doorkeeper 5.1.2 → 5.2.6

data/lib/doorkeeper/models/access_token_mixin.rb

@@ -76,9 +76,51 @@ module Doorkeeper
                             end
 
         tokens = authorized_tokens_for(application.try(:id), resource_owner_id)
-        tokens.detect do |token|
-          scopes_match?(token.scopes, scopes, application.try(:scopes))
+        find_matching_token(tokens, application, scopes)
+      end
+
+      # Interface to enumerate access token records in batches in order not
+      # to bloat the memory. Could be overloaded in any ORM extension.
+      #
+      def find_access_token_in_batches(relation, *args, &block)
+        relation.find_in_batches(*args, &block)
+      end
+
+      # Enumerates AccessToken records in batches to find a matching token.
+      # Batching is required in order not to pollute the memory if Application
+      # has huge amount of associated records.
+      #
+      # ActiveRecord 5.x - 6.x ignores custom ordering so we can't perform a
+      # database sort by created_at, so we need to load all the matching records,
+      # sort them and find latest one. Probably it would be better to rewrite this
+      # query using Time math if possible, but we n eed to consider ORM and
+      # different databases support.
+      #
+      # @param relation [ActiveRecord::Relation]
+      #   Access tokens relation
+      # @param application [Doorkeeper::Application]
+      #   Application instance
+      # @param scopes [String, Doorkeeper::OAuth::Scopes]
+      #   set of scopes
+      #
+      # @return [Doorkeeper::AccessToken, nil] Access Token instance or
+      #   nil if matching record was not found
+      #
+      def find_matching_token(relation, application, scopes)
+        return nil unless relation
+
+        matching_tokens = []
+        batch_size = Doorkeeper.configuration.token_lookup_batch_size
+
+        find_access_token_in_batches(relation, batch_size: batch_size) do |batch|
+          tokens = batch.select do |token|
+            scopes_match?(token.scopes, scopes, application.try(:scopes))
+          end
+
+          matching_tokens.concat(tokens)
         end
+
+        matching_tokens.max_by(&:created_at)
       end
 
       # Checks whether the token scopes match the scopes from the parameters
@@ -150,10 +192,9 @@ module Doorkeeper
       # @return [Doorkeeper::AccessToken] array of matching AccessToken objects
       #
       def authorized_tokens_for(application_id, resource_owner_id)
-        ordered_by(:created_at, :desc)
-          .where(application_id: application_id,
-                 resource_owner_id: resource_owner_id,
-                 revoked_at: nil)
+        where(application_id: application_id,
+              resource_owner_id: resource_owner_id,
+              revoked_at: nil)
       end
 
       # Convenience method for backwards-compatibility, return the last
@@ -168,7 +209,8 @@ module Doorkeeper
       #   nil if nothing was found
       #
       def last_authorized_token_for(application_id, resource_owner_id)
-        authorized_tokens_for(application_id, resource_owner_id).first
+        authorized_tokens_for(application_id, resource_owner_id)
+          .ordered_by(:created_at, :desc).first
       end
 
       ##

data/lib/doorkeeper/oauth/authorization/code.rb

@@ -12,29 +12,27 @@ module Doorkeeper
         end
 
         def issue_token
-          @token ||= AccessGrant.create! access_grant_attributes
+          @token ||= AccessGrant.create!(access_grant_attributes)
         end
 
-        def native_redirect
+        def oob_redirect
           { action: :show, code: token.plaintext_token }
         end
 
-        def configuration
-          Doorkeeper.configuration
-        end
-
         private
 
         def authorization_code_expires_in
-          configuration.authorization_code_expires_in
+          Doorkeeper.configuration.authorization_code_expires_in
         end
 
         def access_grant_attributes
-          pkce_attributes.merge application_id: pre_auth.client.id,
-                                resource_owner_id: resource_owner.id,
-                                expires_in: authorization_code_expires_in,
-                                redirect_uri: pre_auth.redirect_uri,
-                                scopes: pre_auth.scopes.to_s
+          pkce_attributes.merge(
+            application_id: pre_auth.client.id,
+            resource_owner_id: resource_owner.id,
+            expires_in: authorization_code_expires_in,
+            redirect_uri: pre_auth.redirect_uri,
+            scopes: pre_auth.scopes.to_s
+          )
         end
 
         def pkce_attributes
@@ -46,7 +44,7 @@ module Doorkeeper
           }
         end
 
