doorkeeper 5.3.2 → 5.4.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of doorkeeper might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +84 -2
- data/README.md +6 -4
- data/app/controllers/doorkeeper/applications_controller.rb +4 -4
- data/app/controllers/doorkeeper/authorizations_controller.rb +31 -12
- data/app/controllers/doorkeeper/authorized_applications_controller.rb +2 -2
- data/app/controllers/doorkeeper/tokens_controller.rb +57 -20
- data/app/views/doorkeeper/applications/_form.html.erb +1 -1
- data/app/views/doorkeeper/applications/show.html.erb +19 -2
- data/config/locales/en.yml +3 -1
- data/lib/doorkeeper.rb +106 -79
- data/lib/doorkeeper/config.rb +64 -35
- data/lib/doorkeeper/config/abstract_builder.rb +28 -0
- data/lib/doorkeeper/config/option.rb +28 -14
- data/lib/doorkeeper/engine.rb +1 -1
- data/lib/doorkeeper/grape/helpers.rb +1 -1
- data/lib/doorkeeper/helpers/controller.rb +4 -4
- data/lib/doorkeeper/models/access_grant_mixin.rb +20 -16
- data/lib/doorkeeper/models/access_token_mixin.rb +108 -45
- data/lib/doorkeeper/models/application_mixin.rb +5 -4
- data/lib/doorkeeper/models/concerns/resource_ownerable.rb +47 -0
- data/lib/doorkeeper/models/concerns/revocable.rb +1 -1
- data/lib/doorkeeper/models/concerns/scopes.rb +5 -1
- data/lib/doorkeeper/models/concerns/secret_storable.rb +1 -3
- data/lib/doorkeeper/oauth/authorization/code.rb +15 -6
- data/lib/doorkeeper/oauth/authorization/context.rb +2 -2
- data/lib/doorkeeper/oauth/authorization/token.rb +8 -12
- data/lib/doorkeeper/oauth/authorization/uri_builder.rb +4 -4
- data/lib/doorkeeper/oauth/authorization_code_request.rb +18 -8
- data/lib/doorkeeper/oauth/base_request.rb +11 -19
- data/lib/doorkeeper/oauth/client.rb +1 -1
- data/lib/doorkeeper/oauth/client/credentials.rb +2 -4
- data/lib/doorkeeper/oauth/client_credentials/creator.rb +26 -8
- data/lib/doorkeeper/oauth/client_credentials/issuer.rb +3 -2
- data/lib/doorkeeper/oauth/client_credentials/validator.rb +4 -2
- data/lib/doorkeeper/oauth/client_credentials_request.rb +8 -7
- data/lib/doorkeeper/oauth/code_request.rb +3 -3
- data/lib/doorkeeper/oauth/code_response.rb +6 -2
- data/lib/doorkeeper/oauth/error_response.rb +2 -4
- data/lib/doorkeeper/oauth/helpers/scope_checker.rb +1 -5
- data/lib/doorkeeper/oauth/hooks/context.rb +21 -0
- data/lib/doorkeeper/oauth/invalid_token_response.rb +2 -2
- data/lib/doorkeeper/oauth/password_access_token_request.rb +4 -6
- data/lib/doorkeeper/oauth/pre_authorization.rb +36 -30
- data/lib/doorkeeper/oauth/refresh_token_request.rb +18 -22
- data/lib/doorkeeper/oauth/token.rb +5 -6
- data/lib/doorkeeper/oauth/token_introspection.rb +4 -8
- data/lib/doorkeeper/oauth/token_request.rb +3 -3
- data/lib/doorkeeper/oauth/token_response.rb +1 -1
- data/lib/doorkeeper/orm/active_record.rb +10 -2
- data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +8 -3
- data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +7 -3
- data/lib/doorkeeper/orm/active_record/mixins/application.rb +20 -16
- data/lib/doorkeeper/rails/routes.rb +13 -17
- data/lib/doorkeeper/rails/routes/abstract_router.rb +35 -0
- data/lib/doorkeeper/rails/routes/mapper.rb +2 -2
- data/lib/doorkeeper/rails/routes/registry.rb +45 -0
- data/lib/doorkeeper/request/refresh_token.rb +2 -1
