doorkeeper 5.1.2 → 5.2.0.rc1

data/lib/doorkeeper/oauth/authorization/code.rb

@@ -12,10 +12,10 @@ module Doorkeeper
         end
 
         def issue_token
-          @token ||= AccessGrant.create! access_grant_attributes
+          @token ||= AccessGrant.create!(access_grant_attributes)
         end
 
-        def native_redirect
+        def oob_redirect
           { action: :show, code: token.plaintext_token }
         end
 
@@ -30,11 +30,13 @@ module Doorkeeper
         end
 
         def access_grant_attributes
-          pkce_attributes.merge application_id: pre_auth.client.id,
-                                resource_owner_id: resource_owner.id,
-                                expires_in: authorization_code_expires_in,
-                                redirect_uri: pre_auth.redirect_uri,
-                                scopes: pre_auth.scopes.to_s
+          pkce_attributes.merge(
+            application_id: pre_auth.client.id,
+            resource_owner_id: resource_owner.id,
+            expires_in: authorization_code_expires_in,
+            redirect_uri: pre_auth.redirect_uri,
+            scopes: pre_auth.scopes.to_s
+          )
         end
 
         def pkce_attributes
@@ -46,7 +48,7 @@ module Doorkeeper
           }
         end
 
-        # ensures firstly, if migration with additional pcke columns was
+        # Ensures firstly, if migration with additional PKCE columns was
         # generated and migrated
         def pkce_supported?
           Doorkeeper::AccessGrant.pkce_supported?

data/lib/doorkeeper/oauth/authorization/token.rb

@@ -63,7 +63,7 @@ module Doorkeeper
           )
         end
 
-        def native_redirect
+        def oob_redirect
           {
             controller: controller,
             action: :show,

data/lib/doorkeeper/oauth/code_response.rb

@@ -18,8 +18,8 @@ module Doorkeeper
       end
 
       def redirect_uri
-        if URIChecker.native_uri? pre_auth.redirect_uri
-          auth.native_redirect
+        if URIChecker.oob_uri? pre_auth.redirect_uri
+          auth.oob_redirect
         elsif response_on_fragment
           Authorization::URIBuilder.uri_with_fragment(
             pre_auth.redirect_uri,

data/lib/doorkeeper/oauth/error_response.rb

@@ -41,7 +41,7 @@ module Doorkeeper
 
       def redirectable?
         name != :invalid_redirect_uri && name != :invalid_client &&
-          !URIChecker.native_uri?(@redirect_uri)
+          !URIChecker.oob_uri?(@redirect_uri)
       end
 
       def redirect_uri

data/lib/doorkeeper/oauth/helpers/uri_checker.rb

@@ -25,10 +25,10 @@ module Doorkeeper
     module Helpers
       module URIChecker
         def self.valid?(url)
-          return true if native_uri?(url)
+          return true if oob_uri?(url)
 
           uri = as_uri(url)
-          uri.fragment.nil? && !uri.host.nil? && !uri.scheme.nil?
+          valid_scheme?(uri) && iff_host?(uri) && uri.fragment.nil? && uri.opaque.nil?
         rescue URI::InvalidURIError
           false
         end
@@ -78,8 +78,22 @@ module Doorkeeper
           client_query.split("&").sort == query.split("&").sort
         end
 
-        def self.native_uri?(url)
-          url == Doorkeeper.configuration.native_redirect_uri
+        def self.valid_scheme?(uri)
+          return false if uri.scheme.nil?
+
+          %w[localhost].include?(uri.scheme) == false
+        end
+
+        def self.hypertext_scheme?(uri)
+          %w[http https].include?(uri.scheme)
+        end
+
+        def self.iff_host?(uri)
+          !(hypertext_scheme?(uri) && uri.host.nil?)
+        end
+
+        def self.oob_uri?(uri)
+          NonStandard::IETF_WG_OAUTH2_OOB_METHODS.include?(uri)
         end
       end
     end

