doorkeeper 5.3.2 → 5.5.0.rc1

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of doorkeeper might be problematic. Click here for more details.

Files changed (231) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +106 -2
  3. data/README.md +6 -4
  4. data/app/controllers/doorkeeper/applications_controller.rb +4 -4
  5. data/app/controllers/doorkeeper/authorizations_controller.rb +32 -12
  6. data/app/controllers/doorkeeper/authorized_applications_controller.rb +2 -2
  7. data/app/controllers/doorkeeper/tokens_controller.rb +60 -20
  8. data/app/views/doorkeeper/applications/_form.html.erb +1 -1
  9. data/app/views/doorkeeper/applications/show.html.erb +19 -2
  10. data/config/locales/en.yml +3 -2
  11. data/lib/doorkeeper.rb +107 -79
  12. data/lib/doorkeeper/config.rb +140 -94
  13. data/lib/doorkeeper/config/abstract_builder.rb +28 -0
  14. data/lib/doorkeeper/config/option.rb +26 -14
  15. data/lib/doorkeeper/config/validations.rb +53 -0
  16. data/lib/doorkeeper/engine.rb +1 -1
  17. data/lib/doorkeeper/grant_flow.rb +43 -0
  18. data/lib/doorkeeper/grant_flow/fallback_flow.rb +15 -0
  19. data/lib/doorkeeper/grant_flow/flow.rb +34 -0
  20. data/lib/doorkeeper/grant_flow/registry.rb +50 -0
  21. data/lib/doorkeeper/grape/helpers.rb +1 -1
  22. data/lib/doorkeeper/helpers/controller.rb +6 -4
  23. data/lib/doorkeeper/models/access_grant_mixin.rb +20 -16
  24. data/lib/doorkeeper/models/access_token_mixin.rb +110 -47
  25. data/lib/doorkeeper/models/application_mixin.rb +5 -4
  26. data/lib/doorkeeper/models/concerns/resource_ownerable.rb +47 -0
  27. data/lib/doorkeeper/models/concerns/revocable.rb +1 -1
  28. data/lib/doorkeeper/models/concerns/scopes.rb +5 -1
  29. data/lib/doorkeeper/models/concerns/secret_storable.rb +1 -3
  30. data/lib/doorkeeper/oauth/authorization/code.rb +15 -6
  31. data/lib/doorkeeper/oauth/authorization/context.rb +5 -5
  32. data/lib/doorkeeper/oauth/authorization/token.rb +14 -16
  33. data/lib/doorkeeper/oauth/authorization/uri_builder.rb +4 -4
  34. data/lib/doorkeeper/oauth/authorization_code_request.rb +17 -14
  35. data/lib/doorkeeper/oauth/base_request.rb +12 -20
  36. data/lib/doorkeeper/oauth/client.rb +1 -1
  37. data/lib/doorkeeper/oauth/client/credentials.rb +2 -4
  38. data/lib/doorkeeper/oauth/client_credentials/creator.rb +27 -8
  39. data/lib/doorkeeper/oauth/client_credentials/issuer.rb +4 -2
  40. data/lib/doorkeeper/oauth/client_credentials/validator.rb +4 -2
  41. data/lib/doorkeeper/oauth/client_credentials_request.rb +8 -7
  42. data/lib/doorkeeper/oauth/code_request.rb +3 -3
  43. data/lib/doorkeeper/oauth/code_response.rb +28 -14
  44. data/lib/doorkeeper/oauth/error_response.rb +6 -7
  45. data/lib/doorkeeper/oauth/helpers/scope_checker.rb +2 -8
  46. data/lib/doorkeeper/oauth/hooks/context.rb +21 -0
  47. data/lib/doorkeeper/oauth/invalid_token_response.rb +2 -2
  48. data/lib/doorkeeper/oauth/password_access_token_request.rb +24 -7
  49. data/lib/doorkeeper/oauth/pre_authorization.rb +41 -31
  50. data/lib/doorkeeper/oauth/refresh_token_request.rb +31 -22
  51. data/lib/doorkeeper/oauth/token.rb +5 -6
  52. data/lib/doorkeeper/oauth/token_introspection.rb +4 -8
  53. data/lib/doorkeeper/oauth/token_request.rb +3 -3
  54. data/lib/doorkeeper/oauth/token_response.rb +1 -1
  55. data/lib/doorkeeper/orm/active_record.rb +10 -2
  56. data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +8 -3
  57. data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +7 -3
  58. data/lib/doorkeeper/orm/active_record/mixins/application.rb +20 -16
  59. data/lib/doorkeeper/rails/routes.rb +14 -18