-        # ensures firstly, if migration with additional pcke columns was
+        # Ensures firstly, if migration with additional PKCE columns was
         # generated and migrated
         def pkce_supported?
           Doorkeeper::AccessGrant.pkce_supported?

data/lib/doorkeeper/oauth/authorization/token.rb

@@ -63,7 +63,7 @@ module Doorkeeper
           )
         end
 
-        def native_redirect
+        def oob_redirect
           {
             controller: controller,
             action: :show,

data/lib/doorkeeper/oauth/authorization_code_request.rb

@@ -3,7 +3,8 @@
 module Doorkeeper
   module OAuth
     class AuthorizationCodeRequest < BaseRequest
-      validate :attributes,   error: :invalid_request
+      validate :pkce_support, error: :invalid_request
+      validate :params,       error: :invalid_request
       validate :client,       error: :invalid_client
       validate :grant,        error: :invalid_grant
       # @see https://tools.ietf.org/html/rfc6749#section-5.2
@@ -12,6 +13,7 @@ module Doorkeeper
 
       attr_accessor :server, :grant, :client, :redirect_uri, :access_token,
                     :code_verifier
+      attr_reader :invalid_request_reason, :missing_param
 
       def initialize(server, grant, client, parameters = {})
         @server = server
@@ -24,10 +26,6 @@ module Doorkeeper
 
       private
 
-      def client_by_uid(parameters)
-        Doorkeeper::Application.by_uid(parameters[:client_id])
-      end
-
       def before_successful_response
         grant.transaction do
           grant.lock!
@@ -42,11 +40,22 @@ module Doorkeeper
         super
       end
 
-      def validate_attributes
-        return false if grant&.uses_pkce? && code_verifier.blank?
-        return false if grant && !grant.pkce_supported? && !code_verifier.blank?
+      def validate_pkce_support
+        @invalid_request_reason = :not_support_pkce if grant &&
+                                                       !grant.pkce_supported? &&
+                                                       code_verifier.present?
+
+        @invalid_request_reason.nil?
+      end
+
+      def validate_params
+        @missing_param = if grant&.uses_pkce? && code_verifier.blank?
+                           :code_verifier
+                         elsif redirect_uri.blank?
+                           :redirect_uri
+                         end
 
-        redirect_uri.present?
+        @missing_param.nil?
       end
 
       def validate_client

data/lib/doorkeeper/oauth/base_request.rb

@@ -15,6 +15,8 @@ module Doorkeeper
           @response = TokenResponse.new(access_token)
           after_successful_response
           @response
+        elsif error == :invalid_request
+          @response = InvalidRequestResponse.from_request(self)
         else
           @response = ErrorResponse.from_request(self)
         end

data/lib/doorkeeper/oauth/client_credentials/creator.rb

@@ -5,11 +5,25 @@ module Doorkeeper
     class ClientCredentialsRequest < BaseRequest
       class Creator
         def call(client, scopes, attributes = {})
+          existing_token = existing_token_for(client, scopes)
+
+          if Doorkeeper.configuration.reuse_access_token && existing_token&.reusable?
+            return existing_token
+          end
+
+          existing_token&.revoke
+
           AccessToken.find_or_create_for(
             client, nil, scopes, attributes[:expires_in],
             attributes[:use_refresh_token]
           )
         end
+
+        private
+
+        def existing_token_for(client, scopes)
+          Doorkeeper::AccessToken.matching_token_for client, nil, scopes
+        end
       end
     end
   end

data/lib/doorkeeper/oauth/client_credentials/validation.rb

@@ -8,6 +8,7 @@ module Doorkeeper
         include OAuth::Helpers
 
         validate :client, error: :invalid_client
+        validate :client_supports_grant_flow, error: :unauthorized_client
         validate :scopes, error: :invalid_scope
 
         def initialize(server, request)
@@ -24,6 +25,13 @@ module Doorkeeper
           @client.present?
         end
 
+        def validate_client_supports_grant_flow
+          Doorkeeper.configuration.allow_grant_flow_for_client?(
+            Doorkeeper::OAuth::CLIENT_CREDENTIALS,
+            @client
+          )
+        end
+
         def validate_scopes
           return true if @request.scopes.blank?
 

