doorkeeper 5.2.0.rc2 → 5.2.0.rc3

data/lib/doorkeeper/request/authorization_code.rb

@@ -17,6 +17,8 @@ module Doorkeeper
       private
 
       def grant
+        raise Errors::MissingRequiredParameter, :code if parameters[:code].blank?
+
         AccessGrant.by_token(parameters[:code])
       end
     end

data/lib/doorkeeper/server.rb

@@ -10,12 +10,12 @@ module Doorkeeper
 
     def authorization_request(strategy)
       klass = Request.authorization_strategy strategy
-      klass.new self
+      klass.new(self)
     end
 
     def token_request(strategy)
       klass = Request.token_strategy strategy
-      klass.new self
+      klass.new(self)
     end
 
     # TODO: context should be the request
@@ -27,10 +27,6 @@ module Doorkeeper
       @client ||= OAuth::Client.authenticate(credentials)
     end
 
-    def client_via_uid
-      @client_via_uid ||= OAuth::Client.find(parameters[:client_id])
-    end
-
     def current_resource_owner
       context.send :current_resource_owner
     end

data/lib/doorkeeper/version.rb

@@ -10,7 +10,7 @@ module Doorkeeper
     MAJOR = 5
     MINOR = 2
     TINY = 0
-    PRE = "rc2"
+    PRE = "rc3"
 
     # Full version number
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

data/lib/generators/doorkeeper/templates/initializer.rb

@@ -9,7 +9,7 @@ Doorkeeper.configure do
     raise "Please configure doorkeeper resource_owner_authenticator block located in #{__FILE__}"
     # Put your resource owner authentication logic here.
     # Example implementation:
-    #   User.find_by_id(session[:user_id]) || redirect_to(new_user_session_url)
+    #   User.find_by(id: session[:user_id]) || redirect_to(new_user_session_url)
   end
 
   # If you didn't skip applications controller from Doorkeeper routes in your application routes.rb
@@ -170,7 +170,7 @@ Doorkeeper.configure do
   #
   # Keys to this hash should be the name of grant_type and
   # values should be the array of scopes for that grant type.
-  # Note: scopes should be from configured_scopes(i.e. deafult or optional)
+  # Note: scopes should be from configured_scopes(i.e. default or optional)
   #
   # scopes_by_grant_type password: [:write], client_credentials: [:update]
 
@@ -281,6 +281,37 @@ Doorkeeper.configure do
   #
   # grant_flows %w[authorization_code client_credentials]
 
+  # Allows to customize OAuth grant flows that +each+ application support.
+  # You can configure a custom block (or use a class respond to `#call`) that must
+  # return `true` in case Application instance supports requested OAuth grant flow
+  # during the authorization request to the server. This configuration +doesn't+
+  # set flows per application, it only allows to check if application supports
+  # specific grant flow.
+  #
+  # For example you can add an additional database column to `oauth_applications` table,
+  # say `t.array :grant_flows, default: []`, and store allowed grant flows that can
+  # be used with this application there. Then when authorization requested Doorkeeper
+  # will call this block to check if specific Application (passed with client_id and/or
+  # client_secret) is allowed to perform the request for the specific grant type
+  # (authorization, password, client_credentials, etc).
+  #
+  # Example of the block:
+  #
+  #   ->(flow, client) { client.grant_flows.include?(flow) }
+  #
+  # In case this option invocation result is `false`, Doorkeeper server returns
+  # :unauthorized_client error and stops the request.
+  #
+  # @param allow_grant_flow_for_client [Proc] Block or any object respond to #call
+  # @return [Boolean] `true` if allow or `false` if forbid the request
+  #
+  # allow_grant_flow_for_client do |grant_flow, client|
+  #   # `grant_flows` is an Array column with grant
+  #   # flows that application supports
+  #
+  #   client.grant_flows.include?(grant_flow)
+  # end
+
   # Hook into the strategies' request & response life-cycle in case your
   # application needs advanced customization or logging:
   #

data/lib/generators/doorkeeper/templates/migration.rb.erb

@@ -24,7 +24,7 @@ class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
       t.text     :redirect_uri,      null: false
       t.datetime :created_at,        null: false
       t.datetime :revoked_at
-      t.string   :scopes
+      t.string   :scopes,            null: false, default: ''
     end
 
     add_index :oauth_access_grants, :token, unique: true

data/spec/controllers/authorizations_controller_spec.rb

@@ -14,16 +14,14 @@ describe Doorkeeper::AuthorizationsController, "implicit grant flow" do
     end
   end
 
