doorkeeper 5.1.2 → 5.2.0.rc1

data/spec/requests/flows/authorization_code_spec.rb

@@ -28,8 +28,8 @@ feature "Authorization Code Flow" do
       config_is_set(:token_secret_strategy, ::Doorkeeper::SecretStoring::Sha256Hash)
     end
 
-    scenario "Authorization Code Flow with hashing" do
-      @client.redirect_uri = Doorkeeper.configuration.native_redirect_uri
+    def authorize(redirect_url)
+      @client.redirect_uri = redirect_url
       @client.save!
       visit authorization_endpoint_url(client: @client)
       click_on "Authorize"
@@ -42,16 +42,28 @@ feature "Authorization Code Flow" do
       hashed_code = Doorkeeper::AccessGrant.secret_strategy.transform_secret code
       expect(hashed_code).to eq Doorkeeper::AccessGrant.first.token
 
+      [code, hashed_code]
+    end
+
+    scenario "using redirect_url urn:ietf:wg:oauth:2.0:oob" do
+      code, hashed_code = authorize("urn:ietf:wg:oauth:2.0:oob")
       expect(code).not_to eq(hashed_code)
+      i_should_see "Authorization code:"
+      i_should_see code
+      i_should_not_see hashed_code
+    end
 
+    scenario "using redirect_url urn:ietf:wg:oauth:2.0:oob:auto" do
+      code, hashed_code = authorize("urn:ietf:wg:oauth:2.0:oob:auto")
+      expect(code).not_to eq(hashed_code)
       i_should_see "Authorization code:"
       i_should_see code
       i_should_not_see hashed_code
     end
   end
 
-  scenario "resource owner authorizes using test url" do
-    @client.redirect_uri = Doorkeeper.configuration.native_redirect_uri
+  scenario "resource owner authorizes using oob url" do
+    @client.redirect_uri = "urn:ietf:wg:oauth:2.0:oob"
     @client.save!
     visit authorization_endpoint_url(client: @client)
     click_on "Authorize"

data/spec/requests/flows/revoke_token_spec.rb

@@ -40,16 +40,14 @@ describe "Revoke Token Flow" do
       end
 
       context "with invalid token to revoke" do
-        it "should not revoke any tokens and respond successfully" do
+        it "should not revoke any tokens and respond with forbidden" do
           expect do
             post revocation_token_endpoint_url,
                  params: { token: "I_AM_AN_INVALID_TOKEN" },
                  headers: headers
           end.not_to(change { Doorkeeper::AccessToken.where(revoked_at: nil).count })
 
-          # The authorization server responds with HTTP status code 200 even if
-          # token is invalid
-          expect(response).to be_successful
+          expect(response).to be_forbidden
         end
       end
 
@@ -59,19 +57,23 @@ describe "Revoke Token Flow" do
           credentials = Base64.encode64("#{client_id}:poop")
           { "HTTP_AUTHORIZATION" => "Basic #{credentials}" }
         end
-        it "should not revoke any tokens and respond successfully" do
+        it "should not revoke any tokens and respond with forbidden" do
           post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
 
-          expect(response).to be_successful
+          expect(response).to be_forbidden
+          expect(response.body).to include("unauthorized_client")
+          expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
           expect(access_token.reload.revoked?).to be_falsey
         end
       end
 
       context "with no credentials and a valid token" do
-        it "should not revoke any tokens and respond successfully" do
+        it "should not revoke any tokens and respond with forbidden" do
           post revocation_token_endpoint_url, params: { token: access_token.token }
 
-          expect(response).to be_successful
+          expect(response).to be_forbidden
+          expect(response.body).to include("unauthorized_client")
+          expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
           expect(access_token.reload.revoked?).to be_falsey
         end
       end
@@ -88,7 +90,9 @@ describe "Revoke Token Flow" do
         it "should not revoke the token as its unauthorized" do
           post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
 
-          expect(response).to be_successful
+          expect(response).to be_forbidden
+          expect(response.body).to include("unauthorized_client")
+          expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
           expect(access_token.reload.revoked?).to be_falsey
         end
       end
@@ -127,14 +131,18 @@ describe "Revoke Token Flow" do
         it "should not revoke the access token provided" do
           post revocation_token_endpoint_url, params: { token: access_token.token }
 
