doorkeeper 5.3.3 → 5.4.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4d3ed9e21e9d404f1c7f67a48a36a5745d9a5a7aca05b9ae63fbd10c6d170ac1
-  data.tar.gz: 21ab4db448c9404a7067e8223433a8aa2ecfe955fd3729e7038efafd616c4237
+  metadata.gz: 7c9e55b1b52c75ecb1dc18678a2fb5e7683e85859f9a955c27a3197548c2b146
+  data.tar.gz: 59f5eafd45d8a85b7f84c7553f1084ed31c8a7ede3b61d00382b8110aea5e63f
 SHA512:
-  metadata.gz: a03ea8dbf25bc5d48f2fa92942c73dfefa74978d16229b79f1f6d691e0d591ecdc08be84bc243139a1a4df50091fde2d039f5dcae65a8250477e309a31ad054d
-  data.tar.gz: 7f6445f2beb910ba6b3cdeebd5d0d265986f49bb400ccccdbd811f7be8e34e5e029e07acfe22330729fe9065169b1807a4c98094abf3d247fe7175a1cd52daf5
+  metadata.gz: 1d64979c31b76f5f36671bfdea039da232aefdcb590a5fdf154740bb6968ec939cd5b883e163217431f38c6539017c01eb7d8518302f7b769c8a56857f16eab2
+  data.tar.gz: 62e2bae23f51b365d2aab4c8ba10a8efbd5ac860f68b481a2d41b193a5df2576ba08ec4700ab9b8def2a59a4494709dd628c9b9ec7d5a10ddb709ab4466a5ce1

data/Appraisals

@@ -18,23 +18,9 @@ end
 appraise "rails-6-0" do
   gem "rails", "~> 6.0.0"
   gem "sqlite3", "~> 1.4", platform: %i[ruby mswin mingw x64_mingw]
-
-  # TODO: Remove when rspec-rails 4.0 released
-  gem "rspec-core", github: "rspec/rspec-core"
-  gem "rspec-expectations", github: "rspec/rspec-expectations"
-  gem "rspec-mocks", github: "rspec/rspec-mocks"
-  gem "rspec-rails", github: "rspec/rspec-rails", branch: "4-0-maintenance"
-  gem "rspec-support", github: "rspec/rspec-support"
 end
 
 appraise "rails-master" do
   gem "rails", git: "https://github.com/rails/rails"
   gem "sqlite3", "~> 1.4", platform: %i[ruby mswin mingw x64_mingw]
-
-  # TODO: Remove when rspec-rails 4.0 released
-  gem "rspec-core", github: "rspec/rspec-core"
-  gem "rspec-expectations", github: "rspec/rspec-expectations"
-  gem "rspec-mocks", github: "rspec/rspec-mocks"
-  gem "rspec-rails", github: "rspec/rspec-rails", branch: "4-0-maintenance"
-  gem "rspec-support", github: "rspec/rspec-support"
 end

data/CHANGELOG.md

@@ -5,19 +5,41 @@ upgrade guides.
 
 User-visible changes worth mentioning.
 
-## 5.3.3
+## master
 
-- [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+- [#PR number] Your changes description.
 
-## 5.3.2
-
-- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
-  Fixes information disclosure vulnerability (CVE-2020-10187).
+## 5.4.0.rc1
+- [#1366] Sets expiry of token generated using `refresh_token` to that of original token. (Fixes #1364) 
+- [#1354] Add `authorize_resource_owner_for_client` option to authorize the calling user to access an application.
+- [#1355] Allow to enable polymorphic Resource Owner association for Access Token & Grant
+  models (`use_polymorphic_resource_owner` configuration option).
+  
+  **[IMPORTANT]** Review your custom patches or extensions for Doorkeeper internals if you
+  have such - since now Doorkeeper passes Resource Owner instance to every objects and not
+  just it's ID. See PR description for details.
+  
+- [#1356] Remove duplicated scopes from Access Tokens and Grants on attribute assignment.
+- [#1357] Fix `Doorkeeper::OAuth::PreAuthorization#as_json` method causing 
+  `Stack level too deep` error with AMS (fix #1312).
+- [#1358] Deprecate `active_record_options` configuration option.
+- [#1359] Refactor Doorkeeper configuration options DSL to make it easy to reuse it
+  in external extensions.
+- [#1360] Increase `matching_token_for` lookup size to 10 000 and make it configurable.
+- [#1371] Fix controllers to use valid classes in case Doorkeeper has custom models configured.
+- [#1370] Fix revocation response for invalid token and unauthorized requests to conform with RFC 7009 (fixes #1362).
+
+  **[IMPORTANT]** now fully according to RFC 7009 nobody can do a revocation request without `client_id`
+  (for public clients) and `client_secret` (for private clients). Please update your apps to include that
+  info in the revocation request payload.
   
