doorkeeper 5.3.2 → 5.5.0.rc1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of doorkeeper might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +106 -2
- data/README.md +6 -4
- data/app/controllers/doorkeeper/applications_controller.rb +4 -4
- data/app/controllers/doorkeeper/authorizations_controller.rb +32 -12
- data/app/controllers/doorkeeper/authorized_applications_controller.rb +2 -2
- data/app/controllers/doorkeeper/tokens_controller.rb +60 -20
- data/app/views/doorkeeper/applications/_form.html.erb +1 -1
- data/app/views/doorkeeper/applications/show.html.erb +19 -2
- data/config/locales/en.yml +3 -2
- data/lib/doorkeeper.rb +107 -79
- data/lib/doorkeeper/config.rb +140 -94
- data/lib/doorkeeper/config/abstract_builder.rb +28 -0
- data/lib/doorkeeper/config/option.rb +26 -14
- data/lib/doorkeeper/config/validations.rb +53 -0
- data/lib/doorkeeper/engine.rb +1 -1
- data/lib/doorkeeper/grant_flow.rb +43 -0
- data/lib/doorkeeper/grant_flow/fallback_flow.rb +15 -0
- data/lib/doorkeeper/grant_flow/flow.rb +34 -0
- data/lib/doorkeeper/grant_flow/registry.rb +50 -0
- data/lib/doorkeeper/grape/helpers.rb +1 -1
- data/lib/doorkeeper/helpers/controller.rb +6 -4
- data/lib/doorkeeper/models/access_grant_mixin.rb +20 -16
- data/lib/doorkeeper/models/access_token_mixin.rb +110 -47
- data/lib/doorkeeper/models/application_mixin.rb +5 -4
- data/lib/doorkeeper/models/concerns/resource_ownerable.rb +47 -0
- data/lib/doorkeeper/models/concerns/revocable.rb +1 -1
- data/lib/doorkeeper/models/concerns/scopes.rb +5 -1
- data/lib/doorkeeper/models/concerns/secret_storable.rb +1 -3
- data/lib/doorkeeper/oauth/authorization/code.rb +15 -6
- data/lib/doorkeeper/oauth/authorization/context.rb +5 -5
- data/lib/doorkeeper/oauth/authorization/token.rb +14 -16
- data/lib/doorkeeper/oauth/authorization/uri_builder.rb +4 -4
- data/lib/doorkeeper/oauth/authorization_code_request.rb +17 -14
- data/lib/doorkeeper/oauth/base_request.rb +12 -20
- data/lib/doorkeeper/oauth/client.rb +1 -1
- data/lib/doorkeeper/oauth/client/credentials.rb +2 -4
- data/lib/doorkeeper/oauth/client_credentials/creator.rb +27 -8
- data/lib/doorkeeper/oauth/client_credentials/issuer.rb +4 -2
- data/lib/doorkeeper/oauth/client_credentials/validator.rb +4 -2
- data/lib/doorkeeper/oauth/client_credentials_request.rb +8 -7
- data/lib/doorkeeper/oauth/code_request.rb +3 -3
- data/lib/doorkeeper/oauth/code_response.rb +28 -14
- data/lib/doorkeeper/oauth/error_response.rb +6 -7
- data/lib/doorkeeper/oauth/helpers/scope_checker.rb +2 -8
- data/lib/doorkeeper/oauth/hooks/context.rb +21 -0
- data/lib/doorkeeper/oauth/invalid_token_response.rb +2 -2
- data/lib/doorkeeper/oauth/password_access_token_request.rb +24 -7
- data/lib/doorkeeper/oauth/pre_authorization.rb +41 -31
- data/lib/doorkeeper/oauth/refresh_token_request.rb +31 -22
- data/lib/doorkeeper/oauth/token.rb +5 -6
- data/lib/doorkeeper/oauth/token_introspection.rb +4 -8
- data/lib/doorkeeper/oauth/token_request.rb +3 -3
- data/lib/doorkeeper/oauth/token_response.rb +1 -1
- data/lib/doorkeeper/orm/active_record.rb +10 -2
- data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +8 -3
- data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +7 -3
- data/lib/doorkeeper/orm/active_record/mixins/application.rb +20 -16
- data/lib/doorkeeper/rails/routes.rb +14 -18
- data/lib/doorkeeper/rails/routes/abstract_router.rb +35 -0
- data/lib/doorkeeper/rails/routes/mapper.rb +2 -2
- data/lib/doorkeeper/rails/routes/registry.rb +45 -0
- data/lib/doorkeeper/request.rb +49 -12
- data/lib/doorkeeper/request/refresh_token.rb +2 -1
- data/lib/doorkeeper/request/strategy.rb +2 -2
- data/lib/doorkeeper/server.rb +4 -4
- data/lib/doorkeeper/stale_records_cleaner.rb +4 -4
