doorkeeper 5.2.0.rc1 → 5.2.0

data/spec/controllers/tokens_controller_spec.rb

@@ -3,31 +3,139 @@
 require "spec_helper"
 
 describe Doorkeeper::TokensController do
-  describe "when authorization has succeeded" do
-    let(:token) { double(:token, authorize: true) }
+  let(:client) { FactoryBot.create :application }
+  let!(:user)  { User.create!(name: "Joe", password: "sekret") }
 
-    it "returns the authorization" do
-      skip "verify need of these specs"
+  before do
+    Doorkeeper.configure do
+      resource_owner_from_credentials do
+        User.first
+      end
+    end
 
-      expect(token).to receive(:authorization)
+    allow(Doorkeeper.configuration).to receive(:grant_flows).and_return(["password"])
+  end
 
-      post :create
+  subject { JSON.parse(response.body) }
+
+  describe "POST #create" do
+    before do
+      post :create, params: {
+        client_id: client.uid,
+        client_secret: client.secret,
+        grant_type: "password",
+      }
+    end
+
+    it "responds after authorization" do
+      expect(response).to be_successful
+    end
+
+    it "includes access token in response" do
+      expect(subject["access_token"]).to eq(Doorkeeper::AccessToken.first.token)
+    end
+
+    it "includes token type in response" do
+      expect(subject["token_type"]).to eq("Bearer")
+    end
+
+    it "includes token expiration in response" do
+      expect(subject["expires_in"].to_i).to eq(Doorkeeper.configuration.access_token_expires_in)
+    end
+
+    it "issues the token for the current client" do
+      expect(Doorkeeper::AccessToken.first.application_id).to eq(client.id)
+    end
+
+    it "issues the token for the current resource owner" do
+      expect(Doorkeeper::AccessToken.first.resource_owner_id).to eq(user.id)
     end
   end
 
-  describe "when authorization has failed" do
-    it "returns the error response" do
-      token = double(:token, authorize: false)
-      allow(controller).to receive(:token) { token }
+  describe "POST #create with errors" do
+    before do
+      post :create, params: {
+        client_id: client.uid,
+        client_secret: "invalid",
+        grant_type: "password",
+      }
+    end
 
-      post :create
+    it "responds after authorization" do
+      expect(response).to be_unauthorized
+    end
 
-      expect(response.status).to eq 400
-      expect(response.headers["WWW-Authenticate"]).to match(/Bearer/)
+    it "include error in response" do
+      expect(subject["error"]).to eq("invalid_client")
+    end
+
+    it "include error_description in response" do
+      expect(subject["error_description"]).to be
+    end
+
+    it "does not include access token in response" do
+      expect(subject["access_token"]).to be_nil
+    end
+
+    it "does not include token type in response" do
+      expect(subject["token_type"]).to be_nil
+    end
+
+    it "does not include token expiration in response" do
+      expect(subject["expires_in"]).to be_nil
+    end
+
+    it "does not issue any access token" do
+      expect(Doorkeeper::AccessToken.all).to be_empty
+    end
+  end
+
+  describe "POST #create with callbacks" do
+    after do
+      client.update_attribute :redirect_uri, "urn:ietf:wg:oauth:2.0:oob"
+    end
+
+    describe "when successful" do
+      after do
+        post :create, params: {
+          client_id: client.uid,
+          client_secret: client.secret,
+          grant_type: "password",
+        }
+      end
+
+      it "should call :before_successful_authorization callback" do
+        expect(Doorkeeper.configuration)
+          .to receive_message_chain(:before_successful_authorization, :call).with(instance_of(described_class))
+      end
+
+      it "should call :after_successful_authorization callback" do
+        expect(Doorkeeper.configuration)
+          .to receive_message_chain(:after_successful_authorization, :call).with(instance_of(described_class))
+      end
+    end
+
+    describe "with errors" do
+      after do
+        post :create, params: {
+          client_id: client.uid,
+          client_secret: "invalid",
+          grant_type: "password",
+        }
+      end
+
+      it "should call :before_successful_authorization callback" do
+        expect(Doorkeeper.configuration)
+          .to receive_message_chain(:before_successful_authorization, :call).with(instance_of(described_class))
+      end
+
+      it "should not call :after_successful_authorization callback" do
+        expect(Doorkeeper.configuration).not_to receive(:after_successful_authorization)
+      end
     end
   end
 