data/lib/doorkeeper/oauth/nonstandard.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module OAuth
+    class NonStandard
+      # These are not part of the OAuth 2 specification but are still in use by Google
+      # and in some other implementations. Native applications should use one of the
+      # approaches discussed in RFC8252. OOB is 'Out of Band'
+
+      # This value signals to the Google Authorization Server that the authorization
+      # code should be returned in the title bar of the browser, with the page text
+      # prompting the user to copy the code and paste it in the application.
+      # This is useful when the client (such as a Windows application) cannot listen
+      # on an HTTP port without significant client configuration.
+
+      # When you use this value, your application can then detect that the page has loaded, and can
+      # read the title of the HTML page to obtain the authorization code. It is then up to your
+      # application to close the browser window if you want to ensure that the user never sees the
+      # page that contains the authorization code. The mechanism for doing this varies from platform
+      # to platform.
+      #
+      # If your platform doesn't allow you to detect that the page has loaded or read the title of
+      # the page, you can have the user paste the code back to your application, as prompted by the
+      # text in the confirmation page that the OAuth 2.0 server generates.
+      IETF_WG_OAUTH2_OOB = "urn:ietf:wg:oauth:2.0:oob"
+
+      # This is identical to urn:ietf:wg:oauth:2.0:oob, but the text in the confirmation page that
+      # the OAuth 2.0 server generates won't instruct the user to copy the authorization code, but
+      # instead will simply ask the user to close the window.
+      #
+      # This is useful when your application reads the title of the HTML page (by checking window
+      # titles on the desktop, for example) to obtain the authorization code, but can't close the
+      # page on its own.
+      IETF_WG_OAUTH2_OOB_AUTO = "urn:ietf:wg:oauth:2.0:oob:auto"
+
+      IETF_WG_OAUTH2_OOB_METHODS = [IETF_WG_OAUTH2_OOB, IETF_WG_OAUTH2_OOB_AUTO].freeze
+    end
+  end
+end

data/lib/doorkeeper/oauth/refresh_token_request.rb

@@ -15,20 +15,20 @@ module Doorkeeper
                     :server
 
       def initialize(server, refresh_token, credentials, parameters = {})
-        @server          = server
-        @refresh_token   = refresh_token
-        @credentials     = credentials
+        @server = server
+        @refresh_token = refresh_token
+        @credentials = credentials
         @original_scopes = parameters[:scope] || parameters[:scopes]
         @refresh_token_parameter = parameters[:refresh_token]
-
-        if credentials
-          @client = Application.by_uid_and_secret credentials.uid,
-                                                  credentials.secret
-        end
+        @client = load_client(credentials) if credentials
       end
 
       private
 
+      def load_client(credentials)
+        Application.by_uid_and_secret(credentials.uid, credentials.secret)
+      end
+
       def before_successful_response
         refresh_token.transaction do
           refresh_token.lock!

data/lib/doorkeeper/oauth/token_introspection.rb

@@ -80,8 +80,7 @@ module Doorkeeper
 
       # Bearer Token Authentication
       def authorized_token
-        @authorized_token ||=
-          OAuth::Token.authenticate(server.context.request, :from_bearer_authorization)
+        @authorized_token ||= Doorkeeper.authenticate(server.context.request)
       end
 
       # 2.2. Introspection Response
@@ -150,9 +149,9 @@ module Doorkeeper
       #
       def active?
         if authorized_client
-          valid_token? && authorized_for_client?
+          valid_token? && token_introspection_allowed?(authorized_client.application)
         else
-          valid_token?
+          valid_token? && token_introspection_allowed?(authorized_token&.application)
         end
       end
 
@@ -166,14 +165,16 @@ module Doorkeeper
         authorized_token.token == @token&.token
       end
 
-      # If token doesn't belong to some client, then it is public.
-      # Otherwise in it required for token to be connected to the same client.
-      def authorized_for_client?
-        if @token.application
-          @token.application == authorized_client.application
-        else
-          true
-        end
+      # config constraints for introspection in Doorkeeper.configuration.allow_token_introspection
+      def token_introspection_allowed?(client)
+        allow_introspection = Doorkeeper.configuration.allow_token_introspection
+        return allow_introspection unless allow_introspection.respond_to?(:call)
+
+        allow_introspection.call(
+          @token,
+          client,
+          authorized_token
+        )
       end
 
       # Allows to customize introspection response.

data/lib/doorkeeper/orm/active_record.rb

@@ -6,6 +6,14 @@ require "doorkeeper/orm/active_record/stale_records_cleaner"
 
 module Doorkeeper
   module Orm
+    # ActiveRecord ORM for Doorkeeper entity models.
+    # Consists of three main OAuth entities:
+    #   * Access Token
+    #   * Access Grant
+    #   * Application (client)
+    #
+    # Do a lazy loading of all the required and configured stuff.
+    #
     module ActiveRecord
       def self.initialize_models!
         lazy_load do
@@ -14,7 +22,7 @@ module Doorkeeper
           require "doorkeeper/orm/active_record/application"
 
           if Doorkeeper.configuration.active_record_options[:establish_connection]
-            [Doorkeeper::AccessGrant, Doorkeeper::AccessToken, Doorkeeper::Application].each do |model|
+            Doorkeeper::Orm::ActiveRecord.models.each do |model|
               options = Doorkeeper.configuration.active_record_options[:establish_connection]
               model.establish_connection(options)
             end
@@ -33,6 +41,14 @@ module Doorkeeper
       def self.lazy_load(&block)
         ActiveSupport.on_load(:active_record, {}, &block)
       end
+
+      def self.models
+        [
+          Doorkeeper::AccessGrant,
+          Doorkeeper::AccessToken,
+          Doorkeeper::Application,
+        ]
+      end
     end
   end
 end

data/lib/doorkeeper/orm/active_record/access_grant.rb

@@ -16,7 +16,7 @@ module Doorkeeper
               :redirect_uri,
               presence: true
 