-  **[IMPORTANT]** you need to re-implement `#as_json` method for Doorkeeper Application model
-  if you previously used `#to_json` serialization with custom options or attributes or rely on
-  JSON response from /oauth/applications.json or /oauth/authorized_applications.json. This change
-  is a breaking change which restricts serialized attributes to a very small set of columns.
+- [#1373] Make Doorkeeper routes mapper reusable in extensions.
+- [#1374] Revoke and issue client credentials token in a transaction with a row lock.
+- [#1384] Add context object with auth/pre_auth and issued_token for authorization hooks.
+- [#1387] Add `AccessToken#create_for` and use in `RefreshTokenRequest`.
+- [#1392] Fix `enable_polymorphic_resource_owner` migration template to have proper index name.
+- [#1393] Improve Applications #show page with more informative data on client secret and scopes.
+- [#1394] Use Ruby `autoload` feature to load Doorkeeper files.
 
 ## 5.3.1
 
@@ -70,6 +92,9 @@ User-visible changes worth mentioning.
 - [#1298] Slice strong params so doesn't error with Rails forms.
 - [#1300] Limiting access to attributes of pre_authorization.
 - [#1296] Adding client_id to strong parameters.
+
+  **[IMPORTANT]** `Doorkeeper::Server#client_via_uid` was removed.
+
 - [#1293] Move ar specific redirect uri validator to ar orm directory.
 - [#1288] Allow to pass attributes to the `Doorkeeper::OAuth::PreAuthorization#as_json` method to customize
   the PreAuthorization response.

data/Dangerfile

@@ -1,14 +1,14 @@
-CHANGELOG_FILE = 'CHANGELOG.md'
-GITHUB_REPO = 'https://github.com/doorkeeper-gem/doorkeeper'
+CHANGELOG_FILE = "CHANGELOG.md"
+GITHUB_REPO = "https://github.com/doorkeeper-gem/doorkeeper"
 
 def changelog_changed?
   git.modified_files.include?(CHANGELOG_FILE) || git.added_files.include?(CHANGELOG_FILE)
 end
 
 def changelog_entry_example
-  pr_number = github.pr_json['number']
+  pr_number = github.pr_json["number"]
   pr_title = github.pr_title
-                   .sub(/[?.!,;]?$/, '')
+                   .sub(/[?.!,;]?$/, "")
                    .capitalize
 
   "- [##{pr_number}] #{pr_title}."
@@ -31,7 +31,7 @@ end
 # You've made changes to specs, but no library code has changed?
 # --------------------------------------------------------------------------------------------------------------------
 if !has_app_changes && has_spec_changes
-  message('We really appreciate pull requests that demonstrate issues, even without a fix. That said, the next step is to try and fix the failing tests!', sticky: false)
+  message("We really appreciate pull requests that demonstrate issues, even without a fix. That said, the next step is to try and fix the failing tests!", sticky: false)
 end
 
 # Mainly to encourage writing up some reasoning about the PR, rather than
@@ -59,9 +59,9 @@ Here's an example of a #{CHANGELOG_FILE} entry:
 end
 
 if git.commits.any? { |commit| commit.message =~ /^Merge branch '#{github.branch_for_base}'/ }
-  warn('Please rebase to get rid of the merge commits in this PR')
+  warn("Please rebase to get rid of the merge commits in this PR")
 end
 
 if git.commits.length > 1
-  warn('Please squash all your commits to a single one')
+  warn("Please squash all your commits to a single one")
 end

data/Dockerfile

@@ -1,4 +1,4 @@
-FROM ruby:2.6.3-alpine3.9
+FROM ruby:2.6.5-alpine
 
 RUN apk add --no-cache \
   ca-certificates \
@@ -14,7 +14,7 @@ ENV LANG en_US.UTF-8
 ENV LANGUAGE en_US:en
 ENV LC_ALL en_US.UTF-8
 
-ENV BUNDLER_VERSION 2.0.1
+ENV BUNDLER_VERSION 2.1.4
 RUN gem install bundler -v ${BUNDLER_VERSION} -i /usr/local/lib/ruby/gems/$(ls /usr/local/lib/ruby/gems) --force
 
 WORKDIR /srv

data/Gemfile

@@ -5,17 +5,17 @@ git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 
 gemspec
 
