doorkeeper 5.1.2 → 5.2.6

data/spec/dummy/config/initializers/doorkeeper.rb

@@ -65,15 +65,6 @@ Doorkeeper.configure do
   # Check out the wiki for more information on customization
   # access_token_methods :from_bearer_authorization, :from_access_token_param, :from_bearer_param
 
-  # Change the native redirect uri for client apps
-  # When clients register with the following redirect uri, they won't be redirected to any server and
-  # the authorization code will be displayed within the provider
-  # The value can be any string. Use nil to disable this feature.
-  # When disabled, clients must provide a valid URL
-  # (Similar behaviour: https://developers.google.com/accounts/docs/OAuth2InstalledApp#choosingredirecturi)
-  #
-  # native_redirect_uri 'urn:ietf:wg:oauth:2.0:oob'
-
   # Forces the usage of the HTTPS protocol in non-native redirect uris (enabled
   # by default in non-development environments). OAuth2 delegates security in
   # communication to the HTTPS protocol so it is wise to keep this enabled.
@@ -116,6 +107,60 @@ Doorkeeper.configure do
   #   client.superapp? or resource_owner.admin?
   # end
 
+  # Configure custom constraints for the Token Introspection request.
+  # By default this configuration option allows to introspect a token by another
+  # token of the same application, OR to introspect the token that belongs to
+  # authorized client (from authenticated client) OR when token doesn't
+  # belong to any client (public token). Otherwise requester has no access to the
+  # introspection and it will return response as stated in the RFC.
+  #
+  # Block arguments:
+  #
+  # @param token [Doorkeeper::AccessToken]
+  #   token to be introspected
+  #
+  # @param authorized_client [Doorkeeper::Application]
+  #   authorized client (if request is authorized using Basic auth with
+  #   Client Credentials for example)
+  #
+  # @param authorized_token [Doorkeeper::AccessToken]
+  #   Bearer token used to authorize the request
+  #
+  # In case the block returns `nil` or `false` introspection responses with 401 status code
+  # when using authorized token to introspect, or you'll get 200 with { "active": false } body
+  # when using authorized client to introspect as stated in the
+  # RFC 7662 section 2.2. Introspection Response.
+  #
+  # Using with caution:
+  # Keep in mind that these three parameters pass to block can be nil as following case:
+  #  `authorized_client` is nil if and only if `authorized_token` is present, and vice versa.
+  #  `token` will be nil if and only if `authorized_token` is present.
+  # So remember to use `&` or check if it is present before calling method on
+  # them to make sure you doesn't get NoMethodError exception.
+  #
+  # You can define your custom check:
+  #
+  # allow_token_introspection do |token, authorized_client, authorized_token|
+  #   if authorized_token
+  #     # customize: require `introspection` scope
+  #     authorized_token.application == token&.application ||
+  #       authorized_token.scopes.include?("introspection")
+  #   elsif token.application
+  #     # `protected_resource` is a new database boolean column, for example
+  #     authorized_client == token.application || authorized_client.protected_resource?
+  #   else
+  #     # public token (when token.application is nil, token doesn't belong to any application)
+  #     true
+  #   end
+  # end
+  #
+  # Or you can completely disable any token introspection:
+  #
+  # allow_token_introspection false
+  #
+  # If you need to block the request at all, then configure your routes.rb or web-server
+  # like nginx to forbid the request.
+
   # WWW-Authenticate Realm (default "Doorkeeper").
   realm "Doorkeeper"
 end

data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb

@@ -25,7 +25,7 @@ class CreateDoorkeeperTables < ActiveRecord::Migration[4.2]
       t.text     :redirect_uri,      null: false
       t.datetime :created_at,        null: false
       t.datetime :revoked_at
-      t.string   :scopes
+      t.string   :scopes,            null: false, default: ""
     end
 
     add_index :oauth_access_grants, :token, unique: true

data/spec/lib/config_spec.rb

@@ -502,7 +502,21 @@ describe Doorkeeper, "configuration" do
 
   describe "base_controller" do
     context "default" do
-      it { expect(Doorkeeper.configuration.base_controller).to eq("ActionController::Base") }
+      it { expect(Doorkeeper.configuration.base_controller).to be_an_instance_of(Proc) }
+
+      it "resolves to a ApplicationController::Base in default mode" do
+        expect(Doorkeeper.configuration.resolve_controller(:base))
+          .to eq(ActionController::Base)
+      end
+
+      it "resolves to a ApplicationController::API in api_only mode" do
+        Doorkeeper.configure do
+          api_only
+        end
+
+        expect(Doorkeeper.configuration.resolve_controller(:base))
+          .to eq(ActionController::API)
+      end
     end
 
     context "custom" do
@@ -517,6 +531,23 @@ describe Doorkeeper, "configuration" do
     end
   end
 
