doorkeeper 5.1.2 → 5.6.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 95c8686453ad6829c1ea72b91427ff928c327bcb070a874aa7bcb1a7069862ce
-  data.tar.gz: ea167ef64660032fa82132c2d422ef9e6d3ab1941648a93b2334b5071ba4c105
+  metadata.gz: b62a0472a97d06b40362817c9d5c0dd7dd6e0d0e600437a19f5cf2fd18c4be46
+  data.tar.gz: 9850cef14c21a1f0df2fb451a485ab5b8066360a3008124f7aed287409364e36
 SHA512:
-  metadata.gz: 24b52822b413bef6896c516237dfbd31bb9c4205496aae188a7a70bb574e9babb8ea0a6acbb73df014c03f27682dd97f3ecd3e509bbf29c91bdc2a56a2151d63
-  data.tar.gz: 38c01cb3999dc3384b89507aac2f25f76a311aea6e2fda59a86f35d2a323776e3e58873a74beeab888dd20bd89520b167e8414f71aa206112217fda6c890e0ba
+  metadata.gz: de0c7021c4735b26249e5b267db11ede06f55b23d8f9bd51641d1cf3eee3812e14a2deec986e8aa6ee81de98097083fdb634a441fd4928cb47286fa977ba5d96
+  data.tar.gz: 3865639c837771ceeafceec8a110e506f88fef45c61f7274782c637e794f9185be18ee98270852bac6fecb0fc90e4893dfed08d715c761507e87396e5a559bc2

data/{NEWS.md → CHANGELOG.md}

@@ -1,27 +1,317 @@
-# News
+# Changelog
 
 See https://github.com/doorkeeper-gem/doorkeeper/wiki/Migration-from-old-versions for
 upgrade guides.
 
 User-visible changes worth mentioning.
 
