doorkeeper 5.2.6 → 5.3.3

data/lib/doorkeeper/models/access_token_mixin.rb

@@ -40,6 +40,21 @@ module Doorkeeper
         find_by_plaintext_token(:refresh_token, refresh_token)
       end
 
+      # Returns an instance of the Doorkeeper::AccessToken
+      # found by previous refresh token. Keep in mind that value
+      # of the previous_refresh_token isn't encrypted using
+      # secrets strategy.
+      #
+      # @param previous_refresh_token [#to_s]
+      #   previous refresh token value (any object that responds to `#to_s`)
+      #
+      # @return [Doorkeeper::AccessToken, nil] AccessToken object or nil
+      #   if there is no record with such refresh token
+      #
+      def by_previous_refresh_token(previous_refresh_token)
+        find_by(refresh_token: previous_refresh_token)
+      end
+
       # Revokes AccessToken records that have not been revoked and associated
       # with the specific Application and Resource Owner.
       #
@@ -49,10 +64,11 @@ module Doorkeeper
       #   instance of the Resource Owner model
       #
       def revoke_all_for(application_id, resource_owner, clock = Time)
-        where(application_id: application_id,
-              resource_owner_id: resource_owner.id,
-              revoked_at: nil)
-          .update_all(revoked_at: clock.now.utc)
+        where(
+          application_id: application_id,
+          resource_owner_id: resource_owner.id,
+          revoked_at: nil,
+        ).update_all(revoked_at: clock.now.utc)
       end
 
       # Looking for not revoked Access Token with a matching set of scopes
@@ -143,8 +159,8 @@ module Doorkeeper
         (token_scopes.sort == param_scopes.sort) &&
           Doorkeeper::OAuth::Helpers::ScopeChecker.valid?(
             scope_str: param_scopes.to_s,
-            server_scopes: Doorkeeper.configuration.scopes,
-            app_scopes: app_scopes
+            server_scopes: Doorkeeper.config.scopes,
+            app_scopes: app_scopes,
           )
       end
 
@@ -166,7 +182,7 @@ module Doorkeeper
       # @return [Doorkeeper::AccessToken] existing record or a new one
       #
       def find_or_create_for(application, resource_owner_id, scopes, expires_in, use_refresh_token)
-        if Doorkeeper.configuration.reuse_access_token
+        if Doorkeeper.config.reuse_access_token
           access_token = matching_token_for(application, resource_owner_id, scopes)
 
           return access_token if access_token&.reusable?
@@ -177,7 +193,7 @@ module Doorkeeper
           resource_owner_id: resource_owner_id,
           scopes: scopes.to_s,
           expires_in: expires_in,
-          use_refresh_token: use_refresh_token
+          use_refresh_token: use_refresh_token,
         )
       end
 
@@ -192,9 +208,11 @@ module Doorkeeper
       # @return [Doorkeeper::AccessToken] array of matching AccessToken objects
       #
       def authorized_tokens_for(application_id, resource_owner_id)
-        where(application_id: application_id,
-              resource_owner_id: resource_owner_id,
-              revoked_at: nil)
+        where(
+          application_id: application_id,
+          resource_owner_id: resource_owner_id,
+          revoked_at: nil,
+        )
       end
 
       # Convenience method for backwards-compatibility, return the last
@@ -217,14 +235,14 @@ module Doorkeeper
       # Determines the secret storing transformer
       # Unless configured otherwise, uses the plain secret strategy
       def secret_strategy
-        ::Doorkeeper.configuration.token_secret_strategy
+        ::Doorkeeper.config.token_secret_strategy
       end
 
       ##
       # Determine the fallback storing strategy
       # Unless configured, there will be no fallback
       def fallback_secret_strategy
-        ::Doorkeeper.configuration.token_secret_fallback_strategy
+        ::Doorkeeper.config.token_secret_fallback_strategy
       end
     end
 
@@ -301,8 +319,28 @@ module Doorkeeper
       end
     end
 
+    # Revokes token with `:refresh_token` equal to `:previous_refresh_token`
+    # and clears `:previous_refresh_token` attribute.
+    #
+    def revoke_previous_refresh_token!
+      return unless self.class.refresh_token_revoked_on_use?
+
+      old_refresh_token&.revoke
+      update_attribute :previous_refresh_token, ""
+    end
+
     private
 
