doorkeeper 5.1.2 → 5.2.2

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of doorkeeper might be problematic. Click here for more details.

Files changed (107) hide show
  1. checksums.yaml +4 -4
  2. data/Appraisals +1 -1
  3. data/CHANGELOG.md +854 -0
  4. data/CONTRIBUTING.md +11 -9
  5. data/Dangerfile +2 -2
  6. data/Dockerfile +29 -0
  7. data/Gemfile +3 -2
  8. data/NEWS.md +1 -819
  9. data/README.md +11 -3
  10. data/RELEASING.md +6 -5
  11. data/app/controllers/doorkeeper/application_controller.rb +1 -1
  12. data/app/controllers/doorkeeper/application_metal_controller.rb +2 -1
  13. data/app/controllers/doorkeeper/applications_controller.rb +5 -3
  14. data/app/controllers/doorkeeper/authorizations_controller.rb +14 -7
  15. data/app/controllers/doorkeeper/authorized_applications_controller.rb +1 -1
  16. data/app/controllers/doorkeeper/tokens_controller.rb +32 -9
  17. data/app/views/doorkeeper/applications/_form.html.erb +0 -6
  18. data/app/views/doorkeeper/applications/show.html.erb +1 -1
  19. data/config/locales/en.yml +8 -2
  20. data/doorkeeper.gemspec +9 -1
  21. data/gemfiles/rails_5_0.gemfile +1 -0
  22. data/gemfiles/rails_5_1.gemfile +1 -0
  23. data/gemfiles/rails_5_2.gemfile +1 -0
  24. data/gemfiles/rails_6_0.gemfile +2 -1
  25. data/gemfiles/rails_master.gemfile +1 -0
  26. data/lib/doorkeeper/config/option.rb +13 -7
  27. data/lib/doorkeeper/config.rb +88 -6
  28. data/lib/doorkeeper/errors.rb +13 -18
  29. data/lib/doorkeeper/grape/helpers.rb +5 -1
  30. data/lib/doorkeeper/helpers/controller.rb +23 -4
  31. data/lib/doorkeeper/models/access_token_mixin.rb +43 -2
  32. data/lib/doorkeeper/oauth/authorization/code.rb +11 -13
  33. data/lib/doorkeeper/oauth/authorization/token.rb +1 -1
  34. data/lib/doorkeeper/oauth/authorization_code_request.rb +18 -9
  35. data/lib/doorkeeper/oauth/base_request.rb +2 -0
  36. data/lib/doorkeeper/oauth/client_credentials/creator.rb +14 -0
  37. data/lib/doorkeeper/oauth/client_credentials/validation.rb +8 -0
  38. data/lib/doorkeeper/oauth/code_request.rb +5 -11
  39. data/lib/doorkeeper/oauth/code_response.rb +2 -2
  40. data/lib/doorkeeper/oauth/error_response.rb +1 -1
  41. data/lib/doorkeeper/oauth/helpers/uri_checker.rb +18 -4
  42. data/lib/doorkeeper/oauth/invalid_request_response.rb +43 -0
  43. data/lib/doorkeeper/oauth/nonstandard.rb +39 -0
  44. data/lib/doorkeeper/oauth/password_access_token_request.rb +7 -2
  45. data/lib/doorkeeper/oauth/pre_authorization.rb +70 -37
  46. data/lib/doorkeeper/oauth/refresh_token_request.rb +13 -10
  47. data/lib/doorkeeper/oauth/token_introspection.rb +23 -13
  48. data/lib/doorkeeper/oauth/token_request.rb +4 -18
  49. data/lib/doorkeeper/orm/active_record/access_grant.rb +1 -1
  50. data/lib/doorkeeper/orm/active_record/access_token.rb +2 -2
  51. data/lib/doorkeeper/orm/active_record/application.rb +15 -69
  52. data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb +61 -0
  53. data/lib/doorkeeper/orm/active_record.rb +19 -3
  54. data/lib/doorkeeper/request/authorization_code.rb +2 -0
  55. data/lib/doorkeeper/request.rb +6 -11
  56. data/lib/doorkeeper/server.rb +2 -6
  57. data/lib/doorkeeper/stale_records_cleaner.rb +6 -2
  58. data/lib/doorkeeper/version.rb +1 -1
  59. data/lib/doorkeeper.rb +4 -0
  60. data/lib/generators/doorkeeper/previous_refresh_token_generator.rb +6 -6
  61. data/lib/generators/doorkeeper/templates/initializer.rb +110 -33
  62. data/lib/generators/doorkeeper/templates/migration.rb.erb +4 -1
  63. data/spec/controllers/applications_controller_spec.rb +93 -0
  64. data/spec/controllers/authorizations_controller_spec.rb +143 -62
  65. data/spec/controllers/protected_resources_controller_spec.rb +3 -3
  66. data/spec/controllers/tokens_controller_spec.rb +205 -37
  67. data/spec/dummy/config/application.rb +3 -1
  68. data/spec/dummy/config/initializers/doorkeeper.rb +54 -9
  69. data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +1 -1
  70. data/spec/lib/config_spec.rb +43 -1
  71. data/spec/lib/oauth/authorization_code_request_spec.rb +13 -1
  72. data/spec/lib/oauth/base_request_spec.rb +33 -16
  73. data/spec/lib/oauth/client_credentials/creator_spec.rb +3 -0
  74. data/spec/lib/oauth/code_request_spec.rb +27 -28
  75. data/spec/lib/oauth/helpers/uri_checker_spec.rb +17 -2
  76. data/spec/lib/oauth/invalid_request_response_spec.rb +75 -0
  77. data/spec/lib/oauth/pre_authorization_spec.rb +76 -66
  78. data/spec/lib/oauth/refresh_token_request_spec.rb +1 -0
  79. data/spec/lib/oauth/token_request_spec.rb +20 -17
  80. data/spec/lib/server_spec.rb +0 -12
  81. data/spec/models/doorkeeper/access_grant_spec.rb +21 -2
  82. data/spec/models/doorkeeper/access_token_spec.rb +35 -4
  83. data/spec/models/doorkeeper/application_spec.rb +275 -370
  84. data/spec/requests/endpoints/authorization_spec.rb +21 -5
  85. data/spec/requests/endpoints/token_spec.rb +1 -1
  86. data/spec/requests/flows/authorization_code_errors_spec.rb +1 -0
  87. data/spec/requests/flows/authorization_code_spec.rb +93 -27
  88. data/spec/requests/flows/client_credentials_spec.rb +38 -0
  89. data/spec/requests/flows/implicit_grant_errors_spec.rb +22 -10
  90. data/spec/requests/flows/implicit_grant_spec.rb +9 -8
  91. data/spec/requests/flows/password_spec.rb +37 -0
  92. data/spec/requests/flows/refresh_token_spec.rb +1 -1
  93. data/spec/requests/flows/revoke_token_spec.rb +19 -11
  94. data/spec/support/doorkeeper_rspec.rb +1 -1
  95. data/spec/support/helpers/request_spec_helper.rb +14 -2
  96. data/spec/validators/redirect_uri_validator_spec.rb +40 -15
  97. metadata +16 -15
  98. data/.coveralls.yml +0 -1
  99. data/.github/ISSUE_TEMPLATE.md +0 -25
  100. data/.github/PULL_REQUEST_TEMPLATE.md +0 -17
  101. data/.gitignore +0 -20
  102. data/.gitlab-ci.yml +0 -16
  103. data/.hound.yml +0 -3
  104. data/.rspec +0 -1
  105. data/.rubocop.yml +0 -50
  106. data/.travis.yml +0 -35
  107. data/app/validators/redirect_uri_validator.rb +0 -50
data/CHANGELOG.md ADDED
@@ -0,0 +1,854 @@
1
+ # Changelog
2
+
3
+ See https://github.com/doorkeeper-gem/doorkeeper/wiki/Migration-from-old-versions for
4
+ upgrade guides.
