doorkeeper 5.2.6 → 5.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of doorkeeper might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Appraisals +2 -2
- data/CHANGELOG.md +15 -14
- data/Gemfile +2 -2
- data/app/controllers/doorkeeper/application_controller.rb +2 -2
- data/app/controllers/doorkeeper/application_metal_controller.rb +2 -2
- data/app/controllers/doorkeeper/applications_controller.rb +3 -3
- data/app/controllers/doorkeeper/authorizations_controller.rb +2 -2
- data/app/controllers/doorkeeper/authorized_applications_controller.rb +3 -3
- data/gemfiles/rails_5_0.gemfile +2 -2
- data/gemfiles/rails_5_1.gemfile +2 -2
- data/gemfiles/rails_5_2.gemfile +2 -2
- data/gemfiles/rails_6_0.gemfile +2 -2
- data/gemfiles/rails_master.gemfile +2 -2
- data/lib/doorkeeper.rb +2 -3
- data/lib/doorkeeper/config.rb +71 -39
- data/lib/doorkeeper/grape/helpers.rb +1 -1
- data/lib/doorkeeper/helpers/controller.rb +10 -8
- data/lib/doorkeeper/models/access_grant_mixin.rb +7 -6
- data/lib/doorkeeper/models/access_token_mixin.rb +55 -18
- data/lib/doorkeeper/models/application_mixin.rb +3 -3
- data/lib/doorkeeper/models/concerns/ownership.rb +1 -1
- data/lib/doorkeeper/models/concerns/reusable.rb +1 -1
- data/lib/doorkeeper/models/concerns/revocable.rb +0 -27
- data/lib/doorkeeper/oauth/authorization/code.rb +4 -4
- data/lib/doorkeeper/oauth/authorization/token.rb +9 -6
- data/lib/doorkeeper/oauth/authorization_code_request.rb +13 -6
- data/lib/doorkeeper/oauth/base_request.rb +8 -4
- data/lib/doorkeeper/oauth/client.rb +7 -8
- data/lib/doorkeeper/oauth/client_credentials/creator.rb +16 -9
- data/lib/doorkeeper/oauth/client_credentials/issuer.rb +7 -7
- data/lib/doorkeeper/oauth/client_credentials/{validation.rb → validator.rb} +4 -4
- data/lib/doorkeeper/oauth/client_credentials_request.rb +1 -1
- data/lib/doorkeeper/oauth/code_response.rb +2 -2
- data/lib/doorkeeper/oauth/error.rb +1 -1
- data/lib/doorkeeper/oauth/error_response.rb +5 -5
- data/lib/doorkeeper/oauth/helpers/scope_checker.rb +7 -5
- data/lib/doorkeeper/oauth/helpers/unique_token.rb +8 -5
- data/lib/doorkeeper/oauth/helpers/uri_checker.rb +1 -1
- data/lib/doorkeeper/oauth/invalid_request_response.rb +3 -3
- data/lib/doorkeeper/oauth/invalid_token_response.rb +5 -2
- data/lib/doorkeeper/oauth/password_access_token_request.rb +3 -3
- data/lib/doorkeeper/oauth/pre_authorization.rb +7 -5
- data/lib/doorkeeper/oauth/refresh_token_request.rb +5 -5
- data/lib/doorkeeper/oauth/token.rb +2 -2
- data/lib/doorkeeper/oauth/token_introspection.rb +6 -6
- data/lib/doorkeeper/orm/active_record.rb +3 -3
- data/lib/doorkeeper/orm/active_record/access_grant.rb +4 -43
- data/lib/doorkeeper/orm/active_record/access_token.rb +4 -35
- data/lib/doorkeeper/orm/active_record/application.rb +3 -155
- data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +53 -0
- data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +47 -0
