doorkeeper 5.3.3 → 5.4.0.rc1

data/spec/models/doorkeeper/application_spec.rb

@@ -102,7 +102,7 @@ describe Doorkeeper::Application do
     end
 
     context "application owner is required" do
-      before do
+      before(:each) do
         require_owner
         @owner = FactoryBot.build_stubbed(:doorkeeper_testing_user)
       end
@@ -222,13 +222,14 @@ describe Doorkeeper::Application do
       new_application.save
     end
 
-    let(:resource_owner) { FactoryBot.create(:doorkeeper_testing_user) }
+    let(:resource_owner) { FactoryBot.create(:resource_owner) }
 
     it "should destroy its access grants" do
       FactoryBot.create(
         :access_grant,
         application: new_application,
         resource_owner_id: resource_owner.id,
+        resource_owner_type: resource_owner.class.name,
       )
 
       expect { new_application.destroy }.to change { Doorkeeper::AccessGrant.count }.by(-1)
@@ -287,8 +288,8 @@ describe Doorkeeper::Application do
   end
 
   describe "#authorized_for" do
-    let(:resource_owner) { FactoryBot.create(:doorkeeper_testing_user) }
-    let(:other_resource_owner) { FactoryBot.create(:doorkeeper_testing_user) }
+    let(:resource_owner) { FactoryBot.create(:resource_owner) }
+    let(:other_resource_owner) { FactoryBot.create(:resource_owner) }
 
     it "is empty if the application is not authorized for anyone" do
       expect(described_class.authorized_for(resource_owner)).to be_empty
@@ -298,10 +299,12 @@ describe Doorkeeper::Application do
       FactoryBot.create(
         :access_token,
         resource_owner_id: other_resource_owner.id,
+        resource_owner_type: other_resource_owner.class.name,
       )
       token = FactoryBot.create(
         :access_token,
         resource_owner_id: resource_owner.id,
+        resource_owner_type: resource_owner.class.name,
       )
       expect(described_class.authorized_for(resource_owner)).to eq([token.application])
     end
@@ -310,6 +313,7 @@ describe Doorkeeper::Application do
       FactoryBot.create(
         :access_token,
         resource_owner_id: resource_owner.id,
+        resource_owner_type: resource_owner.class.name,
         revoked_at: 2.days.ago,
       )
       expect(described_class.authorized_for(resource_owner)).to be_empty
@@ -319,10 +323,12 @@ describe Doorkeeper::Application do
       token1 = FactoryBot.create(
         :access_token,
         resource_owner_id: resource_owner.id,
+        resource_owner_type: resource_owner.class.name,
       )
       token2 = FactoryBot.create(
         :access_token,
         resource_owner_id: resource_owner.id,
+        resource_owner_type: resource_owner.class.name,
       )
       expect(described_class.authorized_for(resource_owner))
         .to eq([token1.application, token2.application])
@@ -333,11 +339,13 @@ describe Doorkeeper::Application do
       FactoryBot.create(
         :access_token,
         resource_owner_id: resource_owner.id,
+        resource_owner_type: resource_owner.class.name,
         application: application,
       )
       FactoryBot.create(
         :access_token,
         resource_owner_id: resource_owner.id,
+        resource_owner_type: resource_owner.class.name,
         application: application,
       )
       expect(described_class.authorized_for(resource_owner)).to eq([application])
@@ -413,7 +421,16 @@ describe Doorkeeper::Application do
         .to receive(:application_secret_strategy).and_return(Doorkeeper::SecretStoring::Plain)
     end
 