+    # Searches for Access Token record with `:refresh_token` equal to
+    # `:previous_refresh_token` value.
+    #
+    # @return [Doorkeeper::AccessToken, nil]
+    #   Access Token record or nil if nothing found
+    #
+    def old_refresh_token
+      @old_refresh_token ||= self.class.by_previous_refresh_token(previous_refresh_token)
+    end
+
     # Generates refresh token with UniqueToken generator.
     #
     # @return [String] refresh token value
@@ -313,7 +351,7 @@ module Doorkeeper
     end
 
     # Generates and sets the token value with the
-    # configured Generator class (see Doorkeeper.configuration).
+    # configured Generator class (see Doorkeeper.config).
     #
     # @return [String] generated token value
     #
@@ -330,7 +368,7 @@ module Doorkeeper
         scopes: scopes,
         application: application,
         expires_in: expires_in,
-        created_at: created_at
+        created_at: created_at,
       )
 
       secret_strategy.store_secret(self, :token, @raw_token)
@@ -338,7 +376,7 @@ module Doorkeeper
     end
 
     def token_generator
-      generator_name = Doorkeeper.configuration.access_token_generator
+      generator_name = Doorkeeper.config.access_token_generator
       generator = generator_name.constantize
 
       return generator if generator.respond_to?(:generate)

data/lib/doorkeeper/models/application_mixin.rb

@@ -47,14 +47,14 @@ module Doorkeeper
       # Determines the secret storing transformer
       # Unless configured otherwise, uses the plain secret strategy
       def secret_strategy
-        ::Doorkeeper.configuration.application_secret_strategy
+        ::Doorkeeper.config.application_secret_strategy
       end
 
       ##
       # Determine the fallback storing strategy
       # Unless configured, there will be no fallback
       def fallback_secret_strategy
-        ::Doorkeeper.configuration.application_secret_fallback_strategy
+        ::Doorkeeper.config.application_secret_fallback_strategy
       end
     end
 
@@ -72,7 +72,7 @@ module Doorkeeper
     # @param input [#to_s] Plain secret provided by user
     #        (any object that responds to `#to_s`)
     #
-    # @return [true] Whether the given secret matches the stored secret
+    # @return [Boolean] Whether the given secret matches the stored secret
     #                of this application.
     #
     def secret_matches?(input)

data/lib/doorkeeper/models/concerns/ownership.rb

@@ -11,7 +11,7 @@ module Doorkeeper
       end
 
       def validate_owner?
-        Doorkeeper.configuration.confirm_application_owner?
+        Doorkeeper.config.confirm_application_owner?
       end
     end
   end

data/lib/doorkeeper/models/concerns/reusable.rb

@@ -11,7 +11,7 @@ module Doorkeeper
         return false if expired?
         return true unless expires_in
 
-        threshold_limit = 100 - Doorkeeper.configuration.token_reuse_limit
+        threshold_limit = 100 - Doorkeeper.config.token_reuse_limit
         expires_in_seconds >= threshold_limit * expires_in / 100
       end
     end

data/lib/doorkeeper/models/concerns/revocable.rb

@@ -19,33 +19,6 @@ module Doorkeeper
       def revoked?
         !!(revoked_at && revoked_at <= Time.now.utc)
       end
-
-      # Revokes token with `:refresh_token` equal to `:previous_refresh_token`
-      # and clears `:previous_refresh_token` attribute.
-      #
-      def revoke_previous_refresh_token!
-        return unless refresh_token_revoked_on_use?
-
-        old_refresh_token&.revoke
-        update_attribute :previous_refresh_token, ""
-      end
-
-      private
-
-      # Searches for Access Token record with `:refresh_token` equal to
-      # `:previous_refresh_token` value.
-      #
-      # @return [Doorkeeper::AccessToken, nil]
-      #   Access Token record or nil if nothing found
-      #
-      def old_refresh_token
-        @old_refresh_token ||=
-          AccessToken.by_refresh_token(previous_refresh_token)
-      end
-
-      def refresh_token_revoked_on_use?
-        AccessToken.refresh_token_revoked_on_use?
-      end
     end
   end
 end

data/lib/doorkeeper/oauth/authorization/code.rb

@@ -12,7 +12,7 @@ module Doorkeeper
         end
 
         def issue_token
-          @token ||= AccessGrant.create!(access_grant_attributes)
+          @token ||= Doorkeeper.config.access_grant_model.create!(access_grant_attributes)
         end
 
         def oob_redirect
@@ -22,7 +22,7 @@ module Doorkeeper
         private
 
         def authorization_code_expires_in
-          Doorkeeper.configuration.authorization_code_expires_in
+          Doorkeeper.config.authorization_code_expires_in
         end
 
         def access_grant_attributes
@@ -31,7 +31,7 @@ module Doorkeeper
             resource_owner_id: resource_owner.id,
             expires_in: authorization_code_expires_in,
             redirect_uri: pre_auth.redirect_uri,
-            scopes: pre_auth.scopes.to_s
+            scopes: pre_auth.scopes.to_s,
           )
         end
 
