doorkeeper 5.3.2 → 5.5.0.rc1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of doorkeeper might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +106 -2
- data/README.md +6 -4
- data/app/controllers/doorkeeper/applications_controller.rb +4 -4
- data/app/controllers/doorkeeper/authorizations_controller.rb +32 -12
- data/app/controllers/doorkeeper/authorized_applications_controller.rb +2 -2
- data/app/controllers/doorkeeper/tokens_controller.rb +60 -20
- data/app/views/doorkeeper/applications/_form.html.erb +1 -1
- data/app/views/doorkeeper/applications/show.html.erb +19 -2
- data/config/locales/en.yml +3 -2
- data/lib/doorkeeper.rb +107 -79
- data/lib/doorkeeper/config.rb +140 -94
- data/lib/doorkeeper/config/abstract_builder.rb +28 -0
- data/lib/doorkeeper/config/option.rb +26 -14
- data/lib/doorkeeper/config/validations.rb +53 -0
- data/lib/doorkeeper/engine.rb +1 -1
- data/lib/doorkeeper/grant_flow.rb +43 -0
- data/lib/doorkeeper/grant_flow/fallback_flow.rb +15 -0
- data/lib/doorkeeper/grant_flow/flow.rb +34 -0
- data/lib/doorkeeper/grant_flow/registry.rb +50 -0
- data/lib/doorkeeper/grape/helpers.rb +1 -1
- data/lib/doorkeeper/helpers/controller.rb +6 -4
- data/lib/doorkeeper/models/access_grant_mixin.rb +20 -16
- data/lib/doorkeeper/models/access_token_mixin.rb +110 -47
- data/lib/doorkeeper/models/application_mixin.rb +5 -4
- data/lib/doorkeeper/models/concerns/resource_ownerable.rb +47 -0
- data/lib/doorkeeper/models/concerns/revocable.rb +1 -1
- data/lib/doorkeeper/models/concerns/scopes.rb +5 -1
- data/lib/doorkeeper/models/concerns/secret_storable.rb +1 -3
- data/lib/doorkeeper/oauth/authorization/code.rb +15 -6
- data/lib/doorkeeper/oauth/authorization/context.rb +5 -5
- data/lib/doorkeeper/oauth/authorization/token.rb +14 -16
- data/lib/doorkeeper/oauth/authorization/uri_builder.rb +4 -4
- data/lib/doorkeeper/oauth/authorization_code_request.rb +17 -14
- data/lib/doorkeeper/oauth/base_request.rb +12 -20
- data/lib/doorkeeper/oauth/client.rb +1 -1
- data/lib/doorkeeper/oauth/client/credentials.rb +2 -4
- data/lib/doorkeeper/oauth/client_credentials/creator.rb +27 -8
- data/lib/doorkeeper/oauth/client_credentials/issuer.rb +4 -2
- data/lib/doorkeeper/oauth/client_credentials/validator.rb +4 -2
- data/lib/doorkeeper/oauth/client_credentials_request.rb +8 -7
- data/lib/doorkeeper/oauth/code_request.rb +3 -3
- data/lib/doorkeeper/oauth/code_response.rb +28 -14
- data/lib/doorkeeper/oauth/error_response.rb +6 -7
- data/lib/doorkeeper/oauth/helpers/scope_checker.rb +2 -8
- data/lib/doorkeeper/oauth/hooks/context.rb +21 -0
- data/lib/doorkeeper/oauth/invalid_token_response.rb +2 -2
- data/lib/doorkeeper/oauth/password_access_token_request.rb +24 -7
- data/lib/doorkeeper/oauth/pre_authorization.rb +41 -31
- data/lib/doorkeeper/oauth/refresh_token_request.rb +31 -22
- data/lib/doorkeeper/oauth/token.rb +5 -6
- data/lib/doorkeeper/oauth/token_introspection.rb +4 -8
- data/lib/doorkeeper/oauth/token_request.rb +3 -3
- data/lib/doorkeeper/oauth/token_response.rb +1 -1
- data/lib/doorkeeper/orm/active_record.rb +10 -2
- data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +8 -3
- data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +7 -3
- data/lib/doorkeeper/orm/active_record/mixins/application.rb +20 -16
- data/lib/doorkeeper/rails/routes.rb +14 -18
- data/lib/doorkeeper/rails/routes/abstract_router.rb +35 -0
- data/lib/doorkeeper/rails/routes/mapper.rb +2 -2
- data/lib/doorkeeper/rails/routes/registry.rb +45 -0
- data/lib/doorkeeper/request.rb +49 -12
- data/lib/doorkeeper/request/refresh_token.rb +2 -1
- data/lib/doorkeeper/request/strategy.rb +2 -2
- data/lib/doorkeeper/server.rb +4 -4
- data/lib/doorkeeper/stale_records_cleaner.rb +4 -4
- data/lib/doorkeeper/version.rb +3 -3
- data/lib/generators/doorkeeper/confidential_applications_generator.rb +1 -1
- data/lib/generators/doorkeeper/enable_polymorphic_resource_owner_generator.rb +39 -0
- data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +2 -0
- data/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb.erb +2 -0
- data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +2 -0
- data/lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb +17 -0
- data/lib/generators/doorkeeper/templates/initializer.rb +48 -10
- data/lib/generators/doorkeeper/templates/migration.rb.erb +14 -5
- metadata +21 -299
- data/Appraisals +0 -40
- data/CODE_OF_CONDUCT.md +0 -46
- data/CONTRIBUTING.md +0 -49
- data/Dangerfile +0 -67
- data/Dockerfile +0 -29
- data/Gemfile +0 -25
- data/NEWS.md +0 -1
- data/RELEASING.md +0 -11
- data/Rakefile +0 -28
