RubyGems - doorkeeper - Versions diffs - 5.2.0.rc1 → 5.2.0 - Mend

doorkeeper 5.2.0.rc1 → 5.2.0

Potentially problematic release.

This version of doorkeeper might be problematic. Click here for more details.

Files changed (69) hide show

checksums.yaml +4 -4
data/Appraisals +1 -1
data/CHANGELOG.md +33 -2
data/CONTRIBUTING.md +7 -0
data/Dangerfile +1 -1
data/Dockerfile +29 -0
data/Gemfile +1 -1
data/README.md +9 -1
data/app/controllers/doorkeeper/application_controller.rb +1 -1
data/app/controllers/doorkeeper/application_metal_controller.rb +2 -1
data/app/controllers/doorkeeper/authorizations_controller.rb +14 -7
data/app/controllers/doorkeeper/tokens_controller.rb +14 -1
data/config/locales/en.yml +5 -1
data/doorkeeper.gemspec +8 -0
data/gemfiles/rails_6_0.gemfile +1 -1
data/lib/doorkeeper/config.rb +64 -9
data/lib/doorkeeper/errors.rb +13 -18
data/lib/doorkeeper/helpers/controller.rb +6 -2
data/lib/doorkeeper/models/access_token_mixin.rb +43 -2
data/lib/doorkeeper/oauth/authorization/code.rb +1 -5
data/lib/doorkeeper/oauth/authorization_code_request.rb +18 -9
data/lib/doorkeeper/oauth/base_request.rb +2 -0
data/lib/doorkeeper/oauth/client_credentials/creator.rb +14 -0
data/lib/doorkeeper/oauth/client_credentials/validation.rb +8 -0
data/lib/doorkeeper/oauth/code_request.rb +5 -11
data/lib/doorkeeper/oauth/invalid_request_response.rb +43 -0
data/lib/doorkeeper/oauth/password_access_token_request.rb +7 -2
data/lib/doorkeeper/oauth/pre_authorization.rb +70 -37
data/lib/doorkeeper/oauth/refresh_token_request.rb +5 -2
data/lib/doorkeeper/oauth/token_introspection.rb +16 -7
data/lib/doorkeeper/oauth/token_request.rb +4 -18
data/lib/doorkeeper/orm/active_record/application.rb +1 -1
data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb +61 -0
data/lib/doorkeeper/orm/active_record.rb +2 -2
data/lib/doorkeeper/request/authorization_code.rb +2 -0
data/lib/doorkeeper/request.rb +6 -11
data/lib/doorkeeper/server.rb +2 -6
data/lib/doorkeeper/version.rb +1 -1
data/lib/doorkeeper.rb +1 -0
data/lib/generators/doorkeeper/templates/initializer.rb +88 -43
data/lib/generators/doorkeeper/templates/migration.rb.erb +1 -1
data/spec/controllers/authorizations_controller_spec.rb +140 -61
data/spec/controllers/protected_resources_controller_spec.rb +3 -3
data/spec/controllers/tokens_controller_spec.rb +140 -40
data/spec/dummy/config/initializers/doorkeeper.rb +47 -20
data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +1 -1
data/spec/lib/config_spec.rb +32 -1
data/spec/lib/oauth/authorization_code_request_spec.rb +11 -1
data/spec/lib/oauth/base_request_spec.rb +33 -16
data/spec/lib/oauth/client_credentials/creator_spec.rb +3 -0
data/spec/lib/oauth/code_request_spec.rb +27 -28
data/spec/lib/oauth/invalid_request_response_spec.rb +75 -0
data/spec/lib/oauth/pre_authorization_spec.rb +80 -55
data/spec/lib/oauth/refresh_token_request_spec.rb +1 -0
data/spec/lib/oauth/token_request_spec.rb +20 -17
data/spec/lib/server_spec.rb +0 -12
data/spec/requests/endpoints/authorization_spec.rb +21 -5
data/spec/requests/endpoints/token_spec.rb +1 -1
data/spec/requests/flows/authorization_code_errors_spec.rb +1 -0
data/spec/requests/flows/authorization_code_spec.rb +77 -23
data/spec/requests/flows/client_credentials_spec.rb +38 -0
data/spec/requests/flows/implicit_grant_errors_spec.rb +22 -10
data/spec/requests/flows/implicit_grant_spec.rb +9 -8
data/spec/requests/flows/password_spec.rb +37 -0
data/spec/requests/flows/refresh_token_spec.rb +1 -1
data/spec/support/helpers/request_spec_helper.rb +14 -2
data/spec/validators/redirect_uri_validator_spec.rb +1 -1
metadata +15 -6
data/app/validators/redirect_uri_validator.rb +0 -60

