doorkeeper 5.2.2 → 5.5.4

data/lib/doorkeeper/oauth/refresh_token_request.rb

@@ -11,9 +11,8 @@ module Doorkeeper
       validate :client_match, error: :invalid_grant
       validate :scope,        error: :invalid_scope
 
-      attr_accessor :access_token, :client, :credentials, :refresh_token,
-                    :server
-      attr_reader   :missing_param
+      attr_reader :access_token, :client, :credentials, :refresh_token
+      attr_reader :missing_param
 
       def initialize(server, refresh_token, credentials, parameters = {})
         @server = server
@@ -27,7 +26,7 @@ module Doorkeeper
       private
 
       def load_client(credentials)
-        Application.by_uid_and_secret(credentials.uid, credentials.secret)
+        server_config.application_model.by_uid_and_secret(credentials.uid, credentials.secret)
       end
 
       def before_successful_response
@@ -42,7 +41,7 @@ module Doorkeeper
       end
 
       def refresh_token_revoked_on_use?
-        Doorkeeper::AccessToken.refresh_token_revoked_on_use?
+        server_config.access_token_model.refresh_token_revoked_on_use?
       end
 
       def default_scopes
@@ -50,30 +49,40 @@ module Doorkeeper
       end
 
       def create_access_token
-        @access_token = AccessToken.create!(access_token_attributes)
-      end
+        attributes = {}
 
-      def access_token_attributes
-        {
-          application_id: refresh_token.application_id,
-          resource_owner_id: refresh_token.resource_owner_id,
-          scopes: scopes.to_s,
-          expires_in: access_token_expires_in,
-          use_refresh_token: true,
-        }.tap do |attributes|
-          if refresh_token_revoked_on_use?
-            attributes[:previous_refresh_token] = refresh_token.refresh_token
+        resource_owner =
+          if Doorkeeper.config.polymorphic_resource_owner?
+            refresh_token.resource_owner
+          else
+            refresh_token.resource_owner_id
           end
+
+        if refresh_token_revoked_on_use?
+          attributes[:previous_refresh_token] = refresh_token.refresh_token
         end
-      end
 
-      def access_token_expires_in
-        context = Authorization::Token.build_context(
-          client,
-          Doorkeeper::OAuth::REFRESH_TOKEN,
-          scopes
+        # RFC6749
+        # 1.5.  Refresh Token
+        #
+        # Refresh tokens are issued to the client by the authorization server and are
+        # used to obtain a new access token when the current access token
+        # becomes invalid or expires, or to obtain additional access tokens
+        # with identical or narrower scope (access tokens may have a shorter
+        # lifetime and fewer permissions than authorized by the resource
+        # owner).
+        #
+        # Here we assume that TTL of the token received after refreshing should be
+        # the same as that of the original token.
+        #
+        @access_token = server_config.access_token_model.create_for(
+          application: refresh_token.application,
+          resource_owner: resource_owner,
+          scopes: scopes,
+          expires_in: refresh_token.expires_in,
+          use_refresh_token: true,
+          **attributes,
         )
-        Authorization::Token.access_token_expires_in(server, context)
       end
 
       def validate_token_presence
@@ -92,7 +101,7 @@ module Doorkeeper
         client.present?
       end
 
-      # @see https://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-1.5
+      # @see https://datatracker.ietf.org/doc/html/rfc6749#section-1.5
       #
       def validate_client_match
         return true if refresh_token.application_id.blank?
@@ -104,7 +113,7 @@ module Doorkeeper
         if @original_scopes.present?
           ScopeChecker.valid?(
             scope_str: @original_scopes,
-            server_scopes: refresh_token.scopes
+            server_scopes: refresh_token.scopes,
           )
         else
           true

data/lib/doorkeeper/oauth/token.rb

@@ -8,15 +8,14 @@ module Doorkeeper
           methods.inject(nil) do |_, method|
             method = self.method(method) if method.is_a?(Symbol)
             credentials = method.call(request)
-            break credentials unless credentials.blank?
+            break credentials if credentials.present?
           end
         end
 
