doorkeeper 5.2.2 → 5.5.4
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of doorkeeper might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +198 -3
- data/README.md +28 -20
- data/app/controllers/doorkeeper/application_controller.rb +3 -2
- data/app/controllers/doorkeeper/application_metal_controller.rb +2 -2
- data/app/controllers/doorkeeper/applications_controller.rb +7 -8
- data/app/controllers/doorkeeper/authorizations_controller.rb +48 -18
- data/app/controllers/doorkeeper/authorized_applications_controller.rb +6 -6
- data/app/controllers/doorkeeper/token_info_controller.rb +12 -2
- data/app/controllers/doorkeeper/tokens_controller.rb +70 -25
- data/app/helpers/doorkeeper/dashboard_helper.rb +1 -1
- data/app/views/doorkeeper/applications/_form.html.erb +1 -1
- data/app/views/doorkeeper/applications/show.html.erb +35 -14
- data/app/views/doorkeeper/authorizations/form_post.html.erb +15 -0
- data/app/views/doorkeeper/authorizations/new.html.erb +2 -0
- data/config/locales/en.yml +9 -2
- data/lib/doorkeeper/config/abstract_builder.rb +28 -0
- data/lib/doorkeeper/config/option.rb +26 -14
- data/lib/doorkeeper/config/validations.rb +53 -0
- data/lib/doorkeeper/config.rb +214 -122
- data/lib/doorkeeper/engine.rb +1 -1
- data/lib/doorkeeper/grant_flow/fallback_flow.rb +15 -0
- data/lib/doorkeeper/grant_flow/flow.rb +44 -0
- data/lib/doorkeeper/grant_flow/registry.rb +50 -0
- data/lib/doorkeeper/grant_flow.rb +45 -0
- data/lib/doorkeeper/grape/helpers.rb +2 -2
- data/lib/doorkeeper/helpers/controller.rb +18 -12
- data/lib/doorkeeper/models/access_grant_mixin.rb +23 -19
- data/lib/doorkeeper/models/access_token_mixin.rb +157 -55
- data/lib/doorkeeper/models/application_mixin.rb +8 -7
- data/lib/doorkeeper/models/concerns/expirable.rb +1 -1
- data/lib/doorkeeper/models/concerns/ownership.rb +1 -1
- data/lib/doorkeeper/models/concerns/resource_ownerable.rb +47 -0
- data/lib/doorkeeper/models/concerns/reusable.rb +1 -1
- data/lib/doorkeeper/models/concerns/revocable.rb +1 -28
- data/lib/doorkeeper/models/concerns/scopes.rb +5 -1
- data/lib/doorkeeper/models/concerns/secret_storable.rb +1 -3
- data/lib/doorkeeper/oauth/authorization/code.rb +22 -9
- data/lib/doorkeeper/oauth/authorization/context.rb +5 -5
- data/lib/doorkeeper/oauth/authorization/token.rb +23 -18
- data/lib/doorkeeper/oauth/authorization/uri_builder.rb +4 -4
- data/lib/doorkeeper/oauth/authorization_code_request.rb +30 -20
- data/lib/doorkeeper/oauth/base_request.rb +19 -23
- data/lib/doorkeeper/oauth/client/credentials.rb +2 -4
- data/lib/doorkeeper/oauth/client.rb +8 -9
- data/lib/doorkeeper/oauth/client_credentials/creator.rb +38 -12
- data/lib/doorkeeper/oauth/client_credentials/issuer.rb +10 -8
- data/lib/doorkeeper/oauth/client_credentials/{validation.rb → validator.rb} +7 -5
- data/lib/doorkeeper/oauth/client_credentials_request.rb +8 -7
- data/lib/doorkeeper/oauth/code_request.rb +4 -4
- data/lib/doorkeeper/oauth/code_response.rb +24 -14
- data/lib/doorkeeper/oauth/error.rb +1 -1
- data/lib/doorkeeper/oauth/error_response.rb +10 -11
- data/lib/doorkeeper/oauth/forbidden_token_response.rb +2 -1
- data/lib/doorkeeper/oauth/helpers/scope_checker.rb +8 -12
- data/lib/doorkeeper/oauth/helpers/unique_token.rb +10 -7
- data/lib/doorkeeper/oauth/helpers/uri_checker.rb +1 -19
- data/lib/doorkeeper/oauth/hooks/context.rb +21 -0
- data/lib/doorkeeper/oauth/invalid_request_response.rb +3 -3
- data/lib/doorkeeper/oauth/invalid_token_response.rb +7 -4
- data/lib/doorkeeper/oauth/password_access_token_request.rb +28 -10
- data/lib/doorkeeper/oauth/pre_authorization.rb +73 -37
- data/lib/doorkeeper/oauth/refresh_token_request.rb +35 -26
- data/lib/doorkeeper/oauth/token.rb +6 -7
- data/lib/doorkeeper/oauth/token_introspection.rb +12 -16
- data/lib/doorkeeper/oauth/token_request.rb +3 -3
- data/lib/doorkeeper/oauth/token_response.rb +1 -1
- data/lib/doorkeeper/orm/active_record/access_grant.rb +4 -43
- data/lib/doorkeeper/orm/active_record/access_token.rb +4 -35
- data/lib/doorkeeper/orm/active_record/application.rb +5 -95
- data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +69 -0
- data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +60 -0
- data/lib/doorkeeper/orm/active_record/mixins/application.rb +199 -0
- data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb +8 -3
- data/lib/doorkeeper/orm/active_record.rb +5 -7
- data/lib/doorkeeper/rails/helpers.rb +4 -4
- data/lib/doorkeeper/rails/routes/abstract_router.rb +35 -0
- data/lib/doorkeeper/rails/routes/mapper.rb +2 -2
- data/lib/doorkeeper/rails/routes/registry.rb +45 -0
- data/lib/doorkeeper/rails/routes.rb +17 -25
- data/lib/doorkeeper/rake/db.rake +6 -6
- data/lib/doorkeeper/rake/setup.rake +5 -0
- data/lib/doorkeeper/request/authorization_code.rb +3 -3
