RubyGems - doorkeeper - Versions diffs - 5.1.2 → 5.6.6 - Mend

doorkeeper 5.1.2 → 5.6.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (272) hide show

checksums.yaml +4 -4
data/{NEWS.md → CHANGELOG.md} +314 -27
data/README.md +39 -22
data/app/controllers/doorkeeper/application_controller.rb +3 -2
data/app/controllers/doorkeeper/application_metal_controller.rb +3 -2
data/app/controllers/doorkeeper/applications_controller.rb +5 -4
data/app/controllers/doorkeeper/authorizations_controller.rb +76 -25
data/app/controllers/doorkeeper/authorized_applications_controller.rb +5 -5
data/app/controllers/doorkeeper/token_info_controller.rb +12 -2
data/app/controllers/doorkeeper/tokens_controller.rb +99 -28
data/app/helpers/doorkeeper/dashboard_helper.rb +1 -1
data/app/views/doorkeeper/applications/_form.html.erb +1 -7
data/app/views/doorkeeper/applications/show.html.erb +35 -14
data/app/views/doorkeeper/authorizations/error.html.erb +3 -1
data/app/views/doorkeeper/authorizations/form_post.html.erb +15 -0
data/app/views/doorkeeper/authorizations/new.html.erb +16 -14
data/config/locales/en.yml +16 -3
data/lib/doorkeeper/config/abstract_builder.rb +28 -0
data/lib/doorkeeper/config/option.rb +20 -2
data/lib/doorkeeper/config/validations.rb +53 -0
data/lib/doorkeeper/config.rb +300 -136
data/lib/doorkeeper/engine.rb +10 -3
data/lib/doorkeeper/errors.rb +13 -18
data/lib/doorkeeper/grant_flow/fallback_flow.rb +15 -0
data/lib/doorkeeper/grant_flow/flow.rb +44 -0
data/lib/doorkeeper/grant_flow/registry.rb +50 -0
data/lib/doorkeeper/grant_flow.rb +45 -0
data/lib/doorkeeper/grape/helpers.rb +7 -3
data/lib/doorkeeper/helpers/controller.rb +36 -11
data/lib/doorkeeper/models/access_grant_mixin.rb +23 -19
data/lib/doorkeeper/models/access_token_mixin.rb +195 -52
data/lib/doorkeeper/models/application_mixin.rb +8 -7
data/lib/doorkeeper/models/concerns/expirable.rb +1 -1
data/lib/doorkeeper/models/concerns/expiration_time_sql_math.rb +88 -0
data/lib/doorkeeper/models/concerns/ownership.rb +1 -1
data/lib/doorkeeper/models/concerns/polymorphic_resource_owner.rb +30 -0
data/lib/doorkeeper/models/concerns/resource_ownerable.rb +47 -0
data/lib/doorkeeper/models/concerns/reusable.rb +1 -1
data/lib/doorkeeper/models/concerns/revocable.rb +1 -28
data/lib/doorkeeper/models/concerns/scopes.rb +5 -1
data/lib/doorkeeper/models/concerns/secret_storable.rb +1 -3
data/lib/doorkeeper/oauth/authorization/code.rb +31 -14
data/lib/doorkeeper/oauth/authorization/context.rb +5 -5
data/lib/doorkeeper/oauth/authorization/token.rb +30 -19
data/lib/doorkeeper/oauth/authorization/uri_builder.rb +4 -4
data/lib/doorkeeper/oauth/authorization_code_request.rb +51 -22
data/lib/doorkeeper/oauth/base_request.rb +21 -22
data/lib/doorkeeper/oauth/client/credentials.rb +2 -4
data/lib/doorkeeper/oauth/client.rb +8 -9
data/lib/doorkeeper/oauth/client_credentials/creator.rb +42 -5
data/lib/doorkeeper/oauth/client_credentials/issuer.rb +10 -8
data/lib/doorkeeper/oauth/client_credentials/{validation.rb → validator.rb} +14 -5
data/lib/doorkeeper/oauth/client_credentials_request.rb +8 -7
data/lib/doorkeeper/oauth/code_request.rb +6 -12
data/lib/doorkeeper/oauth/code_response.rb +24 -14
data/lib/doorkeeper/oauth/error.rb +1 -1
data/lib/doorkeeper/oauth/error_response.rb +11 -13
data/lib/doorkeeper/oauth/forbidden_token_response.rb +2 -1
data/lib/doorkeeper/oauth/helpers/scope_checker.rb +8 -12
data/lib/doorkeeper/oauth/helpers/unique_token.rb +10 -7
data/lib/doorkeeper/oauth/helpers/uri_checker.rb +19 -23
data/lib/doorkeeper/oauth/hooks/context.rb +21 -0
data/lib/doorkeeper/oauth/invalid_request_response.rb +43 -0
