doorkeeper 5.3.3 → 5.4.0.rc1

data/lib/doorkeeper/rails/routes/abstract_router.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module Rails
+    # Abstract router module that implements base behavior
+    # for generating and mapping Rails routes.
+    #
+    # Could be reused in Doorkeeper extensions.
+    #
+    module AbstractRouter
+      extend ActiveSupport::Concern
+
+      attr_reader :routes
+
+      def initialize(routes, mapper = Mapper.new, &block)
+        @routes = routes
+        @mapping = mapper.map(&block)
+      end
+
+      def generate_routes!(**_options)
+        raise NotImplementedError, "must be redefined for #{self.class.name}!"
+      end
+
+      private
+
+      def map_route(name, method)
+        return if @mapping.skipped?(name)
+
+        send(method, @mapping[name])
+
+        mapping[name] = @mapping[name]
+      end
+    end
+  end
+end

data/lib/doorkeeper/rails/routes/mapper.rb

@@ -4,8 +4,8 @@ module Doorkeeper
   module Rails
     class Routes # :nodoc:
       class Mapper
-        def initialize
-          @mapping = Mapping.new
+        def initialize(mapping = Mapping.new)
+          @mapping = mapping
         end
 
         def map(&block)

data/lib/doorkeeper/rails/routes/registry.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module Rails
+    class Routes
+      # Thread-safe registry of any Doorkeeper additional routes.
+      # Used to allow implementing of Doorkeeper extensions that must
+      # use their own routes.
+      #
+      module Registry
+        ROUTES_ACCESS_LOCK = Mutex.new
+        ROUTES_DEFINITION_LOCK = Mutex.new
+
+        InvalidRouterClass = Class.new(StandardError)
+
+        # Collection of additional registered routes for Doorkeeper.
+        #
+        # @return [Array<Object>] set of registered routes
+        #
+        def registered_routes
+          ROUTES_DEFINITION_LOCK.synchronize do
+            @registered_routes ||= Set.new
+          end
+        end
+
+        # Registers additional routes in the Doorkeeper registry
+        #
+        # @param [Object] routes
+        #   routes class
+        #
+        def register_routes(routes)
+          if !routes.is_a?(Module) || !(routes < AbstractRouter)
+            raise InvalidRouterClass, "routes class must include Doorkeeper::Rails::AbstractRouter"
+          end
+
+          ROUTES_ACCESS_LOCK.synchronize do
+            registered_routes << routes
+          end
+        end
+
+        alias register register_routes
+      end
+    end
+  end
+end

data/lib/doorkeeper/request/strategy.rb

@@ -3,12 +3,12 @@
 module Doorkeeper
   module Request
     class Strategy
-      attr_accessor :server
+      attr_reader :server
 
       delegate :authorize, to: :request
 
       def initialize(server)
-        self.server = server
+        @server = server
       end
 
       def request

data/lib/doorkeeper/server.rb

@@ -2,19 +2,19 @@
 
 module Doorkeeper
   class Server
-    attr_accessor :context
+    attr_reader :context
 
     def initialize(context = nil)
       @context = context
     end
 
     def authorization_request(strategy)
-      klass = Request.authorization_strategy strategy
+      klass = Request.authorization_strategy(strategy)
       klass.new(self)
     end
 
     def token_request(strategy)
-      klass = Request.token_strategy strategy
+      klass = Request.token_strategy(strategy)
       klass.new(self)
     end
 

data/lib/doorkeeper/version.rb

@@ -8,9 +8,9 @@ module Doorkeeper
   module VERSION
     # Semantic versioning
     MAJOR = 5
-    MINOR = 3
-    TINY = 3
-    PRE = nil
+    MINOR = 4
+    TINY = 0
+    PRE = "rc1"
 
     # Full version number
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

data/lib/generators/doorkeeper/confidential_applications_generator.rb

@@ -12,7 +12,7 @@ module Doorkeeper
     source_root File.expand_path("templates", __dir__)
     desc "Add confidential column to Doorkeeper applications"
 
