doorkeeper 5.1.2 → 5.2.2

data/spec/controllers/protected_resources_controller_spec.rb

@@ -166,7 +166,7 @@ describe "doorkeeper authorize filter" do
       it "it renders a custom JSON response", token: :invalid do
         get :index, params: { access_token: token_string }
         expect(response.status).to eq 401
-        expect(response.content_type).to match(/application\/json/)
+        expect(response.content_type).to include("application/json")
         expect(response.header["WWW-Authenticate"]).to match(/^Bearer/)
 
         expect(json_response).not_to be_nil
@@ -196,7 +196,7 @@ describe "doorkeeper authorize filter" do
       it "it renders a custom text response", token: :invalid do
         get :index, params: { access_token: token_string }
         expect(response.status).to eq 401
-        expect(response.content_type).to match(/text\/plain/)
+        expect(response.content_type).to include("text/plain")
         expect(response.header["WWW-Authenticate"]).to match(/^Bearer/)
         expect(response.body).to eq("Unauthorized")
       end
@@ -246,7 +246,7 @@ describe "doorkeeper authorize filter" do
       it "renders a custom JSON response" do
         get :index, params: { access_token: token_string }
         expect(response.header).to_not include("WWW-Authenticate")
-        expect(response.content_type).to match(/application\/json/)
+        expect(response.content_type).to include("application/json")
         expect(response.status).to eq 403
 
         expect(json_response).not_to be_nil

data/spec/controllers/tokens_controller_spec.rb

@@ -3,31 +3,139 @@
 require "spec_helper"
 
 describe Doorkeeper::TokensController do
-  describe "when authorization has succeeded" do
-    let(:token) { double(:token, authorize: true) }
+  let(:client) { FactoryBot.create :application }
+  let!(:user)  { User.create!(name: "Joe", password: "sekret") }
 
-    it "returns the authorization" do
-      skip "verify need of these specs"
+  before do
+    Doorkeeper.configure do
+      resource_owner_from_credentials do
+        User.first
+      end
+    end
 
-      expect(token).to receive(:authorization)
+    allow(Doorkeeper.configuration).to receive(:grant_flows).and_return(["password"])
+  end
 
-      post :create
+  subject { JSON.parse(response.body) }
+
+  describe "POST #create" do
+    before do
+      post :create, params: {
+        client_id: client.uid,
+        client_secret: client.secret,
+        grant_type: "password",
+      }
+    end
+
+    it "responds after authorization" do
+      expect(response).to be_successful
+    end
+
+    it "includes access token in response" do
+      expect(subject["access_token"]).to eq(Doorkeeper::AccessToken.first.token)
+    end
+
+    it "includes token type in response" do
+      expect(subject["token_type"]).to eq("Bearer")
+    end
+
+    it "includes token expiration in response" do
+      expect(subject["expires_in"].to_i).to eq(Doorkeeper.configuration.access_token_expires_in)
+    end
+
+    it "issues the token for the current client" do
+      expect(Doorkeeper::AccessToken.first.application_id).to eq(client.id)
+    end
+
+    it "issues the token for the current resource owner" do
+      expect(Doorkeeper::AccessToken.first.resource_owner_id).to eq(user.id)
     end
   end
 
-  describe "when authorization has failed" do
-    it "returns the error response" do
-      token = double(:token, authorize: false)
-      allow(controller).to receive(:token) { token }
+  describe "POST #create with errors" do
+    before do
+      post :create, params: {
+        client_id: client.uid,
+        client_secret: "invalid",
+        grant_type: "password",
+      }
+    end
 
-      post :create
+    it "responds after authorization" do
+      expect(response).to be_unauthorized
+    end
 