- data/lib/doorkeeper/orm/active_record/mixins/application.rb +128 -0
- data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb +3 -3
- data/lib/doorkeeper/rails/helpers.rb +4 -4
- data/lib/doorkeeper/rails/routes.rb +5 -7
- data/lib/doorkeeper/rake/db.rake +3 -3
- data/lib/doorkeeper/request.rb +1 -1
- data/lib/doorkeeper/request/authorization_code.rb +3 -3
- data/lib/doorkeeper/request/client_credentials.rb +2 -2
- data/lib/doorkeeper/request/password.rb +2 -2
- data/lib/doorkeeper/request/refresh_token.rb +3 -3
- data/lib/doorkeeper/server.rb +1 -1
- data/lib/doorkeeper/stale_records_cleaner.rb +1 -1
- data/lib/doorkeeper/version.rb +2 -2
- data/lib/generators/doorkeeper/application_owner_generator.rb +1 -1
- data/lib/generators/doorkeeper/confidential_applications_generator.rb +1 -1
- data/lib/generators/doorkeeper/migration_generator.rb +1 -1
- data/lib/generators/doorkeeper/pkce_generator.rb +1 -1
- data/lib/generators/doorkeeper/previous_refresh_token_generator.rb +2 -2
- data/lib/generators/doorkeeper/templates/initializer.rb +39 -8
- data/spec/controllers/application_metal_controller_spec.rb +1 -1
- data/spec/controllers/applications_controller_spec.rb +3 -2
- data/spec/controllers/authorizations_controller_spec.rb +18 -18
- data/spec/controllers/protected_resources_controller_spec.rb +25 -17
- data/spec/controllers/token_info_controller_spec.rb +1 -1
- data/spec/controllers/tokens_controller_spec.rb +1 -1
- data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +3 -3
- data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb +1 -1
- data/spec/dummy/db/migrate/20180210183654_add_confidential_to_applications.rb +1 -1
- data/spec/generators/install_generator_spec.rb +1 -1
- data/spec/generators/previous_refresh_token_generator_spec.rb +2 -2
- data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +1 -1
- data/spec/lib/config_spec.rb +61 -21
- data/spec/lib/doorkeeper_spec.rb +1 -1
- data/spec/lib/models/revocable_spec.rb +3 -3
- data/spec/lib/oauth/authorization_code_request_spec.rb +127 -125
- data/spec/lib/oauth/base_request_spec.rb +160 -158
- data/spec/lib/oauth/base_response_spec.rb +27 -29
- data/spec/lib/oauth/client/credentials_spec.rb +1 -1
- data/spec/lib/oauth/client_credentials/creator_spec.rb +42 -5
- data/spec/lib/oauth/client_credentials/issuer_spec.rb +12 -12
- data/spec/lib/oauth/client_credentials/validation_spec.rb +4 -4
- data/spec/lib/oauth/client_credentials_integration_spec.rb +16 -18
- data/spec/lib/oauth/client_credentials_request_spec.rb +78 -80
- data/spec/lib/oauth/client_spec.rb +26 -26
- data/spec/lib/oauth/code_request_spec.rb +34 -34
- data/spec/lib/oauth/code_response_spec.rb +21 -25
- data/spec/lib/oauth/error_response_spec.rb +42 -44
- data/spec/lib/oauth/error_spec.rb +12 -14
- data/spec/lib/oauth/forbidden_token_response_spec.rb +11 -13
- data/spec/lib/oauth/helpers/scope_checker_spec.rb +30 -18
- data/spec/lib/oauth/invalid_request_response_spec.rb +48 -50