  60. data/lib/doorkeeper/rails/routes/abstract_router.rb +35 -0
  61. data/lib/doorkeeper/rails/routes/mapper.rb +2 -2
  62. data/lib/doorkeeper/rails/routes/registry.rb +45 -0
  63. data/lib/doorkeeper/request.rb +49 -12
  64. data/lib/doorkeeper/request/refresh_token.rb +2 -1
  65. data/lib/doorkeeper/request/strategy.rb +2 -2
  66. data/lib/doorkeeper/server.rb +4 -4
  67. data/lib/doorkeeper/stale_records_cleaner.rb +4 -4
  68. data/lib/doorkeeper/version.rb +3 -3
  69. data/lib/generators/doorkeeper/confidential_applications_generator.rb +1 -1
  70. data/lib/generators/doorkeeper/enable_polymorphic_resource_owner_generator.rb +39 -0
  71. data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +2 -0
  72. data/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb.erb +2 -0
  73. data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +2 -0
  74. data/lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb +17 -0
  75. data/lib/generators/doorkeeper/templates/initializer.rb +48 -10
  76. data/lib/generators/doorkeeper/templates/migration.rb.erb +14 -5
  77. metadata +21 -299
  78. data/Appraisals +0 -40
  79. data/CODE_OF_CONDUCT.md +0 -46
  80. data/CONTRIBUTING.md +0 -49
  81. data/Dangerfile +0 -67
  82. data/Dockerfile +0 -29
  83. data/Gemfile +0 -25
  84. data/NEWS.md +0 -1
  85. data/RELEASING.md +0 -11
  86. data/Rakefile +0 -28
  87. data/SECURITY.md +0 -15
  88. data/UPGRADE.md +0 -2
  89. data/bin/console +0 -16
  90. data/doorkeeper.gemspec +0 -42
  91. data/gemfiles/rails_5_0.gemfile +0 -18
  92. data/gemfiles/rails_5_1.gemfile +0 -18
  93. data/gemfiles/rails_5_2.gemfile +0 -18
  94. data/gemfiles/rails_6_0.gemfile +0 -18
  95. data/gemfiles/rails_master.gemfile +0 -18
  96. data/spec/controllers/application_metal_controller_spec.rb +0 -64
  97. data/spec/controllers/applications_controller_spec.rb +0 -274
  98. data/spec/controllers/authorizations_controller_spec.rb +0 -608
  99. data/spec/controllers/protected_resources_controller_spec.rb +0 -361
  100. data/spec/controllers/token_info_controller_spec.rb +0 -50
  101. data/spec/controllers/tokens_controller_spec.rb +0 -498
  102. data/spec/dummy/Rakefile +0 -9
  103. data/spec/dummy/app/assets/config/manifest.js +0 -2
  104. data/spec/dummy/app/controllers/application_controller.rb +0 -5
  105. data/spec/dummy/app/controllers/custom_authorizations_controller.rb +0 -9
  106. data/spec/dummy/app/controllers/full_protected_resources_controller.rb +0 -14
  107. data/spec/dummy/app/controllers/home_controller.rb +0 -18
  108. data/spec/dummy/app/controllers/metal_controller.rb +0 -13
  109. data/spec/dummy/app/controllers/semi_protected_resources_controller.rb +0 -13
  110. data/spec/dummy/app/helpers/application_helper.rb +0 -7
  111. data/spec/dummy/app/models/user.rb +0 -7
  112. data/spec/dummy/app/views/home/index.html.erb +0 -0
  113. data/spec/dummy/app/views/layouts/application.html.erb +0 -14
  114. data/spec/dummy/config.ru +0 -6
  115. data/spec/dummy/config/application.rb +0 -49
  116. data/spec/dummy/config/boot.rb +0 -7
  117. data/spec/dummy/config/database.yml +0 -15
  118. data/spec/dummy/config/environment.rb +0 -5
  119. data/spec/dummy/config/environments/development.rb +0 -31
  120. data/spec/dummy/config/environments/production.rb +0 -64
  121. data/spec/dummy/config/environments/test.rb +0 -45
  122. data/spec/dummy/config/initializers/backtrace_silencers.rb +0 -9
  123. data/spec/dummy/config/initializers/doorkeeper.rb +0 -166
  124. data/spec/dummy/config/initializers/secret_token.rb +0 -10
  125. data/spec/dummy/config/initializers/session_store.rb +0 -10