- data/lib/doorkeeper/request/client_credentials.rb +2 -2
- data/lib/doorkeeper/request/password.rb +3 -2
- data/lib/doorkeeper/request/refresh_token.rb +5 -4
- data/lib/doorkeeper/request/strategy.rb +2 -2
- data/lib/doorkeeper/request.rb +49 -12
- data/lib/doorkeeper/server.rb +5 -5
- data/lib/doorkeeper/stale_records_cleaner.rb +4 -4
- data/lib/doorkeeper/version.rb +2 -6
- data/lib/doorkeeper.rb +112 -81
- data/lib/generators/doorkeeper/application_owner_generator.rb +1 -1
- data/lib/generators/doorkeeper/confidential_applications_generator.rb +2 -2
- data/lib/generators/doorkeeper/enable_polymorphic_resource_owner_generator.rb +39 -0
- data/lib/generators/doorkeeper/migration_generator.rb +1 -1
- data/lib/generators/doorkeeper/pkce_generator.rb +1 -1
- data/lib/generators/doorkeeper/previous_refresh_token_generator.rb +2 -2
- data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +3 -1
- data/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb.erb +2 -0
- data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +2 -0
- data/lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb +17 -0
- data/lib/generators/doorkeeper/templates/initializer.rb +99 -14
- data/lib/generators/doorkeeper/templates/migration.rb.erb +14 -5
- metadata +37 -306
- data/Appraisals +0 -40
- data/CODE_OF_CONDUCT.md +0 -46
- data/CONTRIBUTING.md +0 -49
- data/Dangerfile +0 -67
- data/Dockerfile +0 -29
- data/Gemfile +0 -25
- data/NEWS.md +0 -1
- data/RELEASING.md +0 -11
- data/Rakefile +0 -28
- data/SECURITY.md +0 -15
- data/UPGRADE.md +0 -2
- data/bin/console +0 -16
- data/doorkeeper.gemspec +0 -42
- data/gemfiles/rails_5_0.gemfile +0 -18
- data/gemfiles/rails_5_1.gemfile +0 -18
- data/gemfiles/rails_5_2.gemfile +0 -18
- data/gemfiles/rails_6_0.gemfile +0 -18
- data/gemfiles/rails_master.gemfile +0 -18
- data/spec/controllers/application_metal_controller_spec.rb +0 -64
- data/spec/controllers/applications_controller_spec.rb +0 -273
- data/spec/controllers/authorizations_controller_spec.rb +0 -608
- data/spec/controllers/protected_resources_controller_spec.rb +0 -353
- data/spec/controllers/token_info_controller_spec.rb +0 -50
- data/spec/controllers/tokens_controller_spec.rb +0 -498
- data/spec/dummy/Rakefile +0 -9
- data/spec/dummy/app/assets/config/manifest.js +0 -2
- data/spec/dummy/app/controllers/application_controller.rb +0 -5
- data/spec/dummy/app/controllers/custom_authorizations_controller.rb +0 -9
- data/spec/dummy/app/controllers/full_protected_resources_controller.rb +0 -14
- data/spec/dummy/app/controllers/home_controller.rb +0 -18
- data/spec/dummy/app/controllers/metal_controller.rb +0 -13
- data/spec/dummy/app/controllers/semi_protected_resources_controller.rb +0 -13
- data/spec/dummy/app/helpers/application_helper.rb +0 -7
- data/spec/dummy/app/models/user.rb +0 -7
- data/spec/dummy/app/views/home/index.html.erb +0 -0
- data/spec/dummy/app/views/layouts/application.html.erb +0 -14
- data/spec/dummy/config/application.rb +0 -49
- data/spec/dummy/config/boot.rb +0 -7
- data/spec/dummy/config/database.yml +0 -15
- data/spec/dummy/config/environment.rb +0 -5
- data/spec/dummy/config/environments/development.rb +0 -31
- data/spec/dummy/config/environments/production.rb +0 -64
- data/spec/dummy/config/environments/test.rb +0 -45
- data/spec/dummy/config/initializers/backtrace_silencers.rb +0 -9
- data/spec/dummy/config/initializers/doorkeeper.rb +0 -166
- data/spec/dummy/config/initializers/secret_token.rb +0 -10
- data/spec/dummy/config/initializers/session_store.rb +0 -10
- data/spec/dummy/config/initializers/wrap_parameters.rb +0 -16
- data/spec/dummy/config/locales/doorkeeper.en.yml +0 -5
- data/spec/dummy/config/routes.rb +0 -13
- data/spec/dummy/config.ru +0 -6
- data/spec/dummy/db/migrate/20111122132257_create_users.rb +0 -11
- data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb +0 -7
- data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +0 -69
- data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb +0 -9
- data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb +0 -13
- data/spec/dummy/db/migrate/20170822064514_enable_pkce.rb +0 -8
- data/spec/dummy/db/migrate/20180210183654_add_confidential_to_applications.rb +0 -13
- data/spec/dummy/db/schema.rb +0 -68
- data/spec/dummy/public/404.html +0 -26
- data/spec/dummy/public/422.html +0 -26
- data/spec/dummy/public/500.html +0 -26
- data/spec/dummy/public/favicon.ico +0 -0
- data/spec/dummy/script/rails +0 -9
- data/spec/factories.rb +0 -30
- data/spec/generators/application_owner_generator_spec.rb +0 -28
- data/spec/generators/confidential_applications_generator_spec.rb +0 -29
- data/spec/generators/install_generator_spec.rb +0 -36
- data/spec/generators/migration_generator_spec.rb +0 -28