data/lib/doorkeeper/oauth/code_request.rb

@@ -3,28 +3,22 @@
 module Doorkeeper
   module OAuth
     class CodeRequest
-      attr_accessor :pre_auth, :resource_owner, :client
+      attr_accessor :pre_auth, :resource_owner
 
       def initialize(pre_auth, resource_owner)
         @pre_auth       = pre_auth
-        @client         = pre_auth.client
         @resource_owner = resource_owner
       end
 
       def authorize
-        if pre_auth.authorizable?
-          auth = Authorization::Code.new(pre_auth, resource_owner)
-          auth.issue_token
-          @response = CodeResponse.new pre_auth, auth
-        else
-          @response = ErrorResponse.from_request pre_auth
-        end
+        auth = Authorization::Code.new(pre_auth, resource_owner)
+        auth.issue_token
+        CodeResponse.new(pre_auth, auth)
       end
 
       def deny
         pre_auth.error = :access_denied
-        ErrorResponse.from_request pre_auth,
-                                   redirect_uri: pre_auth.redirect_uri
+        pre_auth.error_response
       end
     end
   end

data/lib/doorkeeper/oauth/code_response.rb

@@ -18,8 +18,8 @@ module Doorkeeper
       end
 
       def redirect_uri
-        if URIChecker.native_uri? pre_auth.redirect_uri
-          auth.native_redirect
+        if URIChecker.oob_uri? pre_auth.redirect_uri
+          auth.oob_redirect
         elsif response_on_fragment
           Authorization::URIBuilder.uri_with_fragment(
             pre_auth.redirect_uri,

data/lib/doorkeeper/oauth/error_response.rb

@@ -41,7 +41,7 @@ module Doorkeeper
 
       def redirectable?
         name != :invalid_redirect_uri && name != :invalid_client &&
-          !URIChecker.native_uri?(@redirect_uri)
+          !URIChecker.oob_uri?(@redirect_uri)
       end
 
       def redirect_uri

data/lib/doorkeeper/oauth/helpers/uri_checker.rb

@@ -25,10 +25,10 @@ module Doorkeeper
     module Helpers
       module URIChecker
         def self.valid?(url)
-          return true if native_uri?(url)
+          return true if oob_uri?(url)
 
           uri = as_uri(url)
-          uri.fragment.nil? && !uri.host.nil? && !uri.scheme.nil?
+          valid_scheme?(uri) && iff_host?(uri) && uri.fragment.nil? && uri.opaque.nil?
         rescue URI::InvalidURIError
           false
         end
@@ -78,8 +78,22 @@ module Doorkeeper
           client_query.split("&").sort == query.split("&").sort
         end
 
-        def self.native_uri?(url)
-          url == Doorkeeper.configuration.native_redirect_uri
+        def self.valid_scheme?(uri)
+          return false if uri.scheme.nil?
+
+          %w[localhost].include?(uri.scheme) == false
+        end
+
+        def self.hypertext_scheme?(uri)
+          %w[http https].include?(uri.scheme)
+        end
+
+        def self.iff_host?(uri)
+          !(hypertext_scheme?(uri) && uri.host.nil?)
+        end
+
+        def self.oob_uri?(uri)
+          NonStandard::IETF_WG_OAUTH2_OOB_METHODS.include?(uri)
         end
       end
     end

data/lib/doorkeeper/oauth/invalid_request_response.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module OAuth
+    class InvalidRequestResponse < ErrorResponse
+      attr_reader :reason
+
+      def self.from_request(request, attributes = {})
+        new(
+          attributes.merge(
+            state: request.try(:state),
+            redirect_uri: request.try(:redirect_uri),
+            missing_param: request.try(:missing_param),
+            reason: request.try(:invalid_request_reason)
+          )
+        )
+      end
+
+      def initialize(attributes = {})
+        super(attributes.merge(name: :invalid_request))
+        @missing_param = attributes[:missing_param]
+        @reason = @missing_param.nil? ? attributes[:reason] : :missing_param
+      end
+
+      def status
+        :bad_request
+      end
+
+      def description
+        I18n.translate(
+          reason,
+          scope: %i[doorkeeper errors messages invalid_request],
+          default: :unknown,
+          value: @missing_param
+        )
+      end
+
+      def redirectable?
+        super && @missing_param != :client_id
+      end
+    end
+  end
+end

