RubyGems - doorkeeper - Versions diffs - 5.3.2 → 5.5.0.rc1 - Mend

doorkeeper 5.3.2 → 5.5.0.rc1

Potentially problematic release.

This version of doorkeeper might be problematic. Click here for more details.

Files changed (231) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +106 -2
data/README.md +6 -4
data/app/controllers/doorkeeper/applications_controller.rb +4 -4
data/app/controllers/doorkeeper/authorizations_controller.rb +32 -12
data/app/controllers/doorkeeper/authorized_applications_controller.rb +2 -2
data/app/controllers/doorkeeper/tokens_controller.rb +60 -20
data/app/views/doorkeeper/applications/_form.html.erb +1 -1
data/app/views/doorkeeper/applications/show.html.erb +19 -2
data/config/locales/en.yml +3 -2
data/lib/doorkeeper.rb +107 -79
data/lib/doorkeeper/config.rb +140 -94
data/lib/doorkeeper/config/abstract_builder.rb +28 -0
data/lib/doorkeeper/config/option.rb +26 -14
data/lib/doorkeeper/config/validations.rb +53 -0
data/lib/doorkeeper/engine.rb +1 -1
data/lib/doorkeeper/grant_flow.rb +43 -0
data/lib/doorkeeper/grant_flow/fallback_flow.rb +15 -0
data/lib/doorkeeper/grant_flow/flow.rb +34 -0
data/lib/doorkeeper/grant_flow/registry.rb +50 -0
data/lib/doorkeeper/grape/helpers.rb +1 -1
data/lib/doorkeeper/helpers/controller.rb +6 -4
data/lib/doorkeeper/models/access_grant_mixin.rb +20 -16
data/lib/doorkeeper/models/access_token_mixin.rb +110 -47
data/lib/doorkeeper/models/application_mixin.rb +5 -4
data/lib/doorkeeper/models/concerns/resource_ownerable.rb +47 -0
data/lib/doorkeeper/models/concerns/revocable.rb +1 -1
data/lib/doorkeeper/models/concerns/scopes.rb +5 -1
data/lib/doorkeeper/models/concerns/secret_storable.rb +1 -3
data/lib/doorkeeper/oauth/authorization/code.rb +15 -6
data/lib/doorkeeper/oauth/authorization/context.rb +5 -5
data/lib/doorkeeper/oauth/authorization/token.rb +14 -16
data/lib/doorkeeper/oauth/authorization/uri_builder.rb +4 -4
data/lib/doorkeeper/oauth/authorization_code_request.rb +17 -14
data/lib/doorkeeper/oauth/base_request.rb +12 -20
data/lib/doorkeeper/oauth/client.rb +1 -1
data/lib/doorkeeper/oauth/client/credentials.rb +2 -4
data/lib/doorkeeper/oauth/client_credentials/creator.rb +27 -8
data/lib/doorkeeper/oauth/client_credentials/issuer.rb +4 -2
data/lib/doorkeeper/oauth/client_credentials/validator.rb +4 -2
data/lib/doorkeeper/oauth/client_credentials_request.rb +8 -7
data/lib/doorkeeper/oauth/code_request.rb +3 -3
data/lib/doorkeeper/oauth/code_response.rb +28 -14
data/lib/doorkeeper/oauth/error_response.rb +6 -7
data/lib/doorkeeper/oauth/helpers/scope_checker.rb +2 -8
data/lib/doorkeeper/oauth/hooks/context.rb +21 -0
data/lib/doorkeeper/oauth/invalid_token_response.rb +2 -2
data/lib/doorkeeper/oauth/password_access_token_request.rb +24 -7
data/lib/doorkeeper/oauth/pre_authorization.rb +41 -31
data/lib/doorkeeper/oauth/refresh_token_request.rb +31 -22
data/lib/doorkeeper/oauth/token.rb +5 -6
data/lib/doorkeeper/oauth/token_introspection.rb +4 -8
data/lib/doorkeeper/oauth/token_request.rb +3 -3
data/lib/doorkeeper/oauth/token_response.rb +1 -1
data/lib/doorkeeper/orm/active_record.rb +10 -2
data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +8 -3
data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +7 -3
data/lib/doorkeeper/orm/active_record/mixins/application.rb +20 -16
data/lib/doorkeeper/rails/routes.rb +14 -18
data/lib/doorkeeper/rails/routes/abstract_router.rb +35 -0
data/lib/doorkeeper/rails/routes/mapper.rb +2 -2
data/lib/doorkeeper/rails/routes/registry.rb +45 -0
data/lib/doorkeeper/request.rb +49 -12
data/lib/doorkeeper/request/refresh_token.rb +2 -1
data/lib/doorkeeper/request/strategy.rb +2 -2
data/lib/doorkeeper/server.rb +4 -4
data/lib/doorkeeper/stale_records_cleaner.rb +4 -4
data/lib/doorkeeper/version.rb +3 -3
data/lib/generators/doorkeeper/confidential_applications_generator.rb +1 -1
data/lib/generators/doorkeeper/enable_polymorphic_resource_owner_generator.rb +39 -0
data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +2 -0
data/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb.erb +2 -0