+## main
+
+- [#ID] Add your PR description here.
+
+## 5.6.6
+
+- [#1644] Update HTTP headers.
+- [#1646] Block public clients automatic authorization skip.
+- [#1648] Add custom token attributes to Refresh Token Request.
+- [#1649] Fixed custom_access_token_attributes related errors.
+
+# 5.6.5
+
+- [#1602] Allow custom data to be stored inside access grants/tokens.
+- [#1634] Code refactoring for custom token attributes.
+- [#1639] Add grant type validation to avoid Internal Server Error for DELETE /oauth/authorize endpoint.
+
+# 5.6.4
+
+- [#1633] Apply ORM configuration in #to_prepare block to avoid autoloading errors.
+
+# 5.6.3
+
+- [#1622] Drop support for Rubies 2.5 and 2.6
+- [#1605] Fix URI validation for Ruby 3.2+.
+- [#1625] Exclude endless access tokens from `StaleRecordsCleaner`.
+- [#1626] Remove deprecated `active_record_options` config option.
+- [#1631] Fix regression with redirect behavior after token lookup optimizations (redirect to app URI when found).
+- [#1630] Special case unique index creation for refresh_token on SQL Server.
+- [#1627] Lazy evaluate Doorkeeper config when loading files and executing initializers.
+
+## 5.6.2
+
+- [#1604] Fix fetching of the application when custom application_class defined.
+
+## 5.6.1
+
+- [#1593] Add support for Trilogy ActiveRecord adapter.
+- [#1597] Add optional support to use the url path for the native authorization code flow. Ports forward [#1143] from 4.4.3
+- [#1599] Remove unnecessarily re-fetch of application object when creating an access token.
+
+## 5.6.0
+
+- [#1581] Consider `token_type_hint` when searching for access token in TokensController to avoid extra database calls.
+
+## 5.6.0.rc2
+
+- [#1558] Fixed bug: able to obtain a token with default scopes even if they are not present in the
+  application scopes when using client credentials.
+- [#1567] Only filter `code` parameter if authorization_code grant flow is enabled.
+
+## 5.6.0.rc1
+
+- [#1551] Change lazy loading for ORM to be Ruby standard autoload.
+- [#1552] Remove duplicate IDs on Auth form to improve accessibility.
+- [#1542] Improve performance of `Doorkeeper::AccessToken#matching_token_for` using database specific SQL time math.
+
+  **[IMPORTANT]**: API of the `Doorkeeper::AccessToken#matching_token_for` method has changed and now it returns
+  only **active** access tokens (previously they were just not revoked). Please remember that the idea of the
+  `reuse_access_token` option is to check for existing _active_ token (see configuration option description).
+
+## 5.5.4
+
+- [#1535] Revert changes introduced in #1528 to allow query params in `redirect_uri` as per the spec.
+
+## 5.5.3
+
+- [#1528] Don't allow extra query params in redirect_uri.
+- [#1525] I18n source for forbidden token error is now `doorkeeper.errors.messages.forbidden_token.missing_scope`.
+- [#1531] Disable `strict-loading` for Doorkeeper models by default.
+- [#1532] Add support for Rails 7.
+
+## 5.5.2
+
+- [#1502] Drop support for Ruby 2.4 because of EOL.
+- [#1504] Updated the url fragment in the comment for code documentation.
+- [#1512] Fix form behavior when response mode is form_post.
+- [#1511] Fix that authorization code is returned by fragment if response_mode is fragment.
+
+## 5.5.1
+
+- [#1496] Revoke `old_refresh_token` if `previous_refresh_token` is present.
+- [#1495] Fix `respond_to` undefined in API-only mode
+- [#1488] Verify client authentication for Resource Owner Password Grant when
+  `config.skip_client_authentication_for_password_grant` is set and the client credentials
+  are sent in a HTTP Basic auth header.
+
+## 5.5.0
+
+- [#1482] Simplify `TokenInfoController` to be overridable (extract response rendering).
+- [#1478] Fix ownership association and Rake tasks when custom models configured.
+- [#1477] Respect `ActiveRecord::Base.pluralize_table_names` for Doorkeeper table names.
+
+## 5.5.0.rc2
+
+- [#1473] Enable `Applications` and `AuthorizedApplications` controllers in API mode.
+
+  **[IMPORTANT]** you can still skip these controllers using `skip_controllers` in
+    `use_doorkeeper` inside `routes.rb`. Please do it in case you don't need them.
+
+- [#1472] Fix `establish_connection` configuration for custom defined models.
+- [#1471] Add support for Ruby 3.0.
+- [#1469] Check if `redirect_uri` exists.
+- [#1465] Memoize nil doorkeeper_token.
+- [#1459] Use built-in Ruby option to remove padding in PKCE code challenge value.
+- [#1457] Make owner_id a bigint for newly-generated owner migrations
+- [#1452] Empty previous_refresh_token only if present.
+- [#1440] Validate empty host in redirect_uri.
+- [#1438] Add form post response mode.
+- [#1458] Make `config.skip_client_authentication_for_password_grant` a long term configuration option.
+
+## 5.5.0.rc1
+
+- [#1435] Make error response not redirectable when client is unauthorized
+- [#1426] Ensure ActiveRecord callbacks are executed on token revocation.
+- [#1407] Remove redundant and complex to support helpers froms tests (`should_have_json`, etc).
+- [#1416] Don't add introspection route if token introspection completely disabled.
+- [#1410] Properly memoize `current_resource_owner` value (consider `nil` and `false` values).
+- [#1415] Ignore PKCE params for non-PKCE grants.
+- [#1418] Add ability to register custom OAuth Grant Flows.
+- [#1420] Require client authentication for Resource Owner Password Grant as stated in OAuth RFC.
+
+  **[IMPORTANT]** you need to create a new OAuth client (`Doorkeeper::Application`) if you didn't
+    have it before and use client credentials in HTTP Basic auth if you previously used this grant
+    flow without client authentication. To opt out of this you could set the
+    `skip_client_authentication_for_password_grant` configuration option to `true`, but note that
+    this is in violation of the OAuth spec and represents a security risk.
+    All the users of your provider application now need to include client credentials when they use
+    this grant flow.
+
+- [#1421] Add Resource Owner instance to authorization hook context for `custom_access_token_expires_in`
+  configuration option to allow resource owner based Access Tokens TTL.
+
+## 5.4.0
+
+- [#1404] Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.4.0.rc2
+
+- [#1371] Add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
+
+  **[IMPORTANT]** you need to re-implement `#as_json` method for Doorkeeper Application model
+  if you previously used `#to_json` serialization with custom options or attributes or rely on
+  JSON response from /oauth/applications.json or /oauth/authorized_applications.json. This change
+  is a breaking change which restricts serialized attributes to a very small set of columns.
+
+- [#1395] Fix `NameError: uninitialized constant Doorkeeper::AccessToken` for Rake tasks.
+- [#1397] Add `as: :doorkeeper_application` on Doorkeeper application form in order to support
+  custom configured application model.
+- [#1400] Correctly yield the application instance to `allow_grant_flow_for_client?` config
+  option (fixes #1398).
+- [#1402] Handle trying authorization with client credentials.
+
+## 5.4.0.rc1
+- [#1366] Sets expiry of token generated using `refresh_token` to that of original token. (Fixes #1364)
+- [#1354] Add `authorize_resource_owner_for_client` option to authorize the calling user to access an application.
+- [#1355] Allow to enable polymorphic Resource Owner association for Access Token & Grant
+  models (`use_polymorphic_resource_owner` configuration option).
+
+  **[IMPORTANT]** Review your custom patches or extensions for Doorkeeper internals if you
+  have such - since now Doorkeeper passes Resource Owner instance to every objects and not
+  just it's ID. See PR description for details.
+
+- [#1356] Remove duplicated scopes from Access Tokens and Grants on attribute assignment.
+- [#1357] Fix `Doorkeeper::OAuth::PreAuthorization#as_json` method causing
+  `Stack level too deep` error with AMS (fix #1312).
+- [#1358] Deprecate `active_record_options` configuration option.
+- [#1359] Refactor Doorkeeper configuration options DSL to make it easy to reuse it
+  in external extensions.
+- [#1360] Increase `matching_token_for` lookup size to 10 000 and make it configurable.
+- [#1371] Fix controllers to use valid classes in case Doorkeeper has custom models configured.
+- [#1370] Fix revocation response for invalid token and unauthorized requests to conform with RFC 7009 (fixes #1362).
+
+  **[IMPORTANT]** now fully according to RFC 7009 nobody can do a revocation request without `client_id`
+  (for public clients) and `client_secret` (for private clients). Please update your apps to include that
+  info in the revocation request payload.
+
+- [#1373] Make Doorkeeper routes mapper reusable in extensions.
+- [#1374] Revoke and issue client credentials token in a transaction with a row lock.
+- [#1384] Add context object with auth/pre_auth and issued_token for authorization hooks.
+- [#1387] Add `AccessToken#create_for` and use in `RefreshTokenRequest`.
+- [#1392] Fix `enable_polymorphic_resource_owner` migration template to have proper index name.
+- [#1393] Improve Applications #show page with more informative data on client secret and scopes.
+- [#1394] Use Ruby `autoload` feature to load Doorkeeper files.
+
+## 5.3.3
+
+- [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.3.2
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
+
+## 5.3.1
+
+- [#1360] Backport: Increase `matching_token_for` batch lookup size to 10 000 and make it configurable.
+
+## 5.3.0
+
+- [#1339] Validate Resource Owner in `PasswordAccessTokenRequest` against `nil` and `false` values.
+- [#1341] Fix `refresh_token_revoked_on_use` with `hash_token_secrets` enabled.
+- [#1343] Fix ruby 2.7 kwargs warning in InvalidTokenResponse.
+- [#1345] Allow to set custom classes for Doorkeeper models, extract reusable AR mixins.
+- [#1346] Refactor `Doorkeeper::Application#to_json` into convenient `#as_json` (fix #1344).
+- [#1349] Fix `Doorkeeper::Application` AR associations using an incorrect foreign key name when using a custom class.
+- [#1318] Make existing token revocation for client credentials optional and disable it by default.
+
+  **[IMPORTANT]** This is a change compared to the behaviour of version 5.2.
+  If you were relying on access tokens being revoked once the same client
+  requested a new access token, reenable it with `revoke_previous_client_credentials_token` in Doorkeeper
+  initialization file.
+
+## 5.2.6
+
+- [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.2.5
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
+
+## 5.2.4
+
+- [#1360] Backport: Increase `matching_token_for` batch lookup size to 10 000 and make it configurable.
+
+## 5.2.3
+
+- [#1334] Remove `application_secret` flash helper and `redirect_to` keyword.
+- [#1331] Move redirect_uri_validator to where it is used (`Application` model).
+- [#1326] Move response_type check in pre_authorization to a method to be easily to override.
+- [#1329] Fix `find_in_batches` order warning.
+
 ## 5.2.2
 
