RubyGems - doorkeeper - Versions diffs - 5.1.2 → 5.6.6 - Mend

doorkeeper 5.1.2 → 5.6.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (272) hide show

checksums.yaml +4 -4
data/{NEWS.md → CHANGELOG.md} +314 -27
data/README.md +39 -22
data/app/controllers/doorkeeper/application_controller.rb +3 -2
data/app/controllers/doorkeeper/application_metal_controller.rb +3 -2
data/app/controllers/doorkeeper/applications_controller.rb +5 -4
data/app/controllers/doorkeeper/authorizations_controller.rb +76 -25
data/app/controllers/doorkeeper/authorized_applications_controller.rb +5 -5
data/app/controllers/doorkeeper/token_info_controller.rb +12 -2
data/app/controllers/doorkeeper/tokens_controller.rb +99 -28
data/app/helpers/doorkeeper/dashboard_helper.rb +1 -1
data/app/views/doorkeeper/applications/_form.html.erb +1 -7
data/app/views/doorkeeper/applications/show.html.erb +35 -14
data/app/views/doorkeeper/authorizations/error.html.erb +3 -1
data/app/views/doorkeeper/authorizations/form_post.html.erb +15 -0
data/app/views/doorkeeper/authorizations/new.html.erb +16 -14
data/config/locales/en.yml +16 -3
data/lib/doorkeeper/config/abstract_builder.rb +28 -0
data/lib/doorkeeper/config/option.rb +20 -2
data/lib/doorkeeper/config/validations.rb +53 -0
data/lib/doorkeeper/config.rb +300 -136
data/lib/doorkeeper/engine.rb +10 -3
data/lib/doorkeeper/errors.rb +13 -18
data/lib/doorkeeper/grant_flow/fallback_flow.rb +15 -0
data/lib/doorkeeper/grant_flow/flow.rb +44 -0
data/lib/doorkeeper/grant_flow/registry.rb +50 -0
data/lib/doorkeeper/grant_flow.rb +45 -0
data/lib/doorkeeper/grape/helpers.rb +7 -3
data/lib/doorkeeper/helpers/controller.rb +36 -11
data/lib/doorkeeper/models/access_grant_mixin.rb +23 -19
data/lib/doorkeeper/models/access_token_mixin.rb +195 -52
data/lib/doorkeeper/models/application_mixin.rb +8 -7
data/lib/doorkeeper/models/concerns/expirable.rb +1 -1
data/lib/doorkeeper/models/concerns/expiration_time_sql_math.rb +88 -0
data/lib/doorkeeper/models/concerns/ownership.rb +1 -1
data/lib/doorkeeper/models/concerns/polymorphic_resource_owner.rb +30 -0
data/lib/doorkeeper/models/concerns/resource_ownerable.rb +47 -0
data/lib/doorkeeper/models/concerns/reusable.rb +1 -1
data/lib/doorkeeper/models/concerns/revocable.rb +1 -28
data/lib/doorkeeper/models/concerns/scopes.rb +5 -1
data/lib/doorkeeper/models/concerns/secret_storable.rb +1 -3
data/lib/doorkeeper/oauth/authorization/code.rb +31 -14
data/lib/doorkeeper/oauth/authorization/context.rb +5 -5
data/lib/doorkeeper/oauth/authorization/token.rb +30 -19
data/lib/doorkeeper/oauth/authorization/uri_builder.rb +4 -4
data/lib/doorkeeper/oauth/authorization_code_request.rb +51 -22
data/lib/doorkeeper/oauth/base_request.rb +21 -22
data/lib/doorkeeper/oauth/client/credentials.rb +2 -4
data/lib/doorkeeper/oauth/client.rb +8 -9
data/lib/doorkeeper/oauth/client_credentials/creator.rb +42 -5
data/lib/doorkeeper/oauth/client_credentials/issuer.rb +10 -8
data/lib/doorkeeper/oauth/client_credentials/{validation.rb → validator.rb} +14 -5
data/lib/doorkeeper/oauth/client_credentials_request.rb +8 -7
data/lib/doorkeeper/oauth/code_request.rb +6 -12
data/lib/doorkeeper/oauth/code_response.rb +24 -14
data/lib/doorkeeper/oauth/error.rb +1 -1
data/lib/doorkeeper/oauth/error_response.rb +11 -13
data/lib/doorkeeper/oauth/forbidden_token_response.rb +2 -1
data/lib/doorkeeper/oauth/helpers/scope_checker.rb +8 -12
data/lib/doorkeeper/oauth/helpers/unique_token.rb +10 -7
data/lib/doorkeeper/oauth/helpers/uri_checker.rb +19 -23
data/lib/doorkeeper/oauth/hooks/context.rb +21 -0
data/lib/doorkeeper/oauth/invalid_request_response.rb +43 -0
data/lib/doorkeeper/oauth/invalid_token_response.rb +7 -4
data/lib/doorkeeper/oauth/nonstandard.rb +39 -0
data/lib/doorkeeper/oauth/password_access_token_request.rb +34 -11
data/lib/doorkeeper/oauth/pre_authorization.rb +114 -44
data/lib/doorkeeper/oauth/refresh_token_request.rb +54 -34
data/lib/doorkeeper/oauth/token.rb +6 -7
data/lib/doorkeeper/oauth/token_introspection.rb +28 -22
data/lib/doorkeeper/oauth/token_request.rb +6 -20
data/lib/doorkeeper/oauth/token_response.rb +2 -3
data/lib/doorkeeper/orm/active_record/access_grant.rb +4 -43
data/lib/doorkeeper/orm/active_record/access_token.rb +4 -35
data/lib/doorkeeper/orm/active_record/application.rb +5 -149
data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +63 -0
data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +77 -0
data/lib/doorkeeper/orm/active_record/mixins/application.rb +210 -0
data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb +66 -0
data/lib/doorkeeper/orm/active_record/stale_records_cleaner.rb +5 -2
data/lib/doorkeeper/orm/active_record.rb +29 -22
data/lib/doorkeeper/rails/helpers.rb +4 -4
data/lib/doorkeeper/rails/routes/abstract_router.rb +35 -0
data/lib/doorkeeper/rails/routes/mapper.rb +2 -2