- data/spec/generators/pkce_generator_spec.rb +0 -28
- data/spec/generators/previous_refresh_token_generator_spec.rb +0 -44
- data/spec/generators/templates/routes.rb +0 -4
- data/spec/generators/views_generator_spec.rb +0 -29
- data/spec/grape/grape_integration_spec.rb +0 -137
- data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +0 -26
- data/spec/lib/config_spec.rb +0 -739
- data/spec/lib/doorkeeper_spec.rb +0 -27
- data/spec/lib/models/expirable_spec.rb +0 -61
- data/spec/lib/models/reusable_spec.rb +0 -40
- data/spec/lib/models/revocable_spec.rb +0 -59
- data/spec/lib/models/scopes_spec.rb +0 -53
- data/spec/lib/models/secret_storable_spec.rb +0 -135
- data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -39
- data/spec/lib/oauth/authorization_code_request_spec.rb +0 -168
- data/spec/lib/oauth/base_request_spec.rb +0 -222
- data/spec/lib/oauth/base_response_spec.rb +0 -47
- data/spec/lib/oauth/client/credentials_spec.rb +0 -90
- data/spec/lib/oauth/client_credentials/creator_spec.rb +0 -97
- data/spec/lib/oauth/client_credentials/issuer_spec.rb +0 -112
- data/spec/lib/oauth/client_credentials/validation_spec.rb +0 -59
- data/spec/lib/oauth/client_credentials_integration_spec.rb +0 -29
- data/spec/lib/oauth/client_credentials_request_spec.rb +0 -109
- data/spec/lib/oauth/client_spec.rb +0 -38
- data/spec/lib/oauth/code_request_spec.rb +0 -46
- data/spec/lib/oauth/code_response_spec.rb +0 -36
- data/spec/lib/oauth/error_response_spec.rb +0 -66
- data/spec/lib/oauth/error_spec.rb +0 -23
- data/spec/lib/oauth/forbidden_token_response_spec.rb +0 -22
- data/spec/lib/oauth/helpers/scope_checker_spec.rb +0 -98
- data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -21
- data/spec/lib/oauth/helpers/uri_checker_spec.rb +0 -262
- data/spec/lib/oauth/invalid_request_response_spec.rb +0 -75
- data/spec/lib/oauth/invalid_token_response_spec.rb +0 -55
- data/spec/lib/oauth/password_access_token_request_spec.rb +0 -192
- data/spec/lib/oauth/pre_authorization_spec.rb +0 -225
- data/spec/lib/oauth/refresh_token_request_spec.rb +0 -178
- data/spec/lib/oauth/scopes_spec.rb +0 -148
- data/spec/lib/oauth/token_request_spec.rb +0 -153
- data/spec/lib/oauth/token_response_spec.rb +0 -86
- data/spec/lib/oauth/token_spec.rb +0 -158
- data/spec/lib/request/strategy_spec.rb +0 -54
- data/spec/lib/secret_storing/base_spec.rb +0 -60
- data/spec/lib/secret_storing/bcrypt_spec.rb +0 -49
- data/spec/lib/secret_storing/plain_spec.rb +0 -44
- data/spec/lib/secret_storing/sha256_hash_spec.rb +0 -48
- data/spec/lib/server_spec.rb +0 -49
- data/spec/lib/stale_records_cleaner_spec.rb +0 -89
- data/spec/models/doorkeeper/access_grant_spec.rb +0 -163
- data/spec/models/doorkeeper/access_token_spec.rb +0 -622
- data/spec/models/doorkeeper/application_spec.rb +0 -377
- data/spec/requests/applications/applications_request_spec.rb +0 -259
- data/spec/requests/applications/authorized_applications_spec.rb +0 -32
- data/spec/requests/endpoints/authorization_spec.rb +0 -89
- data/spec/requests/endpoints/token_spec.rb +0 -75
- data/spec/requests/flows/authorization_code_errors_spec.rb +0 -79
- data/spec/requests/flows/authorization_code_spec.rb +0 -513
- data/spec/requests/flows/client_credentials_spec.rb +0 -166
- data/spec/requests/flows/implicit_grant_errors_spec.rb +0 -46
- data/spec/requests/flows/implicit_grant_spec.rb +0 -91
- data/spec/requests/flows/password_spec.rb +0 -296
- data/spec/requests/flows/refresh_token_spec.rb +0 -233
- data/spec/requests/flows/revoke_token_spec.rb +0 -151
- data/spec/requests/flows/skip_authorization_spec.rb +0 -66
- data/spec/requests/protected_resources/metal_spec.rb +0 -16
- data/spec/requests/protected_resources/private_api_spec.rb +0 -83
- data/spec/routing/custom_controller_routes_spec.rb +0 -133
- data/spec/routing/default_routes_spec.rb +0 -41
- data/spec/routing/scoped_routes_spec.rb +0 -47
- data/spec/spec_helper.rb +0 -57
- data/spec/spec_helper_integration.rb +0 -4
- data/spec/support/dependencies/factory_bot.rb +0 -4
- data/spec/support/doorkeeper_rspec.rb +0 -22
- data/spec/support/helpers/access_token_request_helper.rb +0 -13
- data/spec/support/helpers/authorization_request_helper.rb +0 -43
- data/spec/support/helpers/config_helper.rb +0 -11
- data/spec/support/helpers/model_helper.rb +0 -78
- data/spec/support/helpers/request_spec_helper.rb +0 -110
- data/spec/support/helpers/url_helper.rb +0 -62
- data/spec/support/http_method_shim.rb +0 -29
- data/spec/support/orm/active_record.rb +0 -5
- data/spec/support/shared/controllers_shared_context.rb +0 -123
- data/spec/support/shared/hashing_shared_context.rb +0 -36
- data/spec/support/shared/models_shared_examples.rb +0 -54
- data/spec/validators/redirect_uri_validator_spec.rb +0 -183
- data/spec/version/version_spec.rb +0 -17