  126. data/spec/dummy/config/initializers/wrap_parameters.rb +0 -16
  127. data/spec/dummy/config/locales/doorkeeper.en.yml +0 -5
  128. data/spec/dummy/config/routes.rb +0 -13
  129. data/spec/dummy/db/migrate/20111122132257_create_users.rb +0 -11
  130. data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb +0 -7
  131. data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +0 -69
  132. data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb +0 -9
  133. data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb +0 -13
  134. data/spec/dummy/db/migrate/20170822064514_enable_pkce.rb +0 -8
  135. data/spec/dummy/db/migrate/20180210183654_add_confidential_to_applications.rb +0 -13
  136. data/spec/dummy/db/schema.rb +0 -68
  137. data/spec/dummy/public/404.html +0 -26
  138. data/spec/dummy/public/422.html +0 -26
  139. data/spec/dummy/public/500.html +0 -26
  140. data/spec/dummy/public/favicon.ico +0 -0
  141. data/spec/dummy/script/rails +0 -9
  142. data/spec/factories.rb +0 -30
  143. data/spec/generators/application_owner_generator_spec.rb +0 -28
  144. data/spec/generators/confidential_applications_generator_spec.rb +0 -29
  145. data/spec/generators/install_generator_spec.rb +0 -36
  146. data/spec/generators/migration_generator_spec.rb +0 -28
  147. data/spec/generators/pkce_generator_spec.rb +0 -28
  148. data/spec/generators/previous_refresh_token_generator_spec.rb +0 -44
  149. data/spec/generators/templates/routes.rb +0 -4
  150. data/spec/generators/views_generator_spec.rb +0 -29
  151. data/spec/grape/grape_integration_spec.rb +0 -137
  152. data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +0 -26
  153. data/spec/lib/config_spec.rb +0 -809
  154. data/spec/lib/doorkeeper_spec.rb +0 -27
  155. data/spec/lib/models/expirable_spec.rb +0 -61
  156. data/spec/lib/models/reusable_spec.rb +0 -40
  157. data/spec/lib/models/revocable_spec.rb +0 -59
  158. data/spec/lib/models/scopes_spec.rb +0 -53
  159. data/spec/lib/models/secret_storable_spec.rb +0 -135
  160. data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -39
  161. data/spec/lib/oauth/authorization_code_request_spec.rb +0 -170
  162. data/spec/lib/oauth/base_request_spec.rb +0 -224
  163. data/spec/lib/oauth/base_response_spec.rb +0 -45
  164. data/spec/lib/oauth/client/credentials_spec.rb +0 -90
  165. data/spec/lib/oauth/client_credentials/creator_spec.rb +0 -134
  166. data/spec/lib/oauth/client_credentials/issuer_spec.rb +0 -112
  167. data/spec/lib/oauth/client_credentials/validation_spec.rb +0 -59
  168. data/spec/lib/oauth/client_credentials_integration_spec.rb +0 -27
  169. data/spec/lib/oauth/client_credentials_request_spec.rb +0 -107
  170. data/spec/lib/oauth/client_spec.rb +0 -38
  171. data/spec/lib/oauth/code_request_spec.rb +0 -46
  172. data/spec/lib/oauth/code_response_spec.rb +0 -32
  173. data/spec/lib/oauth/error_response_spec.rb +0 -64
  174. data/spec/lib/oauth/error_spec.rb +0 -21
  175. data/spec/lib/oauth/forbidden_token_response_spec.rb +0 -20
  176. data/spec/lib/oauth/helpers/scope_checker_spec.rb +0 -110
  177. data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -21
  178. data/spec/lib/oauth/helpers/uri_checker_spec.rb +0 -262
  179. data/spec/lib/oauth/invalid_request_response_spec.rb +0 -73
  180. data/spec/lib/oauth/invalid_token_response_spec.rb +0 -53
  181. data/spec/lib/oauth/password_access_token_request_spec.rb +0 -190
  182. data/spec/lib/oauth/pre_authorization_spec.rb +0 -223
  183. data/spec/lib/oauth/refresh_token_request_spec.rb +0 -177
  184. data/spec/lib/oauth/scopes_spec.rb +0 -146
