doorkeeper 5.2.6 → 5.3.3

data/lib/doorkeeper/oauth/invalid_request_response.rb

@@ -11,8 +11,8 @@ module Doorkeeper
             state: request.try(:state),
             redirect_uri: request.try(:redirect_uri),
             missing_param: request.try(:missing_param),
-            reason: request.try(:invalid_request_reason)
-          )
+            reason: request.try(:invalid_request_reason),
+          ),
         )
       end
 
@@ -31,7 +31,7 @@ module Doorkeeper
           reason,
           scope: %i[doorkeeper errors messages invalid_request],
           default: :unknown,
-          value: @missing_param
+          value: @missing_param,
         )
       end
 

data/lib/doorkeeper/oauth/invalid_token_response.rb

@@ -27,8 +27,11 @@ module Doorkeeper
       end
 
       def description
-        scope = { scope: %i[doorkeeper errors messages invalid_token] }
-        @description ||= I18n.translate @reason, scope
+        @description ||=
+          I18n.translate(
+            @reason,
+            scope: %i[doorkeeper errors messages invalid_token],
+          )
       end
 
       protected

data/lib/doorkeeper/oauth/password_access_token_request.rb

@@ -37,12 +37,12 @@ module Doorkeeper
           scope_str: scopes.to_s,
           server_scopes: server.scopes,
           app_scopes: client_scopes,
-          grant_type: grant_type
+          grant_type: grant_type,
         )
       end
 
       def validate_resource_owner
-        !resource_owner.nil?
+        resource_owner.present?
       end
 
       def validate_client
@@ -50,7 +50,7 @@ module Doorkeeper
       end
 
       def validate_client_supports_grant_flow
-        Doorkeeper.configuration.allow_grant_flow_for_client?(grant_type, client)
+        server_config.allow_grant_flow_for_client?(grant_type, client)
       end
     end
   end

data/lib/doorkeeper/oauth/pre_authorization.rb

@@ -33,7 +33,7 @@ module Doorkeeper
       end
 
       def validate_client_supports_grant_flow
-        Doorkeeper.configuration.allow_grant_flow_for_client?(grant_type, client.application)
+        Doorkeeper.config.allow_grant_flow_for_client?(grant_type, client.application)
       end
 
       def scopes
@@ -46,8 +46,10 @@ module Doorkeeper
 
       def error_response
         if error == :invalid_request
-          OAuth::InvalidRequestResponse.from_request(self,
-                                                     response_on_fragment: response_on_fragment?)
+          OAuth::InvalidRequestResponse.from_request(
+            self,
+            response_on_fragment: response_on_fragment?,
+          )
         else
           OAuth::ErrorResponse.from_request(self, response_on_fragment: response_on_fragment?)
         end
@@ -86,7 +88,7 @@ module Doorkeeper
 
         Helpers::URIChecker.valid_for_authorization?(
           redirect_uri,
-          client.redirect_uri
+          client.redirect_uri,
         )
       end
 
@@ -109,7 +111,7 @@ module Doorkeeper
           scope_str: scope,
           server_scopes: server.scopes,
           app_scopes: client.scopes,
-          grant_type: grant_type
+          grant_type: grant_type,
         )
       end
 

data/lib/doorkeeper/oauth/refresh_token_request.rb

@@ -27,7 +27,7 @@ module Doorkeeper
       private
 
       def load_client(credentials)
-        Application.by_uid_and_secret(credentials.uid, credentials.secret)
+        server_config.application_model.by_uid_and_secret(credentials.uid, credentials.secret)
       end
 
       def before_successful_response
@@ -42,7 +42,7 @@ module Doorkeeper
       end
 
       def refresh_token_revoked_on_use?
-        Doorkeeper::AccessToken.refresh_token_revoked_on_use?
+        server_config.access_token_model.refresh_token_revoked_on_use?
       end
 
       def default_scopes
@@ -50,7 +50,7 @@ module Doorkeeper
       end
 
       def create_access_token
-        @access_token = AccessToken.create!(access_token_attributes)
+        @access_token = server_config.access_token_model.create!(access_token_attributes)
       end
 
       def access_token_attributes
@@ -71,7 +71,7 @@ module Doorkeeper
         context = Authorization::Token.build_context(
           client,
           Doorkeeper::OAuth::REFRESH_TOKEN,
-          scopes
+          scopes,
         )
         Authorization::Token.access_token_expires_in(server, context)
       end
@@ -104,7 +104,7 @@ module Doorkeeper
         if @original_scopes.present?
           ScopeChecker.valid?(
             scope_str: @original_scopes,
-            server_scopes: refresh_token.scopes
+            server_scopes: refresh_token.scopes,
           )
         else
           true