@@ -1,46 +0,0 @@
|
|
1
|
-
# frozen_string_literal: true
|
2
|
-
|
3
|
-
require "spec_helper"
|
4
|
-
|
5
|
-
feature "Implicit Grant Flow Errors" do
|
6
|
-
background do
|
7
|
-
default_scopes_exist :default
|
8
|
-
config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
|
9
|
-
config_is_set(:grant_flows, ["implicit"])
|
10
|
-
client_exists
|
11
|
-
create_resource_owner
|
12
|
-
sign_in
|
13
|
-
end
|
14
|
-
|
15
|
-
after do
|
16
|
-
access_token_should_not_exist
|
17
|
-
end
|
18
|
-
|
19
|
-
context "when validate client_id param" do
|
20
|
-
scenario "displays invalid_client error for invalid client_id" do
|
21
|
-
visit authorization_endpoint_url(client_id: "invalid", response_type: "token")
|
22
|
-
i_should_not_see "Authorize"
|
23
|
-
i_should_see_translated_error_message :invalid_client
|
24
|
-
end
|
25
|
-
|
26
|
-
scenario "displays invalid_request error when client_id is missing" do
|
27
|
-
visit authorization_endpoint_url(client_id: "", response_type: "token")
|
28
|
-
i_should_not_see "Authorize"
|
29
|
-
i_should_see_translated_invalid_request_error_message :missing_param, :client_id
|
30
|
-
end
|
31
|
-
end
|
32
|
-
|
33
|
-
context "when validate redirect_uri param" do
|
34
|
-
scenario "displays invalid_redirect_uri error for invalid redirect_uri" do
|
35
|
-
visit authorization_endpoint_url(client: @client, redirect_uri: "invalid", response_type: "token")
|
36
|
-
i_should_not_see "Authorize"
|
37
|
-
i_should_see_translated_error_message :invalid_redirect_uri
|
38
|
-
end
|
39
|
-
|
40
|
-
scenario "displays invalid_redirect_uri error when redirect_uri is missing" do
|
41
|
-
visit authorization_endpoint_url(client: @client, redirect_uri: "", response_type: "token")
|
42
|
-
i_should_not_see "Authorize"
|
43
|
-
i_should_see_translated_error_message :invalid_redirect_uri
|
44
|
-
end
|
45
|
-
end
|
46
|
-
end
|
@@ -1,91 +0,0 @@
|
|
1
|
-
# frozen_string_literal: true
|
2
|
-
|
3
|
-
require "spec_helper"
|
4
|
-
|
5
|
-
feature "Implicit Grant Flow (feature spec)" do
|
6
|
-
background do
|
7
|
-
default_scopes_exist :default
|
8
|
-
config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
|
9
|
-
config_is_set(:grant_flows, ["implicit"])
|
10
|
-
client_exists
|
11
|
-
create_resource_owner
|
12
|
-
sign_in
|
13
|
-
end
|
14
|
-
|
15
|
-
scenario "resource owner authorizes the client" do
|
16
|
-
visit authorization_endpoint_url(client: @client, response_type: "token")
|
17
|
-
click_on "Authorize"
|
18
|
-
|
19
|
-
access_token_should_exist_for @client, @resource_owner
|
20
|
-
|
21
|
-
i_should_be_on_client_callback @client
|
22
|
-
end
|
23
|
-
|
24
|
-
context "when application scopes are present and no scope is passed" do
|
25
|
-
background do
|
26
|
-
@client.update(scopes: "public write read")
|
27
|
-
end
|
28
|
-
|
29
|
-
scenario "scope is invalid because default scope is different from application scope" do
|
30
|
-
default_scopes_exist :admin
|
31
|
-
visit authorization_endpoint_url(client: @client, response_type: "token")
|
32
|
-
response_status_should_be 200
|
33
|
-
i_should_not_see "Authorize"
|
34
|
-
i_should_see_translated_error_message :invalid_scope
|
35
|
-
end
|
36
|
-
|
37
|
-
scenario "access token has scopes which are common in application scopes and default scopes" do
|
38
|
-
default_scopes_exist :public, :write
|
39
|
-
visit authorization_endpoint_url(client: @client, response_type: "token")
|
40
|
-
click_on "Authorize"
|
41
|
-
access_token_should_exist_for @client, @resource_owner
|
42
|
-
access_token_should_have_scopes :public, :write
|
43
|
-
end
|
44
|
-
end
|
45
|
-
end
|
46
|
-
|
47
|
-
describe "Implicit Grant Flow (request spec)" do
|
48
|
-
before do
|
49
|
-
default_scopes_exist :default
|
50
|
-
config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
|
51
|
-
config_is_set(:grant_flows, ["implicit"])
|
52
|
-
client_exists
|
53
|
-
create_resource_owner
|
54
|
-
end
|
55
|
-
|
56
|
-
context "token reuse" do
|
57
|
-
it "should return a new token each request" do
|
58
|
-
allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(false)
|
59
|
-
|
60
|
-
token = client_is_authorized(@client, @resource_owner, scopes: "default")
|
61
|
-
|
62
|
-
post "/oauth/authorize",
|
63
|
-
params: {
|
64
|
-
client_id: @client.uid,
|
65
|
-
state: "",
|
66
|
-
redirect_uri: @client.redirect_uri,
|
67
|
-
response_type: "token",
|
68
|
-
commit: "Authorize",
|
69
|
-
}
|
70
|
-
|
71
|
-
expect(response.location).not_to include(token.token)
|
72
|
-
end
|
73
|
-
|
74
|
-
it "should return the same token if it is still accessible" do
|
75
|
-
allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
|
76
|
-
|
77
|
-
token = client_is_authorized(@client, @resource_owner, scopes: "default")
|
78
|
