doorkeeper 5.1.2 → 5.2.2

data/README.md

@@ -21,10 +21,11 @@ Supported features:
   - [Implicit grant](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.2)
   - [Resource Owner Password Credentials](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.3)
   - [Client Credentials](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.4)
-  - [Proof Key for Code Exchange](https://tools.ietf.org/html/rfc7636)
 - [OAuth 2.0 Token Revocation](http://tools.ietf.org/html/rfc7009)
 - [OAuth 2.0 Token Introspection](https://tools.ietf.org/html/rfc7662)
 - [OAuth 2.0 Threat Model and Security Considerations](http://tools.ietf.org/html/rfc6819)
+- [OAuth 2.0 for Native Apps](https://tools.ietf.org/html/draft-ietf-oauth-native-apps-10)
+- [Proof Key for Code Exchange by OAuth Public Clients](https://tools.ietf.org/html/rfc7636)
 
 ## Table of Contents
 
@@ -93,6 +94,7 @@ Doorkeeper supports Active Record by default, but can be configured to work with
 | MongoDB | [doorkeeper-gem/doorkeeper-mongodb](https://github.com/doorkeeper-gem/doorkeeper-mongodb) |
 | Sequel | [nbulaj/doorkeeper-sequel](https://github.com/nbulaj/doorkeeper-sequel) |
 | Couchbase | [acaprojects/doorkeeper-couchbase](https://github.com/acaprojects/doorkeeper-couchbase) |
+| RethinkDB | [aca-labs/doorkeeper-rethinkdb](https://github.com/aca-labs/doorkeeper-rethinkdb) |
 
 ## Extensions
 
@@ -136,6 +138,12 @@ Support this project by becoming a sponsor. Your logo will show up here with a l
 
 > If you prefer not to deal with the gory details of OAuth 2, need dedicated customer support & consulting, try the cloud-based SaaS version: [https://oauth.io](https://oauth.io/?utm_source=doorkeeper-gem)
 
+<br>
+
+<a href="https://www.wealthsimple.com/?utm_source=doorkeeper-gem" target="_blank"><img src="https://wealthsimple.s3.amazonaws.com/branding/medium-black.svg"/></a>
+
+> Wealthsimple is a financial company on a mission to help everyone achieve financial freedom by providing products and advice that are accessible and affordable. Using smart technology, Wealthsimple takes financial services that are often confusing, opaque and expensive and makes them simple, transparent, and low-cost. See what Investing on Autopilot is all about: [https://www.wealthsimple.com](https://www.wealthsimple.com/?utm_source=doorkeeper-gem)
+
 ## Development
 
 To run the local engine server:
@@ -146,10 +154,10 @@ bundle exec rake doorkeeper:server
 ````
 
 By default, it uses the latest Rails version with ActiveRecord. To run the
-tests with a specific ORM and Rails version:
+tests with a specific Rails version:
 
 ```
-rails=5.2 orm=active_record bundle exec rake
+BUNDLE_GEMFILE=gemfiles/rails_6_0.gemfile bundle exec rake
 ```
 
 ## Contributing

data/RELEASING.md

@@ -1,10 +1,11 @@
-# Releasing doorkeeper
+# Releasing Doorkeeper
 
-How to release doorkeeper in five easy steps!
+How to release Doorkeeper in five easy steps!
 
 1. Update `lib/doorkeeper/version.rb` file accordingly.
-2. Update `NEWS.md` to reflect the changes since last release.
-3. Commit changes: `git commit -am 'Bump to vVERSION'`
-4. Run `rake release`
+2. Update `CHANGELOG.md` to reflect the changes since last release.
+3. Commit changes: `git commit -am 'Bump to vVERSION'`.
+4. Build and publish the gem.
+4. Create GitHub release.
 5. Announce the new release, making sure to say “thank you” to the contributors
    who helped shape this version!