- data/SECURITY.md +0 -15
- data/UPGRADE.md +0 -2
- data/bin/console +0 -16
- data/doorkeeper.gemspec +0 -42
- data/gemfiles/rails_5_0.gemfile +0 -18
- data/gemfiles/rails_5_1.gemfile +0 -18
- data/gemfiles/rails_5_2.gemfile +0 -18
- data/gemfiles/rails_6_0.gemfile +0 -18
- data/gemfiles/rails_master.gemfile +0 -18
- data/spec/controllers/application_metal_controller_spec.rb +0 -64
- data/spec/controllers/applications_controller_spec.rb +0 -274
- data/spec/controllers/authorizations_controller_spec.rb +0 -608
- data/spec/controllers/protected_resources_controller_spec.rb +0 -361
- data/spec/controllers/token_info_controller_spec.rb +0 -50
- data/spec/controllers/tokens_controller_spec.rb +0 -498
- data/spec/dummy/Rakefile +0 -9
- data/spec/dummy/app/assets/config/manifest.js +0 -2
- data/spec/dummy/app/controllers/application_controller.rb +0 -5
- data/spec/dummy/app/controllers/custom_authorizations_controller.rb +0 -9
- data/spec/dummy/app/controllers/full_protected_resources_controller.rb +0 -14
- data/spec/dummy/app/controllers/home_controller.rb +0 -18
- data/spec/dummy/app/controllers/metal_controller.rb +0 -13
- data/spec/dummy/app/controllers/semi_protected_resources_controller.rb +0 -13
- data/spec/dummy/app/helpers/application_helper.rb +0 -7
- data/spec/dummy/app/models/user.rb +0 -7
- data/spec/dummy/app/views/home/index.html.erb +0 -0
- data/spec/dummy/app/views/layouts/application.html.erb +0 -14
- data/spec/dummy/config.ru +0 -6
- data/spec/dummy/config/application.rb +0 -49
- data/spec/dummy/config/boot.rb +0 -7
- data/spec/dummy/config/database.yml +0 -15
- data/spec/dummy/config/environment.rb +0 -5
- data/spec/dummy/config/environments/development.rb +0 -31
- data/spec/dummy/config/environments/production.rb +0 -64
- data/spec/dummy/config/environments/test.rb +0 -45
- data/spec/dummy/config/initializers/backtrace_silencers.rb +0 -9
- data/spec/dummy/config/initializers/doorkeeper.rb +0 -166
- data/spec/dummy/config/initializers/secret_token.rb +0 -10
- data/spec/dummy/config/initializers/session_store.rb +0 -10
- data/spec/dummy/config/initializers/wrap_parameters.rb +0 -16
- data/spec/dummy/config/locales/doorkeeper.en.yml +0 -5
- data/spec/dummy/config/routes.rb +0 -13
- data/spec/dummy/db/migrate/20111122132257_create_users.rb +0 -11
- data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb +0 -7
- data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +0 -69
- data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb +0 -9
- data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb +0 -13
- data/spec/dummy/db/migrate/20170822064514_enable_pkce.rb +0 -8
- data/spec/dummy/db/migrate/20180210183654_add_confidential_to_applications.rb +0 -13
- data/spec/dummy/db/schema.rb +0 -68
- data/spec/dummy/public/404.html +0 -26
- data/spec/dummy/public/422.html +0 -26
- data/spec/dummy/public/500.html +0 -26
- data/spec/dummy/public/favicon.ico +0 -0
- data/spec/dummy/script/rails +0 -9
- data/spec/factories.rb +0 -30
- data/spec/generators/application_owner_generator_spec.rb +0 -28
- data/spec/generators/confidential_applications_generator_spec.rb +0 -29
- data/spec/generators/install_generator_spec.rb +0 -36
- data/spec/generators/migration_generator_spec.rb +0 -28
- data/spec/generators/pkce_generator_spec.rb +0 -28
- data/spec/generators/previous_refresh_token_generator_spec.rb +0 -44
- data/spec/generators/templates/routes.rb +0 -4
- data/spec/generators/views_generator_spec.rb +0 -29
- data/spec/grape/grape_integration_spec.rb +0 -137
- data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +0 -26
- data/spec/lib/config_spec.rb +0 -809
- data/spec/lib/doorkeeper_spec.rb +0 -27
- data/spec/lib/models/expirable_spec.rb +0 -61
- data/spec/lib/models/reusable_spec.rb +0 -40
- data/spec/lib/models/revocable_spec.rb +0 -59
- data/spec/lib/models/scopes_spec.rb +0 -53
- data/spec/lib/models/secret_storable_spec.rb +0 -135
- data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -39
- data/spec/lib/oauth/authorization_code_request_spec.rb +0 -170
- data/spec/lib/oauth/base_request_spec.rb +0 -224
- data/spec/lib/oauth/base_response_spec.rb +0 -45
- data/spec/lib/oauth/client/credentials_spec.rb +0 -90
- data/spec/lib/oauth/client_credentials/creator_spec.rb +0 -134
- data/spec/lib/oauth/client_credentials/issuer_spec.rb +0 -112
- data/spec/lib/oauth/client_credentials/validation_spec.rb +0 -59
- data/spec/lib/oauth/client_credentials_integration_spec.rb +0 -27
- data/spec/lib/oauth/client_credentials_request_spec.rb +0 -107
- data/spec/lib/oauth/client_spec.rb +0 -38
