RubyGems - doorkeeper - Versions diffs - 5.3.3 → 5.4.0.rc1 - Mend

doorkeeper 5.3.3 → 5.4.0.rc1

Potentially problematic release.

This version of doorkeeper might be problematic. Click here for more details.

Files changed (120) hide show

checksums.yaml +4 -4
data/Appraisals +0 -14
data/CHANGELOG.md +35 -10
data/Dangerfile +7 -7
data/Dockerfile +2 -2
data/Gemfile +9 -9
data/README.md +6 -4
data/app/controllers/doorkeeper/applications_controller.rb +7 -7
data/app/controllers/doorkeeper/authorizations_controller.rb +31 -12
data/app/controllers/doorkeeper/authorized_applications_controller.rb +3 -3
data/app/controllers/doorkeeper/tokens_controller.rb +57 -20
data/app/views/doorkeeper/applications/show.html.erb +19 -2
data/bin/console +14 -0
data/config/locales/en.yml +3 -1
data/doorkeeper.gemspec +1 -1
data/gemfiles/rails_5_0.gemfile +8 -7
data/gemfiles/rails_5_1.gemfile +8 -7
data/gemfiles/rails_5_2.gemfile +8 -7
data/gemfiles/rails_6_0.gemfile +8 -7
data/gemfiles/rails_master.gemfile +8 -7
data/lib/doorkeeper.rb +106 -79
data/lib/doorkeeper/config.rb +40 -17
data/lib/doorkeeper/config/abstract_builder.rb +28 -0
data/lib/doorkeeper/config/option.rb +28 -14
data/lib/doorkeeper/grape/helpers.rb +1 -1
data/lib/doorkeeper/models/access_grant_mixin.rb +9 -11
data/lib/doorkeeper/models/access_token_mixin.rb +100 -41
data/lib/doorkeeper/models/concerns/resource_ownerable.rb +47 -0
data/lib/doorkeeper/models/concerns/revocable.rb +1 -1
data/lib/doorkeeper/models/concerns/scopes.rb +5 -1
data/lib/doorkeeper/models/concerns/secret_storable.rb +1 -3
data/lib/doorkeeper/oauth/authorization/code.rb +14 -5
data/lib/doorkeeper/oauth/authorization/context.rb +2 -2
data/lib/doorkeeper/oauth/authorization/token.rb +7 -11
data/lib/doorkeeper/oauth/authorization/uri_builder.rb +4 -4
data/lib/doorkeeper/oauth/authorization_code_request.rb +18 -8
data/lib/doorkeeper/oauth/base_request.rb +11 -19
data/lib/doorkeeper/oauth/client.rb +1 -1
data/lib/doorkeeper/oauth/client/credentials.rb +2 -4
data/lib/doorkeeper/oauth/client_credentials/creator.rb +25 -7
data/lib/doorkeeper/oauth/client_credentials/issuer.rb +3 -2
data/lib/doorkeeper/oauth/client_credentials/validator.rb +1 -1
data/lib/doorkeeper/oauth/client_credentials_request.rb +8 -7
data/lib/doorkeeper/oauth/code_request.rb +1 -1
data/lib/doorkeeper/oauth/code_response.rb +6 -2
data/lib/doorkeeper/oauth/error_response.rb +2 -4
data/lib/doorkeeper/oauth/helpers/scope_checker.rb +1 -5
data/lib/doorkeeper/oauth/hooks/context.rb +21 -0
data/lib/doorkeeper/oauth/invalid_token_response.rb +2 -2
data/lib/doorkeeper/oauth/password_access_token_request.rb +3 -5
data/lib/doorkeeper/oauth/pre_authorization.rb +32 -27
data/lib/doorkeeper/oauth/refresh_token_request.rb +18 -22
data/lib/doorkeeper/oauth/token.rb +1 -1
data/lib/doorkeeper/oauth/token_introspection.rb +3 -3
data/lib/doorkeeper/oauth/token_request.rb +2 -2
data/lib/doorkeeper/oauth/token_response.rb +1 -1
data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +7 -2
data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +6 -2
data/lib/doorkeeper/orm/active_record/mixins/application.rb +9 -64
data/lib/doorkeeper/rails/routes.rb +13 -17
data/lib/doorkeeper/rails/routes/abstract_router.rb +35 -0
data/lib/doorkeeper/rails/routes/mapper.rb +2 -2
data/lib/doorkeeper/rails/routes/registry.rb +45 -0
data/lib/doorkeeper/request/strategy.rb +2 -2
data/lib/doorkeeper/server.rb +3 -3
data/lib/doorkeeper/version.rb +3 -3
