RubyGems - doorkeeper - Versions diffs - 5.3.3 → 5.4.0.rc1 - Mend

doorkeeper 5.3.3 → 5.4.0.rc1

Potentially problematic release.

This version of doorkeeper might be problematic. Click here for more details.

Files changed (120) hide show

checksums.yaml +4 -4
data/Appraisals +0 -14
data/CHANGELOG.md +35 -10
data/Dangerfile +7 -7
data/Dockerfile +2 -2
data/Gemfile +9 -9
data/README.md +6 -4
data/app/controllers/doorkeeper/applications_controller.rb +7 -7
data/app/controllers/doorkeeper/authorizations_controller.rb +31 -12
data/app/controllers/doorkeeper/authorized_applications_controller.rb +3 -3
data/app/controllers/doorkeeper/tokens_controller.rb +57 -20
data/app/views/doorkeeper/applications/show.html.erb +19 -2
data/bin/console +14 -0
data/config/locales/en.yml +3 -1
data/doorkeeper.gemspec +1 -1
data/gemfiles/rails_5_0.gemfile +8 -7
data/gemfiles/rails_5_1.gemfile +8 -7
data/gemfiles/rails_5_2.gemfile +8 -7
data/gemfiles/rails_6_0.gemfile +8 -7
data/gemfiles/rails_master.gemfile +8 -7
data/lib/doorkeeper.rb +106 -79
data/lib/doorkeeper/config.rb +40 -17
data/lib/doorkeeper/config/abstract_builder.rb +28 -0
data/lib/doorkeeper/config/option.rb +28 -14
data/lib/doorkeeper/grape/helpers.rb +1 -1
data/lib/doorkeeper/models/access_grant_mixin.rb +9 -11
data/lib/doorkeeper/models/access_token_mixin.rb +100 -41
data/lib/doorkeeper/models/concerns/resource_ownerable.rb +47 -0
data/lib/doorkeeper/models/concerns/revocable.rb +1 -1
data/lib/doorkeeper/models/concerns/scopes.rb +5 -1
data/lib/doorkeeper/models/concerns/secret_storable.rb +1 -3
data/lib/doorkeeper/oauth/authorization/code.rb +14 -5
data/lib/doorkeeper/oauth/authorization/context.rb +2 -2
data/lib/doorkeeper/oauth/authorization/token.rb +7 -11
data/lib/doorkeeper/oauth/authorization/uri_builder.rb +4 -4
data/lib/doorkeeper/oauth/authorization_code_request.rb +18 -8
data/lib/doorkeeper/oauth/base_request.rb +11 -19
data/lib/doorkeeper/oauth/client.rb +1 -1
data/lib/doorkeeper/oauth/client/credentials.rb +2 -4
data/lib/doorkeeper/oauth/client_credentials/creator.rb +25 -7
data/lib/doorkeeper/oauth/client_credentials/issuer.rb +3 -2
data/lib/doorkeeper/oauth/client_credentials/validator.rb +1 -1
data/lib/doorkeeper/oauth/client_credentials_request.rb +8 -7
data/lib/doorkeeper/oauth/code_request.rb +1 -1
data/lib/doorkeeper/oauth/code_response.rb +6 -2
data/lib/doorkeeper/oauth/error_response.rb +2 -4
data/lib/doorkeeper/oauth/helpers/scope_checker.rb +1 -5
data/lib/doorkeeper/oauth/hooks/context.rb +21 -0
data/lib/doorkeeper/oauth/invalid_token_response.rb +2 -2
data/lib/doorkeeper/oauth/password_access_token_request.rb +3 -5
data/lib/doorkeeper/oauth/pre_authorization.rb +32 -27
data/lib/doorkeeper/oauth/refresh_token_request.rb +18 -22
data/lib/doorkeeper/oauth/token.rb +1 -1
data/lib/doorkeeper/oauth/token_introspection.rb +3 -3
data/lib/doorkeeper/oauth/token_request.rb +2 -2
data/lib/doorkeeper/oauth/token_response.rb +1 -1
data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +7 -2
data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +6 -2
data/lib/doorkeeper/orm/active_record/mixins/application.rb +9 -64
data/lib/doorkeeper/rails/routes.rb +13 -17
data/lib/doorkeeper/rails/routes/abstract_router.rb +35 -0
