doorkeeper 5.2.6 → 5.3.0

data/lib/doorkeeper/oauth/token.rb

@@ -14,8 +14,8 @@ module Doorkeeper
 
         def authenticate(request, *methods)
           if (token = from_request(request, *methods))
-            access_token = AccessToken.by_token(token)
-            refresh_token_enabled = Doorkeeper.configuration.refresh_token_enabled?
+            access_token = Doorkeeper.config.access_token_model.by_token(token)
+            refresh_token_enabled = Doorkeeper.config.refresh_token_enabled?
             if access_token.present? && refresh_token_enabled
               access_token.revoke_previous_refresh_token!
             end

data/lib/doorkeeper/oauth/token_introspection.rb

@@ -94,7 +94,7 @@ module Doorkeeper
           client_id: @token.try(:application).try(:uid),
           token_type: @token.token_type,
           exp: @token.expires_at.to_i,
-          iat: @token.created_at.to_i
+          iat: @token.created_at.to_i,
         )
       end
 
@@ -174,15 +174,15 @@ module Doorkeeper
         authorized_token.token == @token&.token
       end
 
-      # config constraints for introspection in Doorkeeper.configuration.allow_token_introspection
+      # Config constraints for introspection in Doorkeeper.config.allow_token_introspection
       def token_introspection_allowed?(auth_client: nil, auth_token: nil)
-        allow_introspection = Doorkeeper.configuration.allow_token_introspection
+        allow_introspection = Doorkeeper.config.allow_token_introspection
         return allow_introspection unless allow_introspection.respond_to?(:call)
 
         allow_introspection.call(
           @token,
           auth_client,
-          auth_token
+          auth_token,
         )
       end
 
@@ -193,9 +193,9 @@ module Doorkeeper
       # @see https://tools.ietf.org/html/rfc7662#section-2.2
       #
       def customize_response(response)
-        customized_response = Doorkeeper.configuration.custom_introspection_response.call(
+        customized_response = Doorkeeper.config.custom_introspection_response.call(
           token,
-          server.context
+          server.context,
         )
         return response if customized_response.blank?
 

data/lib/doorkeeper/orm/active_record.rb

@@ -20,9 +20,9 @@ module Doorkeeper
           require "doorkeeper/orm/active_record/access_token"
           require "doorkeeper/orm/active_record/application"
 
-          if Doorkeeper.configuration.active_record_options[:establish_connection]
+          if Doorkeeper.config.active_record_options[:establish_connection]
             Doorkeeper::Orm::ActiveRecord.models.each do |model|
-              options = Doorkeeper.configuration.active_record_options[:establish_connection]
+              options = Doorkeeper.config.active_record_options[:establish_connection]
               model.establish_connection(options)
             end
           end
@@ -33,7 +33,7 @@ module Doorkeeper
         lazy_load do
           require "doorkeeper/models/concerns/ownership"
 
-          Doorkeeper::Application.send :include, Doorkeeper::Models::Ownership
+          Doorkeeper.config.application_model.send :include, Doorkeeper::Models::Ownership
         end
       end
 

data/lib/doorkeeper/orm/active_record/access_grant.rb

@@ -1,48 +1,9 @@
 # frozen_string_literal: true
 
-module Doorkeeper
-  class AccessGrant < ActiveRecord::Base
-    self.table_name = "#{table_name_prefix}oauth_access_grants#{table_name_suffix}"
-
-    include AccessGrantMixin
-
-    belongs_to :application, class_name: "Doorkeeper::Application",
-                             optional: true, inverse_of: :access_grants
-
-    validates :resource_owner_id,
-              :application_id,
-              :token,
-              :expires_in,
-              :redirect_uri,
-              presence: true
-
-    validates :token, uniqueness: { case_sensitive: true }
+require "doorkeeper/orm/active_record/mixins/access_grant"
 
