doorkeeper 5.3.2 → 5.5.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2a2e558c16d91012fda8543a405ee8e107ec3e100edc255ef9c0453e15fee34b
-  data.tar.gz: 0e9ffe0268ccfb370ec23cd5c5b124e8febdec591cd0d5443974bd73942079f2
+  metadata.gz: 1099136de2b2fe0f0443f88bdbe2260ebed52efb2aab31d1d35bb7aa9f801acd
+  data.tar.gz: '09837820494b55d6bd26e2d997c203b221bc7951e74a6d1e2197122a86f0f1b2'
 SHA512:
-  metadata.gz: 11b2350bfbe3e18b7500b9a159096dda35fc2307f66ab5ccec9e1266c18a4fc34e1ac9a8ffa763f713cd431dbb9a5fee7734bcd9d6576b41749101e3f149e969
-  data.tar.gz: 7fdb1df4a142ac870a3a37838c4131a7514f81571319339c115754bf92ad3ed97c9e5a543008b94da6117e854104e418052bb634a5e5fcfb460063ecb83c6b5d
+  metadata.gz: 9197207fe8db140d8658aa12cd7422bfd84a001227a9f0841ebf5d92da4be531cfd7dea26aad584fff3573bc066b8fadc4e9d4e70bcc6dd5978253d94a9d66a4
+  data.tar.gz: 3b37c794027fcdbec12ef314bd6a927e111c2aed2044f3ead9f05893400e7221bf9adf98203efe7a225b395d5644326b943c144c13fb0caeccff5dff20a56ca5

data/CHANGELOG.md

@@ -5,9 +5,39 @@ upgrade guides.
 
 User-visible changes worth mentioning.
 
-## 5.3.2
+## master
 
-- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+- [#PR ID] Add your PR description here.
+
+## 5.5.0.rc1
+
+- [#1435] Make error response not redirectable when client is unauthorized
+- [#1426] Ensure ActiveRecord callbacks are executed on token revocation.
+- [#1407] Remove redundant and complex to support helpers froms tests (`should_have_json`, etc).
+- [#1416] Don't add introspection route if token introspection completely disabled.
+- [#1410] Properly memoize `current_resource_owner` value (consider `nil` and `false` values).
+- [#1415] Ignore PKCE params for non-PKCE grants.
+- [#1418] Add ability to register custom OAuth Grant Flows.
+- [#1420] Require client authentication for Resource Owner Password Grant as stated in OAuth RFC.
+  
+  **[IMPORTANT]** you need to create a new OAuth client (`Doorkeeper::Application`) if yoo didn't
+    have it before and use client credentials in HTTP Basic auth if you previously used this grant
+    flow without client authentication. For migration purposes you could enable
+    `skip_client_authentication_for_password_grant` configuration option to `true`, but such behavior
+    (as well as configuration option) would be completely removed in a future version of Doorkeeper.
+    All the users of your provider application now need to include client credentials when they use
+    this grant flow.
+
+- [#1421] Add Resource Owner instance to authorization hook context for `custom_access_token_expires_in`
+  configuration option to allow resource owner based Access Tokens TTL.
+
+## 5.4.0
+
+- [#1404] Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.4.0.rc2
+
+- [#1371] Add `#as_json` method and attributes serialization restriction for Application model.
   Fixes information disclosure vulnerability (CVE-2020-10187).
   
   **[IMPORTANT]** you need to re-implement `#as_json` method for Doorkeeper Application model
@@ -15,6 +45,54 @@ User-visible changes worth mentioning.
   JSON response from /oauth/applications.json or /oauth/authorized_applications.json. This change
   is a breaking change which restricts serialized attributes to a very small set of columns.
 