data/app/controllers/doorkeeper/application_controller.rb

@@ -2,7 +2,7 @@
 
 module Doorkeeper
   class ApplicationController <
-    Doorkeeper.configuration.base_controller.constantize
+    Doorkeeper.configuration.resolve_controller(:base)
     include Helpers::Controller
 
     unless Doorkeeper.configuration.api_only

data/app/controllers/doorkeeper/application_metal_controller.rb

@@ -1,7 +1,8 @@
 # frozen_string_literal: true
 
 module Doorkeeper
-  class ApplicationMetalController < ActionController::API
+  class ApplicationMetalController <
+    Doorkeeper.configuration.resolve_controller(:base_metal)
     include Helpers::Controller
 
     before_action :enforce_content_type,

data/app/controllers/doorkeeper/applications_controller.rb

@@ -4,6 +4,7 @@ module Doorkeeper
   class ApplicationsController < Doorkeeper::ApplicationController
     layout "doorkeeper/admin" unless Doorkeeper.configuration.api_only
 
+    add_flash_types :application_secret unless Doorkeeper.configuration.api_only
     before_action :authenticate_admin!
     before_action :set_application, only: %i[show edit update destroy]
 
@@ -19,7 +20,7 @@ module Doorkeeper
     def show
       respond_to do |format|
         format.html
-        format.json { render json: @application, as_owner: true }
+        format.json { render json: @application }
       end
     end
 
@@ -32,10 +33,11 @@ module Doorkeeper
 
       if @application.save
         flash[:notice] = I18n.t(:notice, scope: %i[doorkeeper flash applications create])
+        flash[:application_secret] = @application.plaintext_secret
 
         respond_to do |format|
           format.html { redirect_to oauth_application_url(@application) }
-          format.json { render json: @application, as_owner: true }
+          format.json { render json: @application }
         end
       else
         respond_to do |format|
@@ -57,7 +59,7 @@ module Doorkeeper
 
         respond_to do |format|
           format.html { redirect_to oauth_application_url(@application) }
-          format.json { render json: @application, as_owner: true }
+          format.json { render json: @application }
         end
       else
         respond_to do |format|

data/app/controllers/doorkeeper/authorizations_controller.rb

@@ -12,7 +12,6 @@ module Doorkeeper
       end
     end
 
-    # TODO: Handle raise invalid authorization
     def create
       redirect_or_render authorize_response
     end
@@ -66,9 +65,16 @@ module Doorkeeper
     end
 
     def pre_auth
-      @pre_auth ||= OAuth::PreAuthorization.new(Doorkeeper.configuration,
-                                                server.client_via_uid,
-                                                params)
+      @pre_auth ||= OAuth::PreAuthorization.new(Doorkeeper.configuration, pre_auth_params)
+    end
+
+    def pre_auth_params
+      params.slice(*pre_auth_param_fields).permit(*pre_auth_param_fields)
+    end
+
+    def pre_auth_param_fields
+      %i[client_id response_type redirect_uri scope state code_challenge
+         code_challenge_method]
     end
 
     def authorization
@@ -81,10 +87,11 @@ module Doorkeeper
 
     def authorize_response
       @authorize_response ||= begin
-        authorizable = pre_auth.authorizable?
-        before_successful_authorization if authorizable
+        return pre_auth.error_response unless pre_auth.authorizable?
+
+        before_successful_authorization
         auth = strategy.authorize
-        after_successful_authorization if authorizable
+        after_successful_authorization
         auth
       end
     end

data/app/controllers/doorkeeper/authorized_applications_controller.rb

@@ -9,7 +9,7 @@ module Doorkeeper
 
       respond_to do |format|
         format.html
-        format.json { render json: @applications, current_resource_owner: current_resource_owner }
+        format.json { render json: @applications }
       end
     end
 

data/app/controllers/doorkeeper/tokens_controller.rb

@@ -6,8 +6,8 @@ module Doorkeeper
       headers.merge!(authorize_response.headers)
       render json: authorize_response.body,
              status: authorize_response.status
-    rescue Errors::DoorkeeperError => error
-      handle_token_exception(error)
+    rescue Errors::DoorkeeperError => e
+      handle_token_exception(e)
     end
 
     # OAuth 2.0 Token Revocation - http://tools.ietf.org/html/rfc7009
@@ -18,12 +18,13 @@ module Doorkeeper
       # Doorkeeper does not use the token_type_hint logic described in the
       # RFC 7009 due to the refresh token implementation that is a field in
       # the access token model.
-      revoke_token if authorized?
