doorkeeper 5.2.6 → 5.3.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9f054b4619e2489e52e1e61a959878fa612ae5c42f7217d48f8b59173fb0c8da
-  data.tar.gz: 160f404b0c1e5eeffe97340c748e2f1f65d4bd6092367320ad573ad042f05ad1
+  metadata.gz: 4d3ed9e21e9d404f1c7f67a48a36a5745d9a5a7aca05b9ae63fbd10c6d170ac1
+  data.tar.gz: 21ab4db448c9404a7067e8223433a8aa2ecfe955fd3729e7038efafd616c4237
 SHA512:
-  metadata.gz: e8929470e2fd326bed639d35723f458799e9e868e8bdd27b35e4d667d9271edd38e0e3d1d14b0b7e0c7f36a474acfb9d5ee72cf84aa6a77a7f768fb0a898709c
-  data.tar.gz: 6fed1b0c2e7f6ffc141c22bd27974423bd80d3c81c90bbeff83964570b9e9158616cc56fefca1996c8da2018c098246691fc8a5b7f8ef6e6fcc2bd9b03488c38
+  metadata.gz: a03ea8dbf25bc5d48f2fa92942c73dfefa74978d16229b79f1f6d691e0d591ecdc08be84bc243139a1a4df50091fde2d039f5dcae65a8250477e309a31ad054d
+  data.tar.gz: 7f6445f2beb910ba6b3cdeebd5d0d265986f49bb400ccccdbd811f7be8e34e5e029e07acfe22330729fe9065169b1807a4c98094abf3d247fe7175a1cd52daf5

data/Appraisals

@@ -23,7 +23,7 @@ appraise "rails-6-0" do
   gem "rspec-core", github: "rspec/rspec-core"
   gem "rspec-expectations", github: "rspec/rspec-expectations"
   gem "rspec-mocks", github: "rspec/rspec-mocks"
-  gem "rspec-rails", github: "rspec/rspec-rails", branch: "4-0-dev"
+  gem "rspec-rails", github: "rspec/rspec-rails", branch: "4-0-maintenance"
   gem "rspec-support", github: "rspec/rspec-support"
 end
 
@@ -35,6 +35,6 @@ appraise "rails-master" do
   gem "rspec-core", github: "rspec/rspec-core"
   gem "rspec-expectations", github: "rspec/rspec-expectations"
   gem "rspec-mocks", github: "rspec/rspec-mocks"
-  gem "rspec-rails", github: "rspec/rspec-rails", branch: "4-0-dev"
+  gem "rspec-rails", github: "rspec/rspec-rails", branch: "4-0-maintenance"
   gem "rspec-support", github: "rspec/rspec-support"
 end

data/CHANGELOG.md

@@ -5,11 +5,11 @@ upgrade guides.
 
 User-visible changes worth mentioning.
 
-## 5.2.6
+## 5.3.3
 
 - [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
 
-## 5.2.5
+## 5.3.2
 
 - [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
   Fixes information disclosure vulnerability (CVE-2020-10187).
@@ -19,9 +19,28 @@ User-visible changes worth mentioning.
   JSON response from /oauth/applications.json or /oauth/authorized_applications.json. This change
   is a breaking change which restricts serialized attributes to a very small set of columns.
 
-## 5.2.4
+## 5.3.1
+
+- [#1360] Backport: Increase `matching_token_for` batch lookup size to 10 000 and make it configurable.
+
+## 5.3.0
+
+- [#1339] Validate Resource Owner in `PasswordAccessTokenRequest` against `nil` and `false` values.
+- [#1341] Fix `refresh_token_revoked_on_use` with `hash_token_secrets` enabled.
+- [#1343] Fix ruby 2.7 kwargs warning in InvalidTokenResponse.
+- [#1345] Allow to set custom classes for Doorkeeper models, extract reusable AR mixins.
+- [#1346] Refactor `Doorkeeper::Application#to_json` into convenient `#as_json` (fix #1344).
+- [#1349] Fix `Doorkeeper::Application` AR associations using an incorrect foreign key name when using a custom class.
+- [#1318] Make existing token revocation for client credentials optional and disable it by default.
 