-    validates :token, uniqueness: true
+    validates :token, uniqueness: { case_sensitive: true }
 
     before_validation :generate_token, on: :create
 

data/lib/doorkeeper/orm/active_record/access_token.rb

@@ -9,8 +9,8 @@ module Doorkeeper
     belongs_to :application, class_name: "Doorkeeper::Application",
                              inverse_of: :access_tokens, optional: true
 
-    validates :token, presence: true, uniqueness: true
-    validates :refresh_token, uniqueness: true, if: :use_refresh_token?
+    validates :token, presence: true, uniqueness: { case_sensitive: true }
+    validates :refresh_token, uniqueness: { case_sensitive: true }, if: :use_refresh_token?
 
     # @attr_writer [Boolean, nil] use_refresh_token
     #   indicates the possibility of using refresh token

data/lib/doorkeeper/orm/active_record/application.rb

@@ -10,7 +10,7 @@ module Doorkeeper
     has_many :access_tokens, dependent: :delete_all, class_name: "Doorkeeper::AccessToken"
 
     validates :name, :secret, :uid, presence: true
-    validates :uid, uniqueness: true
+    validates :uid, uniqueness: { case_sensitive: true }
     validates :redirect_uri, redirect_uri: true
     validates :confidential, inclusion: { in: [true, false] }
 
@@ -60,38 +60,10 @@ module Doorkeeper
       end
     end
 
-    # Represents client as set of it's attributes in JSON format.
-    # This is the right way how we want to override ActiveRecord #to_json.
-    #
-    # Respects privacy settings and serializes minimum set of attributes
-    # for public/private clients and full set for authorized owners.
-    #
-    # @return [Hash] entity attributes for JSON
-    #
-    def as_json(options = {})
-      # if application belongs to some owner we need to check if it's the same as
-      # the one passed in the options or check if we render the client as an owner
-      if (respond_to?(:owner) && owner && owner == options[:current_resource_owner]) ||
-         options[:as_owner]
-        # Owners can see all the client attributes, fallback to ActiveModel serialization
-        super
-      else
-        # if application has no owner or it's owner doesn't match one from the options
-        # we render only minimum set of attributes that could be exposed to a public
-        only = extract_serializable_attributes(options)
-        super(options.merge(only: only))
-      end
-    end
-
-    # We need to hook into this method to allow serializing plan-text secrets
-    # when secrets hashing enabled.
-    #
-    # @param key [String] attribute name
-    #
-    def read_attribute_for_serialization(key)
-      return super unless key.to_s == "secret"
-
-      plaintext_secret || secret
+    def to_json(options)
+      serializable_hash(except: :secret)
+        .merge(secret: plaintext_secret)
+        .to_json(options)
     end
 
     private
@@ -118,37 +90,5 @@ module Doorkeeper
     def enforce_scopes?
       Doorkeeper.configuration.enforce_configured_scopes?
     end
-
-    # Helper method to extract collection of serializable attribute names
-    # considering serialization options (like `only`, `except` and so on).
-    #
-    # @param options [Hash] serialization options
-    #
-    # @return [Array<String>]
-    #   collection of attributes to be serialized using #as_json
-    #
-    def extract_serializable_attributes(options = {})
-      opts = options.try(:dup) || {}
-      only = Array.wrap(opts[:only]).map(&:to_s)
-
-      only = if only.blank?
-               serializable_attributes
-             else
-               only & serializable_attributes
-             end
-
-      only -= Array.wrap(opts[:except]).map(&:to_s) if opts.key?(:except)
-      only.uniq
-    end
-
-    # Collection of attributes that could be serialized for public.
-    # Override this method if you need additional attributes to be serialized.
-    #
-    # @return [Array<String>] collection of serializable attributes
-    def serializable_attributes
-      attributes = %w[id name created_at]
-      attributes << "uid" unless confidential?
-      attributes
-    end
   end
 end

data/lib/doorkeeper/stale_records_cleaner.rb

@@ -5,12 +5,16 @@ module Doorkeeper
     CLEANER_CLASS = "StaleRecordsCleaner"
 
