RubyGems - doorkeeper - Versions diffs - 5.1.2 → 5.2.2 - Mend

doorkeeper 5.1.2 → 5.2.2

Potentially problematic release.

This version of doorkeeper might be problematic. Click here for more details.

Files changed (107) hide show

checksums.yaml +4 -4
data/Appraisals +1 -1
data/CHANGELOG.md +854 -0
data/CONTRIBUTING.md +11 -9
data/Dangerfile +2 -2
data/Dockerfile +29 -0
data/Gemfile +3 -2
data/NEWS.md +1 -819
data/README.md +11 -3
data/RELEASING.md +6 -5
data/app/controllers/doorkeeper/application_controller.rb +1 -1
data/app/controllers/doorkeeper/application_metal_controller.rb +2 -1
data/app/controllers/doorkeeper/applications_controller.rb +5 -3
data/app/controllers/doorkeeper/authorizations_controller.rb +14 -7
data/app/controllers/doorkeeper/authorized_applications_controller.rb +1 -1
data/app/controllers/doorkeeper/tokens_controller.rb +32 -9
data/app/views/doorkeeper/applications/_form.html.erb +0 -6
data/app/views/doorkeeper/applications/show.html.erb +1 -1
data/config/locales/en.yml +8 -2
data/doorkeeper.gemspec +9 -1
data/gemfiles/rails_5_0.gemfile +1 -0
data/gemfiles/rails_5_1.gemfile +1 -0
data/gemfiles/rails_5_2.gemfile +1 -0
data/gemfiles/rails_6_0.gemfile +2 -1
data/gemfiles/rails_master.gemfile +1 -0
data/lib/doorkeeper/config/option.rb +13 -7
data/lib/doorkeeper/config.rb +88 -6
data/lib/doorkeeper/errors.rb +13 -18
data/lib/doorkeeper/grape/helpers.rb +5 -1
data/lib/doorkeeper/helpers/controller.rb +23 -4
data/lib/doorkeeper/models/access_token_mixin.rb +43 -2
data/lib/doorkeeper/oauth/authorization/code.rb +11 -13
data/lib/doorkeeper/oauth/authorization/token.rb +1 -1
data/lib/doorkeeper/oauth/authorization_code_request.rb +18 -9
data/lib/doorkeeper/oauth/base_request.rb +2 -0
data/lib/doorkeeper/oauth/client_credentials/creator.rb +14 -0
data/lib/doorkeeper/oauth/client_credentials/validation.rb +8 -0
data/lib/doorkeeper/oauth/code_request.rb +5 -11
data/lib/doorkeeper/oauth/code_response.rb +2 -2
data/lib/doorkeeper/oauth/error_response.rb +1 -1
data/lib/doorkeeper/oauth/helpers/uri_checker.rb +18 -4
data/lib/doorkeeper/oauth/invalid_request_response.rb +43 -0
data/lib/doorkeeper/oauth/nonstandard.rb +39 -0
data/lib/doorkeeper/oauth/password_access_token_request.rb +7 -2
data/lib/doorkeeper/oauth/pre_authorization.rb +70 -37
data/lib/doorkeeper/oauth/refresh_token_request.rb +13 -10
data/lib/doorkeeper/oauth/token_introspection.rb +23 -13
data/lib/doorkeeper/oauth/token_request.rb +4 -18
data/lib/doorkeeper/orm/active_record/access_grant.rb +1 -1
data/lib/doorkeeper/orm/active_record/access_token.rb +2 -2
data/lib/doorkeeper/orm/active_record/application.rb +15 -69
data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb +61 -0
data/lib/doorkeeper/orm/active_record.rb +19 -3
data/lib/doorkeeper/request/authorization_code.rb +2 -0
data/lib/doorkeeper/request.rb +6 -11
data/lib/doorkeeper/server.rb +2 -6
data/lib/doorkeeper/stale_records_cleaner.rb +6 -2
data/lib/doorkeeper/version.rb +1 -1
data/lib/doorkeeper.rb +4 -0
data/lib/generators/doorkeeper/previous_refresh_token_generator.rb +6 -6
data/lib/generators/doorkeeper/templates/initializer.rb +110 -33
data/lib/generators/doorkeeper/templates/migration.rb.erb +4 -1
data/spec/controllers/applications_controller_spec.rb +93 -0
data/spec/controllers/authorizations_controller_spec.rb +143 -62
data/spec/controllers/protected_resources_controller_spec.rb +3 -3
data/spec/controllers/tokens_controller_spec.rb +205 -37
data/spec/dummy/config/application.rb +3 -1
data/spec/dummy/config/initializers/doorkeeper.rb +54 -9
data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +1 -1
data/spec/lib/config_spec.rb +43 -1
data/spec/lib/oauth/authorization_code_request_spec.rb +13 -1
data/spec/lib/oauth/base_request_spec.rb +33 -16
data/spec/lib/oauth/client_credentials/creator_spec.rb +3 -0
data/spec/lib/oauth/code_request_spec.rb +27 -28
data/spec/lib/oauth/helpers/uri_checker_spec.rb +17 -2
data/spec/lib/oauth/invalid_request_response_spec.rb +75 -0
data/spec/lib/oauth/pre_authorization_spec.rb +76 -66
data/spec/lib/oauth/refresh_token_request_spec.rb +1 -0
data/spec/lib/oauth/token_request_spec.rb +20 -17
data/spec/lib/server_spec.rb +0 -12
data/spec/models/doorkeeper/access_grant_spec.rb +21 -2
data/spec/models/doorkeeper/access_token_spec.rb +35 -4
data/spec/models/doorkeeper/application_spec.rb +275 -370
data/spec/requests/endpoints/authorization_spec.rb +21 -5
data/spec/requests/endpoints/token_spec.rb +1 -1
data/spec/requests/flows/authorization_code_errors_spec.rb +1 -0
data/spec/requests/flows/authorization_code_spec.rb +93 -27
data/spec/requests/flows/client_credentials_spec.rb +38 -0
data/spec/requests/flows/implicit_grant_errors_spec.rb +22 -10
data/spec/requests/flows/implicit_grant_spec.rb +9 -8
data/spec/requests/flows/password_spec.rb +37 -0
data/spec/requests/flows/refresh_token_spec.rb +1 -1
data/spec/requests/flows/revoke_token_spec.rb +19 -11
data/spec/support/doorkeeper_rspec.rb +1 -1
data/spec/support/helpers/request_spec_helper.rb +14 -2
data/spec/validators/redirect_uri_validator_spec.rb +40 -15
metadata +16 -15
data/.coveralls.yml +0 -1
data/.github/ISSUE_TEMPLATE.md +0 -25
data/.github/PULL_REQUEST_TEMPLATE.md +0 -17
data/.gitignore +0 -20
data/.gitlab-ci.yml +0 -16
data/.hound.yml +0 -3
data/.rspec +0 -1
data/.rubocop.yml +0 -50
data/.travis.yml +0 -35
data/app/validators/redirect_uri_validator.rb +0 -50