data/lib/generators/doorkeeper/confidential_applications_generator.rb +1 -1
data/lib/generators/doorkeeper/enable_polymorphic_resource_owner_generator.rb +39 -0
data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +2 -0
data/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb.erb +2 -0
data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +2 -0
data/lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb +17 -0
data/lib/generators/doorkeeper/templates/initializer.rb +39 -3
data/lib/generators/doorkeeper/templates/migration.rb.erb +2 -0
data/spec/controllers/applications_controller_spec.rb +2 -2
data/spec/controllers/authorizations_controller_spec.rb +165 -30
data/spec/controllers/tokens_controller_spec.rb +6 -5
data/spec/dummy/app/helpers/application_helper.rb +1 -1
data/spec/dummy/app/models/user.rb +5 -1
data/spec/dummy/config/application.rb +6 -4
data/spec/dummy/config/boot.rb +4 -4
data/spec/dummy/config/environment.rb +1 -1
data/spec/dummy/config/routes.rb +4 -4
data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +2 -2
data/spec/dummy/db/schema.rb +3 -1
data/spec/factories.rb +1 -1
data/spec/generators/enable_polymorphic_resource_owner_generator_spec.rb +47 -0
data/spec/lib/config_spec.rb +15 -11
data/spec/lib/models/revocable_spec.rb +2 -3
data/spec/lib/models/scopes_spec.rb +8 -0
data/spec/lib/oauth/authorization_code_request_spec.rb +25 -15
data/spec/lib/oauth/base_request_spec.rb +6 -20
data/spec/lib/oauth/client_credentials/creator_spec.rb +90 -89
data/spec/lib/oauth/client_credentials/issuer_spec.rb +84 -86
data/spec/lib/oauth/client_credentials/validation_spec.rb +38 -40
data/spec/lib/oauth/client_credentials_request_spec.rb +5 -4
data/spec/lib/oauth/code_request_spec.rb +1 -1
data/spec/lib/oauth/code_response_spec.rb +5 -1
data/spec/lib/oauth/error_response_spec.rb +1 -1
data/spec/lib/oauth/password_access_token_request_spec.rb +24 -13
data/spec/lib/oauth/pre_authorization_spec.rb +13 -18
data/spec/lib/oauth/refresh_token_request_spec.rb +19 -30
data/spec/lib/oauth/token_request_spec.rb +14 -7
data/spec/lib/option_spec.rb +51 -0
data/spec/lib/stale_records_cleaner_spec.rb +18 -5
data/spec/models/doorkeeper/access_grant_spec.rb +18 -4
data/spec/models/doorkeeper/access_token_spec.rb +507 -479
data/spec/models/doorkeeper/application_spec.rb +22 -62
data/spec/requests/endpoints/token_spec.rb +5 -1
data/spec/requests/flows/authorization_code_errors_spec.rb +4 -1
data/spec/requests/flows/authorization_code_spec.rb +6 -1
data/spec/requests/flows/client_credentials_spec.rb +41 -0
data/spec/requests/flows/refresh_token_spec.rb +16 -8
data/spec/requests/flows/revoke_token_spec.rb +143 -104
data/spec/support/helpers/access_token_request_helper.rb +1 -0
data/spec/support/helpers/authorization_request_helper.rb +4 -4
data/spec/support/helpers/config_helper.rb +1 -1
data/spec/support/shared/controllers_shared_context.rb +2 -2
data/spec/support/shared/models_shared_examples.rb +6 -4
metadata +16 -5

data/lib/doorkeeper/oauth/hooks/context.rb ADDED

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+module Doorkeeper
+  module OAuth
+    module Hooks
+      class Context
+        attr_reader :auth, :pre_auth
+        def initialize(**attributes)
+          attributes.each do |name, value|
+            instance_variable_set(:"@#{name}", value) if respond_to?(name)
+          end
+        end
+        def issued_token
+          auth&.issued_token
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/oauth/invalid_token_response.rb CHANGED