-  describe "when there is a failure due to a custom error" do
+  describe "POST #create with custom error" do
     it "returns the error response with a custom message" do
       # I18n looks for `doorkeeper.errors.messages.custom_message` in locale files
       custom_message = "my_message"
@@ -58,7 +166,7 @@ describe Doorkeeper::TokensController do
   end
 
   # http://tools.ietf.org/html/rfc7009#section-2.2
-  describe "revoking tokens" do
+  describe "POST #revoke" do
     let(:client) { FactoryBot.create(:application) }
     let(:access_token) { FactoryBot.create(:access_token, application: client) }
 
@@ -117,21 +225,7 @@ describe Doorkeeper::TokensController do
     end
   end
 
-  describe "authorize response memoization" do
-    it "memoizes the result of the authorization" do
-      strategy = double(:strategy, authorize: true)
-      expect(strategy).to receive(:authorize).once
-      allow(controller).to receive(:strategy) { strategy }
-      allow(controller).to receive(:create) do
-        2.times { controller.send :authorize_response }
-        controller.render json: {}, status: :ok
-      end
-
-      post :create
-    end
-  end
-
-  describe "when requested token introspection" do
+  describe "POST #introspect" do
     let(:client) { FactoryBot.create(:application) }
     let(:access_token) { FactoryBot.create(:access_token, application: client) }
     let(:token_for_introspection) { FactoryBot.create(:access_token, application: client) }
@@ -167,13 +261,15 @@ describe Doorkeeper::TokensController do
         end
       end
 
-      it "responds with just active: false response" do
+      it "responds with invalid_token error" do
         request.headers["Authorization"] = "Bearer #{access_token.token}"
 
         post :introspect, params: { token: token_for_introspection.token }
 
-        should_have_json "active", false
-        expect(json_response).not_to include("client_id", "token_type", "exp", "iat")
+        response_status_should_be 401
+
+        should_not_have_json "active"
+        should_have_json "error", "invalid_token"
       end
     end
 
@@ -268,15 +364,17 @@ describe Doorkeeper::TokensController do
         expect(json_response).to include("client_id", "token_type", "exp", "iat")
       end
 
-      it "responds with just active status if authorized token doesn't have introspection scope" do
+      it "responds with invalid_token error if authorized token doesn't have introspection scope" do
         access_token.update(scopes: "read write")
 
         request.headers["Authorization"] = "Bearer #{access_token.token}"
 
         post :introspect, params: { token: token_for_introspection.token }
 
-        should_have_json "active", false
-        expect(json_response).not_to include("client_id", "token_type", "exp", "iat")
+        response_status_should_be 401
+
+        should_not_have_json "active"
+        should_have_json "error", "invalid_token"
       end
     end
 
@@ -285,7 +383,7 @@ describe Doorkeeper::TokensController do
         FactoryBot.create(:access_token, application: client, revoked_at: 1.day.ago)
       end
 
-      it "responds with invalid token error" do
+      it "responds with invalid_token error" do
         request.headers["Authorization"] = "Bearer #{access_token.token}"
 
         post :introspect, params: { token: token_for_introspection.token }
@@ -340,13 +438,15 @@ describe Doorkeeper::TokensController do
       end
 
       context "authorized using valid Bearer token" do
-        it "responds with only active state" do
+        it "responds with invalid_token error" do
           request.headers["Authorization"] = "Bearer #{access_token.token}"
 
           post :introspect, params: { token: SecureRandom.hex(16) }
 
-          should_have_json "active", false
-          expect(json_response).not_to include("client_id", "token_type", "exp", "iat")
+          response_status_should_be 401
+
+          should_not_have_json "active"
+          should_have_json "error", "invalid_token"
         end
       end
     end

data/spec/dummy/config/initializers/doorkeeper.rb

@@ -107,32 +107,59 @@ Doorkeeper.configure do
   #   client.superapp? or resource_owner.admin?
   # end
 