- data/lib/doorkeeper/version.rb +3 -3
- data/lib/generators/doorkeeper/confidential_applications_generator.rb +1 -1
- data/lib/generators/doorkeeper/enable_polymorphic_resource_owner_generator.rb +39 -0
- data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +2 -0
- data/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb.erb +2 -0
- data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +2 -0
- data/lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb +17 -0
- data/lib/generators/doorkeeper/templates/initializer.rb +48 -10
- data/lib/generators/doorkeeper/templates/migration.rb.erb +14 -5
- metadata +21 -299
- data/Appraisals +0 -40
- data/CODE_OF_CONDUCT.md +0 -46
- data/CONTRIBUTING.md +0 -49
- data/Dangerfile +0 -67
- data/Dockerfile +0 -29
- data/Gemfile +0 -25
- data/NEWS.md +0 -1
- data/RELEASING.md +0 -11
- data/Rakefile +0 -28
- data/SECURITY.md +0 -15
- data/UPGRADE.md +0 -2
- data/bin/console +0 -16
- data/doorkeeper.gemspec +0 -42
- data/gemfiles/rails_5_0.gemfile +0 -18
- data/gemfiles/rails_5_1.gemfile +0 -18
- data/gemfiles/rails_5_2.gemfile +0 -18
- data/gemfiles/rails_6_0.gemfile +0 -18
- data/gemfiles/rails_master.gemfile +0 -18
- data/spec/controllers/application_metal_controller_spec.rb +0 -64
- data/spec/controllers/applications_controller_spec.rb +0 -274
- data/spec/controllers/authorizations_controller_spec.rb +0 -608
- data/spec/controllers/protected_resources_controller_spec.rb +0 -361
- data/spec/controllers/token_info_controller_spec.rb +0 -50
- data/spec/controllers/tokens_controller_spec.rb +0 -498
- data/spec/dummy/Rakefile +0 -9
- data/spec/dummy/app/assets/config/manifest.js +0 -2
- data/spec/dummy/app/controllers/application_controller.rb +0 -5
- data/spec/dummy/app/controllers/custom_authorizations_controller.rb +0 -9
- data/spec/dummy/app/controllers/full_protected_resources_controller.rb +0 -14
- data/spec/dummy/app/controllers/home_controller.rb +0 -18
- data/spec/dummy/app/controllers/metal_controller.rb +0 -13
- data/spec/dummy/app/controllers/semi_protected_resources_controller.rb +0 -13
- data/spec/dummy/app/helpers/application_helper.rb +0 -7
- data/spec/dummy/app/models/user.rb +0 -7
- data/spec/dummy/app/views/home/index.html.erb +0 -0
- data/spec/dummy/app/views/layouts/application.html.erb +0 -14
- data/spec/dummy/config.ru +0 -6
- data/spec/dummy/config/application.rb +0 -49
- data/spec/dummy/config/boot.rb +0 -7
- data/spec/dummy/config/database.yml +0 -15
- data/spec/dummy/config/environment.rb +0 -5
- data/spec/dummy/config/environments/development.rb +0 -31
- data/spec/dummy/config/environments/production.rb +0 -64
- data/spec/dummy/config/environments/test.rb +0 -45
- data/spec/dummy/config/initializers/backtrace_silencers.rb +0 -9
- data/spec/dummy/config/initializers/doorkeeper.rb +0 -166
- data/spec/dummy/config/initializers/secret_token.rb +0 -10
- data/spec/dummy/config/initializers/session_store.rb +0 -10
- data/spec/dummy/config/initializers/wrap_parameters.rb +0 -16
- data/spec/dummy/config/locales/doorkeeper.en.yml +0 -5
- data/spec/dummy/config/routes.rb +0 -13
- data/spec/dummy/db/migrate/20111122132257_create_users.rb +0 -11
- data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb +0 -7
- data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +0 -69
- data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb +0 -9
- data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb +0 -13
- data/spec/dummy/db/migrate/20170822064514_enable_pkce.rb +0 -8
- data/spec/dummy/db/migrate/20180210183654_add_confidential_to_applications.rb +0 -13
- data/spec/dummy/db/schema.rb +0 -68
- data/spec/dummy/public/404.html +0 -26
- data/spec/dummy/public/422.html +0 -26