 
-      # The authorization server responds with HTTP status code 200 if the token
-      # has been revoked successfully or if the client submitted an invalid
-      # token
-      render json: {}, status: 200
+      if authorized?
+        revoke_token
+        render json: {}, status: 200
+      else
+        render json: revocation_error_response, status: :forbidden
+      end
     end
 
     def introspect
@@ -71,7 +72,10 @@ module Doorkeeper
     end
 
     def revoke_token
-      token.revoke if token.accessible?
+      # The authorization server responds with HTTP status code 200 if the token
+      # has been revoked successfully or if the client submitted an invalid
+      # token
+      token.revoke if token&.accessible?
     end
 
     def token
@@ -84,7 +88,26 @@ module Doorkeeper
     end
 
     def authorize_response
-      @authorize_response ||= strategy.authorize
+      @authorize_response ||= begin
+        before_successful_authorization
+        auth = strategy.authorize
+        after_successful_authorization unless auth.is_a?(Doorkeeper::OAuth::ErrorResponse)
+        auth
+      end
+    end
+
+    def after_successful_authorization
+      Doorkeeper.configuration.after_successful_authorization.call(self)
+    end
+
+    def before_successful_authorization
+      Doorkeeper.configuration.before_successful_authorization.call(self)
+    end
+
+    def revocation_error_response
+      error_description = I18n.t(:unauthorized, scope: %i[doorkeeper errors messages revoke])
+
+      { error: :unauthorized_client, error_description: error_description }
     end
   end
 end

data/app/views/doorkeeper/applications/_form.html.erb

@@ -20,12 +20,6 @@
         <%= t('doorkeeper.applications.help.redirect_uri') %>
       </span>
 
-      <% if Doorkeeper.configuration.native_redirect_uri %>
-          <span class="form-text text-secondary">
-            <%= raw t('doorkeeper.applications.help.native_redirect_uri', native_redirect_uri: content_tag(:code, class: 'bg-light') { Doorkeeper.configuration.native_redirect_uri }) %>
-          </span>
-      <% end %>
-
       <% if Doorkeeper.configuration.allow_blank_redirect_uri?(application) %>
         <span class="form-text text-secondary">
           <%= t('doorkeeper.applications.help.blank_redirect_uri') %>

data/app/views/doorkeeper/applications/show.html.erb

@@ -8,7 +8,7 @@
     <p><code class="bg-light" id="application_id"><%= @application.uid %></code></p>
 
     <h4><%= t('.secret') %>:</h4>
-    <p><code class="bg-light" id="secret"><%= @application.plaintext_secret %></code></p>
+    <p><code class="bg-light" id="secret"><%= flash[:application_secret].presence || @application.plaintext_secret %></code></p>
 
     <h4><%= t('.scopes') %>:</h4>
     <p><code class="bg-light" id="scopes"><%= @application.scopes.presence || raw('&nbsp;') %></code></p>

data/config/locales/en.yml

@@ -11,6 +11,7 @@ en:
             redirect_uri:
               fragment_present: 'cannot contain a fragment.'
               invalid_uri: 'must be a valid URI.'
+              unspecified_scheme: 'must specify a scheme.'
               relative_uri: 'must be an absolute URI.'
               secured_uri: 'must be an HTTPS/SSL URI.'
               forbidden_uri: 'is forbidden by the server.'