@@ -6,9 +6,9 @@ module Doorkeeper
       attr_reader :reason
       def self.from_access_token(access_token, attributes = {})
-        reason = if access_token.try(:revoked?)
+        reason = if access_token&.revoked?
                    :revoked
-                 elsif access_token.try(:expired?)
+                 elsif access_token&.expired?
                    :expired
                  else
                    :unknown

data/lib/doorkeeper/oauth/password_access_token_request.rb CHANGED

@@ -10,8 +10,7 @@ module Doorkeeper
       validate :resource_owner, error: :invalid_grant
       validate :scopes, error: :invalid_scope
-      attr_accessor :server, :client, :resource_owner, :parameters,
-                    :access_token
+      attr_reader :client, :resource_owner, :parameters, :access_token
       def initialize(server, client, resource_owner, parameters = {})
         @server          = server
@@ -25,18 +24,17 @@ module Doorkeeper
       private
       def before_successful_response
-        find_or_create_access_token(client, resource_owner.id, scopes, server)
+        find_or_create_access_token(client, resource_owner, scopes, server)
         super
       end
       def validate_scopes
-        client_scopes = client.try(:scopes)
         return true if scopes.blank?
         ScopeChecker.valid?(
           scope_str: scopes.to_s,
           server_scopes: server.scopes,
-          app_scopes: client_scopes,
+          app_scopes: client.try(:scopes),
           grant_type: grant_type,
         )
       end

data/lib/doorkeeper/oauth/pre_authorization.rb CHANGED

@@ -5,39 +5,37 @@ module Doorkeeper
     class PreAuthorization
       include Validations
-      validate :client_id,             error: :invalid_request
-      validate :client,                error: :invalid_client
-      validate :redirect_uri,          error: :invalid_redirect_uri
-      validate :params,                error: :invalid_request
-      validate :response_type,         error: :unsupported_response_type
-      validate :scopes,                error: :invalid_scope
+      validate :client_id, error: :invalid_request
+      validate :client, error: :invalid_client
+      validate :resource_owner_authorize_for_client, error: :invalid_client
+      validate :redirect_uri, error: :invalid_redirect_uri
+      validate :params, error: :invalid_request
+      validate :response_type, error: :unsupported_response_type
+      validate :scopes, error: :invalid_scope
       validate :code_challenge_method, error: :invalid_code_challenge_method
       validate :client_supports_grant_flow, error: :unauthorized_client
       attr_reader :server, :client_id, :client, :redirect_uri, :response_type, :state,
-                  :code_challenge, :code_challenge_method, :missing_param
+                  :code_challenge, :code_challenge_method, :missing_param, :resource_owner
-      def initialize(server, attrs = {})
+      def initialize(server, parameters = {}, resource_owner = nil)
         @server                = server
-        @client_id             = attrs[:client_id]
-        @response_type         = attrs[:response_type]
-        @redirect_uri          = attrs[:redirect_uri]
-        @scope                 = attrs[:scope]
-        @state                 = attrs[:state]
-        @code_challenge        = attrs[:code_challenge]
-        @code_challenge_method = attrs[:code_challenge_method]
+        @client_id             = parameters[:client_id]
+        @response_type         = parameters[:response_type]
+        @redirect_uri          = parameters[:redirect_uri]
+        @scope                 = parameters[:scope]
+        @state                 = parameters[:state]
+        @code_challenge        = parameters[:code_challenge]
+        @code_challenge_method = parameters[:code_challenge_method]
+        @resource_owner        = resource_owner
       end
       def authorizable?
         valid?
       end
-      def validate_client_supports_grant_flow
-        Doorkeeper.config.allow_grant_flow_for_client?(grant_type, client.application)
-      end
       def scopes
-        Scopes.from_string scope
+        Scopes.from_string(scope)
       end
       def scope
@@ -55,9 +53,7 @@ module Doorkeeper
         end
       end
-      def as_json(attributes = {})
-        return pre_auth_hash.merge(attributes.to_h) if attributes.respond_to?(:to_h)
+      def as_json(_options = nil)
         pre_auth_hash
       end
@@ -83,6 +79,10 @@ module Doorkeeper
         @client.present?
       end
+      def validate_client_supports_grant_flow
+        Doorkeeper.config.allow_grant_flow_for_client?(grant_type, client.application)
+      end
       def validate_redirect_uri
         return false if redirect_uri.blank?
@@ -115,19 +115,24 @@ module Doorkeeper
         )
       end
-      def grant_type
-        response_type == "code" ? AUTHORIZATION_CODE : IMPLICIT
-      end
       def validate_code_challenge_method
         code_challenge.blank? ||
           (code_challenge_method.present? && code_challenge_method =~ /^plain$|^S256$/)
       end
+      def validate_resource_owner_authorize_for_client
+        # The `authorize_resource_owner_for_client` config option is used for this validation
+        client.application.authorized_for_resource_owner?(@resource_owner)
+      end
       def response_on_fragment?
         response_type == "token"
       end
+      def grant_type
+        response_type == "code" ? AUTHORIZATION_CODE : IMPLICIT
+      end
       def pre_auth_hash
         {
           client_id: client.uid,