data/lib/doorkeeper/oauth/token.rb

@@ -14,8 +14,8 @@ module Doorkeeper
 
         def authenticate(request, *methods)
           if (token = from_request(request, *methods))
-            access_token = AccessToken.by_token(token)
-            refresh_token_enabled = Doorkeeper.configuration.refresh_token_enabled?
+            access_token = Doorkeeper.config.access_token_model.by_token(token)
+            refresh_token_enabled = Doorkeeper.config.refresh_token_enabled?
             if access_token.present? && refresh_token_enabled
               access_token.revoke_previous_refresh_token!
             end

data/lib/doorkeeper/oauth/token_introspection.rb

@@ -94,7 +94,7 @@ module Doorkeeper
           client_id: @token.try(:application).try(:uid),
           token_type: @token.token_type,
           exp: @token.expires_at.to_i,
-          iat: @token.created_at.to_i
+          iat: @token.created_at.to_i,
         )
       end
 
@@ -174,15 +174,15 @@ module Doorkeeper
         authorized_token.token == @token&.token
       end
 
-      # config constraints for introspection in Doorkeeper.configuration.allow_token_introspection
+      # Config constraints for introspection in Doorkeeper.config.allow_token_introspection
       def token_introspection_allowed?(auth_client: nil, auth_token: nil)
-        allow_introspection = Doorkeeper.configuration.allow_token_introspection
+        allow_introspection = Doorkeeper.config.allow_token_introspection
         return allow_introspection unless allow_introspection.respond_to?(:call)
 
         allow_introspection.call(
           @token,
           auth_client,
-          auth_token
+          auth_token,
         )
       end
 
@@ -193,9 +193,9 @@ module Doorkeeper
       # @see https://tools.ietf.org/html/rfc7662#section-2.2
       #
       def customize_response(response)
-        customized_response = Doorkeeper.configuration.custom_introspection_response.call(
+        customized_response = Doorkeeper.config.custom_introspection_response.call(
           token,
-          server.context
+          server.context,
         )
         return response if customized_response.blank?
 

data/lib/doorkeeper/orm/active_record/access_grant.rb

@@ -1,48 +1,9 @@
 # frozen_string_literal: true
 
-module Doorkeeper
-  class AccessGrant < ActiveRecord::Base
-    self.table_name = "#{table_name_prefix}oauth_access_grants#{table_name_suffix}"
-
-    include AccessGrantMixin
-
-    belongs_to :application, class_name: "Doorkeeper::Application",
-                             optional: true, inverse_of: :access_grants
-
-    validates :resource_owner_id,
-              :application_id,
-              :token,
-              :expires_in,
-              :redirect_uri,
-              presence: true
-
-    validates :token, uniqueness: { case_sensitive: true }
+require "doorkeeper/orm/active_record/mixins/access_grant"
 
-    before_validation :generate_token, on: :create
-
-    # We keep a volatile copy of the raw token for initial communication
-    # The stored refresh_token may be mapped and not available in cleartext.
-    #
-    # Some strategies allow restoring stored secrets (e.g. symmetric encryption)
-    # while hashing strategies do not, so you cannot rely on this value
-    # returning a present value for persisted tokens.
-    def plaintext_token
-      if secret_strategy.allows_restoring_secrets?
-        secret_strategy.restore_secret(self, :token)
-      else
-        @raw_token
-      end
-    end
-
-    private
-
-    # Generates token value with UniqueToken class.
-    #
-    # @return [String] token value
-    #
-    def generate_token
-      @raw_token = UniqueToken.generate
-      secret_strategy.store_secret(self, :token, @raw_token)
-    end
+module Doorkeeper
+  class AccessGrant < ::ActiveRecord::Base
+    include Doorkeeper::Orm::ActiveRecord::Mixins::AccessGrant
   end
 end

data/lib/doorkeeper/orm/active_record/access_token.rb

@@ -1,40 +1,9 @@
 # frozen_string_literal: true
 
-module Doorkeeper
-  class AccessToken < ActiveRecord::Base
-    self.table_name = "#{table_name_prefix}oauth_access_tokens#{table_name_suffix}"
-
-    include AccessTokenMixin
-
-    belongs_to :application, class_name: "Doorkeeper::Application",
-                             inverse_of: :access_tokens, optional: true
-
-    validates :token, presence: true, uniqueness: { case_sensitive: true }
-    validates :refresh_token, uniqueness: { case_sensitive: true }, if: :use_refresh_token?
+require "doorkeeper/orm/active_record/mixins/access_token"
 