-- [#1360] Increase `matching_token_for` batch lookup size to 10 000 and make it configurable.
+  **[IMPORTANT]** This is a change compared to the behaviour of version 5.2.
+  If you were relying on access tokens being revoked once the same client
+  requested a new access token, reenable it with `revoke_previous_client_credentials_token` in Doorkeeper
+  initialization file.
+  
+## 5.2.4
+  
+- [#1360] Backport: Increase `matching_token_for` batch lookup size to 10 000 and make it configurable.
 
 ## 5.2.3
 
@@ -101,7 +120,7 @@ User-visible changes worth mentioning.
 
   **[IMPORTANT]** If you have been using the master branch of doorkeeper with bcrypt in your Gemfile.lock,
   your application secrets have been hashed using BCrypt. To restore this behavior, use the initializer option
-  `use_application_hashing using: 'Doorkeeper::SecretStoring::BCrypt`.
+  `hash_application_secrets using: 'Doorkeeper::SecretStoring::BCrypt`.
 
 - [#1216] Add nil check to `expires_at` method.
 - [#1215] Fix deprecates for Rails 6.

data/Gemfile

@@ -11,10 +11,10 @@ gem "rails", "~> 6.0.0"
 gem "rspec-core", github: "rspec/rspec-core"
 gem "rspec-expectations", github: "rspec/rspec-expectations"
 gem "rspec-mocks", github: "rspec/rspec-mocks"
-gem "rspec-rails", github: "rspec/rspec-rails", branch: "4-0-maintenance"
+gem "rspec-rails", "4.0.0.beta3"
 gem "rspec-support", github: "rspec/rspec-support"
 
-gem "rubocop", "~> 0.66"
+gem "rubocop", "~> 0.75"
 gem "rubocop-performance"
 
 gem "bcrypt", "~> 3.1", require: false

data/app/controllers/doorkeeper/application_controller.rb

@@ -2,10 +2,10 @@
 
 module Doorkeeper
   class ApplicationController <
-    Doorkeeper.configuration.resolve_controller(:base)
+    Doorkeeper.config.resolve_controller(:base)
     include Helpers::Controller
 
-    unless Doorkeeper.configuration.api_only
+    unless Doorkeeper.config.api_only
       protect_from_forgery with: :exception
       helper "doorkeeper/dashboard"
     end

data/app/controllers/doorkeeper/application_metal_controller.rb

@@ -2,11 +2,11 @@
 
 module Doorkeeper
   class ApplicationMetalController <
-    Doorkeeper.configuration.resolve_controller(:base_metal)
+    Doorkeeper.config.resolve_controller(:base_metal)
     include Helpers::Controller
 
     before_action :enforce_content_type,
-                  if: -> { Doorkeeper.configuration.enforce_content_type }
+                  if: -> { Doorkeeper.config.enforce_content_type }
 
     ActiveSupport.run_load_hooks(:doorkeeper_metal_controller, self)
   end

data/app/controllers/doorkeeper/authorizations_controller.rb

@@ -45,7 +45,7 @@ module Doorkeeper
       AccessToken.matching_token_for(
         pre_auth.client,
         current_resource_owner.id,
-        pre_auth.scopes
+        pre_auth.scopes,
       )
     end
 
