doorkeeper 5.3.2 → 5.4.0





Files changed (225)
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +84 -2
  3. data/README.md +6 -4
  4. data/app/controllers/doorkeeper/applications_controller.rb +4 -4
  5. data/app/controllers/doorkeeper/authorizations_controller.rb +31 -12
  6. data/app/controllers/doorkeeper/authorized_applications_controller.rb +2 -2
  7. data/app/controllers/doorkeeper/tokens_controller.rb +57 -20
  8. data/app/views/doorkeeper/applications/_form.html.erb +1 -1
  9. data/app/views/doorkeeper/applications/show.html.erb +19 -2
  10. data/config/locales/en.yml +3 -1
  11. data/lib/doorkeeper.rb +106 -79
  12. data/lib/doorkeeper/config.rb +64 -35
  13. data/lib/doorkeeper/config/abstract_builder.rb +28 -0
  14. data/lib/doorkeeper/config/option.rb +28 -14
  15. data/lib/doorkeeper/engine.rb +1 -1
  16. data/lib/doorkeeper/grape/helpers.rb +1 -1
  17. data/lib/doorkeeper/helpers/controller.rb +4 -4
  18. data/lib/doorkeeper/models/access_grant_mixin.rb +20 -16
  19. data/lib/doorkeeper/models/access_token_mixin.rb +108 -45
  20. data/lib/doorkeeper/models/application_mixin.rb +5 -4
  21. data/lib/doorkeeper/models/concerns/resource_ownerable.rb +47 -0
  22. data/lib/doorkeeper/models/concerns/revocable.rb +1 -1
  23. data/lib/doorkeeper/models/concerns/scopes.rb +5 -1
  24. data/lib/doorkeeper/models/concerns/secret_storable.rb +1 -3
  25. data/lib/doorkeeper/oauth/authorization/code.rb +15 -6
  26. data/lib/doorkeeper/oauth/authorization/context.rb +2 -2
  27. data/lib/doorkeeper/oauth/authorization/token.rb +8 -12
  28. data/lib/doorkeeper/oauth/authorization/uri_builder.rb +4 -4
  29. data/lib/doorkeeper/oauth/authorization_code_request.rb +18 -8
  30. data/lib/doorkeeper/oauth/base_request.rb +11 -19
  31. data/lib/doorkeeper/oauth/client.rb +1 -1
  32. data/lib/doorkeeper/oauth/client/credentials.rb +2 -4
  33. data/lib/doorkeeper/oauth/client_credentials/creator.rb +26 -8
  34. data/lib/doorkeeper/oauth/client_credentials/issuer.rb +3 -2
  35. data/lib/doorkeeper/oauth/client_credentials/validator.rb +4 -2
  36. data/lib/doorkeeper/oauth/client_credentials_request.rb +8 -7
  37. data/lib/doorkeeper/oauth/code_request.rb +3 -3
  38. data/lib/doorkeeper/oauth/code_response.rb +6 -2
  39. data/lib/doorkeeper/oauth/error_response.rb +2 -4
  40. data/lib/doorkeeper/oauth/helpers/scope_checker.rb +1 -5
  41. data/lib/doorkeeper/oauth/hooks/context.rb +21 -0
  42. data/lib/doorkeeper/oauth/invalid_token_response.rb +2 -2
  43. data/lib/doorkeeper/oauth/password_access_token_request.rb +4 -6
  44. data/lib/doorkeeper/oauth/pre_authorization.rb +36 -30
  45. data/lib/doorkeeper/oauth/refresh_token_request.rb +18 -22
  46. data/lib/doorkeeper/oauth/token.rb +5 -6
  47. data/lib/doorkeeper/oauth/token_introspection.rb +4 -8
  48. data/lib/doorkeeper/oauth/token_request.rb +3 -3
  49. data/lib/doorkeeper/oauth/token_response.rb +1 -1
  50. data/lib/doorkeeper/orm/active_record.rb +10 -2
  51. data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +8 -3
  52. data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +7 -3
  53. data/lib/doorkeeper/orm/active_record/mixins/application.rb +20 -16
  54. data/lib/doorkeeper/rails/routes.rb +13 -17
  55. data/lib/doorkeeper/rails/routes/abstract_router.rb +35 -0
  56. data/lib/doorkeeper/rails/routes/mapper.rb +2 -2
  57. data/lib/doorkeeper/rails/routes/registry.rb +45 -0
  58. data/lib/doorkeeper/request/refresh_token.rb +2 -1
  59. data/lib/doorkeeper/request/strategy.rb +2 -2
  60. data/lib/doorkeeper/server.rb +4 -4
  61. data/lib/doorkeeper/stale_records_cleaner.rb +4 -4
  62. data/lib/doorkeeper/version.rb +2 -2
  63. data/lib/generators/doorkeeper/confidential_applications_generator.rb +1 -1
  64. data/lib/generators/doorkeeper/enable_polymorphic_resource_owner_generator.rb +39 -0
  65. data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +2 -0
  66. data/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb.erb +2 -0
  67. data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +2 -0
  68. data/lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb +17 -0
  69. data/lib/generators/doorkeeper/templates/initializer.rb +39 -3
  70. data/lib/generators/doorkeeper/templates/migration.rb.erb +14 -5
  71. metadata +12 -295
  72. data/Appraisals +0 -40
  73. data/CODE_OF_CONDUCT.md +0 -46
  74. data/CONTRIBUTING.md +0 -49
  75. data/Dangerfile +0 -67
  76. data/Dockerfile +0 -29
  77. data/Gemfile +0 -25
  78. data/NEWS.md +0 -1
  79. data/RELEASING.md +0 -11
  80. data/Rakefile +0 -28
  81. data/SECURITY.md +0 -15
  82. data/UPGRADE.md +0 -2
  83. data/bin/console +0 -16
  84. data/doorkeeper.gemspec +0 -42
  85. data/gemfiles/rails_5_0.gemfile +0 -18
  86. data/gemfiles/rails_5_1.gemfile +0 -18
  87. data/gemfiles/rails_5_2.gemfile +0 -18
  88. data/gemfiles/rails_6_0.gemfile +0 -18
  89. data/gemfiles/rails_master.gemfile +0 -18
  90. data/spec/controllers/application_metal_controller_spec.rb +0 -64
  91. data/spec/controllers/applications_controller_spec.rb +0 -274
  92. data/spec/controllers/authorizations_controller_spec.rb +0 -608
  93. data/spec/controllers/protected_resources_controller_spec.rb +0 -361
  94. data/spec/controllers/token_info_controller_spec.rb +0 -50
  95. data/spec/controllers/tokens_controller_spec.rb +0 -498
  96. data/spec/dummy/Rakefile +0 -9
  97. data/spec/dummy/app/assets/config/manifest.js +0 -2
  98. data/spec/dummy/app/controllers/application_controller.rb +0 -5
  99. data/spec/dummy/app/controllers/custom_authorizations_controller.rb +0 -9
  100. data/spec/dummy/app/controllers/full_protected_resources_controller.rb +0 -14
  101. data/spec/dummy/app/controllers/home_controller.rb +0 -18
  102. data/spec/dummy/app/controllers/metal_controller.rb +0 -13
  103. data/spec/dummy/app/controllers/semi_protected_resources_controller.rb +0 -13
  104. data/spec/dummy/app/helpers/application_helper.rb +0 -7
  105. data/spec/dummy/app/models/user.rb +0 -7
  106. data/spec/dummy/app/views/home/index.html.erb +0 -0
  107. data/spec/dummy/app/views/layouts/application.html.erb +0 -14
  108. data/spec/dummy/config.ru +0 -6
  109. data/spec/dummy/config/application.rb +0 -49
  110. data/spec/dummy/config/boot.rb +0 -7
  111. data/spec/dummy/config/database.yml +0 -15
  112. data/spec/dummy/config/environment.rb +0 -5
  113. data/spec/dummy/config/environments/development.rb +0 -31
  114. data/spec/dummy/config/environments/production.rb +0 -64
  115. data/spec/dummy/config/environments/test.rb +0 -45
  116. data/spec/dummy/config/initializers/backtrace_silencers.rb +0 -9
  117. data/spec/dummy/config/initializers/doorkeeper.rb +0 -166
  118. data/spec/dummy/config/initializers/secret_token.rb +0 -10
  119. data/spec/dummy/config/initializers/session_store.rb +0 -10
  120. data/spec/dummy/config/initializers/wrap_parameters.rb +0 -16
  121. data/spec/dummy/config/locales/doorkeeper.en.yml +0 -5
  122. data/spec/dummy/config/routes.rb +0 -13
  123. data/spec/dummy/db/migrate/20111122132257_create_users.rb +0 -11
  124. data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb +0 -7
  125. data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +0 -69
  126. data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb +0 -9
  127. data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb +0 -13
  128. data/spec/dummy/db/migrate/20170822064514_enable_pkce.rb +0 -8
  129. data/spec/dummy/db/migrate/20180210183654_add_confidential_to_applications.rb +0 -13
  130. data/spec/dummy/db/schema.rb +0 -68
  131. data/spec/dummy/public/404.html +0 -26
  132. data/spec/dummy/public/422.html +0 -26
  133. data/spec/dummy/public/500.html +0 -26
  134. data/spec/dummy/public/favicon.ico +0 -0
  135. data/spec/dummy/script/rails +0 -9
  136. data/spec/factories.rb +0 -30
  137. data/spec/generators/application_owner_generator_spec.rb +0 -28
  138. data/spec/generators/confidential_applications_generator_spec.rb +0 -29
  139. data/spec/generators/install_generator_spec.rb +0 -36
  140. data/spec/generators/migration_generator_spec.rb +0 -28
  141. data/spec/generators/pkce_generator_spec.rb +0 -28
  142. data/spec/generators/previous_refresh_token_generator_spec.rb +0 -44
  143. data/spec/generators/templates/routes.rb +0 -4
  144. data/spec/generators/views_generator_spec.rb +0 -29
  145. data/spec/grape/grape_integration_spec.rb +0 -137
  146. data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +0 -26
  147. data/spec/lib/config_spec.rb +0 -809
  148. data/spec/lib/doorkeeper_spec.rb +0 -27
  149. data/spec/lib/models/expirable_spec.rb +0 -61
  150. data/spec/lib/models/reusable_spec.rb +0 -40
  151. data/spec/lib/models/revocable_spec.rb +0 -59
  152. data/spec/lib/models/scopes_spec.rb +0 -53
  153. data/spec/lib/models/secret_storable_spec.rb +0 -135
  154. data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -39
  155. data/spec/lib/oauth/authorization_code_request_spec.rb +0 -170
  156. data/spec/lib/oauth/base_request_spec.rb +0 -224
  157. data/spec/lib/oauth/base_response_spec.rb +0 -45
  158. data/spec/lib/oauth/client/credentials_spec.rb +0 -90
  159. data/spec/lib/oauth/client_credentials/creator_spec.rb +0 -134
  160. data/spec/lib/oauth/client_credentials/issuer_spec.rb +0 -112
  161. data/spec/lib/oauth/client_credentials/validation_spec.rb +0 -59
  162. data/spec/lib/oauth/client_credentials_integration_spec.rb +0 -27
  163. data/spec/lib/oauth/client_credentials_request_spec.rb +0 -107
  164. data/spec/lib/oauth/client_spec.rb +0 -38
  165. data/spec/lib/oauth/code_request_spec.rb +0 -46
  166. data/spec/lib/oauth/code_response_spec.rb +0 -32
  167. data/spec/lib/oauth/error_response_spec.rb +0 -64
  168. data/spec/lib/oauth/error_spec.rb +0 -21
  169. data/spec/lib/oauth/forbidden_token_response_spec.rb +0 -20
  170. data/spec/lib/oauth/helpers/scope_checker_spec.rb +0 -110
  171. data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -21
  172. data/spec/lib/oauth/helpers/uri_checker_spec.rb +0 -262
  173. data/spec/lib/oauth/invalid_request_response_spec.rb +0 -73
  174. data/spec/lib/oauth/invalid_token_response_spec.rb +0 -53
  175. data/spec/lib/oauth/password_access_token_request_spec.rb +0 -190
  176. data/spec/lib/oauth/pre_authorization_spec.rb +0 -223
  177. data/spec/lib/oauth/refresh_token_request_spec.rb +0 -177
  178. data/spec/lib/oauth/scopes_spec.rb +0 -146
  179. data/spec/lib/oauth/token_request_spec.rb +0 -157
  180. data/spec/lib/oauth/token_response_spec.rb +0 -84
  181. data/spec/lib/oauth/token_spec.rb +0 -156
  182. data/spec/lib/request/strategy_spec.rb +0 -54
  183. data/spec/lib/secret_storing/base_spec.rb +0 -60
  184. data/spec/lib/secret_storing/bcrypt_spec.rb +0 -49
  185. data/spec/lib/secret_storing/plain_spec.rb +0 -44
  186. data/spec/lib/secret_storing/sha256_hash_spec.rb +0 -48
  187. data/spec/lib/server_spec.rb +0 -49
  188. data/spec/lib/stale_records_cleaner_spec.rb +0 -89
  189. data/spec/models/doorkeeper/access_grant_spec.rb +0 -161
  190. data/spec/models/doorkeeper/access_token_spec.rb +0 -622
  191. data/spec/models/doorkeeper/application_spec.rb +0 -482
  192. data/spec/requests/applications/applications_request_spec.rb +0 -259
  193. data/spec/requests/applications/authorized_applications_spec.rb +0 -32
  194. data/spec/requests/endpoints/authorization_spec.rb +0 -91
  195. data/spec/requests/endpoints/token_spec.rb +0 -75
  196. data/spec/requests/flows/authorization_code_errors_spec.rb +0 -79
  197. data/spec/requests/flows/authorization_code_spec.rb +0 -525
  198. data/spec/requests/flows/client_credentials_spec.rb +0 -166
  199. data/spec/requests/flows/implicit_grant_errors_spec.rb +0 -46
  200. data/spec/requests/flows/implicit_grant_spec.rb +0 -91
  201. data/spec/requests/flows/password_spec.rb +0 -316
  202. data/spec/requests/flows/refresh_token_spec.rb +0 -233
  203. data/spec/requests/flows/revoke_token_spec.rb +0 -157
  204. data/spec/requests/flows/skip_authorization_spec.rb +0 -66
  205. data/spec/requests/protected_resources/metal_spec.rb +0 -16
  206. data/spec/requests/protected_resources/private_api_spec.rb +0 -83
  207. data/spec/routing/custom_controller_routes_spec.rb +0 -133
  208. data/spec/routing/default_routes_spec.rb +0 -41
  209. data/spec/routing/scoped_routes_spec.rb +0 -47
  210. data/spec/spec_helper.rb +0 -54
  211. data/spec/spec_helper_integration.rb +0 -4
  212. data/spec/support/dependencies/factory_bot.rb +0 -4
  213. data/spec/support/doorkeeper_rspec.rb +0 -22
  214. data/spec/support/helpers/access_token_request_helper.rb +0 -13
  215. data/spec/support/helpers/authorization_request_helper.rb +0 -43
  216. data/spec/support/helpers/config_helper.rb +0 -11
  217. data/spec/support/helpers/model_helper.rb +0 -78
  218. data/spec/support/helpers/request_spec_helper.rb +0 -110
  219. data/spec/support/helpers/url_helper.rb +0 -62
  220. data/spec/support/orm/active_record.rb +0 -5
  221. data/spec/support/shared/controllers_shared_context.rb +0 -133
  222. data/spec/support/shared/hashing_shared_context.rb +0 -36
  223. data/spec/support/shared/models_shared_examples.rb +0 -54
  224. data/spec/validators/redirect_uri_validator_spec.rb +0 -183
  225. data/spec/version/version_spec.rb +0 -17
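--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 2a2e558c16d91012fda8543a405ee8e107ec3e100edc255ef9c0453e15fee34b
-data.tar.gz: 0e9ffe0268ccfb370ec23cd5c5b124e8febdec591cd0d5443974bd73942079f2
+metadata.gz: 76b3a86e21584548c9b0c176512c844bee90ba9c447aaf09741abf54488093bb
+data.tar.gz: ce7a4ffdf3b0aebaa69f703b70f0109276205c9ec0b2f1e2c7b3e88cb4746f8b
 SHA512:
-metadata.gz: 11b2350bfbe3e18b7500b9a159096dda35fc2307f66ab5ccec9e1266c18a4fc34e1ac9a8ffa763f713cd431dbb9a5fee7734bcd9d6576b41749101e3f149e969
-data.tar.gz: 7fdb1df4a142ac870a3a37838c4131a7514f81571319339c115754bf92ad3ed97c9e5a543008b94da6117e854104e418052bb634a5e5fcfb460063ecb83c6b5d
+metadata.gz: 7192f9711713f15d323e85aa3ad4274b314a55dcc89ba945de52dca5dbbad2e267dc3252da353cd4991fae365a1161fd91d06c0bfcaba767163b4c54eafca125
+data.tar.gz: b5f324cfe8064b32254ca1c045bc24c54ab21a485bf3c6a9726bc995ab9dc24516872bf8ee314850b65f6ce3d879d0497e67416ea78c0f8f7566bdbfd48e024a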
@@ -5,9 +5,17 @@ upgrade guides.
5
5
 
6
6
  User-visible changes worth mentioning.
7
7
 
8
- ## 5.3.2
8
+ ## master
9
9
 
10
- - [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
10
+ - [#PR ID] Your PR description.
11
+
12
+ ## 5.4.0
13
+
14
+ - [#1404] Make `Doorkeeper::Application#read_attribute_for_serialization` public.
15
+
16
+ ## 5.4.0.rc2
17
+
18
+ - [#1371] Add `#as_json` method and attributes serialization restriction for Application model.
11
19
  Fixes information disclosure vulnerability (CVE-2020-10187).
12
20
 
13
21
  **[IMPORTANT]** you need to re-implement `#as_json` method for Doorkeeper Application model
@@ -15,6 +23,54 @@ User-visible changes worth mentioning.
15
23
  JSON response from /oauth/applications.json or /oauth/authorized_applications.json. This change
16
24
  is a breaking change which restricts serialized attributes to a very small set of columns.
17
25
 
26
+ - [#1395] Fix `NameError: uninitialized constant Doorkeeper::AccessToken` for Rake tasks.
27
+ - [#1397] Add `as: :doorkeeper_application` on Doorkeeper application form in order to support
28
+ custom configured application model.
29
+ - [#1400] Correctly yield the application instance to `allow_grant_flow_for_client?` config
30
+ option (fixes #1398).
31
+ - [#1402] Handle trying authorization with client credentials.
32
+
33
+ ## 5.4.0.rc1
34
+ - [#1366] Sets expiry of token generated using `refresh_token` to that of original token. (Fixes #1364)
35
+ - [#1354] Add `authorize_resource_owner_for_client` option to authorize the calling user to access an application.
36
+ - [#1355] Allow to enable polymorphic Resource Owner association for Access Token & Grant
37
+ models (`use_polymorphic_resource_owner` configuration option).
38
+
39
+ **[IMPORTANT]** Review your custom patches or extensions for Doorkeeper internals if you
40
+ have such - since now Doorkeeper passes Resource Owner instance to every objects and not
41
+ just it's ID. See PR description for details.
42
+
43
+ - [#1356] Remove duplicated scopes from Access Tokens and Grants on attribute assignment.
44
+ - [#1357] Fix `Doorkeeper::OAuth::PreAuthorization#as_json` method causing
45
+ `Stack level too deep` error with AMS (fix #1312).
46
+ - [#1358] Deprecate `active_record_options` configuration option.
47
+ - [#1359] Refactor Doorkeeper configuration options DSL to make it easy to reuse it
48
+ in external extensions.
49
+ - [#1360] Increase `matching_token_for` lookup size to 10 000 and make it configurable.
50
+ - [#1371] Fix controllers to use valid classes in case Doorkeeper has custom models configured.
51
+ - [#1370] Fix revocation response for invalid token and unauthorized requests to conform with RFC 7009 (fixes #1362).
52
+
53
+ **[IMPORTANT]** now fully according to RFC 7009 nobody can do a revocation request without `client_id`
54
+ (for public clients) and `client_secret` (for private clients). Please update your apps to include that
55
+ info in the revocation request payload.
56
+
57
+ - [#1373] Make Doorkeeper routes mapper reusable in extensions.
58
+ - [#1374] Revoke and issue client credentials token in a transaction with a row lock.
59
+ - [#1384] Add context object with auth/pre_auth and issued_token for authorization hooks.
60
+ - [#1387] Add `AccessToken#create_for` and use in `RefreshTokenRequest`.
61
+ - [#1392] Fix `enable_polymorphic_resource_owner` migration template to have proper index name.
62
+ - [#1393] Improve Applications #show page with more informative data on client secret and scopes.
63
+ - [#1394] Use Ruby `autoload` feature to load Doorkeeper files.
64
+
65
+ ## 5.3.3
66
+
67
+ - [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
68
+
69
+ ## 5.3.2
70
+
71
+ - [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
72
+ Fixes information disclosure vulnerability (CVE-2020-10187).
73
+
18
74
  ## 5.3.1
19
75
 
20
76
  - [#1360] Backport: Increase `matching_token_for` batch lookup size to 10 000 and make it configurable.
@@ -33,6 +89,15 @@ User-visible changes worth mentioning.
33
89
  If you were relying on access tokens being revoked once the same client
34
90
  requested a new access token, reenable it with `revoke_previous_client_credentials_token` in Doorkeeper
35
91
  initialization file.
92
+
93
+ ## 5.2.6
94
+
95
+ - [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
96
+
97
+ ## 5.2.5
98
+
99
+ - [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
100
+ Fixes information disclosure vulnerability (CVE-2020-10187).
36
101
 
37
102
  ## 5.2.4
38
103
 
@@ -66,6 +131,9 @@ User-visible changes worth mentioning.
66
131
  - [#1298] Slice strong params so doesn't error with Rails forms.
67
132
  - [#1300] Limiting access to attributes of pre_authorization.
68
133
  - [#1296] Adding client_id to strong parameters.
134
+
135
+ **[IMPORTANT]** `Doorkeeper::Server#client_via_uid` was removed.
136
+
69
137
  - [#1293] Move ar specific redirect uri validator to ar orm directory.
70
138
  - [#1288] Allow to pass attributes to the `Doorkeeper::OAuth::PreAuthorization#as_json` method to customize
71
139
  the PreAuthorization response.
@@ -98,6 +166,15 @@ User-visible changes worth mentioning.
98
166
  - [#1248] Return the unhashed Application Secret in the JSON response after creating new application even when `hash_application_secrets` is used.
99
167
  - [#1238] Better support for native app with support for custom scheme and localhost redirection.
100
168
 
169
+ ## 5.1.2
170
+
171
+ - [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
172
+
173
+ ## 5.1.1
174
+
175
+ - [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
176
+ Fixes information disclosure vulnerability (CVE-2020-10187).
177
+
101
178
  ## 5.1.0
102
179
 
103
180
  - [#1243] Add nil check operator in token checking at token introspection.
@@ -159,6 +236,11 @@ User-visible changes worth mentioning.
159
236
  - [#1164] Fix error when `root_path` is not defined.
160
237
  - [#1162] Fix `enforce_content_type` for requests without body.
161
238
 
239
+ ## 5.0.3
240
+
241
+ - [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
242
+ Fixes information disclosure vulnerability (CVE-2020-10187).
243
+
162
244
  ## 5.0.2
163
245
 
164
246
  - [#1158] Fix initializer template: change `handle_auth_errors` option
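--- a/data/README.md
+++ b/data/README.md
@@ -6,7 +6,7 @@
 [![Coverage Status](https://coveralls.io/repos/github/doorkeeper-gem/doorkeeper/badge.svg?branch=master)](https://coveralls.io/github/doorkeeper-gem/doorkeeper?branch=master)
 [![Security](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master.svg)](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master)
 [![Reviewed by Hound](https://img.shields.io/badge/Reviewed_by-Hound-8E64B0.svg)](https://houndci.com)
-[![GuardRails badge](https://badges.production.guardrails.io/doorkeeper-gem/doorkeeper.svg?token=66768ce8f6995814df81f65a2cff40f739f688492704f973e62809e15599bb62)](https://dashboard.guardrails.io/default/gh/doorkeeper-gem/doorkeeper)
+[![GuardRails badge](https://badges.guardrails.io/doorkeeper-gem/doorkeeper.svg?token=66768ce8f6995814df81f65a2cff40f739f688492704f973e62809e15599bb62)](https://dashboard.guardrails.io/default/gh/doorkeeper-gem/doorkeeper)
 [![Dependabot](https://img.shields.io/badge/dependabot-enabled-success.svg)](https://dependabot.com)
 
 Doorkeeper is a gem (Rails engine) that makes it easy to introduce OAuth 2 provider
@@ -113,7 +113,7 @@ These applications show how Doorkeeper works and how to integrate with it. Start
 
 | Application | Link |
 | :--- | :--- |
-| oAuth2 Server with Doorkeeper | [doorkeeper-gem/doorkeeper-provider-app](https://github.com/doorkeeper-gem/doorkeeper-provider-app) |
+| OAuth2 Server with Doorkeeper | [doorkeeper-gem/doorkeeper-provider-app](https://github.com/doorkeeper-gem/doorkeeper-provider-app) |
 | Sinatra Client connected to Provider App | [doorkeeper-gem/doorkeeper-sinatra-client](https://github.com/doorkeeper-gem/doorkeeper-sinatra-client) |
 | Devise + Omniauth Client | [doorkeeper-gem/doorkeeper-devise-client](https://github.com/doorkeeper-gem/doorkeeper-devise-client) |
 
@@ -160,6 +160,9 @@ tests with a specific Rails version:
 BUNDLE_GEMFILE=gemfiles/rails_6_0.gemfile bundle exec rake
 ```
 
+You can also experiment with the changes using `bin/console`. It uses in-memory SQLite database and default
+Doorkeeper config, but you can reestablish connection or reconfigure the gem if you need.
+
 ## Contributing
 
 Want to contribute and don't know where to start? Check out [features we're
@@ -168,8 +171,7 @@ create [example
 apps](https://github.com/doorkeeper-gem/doorkeeper/wiki/Example-Applications),
 integrate the gem with your app and let us know!
 
-Also, check out our [contributing guidelines
-page](https://github.com/doorkeeper-gem/doorkeeper/wiki/Contributing).
+Also, check out our [contributing guidelines page](CONTRIBUTING.md).
 
 ## Contributors
 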
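--- a/data/app/controllers/doorkeeper/applications_controller.rb
+++ b/data/app/controllers/doorkeeper/applications_controller.rb
@@ -8,7 +8,7 @@ module Doorkeeper
 before_action :set_application, only: %i[show edit update destroy]
 
 def index
-@applications = Application.ordered_by(:created_at)
+@applications = Doorkeeper.config.application_model.ordered_by(:created_at)
 
 respond_to do |format|
 format.html
@@ -24,11 +24,11 @@ module Doorkeeper
 end
 
 def new
-@application = Application.new
+@application = Doorkeeper.config.application_model.new
 end
 
 def create
-@application = Application.new(application_params)
+@application = Doorkeeper.config.application_model.new(application_params)
 
 if @application.save
 flash[:notice] = I18n.t(:notice, scope: %i[doorkeeper flash applications create])
@@ -84,7 +84,7 @@ module Doorkeeper
 private
 
 def set_application
-@application = Application.find(params[:id])
+@application = Doorkeeper.config.application_model.find(params[:id])
 end
 
 def application_params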
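--- a/data/app/controllers/doorkeeper/authorizations_controller.rb
+++ b/data/app/controllers/doorkeeper/authorizations_controller.rb
@@ -42,9 +42,9 @@ module Doorkeeper
 end
 
 def matching_token?
-AccessToken.matching_token_for(
+Doorkeeper.config.access_token_model.matching_token_for(
 pre_auth.client,
-current_resource_owner.id,
+current_resource_owner,
 pre_auth.scopes,
 )
 end
@@ -65,7 +65,11 @@ module Doorkeeper
 end
 
 def pre_auth
-@pre_auth ||= OAuth::PreAuthorization.new(Doorkeeper.configuration, pre_auth_params)
+@pre_auth ||= OAuth::PreAuthorization.new(
+Doorkeeper.configuration,
+pre_auth_params,
+current_resource_owner,
+)
 end
 
 def pre_auth_params
@@ -73,8 +77,14 @@ module Doorkeeper
 end
 
 def pre_auth_param_fields
-%i[client_id response_type redirect_uri scope state code_challenge
-code_challenge_method]
+%i[
+client_id
+code_challenge
+code_challenge_method
+response_type
+redirect_uri
+scope state
+]
 end
 
 def authorization
@@ -82,26 +92,35 @@ module Doorkeeper
 end
 
 def strategy
-@strategy ||= server.authorization_request pre_auth.response_type
+@strategy ||= server.authorization_request(pre_auth.response_type)
 end
 
 def authorize_response
 @authorize_response ||= begin
 return pre_auth.error_response unless pre_auth.authorizable?
 
-before_successful_authorization
+context = build_context(pre_auth: pre_auth)
+before_successful_authorization(context)
+
 auth = strategy.authorize
-after_successful_authorization
+
+context = build_context(auth: auth)
+after_successful_authorization(context)
+
 auth
 end
 end
 
-def after_successful_authorization
-Doorkeeper.configuration.after_successful_authorization.call(self)
+def build_context(**attributes)
+Doorkeeper::OAuth::Hooks::Context.new(**attributes)
+end
+
+def before_successful_authorization(context = nil)
+Doorkeeper.config.before_successful_authorization.call(self, context)
 end
 
-def before_successful_authorization
-Doorkeeper.configuration.before_successful_authorization.call(self)
+def after_successful_authorization(context)
+Doorkeeper.config.after_successful_authorization.call(self, context)
 end
 end
 end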
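Review bot: `after_successful_authorization(context)` in `authorize_response` runs for whatever `strategy.authorize` returns, whereas the parallel hunk in tokens_controller.rb guards the same call with `unless auth.is_a?(Doorkeeper::OAuth::ErrorResponse)`; if `strategy.authorize` can yield an error response here too (its body is outside this hunk), the "after successful" hook is handed a context whose `auth` is a failure. Aligning the two call sites, `after_successful_authorization(context) unless auth.is_a?(Doorkeeper::OAuth::ErrorResponse)`, would keep the hook's name honest, or a comment in this method should state why an error response is still passed to it. A smaller point of style in `pre_auth_param_fields`: the new one-symbol-per-line `%i[]` list puts `scope state` on a single line, which is easy to misread as one symbol when scanning the list.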
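--- a/data/app/controllers/doorkeeper/authorized_applications_controller.rb
+++ b/data/app/controllers/doorkeeper/authorized_applications_controller.rb
@@ -5,7 +5,7 @@ module Doorkeeper
 before_action :authenticate_resource_owner!
 
 def index
-@applications = Application.authorized_for(current_resource_owner)
+@applications = Doorkeeper.config.application_model.authorized_for(current_resource_owner)
 
 respond_to do |format|
 format.html
@@ -14,7 +14,7 @@ module Doorkeeper
 end
 
 def destroy
-Application.revoke_tokens_and_grants_for(
+Doorkeeper.config.application_model.revoke_tokens_and_grants_for(
 params[:id],
 current_resource_owner,
 )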
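--- a/data/app/controllers/doorkeeper/tokens_controller.rb
+++ b/data/app/controllers/doorkeeper/tokens_controller.rb
@@ -12,14 +12,41 @@ module Doorkeeper
 
 # OAuth 2.0 Token Revocation - http://tools.ietf.org/html/rfc7009
 def revoke
-# The authorization server, if applicable, first authenticates the client
-# and checks its ownership of the provided token.
+# @see 2.1. Revocation Request
 #
-# Doorkeeper does not use the token_type_hint logic described in the
-# RFC 7009 due to the refresh token implementation that is a field in
-# the access token model.
+# The client constructs the request by including the following
+# parameters using the "application/x-www-form-urlencoded" format in
+# the HTTP request entity-body:
+# token REQUIRED.
+# token_type_hint OPTIONAL.
+#
+# The client also includes its authentication credentials as described
+# in Section 2.3. of [RFC6749].
+#
+# The authorization server first validates the client credentials (in
+# case of a confidential client) and then verifies whether the token
+# was issued to the client making the revocation request.
+unless server.client
+# If this validation [client credentials / token ownership] fails, the request is
+# refused and the client is informed of the error by the authorization server as
+# described below.
+#
+# @see 2.2.1. Error Response
+#
+# The error presentation conforms to the definition in Section 5.2 of [RFC6749].
+render json: revocation_error_response, status: :forbidden
+return
+end
 
-if authorized?
+# The authorization server responds with HTTP status code 200 if the client
+# submitted an invalid token or the token has been revoked successfully.
+if token.blank?
+render json: {}, status: 200
+# The authorization server validates [...] and whether the token
+# was issued to the client making the revocation request. If this
+# validation fails, the request is refused and the client is informed
+# of the error by the authorization server as described below.
+elsif authorized?
 revoke_token
 render json: {}, status: 200
 else
@@ -42,8 +69,12 @@ module Doorkeeper
 private
 
 # OAuth 2.0 Section 2.1 defines two client types, "public" & "confidential".
-# Public clients (as per RFC 7009) do not require authentication whereas
-# confidential clients must be authenticated for their token revocation.
+# A malicious client may attempt to guess valid tokens on this endpoint
+# by making revocation requests against potential token strings.
+# According to this specification, a client's request must contain a
+# valid client_id, in the case of a public client, or valid client
+# credentials, in the case of a confidential client. The token being
+# revoked must also belong to the requesting client.
 #
 # Once a confidential client is authenticated, it must be authorized to
 # revoke the provided access or refresh token. This ensures one client
@@ -58,15 +89,13 @@ module Doorkeeper
 # https://tools.ietf.org/html/rfc6749#section-2.1
 # https://tools.ietf.org/html/rfc7009
 def authorized?
-return unless token.present?
-
-# Client is confidential, therefore client authentication & authorization
-# is required
+# Token belongs to specific client, so we need to check if
+# authenticated client could access it.
 if token.application_id? && token.application.confidential?
 # We authorize client by checking token's application
 server.client && server.client.application == token.application
 else
-# Client is public, authentication unnecessary
+# Token was issued without client, authorization unnecessary
 true
 end
 end
@@ -78,9 +107,12 @@ module Doorkeeper
 token.revoke if token&.accessible?
 end
 
+# Doorkeeper does not use the token_type_hint logic described in the
+# RFC 7009 due to the refresh token implementation that is a field in
+# the access token model.
 def token
-@token ||= AccessToken.by_token(params["token"]) ||
-AccessToken.by_refresh_token(params["token"])
+@token ||= Doorkeeper.config.access_token_model.by_token(params["token"]) ||
+Doorkeeper.config.access_token_model.by_refresh_token(params["token"])
 end
 
 def strategy
@@ -91,17 +123,22 @@ module Doorkeeper
 @authorize_response ||= begin
 before_successful_authorization
 auth = strategy.authorize
-after_successful_authorization unless auth.is_a?(Doorkeeper::OAuth::ErrorResponse)
+context = build_context(auth: auth)
+after_successful_authorization(context) unless auth.is_a?(Doorkeeper::OAuth::ErrorResponse)
 auth
 end
 end
 
-def after_successful_authorization
-Doorkeeper.configuration.after_successful_authorization.call(self)
+def build_context(**attributes)
+Doorkeeper::OAuth::Hooks::Context.new(**attributes)
+end
+
+def before_successful_authorization(context = nil)
+Doorkeeper.config.before_successful_authorization.call(self, context)
 end
 
-def before_successful_authorization
-Doorkeeper.configuration.before_successful_authorization.call(self)
+def after_successful_authorization(context)
+Doorkeeper.config.after_successful_authorization.call(self, context)
 end
 
 def revocation_error_response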
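Review bot: The comment added above `authorized?` says the token being revoked must belong to the requesting client, but the `else` branch of `authorized?` still returns `true` whenever `token.application_id?` is false or the token's application is not confidential, so a token issued to a public client can be revoked by any other client that passes the new `server.client` guard in `revoke` and knows the token string; the replacement comment "Token was issued without client" describes only the first of those two cases. If public-client tokens are deliberately exempt because a bare `client_id` proves nothing, the comment should say so; otherwise check ownership whenever an application is attached, `if token.application_id?` / `server.client&.application == token.application` / `else true end`. Separately, the `unless server.client` guard answers with `status: :forbidden` while citing RFC 6749 Section 5.2, which pairs `invalid_client` with 401; whether 403 is intended should be confirmed against `revocation_error_response`, whose body is outside the hunk, as is the remainder of `revoke`.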
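--- a/data/app/views/doorkeeper/applications/_form.html.erb
+++ b/data/app/views/doorkeeper/applications/_form.html.erb
@@ -1,4 +1,4 @@
-<%= form_for application, url: doorkeeper_submit_path(application), html: { role: 'form' } do |f| %>
+<%= form_for application, url: doorkeeper_submit_path(application), as: :doorkeeper_application, html: { role: 'form' } do |f| %>
 <% if application.errors.any? %>
 <div class="alert alert-danger" data-alert><p><%= t('doorkeeper.applications.form.error') %></p></div>
 <% end %>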
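Review bot: `as: :doorkeeper_application` pins the key the submitted attributes are nested under, which the CHANGELOG entry for #1397 explains is for custom application models; that only works if `application_params` in applications_controller.rb requires `:doorkeeper_application`, and the controller's hunks show just its `def` line, so the pairing cannot be confirmed from this diff. A short comment on the form, `<%# as: must match the key required by ApplicationsController#application_params %>`, would make the coupling visible to anyone who later overrides either side.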
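--- a/data/app/views/doorkeeper/applications/show.html.erb
+++ b/data/app/views/doorkeeper/applications/show.html.erb
@@ -8,10 +8,27 @@
 <p><code class="bg-light" id="application_id"><%= @application.uid %></code></p>
 
 <h4><%= t('.secret') %>:</h4>
-<p><code class="bg-light" id="secret"><%= flash[:application_secret].presence || @application.plaintext_secret %></code></p>
+<p>
+<code class="bg-light" id="secret">
+<% secret = flash[:application_secret].presence || @application.plaintext_secret %>
+<% if secret.blank? && Doorkeeper.config.application_secret_hashed? %>
+<span class="bg-light font-italic text-uppercase text-muted"><%= t('.secret_hashed') %></span>
+<% else %>
+<%= secret %>
+<% end %>
+</code>
+</p>
 
 <h4><%= t('.scopes') %>:</h4>
-<p><code class="bg-light" id="scopes"><%= @application.scopes.presence || raw('&nbsp;') %></code></p>
+<p>
+<code class="bg-light" id="scopes">
+<% if @application.scopes.present? %>
+<%= @application.scopes %>
+<% else %>
+<span class="bg-light font-italic text-uppercase text-muted"><%= t('.not_defined') %></span>
+<% end %>
+</code>
+</p>
 
 <h4><%= t('.confidential') %>:</h4>
 <p><code class="bg-light" id="confidential"><%= @application.confidential? %></code></p>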
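Review bot: The `secret` local is assigned in the middle of the `<code id="secret">` element, between markup it then branches on; hoisting `<% secret = flash[:application_secret].presence || @application.plaintext_secret %>` above the `<h4>` (or into a helper) keeps the lookup in one place and the markup readable. The `else` branch also renders an empty `<code>` when `secret` is blank and hashing is off, the same as before the change; if that state is reachable, reusing the `t('.not_defined')` placeholder there, `<% elsif secret.blank? %>`, would keep the two blocks symmetrical. Dropping the old `raw('&nbsp;')` in favour of an escaped `<span>` is a welcome tidy-up.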