5
+
6
+ User-visible changes worth mentioning.
7
+
8
+ ## master
9
+
10
+ - [#PR ID] Your PR short description.
11
+
12
+ ## 5.2.2
13
+
14
+ - [#1320] Call configured `authenticate_resource_owner` method once per request.
15
+ - [#1315] Allow generation of new secret with `Doorkeeper::Application#renew_secret`.
16
+ - [#1309] Allow `Doorkeeper::Application#to_json` to work without arguments.
17
+
18
+ ## 5.2.1
19
+
20
+ - [#1308] Fix flash types for `api_only` mode (no flashes for `ActionController::API`).
21
+ - [#1306] Fix interpolation of `missing_param` I18n.
22
+
23
+ ## 5.2.0
24
+
25
+ - [#1305] Make `Doorkeeper::ApplicationController` to inherit from `ActionController::API` in cases
26
+ when `api_mode` enabled (fixes #1302).
27
+
28
+ ## 5.2.0.rc3
29
+
30
+ - [#1298] Slice strong params so doesn't error with Rails forms.
31
+ - [#1300] Limiting access to attributes of pre_authorization.
32
+ - [#1296] Adding client_id to strong parameters.
33
+ - [#1293] Move ar specific redirect uri validator to ar orm directory.
34
+ - [#1288] Allow to pass attributes to the `Doorkeeper::OAuth::PreAuthorization#as_json` method to customize
35
+ the PreAuthorization response.
36
+ - [#1286] Add ability to customize grant flows per application (OAuth client) (#1245 , #1207)
37
+ - [#1283] Allow to customize base class for `Doorkeeper::ApplicationMetalController` (new configuration
38
+ option called `base_metal_controller` (fix #1273).
39
+ - [#1277] Prevent requested scope be empty on authorization request, handle and add description for invalid request.
40
+
41
+ ## 5.2.0.rc2
42
+
43
+ - [#1270] Find matching tokens in batches for `reuse_access_token` option (fix #1193).
44
+ - [#1271] Reintroduce existing token revocation for client credentials.
45
+ - [#1269] Update initializer template documentation.
46
+ - [#1266] Use strong parameters within pre-authorization.
47
+ - [#1264] Add :before_successful_authorization and :after_successful_authorization hooks in TokensController
48
+ - [#1263] Response properly when introspection fails and fix configurations's user guide.
49
+
50
+ ## 5.2.0.rc1
51
+
52
+ - [#1260], [#1262] Improve Token Introspection configuration option (access to tokens, client).
53
+ - [#1257] Add constraint configuration when using client authentication on introspection endpoint.
54
+ - [#1252] Returning `unauthorized` when the revocation of the token should not be performed due to wrong permissions.
55
+ - [#1249] Specify case sensitive uniqueness to remove Rails 6 deprecation message
56
+ - [#1248] Display the Application Secret in HTML after creating a new application even when `hash_application_secrets` is used.
57
+ - [#1248] Return the unhashed Application Secret in the JSON response after creating new application even when `hash_application_secrets` is used.
58
+ - [#1238] Better support for native app with support for custom scheme and localhost redirection.
59
+
60
+ ## 5.1.0
61
+
62
+ - [#1243] Add nil check operator in token checking at token introspection.
63
+ - [#1241] Explaining foreign key options for resource owner in a single place
64
+ - [#1237] Allow to set blank redirect URI if Doorkeeper configured to use redirect URI-less grant flows.
65
+ - [#1234] Fix `StaleRecordsCleaner` to properly work with big amount of records.
66
+ - [#1228] Allow to explicitly set non-expiring tokens in `custom_access_token_expires_in` configuration
67
+ option using `Float::INIFINITY` return value.
68
+ - [#1224] Do not try to store token if not found by fallback hashing strategy.
69
+ - [#1223] Update Hound/Rubocop rules, correct Doorkeeper codebase to follow style-guides.
70
+ - [#1220] Drop Rails 4.2 & Ruby < 2.4 support.
71
+
72
+ ## 5.1.0.rc2
73
+
74
+ - [#1208] Unify hashing implementation into secret storing strategies
75
+
76
+ **[IMPORTANT]** If you have been using the master branch of doorkeeper with bcrypt in your Gemfile.lock,
77
+ your application secrets have been hashed using BCrypt. To restore this behavior, use the initializer option
78
+ `use_application_hashing using: 'Doorkeeper::SecretStoring::BCrypt`.
79
+
80
+ - [#1216] Add nil check to `expires_at` method.
81
+ - [#1215] Fix deprecates for Rails 6.
82
+ - [#1214] Scopes field accepts array.
83
+ - [#1209] Fix tokens validation for Token Introspection request.
84
+ - [#1202] Use correct HTTP status codes for error responses.
85
+
86
+ **[IMPORTANT]**: this change might break your application if you were relying on the previous
87
+ 401 status codes, this is now a 400 by default, or a 401 for `invalid_client` and `invalid_token` errors.
88
+
89
+ - [#1201] Fix custom TTL block `client` parameter to always be an `Doorkeeper::Application` instance.
