doorkeeper 5.3.3 → 5.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4d3ed9e21e9d404f1c7f67a48a36a5745d9a5a7aca05b9ae63fbd10c6d170ac1
-  data.tar.gz: 21ab4db448c9404a7067e8223433a8aa2ecfe955fd3729e7038efafd616c4237
+  metadata.gz: 76b3a86e21584548c9b0c176512c844bee90ba9c447aaf09741abf54488093bb
+  data.tar.gz: ce7a4ffdf3b0aebaa69f703b70f0109276205c9ec0b2f1e2c7b3e88cb4746f8b
 SHA512:
-  metadata.gz: a03ea8dbf25bc5d48f2fa92942c73dfefa74978d16229b79f1f6d691e0d591ecdc08be84bc243139a1a4df50091fde2d039f5dcae65a8250477e309a31ad054d
-  data.tar.gz: 7f6445f2beb910ba6b3cdeebd5d0d265986f49bb400ccccdbd811f7be8e34e5e029e07acfe22330729fe9065169b1807a4c98094abf3d247fe7175a1cd52daf5
+  metadata.gz: 7192f9711713f15d323e85aa3ad4274b314a55dcc89ba945de52dca5dbbad2e267dc3252da353cd4991fae365a1161fd91d06c0bfcaba767163b4c54eafca125
+  data.tar.gz: b5f324cfe8064b32254ca1c045bc24c54ab21a485bf3c6a9726bc995ab9dc24516872bf8ee314850b65f6ce3d879d0497e67416ea78c0f8f7566bdbfd48e024a

data/CHANGELOG.md

@@ -5,13 +5,17 @@ upgrade guides.
 
 User-visible changes worth mentioning.
 
-## 5.3.3
+## master
 
-- [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+- [#PR ID] Your PR description.
 
-## 5.3.2
+## 5.4.0
 
-- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+- [#1404] Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.4.0.rc2
+
+- [#1371] Add `#as_json` method and attributes serialization restriction for Application model.
   Fixes information disclosure vulnerability (CVE-2020-10187).
   
   **[IMPORTANT]** you need to re-implement `#as_json` method for Doorkeeper Application model
@@ -19,6 +23,54 @@ User-visible changes worth mentioning.
   JSON response from /oauth/applications.json or /oauth/authorized_applications.json. This change
   is a breaking change which restricts serialized attributes to a very small set of columns.
 
+- [#1395] Fix `NameError: uninitialized constant Doorkeeper::AccessToken` for Rake tasks.
+- [#1397] Add `as: :doorkeeper_application` on Doorkeeper application form in order to support
+  custom configured application model.
+- [#1400] Correctly yield the application instance to `allow_grant_flow_for_client?` config
+  option (fixes #1398).
+- [#1402] Handle trying authorization with client credentials.
+
+## 5.4.0.rc1
+- [#1366] Sets expiry of token generated using `refresh_token` to that of original token. (Fixes #1364) 
+- [#1354] Add `authorize_resource_owner_for_client` option to authorize the calling user to access an application.
+- [#1355] Allow to enable polymorphic Resource Owner association for Access Token & Grant
+  models (`use_polymorphic_resource_owner` configuration option).
+  
+  **[IMPORTANT]** Review your custom patches or extensions for Doorkeeper internals if you
+  have such - since now Doorkeeper passes Resource Owner instance to every objects and not
+  just it's ID. See PR description for details.
+  
+- [#1356] Remove duplicated scopes from Access Tokens and Grants on attribute assignment.
+- [#1357] Fix `Doorkeeper::OAuth::PreAuthorization#as_json` method causing 
+  `Stack level too deep` error with AMS (fix #1312).
+- [#1358] Deprecate `active_record_options` configuration option.
+- [#1359] Refactor Doorkeeper configuration options DSL to make it easy to reuse it
+  in external extensions.
+- [#1360] Increase `matching_token_for` lookup size to 10 000 and make it configurable.
+- [#1371] Fix controllers to use valid classes in case Doorkeeper has custom models configured.
+- [#1370] Fix revocation response for invalid token and unauthorized requests to conform with RFC 7009 (fixes #1362).
+
+  **[IMPORTANT]** now fully according to RFC 7009 nobody can do a revocation request without `client_id`
+  (for public clients) and `client_secret` (for private clients). Please update your apps to include that
+  info in the revocation request payload.
+  
+- [#1373] Make Doorkeeper routes mapper reusable in extensions.
+- [#1374] Revoke and issue client credentials token in a transaction with a row lock.
+- [#1384] Add context object with auth/pre_auth and issued_token for authorization hooks.
+- [#1387] Add `AccessToken#create_for` and use in `RefreshTokenRequest`.
+- [#1392] Fix `enable_polymorphic_resource_owner` migration template to have proper index name.
+- [#1393] Improve Applications #show page with more informative data on client secret and scopes.
+- [#1394] Use Ruby `autoload` feature to load Doorkeeper files.
+
+## 5.3.3
+
+- [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.3.2
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
+
 ## 5.3.1
 
