doorkeeper 5.1.2 → 5.2.2

data/lib/doorkeeper/oauth/refresh_token_request.rb

@@ -13,26 +13,27 @@ module Doorkeeper
 
       attr_accessor :access_token, :client, :credentials, :refresh_token,
                     :server
+      attr_reader   :missing_param
 
       def initialize(server, refresh_token, credentials, parameters = {})
-        @server          = server
-        @refresh_token   = refresh_token
-        @credentials     = credentials
+        @server = server
+        @refresh_token = refresh_token
+        @credentials = credentials
         @original_scopes = parameters[:scope] || parameters[:scopes]
         @refresh_token_parameter = parameters[:refresh_token]
-
-        if credentials
-          @client = Application.by_uid_and_secret credentials.uid,
-                                                  credentials.secret
-        end
+        @client = load_client(credentials) if credentials
       end
 
       private
 
+      def load_client(credentials)
+        Application.by_uid_and_secret(credentials.uid, credentials.secret)
+      end
+
       def before_successful_response
         refresh_token.transaction do
           refresh_token.lock!
-          raise Errors::InvalidTokenReuse if refresh_token.revoked?
+          raise Errors::InvalidGrantReuse if refresh_token.revoked?
 
           refresh_token.revoke unless refresh_token_revoked_on_use?
           create_access_token
@@ -76,7 +77,9 @@ module Doorkeeper
       end
 
       def validate_token_presence
-        refresh_token.present? || @refresh_token_parameter.present?
+        @missing_param = :refresh_token if refresh_token.blank? && @refresh_token_parameter.blank?
+
+        @missing_param.nil?
       end
 
       def validate_token

data/lib/doorkeeper/oauth/token_introspection.rb

@@ -7,7 +7,7 @@ module Doorkeeper
     # @see https://tools.ietf.org/html/rfc7662
     class TokenIntrospection
       attr_reader :server, :token
-      attr_reader :error
+      attr_reader :error, :invalid_request_reason
 
       def initialize(server, token)
         @server = server
@@ -25,6 +25,8 @@ module Doorkeeper
 
         if @error == :invalid_token
           OAuth::InvalidTokenResponse.from_access_token(authorized_token)
+        elsif @error == :invalid_request
+          OAuth::InvalidRequestResponse.from_request(self)
         else
           OAuth::ErrorResponse.new(name: @error)
         end
@@ -67,9 +69,10 @@ module Doorkeeper
           #  HTTP 401 code as described in Section 3 of OAuth 2.0 Bearer Token
           #  Usage [RFC6750].
           #
-          @error = :invalid_token if authorized_token_matches_introspected? || !authorized_token.accessible?
+          @error = :invalid_token unless valid_authorized_token?
         else
           @error = :invalid_request
+          @invalid_request_reason = :request_not_authorized
         end
       end
 
@@ -80,8 +83,7 @@ module Doorkeeper
 
       # Bearer Token Authentication
       def authorized_token
-        @authorized_token ||=
-          OAuth::Token.authenticate(server.context.request, :from_bearer_authorization)
+        @authorized_token ||= Doorkeeper.authenticate(server.context.request)
       end
 
       # 2.2. Introspection Response
@@ -150,7 +152,7 @@ module Doorkeeper
       #
       def active?
         if authorized_client
-          valid_token? && authorized_for_client?
+          valid_token? && token_introspection_allowed?(auth_client: authorized_client.application)
         else
           valid_token?
         end
@@ -161,19 +163,27 @@ module Doorkeeper
         @token&.accessible?
       end
 
+      def valid_authorized_token?
+        !authorized_token_matches_introspected? &&
+          authorized_token.accessible? &&
+          token_introspection_allowed?(auth_token: authorized_token)
+      end
+
       # RFC7662 Section 2.1
       def authorized_token_matches_introspected?
         authorized_token.token == @token&.token
       end
 
-      # If token doesn't belong to some client, then it is public.
-      # Otherwise in it required for token to be connected to the same client.
-      def authorized_for_client?
-        if @token.application
-          @token.application == authorized_client.application
-        else
-          true
-        end
+      # config constraints for introspection in Doorkeeper.configuration.allow_token_introspection
+      def token_introspection_allowed?(auth_client: nil, auth_token: nil)
+        allow_introspection = Doorkeeper.configuration.allow_token_introspection
+        return allow_introspection unless allow_introspection.respond_to?(:call)
+
+        allow_introspection.call(
+          @token,
+          auth_client,
+          auth_token
+        )
       end
 