data/spec/requests/endpoints/authorization_spec.rb CHANGED Viewed

@@ -4,6 +4,7 @@ require "spec_helper"
 feature "Authorization endpoint" do
   background do
+    default_scopes_exist :default
     config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
     client_exists(name: "MyApp")
   end
@@ -34,16 +35,31 @@ feature "Authorization endpoint" do
     end
   end
-  context "with a invalid request" do
+  context "with a invalid request's param" do
     background do
       create_resource_owner
       sign_in
     end
-    scenario "displays the related error" do
-      visit authorization_endpoint_url(client: @client, response_type: "")
-      i_should_not_see "Authorize"
-      i_should_see_translated_error_message :unsupported_response_type
+    context "when missing required param" do
+      scenario "displays invalid_request error when missing client" do
+        visit authorization_endpoint_url(client: nil, response_type: "code")
+        i_should_not_see "Authorize"
+        i_should_see_translated_invalid_request_error_message :missing_param, :client_id
+      end
+      scenario "displays invalid_request error when missing response_type param" do
+        visit authorization_endpoint_url(client: @client, response_type: "")
+        i_should_not_see "Authorize"
+        i_should_see_translated_invalid_request_error_message :missing_param, :response_type
+      end
+      scenario "displays invalid_request error when missing scope param and authorization server has no default scopes" do
+        config_is_set(:default_scopes, [])
+        visit authorization_endpoint_url(client: @client, response_type: "code", scope: "")
+        i_should_not_see "Authorize"
+        i_should_see_translated_invalid_request_error_message :missing_param, :scope
+      end
     end
     scenario "displays unsupported_response_type error when using a disabled response type" do