data/lib/doorkeeper/oauth/client_credentials/validation.rb CHANGED Viewed

@@ -8,6 +8,7 @@ module Doorkeeper
         include OAuth::Helpers
         validate :client, error: :invalid_client
+        validate :client_supports_grant_flow, error: :unauthorized_client
         validate :scopes, error: :invalid_scope
         def initialize(server, request)
@@ -24,6 +25,13 @@ module Doorkeeper
           @client.present?
         end
+        def validate_client_supports_grant_flow
+          Doorkeeper.configuration.allow_grant_flow_for_client?(
+            Doorkeeper::OAuth::CLIENT_CREDENTIALS,
+            @client
+          )
+        end
         def validate_scopes
           return true if @request.scopes.blank?

data/lib/doorkeeper/oauth/code_request.rb CHANGED Viewed

@@ -3,28 +3,22 @@
 module Doorkeeper
   module OAuth
     class CodeRequest
-      attr_accessor :pre_auth, :resource_owner, :client
+      attr_accessor :pre_auth, :resource_owner
       def initialize(pre_auth, resource_owner)
         @pre_auth       = pre_auth
-        @client         = pre_auth.client
         @resource_owner = resource_owner
       end
       def authorize
-        if pre_auth.authorizable?
-          auth = Authorization::Code.new(pre_auth, resource_owner)
-          auth.issue_token
-          @response = CodeResponse.new pre_auth, auth
-        else
-          @response = ErrorResponse.from_request pre_auth
-        end
+        auth = Authorization::Code.new(pre_auth, resource_owner)
+        auth.issue_token
+        CodeResponse.new(pre_auth, auth)
       end
       def deny
         pre_auth.error = :access_denied
-        ErrorResponse.from_request pre_auth,
-                                   redirect_uri: pre_auth.redirect_uri
+        pre_auth.error_response
       end
     end
   end

data/lib/doorkeeper/oauth/invalid_request_response.rb ADDED Viewed

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+module Doorkeeper
+  module OAuth
+    class InvalidRequestResponse < ErrorResponse
+      attr_reader :reason
+      def self.from_request(request, attributes = {})
+        new(
+          attributes.merge(
+            state: request.try(:state),
+            redirect_uri: request.try(:redirect_uri),
+            missing_param: request.try(:missing_param),
+            reason: request.try(:invalid_request_reason)
+          )
+        )
+      end
+      def initialize(attributes = {})
+        super(attributes.merge(name: :invalid_request))
+        @missing_param = attributes[:missing_param]
+        @reason = @missing_param.nil? ? attributes[:reason] : :missing_param
+      end
+      def status
+        :bad_request
+      end
+      def description
+        I18n.translate(
+          reason,
+          scope: %i[doorkeeper errors messages invalid_request],
+          default: :unknown,
+          value: @missing_param
+        )
+      end
+      def redirectable?
+        super && @missing_param != :client_id
+      end
+    end
+  end
+end