+- [#1320] Call configured `authenticate_resource_owner` method once per request.
+- [#1315] Allow generation of new secret with `Doorkeeper::Application#renew_secret`.
+- [#1309] Allow `Doorkeeper::Application#to_json` to work without arguments.
+
+## 5.2.1
+
+- [#1308] Fix flash types for `api_only` mode (no flashes for `ActionController::API`).
+- [#1306] Fix interpolation of `missing_param` I18n.
+
+## 5.2.0
+
+- [#1305] Make `Doorkeeper::ApplicationController` to inherit from `ActionController::API` in cases
+  when `api_mode` enabled (fixes #1302).
+
+## 5.2.0.rc3
+
+- [#1298] Slice strong params so doesn't error with Rails forms.
+- [#1300] Limiting access to attributes of pre_authorization.
+- [#1296] Adding client_id to strong parameters.
+
+  **[IMPORTANT]** `Doorkeeper::Server#client_via_uid` was removed.
+
+- [#1293] Move ar specific redirect uri validator to ar orm directory.
+- [#1288] Allow to pass attributes to the `Doorkeeper::OAuth::PreAuthorization#as_json` method to customize
+  the PreAuthorization response.
+- [#1286] Add ability to customize grant flows per application (OAuth client) (#1245 , #1207)
+- [#1283] Allow to customize base class for `Doorkeeper::ApplicationMetalController` (new configuration
+  option called `base_metal_controller` (fix #1273).
+- [#1277] Prevent requested scope be empty on authorization request, handle and add description for invalid request.
+
+## 5.2.0.rc2
+
+- [#1270] Find matching tokens in batches for `reuse_access_token` option (fix #1193).
+- [#1271] Reintroduce existing token revocation for client credentials.
+
+  **[IMPORTANT]** If you rely on being able to fetch multiple access tokens from the same
+  client using client credentials flow, you should skip to version 5.3, where this behaviour
+  is deactivated by default.
+
+- [#1269] Update initializer template documentation.
+- [#1266] Use strong parameters within pre-authorization.
+- [#1264] Add :before_successful_authorization and :after_successful_authorization hooks in TokensController
+- [#1263] Response properly when introspection fails and fix configurations's user guide.
+
+## 5.2.0.rc1
+
+- [#1260], [#1262] Improve Token Introspection configuration option (access to tokens, client).
+- [#1257] Add constraint configuration when using client authentication on introspection endpoint.
+- [#1252] Returning `unauthorized` when the revocation of the token should not be performed due to wrong permissions.
+- [#1249] Specify case sensitive uniqueness to remove Rails 6 deprecation message
+- [#1248] Display the Application Secret in HTML after creating a new application even when `hash_application_secrets` is used.
+- [#1248] Return the unhashed Application Secret in the JSON response after creating new application even when `hash_application_secrets` is used.
+- [#1238] Better support for native app with support for custom scheme and localhost redirection.
+
+## 5.1.2
+
 - [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
 