-      expect(response.status).to eq 400
-      expect(response.headers["WWW-Authenticate"]).to match(/Bearer/)
+    it "include error in response" do
+      expect(subject["error"]).to eq("invalid_client")
+    end
+
+    it "include error_description in response" do
+      expect(subject["error_description"]).to be
+    end
+
+    it "does not include access token in response" do
+      expect(subject["access_token"]).to be_nil
+    end
+
+    it "does not include token type in response" do
+      expect(subject["token_type"]).to be_nil
+    end
+
+    it "does not include token expiration in response" do
+      expect(subject["expires_in"]).to be_nil
+    end
+
+    it "does not issue any access token" do
+      expect(Doorkeeper::AccessToken.all).to be_empty
+    end
+  end
+
+  describe "POST #create with callbacks" do
+    after do
+      client.update_attribute :redirect_uri, "urn:ietf:wg:oauth:2.0:oob"
+    end
+
+    describe "when successful" do
+      after do
+        post :create, params: {
+          client_id: client.uid,
+          client_secret: client.secret,
+          grant_type: "password",
+        }
+      end
+
+      it "should call :before_successful_authorization callback" do
+        expect(Doorkeeper.configuration)
+          .to receive_message_chain(:before_successful_authorization, :call).with(instance_of(described_class))
+      end
+
+      it "should call :after_successful_authorization callback" do
+        expect(Doorkeeper.configuration)
+          .to receive_message_chain(:after_successful_authorization, :call).with(instance_of(described_class))
+      end
+    end
+
+    describe "with errors" do
+      after do
+        post :create, params: {
+          client_id: client.uid,
+          client_secret: "invalid",
+          grant_type: "password",
+        }
+      end
+
+      it "should call :before_successful_authorization callback" do
+        expect(Doorkeeper.configuration)
+          .to receive_message_chain(:before_successful_authorization, :call).with(instance_of(described_class))
+      end
+
+      it "should not call :after_successful_authorization callback" do
+        expect(Doorkeeper.configuration).not_to receive(:after_successful_authorization)
+      end
     end
   end
 
-  describe "when there is a failure due to a custom error" do
+  describe "POST #create with custom error" do
     it "returns the error response with a custom message" do
       # I18n looks for `doorkeeper.errors.messages.custom_message` in locale files
       custom_message = "my_message"
@@ -58,7 +166,7 @@ describe Doorkeeper::TokensController do
   end
 
   # http://tools.ietf.org/html/rfc7009#section-2.2
-  describe "revoking tokens" do
+  describe "POST #revoke" do
     let(:client) { FactoryBot.create(:application) }
     let(:access_token) { FactoryBot.create(:access_token, application: client) }
 
@@ -102,10 +210,10 @@ describe Doorkeeper::TokensController do
         let(:some_other_client) { FactoryBot.create(:application, confidential: true) }
         let(:oauth_client) { Doorkeeper::OAuth::Client.new(some_other_client) }
 
-        it "returns 200" do
+        it "returns 403" do
           post :revoke, params: { token: access_token.token }
 
-          expect(response.status).to eq 200
+          expect(response.status).to eq 403
         end
 
         it "does not revoke the access token" do
@@ -117,21 +225,7 @@ describe Doorkeeper::TokensController do
     end
   end
 
-  describe "authorize response memoization" do
-    it "memoizes the result of the authorization" do
-      strategy = double(:strategy, authorize: true)
-      expect(strategy).to receive(:authorize).once
-      allow(controller).to receive(:strategy) { strategy }
-      allow(controller).to receive(:create) do
-        2.times { controller.send :authorize_response }
-        controller.render json: {}, status: :ok
-      end
-
-      post :create
-    end
-  end
-
-  describe "when requested token introspection" do
+  describe "POST #introspect" do
     let(:client) { FactoryBot.create(:application) }
     let(:access_token) { FactoryBot.create(:access_token, application: client) }
     let(:token_for_introspection) { FactoryBot.create(:access_token, application: client) }
@@ -147,7 +241,7 @@ describe Doorkeeper::TokensController do
       end
     end
 
-    context "authorized using valid Client Authentication" do
+    context "authorized using Client Credentials of the client that token is issued to" do
       it "responds with full token introspection" do
         request.headers["Authorization"] = basic_auth_header_for_client(client)
 
@@ -159,6 +253,26 @@ describe Doorkeeper::TokensController do
       end
     end
 
+    context "configured token introspection disabled" do
+      before do
+        Doorkeeper.configure do
+          orm DOORKEEPER_ORM
+          allow_token_introspection false
+        end
+      end
+
+      it "responds with invalid_token error" do
+        request.headers["Authorization"] = "Bearer #{access_token.token}"
+
+        post :introspect, params: { token: token_for_introspection.token }
+
+        response_status_should_be 401
+
+        should_not_have_json "active"
+        should_have_json "error", "invalid_token"
+      end
+    end
+
     context "using custom introspection response" do
       before do
         Doorkeeper.configure do
@@ -212,12 +326,64 @@ describe Doorkeeper::TokensController do
       end
     end
 