- data/lib/doorkeeper/request/strategy.rb +2 -2
- data/lib/doorkeeper/server.rb +4 -4
- data/lib/doorkeeper/stale_records_cleaner.rb +4 -4
- data/lib/doorkeeper/version.rb +2 -2
- data/lib/generators/doorkeeper/confidential_applications_generator.rb +1 -1
- data/lib/generators/doorkeeper/enable_polymorphic_resource_owner_generator.rb +39 -0
- data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +2 -0
- data/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb.erb +2 -0
- data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +2 -0
- data/lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb +17 -0
- data/lib/generators/doorkeeper/templates/initializer.rb +39 -3
- data/lib/generators/doorkeeper/templates/migration.rb.erb +14 -5
- metadata +12 -295
- data/Appraisals +0 -40
- data/CODE_OF_CONDUCT.md +0 -46
- data/CONTRIBUTING.md +0 -49
- data/Dangerfile +0 -67
- data/Dockerfile +0 -29
- data/Gemfile +0 -25
- data/NEWS.md +0 -1
- data/RELEASING.md +0 -11
- data/Rakefile +0 -28
- data/SECURITY.md +0 -15
- data/UPGRADE.md +0 -2
- data/bin/console +0 -16
- data/doorkeeper.gemspec +0 -42
- data/gemfiles/rails_5_0.gemfile +0 -18
- data/gemfiles/rails_5_1.gemfile +0 -18
- data/gemfiles/rails_5_2.gemfile +0 -18
- data/gemfiles/rails_6_0.gemfile +0 -18
- data/gemfiles/rails_master.gemfile +0 -18
- data/spec/controllers/application_metal_controller_spec.rb +0 -64
- data/spec/controllers/applications_controller_spec.rb +0 -274
- data/spec/controllers/authorizations_controller_spec.rb +0 -608
- data/spec/controllers/protected_resources_controller_spec.rb +0 -361
- data/spec/controllers/token_info_controller_spec.rb +0 -50
- data/spec/controllers/tokens_controller_spec.rb +0 -498
- data/spec/dummy/Rakefile +0 -9
- data/spec/dummy/app/assets/config/manifest.js +0 -2
- data/spec/dummy/app/controllers/application_controller.rb +0 -5
- data/spec/dummy/app/controllers/custom_authorizations_controller.rb +0 -9
- data/spec/dummy/app/controllers/full_protected_resources_controller.rb +0 -14
- data/spec/dummy/app/controllers/home_controller.rb +0 -18
- data/spec/dummy/app/controllers/metal_controller.rb +0 -13
- data/spec/dummy/app/controllers/semi_protected_resources_controller.rb +0 -13
- data/spec/dummy/app/helpers/application_helper.rb +0 -7
- data/spec/dummy/app/models/user.rb +0 -7
- data/spec/dummy/app/views/home/index.html.erb +0 -0
- data/spec/dummy/app/views/layouts/application.html.erb +0 -14
- data/spec/dummy/config.ru +0 -6
- data/spec/dummy/config/application.rb +0 -49
- data/spec/dummy/config/boot.rb +0 -7
- data/spec/dummy/config/database.yml +0 -15
- data/spec/dummy/config/environment.rb +0 -5
- data/spec/dummy/config/environments/development.rb +0 -31
- data/spec/dummy/config/environments/production.rb +0 -64
- data/spec/dummy/config/environments/test.rb +0 -45
- data/spec/dummy/config/initializers/backtrace_silencers.rb +0 -9
- data/spec/dummy/config/initializers/doorkeeper.rb +0 -166
- data/spec/dummy/config/initializers/secret_token.rb +0 -10
- data/spec/dummy/config/initializers/session_store.rb +0 -10
- data/spec/dummy/config/initializers/wrap_parameters.rb +0 -16
- data/spec/dummy/config/locales/doorkeeper.en.yml +0 -5
- data/spec/dummy/config/routes.rb +0 -13
- data/spec/dummy/db/migrate/20111122132257_create_users.rb +0 -11