       # Allows to customize introspection response.

data/lib/doorkeeper/oauth/token_request.rb

@@ -11,28 +11,14 @@ module Doorkeeper
       end
 
       def authorize
-        if pre_auth.authorizable?
-          auth = Authorization::Token.new(pre_auth, resource_owner)
-          auth.issue_token
-          @response = CodeResponse.new pre_auth,
-                                       auth,
-                                       response_on_fragment: true
-        else
-          @response = error_response
-        end
+        auth = Authorization::Token.new(pre_auth, resource_owner)
+        auth.issue_token
+        CodeResponse.new(pre_auth, auth, response_on_fragment: true)
       end
 
       def deny
         pre_auth.error = :access_denied
-        error_response
-      end
-
-      private
-
-      def error_response
-        ErrorResponse.from_request pre_auth,
-                                   redirect_uri: pre_auth.redirect_uri,
-                                   response_on_fragment: true
+        pre_auth.error_response
       end
     end
   end

data/lib/doorkeeper/orm/active_record/access_grant.rb

@@ -16,7 +16,7 @@ module Doorkeeper
               :redirect_uri,
               presence: true
 
-    validates :token, uniqueness: true
+    validates :token, uniqueness: { case_sensitive: true }
 
     before_validation :generate_token, on: :create
 

data/lib/doorkeeper/orm/active_record/access_token.rb

@@ -9,8 +9,8 @@ module Doorkeeper
     belongs_to :application, class_name: "Doorkeeper::Application",
                              inverse_of: :access_tokens, optional: true
 
-    validates :token, presence: true, uniqueness: true
-    validates :refresh_token, uniqueness: true, if: :use_refresh_token?
+    validates :token, presence: true, uniqueness: { case_sensitive: true }
+    validates :refresh_token, uniqueness: { case_sensitive: true }, if: :use_refresh_token?
 
     # @attr_writer [Boolean, nil] use_refresh_token
     #   indicates the possibility of using refresh token

data/lib/doorkeeper/orm/active_record/application.rb

@@ -10,8 +10,8 @@ module Doorkeeper
     has_many :access_tokens, dependent: :delete_all, class_name: "Doorkeeper::AccessToken"
 
     validates :name, :secret, :uid, presence: true
-    validates :uid, uniqueness: true
-    validates :redirect_uri, redirect_uri: true
+    validates :uid, uniqueness: { case_sensitive: true }
+    validates :redirect_uri, "doorkeeper/redirect_uri": true
     validates :confidential, inclusion: { in: [true, false] }
 
     validate :scopes_match_configured, if: :enforce_scopes?
@@ -46,6 +46,14 @@ module Doorkeeper
       AccessGrant.revoke_all_for(id, resource_owner)
     end
 
+    # Generates a new secret for this application, intended to be used
+    # for rotating the secret or in case of compromise.
+    #
+    def renew_secret
+      @raw_secret = UniqueToken.generate
+      secret_strategy.store_secret(self, :secret, @raw_secret)
+    end
+
     # We keep a volatile copy of the raw secret for initial communication
     # The stored refresh_token may be mapped and not available in cleartext.
     #
@@ -60,38 +68,10 @@ module Doorkeeper
       end
     end
 
-    # Represents client as set of it's attributes in JSON format.
-    # This is the right way how we want to override ActiveRecord #to_json.
-    #
-    # Respects privacy settings and serializes minimum set of attributes
-    # for public/private clients and full set for authorized owners.
-    #
-    # @return [Hash] entity attributes for JSON
-    #
-    def as_json(options = {})
-      # if application belongs to some owner we need to check if it's the same as
-      # the one passed in the options or check if we render the client as an owner
-      if (respond_to?(:owner) && owner && owner == options[:current_resource_owner]) ||
-         options[:as_owner]
-        # Owners can see all the client attributes, fallback to ActiveModel serialization
-        super
-      else
-        # if application has no owner or it's owner doesn't match one from the options
-        # we render only minimum set of attributes that could be exposed to a public
-        only = extract_serializable_attributes(options)
-        super(options.merge(only: only))
-      end
-    end
-
-    # We need to hook into this method to allow serializing plan-text secrets
-    # when secrets hashing enabled.
-    #
-    # @param key [String] attribute name
-    #
-    def read_attribute_for_serialization(key)
-      return super unless key.to_s == "secret"
-
-      plaintext_secret || secret
+    def to_json(options = nil)
+      serializable_hash(except: :secret)
+        .merge(secret: plaintext_secret)
+        .to_json(options)
     end
 
     private
@@ -102,9 +82,7 @@ module Doorkeeper
 
     def generate_secret
       return unless secret.blank?
-
-      @raw_secret = UniqueToken.generate
-      secret_strategy.store_secret(self, :secret, @raw_secret)
+      renew_secret
     end
 