+    context "introspection request authorized by a client and allow_token_introspection is true" do
+      let(:different_client) { FactoryBot.create(:application) }
+
+      before do
+        allow(Doorkeeper.configuration).to receive(:allow_token_introspection).and_return(proc do
+          true
+        end)
+      end
+
+      it "responds with full token introspection" do
+        request.headers["Authorization"] = basic_auth_header_for_client(different_client)
+
+        post :introspect, params: { token: token_for_introspection.token }
+
+        should_have_json "active", true
+        expect(json_response).to include("client_id", "token_type", "exp", "iat")
+        should_have_json "client_id", client.uid
+      end
+    end
+
+    context "allow_token_introspection requires authorized token with special scope" do
+      let(:access_token) { FactoryBot.create(:access_token, scopes: "introspection") }
+
+      before do
+        allow(Doorkeeper.configuration).to receive(:allow_token_introspection).and_return(proc do |_token, _client, authorized_token|
+          authorized_token.scopes.include?("introspection")
+        end)
+      end
+
+      it "responds with full token introspection if authorized token has introspection scope" do
+        request.headers["Authorization"] = "Bearer #{access_token.token}"
+
+        post :introspect, params: { token: token_for_introspection.token }
+
+        should_have_json "active", true
+        expect(json_response).to include("client_id", "token_type", "exp", "iat")
+      end
+
+      it "responds with invalid_token error if authorized token doesn't have introspection scope" do
+        access_token.update(scopes: "read write")
+
+        request.headers["Authorization"] = "Bearer #{access_token.token}"
+
+        post :introspect, params: { token: token_for_introspection.token }
+
+        response_status_should_be 401
+
+        should_not_have_json "active"
+        should_have_json "error", "invalid_token"
+      end
+    end
+
     context "authorized using invalid Bearer token" do
       let(:access_token) do
         FactoryBot.create(:access_token, application: client, revoked_at: 1.day.ago)
       end
 
-      it "responds with invalid token error" do
+      it "responds with invalid_token error" do
         request.headers["Authorization"] = "Bearer #{access_token.token}"
 
         post :introspect, params: { token: token_for_introspection.token }
@@ -272,13 +438,15 @@ describe Doorkeeper::TokensController do
       end
 
       context "authorized using valid Bearer token" do
-        it "responds with only active state" do
+        it "responds with invalid_token error" do
           request.headers["Authorization"] = "Bearer #{access_token.token}"
 
           post :introspect, params: { token: SecureRandom.hex(16) }
 
-          should_have_json "active", false
-          expect(json_response).not_to include("client_id", "token_type", "exp", "iat")
+          response_status_should_be 401
+
+          should_not_have_json "active"
+          should_have_json "error", "invalid_token"
         end
       end
     end

data/spec/dummy/config/application.rb

@@ -5,11 +5,13 @@ require "rails"
 %w[
   action_controller/railtie
   action_view/railtie
+  action_cable/engine
   sprockets/railtie
 ].each do |railtie|
   begin
     require railtie
-  rescue LoadError
+  rescue LoadError => e
+    puts "Error loading '#{railtie}' (#{e.message})"
   end
 end
 

data/spec/dummy/config/initializers/doorkeeper.rb

@@ -65,15 +65,6 @@ Doorkeeper.configure do
   # Check out the wiki for more information on customization
   # access_token_methods :from_bearer_authorization, :from_access_token_param, :from_bearer_param
 
-  # Change the native redirect uri for client apps
-  # When clients register with the following redirect uri, they won't be redirected to any server and
-  # the authorization code will be displayed within the provider
-  # The value can be any string. Use nil to disable this feature.
-  # When disabled, clients must provide a valid URL
-  # (Similar behaviour: https://developers.google.com/accounts/docs/OAuth2InstalledApp#choosingredirecturi)
-  #
-  # native_redirect_uri 'urn:ietf:wg:oauth:2.0:oob'
-
   # Forces the usage of the HTTPS protocol in non-native redirect uris (enabled
   # by default in non-development environments). OAuth2 delegates security in
   # communication to the HTTPS protocol so it is wise to keep this enabled.
@@ -116,6 +107,60 @@ Doorkeeper.configure do
   #   client.superapp? or resource_owner.admin?
   # end
 