- data/spec/lib/oauth/code_request_spec.rb +0 -46
- data/spec/lib/oauth/code_response_spec.rb +0 -32
- data/spec/lib/oauth/error_response_spec.rb +0 -64
- data/spec/lib/oauth/error_spec.rb +0 -21
- data/spec/lib/oauth/forbidden_token_response_spec.rb +0 -20
- data/spec/lib/oauth/helpers/scope_checker_spec.rb +0 -110
- data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -21
- data/spec/lib/oauth/helpers/uri_checker_spec.rb +0 -262
- data/spec/lib/oauth/invalid_request_response_spec.rb +0 -73
- data/spec/lib/oauth/invalid_token_response_spec.rb +0 -53
- data/spec/lib/oauth/password_access_token_request_spec.rb +0 -190
- data/spec/lib/oauth/pre_authorization_spec.rb +0 -223
- data/spec/lib/oauth/refresh_token_request_spec.rb +0 -177
- data/spec/lib/oauth/scopes_spec.rb +0 -146
- data/spec/lib/oauth/token_request_spec.rb +0 -157
- data/spec/lib/oauth/token_response_spec.rb +0 -84
- data/spec/lib/oauth/token_spec.rb +0 -156
- data/spec/lib/request/strategy_spec.rb +0 -54
- data/spec/lib/secret_storing/base_spec.rb +0 -60
- data/spec/lib/secret_storing/bcrypt_spec.rb +0 -49
- data/spec/lib/secret_storing/plain_spec.rb +0 -44
- data/spec/lib/secret_storing/sha256_hash_spec.rb +0 -48
- data/spec/lib/server_spec.rb +0 -49
- data/spec/lib/stale_records_cleaner_spec.rb +0 -89
- data/spec/models/doorkeeper/access_grant_spec.rb +0 -161
- data/spec/models/doorkeeper/access_token_spec.rb +0 -622
- data/spec/models/doorkeeper/application_spec.rb +0 -482
- data/spec/requests/applications/applications_request_spec.rb +0 -259
- data/spec/requests/applications/authorized_applications_spec.rb +0 -32
- data/spec/requests/endpoints/authorization_spec.rb +0 -91
- data/spec/requests/endpoints/token_spec.rb +0 -75
- data/spec/requests/flows/authorization_code_errors_spec.rb +0 -79
- data/spec/requests/flows/authorization_code_spec.rb +0 -525
- data/spec/requests/flows/client_credentials_spec.rb +0 -166
- data/spec/requests/flows/implicit_grant_errors_spec.rb +0 -46
- data/spec/requests/flows/implicit_grant_spec.rb +0 -91
- data/spec/requests/flows/password_spec.rb +0 -316
- data/spec/requests/flows/refresh_token_spec.rb +0 -233
- data/spec/requests/flows/revoke_token_spec.rb +0 -157
- data/spec/requests/flows/skip_authorization_spec.rb +0 -66
- data/spec/requests/protected_resources/metal_spec.rb +0 -16
- data/spec/requests/protected_resources/private_api_spec.rb +0 -83
- data/spec/routing/custom_controller_routes_spec.rb +0 -133
- data/spec/routing/default_routes_spec.rb +0 -41
- data/spec/routing/scoped_routes_spec.rb +0 -47
- data/spec/spec_helper.rb +0 -54
- data/spec/spec_helper_integration.rb +0 -4
- data/spec/support/dependencies/factory_bot.rb +0 -4
- data/spec/support/doorkeeper_rspec.rb +0 -22
- data/spec/support/helpers/access_token_request_helper.rb +0 -13
- data/spec/support/helpers/authorization_request_helper.rb +0 -43
- data/spec/support/helpers/config_helper.rb +0 -11
- data/spec/support/helpers/model_helper.rb +0 -78
- data/spec/support/helpers/request_spec_helper.rb +0 -110
- data/spec/support/helpers/url_helper.rb +0 -62
- data/spec/support/orm/active_record.rb +0 -5
- data/spec/support/shared/controllers_shared_context.rb +0 -133
- data/spec/support/shared/hashing_shared_context.rb +0 -36
- data/spec/support/shared/models_shared_examples.rb +0 -54
- data/spec/validators/redirect_uri_validator_spec.rb +0 -183
- data/spec/version/version_spec.rb +0 -17
|
@@ -1,166 +0,0 @@
|
|
|
1
|
-
# frozen_string_literal: true
|
|
2
|
-
|
|
3
|
-
require "spec_helper"
|
|
4
|
-
|
|
5
|
-
describe "Client Credentials Request" do
|
|
6
|
-
let(:client) { FactoryBot.create :application }
|
|
7
|
-
|
|
8
|
-
context "a valid request" do
|
|
9
|
-
it "authorizes the client and returns the token response" do
|
|
10
|
-
headers = authorization client.uid, client.secret
|
|
11
|
-
params = { grant_type: "client_credentials" }
|
|
12
|
-
|
|
13
|
-
post "/oauth/token", params: params, headers: headers
|
|
14
|
-
|
|
15
|
-
should_have_json "access_token", Doorkeeper::AccessToken.first.token
|
|
16
|
-
should_have_json_within "expires_in", Doorkeeper.configuration.access_token_expires_in, 1
|
|
17
|
-
should_not_have_json "scope"
|
|
18
|
-
should_not_have_json "refresh_token"
|
|
19
|
-
|
|
20
|
-
should_not_have_json "error"
|
|
21
|
-
should_not_have_json "error_description"
|
|
22
|
-
end
|
|
23
|
-
|
|
24
|
-
context "with scopes" do
|
|
25
|
-
before do
|
|
26
|
-
optional_scopes_exist :write
|
|
27
|
-
default_scopes_exist :public
|
|
28
|
-
end
|
|
29
|
-
|
|
30
|
-
it "adds the scope to the token an returns in the response" do