90
+
91
+ **[IMPORTANT]**: those who defined `custom_access_token_expires_in` configuration option need to check
92
+ their block implementation: if you are using `oauth_client.application` to get `Doorkeeper::Application`
93
+ instance, then you need to replace it with just `oauth_client`.
94
+
95
+ - [#1200] Increase default Doorkeeper access token value complexity (`urlsafe_base64` instead of just `hex`)
96
+ matching RFC6749/RFC6750.
97
+
98
+ **[IMPORTANT]**: this change have possible side-effects in case you have custom database constraints for
99
+ access token value, application secrets, refresh tokens or you patched Doorkeeper models and introduced
100
+ token value validations, or you are using database with case-insensitive WHERE clause like MySQL
101
+ (you can face some collisions). Before this change access token value matched `[a-f0-9]` regex, and now
102
+ it matches `[a-zA-Z0-9\-_]`. In case you have such restrictions and your don't use custom token generator
103
+ please change configuration option `default_generator_method` to `:hex`.
104
+
105
+ - [#1195] Allow to customize Token Introspection response (fixes #1194).
106
+ - [#1189] Option to set `token_reuse_limit`.
107
+ - [#1191] Try to load bcrypt for hashing of application secrets, but add fallback.
108
+
109
+ ## 5.1.0.rc1
110
+
111
+ - [#1188] Use `params` instead of `request.POST` in tokens controller (fixes #1183).
112
+ - [#1182] Fix loopback IP redirect URIs to conform with RFC8252, p. 7.3 (fixes #1170).
113
+ - [#1179] Authorization Code Grant Flow without client id returns invalid_client error.
114
+ - [#1177] Allow to limit `scopes` for certain `grant_types`
115
+ - [#1176] Fix test factory support for `factory_bot_rails`
116
+ - [#1175] Internal refactor: use `scopes_string` inside `scopes`.
117
+ - [#1168] Allow optional hashing of tokens and secrets.
118
+ - [#1164] Fix error when `root_path` is not defined.
119
+ - [#1162] Fix `enforce_content_type` for requests without body.
120
+
121
+ ## 5.0.2
122
+
123
+ - [#1158] Fix initializer template: change `handle_auth_errors` option
124
+ - [#1157] Remove redundant index from migration template.
125
+
126
+ ## 5.0.1
127
+
128
+ - [#1154] Refactor `StaleRecordsCleaner` to be ORM agnostic.
129
+ - [#1152] Fix migration template: change resource owner data type from integer to Rails generic `references`
130
+ - [#1151] Fix Refresh Token strategy: add proper validation of client credentials both for Public & Private clients.
131
+ - [#1149] Fix for `URIChecker#valid_for_authorization?` false negative when query is blank, but `?` present.
132
+ - [#1140] Allow rendering custom errors from exceptions (issue #844). Originally opened as [#944].
133
+ - [#1138] Revert regression bug (check for token expiration in Authorizations controller so authorization
134
+ triggers every time)
135
+
136
+ ## 5.0.0
137
+
138
+ - [#1127] Change the token_type initials of the Banner Token to uppercase to comply with the RFC6750 specification.
139
+
140
+ ## 5.0.0.rc2
141
+
142
+ - [#1122] Fix AuthorizationsController#new error response to be in JSON format
143
+ - [#1119] Fix token revocation for OAuth apps using "implicit" grant flow
144
+ - [#1116] `AccessGrant`s will now be revoked along with `AccessToken`s when
145
+ hitting the `AuthorizedApplicationController#destroy` route.
146
+ - [#1114] Make token info endpoint's attributes consistent with token creation
147
+ - [#1108] Simple formating of callback URLs when listing oauth applications
148
+ - [#1106] Restrict access to AdminController with 'Forbidden 403' if admin_authenticator is not
149
+ configured by developers.
150
+
151
+ ## 5.0.0.rc1
152
+
153
+ - [#1103] Allow customizing use_refresh_token
154
+ - [#1089] Removed enable_pkce_without_secret configuration option
155
+ - [#1102] Expiration time based on scopes
156
+ - [#1099] All the configuration variables in `Doorkeeper.configuration` now
157
+ always return a non-nil value (`true` or `false`)
158
+ - [#1099] ORM / Query optimization: Do not revoke the refresh token if it is not enabled
159
+ in `doorkeeper.rb`
160
+ - [#996] Expiration Time Base On Grant Type
161
+ - [#997] Allow PKCE authorization_code flow as specified in RFC7636
162
+ - [#907] Fix lookup for matching tokens in certain edge-cases
163
+ - [#992] Add API option to use Doorkeeper without management views for API only
164
+ Rails applications (`api_only`)
165
+ - [#1045] Validate redirect_uri as the native URI when making authorization code requests
166
+ - [#1048] Remove deprecated `Doorkeeper#configured?`, `Doorkeeper#database_installed?`, and
167
+ `Doorkeeper#installed?` method
168
+ - [#1031] Allow public clients to authenticate without `client_secret`. Define an app as
169
+ either public or private/confidential
170
+
171
+ **[IMPORTANT]**: all the applications (clients) now are considered as private by default.
172
+ You need to manually change `confidential` column to `false` if you are using public clients,
173
+ in other case your mobile (or other) applications will not be able to authorize.
174
+ See [#1142](https://github.com/doorkeeper-gem/doorkeeper/issues/1142) for more details.
175
+
176
+ - [#1010] Add configuration to enforce configured scopes (`default_scopes` and
177
+ `optional_scopes`) for applications
178
+ - [#1060] Ensure that the native redirect_uri parameter matches with redirect_uri of the client
179
+ - [#1064] Add :before_successful_authorization and :after_successful_authorization hooks
180
+ - [#1069] Upgrade Bootstrap to 4 for Admin
181
+ - [#1068] Add rake task to cleanup databases that can become large over time
182
+ - [#1072] AuthorizationsController: Memoize strategy.authorize_response result to enable
183
+ subclasses to use the response object.
184
+ - [#1075] Call `before_successful_authorization` and `after_successful_authorization` hooks
185
+ on `create` action as well as `new`
186
+ - [#1082] Fix #916: remember routes mapping and use it required places (fix error with
187
+ customized Token Info route).
188
+ - [#1086, #1088] Fix bug with receiving default scopes in the token even if they are
189
+ not present in the application scopes (use scopes intersection).
190
+ - [#1076] Add config to enforce content type to application/x-www-form-urlencoded
191
+ - Fix bug with `force_ssl_in_redirect_uri` when it breaks existing applications with an
192
+ SSL redirect_uri.