+  # Configure custom constraints for the Token Introspection request.
+  # By default this configuration option allows to introspect a token by another
+  # token of the same application, OR to introspect the token that belongs to
+  # authorized client (from authenticated client) OR when token doesn't
+  # belong to any client (public token). Otherwise requester has no access to the
+  # introspection and it will return response as stated in the RFC.
+  #
+  # Block arguments:
+  #
+  # @param token [Doorkeeper::AccessToken]
+  #   token to be introspected
+  #
+  # @param authorized_client [Doorkeeper::Application]
+  #   authorized client (if request is authorized using Basic auth with
+  #   Client Credentials for example)
+  #
+  # @param authorized_token [Doorkeeper::AccessToken]
+  #   Bearer token used to authorize the request
+  #
+  # In case the block returns `nil` or `false` introspection responses with 401 status code
+  # when using authorized token to introspect, or you'll get 200 with { "active": false } body
+  # when using authorized client to introspect as stated in the
+  # RFC 7662 section 2.2. Introspection Response.
+  #
+  # Using with caution:
+  # Keep in mind that these three parameters pass to block can be nil as following case:
+  #  `authorized_client` is nil if and only if `authorized_token` is present, and vice versa.
+  #  `token` will be nil if and only if `authorized_token` is present.
+  # So remember to use `&` or check if it is present before calling method on
+  # them to make sure you doesn't get NoMethodError exception.
+  #
+  # You can define your custom check:
+  #
+  # allow_token_introspection do |token, authorized_client, authorized_token|
+  #   if authorized_token
+  #     # customize: require `introspection` scope
+  #     authorized_token.application == token&.application ||
+  #       authorized_token.scopes.include?("introspection")
+  #   elsif token.application
+  #     # `protected_resource` is a new database boolean column, for example
+  #     authorized_client == token.application || authorized_client.protected_resource?
+  #   else
+  #     # public token (when token.application is nil, token doesn't belong to any application)
+  #     true
+  #   end
+  # end
+  #
+  # Or you can completely disable any token introspection:
+  #
+  # allow_token_introspection false
+  #
+  # If you need to block the request at all, then configure your routes.rb or web-server
+  # like nginx to forbid the request.
+
   # WWW-Authenticate Realm (default "Doorkeeper").
   realm "Doorkeeper"
 end

data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb

@@ -25,7 +25,7 @@ class CreateDoorkeeperTables < ActiveRecord::Migration[4.2]
       t.text     :redirect_uri,      null: false
       t.datetime :created_at,        null: false
       t.datetime :revoked_at
-      t.string   :scopes
+      t.string   :scopes,            null: false, default: ""
     end
 
     add_index :oauth_access_grants, :token, unique: true

data/spec/lib/config_spec.rb

@@ -502,7 +502,21 @@ describe Doorkeeper, "configuration" do
 
   describe "base_controller" do
     context "default" do
-      it { expect(Doorkeeper.configuration.base_controller).to eq("ActionController::Base") }
+      it { expect(Doorkeeper.configuration.base_controller).to be_an_instance_of(Proc) }
+
+      it "resolves to a ApplicationController::Base in default mode" do
+        expect(Doorkeeper.configuration.resolve_controller(:base))
+          .to eq(ActionController::Base)
+      end
+
+      it "resolves to a ApplicationController::API in api_only mode" do
+        Doorkeeper.configure do
+          api_only
+        end
+
+        expect(Doorkeeper.configuration.resolve_controller(:base))
+          .to eq(ActionController::API)
+      end
     end
 
     context "custom" do
@@ -517,6 +531,23 @@ describe Doorkeeper, "configuration" do
     end
   end
 
+  describe "base_metal_controller" do
+    context "default" do
+      it { expect(Doorkeeper.configuration.base_metal_controller).to eq("ActionController::API") }
+    end
+
+    context "custom" do
+      before do
+        Doorkeeper.configure do
+          orm DOORKEEPER_ORM
+          base_metal_controller { "ApplicationController" }
+        end
+      end
+
+      it { expect(Doorkeeper.configuration.resolve_controller(:base_metal)).to eq(ApplicationController) }
+    end
+  end
+
   if DOORKEEPER_ORM == :active_record
     describe "active_record_options" do
       let(:models) { [Doorkeeper::AccessGrant, Doorkeeper::AccessToken, Doorkeeper::Application] }
@@ -694,4 +725,15 @@ describe Doorkeeper, "configuration" do
       end
     end
   end
+
+  describe "options deprecation" do
+    it "prints a warning message when an option is deprecated" do
+      expect(Kernel).to receive(:warn).with(
+        "[DOORKEEPER] native_redirect_uri has been deprecated and will soon be removed"
+      )
+      Doorkeeper.configure do
+        native_redirect_uri "urn:ietf:wg:oauth:2.0:oob"
+      end
+    end
+  end
 end