  185. data/spec/lib/oauth/token_request_spec.rb +0 -157
  186. data/spec/lib/oauth/token_response_spec.rb +0 -84
  187. data/spec/lib/oauth/token_spec.rb +0 -156
  188. data/spec/lib/request/strategy_spec.rb +0 -54
  189. data/spec/lib/secret_storing/base_spec.rb +0 -60
  190. data/spec/lib/secret_storing/bcrypt_spec.rb +0 -49
  191. data/spec/lib/secret_storing/plain_spec.rb +0 -44
  192. data/spec/lib/secret_storing/sha256_hash_spec.rb +0 -48
  193. data/spec/lib/server_spec.rb +0 -49
  194. data/spec/lib/stale_records_cleaner_spec.rb +0 -89
  195. data/spec/models/doorkeeper/access_grant_spec.rb +0 -161
  196. data/spec/models/doorkeeper/access_token_spec.rb +0 -622
  197. data/spec/models/doorkeeper/application_spec.rb +0 -482
  198. data/spec/requests/applications/applications_request_spec.rb +0 -259
  199. data/spec/requests/applications/authorized_applications_spec.rb +0 -32
  200. data/spec/requests/endpoints/authorization_spec.rb +0 -91
  201. data/spec/requests/endpoints/token_spec.rb +0 -75
  202. data/spec/requests/flows/authorization_code_errors_spec.rb +0 -79
  203. data/spec/requests/flows/authorization_code_spec.rb +0 -525
  204. data/spec/requests/flows/client_credentials_spec.rb +0 -166
  205. data/spec/requests/flows/implicit_grant_errors_spec.rb +0 -46
  206. data/spec/requests/flows/implicit_grant_spec.rb +0 -91
  207. data/spec/requests/flows/password_spec.rb +0 -316
  208. data/spec/requests/flows/refresh_token_spec.rb +0 -233
  209. data/spec/requests/flows/revoke_token_spec.rb +0 -157
  210. data/spec/requests/flows/skip_authorization_spec.rb +0 -66
  211. data/spec/requests/protected_resources/metal_spec.rb +0 -16
  212. data/spec/requests/protected_resources/private_api_spec.rb +0 -83
  213. data/spec/routing/custom_controller_routes_spec.rb +0 -133
  214. data/spec/routing/default_routes_spec.rb +0 -41
  215. data/spec/routing/scoped_routes_spec.rb +0 -47
  216. data/spec/spec_helper.rb +0 -54
  217. data/spec/spec_helper_integration.rb +0 -4
  218. data/spec/support/dependencies/factory_bot.rb +0 -4
  219. data/spec/support/doorkeeper_rspec.rb +0 -22
  220. data/spec/support/helpers/access_token_request_helper.rb +0 -13
  221. data/spec/support/helpers/authorization_request_helper.rb +0 -43
  222. data/spec/support/helpers/config_helper.rb +0 -11
  223. data/spec/support/helpers/model_helper.rb +0 -78
  224. data/spec/support/helpers/request_spec_helper.rb +0 -110
  225. data/spec/support/helpers/url_helper.rb +0 -62
  226. data/spec/support/orm/active_record.rb +0 -5
  227. data/spec/support/shared/controllers_shared_context.rb +0 -133
  228. data/spec/support/shared/hashing_shared_context.rb +0 -36
  229. data/spec/support/shared/models_shared_examples.rb +0 -54
  230. data/spec/validators/redirect_uri_validator_spec.rb +0 -183
  231. data/spec/version/version_spec.rb +0 -17
@@ -1,233 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- require "spec_helper"
4
-
5
- describe "Refresh Token Flow" do
6
- before do
7
- Doorkeeper.configure do
8
- orm DOORKEEPER_ORM
9
- use_refresh_token
10
- end
11
-
12
- client_exists
13
- end
14
-
15
- context "issuing a refresh token" do
16
- before do
17
- authorization_code_exists application: @client
18
- end
19
-
20
- it "client gets the refresh token and refreshes it" do
21
- post token_endpoint_url(code: @authorization.token, client: @client)
22
-
23
- token = Doorkeeper::AccessToken.first
24
-
25
- should_have_json "access_token", token.token
26
- should_have_json "refresh_token", token.refresh_token
27
-
28
- expect(@authorization.reload).to be_revoked
29
-
30