-          expect(response).to be_successful
+          expect(response).to be_forbidden
+          expect(response.body).to include("unauthorized_client")
+          expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
           expect(access_token.reload.revoked?).to be_falsey
         end
 
         it "should not revoke the refresh token provided" do
           post revocation_token_endpoint_url, params: { token: access_token.token }
 
-          expect(response).to be_successful
+          expect(response).to be_forbidden
+          expect(response.body).to include("unauthorized_client")
+          expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
           expect(access_token.reload.revoked?).to be_falsey
         end
       end

data/spec/support/doorkeeper_rspec.rb

@@ -16,7 +16,7 @@ module Doorkeeper
     # Tries to find ORM from the Gemfile used to run test suite
     def self.detect_orm
       orm = (ENV["BUNDLE_GEMFILE"] || "").match(/Gemfile\.(.+)\.rb/)
-      (orm && orm[1] || :active_record).to_sym
+      (orm && orm[1] || ENV["ORM"] || :active_record).to_sym
     end
   end
 end

data/spec/validators/redirect_uri_validator_spec.rb

@@ -18,7 +18,7 @@ describe RedirectUriValidator do
   #
   # @see https://www.oauth.com/oauth2-servers/redirect-uris/redirect-uris-native-apps/
   it "is valid when the uri is custom native URI" do
-    subject.redirect_uri = "myapp://callback"
+    subject.redirect_uri = "myapp:/callback"
     expect(subject).to be_valid
   end
 
@@ -27,33 +27,48 @@ describe RedirectUriValidator do
     expect(subject).to be_valid
   end
 
-  it "accepts native redirect uri" do
+  it "accepts nonstandard oob redirect uri" do
     subject.redirect_uri = "urn:ietf:wg:oauth:2.0:oob"
     expect(subject).to be_valid
   end
 
-  it "rejects if test uri is disabled" do
-    allow(RedirectUriValidator).to receive(:native_redirect_uri).and_return(nil)
-    subject.redirect_uri = "urn:some:test"
-    expect(subject).not_to be_valid
+  it "accepts nonstandard oob:auto redirect uri" do
+    subject.redirect_uri = "urn:ietf:wg:oauth:2.0:oob:auto"
+    expect(subject).to be_valid
   end
 
   it "is invalid when the uri is not a uri" do
     subject.redirect_uri = "]"
     expect(subject).not_to be_valid
-    expect(subject.errors[:redirect_uri].first).to eq("must be a valid URI.")
+    expect(subject.errors[:redirect_uri].first).to eq(I18n.t("activerecord.errors.models.doorkeeper/application.attributes.redirect_uri.invalid_uri"))
   end
 
   it "is invalid when the uri is relative" do
     subject.redirect_uri = "/abcd"
     expect(subject).not_to be_valid
-    expect(subject.errors[:redirect_uri].first).to eq("must be an absolute URI.")
+    expect(subject.errors[:redirect_uri].first).to eq(I18n.t("activerecord.errors.models.doorkeeper/application.attributes.redirect_uri.relative_uri"))
   end
 
   it "is invalid when the uri has a fragment" do
     subject.redirect_uri = "https://example.com/abcd#xyz"
     expect(subject).not_to be_valid
-    expect(subject.errors[:redirect_uri].first).to eq("cannot contain a fragment.")
+    expect(subject.errors[:redirect_uri].first).to eq(I18n.t("activerecord.errors.models.doorkeeper/application.attributes.redirect_uri.fragment_present"))
+  end
+
+  it "is invalid when scheme resolves to localhost (needs an explict scheme)" do
+    subject.redirect_uri = "localhost:80"
+    expect(subject).to be_invalid
+    expect(subject.errors[:redirect_uri].first).to eq(I18n.t("activerecord.errors.models.doorkeeper/application.attributes.redirect_uri.unspecified_scheme"))
+  end
+
+  it "is invalid if an ip address" do
+    subject.redirect_uri = "127.0.0.1:8080"
+    expect(subject).to be_invalid
+  end
+
+  it "accepts an ip address based URI if a scheme is specified" do
+    subject.redirect_uri = "https://127.0.0.1:8080"
+    expect(subject).to be_valid
   end
 
   context "force secured uri" do
@@ -62,13 +77,23 @@ describe RedirectUriValidator do
       expect(subject).to be_valid
     end
 