data/lib/doorkeeper/oauth/invalid_token_response.rb +7 -4
data/lib/doorkeeper/oauth/nonstandard.rb +39 -0
data/lib/doorkeeper/oauth/password_access_token_request.rb +34 -11
data/lib/doorkeeper/oauth/pre_authorization.rb +114 -44
data/lib/doorkeeper/oauth/refresh_token_request.rb +54 -34
data/lib/doorkeeper/oauth/token.rb +6 -7
data/lib/doorkeeper/oauth/token_introspection.rb +28 -22
data/lib/doorkeeper/oauth/token_request.rb +6 -20
data/lib/doorkeeper/oauth/token_response.rb +2 -3
data/lib/doorkeeper/orm/active_record/access_grant.rb +4 -43
data/lib/doorkeeper/orm/active_record/access_token.rb +4 -35
data/lib/doorkeeper/orm/active_record/application.rb +5 -149
data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +63 -0
data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +77 -0
data/lib/doorkeeper/orm/active_record/mixins/application.rb +210 -0
data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb +66 -0
data/lib/doorkeeper/orm/active_record/stale_records_cleaner.rb +5 -2
data/lib/doorkeeper/orm/active_record.rb +29 -22
data/lib/doorkeeper/rails/helpers.rb +4 -4
data/lib/doorkeeper/rails/routes/abstract_router.rb +35 -0
data/lib/doorkeeper/rails/routes/mapper.rb +2 -2
data/lib/doorkeeper/rails/routes/registry.rb +45 -0
data/lib/doorkeeper/rails/routes.rb +28 -27
data/lib/doorkeeper/rake/db.rake +6 -6
data/lib/doorkeeper/request/authorization_code.rb +5 -3
data/lib/doorkeeper/request/client_credentials.rb +2 -2
data/lib/doorkeeper/request/password.rb +3 -2
data/lib/doorkeeper/request/refresh_token.rb +5 -4
data/lib/doorkeeper/request/strategy.rb +2 -2
data/lib/doorkeeper/request.rb +49 -17
data/lib/doorkeeper/server.rb +7 -11
data/lib/doorkeeper/stale_records_cleaner.rb +6 -2
data/lib/doorkeeper/version.rb +2 -6
data/lib/doorkeeper.rb +183 -80
data/lib/generators/doorkeeper/application_owner_generator.rb +1 -1
data/lib/generators/doorkeeper/confidential_applications_generator.rb +2 -2
data/lib/generators/doorkeeper/enable_polymorphic_resource_owner_generator.rb +39 -0
data/lib/generators/doorkeeper/migration_generator.rb +1 -1
data/lib/generators/doorkeeper/pkce_generator.rb +1 -1
data/lib/generators/doorkeeper/previous_refresh_token_generator.rb +7 -7
data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +3 -1
data/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb.erb +2 -0
data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +2 -0
data/lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb +17 -0
data/lib/generators/doorkeeper/templates/initializer.rb +230 -50
data/lib/generators/doorkeeper/templates/migration.rb.erb +31 -9
metadata +61 -327
data/.coveralls.yml +0 -1
data/.github/ISSUE_TEMPLATE.md +0 -25
data/.github/PULL_REQUEST_TEMPLATE.md +0 -17
data/.gitignore +0 -20
data/.gitlab-ci.yml +0 -16
data/.hound.yml +0 -3
data/.rspec +0 -1
data/.rubocop.yml +0 -50
data/.travis.yml +0 -35
data/Appraisals +0 -40
data/CODE_OF_CONDUCT.md +0 -46
data/CONTRIBUTING.md +0 -47
data/Dangerfile +0 -67
data/Gemfile +0 -24
data/RELEASING.md +0 -10
data/Rakefile +0 -28
data/SECURITY.md +0 -15
data/UPGRADE.md +0 -2
data/app/validators/redirect_uri_validator.rb +0 -50
data/bin/console +0 -16
data/doorkeeper.gemspec +0 -34
data/gemfiles/rails_5_0.gemfile +0 -17
data/gemfiles/rails_5_1.gemfile +0 -17
data/gemfiles/rails_5_2.gemfile +0 -17
data/gemfiles/rails_6_0.gemfile +0 -17
data/gemfiles/rails_master.gemfile +0 -17
data/spec/controllers/application_metal_controller_spec.rb +0 -64
data/spec/controllers/applications_controller_spec.rb +0 -180
data/spec/controllers/authorizations_controller_spec.rb +0 -527