data/lib/doorkeeper/oauth/refresh_token_request.rb CHANGED

@@ -11,9 +11,8 @@ module Doorkeeper
       validate :client_match, error: :invalid_grant
       validate :scope,        error: :invalid_scope
-      attr_accessor :access_token, :client, :credentials, :refresh_token,
-                    :server
-      attr_reader   :missing_param
+      attr_reader :access_token, :client, :credentials, :refresh_token
+      attr_reader :missing_param
       def initialize(server, refresh_token, credentials, parameters = {})
         @server = server
@@ -50,30 +49,27 @@ module Doorkeeper
       end
       def create_access_token
-        @access_token = server_config.access_token_model.create!(access_token_attributes)
-      end
+        attributes = {}
-      def access_token_attributes
-        {
-          application_id: refresh_token.application_id,
-          resource_owner_id: refresh_token.resource_owner_id,
-          scopes: scopes.to_s,
-          expires_in: access_token_expires_in,
-          use_refresh_token: true,
-        }.tap do |attributes|
-          if refresh_token_revoked_on_use?
-            attributes[:previous_refresh_token] = refresh_token.refresh_token
+        resource_owner =
+          if Doorkeeper.config.polymorphic_resource_owner?
+            refresh_token.resource_owner
+          else
+            refresh_token.resource_owner_id
           end
+        if refresh_token_revoked_on_use?
+          attributes[:previous_refresh_token] = refresh_token.refresh_token
         end
-      end
-      def access_token_expires_in
-        context = Authorization::Token.build_context(
-          client,
-          Doorkeeper::OAuth::REFRESH_TOKEN,
-          scopes,
+        @access_token = server_config.access_token_model.create_for(
+          application: refresh_token.application,
+          resource_owner: resource_owner,
+          scopes: scopes,
+          expires_in: refresh_token.expires_in,
+          use_refresh_token: true,
+          **attributes,
         )
-        Authorization::Token.access_token_expires_in(server, context)
       end
       def validate_token_presence

data/lib/doorkeeper/oauth/token.rb CHANGED

@@ -8,7 +8,7 @@ module Doorkeeper
           methods.inject(nil) do |_, method|
             method = self.method(method) if method.is_a?(Symbol)
             credentials = method.call(request)
-            break credentials unless credentials.blank?
+            break credentials if credentials.present?
           end
         end