         def authenticate(request, *methods)
           if (token = from_request(request, *methods))
-            access_token = AccessToken.by_token(token)
-            refresh_token_enabled = Doorkeeper.configuration.refresh_token_enabled?
-            if access_token.present? && refresh_token_enabled
+            access_token = Doorkeeper.config.access_token_model.by_token(token)
+            if access_token.present? && Doorkeeper.config.refresh_token_enabled?
               access_token.revoke_previous_refresh_token!
             end
             access_token
@@ -33,13 +32,13 @@ module Doorkeeper
 
         def from_bearer_authorization(request)
           pattern = /^Bearer /i
-          header  = request.authorization
+          header = request.authorization
           token_from_header(header, pattern) if match?(header, pattern)
         end
 
         def from_basic_authorization(request)
           pattern = /^Basic /i
-          header  = request.authorization
+          header = request.authorization
           token_from_basic_header(header, pattern) if match?(header, pattern)
         end
 
@@ -55,7 +54,7 @@ module Doorkeeper
         end
 
         def token_from_header(header, pattern)
-          header.gsub pattern, ""
+          header.gsub(pattern, "")
         end
 
         def match?(header, pattern)

data/lib/doorkeeper/oauth/token_introspection.rb

@@ -4,11 +4,8 @@ module Doorkeeper
   module OAuth
     # RFC7662 OAuth 2.0 Token Introspection
     #
-    # @see https://tools.ietf.org/html/rfc7662
+    # @see https://datatracker.ietf.org/doc/html/rfc7662
     class TokenIntrospection
-      attr_reader :server, :token
-      attr_reader :error, :invalid_request_reason
-
       def initialize(server, token)
         @server = server
         @token = token
@@ -38,6 +35,9 @@ module Doorkeeper
 
       private
 
+      attr_reader :server, :token
+      attr_reader :error, :invalid_request_reason
+
       # If the protected resource uses OAuth 2.0 client credentials to
       # authenticate to the introspection endpoint and its credentials are
       # invalid, the authorization server responds with an HTTP 401
@@ -94,7 +94,7 @@ module Doorkeeper
           client_id: @token.try(:application).try(:uid),
           token_type: @token.token_type,
           exp: @token.expires_at.to_i,
-          iat: @token.created_at.to_i
+          iat: @token.created_at.to_i,
         )
       end
 
@@ -107,7 +107,7 @@ module Doorkeeper
       # authorization server SHOULD NOT include any additional information
       # about an inactive token, including why the token is inactive.
       #
-      # @see https://tools.ietf.org/html/rfc7662 2.2. Introspection Response
+      # @see https://datatracker.ietf.org/doc/html/rfc7662 2.2. Introspection Response
       #
       def failure_response
         {
@@ -174,28 +174,24 @@ module Doorkeeper
         authorized_token.token == @token&.token
       end
 
-      # config constraints for introspection in Doorkeeper.configuration.allow_token_introspection
+      # Config constraints for introspection in Doorkeeper.config.allow_token_introspection
       def token_introspection_allowed?(auth_client: nil, auth_token: nil)
-        allow_introspection = Doorkeeper.configuration.allow_token_introspection
+        allow_introspection = Doorkeeper.config.allow_token_introspection
         return allow_introspection unless allow_introspection.respond_to?(:call)
 
-        allow_introspection.call(
-          @token,
-          auth_client,
-          auth_token
-        )
+        allow_introspection.call(@token, auth_client, auth_token)
       end
 
       # Allows to customize introspection response.
       # Provides context (controller) and token for generating developer-specific
       # response.
       #
-      # @see https://tools.ietf.org/html/rfc7662#section-2.2
+      # @see https://datatracker.ietf.org/doc/html/rfc7662#section-2.2
       #
       def customize_response(response)
-        customized_response = Doorkeeper.configuration.custom_introspection_response.call(
+        customized_response = Doorkeeper.config.custom_introspection_response.call(
           token,
-          server.context
+          server.context,
         )
         return response if customized_response.blank?
 