- data/spec/lib/oauth/invalid_token_response_spec.rb +32 -34
- data/spec/lib/oauth/password_access_token_request_spec.rb +145 -147
- data/spec/lib/oauth/pre_authorization_spec.rb +159 -161
- data/spec/lib/oauth/refresh_token_request_spec.rb +138 -139
- data/spec/lib/oauth/scopes_spec.rb +104 -106
- data/spec/lib/oauth/token_request_spec.rb +115 -111
- data/spec/lib/oauth/token_response_spec.rb +71 -73
- data/spec/lib/oauth/token_spec.rb +121 -123
- data/spec/models/doorkeeper/access_grant_spec.rb +3 -5
- data/spec/models/doorkeeper/access_token_spec.rb +7 -7
- data/spec/models/doorkeeper/application_spec.rb +295 -373
- data/spec/requests/applications/applications_request_spec.rb +1 -1
- data/spec/requests/endpoints/authorization_spec.rb +5 -3
- data/spec/requests/flows/authorization_code_spec.rb +34 -22
- data/spec/requests/flows/client_credentials_spec.rb +1 -1
- data/spec/requests/flows/password_spec.rb +32 -12
- data/spec/requests/flows/refresh_token_spec.rb +19 -19
- data/spec/requests/flows/revoke_token_spec.rb +18 -12
- data/spec/spec_helper.rb +1 -4
- data/spec/support/shared/controllers_shared_context.rb +33 -23
- data/spec/validators/redirect_uri_validator_spec.rb +1 -1
- metadata +6 -5
- data/spec/support/http_method_shim.rb +0 -29
|
@@ -17,17 +17,17 @@ module Doorkeeper
|
|
|
17
17
|
# :doc:
|
|
18
18
|
def current_resource_owner
|
|
19
19
|
@current_resource_owner ||= begin
|
|
20
|
-
instance_eval(&Doorkeeper.
|
|
20
|
+
instance_eval(&Doorkeeper.config.authenticate_resource_owner)
|
|
21
21
|
end
|
|
22
22
|
end
|
|
23
23
|
|
|
24
24
|
def resource_owner_from_credentials
|
|
25
|
-
instance_eval(&Doorkeeper.
|
|
25
|
+
instance_eval(&Doorkeeper.config.resource_owner_from_credentials)
|
|
26
26
|
end
|
|
27
27
|
|
|
28
28
|
# :doc:
|
|
29
29
|
def authenticate_admin!
|
|
30
|
-
instance_eval(&Doorkeeper.
|
|
30
|
+
instance_eval(&Doorkeeper.config.authenticate_admin)
|
|
31
31
|
end
|
|
32
32
|
|
|
33
33
|
def server
|
|
@@ -40,16 +40,18 @@ module Doorkeeper
|
|
|
40
40
|
end
|
|
41
41
|
|
|
42
42
|
def config_methods
|
|
43
|
-
@config_methods ||= Doorkeeper.
|
|
43
|
+
@config_methods ||= Doorkeeper.config.access_token_methods
|
|
44
44
|
end
|
|
45
45
|
|
|
46
46
|
def get_error_response_from_exception(exception)
|
|
47
47
|
if exception.respond_to?(:response)
|
|
48
48
|
exception.response
|
|
49
49
|
elsif exception.type == :invalid_request
|
|
50
|
-
OAuth::InvalidRequestResponse.new(
|
|
51
|
-
|
|
52
|
-
|
|
50
|
+
OAuth::InvalidRequestResponse.new(
|
|
51
|
+
name: exception.type,
|
|
52
|
+
state: params[:state],
|
|
53
|
+
missing_param: exception.missing_param,
|
|
54
|
+
)
|
|
53
55
|
else
|
|
54
56
|
OAuth::ErrorResponse.new(name: exception.type, state: params[:state])
|
|
55
57
|
end
|
|
@@ -65,7 +67,7 @@ module Doorkeeper
|
|
|
65
67
|
def skip_authorization?
|
|
66
68
|
!!instance_exec(
|
|
67
69
|
[server.current_resource_owner, @pre_auth.client],
|
|
68
|
-
&Doorkeeper.