-    # AR specific feature
+    it "includes plaintext secret" do
+      expect(app.as_json).to include("secret" => "123123123")
+    end
+
+    it "respects custom options" do
+      expect(app.as_json(except: :secret)).not_to include("secret")
+      expect(app.as_json(only: :id)).to match("id" => app.id)
+    end
+
+    # AR specific
     if DOORKEEPER_ORM == :active_record
       it "correctly works with #to_json" do
         ActiveRecord::Base.include_root_in_json = true
@@ -421,62 +438,5 @@ describe Doorkeeper::Application do
         ActiveRecord::Base.include_root_in_json = false
       end
     end
-
-    context "when called without authorized resource owner" do
-      it "includes minimal set of attributes" do
-        expect(app.as_json).to match(
-          "id" => app.id,
-          "name" => app.name,
-          "created_at" => an_instance_of(String),
-        )
-      end
-
-      it "includes application UID if it's public" do
-        app = FactoryBot.create :application, secret: "123123123", confidential: false
-
-        expect(app.as_json).to match(
-          "id" => app.id,
-          "name" => app.name,
-          "created_at" => an_instance_of(String),
-          "uid" => app.uid,
-        )
-      end
-
-      it "respects custom options" do
-        expect(app.as_json(except: :id)).not_to include("id")
-        expect(app.as_json(only: %i[name created_at secret]))
-          .to match(
-            "name" => app.name,
-            "created_at" => an_instance_of(String),
-          )
-      end
-    end
-
-    context "when called with authorized resource owner" do
-      let(:owner) { FactoryBot.create(:doorkeeper_testing_user) }
-      let(:other_owner) { FactoryBot.create(:doorkeeper_testing_user) }
-      let(:app) { FactoryBot.create(:application, secret: "123123123", owner: owner) }
-
-      before do
-        Doorkeeper.configure do
-          orm DOORKEEPER_ORM
-          enable_application_owner confirmation: false
-        end
-      end
-
-      it "includes all the attributes" do
-        expect(app.as_json(current_resource_owner: owner))
-          .to include(
-            "secret" => "123123123",
-            "redirect_uri" => app.redirect_uri,
-            "uid" => app.uid,
-          )
-      end
-
-      it "doesn't include unsafe attributes if current owner isn't the same as owner" do
-        expect(app.as_json(current_resource_owner: other_owner))
-          .not_to include("redirect_uri")
-      end
-    end
   end
 end

data/spec/requests/endpoints/token_spec.rb

@@ -5,7 +5,11 @@ require "spec_helper"
 describe "Token endpoint" do
   before do
     client_exists
-    authorization_code_exists application: @client, scopes: "public"
+    create_resource_owner
+    authorization_code_exists application: @client,
+                              scopes: "public",
+                              resource_owner_id: @resource_owner.id,
+                              resource_owner_type: @resource_owner.class.name
   end
 
   it "respond with correct headers" do

data/spec/requests/flows/authorization_code_errors_spec.rb

@@ -50,7 +50,10 @@ end
 describe "Authorization Code Flow Errors", "after authorization" do
   before do
     client_exists
-    authorization_code_exists application: @client
+    create_resource_owner
+    authorization_code_exists application: @client,
+                              resource_owner_id: @resource_owner.id,
+                              resource_owner_type: @resource_owner.class.name
   end
 
   it "returns :invalid_grant error when posting an already revoked grant code" do

data/spec/requests/flows/authorization_code_spec.rb

@@ -182,6 +182,7 @@ feature "Authorization Code Flow" do
     access_token_exists application: @client,
                         expires_in: -100, # even expired token
                         resource_owner_id: @resource_owner.id,
+                        resource_owner_type: @resource_owner.class.name,
                         scopes: "public write"
 
     visit authorization_endpoint_url(client: @client, scope: "public write")
@@ -506,8 +507,12 @@ describe "Authorization Code Flow" do
   end
 
   context "issuing a refresh token" do
+    let(:resource_owner) { FactoryBot.create(:resource_owner) }
+
     before do
-      authorization_code_exists application: @client
+      authorization_code_exists application: @client,
+                                resource_owner_id: resource_owner.id,
+                                resource_owner_type: resource_owner.class.name
     end
 
     it "second of simultaneous client requests get an error for revoked acccess token" do

data/spec/requests/flows/client_credentials_spec.rb

@@ -159,6 +159,47 @@ describe "Client Credentials Request" do
     end
   end
 
+  context "when revoke_previous_client_credentials_token is true" do
+    before do
+      allow(Doorkeeper.config).to receive(:reuse_access_token) { false }
+      allow(Doorkeeper.config).to receive(:revoke_previous_client_credentials_token) { true }
+    end
+
+    it "revokes the previous token" do
+      headers = authorization client.uid, client.secret
+      params  = { grant_type: "client_credentials" }
+
+      post "/oauth/token", params: params, headers: headers
+      should_have_json "access_token", Doorkeeper::AccessToken.first.token
+
+      token = Doorkeeper::AccessToken.first
+
+      post "/oauth/token", params: params, headers: headers
+      should_have_json "access_token", Doorkeeper::AccessToken.last.token
+
+      expect(token.reload.revoked?).to be_truthy
+      expect(Doorkeeper::AccessToken.last.revoked?).to be_falsey
+    end
+
+    context "with a simultaneous request" do
+      let!(:access_token) { FactoryBot.create :access_token, resource_owner_id: nil }
+
+      before do
+        allow(Doorkeeper.config.access_token_model).to receive(:matching_token_for) { access_token }
+        allow(access_token).to receive(:revoked?).and_return(true)
+      end
+
+      it "returns an error" do
+        headers = authorization client.uid, client.secret
+        params  = { grant_type: "client_credentials" }
+
+        post "/oauth/token", params: params, headers: headers
+        should_not_have_json "access_token"
+        should_have_json "error", "invalid_token_reuse"
+      end
+    end
+  end
+
   def authorization(username, password)
     credentials = ActionController::HttpAuthentication::Basic.encode_credentials username, password
     { "HTTP_AUTHORIZATION" => credentials }