data/lib/doorkeeper/oauth/token_request.rb

@@ -3,16 +3,16 @@
 module Doorkeeper
   module OAuth
     class TokenRequest
-      attr_accessor :pre_auth, :resource_owner
+      attr_reader :pre_auth, :resource_owner
 
       def initialize(pre_auth, resource_owner)
-        @pre_auth       = pre_auth
+        @pre_auth = pre_auth
         @resource_owner = resource_owner
       end
 
       def authorize
         auth = Authorization::Token.new(pre_auth, resource_owner)
-        auth.issue_token
+        auth.issue_token!
         CodeResponse.new(pre_auth, auth, response_on_fragment: true)
       end
 

data/lib/doorkeeper/oauth/token_response.rb

@@ -3,7 +3,7 @@
 module Doorkeeper
   module OAuth
     class TokenResponse
-      attr_accessor :token
+      attr_reader :token
 
       def initialize(token)
         @token = token

data/lib/doorkeeper/orm/active_record/access_grant.rb

@@ -1,48 +1,9 @@
 # frozen_string_literal: true
 
-module Doorkeeper
-  class AccessGrant < ActiveRecord::Base
-    self.table_name = "#{table_name_prefix}oauth_access_grants#{table_name_suffix}"
-
-    include AccessGrantMixin
-
-    belongs_to :application, class_name: "Doorkeeper::Application",
-                             optional: true, inverse_of: :access_grants
-
-    validates :resource_owner_id,
-              :application_id,
-              :token,
-              :expires_in,
-              :redirect_uri,
-              presence: true
-
-    validates :token, uniqueness: { case_sensitive: true }
+require "doorkeeper/orm/active_record/mixins/access_grant"
 
-    before_validation :generate_token, on: :create
-
-    # We keep a volatile copy of the raw token for initial communication
-    # The stored refresh_token may be mapped and not available in cleartext.
-    #
-    # Some strategies allow restoring stored secrets (e.g. symmetric encryption)
-    # while hashing strategies do not, so you cannot rely on this value
-    # returning a present value for persisted tokens.
-    def plaintext_token
-      if secret_strategy.allows_restoring_secrets?
-        secret_strategy.restore_secret(self, :token)
-      else
-        @raw_token
-      end
-    end
-
-    private
-
-    # Generates token value with UniqueToken class.
-    #
-    # @return [String] token value
-    #
-    def generate_token
-      @raw_token = UniqueToken.generate
-      secret_strategy.store_secret(self, :token, @raw_token)
-    end
+module Doorkeeper
+  class AccessGrant < ::ActiveRecord::Base
+    include Doorkeeper::Orm::ActiveRecord::Mixins::AccessGrant
   end
 end

data/lib/doorkeeper/orm/active_record/access_token.rb

@@ -1,40 +1,9 @@
 # frozen_string_literal: true
 
-module Doorkeeper
-  class AccessToken < ActiveRecord::Base
-    self.table_name = "#{table_name_prefix}oauth_access_tokens#{table_name_suffix}"
-
-    include AccessTokenMixin
-
-    belongs_to :application, class_name: "Doorkeeper::Application",
-                             inverse_of: :access_tokens, optional: true
-
-    validates :token, presence: true, uniqueness: { case_sensitive: true }
-    validates :refresh_token, uniqueness: { case_sensitive: true }, if: :use_refresh_token?
+require "doorkeeper/orm/active_record/mixins/access_token"
 
-    # @attr_writer [Boolean, nil] use_refresh_token
-    #   indicates the possibility of using refresh token
-    attr_writer :use_refresh_token
-
-    before_validation :generate_token, on: :create
-    before_validation :generate_refresh_token,
-                      on: :create, if: :use_refresh_token?
-
-    # Searches for not revoked Access Tokens associated with the
-    # specific Resource Owner.
-    #
-    # @param resource_owner [ActiveRecord::Base]
-    #   Resource Owner model instance
-    #
-    # @return [ActiveRecord::Relation]
-    #   active Access Tokens for Resource Owner
-    #
-    def self.active_for(resource_owner)
-      where(resource_owner_id: resource_owner.id, revoked_at: nil)
-    end
-
-    def self.refresh_token_revoked_on_use?
-      column_names.include?("previous_refresh_token")
-    end
+module Doorkeeper
+  class AccessToken < ::ActiveRecord::Base
+    include Doorkeeper::Orm::ActiveRecord::Mixins::AccessToken
   end
 end