-
|
79
|
-
post "/oauth/authorize",
|
80
|
-
params: {
|
81
|
-
client_id: @client.uid,
|
82
|
-
state: "",
|
83
|
-
redirect_uri: @client.redirect_uri,
|
84
|
-
response_type: "token",
|
85
|
-
commit: "Authorize",
|
86
|
-
}
|
87
|
-
|
88
|
-
expect(response.location).to include(token.token)
|
89
|
-
end
|
90
|
-
end
|
91
|
-
end
|
@@ -1,296 +0,0 @@
|
|
1
|
-
# frozen_string_literal: true
|
2
|
-
|
3
|
-
require "spec_helper"
|
4
|
-
|
5
|
-
describe "Resource Owner Password Credentials Flow not set up" do
|
6
|
-
before do
|
7
|
-
client_exists
|
8
|
-
create_resource_owner
|
9
|
-
end
|
10
|
-
|
11
|
-
context "with valid user credentials" do
|
12
|
-
it "does not issue new token" do
|
13
|
-
expect do
|
14
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
15
|
-
end.to_not(change { Doorkeeper::AccessToken.count })
|
16
|
-
end
|
17
|
-
end
|
18
|
-
end
|
19
|
-
|
20
|
-
describe "Resource Owner Password Credentials Flow" do
|
21
|
-
let(:client_attributes) { { redirect_uri: nil } }
|
22
|
-
|
23
|
-
before do
|
24
|
-
config_is_set(:grant_flows, ["password"])
|
25
|
-
config_is_set(:resource_owner_from_credentials) { User.authenticate! params[:username], params[:password] }
|
26
|
-
client_exists(client_attributes)
|
27
|
-
create_resource_owner
|
28
|
-
end
|
29
|
-
|
30
|
-
context "with valid user credentials" do
|
31
|
-
context "with non-confidential/public client" do
|
32
|
-
let(:client_attributes) { { confidential: false } }
|
33
|
-
|
34
|
-
context "when configured to check application supported grant flow" do
|
35
|
-
before do
|
36
|
-
Doorkeeper.configuration.instance_variable_set(
|
37
|
-
:@allow_grant_flow_for_client,
|
38
|
-
->(_grant_flow, client) { client.name == "admin" }
|
39
|
-
)
|
40
|
-
end
|
41
|
-
|
42
|
-
scenario "forbids the request when doesn't satisfy condition" do
|
43
|
-
@client.update(name: "sample app")
|
44
|
-
|
45
|
-
expect do
|
46
|
-
post password_token_endpoint_url(
|
47
|
-
client_id: @client.uid,
|
48
|
-
client_secret: "foobar",
|
49
|
-
resource_owner: @resource_owner
|
50
|
-
)
|
51
|
-
end.not_to(change { Doorkeeper::AccessToken.count })
|
52
|
-
|
53
|
-
expect(response.status).to eq(401)
|
54
|
-
should_have_json "error", "invalid_client"
|
55
|
-
end
|
56
|
-
|
57
|
-
scenario "allows the request when satisfies condition" do
|
58
|
-
@client.update(name: "admin")
|
59
|
-
|
60
|
-
expect do
|
61
|
-
post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
|
62
|
-
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
63
|
-
|
64
|
-
token = Doorkeeper::AccessToken.first
|
65
|
-
|
66
|
-
expect(token.application_id).to eq @client.id
|
67
|
-
should_have_json "access_token", token.token
|
68
|
-
end
|
69
|
-
end
|
70
|
-
|
71
|
-
context "when client_secret absent" do
|
72
|
-
it "should issue new token" do
|
73
|
-
expect do
|
74
|
-
post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
|
75
|
-
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
76
|
-
|
77
|
-
token = Doorkeeper::AccessToken.first
|
78
|
-
|
79
|
-
expect(token.application_id).to eq @client.id
|
80
|
-
should_have_json "access_token", token.token
|
81
|
-
end
|
82
|
-
end
|
83
|
-
|
84
|
-
context "when client_secret present" do
|
85
|
-
it "should issue new token" do
|
86
|
-
expect do
|
87
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
88
|
-
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
89
|
-
|
90
|
-
token = Doorkeeper::AccessToken.first
|
91
|
-
|
92
|
-
expect(token.application_id).to eq @client.id
|
93
|
-
should_have_json "access_token", token.token
|
94
|
-
end
|
95
|
-
|
96
|
-
context "when client_secret incorrect" do
|
97
|
-
it "should not issue new token" do
|
98
|
-
expect do
|
99
|
-
post password_token_endpoint_url(
|
100
|
-
client_id: @client.uid,
|
101
|
-
client_secret: "foobar",
|
102
|
-
resource_owner: @resource_owner
|
103
|
-
)
|
104
|
-
end.not_to(change { Doorkeeper::AccessToken.count })
|
105
|
-
|
106
|
-
expect(response.status).to eq(401)
|
107
|
-
should_have_json "error", "invalid_client"
|
108
|
-
end
|
109
|
-
end
|
110
|
-
end
|
111
|
-
end
|
112
|
-
|
113
|
-
context "with confidential/private client" do
|
114
|
-
it "should issue new token" do
|
115
|
-
expect do
|
116
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
117
|
-
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
118
|
-
|
119
|
-
token = Doorkeeper::AccessToken.first
|
120
|
-
|
121
|
-
expect(token.application_id).to eq @client.id
|
122
|
-
should_have_json "access_token", token.token
|
123
|
-
end
|
124
|
-
|
125
|
-
context "when client_secret absent" do
|
126
|
-
it "should not issue new token" do
|
127
|
-
expect do
|
128
|
-
post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
|
129
|
-