|
|
70
|
+
&Doorkeeper.config.skip_authorization
|
|
69
71
|
)
|
|
70
72
|
end
|
|
71
73
|
|
|
@@ -43,10 +43,11 @@ module Doorkeeper
|
|
|
43
43
|
# instance of the Resource Owner model
|
|
44
44
|
#
|
|
45
45
|
def revoke_all_for(application_id, resource_owner, clock = Time)
|
|
46
|
-
where(
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
46
|
+
where(
|
|
47
|
+
application_id: application_id,
|
|
48
|
+
resource_owner_id: resource_owner.id,
|
|
49
|
+
revoked_at: nil,
|
|
50
|
+
).update_all(revoked_at: clock.now.utc)
|
|
50
51
|
end
|
|
51
52
|
|
|
52
53
|
# Implements PKCE code_challenge encoding without base64 padding as described in the spec.
|
|
@@ -102,14 +103,14 @@ module Doorkeeper
|
|
|
102
103
|
# Determines the secret storing transformer
|
|
103
104
|
# Unless configured otherwise, uses the plain secret strategy
|
|
104
105
|
def secret_strategy
|
|
105
|
-
::Doorkeeper.
|
|
106
|
+
::Doorkeeper.config.token_secret_strategy
|
|
106
107
|
end
|
|
107
108
|
|
|
108
109
|
##
|
|
109
110
|
# Determine the fallback storing strategy
|
|
110
111
|
# Unless configured, there will be no fallback
|
|
111
112
|
def fallback_secret_strategy
|
|
112
|
-
::Doorkeeper.
|
|
113
|
+
::Doorkeeper.config.token_secret_fallback_strategy
|
|
113
114
|
end
|
|
114
115
|
end
|
|
115
116
|
end
|
|
@@ -40,6 +40,21 @@ module Doorkeeper
|
|
|
40
40
|
find_by_plaintext_token(:refresh_token, refresh_token)
|
|
41
41
|
end
|
|
42
42
|
|
|
43
|
+
# Returns an instance of the Doorkeeper::AccessToken
|
|
44
|
+
# found by previous refresh token. Keep in mind that value
|
|
45
|
+
# of the previous_refresh_token isn't encrypted using
|
|
46
|
+
# secrets strategy.
|
|
47
|
+
#
|
|
48
|
+
# @param previous_refresh_token [#to_s]
|
|
49
|
+
# previous refresh token value (any object that responds to `#to_s`)
|
|
50
|
+
#
|
|
51
|
+
# @return [Doorkeeper::AccessToken, nil] AccessToken object or nil
|
|
52
|
+
# if there is no record with such refresh token
|
|
53
|
+
#
|
|
54
|
+
def by_previous_refresh_token(previous_refresh_token)
|
|
55
|
+
find_by(refresh_token: previous_refresh_token)
|
|
56
|
+
end
|
|
57
|
+
|
|
43
58
|
# Revokes AccessToken records that have not been revoked and associated
|
|
44
59
|
# with the specific Application and Resource Owner.
|
|
45
60
|
#
|
|
@@ -49,10 +64,11 @@ module Doorkeeper
|
|
|
49
64
|
# instance of the Resource Owner model
|
|
50
65
|
#
|
|
51
66
|
def revoke_all_for(application_id, resource_owner, clock = Time)
|
|
52
|
-
where(
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
67
|
+
where(
|
|
68
|
+
application_id: application_id,
|
|
69
|
+
resource_owner_id: resource_owner.id,
|
|
70
|
+
revoked_at: nil,
|
|
71
|
+
).update_all(revoked_at: clock.now.utc)
|
|
56
72
|
end
|
|
57
73
|
|
|
58
74
|
# Looking for not revoked Access Token with a matching set of scopes
|
|
@@ -110,9 +126,8 @@ module Doorkeeper
|
|
|
110
126
|
return nil unless relation
|
|
111
127
|
|
|
112
128
|
matching_tokens = []
|
|
113
|
-
batch_size = Doorkeeper.configuration.token_lookup_batch_size
|
|
114
129
|
|
|
115
|
-
find_access_token_in_batches(relation
|
|
130
|
+
find_access_token_in_batches(relation) do |batch|
|
|
116
131
|
tokens = batch.select do |token|
|
|
117
132
|
scopes_match?(token.scopes, scopes, application.try(:scopes))
|
|
118
133
|
end
|
|
@@ -143,8 +158,8 @@ module Doorkeeper
|
|
|
143
158
|
(token_scopes.sort == param_scopes.sort) &&
|
|
144
159
|
Doorkeeper::OAuth::Helpers::ScopeChecker.valid?(
|
|
145
160
|
scope_str: param_scopes.to_s,
|
|
146
|
-
server_scopes: Doorkeeper.
