doorkeeper 5.1.2 → 5.2.2

data/spec/lib/oauth/code_request_spec.rb

@@ -4,18 +4,23 @@ require "spec_helper"
 
 module Doorkeeper::OAuth
   describe CodeRequest do
-    let(:pre_auth) do
-      double(
-        :pre_auth,
-        client: double(:application, id: 9990),
-        redirect_uri: "http://tst.com/cb",
-        scopes: nil,
-        state: nil,
-        error: nil,
-        authorizable?: true,
-        code_challenge: nil,
-        code_challenge_method: nil
-      )
+    let :pre_auth do
+      server = Doorkeeper.configuration
+      allow(server).to receive(:default_scopes).and_return(Scopes.from_string("public"))
+      allow(server).to receive(:grant_flows).and_return(Scopes.from_string("authorization_code"))
+
+      application = FactoryBot.create(:application, scopes: "public")
+      client = Doorkeeper::OAuth::Client.new(application)
+
+      attributes = {
+        client_id: client.uid,
+        response_type: "code",
+        redirect_uri: "https://app.com/callback",
+      }
+
+      pre_auth = PreAuthorization.new(server, attributes)
+      pre_auth.authorizable?
+      pre_auth
     end
 
     let(:owner) { double :owner, id: 8900 }
@@ -24,24 +29,18 @@ module Doorkeeper::OAuth
       CodeRequest.new(pre_auth, owner)
     end
 
-    it "creates an access grant" do
-      expect do
-        subject.authorize
-      end.to change { Doorkeeper::AccessGrant.count }.by(1)
+    context "when pre_auth is authorized" do
+      it "creates an access grant and returns a code response" do
+        expect { subject.authorize }.to change { Doorkeeper::AccessGrant.count }.by(1)
+        expect(subject.authorize).to be_a(CodeResponse)
+      end
     end
 
-    it "returns a code response" do
-      expect(subject.authorize).to be_a(CodeResponse)
-    end
-
-    it "does not create grant when not authorizable" do
-      allow(pre_auth).to receive(:authorizable?).and_return(false)
-      expect { subject.authorize }.not_to(change { Doorkeeper::AccessGrant.count })
-    end
-
-    it "returns a error response" do
-      allow(pre_auth).to receive(:authorizable?).and_return(false)
-      expect(subject.authorize).to be_a(ErrorResponse)
+    context "when pre_auth is denied" do
+      it "does not create access grant and returns a error response" do
+        expect { subject.deny }.not_to(change { Doorkeeper::AccessGrant.count })
+        expect(subject.deny).to be_a(ErrorResponse)
+      end
     end
   end
 end

data/spec/lib/oauth/helpers/uri_checker_spec.rb

@@ -40,13 +40,28 @@ module Doorkeeper::OAuth::Helpers
         expect(URIChecker.valid?(uri)).to be_falsey
       end
 
+      it "is invalid if localhost is resolved as as scheme (no scheme specified)" do
+        uri = "localhost:8080"
+        expect(URIChecker.valid?(uri)).to be_falsey
+      end
+
+      it "is invalid if scheme is missing #2" do
+        uri = "app.co:80"
+        expect(URIChecker.valid?(uri)).to be_falsey
+      end
+
       it "is invalid if is not an uri" do
         uri = "   "
         expect(URIChecker.valid?(uri)).to be_falsey
       end
 
-      it "is valid for native uris" do
-        uri = "urn:ietf:wg:oauth:2.0:oob"
+      it "is valid for custom schemes" do
+        uri = "com.example.app:/test"
+        expect(URIChecker.valid?(uri)).to be_truthy
+      end
+
+      it "is valid for custom schemes with authority marker (common misconfiguration)" do
+        uri = "com.example.app://test"
         expect(URIChecker.valid?(uri)).to be_truthy
       end
     end