@@ -54,7 +54,7 @@ module Doorkeeper
         if Doorkeeper.configuration.api_only
           render(
             json: { status: :redirect, redirect_uri: auth.redirect_uri },
-            status: auth.status
+            status: auth.status,
           )
         else
           redirect_to auth.redirect_uri

data/app/controllers/doorkeeper/authorized_applications_controller.rb

@@ -16,13 +16,13 @@ module Doorkeeper
     def destroy
       Application.revoke_tokens_and_grants_for(
         params[:id],
-        current_resource_owner
+        current_resource_owner,
       )
 
       respond_to do |format|
         format.html do
           redirect_to oauth_authorized_applications_url, notice: I18n.t(
-            :notice, scope: %i[doorkeeper flash authorized_applications destroy]
+            :notice, scope: %i[doorkeeper flash authorized_applications destroy],
           )
         end
 

data/gemfiles/rails_5_0.gemfile

@@ -6,9 +6,9 @@ gem "rails", "~> 5.0.0"
 gem "rspec-core", git: "https://github.com/rspec/rspec-core.git"
 gem "rspec-expectations", git: "https://github.com/rspec/rspec-expectations.git"
 gem "rspec-mocks", git: "https://github.com/rspec/rspec-mocks.git"
-gem "rspec-rails", branch: "4-0-dev", git: "https://github.com/rspec/rspec-rails.git"
+gem "rspec-rails", "4.0.0.beta3"
 gem "rspec-support", git: "https://github.com/rspec/rspec-support.git"
-gem "rubocop", "~> 0.66"
+gem "rubocop", "~> 0.75"
 gem "rubocop-performance"
 gem "bcrypt", "~> 3.1", require: false
 gem "activerecord-jdbcsqlite3-adapter", platform: :jruby

data/gemfiles/rails_5_1.gemfile

@@ -6,9 +6,9 @@ gem "rails", "~> 5.1.0"
 gem "rspec-core", git: "https://github.com/rspec/rspec-core.git"
 gem "rspec-expectations", git: "https://github.com/rspec/rspec-expectations.git"
 gem "rspec-mocks", git: "https://github.com/rspec/rspec-mocks.git"
-gem "rspec-rails", branch: "4-0-dev", git: "https://github.com/rspec/rspec-rails.git"
+gem "rspec-rails", "4.0.0.beta3"
 gem "rspec-support", git: "https://github.com/rspec/rspec-support.git"
-gem "rubocop", "~> 0.66"
+gem "rubocop", "~> 0.75"
 gem "rubocop-performance"
 gem "bcrypt", "~> 3.1", require: false
 gem "activerecord-jdbcsqlite3-adapter", platform: :jruby

data/gemfiles/rails_5_2.gemfile

@@ -6,9 +6,9 @@ gem "rails", "~> 5.2.0"
 gem "rspec-core", git: "https://github.com/rspec/rspec-core.git"
 gem "rspec-expectations", git: "https://github.com/rspec/rspec-expectations.git"
 gem "rspec-mocks", git: "https://github.com/rspec/rspec-mocks.git"
-gem "rspec-rails", branch: "4-0-dev", git: "https://github.com/rspec/rspec-rails.git"
+gem "rspec-rails", "4.0.0.beta3"
 gem "rspec-support", git: "https://github.com/rspec/rspec-support.git"
-gem "rubocop", "~> 0.66"
+gem "rubocop", "~> 0.75"
 gem "rubocop-performance"
 gem "bcrypt", "~> 3.1", require: false
 gem "activerecord-jdbcsqlite3-adapter", platform: :jruby

data/gemfiles/rails_6_0.gemfile

@@ -6,9 +6,9 @@ gem "rails", "~> 6.0.0"
 gem "rspec-core", git: "https://github.com/rspec/rspec-core.git"
 gem "rspec-expectations", git: "https://github.com/rspec/rspec-expectations.git"
 gem "rspec-mocks", git: "https://github.com/rspec/rspec-mocks.git"
-gem "rspec-rails", branch: "4-0-dev", git: "https://github.com/rspec/rspec-rails.git"
+gem "rspec-rails", "4.0.0.beta3"
 gem "rspec-support", git: "https://github.com/rspec/rspec-support.git"
-gem "rubocop", "~> 0.66"
+gem "rubocop", "~> 0.75"
 gem "rubocop-performance"
 gem "bcrypt", "~> 3.1", require: false
 gem "activerecord-jdbcsqlite3-adapter", platform: :jruby