- post refresh_token_endpoint_url(client: @client, refresh_token: token.refresh_token)
31
-
32
- new_token = Doorkeeper::AccessToken.last
33
- should_have_json "access_token", new_token.token
34
- should_have_json "refresh_token", new_token.refresh_token
35
-
36
- expect(token.token).not_to eq(new_token.token)
37
- expect(token.refresh_token).not_to eq(new_token.refresh_token)
38
- end
39
- end
40
-
41
- context "refreshing the token" do
42
- before do
43
- @token = FactoryBot.create(
44
- :access_token,
45
- application: @client,
46
- resource_owner_id: 1,
47
- use_refresh_token: true,
48
- )
49
- end
50
-
51
- context "refresh_token revoked on use" do
52
- it "client request a token with refresh token" do
53
- post refresh_token_endpoint_url(
54
- client: @client, refresh_token: @token.refresh_token,
55
- )
56
- should_have_json(
57
- "refresh_token", Doorkeeper::AccessToken.last.refresh_token,
58
- )
59
- expect(@token.reload).not_to be_revoked
60
- end
61
-
62
- it "client request a token with expired access token" do
63
- @token.update_attribute :expires_in, -100
64
- post refresh_token_endpoint_url(
65
- client: @client, refresh_token: @token.refresh_token,
66
- )
67
- should_have_json(
68
- "refresh_token", Doorkeeper::AccessToken.last.refresh_token,
69
- )
70
- expect(@token.reload).not_to be_revoked
71
- end
72
- end
73
-
74
- context "refresh_token revoked on refresh_token request" do
75
- before do
76
- allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
77
- end
78
-
79
- it "client request a token with refresh token" do
80
- post refresh_token_endpoint_url(
81
- client: @client, refresh_token: @token.refresh_token,
82
- )
83
- should_have_json(
84
- "refresh_token", Doorkeeper::AccessToken.last.refresh_token,
85
- )
86
- expect(@token.reload).to be_revoked
87
- end
88
-
89
- it "client request a token with expired access token" do
90
- @token.update_attribute :expires_in, -100
91
- post refresh_token_endpoint_url(
92
- client: @client, refresh_token: @token.refresh_token,
93
- )
94
- should_have_json(
95
- "refresh_token", Doorkeeper::AccessToken.last.refresh_token,
96
- )
97
- expect(@token.reload).to be_revoked
98
- end
99
- end
100
-
101
- context "public & private clients" do
102
- let(:public_client) do
103
- FactoryBot.create(
104
- :application,
105
- confidential: false,
106
- )
107
- end
108
-
109
- let(:token_for_private_client) do
110
- FactoryBot.create(
111
- :access_token,
112
- application: @client,
113
- resource_owner_id: 1,
114
- use_refresh_token: true,
115
- )
116
- end
117
-
118
- let(:token_for_public_client) do
119
- FactoryBot.create(
120
- :access_token,
121
- application: public_client,
122
- resource_owner_id: 1,
123
- use_refresh_token: true,
124
- )
125
- end
126
-
127
- it "issues a new token without client_secret when refresh token was issued to a public client" do
128
- post refresh_token_endpoint_url(
129
- client_id: public_client.uid,
130
- refresh_token: token_for_public_client.refresh_token,
131
- )
132
-
133
- new_token = Doorkeeper::AccessToken.last
134
- should_have_json "access_token", new_token.token
135
- should_have_json "refresh_token", new_token.refresh_token
136
- end
137
-
138
- it "returns an error without credentials" do
139
- post refresh_token_endpoint_url(refresh_token: token_for_private_client.refresh_token)
140
-
141
- should_not_have_json "refresh_token"
142
- should_have_json "error", "invalid_grant"
143
- end
144
-
145
- it "returns an error with wrong credentials" do
146
- post refresh_token_endpoint_url(
147
- client_id: "1",
148
- client_secret: "1",
149
- refresh_token: token_for_private_client.refresh_token,
150