|
|
31
|
-
headers = authorization client.uid, client.secret
|
|
32
|
-
params = { grant_type: "client_credentials", scope: "write" }
|
|
33
|
-
|
|
34
|
-
post "/oauth/token", params: params, headers: headers
|
|
35
|
-
|
|
36
|
-
should_have_json "access_token", Doorkeeper::AccessToken.first.token
|
|
37
|
-
should_have_json "scope", "write"
|
|
38
|
-
end
|
|
39
|
-
|
|
40
|
-
context "that are default" do
|
|
41
|
-
it "adds the scope to the token an returns in the response" do
|
|
42
|
-
headers = authorization client.uid, client.secret
|
|
43
|
-
params = { grant_type: "client_credentials", scope: "public" }
|
|
44
|
-
|
|
45
|
-
post "/oauth/token", params: params, headers: headers
|
|
46
|
-
|
|
47
|
-
should_have_json "access_token", Doorkeeper::AccessToken.first.token
|
|
48
|
-
should_have_json "scope", "public"
|
|
49
|
-
end
|
|
50
|
-
end
|
|
51
|
-
|
|
52
|
-
context "that are invalid" do
|
|
53
|
-
it "does not authorize the client and returns the error" do
|
|
54
|
-
headers = authorization client.uid, client.secret
|
|
55
|
-
params = { grant_type: "client_credentials", scope: "random" }
|
|
56
|
-
|
|
57
|
-
post "/oauth/token", params: params, headers: headers
|
|
58
|
-
|
|
59
|
-
should_have_json "error", "invalid_scope"
|
|
60
|
-
should_have_json "error_description", translated_error_message(:invalid_scope)
|
|
61
|
-
should_not_have_json "access_token"
|
|
62
|
-
|
|
63
|
-
expect(response.status).to eq(400)
|
|
64
|
-
end
|
|
65
|
-
end
|
|
66
|
-
end
|
|
67
|
-
end
|
|
68
|
-
|
|
69
|
-
context "when configured to check application supported grant flow" do
|
|
70
|
-
before do
|
|
71
|
-
Doorkeeper.configuration.instance_variable_set(
|
|
72
|
-
:@allow_grant_flow_for_client,
|
|
73
|
-
->(_grant_flow, client) { client.name == "admin" },
|
|
74
|
-
)
|
|
75
|
-
end
|
|
76
|
-
|
|
77
|
-
scenario "forbids the request when doesn't satisfy condition" do
|
|
78
|
-
client.update(name: "sample app")
|
|
79
|
-
|
|
80
|
-
headers = authorization client.uid, client.secret
|
|
81
|
-
params = { grant_type: "client_credentials" }
|
|
82
|
-
|
|
83
|
-
post "/oauth/token", params: params, headers: headers
|
|
84
|
-
|
|
85
|
-
should_have_json "error", "unauthorized_client"
|
|
86
|
-
should_have_json "error_description", translated_error_message(:unauthorized_client)
|
|
87
|
-
end
|
|
88
|
-
|
|
89
|
-
scenario "allows the request when satisfies condition" do
|
|
90
|
-
client.update(name: "admin")
|
|
91
|
-
|
|
92
|
-
headers = authorization client.uid, client.secret
|
|
93
|
-
params = { grant_type: "client_credentials" }
|
|
94
|
-
|
|
95
|
-
post "/oauth/token", params: params, headers: headers
|
|
96
|
-
|
|
97
|
-
should_have_json "access_token", Doorkeeper::AccessToken.first.token
|
|
98
|
-
should_have_json_within "expires_in", Doorkeeper.configuration.access_token_expires_in, 1
|
|
99
|
-
should_not_have_json "scope"
|
|
100
|
-
should_not_have_json "refresh_token"
|
|
101
|
-
|
|
102
|
-
should_not_have_json "error"
|
|
103
|
-
should_not_have_json "error_description"
|
|
104
|
-
end
|
|
105
|
-
end
|
|
106
|
-
|
|
107
|
-
context "when application scopes contain some of the default scopes and no scope is passed" do
|
|
108
|
-
before do
|
|
109
|
-
client.update(scopes: "read write public")
|
|
110
|
-
end
|
|
111
|
-
|
|
112
|
-
it "issues new token with one default scope that are present in application scopes" do
|
|
113
|
-
default_scopes_exist :public
|
|
114
|
-
|
|
115
|
-
headers = authorization client.uid, client.secret
|
|
116
|
-
params = { grant_type: "client_credentials" }
|
|
117
|
-
|
|
118
|
-
expect do
|
|
119
|
-
post "/oauth/token", params: params, headers: headers
|
|
120
|
-
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
|
121
|
-
|
|
122
|
-
token = Doorkeeper::AccessToken.first
|
|
123
|
-
|
|
124
|
-
expect(token.application_id).to eq client.id
|
|
125
|
-
should_have_json "access_token", token.token
|
|
126
|
-
should_have_json "scope", "public"
|
|
127
|
-
end
|
|
128
|
-
|
|
129
|
-
it "issues new token with multiple default scopes that are present in application scopes" do
|
|
130
|
-
default_scopes_exist :public, :read, :update
|
|
131
|
-
|
|
132
|
-
headers = authorization client.uid, client.secret
|
|
133
|
-
params = { grant_type: "client_credentials" }
|
|
134
|
-
|
|
135
|
-
expect do
|
|
136
|
-
post "/oauth/token", params: params, headers: headers
|
|
137
|
-
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
|
138
|
-
|
|
139
|
-
token = Doorkeeper::AccessToken.first
|
|
140
|
-
|