data/lib/doorkeeper/rails/routes/registry.rb +45 -0
data/lib/doorkeeper/rails/routes.rb +28 -27
data/lib/doorkeeper/rake/db.rake +6 -6
data/lib/doorkeeper/request/authorization_code.rb +5 -3
data/lib/doorkeeper/request/client_credentials.rb +2 -2
data/lib/doorkeeper/request/password.rb +3 -2
data/lib/doorkeeper/request/refresh_token.rb +5 -4
data/lib/doorkeeper/request/strategy.rb +2 -2
data/lib/doorkeeper/request.rb +49 -17
data/lib/doorkeeper/server.rb +7 -11
data/lib/doorkeeper/stale_records_cleaner.rb +6 -2
data/lib/doorkeeper/version.rb +2 -6
data/lib/doorkeeper.rb +183 -80
data/lib/generators/doorkeeper/application_owner_generator.rb +1 -1
data/lib/generators/doorkeeper/confidential_applications_generator.rb +2 -2
data/lib/generators/doorkeeper/enable_polymorphic_resource_owner_generator.rb +39 -0
data/lib/generators/doorkeeper/migration_generator.rb +1 -1
data/lib/generators/doorkeeper/pkce_generator.rb +1 -1
data/lib/generators/doorkeeper/previous_refresh_token_generator.rb +7 -7
data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +3 -1
data/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb.erb +2 -0
data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +2 -0
data/lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb +17 -0
data/lib/generators/doorkeeper/templates/initializer.rb +230 -50
data/lib/generators/doorkeeper/templates/migration.rb.erb +31 -9
metadata +61 -327
data/.coveralls.yml +0 -1
data/.github/ISSUE_TEMPLATE.md +0 -25
data/.github/PULL_REQUEST_TEMPLATE.md +0 -17
data/.gitignore +0 -20
data/.gitlab-ci.yml +0 -16
data/.hound.yml +0 -3
data/.rspec +0 -1
data/.rubocop.yml +0 -50
data/.travis.yml +0 -35
data/Appraisals +0 -40
data/CODE_OF_CONDUCT.md +0 -46
data/CONTRIBUTING.md +0 -47
data/Dangerfile +0 -67
data/Gemfile +0 -24
data/RELEASING.md +0 -10
data/Rakefile +0 -28
data/SECURITY.md +0 -15
data/UPGRADE.md +0 -2
data/app/validators/redirect_uri_validator.rb +0 -50
data/bin/console +0 -16
data/doorkeeper.gemspec +0 -34
data/gemfiles/rails_5_0.gemfile +0 -17
data/gemfiles/rails_5_1.gemfile +0 -17
data/gemfiles/rails_5_2.gemfile +0 -17
data/gemfiles/rails_6_0.gemfile +0 -17
data/gemfiles/rails_master.gemfile +0 -17
data/spec/controllers/application_metal_controller_spec.rb +0 -64
data/spec/controllers/applications_controller_spec.rb +0 -180
data/spec/controllers/authorizations_controller_spec.rb +0 -527
data/spec/controllers/protected_resources_controller_spec.rb +0 -353
data/spec/controllers/token_info_controller_spec.rb +0 -50
data/spec/controllers/tokens_controller_spec.rb +0 -330
data/spec/dummy/Rakefile +0 -9
data/spec/dummy/app/assets/config/manifest.js +0 -2
data/spec/dummy/app/controllers/application_controller.rb +0 -5
data/spec/dummy/app/controllers/custom_authorizations_controller.rb +0 -9
data/spec/dummy/app/controllers/full_protected_resources_controller.rb +0 -14
data/spec/dummy/app/controllers/home_controller.rb +0 -18
data/spec/dummy/app/controllers/metal_controller.rb +0 -13
data/spec/dummy/app/controllers/semi_protected_resources_controller.rb +0 -13
data/spec/dummy/app/helpers/application_helper.rb +0 -7
data/spec/dummy/app/models/user.rb +0 -7
data/spec/dummy/app/views/home/index.html.erb +0 -0
data/spec/dummy/app/views/layouts/application.html.erb +0 -14
data/spec/dummy/config/application.rb +0 -47
data/spec/dummy/config/boot.rb +0 -7
data/spec/dummy/config/database.yml +0 -15
data/spec/dummy/config/environment.rb +0 -5
data/spec/dummy/config/environments/development.rb +0 -31
data/spec/dummy/config/environments/production.rb +0 -64
data/spec/dummy/config/environments/test.rb +0 -45
data/spec/dummy/config/initializers/backtrace_silencers.rb +0 -9
data/spec/dummy/config/initializers/doorkeeper.rb +0 -121
data/spec/dummy/config/initializers/secret_token.rb +0 -10
data/spec/dummy/config/initializers/session_store.rb +0 -10
data/spec/dummy/config/initializers/wrap_parameters.rb +0 -16
data/spec/dummy/config/locales/doorkeeper.en.yml +0 -5
data/spec/dummy/config/routes.rb +0 -13
data/spec/dummy/config.ru +0 -6
data/spec/dummy/db/migrate/20111122132257_create_users.rb +0 -11
data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb +0 -7
data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +0 -69
data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb +0 -9
data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb +0 -13
data/spec/dummy/db/migrate/20170822064514_enable_pkce.rb +0 -8
data/spec/dummy/db/migrate/20180210183654_add_confidential_to_applications.rb +0 -13
data/spec/dummy/db/schema.rb +0 -68
data/spec/dummy/public/404.html +0 -26
data/spec/dummy/public/422.html +0 -26
data/spec/dummy/public/500.html +0 -26
data/spec/dummy/public/favicon.ico +0 -0
data/spec/dummy/script/rails +0 -9
data/spec/factories.rb +0 -30