- )
151
-
152
- should_not_have_json "refresh_token"
153
- should_have_json "error", "invalid_client"
154
- end
155
- end
156
-
157
- it "client gets an error for invalid refresh token" do
158
- post refresh_token_endpoint_url(client: @client, refresh_token: "invalid")
159
- should_not_have_json "refresh_token"
160
- should_have_json "error", "invalid_grant"
161
- end
162
-
163
- it "client gets an error for revoked access token" do
164
- @token.revoke
165
- post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
166
- should_not_have_json "refresh_token"
167
- should_have_json "error", "invalid_grant"
168
- end
169
-
170
- it "second of simultaneous client requests get an error for revoked access token" do
171
- allow_any_instance_of(Doorkeeper::AccessToken).to receive(:revoked?).and_return(false, true)
172
- post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
173
-
174
- should_not_have_json "refresh_token"
175
- should_have_json "error", "invalid_grant"
176
- end
177
- end
178
-
179
- context "refreshing the token with multiple sessions (devices)" do
180
- before do
181
- # enable password auth to simulate other devices
182
- config_is_set(:grant_flows, ["password"])
183
- config_is_set(:resource_owner_from_credentials) do
184
- User.authenticate! params[:username], params[:password]
185
- end
186
- create_resource_owner
187
- _another_token = post password_token_endpoint_url(
188
- client: @client, resource_owner: @resource_owner,
189
- )
190
- last_token.update_attribute :created_at, 5.seconds.ago
191
-
192
- @token = FactoryBot.create(
193
- :access_token,
194
- application: @client,
195
- resource_owner_id: @resource_owner.id,
196
- use_refresh_token: true,
197
- )
198
- @token.update_attribute :expires_in, -100
199
- end
200
-
201
- context "refresh_token revoked on use" do
202
- it "client request a token after creating another token with the same user" do
203
- post refresh_token_endpoint_url(
204
- client: @client, refresh_token: @token.refresh_token,
205
- )
206
-
207
- should_have_json "refresh_token", last_token.refresh_token
208
- expect(@token.reload).not_to be_revoked
209
- end
210
- end
211
-
212
- context "refresh_token revoked on refresh_token request" do
213
- before do
214
- allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
215
- end
216
-
217
- it "client request a token after creating another token with the same user" do
218
- post refresh_token_endpoint_url(
219
- client: @client, refresh_token: @token.refresh_token,
220
- )
221
-
222
- should_have_json "refresh_token", last_token.refresh_token
223
- expect(@token.reload).to be_revoked
224
- end
225
- end
226
-
227
- def last_token
228
- Doorkeeper::AccessToken.last_authorized_token_for(
229
- @client.id, @resource_owner.id,
230
- )
231
- end
232
- end
233
- end
@@ -1,157 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- require "spec_helper"
4
-
5
- describe "Revoke Token Flow" do
6
- before do
7
- Doorkeeper.configure { orm DOORKEEPER_ORM }
8
- end
9
-
10
- context "with default parameters" do
11
- let(:client_application) { FactoryBot.create :application }
12
- let(:resource_owner) { User.create!(name: "John", password: "sekret") }
13
- let(:access_token) do
14
- FactoryBot.create(
15
- :access_token,
16
- application: client_application,
17
- resource_owner_id: resource_owner.id,
18
- use_refresh_token: true,
19
- )
20
- end
21
-
22
- context "with authenticated, confidential OAuth 2.0 client/application" do
23
- let(:headers) do
24
- client_id = client_application.uid
25
- client_secret = client_application.secret
26