data/spec/lib/oauth/invalid_request_response_spec.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+module Doorkeeper::OAuth
+  describe InvalidRequestResponse do
+    describe "#name" do
+      it { expect(subject.name).to eq(:invalid_request) }
+    end
+
+    describe "#status" do
+      it { expect(subject.status).to eq(:bad_request) }
+    end
+
+    describe :from_request do
+      let(:response) { InvalidRequestResponse.from_request(request) }
+
+      context "missing param" do
+        let(:request) { double(missing_param: "some_param") }
+
+        it "sets a description" do
+          expect(response.description).to eq(
+            I18n.t(:missing_param, scope: %i[doorkeeper errors messages invalid_request], value: "some_param")
+          )
+        end
+
+        it "sets the reason" do
+          expect(response.reason).to eq(:missing_param)
+        end
+      end
+
+      context "server doesn not support_pkce" do
+        let(:request) { double(invalid_request_reason: :not_support_pkce) }
+
+        it "sets a description" do
+          expect(response.description).to eq(
+            I18n.t(:not_support_pkce, scope: %i[doorkeeper errors messages invalid_request])
+          )
+        end
+
+        it "sets the reason" do
+          expect(response.reason).to eq(:not_support_pkce)
+        end
+      end
+
+      context "request is not authorized" do
+        let(:request) { double(invalid_request_reason: :request_not_authorized) }
+
+        it "sets a description" do
+          expect(response.description).to eq(
+            I18n.t(:request_not_authorized, scope: %i[doorkeeper errors messages invalid_request])
+          )
+        end
+
+        it "sets the reason" do
+          expect(response.reason).to eq(:request_not_authorized)
+        end
+      end
+
+      context "unknown reason" do
+        let(:request) { double(invalid_request_reason: :unknown_reason) }
+
+        it "sets a description" do
+          expect(response.description).to eq(
+            I18n.t(:unknown, scope: %i[doorkeeper errors messages invalid_request])
+          )
+        end
+
+        it "unknown reason" do
+          expect(response.reason).to eq(:unknown_reason)
+        end
+      end
+    end
+  end
+end

data/spec/lib/oauth/pre_authorization_spec.rb

@@ -6,31 +6,25 @@ module Doorkeeper::OAuth
   describe PreAuthorization do
     let(:server) do
       server = Doorkeeper.configuration
-      allow(server).to receive(:default_scopes).and_return(Scopes.new)
-      allow(server).to receive(:scopes).and_return(Scopes.from_string("public profile"))
+      allow(server).to receive(:default_scopes).and_return(Scopes.from_string("default"))
+      allow(server).to receive(:optional_scopes).and_return(Scopes.from_string("public profile"))
       server
     end
 
-    let(:application) do
-      application = double :application
-      allow(application).to receive(:scopes).and_return(Scopes.from_string(""))
-      application
-    end
-
-    let(:client) do
-      double :client, redirect_uri: "http://tst.com/auth", application: application
-    end
+    let(:application) { FactoryBot.create(:application, redirect_uri: "https://app.com/callback") }
+    let(:client) { Client.find(application.uid) }
 
     let :attributes do
       {
+        client_id: client.uid,
         response_type: "code",
-        redirect_uri: "http://tst.com/auth",
+        redirect_uri: "https://app.com/callback",
         state: "save-this",
       }
     end
 
     subject do
-      PreAuthorization.new(server, client, attributes)
+      PreAuthorization.new(server, attributes)
     end
 
     it "is authorizable when request is valid" do
@@ -38,25 +32,25 @@ module Doorkeeper::OAuth
     end
 
     it "accepts code as response type" do
-      subject.response_type = "code"
+      attributes[:response_type] = "code"
       expect(subject).to be_authorizable
     end
 
     it "accepts token as response type" do
       allow(server).to receive(:grant_flows).and_return(["implicit"])
-      subject.response_type = "token"
+      attributes[:response_type] = "token"
       expect(subject).to be_authorizable
     end
 
     context "when using default grant flows" do
       it 'accepts "code" as response type' do
-        subject.response_type = "code"
+        attributes[:response_type] = "code"
         expect(subject).to be_authorizable
       end
 
       it 'accepts "token" as response type' do
         allow(server).to receive(:grant_flows).and_return(["implicit"])
-        subject.response_type = "token"
+        attributes[:response_type] = "token"
         expect(subject).to be_authorizable
       end
     end
@@ -67,7 +61,7 @@ module Doorkeeper::OAuth
       end
 
       it 'does not accept "code" as response type' do
-        subject.response_type = "code"
+        attributes[:response_type] = "code"
         expect(subject).not_to be_authorizable
       end
     end
@@ -78,94 +72,90 @@ module Doorkeeper::OAuth
       end
 
       it 'does not accept "token" as response type' do
-        subject.response_type = "token"
+        attributes[:response_type] = "token"
         expect(subject).not_to be_authorizable
       end
     end
 
     context "client application does not restrict valid scopes" do
       it "accepts valid scopes" do
-        subject.scope = "public"
+        attributes[:scope] = "public"
         expect(subject).to be_authorizable
       end
 
       it "rejects (globally) non-valid scopes" do
-        subject.scope = "invalid"
+        attributes[:scope] = "invalid"
         expect(subject).not_to be_authorizable
       end
 