|
141
|
-
expect(token.application_id).to eq client.id
|
|
142
|
-
should_have_json "access_token", token.token
|
|
143
|
-
should_have_json "scope", "public read"
|
|
144
|
-
end
|
|
145
|
-
end
|
|
146
|
-
|
|
147
|
-
context "an invalid request" do
|
|
148
|
-
it "does not authorize the client and returns the error" do
|
|
149
|
-
headers = {}
|
|
150
|
-
params = { grant_type: "client_credentials" }
|
|
151
|
-
|
|
152
|
-
post "/oauth/token", params: params, headers: headers
|
|
153
|
-
|
|
154
|
-
should_have_json "error", "invalid_client"
|
|
155
|
-
should_have_json "error_description", translated_error_message(:invalid_client)
|
|
156
|
-
should_not_have_json "access_token"
|
|
157
|
-
|
|
158
|
-
expect(response.status).to eq(401)
|
|
159
|
-
end
|
|
160
|
-
end
|
|
161
|
-
|
|
162
|
-
def authorization(username, password)
|
|
163
|
-
credentials = ActionController::HttpAuthentication::Basic.encode_credentials username, password
|
|
164
|
-
{ "HTTP_AUTHORIZATION" => credentials }
|
|
165
|
-
end
|
|
166
|
-
end
|
|
@@ -1,46 +0,0 @@
|
|
|
1
|
-
# frozen_string_literal: true
|
|
2
|
-
|
|
3
|
-
require "spec_helper"
|
|
4
|
-
|
|
5
|
-
feature "Implicit Grant Flow Errors" do
|
|
6
|
-
background do
|
|
7
|
-
default_scopes_exist :default
|
|
8
|
-
config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
|
|
9
|
-
config_is_set(:grant_flows, ["implicit"])
|
|
10
|
-
client_exists
|
|
11
|
-
create_resource_owner
|
|
12
|
-
sign_in
|
|
13
|
-
end
|
|
14
|
-
|
|
15
|
-
after do
|
|
16
|
-
access_token_should_not_exist
|
|
17
|
-
end
|
|
18
|
-
|
|
19
|
-
context "when validate client_id param" do
|
|
20
|
-
scenario "displays invalid_client error for invalid client_id" do
|
|
21
|
-
visit authorization_endpoint_url(client_id: "invalid", response_type: "token")
|
|
22
|
-
i_should_not_see "Authorize"
|
|
23
|
-
i_should_see_translated_error_message :invalid_client
|
|
24
|
-
end
|
|
25
|
-
|
|
26
|
-
scenario "displays invalid_request error when client_id is missing" do
|
|
27
|
-
visit authorization_endpoint_url(client_id: "", response_type: "token")
|
|
28
|
-
i_should_not_see "Authorize"
|
|
29
|
-
i_should_see_translated_invalid_request_error_message :missing_param, :client_id
|
|
30
|
-
end
|
|
31
|
-
end
|
|
32
|
-
|
|
33
|
-
context "when validate redirect_uri param" do
|
|
34
|
-
scenario "displays invalid_redirect_uri error for invalid redirect_uri" do
|
|
35
|
-
visit authorization_endpoint_url(client: @client, redirect_uri: "invalid", response_type: "token")
|
|
36
|
-
i_should_not_see "Authorize"
|
|
37
|
-
i_should_see_translated_error_message :invalid_redirect_uri
|
|
38
|
-
end
|
|
39
|
-
|
|
40
|
-
scenario "displays invalid_redirect_uri error when redirect_uri is missing" do
|
|
41
|
-
visit authorization_endpoint_url(client: @client, redirect_uri: "", response_type: "token")
|
|
42
|
-
i_should_not_see "Authorize"
|
|
43
|
-
i_should_see_translated_error_message :invalid_redirect_uri
|
|
44
|
-
end
|
|
45
|
-
end
|
|
46
|
-
end
|
|
@@ -1,91 +0,0 @@
|
|
|
1
|
-
# frozen_string_literal: true
|
|
2
|
-
|
|
3
|
-
require "spec_helper"
|
|
4
|
-
|
|
5
|
-
feature "Implicit Grant Flow (feature spec)" do
|
|
6
|
-
background do
|
|
7
|
-
default_scopes_exist :default
|
|
8
|
-
config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
|
|
9
|
-
config_is_set(:grant_flows, ["implicit"])
|
|
10
|
-
client_exists
|
|
11
|
-
create_resource_owner
|
|
12
|
-
sign_in
|
|
13
|
-
end
|
|
14
|
-
|
|
15
|
-
scenario "resource owner authorizes the client" do
|
|
16
|
-
visit authorization_endpoint_url(client: @client, response_type: "token")
|
|
17
|
-
click_on "Authorize"
|
|
18
|
-
|
|
19
|
-
access_token_should_exist_for @client, @resource_owner
|
|
20
|
-
|
|
21
|
-
i_should_be_on_client_callback @client
|
|
22
|
-
end
|
|
23
|
-
|
|
24
|
-
context "when application scopes are present and no scope is passed" do
|
|
25
|
-
background do
|
|
26
|
-
@client.update(scopes: "public write read")
|
|
27
|
-
end
|
|
28
|
-
|
|
29
|
-
scenario "scope is invalid because default scope is different from application scope" do
|
|
30
|
-
default_scopes_exist :admin
|
|
31
|
-
visit authorization_endpoint_url(client: @client, response_type: "token")
|
|
32
|
-
response_status_should_be 200
|
|
33
|
-
i_should_not_see "Authorize"
|
|
34
|
-
i_should_see_translated_error_message :invalid_scope
|
|
35
|
-
end
|
|
36
|
-
|
|
37
|
-
scenario "access token has scopes which are common in application scopes and default scopes" do
|
|
38
|
-
default_scopes_exist :public, :write
|
|
39
|
-