-    before_validation :generate_token, on: :create
-
-    # We keep a volatile copy of the raw token for initial communication
-    # The stored refresh_token may be mapped and not available in cleartext.
-    #
-    # Some strategies allow restoring stored secrets (e.g. symmetric encryption)
-    # while hashing strategies do not, so you cannot rely on this value
-    # returning a present value for persisted tokens.
-    def plaintext_token
-      if secret_strategy.allows_restoring_secrets?
-        secret_strategy.restore_secret(self, :token)
-      else
-        @raw_token
-      end
-    end
-
-    private
-
-    # Generates token value with UniqueToken class.
-    #
-    # @return [String] token value
-    #
-    def generate_token
-      @raw_token = UniqueToken.generate
-      secret_strategy.store_secret(self, :token, @raw_token)
-    end
+module Doorkeeper
+  class AccessGrant < ::ActiveRecord::Base
+    include Doorkeeper::Orm::ActiveRecord::Mixins::AccessGrant
   end
 end

data/lib/doorkeeper/orm/active_record/access_token.rb

@@ -1,40 +1,9 @@
 # frozen_string_literal: true
 
-module Doorkeeper
-  class AccessToken < ActiveRecord::Base
-    self.table_name = "#{table_name_prefix}oauth_access_tokens#{table_name_suffix}"
-
-    include AccessTokenMixin
-
-    belongs_to :application, class_name: "Doorkeeper::Application",
-                             inverse_of: :access_tokens, optional: true
-
-    validates :token, presence: true, uniqueness: { case_sensitive: true }
-    validates :refresh_token, uniqueness: { case_sensitive: true }, if: :use_refresh_token?
+require "doorkeeper/orm/active_record/mixins/access_token"
 
-    # @attr_writer [Boolean, nil] use_refresh_token
-    #   indicates the possibility of using refresh token
-    attr_writer :use_refresh_token
-
-    before_validation :generate_token, on: :create
-    before_validation :generate_refresh_token,
-                      on: :create, if: :use_refresh_token?
-
-    # Searches for not revoked Access Tokens associated with the
-    # specific Resource Owner.
-    #
-    # @param resource_owner [ActiveRecord::Base]
-    #   Resource Owner model instance
-    #
-    # @return [ActiveRecord::Relation]
-    #   active Access Tokens for Resource Owner
-    #
-    def self.active_for(resource_owner)
-      where(resource_owner_id: resource_owner.id, revoked_at: nil)
-    end
-
-    def self.refresh_token_revoked_on_use?
-      column_names.include?("previous_refresh_token")
-    end
+module Doorkeeper
+  class AccessToken < ::ActiveRecord::Base
+    include Doorkeeper::Orm::ActiveRecord::Mixins::AccessToken
   end
 end

data/lib/doorkeeper/orm/active_record/application.rb

@@ -1,162 +1,10 @@
 # frozen_string_literal: true
 
 require "doorkeeper/orm/active_record/redirect_uri_validator"
+require "doorkeeper/orm/active_record/mixins/application"
 