@@ -33,7 +34,6 @@ en:
         confidential: 'Application will be used where the client secret can be kept confidential. Native mobile apps and Single Page Apps are considered non-confidential.'
         redirect_uri: 'Use one line per URI'
         blank_redirect_uri: "Leave it blank if you configured your provider to use Client Credentials, Resource Owner Password Credentials or any other grant type that doesn't require redirect URI."
-        native_redirect_uri: 'Use %{native_redirect_uri} if you want to add localhost URIs for development purposes'
         scopes: 'Separate scopes with spaces. Leave blank to use the default scopes.'
       edit:
         title: 'Edit application'
@@ -88,7 +88,11 @@ en:
     errors:
       messages:
         # Common error messages
-        invalid_request: 'The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed.'
+        invalid_request:
+          unknown: 'The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed.'
+          missing_param: 'Missing required parameter: %{value}.'
+          not_support_pkce: 'Invalid code_verifier parameter. Server does not support pkce.'
+          request_not_authorized: 'Request need to be authorized. Required parameter for authorizing request is missing or invalid.'
         invalid_redirect_uri: "The requested redirect uri is malformed or doesn't match client redirect URI."
         unauthorized_client: 'The client is not authorized to perform this request using this method.'
         access_denied: 'The resource owner or authorization server denied the request.'
@@ -114,6 +118,8 @@ en:
           revoked: "The access token was revoked"
           expired: "The access token expired"
           unknown: "The access token is invalid"
+        revoke:
+          unauthorized: "You are not authorized to revoke this token"
 
     flash:
       applications:

data/doorkeeper.gemspec

@@ -14,10 +14,18 @@ Gem::Specification.new do |gem|
   gem.description = "Doorkeeper is an OAuth 2 provider for Rails and Grape."
   gem.license     = "MIT"
 
-  gem.files         = `git ls-files`.split("\n")
+  gem.files         = `git ls-files`.split("\n").reject { |file| file.start_with?(".") }
   gem.test_files    = `git ls-files -- spec/*`.split("\n")
   gem.require_paths = ["lib"]
 
+  gem.metadata = {
+    "homepage_uri" => "https://github.com/doorkeeper-gem/doorkeeper",
+    "changelog_uri" => "https://github.com/doorkeeper-gem/doorkeeper/blob/master/CHANGELOG.md",
+    "source_code_uri" => "https://github.com/doorkeeper-gem/doorkeeper",
+    "bug_tracker_uri" => "https://github.com/doorkeeper-gem/doorkeeper/issues",
+    "documentation_uri" => "https://doorkeeper.gitbook.io/guides/",
+  }
+
   gem.add_dependency "railties", ">= 5"
   gem.required_ruby_version = ">= 2.4"
 

data/gemfiles/rails_5_0.gemfile

@@ -9,6 +9,7 @@ gem "rspec-mocks", git: "https://github.com/rspec/rspec-mocks.git"
 gem "rspec-rails", branch: "4-0-dev", git: "https://github.com/rspec/rspec-rails.git"
 gem "rspec-support", git: "https://github.com/rspec/rspec-support.git"
 gem "rubocop", "~> 0.66"
+gem "rubocop-performance"
 gem "bcrypt", "~> 3.1", require: false
 gem "activerecord-jdbcsqlite3-adapter", platform: :jruby
 gem "sqlite3", "~> 1.3", "< 1.4", platform: [:ruby, :mswin, :mingw, :x64_mingw]

data/gemfiles/rails_5_1.gemfile

@@ -9,6 +9,7 @@ gem "rspec-mocks", git: "https://github.com/rspec/rspec-mocks.git"
 gem "rspec-rails", branch: "4-0-dev", git: "https://github.com/rspec/rspec-rails.git"
 gem "rspec-support", git: "https://github.com/rspec/rspec-support.git"