data/lib/doorkeeper/oauth/password_access_token_request.rb CHANGED Viewed

@@ -5,9 +5,10 @@ module Doorkeeper
     class PasswordAccessTokenRequest < BaseRequest
       include OAuth::Helpers
-      validate :client,         error: :invalid_client
+      validate :client, error: :invalid_client
+      validate :client_supports_grant_flow, error: :unauthorized_client
       validate :resource_owner, error: :invalid_grant
-      validate :scopes,         error: :invalid_scope
+      validate :scopes, error: :invalid_scope
       attr_accessor :server, :client, :resource_owner, :parameters,
                     :access_token
@@ -47,6 +48,10 @@ module Doorkeeper
       def validate_client
         !parameters[:client_id] || client.present?
       end
+      def validate_client_supports_grant_flow
+        Doorkeeper.configuration.allow_grant_flow_for_client?(grant_type, client)
+      end
     end
   end
 end

data/lib/doorkeeper/oauth/pre_authorization.rb CHANGED Viewed

@@ -5,19 +5,21 @@ module Doorkeeper
     class PreAuthorization
       include Validations
-      validate :response_type, error: :unsupported_response_type
-      validate :client, error: :invalid_client
-      validate :scopes, error: :invalid_scope
-      validate :redirect_uri, error: :invalid_redirect_uri
+      validate :client_id,             error: :invalid_request
+      validate :client,                error: :invalid_client
+      validate :redirect_uri,          error: :invalid_redirect_uri
+      validate :params,                error: :invalid_request
+      validate :response_type,         error: :unsupported_response_type
+      validate :scopes,                error: :invalid_scope
       validate :code_challenge_method, error: :invalid_code_challenge_method
+      validate :client_supports_grant_flow, error: :unauthorized_client
-      attr_accessor :server, :client, :response_type, :redirect_uri, :state,
-                    :code_challenge, :code_challenge_method
-      attr_writer   :scope
+      attr_reader :server, :client_id, :client, :redirect_uri, :response_type, :state,
+                  :code_challenge, :code_challenge_method, :missing_param
-      def initialize(server, client, attrs = {})
+      def initialize(server, attrs = {})
         @server                = server
-        @client                = client
+        @client_id             = attrs[:client_id]
         @response_type         = attrs[:response_type]
         @redirect_uri          = attrs[:redirect_uri]
         @scope                 = attrs[:scope]
@@ -30,34 +32,38 @@ module Doorkeeper
         valid?
       end
+      def validate_client_supports_grant_flow
+        Doorkeeper.configuration.allow_grant_flow_for_client?(grant_type, client.application)
+      end
       def scopes
         Scopes.from_string scope
       end
       def scope
-        @scope.presence || build_scopes
+        @scope.presence || (server.default_scopes.presence && build_scopes)
       end
       def error_response
-        OAuth::ErrorResponse.from_request(self)
+        is_implicit_flow = response_type == "token"
+        if error == :invalid_request
+          OAuth::InvalidRequestResponse.from_request(self, response_on_fragment: is_implicit_flow)
+        else
+          OAuth::ErrorResponse.from_request(self, response_on_fragment: is_implicit_flow)
+        end
       end
-      def as_json(_options)
-        {
-          client_id: client.uid,
-          redirect_uri: redirect_uri,
-          state: state,
-          response_type: response_type,
-          scope: scope,
-          client_name: client.name,
-          status: I18n.t("doorkeeper.pre_authorization.status"),
-        }
+      def as_json(attributes = {})
+        return pre_auth_hash.merge(attributes.to_h) if attributes.respond_to?(:to_h)
+        pre_auth_hash
       end
       private
       def build_scopes
-        client_scopes = client.application.scopes
+        client_scopes = client.scopes
         if client_scopes.blank?
           server.default_scopes.to_s
         else
@@ -65,21 +71,45 @@ module Doorkeeper
         end
       end
-      def validate_response_type
-        server.authorization_response_types.include? response_type
+      def validate_client_id
+        @missing_param = :client_id if client_id.blank?
+        @missing_param.nil?
       end
       def validate_client
-        client.present?
+        @client = OAuth::Client.find(client_id)
+        @client.present?
       end
-      def validate_scopes
-        return true if scope.blank?
+      def validate_redirect_uri
+        return false if redirect_uri.blank?
+        Helpers::URIChecker.valid_for_authorization?(
+          redirect_uri,
+          client.redirect_uri
+        )
+      end
+      def validate_params
+        @missing_param = if response_type.blank?
+                           :response_type
+                         elsif @scope.blank? && server.default_scopes.blank?
+                           :scope
+                         end
+        @missing_param.nil?
+      end
+      def validate_response_type
+        server.authorization_response_types.include?(response_type)
+      end
+      def validate_scopes
         Helpers::ScopeChecker.valid?(
           scope_str: scope,
           server_scopes: server.scopes,
-          app_scopes: client.application.scopes,
+          app_scopes: client.scopes,
           grant_type: grant_type
         )
       end
@@ -88,19 +118,22 @@ module Doorkeeper
         response_type == "code" ? AUTHORIZATION_CODE : IMPLICIT
       end
-      def validate_redirect_uri
-        return false if redirect_uri.blank?
-        Helpers::URIChecker.valid_for_authorization?(
-          redirect_uri,
-          client.redirect_uri
-        )
-      end
       def validate_code_challenge_method
         code_challenge.blank? ||
           (code_challenge_method.present? && code_challenge_method =~ /^plain$|^S256$/)
       end
+      def pre_auth_hash
+        {
+          client_id: client.uid,
+          redirect_uri: redirect_uri,
+          state: state,
+          response_type: response_type,
+          scope: scope,
+          client_name: client.name,
+          status: I18n.t("doorkeeper.pre_authorization.status"),
+        }
+      end
     end
   end
 end