+- [#1395] Fix `NameError: uninitialized constant Doorkeeper::AccessToken` for Rake tasks.
+- [#1397] Add `as: :doorkeeper_application` on Doorkeeper application form in order to support
+  custom configured application model.
+- [#1400] Correctly yield the application instance to `allow_grant_flow_for_client?` config
+  option (fixes #1398).
+- [#1402] Handle trying authorization with client credentials.
+
+## 5.4.0.rc1
+- [#1366] Sets expiry of token generated using `refresh_token` to that of original token. (Fixes #1364) 
+- [#1354] Add `authorize_resource_owner_for_client` option to authorize the calling user to access an application.
+- [#1355] Allow to enable polymorphic Resource Owner association for Access Token & Grant
+  models (`use_polymorphic_resource_owner` configuration option).
+  
+  **[IMPORTANT]** Review your custom patches or extensions for Doorkeeper internals if you
+  have such - since now Doorkeeper passes Resource Owner instance to every objects and not
+  just it's ID. See PR description for details.
+  
+- [#1356] Remove duplicated scopes from Access Tokens and Grants on attribute assignment.
+- [#1357] Fix `Doorkeeper::OAuth::PreAuthorization#as_json` method causing 
+  `Stack level too deep` error with AMS (fix #1312).
+- [#1358] Deprecate `active_record_options` configuration option.
+- [#1359] Refactor Doorkeeper configuration options DSL to make it easy to reuse it
+  in external extensions.
+- [#1360] Increase `matching_token_for` lookup size to 10 000 and make it configurable.
+- [#1371] Fix controllers to use valid classes in case Doorkeeper has custom models configured.
+- [#1370] Fix revocation response for invalid token and unauthorized requests to conform with RFC 7009 (fixes #1362).
+
+  **[IMPORTANT]** now fully according to RFC 7009 nobody can do a revocation request without `client_id`
+  (for public clients) and `client_secret` (for private clients). Please update your apps to include that
+  info in the revocation request payload.
+  
+- [#1373] Make Doorkeeper routes mapper reusable in extensions.
+- [#1374] Revoke and issue client credentials token in a transaction with a row lock.
+- [#1384] Add context object with auth/pre_auth and issued_token for authorization hooks.
+- [#1387] Add `AccessToken#create_for` and use in `RefreshTokenRequest`.
+- [#1392] Fix `enable_polymorphic_resource_owner` migration template to have proper index name.
+- [#1393] Improve Applications #show page with more informative data on client secret and scopes.
+- [#1394] Use Ruby `autoload` feature to load Doorkeeper files.
+
+## 5.3.3
+
+- [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.3.2
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
+
 ## 5.3.1
 
 - [#1360] Backport: Increase `matching_token_for` batch lookup size to 10 000 and make it configurable.
@@ -33,6 +111,15 @@ User-visible changes worth mentioning.
   If you were relying on access tokens being revoked once the same client
   requested a new access token, reenable it with `revoke_previous_client_credentials_token` in Doorkeeper
   initialization file.
+
+## 5.2.6
+
+- [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.2.5
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
   
 ## 5.2.4
   
@@ -66,6 +153,9 @@ User-visible changes worth mentioning.
 - [#1298] Slice strong params so doesn't error with Rails forms.
 - [#1300] Limiting access to attributes of pre_authorization.
 - [#1296] Adding client_id to strong parameters.
+
+  **[IMPORTANT]** `Doorkeeper::Server#client_via_uid` was removed.
+
 - [#1293] Move ar specific redirect uri validator to ar orm directory.
 - [#1288] Allow to pass attributes to the `Doorkeeper::OAuth::PreAuthorization#as_json` method to customize
   the PreAuthorization response.
@@ -98,6 +188,15 @@ User-visible changes worth mentioning.
 - [#1248] Return the unhashed Application Secret in the JSON response after creating new application even when `hash_application_secrets` is used.
 - [#1238] Better support for native app with support for custom scheme and localhost redirection.
 
+## 5.1.2
+
+- [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.1.1
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
+
 ## 5.1.0
 
 - [#1243] Add nil check operator in token checking at token introspection.
@@ -159,6 +258,11 @@ User-visible changes worth mentioning.
 - [#1164] Fix error when `root_path` is not defined.
 - [#1162] Fix `enforce_content_type` for requests without body.
 