-    # @attr_writer [Boolean, nil] use_refresh_token
-    #   indicates the possibility of using refresh token
-    attr_writer :use_refresh_token
-
-    before_validation :generate_token, on: :create
-    before_validation :generate_refresh_token,
-                      on: :create, if: :use_refresh_token?
-
-    # Searches for not revoked Access Tokens associated with the
-    # specific Resource Owner.
-    #
-    # @param resource_owner [ActiveRecord::Base]
-    #   Resource Owner model instance
-    #
-    # @return [ActiveRecord::Relation]
-    #   active Access Tokens for Resource Owner
-    #
-    def self.active_for(resource_owner)
-      where(resource_owner_id: resource_owner.id, revoked_at: nil)
-    end
-
-    def self.refresh_token_revoked_on_use?
-      column_names.include?("previous_refresh_token")
-    end
+module Doorkeeper
+  class AccessToken < ::ActiveRecord::Base
+    include Doorkeeper::Orm::ActiveRecord::Mixins::AccessToken
   end
 end

data/lib/doorkeeper/orm/active_record/application.rb

@@ -1,162 +1,10 @@
 # frozen_string_literal: true
 
 require "doorkeeper/orm/active_record/redirect_uri_validator"
+require "doorkeeper/orm/active_record/mixins/application"
 
 module Doorkeeper
-  class Application < ActiveRecord::Base
-    self.table_name = "#{table_name_prefix}oauth_applications#{table_name_suffix}"
-
-    include ApplicationMixin
-
-    has_many :access_grants, dependent: :delete_all, class_name: "Doorkeeper::AccessGrant"
-    has_many :access_tokens, dependent: :delete_all, class_name: "Doorkeeper::AccessToken"
-
-    validates :name, :secret, :uid, presence: true
-    validates :uid, uniqueness: { case_sensitive: true }
-    validates :redirect_uri, "doorkeeper/redirect_uri": true
-    validates :confidential, inclusion: { in: [true, false] }
-
-    validate :scopes_match_configured, if: :enforce_scopes?
-
-    before_validation :generate_uid, :generate_secret, on: :create
-
-    has_many :authorized_tokens, -> { where(revoked_at: nil) }, class_name: "AccessToken"
-    has_many :authorized_applications, through: :authorized_tokens, source: :application
-
-    # Returns Applications associated with active (not revoked) Access Tokens
-    # that are owned by the specific Resource Owner.
-    #
-    # @param resource_owner [ActiveRecord::Base]
-    #   Resource Owner model instance
-    #
-    # @return [ActiveRecord::Relation]
-    #   Applications authorized for the Resource Owner
-    #
-    def self.authorized_for(resource_owner)
-      resource_access_tokens = AccessToken.active_for(resource_owner)
-      where(id: resource_access_tokens.select(:application_id).distinct)
-    end
-
-    # Revokes AccessToken and AccessGrant records that have not been revoked and
-    # associated with the specific Application and Resource Owner.
-    #
-    # @param resource_owner [ActiveRecord::Base]
-    #   instance of the Resource Owner model
-    #
-    def self.revoke_tokens_and_grants_for(id, resource_owner)
-      AccessToken.revoke_all_for(id, resource_owner)
-      AccessGrant.revoke_all_for(id, resource_owner)
-    end
-
-    # Generates a new secret for this application, intended to be used
-    # for rotating the secret or in case of compromise.
-    #
-    def renew_secret
-      @raw_secret = UniqueToken.generate
-      secret_strategy.store_secret(self, :secret, @raw_secret)
-    end
-
-    # We keep a volatile copy of the raw secret for initial communication
-    # The stored refresh_token may be mapped and not available in cleartext.
-    #
-    # Some strategies allow restoring stored secrets (e.g. symmetric encryption)
-    # while hashing strategies do not, so you cannot rely on this value
-    # returning a present value for persisted tokens.
-    def plaintext_secret
-      if secret_strategy.allows_restoring_secrets?
-        secret_strategy.restore_secret(self, :secret)
-      else
-        @raw_secret
-      end
-    end
-
-    # Represents client as set of it's attributes in JSON format.
-    # This is the right way how we want to override ActiveRecord #to_json.
-    #
-    # Respects privacy settings and serializes minimum set of attributes
-    # for public/private clients and full set for authorized owners.
-    #
-    # @return [Hash] entity attributes for JSON
-    #
-    def as_json(options = {})
-      # if application belongs to some owner we need to check if it's the same as
-      # the one passed in the options or check if we render the client as an owner
-      if (respond_to?(:owner) && owner && owner == options[:current_resource_owner]) ||
-         options[:as_owner]
-        # Owners can see all the client attributes, fallback to ActiveModel serialization
-        super
-      else
-        # if application has no owner or it's owner doesn't match one from the options
-        # we render only minimum set of attributes that could be exposed to a public
-        only = extract_serializable_attributes(options)
-        super(options.merge(only: only))
-      end
-    end
-
-    # We need to hook into this method to allow serializing plan-text secrets
-    # when secrets hashing enabled.
-    #
-    # @param key [String] attribute name
-    #
-    def read_attribute_for_serialization(key)
-      return super unless key.to_s == "secret"
-
-      plaintext_secret || secret
-    end
-
-    private
-
-    def generate_uid
-      self.uid = UniqueToken.generate if uid.blank?
-    end
-
-    def generate_secret
-      return unless secret.blank?
-      renew_secret
-    end
-
-    def scopes_match_configured
-      if scopes.present? &&
-         !ScopeChecker.valid?(scope_str: scopes.to_s,
-                              server_scopes: Doorkeeper.configuration.scopes)
-        errors.add(:scopes, :not_match_configured)
-      end
-    end
-
-    def enforce_scopes?
-      Doorkeeper.configuration.enforce_configured_scopes?
-    end
-
-    # Helper method to extract collection of serializable attribute names
-    # considering serialization options (like `only`, `except` and so on).
-    #
-    # @param options [Hash] serialization options
-    #
-    # @return [Array<String>]
-    #   collection of attributes to be serialized using #as_json
-    #
-    def extract_serializable_attributes(options = {})
-      opts = options.try(:dup) || {}
-      only = Array.wrap(opts[:only]).map(&:to_s)
-
-      only = if only.blank?
-               serializable_attributes
-             else
-               only & serializable_attributes
-             end
-
-      only -= Array.wrap(opts[:except]).map(&:to_s) if opts.key?(:except)
-      only.uniq
-    end
-
-    # Collection of attributes that could be serialized for public.
-    # Override this method if you need additional attributes to be serialized.
-    #
-    # @return [Array<String>] collection of serializable attributes
-    def serializable_attributes
-      attributes = %w[id name created_at]
-      attributes << "uid" unless confidential?
-      attributes
-    end
+  class Application < ::ActiveRecord::Base
+    include ::Doorkeeper::Orm::ActiveRecord::Mixins::Application
   end
 end