data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +2 -0
data/lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb +17 -0
data/lib/generators/doorkeeper/templates/initializer.rb +48 -10
data/lib/generators/doorkeeper/templates/migration.rb.erb +14 -5
metadata +21 -299
data/Appraisals +0 -40
data/CODE_OF_CONDUCT.md +0 -46
data/CONTRIBUTING.md +0 -49
data/Dangerfile +0 -67
data/Dockerfile +0 -29
data/Gemfile +0 -25
data/NEWS.md +0 -1
data/RELEASING.md +0 -11
data/Rakefile +0 -28
data/SECURITY.md +0 -15
data/UPGRADE.md +0 -2
data/bin/console +0 -16
data/doorkeeper.gemspec +0 -42
data/gemfiles/rails_5_0.gemfile +0 -18
data/gemfiles/rails_5_1.gemfile +0 -18
data/gemfiles/rails_5_2.gemfile +0 -18
data/gemfiles/rails_6_0.gemfile +0 -18
data/gemfiles/rails_master.gemfile +0 -18
data/spec/controllers/application_metal_controller_spec.rb +0 -64
data/spec/controllers/applications_controller_spec.rb +0 -274
data/spec/controllers/authorizations_controller_spec.rb +0 -608
data/spec/controllers/protected_resources_controller_spec.rb +0 -361
data/spec/controllers/token_info_controller_spec.rb +0 -50
data/spec/controllers/tokens_controller_spec.rb +0 -498
data/spec/dummy/Rakefile +0 -9
data/spec/dummy/app/assets/config/manifest.js +0 -2
data/spec/dummy/app/controllers/application_controller.rb +0 -5
data/spec/dummy/app/controllers/custom_authorizations_controller.rb +0 -9
data/spec/dummy/app/controllers/full_protected_resources_controller.rb +0 -14
data/spec/dummy/app/controllers/home_controller.rb +0 -18
data/spec/dummy/app/controllers/metal_controller.rb +0 -13
data/spec/dummy/app/controllers/semi_protected_resources_controller.rb +0 -13
data/spec/dummy/app/helpers/application_helper.rb +0 -7
data/spec/dummy/app/models/user.rb +0 -7
data/spec/dummy/app/views/home/index.html.erb +0 -0
data/spec/dummy/app/views/layouts/application.html.erb +0 -14
data/spec/dummy/config.ru +0 -6
data/spec/dummy/config/application.rb +0 -49
data/spec/dummy/config/boot.rb +0 -7
data/spec/dummy/config/database.yml +0 -15
data/spec/dummy/config/environment.rb +0 -5
data/spec/dummy/config/environments/development.rb +0 -31
data/spec/dummy/config/environments/production.rb +0 -64
data/spec/dummy/config/environments/test.rb +0 -45
data/spec/dummy/config/initializers/backtrace_silencers.rb +0 -9
data/spec/dummy/config/initializers/doorkeeper.rb +0 -166
data/spec/dummy/config/initializers/secret_token.rb +0 -10
data/spec/dummy/config/initializers/session_store.rb +0 -10
data/spec/dummy/config/initializers/wrap_parameters.rb +0 -16
data/spec/dummy/config/locales/doorkeeper.en.yml +0 -5
data/spec/dummy/config/routes.rb +0 -13
data/spec/dummy/db/migrate/20111122132257_create_users.rb +0 -11
data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb +0 -7
data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +0 -69
data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb +0 -9
data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb +0 -13
data/spec/dummy/db/migrate/20170822064514_enable_pkce.rb +0 -8
data/spec/dummy/db/migrate/20180210183654_add_confidential_to_applications.rb +0 -13
data/spec/dummy/db/schema.rb +0 -68
data/spec/dummy/public/404.html +0 -26
data/spec/dummy/public/422.html +0 -26
data/spec/dummy/public/500.html +0 -26
data/spec/dummy/public/favicon.ico +0 -0
data/spec/dummy/script/rails +0 -9
data/spec/factories.rb +0 -30
data/spec/generators/application_owner_generator_spec.rb +0 -28
data/spec/generators/confidential_applications_generator_spec.rb +0 -29
data/spec/generators/install_generator_spec.rb +0 -36
data/spec/generators/migration_generator_spec.rb +0 -28
data/spec/generators/pkce_generator_spec.rb +0 -28
data/spec/generators/previous_refresh_token_generator_spec.rb +0 -44
data/spec/generators/templates/routes.rb +0 -4
data/spec/generators/views_generator_spec.rb +0 -29
data/spec/grape/grape_integration_spec.rb +0 -137
data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +0 -26
data/spec/lib/config_spec.rb +0 -809
data/spec/lib/doorkeeper_spec.rb +0 -27
data/spec/lib/models/expirable_spec.rb +0 -61
data/spec/lib/models/reusable_spec.rb +0 -40