data/gemfiles/rails_master.gemfile

@@ -6,9 +6,9 @@ gem "rails", git: "https://github.com/rails/rails"
 gem "rspec-core", git: "https://github.com/rspec/rspec-core.git"
 gem "rspec-expectations", git: "https://github.com/rspec/rspec-expectations.git"
 gem "rspec-mocks", git: "https://github.com/rspec/rspec-mocks.git"
-gem "rspec-rails", branch: "4-0-dev", git: "https://github.com/rspec/rspec-rails.git"
+gem "rspec-rails", "4.0.0.beta3"
 gem "rspec-support", git: "https://github.com/rspec/rspec-support.git"
-gem "rubocop", "~> 0.66"
+gem "rubocop", "~> 0.75"
 gem "rubocop-performance"
 gem "bcrypt", "~> 3.1", require: false
 gem "activerecord-jdbcsqlite3-adapter", platform: :jruby

data/lib/doorkeeper/config.rb

@@ -11,36 +11,40 @@ module Doorkeeper
     end
   end
 
-  def self.configure(&block)
-    @config = Config::Builder.new(&block).build
-    setup_orm_adapter
-    setup_orm_models
-    setup_application_owner if @config.enable_application_owner?
-    @config
-  end
+  class << self
+    def configure(&block)
+      @config = Config::Builder.new(&block).build
+      setup_orm_adapter
+      setup_orm_models
+      setup_application_owner if @config.enable_application_owner?
+      @config
+    end
 
-  def self.configuration
-    @config || (raise MissingConfiguration)
-  end
+    def configuration
+      @config || (raise MissingConfiguration)
+    end
 
-  def self.setup_orm_adapter
-    @orm_adapter = "doorkeeper/orm/#{configuration.orm}".classify.constantize
-  rescue NameError => e
-    raise e, "ORM adapter not found (#{configuration.orm})", <<-ERROR_MSG.strip_heredoc
-      [doorkeeper] ORM adapter not found (#{configuration.orm}), or there was an error
-      trying to load it.
+    alias config configuration
 
-      You probably need to add the related gem for this adapter to work with
-      doorkeeper.
-    ERROR_MSG
-  end
+    def setup_orm_adapter
+      @orm_adapter = "doorkeeper/orm/#{configuration.orm}".classify.constantize
+    rescue NameError => e
+      raise e, "ORM adapter not found (#{configuration.orm})", <<-ERROR_MSG.strip_heredoc
+        [doorkeeper] ORM adapter not found (#{configuration.orm}), or there was an error
+        trying to load it.
 
-  def self.setup_orm_models
-    @orm_adapter.initialize_models!
-  end
+        You probably need to add the related gem for this adapter to work with
+        doorkeeper.
+      ERROR_MSG
+    end
+
+    def setup_orm_models
+      @orm_adapter.initialize_models!
+    end
 
-  def self.setup_application_owner
-    @orm_adapter.initialize_application_owner!
+    def setup_application_owner
+      @orm_adapter.initialize_application_owner!
+    end
   end
 
   class Config
@@ -120,7 +124,7 @@ module Doorkeeper
       def use_refresh_token(enabled = true, &block)
         @config.instance_variable_set(
           :@refresh_token_enabled,
-          block || enabled
+          block || enabled,
         )
       end
 
@@ -140,6 +144,14 @@ module Doorkeeper
         @config.instance_variable_set(:@token_reuse_limit, percentage)
       end
 
+      # TODO: maybe make it more generic for other flows too?
+      # Only allow one valid access token obtained via client credentials
+      # per client. If a new access token is obtained before the old one
+      # expired, the old one gets revoked (disabled by default)
+      def revoke_previous_client_credentials_token
+        @config.instance_variable_set(:@revoke_previous_client_credentials_token, true)
+      end
+
       # Use an API mode for applications generated with --api argument
       # It will skip applications controller, disable forgery protection
       def api_only
@@ -195,8 +207,7 @@ module Doorkeeper
       def configure_secrets_for(type, using:, fallback:)
         raise ArgumentError, "Invalid type #{type}" if %i[application token].exclude?(type)
 