 - [#1360] Backport: Increase `matching_token_for` batch lookup size to 10 000 and make it configurable.
@@ -37,6 +89,15 @@ User-visible changes worth mentioning.
   If you were relying on access tokens being revoked once the same client
   requested a new access token, reenable it with `revoke_previous_client_credentials_token` in Doorkeeper
   initialization file.
+
+## 5.2.6
+
+- [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.2.5
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
   
 ## 5.2.4
   
@@ -70,6 +131,9 @@ User-visible changes worth mentioning.
 - [#1298] Slice strong params so doesn't error with Rails forms.
 - [#1300] Limiting access to attributes of pre_authorization.
 - [#1296] Adding client_id to strong parameters.
+
+  **[IMPORTANT]** `Doorkeeper::Server#client_via_uid` was removed.
+
 - [#1293] Move ar specific redirect uri validator to ar orm directory.
 - [#1288] Allow to pass attributes to the `Doorkeeper::OAuth::PreAuthorization#as_json` method to customize
   the PreAuthorization response.
@@ -102,6 +166,15 @@ User-visible changes worth mentioning.
 - [#1248] Return the unhashed Application Secret in the JSON response after creating new application even when `hash_application_secrets` is used.
 - [#1238] Better support for native app with support for custom scheme and localhost redirection.
 
+## 5.1.2
+
+- [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.1.1
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
+
 ## 5.1.0
 
 - [#1243] Add nil check operator in token checking at token introspection.
@@ -163,6 +236,11 @@ User-visible changes worth mentioning.
 - [#1164] Fix error when `root_path` is not defined.
 - [#1162] Fix `enforce_content_type` for requests without body.
 
+## 5.0.3
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
+
 ## 5.0.2
 
 - [#1158] Fix initializer template: change `handle_auth_errors` option

data/README.md

@@ -6,7 +6,7 @@
 [![Coverage Status](https://coveralls.io/repos/github/doorkeeper-gem/doorkeeper/badge.svg?branch=master)](https://coveralls.io/github/doorkeeper-gem/doorkeeper?branch=master)
 [![Security](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master.svg)](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master)
 [![Reviewed by Hound](https://img.shields.io/badge/Reviewed_by-Hound-8E64B0.svg)](https://houndci.com)
-[![GuardRails badge](https://badges.production.guardrails.io/doorkeeper-gem/doorkeeper.svg?token=66768ce8f6995814df81f65a2cff40f739f688492704f973e62809e15599bb62)](https://dashboard.guardrails.io/default/gh/doorkeeper-gem/doorkeeper)
+[![GuardRails badge](https://badges.guardrails.io/doorkeeper-gem/doorkeeper.svg?token=66768ce8f6995814df81f65a2cff40f739f688492704f973e62809e15599bb62)](https://dashboard.guardrails.io/default/gh/doorkeeper-gem/doorkeeper)
 [![Dependabot](https://img.shields.io/badge/dependabot-enabled-success.svg)](https://dependabot.com)
 