data/spec/lib/models/revocable_spec.rb +0 -59
data/spec/lib/models/scopes_spec.rb +0 -53
data/spec/lib/models/secret_storable_spec.rb +0 -135
data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -39
data/spec/lib/oauth/authorization_code_request_spec.rb +0 -170
data/spec/lib/oauth/base_request_spec.rb +0 -224
data/spec/lib/oauth/base_response_spec.rb +0 -45
data/spec/lib/oauth/client/credentials_spec.rb +0 -90
data/spec/lib/oauth/client_credentials/creator_spec.rb +0 -134
data/spec/lib/oauth/client_credentials/issuer_spec.rb +0 -112
data/spec/lib/oauth/client_credentials/validation_spec.rb +0 -59
data/spec/lib/oauth/client_credentials_integration_spec.rb +0 -27
data/spec/lib/oauth/client_credentials_request_spec.rb +0 -107
data/spec/lib/oauth/client_spec.rb +0 -38
data/spec/lib/oauth/code_request_spec.rb +0 -46
data/spec/lib/oauth/code_response_spec.rb +0 -32
data/spec/lib/oauth/error_response_spec.rb +0 -64
data/spec/lib/oauth/error_spec.rb +0 -21
data/spec/lib/oauth/forbidden_token_response_spec.rb +0 -20
data/spec/lib/oauth/helpers/scope_checker_spec.rb +0 -110
data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -21
data/spec/lib/oauth/helpers/uri_checker_spec.rb +0 -262
data/spec/lib/oauth/invalid_request_response_spec.rb +0 -73
data/spec/lib/oauth/invalid_token_response_spec.rb +0 -53
data/spec/lib/oauth/password_access_token_request_spec.rb +0 -190
data/spec/lib/oauth/pre_authorization_spec.rb +0 -223
data/spec/lib/oauth/refresh_token_request_spec.rb +0 -177
data/spec/lib/oauth/scopes_spec.rb +0 -146
data/spec/lib/oauth/token_request_spec.rb +0 -157
data/spec/lib/oauth/token_response_spec.rb +0 -84
data/spec/lib/oauth/token_spec.rb +0 -156
data/spec/lib/request/strategy_spec.rb +0 -54
data/spec/lib/secret_storing/base_spec.rb +0 -60
data/spec/lib/secret_storing/bcrypt_spec.rb +0 -49
data/spec/lib/secret_storing/plain_spec.rb +0 -44
data/spec/lib/secret_storing/sha256_hash_spec.rb +0 -48
data/spec/lib/server_spec.rb +0 -49
data/spec/lib/stale_records_cleaner_spec.rb +0 -89
data/spec/models/doorkeeper/access_grant_spec.rb +0 -161
data/spec/models/doorkeeper/access_token_spec.rb +0 -622
data/spec/models/doorkeeper/application_spec.rb +0 -482
data/spec/requests/applications/applications_request_spec.rb +0 -259
data/spec/requests/applications/authorized_applications_spec.rb +0 -32
data/spec/requests/endpoints/authorization_spec.rb +0 -91
data/spec/requests/endpoints/token_spec.rb +0 -75
data/spec/requests/flows/authorization_code_errors_spec.rb +0 -79
data/spec/requests/flows/authorization_code_spec.rb +0 -525
data/spec/requests/flows/client_credentials_spec.rb +0 -166
data/spec/requests/flows/implicit_grant_errors_spec.rb +0 -46
data/spec/requests/flows/implicit_grant_spec.rb +0 -91
data/spec/requests/flows/password_spec.rb +0 -316
data/spec/requests/flows/refresh_token_spec.rb +0 -233
data/spec/requests/flows/revoke_token_spec.rb +0 -157
data/spec/requests/flows/skip_authorization_spec.rb +0 -66
data/spec/requests/protected_resources/metal_spec.rb +0 -16
data/spec/requests/protected_resources/private_api_spec.rb +0 -83
data/spec/routing/custom_controller_routes_spec.rb +0 -133
data/spec/routing/default_routes_spec.rb +0 -41
data/spec/routing/scoped_routes_spec.rb +0 -47
data/spec/spec_helper.rb +0 -54
data/spec/spec_helper_integration.rb +0 -4
data/spec/support/dependencies/factory_bot.rb +0 -4
data/spec/support/doorkeeper_rspec.rb +0 -22
data/spec/support/helpers/access_token_request_helper.rb +0 -13
data/spec/support/helpers/authorization_request_helper.rb +0 -43
data/spec/support/helpers/config_helper.rb +0 -11
data/spec/support/helpers/model_helper.rb +0 -78
data/spec/support/helpers/request_spec_helper.rb +0 -110
data/spec/support/helpers/url_helper.rb +0 -62
data/spec/support/orm/active_record.rb +0 -5
data/spec/support/shared/controllers_shared_context.rb +0 -133
data/spec/support/shared/hashing_shared_context.rb +0 -36
data/spec/support/shared/models_shared_examples.rb +0 -54
data/spec/validators/redirect_uri_validator_spec.rb +0 -183
data/spec/version/version_spec.rb +0 -17