data/spec/generators/application_owner_generator_spec.rb +0 -28
data/spec/generators/confidential_applications_generator_spec.rb +0 -29
data/spec/generators/install_generator_spec.rb +0 -36
data/spec/generators/migration_generator_spec.rb +0 -28
data/spec/generators/pkce_generator_spec.rb +0 -28
data/spec/generators/previous_refresh_token_generator_spec.rb +0 -44
data/spec/generators/templates/routes.rb +0 -4
data/spec/generators/views_generator_spec.rb +0 -29
data/spec/grape/grape_integration_spec.rb +0 -137
data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +0 -26
data/spec/lib/config_spec.rb +0 -697
data/spec/lib/doorkeeper_spec.rb +0 -27
data/spec/lib/models/expirable_spec.rb +0 -61
data/spec/lib/models/reusable_spec.rb +0 -40
data/spec/lib/models/revocable_spec.rb +0 -59
data/spec/lib/models/scopes_spec.rb +0 -53
data/spec/lib/models/secret_storable_spec.rb +0 -135
data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -39
data/spec/lib/oauth/authorization_code_request_spec.rb +0 -156
data/spec/lib/oauth/base_request_spec.rb +0 -205
data/spec/lib/oauth/base_response_spec.rb +0 -47
data/spec/lib/oauth/client/credentials_spec.rb +0 -90
data/spec/lib/oauth/client_credentials/creator_spec.rb +0 -94
data/spec/lib/oauth/client_credentials/issuer_spec.rb +0 -112
data/spec/lib/oauth/client_credentials/validation_spec.rb +0 -59
data/spec/lib/oauth/client_credentials_integration_spec.rb +0 -29
data/spec/lib/oauth/client_credentials_request_spec.rb +0 -109
data/spec/lib/oauth/client_spec.rb +0 -38
data/spec/lib/oauth/code_request_spec.rb +0 -47
data/spec/lib/oauth/code_response_spec.rb +0 -36
data/spec/lib/oauth/error_response_spec.rb +0 -66
data/spec/lib/oauth/error_spec.rb +0 -23
data/spec/lib/oauth/forbidden_token_response_spec.rb +0 -22
data/spec/lib/oauth/helpers/scope_checker_spec.rb +0 -98
data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -21
data/spec/lib/oauth/helpers/uri_checker_spec.rb +0 -247
data/spec/lib/oauth/invalid_token_response_spec.rb +0 -55
data/spec/lib/oauth/password_access_token_request_spec.rb +0 -192
data/spec/lib/oauth/pre_authorization_spec.rb +0 -215
data/spec/lib/oauth/refresh_token_request_spec.rb +0 -177
data/spec/lib/oauth/scopes_spec.rb +0 -148
data/spec/lib/oauth/token_request_spec.rb +0 -150
data/spec/lib/oauth/token_response_spec.rb +0 -86
data/spec/lib/oauth/token_spec.rb +0 -158
data/spec/lib/request/strategy_spec.rb +0 -54
data/spec/lib/secret_storing/base_spec.rb +0 -60
data/spec/lib/secret_storing/bcrypt_spec.rb +0 -49
data/spec/lib/secret_storing/plain_spec.rb +0 -44
data/spec/lib/secret_storing/sha256_hash_spec.rb +0 -48
data/spec/lib/server_spec.rb +0 -61
data/spec/lib/stale_records_cleaner_spec.rb +0 -89
data/spec/models/doorkeeper/access_grant_spec.rb +0 -144
data/spec/models/doorkeeper/access_token_spec.rb +0 -591
data/spec/models/doorkeeper/application_spec.rb +0 -472
data/spec/requests/applications/applications_request_spec.rb +0 -259
data/spec/requests/applications/authorized_applications_spec.rb +0 -32
data/spec/requests/endpoints/authorization_spec.rb +0 -73
data/spec/requests/endpoints/token_spec.rb +0 -75
data/spec/requests/flows/authorization_code_errors_spec.rb +0 -78
data/spec/requests/flows/authorization_code_spec.rb +0 -447
data/spec/requests/flows/client_credentials_spec.rb +0 -128
data/spec/requests/flows/implicit_grant_errors_spec.rb +0 -34
data/spec/requests/flows/implicit_grant_spec.rb +0 -90
data/spec/requests/flows/password_spec.rb +0 -259
data/spec/requests/flows/refresh_token_spec.rb +0 -233
data/spec/requests/flows/revoke_token_spec.rb +0 -143
data/spec/requests/flows/skip_authorization_spec.rb +0 -66
data/spec/requests/protected_resources/metal_spec.rb +0 -16
data/spec/requests/protected_resources/private_api_spec.rb +0 -83
data/spec/routing/custom_controller_routes_spec.rb +0 -133
data/spec/routing/default_routes_spec.rb +0 -41
data/spec/routing/scoped_routes_spec.rb +0 -47
data/spec/spec_helper.rb +0 -57
data/spec/spec_helper_integration.rb +0 -4
data/spec/support/dependencies/factory_bot.rb +0 -4
data/spec/support/doorkeeper_rspec.rb +0 -22
data/spec/support/helpers/access_token_request_helper.rb +0 -13
data/spec/support/helpers/authorization_request_helper.rb +0 -43
data/spec/support/helpers/config_helper.rb +0 -11
data/spec/support/helpers/model_helper.rb +0 -78
data/spec/support/helpers/request_spec_helper.rb +0 -98
data/spec/support/helpers/url_helper.rb +0 -62
data/spec/support/http_method_shim.rb +0 -29
data/spec/support/orm/active_record.rb +0 -5
data/spec/support/shared/controllers_shared_context.rb +0 -123
data/spec/support/shared/hashing_shared_context.rb +0 -36
data/spec/support/shared/models_shared_examples.rb +0 -54
data/spec/validators/redirect_uri_validator_spec.rb +0 -158
data/spec/version/version_spec.rb +0 -17