- data/spec/dummy/public/500.html +0 -26
- data/spec/dummy/public/favicon.ico +0 -0
- data/spec/dummy/script/rails +0 -9
- data/spec/factories.rb +0 -30
- data/spec/generators/application_owner_generator_spec.rb +0 -28
- data/spec/generators/confidential_applications_generator_spec.rb +0 -29
- data/spec/generators/install_generator_spec.rb +0 -36
- data/spec/generators/migration_generator_spec.rb +0 -28
- data/spec/generators/pkce_generator_spec.rb +0 -28
- data/spec/generators/previous_refresh_token_generator_spec.rb +0 -44
- data/spec/generators/templates/routes.rb +0 -4
- data/spec/generators/views_generator_spec.rb +0 -29
- data/spec/grape/grape_integration_spec.rb +0 -137
- data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +0 -26
- data/spec/lib/config_spec.rb +0 -809
- data/spec/lib/doorkeeper_spec.rb +0 -27
- data/spec/lib/models/expirable_spec.rb +0 -61
- data/spec/lib/models/reusable_spec.rb +0 -40
- data/spec/lib/models/revocable_spec.rb +0 -59
- data/spec/lib/models/scopes_spec.rb +0 -53
- data/spec/lib/models/secret_storable_spec.rb +0 -135
- data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -39
- data/spec/lib/oauth/authorization_code_request_spec.rb +0 -170
- data/spec/lib/oauth/base_request_spec.rb +0 -224
- data/spec/lib/oauth/base_response_spec.rb +0 -45
- data/spec/lib/oauth/client/credentials_spec.rb +0 -90
- data/spec/lib/oauth/client_credentials/creator_spec.rb +0 -134
- data/spec/lib/oauth/client_credentials/issuer_spec.rb +0 -112
- data/spec/lib/oauth/client_credentials/validation_spec.rb +0 -59
- data/spec/lib/oauth/client_credentials_integration_spec.rb +0 -27
- data/spec/lib/oauth/client_credentials_request_spec.rb +0 -107
- data/spec/lib/oauth/client_spec.rb +0 -38
- data/spec/lib/oauth/code_request_spec.rb +0 -46
- data/spec/lib/oauth/code_response_spec.rb +0 -32
- data/spec/lib/oauth/error_response_spec.rb +0 -64
- data/spec/lib/oauth/error_spec.rb +0 -21
- data/spec/lib/oauth/forbidden_token_response_spec.rb +0 -20
- data/spec/lib/oauth/helpers/scope_checker_spec.rb +0 -110
- data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -21
- data/spec/lib/oauth/helpers/uri_checker_spec.rb +0 -262
- data/spec/lib/oauth/invalid_request_response_spec.rb +0 -73
- data/spec/lib/oauth/invalid_token_response_spec.rb +0 -53
- data/spec/lib/oauth/password_access_token_request_spec.rb +0 -190
- data/spec/lib/oauth/pre_authorization_spec.rb +0 -223
- data/spec/lib/oauth/refresh_token_request_spec.rb +0 -177
- data/spec/lib/oauth/scopes_spec.rb +0 -146
- data/spec/lib/oauth/token_request_spec.rb +0 -157
- data/spec/lib/oauth/token_response_spec.rb +0 -84
- data/spec/lib/oauth/token_spec.rb +0 -156
- data/spec/lib/request/strategy_spec.rb +0 -54
- data/spec/lib/secret_storing/base_spec.rb +0 -60
- data/spec/lib/secret_storing/bcrypt_spec.rb +0 -49
- data/spec/lib/secret_storing/plain_spec.rb +0 -44
- data/spec/lib/secret_storing/sha256_hash_spec.rb +0 -48
- data/spec/lib/server_spec.rb +0 -49
- data/spec/lib/stale_records_cleaner_spec.rb +0 -89
- data/spec/models/doorkeeper/access_grant_spec.rb +0 -161
- data/spec/models/doorkeeper/access_token_spec.rb +0 -622
- data/spec/models/doorkeeper/application_spec.rb +0 -482
- data/spec/requests/applications/applications_request_spec.rb +0 -259
- data/spec/requests/applications/authorized_applications_spec.rb +0 -32
- data/spec/requests/endpoints/authorization_spec.rb +0 -91
- data/spec/requests/endpoints/token_spec.rb +0 -75
- data/spec/requests/flows/authorization_code_errors_spec.rb +0 -79
- data/spec/requests/flows/authorization_code_spec.rb +0 -525
- data/spec/requests/flows/client_credentials_spec.rb +0 -166
- data/spec/requests/flows/implicit_grant_errors_spec.rb +0 -46