|
|
147
|
-
app_scopes: app_scopes
|
|
161
|
+
server_scopes: Doorkeeper.config.scopes,
|
|
162
|
+
app_scopes: app_scopes,
|
|
148
163
|
)
|
|
149
164
|
end
|
|
150
165
|
|
|
@@ -166,7 +181,7 @@ module Doorkeeper
|
|
|
166
181
|
# @return [Doorkeeper::AccessToken] existing record or a new one
|
|
167
182
|
#
|
|
168
183
|
def find_or_create_for(application, resource_owner_id, scopes, expires_in, use_refresh_token)
|
|
169
|
-
if Doorkeeper.
|
|
184
|
+
if Doorkeeper.config.reuse_access_token
|
|
170
185
|
access_token = matching_token_for(application, resource_owner_id, scopes)
|
|
171
186
|
|
|
172
187
|
return access_token if access_token&.reusable?
|
|
@@ -177,7 +192,7 @@ module Doorkeeper
|
|
|
177
192
|
resource_owner_id: resource_owner_id,
|
|
178
193
|
scopes: scopes.to_s,
|
|
179
194
|
expires_in: expires_in,
|
|
180
|
-
use_refresh_token: use_refresh_token
|
|
195
|
+
use_refresh_token: use_refresh_token,
|
|
181
196
|
)
|
|
182
197
|
end
|
|
183
198
|
|
|
@@ -192,9 +207,11 @@ module Doorkeeper
|
|
|
192
207
|
# @return [Doorkeeper::AccessToken] array of matching AccessToken objects
|
|
193
208
|
#
|
|
194
209
|
def authorized_tokens_for(application_id, resource_owner_id)
|
|
195
|
-
where(
|
|
196
|
-
|
|
197
|
-
|
|
210
|
+
where(
|
|
211
|
+
application_id: application_id,
|
|
212
|
+
resource_owner_id: resource_owner_id,
|
|
213
|
+
revoked_at: nil,
|
|
214
|
+
)
|
|
198
215
|
end
|
|
199
216
|
|
|
200
217
|
# Convenience method for backwards-compatibility, return the last
|
|
@@ -217,14 +234,14 @@ module Doorkeeper
|
|
|
217
234
|
# Determines the secret storing transformer
|
|
218
235
|
# Unless configured otherwise, uses the plain secret strategy
|
|
219
236
|
def secret_strategy
|
|
220
|
-
::Doorkeeper.
|
|
237
|
+
::Doorkeeper.config.token_secret_strategy
|
|
221
238
|
end
|
|
222
239
|
|
|
223
240
|
##
|
|
224
241
|
# Determine the fallback storing strategy
|
|
225
242
|
# Unless configured, there will be no fallback
|
|
226
243
|
def fallback_secret_strategy
|
|
227
|
-
::Doorkeeper.
|
|
244
|
+
::Doorkeeper.config.token_secret_fallback_strategy
|
|
228
245
|
end
|
|
229
246
|
end
|
|
230
247
|
|
|
@@ -301,8 +318,28 @@ module Doorkeeper
|
|
|
301
318
|
end
|
|
302
319
|
end
|
|
303
320
|
|
|
321
|
+
# Revokes token with `:refresh_token` equal to `:previous_refresh_token`
|
|
322
|
+
# and clears `:previous_refresh_token` attribute.
|
|
323
|
+
#
|
|
324
|
+
def revoke_previous_refresh_token!
|
|
325
|
+
return unless self.class.refresh_token_revoked_on_use?
