doorkeeper 5.2.0.rc1 → 5.2.0

data/spec/requests/flows/implicit_grant_errors_spec.rb

@@ -4,6 +4,7 @@ require "spec_helper"
 
 feature "Implicit Grant Flow Errors" do
   background do
+    default_scopes_exist :default
     config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
     config_is_set(:grant_flows, ["implicit"])
     client_exists
@@ -15,20 +16,31 @@ feature "Implicit Grant Flow Errors" do
     access_token_should_not_exist
   end
 
-  [
-    %i[client_id invalid_client],
-    %i[redirect_uri invalid_redirect_uri],
-  ].each do |error|
-    scenario "displays #{error.last} error for invalid #{error.first}" do
-      visit authorization_endpoint_url(client: @client, error.first => "invalid", response_type: "token")
+  context "when validate client_id param" do
+    scenario "displays invalid_client error for invalid client_id" do
+      visit authorization_endpoint_url(client_id: "invalid", response_type: "token")
       i_should_not_see "Authorize"
-      i_should_see_translated_error_message error.last
+      i_should_see_translated_error_message :invalid_client
     end
 
-    scenario "displays #{error.last} error when #{error.first} is missing" do
-      visit authorization_endpoint_url(client: @client, error.first => "", response_type: "token")
+    scenario "displays invalid_request error when client_id is missing" do
+      visit authorization_endpoint_url(client_id: "", response_type: "token")
       i_should_not_see "Authorize"
-      i_should_see_translated_error_message error.last
+      i_should_see_translated_invalid_request_error_message :missing_param, :client_id
+    end
+  end
+
+  context "when validate redirect_uri param" do
+    scenario "displays invalid_redirect_uri error for invalid redirect_uri" do
+      visit authorization_endpoint_url(client: @client, redirect_uri: "invalid", response_type: "token")
+      i_should_not_see "Authorize"
+      i_should_see_translated_error_message :invalid_redirect_uri
+    end
+
+    scenario "displays invalid_redirect_uri error when redirect_uri is missing" do
+      visit authorization_endpoint_url(client: @client, redirect_uri: "", response_type: "token")
+      i_should_not_see "Authorize"
+      i_should_see_translated_error_message :invalid_redirect_uri
     end
   end
 end

data/spec/requests/flows/implicit_grant_spec.rb

@@ -4,6 +4,7 @@ require "spec_helper"
 
 feature "Implicit Grant Flow (feature spec)" do
   background do
+    default_scopes_exist :default
     config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
     config_is_set(:grant_flows, ["implicit"])
     client_exists
@@ -25,16 +26,15 @@ feature "Implicit Grant Flow (feature spec)" do
       @client.update(scopes: "public write read")
     end
 
-    scenario "access token has no scopes" do
+    scenario "scope is invalid because default scope is different from application scope" do
       default_scopes_exist :admin
       visit authorization_endpoint_url(client: @client, response_type: "token")
-      click_on "Authorize"
-      access_token_should_exist_for @client, @resource_owner
-      token = Doorkeeper::AccessToken.first
-      expect(token.scopes).to be_empty
+      response_status_should_be 200
+      i_should_not_see "Authorize"
+      i_should_see_translated_error_message :invalid_scope
     end
 
-    scenario "access token has scopes which are common in application scopees and default scopes" do
+    scenario "access token has scopes which are common in application scopes and default scopes" do
       default_scopes_exist :public, :write
       visit authorization_endpoint_url(client: @client, response_type: "token")
       click_on "Authorize"
@@ -46,6 +46,7 @@ end
 
 describe "Implicit Grant Flow (request spec)" do
   before do
+    default_scopes_exist :default
     config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
     config_is_set(:grant_flows, ["implicit"])
     client_exists
@@ -56,7 +57,7 @@ describe "Implicit Grant Flow (request spec)" do
     it "should return a new token each request" do
       allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(false)
 
-      token = client_is_authorized(@client, @resource_owner)
+      token = client_is_authorized(@client, @resource_owner, scopes: "default")
 
       post "/oauth/authorize",
            params: {
@@ -73,7 +74,7 @@ describe "Implicit Grant Flow (request spec)" do
     it "should return the same token if it is still accessible" do
       allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
 
-      token = client_is_authorized(@client, @resource_owner)
+      token = client_is_authorized(@client, @resource_owner, scopes: "default")
 
       post "/oauth/authorize",
            params: {

data/spec/requests/flows/password_spec.rb

@@ -31,6 +31,43 @@ describe "Resource Owner Password Credentials Flow" do
     context "with non-confidential/public client" do
       let(:client_attributes) { { confidential: false } }
 