data/spec/requests/flows/password_spec.rb DELETED Viewed

@@ -1,259 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-describe "Resource Owner Password Credentials Flow not set up" do
-  before do
-    client_exists
-    create_resource_owner
-  end
-  context "with valid user credentials" do
-    it "does not issue new token" do
-      expect do
-        post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-      end.to_not(change { Doorkeeper::AccessToken.count })
-    end
-  end
-end
-describe "Resource Owner Password Credentials Flow" do
-  let(:client_attributes) { { redirect_uri: nil } }
-  before do
-    config_is_set(:grant_flows, ["password"])
-    config_is_set(:resource_owner_from_credentials) { User.authenticate! params[:username], params[:password] }
-    client_exists(client_attributes)
-    create_resource_owner
-  end
-  context "with valid user credentials" do
-    context "with non-confidential/public client" do
-      let(:client_attributes) { { confidential: false } }
-      context "when client_secret absent" do
-        it "should issue new token" do
-          expect do
-            post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
-          end.to change { Doorkeeper::AccessToken.count }.by(1)
-          token = Doorkeeper::AccessToken.first
-          expect(token.application_id).to eq @client.id
-          should_have_json "access_token", token.token
-        end
-      end
-      context "when client_secret present" do
-        it "should issue new token" do
-          expect do
-            post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-          end.to change { Doorkeeper::AccessToken.count }.by(1)
-          token = Doorkeeper::AccessToken.first
-          expect(token.application_id).to eq @client.id
-          should_have_json "access_token", token.token
-        end
-        context "when client_secret incorrect" do
-          it "should not issue new token" do
-            expect do
-              post password_token_endpoint_url(
-                client_id: @client.uid,
-                client_secret: "foobar",
-                resource_owner: @resource_owner
-              )
-            end.not_to(change { Doorkeeper::AccessToken.count })
-            expect(response.status).to eq(401)
-            should_have_json "error", "invalid_client"
-          end
-        end
-      end
-    end
-    context "with confidential/private client" do
-      it "should issue new token" do
-        expect do
-          post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-        end.to change { Doorkeeper::AccessToken.count }.by(1)
-        token = Doorkeeper::AccessToken.first
-        expect(token.application_id).to eq @client.id
-        should_have_json "access_token", token.token
-      end
-      context "when client_secret absent" do
-        it "should not issue new token" do
-          expect do
-            post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
-          end.not_to(change { Doorkeeper::AccessToken.count })
-          expect(response.status).to eq(401)
-          should_have_json "error", "invalid_client"
-        end
-      end
-    end
-    it "should issue new token without client credentials" do
-      expect do
-        post password_token_endpoint_url(resource_owner: @resource_owner)
-      end.to(change { Doorkeeper::AccessToken.count }.by(1))
-      token = Doorkeeper::AccessToken.first
-      expect(token.application_id).to be_nil
-      should_have_json "access_token", token.token
-    end
-    it "should issue a refresh token if enabled" do
-      config_is_set(:refresh_token_enabled, true)
-      post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-      token = Doorkeeper::AccessToken.first
-      should_have_json "refresh_token", token.refresh_token
-    end
-    it "should return the same token if it is still accessible" do
-      allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
-      client_is_authorized(@client, @resource_owner)
-      post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-      expect(Doorkeeper::AccessToken.count).to be(1)
-      should_have_json "access_token", Doorkeeper::AccessToken.first.token
-    end
-    context "with valid, default scope" do
-      before do
-        default_scopes_exist :public
-      end
-      it "should issue new token" do
-        expect do
-          post password_token_endpoint_url(client: @client, resource_owner: @resource_owner, scope: "public")
-        end.to change { Doorkeeper::AccessToken.count }.by(1)
-        token = Doorkeeper::AccessToken.first
-        expect(token.application_id).to eq @client.id
-        should_have_json "access_token", token.token
-        should_have_json "scope", "public"
-      end
-    end
-  end