193
+
194
+ ## 4.4.3
195
+
196
+ - [#1143] Adds a config option `opt_out_native_route_change` to opt out of the breaking api
197
+ changed introduced in https://github.com/doorkeeper-gem/doorkeeper/pull/1003
198
+
199
+ ## 4.4.2
200
+
201
+ - [#1130] Backport fix for native redirect_uri from 5.x.
202
+
203
+ ## 4.4.1
204
+
205
+ - [#1127] Backport token type to comply with the RFC6750 specification.
206
+ - [#1125] Backport Quote surround I18n yes/no keys
207
+
208
+ ## 4.4.0
209
+
210
+ - [#1120] Backport security fix from 5.x for token revocation when using public clients
211
+
212
+ **[IMPORTANT]**: all the applications (clients) now are considered as private by default.
213
+ You need to manually change `confidential` column to `false` if you are using public clients,
214
+ in other case your mobile (or other) applications will not be able to authorize.
215
+ See [#1142](https://github.com/doorkeeper-gem/doorkeeper/issues/1142) for more details.
216
+
217
+ ## 4.3.2
218
+
219
+ - [#1053] Support authorizing with query params in the request `redirect_uri` if explicitly present in app's `Application#redirect_uri`
220
+
221
+ ## 4.3.1
222
+
223
+ - Remove `BaseRecord` and introduce additional concern for ordering methods to fix
224
+ braking changes for Doorkeeper models.
225
+ - [#1032] Refactor BaseRequest callbacks into configurable lambdas
226
+ - [#1040] Clear mixins from ActiveRecord DSL and save only overridable API. It
227
+ allows to use this mixins in Doorkeeper ORM extensions with minimum code boilerplate.
228
+
229
+ ## 4.3.0
230
+
231
+ - [#976] Fix to invalidate the second redirect URI when the first URI is the native URI
232
+ - [#1035] Allow `Application#redirect_uri=` to handle array of URIs.
233
+ - [#1036] Allow to forbid Application redirect URI's with specific rules.
234
+ - [#1029] Deprecate `order_method` and introduce `ordered_by`. Sort applications
235
+ by `created_at` in index action.
236
+ - [#1033] Allow Doorkeeper configuration option #force_ssl_in_redirect_uri to be a callable object.
237
+ - Fix Grape integration & add specs for it
238
+ - [#913] Deferred ORM (ActiveRecord) models loading
239
+ - [#943] Fix Access Token token generation when certain errors occur in custom token generators
240
+ - [#1026] Implement RFC7662 - OAuth 2.0 Token Introspection
241
+ - [#985] Generate valid migration files for Rails >= 5
242
+ - [#972] Replace Struct subclassing with block-form initialization
243
+ - [#1003] Use URL query param to pass through native redirect auth code so automated apps can find it.
244
+
245
+ **[IMPORTANT]**: Previously authorization code response route was `/oauth/authorize/<code>`,
246
+ now it is `oauth/authorize/native?code=<code>` (in order to help applications to automatically find the code value).
247
+
248
+ - [#868] `Scopes#&` and `Scopes#+` now take an array or any other enumerable
249
+ object.
250
+ - [#1019] Remove translation not in use: `invalid_resource_owner`.
251
+ - Use Ruby 2 hash style syntax (min required Ruby version = 2.1)
252
+ - [#948] Make Scopes.<=> work with any "other" value.
253
+ - [#974] Redirect URI is checked without query params within AuthorizationCodeRequest.
254
+ - [#1004] More explicit help text for `native_redirect_uri`.
255
+ - [#1023] Update Ruby versions and test against 2.5.0 on Travis CI.
256
+ - [#1024] Migrate from FactoryGirl to FactoryBot.
257
+ - [#1025] Improve documentation for adding foreign keys
258
+ - [#1028] Make it possible to have composite strategy names.
259
+
260
+ ## 4.2.6
261
+
262
+ - [#970] Escape certain attributes in authorization forms.
263
+
264
+ ## 4.2.5
265
+
266
+ - [#936] Deprecate `Doorkeeper#configured?`, `Doorkeeper#database_installed?`, and
267
+ `Doorkeeper#installed?`
268
+ - [#909] Add `InvalidTokenResponse#reason` reader method to allow read the kind
269
+ of invalid token error.
270
+ - [#928] Test against more recent Ruby versions
271
+ - Small refactorings within the codebase
272
+ - [#921] Switch to Appraisal, and test against Rails master
273
+ - [#892] Add minimum Ruby version requirement
274
+
275
+ ## 4.2.0
276
+
277
+ - Security fix: Address CVE-2016-6582, implement token revocation according to
278
+ spec (tokens might not be revoked if client follows the spec).
279
+ - [#873] Add hooks to Doorkeeper::ApplicationMetalController
280
+ - [#871] Allow downstream users to better utilize doorkeeper spec factories by
281
+ eliminating name conflict on `:user` factory.
282
+
283
+ ## 4.1.0
284
+
285
+ - [#845] Allow customising the `Doorkeeper::ApplicationController` base
286
+ controller
287
+
288
+ ## 4.0.0
289
+
290
+ - [#834] Fix AssetNotPrecompiled error with Sprockets 4
291
+ - [#843] Revert "Fix validation error messages"
292
+ - [#847] Specify Null option to timestamps
293
+
294
+ ## 4.0.0.rc4
295
+
296
+ - [#777] Add support for public client in password grant flow
297
+ - [#823] Make configuration and specs ORM independent
298
+ - [#745] Add created_at timestamp to token generation options
299
+ - [#838] Drop `Application#scopes` generator and warning, introduced for
300
+ upgrading doorkeeper from v2 to v3.
301
+ - [#801] Fix Rails 5 warning messages
302
+ - Test against Rails 5 RC1
303
+
304
+ ## 4.0.0.rc3
305
+
306
+ - [#769] Revoke refresh token on access token use. To make use of the new config
307
+ add `previous_refresh_token` column to `oauth_access_tokens`:
308
+
309
+ ```
310
+ rails generate doorkeeper:previous_refresh_token
311
+ ```
312
+
313
+ - [#811] Toughen parameters filter with exact match
314
+ - [#813] Applications admin bugfix
315
+ - [#799] Fix Ruby Warnings
316
+ - Drop `attr_accessible` from models
317
+
318
+ ### Backward incompatible changes
319
+
320
+ - [#730] Force all timezones to use UTC to prevent comparison issues.