visit authorization_endpoint_url(client: @client, response_type: "token")
|
|
40
|
-
click_on "Authorize"
|
|
41
|
-
access_token_should_exist_for @client, @resource_owner
|
|
42
|
-
access_token_should_have_scopes :public, :write
|
|
43
|
-
end
|
|
44
|
-
end
|
|
45
|
-
end
|
|
46
|
-
|
|
47
|
-
describe "Implicit Grant Flow (request spec)" do
|
|
48
|
-
before do
|
|
49
|
-
default_scopes_exist :default
|
|
50
|
-
config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
|
|
51
|
-
config_is_set(:grant_flows, ["implicit"])
|
|
52
|
-
client_exists
|
|
53
|
-
create_resource_owner
|
|
54
|
-
end
|
|
55
|
-
|
|
56
|
-
context "token reuse" do
|
|
57
|
-
it "should return a new token each request" do
|
|
58
|
-
allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(false)
|
|
59
|
-
|
|
60
|
-
token = client_is_authorized(@client, @resource_owner, scopes: "default")
|
|
61
|
-
|
|
62
|
-
post "/oauth/authorize",
|
|
63
|
-
params: {
|
|
64
|
-
client_id: @client.uid,
|
|
65
|
-
state: "",
|
|
66
|
-
redirect_uri: @client.redirect_uri,
|
|
67
|
-
response_type: "token",
|
|
68
|
-
commit: "Authorize",
|
|
69
|
-
}
|
|
70
|
-
|
|
71
|
-
expect(response.location).not_to include(token.token)
|
|
72
|
-
end
|
|
73
|
-
|
|
74
|
-
it "should return the same token if it is still accessible" do
|
|
75
|
-
allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
|
|
76
|
-
|
|
77
|
-
token = client_is_authorized(@client, @resource_owner, scopes: "default")
|
|
78
|
-
|
|
79
|
-
post "/oauth/authorize",
|
|
80
|
-
params: {
|
|
81
|
-
client_id: @client.uid,
|
|
82
|
-
state: "",
|
|
83
|
-
redirect_uri: @client.redirect_uri,
|
|
84
|
-
response_type: "token",
|
|
85
|
-
commit: "Authorize",
|
|
86
|
-
}
|
|
87
|
-
|
|
88
|
-
expect(response.location).to include(token.token)
|
|
89
|
-
end
|
|
90
|
-
end
|
|
91
|
-
end
|
|
@@ -1,316 +0,0 @@
|
|
|
1
|
-
# frozen_string_literal: true
|
|
2
|
-
|
|
3
|
-
require "spec_helper"
|
|
4
|
-
|
|
5
|
-
describe "Resource Owner Password Credentials Flow not set up" do
|
|
6
|
-
before do
|
|
7
|
-
client_exists
|
|
8
|
-
create_resource_owner
|
|
9
|
-
end
|
|
10
|
-
|
|
11
|
-
context "with valid user credentials" do
|
|
12
|
-
it "does not issue new token" do
|
|
13
|
-
expect do
|
|
14
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
|
15
|
-
end.to_not(change { Doorkeeper::AccessToken.count })
|
|
16
|
-
end
|
|
17
|
-
end
|
|
18
|
-
end
|
|
19
|
-
|
|
20
|
-
describe "Resource Owner Password Credentials Flow" do
|
|
21
|
-
let(:client_attributes) { { redirect_uri: nil } }
|
|
22
|
-
|
|
23
|
-
before do
|
|
24
|
-
config_is_set(:grant_flows, ["password"])
|
|
25
|
-
config_is_set(:resource_owner_from_credentials) { User.authenticate! params[:username], params[:password] }
|
|
26
|
-
client_exists(client_attributes)
|
|
27
|
-
create_resource_owner
|
|
28
|
-
end
|
|
29
|
-
|
|
30
|
-
context "with valid user credentials" do
|
|
31
|
-
context "with non-confidential/public client" do
|
|
32
|
-
let(:client_attributes) { { confidential: false } }
|
|
33
|
-
|
|
34
|
-
context "when configured to check application supported grant flow" do
|
|
35
|
-
before do
|
|
36
|
-
Doorkeeper.configuration.instance_variable_set(
|
|
37
|
-
:@allow_grant_flow_for_client,
|
|
38
|
-
->(_grant_flow, client) { client.name == "admin" },
|
|
39
|
-
)
|
|
40
|
-
end
|
|
41
|
-
|
|
42
|
-
scenario "forbids the request when doesn't satisfy condition" do
|
|
43
|
-
@client.update(name: "sample app")
|
|
44
|
-
|
|
45
|
-
expect do
|
|
46
|
-
post password_token_endpoint_url(
|
|
47
|
-
client_id: @client.uid,
|
|
48
|
-
client_secret: "foobar",
|
|
49
|
-
resource_owner: @resource_owner,
|
|
50
|
-
)
|
|
51
|
-
end.not_to(change { Doorkeeper::AccessToken.count })
|
|
52
|
-
|
|
53
|
-
expect(response.status).to eq(401)
|
|
54
|
-
should_have_json "error", "invalid_client"
|
|
55
|
-
end
|
|
56
|
-
|
|
57
|
-
scenario "allows the request when satisfies condition" do
|
|
58
|
-
@client.update(name: "admin")
|
|
59
|
-
|
|
60
|
-
expect do
|
|
61
|
-
post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
|
|
62
|
-
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
|
63
|
-
|
|
64
|
-
token = Doorkeeper::AccessToken.first
|
|
65
|
-
|
|
66
|
-
expect(token.application_id).to eq @client.id
|
|
67
|
-
should_have_json "access_token", token.token
|
|
68
|
-
end
|
|
69
|
-
end
|
|
70
|
-
|
|
71
|
-
context "when client_secret absent" do
|
|
72
|
-
it "should issue new token" do
|
|
73
|
-
expect do
|
|
74
|
-
post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
|
|
75
|
-