data/lib/doorkeeper/orm/active_record/application.rb

@@ -1,100 +1,10 @@
 # frozen_string_literal: true
 
-module Doorkeeper
-  class Application < ActiveRecord::Base
-    self.table_name = "#{table_name_prefix}oauth_applications#{table_name_suffix}"
-
-    include ApplicationMixin
-
-    has_many :access_grants, dependent: :delete_all, class_name: "Doorkeeper::AccessGrant"
-    has_many :access_tokens, dependent: :delete_all, class_name: "Doorkeeper::AccessToken"
-
-    validates :name, :secret, :uid, presence: true
-    validates :uid, uniqueness: { case_sensitive: true }
-    validates :redirect_uri, "doorkeeper/redirect_uri": true
-    validates :confidential, inclusion: { in: [true, false] }
-
-    validate :scopes_match_configured, if: :enforce_scopes?
-
-    before_validation :generate_uid, :generate_secret, on: :create
-
-    has_many :authorized_tokens, -> { where(revoked_at: nil) }, class_name: "AccessToken"
-    has_many :authorized_applications, through: :authorized_tokens, source: :application
-
-    # Returns Applications associated with active (not revoked) Access Tokens
-    # that are owned by the specific Resource Owner.
-    #
-    # @param resource_owner [ActiveRecord::Base]
-    #   Resource Owner model instance
-    #
-    # @return [ActiveRecord::Relation]
-    #   Applications authorized for the Resource Owner
-    #
-    def self.authorized_for(resource_owner)
-      resource_access_tokens = AccessToken.active_for(resource_owner)
-      where(id: resource_access_tokens.select(:application_id).distinct)
-    end
-
-    # Revokes AccessToken and AccessGrant records that have not been revoked and
-    # associated with the specific Application and Resource Owner.
-    #
-    # @param resource_owner [ActiveRecord::Base]
-    #   instance of the Resource Owner model
-    #
-    def self.revoke_tokens_and_grants_for(id, resource_owner)
-      AccessToken.revoke_all_for(id, resource_owner)
-      AccessGrant.revoke_all_for(id, resource_owner)
-    end
+require "doorkeeper/orm/active_record/redirect_uri_validator"
+require "doorkeeper/orm/active_record/mixins/application"
 
-    # Generates a new secret for this application, intended to be used
-    # for rotating the secret or in case of compromise.
-    #
-    def renew_secret
-      @raw_secret = UniqueToken.generate
-      secret_strategy.store_secret(self, :secret, @raw_secret)
-    end
-
-    # We keep a volatile copy of the raw secret for initial communication
-    # The stored refresh_token may be mapped and not available in cleartext.
-    #
-    # Some strategies allow restoring stored secrets (e.g. symmetric encryption)
-    # while hashing strategies do not, so you cannot rely on this value
-    # returning a present value for persisted tokens.
-    def plaintext_secret
-      if secret_strategy.allows_restoring_secrets?
-        secret_strategy.restore_secret(self, :secret)
-      else
-        @raw_secret
-      end
-    end
-
-    def to_json(options = nil)
-      serializable_hash(except: :secret)
-        .merge(secret: plaintext_secret)
-        .to_json(options)
-    end
-
-    private
-
-    def generate_uid
-      self.uid = UniqueToken.generate if uid.blank?
-    end
-
-    def generate_secret
-      return unless secret.blank?
-      renew_secret
-    end
-
-    def scopes_match_configured
-      if scopes.present? &&
-         !ScopeChecker.valid?(scope_str: scopes.to_s,
-                              server_scopes: Doorkeeper.configuration.scopes)
-        errors.add(:scopes, :not_match_configured)
-      end
-    end
-
-    def enforce_scopes?
-      Doorkeeper.configuration.enforce_configured_scopes?
-    end
+module Doorkeeper
+  class Application < ::ActiveRecord::Base
+    include ::Doorkeeper::Orm::ActiveRecord::Mixins::Application
   end
 end