data/lib/doorkeeper/rails/routes/mapper.rb +2 -2
data/lib/doorkeeper/rails/routes/registry.rb +45 -0
data/lib/doorkeeper/request/strategy.rb +2 -2
data/lib/doorkeeper/server.rb +3 -3
data/lib/doorkeeper/version.rb +3 -3
data/lib/generators/doorkeeper/confidential_applications_generator.rb +1 -1
data/lib/generators/doorkeeper/enable_polymorphic_resource_owner_generator.rb +39 -0
data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +2 -0
data/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb.erb +2 -0
data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +2 -0
data/lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb +17 -0
data/lib/generators/doorkeeper/templates/initializer.rb +39 -3
data/lib/generators/doorkeeper/templates/migration.rb.erb +2 -0
data/spec/controllers/applications_controller_spec.rb +2 -2
data/spec/controllers/authorizations_controller_spec.rb +165 -30
data/spec/controllers/tokens_controller_spec.rb +6 -5
data/spec/dummy/app/helpers/application_helper.rb +1 -1
data/spec/dummy/app/models/user.rb +5 -1
data/spec/dummy/config/application.rb +6 -4
data/spec/dummy/config/boot.rb +4 -4
data/spec/dummy/config/environment.rb +1 -1
data/spec/dummy/config/routes.rb +4 -4
data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +2 -2
data/spec/dummy/db/schema.rb +3 -1
data/spec/factories.rb +1 -1
data/spec/generators/enable_polymorphic_resource_owner_generator_spec.rb +47 -0
data/spec/lib/config_spec.rb +15 -11
data/spec/lib/models/revocable_spec.rb +2 -3
data/spec/lib/models/scopes_spec.rb +8 -0
data/spec/lib/oauth/authorization_code_request_spec.rb +25 -15
data/spec/lib/oauth/base_request_spec.rb +6 -20
data/spec/lib/oauth/client_credentials/creator_spec.rb +90 -89
data/spec/lib/oauth/client_credentials/issuer_spec.rb +84 -86
data/spec/lib/oauth/client_credentials/validation_spec.rb +38 -40
data/spec/lib/oauth/client_credentials_request_spec.rb +5 -4
data/spec/lib/oauth/code_request_spec.rb +1 -1
data/spec/lib/oauth/code_response_spec.rb +5 -1
data/spec/lib/oauth/error_response_spec.rb +1 -1
data/spec/lib/oauth/password_access_token_request_spec.rb +24 -13
data/spec/lib/oauth/pre_authorization_spec.rb +13 -18
data/spec/lib/oauth/refresh_token_request_spec.rb +19 -30
data/spec/lib/oauth/token_request_spec.rb +14 -7
data/spec/lib/option_spec.rb +51 -0
data/spec/lib/stale_records_cleaner_spec.rb +18 -5
data/spec/models/doorkeeper/access_grant_spec.rb +18 -4
data/spec/models/doorkeeper/access_token_spec.rb +507 -479
data/spec/models/doorkeeper/application_spec.rb +22 -62
data/spec/requests/endpoints/token_spec.rb +5 -1
data/spec/requests/flows/authorization_code_errors_spec.rb +4 -1
data/spec/requests/flows/authorization_code_spec.rb +6 -1
data/spec/requests/flows/client_credentials_spec.rb +41 -0
data/spec/requests/flows/refresh_token_spec.rb +16 -8
data/spec/requests/flows/revoke_token_spec.rb +143 -104
data/spec/support/helpers/access_token_request_helper.rb +1 -0
data/spec/support/helpers/authorization_request_helper.rb +4 -4
data/spec/support/helpers/config_helper.rb +1 -1
data/spec/support/shared/controllers_shared_context.rb +2 -2
data/spec/support/shared/models_shared_examples.rb +6 -4
metadata +16 -5