 module Doorkeeper
-  class Application < ActiveRecord::Base
-    self.table_name = "#{table_name_prefix}oauth_applications#{table_name_suffix}"
-
-    include ApplicationMixin
-
-    has_many :access_grants, dependent: :delete_all, class_name: "Doorkeeper::AccessGrant"
-    has_many :access_tokens, dependent: :delete_all, class_name: "Doorkeeper::AccessToken"
-
-    validates :name, :secret, :uid, presence: true
-    validates :uid, uniqueness: { case_sensitive: true }
-    validates :redirect_uri, "doorkeeper/redirect_uri": true
-    validates :confidential, inclusion: { in: [true, false] }
-
-    validate :scopes_match_configured, if: :enforce_scopes?
-
-    before_validation :generate_uid, :generate_secret, on: :create
-
-    has_many :authorized_tokens, -> { where(revoked_at: nil) }, class_name: "AccessToken"
-    has_many :authorized_applications, through: :authorized_tokens, source: :application
-
-    # Returns Applications associated with active (not revoked) Access Tokens
-    # that are owned by the specific Resource Owner.
-    #
-    # @param resource_owner [ActiveRecord::Base]
-    #   Resource Owner model instance
-    #
-    # @return [ActiveRecord::Relation]
-    #   Applications authorized for the Resource Owner
-    #
-    def self.authorized_for(resource_owner)
-      resource_access_tokens = AccessToken.active_for(resource_owner)
-      where(id: resource_access_tokens.select(:application_id).distinct)
-    end
-
-    # Revokes AccessToken and AccessGrant records that have not been revoked and
-    # associated with the specific Application and Resource Owner.
-    #
-    # @param resource_owner [ActiveRecord::Base]
-    #   instance of the Resource Owner model
-    #
-    def self.revoke_tokens_and_grants_for(id, resource_owner)
-      AccessToken.revoke_all_for(id, resource_owner)
-      AccessGrant.revoke_all_for(id, resource_owner)
-    end
-
-    # Generates a new secret for this application, intended to be used
-    # for rotating the secret or in case of compromise.
-    #
-    def renew_secret
-      @raw_secret = UniqueToken.generate
-      secret_strategy.store_secret(self, :secret, @raw_secret)
-    end
-
-    # We keep a volatile copy of the raw secret for initial communication
-    # The stored refresh_token may be mapped and not available in cleartext.
-    #
-    # Some strategies allow restoring stored secrets (e.g. symmetric encryption)
-    # while hashing strategies do not, so you cannot rely on this value
-    # returning a present value for persisted tokens.
-    def plaintext_secret
-      if secret_strategy.allows_restoring_secrets?
-        secret_strategy.restore_secret(self, :secret)
-      else
-        @raw_secret
-      end
-    end
-
-    # Represents client as set of it's attributes in JSON format.
-    # This is the right way how we want to override ActiveRecord #to_json.
-    #
-    # Respects privacy settings and serializes minimum set of attributes
-    # for public/private clients and full set for authorized owners.
-    #
-    # @return [Hash] entity attributes for JSON
-    #
-    def as_json(options = {})
-      # if application belongs to some owner we need to check if it's the same as
-      # the one passed in the options or check if we render the client as an owner
-      if (respond_to?(:owner) && owner && owner == options[:current_resource_owner]) ||
-         options[:as_owner]
-        # Owners can see all the client attributes, fallback to ActiveModel serialization
-        super
-      else
-        # if application has no owner or it's owner doesn't match one from the options
-        # we render only minimum set of attributes that could be exposed to a public
-        only = extract_serializable_attributes(options)
-        super(options.merge(only: only))
-      end
-    end
-
-    # We need to hook into this method to allow serializing plan-text secrets
-    # when secrets hashing enabled.
-    #
-    # @param key [String] attribute name
-    #
-    def read_attribute_for_serialization(key)
-      return super unless key.to_s == "secret"
-
-      plaintext_secret || secret
-    end
-
-    private
-
-    def generate_uid
-      self.uid = UniqueToken.generate if uid.blank?
-    end
-
-    def generate_secret
-      return unless secret.blank?
-      renew_secret
-    end
-
-    def scopes_match_configured
-      if scopes.present? &&
-         !ScopeChecker.valid?(scope_str: scopes.to_s,
-                              server_scopes: Doorkeeper.configuration.scopes)
-        errors.add(:scopes, :not_match_configured)
-      end
-    end
-
-    def enforce_scopes?
-      Doorkeeper.configuration.enforce_configured_scopes?
-    end
-
-    # Helper method to extract collection of serializable attribute names
-    # considering serialization options (like `only`, `except` and so on).
-    #
-    # @param options [Hash] serialization options
-    #
-    # @return [Array<String>]
-    #   collection of attributes to be serialized using #as_json
-    #
-    def extract_serializable_attributes(options = {})
-      opts = options.try(:dup) || {}
-      only = Array.wrap(opts[:only]).map(&:to_s)
-
-      only = if only.blank?
-               serializable_attributes
-             else
-               only & serializable_attributes
-             end
-
-      only -= Array.wrap(opts[:except]).map(&:to_s) if opts.key?(:except)
-      only.uniq
-    end
-
-    # Collection of attributes that could be serialized for public.
-    # Override this method if you need additional attributes to be serialized.
-    #
-    # @return [Array<String>] collection of serializable attributes
-    def serializable_attributes
-      attributes = %w[id name created_at]
-      attributes << "uid" unless confidential?
-      attributes
-    end
+  class Application < ::ActiveRecord::Base
+    include ::Doorkeeper::Orm::ActiveRecord::Mixins::Application
   end
 end