data/spec/requests/endpoints/token_spec.rb CHANGED Viewed

@@ -70,6 +70,6 @@ describe "Token endpoint" do
     should_not_have_json "access_token"
     should_have_json "error", "invalid_request"
-    should_have_json "error_description", translated_error_message("invalid_request")
+    should_have_json "error_description", translated_invalid_request_error_message(:missing_param, :grant_type)
   end
 end

data/spec/requests/flows/authorization_code_errors_spec.rb CHANGED Viewed

@@ -5,6 +5,7 @@ require "spec_helper"
 feature "Authorization Code Flow Errors" do
   let(:client_params) { {} }
   background do
+    default_scopes_exist :default
     config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
     client_exists client_params
     create_resource_owner

data/spec/requests/flows/authorization_code_spec.rb CHANGED Viewed

@@ -4,6 +4,7 @@ require "spec_helper"
 feature "Authorization Code Flow" do
   background do
+    default_scopes_exist :default
     config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
     client_exists
     create_resource_owner
@@ -23,13 +24,46 @@ feature "Authorization Code Flow" do
     url_should_not_have_param("error")
   end
+  context "when configured to check application supported grant flow" do
+    before do
+      config_is_set(:allow_grant_flow_for_client, ->(_grant_flow, client) { client.name == "admin" })
+    end
+    scenario "forbids the request when doesn't satisfy condition" do
+      @client.update(name: "sample app")
+      visit authorization_endpoint_url(client: @client)
+      i_should_see_translated_error_message("unauthorized_client")
+    end
+    scenario "allows the request when satisfies condition" do
+      @client.update(name: "admin")
+      visit authorization_endpoint_url(client: @client)
+      i_should_not_see_translated_error_message("unauthorized_client")
+      click_on "Authorize"
+      authorization_code = Doorkeeper::AccessGrant.first.token
+      create_access_token authorization_code, @client
+      access_token_should_exist_for(@client, @resource_owner)
+      should_not_have_json "error"
+      should_have_json "access_token", Doorkeeper::AccessToken.first.token
+      should_have_json "token_type", "Bearer"
+      should_have_json_within "expires_in", Doorkeeper::AccessToken.first.expires_in, 1
+    end
+  end
   context "with grant hashing enabled" do
     background do
       config_is_set(:token_secret_strategy, ::Doorkeeper::SecretStoring::Sha256Hash)
     end
-    scenario "Authorization Code Flow with hashing" do
-      @client.redirect_uri = Doorkeeper.configuration.native_redirect_uri
+    def authorize(redirect_url)
+      @client.redirect_uri = redirect_url
       @client.save!
       visit authorization_endpoint_url(client: @client)
       click_on "Authorize"
@@ -42,16 +76,28 @@ feature "Authorization Code Flow" do
       hashed_code = Doorkeeper::AccessGrant.secret_strategy.transform_secret code
       expect(hashed_code).to eq Doorkeeper::AccessGrant.first.token
+      [code, hashed_code]
+    end
+    scenario "using redirect_url urn:ietf:wg:oauth:2.0:oob" do
+      code, hashed_code = authorize("urn:ietf:wg:oauth:2.0:oob")
       expect(code).not_to eq(hashed_code)
+      i_should_see "Authorization code:"
+      i_should_see code
+      i_should_not_see hashed_code
+    end
+    scenario "using redirect_url urn:ietf:wg:oauth:2.0:oob:auto" do
+      code, hashed_code = authorize("urn:ietf:wg:oauth:2.0:oob:auto")
+      expect(code).not_to eq(hashed_code)
       i_should_see "Authorization code:"
       i_should_see code
       i_should_not_see hashed_code
     end
   end
-  scenario "resource owner authorizes using test url" do
-    @client.redirect_uri = Doorkeeper.configuration.native_redirect_uri
+  scenario "resource owner authorizes using oob url" do
+    @client.redirect_uri = "urn:ietf:wg:oauth:2.0:oob"
     @client.save!
     visit authorization_endpoint_url(client: @client)
     click_on "Authorize"
@@ -71,6 +117,17 @@ feature "Authorization Code Flow" do
     url_should_not_have_param("code_challenge_method")
   end
+  scenario "resource owner requests an access token without authorization code" do
+    create_access_token "", @client
+    access_token_should_not_exist
+    expect(Doorkeeper::AccessToken.count).to be_zero
+    should_have_json "error", "invalid_request"
+    should_have_json "error_description", translated_invalid_request_error_message(:missing_param, :code)
+  end
   scenario "resource owner requests an access token with authorization code" do
     visit authorization_endpoint_url(client: @client)
     click_on "Authorize"
@@ -98,6 +155,7 @@ feature "Authorization Code Flow" do
     expect(Doorkeeper::AccessToken.count).to be_zero
     should_have_json "error", "invalid_client"
+    should_have_json "error_description", translated_error_message(:invalid_client)
   end
   scenario "resource owner requests an access token with authorization code but without client id" do
@@ -111,6 +169,7 @@ feature "Authorization Code Flow" do
     expect(Doorkeeper::AccessToken.count).to be_zero
     should_have_json "error", "invalid_client"
+    should_have_json "error_description", translated_error_message(:invalid_client)
   end
   scenario "silently authorizes if matching token exists" do
@@ -153,6 +212,7 @@ feature "Authorization Code Flow" do
         create_access_token authorization_code, @client, code_verifier
         should_have_json "error", "invalid_grant"
+        should_have_json "error_description", translated_error_message(:invalid_grant)
       end