-gem "rails", "~> 6.0.0"
+gem "rails", "~> 6.0"
 
-# TODO: Remove when rspec-rails 4.0 released
-gem "rspec-core", github: "rspec/rspec-core"
-gem "rspec-expectations", github: "rspec/rspec-expectations"
-gem "rspec-mocks", github: "rspec/rspec-mocks"
-gem "rspec-rails", "4.0.0.beta3"
-gem "rspec-support", github: "rspec/rspec-support"
+gem "rspec-core"
+gem "rspec-expectations"
+gem "rspec-mocks"
+gem "rspec-rails", "~> 4.0"
+gem "rspec-support"
 
-gem "rubocop", "~> 0.75"
-gem "rubocop-performance"
+gem "rubocop", "~> 0.80"
+gem "rubocop-performance", require: false
+gem "rubocop-rails", require: false
 
 gem "bcrypt", "~> 3.1", require: false
 

data/README.md

@@ -6,7 +6,7 @@
 [![Coverage Status](https://coveralls.io/repos/github/doorkeeper-gem/doorkeeper/badge.svg?branch=master)](https://coveralls.io/github/doorkeeper-gem/doorkeeper?branch=master)
 [![Security](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master.svg)](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master)
 [![Reviewed by Hound](https://img.shields.io/badge/Reviewed_by-Hound-8E64B0.svg)](https://houndci.com)
-[![GuardRails badge](https://badges.production.guardrails.io/doorkeeper-gem/doorkeeper.svg?token=66768ce8f6995814df81f65a2cff40f739f688492704f973e62809e15599bb62)](https://dashboard.guardrails.io/default/gh/doorkeeper-gem/doorkeeper)
+[![GuardRails badge](https://badges.guardrails.io/doorkeeper-gem/doorkeeper.svg?token=66768ce8f6995814df81f65a2cff40f739f688492704f973e62809e15599bb62)](https://dashboard.guardrails.io/default/gh/doorkeeper-gem/doorkeeper)
 [![Dependabot](https://img.shields.io/badge/dependabot-enabled-success.svg)](https://dependabot.com)
 
 Doorkeeper is a gem (Rails engine) that makes it easy to introduce OAuth 2 provider
@@ -113,7 +113,7 @@ These applications show how Doorkeeper works and how to integrate with it. Start
 
 | Application | Link |
 | :--- | :--- |
-| oAuth2 Server with Doorkeeper | [doorkeeper-gem/doorkeeper-provider-app](https://github.com/doorkeeper-gem/doorkeeper-provider-app) |
+| OAuth2 Server with Doorkeeper | [doorkeeper-gem/doorkeeper-provider-app](https://github.com/doorkeeper-gem/doorkeeper-provider-app) |
 | Sinatra Client connected to Provider App | [doorkeeper-gem/doorkeeper-sinatra-client](https://github.com/doorkeeper-gem/doorkeeper-sinatra-client) |
 | Devise + Omniauth Client | [doorkeeper-gem/doorkeeper-devise-client](https://github.com/doorkeeper-gem/doorkeeper-devise-client) |
 