data/spec/controllers/protected_resources_controller_spec.rb +0 -353
data/spec/controllers/token_info_controller_spec.rb +0 -50
data/spec/controllers/tokens_controller_spec.rb +0 -330
data/spec/dummy/Rakefile +0 -9
data/spec/dummy/app/assets/config/manifest.js +0 -2
data/spec/dummy/app/controllers/application_controller.rb +0 -5
data/spec/dummy/app/controllers/custom_authorizations_controller.rb +0 -9
data/spec/dummy/app/controllers/full_protected_resources_controller.rb +0 -14
data/spec/dummy/app/controllers/home_controller.rb +0 -18
data/spec/dummy/app/controllers/metal_controller.rb +0 -13
data/spec/dummy/app/controllers/semi_protected_resources_controller.rb +0 -13
data/spec/dummy/app/helpers/application_helper.rb +0 -7
data/spec/dummy/app/models/user.rb +0 -7
data/spec/dummy/app/views/home/index.html.erb +0 -0
data/spec/dummy/app/views/layouts/application.html.erb +0 -14
data/spec/dummy/config/application.rb +0 -47
data/spec/dummy/config/boot.rb +0 -7
data/spec/dummy/config/database.yml +0 -15
data/spec/dummy/config/environment.rb +0 -5
data/spec/dummy/config/environments/development.rb +0 -31
data/spec/dummy/config/environments/production.rb +0 -64
data/spec/dummy/config/environments/test.rb +0 -45
data/spec/dummy/config/initializers/backtrace_silencers.rb +0 -9
data/spec/dummy/config/initializers/doorkeeper.rb +0 -121
data/spec/dummy/config/initializers/secret_token.rb +0 -10
data/spec/dummy/config/initializers/session_store.rb +0 -10
data/spec/dummy/config/initializers/wrap_parameters.rb +0 -16
data/spec/dummy/config/locales/doorkeeper.en.yml +0 -5
data/spec/dummy/config/routes.rb +0 -13
data/spec/dummy/config.ru +0 -6
data/spec/dummy/db/migrate/20111122132257_create_users.rb +0 -11
data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb +0 -7
data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +0 -69
data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb +0 -9
data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb +0 -13
data/spec/dummy/db/migrate/20170822064514_enable_pkce.rb +0 -8
data/spec/dummy/db/migrate/20180210183654_add_confidential_to_applications.rb +0 -13
data/spec/dummy/db/schema.rb +0 -68
data/spec/dummy/public/404.html +0 -26
data/spec/dummy/public/422.html +0 -26
data/spec/dummy/public/500.html +0 -26
data/spec/dummy/public/favicon.ico +0 -0
data/spec/dummy/script/rails +0 -9
data/spec/factories.rb +0 -30
data/spec/generators/application_owner_generator_spec.rb +0 -28
data/spec/generators/confidential_applications_generator_spec.rb +0 -29
data/spec/generators/install_generator_spec.rb +0 -36
data/spec/generators/migration_generator_spec.rb +0 -28
data/spec/generators/pkce_generator_spec.rb +0 -28
data/spec/generators/previous_refresh_token_generator_spec.rb +0 -44
data/spec/generators/templates/routes.rb +0 -4
data/spec/generators/views_generator_spec.rb +0 -29
data/spec/grape/grape_integration_spec.rb +0 -137
data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +0 -26
data/spec/lib/config_spec.rb +0 -697
data/spec/lib/doorkeeper_spec.rb +0 -27
data/spec/lib/models/expirable_spec.rb +0 -61
data/spec/lib/models/reusable_spec.rb +0 -40
data/spec/lib/models/revocable_spec.rb +0 -59
data/spec/lib/models/scopes_spec.rb +0 -53
data/spec/lib/models/secret_storable_spec.rb +0 -135
data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -39
data/spec/lib/oauth/authorization_code_request_spec.rb +0 -156
data/spec/lib/oauth/base_request_spec.rb +0 -205
data/spec/lib/oauth/base_response_spec.rb +0 -47
data/spec/lib/oauth/client/credentials_spec.rb +0 -90
data/spec/lib/oauth/client_credentials/creator_spec.rb +0 -94
