doorkeeper 5.2.0.rc1 → 5.2.0

data/spec/lib/oauth/pre_authorization_spec.rb

@@ -6,31 +6,25 @@ module Doorkeeper::OAuth
   describe PreAuthorization do
     let(:server) do
       server = Doorkeeper.configuration
-      allow(server).to receive(:default_scopes).and_return(Scopes.new)
-      allow(server).to receive(:scopes).and_return(Scopes.from_string("public profile"))
+      allow(server).to receive(:default_scopes).and_return(Scopes.from_string("default"))
+      allow(server).to receive(:optional_scopes).and_return(Scopes.from_string("public profile"))
       server
     end
 
-    let(:application) do
-      application = double :application
-      allow(application).to receive(:scopes).and_return(Scopes.from_string(""))
-      application
-    end
-
-    let(:client) do
-      double :client, redirect_uri: "http://tst.com/auth", application: application
-    end
+    let(:application) { FactoryBot.create(:application, redirect_uri: "https://app.com/callback") }
+    let(:client) { Client.find(application.uid) }
 
     let :attributes do
       {
+        client_id: client.uid,
         response_type: "code",
-        redirect_uri: "http://tst.com/auth",
+        redirect_uri: "https://app.com/callback",
         state: "save-this",
       }
     end
 
     subject do
-      PreAuthorization.new(server, client, attributes)
+      PreAuthorization.new(server, attributes)
     end
 
     it "is authorizable when request is valid" do
@@ -38,25 +32,25 @@ module Doorkeeper::OAuth
     end
 
     it "accepts code as response type" do
-      subject.response_type = "code"
+      attributes[:response_type] = "code"
       expect(subject).to be_authorizable
     end
 
     it "accepts token as response type" do
       allow(server).to receive(:grant_flows).and_return(["implicit"])
-      subject.response_type = "token"
+      attributes[:response_type] = "token"
       expect(subject).to be_authorizable
     end
 
     context "when using default grant flows" do
       it 'accepts "code" as response type' do
-        subject.response_type = "code"
+        attributes[:response_type] = "code"
         expect(subject).to be_authorizable
       end
 
       it 'accepts "token" as response type' do
         allow(server).to receive(:grant_flows).and_return(["implicit"])
-        subject.response_type = "token"
+        attributes[:response_type] = "token"
         expect(subject).to be_authorizable
       end
     end
@@ -67,7 +61,7 @@ module Doorkeeper::OAuth
       end
 
       it 'does not accept "code" as response type' do
-        subject.response_type = "code"
+        attributes[:response_type] = "code"
         expect(subject).not_to be_authorizable
       end
     end
@@ -78,79 +72,90 @@ module Doorkeeper::OAuth
       end
 
       it 'does not accept "token" as response type' do
-        subject.response_type = "token"
+        attributes[:response_type] = "token"
         expect(subject).not_to be_authorizable
       end
     end
 
     context "client application does not restrict valid scopes" do
       it "accepts valid scopes" do
-        subject.scope = "public"
+        attributes[:scope] = "public"
         expect(subject).to be_authorizable
       end
 
       it "rejects (globally) non-valid scopes" do
-        subject.scope = "invalid"
+        attributes[:scope] = "invalid"
         expect(subject).not_to be_authorizable
       end
 
       it "accepts scopes which are permitted for grant_type" do
         allow(server).to receive(:scopes_by_grant_type).and_return(authorization_code: [:public])
-        subject.scope = "public"
+        attributes[:scope] = "public"
         expect(subject).to be_authorizable
       end
 
       it "rejects scopes which are not permitted for grant_type" do
         allow(server).to receive(:scopes_by_grant_type).and_return(authorization_code: [:profile])
-        subject.scope = "public"
+        attributes[:scope] = "public"
         expect(subject).not_to be_authorizable
       end
     end
 
     context "client application restricts valid scopes" do
       let(:application) do
-        application = double :application
-        allow(application).to receive(:scopes).and_return(Scopes.from_string("public nonsense"))
-        application
+        FactoryBot.create(:application, scopes: Scopes.from_string("public nonsense"))
       end
 