-  def translated_error_message(key)
-    I18n.translate key, scope: %i[doorkeeper errors messages]
-  end
-
   let(:client)        { FactoryBot.create :application }
   let(:user)          { User.create!(name: "Joe", password: "sekret") }
-  let(:access_token)  { FactoryBot.build :access_token, resource_owner_id: user.id, application_id: client.id }
+  let(:access_token)  { FactoryBot.build :access_token, resource_owner_id: user.id, application_id: client.id, scopes: "default" }
 
   before do
     Doorkeeper.configure do
+      default_scopes :default
+
       custom_access_token_expires_in(lambda do |context|
         context.grant_type == Doorkeeper::OAuth::IMPLICIT ? 1234 : nil
       end)
@@ -106,80 +104,146 @@ describe Doorkeeper::AuthorizationsController, "implicit grant flow" do
   end
 
   describe "POST #create with errors" do
-    before do
-      default_scopes_exist :public
+    context "when missing client_id" do
+      before do
+        post :create, params: {
+          client_id: "",
+          response_type: "token",
+          redirect_uri: client.redirect_uri,
+        }
+      end
 
-      post :create, params: {
-        client_id: client.uid,
-        response_type: "token",
-        scope: "invalid",
-        redirect_uri: client.redirect_uri,
-      }
-    end
+      let(:response_json_body) { JSON.parse(response.body) }
 
-    it "redirects after authorization" do
-      expect(response).to be_redirect
-    end
+      it "renders 400 error" do
+        expect(response.status).to eq 400
+      end
 
-    it "redirects to client redirect uri" do
-      expect(response.location).to match(/^#{client.redirect_uri}/)
-    end
+      it "includes error name" do
+        expect(response_json_body["error"]).to eq("invalid_request")
+      end
 
-    it "does not include access token in fragment" do
-      expect(response.query_params["access_token"]).to be_nil
-    end
+      it "includes error description" do
+        expect(response_json_body["error_description"]).to eq(
+          translated_invalid_request_error_message(:missing_param, :client_id)
+        )
+      end
 
-    it "includes error in fragment" do
-      expect(response.query_params["error"]).to eq("invalid_scope")
+      it "does not issue any access token" do
+        expect(Doorkeeper::AccessToken.all).to be_empty
+      end
     end
 
-    it "includes error description in fragment" do
-      expect(response.query_params["error_description"]).to eq(translated_error_message(:invalid_scope))
-    end
+    context "when other error happens" do
+      before do
+        default_scopes_exist :public
+
+        post :create, params: {
+          client_id: client.uid,
+          response_type: "token",
+          scope: "invalid",
+          redirect_uri: client.redirect_uri,
+        }
+      end
+
+      it "redirects after authorization" do
+        expect(response).to be_redirect
+      end
+
+      it "redirects to client redirect uri" do
+        expect(response.location).to match(/^#{client.redirect_uri}/)
+      end
+
+      it "does not include access token in fragment" do
+        expect(response.query_params["access_token"]).to be_nil
+      end
+
+      it "includes error in fragment" do
+        expect(response.query_params["error"]).to eq("invalid_scope")
+      end
 
-    it "does not issue any access token" do
-      expect(Doorkeeper::AccessToken.all).to be_empty
+      it "includes error description in fragment" do
+        expect(response.query_params["error_description"]).to eq(translated_error_message(:invalid_scope))
+      end
+
+      it "does not issue any access token" do
+        expect(Doorkeeper::AccessToken.all).to be_empty
+      end
     end
   end
 
   describe "POST #create in API mode with errors" do
-    before do
-      allow(Doorkeeper.configuration).to receive(:api_only).and_return(true)
-      default_scopes_exist :public
+    context "when missing client_id" do
+      before do
+        allow(Doorkeeper.configuration).to receive(:api_only).and_return(true)
 
-      post :create, params: {
-        client_id: client.uid,
-        response_type: "token",
-        scope: "invalid",
-        redirect_uri: client.redirect_uri,
-      }
-    end
+        post :create, params: {
+          client_id: "",
+          response_type: "token",
+          redirect_uri: client.redirect_uri,
+        }
+      end
 
-    let(:response_json_body) { JSON.parse(response.body) }
-    let(:redirect_uri) { response_json_body["redirect_uri"] }
+      let(:response_json_body) { JSON.parse(response.body) }
 
-    it "renders 400 error" do
-      expect(response.status).to eq 400
-    end
+      it "renders 400 error" do
+        expect(response.status).to eq 400
+      end
 
-    it "includes correct redirect URI" do
-      expect(redirect_uri).to match(/^#{client.redirect_uri}/)
-    end
+      it "includes error name" do
+        expect(response_json_body["error"]).to eq("invalid_request")
+      end
 