-    it "accepts native redirect uri" do
-      subject.redirect_uri = "urn:ietf:wg:oauth:2.0:oob"
+    it "accepts custom scheme redirect uri (as per rfc8252 section 7.1)" do
+      subject.redirect_uri = "com.example.app:/oauth/callback"
+      expect(subject).to be_valid
+    end
+
+    it "accepts custom scheme redirect uri (as per rfc8252 section 7.1) #2" do
+      subject.redirect_uri = "com.example.app:/test"
+      expect(subject).to be_valid
+    end
+
+    it "accepts custom scheme redirect uri (common misconfiguration we have decided to allow)" do
+      subject.redirect_uri = "com.example.app://oauth/callback"
       expect(subject).to be_valid
     end
 
-    it "accepts app redirect uri" do
-      subject.redirect_uri = "some-awesome-app://oauth/callback"
+    it "accepts custom scheme redirect uri (common misconfiguration we have decided to allow) #2" do
+      subject.redirect_uri = "com.example.app://test"
       expect(subject).to be_valid
     end
 
@@ -118,7 +143,7 @@ describe RedirectUriValidator do
       subject.redirect_uri = "http://example.com/callback"
       expect(subject).not_to be_valid
       error = subject.errors[:redirect_uri].first
-      expect(error).to eq("must be an HTTPS/SSL URI.")
+      expect(error).to eq(I18n.t("activerecord.errors.models.doorkeeper/application.attributes.redirect_uri.secured_uri"))
     end
   end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper
 version: !ruby/object:Gem::Version
-  version: 5.1.2
+  version: 5.2.0.rc1
 platform: ruby
 authors:
 - Felipe Elias Philipp
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-10-19 00:00:00.000000000 Z
+date: 2019-05-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -174,16 +174,8 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".coveralls.yml"
-- ".github/ISSUE_TEMPLATE.md"
-- ".github/PULL_REQUEST_TEMPLATE.md"
-- ".gitignore"
-- ".gitlab-ci.yml"
-- ".hound.yml"
-- ".rspec"
-- ".rubocop.yml"
-- ".travis.yml"
 - Appraisals
+- CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - CONTRIBUTING.md
 - Dangerfile
@@ -269,6 +261,7 @@ files:
 - lib/doorkeeper/oauth/helpers/unique_token.rb
 - lib/doorkeeper/oauth/helpers/uri_checker.rb
 - lib/doorkeeper/oauth/invalid_token_response.rb
+- lib/doorkeeper/oauth/nonstandard.rb
 - lib/doorkeeper/oauth/password_access_token_request.rb
 - lib/doorkeeper/oauth/pre_authorization.rb
 - lib/doorkeeper/oauth/refresh_token_request.rb
@@ -471,12 +464,11 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.9
+rubygems_version: 3.0.2
 signing_key: 
 specification_version: 4
 summary: OAuth 2 provider for Rails and Grape

data/.coveralls.yml

@@ -1 +0,0 @@
-service_name: travis-ci

data/.github/ISSUE_TEMPLATE.md

@@ -1,25 +0,0 @@
-### Steps to reproduce
-What we need to do to see your problem or bug?
-
-The more detailed the issue, the more likely that we will fix it ASAP.
-
-Don't use GitHub issues for questions like "How can I do that?" —
-use [StackOverflow](https://stackoverflow.com/questions/tagged/doorkeeper)
-instead with the corresponding tag.
-
-### Expected behavior
-Tell us what should happen
-
-### Actual behavior
-Tell us what happens instead
-
-### System configuration
-You can help us to understand your problem if you will share some very
-useful information about your project environment (don't forget to
-remove any confidential data if it exists).
-
-**Doorkeeper initializer**:
-
-**Ruby version**:
-
-**Gemfile.lock**:

data/.github/PULL_REQUEST_TEMPLATE.md

@@ -1,17 +0,0 @@
-### Summary
-
-Provide a general description of the code changes in your pull
-request... were there any bugs you had fixed? If so, mention them. If
-these bugs have open GitHub issues, be sure to tag them here as well,
-to keep the conversation linked together.
-
-### Other Information
-
-If there's anything else that's important and relevant to your pull
-request, mention that information here. This could include
-benchmarks, or other information.
-
-If you are updating NEWS.md file or are asked to update it by reviewers,
-please add the changelog entry at the top of the file.
-
-Thanks for contributing to Doorkeeper project!