 Doorkeeper is a gem (Rails engine) that makes it easy to introduce OAuth 2 provider
@@ -113,7 +113,7 @@ These applications show how Doorkeeper works and how to integrate with it. Start
 
 | Application | Link |
 | :--- | :--- |
-| oAuth2 Server with Doorkeeper | [doorkeeper-gem/doorkeeper-provider-app](https://github.com/doorkeeper-gem/doorkeeper-provider-app) |
+| OAuth2 Server with Doorkeeper | [doorkeeper-gem/doorkeeper-provider-app](https://github.com/doorkeeper-gem/doorkeeper-provider-app) |
 | Sinatra Client connected to Provider App | [doorkeeper-gem/doorkeeper-sinatra-client](https://github.com/doorkeeper-gem/doorkeeper-sinatra-client) |
 | Devise + Omniauth Client | [doorkeeper-gem/doorkeeper-devise-client](https://github.com/doorkeeper-gem/doorkeeper-devise-client) |
 
@@ -160,6 +160,9 @@ tests with a specific Rails version:
 BUNDLE_GEMFILE=gemfiles/rails_6_0.gemfile bundle exec rake
 ```
 
+You can also experiment with the changes using `bin/console`. It uses in-memory SQLite database and default
+Doorkeeper config, but you can reestablish connection or reconfigure the gem if you need.
+
 ## Contributing
 
 Want to contribute and don't know where to start? Check out [features we're
@@ -168,8 +171,7 @@ create [example
 apps](https://github.com/doorkeeper-gem/doorkeeper/wiki/Example-Applications),
 integrate the gem with your app and let us know!
 
-Also, check out our [contributing guidelines
-page](https://github.com/doorkeeper-gem/doorkeeper/wiki/Contributing).
+Also, check out our [contributing guidelines page](CONTRIBUTING.md).
 
 ## Contributors
 

data/app/controllers/doorkeeper/applications_controller.rb

@@ -8,7 +8,7 @@ module Doorkeeper
     before_action :set_application, only: %i[show edit update destroy]
 
     def index
-      @applications = Application.ordered_by(:created_at)
+      @applications = Doorkeeper.config.application_model.ordered_by(:created_at)
 
       respond_to do |format|
         format.html
@@ -24,11 +24,11 @@ module Doorkeeper
     end
 
     def new
-      @application = Application.new
+      @application = Doorkeeper.config.application_model.new
     end
 
     def create
-      @application = Application.new(application_params)
+      @application = Doorkeeper.config.application_model.new(application_params)
 
       if @application.save
         flash[:notice] = I18n.t(:notice, scope: %i[doorkeeper flash applications create])
@@ -84,7 +84,7 @@ module Doorkeeper
     private
 
     def set_application
-      @application = Application.find(params[:id])
+      @application = Doorkeeper.config.application_model.find(params[:id])
     end
 
     def application_params

data/app/controllers/doorkeeper/authorizations_controller.rb

@@ -42,9 +42,9 @@ module Doorkeeper
     end
 
     def matching_token?
-      AccessToken.matching_token_for(
+      Doorkeeper.config.access_token_model.matching_token_for(
         pre_auth.client,
-        current_resource_owner.id,
+        current_resource_owner,
         pre_auth.scopes,
       )
     end
@@ -65,7 +65,11 @@ module Doorkeeper
     end
 
     def pre_auth
-      @pre_auth ||= OAuth::PreAuthorization.new(Doorkeeper.configuration, pre_auth_params)
+      @pre_auth ||= OAuth::PreAuthorization.new(
+        Doorkeeper.configuration,
+        pre_auth_params,
+        current_resource_owner,
+      )
     end
 
     def pre_auth_params
@@ -73,8 +77,14 @@ module Doorkeeper
     end
 
     def pre_auth_param_fields
-      %i[client_id response_type redirect_uri scope state code_challenge
-         code_challenge_method]
+      %i[
+        client_id
+        code_challenge
+        code_challenge_method
+        response_type
+        redirect_uri
+        scope state
+      ]
     end
 
     def authorization
@@ -82,26 +92,35 @@ module Doorkeeper
     end
 
     def strategy
-      @strategy ||= server.authorization_request pre_auth.response_type
+      @strategy ||= server.authorization_request(pre_auth.response_type)
     end
 
     def authorize_response
       @authorize_response ||= begin
         return pre_auth.error_response unless pre_auth.authorizable?
 