data/lib/doorkeeper/config/abstract_builder.rb ADDED

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+module Doorkeeper
+  class Config
+    # Abstract base class for Doorkeeper and it's extensions configuration
+    # builder. Instantiates and validates gem configuration.
+    #
+    class AbstractBuilder
+      attr_reader :config
+      # @param [Class] config class
+      #
+      def initialize(config = Config.new, &block)
+        @config = config
+        instance_eval(&block)
+      end
+      # Builds and validates configuration.
+      #
+      # @return [Doorkeeper::Config] config instance
+      #
+      def build
+        @config.validate if @config.respond_to?(:validate)
+        @config
+      end
+    end
+  end
+end

data/lib/doorkeeper/config/option.rb CHANGED

@@ -36,22 +36,29 @@ module Doorkeeper
         attribute = options[:as] || name
         attribute_builder = options[:builder_class]
-        Builder.instance_eval do
-          remove_method name if method_defined?(name)
-          if options[:deprecated]
-            define_method name do |*_, &_|
-              Kernel.warn "[DOORKEEPER] #{name} has been deprecated and will soon be removed"
-            end
-          else
-            define_method name do |*args, &block|
-              value = if attribute_builder
-                        attribute_builder.new(&block).build
-                      else
-                        block || args.first
-                      end
+        builder_class.instance_eval do
+          if method_defined?(name)
+            Kernel.warn "[DOORKEEPER] Option #{name} already defined and will be overridden"
+            remove_method name
+          end
-              @config.instance_variable_set(:"@#{attribute}", value)
+          define_method name do |*args, &block|
+            if (deprecation_opts = options[:deprecated])
+              warning = "[DOORKEEPER] #{name} has been deprecated and will soon be removed"
+              if deprecation_opts.is_a?(Hash)
+                warning = "#{warning}\n#{deprecation_opts.fetch(:message)}"
+              end
+              Kernel.warn(warning)
             end
+            value = if attribute_builder
+                      attribute_builder.new(&block).build
+                    else
+                      block || args.first
+                    end
+            @config.instance_variable_set(:"@#{attribute}", value)
           end
         end
@@ -65,6 +72,13 @@ module Doorkeeper
         public attribute
       end
+      def self.extended(base)
+        return if base.respond_to?(:builder_class)
+        raise Doorkeeper::MissingConfigurationBuilderClass, "Define `self.builder_class` method " \
+                          "for #{base} that returns your custom Builder class to use options DSL!"
+      end
     end
   end
 end

data/lib/doorkeeper/grape/helpers.rb CHANGED

@@ -18,7 +18,7 @@ module Doorkeeper
         scopes = if endpoint_scopes
                    Doorkeeper::OAuth::Scopes.from_array(endpoint_scopes)
-                 elsif scopes && !scopes.empty?
+                 elsif scopes.present?
                    Doorkeeper::OAuth::Scopes.from_array(scopes)
                  end

data/lib/doorkeeper/models/access_grant_mixin.rb CHANGED

@@ -11,14 +11,11 @@ module Doorkeeper
     include Models::Orderable
     include Models::SecretStorable
     include Models::Scopes
+    include Models::ResourceOwnerable
     # never uses pkce, if pkce migrations were not generated
     def uses_pkce?
-      pkce_supported? && code_challenge.present?
-    end
-    def pkce_supported?
-      respond_to? :code_challenge
+      self.class.pkce_supported? && code_challenge.present?
     end
     module ClassMethods
@@ -43,11 +40,12 @@ module Doorkeeper
       #   instance of the Resource Owner model
       #
       def revoke_all_for(application_id, resource_owner, clock = Time)
-        where(
-          application_id: application_id,
-          resource_owner_id: resource_owner.id,
-          revoked_at: nil,
-        ).update_all(revoked_at: clock.now.utc)
+        by_resource_owner(resource_owner)
+          .where(
+            application_id: application_id,
+            revoked_at: nil,
+          )
+          .update_all(revoked_at: clock.now.utc)
       end
       # Implements PKCE code_challenge encoding without base64 padding as described in the spec.
@@ -96,7 +94,7 @@ module Doorkeeper
       end
       def pkce_supported?
-        new.pkce_supported?
+        column_names.include?("code_challenge")
       end
       ##