data/spec/requests/flows/refresh_token_spec.rb

@@ -12,9 +12,13 @@ describe "Refresh Token Flow" do
     client_exists
   end
 
+  let(:resource_owner) { FactoryBot.create(:resource_owner) }
+
   context "issuing a refresh token" do
     before do
-      authorization_code_exists application: @client
+      authorization_code_exists application: @client,
+                                resource_owner_id: resource_owner.id,
+                                resource_owner_type: resource_owner.class.name
     end
 
     it "client gets the refresh token and refreshes it" do
@@ -43,7 +47,8 @@ describe "Refresh Token Flow" do
       @token = FactoryBot.create(
         :access_token,
         application: @client,
-        resource_owner_id: 1,
+        resource_owner_id: resource_owner.id,
+        resource_owner_type: resource_owner.class.name,
         use_refresh_token: true,
       )
     end
@@ -110,7 +115,8 @@ describe "Refresh Token Flow" do
         FactoryBot.create(
           :access_token,
           application: @client,
-          resource_owner_id: 1,
+          resource_owner_id: resource_owner.id,
+          resource_owner_type: resource_owner.class.name,
           use_refresh_token: true,
         )
       end
@@ -119,7 +125,8 @@ describe "Refresh Token Flow" do
         FactoryBot.create(
           :access_token,
           application: public_client,
-          resource_owner_id: 1,
+          resource_owner_id: resource_owner.id,
+          resource_owner_type: resource_owner.class.name,
           use_refresh_token: true,
         )
       end
@@ -185,14 +192,15 @@ describe "Refresh Token Flow" do
       end
       create_resource_owner
       _another_token = post password_token_endpoint_url(
-        client: @client, resource_owner: @resource_owner,
+        client: @client, resource_owner: resource_owner,
       )
-      last_token.update_attribute :created_at, 5.seconds.ago
+      last_token.update(created_at: 5.seconds.ago)
 
       @token = FactoryBot.create(
         :access_token,
         application: @client,
-        resource_owner_id: @resource_owner.id,
+        resource_owner_id: resource_owner.id,
+        resource_owner_type: resource_owner.class.name,
         use_refresh_token: true,
       )
       @token.update_attribute :expires_in, -100
@@ -226,7 +234,7 @@ describe "Refresh Token Flow" do
 
     def last_token
       Doorkeeper::AccessToken.last_authorized_token_for(
-        @client.id, @resource_owner.id,
+        @client.id, resource_owner,
       )
     end
   end

data/spec/requests/flows/revoke_token_spec.rb

@@ -7,151 +7,190 @@ describe "Revoke Token Flow" do
     Doorkeeper.configure { orm DOORKEEPER_ORM }
   end
 
-  context "with default parameters" do
-    let(:client_application) { FactoryBot.create :application }
-    let(:resource_owner) { User.create!(name: "John", password: "sekret") }
+  let(:private_client_application) { FactoryBot.create :application }
+  let(:public_client_application) { FactoryBot.create :application, confidential: false }
+  let(:resource_owner) { User.create!(name: "John", password: "sekret") }
+
+  context "with authenticated, confidential OAuth 2.0 client/application" do
     let(:access_token) do
       FactoryBot.create(
         :access_token,
-        application: client_application,
+        application: private_client_application,
         resource_owner_id: resource_owner.id,
+        resource_owner_type: resource_owner.class.name,
         use_refresh_token: true,
       )
     end
 