+      context "when configured to check application supported grant flow" do
+        before do
+          Doorkeeper.configuration.instance_variable_set(
+            :@allow_grant_flow_for_client,
+            ->(_grant_flow, client) { client.name == "admin" }
+          )
+        end
+
+        scenario "forbids the request when doesn't satisfy condition" do
+          @client.update(name: "sample app")
+
+          expect do
+            post password_token_endpoint_url(
+              client_id: @client.uid,
+              client_secret: "foobar",
+              resource_owner: @resource_owner
+            )
+          end.not_to(change { Doorkeeper::AccessToken.count })
+
+          expect(response.status).to eq(401)
+          should_have_json "error", "invalid_client"
+        end
+
+        scenario "allows the request when satisfies condition" do
+          @client.update(name: "admin")
+
+          expect do
+            post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
+          end.to change { Doorkeeper::AccessToken.count }.by(1)
+
+          token = Doorkeeper::AccessToken.first
+
+          expect(token.application_id).to eq @client.id
+          should_have_json "access_token", token.token
+        end
+      end
+
       context "when client_secret absent" do
         it "should issue new token" do
           expect do

data/spec/requests/flows/refresh_token_spec.rb

@@ -172,7 +172,7 @@ describe "Refresh Token Flow" do
       post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
 
       should_not_have_json "refresh_token"
-      should_have_json "error", "invalid_request"
+      should_have_json "error", "invalid_grant"
     end
   end
 

data/spec/support/helpers/request_spec_helper.rb

@@ -54,7 +54,7 @@ module RequestSpecHelper
   end
 
   def with_header(header, value)
-    page.driver.header header, value
+    page.driver.header(header, value)
   end
 
   def basic_auth_header_for_client(client)
@@ -86,8 +86,20 @@ module RequestSpecHelper
     i_should_see translated_error_message(key)
   end
 
+  def i_should_not_see_translated_error_message(key)
+    i_should_not_see translated_error_message(key)
+  end
+
   def translated_error_message(key)
-    I18n.translate key, scope: %i[doorkeeper errors messages]
+    I18n.translate(key, scope: %i[doorkeeper errors messages])
+  end
+
+  def i_should_see_translated_invalid_request_error_message(key, value)
+    i_should_see translated_invalid_request_error_message(key, value)
+  end
+
+  def translated_invalid_request_error_message(key, value)
+    I18n.translate key, scope: %i[doorkeeper errors messages invalid_request], value: value
   end
 
   def response_status_should_be(status)

data/spec/validators/redirect_uri_validator_spec.rb

@@ -2,7 +2,7 @@
 
 require "spec_helper"
 