data/lib/doorkeeper/models/access_token_mixin.rb CHANGED

@@ -12,6 +12,7 @@ module Doorkeeper
     include Models::Orderable
     include Models::SecretStorable
     include Models::Scopes
+    include Models::ResourceOwnerable
     module ClassMethods
       # Returns an instance of the Doorkeeper::AccessToken with
@@ -64,11 +65,12 @@ module Doorkeeper
       #   instance of the Resource Owner model
       #
       def revoke_all_for(application_id, resource_owner, clock = Time)
-        where(
-          application_id: application_id,
-          resource_owner_id: resource_owner.id,
-          revoked_at: nil,
-        ).update_all(revoked_at: clock.now.utc)
+        by_resource_owner(resource_owner)
+          .where(
+            application_id: application_id,
+            revoked_at: nil,
+          )
+          .update_all(revoked_at: clock.now.utc)
       end
       # Looking for not revoked Access Token with a matching set of scopes
@@ -76,7 +78,7 @@ module Doorkeeper
       #
       # @param application [Doorkeeper::Application]
       #   Application instance
-      # @param resource_owner_or_id [ActiveRecord::Base, Integer]
+      # @param resource_owner [ActiveRecord::Base, Integer]
       #   Resource Owner model instance or it's ID
       # @param scopes [String, Doorkeeper::OAuth::Scopes]
       #   set of scopes
@@ -84,14 +86,8 @@ module Doorkeeper
       # @return [Doorkeeper::AccessToken, nil] Access Token instance or
       #   nil if matching record was not found
       #
-      def matching_token_for(application, resource_owner_or_id, scopes)
-        resource_owner_id = if resource_owner_or_id.respond_to?(:to_key)
-                              resource_owner_or_id.id
-                            else
-                              resource_owner_or_id
-                            end
-        tokens = authorized_tokens_for(application.try(:id), resource_owner_id)
+      def matching_token_for(application, resource_owner, scopes)
+        tokens = authorized_tokens_for(application&.id, resource_owner)
         find_matching_token(tokens, application, scopes)
       end
@@ -130,7 +126,7 @@ module Doorkeeper
         find_access_token_in_batches(relation, batch_size: batch_size) do |batch|
           tokens = batch.select do |token|
-            scopes_match?(token.scopes, scopes, application.try(:scopes))
+            scopes_match?(token.scopes, scopes, application&.scopes)
           end
           matching_tokens.concat(tokens)
@@ -170,47 +166,78 @@ module Doorkeeper
       #
       # @param application [Doorkeeper::Application]
       #   Application instance
-      # @param resource_owner_id [ActiveRecord::Base, Integer]
+      # @param resource_owner [ActiveRecord::Base, Integer]
       #   Resource Owner model instance or it's ID
       # @param scopes [#to_s]
       #   set of scopes (any object that responds to `#to_s`)
-      # @param expires_in [Integer]
+      # @param token_attributes [Hash]
+      #   Additional attributes to use when creating a token
+      # @option token_attributes [Integer] :expires_in
       #   token lifetime in seconds
-      # @param use_refresh_token [Boolean]
+      # @option token_attributes [Boolean] :use_refresh_token
       #   whether to use the refresh token
       #
       # @return [Doorkeeper::AccessToken] existing record or a new one
       #
-      def find_or_create_for(application, resource_owner_id, scopes, expires_in, use_refresh_token)
+      def find_or_create_for(application:, resource_owner:, scopes:, **token_attributes)
         if Doorkeeper.config.reuse_access_token
-          access_token = matching_token_for(application, resource_owner_id, scopes)
+          access_token = matching_token_for(application, resource_owner, scopes)
           return access_token if access_token&.reusable?
         end
-        create!(
-          application_id: application.try(:id),
-          resource_owner_id: resource_owner_id,
-          scopes: scopes.to_s,
-          expires_in: expires_in,
-          use_refresh_token: use_refresh_token,
+        create_for(
+          application: application,
+          resource_owner: resource_owner,
+          scopes: scopes,
+          **token_attributes,
         )
       end
+      # Creates a not expired AccessToken record with a matching set of
+      # scopes that belongs to specific Application and Resource Owner.
+      #
+      # @param application [Doorkeeper::Application]
+      #   Application instance
+      # @param resource_owner [ActiveRecord::Base, Integer]
+      #   Resource Owner model instance or it's ID
+      # @param scopes [#to_s]
+      #   set of scopes (any object that responds to `#to_s`)
+      # @param token_attributes [Hash]
+      #   Additional attributes to use when creating a token