-        before_successful_authorization
+        context = build_context(pre_auth: pre_auth)
+        before_successful_authorization(context)
+
         auth = strategy.authorize
-        after_successful_authorization
+
+        context = build_context(auth: auth)
+        after_successful_authorization(context)
+
         auth
       end
     end
 
-    def after_successful_authorization
-      Doorkeeper.configuration.after_successful_authorization.call(self)
+    def build_context(**attributes)
+      Doorkeeper::OAuth::Hooks::Context.new(**attributes)
+    end
+
+    def before_successful_authorization(context = nil)
+      Doorkeeper.config.before_successful_authorization.call(self, context)
     end
 
-    def before_successful_authorization
-      Doorkeeper.configuration.before_successful_authorization.call(self)
+    def after_successful_authorization(context)
+      Doorkeeper.config.after_successful_authorization.call(self, context)
     end
   end
 end

data/app/controllers/doorkeeper/authorized_applications_controller.rb

@@ -5,7 +5,7 @@ module Doorkeeper
     before_action :authenticate_resource_owner!
 
     def index
-      @applications = Application.authorized_for(current_resource_owner)
+      @applications = Doorkeeper.config.application_model.authorized_for(current_resource_owner)
 
       respond_to do |format|
         format.html
@@ -14,7 +14,7 @@ module Doorkeeper
     end
 
     def destroy
-      Application.revoke_tokens_and_grants_for(
+      Doorkeeper.config.application_model.revoke_tokens_and_grants_for(
         params[:id],
         current_resource_owner,
       )

data/app/controllers/doorkeeper/tokens_controller.rb

@@ -12,14 +12,41 @@ module Doorkeeper
 
     # OAuth 2.0 Token Revocation - http://tools.ietf.org/html/rfc7009
     def revoke
-      # The authorization server, if applicable, first authenticates the client
-      # and checks its ownership of the provided token.
+      # @see 2.1.  Revocation Request
       #
-      # Doorkeeper does not use the token_type_hint logic described in the
-      # RFC 7009 due to the refresh token implementation that is a field in
-      # the access token model.
+      #  The client constructs the request by including the following
+      #  parameters using the "application/x-www-form-urlencoded" format in
+      #  the HTTP request entity-body:
+      #     token   REQUIRED.
+      #     token_type_hint  OPTIONAL.
+      #
+      #  The client also includes its authentication credentials as described
+      #  in Section 2.3. of [RFC6749].
+      #
+      #  The authorization server first validates the client credentials (in
+      #  case of a confidential client) and then verifies whether the token
+      #  was issued to the client making the revocation request.
+      unless server.client
+        # If this validation [client credentials / token ownership] fails, the request is
+        # refused and the  client is informed of the error by the authorization server as
+        # described below.
+        #
+        # @see 2.2.1.  Error Response
+        #
+        # The error presentation conforms to the definition in Section 5.2 of [RFC6749].
+        render json: revocation_error_response, status: :forbidden
+        return
+      end
 
-      if authorized?
+      # The authorization server responds with HTTP status code 200 if the client
+      # submitted an invalid token or the token has been revoked successfully.
+      if token.blank?
+        render json: {}, status: 200
+      # The authorization server validates [...] and whether the token
+      # was issued to the client making the revocation request. If this
+      # validation fails, the request is refused and the client is informed
+      # of the error by the authorization server as described below.
+      elsif authorized?
         revoke_token
         render json: {}, status: 200
       else
@@ -42,8 +69,12 @@ module Doorkeeper
     private
 
     # OAuth 2.0 Section 2.1 defines two client types, "public" & "confidential".
-    # Public clients (as per RFC 7009) do not require authentication whereas