- data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb +0 -7
- data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +0 -69
- data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb +0 -9
- data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb +0 -13
- data/spec/dummy/db/migrate/20170822064514_enable_pkce.rb +0 -8
- data/spec/dummy/db/migrate/20180210183654_add_confidential_to_applications.rb +0 -13
- data/spec/dummy/db/schema.rb +0 -68
- data/spec/dummy/public/404.html +0 -26
- data/spec/dummy/public/422.html +0 -26
- data/spec/dummy/public/500.html +0 -26
- data/spec/dummy/public/favicon.ico +0 -0
- data/spec/dummy/script/rails +0 -9
- data/spec/factories.rb +0 -30
- data/spec/generators/application_owner_generator_spec.rb +0 -28
- data/spec/generators/confidential_applications_generator_spec.rb +0 -29
- data/spec/generators/install_generator_spec.rb +0 -36
- data/spec/generators/migration_generator_spec.rb +0 -28
- data/spec/generators/pkce_generator_spec.rb +0 -28
- data/spec/generators/previous_refresh_token_generator_spec.rb +0 -44
- data/spec/generators/templates/routes.rb +0 -4
- data/spec/generators/views_generator_spec.rb +0 -29
- data/spec/grape/grape_integration_spec.rb +0 -137
- data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +0 -26
- data/spec/lib/config_spec.rb +0 -809
- data/spec/lib/doorkeeper_spec.rb +0 -27
- data/spec/lib/models/expirable_spec.rb +0 -61
- data/spec/lib/models/reusable_spec.rb +0 -40
- data/spec/lib/models/revocable_spec.rb +0 -59
- data/spec/lib/models/scopes_spec.rb +0 -53
- data/spec/lib/models/secret_storable_spec.rb +0 -135
- data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -39
- data/spec/lib/oauth/authorization_code_request_spec.rb +0 -170
- data/spec/lib/oauth/base_request_spec.rb +0 -224
- data/spec/lib/oauth/base_response_spec.rb +0 -45
- data/spec/lib/oauth/client/credentials_spec.rb +0 -90
- data/spec/lib/oauth/client_credentials/creator_spec.rb +0 -134
- data/spec/lib/oauth/client_credentials/issuer_spec.rb +0 -112
- data/spec/lib/oauth/client_credentials/validation_spec.rb +0 -59
- data/spec/lib/oauth/client_credentials_integration_spec.rb +0 -27
- data/spec/lib/oauth/client_credentials_request_spec.rb +0 -107
- data/spec/lib/oauth/client_spec.rb +0 -38
- data/spec/lib/oauth/code_request_spec.rb +0 -46
- data/spec/lib/oauth/code_response_spec.rb +0 -32
- data/spec/lib/oauth/error_response_spec.rb +0 -64
- data/spec/lib/oauth/error_spec.rb +0 -21
- data/spec/lib/oauth/forbidden_token_response_spec.rb +0 -20
- data/spec/lib/oauth/helpers/scope_checker_spec.rb +0 -110
- data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -21
- data/spec/lib/oauth/helpers/uri_checker_spec.rb +0 -262
- data/spec/lib/oauth/invalid_request_response_spec.rb +0 -73
- data/spec/lib/oauth/invalid_token_response_spec.rb +0 -53
- data/spec/lib/oauth/password_access_token_request_spec.rb +0 -190
- data/spec/lib/oauth/pre_authorization_spec.rb +0 -223
- data/spec/lib/oauth/refresh_token_request_spec.rb +0 -177
- data/spec/lib/oauth/scopes_spec.rb +0 -146
- data/spec/lib/oauth/token_request_spec.rb +0 -157
- data/spec/lib/oauth/token_response_spec.rb +0 -84
- data/spec/lib/oauth/token_spec.rb +0 -156
- data/spec/lib/request/strategy_spec.rb +0 -54