-  context "when application scopes are present and differs from configured default scopes and no scope is passed" do
-    before do
-      default_scopes_exist :public
-      @client.update(scopes: "abc")
-    end
-    it "issues new token without any scope" do
-      expect do
-        post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-      end.to change { Doorkeeper::AccessToken.count }.by(1)
-      token = Doorkeeper::AccessToken.first
-      expect(token.application_id).to eq @client.id
-      expect(token.scopes).to be_empty
-      should_have_json "access_token", token.token
-      should_not_have_json "scope"
-    end
-  end
-  context "when application scopes contain some of the default scopes and no scope is passed" do
-    before do
-      @client.update(scopes: "read write public")
-    end
-    it "issues new token with one default scope that are present in application scopes" do
-      default_scopes_exist :public, :admin
-      expect do
-        post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-      end.to change { Doorkeeper::AccessToken.count }.by(1)
-      token = Doorkeeper::AccessToken.first
-      expect(token.application_id).to eq @client.id
-      should_have_json "access_token", token.token
-      should_have_json "scope", "public"
-    end
-    it "issues new token with multiple default scopes that are present in application scopes" do
-      default_scopes_exist :public, :read, :update
-      expect do
-        post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-      end.to change { Doorkeeper::AccessToken.count }.by(1)
-      token = Doorkeeper::AccessToken.first
-      expect(token.application_id).to eq @client.id
-      should_have_json "access_token", token.token
-      should_have_json "scope", "public read"
-    end
-  end
-  context "with invalid scopes" do
-    subject do
-      post password_token_endpoint_url(client: @client,
-                                       resource_owner: @resource_owner,
-                                       scope: "random")
-    end
-    it "should not issue new token" do
-      expect { subject }.to_not(change { Doorkeeper::AccessToken.count })
-    end
-    it "should return invalid_scope error" do
-      subject
-      should_have_json "error", "invalid_scope"
-      should_have_json "error_description", translated_error_message(:invalid_scope)
-      should_not_have_json "access_token"
-      expect(response.status).to eq(400)
-    end
-  end
-  context "with invalid user credentials" do
-    it "should not issue new token with bad password" do
-      expect do
-        post password_token_endpoint_url(client: @client,
-                                         resource_owner_username: @resource_owner.name,
-                                         resource_owner_password: "wrongpassword")
-      end.to_not(change { Doorkeeper::AccessToken.count })
-    end
-    it "should not issue new token without credentials" do
-      expect do
-        post password_token_endpoint_url(client: @client)
-      end.to_not(change { Doorkeeper::AccessToken.count })
-    end
-  end
-  context "with invalid confidential client credentials" do
-    it "should not issue new token with bad client credentials" do
-      expect do
-        post password_token_endpoint_url(client_id: @client.uid,
-                                         client_secret: "bad_secret",
-                                         resource_owner: @resource_owner)
-      end.to_not(change { Doorkeeper::AccessToken.count })
-    end
-  end
-  context "with invalid public client id" do
-    it "should not issue new token with bad client id" do
-      expect do
-        post password_token_endpoint_url(client_id: "bad_id", resource_owner: @resource_owner)
-      end.to_not(change { Doorkeeper::AccessToken.count })
-    end
-  end
-end

data/spec/requests/flows/refresh_token_spec.rb DELETED Viewed

@@ -1,233 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-describe "Refresh Token Flow" do
-  before do
-    Doorkeeper.configure do
-      orm DOORKEEPER_ORM
-      use_refresh_token
-    end
-    client_exists
-  end
-  context "issuing a refresh token" do
-    before do
-      authorization_code_exists application: @client
-    end
-    it "client gets the refresh token and refreshes it" do
-      post token_endpoint_url(code: @authorization.token, client: @client)
-      token = Doorkeeper::AccessToken.first
-      should_have_json "access_token",  token.token
-      should_have_json "refresh_token", token.refresh_token
-      expect(@authorization.reload).to be_revoked
-      post refresh_token_endpoint_url(client: @client, refresh_token: token.refresh_token)
-      new_token = Doorkeeper::AccessToken.last
-      should_have_json "access_token",  new_token.token
-      should_have_json "refresh_token", new_token.refresh_token