@@ -47,7 +47,7 @@ module Doorkeeper
         # Ensures firstly, if migration with additional PKCE columns was
         # generated and migrated
         def pkce_supported?
-          Doorkeeper::AccessGrant.pkce_supported?
+          Doorkeeper.config.access_grant_model.pkce_supported?
         end
       end
     end

data/lib/doorkeeper/oauth/authorization/token.rb

@@ -19,7 +19,7 @@ module Doorkeeper
             Doorkeeper::OAuth::Authorization::Context.new(
               oauth_client,
               grant_type,
-              scopes
+              scopes,
             )
           end
 
@@ -35,7 +35,7 @@ module Doorkeeper
           end
 
           def refresh_token_enabled?(server, context)
-            if server.refresh_token_enabled?.respond_to? :call
+            if server.refresh_token_enabled?.respond_to?(:call)
               server.refresh_token_enabled?.call(context)
             else
               !!server.refresh_token_enabled?
@@ -49,17 +49,20 @@ module Doorkeeper
         end
 
         def issue_token
+          return @token if defined?(@token)
+
           context = self.class.build_context(
             pre_auth.client,
             Doorkeeper::OAuth::IMPLICIT,
-            pre_auth.scopes
+            pre_auth.scopes,
           )
-          @token ||= AccessToken.find_or_create_for(
+
+          @token = configuration.access_token_model.find_or_create_for(
             pre_auth.client,
             resource_owner.id,
             pre_auth.scopes,
             self.class.access_token_expires_in(configuration, context),
-            false
+            false,
           )
         end
 
@@ -74,7 +77,7 @@ module Doorkeeper
         private
 
         def configuration
-          Doorkeeper.configuration
+          Doorkeeper.config
         end
 
         def controller

data/lib/doorkeeper/oauth/authorization_code_request.rb

@@ -32,10 +32,13 @@ module Doorkeeper
           raise Errors::InvalidGrantReuse if grant.revoked?
 
           grant.revoke
-          find_or_create_access_token(grant.application,
-                                      grant.resource_owner_id,
-                                      grant.scopes,
-                                      server)
+
+          find_or_create_access_token(
+            grant.application,
+            grant.resource_owner_id,
+            grant.scopes,
+            server,
+          )
         end
         super
       end
@@ -71,7 +74,7 @@ module Doorkeeper
       def validate_redirect_uri
         Helpers::URIChecker.valid_for_authorization?(
           redirect_uri,
-          grant.redirect_uri
+          grant.redirect_uri,
         )
       end
 
@@ -82,13 +85,17 @@ module Doorkeeper
         return false unless grant.pkce_supported?
 
         if grant.code_challenge_method == "S256"
-          grant.code_challenge == AccessGrant.generate_code_challenge(code_verifier)
+          grant.code_challenge == generate_code_challenge(code_verifier)
         elsif grant.code_challenge_method == "plain"
           grant.code_challenge == code_verifier
         else
           false
         end
       end
+
+      def generate_code_challenge(code_verifier)
+        server_config.access_grant_model.generate_code_challenge(code_verifier)
+      end
     end
   end
 end

data/lib/doorkeeper/oauth/base_request.rb

@@ -36,21 +36,25 @@ module Doorkeeper
 
       def find_or_create_access_token(client, resource_owner_id, scopes, server)
         context = Authorization::Token.build_context(client, grant_type, scopes)
-        @access_token = AccessToken.find_or_create_for(
+        @access_token = server_config.access_token_model.find_or_create_for(
           client,
           resource_owner_id,
           scopes,
           Authorization::Token.access_token_expires_in(server, context),
-          Authorization::Token.refresh_token_enabled?(server, context)
+          Authorization::Token.refresh_token_enabled?(server, context),
         )
       end
 
       def before_successful_response
-        Doorkeeper.configuration.before_successful_strategy_response.call(self)
+        server_config.before_successful_strategy_response.call(self)
       end
 
       def after_successful_response
-        Doorkeeper.configuration.after_successful_strategy_response.call(self, @response)
+        server_config.after_successful_strategy_response.call(self, @response)
+      end
+
+      def server_config
+        Doorkeeper.config
       end
 
       private

data/lib/doorkeeper/oauth/client.rb

@@ -11,18 +11,17 @@ module Doorkeeper
         @application = application
       end
 