- data/spec/lib/secret_storing/base_spec.rb +0 -60
- data/spec/lib/secret_storing/bcrypt_spec.rb +0 -49
- data/spec/lib/secret_storing/plain_spec.rb +0 -44
- data/spec/lib/secret_storing/sha256_hash_spec.rb +0 -48
- data/spec/lib/server_spec.rb +0 -49
- data/spec/lib/stale_records_cleaner_spec.rb +0 -89
- data/spec/models/doorkeeper/access_grant_spec.rb +0 -161
- data/spec/models/doorkeeper/access_token_spec.rb +0 -622
- data/spec/models/doorkeeper/application_spec.rb +0 -482
- data/spec/requests/applications/applications_request_spec.rb +0 -259
- data/spec/requests/applications/authorized_applications_spec.rb +0 -32
- data/spec/requests/endpoints/authorization_spec.rb +0 -91
- data/spec/requests/endpoints/token_spec.rb +0 -75
- data/spec/requests/flows/authorization_code_errors_spec.rb +0 -79
- data/spec/requests/flows/authorization_code_spec.rb +0 -525
- data/spec/requests/flows/client_credentials_spec.rb +0 -166
- data/spec/requests/flows/implicit_grant_errors_spec.rb +0 -46
- data/spec/requests/flows/implicit_grant_spec.rb +0 -91
- data/spec/requests/flows/password_spec.rb +0 -316
- data/spec/requests/flows/refresh_token_spec.rb +0 -233
- data/spec/requests/flows/revoke_token_spec.rb +0 -157
- data/spec/requests/flows/skip_authorization_spec.rb +0 -66
- data/spec/requests/protected_resources/metal_spec.rb +0 -16
- data/spec/requests/protected_resources/private_api_spec.rb +0 -83
- data/spec/routing/custom_controller_routes_spec.rb +0 -133
- data/spec/routing/default_routes_spec.rb +0 -41
- data/spec/routing/scoped_routes_spec.rb +0 -47
- data/spec/spec_helper.rb +0 -54
- data/spec/spec_helper_integration.rb +0 -4
- data/spec/support/dependencies/factory_bot.rb +0 -4
- data/spec/support/doorkeeper_rspec.rb +0 -22
- data/spec/support/helpers/access_token_request_helper.rb +0 -13
- data/spec/support/helpers/authorization_request_helper.rb +0 -43
- data/spec/support/helpers/config_helper.rb +0 -11
- data/spec/support/helpers/model_helper.rb +0 -78
- data/spec/support/helpers/request_spec_helper.rb +0 -110
- data/spec/support/helpers/url_helper.rb +0 -62
- data/spec/support/orm/active_record.rb +0 -5
- data/spec/support/shared/controllers_shared_context.rb +0 -133
- data/spec/support/shared/hashing_shared_context.rb +0 -36
- data/spec/support/shared/models_shared_examples.rb +0 -54
- data/spec/validators/redirect_uri_validator_spec.rb +0 -183
- data/spec/version/version_spec.rb +0 -17
|
@@ -0,0 +1,47 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module Doorkeeper
|
|
4
|
+
module Models
|
|
5
|
+
module ResourceOwnerable
|
|
6
|
+
extend ActiveSupport::Concern
|
|
7
|
+
|
|
8
|
+
module ClassMethods
|
|
9
|
+
# Searches for record by Resource Owner considering Doorkeeper
|
|
10
|
+
# configuration for resource owner association.
|
|
11
|
+
#
|
|
12
|
+
# @param resource_owner [ActiveRecord::Base, Integer]
|
|
13
|
+
# resource owner
|
|
14
|
+
#
|
|
15
|
+
# @return [Doorkeeper::AccessGrant, Doorkeeper::AccessToken]
|
|
16
|
+
# collection of records
|
|
17
|
+
#
|
|
18
|
+
def by_resource_owner(resource_owner)
|
|
19
|
+
if Doorkeeper.configuration.polymorphic_resource_owner?
|
|
20
|
+
where(resource_owner: resource_owner)
|
|
21
|
+
else
|
|
22
|
+
where(resource_owner_id: resource_owner_id_for(resource_owner))