-    def pkce
+    def confidential_applications
       migration_template(
         "add_confidential_to_applications.rb.erb",
         "db/migrate/add_confidential_to_applications.rb",

data/lib/generators/doorkeeper/enable_polymorphic_resource_owner_generator.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require "rails/generators"
+require "rails/generators/active_record"
+
+module Doorkeeper
+  # Generates migration with polymorphic resource owner required
+  # database columns for Doorkeeper Access Token and Access Grant
+  # models.
+  #
+  class EnablePolymorphicResourceOwnerGenerator < ::Rails::Generators::Base
+    include ::Rails::Generators::Migration
+    source_root File.expand_path("templates", __dir__)
+    desc "Provide support for polymorphic Resource Owner."
+
+    def enable_polymorphic_resource_owner
+      migration_template(
+        "enable_polymorphic_resource_owner_migration.rb.erb",
+        "db/migrate/enable_polymorphic_resource_owner.rb",
+        migration_version: migration_version,
+      )
+      gsub_file(
+        "config/initializers/doorkeeper.rb",
+        "# use_polymorphic_resource_owner",
+        "use_polymorphic_resource_owner",
+      )
+    end
+
+    def self.next_migration_number(dirname)
+      ActiveRecord::Generators::Base.next_migration_number(dirname)
+    end
+
+    private
+
+    def migration_version
+      "[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
+    end
+  end
+end

data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class AddOwnerToApplication < ActiveRecord::Migration<%= migration_version %>
   def change
     add_column :oauth_applications, :owner_id, :integer, null: true

data/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb.erb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class AddPreviousRefreshTokenToAccessTokens < ActiveRecord::Migration<%= migration_version %>
   def change
     add_column(

data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class EnablePkce < ActiveRecord::Migration<%= migration_version %>
   def change
     add_column :oauth_access_grants, :code_challenge, :string, null: true

data/lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class EnablePolymorphicResourceOwner < ActiveRecord::Migration<%= migration_version %>
+  def change
+    add_column :oauth_access_tokens, :resource_owner_type, :string
+    add_column :oauth_access_grants, :resource_owner_type, :string
+    change_column_null :oauth_access_grants, :resource_owner_type, false
+
+    add_index :oauth_access_tokens,
+              [:resource_owner_id, :resource_owner_type],
+              name: 'polymorphic_owner_oauth_access_tokens'
+
+    add_index :oauth_access_grants,
+              [:resource_owner_id, :resource_owner_type],
+              name: 'polymorphic_owner_oauth_access_grants'
+  end
+end

data/lib/generators/doorkeeper/templates/initializer.rb

@@ -58,6 +58,23 @@ Doorkeeper.configure do
   #   end
   # end
 
+  # Enables polymorphic Resource Owner association for Access Tokens and Access Grants.
+  # By default this option is disabled.
+  #
+  # Make sure you properly setup you database and have all the required columns (run
+  # `bundle exec rails generate doorkeeper:enable_polymorphic_resource_owner` and execute Rails
+  # migrations).
+  #
+  # If this option enabled, Doorkeeper will store not only Resource Owner primary key
+  # value, but also it's type (class name). See "Polymorphic Associations" section of
+  # Rails guides: https://guides.rubyonrails.org/association_basics.html#polymorphic-associations
+  #
+  # [NOTE] If you apply this option on already existing project don't forget to manually
+  # update `resource_owner_type` column in the database and fix migration template as it will
+  # set NOT NULL constraint for Access Grants table.
+  #
+  # use_polymorphic_resource_owner
+
   # If you are planning to use Doorkeeper in Rails 5 API-only application, then you might
   # want to use API mode that will skip all the views management and change the way how
   # Doorkeeper responds to a requests.
@@ -360,6 +377,17 @@ Doorkeeper.configure do
   #   client.grant_flows.include?(grant_flow)
   # end
 
+  # If you need arbitrary Resource Owner-Client authorization you can enable this option
+  # and implement the check your need. Config option must respond to #call and return
+  # true in case resource owner authorized for the specific application or false in other
+  # cases.
+  #
+  # Be default all Resource Owners are authorized to any Client (application).
+  #
+  # authorize_resource_owner_for_client do |client, resource_owner|
+  #   resource_owner.admin? || client.owners_whitelist.include?(resource_owner)
+  # end
+
   # Hook into the strategies' request & response life-cycle in case your
   # application needs advanced customization or logging:
   #
@@ -372,17 +400,25 @@ Doorkeeper.configure do
   # end
 
   # Hook into Authorization flow in order to implement Single Sign Out
-  # or add any other functionality.
+  # or add any other functionality. Inside the block you have an access
+  # to `controller` (authorizations controller instance) and `context`
+  # (Doorkeeper::OAuth::Hooks::Context instance) which provides pre auth
+  # or auth objects with issued token based on hook type (before or after).
   #
-  # before_successful_authorization do |controller|
+  # before_successful_authorization do |controller, context|
   #   Rails.logger.info(controller.request.params.inspect)
+  #
+  #   Rails.logger.info(context.pre_auth.inspect)
   # end
   #
-  # after_successful_authorization do |controller|
+  # after_successful_authorization do |controller, context|
   #   controller.session[:logout_urls] <<
   #     Doorkeeper::Application
   #       .find_by(controller.request.params.slice(:redirect_uri))
   #       .logout_uri
+  #
+  #   Rails.logger.info(context.auth.inspect)
+  #   Rails.logger.info(context.issued_token)
   # end
 