 ## 5.1.1
 
-[#1371] Backport: add #as_json method and attributes serialization restriction for Application model.
-        Fixes information disclosure vulnerability (CVE-2020-10187).
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
 
 ## 5.1.0
 
-- [#1243]: Add nil check operator in token checking at token introspection.
+- [#1243] Add nil check operator in token checking at token introspection.
 - [#1241] Explaining foreign key options for resource owner in a single place
 - [#1237] Allow to set blank redirect URI if Doorkeeper configured to use redirect URI-less grant flows.
 - [#1234] Fix `StaleRecordsCleaner` to properly work with big amount of records.
 - [#1228] Allow to explicitly set non-expiring tokens in `custom_access_token_expires_in` configuration
-  option using `Float::INIFINITY` return value.
+  option using `Float::INFINITY` return value.
 - [#1224] Do not try to store token if not found by fallback hashing strategy.
 - [#1223] Update Hound/Rubocop rules, correct Doorkeeper codebase to follow style-guides.
 - [#1220] Drop Rails 4.2 & Ruby < 2.4 support.
@@ -30,9 +320,9 @@ User-visible changes worth mentioning.
 
 - [#1208] Unify hashing implementation into secret storing strategies
 
-  **[IMPORTANT]**: If you have been using the master branch of doorkeeper with bcrypt in your Gemfile.lock,
+  **[IMPORTANT]** If you have been using the master branch of doorkeeper with bcrypt in your Gemfile.lock,
   your application secrets have been hashed using BCrypt. To restore this behavior, use the initializer option
-  `use_application_hashing using: 'Doorkeeper::SecretStoring::BCrypt`.
+  `hash_application_secrets using: 'Doorkeeper::SecretStoring::BCrypt`.
 
 - [#1216] Add nil check to `expires_at` method.
 - [#1215] Fix deprecates for Rails 6.
@@ -57,7 +347,7 @@ User-visible changes worth mentioning.
   token value validations, or you are using database with case-insensitive WHERE clause like MySQL
   (you can face some collisions). Before this change access token value matched `[a-f0-9]` regex, and now
   it matches `[a-zA-Z0-9\-_]`. In case you have such restrictions and your don't use custom token generator
-  please change configuration option `default_generator_method ` to `:hex`.
+  please change configuration option `default_generator_method` to `:hex`.
 