|
|
23
|
+
end
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
protected
|
|
27
|
+
|
|
28
|
+
# Backward compatible way to retrieve resource owner itself (if
|
|
29
|
+
# polymorphic association enabled) or just it's ID.
|
|
30
|
+
#
|
|
31
|
+
# @param resource_owner [ActiveRecord::Base, Integer]
|
|
32
|
+
# resource owner
|
|
33
|
+
#
|
|
34
|
+
# @return [ActiveRecord::Base, Integer]
|
|
35
|
+
# instance of Resource Owner or it's ID
|
|
36
|
+
#
|
|
37
|
+
def resource_owner_id_for(resource_owner)
|
|
38
|
+
if resource_owner.respond_to?(:to_key)
|
|
39
|
+
resource_owner.id
|
|
40
|
+
else
|
|
41
|
+
resource_owner
|
|
42
|
+
end
|
|
43
|
+
end
|
|
44
|
+
end
|
|
45
|
+
end
|
|
46
|
+
end
|
|
47
|
+
end
|
|
@@ -8,7 +8,11 @@ module Doorkeeper
|
|
|
8
8
|
end
|
|
9
9
|
|
|
10
10
|
def scopes=(value)
|
|
11
|
-
|
|
11
|
+
if value.is_a?(Array)
|
|
12
|
+
super(Doorkeeper::OAuth::Scopes.from_array(value).to_s)
|
|
13
|
+
else
|
|
14
|
+
super(Doorkeeper::OAuth::Scopes.from_string(value.to_s).to_s)
|
|
15
|
+
end
|
|
12
16
|
end
|
|
13
17
|
|
|
14
18
|
def scopes_string
|
|
@@ -25,9 +25,7 @@ module Doorkeeper
|
|
|
25
25
|
# @return [Boolean]
|
|
26
26
|
# Whether input matches secret as per the secret strategy
|
|
27
27
|
#
|
|
28
|
-
|
|
29
|
-
secret_strategy.secret_matches?(input, secret)
|
|
30
|
-
end
|
|
28
|
+
delegate :secret_matches?, to: :secret_strategy
|
|
31
29
|
|
|
32
30
|
# Returns an instance of the Doorkeeper::AccessToken with
|
|
33
31
|
# specific token value.
|
|
@@ -4,15 +4,17 @@ module Doorkeeper
|
|
|
4
4
|
module OAuth
|
|
5
5
|
module Authorization
|
|
6
6
|
class Code
|
|
7
|
-
|
|
7
|
+
attr_reader :pre_auth, :resource_owner, :token
|
|
8
8
|
|
|
9
9
|
def initialize(pre_auth, resource_owner)
|
|
10
10
|
@pre_auth = pre_auth
|
|
11
11
|
@resource_owner = resource_owner
|
|
12
12
|
end
|
|
13
13
|
|
|
14
|
-
def issue_token
|
|
15
|
-
@token
|
|
14
|
+
def issue_token!
|
|
15
|
+
return @token if defined?(@token)
|
|
16
|
+
|
|
17
|
+
@token = Doorkeeper.config.access_grant_model.create!(access_grant_attributes)
|
|
16
18
|
end
|
|
17
19
|
|
|
18
20
|
def oob_redirect
|
|
@@ -26,13 +28,20 @@ module Doorkeeper
|
|
|
26
28
|
end
|
|
27
29
|
|
|
28
30
|
def access_grant_attributes
|
|
29
|
-
|
|
31
|
+
attributes = {
|
|
30
32
|
application_id: pre_auth.client.id,
|
|
31
|
-
resource_owner_id: resource_owner.id,
|
|
32
33
|
expires_in: authorization_code_expires_in,
|
|
33
34
|
redirect_uri: pre_auth.redirect_uri,
|
|
34
35
|
scopes: pre_auth.scopes.to_s,
|
|
35
|
-
|
|
36
|
+
}
|
|
37
|
+
|
|
38
|
+
if Doorkeeper.config.polymorphic_resource_owner?
|
|
39
|
+
attributes[:resource_owner] = resource_owner
|
|
40
|
+
else
|
|
41
|
+
attributes[:resource_owner_id] = resource_owner.id
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
pkce_attributes.merge(attributes)
|
|
36
45
|
end
|
|
37
46
|
|
|
38
47
|
def pkce_attributes
|
|
@@ -4,7 +4,7 @@ module Doorkeeper
|
|
|
4
4
|
module OAuth
|
|
5
5
|
module Authorization
|
|
6
6
|
class Token
|
|
7
|
-
|
|
7
|
+
attr_reader :pre_auth, :resource_owner, :token
|
|
8
8
|
|
|
9
9
|
class << self
|
|
10
10
|
def build_context(pre_auth_or_oauth_client, grant_type, scopes)
|
|
@@ -48,7 +48,7 @@ module Doorkeeper
|
|
|
48
48
|
@resource_owner = resource_owner
|
|
49
49
|
end
|
|
50
50
|
|
|
51
|
-
def issue_token
|
|
51
|
+
def issue_token!