-describe RedirectUriValidator do
+describe Doorkeeper::RedirectUriValidator do
   subject do
     FactoryBot.create(:application)
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper
 version: !ruby/object:Gem::Version
-  version: 5.2.0.rc1
+  version: 5.2.0
 platform: ruby
 authors:
 - Felipe Elias Philipp
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-05-23 00:00:00.000000000 Z
+date: 2019-09-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -179,6 +179,7 @@ files:
 - CODE_OF_CONDUCT.md
 - CONTRIBUTING.md
 - Dangerfile
+- Dockerfile
 - Gemfile
 - MIT-LICENSE
 - NEWS.md
@@ -197,7 +198,6 @@ files:
 - app/controllers/doorkeeper/token_info_controller.rb
 - app/controllers/doorkeeper/tokens_controller.rb
 - app/helpers/doorkeeper/dashboard_helper.rb
-- app/validators/redirect_uri_validator.rb
 - app/views/doorkeeper/applications/_delete_form.html.erb
 - app/views/doorkeeper/applications/_form.html.erb
 - app/views/doorkeeper/applications/edit.html.erb
@@ -260,6 +260,7 @@ files:
 - lib/doorkeeper/oauth/helpers/scope_checker.rb
 - lib/doorkeeper/oauth/helpers/unique_token.rb
 - lib/doorkeeper/oauth/helpers/uri_checker.rb
+- lib/doorkeeper/oauth/invalid_request_response.rb
 - lib/doorkeeper/oauth/invalid_token_response.rb
 - lib/doorkeeper/oauth/nonstandard.rb
 - lib/doorkeeper/oauth/password_access_token_request.rb
@@ -274,6 +275,7 @@ files:
 - lib/doorkeeper/orm/active_record/access_grant.rb
 - lib/doorkeeper/orm/active_record/access_token.rb
 - lib/doorkeeper/orm/active_record/application.rb
+- lib/doorkeeper/orm/active_record/redirect_uri_validator.rb
 - lib/doorkeeper/orm/active_record/stale_records_cleaner.rb
 - lib/doorkeeper/rails/helpers.rb
 - lib/doorkeeper/rails/routes.rb
@@ -395,6 +397,7 @@ files:
 - spec/lib/oauth/helpers/scope_checker_spec.rb
 - spec/lib/oauth/helpers/unique_token_spec.rb
 - spec/lib/oauth/helpers/uri_checker_spec.rb
+- spec/lib/oauth/invalid_request_response_spec.rb
 - spec/lib/oauth/invalid_token_response_spec.rb
 - spec/lib/oauth/password_access_token_request_spec.rb
 - spec/lib/oauth/pre_authorization_spec.rb
@@ -452,7 +455,12 @@ files:
 homepage: https://github.com/doorkeeper-gem/doorkeeper
 licenses:
 - MIT
-metadata: {}
+metadata:
+  homepage_uri: https://github.com/doorkeeper-gem/doorkeeper
+  changelog_uri: https://github.com/doorkeeper-gem/doorkeeper/blob/master/CHANGELOG.md
+  source_code_uri: https://github.com/doorkeeper-gem/doorkeeper
+  bug_tracker_uri: https://github.com/doorkeeper-gem/doorkeeper/issues
+  documentation_uri: https://doorkeeper.gitbook.io/guides/
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -464,9 +472,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
 rubygems_version: 3.0.2
 signing_key: 
@@ -556,6 +564,7 @@ test_files:
 - spec/lib/oauth/helpers/scope_checker_spec.rb
 - spec/lib/oauth/helpers/unique_token_spec.rb
 - spec/lib/oauth/helpers/uri_checker_spec.rb
+- spec/lib/oauth/invalid_request_response_spec.rb
 - spec/lib/oauth/invalid_token_response_spec.rb
 - spec/lib/oauth/password_access_token_request_spec.rb
 - spec/lib/oauth/pre_authorization_spec.rb

data/app/validators/redirect_uri_validator.rb

@@ -1,60 +0,0 @@
-# frozen_string_literal: true
-
-require "uri"
-
-# ActiveModel validator for redirect URI validation in according
-# to OAuth standards and Doorkeeper configuration.
-#
-class RedirectUriValidator < ActiveModel::EachValidator
-  def validate_each(record, attribute, value)
-    if value.blank?
-      return if Doorkeeper.configuration.allow_blank_redirect_uri?(record)
-
-      record.errors.add(attribute, :blank)
-    else
-      value.split.each do |val|
-        next if oob_redirect_uri?(val)
-
-        uri = ::URI.parse(val)
-        record.errors.add(attribute, :forbidden_uri) if forbidden_uri?(uri)
-        record.errors.add(attribute, :fragment_present) unless uri.fragment.nil?
-        record.errors.add(attribute, :unspecified_scheme) if unspecified_scheme?(uri)
-        record.errors.add(attribute, :relative_uri) if relative_uri?(uri)
-        record.errors.add(attribute, :secured_uri) if invalid_ssl_uri?(uri)
-      end
-    end
-  rescue URI::InvalidURIError
-    record.errors.add(attribute, :invalid_uri)
-  end
-
-  private
-
-  def oob_redirect_uri?(uri)
-    Doorkeeper::OAuth::NonStandard::IETF_WG_OAUTH2_OOB_METHODS.include?(uri)
-  end
-
-  def forbidden_uri?(uri)
-    Doorkeeper.configuration.forbid_redirect_uri.call(uri)
-  end
-
-  def unspecified_scheme?(uri)
-    return true if uri.opaque.present?
-
-    %w[localhost].include?(uri.try(:scheme))
-  end
-
-  def relative_uri?(uri)
-    uri.scheme.nil? && uri.host.nil?
-  end
-
-  def invalid_ssl_uri?(uri)
-    forces_ssl = Doorkeeper.configuration.force_ssl_in_redirect_uri
-    non_https = uri.try(:scheme) == "http"
-
-    if forces_ssl.respond_to?(:call)
-      forces_ssl.call(uri) && non_https
-    else
-      forces_ssl && non_https
-    end
-  end
-end