data/spec/lib/oauth/client_credentials/issuer_spec.rb +0 -112
data/spec/lib/oauth/client_credentials/validation_spec.rb +0 -59
data/spec/lib/oauth/client_credentials_integration_spec.rb +0 -29
data/spec/lib/oauth/client_credentials_request_spec.rb +0 -109
data/spec/lib/oauth/client_spec.rb +0 -38
data/spec/lib/oauth/code_request_spec.rb +0 -47
data/spec/lib/oauth/code_response_spec.rb +0 -36
data/spec/lib/oauth/error_response_spec.rb +0 -66
data/spec/lib/oauth/error_spec.rb +0 -23
data/spec/lib/oauth/forbidden_token_response_spec.rb +0 -22
data/spec/lib/oauth/helpers/scope_checker_spec.rb +0 -98
data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -21
data/spec/lib/oauth/helpers/uri_checker_spec.rb +0 -247
data/spec/lib/oauth/invalid_token_response_spec.rb +0 -55
data/spec/lib/oauth/password_access_token_request_spec.rb +0 -192
data/spec/lib/oauth/pre_authorization_spec.rb +0 -215
data/spec/lib/oauth/refresh_token_request_spec.rb +0 -177
data/spec/lib/oauth/scopes_spec.rb +0 -148
data/spec/lib/oauth/token_request_spec.rb +0 -150
data/spec/lib/oauth/token_response_spec.rb +0 -86
data/spec/lib/oauth/token_spec.rb +0 -158
data/spec/lib/request/strategy_spec.rb +0 -54
data/spec/lib/secret_storing/base_spec.rb +0 -60
data/spec/lib/secret_storing/bcrypt_spec.rb +0 -49
data/spec/lib/secret_storing/plain_spec.rb +0 -44
data/spec/lib/secret_storing/sha256_hash_spec.rb +0 -48
data/spec/lib/server_spec.rb +0 -61
data/spec/lib/stale_records_cleaner_spec.rb +0 -89
data/spec/models/doorkeeper/access_grant_spec.rb +0 -144
data/spec/models/doorkeeper/access_token_spec.rb +0 -591
data/spec/models/doorkeeper/application_spec.rb +0 -472
data/spec/requests/applications/applications_request_spec.rb +0 -259
data/spec/requests/applications/authorized_applications_spec.rb +0 -32
data/spec/requests/endpoints/authorization_spec.rb +0 -73
data/spec/requests/endpoints/token_spec.rb +0 -75
data/spec/requests/flows/authorization_code_errors_spec.rb +0 -78
data/spec/requests/flows/authorization_code_spec.rb +0 -447
data/spec/requests/flows/client_credentials_spec.rb +0 -128
data/spec/requests/flows/implicit_grant_errors_spec.rb +0 -34
data/spec/requests/flows/implicit_grant_spec.rb +0 -90
data/spec/requests/flows/password_spec.rb +0 -259
data/spec/requests/flows/refresh_token_spec.rb +0 -233
data/spec/requests/flows/revoke_token_spec.rb +0 -143
data/spec/requests/flows/skip_authorization_spec.rb +0 -66
data/spec/requests/protected_resources/metal_spec.rb +0 -16
data/spec/requests/protected_resources/private_api_spec.rb +0 -83
data/spec/routing/custom_controller_routes_spec.rb +0 -133
data/spec/routing/default_routes_spec.rb +0 -41
data/spec/routing/scoped_routes_spec.rb +0 -47
data/spec/spec_helper.rb +0 -57
data/spec/spec_helper_integration.rb +0 -4
data/spec/support/dependencies/factory_bot.rb +0 -4
data/spec/support/doorkeeper_rspec.rb +0 -22
data/spec/support/helpers/access_token_request_helper.rb +0 -13
data/spec/support/helpers/authorization_request_helper.rb +0 -43
data/spec/support/helpers/config_helper.rb +0 -11
data/spec/support/helpers/model_helper.rb +0 -78
data/spec/support/helpers/request_spec_helper.rb +0 -98
data/spec/support/helpers/url_helper.rb +0 -62
data/spec/support/http_method_shim.rb +0 -29
data/spec/support/orm/active_record.rb +0 -5
data/spec/support/shared/controllers_shared_context.rb +0 -123
data/spec/support/shared/hashing_shared_context.rb +0 -36
data/spec/support/shared/models_shared_examples.rb +0 -54
data/spec/validators/redirect_uri_validator_spec.rb +0 -158
data/spec/version/version_spec.rb +0 -17