data/lib/doorkeeper/oauth/refresh_token_request.rb CHANGED

@@ -11,9 +11,8 @@ module Doorkeeper
       validate :client_match, error: :invalid_grant
       validate :scope,        error: :invalid_scope
-      attr_accessor :access_token, :client, :credentials, :refresh_token,
-                    :server
-      attr_reader   :missing_param
+      attr_reader :access_token, :client, :credentials, :refresh_token
+      attr_reader :missing_param
       def initialize(server, refresh_token, credentials, parameters = {})
         @server = server
@@ -50,30 +49,40 @@ module Doorkeeper
       end
       def create_access_token
-        @access_token = server_config.access_token_model.create!(access_token_attributes)
-      end
+        attributes = {}
-      def access_token_attributes
-        {
-          application_id: refresh_token.application_id,
-          resource_owner_id: refresh_token.resource_owner_id,
-          scopes: scopes.to_s,
-          expires_in: access_token_expires_in,
-          use_refresh_token: true,
-        }.tap do |attributes|
-          if refresh_token_revoked_on_use?
-            attributes[:previous_refresh_token] = refresh_token.refresh_token
+        resource_owner =
+          if Doorkeeper.config.polymorphic_resource_owner?
+            refresh_token.resource_owner
+          else
+            refresh_token.resource_owner_id
           end
+        if refresh_token_revoked_on_use?
+          attributes[:previous_refresh_token] = refresh_token.refresh_token
         end
-      end
-      def access_token_expires_in
-        context = Authorization::Token.build_context(
-          client,
-          Doorkeeper::OAuth::REFRESH_TOKEN,
-          scopes,
+        # RFC6749
+        # 1.5.  Refresh Token
+        #
+        # Refresh tokens are issued to the client by the authorization server and are
+        # used to obtain a new access token when the current access token
+        # becomes invalid or expires, or to obtain additional access tokens
+        # with identical or narrower scope (access tokens may have a shorter
+        # lifetime and fewer permissions than authorized by the resource
+        # owner).
+        #
+        # Here we assume that TTL of the token received after refreshing should be
+        # the same as that of the original token.
+        #
+        @access_token = server_config.access_token_model.create_for(
+          application: refresh_token.application,
+          resource_owner: resource_owner,
+          scopes: scopes,
+          expires_in: refresh_token.expires_in,
+          use_refresh_token: true,
+          **attributes,
         )
-        Authorization::Token.access_token_expires_in(server, context)
       end
       def validate_token_presence