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
|
76
|
-
|
|
77
|
-
token = Doorkeeper::AccessToken.first
|
|
78
|
-
|
|
79
|
-
expect(token.application_id).to eq @client.id
|
|
80
|
-
should_have_json "access_token", token.token
|
|
81
|
-
end
|
|
82
|
-
end
|
|
83
|
-
|
|
84
|
-
context "when client_secret present" do
|
|
85
|
-
it "should issue new token" do
|
|
86
|
-
expect do
|
|
87
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
|
88
|
-
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
|
89
|
-
|
|
90
|
-
token = Doorkeeper::AccessToken.first
|
|
91
|
-
|
|
92
|
-
expect(token.application_id).to eq @client.id
|
|
93
|
-
should_have_json "access_token", token.token
|
|
94
|
-
end
|
|
95
|
-
|
|
96
|
-
context "when client_secret incorrect" do
|
|
97
|
-
it "should not issue new token" do
|
|
98
|
-
expect do
|
|
99
|
-
post password_token_endpoint_url(
|
|
100
|
-
client_id: @client.uid,
|
|
101
|
-
client_secret: "foobar",
|
|
102
|
-
resource_owner: @resource_owner,
|
|
103
|
-
)
|
|
104
|
-
end.not_to(change { Doorkeeper::AccessToken.count })
|
|
105
|
-
|
|
106
|
-
expect(response.status).to eq(401)
|
|
107
|
-
should_have_json "error", "invalid_client"
|
|
108
|
-
end
|
|
109
|
-
end
|
|
110
|
-
end
|
|
111
|
-
end
|
|
112
|
-
|
|
113
|
-
context "with confidential/private client" do
|
|
114
|
-
it "should issue new token" do
|
|
115
|
-
expect do
|
|
116
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
|
117
|
-
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
|
118
|
-
|
|
119
|
-
token = Doorkeeper::AccessToken.first
|
|
120
|
-
|
|
121
|
-
expect(token.application_id).to eq @client.id
|
|
122
|
-
should_have_json "access_token", token.token
|
|
123
|
-
end
|
|
124
|
-
|
|
125
|
-
context "when client_secret absent" do
|
|
126
|
-
it "should not issue new token" do
|
|
127
|
-
expect do
|
|
128
|
-
post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
|
|
129
|
-
end.not_to(change { Doorkeeper::AccessToken.count })
|
|
130
|
-
|
|
131
|
-
expect(response.status).to eq(401)
|
|
132
|
-
should_have_json "error", "invalid_client"
|
|
133
|
-
end
|
|
134
|
-
end
|
|
135
|
-
end
|
|
136
|
-
|
|
137
|
-
it "should issue new token without client credentials" do
|
|
138
|
-
expect do
|
|
139
|
-
post password_token_endpoint_url(resource_owner: @resource_owner)
|
|
140
|
-
end.to(change { Doorkeeper::AccessToken.count }.by(1))
|
|
141
|
-
|
|
142
|
-
token = Doorkeeper::AccessToken.first
|
|
143
|
-
|
|
144
|
-
expect(token.application_id).to be_nil
|
|
145
|
-
should_have_json "access_token", token.token
|
|
146
|
-
end
|
|
147
|
-
|
|
148
|
-
it "should issue a refresh token if enabled" do
|
|
149
|
-
config_is_set(:refresh_token_enabled, true)
|
|
150
|
-
|
|
151
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
|
152
|
-
|
|
153
|
-
token = Doorkeeper::AccessToken.first
|
|
154
|
-
|
|
155
|
-
should_have_json "refresh_token", token.refresh_token
|
|
156
|
-
end
|
|
157
|
-
|
|
158
|
-
it "should return the same token if it is still accessible" do
|
|
159
|
-
allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
|
|
160
|
-
|
|
161
|
-
client_is_authorized(@client, @resource_owner)
|
|
162
|
-
|
|
163
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
|
164
|
-
|
|
165
|
-
expect(Doorkeeper::AccessToken.count).to be(1)
|
|
166
|
-
should_have_json "access_token", Doorkeeper::AccessToken.first.token
|
|
167
|
-
end
|
|
168
|
-
|
|
169
|
-
context "with valid, default scope" do
|
|
170
|
-
before do
|
|
171
|
-
default_scopes_exist :public
|
|
172
|
-
end
|
|
173
|
-
|
|
174
|
-
it "should issue new token" do
|
|
175
|
-
expect do
|
|
176
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner, scope: "public")
|
|
177
|
-
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
|
178
|
-
|
|
179
|
-
token = Doorkeeper::AccessToken.first
|
|
180
|
-
|
|
181
|
-
expect(token.application_id).to eq @client.id
|
|
182
|
-
should_have_json "access_token", token.token
|
|
183
|
-
should_have_json "scope", "public"
|
|
184
|
-
end
|
|
185
|
-
end
|
|
186
|
-
end
|
|
187
|
-
|
|
188
|
-
context "when application scopes are present and differs from configured default scopes and no scope is passed" do
|
|
189
|
-
before do
|
|
190
|
-
default_scopes_exist :public
|
|
191
|
-
@client.update(scopes: "abc")
|
|
192
|
-
end
|
|
193
|
-
|
|
194
|
-
it "issues new token without any scope" do
|
|
195
|
-
expect do
|
|
196
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
|
197
|
-
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
|
198
|
-
|
|
199
|
-