-  # Implement constraints in case you use Client Credentials to authenticate
-  # the introspection endpoint.
-  # By default allow introspection if the introspected token belongs to authorized client,
-  # OR token doesn't belong to any client (public token). Otherwise disallow.
-  #
-  # Params:
-  # `token` - the token to be introspected (see Doorkeeper::AccessToken)
-  # `client` - the client application authorized for the endpoint (see Doorkeeper::Application)
-  #
-  # You can completely ignore it:
-  # allow_token_introspection do |_token, _client|
-  #   false
-  # end
+  # Configure custom constraints for the Token Introspection request.
+  # By default this configuration option allows to introspect a token by another
+  # token of the same application, OR to introspect the token that belongs to
+  # authorized client (from authenticated client) OR when token doesn't
+  # belong to any client (public token). Otherwise requester has no access to the
+  # introspection and it will return response as stated in the RFC.
+  #
+  # Block arguments:
+  #
+  # @param token [Doorkeeper::AccessToken]
+  #   token to be introspected
+  #
+  # @param authorized_client [Doorkeeper::Application]
+  #   authorized client (if request is authorized using Basic auth with
+  #   Client Credentials for example)
+  #
+  # @param authorized_token [Doorkeeper::AccessToken]
+  #   Bearer token used to authorize the request
   #
-  # Or you can define your custom check:
-  #   Adding `protected_resource` boolean column to applications table
-  #   to allow protected_resource client introspect the token of normal client.
-  #   In this case, protected resource client must be confidential.
+  # In case the block returns `nil` or `false` introspection responses with 401 status code
+  # when using authorized token to introspect, or you'll get 200 with { "active": false } body
+  # when using authorized client to introspect as stated in the
+  # RFC 7662 section 2.2. Introspection Response.
   #
-  # allow_token_introspection do |token, client|
-  #   if token.application
-  #     token.application == client || client.protected_resource?
+  # Using with caution:
+  # Keep in mind that these three parameters pass to block can be nil as following case:
+  #  `authorized_client` is nil if and only if `authorized_token` is present, and vice versa.
+  #  `token` will be nil if and only if `authorized_token` is present.
+  # So remember to use `&` or check if it is present before calling method on
+  # them to make sure you doesn't get NoMethodError exception.
+  #
+  # You can define your custom check:
+  #
+  # allow_token_introspection do |token, authorized_client, authorized_token|
+  #   if authorized_token
+  #     # customize: require `introspection` scope
+  #     authorized_token.application == token&.application ||
+  #       authorized_token.scopes.include?("introspection")
+  #   elsif token.application
+  #     # `protected_resource` is a new database boolean column, for example
+  #     authorized_client == token.application || authorized_client.protected_resource?
   #   else
+  #     # public token (when token.application is nil, token doesn't belong to any application)
   #     true
   #   end
   # end
+  #
+  # Or you can completely disable any token introspection:
+  #
+  # allow_token_introspection false
+  #
+  # If you need to block the request at all, then configure your routes.rb or web-server
+  # like nginx to forbid the request.
 
   # WWW-Authenticate Realm (default "Doorkeeper").
   realm "Doorkeeper"

data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb

@@ -25,7 +25,7 @@ class CreateDoorkeeperTables < ActiveRecord::Migration[4.2]
       t.text     :redirect_uri,      null: false
       t.datetime :created_at,        null: false
       t.datetime :revoked_at
-      t.string   :scopes
+      t.string   :scopes,            null: false, default: ""
     end
 
     add_index :oauth_access_grants, :token, unique: true

data/spec/lib/config_spec.rb

@@ -502,7 +502,21 @@ describe Doorkeeper, "configuration" do
 
   describe "base_controller" do
     context "default" do
-      it { expect(Doorkeeper.configuration.base_controller).to eq("ActionController::Base") }
+      it { expect(Doorkeeper.configuration.base_controller).to be_an_instance_of(Proc) }
+
+      it "resolves to a ApplicationController::Base in default mode" do
+        expect(Doorkeeper.configuration.resolve_controller(:base))
+          .to eq(ActionController::Base)
+      end
+
+      it "resolves to a ApplicationController::API in api_only mode" do
+        Doorkeeper.configure do
+          api_only
+        end
+
+        expect(Doorkeeper.configuration.resolve_controller(:base))
+          .to eq(ActionController::API)
+      end
     end
 
     context "custom" do
@@ -517,6 +531,23 @@ describe Doorkeeper, "configuration" do
     end
   end
 