data/lib/doorkeeper/oauth/token.rb CHANGED

@@ -8,15 +8,14 @@ module Doorkeeper
           methods.inject(nil) do |_, method|
             method = self.method(method) if method.is_a?(Symbol)
             credentials = method.call(request)
-            break credentials unless credentials.blank?
+            break credentials if credentials.present?
           end
         end
         def authenticate(request, *methods)
           if (token = from_request(request, *methods))
             access_token = Doorkeeper.config.access_token_model.by_token(token)
-            refresh_token_enabled = Doorkeeper.config.refresh_token_enabled?
-            if access_token.present? && refresh_token_enabled
+            if access_token.present? && Doorkeeper.config.refresh_token_enabled?
               access_token.revoke_previous_refresh_token!
             end
             access_token
@@ -33,13 +32,13 @@ module Doorkeeper
         def from_bearer_authorization(request)
           pattern = /^Bearer /i
-          header  = request.authorization
+          header = request.authorization
           token_from_header(header, pattern) if match?(header, pattern)
         end
         def from_basic_authorization(request)
           pattern = /^Basic /i
-          header  = request.authorization
+          header = request.authorization
           token_from_basic_header(header, pattern) if match?(header, pattern)
         end
@@ -55,7 +54,7 @@ module Doorkeeper
         end
         def token_from_header(header, pattern)
-          header.gsub pattern, ""
+          header.gsub(pattern, "")
         end
         def match?(header, pattern)

data/lib/doorkeeper/oauth/token_introspection.rb CHANGED

@@ -6,9 +6,6 @@ module Doorkeeper
     #
     # @see https://tools.ietf.org/html/rfc7662
     class TokenIntrospection
-      attr_reader :server, :token
-      attr_reader :error, :invalid_request_reason
       def initialize(server, token)
         @server = server
         @token = token
@@ -38,6 +35,9 @@ module Doorkeeper
       private
+      attr_reader :server, :token
+      attr_reader :error, :invalid_request_reason
       # If the protected resource uses OAuth 2.0 client credentials to
       # authenticate to the introspection endpoint and its credentials are
       # invalid, the authorization server responds with an HTTP 401
@@ -179,11 +179,7 @@ module Doorkeeper
         allow_introspection = Doorkeeper.config.allow_token_introspection
         return allow_introspection unless allow_introspection.respond_to?(:call)
-        allow_introspection.call(
-          @token,
-          auth_client,
-          auth_token,
-        )
+        allow_introspection.call(@token, auth_client, auth_token)
       end
       # Allows to customize introspection response.

data/lib/doorkeeper/oauth/token_request.rb CHANGED

@@ -3,16 +3,16 @@
 module Doorkeeper
   module OAuth
     class TokenRequest
-      attr_accessor :pre_auth, :resource_owner
+      attr_reader :pre_auth, :resource_owner
       def initialize(pre_auth, resource_owner)
-        @pre_auth       = pre_auth
+        @pre_auth = pre_auth
         @resource_owner = resource_owner
       end
       def authorize
         auth = Authorization::Token.new(pre_auth, resource_owner)
-        auth.issue_token
+        auth.issue_token!
         CodeResponse.new(pre_auth, auth, response_on_fragment: true)
       end

data/lib/doorkeeper/oauth/token_response.rb CHANGED

@@ -3,7 +3,7 @@
 module Doorkeeper
   module OAuth
     class TokenResponse
-      attr_accessor :token
+      attr_reader :token
       def initialize(token)
         @token = token