@@ -160,6 +160,9 @@ tests with a specific Rails version:
 BUNDLE_GEMFILE=gemfiles/rails_6_0.gemfile bundle exec rake
 ```
 
+You can also experiment with the changes using `bin/console`. It uses in-memory SQLite database and default
+Doorkeeper config, but you can reestablish connection or reconfigure the gem if you need.
+
 ## Contributing
 
 Want to contribute and don't know where to start? Check out [features we're
@@ -168,8 +171,7 @@ create [example
 apps](https://github.com/doorkeeper-gem/doorkeeper/wiki/Example-Applications),
 integrate the gem with your app and let us know!
 
-Also, check out our [contributing guidelines
-page](https://github.com/doorkeeper-gem/doorkeeper/wiki/Contributing).
+Also, check out our [contributing guidelines page](CONTRIBUTING.md).
 
 ## Contributors
 

data/app/controllers/doorkeeper/applications_controller.rb

@@ -8,7 +8,7 @@ module Doorkeeper
     before_action :set_application, only: %i[show edit update destroy]
 
     def index
-      @applications = Application.ordered_by(:created_at)
+      @applications = Doorkeeper.config.application_model.ordered_by(:created_at)
 
       respond_to do |format|
         format.html
@@ -19,16 +19,16 @@ module Doorkeeper
     def show
       respond_to do |format|
         format.html
-        format.json { render json: @application, as_owner: true }
+        format.json { render json: @application }
       end
     end
 
     def new
-      @application = Application.new
+      @application = Doorkeeper.config.application_model.new
     end
 
     def create
-      @application = Application.new(application_params)
+      @application = Doorkeeper.config.application_model.new(application_params)
 
       if @application.save
         flash[:notice] = I18n.t(:notice, scope: %i[doorkeeper flash applications create])
@@ -36,7 +36,7 @@ module Doorkeeper
 
         respond_to do |format|
           format.html { redirect_to oauth_application_url(@application) }
-          format.json { render json: @application, as_owner: true }
+          format.json { render json: @application }
         end
       else
         respond_to do |format|
@@ -58,7 +58,7 @@ module Doorkeeper
 
         respond_to do |format|
           format.html { redirect_to oauth_application_url(@application) }
-          format.json { render json: @application, as_owner: true }
+          format.json { render json: @application }
         end
       else
         respond_to do |format|
@@ -84,7 +84,7 @@ module Doorkeeper
     private
 
     def set_application
-      @application = Application.find(params[:id])
+      @application = Doorkeeper.config.application_model.find(params[:id])
     end
 
     def application_params

data/app/controllers/doorkeeper/authorizations_controller.rb

@@ -42,9 +42,9 @@ module Doorkeeper
     end
 
     def matching_token?
-      AccessToken.matching_token_for(
+      Doorkeeper.config.access_token_model.matching_token_for(
         pre_auth.client,
-        current_resource_owner.id,
+        current_resource_owner,
         pre_auth.scopes,
       )
     end
@@ -65,7 +65,11 @@ module Doorkeeper
     end
 
     def pre_auth
-      @pre_auth ||= OAuth::PreAuthorization.new(Doorkeeper.configuration, pre_auth_params)
+      @pre_auth ||= OAuth::PreAuthorization.new(
+        Doorkeeper.configuration,
+        pre_auth_params,
+        current_resource_owner,
+      )
     end
 
     def pre_auth_params
@@ -73,8 +77,14 @@ module Doorkeeper
     end
 
     def pre_auth_param_fields
-      %i[client_id response_type redirect_uri scope state code_challenge
-         code_challenge_method]
+      %i[
+        client_id
+        code_challenge
+        code_challenge_method
+        response_type
+        redirect_uri
+        scope state
+      ]
     end
 
     def authorization
@@ -82,26 +92,35 @@ module Doorkeeper
     end
 
     def strategy
-      @strategy ||= server.authorization_request pre_auth.response_type
+      @strategy ||= server.authorization_request(pre_auth.response_type)
     end
 
     def authorize_response
       @authorize_response ||= begin
         return pre_auth.error_response unless pre_auth.authorizable?
 
-        before_successful_authorization
+        context = build_context(pre_auth: pre_auth)
+        before_successful_authorization(context)
+
         auth = strategy.authorize
-        after_successful_authorization
+
+        context = build_context(auth: auth)
+        after_successful_authorization(context)
+
         auth
       end
     end
 
-    def after_successful_authorization
-      Doorkeeper.configuration.after_successful_authorization.call(self)
+    def build_context(**attributes)
+      Doorkeeper::OAuth::Hooks::Context.new(**attributes)
+    end
+
+    def before_successful_authorization(context = nil)
+      Doorkeeper.config.before_successful_authorization.call(self, context)
     end
 
-    def before_successful_authorization
-      Doorkeeper.configuration.before_successful_authorization.call(self)
+    def after_successful_authorization(context)
+      Doorkeeper.config.after_successful_authorization.call(self, context)
     end
   end
 end

data/app/controllers/doorkeeper/authorized_applications_controller.rb

@@ -5,16 +5,16 @@ module Doorkeeper
     before_action :authenticate_resource_owner!
 
     def index
-      @applications = Application.authorized_for(current_resource_owner)
+      @applications = Doorkeeper.config.application_model.authorized_for(current_resource_owner)
 
       respond_to do |format|
         format.html
-        format.json { render json: @applications, current_resource_owner: current_resource_owner }
+        format.json { render json: @applications }
       end
     end
 
     def destroy
-      Application.revoke_tokens_and_grants_for(