-        @config.instance_variable_set(:"@#{type}_secret_strategy",
-                                      using.constantize)
+        @config.instance_variable_set(:"@#{type}_secret_strategy", using.constantize)
 
         if fallback.nil?
           return
@@ -204,8 +215,7 @@ module Doorkeeper
           fallback = "::Doorkeeper::SecretStoring::Plain"
         end
 
-        @config.instance_variable_set(:"@#{type}_secret_fallback_strategy",
-                                      fallback.constantize)
+        @config.instance_variable_set(:"@#{type}_secret_fallback_strategy", fallback.constantize)
       end
     end
 
@@ -215,7 +225,7 @@ module Doorkeeper
            as: :authenticate_resource_owner,
            default: (lambda do |_routes|
              ::Rails.logger.warn(
-               I18n.t("doorkeeper.errors.messages.resource_owner_authenticator_not_configured")
+               I18n.t("doorkeeper.errors.messages.resource_owner_authenticator_not_configured"),
              )
 
              nil
@@ -225,7 +235,7 @@ module Doorkeeper
            as: :authenticate_admin,
            default: (lambda do |_routes|
              ::Rails.logger.warn(
-               I18n.t("doorkeeper.errors.messages.admin_authenticator_not_configured")
+               I18n.t("doorkeeper.errors.messages.admin_authenticator_not_configured"),
              )
 
              head :forbidden
@@ -234,7 +244,7 @@ module Doorkeeper
     option :resource_owner_from_credentials,
            default: (lambda do |_routes|
              ::Rails.logger.warn(
-               I18n.t("doorkeeper.errors.messages.credential_flow_not_configured")
+               I18n.t("doorkeeper.errors.messages.credential_flow_not_configured"),
              )
 
              nil
@@ -348,6 +358,15 @@ module Doorkeeper
     option :base_metal_controller,
            default: "ActionController::API"
 
+    option :access_token_class,
+           default: "Doorkeeper::AccessToken"
+
+    option :access_grant_class,
+           default: "Doorkeeper::AccessGrant"
+
+    option :application_class,
+           default: "Doorkeeper::Application"
+
     # Allows to set blank redirect URIs for Applications in case
     # server configured to use URI-less grant flows.
     #
@@ -387,9 +406,7 @@ module Doorkeeper
              end
            end)
 
-    attr_reader :api_only,
-                :enforce_content_type,
-                :reuse_access_token,
+    attr_reader :reuse_access_token,
                 :token_secret_fallback_strategy,
                 :application_secret_fallback_strategy
 
@@ -400,6 +417,18 @@ module Doorkeeper
       validate_secret_strategies
     end
 
+    def access_token_model
+      @access_token_model ||= access_token_class.constantize
+    end
+
+    def access_grant_model
+      @access_grant_model ||= access_grant_class.constantize
+    end
+
+    def application_model
+      @application_model ||= application_class.constantize
+    end
+
     def api_only
       @api_only ||= false
     end
@@ -420,6 +449,10 @@ module Doorkeeper
       @token_reuse_limit ||= 100
     end
 
+    def revoke_previous_client_credentials_token
+      @revoke_previous_client_credentials_token || false
+    end
+
     def resolve_controller(name)
       config_option = public_send(:"#{name}_controller")
       controller_name = if config_option.respond_to?(:call)
@@ -547,7 +580,7 @@ module Doorkeeper
       ::Rails.logger.warn(
         "You have configured both reuse_access_token " \
         "AND strategy strategy '#{strategy}' that cannot restore tokens. " \
-        "This combination is unsupported. reuse_access_token will be disabled"
+        "This combination is unsupported. reuse_access_token will be disabled",
       )
       @reuse_access_token = false
     end
@@ -565,7 +598,7 @@ module Doorkeeper
 