+## 5.0.3
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
+
 ## 5.0.2
 
 - [#1158] Fix initializer template: change `handle_auth_errors` option

data/README.md

@@ -6,7 +6,7 @@
 [![Coverage Status](https://coveralls.io/repos/github/doorkeeper-gem/doorkeeper/badge.svg?branch=master)](https://coveralls.io/github/doorkeeper-gem/doorkeeper?branch=master)
 [![Security](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master.svg)](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master)
 [![Reviewed by Hound](https://img.shields.io/badge/Reviewed_by-Hound-8E64B0.svg)](https://houndci.com)
-[![GuardRails badge](https://badges.production.guardrails.io/doorkeeper-gem/doorkeeper.svg?token=66768ce8f6995814df81f65a2cff40f739f688492704f973e62809e15599bb62)](https://dashboard.guardrails.io/default/gh/doorkeeper-gem/doorkeeper)
+[![GuardRails badge](https://badges.guardrails.io/doorkeeper-gem/doorkeeper.svg?token=66768ce8f6995814df81f65a2cff40f739f688492704f973e62809e15599bb62)](https://dashboard.guardrails.io/default/gh/doorkeeper-gem/doorkeeper)
 [![Dependabot](https://img.shields.io/badge/dependabot-enabled-success.svg)](https://dependabot.com)
 
 Doorkeeper is a gem (Rails engine) that makes it easy to introduce OAuth 2 provider
@@ -113,7 +113,7 @@ These applications show how Doorkeeper works and how to integrate with it. Start
 
 | Application | Link |
 | :--- | :--- |
-| oAuth2 Server with Doorkeeper | [doorkeeper-gem/doorkeeper-provider-app](https://github.com/doorkeeper-gem/doorkeeper-provider-app) |
+| OAuth2 Server with Doorkeeper | [doorkeeper-gem/doorkeeper-provider-app](https://github.com/doorkeeper-gem/doorkeeper-provider-app) |
 | Sinatra Client connected to Provider App | [doorkeeper-gem/doorkeeper-sinatra-client](https://github.com/doorkeeper-gem/doorkeeper-sinatra-client) |
 | Devise + Omniauth Client | [doorkeeper-gem/doorkeeper-devise-client](https://github.com/doorkeeper-gem/doorkeeper-devise-client) |
 