-    it "does not include access token in fragment" do
-      expect(redirect_uri.match(/access_token=([a-f0-9]+)&?/)).to be_nil
-    end
+      it "includes error description" do
+        expect(response_json_body["error_description"]).to eq(
+          translated_invalid_request_error_message(:missing_param, :client_id)
+        )
+      end
 
-    it "includes error in redirect uri" do
-      expect(redirect_uri.match(/error=([a-z_]+)&?/)[1]).to eq "invalid_scope"
+      it "does not issue any access token" do
+        expect(Doorkeeper::AccessToken.all).to be_empty
+      end
     end
 
-    it "includes error description in redirect uri" do
-      expect(redirect_uri.match(/error_description=(.+)&?/)[1]).to_not be_nil
-    end
+    context "when other error happens" do
+      before do
+        allow(Doorkeeper.configuration).to receive(:api_only).and_return(true)
+        default_scopes_exist :public
+
+        post :create, params: {
+          client_id: client.uid,
+          response_type: "token",
+          scope: "invalid",
+          redirect_uri: client.redirect_uri,
+        }
+      end
 
-    it "does not issue any access token" do
-      expect(Doorkeeper::AccessToken.all).to be_empty
+      let(:response_json_body) { JSON.parse(response.body) }
+      let(:redirect_uri) { response_json_body["redirect_uri"] }
+
+      it "renders 400 error" do
+        expect(response.status).to eq 400
+      end
+
+      it "includes correct redirect URI" do
+        expect(redirect_uri).to match(/^#{client.redirect_uri}/)
+      end
+
+      it "does not include access token in fragment" do
+        expect(redirect_uri.match(/access_token=([a-f0-9]+)&?/)).to be_nil
+      end
+
+      it "includes error in redirect uri" do
+        expect(redirect_uri.match(/error=([a-z_]+)&?/)[1]).to eq "invalid_scope"
+      end
+
+      it "includes error description in redirect uri" do
+        expect(redirect_uri.match(/error_description=(.+)&?/)[1]).to_not be_nil
+      end
+
+      it "does not issue any access token" do
+        expect(Doorkeeper::AccessToken.all).to be_empty
+      end
     end
   end
 
@@ -368,7 +432,7 @@ describe Doorkeeper::AuthorizationsController, "implicit grant flow" do
       expect(json_response["redirect_uri"]).to eq(client.redirect_uri)
       expect(json_response["state"]).to be_nil
       expect(json_response["response_type"]).to eq("token")
-      expect(json_response["scope"]).to eq("")
+      expect(json_response["scope"]).to eq("default")
     end
   end
 
@@ -445,12 +509,12 @@ describe Doorkeeper::AuthorizationsController, "implicit grant flow" do
     end
 
     it "includes error in body" do
-      expect(response_json_body["error"]).to eq("unsupported_response_type")
+      expect(response_json_body["error"]).to eq("invalid_request")
     end
 
     it "includes error description in body" do
       expect(response_json_body["error_description"])
-        .to eq(translated_error_message(:unsupported_response_type))
+        .to eq(translated_invalid_request_error_message(:missing_param, :client_id))
     end
 
     it "does not issue any token" do
@@ -513,6 +577,8 @@ describe Doorkeeper::AuthorizationsController, "implicit grant flow" do
 
   describe "authorize response memoization" do
     it "memoizes the result of the authorization" do
+      pre_auth = double(:pre_auth, authorizable?: true)
+      allow(controller).to receive(:pre_auth) { pre_auth }
       strategy = double(:strategy, authorize: true)
       expect(strategy).to receive(:authorize).once
       allow(controller).to receive(:strategy) { strategy }

data/spec/controllers/protected_resources_controller_spec.rb

@@ -166,7 +166,7 @@ describe "doorkeeper authorize filter" do
       it "it renders a custom JSON response", token: :invalid do
         get :index, params: { access_token: token_string }
         expect(response.status).to eq 401
-        expect(response.content_type).to eq("application/json")
+        expect(response.content_type).to include("application/json")
         expect(response.header["WWW-Authenticate"]).to match(/^Bearer/)
 
         expect(json_response).not_to be_nil
@@ -196,7 +196,7 @@ describe "doorkeeper authorize filter" do
       it "it renders a custom text response", token: :invalid do
         get :index, params: { access_token: token_string }
         expect(response.status).to eq 401
-        expect(response.content_type).to eq("text/plain")
+        expect(response.content_type).to include("text/plain")
         expect(response.header["WWW-Authenticate"]).to match(/^Bearer/)
         expect(response.body).to eq("Unauthorized")
       end
@@ -246,7 +246,7 @@ describe "doorkeeper authorize filter" do
       it "renders a custom JSON response" do
         get :index, params: { access_token: token_string }
         expect(response.header).to_not include("WWW-Authenticate")
-        expect(response.content_type).to eq("application/json")
+        expect(response.content_type).to include("application/json")
         expect(response.status).to eq 403
 