   # Under some circumstances you might want to have applications auto-approved,

data/lib/generators/doorkeeper/templates/migration.rb.erb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
   def change
     create_table :oauth_applications do |t|

data/spec/controllers/applications_controller_spec.rb

@@ -167,8 +167,8 @@ module Doorkeeper
 
           # We don't know the application secret here (because its hashed) so we can not assert its text on the page
           # Instead, we read it from the page and then check if it matches the application secret
-          code_element = %r{<code.*id="secret".*>(.*)<\/code>}.match(response.body)
-          secret_from_page = code_element[1]
+          code_element = /code.*id="secret">\s*\K([^<]*)/m.match(response.body)
+          secret_from_page = code_element[1].strip
 
           expect(response.body).to have_selector("code#application_id", text: application.uid)
           expect(response.body).to have_selector("code#secret")

data/spec/controllers/authorizations_controller_spec.rb

@@ -16,7 +16,14 @@ describe Doorkeeper::AuthorizationsController, "implicit grant flow" do
 
   let(:client)        { FactoryBot.create :application }
   let(:user)          { User.create!(name: "Joe", password: "sekret") }
-  let(:access_token)  { FactoryBot.build :access_token, resource_owner_id: user.id, application_id: client.id, scopes: "default" }
+
+  let(:access_token) do
+    FactoryBot.build :access_token,
+                     resource_owner_id: user.id,
+                     resource_owner_type: user.class.name,
+                     application_id: client.id,
+                     scopes: "default"
+  end
 
   before do
     Doorkeeper.configure do
@@ -136,6 +143,37 @@ describe Doorkeeper::AuthorizationsController, "implicit grant flow" do
       end
     end
 
+    context "when user cannot access application" do
+      before do
+        allow(Doorkeeper.configuration).to receive(:authorize_resource_owner_for_client).and_return(->(*_) { false })
+        post :create, params: {
+          client_id: client.uid,
+          response_type: "token",
+          redirect_uri: client.redirect_uri,
+        }
+      end
+
+      let(:response_json_body) { JSON.parse(response.body) }
+
+      it "renders 400 error" do
+        expect(response.status).to eq 401
+      end
+
+      it "includes error name" do
+        expect(response_json_body["error"]).to eq("invalid_client")
+      end
+
+      it "includes error description" do
+        expect(response_json_body["error_description"]).to eq(
+          translated_error_message(:invalid_client),
+        )
+      end
+
+      it "does not issue any access token" do
+        expect(Doorkeeper::AccessToken.all).to be_empty
+      end
+    end
+
     context "when other error happens" do
       before do
         default_scopes_exist :public
@@ -207,6 +245,39 @@ describe Doorkeeper::AuthorizationsController, "implicit grant flow" do
       end
     end
 
+    context "when user cannot access application" do
+      before do
+        allow(Doorkeeper.configuration).to receive(:api_only).and_return(true)
+        allow(Doorkeeper.configuration).to receive(:authorize_resource_owner_for_client).and_return(->(*_) { false })
+
+        post :create, params: {
+          client_id: client.uid,
+          response_type: "token",
+          redirect_uri: client.redirect_uri,
+        }
+      end
+
+      let(:response_json_body) { JSON.parse(response.body) }
+
+      it "renders 400 error" do
+        expect(response.status).to eq 401
+      end
+
+      it "includes error name" do
+        expect(response_json_body["error"]).to eq("invalid_client")
+      end
+
+      it "includes error description" do
+        expect(response_json_body["error_description"]).to eq(
+          translated_error_message(:invalid_client),
+        )
+      end
+
+      it "does not issue any access token" do
+        expect(Doorkeeper::AccessToken.all).to be_empty
+      end
+    end
+
     context "when other error happens" do
       before do
         allow(Doorkeeper.config).to receive(:api_only).and_return(true)
@@ -287,12 +358,14 @@ describe Doorkeeper::AuthorizationsController, "implicit grant flow" do
 
       it "should call :before_successful_authorization callback" do
         expect(Doorkeeper.config)
-          .to receive_message_chain(:before_successful_authorization, :call).with(instance_of(described_class))
+          .to receive_message_chain(:before_successful_authorization, :call)
+          .with(instance_of(described_class), instance_of(Doorkeeper::OAuth::Hooks::Context))
       end
 
       it "should call :after_successful_authorization callback" do
         expect(Doorkeeper.config)
-          .to receive_message_chain(:after_successful_authorization, :call).with(instance_of(described_class))
+          .to receive_message_chain(:after_successful_authorization, :call)
+          .with(instance_of(described_class), instance_of(Doorkeeper::OAuth::Hooks::Context))
       end
     end
 