+  describe "base_metal_controller" do
+    context "default" do
+      it { expect(Doorkeeper.configuration.base_metal_controller).to eq("ActionController::API") }
+    end
+
+    context "custom" do
+      before do
+        Doorkeeper.configure do
+          orm DOORKEEPER_ORM
+          base_metal_controller { "ApplicationController" }
+        end
+      end
+
+      it { expect(Doorkeeper.configuration.resolve_controller(:base_metal)).to eq(ApplicationController) }
+    end
+  end
+
   if DOORKEEPER_ORM == :active_record
     describe "active_record_options" do
       let(:models) { [Doorkeeper::AccessGrant, Doorkeeper::AccessToken, Doorkeeper::Application] }

data/spec/lib/oauth/authorization_code_request_spec.rb

@@ -23,7 +23,7 @@ module Doorkeeper::OAuth
     end
 
     subject do
-      AuthorizationCodeRequest.new server, grant, client, params
+      AuthorizationCodeRequest.new(server, grant, client, params)
     end
 
     it "issues a new token for the client" do
@@ -65,6 +65,16 @@ module Doorkeeper::OAuth
       subject.redirect_uri = nil
       subject.validate
       expect(subject.error).to eq(:invalid_request)
+      expect(subject.missing_param).to eq(:redirect_uri)
+    end
+
+    it "invalid code_verifier param because server does not support pkce" do
+      allow_any_instance_of(Doorkeeper::AccessGrant).to receive(:respond_to?).with(:code_challenge).and_return(false)
+
+      subject.code_verifier = "a45a9fea-0676-477e-95b1-a40f72ac3cfb"
+      subject.validate
+      expect(subject.error).to eq(:invalid_request)
+      expect(subject.invalid_request_reason).to eq(:not_support_pkce)
     end
 
     it "matches the redirect_uri with grant's one" do

data/spec/lib/oauth/base_request_spec.rb

@@ -66,27 +66,44 @@ module Doorkeeper::OAuth
       end
 
       context "invalid" do
-        before do
-          allow(subject).to receive(:valid?).and_return(false)
-          allow(subject).to receive(:error).and_return("server_error")
-          allow(subject).to receive(:state).and_return("hello")
+        context "with error other than invalid_request" do
+          before do
+            allow(subject).to receive(:valid?).and_return(false)
+            allow(subject).to receive(:error).and_return(:server_error)
+            allow(subject).to receive(:state).and_return("hello")
+          end
+
+          it "returns an ErrorResponse object" do
+            result = subject.authorize
+
+            expect(result).to be_an_instance_of(ErrorResponse)
+
+            expect(result.body).to eq(
+              error: :server_error,
+              error_description: translated_error_message(:server_error),
+              state: "hello"
+            )
+          end
         end
 
-        it "returns an ErrorResponse object" do
-          error_description = I18n.translate(
-            "server_error",
-            scope: %i[doorkeeper errors messages]
-          )
+        context "with invalid_request error" do
+          before do
+            allow(subject).to receive(:valid?).and_return(false)
+            allow(subject).to receive(:error).and_return(:invalid_request)
+            allow(subject).to receive(:state).and_return("hello")
+          end
 
-          result = subject.authorize
+          it "returns an InvalidRequestResponse object" do
+            result = subject.authorize
 
-          expect(result).to be_an_instance_of(ErrorResponse)
+            expect(result).to be_an_instance_of(InvalidRequestResponse)
 
-          expect(result.body).to eq(
-            error: "server_error",
-            error_description: error_description,
-            state: "hello"
-          )
+            expect(result.body).to eq(
+              error: :invalid_request,
+              error_description: translated_invalid_request_error_message(:unknown, :unknown),
+              state: "hello"
+            )
+          end
         end
       end
     end

data/spec/lib/oauth/client_credentials/creator_spec.rb

@@ -55,6 +55,7 @@ class Doorkeeper::OAuth::ClientCredentialsRequest
 
           expect(Doorkeeper::AccessToken.count).to eq(2)
           expect(result).not_to eq(existing_token)
+          expect(existing_token.reload).to be_revoked
         end
       end
 
@@ -69,6 +70,7 @@ class Doorkeeper::OAuth::ClientCredentialsRequest
 
           expect(Doorkeeper::AccessToken.count).to eq(2)
           expect(result).not_to eq(existing_token)
+          expect(existing_token.reload).to be_revoked
         end
       end
     end
@@ -82,6 +84,7 @@ class Doorkeeper::OAuth::ClientCredentialsRequest
 
         expect(Doorkeeper::AccessToken.count).to eq(2)
         expect(result).not_to eq(existing_token)
+        expect(existing_token.reload).to be_revoked
       end
     end
 

data/spec/lib/oauth/code_request_spec.rb

@@ -4,18 +4,23 @@ require "spec_helper"
 