end.not_to(change { Doorkeeper::AccessToken.count })
|
130
|
-
|
131
|
-
expect(response.status).to eq(401)
|
132
|
-
should_have_json "error", "invalid_client"
|
133
|
-
end
|
134
|
-
end
|
135
|
-
end
|
136
|
-
|
137
|
-
it "should issue new token without client credentials" do
|
138
|
-
expect do
|
139
|
-
post password_token_endpoint_url(resource_owner: @resource_owner)
|
140
|
-
end.to(change { Doorkeeper::AccessToken.count }.by(1))
|
141
|
-
|
142
|
-
token = Doorkeeper::AccessToken.first
|
143
|
-
|
144
|
-
expect(token.application_id).to be_nil
|
145
|
-
should_have_json "access_token", token.token
|
146
|
-
end
|
147
|
-
|
148
|
-
it "should issue a refresh token if enabled" do
|
149
|
-
config_is_set(:refresh_token_enabled, true)
|
150
|
-
|
151
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
152
|
-
|
153
|
-
token = Doorkeeper::AccessToken.first
|
154
|
-
|
155
|
-
should_have_json "refresh_token", token.refresh_token
|
156
|
-
end
|
157
|
-
|
158
|
-
it "should return the same token if it is still accessible" do
|
159
|
-
allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
|
160
|
-
|
161
|
-
client_is_authorized(@client, @resource_owner)
|
162
|
-
|
163
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
164
|
-
|
165
|
-
expect(Doorkeeper::AccessToken.count).to be(1)
|
166
|
-
should_have_json "access_token", Doorkeeper::AccessToken.first.token
|
167
|
-
end
|
168
|
-
|
169
|
-
context "with valid, default scope" do
|
170
|
-
before do
|
171
|
-
default_scopes_exist :public
|
172
|
-
end
|
173
|
-
|
174
|
-
it "should issue new token" do
|
175
|
-
expect do
|
176
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner, scope: "public")
|
177
|
-
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
178
|
-
|
179
|
-
token = Doorkeeper::AccessToken.first
|
180
|
-
|
181
|
-
expect(token.application_id).to eq @client.id
|
182
|
-
should_have_json "access_token", token.token
|
183
|
-
should_have_json "scope", "public"
|
184
|
-
end
|
185
|
-
end
|
186
|
-
end
|
187
|
-
|
188
|
-
context "when application scopes are present and differs from configured default scopes and no scope is passed" do
|
189
|
-
before do
|
190
|
-
default_scopes_exist :public
|
191
|
-
@client.update(scopes: "abc")
|
192
|
-
end
|
193
|
-
|
194
|
-
it "issues new token without any scope" do
|
195
|
-
expect do
|
196
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
197
|
-
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
198
|
-
|
199
|
-
token = Doorkeeper::AccessToken.first
|
200
|
-
|
201
|
-
expect(token.application_id).to eq @client.id
|
202
|
-
expect(token.scopes).to be_empty
|
203
|
-
should_have_json "access_token", token.token
|
204
|
-
should_not_have_json "scope"
|
205
|
-
end
|
206
|
-
end
|
207
|
-
|
208
|
-
context "when application scopes contain some of the default scopes and no scope is passed" do
|
209
|
-
before do
|
210
|
-
@client.update(scopes: "read write public")
|
211
|
-
end
|
212
|
-
|
213
|
-
it "issues new token with one default scope that are present in application scopes" do
|
214
|
-
default_scopes_exist :public, :admin
|
215
|
-
|
216
|
-
expect do
|
217
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
218
|
-
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
219
|
-
|
220
|
-
token = Doorkeeper::AccessToken.first
|
221
|
-
|
222
|
-
expect(token.application_id).to eq @client.id
|
223
|
-
should_have_json "access_token", token.token
|
224
|
-
should_have_json "scope", "public"
|
225
|
-
end
|
226
|
-
|
227
|
-
it "issues new token with multiple default scopes that are present in application scopes" do
|
228
|
-
default_scopes_exist :public, :read, :update
|
229
|
-
|
230
|
-
expect do
|
231
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
232
|
-
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
233
|
-
|
234
|
-
token = Doorkeeper::AccessToken.first
|
235
|
-
|
236
|
-
expect(token.application_id).to eq @client.id
|
237
|
-
should_have_json "access_token", token.token
|
238
|
-
should_have_json "scope", "public read"
|
239
|
-
end
|
240
|
-
end
|
241
|
-
|
242
|
-
context "with invalid scopes" do
|
243
|
-
subject do
|
244
|
-
post password_token_endpoint_url(client: @client,
|
245
|
-
resource_owner: @resource_owner,
|
246
|
-
scope: "random")
|
247
|
-
end
|
248
|
-
|
249
|
-
it "should not issue new token" do
|
250
|
-
expect { subject }.to_not(change { Doorkeeper::AccessToken.count })
|
251
|
-
end
|
252
|
-
|
253
|
-
it "should return invalid_scope error" do
|
254
|
-
subject
|
255
|
-
should_have_json "error", "invalid_scope"
|
256
|
-
should_have_json "error_description", translated_error_message(:invalid_scope)
|
257
|
-
should_not_have_json "access_token"
|
258
|
-
|
259
|
-
expect(response.status).to eq(400)
|
260
|
-
end