       it "accepts valid scopes" do
-        subject.scope = "public"
+        attributes[:scope] = "public"
         expect(subject).to be_authorizable
       end
 
       it "rejects (globally) non-valid scopes" do
-        subject.scope = "invalid"
+        attributes[:scope] = "invalid"
         expect(subject).not_to be_authorizable
       end
 
       it "rejects (application level) non-valid scopes" do
-        subject.scope = "profile"
+        attributes[:scope] = "profile"
         expect(subject).to_not be_authorizable
       end
 
       it "accepts scopes which are permitted for grant_type" do
         allow(server).to receive(:scopes_by_grant_type).and_return(authorization_code: [:public])
-        subject.scope = "public"
+        attributes[:scope] = "public"
         expect(subject).to be_authorizable
       end
 
       it "rejects scopes which are not permitted for grant_type" do
         allow(server).to receive(:scopes_by_grant_type).and_return(authorization_code: [:profile])
-        subject.scope = "public"
+        attributes[:scope] = "public"
         expect(subject).not_to be_authorizable
       end
     end
 
-    it "uses default scopes when none is required" do
-      allow(server).to receive(:default_scopes).and_return(Scopes.from_string("default"))
-      subject.scope = nil
-      expect(subject.scope).to eq("default")
-      expect(subject.scopes).to eq(Scopes.from_string("default"))
+    context "when scope is not provided to pre_authorization" do
+      before { attributes[:scope] = nil }
+
+      context "when default scopes is provided" do
+        it "uses default scopes" do
+          allow(server).to receive(:default_scopes).and_return(Scopes.from_string("default_scope"))
+          expect(subject).to be_authorizable
+          expect(subject.scope).to eq("default_scope")
+          expect(subject.scopes).to eq(Scopes.from_string("default_scope"))
+        end
+      end
+
+      context "when default scopes is none" do
+        it "not be authorizable when none default scope" do
+          allow(server).to receive(:default_scopes).and_return(Scopes.new)
+          expect(subject).not_to be_authorizable
+        end
+      end
     end
 
     it "matches the redirect uri against client's one" do
-      subject.redirect_uri = "http://nothesame.com"
+      attributes[:redirect_uri] = "http://nothesame.com"
       expect(subject).not_to be_authorizable
     end
 
@@ -159,41 +164,61 @@ module Doorkeeper::OAuth
     end
 
     it "rejects if response type is not allowed" do
-      subject.response_type = "whops"
+      attributes[:response_type] = "whops"
       expect(subject).not_to be_authorizable
     end
 
     it "requires an existing client" do
-      subject.client = nil
+      attributes[:client_id] = nil
       expect(subject).not_to be_authorizable
     end
 
     it "requires a redirect uri" do
-      subject.redirect_uri = nil
+      attributes[:redirect_uri] = nil
       expect(subject).not_to be_authorizable
     end
 
     describe "as_json" do
-      let(:client_id) { "client_uid_123" }
-      let(:client_name) { "Acme Co." }
+      before { subject.authorizable? }
 
-      before do
-        allow(client).to receive(:uid).and_return client_id
-        allow(client).to receive(:name).and_return client_name
+      it { is_expected.to respond_to :as_json }
+
+      shared_examples "returns the pre authorization" do
+        it "returns the pre authorization" do
+          expect(json[:client_id]).to eq client.uid
+          expect(json[:redirect_uri]).to eq subject.redirect_uri
+          expect(json[:state]).to eq subject.state
+          expect(json[:response_type]).to eq subject.response_type
+          expect(json[:scope]).to eq subject.scope
+          expect(json[:client_name]).to eq client.name
+          expect(json[:status]).to eq I18n.t("doorkeeper.pre_authorization.status")
+        end
       end
 
-      let(:json) { subject.as_json({}) }
+      context "when attributes param is not passed" do
+        let(:json) { subject.as_json }
 