       scenario "mobile app requests an access token with authorization code and plain code challenge method" do
@@ -175,17 +235,32 @@ feature "Authorization Code Flow" do
         should_have_json_within "expires_in", Doorkeeper::AccessToken.first.expires_in, 1
       end
-      scenario "mobile app requests an access token with authorization code and code_challenge" do
+      scenario "mobile app requests an access token with authorization code but without code_verifier" do
         visit authorization_endpoint_url(client: @client,
-                                         code_challenge: code_verifier,
+                                         code_challenge: code_challenge,
                                          code_challenge_method: "plain")
         click_on "Authorize"
         authorization_code = current_params["code"]
-        create_access_token authorization_code, @client, code_verifier: nil
+        create_access_token authorization_code, @client, nil
+        should_not_have_json "access_token"
+        should_have_json "error", "invalid_request"
+        should_have_json "error_description", translated_invalid_request_error_message(:missing_param, :code_verifier)
+      end
+      scenario "mobile app requests an access token with authorization code with wrong code_verifier" do
+        visit authorization_endpoint_url(client: @client,
+                                         code_challenge: code_challenge,
+                                         code_challenge_method: "plain")
+        click_on "Authorize"
+        authorization_code = current_params["code"]
+        create_access_token authorization_code, @client, "wrong_code_verifier"
         should_not_have_json "access_token"
         should_have_json "error", "invalid_grant"
+        should_have_json "error_description", translated_error_message(:invalid_grant)
       end
     end
@@ -226,19 +301,6 @@ feature "Authorization Code Flow" do
         should_have_json_within "expires_in", Doorkeeper::AccessToken.first.expires_in, 1
       end
-      scenario "mobile app requests an access token with authorization code and without code_verifier" do
-        visit authorization_endpoint_url(
-          client: @client,
-          code_challenge: code_challenge,
-          code_challenge_method: "S256"
-        )
-        click_on "Authorize"
-        authorization_code = current_params["code"]
-        create_access_token authorization_code, @client
-        should_have_json "error", "invalid_request"
-        should_not_have_json "access_token"
-      end
       scenario "mobile app requests an access token with authorization code and without secret" do
         visit authorization_endpoint_url(
           client: @client,
@@ -250,8 +312,9 @@ feature "Authorization Code Flow" do
         authorization_code = current_params["code"]
         page.driver.post token_endpoint_url(code: authorization_code, client_id: @client.uid,
                                             redirect_uri: @client.redirect_uri, code_verifier: code_verifier)
-        should_have_json "error", "invalid_client"
         should_not_have_json "access_token"
+        should_have_json "error", "invalid_client"
+        should_have_json "error_description", translated_error_message(:invalid_client)
       end
       scenario "mobile app requests an access token with authorization code and without secret but is marked as not confidential" do
@@ -286,6 +349,7 @@ feature "Authorization Code Flow" do
         should_not_have_json "access_token"
         should_have_json "error", "invalid_request"
+        should_have_json "error_description", translated_invalid_request_error_message(:missing_param, :code_verifier)
       end
       scenario "mobile app requests an access token with authorization code with wrong verifier" do
@@ -301,6 +365,7 @@ feature "Authorization Code Flow" do
         should_not_have_json "access_token"
         should_have_json "error", "invalid_grant"
+        should_have_json "error_description", translated_error_message(:invalid_grant)
       end
       scenario "code_challenge_mehthod in token request is totally ignored" do
@@ -321,6 +386,7 @@ feature "Authorization Code Flow" do
         should_not_have_json "access_token"
         should_have_json "error", "invalid_grant"
+        should_have_json "error_description", translated_error_message(:invalid_grant)
       end
       scenario "expects to set code_challenge_method explicitely without fallback" do
@@ -332,16 +398,15 @@ feature "Authorization Code Flow" do
   context "when application scopes are present and no scope is passed" do
     background do
-      @client.update(scopes: "public write read")
+      @client.update(scopes: "public write read default")
     end
-    scenario "access grant has no scope" do
+    scenario "scope is invalid because default scope is different from application scope" do
       default_scopes_exist :admin
       visit authorization_endpoint_url(client: @client)
-      click_on "Authorize"
-      access_grant_should_exist_for(@client, @resource_owner)
-      grant = Doorkeeper::AccessGrant.first
-      expect(grant.scopes).to be_empty
+      response_status_should_be 200
+      i_should_not_see "Authorize"
+      i_should_see_translated_error_message :invalid_scope
     end
     scenario "access grant have scopes which are common in application scopees and default scopes" do
@@ -442,6 +507,7 @@ describe "Authorization Code Flow" do
       should_not_have_json "access_token"
       should_have_json "error", "invalid_grant"
+      should_have_json "error_description", translated_error_message(:invalid_grant)
     end
   end
 end