data/lib/doorkeeper/oauth/nonstandard.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module OAuth
+    class NonStandard
+      # These are not part of the OAuth 2 specification but are still in use by Google
+      # and in some other implementations. Native applications should use one of the
+      # approaches discussed in RFC8252. OOB is 'Out of Band'
+
+      # This value signals to the Google Authorization Server that the authorization
+      # code should be returned in the title bar of the browser, with the page text
+      # prompting the user to copy the code and paste it in the application.
+      # This is useful when the client (such as a Windows application) cannot listen
+      # on an HTTP port without significant client configuration.
+
+      # When you use this value, your application can then detect that the page has loaded, and can
+      # read the title of the HTML page to obtain the authorization code. It is then up to your
+      # application to close the browser window if you want to ensure that the user never sees the
+      # page that contains the authorization code. The mechanism for doing this varies from platform
+      # to platform.
+      #
+      # If your platform doesn't allow you to detect that the page has loaded or read the title of
+      # the page, you can have the user paste the code back to your application, as prompted by the
+      # text in the confirmation page that the OAuth 2.0 server generates.
+      IETF_WG_OAUTH2_OOB = "urn:ietf:wg:oauth:2.0:oob"
+
+      # This is identical to urn:ietf:wg:oauth:2.0:oob, but the text in the confirmation page that
+      # the OAuth 2.0 server generates won't instruct the user to copy the authorization code, but
+      # instead will simply ask the user to close the window.
+      #
+      # This is useful when your application reads the title of the HTML page (by checking window
+      # titles on the desktop, for example) to obtain the authorization code, but can't close the
+      # page on its own.
+      IETF_WG_OAUTH2_OOB_AUTO = "urn:ietf:wg:oauth:2.0:oob:auto"
+
+      IETF_WG_OAUTH2_OOB_METHODS = [IETF_WG_OAUTH2_OOB, IETF_WG_OAUTH2_OOB_AUTO].freeze
+    end
+  end
+end

data/lib/doorkeeper/oauth/password_access_token_request.rb

@@ -5,9 +5,10 @@ module Doorkeeper
     class PasswordAccessTokenRequest < BaseRequest
       include OAuth::Helpers
 
-      validate :client,         error: :invalid_client
+      validate :client, error: :invalid_client
+      validate :client_supports_grant_flow, error: :unauthorized_client
       validate :resource_owner, error: :invalid_grant
-      validate :scopes,         error: :invalid_scope
+      validate :scopes, error: :invalid_scope
 
       attr_accessor :server, :client, :resource_owner, :parameters,
                     :access_token
@@ -47,6 +48,10 @@ module Doorkeeper
       def validate_client
         !parameters[:client_id] || client.present?
       end
+
+      def validate_client_supports_grant_flow
+        Doorkeeper.configuration.allow_grant_flow_for_client?(grant_type, client)
+      end
     end
   end
 end

data/lib/doorkeeper/oauth/pre_authorization.rb

@@ -5,19 +5,21 @@ module Doorkeeper
     class PreAuthorization
       include Validations
 
-      validate :response_type, error: :unsupported_response_type
-      validate :client, error: :invalid_client
-      validate :scopes, error: :invalid_scope
-      validate :redirect_uri, error: :invalid_redirect_uri
+      validate :client_id,             error: :invalid_request
+      validate :client,                error: :invalid_client
+      validate :redirect_uri,          error: :invalid_redirect_uri
+      validate :params,                error: :invalid_request
+      validate :response_type,         error: :unsupported_response_type
+      validate :scopes,                error: :invalid_scope
       validate :code_challenge_method, error: :invalid_code_challenge_method
+      validate :client_supports_grant_flow, error: :unauthorized_client
 
-      attr_accessor :server, :client, :response_type, :redirect_uri, :state,
-                    :code_challenge, :code_challenge_method
-      attr_writer   :scope
+      attr_reader :server, :client_id, :client, :redirect_uri, :response_type, :state,
+                  :code_challenge, :code_challenge_method, :missing_param
 
-      def initialize(server, client, attrs = {})
+      def initialize(server, attrs = {})
         @server                = server
-        @client                = client
+        @client_id             = attrs[:client_id]
         @response_type         = attrs[:response_type]
         @redirect_uri          = attrs[:redirect_uri]
         @scope                 = attrs[:scope]
@@ -30,34 +32,37 @@ module Doorkeeper
         valid?
       end
 
+      def validate_client_supports_grant_flow
+        Doorkeeper.configuration.allow_grant_flow_for_client?(grant_type, client.application)
+      end
+
       def scopes
         Scopes.from_string scope
       end
 
       def scope
-        @scope.presence || build_scopes
+        @scope.presence || (server.default_scopes.presence && build_scopes)
       end
 
       def error_response
-        OAuth::ErrorResponse.from_request(self)
+        if error == :invalid_request
+          OAuth::InvalidRequestResponse.from_request(self,
+                                                     response_on_fragment: response_on_fragment?)
+        else
+          OAuth::ErrorResponse.from_request(self, response_on_fragment: response_on_fragment?)
+        end
       end
 
