,6 +321,33 @@ module Doorkeeper
                grant_flows.exclude?("implicit")
            end)
 
+    # Configure protection of token introspection request.
+    # By default token introspection is allowed only for clients that
+    # introspected token belongs to or if access token been introspected
+    # is a public one (doesn't belong to any client).
+    #
+    # You can define any custom rule you need or just disable token
+    # introspection at all.
+    #
+    # @param token [Doorkeeper::AccessToken]
+    #   token to be introspected
+    #
+    # @param authorized_client [Doorkeeper::Application]
+    #   authorized client (if request is authorized using Basic auth with
+    #   Client Credentials for example)
+    #
+    # @param authorized_token [Doorkeeper::AccessToken]
+    #   Bearer token used to authorize the request
+    #
+    option :allow_token_introspection,
+           default: (lambda do |token, authorized_client, _authorized_token|
+             if token.application
+               token.application == authorized_client
+             else
+               true
+             end
+           end)
+
     attr_reader :api_only,
                 :enforce_content_type,
                 :reuse_access_token,

data/lib/doorkeeper/config/option.rb

@@ -38,14 +38,20 @@ module Doorkeeper
 
         Builder.instance_eval do
           remove_method name if method_defined?(name)
-          define_method name do |*args, &block|
-            value = if attribute_builder
-                      attribute_builder.new(&block).build
-                    else
-                      block || args.first
-                    end
+          if options[:deprecated]
+            define_method name do |*_, &_|
+              Kernel.warn "[DOORKEEPER] #{name} has been deprecated and will soon be removed"
+            end
+          else
+            define_method name do |*args, &block|
+              value = if attribute_builder
+                        attribute_builder.new(&block).build
+                      else
+                        block || args.first
+                      end
 
-            @config.instance_variable_set(:"@#{attribute}", value)
+              @config.instance_variable_set(:"@#{attribute}", value)
+            end
           end
         end
 

data/lib/doorkeeper/grape/helpers.rb

@@ -4,6 +4,8 @@ require "doorkeeper/grape/authorization_decorator"
 
 module Doorkeeper
   module Grape
+    # Doorkeeper helpers for Grape applications.
+    # Provides helpers for endpoints authorization based on defined set of scopes.
     module Helpers
       # These helpers are for grape >= 0.10
       extend ::Grape::API::Helpers
@@ -11,7 +13,9 @@ module Doorkeeper
 
       # endpoint specific scopes > parameter scopes > default scopes
       def doorkeeper_authorize!(*scopes)
-        endpoint_scopes = endpoint.route_setting(:scopes) || endpoint.options[:route_options][:scopes]
+        endpoint_scopes = endpoint.route_setting(:scopes) ||
+                          endpoint.options[:route_options][:scopes]
+
         scopes = if endpoint_scopes
                    Doorkeeper::OAuth::Scopes.from_array(endpoint_scopes)
                  elsif scopes && !scopes.empty?

data/lib/doorkeeper/helpers/controller.rb

@@ -4,6 +4,8 @@
 # Doorkeeper::ApplicationMetalController or Doorkeeper::ApplicationController
 module Doorkeeper
   module Helpers
+    # Rails controller helpers.
+    #
     module Controller
       private
 
@@ -40,7 +42,11 @@ module Doorkeeper
       end
 
       def get_error_response_from_exception(exception)
-        OAuth::ErrorResponse.new name: exception.type, state: params[:state]
+        if exception.respond_to?(:response)
+          exception.response
+        else
+          OAuth::ErrorResponse.new name: exception.type, state: params[:state]
+        end
       end
 
       def handle_token_exception(exception)
@@ -51,14 +57,21 @@ module Doorkeeper
       end
 
       def skip_authorization?
-        !!instance_exec([@server.current_resource_owner, @pre_auth.client], &Doorkeeper.configuration.skip_authorization)
+        !!instance_exec(
+          [@server.current_resource_owner, @pre_auth.client],
+          &Doorkeeper.configuration.skip_authorization
+        )
       end
 
       def enforce_content_type
-        if (request.put? || request.post? || request.patch?) && request.content_type != "application/x-www-form-urlencoded"
+        if (request.put? || request.post? || request.patch?) && !x_www_form_urlencoded?
           render json: {}, status: :unsupported_media_type
         end
       end
+
+      def x_www_form_urlencoded?
+        request.content_type == "application/x-www-form-urlencoded"
+      end
     end
   end
 end