-      expect(token.token).not_to         eq(new_token.token)
-      expect(token.refresh_token).not_to eq(new_token.refresh_token)
-    end
-  end
-  context "refreshing the token" do
-    before do
-      @token = FactoryBot.create(
-        :access_token,
-        application: @client,
-        resource_owner_id: 1,
-        use_refresh_token: true
-      )
-    end
-    context "refresh_token revoked on use" do
-      it "client request a token with refresh token" do
-        post refresh_token_endpoint_url(
-          client: @client, refresh_token: @token.refresh_token
-        )
-        should_have_json(
-          "refresh_token", Doorkeeper::AccessToken.last.refresh_token
-        )
-        expect(@token.reload).not_to be_revoked
-      end
-      it "client request a token with expired access token" do
-        @token.update_attribute :expires_in, -100
-        post refresh_token_endpoint_url(
-          client: @client, refresh_token: @token.refresh_token
-        )
-        should_have_json(
-          "refresh_token", Doorkeeper::AccessToken.last.refresh_token
-        )
-        expect(@token.reload).not_to be_revoked
-      end
-    end
-    context "refresh_token revoked on refresh_token request" do
-      before do
-        allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
-      end
-      it "client request a token with refresh token" do
-        post refresh_token_endpoint_url(
-          client: @client, refresh_token: @token.refresh_token
-        )
-        should_have_json(
-          "refresh_token", Doorkeeper::AccessToken.last.refresh_token
-        )
-        expect(@token.reload).to be_revoked
-      end
-      it "client request a token with expired access token" do
-        @token.update_attribute :expires_in, -100
-        post refresh_token_endpoint_url(
-          client: @client, refresh_token: @token.refresh_token
-        )
-        should_have_json(
-          "refresh_token", Doorkeeper::AccessToken.last.refresh_token
-        )
-        expect(@token.reload).to be_revoked
-      end
-    end
-    context "public & private clients" do
-      let(:public_client) do
-        FactoryBot.create(
-          :application,
-          confidential: false
-        )
-      end
-      let(:token_for_private_client) do
-        FactoryBot.create(
-          :access_token,
-          application: @client,
-          resource_owner_id: 1,
-          use_refresh_token: true
-        )
-      end
-      let(:token_for_public_client) do
-        FactoryBot.create(
-          :access_token,
-          application: public_client,
-          resource_owner_id: 1,
-          use_refresh_token: true
-        )
-      end
-      it "issues a new token without client_secret when refresh token was issued to a public client" do
-        post refresh_token_endpoint_url(
-          client_id: public_client.uid,
-          refresh_token: token_for_public_client.refresh_token
-        )
-        new_token = Doorkeeper::AccessToken.last
-        should_have_json "access_token",  new_token.token
-        should_have_json "refresh_token", new_token.refresh_token
-      end
-      it "returns an error without credentials" do
-        post refresh_token_endpoint_url(refresh_token: token_for_private_client.refresh_token)
-        should_not_have_json "refresh_token"
-        should_have_json "error", "invalid_grant"
-      end
-      it "returns an error with wrong credentials" do
-        post refresh_token_endpoint_url(
-          client_id: "1",
-          client_secret: "1",
-          refresh_token: token_for_private_client.refresh_token
-        )
-        should_not_have_json "refresh_token"
-        should_have_json "error", "invalid_client"
-      end
-    end
-    it "client gets an error for invalid refresh token" do
-      post refresh_token_endpoint_url(client: @client, refresh_token: "invalid")
-      should_not_have_json "refresh_token"
-      should_have_json "error", "invalid_grant"
-    end
-    it "client gets an error for revoked access token" do
-      @token.revoke
-      post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
-      should_not_have_json "refresh_token"
-      should_have_json "error", "invalid_grant"
-    end
-    it "second of simultaneous client requests get an error for revoked access token" do
-      allow_any_instance_of(Doorkeeper::AccessToken).to receive(:revoked?).and_return(false, true)
-      post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
-      should_not_have_json "refresh_token"
-      should_have_json "error", "invalid_request"
-    end
-  end
-  context "refreshing the token with multiple sessions (devices)" do
-    before do
-      # enable password auth to simulate other devices
-      config_is_set(:grant_flows, ["password"])