+  describe "base_metal_controller" do
+    context "default" do
+      it { expect(Doorkeeper.configuration.base_metal_controller).to eq("ActionController::API") }
+    end
+
+    context "custom" do
+      before do
+        Doorkeeper.configure do
+          orm DOORKEEPER_ORM
+          base_metal_controller { "ApplicationController" }
+        end
+      end
+
+      it { expect(Doorkeeper.configuration.resolve_controller(:base_metal)).to eq(ApplicationController) }
+    end
+  end
+
   if DOORKEEPER_ORM == :active_record
     describe "active_record_options" do
       let(:models) { [Doorkeeper::AccessGrant, Doorkeeper::AccessToken, Doorkeeper::Application] }
@@ -557,6 +588,21 @@ describe Doorkeeper, "configuration" do
     end
   end
 
+  describe "token_lookup_batch_size" do
+    it "uses default doorkeeper value" do
+      expect(subject.token_lookup_batch_size).to eq(10_000)
+    end
+
+    it "can change the value" do
+      Doorkeeper.configure do
+        orm DOORKEEPER_ORM
+        token_lookup_batch_size 100_000
+      end
+
+      expect(subject.token_lookup_batch_size).to eq(100_000)
+    end
+  end
+
   describe "strict_content_type" do
     it "is false by default" do
       expect(subject.enforce_content_type).to eq(false)
@@ -694,4 +740,15 @@ describe Doorkeeper, "configuration" do
       end
     end
   end
+
+  describe "options deprecation" do
+    it "prints a warning message when an option is deprecated" do
+      expect(Kernel).to receive(:warn).with(
+        "[DOORKEEPER] native_redirect_uri has been deprecated and will soon be removed"
+      )
+      Doorkeeper.configure do
+        native_redirect_uri "urn:ietf:wg:oauth:2.0:oob"
+      end
+    end
+  end
 end

data/spec/lib/oauth/authorization_code_request_spec.rb

@@ -23,7 +23,7 @@ module Doorkeeper::OAuth
     end
 
     subject do
-      AuthorizationCodeRequest.new server, grant, client, params
+      AuthorizationCodeRequest.new(server, grant, client, params)
     end
 
     it "issues a new token for the client" do
@@ -65,6 +65,18 @@ module Doorkeeper::OAuth
       subject.redirect_uri = nil
       subject.validate
       expect(subject.error).to eq(:invalid_request)
+      expect(subject.missing_param).to eq(:redirect_uri)
+    end
+
+    it "invalid code_verifier param because server does not support pkce" do
+      # Some other ORMs work relies on #respond_to? so it's not a good idea to stub it :\
+      allow_any_instance_of(Doorkeeper::AccessGrant).to receive(:respond_to?).with(anything).and_call_original
+      allow_any_instance_of(Doorkeeper::AccessGrant).to receive(:respond_to?).with(:code_challenge).and_return(false)
+
+      subject.code_verifier = "a45a9fea-0676-477e-95b1-a40f72ac3cfb"
+      subject.validate
+      expect(subject.error).to eq(:invalid_request)
+      expect(subject.invalid_request_reason).to eq(:not_support_pkce)
     end
 
     it "matches the redirect_uri with grant's one" do

data/spec/lib/oauth/base_request_spec.rb

@@ -66,27 +66,44 @@ module Doorkeeper::OAuth
       end
 
       context "invalid" do
-        before do
-          allow(subject).to receive(:valid?).and_return(false)
-          allow(subject).to receive(:error).and_return("server_error")
-          allow(subject).to receive(:state).and_return("hello")
+        context "with error other than invalid_request" do
+          before do
+            allow(subject).to receive(:valid?).and_return(false)
+            allow(subject).to receive(:error).and_return(:server_error)
+            allow(subject).to receive(:state).and_return("hello")
+          end
+
+          it "returns an ErrorResponse object" do
+            result = subject.authorize
+
+            expect(result).to be_an_instance_of(ErrorResponse)
+
+            expect(result.body).to eq(
+              error: :server_error,
+              error_description: translated_error_message(:server_error),
+              state: "hello"
+            )
+          end
         end
 