|
|
326
|
+
|
|
327
|
+
old_refresh_token&.revoke
|
|
328
|
+
update_attribute :previous_refresh_token, ""
|
|
329
|
+
end
|
|
330
|
+
|
|
304
331
|
private
|
|
305
332
|
|
|
333
|
+
# Searches for Access Token record with `:refresh_token` equal to
|
|
334
|
+
# `:previous_refresh_token` value.
|
|
335
|
+
#
|
|
336
|
+
# @return [Doorkeeper::AccessToken, nil]
|
|
337
|
+
# Access Token record or nil if nothing found
|
|
338
|
+
#
|
|
339
|
+
def old_refresh_token
|
|
340
|
+
@old_refresh_token ||= self.class.by_previous_refresh_token(previous_refresh_token)
|
|
341
|
+
end
|
|
342
|
+
|
|
306
343
|
# Generates refresh token with UniqueToken generator.
|
|
307
344
|
#
|
|
308
345
|
# @return [String] refresh token value
|
|
@@ -313,7 +350,7 @@ module Doorkeeper
|
|
|
313
350
|
end
|
|
314
351
|
|
|
315
352
|
# Generates and sets the token value with the
|
|
316
|
-
# configured Generator class (see Doorkeeper.
|
|
353
|
+
# configured Generator class (see Doorkeeper.config).
|
|
317
354
|
#
|
|
318
355
|
# @return [String] generated token value
|
|
319
356
|
#
|
|
@@ -330,7 +367,7 @@ module Doorkeeper
|
|
|
330
367
|
scopes: scopes,
|
|
331
368
|
application: application,
|
|
332
369
|
expires_in: expires_in,
|
|
333
|
-
created_at: created_at
|
|
370
|
+
created_at: created_at,
|
|
334
371
|
)
|
|
335
372
|
|
|
336
373
|
secret_strategy.store_secret(self, :token, @raw_token)
|
|
@@ -338,7 +375,7 @@ module Doorkeeper
|
|
|
338
375
|
end
|
|
339
376
|
|
|
340
377
|
def token_generator
|
|
341
|
-
generator_name = Doorkeeper.
|
|
378
|
+
generator_name = Doorkeeper.config.access_token_generator
|
|
342
379
|
generator = generator_name.constantize
|
|
343
380
|
|
|
344
381
|
return generator if generator.respond_to?(:generate)
|
|
@@ -47,14 +47,14 @@ module Doorkeeper
|
|
|
47
47
|
# Determines the secret storing transformer
|
|
48
48
|
# Unless configured otherwise, uses the plain secret strategy
|
|
49
49
|
def secret_strategy
|
|
50
|
-
::Doorkeeper.
|
|
50
|
+
::Doorkeeper.config.application_secret_strategy
|
|
51
51
|
end
|
|
52
52
|
|
|
53
53
|
##
|
|
54
54
|
# Determine the fallback storing strategy
|
|
55
55
|
# Unless configured, there will be no fallback
|
|
56
56
|
def fallback_secret_strategy
|
|
57
|
-
::Doorkeeper.
|
|
57
|
+
::Doorkeeper.config.application_secret_fallback_strategy
|
|
58
58
|
end
|
|
59
59
|
end
|
|
60
60
|
|
|
@@ -72,7 +72,7 @@ module Doorkeeper
|
|
|
72
72
|
# @param input [#to_s] Plain secret provided by user
|
|
73
73
|
# (any object that responds to `#to_s`)
|
|
74
74
|
#
|
|
75
|
-
# @return [
|
|
75
|
+
# @return [Boolean] Whether the given secret matches the stored secret
|
|
76
76
|
# of this application.
|
|
77
77
|
#
|
|
78
78
|
def secret_matches?(input)
|
|
@@ -11,7 +11,7 @@ module Doorkeeper
|
|
|
11
11
|
return false if expired?
|
|
12
12
|
return true unless expires_in
|
|
13
13
|
|
|
14
|
-
threshold_limit = 100 - Doorkeeper.
|
|
14
|
+
threshold_limit = 100 - Doorkeeper.config.token_reuse_limit
|
|
15
15
|
expires_in_seconds >= threshold_limit * expires_in / 100
|
|
16
16
|
end
|
|
17
17
|
end
|
|
@@ -19,33 +19,6 @@ module Doorkeeper
|
|
|
19
19
|
def revoked?