       it "accepts scopes which are permitted for grant_type" do
         allow(server).to receive(:scopes_by_grant_type).and_return(authorization_code: [:public])
-        subject.scope = "public"
+        attributes[:scope] = "public"
         expect(subject).to be_authorizable
       end
 
       it "rejects scopes which are not permitted for grant_type" do
         allow(server).to receive(:scopes_by_grant_type).and_return(authorization_code: [:profile])
-        subject.scope = "public"
+        attributes[:scope] = "public"
         expect(subject).not_to be_authorizable
       end
     end
 
     context "client application restricts valid scopes" do
       let(:application) do
-        application = double :application
-        allow(application).to receive(:scopes).and_return(Scopes.from_string("public nonsense"))
-        application
+        FactoryBot.create(:application, scopes: Scopes.from_string("public nonsense"))
       end
 
       it "accepts valid scopes" do
-        subject.scope = "public"
+        attributes[:scope] = "public"
         expect(subject).to be_authorizable
       end
 
       it "rejects (globally) non-valid scopes" do
-        subject.scope = "invalid"
+        attributes[:scope] = "invalid"
         expect(subject).not_to be_authorizable
       end
 
       it "rejects (application level) non-valid scopes" do
-        subject.scope = "profile"
+        attributes[:scope] = "profile"
         expect(subject).to_not be_authorizable
       end
 
       it "accepts scopes which are permitted for grant_type" do
         allow(server).to receive(:scopes_by_grant_type).and_return(authorization_code: [:public])
-        subject.scope = "public"
+        attributes[:scope] = "public"
         expect(subject).to be_authorizable
       end
 
       it "rejects scopes which are not permitted for grant_type" do
         allow(server).to receive(:scopes_by_grant_type).and_return(authorization_code: [:profile])
-        subject.scope = "public"
+        attributes[:scope] = "public"
         expect(subject).not_to be_authorizable
       end
     end
 
-    it "uses default scopes when none is required" do
-      allow(server).to receive(:default_scopes).and_return(Scopes.from_string("default"))
-      subject.scope = nil
-      expect(subject.scope).to eq("default")
-      expect(subject.scopes).to eq(Scopes.from_string("default"))
-    end
-
-    context "with native redirect uri" do
-      let(:native_redirect_uri) { "urn:ietf:wg:oauth:2.0:oob" }
+    context "when scope is not provided to pre_authorization" do
+      before { attributes[:scope] = nil }
 
-      it "accepts redirect_uri when it matches with the client" do
-        subject.redirect_uri = native_redirect_uri
-        allow(subject.client).to receive(:redirect_uri) { native_redirect_uri }
-        expect(subject).to be_authorizable
+      context "when default scopes is provided" do
+        it "uses default scopes" do
+          allow(server).to receive(:default_scopes).and_return(Scopes.from_string("default_scope"))
+          expect(subject).to be_authorizable
+          expect(subject.scope).to eq("default_scope")
+          expect(subject.scopes).to eq(Scopes.from_string("default_scope"))
+        end
       end
 
-      it "invalidates redirect_uri when it does'n match with the client" do
-        subject.redirect_uri = "urn:ietf:wg:oauth:2.0:oob"
-        expect(subject).not_to be_authorizable
+      context "when default scopes is none" do
+        it "not be authorizable when none default scope" do
+          allow(server).to receive(:default_scopes).and_return(Scopes.new)
+          expect(subject).not_to be_authorizable
+        end
       end
     end
 
     it "matches the redirect uri against client's one" do
-      subject.redirect_uri = "http://nothesame.com"
+      attributes[:redirect_uri] = "http://nothesame.com"
       expect(subject).not_to be_authorizable
     end
 
@@ -174,41 +164,61 @@ module Doorkeeper::OAuth
     end
 
     it "rejects if response type is not allowed" do
-      subject.response_type = "whops"
+      attributes[:response_type] = "whops"
       expect(subject).not_to be_authorizable
     end
 
     it "requires an existing client" do
-      subject.client = nil
+      attributes[:client_id] = nil
       expect(subject).not_to be_authorizable
     end
 
     it "requires a redirect uri" do
-      subject.redirect_uri = nil
+      attributes[:redirect_uri] = nil
       expect(subject).not_to be_authorizable
     end
 
     describe "as_json" do
-      let(:client_id) { "client_uid_123" }
-      let(:client_name) { "Acme Co." }
+      before { subject.authorizable? }
 