-    # confidential clients must be authenticated for their token revocation.
+    # A malicious client may attempt to guess valid tokens on this endpoint
+    # by making revocation requests against potential token strings.
+    # According to this specification, a client's request must contain a
+    # valid client_id, in the case of a public client, or valid client
+    # credentials, in the case of a confidential client. The token being
+    # revoked must also belong to the requesting client.
     #
     # Once a confidential client is authenticated, it must be authorized to
     # revoke the provided access or refresh token. This ensures one client
@@ -58,15 +89,13 @@ module Doorkeeper
     # https://tools.ietf.org/html/rfc6749#section-2.1
     # https://tools.ietf.org/html/rfc7009
     def authorized?
-      return unless token.present?
-
-      # Client is confidential, therefore client authentication & authorization
-      # is required
+      # Token belongs to specific client, so we need to check if
+      # authenticated client could access it.
       if token.application_id? && token.application.confidential?
         # We authorize client by checking token's application
         server.client && server.client.application == token.application
       else
-        # Client is public, authentication unnecessary
+        # Token was issued without client, authorization unnecessary
         true
       end
     end
@@ -78,9 +107,12 @@ module Doorkeeper
       token.revoke if token&.accessible?
     end
 
+    # Doorkeeper does not use the token_type_hint logic described in the
+    # RFC 7009 due to the refresh token implementation that is a field in
+    # the access token model.
     def token
-      @token ||= AccessToken.by_token(params["token"]) ||
-                 AccessToken.by_refresh_token(params["token"])
+      @token ||= Doorkeeper.config.access_token_model.by_token(params["token"]) ||
+                 Doorkeeper.config.access_token_model.by_refresh_token(params["token"])
     end
 
     def strategy
@@ -91,17 +123,22 @@ module Doorkeeper
       @authorize_response ||= begin
         before_successful_authorization
         auth = strategy.authorize
-        after_successful_authorization unless auth.is_a?(Doorkeeper::OAuth::ErrorResponse)
+        context = build_context(auth: auth)
+        after_successful_authorization(context) unless auth.is_a?(Doorkeeper::OAuth::ErrorResponse)
         auth
       end
     end
 
-    def after_successful_authorization
-      Doorkeeper.configuration.after_successful_authorization.call(self)
+    def build_context(**attributes)
+      Doorkeeper::OAuth::Hooks::Context.new(**attributes)
+    end
+
+    def before_successful_authorization(context = nil)
+      Doorkeeper.config.before_successful_authorization.call(self, context)
     end
 
-    def before_successful_authorization
-      Doorkeeper.configuration.before_successful_authorization.call(self)
+    def after_successful_authorization(context)
+      Doorkeeper.config.after_successful_authorization.call(self, context)
     end
 
     def revocation_error_response

data/app/views/doorkeeper/applications/_form.html.erb

@@ -1,4 +1,4 @@
-<%= form_for application, url: doorkeeper_submit_path(application), html: { role: 'form' } do |f| %>
+<%= form_for application, url: doorkeeper_submit_path(application), as: :doorkeeper_application, html: { role: 'form' } do |f| %>
   <% if application.errors.any? %>
     <div class="alert alert-danger" data-alert><p><%= t('doorkeeper.applications.form.error') %></p></div>
   <% end %>

data/app/views/doorkeeper/applications/show.html.erb

@@ -8,10 +8,27 @@
     <p><code class="bg-light" id="application_id"><%= @application.uid %></code></p>
 
     <h4><%= t('.secret') %>:</h4>
-    <p><code class="bg-light" id="secret"><%= flash[:application_secret].presence || @application.plaintext_secret %></code></p>
+    <p>
+      <code class="bg-light" id="secret">
+        <% secret = flash[:application_secret].presence || @application.plaintext_secret %>
+        <% if secret.blank? && Doorkeeper.config.application_secret_hashed? %>