data/lib/doorkeeper/oauth/client_credentials_request.rb CHANGED Viewed

@@ -3,18 +3,12 @@
 module Doorkeeper
   module OAuth
     class ClientCredentialsRequest < BaseRequest
-      attr_accessor :server, :client, :original_scopes
-      attr_reader :response
-      attr_writer :issuer
+      attr_reader :client, :original_scopes, :response
       alias error_response response
       delegate :error, to: :issuer
-      def issuer
-        @issuer ||= Issuer.new(server, Validation.new(server, self))
-      end
       def initialize(server, client, parameters = {})
         @client = client
         @server = server
@@ -26,6 +20,13 @@ module Doorkeeper
         issuer.token
       end
+      def issuer
+        @issuer ||= ClientCredentials::Issuer.new(
+          server,
+          ClientCredentials::Validator.new(server, self),
+        )
+      end
       private
       def valid?

data/lib/doorkeeper/oauth/code_request.rb CHANGED Viewed

@@ -3,28 +3,22 @@
 module Doorkeeper
   module OAuth
     class CodeRequest
-      attr_accessor :pre_auth, :resource_owner, :client
+      attr_reader :pre_auth, :resource_owner
       def initialize(pre_auth, resource_owner)
-        @pre_auth       = pre_auth
-        @client         = pre_auth.client
+        @pre_auth = pre_auth
         @resource_owner = resource_owner
       end
       def authorize
-        if pre_auth.authorizable?
-          auth = Authorization::Code.new(pre_auth, resource_owner)
-          auth.issue_token
-          @response = CodeResponse.new pre_auth, auth
-        else
-          @response = ErrorResponse.from_request pre_auth
-        end
+        auth = Authorization::Code.new(pre_auth, resource_owner)
+        auth.issue_token!
+        CodeResponse.new(pre_auth, auth, response_on_fragment: pre_auth.response_mode == "fragment")
       end
       def deny
         pre_auth.error = :access_denied
-        ErrorResponse.from_request pre_auth,
-                                   redirect_uri: pre_auth.redirect_uri
+        pre_auth.error_response
       end
     end
   end

data/lib/doorkeeper/oauth/code_response.rb CHANGED Viewed

@@ -5,7 +5,7 @@ module Doorkeeper
     class CodeResponse < BaseResponse
       include OAuth::Helpers
-      attr_accessor :pre_auth, :auth, :response_on_fragment
+      attr_reader :pre_auth, :auth, :response_on_fragment
       def initialize(pre_auth, auth, options = {})
         @pre_auth = pre_auth
@@ -17,23 +17,33 @@ module Doorkeeper
         true
       end
-      def redirect_uri
-        if URIChecker.native_uri? pre_auth.redirect_uri
-          auth.native_redirect
-        elsif response_on_fragment
-          Authorization::URIBuilder.uri_with_fragment(
-            pre_auth.redirect_uri,
+      def issued_token
+        auth.token
+      end
+      def body
+        if auth.try(:access_token?)
+          {
             access_token: auth.token.plaintext_token,
             token_type: auth.token.token_type,
             expires_in: auth.token.expires_in_seconds,
-            state: pre_auth.state
-          )
-        else
-          Authorization::URIBuilder.uri_with_query(
-            pre_auth.redirect_uri,
+            state: pre_auth.state,
+          }
+        elsif auth.try(:access_grant?)
+          {
             code: auth.token.plaintext_token,
-            state: pre_auth.state
-          )
+            state: pre_auth.state,
+          }
+        end
+      end
+      def redirect_uri
+        if URIChecker.oob_uri?(pre_auth.redirect_uri)
+          auth.oob_redirect
+        elsif response_on_fragment
+          Authorization::URIBuilder.uri_with_fragment(pre_auth.redirect_uri, body)
+        else
+          Authorization::URIBuilder.uri_with_query(pre_auth.redirect_uri, body)
         end
       end
     end

data/lib/doorkeeper/oauth/error.rb CHANGED Viewed

@@ -7,7 +7,7 @@ module Doorkeeper
         I18n.translate(
           name,
           scope: %i[doorkeeper errors messages],
-          default: :server_error
+          default: :server_error,
         )
       end
     end