data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+module Doorkeeper::Orm::ActiveRecord::Mixins
+  module AccessGrant
+    extend ActiveSupport::Concern
+
+    included do
+      self.table_name = "#{table_name_prefix}oauth_access_grants#{table_name_suffix}"
+
+      include ::Doorkeeper::AccessGrantMixin
+
+      belongs_to :application, class_name: Doorkeeper.config.application_class,
+                               optional: true,
+                               inverse_of: :access_grants
+
+      validates :resource_owner_id,
+                :application_id,
+                :token,
+                :expires_in,
+                :redirect_uri,
+                presence: true
+
+      validates :token, uniqueness: { case_sensitive: true }
+
+      before_validation :generate_token, on: :create
+
+      # We keep a volatile copy of the raw token for initial communication
+      # The stored refresh_token may be mapped and not available in cleartext.
+      #
+      # Some strategies allow restoring stored secrets (e.g. symmetric encryption)
+      # while hashing strategies do not, so you cannot rely on this value
+      # returning a present value for persisted tokens.
+      def plaintext_token
+        if secret_strategy.allows_restoring_secrets?
+          secret_strategy.restore_secret(self, :token)
+        else
+          @raw_token
+        end
+      end
+
+      private
+
+      # Generates token value with UniqueToken class.
+      #
+      # @return [String] token value
+      #
+      def generate_token
+        @raw_token = Doorkeeper::OAuth::Helpers::UniqueToken.generate
+        secret_strategy.store_secret(self, :token, @raw_token)
+      end
+    end
+  end
+end

data/lib/doorkeeper/orm/active_record/mixins/access_token.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module Doorkeeper::Orm::ActiveRecord::Mixins
+  module AccessToken
+    extend ActiveSupport::Concern
+
+    included do
+      self.table_name = "#{table_name_prefix}oauth_access_tokens#{table_name_suffix}"
+
+      include ::Doorkeeper::AccessTokenMixin
+
+      belongs_to :application, class_name: Doorkeeper.config.application_class,
+                               inverse_of: :access_tokens,
+                               optional: true
+
+      validates :token, presence: true, uniqueness: { case_sensitive: true }
+      validates :refresh_token, uniqueness: { case_sensitive: true }, if: :use_refresh_token?
+
+      # @attr_writer [Boolean, nil] use_refresh_token
+      #   indicates the possibility of using refresh token
+      attr_writer :use_refresh_token
+
+      before_validation :generate_token, on: :create
+      before_validation :generate_refresh_token,
+                        on: :create, if: :use_refresh_token?
+    end
+
+    class_methods do
+      # Searches for not revoked Access Tokens associated with the
+      # specific Resource Owner.
+      #
+      # @param resource_owner [ActiveRecord::Base]
+      #   Resource Owner model instance
+      #
+      # @return [ActiveRecord::Relation]
+      #   active Access Tokens for Resource Owner
+      #
+      def active_for(resource_owner)
+        where(resource_owner_id: resource_owner.id, revoked_at: nil)
+      end
+
+      def refresh_token_revoked_on_use?
+        column_names.include?("previous_refresh_token")
+      end
+    end
+  end
+end