data/lib/doorkeeper/oauth/refresh_token_request.rb CHANGED Viewed

@@ -13,6 +13,7 @@ module Doorkeeper
       attr_accessor :access_token, :client, :credentials, :refresh_token,
                     :server
+      attr_reader   :missing_param
       def initialize(server, refresh_token, credentials, parameters = {})
         @server = server
@@ -32,7 +33,7 @@ module Doorkeeper
       def before_successful_response
         refresh_token.transaction do
           refresh_token.lock!
-          raise Errors::InvalidTokenReuse if refresh_token.revoked?
+          raise Errors::InvalidGrantReuse if refresh_token.revoked?
           refresh_token.revoke unless refresh_token_revoked_on_use?
           create_access_token
@@ -76,7 +77,9 @@ module Doorkeeper
       end
       def validate_token_presence
-        refresh_token.present? || @refresh_token_parameter.present?
+        @missing_param = :refresh_token if refresh_token.blank? && @refresh_token_parameter.blank?
+        @missing_param.nil?
       end
       def validate_token

data/lib/doorkeeper/oauth/token_introspection.rb CHANGED Viewed

@@ -7,7 +7,7 @@ module Doorkeeper
     # @see https://tools.ietf.org/html/rfc7662
     class TokenIntrospection
       attr_reader :server, :token
-      attr_reader :error
+      attr_reader :error, :invalid_request_reason
       def initialize(server, token)
         @server = server
@@ -25,6 +25,8 @@ module Doorkeeper
         if @error == :invalid_token
           OAuth::InvalidTokenResponse.from_access_token(authorized_token)
+        elsif @error == :invalid_request
+          OAuth::InvalidRequestResponse.from_request(self)
         else
           OAuth::ErrorResponse.new(name: @error)
         end
@@ -67,9 +69,10 @@ module Doorkeeper
           #  HTTP 401 code as described in Section 3 of OAuth 2.0 Bearer Token
           #  Usage [RFC6750].
           #
-          @error = :invalid_token if authorized_token_matches_introspected? || !authorized_token.accessible?
+          @error = :invalid_token unless valid_authorized_token?
         else
           @error = :invalid_request
+          @invalid_request_reason = :request_not_authorized
         end
       end
@@ -149,9 +152,9 @@ module Doorkeeper
       #
       def active?
         if authorized_client
-          valid_token? && token_introspection_allowed?(authorized_client.application)
+          valid_token? && token_introspection_allowed?(auth_client: authorized_client.application)
         else
-          valid_token? && token_introspection_allowed?(authorized_token&.application)
+          valid_token?
         end
       end
@@ -160,20 +163,26 @@ module Doorkeeper
         @token&.accessible?
       end
+      def valid_authorized_token?
+        !authorized_token_matches_introspected? &&
+          authorized_token.accessible? &&
+          token_introspection_allowed?(auth_token: authorized_token)
+      end
       # RFC7662 Section 2.1
       def authorized_token_matches_introspected?
         authorized_token.token == @token&.token
       end
       # config constraints for introspection in Doorkeeper.configuration.allow_token_introspection
-      def token_introspection_allowed?(client)
+      def token_introspection_allowed?(auth_client: nil, auth_token: nil)
         allow_introspection = Doorkeeper.configuration.allow_token_introspection
         return allow_introspection unless allow_introspection.respond_to?(:call)
         allow_introspection.call(
           @token,
-          client,
-          authorized_token
+          auth_client,
+          auth_token
         )
       end