-      def self.find(uid, method = Application.method(:by_uid))
-        if (application = method.call(uid))
-          new(application)
-        end
+      def self.find(uid, method = Doorkeeper.config.application_model.method(:by_uid))
+        return unless (application = method.call(uid))
+
+        new(application)
       end
 
-      def self.authenticate(credentials, method = Application.method(:by_uid_and_secret))
+      def self.authenticate(credentials, method = Doorkeeper.config.application_model.method(:by_uid_and_secret))
         return if credentials.blank?
+        return unless (application = method.call(credentials.uid, credentials.secret))
 
-        if (application = method.call(credentials.uid, credentials.secret))
-          new(application)
-        end
+        new(application)
       end
     end
   end

data/lib/doorkeeper/oauth/client_credentials/creator.rb

@@ -5,24 +5,31 @@ module Doorkeeper
     class ClientCredentialsRequest < BaseRequest
       class Creator
         def call(client, scopes, attributes = {})
-          existing_token = existing_token_for(client, scopes)
+          if lookup_existing_token?
+            existing_token = find_existing_token_for(client, scopes)
+            return existing_token if server_config.reuse_access_token && existing_token&.reusable?
 
-          if Doorkeeper.configuration.reuse_access_token && existing_token&.reusable?
-            return existing_token
+            existing_token&.revoke if server_config.revoke_previous_client_credentials_token
           end
 
-          existing_token&.revoke
-
-          AccessToken.find_or_create_for(
+          server_config.access_token_model.find_or_create_for(
             client, nil, scopes, attributes[:expires_in],
-            attributes[:use_refresh_token]
+            attributes[:use_refresh_token],
           )
         end
 
         private
 
-        def existing_token_for(client, scopes)
-          Doorkeeper::AccessToken.matching_token_for client, nil, scopes
+        def lookup_existing_token?
+          server_config.reuse_access_token || server_config.revoke_previous_client_credentials_token
+        end
+
+        def find_existing_token_for(client, scopes)
+          server_config.access_token_model.matching_token_for(client, nil, scopes)
+        end
+
+        def server_config
+          Doorkeeper.config
         end
       end
     end

data/lib/doorkeeper/oauth/client_credentials/issuer.rb

@@ -4,20 +4,20 @@ module Doorkeeper
   module OAuth
     class ClientCredentialsRequest < BaseRequest
       class Issuer
-        attr_accessor :token, :validation, :error
+        attr_accessor :token, :validator, :error
 
-        def initialize(server, validation)
+        def initialize(server, validator)
           @server = server
-          @validation = validation
+          @validator = validator
         end
 
         def create(client, scopes, creator = Creator.new)
-          if validation.valid?
+          if validator.valid?
             @token = create_token(client, scopes, creator)
             @error = :server_error unless @token
           else
             @token = false
-            @error = validation.error
+            @error = validator.error
           end
           @token
         end
@@ -28,7 +28,7 @@ module Doorkeeper
           context = Authorization::Token.build_context(
             client,
             Doorkeeper::OAuth::CLIENT_CREDENTIALS,
-            scopes
+            scopes,
           )
           ttl = Authorization::Token.access_token_expires_in(@server, context)
 
@@ -36,7 +36,7 @@ module Doorkeeper
             client,
             scopes,
             use_refresh_token: false,
-            expires_in: ttl
+            expires_in: ttl,
           )
         end
       end

data/lib/doorkeeper/oauth/client_credentials/{validation.rb → validator.rb}

@@ -3,7 +3,7 @@
 module Doorkeeper
   module OAuth
     class ClientCredentialsRequest < BaseRequest
-      class Validation
+      class Validator
         include Validations
         include OAuth::Helpers
 
@@ -26,9 +26,9 @@ module Doorkeeper
         end
 
         def validate_client_supports_grant_flow
-          Doorkeeper.configuration.allow_grant_flow_for_client?(
+          Doorkeeper.config.allow_grant_flow_for_client?(
             Doorkeeper::OAuth::CLIENT_CREDENTIALS,
-            @client
+            @client,
           )
         end
 