|
|
20
20
|
!!(revoked_at && revoked_at <= Time.now.utc)
|
|
21
21
|
end
|
|
22
|
-
|
|
23
|
-
# Revokes token with `:refresh_token` equal to `:previous_refresh_token`
|
|
24
|
-
# and clears `:previous_refresh_token` attribute.
|
|
25
|
-
#
|
|
26
|
-
def revoke_previous_refresh_token!
|
|
27
|
-
return unless refresh_token_revoked_on_use?
|
|
28
|
-
|
|
29
|
-
old_refresh_token&.revoke
|
|
30
|
-
update_attribute :previous_refresh_token, ""
|
|
31
|
-
end
|
|
32
|
-
|
|
33
|
-
private
|
|
34
|
-
|
|
35
|
-
# Searches for Access Token record with `:refresh_token` equal to
|
|
36
|
-
# `:previous_refresh_token` value.
|
|
37
|
-
#
|
|
38
|
-
# @return [Doorkeeper::AccessToken, nil]
|
|
39
|
-
# Access Token record or nil if nothing found
|
|
40
|
-
#
|
|
41
|
-
def old_refresh_token
|
|
42
|
-
@old_refresh_token ||=
|
|
43
|
-
AccessToken.by_refresh_token(previous_refresh_token)
|
|
44
|
-
end
|
|
45
|
-
|
|
46
|
-
def refresh_token_revoked_on_use?
|
|
47
|
-
AccessToken.refresh_token_revoked_on_use?
|
|
48
|
-
end
|
|
49
22
|
end
|
|
50
23
|
end
|
|
51
24
|
end
|
|
@@ -12,7 +12,7 @@ module Doorkeeper
|
|
|
12
12
|
end
|
|
13
13
|
|
|
14
14
|
def issue_token
|
|
15
|
-
@token ||=
|
|
15
|
+
@token ||= Doorkeeper.config.access_grant_model.create!(access_grant_attributes)
|
|
16
16
|
end
|
|
17
17
|
|
|
18
18
|
def oob_redirect
|
|
@@ -22,7 +22,7 @@ module Doorkeeper
|
|
|
22
22
|
private
|
|
23
23
|
|
|
24
24
|
def authorization_code_expires_in
|
|
25
|
-
Doorkeeper.
|
|
25
|
+
Doorkeeper.config.authorization_code_expires_in
|
|
26
26
|
end
|
|
27
27
|
|
|
28
28
|
def access_grant_attributes
|
|
@@ -31,7 +31,7 @@ module Doorkeeper
|
|
|
31
31
|
resource_owner_id: resource_owner.id,
|
|
32
32
|
expires_in: authorization_code_expires_in,
|
|
33
33
|
redirect_uri: pre_auth.redirect_uri,
|
|
34
|
-
scopes: pre_auth.scopes.to_s
|
|
34
|
+
scopes: pre_auth.scopes.to_s,
|
|
35
35
|
)
|
|
36
36
|
end
|
|
37
37
|
|
|
@@ -47,7 +47,7 @@ module Doorkeeper
|
|
|
47
47
|
# Ensures firstly, if migration with additional PKCE columns was
|
|
48
48
|
# generated and migrated
|
|
49
49
|
def pkce_supported?
|
|
50
|
-
Doorkeeper
|
|
50
|
+
Doorkeeper.config.access_grant_model.pkce_supported?
|
|
51
51
|
end
|
|
52
52
|
end
|
|
53
53
|
end
|
|
@@ -19,7 +19,7 @@ module Doorkeeper
|
|
|
19
19
|
Doorkeeper::OAuth::Authorization::Context.new(
|
|
20
20
|
oauth_client,
|
|
21
21
|
grant_type,
|
|
22
|
-
scopes
|
|
22
|
+
scopes,
|
|
23
23
|
)
|
|
24
24
|
end
|
|
25
25
|
|
|
@@ -35,7 +35,7 @@ module Doorkeeper
|
|
|
35
35
|
end
|
|
36
36
|
|
|
37
37
|
def refresh_token_enabled?(server, context)
|
|
38
|
-
if server.refresh_token_enabled?.respond_to?