-      before do
-        allow(client).to receive(:uid).and_return client_id
-        allow(client).to receive(:name).and_return client_name
+      it { is_expected.to respond_to :as_json }
+
+      shared_examples "returns the pre authorization" do
+        it "returns the pre authorization" do
+          expect(json[:client_id]).to eq client.uid
+          expect(json[:redirect_uri]).to eq subject.redirect_uri
+          expect(json[:state]).to eq subject.state
+          expect(json[:response_type]).to eq subject.response_type
+          expect(json[:scope]).to eq subject.scope
+          expect(json[:client_name]).to eq client.name
+          expect(json[:status]).to eq I18n.t("doorkeeper.pre_authorization.status")
+        end
       end
 
-      let(:json) { subject.as_json({}) }
+      context "when attributes param is not passed" do
+        let(:json) { subject.as_json }
 
-      it { is_expected.to respond_to :as_json }
+        include_examples "returns the pre authorization"
+      end
+
+      context "when attributes param is passed" do
+        context "when attributes is a hash" do
+          let(:custom_attributes) { { custom_id: "1234", custom_name: "a pretty good name" } }
+          let(:json) { subject.as_json(custom_attributes) }
+
+          include_examples "returns the pre authorization"
+
+          it "merges the attributes in params" do
+            expect(json[:custom_id]).to eq custom_attributes[:custom_id]
+            expect(json[:custom_name]).to eq custom_attributes[:custom_name]
+          end
+        end
+
+        context "when attributes is not a hash" do
+          let(:json) { subject.as_json(nil) }
 
-      it "returns correct values" do
-        expect(json[:client_id]).to eq client_id
-        expect(json[:redirect_uri]).to eq subject.redirect_uri
-        expect(json[:state]).to eq subject.state
-        expect(json[:response_type]).to eq subject.response_type
-        expect(json[:scope]).to eq subject.scope
-        expect(json[:client_name]).to eq client_name
-        expect(json[:status]).to eq I18n.t("doorkeeper.pre_authorization.status")
+          include_examples "returns the pre authorization"
+        end
       end
     end
   end

data/spec/lib/oauth/refresh_token_request_spec.rb

@@ -63,6 +63,7 @@ module Doorkeeper::OAuth
       subject.refresh_token = nil
       subject.validate
       expect(subject.error).to eq(:invalid_request)
+      expect(subject.missing_param).to eq(:refresh_token)
     end
 
     it "requires credentials to be valid if provided" do

data/spec/lib/oauth/token_request_spec.rb

@@ -9,15 +9,21 @@ module Doorkeeper::OAuth
     end
 
     let :pre_auth do
-      double(
-        :pre_auth,
-        client: application,
-        redirect_uri: "http://tst.com/cb",
-        state: nil,
-        scopes: Scopes.from_string("public"),
-        error: nil,
-        authorizable?: true
-      )
+      server = Doorkeeper.configuration
+      allow(server).to receive(:default_scopes).and_return(Scopes.from_string("public"))
+      allow(server).to receive(:grant_flows).and_return(Scopes.from_string("implicit"))
+
+      client = Doorkeeper::OAuth::Client.new(application)
+
+      attributes = {
+        client_id: client.uid,
+        response_type: "token",
+        redirect_uri: "https://app.com/callback",
+      }
+
+      pre_auth = PreAuthorization.new(server, attributes)
+      pre_auth.authorizable?
+      pre_auth
     end
 
     let :owner do
@@ -38,14 +44,11 @@ module Doorkeeper::OAuth
       expect(subject.authorize).to be_a(CodeResponse)
     end
 
-    it "does not create token when not authorizable" do
-      allow(pre_auth).to receive(:authorizable?).and_return(false)
-      expect { subject.authorize }.not_to(change { Doorkeeper::AccessToken.count })
-    end
-
-    it "returns a error response" do
-      allow(pre_auth).to receive(:authorizable?).and_return(false)
-      expect(subject.authorize).to be_a(ErrorResponse)
+    context "when pre_auth is denied" do
+      it "does not create token and returns a error response" do
+        expect { subject.deny }.not_to(change { Doorkeeper::AccessToken.count })
+        expect(subject.deny).to be_a(ErrorResponse)
+      end
     end
 
     describe "with custom expiration" do

data/spec/lib/server_spec.rb

@@ -10,12 +10,6 @@ describe Doorkeeper::Server do
   end
 
   describe ".authorization_request" do
-    it "raises error when strategy does not exist" do
-      expect do
-        subject.authorization_request(:duh)
-      end.to raise_error(Doorkeeper::Errors::InvalidAuthorizationStrategy)
-    end
-
     it "raises error when strategy does not match phase" do
       expect do
         subject.token_request(:code)
@@ -29,12 +23,6 @@ describe Doorkeeper::Server do
           .and_return(["authorization_code"])
       end
 