- credentials = Base64.encode64("#{client_id}:#{client_secret}")
27
- { "HTTP_AUTHORIZATION" => "Basic #{credentials}" }
28
- end
29
-
30
- it "should revoke the access token provided" do
31
- post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
32
-
33
- expect(response).to be_successful
34
- expect(access_token.reload.revoked?).to be_truthy
35
- end
36
-
37
- it "should revoke the refresh token provided" do
38
- post revocation_token_endpoint_url, params: { token: access_token.refresh_token }, headers: headers
39
-
40
- expect(response).to be_successful
41
- expect(access_token.reload.revoked?).to be_truthy
42
- end
43
-
44
- context "with invalid token to revoke" do
45
- it "should not revoke any tokens and respond with forbidden" do
46
- expect do
47
- post revocation_token_endpoint_url,
48
- params: { token: "I_AM_AN_INVALID_TOKEN" },
49
- headers: headers
50
- end.not_to(change { Doorkeeper::AccessToken.where(revoked_at: nil).count })
51
-
52
- expect(response).to be_forbidden
53
- end
54
- end
55
-
56
- context "with bad credentials and a valid token" do
57
- let(:headers) do
58
- client_id = client_application.uid
59
- credentials = Base64.encode64("#{client_id}:poop")
60
- { "HTTP_AUTHORIZATION" => "Basic #{credentials}" }
61
- end
62
- it "should not revoke any tokens and respond with forbidden" do
63
- post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
64
-
65
- expect(response).to be_forbidden
66
- expect(response.body).to include("unauthorized_client")
67
- expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
68
- expect(access_token.reload.revoked?).to be_falsey
69
- end
70
- end
71
-
72
- context "with no credentials and a valid token" do
73
- it "should not revoke any tokens and respond with forbidden" do
74
- post revocation_token_endpoint_url, params: { token: access_token.token }
75
-
76
- expect(response).to be_forbidden
77
- expect(response.body).to include("unauthorized_client")
78
- expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
79
- expect(access_token.reload.revoked?).to be_falsey
80
- end
81
- end
82
-
83
- context "with valid token for another client application" do
84
- let(:other_client_application) { FactoryBot.create :application }
85
- let(:headers) do
86
- client_id = other_client_application.uid
87
- client_secret = other_client_application.secret
88
- credentials = Base64.encode64("#{client_id}:#{client_secret}")
89
- { "HTTP_AUTHORIZATION" => "Basic #{credentials}" }
90
- end
91
-
92
- it "should not revoke the token as its unauthorized" do
93
- post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
94
-
95
- expect(response).to be_forbidden
96
- expect(response.body).to include("unauthorized_client")
97
- expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
98
- expect(access_token.reload.revoked?).to be_falsey
99
- end
100
- end
101
- end
102
-
103
- context "with public OAuth 2.0 client/application" do
104
- let(:access_token) do
105
- FactoryBot.create(
106
- :access_token,
107
- application: nil,
108
- resource_owner_id: resource_owner.id,
109
- use_refresh_token: true,
110
- )
111
- end
112
-
113
- it "should revoke the access token provided" do
114
- post revocation_token_endpoint_url, params: { token: access_token.token }
115
-
116
- expect(response).to be_successful
117
- expect(access_token.reload.revoked?).to be_truthy
118
- end
119
-
120
- it "should revoke the refresh token provided" do
121
- post revocation_token_endpoint_url, params: { token: access_token.refresh_token }
122
-
123
- expect(response).to be_successful
124
- expect(access_token.reload.revoked?).to be_truthy
125
- end
126
-
127