data/lib/doorkeeper/oauth/error_response.rb CHANGED Viewed

@@ -5,13 +5,15 @@ module Doorkeeper
     class ErrorResponse < BaseResponse
       include OAuth::Helpers
+      NON_REDIRECTABLE_STATES = %i[invalid_redirect_uri invalid_client unauthorized_client].freeze
       def self.from_request(request, attributes = {})
         new(
           attributes.merge(
             name: request.error,
             state: request.try(:state),
-            redirect_uri: request.try(:redirect_uri)
-          )
+            redirect_uri: request.try(:redirect_uri),
+          ),
         )
       end
@@ -32,7 +34,7 @@ module Doorkeeper
       end
       def status
-        if name == :invalid_client
+        if name == :invalid_client || name == :unauthorized_client
           :unauthorized
         else
           :bad_request
@@ -40,22 +42,20 @@ module Doorkeeper
       end
       def redirectable?
-        name != :invalid_redirect_uri && name != :invalid_client &&
-          !URIChecker.native_uri?(@redirect_uri)
+        !NON_REDIRECTABLE_STATES.include?(name) && !URIChecker.oob_uri?(@redirect_uri)
       end
       def redirect_uri
         if @response_on_fragment
-          Authorization::URIBuilder.uri_with_fragment @redirect_uri, body
+          Authorization::URIBuilder.uri_with_fragment(@redirect_uri, body)
         else
-          Authorization::URIBuilder.uri_with_query @redirect_uri, body
+          Authorization::URIBuilder.uri_with_query(@redirect_uri, body)
         end
       end
       def headers
         {
-          "Cache-Control" => "no-store",
-          "Pragma" => "no-cache",
+          "Cache-Control" => "no-store, no-cache",
           "Content-Type" => "application/json; charset=utf-8",
           "WWW-Authenticate" => authenticate_info,
         }
@@ -67,10 +67,8 @@ module Doorkeeper
       protected
-      delegate :realm, to: :configuration
-      def configuration
-        Doorkeeper.configuration
+      def realm
+        Doorkeeper.config.realm
       end
       def exception_class

data/lib/doorkeeper/oauth/forbidden_token_response.rb CHANGED Viewed

@@ -23,7 +23,8 @@ module Doorkeeper
       end
       def description
-        @description ||= @scopes.map { |s| I18n.t(s, scope: %i[doorkeeper scopes]) }.join("\n")
+        @description ||= I18n.t("doorkeeper.errors.messages.forbidden_token.missing_scope",
+                                oauth_scopes: @scopes.map(&:to_s).join(" "),)
       end
       protected

data/lib/doorkeeper/oauth/helpers/scope_checker.rb CHANGED Viewed

@@ -12,9 +12,7 @@ module Doorkeeper
             @scope_str = scope_str
             @valid_scopes = valid_scopes(server_scopes, app_scopes)
-            if grant_type
-              @scopes_by_grant_type = Doorkeeper.configuration.scopes_by_grant_type[grant_type.to_sym]
-            end
+            @scopes_by_grant_type = Doorkeeper.config.scopes_by_grant_type[grant_type.to_sym] if grant_type
           end
           def valid?
@@ -27,11 +25,7 @@ module Doorkeeper
           private
           def valid_scopes(server_scopes, app_scopes)
-            if app_scopes.present?
-              app_scopes
-            else
-              server_scopes
-            end
+            app_scopes.presence || server_scopes
           end
           def permitted_to_grant_type?
@@ -43,10 +37,12 @@ module Doorkeeper
         end
         def self.valid?(scope_str:, server_scopes:, app_scopes: nil, grant_type: nil)
-          Validator.new(scope_str,
-                        server_scopes,
-                        app_scopes,
-                        grant_type).valid?
+          Validator.new(
+            scope_str,
+            server_scopes,
+            app_scopes,
+            grant_type,
+          ).valid?
         end
       end
     end

data/lib/doorkeeper/oauth/helpers/unique_token.rb CHANGED Viewed

@@ -3,23 +3,26 @@
 module Doorkeeper
   module OAuth
     module Helpers
+      # Default Doorkeeper token generator. Follows OAuth RFC and
+      # could be customized using `default_generator_method` in
+      # configuration.
       module UniqueToken
         def self.generate(options = {})
           # Access Token value must be 1*VSCHAR or
           # 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
           #
-          # @see https://tools.ietf.org/html/rfc6749#appendix-A.12
-          # @see https://tools.ietf.org/html/rfc6750#section-2.1
+          # @see https://datatracker.ietf.org/doc/html/rfc6749#appendix-A.12
+          # @see https://datatracker.ietf.org/doc/html/rfc6750#section-2.1
           #
-          generator_method = options.delete(:generator) || SecureRandom.method(self.generator_method)
-          token_size       = options.delete(:size)      || 32
-          generator_method.call(token_size)
+          generator = options.delete(:generator) || SecureRandom.method(default_generator_method)
+          token_size = options.delete(:size) || 32
+          generator.call(token_size)
         end
         # Generator method for default generator class (SecureRandom)
         #
-        def self.generator_method
-          Doorkeeper.configuration.default_generator_method
+        def self.default_generator_method
+          Doorkeeper.config.default_generator_method
         end
       end
     end