|
261
|
-
end
|
262
|
-
|
263
|
-
context "with invalid user credentials" do
|
264
|
-
it "should not issue new token with bad password" do
|
265
|
-
expect do
|
266
|
-
post password_token_endpoint_url(client: @client,
|
267
|
-
resource_owner_username: @resource_owner.name,
|
268
|
-
resource_owner_password: "wrongpassword")
|
269
|
-
end.to_not(change { Doorkeeper::AccessToken.count })
|
270
|
-
end
|
271
|
-
|
272
|
-
it "should not issue new token without credentials" do
|
273
|
-
expect do
|
274
|
-
post password_token_endpoint_url(client: @client)
|
275
|
-
end.to_not(change { Doorkeeper::AccessToken.count })
|
276
|
-
end
|
277
|
-
end
|
278
|
-
|
279
|
-
context "with invalid confidential client credentials" do
|
280
|
-
it "should not issue new token with bad client credentials" do
|
281
|
-
expect do
|
282
|
-
post password_token_endpoint_url(client_id: @client.uid,
|
283
|
-
client_secret: "bad_secret",
|
284
|
-
resource_owner: @resource_owner)
|
285
|
-
end.to_not(change { Doorkeeper::AccessToken.count })
|
286
|
-
end
|
287
|
-
end
|
288
|
-
|
289
|
-
context "with invalid public client id" do
|
290
|
-
it "should not issue new token with bad client id" do
|
291
|
-
expect do
|
292
|
-
post password_token_endpoint_url(client_id: "bad_id", resource_owner: @resource_owner)
|
293
|
-
end.to_not(change { Doorkeeper::AccessToken.count })
|
294
|
-
end
|
295
|
-
end
|
296
|
-
end
|
@@ -1,233 +0,0 @@
|
|
1
|
-
# frozen_string_literal: true
|
2
|
-
|
3
|
-
require "spec_helper"
|
4
|
-
|
5
|
-
describe "Refresh Token Flow" do
|
6
|
-
before do
|
7
|
-
Doorkeeper.configure do
|
8
|
-
orm DOORKEEPER_ORM
|
9
|
-
use_refresh_token
|
10
|
-
end
|
11
|
-
|
12
|
-
client_exists
|
13
|
-
end
|
14
|
-
|
15
|
-
context "issuing a refresh token" do
|
16
|
-
before do
|
17
|
-
authorization_code_exists application: @client
|
18
|
-
end
|
19
|
-
|
20
|
-
it "client gets the refresh token and refreshes it" do
|
21
|
-
post token_endpoint_url(code: @authorization.token, client: @client)
|
22
|
-
|
23
|
-
token = Doorkeeper::AccessToken.first
|
24
|
-
|
25
|
-
should_have_json "access_token", token.token
|
26
|
-
should_have_json "refresh_token", token.refresh_token
|
27
|
-
|
28
|
-
expect(@authorization.reload).to be_revoked
|
29
|
-
|
30
|
-
post refresh_token_endpoint_url(client: @client, refresh_token: token.refresh_token)
|
31
|
-
|
32
|
-
new_token = Doorkeeper::AccessToken.last
|
33
|
-
should_have_json "access_token", new_token.token
|
34
|
-
should_have_json "refresh_token", new_token.refresh_token
|
35
|
-
|
36
|
-
expect(token.token).not_to eq(new_token.token)
|
37
|
-
expect(token.refresh_token).not_to eq(new_token.refresh_token)
|
38
|
-
end
|
39
|
-
end
|
40
|
-
|
41
|
-
context "refreshing the token" do
|
42
|
-
before do
|
43
|
-
@token = FactoryBot.create(
|
44
|
-
:access_token,
|
45
|
-
application: @client,
|
46
|
-
resource_owner_id: 1,
|
47
|
-
use_refresh_token: true
|
48
|
-
)
|
49
|
-
end
|
50
|
-
|
51
|
-
context "refresh_token revoked on use" do
|
52
|
-
it "client request a token with refresh token" do
|
53
|
-
post refresh_token_endpoint_url(
|
54
|
-
client: @client, refresh_token: @token.refresh_token
|
55
|
-
)
|
56
|
-
should_have_json(
|
57
|
-
"refresh_token", Doorkeeper::AccessToken.last.refresh_token
|
58
|
-
)
|
59
|
-
expect(@token.reload).not_to be_revoked
|
60
|
-
end
|
61
|
-
|
62
|
-
it "client request a token with expired access token" do
|
63
|
-
@token.update_attribute :expires_in, -100
|
64
|
-
post refresh_token_endpoint_url(
|
65
|
-
client: @client, refresh_token: @token.refresh_token
|
66
|
-
)
|
67
|
-
should_have_json(
|
68
|
-
"refresh_token", Doorkeeper::AccessToken.last.refresh_token
|
69
|
-
)
|
70
|
-
expect(@token.reload).not_to be_revoked
|
71
|
-
end
|
72
|
-
end
|
73
|
-
|
74
|
-
context "refresh_token revoked on refresh_token request" do
|
75
|
-
before do
|
76
|
-
allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
|
77
|
-
end
|
78
|
-
|
79
|
-
it "client request a token with refresh token" do
|
80
|
-
post refresh_token_endpoint_url(
|
81
|
-
client: @client, refresh_token: @token.refresh_token
|
82
|
-
)
|
83
|
-
should_have_json(
|
84
|
-
"refresh_token", Doorkeeper::AccessToken.last.refresh_token
|
85
|
-
)
|
86
|
-
expect(@token.reload).to be_revoked
|
87
|
-
end
|
88
|
-
|
89
|
-
it "client request a token with expired access token" do
|
90
|
-
@token.update_attribute :expires_in, -100
|
91
|
-
post refresh_token_endpoint_url(
|
92
|
-
client: @client, refresh_token: @token.refresh_token
|
93
|
-
)
|
94
|
-
should_have_json(
|
95
|
-
"refresh_token", Doorkeeper::AccessToken.last.refresh_token
|
96
|
-
)
|
97
|
-
expect(@token.reload).to be_revoked
|
98
|
-
end
|
99
|
-
end
|
100
|
-
|
101
|
-