-      config_is_set(:resource_owner_from_credentials) do
-        User.authenticate! params[:username], params[:password]
-      end
-      create_resource_owner
-      _another_token = post password_token_endpoint_url(
-        client: @client, resource_owner: @resource_owner
-      )
-      last_token.update_attribute :created_at, 5.seconds.ago
-      @token = FactoryBot.create(
-        :access_token,
-        application: @client,
-        resource_owner_id: @resource_owner.id,
-        use_refresh_token: true
-      )
-      @token.update_attribute :expires_in, -100
-    end
-    context "refresh_token revoked on use" do
-      it "client request a token after creating another token with the same user" do
-        post refresh_token_endpoint_url(
-          client: @client, refresh_token: @token.refresh_token
-        )
-        should_have_json "refresh_token", last_token.refresh_token
-        expect(@token.reload).not_to be_revoked
-      end
-    end
-    context "refresh_token revoked on refresh_token request" do
-      before do
-        allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
-      end
-      it "client request a token after creating another token with the same user" do
-        post refresh_token_endpoint_url(
-          client: @client, refresh_token: @token.refresh_token
-        )
-        should_have_json "refresh_token", last_token.refresh_token
-        expect(@token.reload).to be_revoked
-      end
-    end
-    def last_token
-      Doorkeeper::AccessToken.last_authorized_token_for(
-        @client.id, @resource_owner.id
-      )
-    end
-  end
-end

data/spec/requests/flows/revoke_token_spec.rb DELETED Viewed

@@ -1,143 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-describe "Revoke Token Flow" do
-  before do
-    Doorkeeper.configure { orm DOORKEEPER_ORM }
-  end
-  context "with default parameters" do
-    let(:client_application) { FactoryBot.create :application }
-    let(:resource_owner) { User.create!(name: "John", password: "sekret") }
-    let(:access_token) do
-      FactoryBot.create(:access_token,
-                        application: client_application,
-                        resource_owner_id: resource_owner.id,
-                        use_refresh_token: true)
-    end
-    context "with authenticated, confidential OAuth 2.0 client/application" do
-      let(:headers) do
-        client_id = client_application.uid
-        client_secret = client_application.secret
-        credentials = Base64.encode64("#{client_id}:#{client_secret}")
-        { "HTTP_AUTHORIZATION" => "Basic #{credentials}" }
-      end
-      it "should revoke the access token provided" do
-        post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
-        expect(response).to be_successful
-        expect(access_token.reload.revoked?).to be_truthy
-      end
-      it "should revoke the refresh token provided" do
-        post revocation_token_endpoint_url, params: { token: access_token.refresh_token }, headers: headers
-        expect(response).to be_successful
-        expect(access_token.reload.revoked?).to be_truthy
-      end
-      context "with invalid token to revoke" do
-        it "should not revoke any tokens and respond successfully" do
-          expect do
-            post revocation_token_endpoint_url,
-                 params: { token: "I_AM_AN_INVALID_TOKEN" },
-                 headers: headers
-          end.not_to(change { Doorkeeper::AccessToken.where(revoked_at: nil).count })
-          # The authorization server responds with HTTP status code 200 even if
-          # token is invalid
-          expect(response).to be_successful
-        end
-      end
-      context "with bad credentials and a valid token" do
-        let(:headers) do
-          client_id = client_application.uid
-          credentials = Base64.encode64("#{client_id}:poop")
-          { "HTTP_AUTHORIZATION" => "Basic #{credentials}" }
-        end
-        it "should not revoke any tokens and respond successfully" do
-          post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
-          expect(response).to be_successful
-          expect(access_token.reload.revoked?).to be_falsey
-        end
-      end
-      context "with no credentials and a valid token" do
-        it "should not revoke any tokens and respond successfully" do
-          post revocation_token_endpoint_url, params: { token: access_token.token }
-          expect(response).to be_successful
-          expect(access_token.reload.revoked?).to be_falsey
-        end
-      end
-      context "with valid token for another client application" do
-        let(:other_client_application) { FactoryBot.create :application }
-        let(:headers) do
-          client_id = other_client_application.uid