-      def as_json(_options)
-        {
-          client_id: client.uid,
-          redirect_uri: redirect_uri,
-          state: state,
-          response_type: response_type,
-          scope: scope,
-          client_name: client.name,
-          status: I18n.t("doorkeeper.pre_authorization.status"),
-        }
+      def as_json(attributes = {})
+        return pre_auth_hash.merge(attributes.to_h) if attributes.respond_to?(:to_h)
+
+        pre_auth_hash
       end
 
       private
 
       def build_scopes
-        client_scopes = client.application.scopes
+        client_scopes = client.scopes
         if client_scopes.blank?
           server.default_scopes.to_s
         else
@@ -65,21 +70,45 @@ module Doorkeeper
         end
       end
 
-      def validate_response_type
-        server.authorization_response_types.include? response_type
+      def validate_client_id
+        @missing_param = :client_id if client_id.blank?
+
+        @missing_param.nil?
       end
 
       def validate_client
-        client.present?
+        @client = OAuth::Client.find(client_id)
+        @client.present?
       end
 
-      def validate_scopes
-        return true if scope.blank?
+      def validate_redirect_uri
+        return false if redirect_uri.blank?
+
+        Helpers::URIChecker.valid_for_authorization?(
+          redirect_uri,
+          client.redirect_uri
+        )
+      end
+
+      def validate_params
+        @missing_param = if response_type.blank?
+                           :response_type
+                         elsif @scope.blank? && server.default_scopes.blank?
+                           :scope
+                         end
+
+        @missing_param.nil?
+      end
+
+      def validate_response_type
+        server.authorization_response_types.include?(response_type)
+      end
 
+      def validate_scopes
         Helpers::ScopeChecker.valid?(
           scope_str: scope,
           server_scopes: server.scopes,
-          app_scopes: client.application.scopes,
+          app_scopes: client.scopes,
           grant_type: grant_type
         )
       end
@@ -88,19 +117,26 @@ module Doorkeeper
         response_type == "code" ? AUTHORIZATION_CODE : IMPLICIT
       end
 
-      def validate_redirect_uri
-        return false if redirect_uri.blank?
-
-        Helpers::URIChecker.valid_for_authorization?(
-          redirect_uri,
-          client.redirect_uri
-        )
-      end
-
       def validate_code_challenge_method
         code_challenge.blank? ||
           (code_challenge_method.present? && code_challenge_method =~ /^plain$|^S256$/)
       end
+
+      def response_on_fragment?
+        response_type == "token"
+      end
+
+      def pre_auth_hash
+        {
+          client_id: client.uid,
+          redirect_uri: redirect_uri,
+          state: state,
+          response_type: response_type,
+          scope: scope,
+          client_name: client.name,
+          status: I18n.t("doorkeeper.pre_authorization.status"),
+        }
+      end
     end
   end
 end

data/lib/doorkeeper/oauth/refresh_token_request.rb

@@ -13,26 +13,27 @@ module Doorkeeper
 
       attr_accessor :access_token, :client, :credentials, :refresh_token,
                     :server
+      attr_reader   :missing_param
 
       def initialize(server, refresh_token, credentials, parameters = {})
-        @server          = server
-        @refresh_token   = refresh_token
-        @credentials     = credentials
+        @server = server
+        @refresh_token = refresh_token
+        @credentials = credentials
         @original_scopes = parameters[:scope] || parameters[:scopes]
         @refresh_token_parameter = parameters[:refresh_token]
-
-        if credentials
-          @client = Application.by_uid_and_secret credentials.uid,
-                                                  credentials.secret
-        end
+        @client = load_client(credentials) if credentials
       end
 
       private
 
+      def load_client(credentials)
+        Application.by_uid_and_secret(credentials.uid, credentials.secret)
+      end
+
       def before_successful_response
         refresh_token.transaction do
           refresh_token.lock!
-          raise Errors::InvalidTokenReuse if refresh_token.revoked?
+          raise Errors::InvalidGrantReuse if refresh_token.revoked?
 
           refresh_token.revoke unless refresh_token_revoked_on_use?
           create_access_token
@@ -76,7 +77,9 @@ module Doorkeeper
       end
 
       def validate_token_presence
-        refresh_token.present? || @refresh_token_parameter.present?
+        @missing_param = :refresh_token if refresh_token.blank? && @refresh_token_parameter.blank?
+
+        @missing_param.nil?
       end
 
       def validate_token