data/lib/doorkeeper/orm/active_record.rb CHANGED

@@ -33,12 +33,20 @@ module Doorkeeper
         lazy_load do
           require "doorkeeper/models/concerns/ownership"
-          Doorkeeper.config.application_model.send :include, Doorkeeper::Models::Ownership
+          Doorkeeper.config.application_model.include(Doorkeeper::Models::Ownership)
         end
       end
       def self.lazy_load(&block)
-        ActiveSupport.on_load(:active_record, {}, &block)
+        # ActiveSupport has no public interface to check if something
+        # already lazy-loaded :(
+        loaded = ActiveSupport.instance_variable_get(:"@loaded") || {}
+        if loaded.key?(:active_record)
+          block.call
+        else
+          ActiveSupport.on_load(:active_record, {}, &block)
+        end
       end
       def self.models

data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb CHANGED

@@ -9,12 +9,17 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
       include ::Doorkeeper::AccessGrantMixin
-      belongs_to :application, class_name: Doorkeeper.config.application_class,
+      belongs_to :application, class_name: Doorkeeper.config.application_class.to_s,
                                optional: true,
                                inverse_of: :access_grants
-      validates :resource_owner_id,
-                :application_id,
+      if Doorkeeper.config.polymorphic_resource_owner?
+        belongs_to :resource_owner, polymorphic: true, optional: false
+      else
+        validates :resource_owner_id, presence: true
+      end
+      validates :application_id,
                 :token,
                 :expires_in,
                 :redirect_uri,

data/lib/doorkeeper/orm/active_record/mixins/access_token.rb CHANGED

@@ -9,10 +9,14 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
       include ::Doorkeeper::AccessTokenMixin
-      belongs_to :application, class_name: Doorkeeper.config.application_class,
+      belongs_to :application, class_name: Doorkeeper.config.application_class.to_s,
                                inverse_of: :access_tokens,
                                optional: true
+      if Doorkeeper.config.polymorphic_resource_owner?
+        belongs_to :resource_owner, polymorphic: true, optional: true
+      end
       validates :token, presence: true, uniqueness: { case_sensitive: true }
       validates :refresh_token, uniqueness: { case_sensitive: true }, if: :use_refresh_token?
@@ -25,7 +29,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
                         on: :create, if: :use_refresh_token?
     end
-    class_methods do
+    module ClassMethods
       # Searches for not revoked Access Tokens associated with the
       # specific Resource Owner.
       #
@@ -36,7 +40,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
       #   active Access Tokens for Resource Owner
       #
       def active_for(resource_owner)
-        where(resource_owner_id: resource_owner.id, revoked_at: nil)
+        by_resource_owner(resource_owner).where(revoked_at: nil)
       end
       def refresh_token_revoked_on_use?

data/lib/doorkeeper/orm/active_record/mixins/application.rb CHANGED

@@ -12,12 +12,12 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
       has_many :access_grants,
                foreign_key: :application_id,
                dependent: :delete_all,
-               class_name: Doorkeeper.config.access_grant_class
+               class_name: Doorkeeper.config.access_grant_class.to_s
       has_many :access_tokens,
                foreign_key: :application_id,
                dependent: :delete_all,
-               class_name: Doorkeeper.config.access_token_class
+               class_name: Doorkeeper.config.access_token_class.to_s
       validates :name, :secret, :uid, presence: true
       validates :uid, uniqueness: { case_sensitive: true }
@@ -31,7 +31,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
       has_many :authorized_tokens,
                -> { where(revoked_at: nil) },
                foreign_key: :application_id,
-               class_name: Doorkeeper.config.access_token_class
+               class_name: Doorkeeper.config.access_token_class.to_s
       has_many :authorized_applications,
                through: :authorized_tokens,
@@ -84,6 +84,21 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
         end
       end
+      def authorized_for_resource_owner?(resource_owner)
+        Doorkeeper.configuration.authorize_resource_owner_for_client.call(self, resource_owner)
+      end
+      # We need to hook into this method to allow serializing plan-text secrets
+      # when secrets hashing enabled.
+      #
+      # @param key [String] attribute name
+      #
+      def read_attribute_for_serialization(key)
+        return super unless key.to_s == "secret"
+        plaintext_secret || secret
+      end
       private
       def generate_uid
@@ -91,7 +106,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
       end
       def generate_secret
-        return unless secret.blank?
+        return if secret.present?
         renew_secret
       end
@@ -131,17 +146,6 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
         only.uniq
       end
-      # We need to hook into this method to allow serializing plan-text secrets
-      # when secrets hashing enabled.
-      #
-      # @param key [String] attribute name
-      #
-      def read_attribute_for_serialization(key)
-        return super unless key.to_s == "secret"
-        plaintext_secret || secret
-      end
       # Collection of attributes that could be serialized for public.
       # Override this method if you need additional attributes to be serialized.
       #
@@ -153,7 +157,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
       end
     end
-    class_methods do
+    module ClassMethods
       # Returns Applications associated with active (not revoked) Access Tokens
       # that are owned by the specific Resource Owner.
       #