@@ -160,6 +160,9 @@ tests with a specific Rails version:
 BUNDLE_GEMFILE=gemfiles/rails_6_0.gemfile bundle exec rake
 ```
 
+You can also experiment with the changes using `bin/console`. It uses in-memory SQLite database and default
+Doorkeeper config, but you can reestablish connection or reconfigure the gem if you need.
+
 ## Contributing
 
 Want to contribute and don't know where to start? Check out [features we're
@@ -168,8 +171,7 @@ create [example
 apps](https://github.com/doorkeeper-gem/doorkeeper/wiki/Example-Applications),
 integrate the gem with your app and let us know!
 
-Also, check out our [contributing guidelines
-page](https://github.com/doorkeeper-gem/doorkeeper/wiki/Contributing).
+Also, check out our [contributing guidelines page](CONTRIBUTING.md).
 
 ## Contributors
 

data/app/controllers/doorkeeper/applications_controller.rb

@@ -8,7 +8,7 @@ module Doorkeeper
     before_action :set_application, only: %i[show edit update destroy]
 
     def index
-      @applications = Application.ordered_by(:created_at)
+      @applications = Doorkeeper.config.application_model.ordered_by(:created_at)
 
       respond_to do |format|
         format.html
@@ -24,11 +24,11 @@ module Doorkeeper
     end
 
     def new
-      @application = Application.new
+      @application = Doorkeeper.config.application_model.new
     end
 
     def create
-      @application = Application.new(application_params)
+      @application = Doorkeeper.config.application_model.new(application_params)
 
       if @application.save
         flash[:notice] = I18n.t(:notice, scope: %i[doorkeeper flash applications create])
@@ -84,7 +84,7 @@ module Doorkeeper
     private
 
     def set_application
-      @application = Application.find(params[:id])
+      @application = Doorkeeper.config.application_model.find(params[:id])
     end
 
     def application_params

data/app/controllers/doorkeeper/authorizations_controller.rb

@@ -42,9 +42,9 @@ module Doorkeeper
     end
 
     def matching_token?
-      AccessToken.matching_token_for(
+      Doorkeeper.config.access_token_model.matching_token_for(
         pre_auth.client,
-        current_resource_owner.id,
+        current_resource_owner,
         pre_auth.scopes,
       )
     end
@@ -65,7 +65,11 @@ module Doorkeeper
     end
 
     def pre_auth
-      @pre_auth ||= OAuth::PreAuthorization.new(Doorkeeper.configuration, pre_auth_params)
+      @pre_auth ||= OAuth::PreAuthorization.new(
+        Doorkeeper.configuration,
+        pre_auth_params,
+        current_resource_owner,
+      )
     end
 
     def pre_auth_params
@@ -73,8 +77,15 @@ module Doorkeeper
     end
 
     def pre_auth_param_fields
-      %i[client_id response_type redirect_uri scope state code_challenge
-         code_challenge_method]
+      %i[
+        client_id
+        code_challenge
+        code_challenge_method
+        response_type
+        redirect_uri
+        scope
+        state
+      ]
     end
 
     def authorization
@@ -82,26 +93,35 @@ module Doorkeeper
     end
 
     def strategy
-      @strategy ||= server.authorization_request pre_auth.response_type
+      @strategy ||= server.authorization_request(pre_auth.response_type)
     end
 
     def authorize_response
       @authorize_response ||= begin
         return pre_auth.error_response unless pre_auth.authorizable?
 
-        before_successful_authorization
+        context = build_context(pre_auth: pre_auth)
+        before_successful_authorization(context)
+
         auth = strategy.authorize
-        after_successful_authorization
+
+        context = build_context(auth: auth)
+        after_successful_authorization(context)
+
         auth
       end
     end
 
-    def after_successful_authorization
-      Doorkeeper.configuration.after_successful_authorization.call(self)
+    def build_context(**attributes)
+      Doorkeeper::OAuth::Hooks::Context.new(**attributes)
+    end
+
+    def before_successful_authorization(context = nil)
+      Doorkeeper.config.before_successful_authorization.call(self, context)
     end
 
-    def before_successful_authorization
-      Doorkeeper.configuration.before_successful_authorization.call(self)
+    def after_successful_authorization(context)
+      Doorkeeper.config.after_successful_authorization.call(self, context)
     end
   end
 end

data/app/controllers/doorkeeper/authorized_applications_controller.rb

@@ -5,7 +5,7 @@ module Doorkeeper
     before_action :authenticate_resource_owner!
 
     def index
-      @applications = Application.authorized_for(current_resource_owner)
+      @applications = Doorkeeper.config.application_model.authorized_for(current_resource_owner)
 
       respond_to do |format|
         format.html
@@ -14,7 +14,7 @@ module Doorkeeper
     end
 
     def destroy
-      Application.revoke_tokens_and_grants_for(
+      Doorkeeper.config.application_model.revoke_tokens_and_grants_for(
         params[:id],
         current_resource_owner,
       )

data/app/controllers/doorkeeper/tokens_controller.rb

@@ -12,14 +12,41 @@ module Doorkeeper
 
     # OAuth 2.0 Token Revocation - http://tools.ietf.org/html/rfc7009
     def revoke
-      # The authorization server, if applicable, first authenticates the client
-      # and checks its ownership of the provided token.
+      # @see 2.1.  Revocation Request
       #