-          client_secret = other_client_application.secret
-          credentials = Base64.encode64("#{client_id}:#{client_secret}")
-          { "HTTP_AUTHORIZATION" => "Basic #{credentials}" }
-        end
-        it "should not revoke the token as its unauthorized" do
-          post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
-          expect(response).to be_successful
-          expect(access_token.reload.revoked?).to be_falsey
-        end
-      end
-    end
-    context "with public OAuth 2.0 client/application" do
-      let(:access_token) do
-        FactoryBot.create(:access_token,
-                          application: nil,
-                          resource_owner_id: resource_owner.id,
-                          use_refresh_token: true)
-      end
-      it "should revoke the access token provided" do
-        post revocation_token_endpoint_url, params: { token: access_token.token }
-        expect(response).to be_successful
-        expect(access_token.reload.revoked?).to be_truthy
-      end
-      it "should revoke the refresh token provided" do
-        post revocation_token_endpoint_url, params: { token: access_token.refresh_token }
-        expect(response).to be_successful
-        expect(access_token.reload.revoked?).to be_truthy
-      end
-      context "with a valid token issued for a confidential client" do
-        let(:access_token) do
-          FactoryBot.create(:access_token,
-                            application: client_application,
-                            resource_owner_id: resource_owner.id,
-                            use_refresh_token: true)
-        end
-        it "should not revoke the access token provided" do
-          post revocation_token_endpoint_url, params: { token: access_token.token }
-          expect(response).to be_successful
-          expect(access_token.reload.revoked?).to be_falsey
-        end
-        it "should not revoke the refresh token provided" do
-          post revocation_token_endpoint_url, params: { token: access_token.token }
-          expect(response).to be_successful
-          expect(access_token.reload.revoked?).to be_falsey
-        end
-      end
-    end
-  end
-end

data/spec/requests/flows/skip_authorization_spec.rb DELETED Viewed

@@ -1,66 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-feature "Skip authorization form" do
-  background do
-    config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
-    client_exists
-    default_scopes_exist  :public
-    optional_scopes_exist :write
-  end
-  context "for previously authorized clients" do
-    background do
-      create_resource_owner
-      sign_in
-    end
-    scenario "skips the authorization and return a new grant code" do
-      client_is_authorized(@client, @resource_owner, scopes: "public")
-      visit authorization_endpoint_url(client: @client, scope: "public")
-      i_should_not_see "Authorize"
-      client_should_be_authorized @client
-      i_should_be_on_client_callback @client
-      url_should_have_param "code", Doorkeeper::AccessGrant.first.token
-    end
-    scenario "skips the authorization if other scopes are not requested" do
-      client_exists scopes: "public read write"
-      client_is_authorized(@client, @resource_owner, scopes: "public")
-      visit authorization_endpoint_url(client: @client, scope: "public")
-      i_should_not_see "Authorize"
-      client_should_be_authorized @client
-      i_should_be_on_client_callback @client
-      url_should_have_param "code", Doorkeeper::AccessGrant.first.token
-    end
-    scenario "does not skip authorization when scopes differ (new request has fewer scopes)" do
-      client_is_authorized(@client, @resource_owner, scopes: "public write")
-      visit authorization_endpoint_url(client: @client, scope: "public")
-      i_should_see "Authorize"
-    end
-    scenario "does not skip authorization when scopes differ (new request has more scopes)" do
-      client_is_authorized(@client, @resource_owner, scopes: "public write")
-      visit authorization_endpoint_url(client: @client, scopes: "public write email")
-      i_should_see "Authorize"
-    end
-    scenario "creates grant with new scope when scopes differ" do
-      client_is_authorized(@client, @resource_owner, scopes: "public write")
-      visit authorization_endpoint_url(client: @client, scope: "public")
-      click_on "Authorize"
-      access_grant_should_have_scopes :public
-    end
-    scenario "creates grant with new scope when scopes are greater" do
-      client_is_authorized(@client, @resource_owner, scopes: "public")
-      visit authorization_endpoint_url(client: @client, scope: "public write")
-      click_on "Authorize"
-      access_grant_should_have_scopes :public, :write
-    end
-  end
-end