+      # @option token_attributes [Integer] :expires_in
+      #   token lifetime in seconds
+      # @option token_attributes [Boolean] :use_refresh_token
+      #   whether to use the refresh token
+      #
+      # @return [Doorkeeper::AccessToken] new access token
+      #
+      def create_for(application:, resource_owner:, scopes:, **token_attributes)
+        token_attributes[:application_id] = application&.id
+        token_attributes[:scopes] = scopes.to_s
+        if Doorkeeper.config.polymorphic_resource_owner?
+          token_attributes[:resource_owner] = resource_owner
+        else
+          token_attributes[:resource_owner_id] = resource_owner_id_for(resource_owner)
+        end
+        create!(token_attributes)
+      end
       # Looking for not revoked Access Token records that belongs to specific
       # Application and Resource Owner.
       #
       # @param application_id [Integer]
       #   ID of the Application model instance
-      # @param resource_owner_id [Integer]
+      # @param resource_owner [Integer]
       #   ID of the Resource Owner model instance
       #
       # @return [Doorkeeper::AccessToken] array of matching AccessToken objects
       #
-      def authorized_tokens_for(application_id, resource_owner_id)
-        where(
+      def authorized_tokens_for(application_id, resource_owner)
+        by_resource_owner(resource_owner).where(
           application_id: application_id,
-          resource_owner_id: resource_owner_id,
           revoked_at: nil,
         )
       end
@@ -220,15 +247,16 @@ module Doorkeeper
       #
       # @param application_id [Integer]
       #   ID of the Application model instance
-      # @param resource_owner_id [Integer]
+      # @param resource_owner [ActiveRecord::Base, Integer]
       #   ID of the Resource Owner model instance
       #
       # @return [Doorkeeper::AccessToken, nil] matching AccessToken object or
       #   nil if nothing was found
       #
-      def last_authorized_token_for(application_id, resource_owner_id)
-        authorized_tokens_for(application_id, resource_owner_id)
-          .ordered_by(:created_at, :desc).first
+      def last_authorized_token_for(application_id, resource_owner)
+        authorized_tokens_for(application_id, resource_owner)
+          .ordered_by(:created_at, :desc)
+          .first
       end
       ##
@@ -269,7 +297,11 @@ module Doorkeeper
         expires_in: expires_in_seconds,
         application: { uid: application.try(:uid) },
         created_at: created_at.to_i,
-      }
+      }.tap do |json|
+        if Doorkeeper.configuration.polymorphic_resource_owner?
+          json[:resource_owner_type] = resource_owner_type
+        end
+      end
     end
     # Indicates whether the token instance have the same credential
@@ -281,7 +313,22 @@ module Doorkeeper
     #
     def same_credential?(access_token)
       application_id == access_token.application_id &&
+        same_resource_owner?(access_token)
+    end
+    # Indicates whether the token instance have the same credential
+    # as the other Access Token.
+    #
+    # @param access_token [Doorkeeper::AccessToken] other token
+    #
+    # @return [Boolean] true if credentials are same of false in other cases
+    #
+    def same_resource_owner?(access_token)
+      if Doorkeeper.configuration.polymorphic_resource_owner?
+        resource_owner == access_token.resource_owner
+      else
         resource_owner_id == access_token.resource_owner_id
+      end
     end
     # Indicates if token is acceptable for specific scopes.
@@ -326,7 +373,7 @@ module Doorkeeper
       return unless self.class.refresh_token_revoked_on_use?
       old_refresh_token&.revoke
-      update_attribute :previous_refresh_token, ""
+      update_column(:previous_refresh_token, "")
     end
     private
@@ -363,16 +410,28 @@ module Doorkeeper
     def generate_token
       self.created_at ||= Time.now.utc
-      @raw_token = token_generator.generate(
+      @raw_token = token_generator.generate(attributes_for_token_generator)
+      secret_strategy.store_secret(self, :token, @raw_token)
+      @raw_token
+    end
+    # Set of attributes that would be passed to token generator to
+    # generate unique token based on them.
+    #
+    #  @return [Hash] set of attributes
+    #
+    def attributes_for_token_generator
+      {
         resource_owner_id: resource_owner_id,
         scopes: scopes,
         application: application,
         expires_in: expires_in,
         created_at: created_at,
-      )
-      secret_strategy.store_secret(self, :token, @raw_token)
-      @raw_token
+      }.tap do |attributes|
+        if Doorkeeper.config.polymorphic_resource_owner?
+          attributes[:resource_owner] = resource_owner
+        end
+      end
     end
     def token_generator