data/spec/requests/flows/client_credentials_spec.rb CHANGED Viewed

@@ -66,6 +66,44 @@ describe "Client Credentials Request" do
     end
   end
+  context "when configured to check application supported grant flow" do
+    before do
+      Doorkeeper.configuration.instance_variable_set(
+        :@allow_grant_flow_for_client,
+        ->(_grant_flow, client) { client.name == "admin" }
+      )
+    end
+    scenario "forbids the request when doesn't satisfy condition" do
+      client.update(name: "sample app")
+      headers = authorization client.uid, client.secret
+      params  = { grant_type: "client_credentials" }
+      post "/oauth/token", params: params, headers: headers
+      should_have_json "error", "unauthorized_client"
+      should_have_json "error_description", translated_error_message(:unauthorized_client)
+    end
+    scenario "allows the request when satisfies condition" do
+      client.update(name: "admin")
+      headers = authorization client.uid, client.secret
+      params  = { grant_type: "client_credentials" }
+      post "/oauth/token", params: params, headers: headers
+      should_have_json "access_token", Doorkeeper::AccessToken.first.token
+      should_have_json_within "expires_in", Doorkeeper.configuration.access_token_expires_in, 1
+      should_not_have_json "scope"
+      should_not_have_json "refresh_token"
+      should_not_have_json "error"
+      should_not_have_json "error_description"
+    end
+  end
   context "when application scopes contain some of the default scopes and no scope is passed" do
     before do
       client.update(scopes: "read write public")

data/spec/requests/flows/implicit_grant_errors_spec.rb CHANGED Viewed

@@ -4,6 +4,7 @@ require "spec_helper"
 feature "Implicit Grant Flow Errors" do
   background do
+    default_scopes_exist :default
     config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
     config_is_set(:grant_flows, ["implicit"])
     client_exists
@@ -15,20 +16,31 @@ feature "Implicit Grant Flow Errors" do
     access_token_should_not_exist
   end
-  [
-    %i[client_id invalid_client],
-    %i[redirect_uri invalid_redirect_uri],
-  ].each do |error|
-    scenario "displays #{error.last} error for invalid #{error.first}" do
-      visit authorization_endpoint_url(client: @client, error.first => "invalid", response_type: "token")
+  context "when validate client_id param" do
+    scenario "displays invalid_client error for invalid client_id" do
+      visit authorization_endpoint_url(client_id: "invalid", response_type: "token")
       i_should_not_see "Authorize"
-      i_should_see_translated_error_message error.last
+      i_should_see_translated_error_message :invalid_client
     end
-    scenario "displays #{error.last} error when #{error.first} is missing" do
-      visit authorization_endpoint_url(client: @client, error.first => "", response_type: "token")
+    scenario "displays invalid_request error when client_id is missing" do
+      visit authorization_endpoint_url(client_id: "", response_type: "token")
       i_should_not_see "Authorize"
-      i_should_see_translated_error_message error.last
+      i_should_see_translated_invalid_request_error_message :missing_param, :client_id
+    end
+  end
+  context "when validate redirect_uri param" do
+    scenario "displays invalid_redirect_uri error for invalid redirect_uri" do
+      visit authorization_endpoint_url(client: @client, redirect_uri: "invalid", response_type: "token")
+      i_should_not_see "Authorize"
+      i_should_see_translated_error_message :invalid_redirect_uri
+    end
+    scenario "displays invalid_redirect_uri error when redirect_uri is missing" do
+      visit authorization_endpoint_url(client: @client, redirect_uri: "", response_type: "token")
+      i_should_not_see "Authorize"
+      i_should_see_translated_error_message :invalid_redirect_uri
     end
   end
 end