data/lib/doorkeeper/oauth/token_introspection.rb CHANGED

@@ -6,9 +6,6 @@ module Doorkeeper
     #
     # @see https://tools.ietf.org/html/rfc7662
     class TokenIntrospection
-      attr_reader :server, :token
-      attr_reader :error, :invalid_request_reason
       def initialize(server, token)
         @server = server
         @token = token
@@ -38,6 +35,9 @@ module Doorkeeper
       private
+      attr_reader :server, :token
+      attr_reader :error, :invalid_request_reason
       # If the protected resource uses OAuth 2.0 client credentials to
       # authenticate to the introspection endpoint and its credentials are
       # invalid, the authorization server responds with an HTTP 401

data/lib/doorkeeper/oauth/token_request.rb CHANGED

@@ -3,10 +3,10 @@
 module Doorkeeper
   module OAuth
     class TokenRequest
-      attr_accessor :pre_auth, :resource_owner
+      attr_reader :pre_auth, :resource_owner
       def initialize(pre_auth, resource_owner)
-        @pre_auth       = pre_auth
+        @pre_auth = pre_auth
         @resource_owner = resource_owner
       end

data/lib/doorkeeper/oauth/token_response.rb CHANGED

@@ -3,7 +3,7 @@
 module Doorkeeper
   module OAuth
     class TokenResponse
-      attr_accessor :token
+      attr_reader :token
       def initialize(token)
         @token = token

data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb CHANGED

@@ -13,8 +13,13 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
                                optional: true,
                                inverse_of: :access_grants
-      validates :resource_owner_id,
-                :application_id,
+      if Doorkeeper.config.polymorphic_resource_owner?
+        belongs_to :resource_owner, polymorphic: true, optional: false
+      else
+        validates :resource_owner_id, presence: true
+      end
+      validates :application_id,
                 :token,
                 :expires_in,
                 :redirect_uri,

data/lib/doorkeeper/orm/active_record/mixins/access_token.rb CHANGED

@@ -13,6 +13,10 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
                                inverse_of: :access_tokens,
                                optional: true
+      if Doorkeeper.config.polymorphic_resource_owner?
+        belongs_to :resource_owner, polymorphic: true, optional: true
+      end
       validates :token, presence: true, uniqueness: { case_sensitive: true }
       validates :refresh_token, uniqueness: { case_sensitive: true }, if: :use_refresh_token?
@@ -25,7 +29,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
                         on: :create, if: :use_refresh_token?
     end
-    class_methods do
+    module ClassMethods
       # Searches for not revoked Access Tokens associated with the
       # specific Resource Owner.
       #
@@ -36,7 +40,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
       #   active Access Tokens for Resource Owner
       #
       def active_for(resource_owner)
-        where(resource_owner_id: resource_owner.id, revoked_at: nil)
+        by_resource_owner(resource_owner).where(revoked_at: nil)
       end
       def refresh_token_revoked_on_use?