         expect(json_response).not_to be_nil

data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb

@@ -25,7 +25,7 @@ class CreateDoorkeeperTables < ActiveRecord::Migration[4.2]
       t.text     :redirect_uri,      null: false
       t.datetime :created_at,        null: false
       t.datetime :revoked_at
-      t.string   :scopes
+      t.string   :scopes,            null: false, default: ""
     end
 
     add_index :oauth_access_grants, :token, unique: true

data/spec/lib/config_spec.rb

@@ -517,6 +517,23 @@ describe Doorkeeper, "configuration" do
     end
   end
 
+  describe "base_metal_controller" do
+    context "default" do
+      it { expect(Doorkeeper.configuration.base_metal_controller).to eq("ActionController::API") }
+    end
+
+    context "custom" do
+      before do
+        Doorkeeper.configure do
+          orm DOORKEEPER_ORM
+          base_metal_controller "ApplicationController"
+        end
+      end
+
+      it { expect(Doorkeeper.configuration.base_metal_controller).to eq("ApplicationController") }
+    end
+  end
+
   if DOORKEEPER_ORM == :active_record
     describe "active_record_options" do
       let(:models) { [Doorkeeper::AccessGrant, Doorkeeper::AccessToken, Doorkeeper::Application] }

data/spec/lib/oauth/authorization_code_request_spec.rb

@@ -23,7 +23,7 @@ module Doorkeeper::OAuth
     end
 
     subject do
-      AuthorizationCodeRequest.new server, grant, client, params
+      AuthorizationCodeRequest.new(server, grant, client, params)
     end
 
     it "issues a new token for the client" do
@@ -65,6 +65,16 @@ module Doorkeeper::OAuth
       subject.redirect_uri = nil
       subject.validate
       expect(subject.error).to eq(:invalid_request)
+      expect(subject.missing_param).to eq(:redirect_uri)
+    end
+
+    it "invalid code_verifier param because server does not support pkce" do
+      allow_any_instance_of(Doorkeeper::AccessGrant).to receive(:respond_to?).with(:code_challenge).and_return(false)
+
+      subject.code_verifier = "a45a9fea-0676-477e-95b1-a40f72ac3cfb"
+      subject.validate
+      expect(subject.error).to eq(:invalid_request)
+      expect(subject.invalid_request_reason).to eq(:not_support_pkce)
     end
 
     it "matches the redirect_uri with grant's one" do

data/spec/lib/oauth/base_request_spec.rb

@@ -66,27 +66,44 @@ module Doorkeeper::OAuth
       end
 
       context "invalid" do
-        before do
-          allow(subject).to receive(:valid?).and_return(false)
-          allow(subject).to receive(:error).and_return("server_error")
-          allow(subject).to receive(:state).and_return("hello")
+        context "with error other than invalid_request" do
+          before do
+            allow(subject).to receive(:valid?).and_return(false)
+            allow(subject).to receive(:error).and_return(:server_error)
+            allow(subject).to receive(:state).and_return("hello")
+          end
+
+          it "returns an ErrorResponse object" do
+            result = subject.authorize
+
+            expect(result).to be_an_instance_of(ErrorResponse)
+
+            expect(result.body).to eq(
+              error: :server_error,
+              error_description: translated_error_message(:server_error),
+              state: "hello"
+            )
+          end
         end
 
-        it "returns an ErrorResponse object" do
-          error_description = I18n.translate(
-            "server_error",
-            scope: %i[doorkeeper errors messages]
-          )
+        context "with invalid_request error" do
+          before do
+            allow(subject).to receive(:valid?).and_return(false)
+            allow(subject).to receive(:error).and_return(:invalid_request)
+            allow(subject).to receive(:state).and_return("hello")
+          end
 
-          result = subject.authorize
+          it "returns an InvalidRequestResponse object" do
+            result = subject.authorize
 
-          expect(result).to be_an_instance_of(ErrorResponse)
+            expect(result).to be_an_instance_of(InvalidRequestResponse)
 
-          expect(result.body).to eq(
-            error: "server_error",
-            error_description: error_description,
-            state: "hello"
-          )
+            expect(result.body).to eq(
+              error: :invalid_request,
+              error_description: translated_invalid_request_error_message(:unknown, :unknown),
+              state: "hello"
+            )
+          end
         end
       end
     end