data/spec/requests/flows/implicit_grant_spec.rb CHANGED Viewed

@@ -4,6 +4,7 @@ require "spec_helper"
 feature "Implicit Grant Flow (feature spec)" do
   background do
+    default_scopes_exist :default
     config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
     config_is_set(:grant_flows, ["implicit"])
     client_exists
@@ -25,16 +26,15 @@ feature "Implicit Grant Flow (feature spec)" do
       @client.update(scopes: "public write read")
     end
-    scenario "access token has no scopes" do
+    scenario "scope is invalid because default scope is different from application scope" do
       default_scopes_exist :admin
       visit authorization_endpoint_url(client: @client, response_type: "token")
-      click_on "Authorize"
-      access_token_should_exist_for @client, @resource_owner
-      token = Doorkeeper::AccessToken.first
-      expect(token.scopes).to be_empty
+      response_status_should_be 200
+      i_should_not_see "Authorize"
+      i_should_see_translated_error_message :invalid_scope
     end
-    scenario "access token has scopes which are common in application scopees and default scopes" do
+    scenario "access token has scopes which are common in application scopes and default scopes" do
       default_scopes_exist :public, :write
       visit authorization_endpoint_url(client: @client, response_type: "token")
       click_on "Authorize"
@@ -46,6 +46,7 @@ end
 describe "Implicit Grant Flow (request spec)" do
   before do
+    default_scopes_exist :default
     config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
     config_is_set(:grant_flows, ["implicit"])
     client_exists
@@ -56,7 +57,7 @@ describe "Implicit Grant Flow (request spec)" do
     it "should return a new token each request" do
       allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(false)
-      token = client_is_authorized(@client, @resource_owner)
+      token = client_is_authorized(@client, @resource_owner, scopes: "default")
       post "/oauth/authorize",
            params: {
@@ -73,7 +74,7 @@ describe "Implicit Grant Flow (request spec)" do
     it "should return the same token if it is still accessible" do
       allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
-      token = client_is_authorized(@client, @resource_owner)
+      token = client_is_authorized(@client, @resource_owner, scopes: "default")
       post "/oauth/authorize",
            params: {

data/spec/requests/flows/password_spec.rb CHANGED Viewed

@@ -31,6 +31,43 @@ describe "Resource Owner Password Credentials Flow" do
     context "with non-confidential/public client" do
       let(:client_attributes) { { confidential: false } }
+      context "when configured to check application supported grant flow" do
+        before do
+          Doorkeeper.configuration.instance_variable_set(
+            :@allow_grant_flow_for_client,
+            ->(_grant_flow, client) { client.name == "admin" }
+          )
+        end
+        scenario "forbids the request when doesn't satisfy condition" do
+          @client.update(name: "sample app")
+          expect do
+            post password_token_endpoint_url(
+              client_id: @client.uid,
+              client_secret: "foobar",
+              resource_owner: @resource_owner
+            )
+          end.not_to(change { Doorkeeper::AccessToken.count })
+          expect(response.status).to eq(401)
+          should_have_json "error", "invalid_client"
+        end
+        scenario "allows the request when satisfies condition" do
+          @client.update(name: "admin")
+          expect do
+            post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
+          end.to change { Doorkeeper::AccessToken.count }.by(1)
+          token = Doorkeeper::AccessToken.first
+          expect(token.application_id).to eq @client.id
+          should_have_json "access_token", token.token
+        end
+      end
       context "when client_secret absent" do
         it "should issue new token" do
           expect do

data/spec/requests/flows/refresh_token_spec.rb CHANGED Viewed

@@ -172,7 +172,7 @@ describe "Refresh Token Flow" do
       post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
       should_not_have_json "refresh_token"
-      should_have_json "error", "invalid_request"
+      should_have_json "error", "invalid_grant"
     end
   end