|
|
52
52
|
return @token if defined?(@token)
|
|
53
53
|
|
|
54
54
|
context = self.class.build_context(
|
|
@@ -57,12 +57,12 @@ module Doorkeeper
|
|
|
57
57
|
pre_auth.scopes,
|
|
58
58
|
)
|
|
59
59
|
|
|
60
|
-
@token =
|
|
61
|
-
pre_auth.client,
|
|
62
|
-
resource_owner
|
|
63
|
-
pre_auth.scopes,
|
|
64
|
-
self.class.access_token_expires_in(
|
|
65
|
-
false,
|
|
60
|
+
@token = Doorkeeper.config.access_token_model.find_or_create_for(
|
|
61
|
+
application: pre_auth.client,
|
|
62
|
+
resource_owner: resource_owner,
|
|
63
|
+
scopes: pre_auth.scopes,
|
|
64
|
+
expires_in: self.class.access_token_expires_in(Doorkeeper.config, context),
|
|
65
|
+
use_refresh_token: false,
|
|
66
66
|
)
|
|
67
67
|
end
|
|
68
68
|
|
|
@@ -76,10 +76,6 @@ module Doorkeeper
|
|
|
76
76
|
|
|
77
77
|
private
|
|
78
78
|
|
|
79
|
-
def configuration
|
|
80
|
-
Doorkeeper.config
|
|
81
|
-
end
|
|
82
|
-
|
|
83
79
|
def controller
|
|
84
80
|
@controller ||= begin
|
|
85
81
|
mapping = Doorkeeper::Rails::Routes.mapping[:token_info] || {}
|
|
@@ -8,9 +8,9 @@ module Doorkeeper
|
|
|
8
8
|
class URIBuilder
|
|
9
9
|
class << self
|
|
10
10
|
def uri_with_query(url, parameters = {})
|
|
11
|
-
uri
|
|
11
|
+
uri = URI.parse(url)
|
|
12
12
|
original_query = Rack::Utils.parse_query(uri.query)
|
|
13
|
-
uri.query
|
|
13
|
+
uri.query = build_query(original_query.merge(parameters))
|
|
14
14
|
uri.to_s
|
|
15
15
|
end
|
|
16
16
|
|
|
@@ -23,8 +23,8 @@ module Doorkeeper
|
|
|
23
23
|
private
|
|
24
24
|
|
|
25
25
|
def build_query(parameters = {})
|
|
26
|
-
parameters = parameters.reject { |_,
|
|
27
|
-
Rack::Utils.build_query
|
|
26
|
+
parameters = parameters.reject { |_, value| value.blank? }
|
|
27
|
+
Rack::Utils.build_query(parameters)
|
|
28
28
|
end
|
|
29
29
|
end
|
|
30
30
|
end
|
|
@@ -11,9 +11,8 @@ module Doorkeeper
|
|
|
11
11
|
validate :redirect_uri, error: :invalid_grant
|
|
12
12
|
validate :code_verifier, error: :invalid_grant
|
|
13
13
|
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
attr_reader :invalid_request_reason, :missing_param
|
|
14
|
+
attr_reader :grant, :client, :redirect_uri, :access_token, :code_verifier,
|
|
15
|
+
:invalid_request_reason, :missing_param
|
|
17
16
|
|
|
18
17
|
def initialize(server, grant, client, parameters = {})
|
|
19
18
|
@server = server
|
|
@@ -33,19 +32,30 @@ module Doorkeeper
|
|
|
33
32
|
|
|
34
33
|
grant.revoke
|
|
35
34
|
|
|
35
|
+
resource_owner = if Doorkeeper.config.polymorphic_resource_owner?
|
|
36
|
+
grant.resource_owner
|
|
37
|
+
else
|
|
38
|
+
grant.resource_owner_id
|
|
39
|
+
end
|
|
40
|
+
|
|
36
41
|
find_or_create_access_token(
|
|
37
42
|
grant.application,
|
|
38
|
-
|
|
43
|
+
resource_owner,
|
|
39
44
|
grant.scopes,
|
|
40
45
|
server,
|
|
41
46
|
)
|
|
42
47
|
end
|
|
48
|
+
|
|
43
49
|
super
|
|
44
50
|
end
|
|
45
51
|
|
|
52
|
+
def pkce_supported?
|
|
53
|
+
Doorkeeper.config.access_grant_model.pkce_supported?
|
|
54
|
+
end
|
|
55
|
+
|
|
46
56
|
def validate_pkce_support
|
|
47
57
|
@invalid_request_reason = :not_support_pkce if grant &&
|
|
48
|
-
!
|
|
58
|
+
!pkce_supported? &&
|
|
49
59
|
code_verifier.present?