-      it { is_expected.to respond_to :as_json }
+        include_examples "returns the pre authorization"
+      end
+
+      context "when attributes param is passed" do
+        context "when attributes is a hash" do
+          let(:custom_attributes) { { custom_id: "1234", custom_name: "a pretty good name" } }
+          let(:json) { subject.as_json(custom_attributes) }
+
+          include_examples "returns the pre authorization"
+
+          it "merges the attributes in params" do
+            expect(json[:custom_id]).to eq custom_attributes[:custom_id]
+            expect(json[:custom_name]).to eq custom_attributes[:custom_name]
+          end
+        end
+
+        context "when attributes is not a hash" do
+          let(:json) { subject.as_json(nil) }
 
-      it "returns correct values" do
-        expect(json[:client_id]).to eq client_id
-        expect(json[:redirect_uri]).to eq subject.redirect_uri
-        expect(json[:state]).to eq subject.state
-        expect(json[:response_type]).to eq subject.response_type
-        expect(json[:scope]).to eq subject.scope
-        expect(json[:client_name]).to eq client_name
-        expect(json[:status]).to eq I18n.t("doorkeeper.pre_authorization.status")
+          include_examples "returns the pre authorization"
+        end
       end
     end
   end

data/spec/lib/oauth/refresh_token_request_spec.rb

@@ -63,6 +63,7 @@ module Doorkeeper::OAuth
       subject.refresh_token = nil
       subject.validate
       expect(subject.error).to eq(:invalid_request)
+      expect(subject.missing_param).to eq(:refresh_token)
     end
 
     it "requires credentials to be valid if provided" do

data/spec/lib/oauth/token_request_spec.rb

@@ -9,15 +9,21 @@ module Doorkeeper::OAuth
     end
 
     let :pre_auth do
-      double(
-        :pre_auth,
-        client: application,
-        redirect_uri: "http://tst.com/cb",
-        state: nil,
-        scopes: Scopes.from_string("public"),
-        error: nil,
-        authorizable?: true
-      )
+      server = Doorkeeper.configuration
+      allow(server).to receive(:default_scopes).and_return(Scopes.from_string("public"))
+      allow(server).to receive(:grant_flows).and_return(Scopes.from_string("implicit"))
+
+      client = Doorkeeper::OAuth::Client.new(application)
+
+      attributes = {
+        client_id: client.uid,
+        response_type: "token",
+        redirect_uri: "https://app.com/callback",
+      }
+
+      pre_auth = PreAuthorization.new(server, attributes)
+      pre_auth.authorizable?
+      pre_auth
     end
 
     let :owner do
@@ -38,14 +44,11 @@ module Doorkeeper::OAuth
       expect(subject.authorize).to be_a(CodeResponse)
     end
 
-    it "does not create token when not authorizable" do
-      allow(pre_auth).to receive(:authorizable?).and_return(false)
-      expect { subject.authorize }.not_to(change { Doorkeeper::AccessToken.count })
-    end
-
-    it "returns a error response" do
-      allow(pre_auth).to receive(:authorizable?).and_return(false)
-      expect(subject.authorize).to be_a(ErrorResponse)
+    context "when pre_auth is denied" do
+      it "does not create token and returns a error response" do
+        expect { subject.deny }.not_to(change { Doorkeeper::AccessToken.count })
+        expect(subject.deny).to be_a(ErrorResponse)
+      end
     end
 
     describe "with custom expiration" do

data/spec/lib/server_spec.rb

@@ -10,12 +10,6 @@ describe Doorkeeper::Server do
   end
 
   describe ".authorization_request" do
-    it "raises error when strategy does not exist" do
-      expect do
-        subject.authorization_request(:duh)
-      end.to raise_error(Doorkeeper::Errors::InvalidAuthorizationStrategy)
-    end
-
     it "raises error when strategy does not match phase" do
       expect do
         subject.token_request(:code)
@@ -29,12 +23,6 @@ describe Doorkeeper::Server do
           .and_return(["authorization_code"])
       end
 