       ::Rails.logger.warn(
         "You have configured an invalid value for token_reuse_limit option. " \
-        "It will be set to default 100"
+        "It will be set to default 100",
       )
       @token_reuse_limit = 100
     end

data/lib/doorkeeper/grape/helpers.rb

@@ -39,7 +39,7 @@ module Doorkeeper
       def doorkeeper_token
         @doorkeeper_token ||= OAuth::Token.authenticate(
           decorated_request,
-          *Doorkeeper.configuration.access_token_methods
+          *Doorkeeper.config.access_token_methods,
         )
       end
 

data/lib/doorkeeper/helpers/controller.rb

@@ -17,17 +17,17 @@ module Doorkeeper
       # :doc:
       def current_resource_owner
         @current_resource_owner ||= begin
-          instance_eval(&Doorkeeper.configuration.authenticate_resource_owner)
+          instance_eval(&Doorkeeper.config.authenticate_resource_owner)
         end
       end
 
       def resource_owner_from_credentials
-        instance_eval(&Doorkeeper.configuration.resource_owner_from_credentials)
+        instance_eval(&Doorkeeper.config.resource_owner_from_credentials)
       end
 
       # :doc:
       def authenticate_admin!
-        instance_eval(&Doorkeeper.configuration.authenticate_admin)
+        instance_eval(&Doorkeeper.config.authenticate_admin)
       end
 
       def server
@@ -40,16 +40,18 @@ module Doorkeeper
       end
 
       def config_methods
-        @config_methods ||= Doorkeeper.configuration.access_token_methods
+        @config_methods ||= Doorkeeper.config.access_token_methods
       end
 
       def get_error_response_from_exception(exception)
         if exception.respond_to?(:response)
           exception.response
         elsif exception.type == :invalid_request
-          OAuth::InvalidRequestResponse.new(name: exception.type,
-                                            state: params[:state],
-                                            missing_param: exception.missing_param)
+          OAuth::InvalidRequestResponse.new(
+            name: exception.type,
+            state: params[:state],
+            missing_param: exception.missing_param,
+          )
         else
           OAuth::ErrorResponse.new(name: exception.type, state: params[:state])
         end
@@ -65,7 +67,7 @@ module Doorkeeper
       def skip_authorization?
         !!instance_exec(
           [server.current_resource_owner, @pre_auth.client],
-          &Doorkeeper.configuration.skip_authorization
+          &Doorkeeper.config.skip_authorization
         )
       end
 

data/lib/doorkeeper/models/access_grant_mixin.rb

@@ -43,10 +43,11 @@ module Doorkeeper
       #   instance of the Resource Owner model
       #
       def revoke_all_for(application_id, resource_owner, clock = Time)
-        where(application_id: application_id,
-              resource_owner_id: resource_owner.id,
-              revoked_at: nil)
-          .update_all(revoked_at: clock.now.utc)
+        where(
+          application_id: application_id,
+          resource_owner_id: resource_owner.id,
+          revoked_at: nil,
+        ).update_all(revoked_at: clock.now.utc)
       end
 
       # Implements PKCE code_challenge encoding without base64 padding as described in the spec.
@@ -102,14 +103,14 @@ module Doorkeeper
       # Determines the secret storing transformer
       # Unless configured otherwise, uses the plain secret strategy
       def secret_strategy
-        ::Doorkeeper.configuration.token_secret_strategy
+        ::Doorkeeper.config.token_secret_strategy
       end
 
       ##
       # Determine the fallback storing strategy
       # Unless configured, there will be no fallback
       def fallback_secret_strategy
-        ::Doorkeeper.configuration.token_secret_fallback_strategy
+        ::Doorkeeper.config.token_secret_fallback_strategy
       end
     end
   end