data/spec/lib/oauth/authorization_code_request_spec.rb

@@ -23,7 +23,7 @@ module Doorkeeper::OAuth
     end
 
     subject do
-      AuthorizationCodeRequest.new server, grant, client, params
+      AuthorizationCodeRequest.new(server, grant, client, params)
     end
 
     it "issues a new token for the client" do
@@ -65,6 +65,18 @@ module Doorkeeper::OAuth
       subject.redirect_uri = nil
       subject.validate
       expect(subject.error).to eq(:invalid_request)
+      expect(subject.missing_param).to eq(:redirect_uri)
+    end
+
+    it "invalid code_verifier param because server does not support pkce" do
+      # Some other ORMs work relies on #respond_to? so it's not a good idea to stub it :\
+      allow_any_instance_of(Doorkeeper::AccessGrant).to receive(:respond_to?).with(anything).and_call_original
+      allow_any_instance_of(Doorkeeper::AccessGrant).to receive(:respond_to?).with(:code_challenge).and_return(false)
+
+      subject.code_verifier = "a45a9fea-0676-477e-95b1-a40f72ac3cfb"
+      subject.validate
+      expect(subject.error).to eq(:invalid_request)
+      expect(subject.invalid_request_reason).to eq(:not_support_pkce)
     end
 
     it "matches the redirect_uri with grant's one" do

data/spec/lib/oauth/base_request_spec.rb

@@ -66,27 +66,44 @@ module Doorkeeper::OAuth
       end
 
       context "invalid" do
-        before do
-          allow(subject).to receive(:valid?).and_return(false)
-          allow(subject).to receive(:error).and_return("server_error")
-          allow(subject).to receive(:state).and_return("hello")
+        context "with error other than invalid_request" do
+          before do
+            allow(subject).to receive(:valid?).and_return(false)
+            allow(subject).to receive(:error).and_return(:server_error)
+            allow(subject).to receive(:state).and_return("hello")
+          end
+
+          it "returns an ErrorResponse object" do
+            result = subject.authorize
+
+            expect(result).to be_an_instance_of(ErrorResponse)
+
+            expect(result.body).to eq(
+              error: :server_error,
+              error_description: translated_error_message(:server_error),
+              state: "hello"
+            )
+          end
         end
 
-        it "returns an ErrorResponse object" do
-          error_description = I18n.translate(
-            "server_error",
-            scope: %i[doorkeeper errors messages]
-          )
+        context "with invalid_request error" do
+          before do
+            allow(subject).to receive(:valid?).and_return(false)
+            allow(subject).to receive(:error).and_return(:invalid_request)
+            allow(subject).to receive(:state).and_return("hello")
+          end
 
-          result = subject.authorize
+          it "returns an InvalidRequestResponse object" do
+            result = subject.authorize
 
-          expect(result).to be_an_instance_of(ErrorResponse)
+            expect(result).to be_an_instance_of(InvalidRequestResponse)
 
-          expect(result.body).to eq(
-            error: "server_error",
-            error_description: error_description,
-            state: "hello"
-          )
+            expect(result.body).to eq(
+              error: :invalid_request,
+              error_description: translated_invalid_request_error_message(:unknown, :unknown),
+              state: "hello"
+            )
+          end
         end
       end
     end

data/spec/lib/oauth/client_credentials/creator_spec.rb

@@ -55,6 +55,7 @@ class Doorkeeper::OAuth::ClientCredentialsRequest
 
           expect(Doorkeeper::AccessToken.count).to eq(2)
           expect(result).not_to eq(existing_token)
+          expect(existing_token.reload).to be_revoked
         end
       end
 
@@ -69,6 +70,7 @@ class Doorkeeper::OAuth::ClientCredentialsRequest
 
           expect(Doorkeeper::AccessToken.count).to eq(2)
           expect(result).not_to eq(existing_token)
+          expect(existing_token.reload).to be_revoked
         end
       end
     end
@@ -82,6 +84,7 @@ class Doorkeeper::OAuth::ClientCredentialsRequest
 
         expect(Doorkeeper::AccessToken.count).to eq(2)
         expect(result).not_to eq(existing_token)
+        expect(existing_token.reload).to be_revoked
       end
     end