-      it "raises error when using the disabled Implicit strategy" do
-        expect do
-          subject.authorization_request(:token)
-        end.to raise_error(Doorkeeper::Errors::InvalidAuthorizationStrategy)
-      end
-
       it "raises error when using the disabled Client Credentials strategy" do
         expect do
           subject.token_request(:client_credentials)

data/spec/requests/endpoints/authorization_spec.rb

@@ -4,6 +4,7 @@ require "spec_helper"
 
 feature "Authorization endpoint" do
   background do
+    default_scopes_exist :default
     config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
     client_exists(name: "MyApp")
   end
@@ -34,16 +35,31 @@ feature "Authorization endpoint" do
     end
   end
 
-  context "with a invalid request" do
+  context "with a invalid request's param" do
     background do
       create_resource_owner
       sign_in
     end
 
-    scenario "displays the related error" do
-      visit authorization_endpoint_url(client: @client, response_type: "")
-      i_should_not_see "Authorize"
-      i_should_see_translated_error_message :unsupported_response_type
+    context "when missing required param" do
+      scenario "displays invalid_request error when missing client" do
+        visit authorization_endpoint_url(client: nil, response_type: "code")
+        i_should_not_see "Authorize"
+        i_should_see_translated_invalid_request_error_message :missing_param, :client_id
+      end
+
+      scenario "displays invalid_request error when missing response_type param" do
+        visit authorization_endpoint_url(client: @client, response_type: "")
+        i_should_not_see "Authorize"
+        i_should_see_translated_invalid_request_error_message :missing_param, :response_type
+      end
+
+      scenario "displays invalid_request error when missing scope param and authorization server has no default scopes" do
+        config_is_set(:default_scopes, [])
+        visit authorization_endpoint_url(client: @client, response_type: "code", scope: "")
+        i_should_not_see "Authorize"
+        i_should_see_translated_invalid_request_error_message :missing_param, :scope
+      end
     end
 
     scenario "displays unsupported_response_type error when using a disabled response type" do

data/spec/requests/endpoints/token_spec.rb

@@ -70,6 +70,6 @@ describe "Token endpoint" do
 
     should_not_have_json "access_token"
     should_have_json "error", "invalid_request"
-    should_have_json "error_description", translated_error_message("invalid_request")
+    should_have_json "error_description", translated_invalid_request_error_message(:missing_param, :grant_type)
   end
 end

data/spec/requests/flows/authorization_code_errors_spec.rb

@@ -5,6 +5,7 @@ require "spec_helper"
 feature "Authorization Code Flow Errors" do
   let(:client_params) { {} }
   background do
+    default_scopes_exist :default
     config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
     client_exists client_params
     create_resource_owner

data/spec/requests/flows/authorization_code_spec.rb

@@ -4,6 +4,7 @@ require "spec_helper"
 
 feature "Authorization Code Flow" do
   background do
+    default_scopes_exist :default
     config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
     client_exists
     create_resource_owner
@@ -23,6 +24,39 @@ feature "Authorization Code Flow" do
     url_should_not_have_param("error")
   end
 
+  context "when configured to check application supported grant flow" do
+    before do
+      config_is_set(:allow_grant_flow_for_client, ->(_grant_flow, client) { client.name == "admin" })
+    end
+
+    scenario "forbids the request when doesn't satisfy condition" do
+      @client.update(name: "sample app")
+
+      visit authorization_endpoint_url(client: @client)
+
+      i_should_see_translated_error_message("unauthorized_client")
+    end
+
+    scenario "allows the request when satisfies condition" do
+      @client.update(name: "admin")
+
+      visit authorization_endpoint_url(client: @client)
+      i_should_not_see_translated_error_message("unauthorized_client")
+      click_on "Authorize"
+
+      authorization_code = Doorkeeper::AccessGrant.first.token
+      create_access_token authorization_code, @client
+
+      access_token_should_exist_for(@client, @resource_owner)
+
+      should_not_have_json "error"
+
+      should_have_json "access_token", Doorkeeper::AccessToken.first.token
+      should_have_json "token_type", "Bearer"
+      should_have_json_within "expires_in", Doorkeeper::AccessToken.first.expires_in, 1
+    end
+  end
+
   context "with grant hashing enabled" do
     background do
       config_is_set(:token_secret_strategy, ::Doorkeeper::SecretStoring::Sha256Hash)
@@ -83,6 +117,17 @@ feature "Authorization Code Flow" do
     url_should_not_have_param("code_challenge_method")
   end
 