data/.gitignore

@@ -1,20 +0,0 @@
-.bundle/
-.rbx
-*.rbc
-log/*.log
-pkg/
-spec/dummy/db/*.sqlite3
-spec/dummy/log/*.log
-spec/dummy/tmp/
-spec/generators/tmp
-Gemfile.lock
-gemfiles/*.lock
-.rvmrc
-*.swp
-.idea
-/.yardoc/
-/_yardoc/
-/doc/
-/rdoc/
-coverage
-*.gem

data/.gitlab-ci.yml

@@ -1,16 +0,0 @@
-dependency_scanning:
-  image: docker:stable
-  variables:
-    DOCKER_DRIVER: overlay2
-  allow_failure: true
-  services:
-    - docker:stable-dind
-  script:
-    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
-    - docker run
-        --env DEP_SCAN_DISABLE_REMOTE_CHECKS="${DEP_SCAN_DISABLE_REMOTE_CHECKS:-false}"
-        --volume "$PWD:/code"
-        --volume /var/run/docker.sock:/var/run/docker.sock
-        "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$SP_VERSION" /code
-  artifacts:
-    paths: [gl-dependency-scanning-report.json]

data/.hound.yml

@@ -1,3 +0,0 @@
-rubocop:
-  config_file: .rubocop.yml
-  version: 0.64.0

data/.rspec

@@ -1 +0,0 @@
---colour

data/.rubocop.yml

@@ -1,50 +0,0 @@
-AllCops:
-  TargetRubyVersion: 2.4
-  Exclude:
-    - "spec/dummy/db/*"
-    - "spec/dummy/config/*"
-    - "Dangerfile"
-    - "gemfiles/*.gemfile"
-
-Metrics/BlockLength:
-  Exclude:
-    - spec/**/*
-    - lib/doorkeeper/rake/*
-
-Metrics/LineLength:
-  Exclude:
-    - spec/**/*
-  Max: 100
-
-Metrics/MethodLength:
-  Exclude:
-    - spec/dummy/db/*
-
-Style/StringLiterals:
-  EnforcedStyle: double_quotes
-Style/StringLiteralsInInterpolation:
-  EnforcedStyle: double_quotes
-
-Style/FrozenStringLiteralComment:
-  Enabled: true
-
-Style/TrailingCommaInHashLiteral:
-  EnforcedStyleForMultiline: consistent_comma
-Style/TrailingCommaInArrayLiteral:
-  EnforcedStyleForMultiline: consistent_comma
-
-Style/SymbolArray:
-  MinSize: 3
-Style/WordArray:
-  MinSize: 3
-
-Style/ClassAndModuleChildren:
-  Exclude:
-    - spec/**/*
-
-Layout/MultilineMethodCallIndentation:
-  EnforcedStyle: indented
-Layout/TrailingBlankLines:
-  Enabled: true
-Layout/DotPosition:
-  EnforcedStyle: leading

data/.travis.yml

@@ -1,35 +0,0 @@
-language: ruby
-cache: bundler
-
-rvm:
-  - 2.4
-  - 2.5
-  - 2.6
-  - ruby-head
-
-#before_install:
-#  - gem update --system
-#  - gem install bundler
-
-gemfile:
-  - gemfiles/rails_5_0.gemfile
-  - gemfiles/rails_5_1.gemfile
-  - gemfiles/rails_5_2.gemfile
-  - gemfiles/rails_6_0.gemfile
-  - gemfiles/rails_master.gemfile
-
-matrix:
-  fast_finish: true
-  # Run Danger only once
-  include:
-    - rvm: 2.5
-      gemfile: gemfiles/rails_5_2.gemfile
-      script: bundle exec danger
-  exclude:
-    - gemfile: gemfiles/rails_6_0.gemfile
-      rvm: 2.4
-    - gemfile: gemfiles/rails_master.gemfile
-      rvm: 2.4
-  allow_failures:
-    - gemfile: gemfiles/rails_master.gemfile
-    - rvm: ruby-head