- data/spec/requests/flows/implicit_grant_spec.rb +0 -91
- data/spec/requests/flows/password_spec.rb +0 -316
- data/spec/requests/flows/refresh_token_spec.rb +0 -233
- data/spec/requests/flows/revoke_token_spec.rb +0 -157
- data/spec/requests/flows/skip_authorization_spec.rb +0 -66
- data/spec/requests/protected_resources/metal_spec.rb +0 -16
- data/spec/requests/protected_resources/private_api_spec.rb +0 -83
- data/spec/routing/custom_controller_routes_spec.rb +0 -133
- data/spec/routing/default_routes_spec.rb +0 -41
- data/spec/routing/scoped_routes_spec.rb +0 -47
- data/spec/spec_helper.rb +0 -54
- data/spec/spec_helper_integration.rb +0 -4
- data/spec/support/dependencies/factory_bot.rb +0 -4
- data/spec/support/doorkeeper_rspec.rb +0 -22
- data/spec/support/helpers/access_token_request_helper.rb +0 -13
- data/spec/support/helpers/authorization_request_helper.rb +0 -43
- data/spec/support/helpers/config_helper.rb +0 -11
- data/spec/support/helpers/model_helper.rb +0 -78
- data/spec/support/helpers/request_spec_helper.rb +0 -110
- data/spec/support/helpers/url_helper.rb +0 -62
- data/spec/support/orm/active_record.rb +0 -5
- data/spec/support/shared/controllers_shared_context.rb +0 -133
- data/spec/support/shared/hashing_shared_context.rb +0 -36
- data/spec/support/shared/models_shared_examples.rb +0 -54
- data/spec/validators/redirect_uri_validator_spec.rb +0 -183
- data/spec/version/version_spec.rb +0 -17
@@ -1,233 +0,0 @@
|
|
1
|
-
# frozen_string_literal: true
|
2
|
-
|
3
|
-
require "spec_helper"
|
4
|
-
|
5
|
-
describe "Refresh Token Flow" do
|
6
|
-
before do
|
7
|
-
Doorkeeper.configure do
|
8
|
-
orm DOORKEEPER_ORM
|
9
|
-
use_refresh_token
|
10
|
-
end
|
11
|
-
|
12
|
-
client_exists
|
13
|
-
end
|
14
|
-
|
15
|
-
context "issuing a refresh token" do
|
16
|
-
before do
|
17
|
-
authorization_code_exists application: @client
|
18
|
-
end
|
19
|
-
|
20
|
-
it "client gets the refresh token and refreshes it" do
|
21
|
-
post token_endpoint_url(code: @authorization.token, client: @client)
|
22
|
-
|
23
|
-
token = Doorkeeper::AccessToken.first
|
24
|
-
|
25
|
-
should_have_json "access_token", token.token
|
26
|
-
should_have_json "refresh_token", token.refresh_token
|
27
|
-
|
28
|
-
expect(@authorization.reload).to be_revoked
|
29
|
-
|
30
|
-
post refresh_token_endpoint_url(client: @client, refresh_token: token.refresh_token)
|
31
|
-
|
32
|
-
new_token = Doorkeeper::AccessToken.last
|
33
|
-
should_have_json "access_token", new_token.token
|
34
|
-
should_have_json "refresh_token", new_token.refresh_token
|
35
|
-
|
36
|
-
expect(token.token).not_to eq(new_token.token)
|
37
|
-
expect(token.refresh_token).not_to eq(new_token.refresh_token)
|
38
|
-
end
|
39
|
-
end
|
40
|
-
|
41
|
-
context "refreshing the token" do
|
42
|
-
before do
|
43
|
-
@token = FactoryBot.create(
|
44
|
-
:access_token,
|
45
|
-
application: @client,
|
46
|
-
resource_owner_id: 1,
|
47
|
-
use_refresh_token: true,
|
48
|
-
)
|
49
|
-
end
|
50
|
-
|
51
|
-
context "refresh_token revoked on use" do
|
52
|
-
it "client request a token with refresh token" do
|
53
|
-
post refresh_token_endpoint_url(
|
54
|
-
client: @client, refresh_token: @token.refresh_token,
|
55
|
-
)
|
56
|
-
should_have_json(
|
57
|
-
"refresh_token", Doorkeeper::AccessToken.last.refresh_token,
|
58
|
-
)
|
59
|
-
expect(@token.reload).not_to be_revoked
|
60
|
-
end
|
61
|
-
|
62
|
-
it "client request a token with expired access token" do
|
63
|
-
@token.update_attribute :expires_in, -100
|
64
|
-
post refresh_token_endpoint_url(
|
65
|
-
client: @client, refresh_token: @token.refresh_token,
|
66
|
-
)
|
67
|
-
should_have_json(
|
68
|
-