 gem "rubocop", "~> 0.66"
+gem "rubocop-performance"
 gem "bcrypt", "~> 3.1", require: false
 gem "activerecord-jdbcsqlite3-adapter", platform: :jruby
 gem "sqlite3", "~> 1.3", "< 1.4", platform: [:ruby, :mswin, :mingw, :x64_mingw]

data/gemfiles/rails_5_2.gemfile

@@ -9,6 +9,7 @@ gem "rspec-mocks", git: "https://github.com/rspec/rspec-mocks.git"
 gem "rspec-rails", branch: "4-0-dev", git: "https://github.com/rspec/rspec-rails.git"
 gem "rspec-support", git: "https://github.com/rspec/rspec-support.git"
 gem "rubocop", "~> 0.66"
+gem "rubocop-performance"
 gem "bcrypt", "~> 3.1", require: false
 gem "activerecord-jdbcsqlite3-adapter", platform: :jruby
 gem "sqlite3", "~> 1.3", "< 1.4", platform: [:ruby, :mswin, :mingw, :x64_mingw]

data/gemfiles/rails_6_0.gemfile

@@ -2,13 +2,14 @@
 
 source "https://rubygems.org"
 
-gem "rails", "~> 6.0.0.beta3"
+gem "rails", "~> 6.0.0"
 gem "rspec-core", git: "https://github.com/rspec/rspec-core.git"
 gem "rspec-expectations", git: "https://github.com/rspec/rspec-expectations.git"
 gem "rspec-mocks", git: "https://github.com/rspec/rspec-mocks.git"
 gem "rspec-rails", branch: "4-0-dev", git: "https://github.com/rspec/rspec-rails.git"
 gem "rspec-support", git: "https://github.com/rspec/rspec-support.git"
 gem "rubocop", "~> 0.66"
+gem "rubocop-performance"
 gem "bcrypt", "~> 3.1", require: false
 gem "activerecord-jdbcsqlite3-adapter", platform: :jruby
 gem "sqlite3", "~> 1.4", platform: [:ruby, :mswin, :mingw, :x64_mingw]

data/gemfiles/rails_master.gemfile

@@ -9,6 +9,7 @@ gem "rspec-mocks", git: "https://github.com/rspec/rspec-mocks.git"
 gem "rspec-rails", branch: "4-0-dev", git: "https://github.com/rspec/rspec-rails.git"
 gem "rspec-support", git: "https://github.com/rspec/rspec-support.git"
 gem "rubocop", "~> 0.66"
+gem "rubocop-performance"
 gem "bcrypt", "~> 3.1", require: false
 gem "activerecord-jdbcsqlite3-adapter", platform: :jruby
 gem "sqlite3", "~> 1.4", platform: [:ruby, :mswin, :mingw, :x64_mingw]

data/lib/doorkeeper/config/option.rb

@@ -38,14 +38,20 @@ module Doorkeeper
 
         Builder.instance_eval do
           remove_method name if method_defined?(name)
-          define_method name do |*args, &block|
-            value = if attribute_builder
-                      attribute_builder.new(&block).build
-                    else
-                      block || args.first
-                    end
+          if options[:deprecated]
+            define_method name do |*_, &_|
+              Kernel.warn "[DOORKEEPER] #{name} has been deprecated and will soon be removed"
+            end
+          else
+            define_method name do |*args, &block|
+              value = if attribute_builder
+                        attribute_builder.new(&block).build
+                      else
+                        block || args.first
+                      end
 
-            @config.instance_variable_set(:"@#{attribute}", value)
+              @config.instance_variable_set(:"@#{attribute}", value)
+            end
           end
         end
 

data/lib/doorkeeper/config.rb

@@ -25,8 +25,8 @@ module Doorkeeper
 
   def self.setup_orm_adapter
     @orm_adapter = "doorkeeper/orm/#{configuration.orm}".classify.constantize
-  rescue NameError => error
-    raise error, "ORM adapter not found (#{configuration.orm})", <<-ERROR_MSG.strip_heredoc
+  rescue NameError => e
+    raise e, "ORM adapter not found (#{configuration.orm})", <<-ERROR_MSG.strip_heredoc
       [doorkeeper] ORM adapter not found (#{configuration.orm}), or there was an error
       trying to load it.