321
+ - [#802] Remove `config.i18n.fallbacks` from engine
322
+
323
+ ## 4.0.0.rc2
324
+
325
+ - Fix optional belongs_to for Rails 5
326
+ - Fix Ruby warnings
327
+
328
+ ## 4.0.0.rc1
329
+
330
+ ### Backward incompatible changes
331
+
332
+ - Drops support for Rails 4.1 and earlier
333
+ - Drops support for Ruby 2.0
334
+ - [#778] Bug fix: use the remaining time that a token is still valid when
335
+ building the redirect URI for the implicit grant flow
336
+
337
+ ### Other changes
338
+
339
+ - [#771] Validation error messages fixes
340
+ - Adds foreign key constraints in generated migrations between tokens and
341
+ grants, and applications
342
+ - Support Rails 5
343
+
344
+ ## 3.1.0
345
+
346
+ - [#736] Existing valid tokens are now reused in client_credentials flow
347
+ - [#749] Allow user to raise authorization error with custom messages.
348
+ Under `resource_owner_authenticator` block a user can
349
+ `raise Doorkeeper::Errors::DoorkeeperError.new('custom_message')`
350
+ - [#762] Check doesn’t abort the actual migration, so it runs
351
+ - [#722] `doorkeeper_forbidden_render_options` now supports returning a 404 by
352
+ specifying `respond_not_found_when_forbidden: true` in the
353
+ `doorkeeper_forbidden_render_options` method.
354
+ - [#734] Simplify and remove duplication in request strategy classes
355
+
356
+ ## 3.0.1
357
+
358
+ - [#712] Wrap exchange of grant token for access token and access token refresh
359
+ in transactions
360
+ - [#704] Allow applications scopes to be mass assigned
361
+ - [#707] Fixed order of Mixin inclusion and table_name configuration in models
362
+ - [#712] Wrap access token and refresh grants in transactions
363
+ - Adds JRuby support
364
+ - Specs, views and documentation adjustments
365
+
366
+ ## 3.0.0
367
+
368
+ ### Other changes
369
+
370
+ - [#693] Updates `en.yml`.
371
+
372
+ ## 3.0.0 (rc2)
373
+
374
+ ### Backward incompatible changes
375
+
376
+ - [#678] Change application-specific scopes to take precedence over server-wide
377
+ scopes. This removes the previous behavior where the intersection between
378
+ application and server scopes was used.
379
+
380
+ ### Other changes
381
+
382
+ - [#671] Fixes `NoMethodError - undefined method 'getlocal'` when calling
383
+ the /oauth/token path. Switch from using a DateTime object to update
384
+ AR to using a Time object. (Issue #668)
385
+ - [#677] Support editing application-specific scopes via the standard forms
386
+ - [#682] Pass error hash to Grape `error!`
387
+ - [#683] Generate application secret/UID if fields are blank strings
388
+
389
+ ## 3.0.0 (rc1)
390
+
391
+ ### Backward incompatible changes
392
+
393
+ - [#648] Extracts mongodb ORMs to
394
+ https://github.com/doorkeeper-gem/doorkeeper-mongodb. If you use ActiveRecord
395
+ you don’t need to do any change, otherwise you will need to install the new
396
+ plugin.
397
+ - [#665] `doorkeeper_unauthorized_render_options(error:)` and
398
+ `doorkeeper_forbidden_render_options(error:)` now accept `error` keyword
399
+ argument.
400
+
401
+ ### Removed deprecations
402
+
403
+ - Removes `doorkeeper_for` deprecation notice.
404
+ - Remove `applications.scopes` upgrade notice.
405
+
406
+ ## 2.2.2
407
+
408
+ - [#541] Fixed `undefined method attr_accessible` problem on Rails 4
409
+ (happens only when ProtectedAttributes gem is used) in #599
410
+
411
+ ## 2.2.1
412
+
413
+ - [#636] `custom_access_token_expires_in` bugfixes
414
+ - [#641] syntax error fix (Issue #612)
415
+ - [#633] Send extra details to Custom Token Generator
416
+ - [#628] Refactor: improve orm adapters to ease extension
417
+ - [#637] Upgrade to rspec to 3.2
418
+
419
+ ## 2.2.0 - 2015-04-19
420
+
421
+ - [#611] Allow custom access token generators to be used
422
+ - [#632] Properly fallback to `default_scopes` when no scope is specified
423
+ - [#622] Clarify that there is a logical OR between scopes for authorizing
424
+ - [#635] Upgrade to rspec 3
425
+ - [#627] i18n fallbacks to english
426
+ - Moved CHANGELOG to NEWS.md
427
+
428
+ ## 2.1.4 - 2015-03-27
429
+
430
+ - [#595] HTTP spec: Add `scope` for refresh token scope param
431
+ - [#596] Limit scopes in app scopes for client credentials
432
+ - [#567] Add Grape helpers for easier integration with Grape framework
433
+ - [#606] Add custom access token expiration support for Client Credentials flow
434
+
435
+ ## 2.1.3 - 2015-03-01
436
+
437
+ - [#588] Fixes scopes_match? bug that skipped authorization form in some cases
438
+
439
+ ## 2.1.2 - 2015-02-25
440
+
441
+ - [#574] Remove unused update authorization route.
442
+ - [#576] Filter out sensitive parameters from logs.
443
+ - [#582] The Authorization HTTP header fields are now case insensitive.
444
+ - [#583] Database connection bugfix in certain scenarios.
445
+ - Testing improvements
446
+
447
+ ## 2.1.1 - 2015-02-06
448
+
449
+ - Remove `wildcard_redirect_url` option
450
+ - [#481] Customize token flow OAuth expirations with a config lambda
451
+ - [#568] TokensController: Memoize strategy.authorize_response result to enable
452
+ subclasses to use the response object.
453
+ - [#571] Fix database initialization issues in some configurations.
454
+ - Documentation improvements
455
+
456
+ ## 2.1.0 - 2015-01-13
457
+
458
+ - [#540] Include `created_at` in response.
459
+ - [#538] Check application-level scopes in client_credentials and password flow.
460
+ - [5596227] Check application scopes in AccessToken when present. Fixes a bug in
461
+ doorkeeper 2.0.0 and 2.0.1 referring to application specific scopes.
462
+ - [#534] Internationalizes doorkeeper views.
463
+ - [#545] Ensure there is a connection to the database before checking for
464
+ missing columns
465
+ - [#546] Use `Doorkeeper::` prefix when referencing `Application` to avoid
466
+ possible application model name conflict.
467
+ - [#538] Test with Rails ~> 4.2.
468
+
469
+ ### Potentially backward incompatible changes
470
+
471
+ - Enable by default `authorization_code` and `client_credentials` grant flows.