-      # Doorkeeper does not use the token_type_hint logic described in the
-      # RFC 7009 due to the refresh token implementation that is a field in
-      # the access token model.
+      #  The client constructs the request by including the following
+      #  parameters using the "application/x-www-form-urlencoded" format in
+      #  the HTTP request entity-body:
+      #     token   REQUIRED.
+      #     token_type_hint  OPTIONAL.
+      #
+      #  The client also includes its authentication credentials as described
+      #  in Section 2.3. of [RFC6749].
+      #
+      #  The authorization server first validates the client credentials (in
+      #  case of a confidential client) and then verifies whether the token
+      #  was issued to the client making the revocation request.
+      unless server.client
+        # If this validation [client credentials / token ownership] fails, the request is
+        # refused and the  client is informed of the error by the authorization server as
+        # described below.
+        #
+        # @see 2.2.1.  Error Response
+        #
+        # The error presentation conforms to the definition in Section 5.2 of [RFC6749].
+        render json: revocation_error_response, status: :forbidden
+        return
+      end
 
-      if authorized?
+      # The authorization server responds with HTTP status code 200 if the client
+      # submitted an invalid token or the token has been revoked successfully.
+      if token.blank?
+        render json: {}, status: 200
+      # The authorization server validates [...] and whether the token
+      # was issued to the client making the revocation request. If this
+      # validation fails, the request is refused and the client is informed
+      # of the error by the authorization server as described below.
+      elsif authorized?
         revoke_token
         render json: {}, status: 200
       else
@@ -42,8 +69,15 @@ module Doorkeeper
     private
 
     # OAuth 2.0 Section 2.1 defines two client types, "public" & "confidential".
-    # Public clients (as per RFC 7009) do not require authentication whereas
-    # confidential clients must be authenticated for their token revocation.
+    #
+    # RFC7009
+    # Section 5. Security Considerations
+    # A malicious client may attempt to guess valid tokens on this endpoint
+    # by making revocation requests against potential token strings.
+    # According to this specification, a client's request must contain a
+    # valid client_id, in the case of a public client, or valid client
+    # credentials, in the case of a confidential client. The token being
+    # revoked must also belong to the requesting client.
     #
     # Once a confidential client is authenticated, it must be authorized to
     # revoke the provided access or refresh token. This ensures one client
@@ -58,15 +92,13 @@ module Doorkeeper
     # https://tools.ietf.org/html/rfc6749#section-2.1
     # https://tools.ietf.org/html/rfc7009
     def authorized?
-      return unless token.present?
-
-      # Client is confidential, therefore client authentication & authorization
-      # is required
+      # Token belongs to specific client, so we need to check if
+      # authenticated client could access it.
       if token.application_id? && token.application.confidential?
         # We authorize client by checking token's application
         server.client && server.client.application == token.application
       else
-        # Client is public, authentication unnecessary
+        # Token was issued without client, authorization unnecessary
         true
       end
     end
@@ -78,9 +110,12 @@ module Doorkeeper
       token.revoke if token&.accessible?
     end
 
+    # Doorkeeper does not use the token_type_hint logic described in the
+    # RFC 7009 due to the refresh token implementation that is a field in
+    # the access token model.
     def token
-      @token ||= AccessToken.by_token(params["token"]) ||
-                 AccessToken.by_refresh_token(params["token"])
+      @token ||= Doorkeeper.config.access_token_model.by_token(params["token"]) ||
+                 Doorkeeper.config.access_token_model.by_refresh_token(params["token"])
     end
 
     def strategy
@@ -91,17 +126,22 @@ module Doorkeeper
       @authorize_response ||= begin
         before_successful_authorization
         auth = strategy.authorize
-        after_successful_authorization unless auth.is_a?(Doorkeeper::OAuth::ErrorResponse)
+        context = build_context(auth: auth)
+        after_successful_authorization(context) unless auth.is_a?(Doorkeeper::OAuth::ErrorResponse)
         auth
       end
     end
 
-    def after_successful_authorization
-      Doorkeeper.configuration.after_successful_authorization.call(self)
+    def build_context(**attributes)
+      Doorkeeper::OAuth::Hooks::Context.new(**attributes)
+    end
+
+    def before_successful_authorization(context = nil)
+      Doorkeeper.config.before_successful_authorization.call(self, context)
     end
 
-    def before_successful_authorization
-      Doorkeeper.configuration.before_successful_authorization.call(self)
+    def after_successful_authorization(context)
+      Doorkeeper.config.after_successful_authorization.call(self, context)
     end
 
     def revocation_error_response