data/lib/doorkeeper/models/concerns/resource_ownerable.rb ADDED

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+module Doorkeeper
+  module Models
+    module ResourceOwnerable
+      extend ActiveSupport::Concern
+      module ClassMethods
+        # Searches for record by Resource Owner considering Doorkeeper
+        # configuration for resource owner association.
+        #
+        # @param resource_owner [ActiveRecord::Base, Integer]
+        #   resource owner
+        #
+        # @return [Doorkeeper::AccessGrant, Doorkeeper::AccessToken]
+        #   collection of records
+        #
+        def by_resource_owner(resource_owner)
+          if Doorkeeper.configuration.polymorphic_resource_owner?
+            where(resource_owner: resource_owner)
+          else
+            where(resource_owner_id: resource_owner_id_for(resource_owner))
+          end
+        end
+        protected
+        # Backward compatible way to retrieve resource owner itself (if
+        # polymorphic association enabled) or just it's ID.
+        #
+        # @param resource_owner [ActiveRecord::Base, Integer]
+        #   resource owner
+        #
+        # @return [ActiveRecord::Base, Integer]
+        #   instance of Resource Owner or it's ID
+        #
+        def resource_owner_id_for(resource_owner)
+          if resource_owner.respond_to?(:to_key)
+            resource_owner.id
+          else
+            resource_owner
+          end
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/models/concerns/revocable.rb CHANGED

@@ -9,7 +9,7 @@ module Doorkeeper
       # @param clock [Time] time object
       #
       def revoke(clock = Time)
-        update_attribute :revoked_at, clock.now.utc
+        update_column(:revoked_at, clock.now.utc)
       end
       # Indicates whether the object has been revoked.

data/lib/doorkeeper/models/concerns/scopes.rb CHANGED

@@ -8,7 +8,11 @@ module Doorkeeper
       end
       def scopes=(value)
-        super Array(value).join(" ")
+        if value.is_a?(Array)
+          super(Doorkeeper::OAuth::Scopes.from_array(value).to_s)
+        else
+          super(Doorkeeper::OAuth::Scopes.from_string(value.to_s).to_s)
+        end
       end
       def scopes_string