data/lib/doorkeeper/rails/routes.rb CHANGED

@@ -2,29 +2,33 @@
 require "doorkeeper/rails/routes/mapping"
 require "doorkeeper/rails/routes/mapper"
+require "doorkeeper/rails/routes/abstract_router"
+require "doorkeeper/rails/routes/registry"
 module Doorkeeper
   module Rails
     class Routes # :nodoc:
-      mattr_reader :mapping do
-        {}
-      end
       module Helper
         def use_doorkeeper(options = {}, &block)
           Doorkeeper::Rails::Routes.new(self, &block).generate_routes!(options)
         end
       end
+      include AbstractRouter
+      extend Registry
+      mattr_reader :mapping do
+        {}
+      end
       def self.install!
         ActionDispatch::Routing::Mapper.include Doorkeeper::Rails::Routes::Helper
-      end
-      attr_reader :routes
+        registered_routes.each(&:install!)
+      end
-      def initialize(routes, &block)
-        @routes = routes
-        @mapping = Mapper.new.map(&block)
+      def initialize(routes, mapper = Mapper.new, &block)
+        super
         @mapping.skips.push(:applications, :authorized_applications) if Doorkeeper.config.api_only
       end
@@ -34,7 +38,7 @@ module Doorkeeper
           map_route(:authorizations, :authorization_routes)
           map_route(:tokens, :token_routes)
           map_route(:tokens, :revoke_routes)
-          map_route(:tokens, :introspect_routes)
+          map_route(:tokens, :introspect_routes) unless Doorkeeper.config.allow_token_introspection.is_a?(FalseClass)
           map_route(:applications, :application_routes)
           map_route(:authorized_applications, :authorized_applications_routes)
           map_route(:token_info, :token_info_routes)
@@ -43,14 +47,6 @@ module Doorkeeper
       private
-      def map_route(name, method)
-        return if @mapping.skipped?(name)
-        send(method, @mapping[name])
-        mapping[name] = @mapping[name]
-      end
       def authorization_routes(mapping)
         routes.resource(
           :authorization,

data/lib/doorkeeper/rails/routes/abstract_router.rb ADDED

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+module Doorkeeper
+  module Rails
+    # Abstract router module that implements base behavior
+    # for generating and mapping Rails routes.
+    #
+    # Could be reused in Doorkeeper extensions.
+    #
+    module AbstractRouter
+      extend ActiveSupport::Concern
+      attr_reader :routes
+      def initialize(routes, mapper = Mapper.new, &block)
+        @routes = routes
+        @mapping = mapper.map(&block)
+      end
+      def generate_routes!(**_options)
+        raise NotImplementedError, "must be redefined for #{self.class.name}!"
+      end
+      private
+      def map_route(name, method)
+        return if @mapping.skipped?(name)
+        send(method, @mapping[name])
+        mapping[name] = @mapping[name]
+      end
+    end
+  end
+end

data/lib/doorkeeper/rails/routes/mapper.rb CHANGED

@@ -4,8 +4,8 @@ module Doorkeeper
   module Rails
     class Routes # :nodoc:
       class Mapper
-        def initialize
-          @mapping = Mapping.new
+        def initialize(mapping = Mapping.new)
+          @mapping = mapping
         end
         def map(&block)