-      it "raises error when using the disabled Implicit strategy" do
-        expect do
-          subject.authorization_request(:token)
-        end.to raise_error(Doorkeeper::Errors::InvalidAuthorizationStrategy)
-      end
-
       it "raises error when using the disabled Client Credentials strategy" do
         expect do
           subject.token_request(:client_credentials)

data/spec/models/doorkeeper/access_grant_spec.rb

@@ -61,10 +61,29 @@ describe Doorkeeper::AccessGrant do
         it "upgrades a plain token when falling back to it" do
           # Side-effect: This will automatically upgrade the token
           expect(clazz).to receive(:upgrade_fallback_value).and_call_original
-          expect(clazz.by_token(plain_text_token)).to eq(grant)
+          expect(clazz.by_token(plain_text_token))
+            .to have_attributes(
+              resource_owner_id: grant.resource_owner_id,
+              application_id: grant.application_id,
+              redirect_uri: grant.redirect_uri,
+              expires_in: grant.expires_in,
+              scopes: grant.scopes,
+            )
 
           # Will find subsequently by hashing the token
-          expect(clazz.by_token(plain_text_token)).to eq(grant)
+          expect(clazz.by_token(plain_text_token))
+            .to have_attributes(
+              resource_owner_id: grant.resource_owner_id,
+              application_id: grant.application_id,
+              redirect_uri: grant.redirect_uri,
+              expires_in: grant.expires_in,
+              scopes: grant.scopes,
+            )
+
+          # Not all the ORM support :id PK
+          if grant.respond_to?(:id)
+            expect(clazz.by_token(plain_text_token).id).to eq(grant.id)
+          end
 
           # And it modifies the token value
           grant.reload

data/spec/models/doorkeeper/access_token_spec.rb

@@ -73,10 +73,25 @@ module Doorkeeper
             it "upgrades a plain token when falling back to it" do
               # Side-effect: This will automatically upgrade the token
               expect(clazz).to receive(:upgrade_fallback_value).and_call_original
-              expect(clazz.by_token(plain_text_token)).to eq(access_token)
+              expect(clazz.by_token(plain_text_token))
+                .to have_attributes(
+                  resource_owner_id: access_token.resource_owner_id,
+                  application_id: access_token.application_id,
+                  scopes: access_token.scopes,
+                )
 
               # Will find subsequently by hashing the token
-              expect(clazz.by_token(plain_text_token)).to eq(access_token)
+              expect(clazz.by_token(plain_text_token))
+                .to have_attributes(
+                  resource_owner_id: access_token.resource_owner_id,
+                  application_id: access_token.application_id,
+                  scopes: access_token.scopes,
+                )
+
+              # Not all the ORM support :id PK
+              if access_token.respond_to?(:id)
+                expect(clazz.by_token(plain_text_token).id).to eq(access_token.id)
+              end
 
               # And it modifies the token value
               access_token.reload
@@ -113,6 +128,7 @@ module Doorkeeper
         eigenclass.class_eval do
           remove_method :generate
         end
+
         module CustomGeneratorArgs
           def self.generate(opts = {})
             "custom_generator_token_#{opts[:application].name}"
@@ -307,10 +323,25 @@ module Doorkeeper
             it "upgrades a plain token when falling back to it" do
               # Side-effect: This will automatically upgrade the token
               expect(clazz).to receive(:upgrade_fallback_value).and_call_original
-              expect(clazz.by_refresh_token(plain_refresh_token)).to eq(access_token)
+              expect(clazz.by_refresh_token(plain_refresh_token))
+                .to have_attributes(
+                  token: access_token.token,
+                  resource_owner_id: access_token.resource_owner_id,
+                  application_id: access_token.application_id,
+                )
 
               # Will find subsequently by hashing the token
-              expect(clazz.by_refresh_token(plain_refresh_token)).to eq(access_token)
+              expect(clazz.by_refresh_token(plain_refresh_token))
+                .to have_attributes(
+                  token: access_token.token,
+                  resource_owner_id: access_token.resource_owner_id,
+                  application_id: access_token.application_id,
+                )
+
+              # Not all the ORM support :id PK
+              if access_token.respond_to?(:id)
+                expect(clazz.by_refresh_token(plain_refresh_token).id).to eq(access_token.id)
+              end
 
               # And it modifies the token value
               access_token.reload