 
@@ -254,11 +254,37 @@ module Doorkeeper
     option :custom_access_token_expires_in, default: ->(_context) { nil }
     option :authorization_code_expires_in,  default: 600
     option :orm,                            default: :active_record
-    option :native_redirect_uri,            default: "urn:ietf:wg:oauth:2.0:oob"
+    option :native_redirect_uri,            default: "urn:ietf:wg:oauth:2.0:oob", deprecated: true
     option :active_record_options,          default: {}
     option :grant_flows,                    default: %w[authorization_code client_credentials]
     option :handle_auth_errors,             default: :render
 
+    # Allows to customize OAuth grant flows that +each+ application support.
+    # You can configure a custom block (or use a class respond to `#call`) that must
+    # return `true` in case Application instance supports requested OAuth grant flow
+    # during the authorization request to the server. This configuration +doesn't+
+    # set flows per application, it only allows to check if application supports
+    # specific grant flow.
+    #
+    # For example you can add an additional database column to `oauth_applications` table,
+    # say `t.array :grant_flows, default: []`, and store allowed grant flows that can
+    # be used with this application there. Then when authorization requested Doorkeeper
+    # will call this block to check if specific Application (passed with client_id and/or
+    # client_secret) is allowed to perform the request for the specific grant type
+    # (authorization, password, client_credentials, etc).
+    #
+    # Example of the block:
+    #
+    #   ->(flow, client) { client.grant_flows.include?(flow) }
+    #
+    # In case this option invocation result is `false`, Doorkeeper server returns
+    # :unauthorized_client error and stops the request.
+    #
+    # @param allow_grant_flow_for_client [Proc] Block or any object respond to #call
+    # @return [Boolean] `true` if allow or `false` if forbid the request
+    #
+    option :allow_grant_flow_for_client,    default: ->(_grant_flow, _client) { true }
+
     # Allows to forbid specific Application redirect URI's by custom rules.
     # Doesn't forbid any URI by default.
     #
@@ -288,7 +314,7 @@ module Doorkeeper
     option :force_ssl_in_redirect_uri,      default: !Rails.env.development?
 
     # Use a custom class for generating the access token.
-    # https://github.com/doorkeeper-gem/doorkeeper#custom-access-token-generator
+    # https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-access-token-generator
     #
     # @param access_token_generator [String]
     #   the name of the access token generator class
@@ -306,11 +332,20 @@ module Doorkeeper
 
     # The controller Doorkeeper::ApplicationController inherits from.
     # Defaults to ActionController::Base.
-    # https://github.com/doorkeeper-gem/doorkeeper#custom-base-controller
+    # https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-base-controller
     #
     # @param base_controller [String] the name of the base controller
     option :base_controller,
-           default: "ActionController::Base"
+           default: (lambda do
+             api_only ? "ActionController::API" : "ActionController::Base"
+           end)
+
+    # The controller Doorkeeper::ApplicationMetalController inherits from.
+    # Defaults to ActionController::API.
+    #
+    # @param base_metal_controller [String] the name of the base controller
+    option :base_metal_controller,
+           default: "ActionController::API"
 
     # Allows to set blank redirect URIs for Applications in case
     # server configured to use URI-less grant flows.
@@ -321,6 +356,36 @@ module Doorkeeper
                grant_flows.exclude?("implicit")
            end)
 
+    # Configure protection of token introspection request.
+    # By default this configuration allows to introspect a token by
+    # another token of the same application, or to introspect the token
+    # that belongs to authorized client, or access token has been introspected
+    # is a public one (doesn't belong to any client)
+    #
+    # You can define any custom rule you need or just disable token
+    # introspection at all.