-        it "returns an ErrorResponse object" do
-          error_description = I18n.translate(
-            "server_error",
-            scope: %i[doorkeeper errors messages]
-          )
+        context "with invalid_request error" do
+          before do
+            allow(subject).to receive(:valid?).and_return(false)
+            allow(subject).to receive(:error).and_return(:invalid_request)
+            allow(subject).to receive(:state).and_return("hello")
+          end
 
-          result = subject.authorize
+          it "returns an InvalidRequestResponse object" do
+            result = subject.authorize
 
-          expect(result).to be_an_instance_of(ErrorResponse)
+            expect(result).to be_an_instance_of(InvalidRequestResponse)
 
-          expect(result.body).to eq(
-            error: "server_error",
-            error_description: error_description,
-            state: "hello"
-          )
+            expect(result.body).to eq(
+              error: :invalid_request,
+              error_description: translated_invalid_request_error_message(:unknown, :unknown),
+              state: "hello"
+            )
+          end
         end
       end
     end

data/spec/lib/oauth/client_credentials/creator_spec.rb

@@ -55,6 +55,7 @@ class Doorkeeper::OAuth::ClientCredentialsRequest
 
           expect(Doorkeeper::AccessToken.count).to eq(2)
           expect(result).not_to eq(existing_token)
+          expect(existing_token.reload).to be_revoked
         end
       end
 
@@ -69,6 +70,7 @@ class Doorkeeper::OAuth::ClientCredentialsRequest
 
           expect(Doorkeeper::AccessToken.count).to eq(2)
           expect(result).not_to eq(existing_token)
+          expect(existing_token.reload).to be_revoked
         end
       end
     end
@@ -82,6 +84,7 @@ class Doorkeeper::OAuth::ClientCredentialsRequest
 
         expect(Doorkeeper::AccessToken.count).to eq(2)
         expect(result).not_to eq(existing_token)
+        expect(existing_token.reload).to be_revoked
       end
     end
 

data/spec/lib/oauth/code_request_spec.rb

@@ -4,18 +4,23 @@ require "spec_helper"
 
 module Doorkeeper::OAuth
   describe CodeRequest do
-    let(:pre_auth) do
-      double(
-        :pre_auth,
-        client: double(:application, id: 9990),
-        redirect_uri: "http://tst.com/cb",
-        scopes: nil,
-        state: nil,
-        error: nil,
-        authorizable?: true,
-        code_challenge: nil,
-        code_challenge_method: nil
-      )
+    let :pre_auth do
+      server = Doorkeeper.configuration
+      allow(server).to receive(:default_scopes).and_return(Scopes.from_string("public"))
+      allow(server).to receive(:grant_flows).and_return(Scopes.from_string("authorization_code"))
+
+      application = FactoryBot.create(:application, scopes: "public")
+      client = Doorkeeper::OAuth::Client.new(application)
+
+      attributes = {
+        client_id: client.uid,
+        response_type: "code",
+        redirect_uri: "https://app.com/callback",
+      }
+
+      pre_auth = PreAuthorization.new(server, attributes)
+      pre_auth.authorizable?
+      pre_auth
     end
 
     let(:owner) { double :owner, id: 8900 }
@@ -24,24 +29,18 @@ module Doorkeeper::OAuth
       CodeRequest.new(pre_auth, owner)
     end
 
-    it "creates an access grant" do
-      expect do
-        subject.authorize
-      end.to change { Doorkeeper::AccessGrant.count }.by(1)
+    context "when pre_auth is authorized" do
+      it "creates an access grant and returns a code response" do
+        expect { subject.authorize }.to change { Doorkeeper::AccessGrant.count }.by(1)
+        expect(subject.authorize).to be_a(CodeResponse)
+      end
     end
 