"refresh_token", Doorkeeper::AccessToken.last.refresh_token,
|
69
|
-
)
|
70
|
-
expect(@token.reload).not_to be_revoked
|
71
|
-
end
|
72
|
-
end
|
73
|
-
|
74
|
-
context "refresh_token revoked on refresh_token request" do
|
75
|
-
before do
|
76
|
-
allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
|
77
|
-
end
|
78
|
-
|
79
|
-
it "client request a token with refresh token" do
|
80
|
-
post refresh_token_endpoint_url(
|
81
|
-
client: @client, refresh_token: @token.refresh_token,
|
82
|
-
)
|
83
|
-
should_have_json(
|
84
|
-
"refresh_token", Doorkeeper::AccessToken.last.refresh_token,
|
85
|
-
)
|
86
|
-
expect(@token.reload).to be_revoked
|
87
|
-
end
|
88
|
-
|
89
|
-
it "client request a token with expired access token" do
|
90
|
-
@token.update_attribute :expires_in, -100
|
91
|
-
post refresh_token_endpoint_url(
|
92
|
-
client: @client, refresh_token: @token.refresh_token,
|
93
|
-
)
|
94
|
-
should_have_json(
|
95
|
-
"refresh_token", Doorkeeper::AccessToken.last.refresh_token,
|
96
|
-
)
|
97
|
-
expect(@token.reload).to be_revoked
|
98
|
-
end
|
99
|
-
end
|
100
|
-
|
101
|
-
context "public & private clients" do
|
102
|
-
let(:public_client) do
|
103
|
-
FactoryBot.create(
|
104
|
-
:application,
|
105
|
-
confidential: false,
|
106
|
-
)
|
107
|
-
end
|
108
|
-
|
109
|
-
let(:token_for_private_client) do
|
110
|
-
FactoryBot.create(
|
111
|
-
:access_token,
|
112
|
-
application: @client,
|
113
|
-
resource_owner_id: 1,
|
114
|
-
use_refresh_token: true,
|
115
|
-
)
|
116
|
-
end
|
117
|
-
|
118
|
-
let(:token_for_public_client) do
|
119
|
-
FactoryBot.create(
|
120
|
-
:access_token,
|
121
|
-
application: public_client,
|
122
|
-
resource_owner_id: 1,
|
123
|
-
use_refresh_token: true,
|
124
|
-
)
|
125
|
-
end
|
126
|
-
|
127
|
-
it "issues a new token without client_secret when refresh token was issued to a public client" do
|
128
|
-
post refresh_token_endpoint_url(
|
129
|
-
client_id: public_client.uid,
|
130
|
-
refresh_token: token_for_public_client.refresh_token,
|
131
|
-
)
|
132
|
-
|
133
|
-
new_token = Doorkeeper::AccessToken.last
|
134
|
-
should_have_json "access_token", new_token.token
|
135
|
-
should_have_json "refresh_token", new_token.refresh_token
|
136
|
-
end
|
137
|
-
|
138
|
-
it "returns an error without credentials" do
|
139
|
-
post refresh_token_endpoint_url(refresh_token: token_for_private_client.refresh_token)
|
140
|
-
|
141
|
-
should_not_have_json "refresh_token"
|
142
|
-
should_have_json "error", "invalid_grant"
|
143
|
-
end
|
144
|
-
|
145
|
-
it "returns an error with wrong credentials" do
|
146
|
-
post refresh_token_endpoint_url(
|
147
|
-
client_id: "1",
|
148
|
-
client_secret: "1",
|
149
|
-
refresh_token: token_for_private_client.refresh_token,
|
150
|
-
)
|
151
|
-
|
152
|
-
should_not_have_json "refresh_token"
|
153
|
-
should_have_json "error", "invalid_client"
|
154
|
-
end
|
155
|
-
end
|
156
|
-
|
157
|
-
it "client gets an error for invalid refresh token" do
|
158
|
-
post refresh_token_endpoint_url(client: @client, refresh_token: "invalid")
|
159
|
-
should_not_have_json "refresh_token"
|
160
|
-
should_have_json "error", "invalid_grant"
|
161
|
-
end
|
162
|
-
|
163
|
-
it "client gets an error for revoked access token" do
|
164
|
-
@token.revoke
|
165
|
-
post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
|
166
|
-
should_not_have_json "refresh_token"
|
167
|
-
should_have_json "error", "invalid_grant"
|
168
|
-
end
|
169
|
-
|
170
|
-
it "second of simultaneous client requests get an error for revoked access token" do
|
171
|
-
allow_any_instance_of(Doorkeeper::AccessToken).to receive(:revoked?).and_return(false, true)
|
172
|
-
post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