data/lib/doorkeeper/orm/active_record/mixins/application.rb CHANGED

@@ -12,12 +12,12 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
       has_many :access_grants,
                foreign_key: :application_id,
                dependent: :delete_all,
-               class_name: Doorkeeper.config.access_grant_class.to_s
+               class_name: Doorkeeper.config.access_grant_class
       has_many :access_tokens,
                foreign_key: :application_id,
                dependent: :delete_all,
-               class_name: Doorkeeper.config.access_token_class.to_s
+               class_name: Doorkeeper.config.access_token_class
       validates :name, :secret, :uid, presence: true
       validates :uid, uniqueness: { case_sensitive: true }
@@ -31,7 +31,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
       has_many :authorized_tokens,
                -> { where(revoked_at: nil) },
                foreign_key: :application_id,
-               class_name: Doorkeeper.config.access_token_class.to_s
+               class_name: Doorkeeper.config.access_token_class
       has_many :authorized_applications,
                through: :authorized_tokens,
@@ -61,44 +61,21 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
         end
       end
-      # Represents client as set of it's attributes in JSON format.
-      # This is the right way how we want to override ActiveRecord #to_json.
+      # This is the right way how we want to override ActiveRecord #to_json
       #
-      # Respects privacy settings and serializes minimum set of attributes
-      # for public/private clients and full set for authorized owners.
-      #
-      # @return [Hash] entity attributes for JSON
+      # @return [String] entity attributes as JSON
       #
       def as_json(options = {})
-        # if application belongs to some owner we need to check if it's the same as
-        # the one passed in the options or check if we render the client as an owner
-        if (respond_to?(:owner) && owner && owner == options[:current_resource_owner]) ||
-           options[:as_owner]
-          # Owners can see all the client attributes, fallback to ActiveModel serialization
-          super
-        else
-          # if application has no owner or it's owner doesn't match one from the options
-          # we render only minimum set of attributes that could be exposed to a public
-          only = extract_serializable_attributes(options)
-          super(options.merge(only: only))
-        end
+        hash = super
+        hash["secret"] = plaintext_secret if hash.key?("secret")
+        hash
       end
       def authorized_for_resource_owner?(resource_owner)
         Doorkeeper.configuration.authorize_resource_owner_for_client.call(self, resource_owner)
       end
-      # We need to hook into this method to allow serializing plan-text secrets
-      # when secrets hashing enabled.
-      #
-      # @param key [String] attribute name
-      #
-      def read_attribute_for_serialization(key)
-        return super unless key.to_s == "secret"
-        plaintext_secret || secret
-      end
       private
       def generate_uid
@@ -123,38 +100,6 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
       def enforce_scopes?
         Doorkeeper.config.enforce_configured_scopes?
       end
-      # Helper method to extract collection of serializable attribute names
-      # considering serialization options (like `only`, `except` and so on).
-      #
-      # @param options [Hash] serialization options
-      #
-      # @return [Array<String>]
-      #   collection of attributes to be serialized using #as_json
-      #
-      def extract_serializable_attributes(options = {})
-        opts = options.try(:dup) || {}
-        only = Array.wrap(opts[:only]).map(&:to_s)
-        only = if only.blank?
-                 serializable_attributes
-               else
-                 only & serializable_attributes
-               end
-        only -= Array.wrap(opts[:except]).map(&:to_s) if opts.key?(:except)
-        only.uniq
-      end
-      # Collection of attributes that could be serialized for public.
-      # Override this method if you need additional attributes to be serialized.
-      #
-      # @return [Array<String>] collection of serializable attributes
-      def serializable_attributes
-        attributes = %w[id name created_at]
-        attributes << "uid" unless confidential?
-        attributes
-      end
     end
     module ClassMethods

data/lib/doorkeeper/rails/routes.rb CHANGED

@@ -2,29 +2,33 @@
 require "doorkeeper/rails/routes/mapping"
 require "doorkeeper/rails/routes/mapper"
+require "doorkeeper/rails/routes/abstract_router"
+require "doorkeeper/rails/routes/registry"
 module Doorkeeper
   module Rails
     class Routes # :nodoc:
-      mattr_reader :mapping do
-        {}
-      end
       module Helper
         def use_doorkeeper(options = {}, &block)
           Doorkeeper::Rails::Routes.new(self, &block).generate_routes!(options)
         end
       end
+      include AbstractRouter
+      extend Registry
+      mattr_reader :mapping do
+        {}
+      end
       def self.install!
         ActionDispatch::Routing::Mapper.include Doorkeeper::Rails::Routes::Helper
-      end
-      attr_reader :routes
+        registered_routes.each(&:install!)
+      end
-      def initialize(routes, &block)
-        @routes = routes
-        @mapping = Mapper.new.map(&block)
+      def initialize(routes, mapper = Mapper.new, &block)
+        super
         @mapping.skips.push(:applications, :authorized_applications) if Doorkeeper.config.api_only
       end
@@ -43,14 +47,6 @@ module Doorkeeper
       private
-      def map_route(name, method)
-        return if @mapping.skipped?(name)
-        send(method, @mapping[name])
-        mapping[name] = @mapping[name]
-      end
       def authorization_routes(mapping)
         routes.resource(
           :authorization,