data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+module Doorkeeper::Orm::ActiveRecord::Mixins
+  module AccessGrant
+    extend ActiveSupport::Concern
+
+    included do
+      self.table_name = compute_doorkeeper_table_name
+      self.strict_loading_by_default = false if respond_to?(:strict_loading_by_default)
+
+      include ::Doorkeeper::AccessGrantMixin
+
+      belongs_to :application, class_name: Doorkeeper.config.application_class.to_s,
+                               optional: true,
+                               inverse_of: :access_grants
+
+      if Doorkeeper.config.polymorphic_resource_owner?
+        belongs_to :resource_owner, polymorphic: true, optional: false
+      else
+        validates :resource_owner_id, presence: true
+      end
+
+      validates :application_id,
+                :token,
+                :expires_in,
+                :redirect_uri,
+                presence: true
+
+      validates :token, uniqueness: { case_sensitive: true }
+
+      before_validation :generate_token, on: :create
+
+      # We keep a volatile copy of the raw token for initial communication
+      # The stored refresh_token may be mapped and not available in cleartext.
+      #
+      # Some strategies allow restoring stored secrets (e.g. symmetric encryption)
+      # while hashing strategies do not, so you cannot rely on this value
+      # returning a present value for persisted tokens.
+      def plaintext_token
+        if secret_strategy.allows_restoring_secrets?
+          secret_strategy.restore_secret(self, :token)
+        else
+          @raw_token
+        end
+      end
+
+      private
+
+      # Generates token value with UniqueToken class.
+      #
+      # @return [String] token value
+      #
+      def generate_token
+        @raw_token = Doorkeeper::OAuth::Helpers::UniqueToken.generate
+        secret_strategy.store_secret(self, :token, @raw_token)
+      end
+    end
+
+    module ClassMethods
+      private
+
+      def compute_doorkeeper_table_name
+        table_name = "oauth_access_grant"
+        table_name = table_name.pluralize if pluralize_table_names
+        "#{table_name_prefix}#{table_name}#{table_name_suffix}"
+      end
+    end
+  end
+end

data/lib/doorkeeper/orm/active_record/mixins/access_token.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+module Doorkeeper::Orm::ActiveRecord::Mixins
+  module AccessToken
+    extend ActiveSupport::Concern
+
+    included do
+      self.table_name = compute_doorkeeper_table_name
+      self.strict_loading_by_default = false if respond_to?(:strict_loading_by_default)
+
+      include ::Doorkeeper::AccessTokenMixin
+
+      belongs_to :application, class_name: Doorkeeper.config.application_class.to_s,
+                               inverse_of: :access_tokens,
+                               optional: true
+
+      if Doorkeeper.config.polymorphic_resource_owner?
+        belongs_to :resource_owner, polymorphic: true, optional: true
+      end
+
+      validates :token, presence: true, uniqueness: { case_sensitive: true }
+      validates :refresh_token, uniqueness: { case_sensitive: true }, if: :use_refresh_token?
+
+      # @attr_writer [Boolean, nil] use_refresh_token
+      #   indicates the possibility of using refresh token
+      attr_writer :use_refresh_token
+
+      before_validation :generate_token, on: :create
+      before_validation :generate_refresh_token,
+                        on: :create, if: :use_refresh_token?
+    end
+
+    module ClassMethods
+      # Searches for not revoked Access Tokens associated with the
+      # specific Resource Owner.
+      #
+      # @param resource_owner [ActiveRecord::Base]
+      #   Resource Owner model instance
+      #
+      # @return [ActiveRecord::Relation]
+      #   active Access Tokens for Resource Owner
+      #
+      def active_for(resource_owner)
+        by_resource_owner(resource_owner).where(revoked_at: nil)
+      end
+
+      def refresh_token_revoked_on_use?
+        column_names.include?("previous_refresh_token")
+      end
+
+      private
+
+      def compute_doorkeeper_table_name
+        table_name = "oauth_access_token"
+        table_name = table_name.pluralize if pluralize_table_names
+        "#{table_name_prefix}#{table_name}#{table_name_suffix}"
+      end
+    end
+  end
+end