|
|
50
60
|
|
|
51
61
|
@invalid_request_reason.nil?
|
|
@@ -78,11 +88,11 @@ module Doorkeeper
|
|
|
78
88
|
)
|
|
79
89
|
end
|
|
80
90
|
|
|
81
|
-
# if either side (server or client) request
|
|
82
|
-
# against the DB - if
|
|
91
|
+
# if either side (server or client) request PKCE, check the verifier
|
|
92
|
+
# against the DB - if PKCE is supported
|
|
83
93
|
def validate_code_verifier
|
|
84
94
|
return true unless grant.uses_pkce? || code_verifier
|
|
85
|
-
return false unless
|
|
95
|
+
return false unless pkce_supported?
|
|
86
96
|
|
|
87
97
|
if grant.code_challenge_method == "S256"
|
|
88
98
|
grant.code_challenge == generate_code_challenge(code_verifier)
|
|
@@ -5,11 +5,11 @@ module Doorkeeper
|
|
|
5
5
|
class BaseRequest
|
|
6
6
|
include Validations
|
|
7
7
|
|
|
8
|
-
attr_reader :grant_type
|
|
8
|
+
attr_reader :grant_type, :server
|
|
9
9
|
|
|
10
|
-
|
|
11
|
-
validate
|
|
10
|
+
delegate :default_scopes, to: :server
|
|
12
11
|
|
|
12
|
+
def authorize
|
|
13
13
|
if valid?
|
|
14
14
|
before_successful_response
|
|
15
15
|
@response = TokenResponse.new(access_token)
|
|
@@ -26,22 +26,14 @@ module Doorkeeper
|
|
|
26
26
|
@scopes ||= build_scopes
|
|
27
27
|
end
|
|
28
28
|
|
|
29
|
-
def
|
|
30
|
-
server.default_scopes
|
|
31
|
-
end
|
|
32
|
-
|
|
33
|
-
def valid?
|
|
34
|
-
error.nil?
|
|
35
|
-
end
|
|
36
|
-
|
|
37
|
-
def find_or_create_access_token(client, resource_owner_id, scopes, server)
|
|
29
|
+
def find_or_create_access_token(client, resource_owner, scopes, server)
|
|
38
30
|
context = Authorization::Token.build_context(client, grant_type, scopes)
|
|
39
31
|
@access_token = server_config.access_token_model.find_or_create_for(
|
|
40
|
-
client,
|
|
41
|
-
|
|
42
|
-
scopes,
|
|
43
|
-
Authorization::Token.access_token_expires_in(server, context),
|
|
44
|
-
Authorization::Token.refresh_token_enabled?(server, context),
|
|
32
|
+
application: client,
|
|
33
|
+
resource_owner: resource_owner,
|
|
34
|
+
scopes: scopes,
|
|
35
|
+
expires_in: Authorization::Token.access_token_expires_in(server, context),
|
|
36
|
+
use_refresh_token: Authorization::Token.refresh_token_enabled?(server, context),
|
|
45
37
|
)
|
|
46
38
|
end
|
|
47
39
|
|
|
@@ -63,10 +55,10 @@ module Doorkeeper
|
|
|
63
55
|
if @original_scopes.present?
|
|
64
56
|
OAuth::Scopes.from_string(@original_scopes)
|
|
65
57
|
else
|
|
66
|
-
client_scopes = @client
|
|
58
|
+
client_scopes = @client&.scopes
|
|
67
59
|
return default_scopes if client_scopes.blank?
|
|
68
60
|
|
|
69
|
-
default_scopes &
|
|
61
|
+
default_scopes & client_scopes
|
|
70
62
|
end
|
|
71
63
|
end
|
|
72
64
|
end
|
|
@@ -9,7 +9,7 @@ module Doorkeeper
|
|
|
9
9
|
credentials_methods.inject(nil) do |_, method|
|
|
10
10
|
method = self.method(method) if method.is_a?(Symbol)
|
|
11
11
|
credentials = Credentials.new(*method.call(request))
|
|
12
|
-
break credentials
|
|
12
|
+
break credentials if credentials.present?
|
|
13
13
|
end
|
|
14
14
|
end
|
|
15
15
|
|
|
@@ -27,9 +27,7 @@ module Doorkeeper
|
|
|
27
27
|
|
|
28
28
|
# Public clients may have their secret blank, but "credentials" are
|
|
29
29
|
# still present
|
|
30
|
-
|
|
31
|
-
uid.blank?