data/lib/doorkeeper/oauth/token_request.rb CHANGED Viewed

@@ -11,28 +11,14 @@ module Doorkeeper
       end
       def authorize
-        if pre_auth.authorizable?
-          auth = Authorization::Token.new(pre_auth, resource_owner)
-          auth.issue_token
-          @response = CodeResponse.new pre_auth,
-                                       auth,
-                                       response_on_fragment: true
-        else
-          @response = error_response
-        end
+        auth = Authorization::Token.new(pre_auth, resource_owner)
+        auth.issue_token
+        CodeResponse.new(pre_auth, auth, response_on_fragment: true)
       end
       def deny
         pre_auth.error = :access_denied
-        error_response
-      end
-      private
-      def error_response
-        ErrorResponse.from_request pre_auth,
-                                   redirect_uri: pre_auth.redirect_uri,
-                                   response_on_fragment: true
+        pre_auth.error_response
       end
     end
   end

data/lib/doorkeeper/orm/active_record/application.rb CHANGED Viewed

@@ -11,7 +11,7 @@ module Doorkeeper
     validates :name, :secret, :uid, presence: true
     validates :uid, uniqueness: { case_sensitive: true }
-    validates :redirect_uri, redirect_uri: true
+    validates :redirect_uri, "doorkeeper/redirect_uri": true
     validates :confidential, inclusion: { in: [true, false] }
     validate :scopes_match_configured, if: :enforce_scopes?

data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb ADDED Viewed

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+require "uri"
+module Doorkeeper
+  # ActiveModel validator for redirect URI validation in according
+  # to OAuth standards and Doorkeeper configuration.
+  class RedirectUriValidator < ActiveModel::EachValidator
+    def validate_each(record, attribute, value)
+      if value.blank?
+        return if Doorkeeper.configuration.allow_blank_redirect_uri?(record)
+        record.errors.add(attribute, :blank)
+      else
+        value.split.each do |val|
+          next if oob_redirect_uri?(val)
+          uri = ::URI.parse(val)
+          record.errors.add(attribute, :forbidden_uri) if forbidden_uri?(uri)
+          record.errors.add(attribute, :fragment_present) unless uri.fragment.nil?
+          record.errors.add(attribute, :unspecified_scheme) if unspecified_scheme?(uri)
+          record.errors.add(attribute, :relative_uri) if relative_uri?(uri)
+          record.errors.add(attribute, :secured_uri) if invalid_ssl_uri?(uri)
+        end
+      end
+    rescue URI::InvalidURIError
+      record.errors.add(attribute, :invalid_uri)
+    end
+    private
+    def oob_redirect_uri?(uri)
+      Doorkeeper::OAuth::NonStandard::IETF_WG_OAUTH2_OOB_METHODS.include?(uri)
+    end
+    def forbidden_uri?(uri)
+      Doorkeeper.configuration.forbid_redirect_uri.call(uri)
+    end
+    def unspecified_scheme?(uri)
+      return true if uri.opaque.present?
+      %w[localhost].include?(uri.try(:scheme))
+    end
+    def relative_uri?(uri)
+      uri.scheme.nil? && uri.host.nil?
+    end
+    def invalid_ssl_uri?(uri)
+      forces_ssl = Doorkeeper.configuration.force_ssl_in_redirect_uri
+      non_https = uri.try(:scheme) == "http"
+      if forces_ssl.respond_to?(:call)
+        forces_ssl.call(uri) && non_https
+      else
+        forces_ssl && non_https
+      end
+    end
+  end
+end