data/lib/doorkeeper/oauth/helpers/uri_checker.rb CHANGED Viewed

@@ -3,32 +3,14 @@
 require "ipaddr"
 module Doorkeeper
-  module IPAddrLoopback
-    def loopback?
-      case @family
-      when Socket::AF_INET
-        @addr & 0xff000000 == 0x7f000000
-      when Socket::AF_INET6
-        @addr == 1
-      else
-        raise AddressFamilyError, "unsupported address family"
-      end
-    end
-  end
-  # For backward compatibility with old rubies
-  if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("2.5.0")
-    IPAddr.send(:include, Doorkeeper::IPAddrLoopback)
-  end
   module OAuth
     module Helpers
       module URIChecker
         def self.valid?(url)
-          return true if native_uri?(url)
+          return true if oob_uri?(url)
           uri = as_uri(url)
-          uri.fragment.nil? && !uri.host.nil? && !uri.scheme.nil?
+          valid_scheme?(uri) && iff_host?(uri) && uri.fragment.nil? && uri.opaque.nil?
         rescue URI::InvalidURIError
           false
         end
@@ -46,7 +28,7 @@ module Doorkeeper
           end
           # RFC8252, Paragraph 7.3
-          # @see https://tools.ietf.org/html/rfc8252#section-7.3
+          # @see https://datatracker.ietf.org/doc/html/rfc8252#section-7.3
           if loopback_uri?(url) && loopback_uri?(client_url)
             url.port = nil
             client_url.port = nil
@@ -78,8 +60,22 @@ module Doorkeeper
           client_query.split("&").sort == query.split("&").sort
         end
-        def self.native_uri?(url)
-          url == Doorkeeper.configuration.native_redirect_uri
+        def self.valid_scheme?(uri)
+          return false if uri.scheme.blank?
+          %w[localhost].exclude?(uri.scheme)
+        end
+        def self.hypertext_scheme?(uri)
+          %w[http https].include?(uri.scheme)
+        end
+        def self.iff_host?(uri)
+          !(hypertext_scheme?(uri) && uri.host.blank?)
+        end
+        def self.oob_uri?(uri)
+          NonStandard::IETF_WG_OAUTH2_OOB_METHODS.include?(uri)
         end
       end
     end

data/lib/doorkeeper/oauth/hooks/context.rb ADDED Viewed

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+module Doorkeeper
+  module OAuth
+    module Hooks
+      class Context
+        attr_reader :auth, :pre_auth
+        def initialize(**attributes)
+          attributes.each do |name, value|
+            instance_variable_set(:"@#{name}", value) if respond_to?(name)
+          end
+        end
+        def issued_token
+          auth&.issued_token
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/oauth/invalid_request_response.rb ADDED Viewed

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+module Doorkeeper
+  module OAuth
+    class InvalidRequestResponse < ErrorResponse
+      attr_reader :reason
+      def self.from_request(request, attributes = {})
+        new(
+          attributes.merge(
+            state: request.try(:state),
+            redirect_uri: request.try(:redirect_uri),
+            missing_param: request.try(:missing_param),
+            reason: request.try(:invalid_request_reason),
+          ),
+        )
+      end
+      def initialize(attributes = {})
+        super(attributes.merge(name: :invalid_request))
+        @missing_param = attributes[:missing_param]
+        @reason = @missing_param.nil? ? attributes[:reason] : :missing_param
+      end
+      def status
+        :bad_request
+      end
+      def description
+        I18n.translate(
+          reason,
+          scope: %i[doorkeeper errors messages invalid_request],
+          default: :unknown,
+          value: @missing_param,
+        )
+      end
+      def redirectable?
+        super && @missing_param != :client_id
+      end
+    end
+  end
+end

data/lib/doorkeeper/oauth/invalid_token_response.rb CHANGED Viewed

@@ -6,9 +6,9 @@ module Doorkeeper
       attr_reader :reason
       def self.from_access_token(access_token, attributes = {})
-        reason = if access_token.try(:revoked?)
+        reason = if access_token&.revoked?
                    :revoked
-                 elsif access_token.try(:expired?)
+                 elsif access_token&.expired?
                    :expired
                  else
                    :unknown
@@ -27,8 +27,11 @@ module Doorkeeper
       end
       def description
-        scope = { scope: %i[doorkeeper errors messages invalid_token] }
-        @description ||= I18n.translate @reason, scope
+        @description ||=
+          I18n.translate(
+            @reason,
+            scope: %i[doorkeeper errors messages invalid_token],
+          )
       end
       protected