data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+module Doorkeeper::Orm::ActiveRecord::Mixins
+  module AccessGrant
+    extend ActiveSupport::Concern
+
+    included do
+      self.table_name = "#{table_name_prefix}oauth_access_grants#{table_name_suffix}"
+
+      include ::Doorkeeper::AccessGrantMixin
+
+      belongs_to :application, class_name: Doorkeeper.config.application_class,
+                               optional: true,
+                               inverse_of: :access_grants
+
+      validates :resource_owner_id,
+                :application_id,
+                :token,
+                :expires_in,
+                :redirect_uri,
+                presence: true
+
+      validates :token, uniqueness: { case_sensitive: true }
+
+      before_validation :generate_token, on: :create
+
+      # We keep a volatile copy of the raw token for initial communication
+      # The stored refresh_token may be mapped and not available in cleartext.
+      #
+      # Some strategies allow restoring stored secrets (e.g. symmetric encryption)
+      # while hashing strategies do not, so you cannot rely on this value
+      # returning a present value for persisted tokens.
+      def plaintext_token
+        if secret_strategy.allows_restoring_secrets?
+          secret_strategy.restore_secret(self, :token)
+        else
+          @raw_token
+        end
+      end
+
+      private
+
+      # Generates token value with UniqueToken class.
+      #
+      # @return [String] token value
+      #
+      def generate_token
+        @raw_token = Doorkeeper::OAuth::Helpers::UniqueToken.generate
+        secret_strategy.store_secret(self, :token, @raw_token)
+      end
+    end
+  end
+end

data/lib/doorkeeper/orm/active_record/mixins/access_token.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module Doorkeeper::Orm::ActiveRecord::Mixins
+  module AccessToken
+    extend ActiveSupport::Concern
+
+    included do
+      self.table_name = "#{table_name_prefix}oauth_access_tokens#{table_name_suffix}"
+
+      include ::Doorkeeper::AccessTokenMixin
+
+      belongs_to :application, class_name: Doorkeeper.config.application_class,
+                               inverse_of: :access_tokens,
+                               optional: true
+
+      validates :token, presence: true, uniqueness: { case_sensitive: true }
+      validates :refresh_token, uniqueness: { case_sensitive: true }, if: :use_refresh_token?
+
+      # @attr_writer [Boolean, nil] use_refresh_token
+      #   indicates the possibility of using refresh token
+      attr_writer :use_refresh_token
+
+      before_validation :generate_token, on: :create
+      before_validation :generate_refresh_token,
+                        on: :create, if: :use_refresh_token?
+    end
+
+    class_methods do
+      # Searches for not revoked Access Tokens associated with the
+      # specific Resource Owner.
+      #
+      # @param resource_owner [ActiveRecord::Base]
+      #   Resource Owner model instance
+      #
+      # @return [ActiveRecord::Relation]
+      #   active Access Tokens for Resource Owner
+      #
+      def active_for(resource_owner)
+        where(resource_owner_id: resource_owner.id, revoked_at: nil)
+      end
+
+      def refresh_token_revoked_on_use?
+        column_names.include?("previous_refresh_token")
+      end
+    end
+  end
+end