472
+ Disables implicit and password grant flows by default.
473
+ - [#510, #544, 722113f] Revoked refresh token response bugfix.
474
+
475
+ ## 2.0.1 - 2014-12-17
476
+
477
+ - [#525, #526, #527] Fix `ActiveRecord::NoDatabaseError` on gem load.
478
+
479
+ ## 2.0.0 - 2014-12-16
480
+
481
+ ### Backward incompatible changes
482
+
483
+ - [#448] Removes `doorkeeper_for` helper. Now we use
484
+ `before_action :doorkeeper_authorize!`.
485
+ - [#469] Allow client applications to restrict the set of allowable scopes.
486
+ Fixes #317. `oauth_applications` relation needs a new `scopes` string column,
487
+ non nullable, which defaults to an empty string. To add the column run:
488
+
489
+ ```
490
+ rails generate doorkeeper:application_scopes
491
+ ```
492
+
493
+ If you’d rather do it by hand, your ActiveRecord migration should contain:
494
+
495
+ ```ruby
496
+ add_column :oauth_applications, :scopes, :string, null: false, default: ‘’
497
+ ```
498
+
499
+ ### Removed deprecations
500
+
501
+ - Removes `test_redirect_uri` option. It is now called `native_redirect_uri`.
502
+ - [#446] Removes `mount Doorkeeper::Engine`. Now we use `use_doorkeeper`.
503
+
504
+ ### Others
505
+
506
+ - [#484] Performance improvement - avoid performing order_by when not required.
507
+ - [#450] When password is invalid in Password Credentials Grant, Doorkeeper
508
+ returned 'invalid_resource_owner' instead of 'invalid_grant', as the spec
509
+ declares. Fixes #444.
510
+ - [#452] Allows `revoked_at` to be set in the future, for future expiry.
511
+ Rationale: https://github.com/doorkeeper-gem/doorkeeper/pull/452#issuecomment-51431459
512
+ - [#480] For Implicit grant flow, access tokens can now be reused. Fixes #421.
513
+ - [#491] Reworks of @jasl's #454 and #478. ORM refactor that allows doorkeeper
514
+ to be extended more easily with unsupported ORMs. It also marks the boundaries
515
+ between shared model code and ORM specifics inside of the gem.
516
+ - [#496] Tests with Rails 4.2.
517
+ - [#489] Adds `force_ssl_in_redirect_uri` to force the usage of the HTTPS
518
+ protocol in non-native redirect uris.
519
+ - [#516] SECURITY: Adds `protect_from_forgery` to `Doorkeeper::ApplicationController`
520
+ - [#518] Fix random failures in mongodb.
521
+
522
+ ---
523
+
524
+ ## 1.4.2 - 2015-03-02
525
+
526
+ - [#576] Filter out sensitive parameters from logs
527
+
528
+ ## 1.4.1 - 2014-12-17
529
+
530
+ - [#516] SECURITY: Adds `protect_from_forgery` to `Doorkeeper::ApplicationController`
531
+
532
+ ## 1.4.0 - 2014-07-31
533
+
534
+ - internals
535
+ - [#427] Adds specs expectations.
536
+ - [#428] Error response refactor.
537
+ - [#417] Moves token validation into Access Token class.
538
+ - [#439] Removes redundant module includes.
539
+ - [#443] TokensController and TokenInfoController inherit from ActionController::Metal
540
+ - bug
541
+ - [#418] fixes #243, requests with insufficient scope now respond 403 instead
542
+ of 401. (API change)
543
+ - [#438] fixes #398, native redirect for implicit token grant bug.
544
+ - [#440] namespace fixes
545
+ - enhancements
546
+ - [#432] Keeps query parameters
547
+
548
+ ## 1.3.1 - 2014-07-06
549
+
550
+ - enhancements
551
+ - [#405] Adds facade to more easily get the token from a request in a route
552
+ constraint.
553
+ - [#415] Extend Doorkeeper TokenResponse with an `after_successful_response`
554
+ callback that allows handling of `response` object.
555
+ - internals
556
+ - [#409] Deprecates `test_redirect_uri` in favor of `native_redirect_uri`.
557
+ See discussion in: [#351].
558
+ - [#411] Clean rspec deprecations. General test improvements.
559
+ - [#412] rspec line width can go longer than 80 (hound CI config).
560
+ - bug
561
+ - [#413] fixes #340, routing scope is now taken into account in redirect.
562
+ - [#401] and [#425] application is not required any longer for access_token.
563
+
564
+ ## 1.3.0 - 2014-05-23
565
+
566
+ - enhancements
567
+ - [#387] Adds reuse_access_token configuration option.
568
+
569
+ ## 1.2.0 - 2014-05-02
570
+
571
+ - enhancements
572
+ - [#376] Allow users to enable basic header authorization for access tokens.
573
+ - [#374] Token revocation implementation [RFC 7009]
574
+ - [#295] Only enable specific grant flows.
575
+ - internals
576
+ - [#381] Locale source fix.
577
+ - [#380] Renames `errors_for` to `doorkeeper_errors_for`.
578
+ - [#390] Style adjustments in accordance with Ruby Style Guide form
579
+ Thoughtbot.
580
+
581
+ ## 1.1.0 - 2014-03-29
582
+
583
+ - enhancements
584
+ - [#336] mongoid4 support.
585
+ - [#372] Allow users to set ActiveRecord table_name_prefix/suffix options
586
+ - internals
587
+ - [#343] separate OAuth's admin and user end-point to different layouts, upgrade theme to Bootstrap 3.1.
588
+ - [#348] Move render_options in filter after `@error` has been set
589
+
590
+ ## 1.0.0 - 2014-01-13
591
+
592
+ - bug (spec)
593
+ - [#228] token response `expires_in` value is now in seconds, relative to
594
+ request time
595
+ - [#296] client is optional for password grant type.
596
+ - [#319] If client credentials are present on password grant type they are validated
597
+ - [#326] If client credentials are present in refresh token they are validated
598
+ - [#326] If authenticated client does not match original client that
599
+ obtained a refresh token it responds `invalid_grant` instead of
600
+ `invalid_client`. Previous usage was invalid according to Section 5.2 of
601
+ the spec.
602
+ - [#329] access tokens' `scopes` string wa being compared against
603
+ `default_scopes` symbols, always unauthorizing.
604
+ - [#318] Include "WWW-Authenticate" header with Unauthorized responses
605
+ - enhancements
606
+ - [#293] Adds ActionController::Instrumentation in TokensController
607
+ - [#298] Support for multiple redirect_uris added.