@@ -45,7 +45,7 @@ module Doorkeeper
             scope_str: @request.scopes.to_s,
             server_scopes: @server.scopes,
             app_scopes: application_scopes,
-            grant_type: Doorkeeper::OAuth::CLIENT_CREDENTIALS
+            grant_type: Doorkeeper::OAuth::CLIENT_CREDENTIALS,
           )
         end
       end

data/lib/doorkeeper/oauth/client_credentials_request.rb

@@ -12,7 +12,7 @@ module Doorkeeper
       delegate :error, to: :issuer
 
       def issuer
-        @issuer ||= Issuer.new(server, Validation.new(server, self))
+        @issuer ||= Issuer.new(server, Validator.new(server, self))
       end
 
       def initialize(server, client, parameters = {})

data/lib/doorkeeper/oauth/code_response.rb

@@ -26,13 +26,13 @@ module Doorkeeper
             access_token: auth.token.plaintext_token,
             token_type: auth.token.token_type,
             expires_in: auth.token.expires_in_seconds,
-            state: pre_auth.state
+            state: pre_auth.state,
           )
         else
           Authorization::URIBuilder.uri_with_query(
             pre_auth.redirect_uri,
             code: auth.token.plaintext_token,
-            state: pre_auth.state
+            state: pre_auth.state,
           )
         end
       end

data/lib/doorkeeper/oauth/error.rb

@@ -7,7 +7,7 @@ module Doorkeeper
         I18n.translate(
           name,
           scope: %i[doorkeeper errors messages],
-          default: :server_error
+          default: :server_error,
         )
       end
     end

data/lib/doorkeeper/oauth/error_response.rb

@@ -10,8 +10,8 @@ module Doorkeeper
           attributes.merge(
             name: request.error,
             state: request.try(:state),
-            redirect_uri: request.try(:redirect_uri)
-          )
+            redirect_uri: request.try(:redirect_uri),
+          ),
         )
       end
 
@@ -46,9 +46,9 @@ module Doorkeeper
 
       def redirect_uri
         if @response_on_fragment
-          Authorization::URIBuilder.uri_with_fragment @redirect_uri, body
+          Authorization::URIBuilder.uri_with_fragment(@redirect_uri, body)
         else
-          Authorization::URIBuilder.uri_with_query @redirect_uri, body
+          Authorization::URIBuilder.uri_with_query(@redirect_uri, body)
         end
       end
 
@@ -70,7 +70,7 @@ module Doorkeeper
       delegate :realm, to: :configuration
 
       def configuration
-        Doorkeeper.configuration
+        Doorkeeper.config
       end
 
       def exception_class

data/lib/doorkeeper/oauth/helpers/scope_checker.rb

@@ -13,7 +13,7 @@ module Doorkeeper
             @valid_scopes = valid_scopes(server_scopes, app_scopes)
 
             if grant_type
-              @scopes_by_grant_type = Doorkeeper.configuration.scopes_by_grant_type[grant_type.to_sym]
+              @scopes_by_grant_type = Doorkeeper.config.scopes_by_grant_type[grant_type.to_sym]
             end
           end
 
@@ -43,10 +43,12 @@ module Doorkeeper
         end
 
         def self.valid?(scope_str:, server_scopes:, app_scopes: nil, grant_type: nil)
-          Validator.new(scope_str,
-                        server_scopes,
-                        app_scopes,
-                        grant_type).valid?
+          Validator.new(
+            scope_str,
+            server_scopes,
+            app_scopes,
+            grant_type,
+          ).valid?
         end
       end
     end

data/lib/doorkeeper/oauth/helpers/unique_token.rb

@@ -3,6 +3,9 @@
 module Doorkeeper
   module OAuth
     module Helpers
+      # Default Doorkeeper token generator. Follows OAuth RFC and
+      # could be customized using `default_generator_method` in
+      # configuration.
       module UniqueToken
         def self.generate(options = {})
           # Access Token value must be 1*VSCHAR or
@@ -11,15 +14,15 @@ module Doorkeeper
           # @see https://tools.ietf.org/html/rfc6749#appendix-A.12
           # @see https://tools.ietf.org/html/rfc6750#section-2.1
           #
-          generator_method = options.delete(:generator) || SecureRandom.method(self.generator_method)
-          token_size       = options.delete(:size)      || 32
-          generator_method.call(token_size)
+          generator = options.delete(:generator) || SecureRandom.method(default_generator_method)
+          token_size = options.delete(:size) || 32
+          generator.call(token_size)
         end
 
         # Generator method for default generator class (SecureRandom)
         #
-        def self.generator_method
-          Doorkeeper.configuration.default_generator_method
+        def self.default_generator_method
+          Doorkeeper.config.default_generator_method
         end
       end
     end

data/lib/doorkeeper/oauth/helpers/uri_checker.rb

@@ -18,7 +18,7 @@ module Doorkeeper
 
   # For backward compatibility with old rubies
   if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("2.5.0")
-    IPAddr.send(:include, Doorkeeper::IPAddrLoopback)
+    IPAddr.include Doorkeeper::IPAddrLoopback
   end
 
   module OAuth