token = Doorkeeper::AccessToken.first
|
|
200
|
-
|
|
201
|
-
expect(token.application_id).to eq @client.id
|
|
202
|
-
expect(token.scopes).to be_empty
|
|
203
|
-
should_have_json "access_token", token.token
|
|
204
|
-
should_not_have_json "scope"
|
|
205
|
-
end
|
|
206
|
-
end
|
|
207
|
-
|
|
208
|
-
context "when application scopes contain some of the default scopes and no scope is passed" do
|
|
209
|
-
before do
|
|
210
|
-
@client.update(scopes: "read write public")
|
|
211
|
-
end
|
|
212
|
-
|
|
213
|
-
it "issues new token with one default scope that are present in application scopes" do
|
|
214
|
-
default_scopes_exist :public, :admin
|
|
215
|
-
|
|
216
|
-
expect do
|
|
217
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
|
218
|
-
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
|
219
|
-
|
|
220
|
-
token = Doorkeeper::AccessToken.first
|
|
221
|
-
|
|
222
|
-
expect(token.application_id).to eq @client.id
|
|
223
|
-
should_have_json "access_token", token.token
|
|
224
|
-
should_have_json "scope", "public"
|
|
225
|
-
end
|
|
226
|
-
|
|
227
|
-
it "issues new token with multiple default scopes that are present in application scopes" do
|
|
228
|
-
default_scopes_exist :public, :read, :update
|
|
229
|
-
|
|
230
|
-
expect do
|
|
231
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
|
232
|
-
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
|
233
|
-
|
|
234
|
-
token = Doorkeeper::AccessToken.first
|
|
235
|
-
|
|
236
|
-
expect(token.application_id).to eq @client.id
|
|
237
|
-
should_have_json "access_token", token.token
|
|
238
|
-
should_have_json "scope", "public read"
|
|
239
|
-
end
|
|
240
|
-
end
|
|
241
|
-
|
|
242
|
-
context "with invalid scopes" do
|
|
243
|
-
subject do
|
|
244
|
-
post password_token_endpoint_url(
|
|
245
|
-
client: @client,
|
|
246
|
-
resource_owner: @resource_owner,
|
|
247
|
-
scope: "random",
|
|
248
|
-
)
|
|
249
|
-
end
|
|
250
|
-
|
|
251
|
-
it "should not issue new token" do
|
|
252
|
-
expect { subject }.to_not(change { Doorkeeper::AccessToken.count })
|
|
253
|
-
end
|
|
254
|
-
|
|
255
|
-
it "should return invalid_scope error" do
|
|
256
|
-
subject
|
|
257
|
-
should_have_json "error", "invalid_scope"
|
|
258
|
-
should_have_json "error_description", translated_error_message(:invalid_scope)
|
|
259
|
-
should_not_have_json "access_token"
|
|
260
|
-
|
|
261
|
-
expect(response.status).to eq(400)
|
|
262
|
-
end
|
|
263
|
-
end
|
|
264
|
-
|
|
265
|
-
context "with invalid user credentials" do
|
|
266
|
-
it "should not issue new token with bad password" do
|
|
267
|
-
expect do
|
|
268
|
-
post password_token_endpoint_url(
|
|
269
|
-
client: @client,
|
|
270
|
-
resource_owner_username: @resource_owner.name,
|
|
271
|
-
resource_owner_password: "wrongpassword",
|
|
272
|
-
)
|
|
273
|
-
end.to_not(change { Doorkeeper::AccessToken.count })
|
|
274
|
-
end
|
|
275
|
-
|
|
276
|
-
it "should not issue new token without credentials" do
|
|
277
|
-
expect do
|
|
278
|
-
post password_token_endpoint_url(client: @client)
|
|
279
|
-
end.to_not(change { Doorkeeper::AccessToken.count })
|
|
280
|
-
end
|
|
281
|
-
|
|
282
|
-
it "should not issue new token if resource_owner_from_credentials returned false or nil" do
|
|
283
|
-
config_is_set(:resource_owner_from_credentials) { false }
|
|
284
|
-
|
|
285
|
-
expect do
|
|
286
|
-
post password_token_endpoint_url(client: @client)
|
|
287
|
-
end.to_not(change { Doorkeeper::AccessToken.count })
|
|
288
|
-
|
|
289
|
-
config_is_set(:resource_owner_from_credentials) { nil }
|
|
290
|
-
|
|
291
|
-
expect do
|
|
292
|
-
post password_token_endpoint_url(client: @client)
|
|
293
|
-
end.to_not(change { Doorkeeper::AccessToken.count })
|
|
294
|
-
end
|
|
295
|
-
end
|
|
296
|
-
|
|
297
|
-
context "with invalid confidential client credentials" do
|
|
298
|
-
it "should not issue new token with bad client credentials" do
|
|
299
|
-
expect do
|
|
300
|
-
post password_token_endpoint_url(
|
|
301
|
-
client_id: @client.uid,
|
|
302
|
-
client_secret: "bad_secret",
|
|
303
|
-
resource_owner: @resource_owner,
|
|
304
|
-
)
|
|
305
|
-
end.to_not(change { Doorkeeper::AccessToken.count })
|
|
306
|
-
end
|
|
307
|
-
end
|
|
308
|
-
|
|
309
|
-
context "with invalid public client id" do
|
|
310
|
-
it "should not issue new token with bad client id" do
|
|
311
|
-
expect do
|
|
312
|
-
post password_token_endpoint_url(client_id: "bad_id", resource_owner: @resource_owner)
|
|
313
|
-
end.to_not(change { Doorkeeper::AccessToken.count })
|
|
314
|
-
end
|
|
315
|
-
end
|
|
316
|
-
end
|