data/spec/requests/flows/revoke_token_spec.rb CHANGED Viewed

@@ -40,16 +40,14 @@ describe "Revoke Token Flow" do
       end
       context "with invalid token to revoke" do
-        it "should not revoke any tokens and respond successfully" do
+        it "should not revoke any tokens and respond with forbidden" do
           expect do
             post revocation_token_endpoint_url,
                  params: { token: "I_AM_AN_INVALID_TOKEN" },
                  headers: headers
           end.not_to(change { Doorkeeper::AccessToken.where(revoked_at: nil).count })
-          # The authorization server responds with HTTP status code 200 even if
-          # token is invalid
-          expect(response).to be_successful
+          expect(response).to be_forbidden
         end
       end
@@ -59,19 +57,23 @@ describe "Revoke Token Flow" do
           credentials = Base64.encode64("#{client_id}:poop")
           { "HTTP_AUTHORIZATION" => "Basic #{credentials}" }
         end
-        it "should not revoke any tokens and respond successfully" do
+        it "should not revoke any tokens and respond with forbidden" do
           post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
-          expect(response).to be_successful
+          expect(response).to be_forbidden
+          expect(response.body).to include("unauthorized_client")
+          expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
           expect(access_token.reload.revoked?).to be_falsey
         end
       end
       context "with no credentials and a valid token" do
-        it "should not revoke any tokens and respond successfully" do
+        it "should not revoke any tokens and respond with forbidden" do
           post revocation_token_endpoint_url, params: { token: access_token.token }
-          expect(response).to be_successful
+          expect(response).to be_forbidden
+          expect(response.body).to include("unauthorized_client")
+          expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
           expect(access_token.reload.revoked?).to be_falsey
         end
       end
@@ -88,7 +90,9 @@ describe "Revoke Token Flow" do
         it "should not revoke the token as its unauthorized" do
           post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
-          expect(response).to be_successful
+          expect(response).to be_forbidden
+          expect(response.body).to include("unauthorized_client")
+          expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
           expect(access_token.reload.revoked?).to be_falsey
         end
       end
@@ -127,14 +131,18 @@ describe "Revoke Token Flow" do
         it "should not revoke the access token provided" do
           post revocation_token_endpoint_url, params: { token: access_token.token }
-          expect(response).to be_successful
+          expect(response).to be_forbidden
+          expect(response.body).to include("unauthorized_client")
+          expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
           expect(access_token.reload.revoked?).to be_falsey
         end
         it "should not revoke the refresh token provided" do
           post revocation_token_endpoint_url, params: { token: access_token.token }
-          expect(response).to be_successful
+          expect(response).to be_forbidden
+          expect(response.body).to include("unauthorized_client")
+          expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
           expect(access_token.reload.revoked?).to be_falsey
         end
       end

data/spec/support/doorkeeper_rspec.rb CHANGED Viewed

@@ -16,7 +16,7 @@ module Doorkeeper
     # Tries to find ORM from the Gemfile used to run test suite
     def self.detect_orm
       orm = (ENV["BUNDLE_GEMFILE"] || "").match(/Gemfile\.(.+)\.rb/)
-      (orm && orm[1] || :active_record).to_sym
+      (orm && orm[1] || ENV["ORM"] || :active_record).to_sym
     end
   end
 end

data/spec/support/helpers/request_spec_helper.rb CHANGED Viewed

@@ -54,7 +54,7 @@ module RequestSpecHelper
   end
   def with_header(header, value)
-    page.driver.header header, value
+    page.driver.header(header, value)
   end
   def basic_auth_header_for_client(client)
@@ -86,8 +86,20 @@ module RequestSpecHelper
     i_should_see translated_error_message(key)
   end
+  def i_should_not_see_translated_error_message(key)
+    i_should_not_see translated_error_message(key)
+  end
   def translated_error_message(key)
-    I18n.translate key, scope: %i[doorkeeper errors messages]
+    I18n.translate(key, scope: %i[doorkeeper errors messages])
+  end
+  def i_should_see_translated_invalid_request_error_message(key, value)
+    i_should_see translated_invalid_request_error_message(key, value)
+  end
+  def translated_invalid_request_error_message(key, value)
+    I18n.translate key, scope: %i[doorkeeper errors messages invalid_request], value: value
   end
   def response_status_should_be(status)