-    context "with authenticated, confidential OAuth 2.0 client/application" do
+    let(:headers) do
+      client_id = private_client_application.uid
+      client_secret = private_client_application.secret
+      credentials = Base64.encode64("#{client_id}:#{client_secret}")
+      { "HTTP_AUTHORIZATION" => "Basic #{credentials}" }
+    end
+
+    it "should revoke the access token provided" do
+      post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
+
+      expect(response).to be_successful
+      expect(access_token.reload.revoked?).to be_truthy
+    end
+
+    it "should revoke the refresh token provided" do
+      post revocation_token_endpoint_url, params: { token: access_token.refresh_token }, headers: headers
+
+      expect(response).to be_successful
+      expect(access_token.reload.revoked?).to be_truthy
+    end
+
+    context "with invalid token to revoke" do
+      it "should not revoke any tokens and must respond with success" do
+        expect do
+          post revocation_token_endpoint_url,
+               params: { token: "I_AM_AN_INVALID_TOKEN" },
+               headers: headers
+        end.not_to(change { Doorkeeper::AccessToken.where(revoked_at: nil).count })
+
+        expect(response).to be_successful
+      end
+    end
+
+    context "with bad credentials and a valid token" do
       let(:headers) do
-        client_id = client_application.uid
-        client_secret = client_application.secret
-        credentials = Base64.encode64("#{client_id}:#{client_secret}")
+        client_id = private_client_application.uid
+        credentials = Base64.encode64("#{client_id}:poop")
         { "HTTP_AUTHORIZATION" => "Basic #{credentials}" }
       end
 
-      it "should revoke the access token provided" do
+      it "should not revoke any tokens and respond with forbidden" do
         post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
 
-        expect(response).to be_successful
-        expect(access_token.reload.revoked?).to be_truthy
+        expect(response).to be_forbidden
+        expect(response.body).to include("unauthorized_client")
+        expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
+        expect(access_token.reload.revoked?).to be_falsey
       end
+    end
 
-      it "should revoke the refresh token provided" do
-        post revocation_token_endpoint_url, params: { token: access_token.refresh_token }, headers: headers
+    context "with no credentials and a valid token" do
+      it "should not revoke any tokens and respond with forbidden" do
+        post revocation_token_endpoint_url, params: { token: access_token.token }
 
-        expect(response).to be_successful
-        expect(access_token.reload.revoked?).to be_truthy
+        expect(response).to be_forbidden
+        expect(response.body).to include("unauthorized_client")
+        expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
+        expect(access_token.reload.revoked?).to be_falsey
       end
+    end
 
-      context "with invalid token to revoke" do
-        it "should not revoke any tokens and respond with forbidden" do
-          expect do
-            post revocation_token_endpoint_url,
-                 params: { token: "I_AM_AN_INVALID_TOKEN" },
-                 headers: headers
-          end.not_to(change { Doorkeeper::AccessToken.where(revoked_at: nil).count })
-
-          expect(response).to be_forbidden
-        end
+    context "with valid token for another client application" do
+      let(:other_client_application) { FactoryBot.create :application }
+      let(:headers) do
+        client_id = other_client_application.uid
+        client_secret = other_client_application.secret
+        credentials = Base64.encode64("#{client_id}:#{client_secret}")
+        { "HTTP_AUTHORIZATION" => "Basic #{credentials}" }
       end
 
-      context "with bad credentials and a valid token" do
-        let(:headers) do
-          client_id = client_application.uid
-          credentials = Base64.encode64("#{client_id}:poop")
-          { "HTTP_AUTHORIZATION" => "Basic #{credentials}" }
-        end
-        it "should not revoke any tokens and respond with forbidden" do
-          post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
-
-          expect(response).to be_forbidden
-          expect(response.body).to include("unauthorized_client")
-          expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
-          expect(access_token.reload.revoked?).to be_falsey
-        end
+      it "should not revoke the token as it's unauthorized" do
+        post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
+
+        expect(response).to be_forbidden
+        expect(response.body).to include("unauthorized_client")
+        expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
+        expect(access_token.reload.revoked?).to be_falsey
       end
+    end
+  end
+
+  context "with authenticated public OAuth 2.0 client/application" do
+    let(:access_token) do
+      FactoryBot.create(
+        :access_token,
+        application: nil,
+        resource_owner_id: resource_owner.id,
+        resource_owner_type: resource_owner.class.name,
+        use_refresh_token: true,
+      )
+    end
 
-      context "with no credentials and a valid token" do
-        it "should not revoke any tokens and respond with forbidden" do
-          post revocation_token_endpoint_url, params: { token: access_token.token }
+    it "should revoke the access token provided" do
+      post revocation_token_endpoint_url,
+           params: { client_id: public_client_application.uid, token: access_token.token },
+           headers: headers
 