     def self.for(base_scope)
-      orm_adapter = "doorkeeper/orm/#{Doorkeeper.configuration.orm}".classify
+      orm_adapter = "doorkeeper/orm/#{configured_orm}".classify
 
       orm_cleaner = "#{orm_adapter}::#{CLEANER_CLASS}".constantize
       orm_cleaner.new(base_scope)
     rescue NameError
-      raise Doorkeeper::Errors::NoOrmCleaner, "'#{Doorkeeper.configuration.orm}' ORM has no cleaner!"
+      raise Doorkeeper::Errors::NoOrmCleaner, "'#{configured_orm}' ORM has no cleaner!"
+    end
+
+    def self.configured_orm
+      Doorkeeper.configuration.orm
     end
 
     def self.new(base_scope)

data/lib/doorkeeper/version.rb

@@ -8,9 +8,9 @@ module Doorkeeper
   module VERSION
     # Semantic versioning
     MAJOR = 5
-    MINOR = 1
-    TINY = 2
-    PRE = nil
+    MINOR = 2
+    TINY = 0
+    PRE = "rc1"
 
     # Full version number
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

data/lib/generators/doorkeeper/previous_refresh_token_generator.rb

@@ -17,12 +17,12 @@ module Doorkeeper
     end
 
     def previous_refresh_token
-      if no_previous_refresh_token_column?
-        migration_template(
-          "add_previous_refresh_token_to_access_tokens.rb.erb",
-          "db/migrate/add_previous_refresh_token_to_access_tokens.rb"
-        )
-      end
+      return unless no_previous_refresh_token_column?
+
+      migration_template(
+        "add_previous_refresh_token_to_access_tokens.rb.erb",
+        "db/migrate/add_previous_refresh_token_to_access_tokens.rb"
+      )
     end
 
     private

data/lib/generators/doorkeeper/templates/initializer.rb

@@ -196,15 +196,6 @@ Doorkeeper.configure do
   #
   # access_token_methods :from_bearer_authorization, :from_access_token_param, :from_bearer_param
 
-  # Change the native redirect uri for client apps
-  # When clients register with the following redirect uri, they won't be redirected to
-  # any server and the authorizationcode will be displayed within the provider
-  # The value can be any string. Use nil to disable this feature. When disabled, clients
-  # must providea valid URL
-  # (Similar behaviour: https://developers.google.com/accounts/docs/OAuth2InstalledApp#choosingredirecturi)
-  #
-  # native_redirect_uri 'urn:ietf:wg:oauth:2.0:oob'
-
   # Forces the usage of the HTTPS protocol in non-native redirect uris (enabled
   # by default in non-development environments). OAuth2 delegates security in
   # communication to the HTTPS protocol so it is wise to keep this enabled.
@@ -323,6 +314,47 @@ Doorkeeper.configure do
   #   client.superapp? or resource_owner.admin?
   # end
 
+  # Configure custom constraints for the Token Introspection request. By default
+  # this configuration option allows to introspect the token that belongs to authorized
+  # client (from Bearer token or from authenticated client) OR when token doesn't
+  # belong to any client (public token). Otherwise requester has no access to the
+  # introspection and it will return response as stated in the RFC.
+  #
+  # You can define your custom check:
+  #
+  # allow_token_introspection do |token, authorized_client, _authorized_token|
+  #   if token.application
+  #     # `protected_resource` is a new database boolean column, for example
+  #     token.application == authorized_client || authorized_client.protected_resource?
+  #   else
+  #     true
+  #   end
+  # end
+  #
+  # Block arguments:
+  #
+  # @param token [Doorkeeper::AccessToken]
+  #   token to be introspected
+  #
+  # @param authorized_client [Doorkeeper::Application]
+  #   authorized client (if request is authorized using Basic auth with
+  #   Client Credentials for example)
+  #
+  # @param authorized_token [Doorkeeper::AccessToken]
+  #   Bearer token used to authorize the request
+  #
+  # Keep in mind, that in case the block returns `nil` or `false` introspection response
+  # doesn't have 401 status code and some descriptive body, you'll get 200 with
+  # { "active": false } body as stated in the RFC 7662 section 2.2. Introspection Response.
+  #
+  # You can completely disable any token introspection:
+  #
+  # allow_token_introspection false
+  #
+  # In such case every request for token introspection will get { "active": false } response.
+  # If you need to block the request at all, then configure your routes.rb or web-server
+  # like nginx to forbid the request.
+
   # WWW-Authenticate Realm (default "Doorkeeper").
   #
   # realm "Doorkeeper"