data/lib/doorkeeper/orm/active_record/mixins/application.rb

@@ -0,0 +1,128 @@
+# frozen_string_literal: true
+
+module Doorkeeper::Orm::ActiveRecord::Mixins
+  module Application
+    extend ActiveSupport::Concern
+
+    included do
+      self.table_name = "#{table_name_prefix}oauth_applications#{table_name_suffix}"
+
+      include ::Doorkeeper::ApplicationMixin
+
+      has_many :access_grants,
+               foreign_key: :application_id,
+               dependent: :delete_all,
+               class_name: Doorkeeper.config.access_grant_class
+
+      has_many :access_tokens,
+               foreign_key: :application_id,
+               dependent: :delete_all,
+               class_name: Doorkeeper.config.access_token_class
+
+      validates :name, :secret, :uid, presence: true
+      validates :uid, uniqueness: { case_sensitive: true }
+      validates :redirect_uri, "doorkeeper/redirect_uri": true
+      validates :confidential, inclusion: { in: [true, false] }
+
+      validate :scopes_match_configured, if: :enforce_scopes?
+
+      before_validation :generate_uid, :generate_secret, on: :create
+
+      has_many :authorized_tokens,
+               -> { where(revoked_at: nil) },
+               foreign_key: :application_id,
+               class_name: Doorkeeper.config.access_token_class
+
+      has_many :authorized_applications,
+               through: :authorized_tokens,
+               source: :application
+
+      # Generates a new secret for this application, intended to be used
+      # for rotating the secret or in case of compromise.
+      #
+      # @return [String] new transformed secret value
+      #
+      def renew_secret
+        @raw_secret = Doorkeeper::OAuth::Helpers::UniqueToken.generate
+        secret_strategy.store_secret(self, :secret, @raw_secret)
+      end
+
+      # We keep a volatile copy of the raw secret for initial communication
+      # The stored refresh_token may be mapped and not available in cleartext.
+      #
+      # Some strategies allow restoring stored secrets (e.g. symmetric encryption)
+      # while hashing strategies do not, so you cannot rely on this value
+      # returning a present value for persisted tokens.
+      def plaintext_secret
+        if secret_strategy.allows_restoring_secrets?
+          secret_strategy.restore_secret(self, :secret)
+        else
+          @raw_secret
+        end
+      end
+
+      # This is the right way how we want to override ActiveRecord #to_json
+      #
+      # @return [String] entity attributes as JSON
+      #
+      def as_json(options = {})
+        hash = super
+
+        hash["secret"] = plaintext_secret if hash.key?("secret")
+        hash
+      end
+
+      private
+
+      def generate_uid
+        self.uid = Doorkeeper::OAuth::Helpers::UniqueToken.generate if uid.blank?
+      end
+
+      def generate_secret
+        return unless secret.blank?
+
+        renew_secret
+      end
+
+      def scopes_match_configured
+        if scopes.present? && !Doorkeeper::OAuth::Helpers::ScopeChecker.valid?(
+          scope_str: scopes.to_s,
+          server_scopes: Doorkeeper.config.scopes,
+        )
+          errors.add(:scopes, :not_match_configured)
+        end
+      end
+
+      def enforce_scopes?
+        Doorkeeper.config.enforce_configured_scopes?
+      end
+    end
+
+    class_methods do
+      # Returns Applications associated with active (not revoked) Access Tokens
+      # that are owned by the specific Resource Owner.
+      #
+      # @param resource_owner [ActiveRecord::Base]
+      #   Resource Owner model instance
+      #
+      # @return [ActiveRecord::Relation]
+      #   Applications authorized for the Resource Owner
+      #
+      def authorized_for(resource_owner)
+        resource_access_tokens = Doorkeeper.config.access_token_model.active_for(resource_owner)
+        where(id: resource_access_tokens.select(:application_id).distinct)
+      end
+
+      # Revokes AccessToken and AccessGrant records that have not been revoked and
+      # associated with the specific Application and Resource Owner.
+      #
+      # @param resource_owner [ActiveRecord::Base]
+      #   instance of the Resource Owner model
+      #
+      def revoke_tokens_and_grants_for(id, resource_owner)
+        Doorkeeper.config.access_token_model.revoke_all_for(id, resource_owner)
+        Doorkeeper.config.access_grant_model.revoke_all_for(id, resource_owner)
+      end
+    end
+  end
+end