- context "with a valid token issued for a confidential client" do
128
- let(:access_token) do
129
- FactoryBot.create(
130
- :access_token,
131
- application: client_application,
132
- resource_owner_id: resource_owner.id,
133
- use_refresh_token: true,
134
- )
135
- end
136
-
137
- it "should not revoke the access token provided" do
138
- post revocation_token_endpoint_url, params: { token: access_token.token }
139
-
140
- expect(response).to be_forbidden
141
- expect(response.body).to include("unauthorized_client")
142
- expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
143
- expect(access_token.reload.revoked?).to be_falsey
144
- end
145
-
146
- it "should not revoke the refresh token provided" do
147
- post revocation_token_endpoint_url, params: { token: access_token.token }
148
-
149
- expect(response).to be_forbidden
150
- expect(response.body).to include("unauthorized_client")
151
- expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
152
- expect(access_token.reload.revoked?).to be_falsey
153
- end
154
- end
155
- end
156
- end
157
- end
@@ -1,66 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- require "spec_helper"
4
-
5
- feature "Skip authorization form" do
6
- background do
7
- config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
8
- client_exists
9
- default_scopes_exist :public
10
- optional_scopes_exist :write
11
- end
12
-
13
- context "for previously authorized clients" do
14
- background do
15
- create_resource_owner
16
- sign_in
17
- end
18
-
19
- scenario "skips the authorization and return a new grant code" do
20
- client_is_authorized(@client, @resource_owner, scopes: "public")
21
- visit authorization_endpoint_url(client: @client, scope: "public")
22
-
23
- i_should_not_see "Authorize"
24
- client_should_be_authorized @client
25
- i_should_be_on_client_callback @client
26
- url_should_have_param "code", Doorkeeper::AccessGrant.first.token
27
- end
28
-
29
- scenario "skips the authorization if other scopes are not requested" do
30
- client_exists scopes: "public read write"
31
- client_is_authorized(@client, @resource_owner, scopes: "public")
32
- visit authorization_endpoint_url(client: @client, scope: "public")
33
-
34
- i_should_not_see "Authorize"
35
- client_should_be_authorized @client
36
- i_should_be_on_client_callback @client
37
- url_should_have_param "code", Doorkeeper::AccessGrant.first.token
38
- end
39
-
40
- scenario "does not skip authorization when scopes differ (new request has fewer scopes)" do
41
- client_is_authorized(@client, @resource_owner, scopes: "public write")
42
- visit authorization_endpoint_url(client: @client, scope: "public")
43
- i_should_see "Authorize"
44
- end
45
-
46
- scenario "does not skip authorization when scopes differ (new request has more scopes)" do
47
- client_is_authorized(@client, @resource_owner, scopes: "public write")
48
- visit authorization_endpoint_url(client: @client, scopes: "public write email")
49
- i_should_see "Authorize"
50
- end
51
-
52
- scenario "creates grant with new scope when scopes differ" do
53
- client_is_authorized(@client, @resource_owner, scopes: "public write")
54
- visit authorization_endpoint_url(client: @client, scope: "public")
55
- click_on "Authorize"
56
- access_grant_should_have_scopes :public
57
- end
58
-
59
- scenario "creates grant with new scope when scopes are greater" do
60
- client_is_authorized(@client, @resource_owner, scopes: "public")
61
- visit authorization_endpoint_url(client: @client, scope: "public write")
62
- click_on "Authorize"
63
- access_grant_should_have_scopes :public, :write
64
- end
65
- end
66
- end