+  scenario "resource owner requests an access token without authorization code" do
+    create_access_token "", @client
+
+    access_token_should_not_exist
+
+    expect(Doorkeeper::AccessToken.count).to be_zero
+
+    should_have_json "error", "invalid_request"
+    should_have_json "error_description", translated_invalid_request_error_message(:missing_param, :code)
+  end
+
   scenario "resource owner requests an access token with authorization code" do
     visit authorization_endpoint_url(client: @client)
     click_on "Authorize"
@@ -110,6 +155,7 @@ feature "Authorization Code Flow" do
     expect(Doorkeeper::AccessToken.count).to be_zero
 
     should_have_json "error", "invalid_client"
+    should_have_json "error_description", translated_error_message(:invalid_client)
   end
 
   scenario "resource owner requests an access token with authorization code but without client id" do
@@ -123,6 +169,7 @@ feature "Authorization Code Flow" do
     expect(Doorkeeper::AccessToken.count).to be_zero
 
     should_have_json "error", "invalid_client"
+    should_have_json "error_description", translated_error_message(:invalid_client)
   end
 
   scenario "silently authorizes if matching token exists" do
@@ -165,6 +212,7 @@ feature "Authorization Code Flow" do
         create_access_token authorization_code, @client, code_verifier
 
         should_have_json "error", "invalid_grant"
+        should_have_json "error_description", translated_error_message(:invalid_grant)
       end
 
       scenario "mobile app requests an access token with authorization code and plain code challenge method" do
@@ -187,17 +235,32 @@ feature "Authorization Code Flow" do
         should_have_json_within "expires_in", Doorkeeper::AccessToken.first.expires_in, 1
       end
 
-      scenario "mobile app requests an access token with authorization code and code_challenge" do
+      scenario "mobile app requests an access token with authorization code but without code_verifier" do
         visit authorization_endpoint_url(client: @client,
-                                         code_challenge: code_verifier,
+                                         code_challenge: code_challenge,
                                          code_challenge_method: "plain")
         click_on "Authorize"
 
         authorization_code = current_params["code"]
-        create_access_token authorization_code, @client, code_verifier: nil
+        create_access_token authorization_code, @client, nil
+
+        should_not_have_json "access_token"
+        should_have_json "error", "invalid_request"
+        should_have_json "error_description", translated_invalid_request_error_message(:missing_param, :code_verifier)
+      end
+
+      scenario "mobile app requests an access token with authorization code with wrong code_verifier" do
+        visit authorization_endpoint_url(client: @client,
+                                         code_challenge: code_challenge,
+                                         code_challenge_method: "plain")
+        click_on "Authorize"
+
+        authorization_code = current_params["code"]
+        create_access_token authorization_code, @client, "wrong_code_verifier"
 
         should_not_have_json "access_token"
         should_have_json "error", "invalid_grant"
+        should_have_json "error_description", translated_error_message(:invalid_grant)
       end
     end
 
@@ -238,19 +301,6 @@ feature "Authorization Code Flow" do
         should_have_json_within "expires_in", Doorkeeper::AccessToken.first.expires_in, 1
       end
 
-      scenario "mobile app requests an access token with authorization code and without code_verifier" do
-        visit authorization_endpoint_url(
-          client: @client,
-          code_challenge: code_challenge,
-          code_challenge_method: "S256"
-        )
-        click_on "Authorize"
-        authorization_code = current_params["code"]
-        create_access_token authorization_code, @client
-        should_have_json "error", "invalid_request"
-        should_not_have_json "access_token"
-      end
-
       scenario "mobile app requests an access token with authorization code and without secret" do
         visit authorization_endpoint_url(
           client: @client,
@@ -262,8 +312,9 @@ feature "Authorization Code Flow" do
         authorization_code = current_params["code"]
         page.driver.post token_endpoint_url(code: authorization_code, client_id: @client.uid,
                                             redirect_uri: @client.redirect_uri, code_verifier: code_verifier)
-        should_have_json "error", "invalid_client"
         should_not_have_json "access_token"
+        should_have_json "error", "invalid_client"
+        should_have_json "error_description", translated_error_message(:invalid_client)
       end
 