-    it "returns a code response" do
-      expect(subject.authorize).to be_a(CodeResponse)
-    end
-
-    it "does not create grant when not authorizable" do
-      allow(pre_auth).to receive(:authorizable?).and_return(false)
-      expect { subject.authorize }.not_to(change { Doorkeeper::AccessGrant.count })
-    end
-
-    it "returns a error response" do
-      allow(pre_auth).to receive(:authorizable?).and_return(false)
-      expect(subject.authorize).to be_a(ErrorResponse)
+    context "when pre_auth is denied" do
+      it "does not create access grant and returns a error response" do
+        expect { subject.deny }.not_to(change { Doorkeeper::AccessGrant.count })
+        expect(subject.deny).to be_a(ErrorResponse)
+      end
     end
   end
 end

data/spec/lib/oauth/helpers/uri_checker_spec.rb

@@ -40,13 +40,28 @@ module Doorkeeper::OAuth::Helpers
         expect(URIChecker.valid?(uri)).to be_falsey
       end
 
+      it "is invalid if localhost is resolved as as scheme (no scheme specified)" do
+        uri = "localhost:8080"
+        expect(URIChecker.valid?(uri)).to be_falsey
+      end
+
+      it "is invalid if scheme is missing #2" do
+        uri = "app.co:80"
+        expect(URIChecker.valid?(uri)).to be_falsey
+      end
+
       it "is invalid if is not an uri" do
         uri = "   "
         expect(URIChecker.valid?(uri)).to be_falsey
       end
 
-      it "is valid for native uris" do
-        uri = "urn:ietf:wg:oauth:2.0:oob"
+      it "is valid for custom schemes" do
+        uri = "com.example.app:/test"
+        expect(URIChecker.valid?(uri)).to be_truthy
+      end
+
+      it "is valid for custom schemes with authority marker (common misconfiguration)" do
+        uri = "com.example.app://test"
         expect(URIChecker.valid?(uri)).to be_truthy
       end
     end

data/spec/lib/oauth/invalid_request_response_spec.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+module Doorkeeper::OAuth
+  describe InvalidRequestResponse do
+    describe "#name" do
+      it { expect(subject.name).to eq(:invalid_request) }
+    end
+
+    describe "#status" do
+      it { expect(subject.status).to eq(:bad_request) }
+    end
+
+    describe :from_request do
+      let(:response) { InvalidRequestResponse.from_request(request) }
+
+      context "missing param" do
+        let(:request) { double(missing_param: "some_param") }
+
+        it "sets a description" do
+          expect(response.description).to eq(
+            I18n.t(:missing_param, scope: %i[doorkeeper errors messages invalid_request], value: "some_param")
+          )
+        end
+
+        it "sets the reason" do
+          expect(response.reason).to eq(:missing_param)
+        end
+      end
+
+      context "server doesn not support_pkce" do
+        let(:request) { double(invalid_request_reason: :not_support_pkce) }
+
+        it "sets a description" do
+          expect(response.description).to eq(
+            I18n.t(:not_support_pkce, scope: %i[doorkeeper errors messages invalid_request])
+          )
+        end
+
+        it "sets the reason" do
+          expect(response.reason).to eq(:not_support_pkce)
+        end
+      end
+
+      context "request is not authorized" do
+        let(:request) { double(invalid_request_reason: :request_not_authorized) }
+
+        it "sets a description" do
+          expect(response.description).to eq(
+            I18n.t(:request_not_authorized, scope: %i[doorkeeper errors messages invalid_request])
+          )
+        end
+
+        it "sets the reason" do
+          expect(response.reason).to eq(:request_not_authorized)
+        end
+      end
+
+      context "unknown reason" do
+        let(:request) { double(invalid_request_reason: :unknown_reason) }
+
+        it "sets a description" do
+          expect(response.description).to eq(
+            I18n.t(:unknown, scope: %i[doorkeeper errors messages invalid_request])
+          )
+        end
+
+        it "unknown reason" do
+          expect(response.reason).to eq(:unknown_reason)
+        end
+      end
+    end
+  end
+end