data/lib/doorkeeper/orm/active_record.rb CHANGED Viewed

@@ -2,8 +2,6 @@
 require "active_support/lazy_load_hooks"
-require "doorkeeper/orm/active_record/stale_records_cleaner"
 module Doorkeeper
   module Orm
     # ActiveRecord ORM for Doorkeeper entity models.
@@ -17,6 +15,8 @@ module Doorkeeper
     module ActiveRecord
       def self.initialize_models!
         lazy_load do
+          require "doorkeeper/orm/active_record/stale_records_cleaner"
+          require "doorkeeper/orm/active_record/redirect_uri_validator"
           require "doorkeeper/orm/active_record/access_grant"
           require "doorkeeper/orm/active_record/access_token"
           require "doorkeeper/orm/active_record/application"

data/lib/doorkeeper/request/authorization_code.rb CHANGED Viewed

@@ -17,6 +17,8 @@ module Doorkeeper
       private
       def grant
+        raise Errors::MissingRequiredParameter, :code if parameters[:code].blank?
         AccessGrant.by_token(parameters[:code])
       end
     end

data/lib/doorkeeper/request.rb CHANGED Viewed

@@ -4,30 +4,25 @@ module Doorkeeper
   module Request
     class << self
       def authorization_strategy(response_type)
-        get_strategy(response_type, authorization_response_types)
-      rescue NameError
-        raise Errors::InvalidAuthorizationStrategy
+        build_strategy_class(response_type)
       end
       def token_strategy(grant_type)
+        raise Errors::MissingRequiredParameter, :grant_type if grant_type.blank?
         get_strategy(grant_type, token_grant_types)
       rescue NameError
         raise Errors::InvalidTokenStrategy
       end
-      def get_strategy(grant_or_request_type, available)
-        raise Errors::MissingRequestStrategy if grant_or_request_type.blank?
-        raise NameError unless available.include?(grant_or_request_type.to_s)
+      def get_strategy(grant_type, available)
+        raise NameError unless available.include?(grant_type.to_s)
-        build_strategy_class(grant_or_request_type)
+        build_strategy_class(grant_type)
       end
       private
-      def authorization_response_types
-        Doorkeeper.configuration.authorization_response_types
-      end
       def token_grant_types
         Doorkeeper.configuration.token_grant_types
       end

data/lib/doorkeeper/server.rb CHANGED Viewed

@@ -10,12 +10,12 @@ module Doorkeeper
     def authorization_request(strategy)
       klass = Request.authorization_strategy strategy
-      klass.new self
+      klass.new(self)
     end
     def token_request(strategy)
       klass = Request.token_strategy strategy
-      klass.new self
+      klass.new(self)
     end
     # TODO: context should be the request
@@ -27,10 +27,6 @@ module Doorkeeper
       @client ||= OAuth::Client.authenticate(credentials)
     end
-    def client_via_uid
-      @client_via_uid ||= OAuth::Client.find(parameters[:client_id])
-    end
     def current_resource_owner
       context.send :current_resource_owner
     end

data/lib/doorkeeper/version.rb CHANGED Viewed

@@ -10,7 +10,7 @@ module Doorkeeper
     MAJOR = 5
     MINOR = 2
     TINY = 0
-    PRE = "rc1"
+    PRE = nil
     # Full version number
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

data/lib/doorkeeper.rb CHANGED Viewed

@@ -52,6 +52,7 @@ require "doorkeeper/oauth/token"
 require "doorkeeper/oauth/token_introspection"
 require "doorkeeper/oauth/invalid_token_response"
 require "doorkeeper/oauth/forbidden_token_response"
+require "doorkeeper/oauth/invalid_request_response"
 require "doorkeeper/oauth/nonstandard"
 require "doorkeeper/secret_storing/base"