608
+ - [#313] `AccessToken.revoke_all_for` actually revokes all non-revoked
609
+ tokens for an application/owner instead of deleting them.
610
+ - [#333] Rails 4.1 support
611
+ - internals
612
+ - Removes jQuery dependency [fixes #300][pr #312 is related]
613
+ - [#294] Client uid and secret will be generated only if not present.
614
+ - [#316] Test warnings addressed.
615
+ - [#338] Rspec 3 syntax.
616
+
617
+ ---
618
+
619
+ ## 0.7.4 - 2013-12-01
620
+
621
+ - bug
622
+ - Symbols instead of strings for user input.
623
+
624
+ ## 0.7.3 - 2013-10-04
625
+
626
+ - enhancements
627
+ - [#204] Allow to overwrite scope in routes
628
+ - internals
629
+ - Returns only present keys in Token Response (may imply a backwards
630
+ incompatible change). https://github.com/doorkeeper-gem/doorkeeper/issues/220
631
+ - bug
632
+ - [#290] Support for Rails 4 when 'protected_attributes' gem is present.
633
+
634
+ ## 0.7.2 - 2013-09-11
635
+
636
+ - enhancements
637
+ - [#272] Allow issuing multiple access_tokens for one user/application for multiple devices
638
+ - [#170] Increase length of allowed redirect URIs
639
+ - [#239] Do not try to load unavailable Request class for the current phase.
640
+ - [#273] Relax jquery-rails gem dependency
641
+
642
+ ## 0.7.1 - 2013-08-30
643
+
644
+ - bug
645
+ - [#269] Rails 3.2 raised `ActiveModel::MassAssignmentSecurity::Error`.
646
+
647
+ ## 0.7.0 - 2013-08-21
648
+
649
+ - enhancements
650
+ - [#229] Rails 4!
651
+ - internals
652
+ - [#203] Changing table name to be specific in column_names_with_table
653
+ - [#215] README update
654
+ - [#227] Use Rails.config.paths["config/routes"] instead of assuming "config/routes.rb" exists
655
+ - [#262] Add jquery as gem dependency
656
+ - [#263] Add a configuration for ActiveRecord.establish_connection
657
+ - Deprecation and Ruby warnings (PRs merged outside of GitHub).
658
+
659
+ ## 0.6.7 - 2013-01-13
660
+
661
+ - internals
662
+ - [#188] Add IDs to the show views for integration testing [@egtann](https://github.com/egtann)
663
+
664
+ ## 0.6.6 - 2013-01-04
665
+
666
+ - enhancements
667
+ - [#187] Raise error if configuration is not set
668
+
669
+ ## 0.6.5 - 2012-12-26
670
+
671
+ - enhancements
672
+ - [#184] Vendor the Bootstrap CSS [@tylerhunt](https://github.com/tylerhunt)
673
+
674
+ ## 0.6.4 - 2012-12-15
675
+
676
+ - bug
677
+ - [#180] Add localization to authorized_applications destroy notice [@aalvarado](https://github.com/aalvarado)
678
+
679
+ ## 0.6.3 - 2012-12-07
680
+
681
+ - bugfixes
682
+ - [#163] Error response content-type header should be application/json [@ggayan](https://github.com/ggayan)
683
+ - [#175] Make token.expires_in_seconds return nil when expires_in is nil [@miyagawa](https://github.com/miyagawa)
684
+ - enhancements
685
+ - [#166, #172, #174] Behavior to automatically authorize based on a configured proc
686
+ - internals
687
+ - [#168] Using expectation syntax for controller specs [@rdsoze](https://github.com/rdsoze)
688
+
689
+ ## 0.6.2 - 2012-11-10
690
+
691
+ - bugfixes
692
+ - [#162] Remove ownership columns from base migration template [@rdsoze](https://github.com/rdsoze)
693
+
694
+ ## 0.6.1 - 2012-11-07
695
+
696
+ - bugfixes
697
+ - [#160] Removed |routes| argument from initializer authenticator blocks
698
+ - documentation
699
+ - [#160] Fixed description of context of authenticator blocks
700
+
701
+ ## 0.6.0 - 2012-11-05
702
+
703
+ - enhancements
704
+ - Mongoid `orm` configuration accepts only :mongoid2 or :mongoid3
705
+ - Authorization endpoint does not redirect in #new action anymore. It wasn't specified by OAuth spec
706
+ - TokensController now inherits from ActionController::Metal. There might be performance upgrades
707
+ - Add link to authorization in Applications scaffold
708
+ - [#116] MongoMapper support [@carols10cents](https://github.com/carols10cents)
709
+ - [#122] Mongoid3 support [@petergoldstein](https://github.com/petergoldstein)
710
+ - [#150] Introduce test redirect uri for applications
711
+ - bugfixes
712
+ - [#157] Response token status should be `:ok`, not `:success` [@theycallmeswift](https://github.com/theycallmeswift)
713
+ - [#159] Remove ActionView::Base.field_error_proc override (fixes #145)
714
+ - internals
715
+ - Update development dependencies
716
+ - Several refactorings
717
+ - Rails/ORM are easily swichable with env vars (rails and orm)
718
+ - Travis now tests against Mongoid v2
719
+
720
+ ## 0.5.0 - 2012-10-20
721
+
722
+ Official support for rubinius was removed.