 - [#1195] Allow to customize Token Introspection response (fixes #1194).
 - [#1189] Option to set `token_reuse_limit`.
@@ -75,6 +365,11 @@ User-visible changes worth mentioning.
 - [#1164] Fix error when `root_path` is not defined.
 - [#1162] Fix `enforce_content_type` for requests without body.
 
+## 5.0.3
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
+
 ## 5.0.2
 
 - [#1158] Fix initializer template: change `handle_auth_errors` option
@@ -101,7 +396,7 @@ User-visible changes worth mentioning.
 - [#1116] `AccessGrant`s will now be revoked along with `AccessToken`s when
   hitting the `AuthorizedApplicationController#destroy` route.
 - [#1114] Make token info endpoint's attributes consistent with token creation
-- [#1108] Simple formating of callback URLs when listing oauth applications
+- [#1108] Simple formatting of callback URLs when listing oauth applications
 - [#1106] Restrict access to AdminController with 'Forbidden 403' if admin_authenticator is not
   configured by developers.
 
@@ -126,9 +421,9 @@ User-visible changes worth mentioning.
   either public or private/confidential
 
   **[IMPORTANT]**: all the applications (clients) now are considered as private by default.
-    You need to manually change `confidential` column to `false` if you are using public clients,
-    in other case your mobile (or other) applications will not be able to authorize.
-    See [#1142](https://github.com/doorkeeper-gem/doorkeeper/issues/1142) for more details.
+  You need to manually change `confidential` column to `false` if you are using public clients,
+  in other case your mobile (or other) applications will not be able to authorize.
+  See [#1142](https://github.com/doorkeeper-gem/doorkeeper/issues/1142) for more details.
 
 - [#1010] Add configuration to enforce configured scopes (`default_scopes` and
   `optional_scopes`) for applications
@@ -153,7 +448,6 @@ User-visible changes worth mentioning.
 - [#1143] Adds a config option `opt_out_native_route_change` to opt out of the breaking api
   changed introduced in https://github.com/doorkeeper-gem/doorkeeper/pull/1003
 
-
 ## 4.4.2
 
 - [#1130] Backport fix for native redirect_uri from 5.x.
@@ -233,7 +527,7 @@ User-visible changes worth mentioning.
 ## 4.2.0
 
 - Security fix: Address CVE-2016-6582, implement token revocation according to
-    spec (tokens might not be revoked if client follows the spec).
+  spec (tokens might not be revoked if client follows the spec).
 - [#873] Add hooks to Doorkeeper::ApplicationMetalController
 - [#871] Allow downstream users to better utilize doorkeeper spec factories by
   eliminating name conflict on `:user` factory.
@@ -267,6 +561,7 @@ User-visible changes worth mentioning.
   ```
   rails generate doorkeeper:previous_refresh_token
   ```
+
 - [#811] Toughen parameters filter with exact match
 - [#813] Applications admin bugfix
 - [#799] Fix Ruby Warnings
@@ -360,11 +655,10 @@ User-visible changes worth mentioning.
 - Removes `doorkeeper_for` deprecation notice.
 - Remove `applications.scopes` upgrade notice.
 
-
 ## 2.2.2
 
 - [#541] Fixed `undefined method attr_accessible` problem on Rails 4
-    (happens only when ProtectedAttributes gem is used) in #599
+  (happens only when ProtectedAttributes gem is used) in #599
 
 ## 2.2.1
 
@@ -383,7 +677,6 @@ User-visible changes worth mentioning.
 - [#627] i18n fallbacks to english
 - Moved CHANGELOG to NEWS.md
 
-
 ## 2.1.4 - 2015-03-27
 
 - [#595] HTTP spec: Add `scope` for refresh token scope param
@@ -391,12 +684,10 @@ User-visible changes worth mentioning.
 - [#567] Add Grape helpers for easier integration with Grape framework
 - [#606] Add custom access token expiration support for Client Credentials flow
 
-
 ## 2.1.3 - 2015-03-01
 
 - [#588] Fixes scopes_match? bug that skipped authorization form in some cases
 
-
 ## 2.1.2 - 2015-02-25
 
 - [#574] Remove unused update authorization route.
@@ -405,17 +696,15 @@ User-visible changes worth mentioning.
 - [#583] Database connection bugfix in certain scenarios.
 - Testing improvements
 
-
 ## 2.1.1 - 2015-02-06
 
 - Remove `wildcard_redirect_url` option
 - [#481] Customize token flow OAuth expirations with a config lambda
 - [#568] TokensController: Memoize strategy.authorize_response result to enable
-    subclasses to use the response object.
+  subclasses to use the response object.
 - [#571] Fix database initialization issues in some configurations.
 - Documentation improvements
 
-
 ## 2.1.0 - 2015-01-13
 
 - [#540] Include `created_at` in response.
@@ -435,12 +724,10 @@ User-visible changes worth mentioning.
   Disables implicit and password grant flows by default.
 - [#510, #544, 722113f] Revoked refresh token response bugfix.
 