|
|
38
|
+
if server.refresh_token_enabled?.respond_to?(:call)
|
|
39
39
|
server.refresh_token_enabled?.call(context)
|
|
40
40
|
else
|
|
41
41
|
!!server.refresh_token_enabled?
|
|
@@ -49,17 +49,20 @@ module Doorkeeper
|
|
|
49
49
|
end
|
|
50
50
|
|
|
51
51
|
def issue_token
|
|
52
|
+
return @token if defined?(@token)
|
|
53
|
+
|
|
52
54
|
context = self.class.build_context(
|
|
53
55
|
pre_auth.client,
|
|
54
56
|
Doorkeeper::OAuth::IMPLICIT,
|
|
55
|
-
pre_auth.scopes
|
|
57
|
+
pre_auth.scopes,
|
|
56
58
|
)
|
|
57
|
-
|
|
59
|
+
|
|
60
|
+
@token = configuration.access_token_model.find_or_create_for(
|
|
58
61
|
pre_auth.client,
|
|
59
62
|
resource_owner.id,
|
|
60
63
|
pre_auth.scopes,
|
|
61
64
|
self.class.access_token_expires_in(configuration, context),
|
|
62
|
-
false
|
|
65
|
+
false,
|
|
63
66
|
)
|
|
64
67
|
end
|
|
65
68
|
|
|
@@ -74,7 +77,7 @@ module Doorkeeper
|
|
|
74
77
|
private
|
|
75
78
|
|
|
76
79
|
def configuration
|
|
77
|
-
Doorkeeper.
|
|
80
|
+
Doorkeeper.config
|
|
78
81
|
end
|
|
79
82
|
|
|
80
83
|
def controller
|
|
@@ -32,10 +32,13 @@ module Doorkeeper
|
|
|
32
32
|
raise Errors::InvalidGrantReuse if grant.revoked?
|
|
33
33
|
|
|
34
34
|
grant.revoke
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
35
|
+
|
|
36
|
+
find_or_create_access_token(
|
|
37
|
+
grant.application,
|
|
38
|
+
grant.resource_owner_id,
|
|
39
|
+
grant.scopes,
|
|
40
|
+
server,
|
|
41
|
+
)
|
|
39
42
|
end
|
|
40
43
|
super
|
|
41
44
|
end
|
|
@@ -71,7 +74,7 @@ module Doorkeeper
|
|
|
71
74
|
def validate_redirect_uri
|
|
72
75
|
Helpers::URIChecker.valid_for_authorization?(
|
|
73
76
|
redirect_uri,
|
|
74
|
-
grant.redirect_uri
|
|
77
|
+
grant.redirect_uri,
|
|
75
78
|
)
|
|
76
79
|
end
|
|
77
80
|
|
|
@@ -82,13 +85,17 @@ module Doorkeeper
|
|
|
82
85
|
return false unless grant.pkce_supported?
|
|
83
86
|
|
|
84
87
|
if grant.code_challenge_method == "S256"
|
|
85
|
-
grant.code_challenge ==
|
|
88
|
+
grant.code_challenge == generate_code_challenge(code_verifier)
|
|
86
89
|
elsif grant.code_challenge_method == "plain"
|
|
87
90
|
grant.code_challenge == code_verifier
|
|
88
91
|
else
|
|
89
92
|
false
|
|
90
93
|
end
|
|
91
94
|
end
|
|
95
|
+
|
|
96
|
+
def generate_code_challenge(code_verifier)
|
|
97
|
+
server_config.access_grant_model.generate_code_challenge(code_verifier)
|
|
98
|
+
end
|
|
92
99
|
end
|
|
93
100
|
end
|
|
94
101
|
end
|