|
173
|
-
|
174
|
-
should_not_have_json "refresh_token"
|
175
|
-
should_have_json "error", "invalid_grant"
|
176
|
-
end
|
177
|
-
end
|
178
|
-
|
179
|
-
context "refreshing the token with multiple sessions (devices)" do
|
180
|
-
before do
|
181
|
-
# enable password auth to simulate other devices
|
182
|
-
config_is_set(:grant_flows, ["password"])
|
183
|
-
config_is_set(:resource_owner_from_credentials) do
|
184
|
-
User.authenticate! params[:username], params[:password]
|
185
|
-
end
|
186
|
-
create_resource_owner
|
187
|
-
_another_token = post password_token_endpoint_url(
|
188
|
-
client: @client, resource_owner: @resource_owner,
|
189
|
-
)
|
190
|
-
last_token.update_attribute :created_at, 5.seconds.ago
|
191
|
-
|
192
|
-
@token = FactoryBot.create(
|
193
|
-
:access_token,
|
194
|
-
application: @client,
|
195
|
-
resource_owner_id: @resource_owner.id,
|
196
|
-
use_refresh_token: true,
|
197
|
-
)
|
198
|
-
@token.update_attribute :expires_in, -100
|
199
|
-
end
|
200
|
-
|
201
|
-
context "refresh_token revoked on use" do
|
202
|
-
it "client request a token after creating another token with the same user" do
|
203
|
-
post refresh_token_endpoint_url(
|
204
|
-
client: @client, refresh_token: @token.refresh_token,
|
205
|
-
)
|
206
|
-
|
207
|
-
should_have_json "refresh_token", last_token.refresh_token
|
208
|
-
expect(@token.reload).not_to be_revoked
|
209
|
-
end
|
210
|
-
end
|
211
|
-
|
212
|
-
context "refresh_token revoked on refresh_token request" do
|
213
|
-
before do
|
214
|
-
allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
|
215
|
-
end
|
216
|
-
|
217
|
-
it "client request a token after creating another token with the same user" do
|
218
|
-
post refresh_token_endpoint_url(
|
219
|
-
client: @client, refresh_token: @token.refresh_token,
|
220
|
-
)
|
221
|
-
|
222
|
-
should_have_json "refresh_token", last_token.refresh_token
|
223
|
-
expect(@token.reload).to be_revoked
|
224
|
-
end
|
225
|
-
end
|
226
|
-
|
227
|
-
def last_token
|
228
|
-
Doorkeeper::AccessToken.last_authorized_token_for(
|
229
|
-
@client.id, @resource_owner.id,
|
230
|
-
)
|
231
|
-
end
|
232
|
-
end
|
233
|
-
end
|
@@ -1,157 +0,0 @@
|
|
1
|
-
# frozen_string_literal: true
|
2
|
-
|
3
|
-
require "spec_helper"
|
4
|
-
|
5
|
-
describe "Revoke Token Flow" do
|
6
|
-
before do
|
7
|
-
Doorkeeper.configure { orm DOORKEEPER_ORM }
|
8
|
-
end
|
9
|
-
|
10
|
-
context "with default parameters" do
|
11
|
-
let(:client_application) { FactoryBot.create :application }
|
12
|
-
let(:resource_owner) { User.create!(name: "John", password: "sekret") }
|
13
|
-
let(:access_token) do
|
14
|
-
FactoryBot.create(
|
15
|
-
:access_token,
|
16
|
-
application: client_application,
|
17
|
-
resource_owner_id: resource_owner.id,
|
18
|
-
use_refresh_token: true,
|
19
|
-
)
|
20
|
-
end
|
21
|
-
|
22
|
-
context "with authenticated, confidential OAuth 2.0 client/application" do
|
23
|
-
let(:headers) do
|
24
|
-
client_id = client_application.uid
|
25
|
-
client_secret = client_application.secret
|
26
|
-
credentials = Base64.encode64("#{client_id}:#{client_secret}")
|
27
|
-
{ "HTTP_AUTHORIZATION" => "Basic #{credentials}" }
|
28
|
-
end
|
29
|
-
|
30
|
-
it "should revoke the access token provided" do
|
31
|
-
post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
|
32
|
-
|
33
|
-
expect(response).to be_successful
|
34
|
-
expect(access_token.reload.revoked?).to be_truthy
|
35
|
-
end
|
36
|
-
|
37
|
-
it "should revoke the refresh token provided" do
|
38
|
-
post revocation_token_endpoint_url, params: { token: access_token.refresh_token }, headers: headers
|
39
|
-
|
40
|
-
expect(response).to be_successful
|
41
|
-