       scenario "mobile app requests an access token with authorization code and without secret but is marked as not confidential" do
@@ -298,6 +349,7 @@ feature "Authorization Code Flow" do
 
         should_not_have_json "access_token"
         should_have_json "error", "invalid_request"
+        should_have_json "error_description", translated_invalid_request_error_message(:missing_param, :code_verifier)
       end
 
       scenario "mobile app requests an access token with authorization code with wrong verifier" do
@@ -313,6 +365,7 @@ feature "Authorization Code Flow" do
 
         should_not_have_json "access_token"
         should_have_json "error", "invalid_grant"
+        should_have_json "error_description", translated_error_message(:invalid_grant)
       end
 
       scenario "code_challenge_mehthod in token request is totally ignored" do
@@ -333,6 +386,7 @@ feature "Authorization Code Flow" do
 
         should_not_have_json "access_token"
         should_have_json "error", "invalid_grant"
+        should_have_json "error_description", translated_error_message(:invalid_grant)
       end
 
       scenario "expects to set code_challenge_method explicitely without fallback" do
@@ -344,16 +398,15 @@ feature "Authorization Code Flow" do
 
   context "when application scopes are present and no scope is passed" do
     background do
-      @client.update(scopes: "public write read")
+      @client.update(scopes: "public write read default")
     end
 
-    scenario "access grant has no scope" do
+    scenario "scope is invalid because default scope is different from application scope" do
       default_scopes_exist :admin
       visit authorization_endpoint_url(client: @client)
-      click_on "Authorize"
-      access_grant_should_exist_for(@client, @resource_owner)
-      grant = Doorkeeper::AccessGrant.first
-      expect(grant.scopes).to be_empty
+      response_status_should_be 200
+      i_should_not_see "Authorize"
+      i_should_see_translated_error_message :invalid_scope
     end
 
     scenario "access grant have scopes which are common in application scopees and default scopes" do
@@ -454,6 +507,7 @@ describe "Authorization Code Flow" do
 
       should_not_have_json "access_token"
       should_have_json "error", "invalid_grant"
+      should_have_json "error_description", translated_error_message(:invalid_grant)
     end
   end
 end

data/spec/requests/flows/client_credentials_spec.rb

@@ -66,6 +66,44 @@ describe "Client Credentials Request" do
     end
   end
 
+  context "when configured to check application supported grant flow" do
+    before do
+      Doorkeeper.configuration.instance_variable_set(
+        :@allow_grant_flow_for_client,
+        ->(_grant_flow, client) { client.name == "admin" }
+      )
+    end
+
+    scenario "forbids the request when doesn't satisfy condition" do
+      client.update(name: "sample app")
+
+      headers = authorization client.uid, client.secret
+      params  = { grant_type: "client_credentials" }
+
+      post "/oauth/token", params: params, headers: headers
+
+      should_have_json "error", "unauthorized_client"
+      should_have_json "error_description", translated_error_message(:unauthorized_client)
+    end
+
+    scenario "allows the request when satisfies condition" do
+      client.update(name: "admin")
+
+      headers = authorization client.uid, client.secret
+      params  = { grant_type: "client_credentials" }
+
+      post "/oauth/token", params: params, headers: headers
+
+      should_have_json "access_token", Doorkeeper::AccessToken.first.token
+      should_have_json_within "expires_in", Doorkeeper.configuration.access_token_expires_in, 1
+      should_not_have_json "scope"
+      should_not_have_json "refresh_token"
+
+      should_not_have_json "error"
+      should_not_have_json "error_description"
+    end
+  end
+
   context "when application scopes contain some of the default scopes and no scope is passed" do
     before do
       client.update(scopes: "read write public")