+    #
+    # @param token [Doorkeeper::AccessToken]
+    #   token to be introspected
+    #
+    # @param authorized_client [Doorkeeper::Application]
+    #   authorized client (if request is authorized using Basic auth with
+    #   Client Credentials for example)
+    #
+    # @param authorized_token [Doorkeeper::AccessToken]
+    #   Bearer token used to authorize the request
+    #
+    option :allow_token_introspection,
+           default: (lambda do |token, authorized_client, authorized_token|
+             if authorized_token
+               authorized_token.application == token&.application
+             elsif token.application
+               authorized_client == token.application
+             else
+               true
+             end
+           end)
+
     attr_reader :api_only,
                 :enforce_content_type,
                 :reuse_access_token,
@@ -354,6 +419,17 @@ module Doorkeeper
       @token_reuse_limit ||= 100
     end
 
+    def resolve_controller(name)
+      config_option = public_send(:"#{name}_controller")
+      controller_name = if config_option.respond_to?(:call)
+                          instance_exec(&config_option)
+                        else
+                          config_option
+                        end
+
+      controller_name.constantize
+    end
+
     def enforce_configured_scopes?
       option_set? :enforce_configured_scopes
     end
@@ -422,6 +498,12 @@ module Doorkeeper
       end
     end
 
+    def allow_grant_flow_for_client?(grant_flow, client)
+      return true unless option_defined?(:allow_grant_flow_for_client)
+
+      allow_grant_flow_for_client.call(grant_flow, client)
+    end
+
     def option_defined?(name)
       instance_variable_defined?("@#{name}")
     end

data/lib/doorkeeper/errors.rb

@@ -8,18 +8,6 @@ module Doorkeeper
       end
     end
 
-    class InvalidAuthorizationStrategy < DoorkeeperError
-      def type
-        :unsupported_response_type
-      end
-    end
-
-    class InvalidTokenReuse < DoorkeeperError
-      def type
-        :invalid_request
-      end
-    end
-
     class InvalidGrantReuse < DoorkeeperError
       def type
         :invalid_grant
@@ -32,7 +20,14 @@ module Doorkeeper
       end
     end
 
-    class MissingRequestStrategy < DoorkeeperError
+    class MissingRequiredParameter < DoorkeeperError
+      attr_reader :missing_param
+
+      def initialize(missing_param)
+        super
+        @missing_param = missing_param
+      end
+
       def type
         :invalid_request
       end
@@ -50,10 +45,10 @@ module Doorkeeper
     TokenGeneratorNotFound = Class.new(DoorkeeperError)
     NoOrmCleaner = Class.new(DoorkeeperError)
 
-    InvalidToken = Class.new BaseResponseError
-    TokenExpired = Class.new InvalidToken
-    TokenRevoked = Class.new InvalidToken
-    TokenUnknown = Class.new InvalidToken
-    TokenForbidden = Class.new InvalidToken
+    InvalidToken = Class.new(BaseResponseError)
+    TokenExpired = Class.new(InvalidToken)
+    TokenRevoked = Class.new(InvalidToken)
+    TokenUnknown = Class.new(InvalidToken)
+    TokenForbidden = Class.new(InvalidToken)
   end
 end

data/lib/doorkeeper/grape/helpers.rb

@@ -4,6 +4,8 @@ require "doorkeeper/grape/authorization_decorator"
 
 module Doorkeeper
   module Grape
+    # Doorkeeper helpers for Grape applications.
+    # Provides helpers for endpoints authorization based on defined set of scopes.
     module Helpers
       # These helpers are for grape >= 0.10
       extend ::Grape::API::Helpers
@@ -11,7 +13,9 @@ module Doorkeeper
 
       # endpoint specific scopes > parameter scopes > default scopes
       def doorkeeper_authorize!(*scopes)
-        endpoint_scopes = endpoint.route_setting(:scopes) || endpoint.options[:route_options][:scopes]
+        endpoint_scopes = endpoint.route_setting(:scopes) ||
+                          endpoint.options[:route_options][:scopes]
+
         scopes = if endpoint_scopes
                    Doorkeeper::OAuth::Scopes.from_array(endpoint_scopes)
                  elsif scopes && !scopes.empty?