 module Doorkeeper::OAuth
   describe CodeRequest do
-    let(:pre_auth) do
-      double(
-        :pre_auth,
-        client: double(:application, id: 9990),
-        redirect_uri: "http://tst.com/cb",
-        scopes: nil,
-        state: nil,
-        error: nil,
-        authorizable?: true,
-        code_challenge: nil,
-        code_challenge_method: nil
-      )
+    let :pre_auth do
+      server = Doorkeeper.configuration
+      allow(server).to receive(:default_scopes).and_return(Scopes.from_string("public"))
+      allow(server).to receive(:grant_flows).and_return(Scopes.from_string("authorization_code"))
+
+      application = FactoryBot.create(:application, scopes: "public")
+      client = Doorkeeper::OAuth::Client.new(application)
+
+      attributes = {
+        client_id: client.uid,
+        response_type: "code",
+        redirect_uri: "https://app.com/callback",
+      }
+
+      pre_auth = PreAuthorization.new(server, attributes)
+      pre_auth.authorizable?
+      pre_auth
     end
 
     let(:owner) { double :owner, id: 8900 }
@@ -24,24 +29,18 @@ module Doorkeeper::OAuth
       CodeRequest.new(pre_auth, owner)
     end
 
-    it "creates an access grant" do
-      expect do
-        subject.authorize
-      end.to change { Doorkeeper::AccessGrant.count }.by(1)
+    context "when pre_auth is authorized" do
+      it "creates an access grant and returns a code response" do
+        expect { subject.authorize }.to change { Doorkeeper::AccessGrant.count }.by(1)
+        expect(subject.authorize).to be_a(CodeResponse)
+      end
     end
 
-    it "returns a code response" do
-      expect(subject.authorize).to be_a(CodeResponse)
-    end
-
-    it "does not create grant when not authorizable" do
-      allow(pre_auth).to receive(:authorizable?).and_return(false)
-      expect { subject.authorize }.not_to(change { Doorkeeper::AccessGrant.count })
-    end
-
-    it "returns a error response" do
-      allow(pre_auth).to receive(:authorizable?).and_return(false)
-      expect(subject.authorize).to be_a(ErrorResponse)
+    context "when pre_auth is denied" do
+      it "does not create access grant and returns a error response" do
+        expect { subject.deny }.not_to(change { Doorkeeper::AccessGrant.count })
+        expect(subject.deny).to be_a(ErrorResponse)
+      end
     end
   end
 end

data/spec/lib/oauth/invalid_request_response_spec.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+module Doorkeeper::OAuth
+  describe InvalidRequestResponse do
+    describe "#name" do
+      it { expect(subject.name).to eq(:invalid_request) }
+    end
+
+    describe "#status" do
+      it { expect(subject.status).to eq(:bad_request) }
+    end
+
+    describe :from_request do
+      let(:response) { InvalidRequestResponse.from_request(request) }
+
+      context "missing param" do
+        let(:request) { double(missing_param: "some_param") }
+
+        it "sets a description" do
+          expect(response.description).to eq(
+            I18n.t(:missing_param, scope: %i[doorkeeper errors messages invalid_request], value: "some_param")
+          )
+        end
+
+        it "sets the reason" do
+          expect(response.reason).to eq(:missing_param)
+        end
+      end
+
+      context "server doesn not support_pkce" do
+        let(:request) { double(invalid_request_reason: :not_support_pkce) }
+
+        it "sets a description" do
+          expect(response.description).to eq(
+            I18n.t(:not_support_pkce, scope: %i[doorkeeper errors messages invalid_request])
+          )
+        end
+
+        it "sets the reason" do
+          expect(response.reason).to eq(:not_support_pkce)
+        end
+      end
+
+      context "request is not authorized" do
+        let(:request) { double(invalid_request_reason: :request_not_authorized) }
+
+        it "sets a description" do
+          expect(response.description).to eq(
+            I18n.t(:request_not_authorized, scope: %i[doorkeeper errors messages invalid_request])
+          )
+        end
+
+        it "sets the reason" do
+          expect(response.reason).to eq(:request_not_authorized)
+        end
+      end
+
+      context "unknown reason" do
+        let(:request) { double(invalid_request_reason: :unknown_reason) }
+
+        it "sets a description" do
+          expect(response.description).to eq(
+            I18n.t(:unknown, scope: %i[doorkeeper errors messages invalid_request])
+          )
+        end
+
+        it "unknown reason" do
+          expect(response.reason).to eq(:unknown_reason)
+        end
+      end
+    end
+  end
+end