-
 ## 2.0.1 - 2014-12-17
 
 - [#525, #526, #527] Fix `ActiveRecord::NoDatabaseError` on gem load.
 
-
 ## 2.0.0 - 2014-12-16
 
 ### Backward incompatible changes
@@ -574,7 +861,7 @@ User-visible changes worth mentioning.
     tokens for an application/owner instead of deleting them.
   - [#333] Rails 4.1 support
 - internals
-  - Removes jQuery dependency [fixes #300] [PR #312 is related]
+  - Removes jQuery dependency [fixes #300][pr #312 is related]
   - [#294] Client uid and secret will be generated only if not present.
   - [#316] Test warnings addressed.
   - [#338] Rspec 3 syntax.
@@ -692,7 +979,7 @@ Official support for rubinius was removed.
   - Add support for mongoid
   - [#78, #128, #137, #138] Application Ownership
   - [#92] Allow users to skip controllers
-  - [#99] Remove deprecated warnings for data-* attributes [@towerhe](https://github.com/towerhe)
+  - [#99] Remove deprecated warnings for data-\* attributes [@towerhe](https://github.com/towerhe)
   - [#101] Return existing access_token for PasswordAccessTokenRequest [@benoist](https://github.com/benoist)
   - [#104] Changed access token scopes example code to default_scopes and optional_scopes [@amkirwan](https://github.com/amkirwan)
   - [#107] Fix typos in initializer
@@ -754,7 +1041,7 @@ Official support for rubinius was removed.
   - [#50] Fix typos [@tomekw](https://github.com/tomekw)
   - [#51] Updated the factory_girl_rails dependency, fix expires_in response which returned a float number instead of integer [@antekpiechnik](https://github.com/antekpiechnik)
   - [#62] Typos, .gitignore [@jaimeiniesta](https://github.com/jaimeiniesta)
-  - [#65] Change _path redirections to _url redirections [@jaimeiniesta](https://github.com/jaimeiniesta)
+  - [#65] Change \_path redirections to \_url redirections [@jaimeiniesta](https://github.com/jaimeiniesta)
   - [#75] Fix unknown method #authenticate_admin! [@mattgreen](https://github.com/mattgreen)
   - Remove application link in authorized app view
 

data/README.md

@@ -1,12 +1,11 @@
 # Doorkeeper — awesome OAuth 2 provider for your Rails / Grape app.
 
 [![Gem Version](https://badge.fury.io/rb/doorkeeper.svg)](https://rubygems.org/gems/doorkeeper)
-[![Build Status](https://travis-ci.org/doorkeeper-gem/doorkeeper.svg?branch=master)](https://travis-ci.org/doorkeeper-gem/doorkeeper)
+[![CI](https://github.com/doorkeeper-gem/doorkeeper/actions/workflows/ci.yml/badge.svg)](https://github.com/doorkeeper-gem/doorkeeper/actions/workflows/ci.yml)
 [![Code Climate](https://codeclimate.com/github/doorkeeper-gem/doorkeeper.svg)](https://codeclimate.com/github/doorkeeper-gem/doorkeeper)
-[![Coverage Status](https://coveralls.io/repos/github/doorkeeper-gem/doorkeeper/badge.svg?branch=master)](https://coveralls.io/github/doorkeeper-gem/doorkeeper?branch=master)
-[![Security](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master.svg)](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master)
+[![Coverage Status](https://coveralls.io/repos/github/doorkeeper-gem/doorkeeper/badge.svg?branch=main)](https://coveralls.io/github/doorkeeper-gem/doorkeeper?branch=main)
 [![Reviewed by Hound](https://img.shields.io/badge/Reviewed_by-Hound-8E64B0.svg)](https://houndci.com)
-[![GuardRails badge](https://badges.production.guardrails.io/doorkeeper-gem/doorkeeper.svg?token=66768ce8f6995814df81f65a2cff40f739f688492704f973e62809e15599bb62)](https://dashboard.guardrails.io/default/gh/doorkeeper-gem/doorkeeper)
+[![GuardRails badge](https://badges.guardrails.io/doorkeeper-gem/doorkeeper.svg?token=66768ce8f6995814df81f65a2cff40f739f688492704f973e62809e15599bb62)](https://dashboard.guardrails.io/default/gh/doorkeeper-gem/doorkeeper)
 [![Dependabot](https://img.shields.io/badge/dependabot-enabled-success.svg)](https://dependabot.com)
 
 Doorkeeper is a gem (Rails engine) that makes it easy to introduce OAuth 2 provider
@@ -14,17 +13,18 @@ functionality to your Ruby on Rails or Grape application.
 