context "public & private clients" do
|
102
|
-
let(:public_client) do
|
103
|
-
FactoryBot.create(
|
104
|
-
:application,
|
105
|
-
confidential: false
|
106
|
-
)
|
107
|
-
end
|
108
|
-
|
109
|
-
let(:token_for_private_client) do
|
110
|
-
FactoryBot.create(
|
111
|
-
:access_token,
|
112
|
-
application: @client,
|
113
|
-
resource_owner_id: 1,
|
114
|
-
use_refresh_token: true
|
115
|
-
)
|
116
|
-
end
|
117
|
-
|
118
|
-
let(:token_for_public_client) do
|
119
|
-
FactoryBot.create(
|
120
|
-
:access_token,
|
121
|
-
application: public_client,
|
122
|
-
resource_owner_id: 1,
|
123
|
-
use_refresh_token: true
|
124
|
-
)
|
125
|
-
end
|
126
|
-
|
127
|
-
it "issues a new token without client_secret when refresh token was issued to a public client" do
|
128
|
-
post refresh_token_endpoint_url(
|
129
|
-
client_id: public_client.uid,
|
130
|
-
refresh_token: token_for_public_client.refresh_token
|
131
|
-
)
|
132
|
-
|
133
|
-
new_token = Doorkeeper::AccessToken.last
|
134
|
-
should_have_json "access_token", new_token.token
|
135
|
-
should_have_json "refresh_token", new_token.refresh_token
|
136
|
-
end
|
137
|
-
|
138
|
-
it "returns an error without credentials" do
|
139
|
-
post refresh_token_endpoint_url(refresh_token: token_for_private_client.refresh_token)
|
140
|
-
|
141
|
-
should_not_have_json "refresh_token"
|
142
|
-
should_have_json "error", "invalid_grant"
|
143
|
-
end
|
144
|
-
|
145
|
-
it "returns an error with wrong credentials" do
|
146
|
-
post refresh_token_endpoint_url(
|
147
|
-
client_id: "1",
|
148
|
-
client_secret: "1",
|
149
|
-
refresh_token: token_for_private_client.refresh_token
|
150
|
-
)
|
151
|
-
|
152
|
-
should_not_have_json "refresh_token"
|
153
|
-
should_have_json "error", "invalid_client"
|
154
|
-
end
|
155
|
-
end
|
156
|
-
|
157
|
-
it "client gets an error for invalid refresh token" do
|
158
|
-
post refresh_token_endpoint_url(client: @client, refresh_token: "invalid")
|
159
|
-
should_not_have_json "refresh_token"
|
160
|
-
should_have_json "error", "invalid_grant"
|
161
|
-
end
|
162
|
-
|
163
|
-
it "client gets an error for revoked access token" do
|
164
|
-
@token.revoke
|
165
|
-
post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
|
166
|
-
should_not_have_json "refresh_token"
|
167
|
-
should_have_json "error", "invalid_grant"
|
168
|
-
end
|
169
|
-
|
170
|
-
it "second of simultaneous client requests get an error for revoked access token" do
|
171
|
-
allow_any_instance_of(Doorkeeper::AccessToken).to receive(:revoked?).and_return(false, true)
|
172
|
-
post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
|
173
|
-
|
174
|
-
should_not_have_json "refresh_token"
|
175
|
-
should_have_json "error", "invalid_grant"
|
176
|
-
end
|
177
|
-
end
|
178
|
-
|
179
|
-
context "refreshing the token with multiple sessions (devices)" do
|
180
|
-
before do
|
181
|
-
# enable password auth to simulate other devices
|
182
|
-
config_is_set(:grant_flows, ["password"])
|
183
|
-
config_is_set(:resource_owner_from_credentials) do
|
184
|
-
User.authenticate! params[:username], params[:password]
|
185
|
-
end
|
186
|
-
create_resource_owner
|
187
|
-
_another_token = post password_token_endpoint_url(
|
188
|
-
client: @client, resource_owner: @resource_owner
|
189
|
-
)
|
190
|
-
last_token.update_attribute :created_at, 5.seconds.ago
|
191
|
-
|
192
|
-
@token = FactoryBot.create(
|
193
|
-
:access_token,
|
194
|
-
application: @client,
|
195
|
-
resource_owner_id: @resource_owner.id,
|
196
|
-
use_refresh_token: true
|
197
|
-
)
|
198
|
-
@token.update_attribute :expires_in, -100
|
199
|
-
end
|
200
|
-
|
201
|
-
context "refresh_token revoked on use" do
|
202
|
-
it "client request a token after creating another token with the same user" do
|
203
|
-
post refresh_token_endpoint_url(
|
204
|
-
client: @client, refresh_token: @token.refresh_token
|
205
|
-
)
|
206
|
-
|
207
|
-
should_have_json "refresh_token", last_token.refresh_token
|
208
|
-
expect(@token.reload).not_to be_revoked
|
209
|
-
end
|
210
|
-
end
|
211
|
-
|
212
|
-
context "refresh_token revoked on refresh_token request" do
|
213
|
-
before do
|
214
|
-
allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
|
215
|
-
end
|
216
|
-
|
217
|
-
it "client request a token after creating another token with the same user" do
|
218
|
-
post refresh_token_endpoint_url(
|
219
|
-
client: @client, refresh_token: @token.refresh_token
|
220
|
-
)
|
221
|
-
|
222
|
-
should_have_json "refresh_token", last_token.refresh_token
|
223
|
-
expect(@token.reload).to be_revoked
|
224
|
-
end
|
225
|
-
end
|
226
|
-
|
227
|
-
def last_token
|
228
|
-
Doorkeeper::AccessToken.last_authorized_token_for(
|
229
|
-
@client.id, @resource_owner.id
|
230
|
-
)
|
231
|
-
end
|
232
|
-
end
|
233
|
-
end
|