data/lib/doorkeeper/oauth/nonstandard.rb ADDED Viewed

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+module Doorkeeper
+  module OAuth
+    class NonStandard
+      # These are not part of the OAuth 2 specification but are still in use by Google
+      # and in some other implementations. Native applications should use one of the
+      # approaches discussed in RFC8252. OOB is 'Out of Band'
+      # This value signals to the Google Authorization Server that the authorization
+      # code should be returned in the title bar of the browser, with the page text
+      # prompting the user to copy the code and paste it in the application.
+      # This is useful when the client (such as a Windows application) cannot listen
+      # on an HTTP port without significant client configuration.
+      # When you use this value, your application can then detect that the page has loaded, and can
+      # read the title of the HTML page to obtain the authorization code. It is then up to your
+      # application to close the browser window if you want to ensure that the user never sees the
+      # page that contains the authorization code. The mechanism for doing this varies from platform
+      # to platform.
+      #
+      # If your platform doesn't allow you to detect that the page has loaded or read the title of
+      # the page, you can have the user paste the code back to your application, as prompted by the
+      # text in the confirmation page that the OAuth 2.0 server generates.
+      IETF_WG_OAUTH2_OOB = "urn:ietf:wg:oauth:2.0:oob"
+      # This is identical to urn:ietf:wg:oauth:2.0:oob, but the text in the confirmation page that
+      # the OAuth 2.0 server generates won't instruct the user to copy the authorization code, but
+      # instead will simply ask the user to close the window.
+      #
+      # This is useful when your application reads the title of the HTML page (by checking window
+      # titles on the desktop, for example) to obtain the authorization code, but can't close the
+      # page on its own.
+      IETF_WG_OAUTH2_OOB_AUTO = "urn:ietf:wg:oauth:2.0:oob:auto"
+      IETF_WG_OAUTH2_OOB_METHODS = [IETF_WG_OAUTH2_OOB, IETF_WG_OAUTH2_OOB_AUTO].freeze
+    end
+  end
+end

data/lib/doorkeeper/oauth/password_access_token_request.rb CHANGED Viewed

@@ -5,17 +5,18 @@ module Doorkeeper
     class PasswordAccessTokenRequest < BaseRequest
       include OAuth::Helpers
-      validate :client,         error: :invalid_client
+      validate :client, error: :invalid_client
+      validate :client_supports_grant_flow, error: :unauthorized_client
       validate :resource_owner, error: :invalid_grant
-      validate :scopes,         error: :invalid_scope
+      validate :scopes, error: :invalid_scope
-      attr_accessor :server, :client, :resource_owner, :parameters,
-                    :access_token
+      attr_reader :client, :credentials, :resource_owner, :parameters, :access_token
-      def initialize(server, client, resource_owner, parameters = {})
+      def initialize(server, client, credentials, resource_owner, parameters = {})
         @server          = server
         @resource_owner  = resource_owner
         @client          = client
+        @credentials     = credentials
         @parameters      = parameters
         @original_scopes = parameters[:scope]
         @grant_type      = Doorkeeper::OAuth::PASSWORD
@@ -24,28 +25,50 @@ module Doorkeeper
       private
       def before_successful_response
-        find_or_create_access_token(client, resource_owner.id, scopes, server)
+        find_or_create_access_token(client, resource_owner, scopes, {}, server)
         super
       end
       def validate_scopes
-        client_scopes = client.try(:scopes)
         return true if scopes.blank?
         ScopeChecker.valid?(
           scope_str: scopes.to_s,
           server_scopes: server.scopes,
-          app_scopes: client_scopes,
-          grant_type: grant_type
+          app_scopes: client.try(:scopes),
+          grant_type: grant_type,
         )
       end
       def validate_resource_owner
-        !resource_owner.nil?
+        resource_owner.present?
       end
+      # Section 4.3.2. Access Token Request for Resource Owner Password Credentials Grant:
+      #
+      #   If the client type is confidential or the client was issued client credentials (or assigned
+      #   other authentication requirements), the client MUST authenticate with the authorization
+      #   server as described in Section 3.2.1.
+      #
+      #   The authorization server MUST:
+      #
+      #    o  require client authentication for confidential clients or for any  client that was
+      #       issued client credentials (or with other authentication requirements)
+      #
+      #    o  authenticate the client if client authentication is included,
+      #
+      #   @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3
+      #
       def validate_client
-        !parameters[:client_id] || client.present?
+        if Doorkeeper.config.skip_client_authentication_for_password_grant
+          client.present? || (!parameters[:client_id] && credentials.blank?)
+        else
+          client.present?
+        end
+      end
+      def validate_client_supports_grant_flow
+        Doorkeeper.config.allow_grant_flow_for_client?(grant_type, client&.application)
       end
     end
   end