     def scopes_match_configured
@@ -118,37 +96,5 @@ module Doorkeeper
     def enforce_scopes?
       Doorkeeper.configuration.enforce_configured_scopes?
     end
-
-    # Helper method to extract collection of serializable attribute names
-    # considering serialization options (like `only`, `except` and so on).
-    #
-    # @param options [Hash] serialization options
-    #
-    # @return [Array<String>]
-    #   collection of attributes to be serialized using #as_json
-    #
-    def extract_serializable_attributes(options = {})
-      opts = options.try(:dup) || {}
-      only = Array.wrap(opts[:only]).map(&:to_s)
-
-      only = if only.blank?
-               serializable_attributes
-             else
-               only & serializable_attributes
-             end
-
-      only -= Array.wrap(opts[:except]).map(&:to_s) if opts.key?(:except)
-      only.uniq
-    end
-
-    # Collection of attributes that could be serialized for public.
-    # Override this method if you need additional attributes to be serialized.
-    #
-    # @return [Array<String>] collection of serializable attributes
-    def serializable_attributes
-      attributes = %w[id name created_at]
-      attributes << "uid" unless confidential?
-      attributes
-    end
   end
 end

data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require "uri"
+
+module Doorkeeper
+  # ActiveModel validator for redirect URI validation in according
+  # to OAuth standards and Doorkeeper configuration.
+  class RedirectUriValidator < ActiveModel::EachValidator
+    def validate_each(record, attribute, value)
+      if value.blank?
+        return if Doorkeeper.configuration.allow_blank_redirect_uri?(record)
+
+        record.errors.add(attribute, :blank)
+      else
+        value.split.each do |val|
+          next if oob_redirect_uri?(val)
+
+          uri = ::URI.parse(val)
+          record.errors.add(attribute, :forbidden_uri) if forbidden_uri?(uri)
+          record.errors.add(attribute, :fragment_present) unless uri.fragment.nil?
+          record.errors.add(attribute, :unspecified_scheme) if unspecified_scheme?(uri)
+          record.errors.add(attribute, :relative_uri) if relative_uri?(uri)
+          record.errors.add(attribute, :secured_uri) if invalid_ssl_uri?(uri)
+        end
+      end
+    rescue URI::InvalidURIError
+      record.errors.add(attribute, :invalid_uri)
+    end
+
+    private
+
+    def oob_redirect_uri?(uri)
+      Doorkeeper::OAuth::NonStandard::IETF_WG_OAUTH2_OOB_METHODS.include?(uri)
+    end
+
+    def forbidden_uri?(uri)
+      Doorkeeper.configuration.forbid_redirect_uri.call(uri)
+    end
+
+    def unspecified_scheme?(uri)
+      return true if uri.opaque.present?
+
+      %w[localhost].include?(uri.try(:scheme))
+    end
+
+    def relative_uri?(uri)
+      uri.scheme.nil? && uri.host.nil?
+    end
+
+    def invalid_ssl_uri?(uri)
+      forces_ssl = Doorkeeper.configuration.force_ssl_in_redirect_uri
+      non_https = uri.try(:scheme) == "http"
+
+      if forces_ssl.respond_to?(:call)
+        forces_ssl.call(uri) && non_https
+      else
+        forces_ssl && non_https
+      end
+    end
+  end
+end

data/lib/doorkeeper/orm/active_record.rb

@@ -2,19 +2,27 @@
 
 require "active_support/lazy_load_hooks"
 
-require "doorkeeper/orm/active_record/stale_records_cleaner"
-
 module Doorkeeper
   module Orm
+    # ActiveRecord ORM for Doorkeeper entity models.
+    # Consists of three main OAuth entities:
+    #   * Access Token
+    #   * Access Grant
+    #   * Application (client)
+    #
+    # Do a lazy loading of all the required and configured stuff.
+    #
     module ActiveRecord
       def self.initialize_models!
         lazy_load do
+          require "doorkeeper/orm/active_record/stale_records_cleaner"
+          require "doorkeeper/orm/active_record/redirect_uri_validator"
           require "doorkeeper/orm/active_record/access_grant"
           require "doorkeeper/orm/active_record/access_token"
           require "doorkeeper/orm/active_record/application"
 
           if Doorkeeper.configuration.active_record_options[:establish_connection]
-            [Doorkeeper::AccessGrant, Doorkeeper::AccessToken, Doorkeeper::Application].each do |model|
+            Doorkeeper::Orm::ActiveRecord.models.each do |model|
               options = Doorkeeper.configuration.active_record_options[:establish_connection]
               model.establish_connection(options)
             end
@@ -33,6 +41,14 @@ module Doorkeeper
       def self.lazy_load(&block)
         ActiveSupport.on_load(:active_record, {}, &block)
       end
+
+      def self.models
+        [
+          Doorkeeper::AccessGrant,
+          Doorkeeper::AccessToken,
+          Doorkeeper::Application,
+        ]
+      end
     end
   end
 end

data/lib/doorkeeper/request/authorization_code.rb

@@ -17,6 +17,8 @@ module Doorkeeper
       private
 
       def grant
+        raise Errors::MissingRequiredParameter, :code if parameters[:code].blank?
+
         AccessGrant.by_token(parameters[:code])
       end
     end

data/lib/doorkeeper/request.rb

@@ -4,30 +4,25 @@ module Doorkeeper
   module Request
     class << self
       def authorization_strategy(response_type)
-        get_strategy(response_type, authorization_response_types)
-      rescue NameError
-        raise Errors::InvalidAuthorizationStrategy
+        build_strategy_class(response_type)
       end
 
       def token_strategy(grant_type)
+        raise Errors::MissingRequiredParameter, :grant_type if grant_type.blank?
+
         get_strategy(grant_type, token_grant_types)
       rescue NameError
         raise Errors::InvalidTokenStrategy
       end
 