 Supported features:
 
-- [The OAuth 2.0 Authorization Framework](https://tools.ietf.org/html/rfc6749)
-  - [Authorization Code Flow](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.1)
-  - [Access Token Scopes](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-3.3)
-  - [Refresh token](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-1.5)
-  - [Implicit grant](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.2)
-  - [Resource Owner Password Credentials](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.3)
-  - [Client Credentials](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.4)
-  - [Proof Key for Code Exchange](https://tools.ietf.org/html/rfc7636)
-- [OAuth 2.0 Token Revocation](http://tools.ietf.org/html/rfc7009)
-- [OAuth 2.0 Token Introspection](https://tools.ietf.org/html/rfc7662)
-- [OAuth 2.0 Threat Model and Security Considerations](http://tools.ietf.org/html/rfc6819)
+- [The OAuth 2.0 Authorization Framework](https://datatracker.ietf.org/doc/html/rfc6749)
+  - [Authorization Code Flow](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1)
+  - [Access Token Scopes](https://datatracker.ietf.org/doc/html/rfc6749#section-3.3)
+  - [Refresh token](https://datatracker.ietf.org/doc/html/rfc6749#section-1.5)
+  - [Implicit grant](https://datatracker.ietf.org/doc/html/rfc6749#section-4.2)
+  - [Resource Owner Password Credentials](https://datatracker.ietf.org/doc/html/rfc6749#section-4.3)
+  - [Client Credentials](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4)
+- [OAuth 2.0 Token Revocation](https://datatracker.ietf.org/doc/html/rfc7009)
+- [OAuth 2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662)
+- [OAuth 2.0 Threat Model and Security Considerations](https://datatracker.ietf.org/doc/html/rfc6819)
+- [OAuth 2.0 for Native Apps](https://datatracker.ietf.org/doc/html/rfc8252)
+- [Proof Key for Code Exchange by OAuth Public Clients](https://datatracker.ietf.org/doc/html/rfc7636)
 
 ## Table of Contents
 
@@ -50,7 +50,7 @@ Supported features:
 
 ## Documentation
 
-This documentation is valid for `master` branch. Please check the documentation for the version of doorkeeper you are using in:
+This documentation is valid for `main` branch. Please check the documentation for the version of doorkeeper you are using in:
 https://github.com/doorkeeper-gem/doorkeeper/releases.
 
 Additionally, other resources can be found on:
@@ -93,6 +93,7 @@ Doorkeeper supports Active Record by default, but can be configured to work with
 | MongoDB | [doorkeeper-gem/doorkeeper-mongodb](https://github.com/doorkeeper-gem/doorkeeper-mongodb) |
 | Sequel | [nbulaj/doorkeeper-sequel](https://github.com/nbulaj/doorkeeper-sequel) |
 | Couchbase | [acaprojects/doorkeeper-couchbase](https://github.com/acaprojects/doorkeeper-couchbase) |
+| RethinkDB | [aca-labs/doorkeeper-rethinkdb](https://github.com/aca-labs/doorkeeper-rethinkdb) |
 
 ## Extensions
 
@@ -104,6 +105,8 @@ Extensions that are not included by default and can be installed separately.
 | JWT Token support | [doorkeeper-gem/doorkeeper-jwt](https://github.com/doorkeeper-gem/doorkeeper-jwt) |
 | Assertion grant extension | [doorkeeper-gem/doorkeeper-grants\_assertion](https://github.com/doorkeeper-gem/doorkeeper-grants_assertion) |
 | I18n translations | [doorkeeper-gem/doorkeeper-i18n](https://github.com/doorkeeper-gem/doorkeeper-i18n) |
+| CIBA - Client Initiated Backchannel Authentication Flow extension | [doorkeeper-ciba](https://github.com/autoseg/doorkeeper-ciba) |
+| Device Authorization Grant | [doorkeeper-device_authorization_grant](https://github.com/exop-group/doorkeeper-device_authorization_grant) |
 