+          <span class="bg-light font-italic text-uppercase text-muted"><%= t('.secret_hashed') %></span>
+        <% else %>
+          <%= secret %>
+        <% end %>
+      </code>
+    </p>
 
     <h4><%= t('.scopes') %>:</h4>
-    <p><code class="bg-light" id="scopes"><%= @application.scopes.presence || raw('&nbsp;') %></code></p>
+    <p>
+      <code class="bg-light" id="scopes">
+        <% if @application.scopes.present? %>
+          <%= @application.scopes %>
+        <% else %>
+          <span class="bg-light font-italic text-uppercase text-muted"><%= t('.not_defined') %></span>
+        <% end %>
+      </code>
+    </p>
 
     <h4><%= t('.confidential') %>:</h4>
     <p><code class="bg-light" id="confidential"><%= @application.confidential? %></code></p>

data/config/locales/en.yml

@@ -51,12 +51,14 @@ en:
         title: 'New Application'
       show:
         title: 'Application: %{name}'
-        application_id: 'Application UID'
+        application_id: 'UID'
         secret: 'Secret'
+        secret_hashed: 'Secret hashed'
         scopes: 'Scopes'
         confidential: 'Confidential'
         callback_urls: 'Callback urls'
         actions: 'Actions'
+        not_defined: 'Not defined'
 
     authorizations:
       buttons:

data/lib/doorkeeper/config/abstract_builder.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  class Config
+    # Abstract base class for Doorkeeper and it's extensions configuration
+    # builder. Instantiates and validates gem configuration.
+    #
+    class AbstractBuilder
+      attr_reader :config
+
+      # @param [Class] config class
+      #
+      def initialize(config = Config.new, &block)
+        @config = config
+        instance_eval(&block)
+      end
+
+      # Builds and validates configuration.
+      #
+      # @return [Doorkeeper::Config] config instance
+      #
+      def build
+        @config.validate! if @config.respond_to?(:validate!)
+        @config
+      end
+    end
+  end
+end

data/lib/doorkeeper/config/option.rb

@@ -36,22 +36,29 @@ module Doorkeeper
         attribute = options[:as] || name
         attribute_builder = options[:builder_class]
 
-        Builder.instance_eval do
-          remove_method name if method_defined?(name)
-          if options[:deprecated]
-            define_method name do |*_, &_|
-              Kernel.warn "[DOORKEEPER] #{name} has been deprecated and will soon be removed"
-            end
-          else
-            define_method name do |*args, &block|
-              value = if attribute_builder
-                        attribute_builder.new(&block).build
-                      else
-                        block || args.first
-                      end
+        builder_class.instance_eval do
+          if method_defined?(name)
+            Kernel.warn "[DOORKEEPER] Option #{name} already defined and will be overridden"
+            remove_method name
+          end
 
-              @config.instance_variable_set(:"@#{attribute}", value)
+          define_method name do |*args, &block|
+            if (deprecation_opts = options[:deprecated])
+              warning = "[DOORKEEPER] #{name} has been deprecated and will soon be removed"
+              if deprecation_opts.is_a?(Hash)
+                warning = "#{warning}\n#{deprecation_opts.fetch(:message)}"
+              end
+
+              Kernel.warn(warning)
             end
+
+            value = if attribute_builder
+                      attribute_builder.new(&block).build
+                    else
+                      block || args.first
+                    end
+
+            @config.instance_variable_set(:"@#{attribute}", value)
           end
         end
 
@@ -65,6 +72,13 @@ module Doorkeeper
 
         public attribute
       end
+
+      def self.extended(base)
+        return if base.respond_to?(:builder_class)
+
+        raise Doorkeeper::MissingConfigurationBuilderClass, "Define `self.builder_class` method " \
+                          "for #{base} that returns your custom Builder class to use options DSL!"
+      end
     end
   end
 end