723
+
724
+ - enhancements
725
+ - Configure the way access token is retrieved from request (default to bearer header)
726
+ - Authorization Code expiration time is now configurable
727
+ - Add support for mongoid
728
+ - [#78, #128, #137, #138] Application Ownership
729
+ - [#92] Allow users to skip controllers
730
+ - [#99] Remove deprecated warnings for data-\* attributes [@towerhe](https://github.com/towerhe)
731
+ - [#101] Return existing access_token for PasswordAccessTokenRequest [@benoist](https://github.com/benoist)
732
+ - [#104] Changed access token scopes example code to default_scopes and optional_scopes [@amkirwan](https://github.com/amkirwan)
733
+ - [#107] Fix typos in initializer
734
+ - [#123] i18n for validator, flash messages [@petergoldstein](https://github.com/petergoldstein)
735
+ - [#140] ActiveRecord is the default value for the ORM [@petergoldstein](https://github.com/petergoldstein)
736
+ - internals
737
+ - [#112, #120] Replacing update_attribute with update_column to eliminate deprecation warnings [@rmoriz](https://github.com/rmoriz), [@petergoldstein](https://github.com/petergoldstein)
738
+ - [#121] Updating all development dependencies to recent versions. [@petergoldstein](https://github.com/petergoldstein)
739
+ - [#144] Adding MongoDB dependency to .travis.yml [@petergoldstein](https://github.com/petergoldstein)
740
+ - [#143] Displays errors for unconfigured error messages [@timgaleckas](https://github.com/timgaleckas)
741
+ - bugfixes
742
+ - [#102] Not returning 401 when access token generation fails [@cslew](https://github.com/cslew)
743
+ - [#125] Doorkeeper is using ActiveRecord version of as_json in ORM agnostic code [@petergoldstein](https://github.com/petergoldstein)
744
+ - [#142] Prevent double submission of password based authentication [@bdurand](https://github.com/bdurand)
745
+ - documentation
746
+ - [#141] Add rack-cors middleware to readme [@gottfrois](https://github.com/gottfrois)
747
+
748
+ ## 0.4.2 - 2012-06-05
749
+
750
+ - bugfixes:
751
+ - [#94] Uninitialized Constant in Password Flow
752
+
753
+ ## 0.4.1 - 2012-06-02
754
+
755
+ - enhancements:
756
+ - Backport: Move doorkeeper_for extension to Filter helper
757
+
758
+ ## 0.4.0 - 2012-05-26
759
+
760
+ - deprecation
761
+ - Deprecate authorization_scopes
762
+ - database changes
763
+ - AccessToken#resource_owner_id is not nullable
764
+ - enhancements
765
+ - [#83] Add Resource Owner Password Credentials flow [@jaimeiniesta](https://github.com/jaimeiniesta)
766
+ - [#76] Allow token expiration to be disabled [@mattgreen](https://github.com/mattgreen)
767
+ - [#89] Configure the way client credentials are retrieved from request
768
+ - [#b6470a] Add Client Credentials flow
769
+ - internals
770
+ - [#2ece8d, #f93778] Introduce Client and ErrorResponse classes
771
+
772
+ ## 0.3.4 - 2012-05-24
773
+
774
+ - Fix attr_accessible for rails 3.2.x
775
+
776
+ ## 0.3.3 - 2012-05-07
777
+
778
+ - [#86] shrink gem package size
779
+
780
+ ## 0.3.2 - 2012-04-29
781
+
782
+ - enhancements
783
+ - [#54] Ignore Authorization: headers that are not Bearer [@miyagawa](https://github.com/miyagawa)
784
+ - [#58, #64] Add destroy action to applications endpoint [@jaimeiniesta](https://github.com/jaimeiniesta), [@davidfrey](https://github.com/davidfrey)
785
+ - [#63] TokensController responds with `401 unauthorized` [@jaimeiniesta](https://github.com/jaimeiniesta)
786
+ - [#67, #72] Fix for mass-assignment [@cicloid](https://github.com/cicloid)
787
+ - internals
788
+ - [#49] Add Gemnasium status image to README [@laserlemon](https://github.com/laserlemon)
789
+ - [#50] Fix typos [@tomekw](https://github.com/tomekw)
790
+ - [#51] Updated the factory_girl_rails dependency, fix expires_in response which returned a float number instead of integer [@antekpiechnik](https://github.com/antekpiechnik)
791
+ - [#62] Typos, .gitignore [@jaimeiniesta](https://github.com/jaimeiniesta)
792
+ - [#65] Change \_path redirections to \_url redirections [@jaimeiniesta](https://github.com/jaimeiniesta)
793
+ - [#75] Fix unknown method #authenticate_admin! [@mattgreen](https://github.com/mattgreen)
794
+ - Remove application link in authorized app view
795
+
796
+ ## 0.3.1 - 2012-02-17
797
+
798
+ - enhancements
799
+ - [#48] Add if, else options to doorkeeper_for
800
+ - Add views generator
801
+ - internals
802
+ - Namespace models
803
+
804
+ ## 0.3.0 - 2012-02-11
805
+
806
+ - enhancements
807
+ - [#17, #31] Add support for client credentials in basic auth header [@GoldsteinTechPartners](https://github.com/GoldsteinTechPartners)
808
+ - [#28] Add indices to migration [@GoldsteinTechPartners](https://github.com/GoldsteinTechPartners)
809
+ - [#29] Allow doorkeeper to run with rails 3.2 [@john-griffin](https://github.com/john-griffin)
810
+ - [#30] Improve client's redirect uri validation [@GoldsteinTechPartners](https://github.com/GoldsteinTechPartners)
811
+ - [#32] Add token (implicit grant) flow [@GoldsteinTechPartners](https://github.com/GoldsteinTechPartners)
812
+ - [#34] Add support for custom unathorized responses [@GoldsteinTechPartners](https://github.com/GoldsteinTechPartners)
813
+ - [#36] Remove repetitions from the Authorised Applications view [@carvil](https://github.com/carvil)
814
+ - When user revoke an application, all tokens for that application are revoked
815
+ - Error messages now can be translated
816
+ - Install generator copies the error messages localization file
817
+ - internals
818
+ - Fix deprecation warnings in ActiveSupport::Base64
819
+ - Remove deprecation in doorkeeper_for that handles hash arguments
820
+ - Depends on railties instead of whole rails framework
821
+ - CI now integrates with rails 3.1 and 3.2
822
+
823
+ ## 0.2.0 - 2011-12-17
824
+
825
+ - enhancements
826
+ - [#4] Add authorized applications endpoint
827
+ - [#5, #11] Add access token scopes
828
+ - [#10] Add access token expiration by default
829
+ - [#9, #12] Add refresh token flow
830
+ - internals
831
+ - [#7] Improve configuration options with :default
832
+ - Improve configuration options with :builder
833
+ - Refactor config class
834
+ - Improve coverage of authorization request integration
835
+ - bug fixes
836
+ - [#6, #20] Fix access token response headers
837
+ - Fix issue with state parameter
838
+ - deprecation
839
+ - deprecate :only and :except options in doorkeeper_for
840
+
841
+ ## 0.1.1 - 2011-11-30
842
+
843
+ - enhancements
844
+ - [#3] Authorization code must be short lived and single use
845
+ - [#2] Improve views provided by doorkeeper
846
+ - [#1] Skips authorization form if the client has been authorized by the resource owner
847
+ - Improve readme
848
+ - bugfixes
849
+ - Fix issue when creating the access token (wrong client id)
850
+
851
+ ## 0.1.0 - 2011-11-25
852
+
853
+ - Authorization Code flow
854
+ - OAuth applications endpoint