|
|
32
|
-
end
|
|
30
|
+
delegate :blank?, to: :uid
|
|
33
31
|
end
|
|
34
32
|
end
|
|
35
33
|
end
|
|
@@ -2,26 +2,44 @@
|
|
|
2
2
|
|
|
3
3
|
module Doorkeeper
|
|
4
4
|
module OAuth
|
|
5
|
-
|
|
5
|
+
module ClientCredentials
|
|
6
6
|
class Creator
|
|
7
7
|
def call(client, scopes, attributes = {})
|
|
8
|
+
existing_token = nil
|
|
9
|
+
|
|
8
10
|
if lookup_existing_token?
|
|
9
11
|
existing_token = find_existing_token_for(client, scopes)
|
|
10
12
|
return existing_token if server_config.reuse_access_token && existing_token&.reusable?
|
|
11
|
-
|
|
12
|
-
existing_token&.revoke if server_config.revoke_previous_client_credentials_token
|
|
13
13
|
end
|
|
14
14
|
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
15
|
+
with_revocation(existing_token: existing_token) do
|
|
16
|
+
server_config.access_token_model.find_or_create_for(
|
|
17
|
+
application: client,
|
|
18
|
+
resource_owner: nil,
|
|
19
|
+
scopes: scopes,
|
|
20
|
+
**attributes,
|
|
21
|
+
)
|
|
22
|
+
end
|
|
19
23
|
end
|
|
20
24
|
|
|
21
25
|
private
|
|
22
26
|
|
|
27
|
+
def with_revocation(existing_token:)
|
|
28
|
+
if existing_token && server_config.revoke_previous_client_credentials_token?
|
|
29
|
+
existing_token.with_lock do
|
|
30
|
+
raise Errors::DoorkeeperError, :invalid_token_reuse if existing_token.revoked?
|
|
31
|
+
|
|
32
|
+
existing_token.revoke
|
|
33
|
+
|
|
34
|
+
yield
|
|
35
|
+
end
|
|
36
|
+
else
|
|
37
|
+
yield
|
|
38
|
+
end
|
|
39
|
+
end
|
|
40
|
+
|
|
23
41
|
def lookup_existing_token?
|
|
24
|
-
server_config.reuse_access_token || server_config.revoke_previous_client_credentials_token
|
|
42
|
+
server_config.reuse_access_token || server_config.revoke_previous_client_credentials_token?
|
|
25
43
|
end
|
|
26
44
|
|
|
27
45
|
def find_existing_token_for(client, scopes)
|
|
@@ -2,9 +2,9 @@
|
|
|
2
2
|
|
|
3
3
|
module Doorkeeper
|
|
4
4
|
module OAuth
|
|
5
|
-
|
|
5
|
+
module ClientCredentials
|
|
6
6
|
class Issuer
|
|
7
|
-
|
|
7
|
+
attr_reader :token, :validator, :error
|
|
8
8
|
|
|
9
9
|
def initialize(server, validator)
|
|
10
10
|
@server = server
|
|
@@ -19,6 +19,7 @@ module Doorkeeper
|
|
|
19
19
|
@token = false
|
|
20
20
|
@error = validator.error
|
|
21
21
|
end
|
|
22
|
+
|
|
22
23
|
@token
|
|
23
24
|
end
|
|
24
25
|
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
module Doorkeeper
|
|
4
4
|
module OAuth
|
|
5
|
-
|
|
5
|
+
module ClientCredentials
|
|
6
6
|
class Validator
|
|
7
7
|
include Validations
|
|
8
8
|
include OAuth::Helpers
|
|
@@ -26,9 +26,11 @@ module Doorkeeper
|
|
|
26
26
|
end
|
|
27
27
|
|
|
28
28
|
def validate_client_supports_grant_flow
|
|
29
|
+
return if @client.blank?
|
|
30
|
+
|
|
29
31
|
Doorkeeper.config.allow_grant_flow_for_client?(
|
|
30
32
|
Doorkeeper::OAuth::CLIENT_CREDENTIALS,
|
|
31
|
-
@client,
|
|
33
|
+
@client.application,
|
|
32
34
|
)
|
|
33
35
|
end
|
|
34
36
|
|