expect(access_token.reload.revoked?).to be_truthy
|
42
|
-
end
|
43
|
-
|
44
|
-
context "with invalid token to revoke" do
|
45
|
-
it "should not revoke any tokens and respond with forbidden" do
|
46
|
-
expect do
|
47
|
-
post revocation_token_endpoint_url,
|
48
|
-
params: { token: "I_AM_AN_INVALID_TOKEN" },
|
49
|
-
headers: headers
|
50
|
-
end.not_to(change { Doorkeeper::AccessToken.where(revoked_at: nil).count })
|
51
|
-
|
52
|
-
expect(response).to be_forbidden
|
53
|
-
end
|
54
|
-
end
|
55
|
-
|
56
|
-
context "with bad credentials and a valid token" do
|
57
|
-
let(:headers) do
|
58
|
-
client_id = client_application.uid
|
59
|
-
credentials = Base64.encode64("#{client_id}:poop")
|
60
|
-
{ "HTTP_AUTHORIZATION" => "Basic #{credentials}" }
|
61
|
-
end
|
62
|
-
it "should not revoke any tokens and respond with forbidden" do
|
63
|
-
post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
|
64
|
-
|
65
|
-
expect(response).to be_forbidden
|
66
|
-
expect(response.body).to include("unauthorized_client")
|
67
|
-
expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
|
68
|
-
expect(access_token.reload.revoked?).to be_falsey
|
69
|
-
end
|
70
|
-
end
|
71
|
-
|
72
|
-
context "with no credentials and a valid token" do
|
73
|
-
it "should not revoke any tokens and respond with forbidden" do
|
74
|
-
post revocation_token_endpoint_url, params: { token: access_token.token }
|
75
|
-
|
76
|
-
expect(response).to be_forbidden
|
77
|
-
expect(response.body).to include("unauthorized_client")
|
78
|
-
expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
|
79
|
-
expect(access_token.reload.revoked?).to be_falsey
|
80
|
-
end
|
81
|
-
end
|
82
|
-
|
83
|
-
context "with valid token for another client application" do
|
84
|
-
let(:other_client_application) { FactoryBot.create :application }
|
85
|
-
let(:headers) do
|
86
|
-
client_id = other_client_application.uid
|
87
|
-
client_secret = other_client_application.secret
|
88
|
-
credentials = Base64.encode64("#{client_id}:#{client_secret}")
|
89
|
-
{ "HTTP_AUTHORIZATION" => "Basic #{credentials}" }
|
90
|
-
end
|
91
|
-
|
92
|
-
it "should not revoke the token as its unauthorized" do
|
93
|
-
post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
|
94
|
-
|
95
|
-
expect(response).to be_forbidden
|
96
|
-
expect(response.body).to include("unauthorized_client")
|
97
|
-
expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
|
98
|
-
expect(access_token.reload.revoked?).to be_falsey
|
99
|
-
end
|
100
|
-
end
|
101
|
-
end
|
102
|
-
|
103
|
-
context "with public OAuth 2.0 client/application" do
|
104
|
-
let(:access_token) do
|
105
|
-
FactoryBot.create(
|
106
|
-
:access_token,
|
107
|
-
application: nil,
|
108
|
-
resource_owner_id: resource_owner.id,
|
109
|
-
use_refresh_token: true,
|
110
|
-
)
|
111
|
-
end
|
112
|
-
|
113
|
-
it "should revoke the access token provided" do
|
114
|
-
post revocation_token_endpoint_url, params: { token: access_token.token }
|
115
|
-
|
116
|
-
expect(response).to be_successful
|
117
|
-
expect(access_token.reload.revoked?).to be_truthy
|
118
|
-
end
|
119
|
-
|
120
|
-
it "should revoke the refresh token provided" do
|
121
|
-
post revocation_token_endpoint_url, params: { token: access_token.refresh_token }
|
122
|
-
|
123
|
-
expect(response).to be_successful
|
124
|
-
expect(access_token.reload.revoked?).to be_truthy
|
125
|
-
end
|
126
|
-
|
127
|
-
context "with a valid token issued for a confidential client" do
|
128
|
-
let(:access_token) do
|
129
|
-
FactoryBot.create(
|
130
|
-
:access_token,
|
131
|
-
application: client_application,
|
132
|
-
resource_owner_id: resource_owner.id,
|
133
|
-
use_refresh_token: true,
|
134
|
-
)
|
135
|
-
end