-          expect(response).to be_forbidden
-          expect(response.body).to include("unauthorized_client")
-          expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
-          expect(access_token.reload.revoked?).to be_falsey
-        end
-      end
+      expect(response).to be_successful
+      expect(access_token.reload.revoked?).to be_truthy
+    end
 
-      context "with valid token for another client application" do
-        let(:other_client_application) { FactoryBot.create :application }
-        let(:headers) do
-          client_id = other_client_application.uid
-          client_secret = other_client_application.secret
-          credentials = Base64.encode64("#{client_id}:#{client_secret}")
-          { "HTTP_AUTHORIZATION" => "Basic #{credentials}" }
-        end
-
-        it "should not revoke the token as its unauthorized" do
-          post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
-
-          expect(response).to be_forbidden
-          expect(response.body).to include("unauthorized_client")
-          expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
-          expect(access_token.reload.revoked?).to be_falsey
-        end
-      end
+    it "should revoke the refresh token provided" do
+      post revocation_token_endpoint_url,
+           params: { client_id: public_client_application.uid, token: access_token.refresh_token },
+           headers: headers
+
+      expect(response).to be_successful
+      expect(access_token.reload.revoked?).to be_truthy
     end
 
-    context "with public OAuth 2.0 client/application" do
+    it "should response with success even for invalid token" do
+      post revocation_token_endpoint_url,
+           params: { client_id: public_client_application.uid, token: "dont_exist" },
+           headers: headers
+
+      expect(response).to be_successful
+    end
+
+    context "with a valid token issued for a confidential client" do
       let(:access_token) do
         FactoryBot.create(
           :access_token,
-          application: nil,
+          application: private_client_application,
           resource_owner_id: resource_owner.id,
+          resource_owner_type: resource_owner.class.name,
           use_refresh_token: true,
         )
       end
 
-      it "should revoke the access token provided" do
-        post revocation_token_endpoint_url, params: { token: access_token.token }
+      it "should not revoke the access token provided" do
+        post revocation_token_endpoint_url,
+             params: { client_id: public_client_application.uid, token: access_token.token }
 
-        expect(response).to be_successful
-        expect(access_token.reload.revoked?).to be_truthy
+        expect(response).to be_forbidden
+        expect(response.body).to include("unauthorized_client")
+        expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
+        expect(access_token.reload.revoked?).to be_falsey
       end
 
-      it "should revoke the refresh token provided" do
-        post revocation_token_endpoint_url, params: { token: access_token.refresh_token }
+      it "should not revoke the refresh token provided" do
+        post revocation_token_endpoint_url,
+             params: { client_id: public_client_application.uid, token: access_token.token }
 
-        expect(response).to be_successful
-        expect(access_token.reload.revoked?).to be_truthy
+        expect(response).to be_forbidden
+        expect(response.body).to include("unauthorized_client")
+        expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
+        expect(access_token.reload.revoked?).to be_falsey
       end
+    end
+  end
 
-      context "with a valid token issued for a confidential client" do
-        let(:access_token) do
-          FactoryBot.create(
-            :access_token,
-            application: client_application,
-            resource_owner_id: resource_owner.id,
-            use_refresh_token: true,
-          )
-        end
-
-        it "should not revoke the access token provided" do
-          post revocation_token_endpoint_url, params: { token: access_token.token }
-
-          expect(response).to be_forbidden
-          expect(response.body).to include("unauthorized_client")
-          expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
-          expect(access_token.reload.revoked?).to be_falsey
-        end
-
-        it "should not revoke the refresh token provided" do
-          post revocation_token_endpoint_url, params: { token: access_token.token }
-
-          expect(response).to be_forbidden
-          expect(response.body).to include("unauthorized_client")
-          expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
-          expect(access_token.reload.revoked?).to be_falsey
-        end
-      end
+  context "without client authentication" do
+    let(:access_token) do
+      FactoryBot.create(
+        :access_token,
+        application: nil,
+        resource_owner_id: resource_owner.id,
+        resource_owner_type: resource_owner.class.name,
+        use_refresh_token: true,
+      )
+    end
+
+    it "shouldn't remove the token and must response with an error" do
+      post revocation_token_endpoint_url,
+           params: { token: access_token.token },
+           headers: headers
+
+      expect(response).not_to be_successful
+      expect(access_token.reload.revoked?).to be_falsey
     end
   end
 end