-      def get_strategy(grant_or_request_type, available)
-        raise Errors::MissingRequestStrategy if grant_or_request_type.blank?
-        raise NameError unless available.include?(grant_or_request_type.to_s)
+      def get_strategy(grant_type, available)
+        raise NameError unless available.include?(grant_type.to_s)
 
-        build_strategy_class(grant_or_request_type)
+        build_strategy_class(grant_type)
       end
 
       private
 
-      def authorization_response_types
-        Doorkeeper.configuration.authorization_response_types
-      end
-
       def token_grant_types
         Doorkeeper.configuration.token_grant_types
       end

data/lib/doorkeeper/server.rb

@@ -10,12 +10,12 @@ module Doorkeeper
 
     def authorization_request(strategy)
       klass = Request.authorization_strategy strategy
-      klass.new self
+      klass.new(self)
     end
 
     def token_request(strategy)
       klass = Request.token_strategy strategy
-      klass.new self
+      klass.new(self)
     end
 
     # TODO: context should be the request
@@ -27,10 +27,6 @@ module Doorkeeper
       @client ||= OAuth::Client.authenticate(credentials)
     end
 
-    def client_via_uid
-      @client_via_uid ||= OAuth::Client.find(parameters[:client_id])
-    end
-
     def current_resource_owner
       context.send :current_resource_owner
     end

data/lib/doorkeeper/stale_records_cleaner.rb

@@ -5,12 +5,16 @@ module Doorkeeper
     CLEANER_CLASS = "StaleRecordsCleaner"
 
     def self.for(base_scope)
-      orm_adapter = "doorkeeper/orm/#{Doorkeeper.configuration.orm}".classify
+      orm_adapter = "doorkeeper/orm/#{configured_orm}".classify
 
       orm_cleaner = "#{orm_adapter}::#{CLEANER_CLASS}".constantize
       orm_cleaner.new(base_scope)
     rescue NameError
-      raise Doorkeeper::Errors::NoOrmCleaner, "'#{Doorkeeper.configuration.orm}' ORM has no cleaner!"
+      raise Doorkeeper::Errors::NoOrmCleaner, "'#{configured_orm}' ORM has no cleaner!"
+    end
+
+    def self.configured_orm
+      Doorkeeper.configuration.orm
     end
 
     def self.new(base_scope)

data/lib/doorkeeper/version.rb

@@ -8,7 +8,7 @@ module Doorkeeper
   module VERSION
     # Semantic versioning
     MAJOR = 5
-    MINOR = 1
+    MINOR = 2
     TINY = 2
     PRE = nil
 

data/lib/doorkeeper.rb

@@ -52,6 +52,8 @@ require "doorkeeper/oauth/token"
 require "doorkeeper/oauth/token_introspection"
 require "doorkeeper/oauth/invalid_token_response"
 require "doorkeeper/oauth/forbidden_token_response"
+require "doorkeeper/oauth/invalid_request_response"
+require "doorkeeper/oauth/nonstandard"
 
 require "doorkeeper/secret_storing/base"
 require "doorkeeper/secret_storing/plain"
@@ -80,6 +82,8 @@ require "doorkeeper/stale_records_cleaner"
 
 require "doorkeeper/orm/active_record"
 
+# Main Doorkeeper namespace.
+#
 module Doorkeeper
   def self.authenticate(request, methods = Doorkeeper.configuration.access_token_methods)
     OAuth::Token.authenticate(request, *methods)

data/lib/generators/doorkeeper/previous_refresh_token_generator.rb

@@ -17,12 +17,12 @@ module Doorkeeper
     end
 
     def previous_refresh_token
-      if no_previous_refresh_token_column?
-        migration_template(
-          "add_previous_refresh_token_to_access_tokens.rb.erb",
-          "db/migrate/add_previous_refresh_token_to_access_tokens.rb"
-        )
-      end
+      return unless no_previous_refresh_token_column?
+
+      migration_template(
+        "add_previous_refresh_token_to_access_tokens.rb.erb",
+        "db/migrate/add_previous_refresh_token_to_access_tokens.rb"
+      )
     end
 
     private