 ## Example Applications
 
@@ -111,7 +114,7 @@ These applications show how Doorkeeper works and how to integrate with it. Start
 
 | Application | Link |
 | :--- | :--- |
-| oAuth2 Server with Doorkeeper | [doorkeeper-gem/doorkeeper-provider-app](https://github.com/doorkeeper-gem/doorkeeper-provider-app) |
+| OAuth2 Server with Doorkeeper | [doorkeeper-gem/doorkeeper-provider-app](https://github.com/doorkeeper-gem/doorkeeper-provider-app) |
 | Sinatra Client connected to Provider App | [doorkeeper-gem/doorkeeper-sinatra-client](https://github.com/doorkeeper-gem/doorkeeper-sinatra-client) |
 | Devise + Omniauth Client | [doorkeeper-gem/doorkeeper-devise-client](https://github.com/doorkeeper-gem/doorkeeper-devise-client) |
 
@@ -132,10 +135,22 @@ See [list of tutorials](https://github.com/doorkeeper-gem/doorkeeper/wiki#how-to
 
 Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [[Become a sponsor](https://opencollective.com/doorkeeper-gem#sponsor)]
 
+<a href="https://codecademy.com/about/careers?utm_source=doorkeeper-gem" target="_blank"><img src="https://static-assets.codecademy.com/marketing/codecademy_logo_padded.png"/></a>
+
+> Codecademy supports open source as part of its mission to democratize tech. Come help us build the education the world deserves: [https://codecademy.com/about/careers](https://codecademy.com/about/careers?utm_source=doorkeeper-gem)
+
+<br>
+
 <a href="https://oauth.io/?utm_source=doorkeeper-gem" target="_blank"><img src="https://oauth.io/img/logo_text.png"/></a>
 
 > If you prefer not to deal with the gory details of OAuth 2, need dedicated customer support & consulting, try the cloud-based SaaS version: [https://oauth.io](https://oauth.io/?utm_source=doorkeeper-gem)
 
+<br>
+
+<a href="https://www.wealthsimple.com/?utm_source=doorkeeper-gem" target="_blank"><img src="https://wealthsimple.s3.amazonaws.com/branding/medium-black.svg"/></a>
+
+> Wealthsimple is a financial company on a mission to help everyone achieve financial freedom by providing products and advice that are accessible and affordable. Using smart technology, Wealthsimple takes financial services that are often confusing, opaque and expensive and makes them simple, transparent, and low-cost. See what Investing on Autopilot is all about: [https://www.wealthsimple.com](https://www.wealthsimple.com/?utm_source=doorkeeper-gem)
+
 ## Development
 
 To run the local engine server:
@@ -146,12 +161,15 @@ bundle exec rake doorkeeper:server
 ````
 
 By default, it uses the latest Rails version with ActiveRecord. To run the
-tests with a specific ORM and Rails version:
+tests with a specific Rails version:
 
 ```
-rails=5.2 orm=active_record bundle exec rake
+BUNDLE_GEMFILE=gemfiles/rails_6_0.gemfile bundle exec rake
 ```
 
+You can also experiment with the changes using `bin/console`. It uses in-memory SQLite database and default
+Doorkeeper config, but you can reestablish connection or reconfigure the gem if you need.
+
 ## Contributing
 
 Want to contribute and don't know where to start? Check out [features we're
@@ -160,8 +178,7 @@ create [example
 apps](https://github.com/doorkeeper-gem/doorkeeper/wiki/Example-Applications),
 integrate the gem with your app and let us know!
 
-Also, check out our [contributing guidelines
-page](https://github.com/doorkeeper-gem/doorkeeper/wiki/Contributing).
+Also, check out our [contributing guidelines page](CONTRIBUTING.md).
 
 ## Contributors
 
@@ -172,4 +189,4 @@ contributors](https://github.com/doorkeeper-gem/doorkeeper/graphs/contributors)!
 
 ## License
 
-MIT License. Copyright 2011 Applicake.
+MIT License. Created in Applicake. Maintained by the community.

data/app/controllers/doorkeeper/application_controller.rb

@@ -2,10 +2,11 @@
 
 module Doorkeeper
   class ApplicationController <
-    Doorkeeper.configuration.base_controller.constantize
+    Doorkeeper.config.resolve_controller(:base)
     include Helpers::Controller
+    include ActionController::MimeResponds if Doorkeeper.config.api_only
 
-    unless Doorkeeper.configuration.api_only
+    unless Doorkeeper.config.api_only
       protect_from_forgery with: :exception
       helper "doorkeeper/dashboard"
     end