+      Doorkeeper.config.application_model.revoke_tokens_and_grants_for(
         params[:id],
         current_resource_owner,
       )

data/app/controllers/doorkeeper/tokens_controller.rb

@@ -12,14 +12,41 @@ module Doorkeeper
 
     # OAuth 2.0 Token Revocation - http://tools.ietf.org/html/rfc7009
     def revoke
-      # The authorization server, if applicable, first authenticates the client
-      # and checks its ownership of the provided token.
+      # @see 2.1.  Revocation Request
       #
-      # Doorkeeper does not use the token_type_hint logic described in the
-      # RFC 7009 due to the refresh token implementation that is a field in
-      # the access token model.
+      #  The client constructs the request by including the following
+      #  parameters using the "application/x-www-form-urlencoded" format in
+      #  the HTTP request entity-body:
+      #     token   REQUIRED.
+      #     token_type_hint  OPTIONAL.
+      #
+      #  The client also includes its authentication credentials as described
+      #  in Section 2.3. of [RFC6749].
+      #
+      #  The authorization server first validates the client credentials (in
+      #  case of a confidential client) and then verifies whether the token
+      #  was issued to the client making the revocation request.
+      unless server.client
+        # If this validation [client credentials / token ownership] fails, the request is
+        # refused and the  client is informed of the error by the authorization server as
+        # described below.
+        #
+        # @see 2.2.1.  Error Response
+        #
+        # The error presentation conforms to the definition in Section 5.2 of [RFC6749].
+        render json: revocation_error_response, status: :forbidden
+        return
+      end
 
-      if authorized?
+      # The authorization server responds with HTTP status code 200 if the client
+      # submitted an invalid token or the token has been revoked successfully.
+      if token.blank?
+        render json: {}, status: 200
+      # The authorization server validates [...] and whether the token
+      # was issued to the client making the revocation request. If this
+      # validation fails, the request is refused and the client is informed
+      # of the error by the authorization server as described below.
+      elsif authorized?
         revoke_token
         render json: {}, status: 200
       else
@@ -42,8 +69,12 @@ module Doorkeeper
     private
 
     # OAuth 2.0 Section 2.1 defines two client types, "public" & "confidential".
-    # Public clients (as per RFC 7009) do not require authentication whereas
-    # confidential clients must be authenticated for their token revocation.
+    # A malicious client may attempt to guess valid tokens on this endpoint
+    # by making revocation requests against potential token strings.
+    # According to this specification, a client's request must contain a
+    # valid client_id, in the case of a public client, or valid client
+    # credentials, in the case of a confidential client. The token being
+    # revoked must also belong to the requesting client.
     #
     # Once a confidential client is authenticated, it must be authorized to
     # revoke the provided access or refresh token. This ensures one client
@@ -58,15 +89,13 @@ module Doorkeeper
     # https://tools.ietf.org/html/rfc6749#section-2.1
     # https://tools.ietf.org/html/rfc7009
     def authorized?
-      return unless token.present?
-
-      # Client is confidential, therefore client authentication & authorization
-      # is required
+      # Token belongs to specific client, so we need to check if
+      # authenticated client could access it.
       if token.application_id? && token.application.confidential?
         # We authorize client by checking token's application
         server.client && server.client.application == token.application
       else
-        # Client is public, authentication unnecessary
+        # Token was issued without client, authorization unnecessary
         true
       end
     end
@@ -78,9 +107,12 @@ module Doorkeeper
       token.revoke if token&.accessible?
     end
 
+    # Doorkeeper does not use the token_type_hint logic described in the
+    # RFC 7009 due to the refresh token implementation that is a field in
+    # the access token model.
     def token
-      @token ||= AccessToken.by_token(params["token"]) ||
-                 AccessToken.by_refresh_token(params["token"])
+      @token ||= Doorkeeper.config.access_token_model.by_token(params["token"]) ||
+                 Doorkeeper.config.access_token_model.by_refresh_token(params["token"])
     end
 
     def strategy
@@ -91,17 +123,22 @@ module Doorkeeper
       @authorize_response ||= begin
         before_successful_authorization
         auth = strategy.authorize
-        after_successful_authorization unless auth.is_a?(Doorkeeper::OAuth::ErrorResponse)
+        context = build_context(auth: auth)
+        after_successful_authorization(context) unless auth.is_a?(Doorkeeper::OAuth::ErrorResponse)
         auth
       end
     end
 
-    def after_successful_authorization
-      Doorkeeper.configuration.after_successful_authorization.call(self)
+    def build_context(**attributes)
+      Doorkeeper::OAuth::Hooks::Context.new(**attributes)
+    end
+
+    def before_successful_authorization(context = nil)
+      Doorkeeper.config.before_successful_authorization.call(self, context)
     end
 
-    def before_successful_authorization
-      Doorkeeper.configuration.before_successful_authorization.call(self)
+    def after_successful_authorization(context)
+      Doorkeeper.config.after_successful_authorization.call(self, context)
     end
 
     def revocation_error_response