|
136
|
-
|
137
|
-
it "should not revoke the access token provided" do
|
138
|
-
post revocation_token_endpoint_url, params: { token: access_token.token }
|
139
|
-
|
140
|
-
expect(response).to be_forbidden
|
141
|
-
expect(response.body).to include("unauthorized_client")
|
142
|
-
expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
|
143
|
-
expect(access_token.reload.revoked?).to be_falsey
|
144
|
-
end
|
145
|
-
|
146
|
-
it "should not revoke the refresh token provided" do
|
147
|
-
post revocation_token_endpoint_url, params: { token: access_token.token }
|
148
|
-
|
149
|
-
expect(response).to be_forbidden
|
150
|
-
expect(response.body).to include("unauthorized_client")
|
151
|
-
expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
|
152
|
-
expect(access_token.reload.revoked?).to be_falsey
|
153
|
-
end
|
154
|
-
end
|
155
|
-
end
|
156
|
-
end
|
157
|
-
end
|
@@ -1,66 +0,0 @@
|
|
1
|
-
# frozen_string_literal: true
|
2
|
-
|
3
|
-
require "spec_helper"
|
4
|
-
|
5
|
-
feature "Skip authorization form" do
|
6
|
-
background do
|
7
|
-
config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
|
8
|
-
client_exists
|
9
|
-
default_scopes_exist :public
|
10
|
-
optional_scopes_exist :write
|
11
|
-
end
|
12
|
-
|
13
|
-
context "for previously authorized clients" do
|
14
|
-
background do
|
15
|
-
create_resource_owner
|
16
|
-
sign_in
|
17
|
-
end
|
18
|
-
|
19
|
-
scenario "skips the authorization and return a new grant code" do
|
20
|
-
client_is_authorized(@client, @resource_owner, scopes: "public")
|
21
|
-
visit authorization_endpoint_url(client: @client, scope: "public")
|
22
|
-
|
23
|
-
i_should_not_see "Authorize"
|
24
|
-
client_should_be_authorized @client
|
25
|
-
i_should_be_on_client_callback @client
|
26
|
-
url_should_have_param "code", Doorkeeper::AccessGrant.first.token
|
27
|
-
end
|
28
|
-
|
29
|
-
scenario "skips the authorization if other scopes are not requested" do
|
30
|
-
client_exists scopes: "public read write"
|
31
|
-
client_is_authorized(@client, @resource_owner, scopes: "public")
|
32
|
-
visit authorization_endpoint_url(client: @client, scope: "public")
|
33
|
-
|
34
|
-
i_should_not_see "Authorize"
|
35
|
-
client_should_be_authorized @client
|
36
|
-
i_should_be_on_client_callback @client
|
37
|
-
url_should_have_param "code", Doorkeeper::AccessGrant.first.token
|
38
|
-
end
|
39
|
-
|
40
|
-
scenario "does not skip authorization when scopes differ (new request has fewer scopes)" do
|
41
|
-
client_is_authorized(@client, @resource_owner, scopes: "public write")
|
42
|
-
visit authorization_endpoint_url(client: @client, scope: "public")
|
43
|
-
i_should_see "Authorize"
|
44
|
-
end
|
45
|
-
|
46
|
-
scenario "does not skip authorization when scopes differ (new request has more scopes)" do
|
47
|
-
client_is_authorized(@client, @resource_owner, scopes: "public write")
|
48
|
-
visit authorization_endpoint_url(client: @client, scopes: "public write email")
|
49
|
-
i_should_see "Authorize"
|
50
|
-
end
|
51
|
-
|
52
|
-
scenario "creates grant with new scope when scopes differ" do
|
53
|
-
client_is_authorized(@client, @resource_owner, scopes: "public write")
|
54
|
-
visit authorization_endpoint_url(client: @client, scope: "public")
|
55
|
-
click_on "Authorize"
|
56
|
-
access_grant_should_have_scopes :public
|
57
|
-
end
|
58
|
-
|
59
|
-
scenario "creates grant with new scope when scopes are greater" do
|
60
|
-
client_is_authorized(@client, @resource_owner, scopes: "public")
|
61
|
-
visit authorization_endpoint_url(client: @client, scope: "public write")
|
62
|
-
click_on "Authorize"
|
63
|
-
access_grant_should_have_scopes :public, :write
|
64
|
-
end
|
65
|
-
end
|
66
|
-
end
|