@@ -482,46 +555,106 @@ describe Doorkeeper::AuthorizationsController, "implicit grant flow" do
   end
 
   describe "GET #new with errors" do
-    before do
-      default_scopes_exist :public
-      get :new, params: { an_invalid: "request" }
-    end
+    context "without valid params" do
+      before do
+        default_scopes_exist :public
+        get :new, params: { an_invalid: "request" }
+      end
 
-    it "does not redirect" do
-      expect(response).to_not be_redirect
+      it "does not redirect" do
+        expect(response).to_not be_redirect
+      end
+
+      it "does not issue any token" do
+        expect(Doorkeeper::AccessGrant.count).to eq 0
+        expect(Doorkeeper::AccessToken.count).to eq 0
+      end
     end
 
-    it "does not issue any token" do
-      expect(Doorkeeper::AccessGrant.count).to eq 0
-      expect(Doorkeeper::AccessToken.count).to eq 0
+    context "when user cannot access application" do
+      before do
+        allow(Doorkeeper.configuration).to receive(:authorize_resource_owner_for_client).and_return(->(*_) { false })
+
+        get :new, params: {
+          client_id: client.uid,
+          response_type: "token",
+          redirect_uri: client.redirect_uri,
+        }
+      end
+
+      it "does not redirect" do
+        expect(response).to_not be_redirect
+      end
+
+      it "does not issue any token" do
+        expect(Doorkeeper::AccessGrant.count).to eq 0
+        expect(Doorkeeper::AccessToken.count).to eq 0
+      end
     end
   end
 
   describe "GET #new in API mode with errors" do
-    let(:response_json_body) { JSON.parse(response.body) }
-
     before do
-      default_scopes_exist :public
       allow(Doorkeeper.configuration).to receive(:api_only).and_return(true)
-      get :new, params: { an_invalid: "request" }
+      default_scopes_exist :public
     end
 
-    it "should render bad request" do
-      expect(response).to have_http_status(:bad_request)
-    end
+    context "without valid params" do
+      before do
+        get :new, params: { an_invalid: "request" }
+      end
 
-    it "includes error in body" do
-      expect(response_json_body["error"]).to eq("invalid_request")
-    end
+      let(:response_json_body) { JSON.parse(response.body) }
+
+      it "should render bad request" do
+        expect(response).to have_http_status(:bad_request)
+      end
+
+      it "includes error in body" do
+        expect(response_json_body["error"]).to eq("invalid_request")
+      end
 
-    it "includes error description in body" do
-      expect(response_json_body["error_description"])
-        .to eq(translated_invalid_request_error_message(:missing_param, :client_id))
+      it "includes error description in body" do
+        expect(response_json_body["error_description"])
+          .to eq(translated_invalid_request_error_message(:missing_param, :client_id))
+      end
+
+      it "does not issue any token" do
+        expect(Doorkeeper::AccessGrant.count).to eq 0
+        expect(Doorkeeper::AccessToken.count).to eq 0
+      end
     end
 
-    it "does not issue any token" do
-      expect(Doorkeeper::AccessGrant.count).to eq 0
-      expect(Doorkeeper::AccessToken.count).to eq 0
+    context "when user cannot access application" do
+      before do
+        allow(Doorkeeper.configuration).to receive(:authorize_resource_owner_for_client).and_return(->(*_) { false })
+
+        get :new, params: {
+          client_id: client.uid,
+          response_type: "token",
+          redirect_uri: client.redirect_uri,
+        }
+      end
+
+      let(:response_json_body) { JSON.parse(response.body) }
+
+      it "should render bad request" do
+        expect(response).to have_http_status(:bad_request)
+      end
+
+      it "includes error in body" do
+        expect(response_json_body["error"]).to eq("invalid_client")
+      end
+
+      it "includes error description in body" do
+        expect(response_json_body["error_description"])
+          .to eq(translated_error_message(:invalid_client))
+      end
+
+      it "does not issue any token" do
+        expect(Doorkeeper::AccessGrant.count).to eq 0
+        expect(Doorkeeper::AccessToken.count).to eq 0
+      end
     end
   end
 
@@ -538,12 +671,14 @@ describe Doorkeeper::AuthorizationsController, "implicit grant flow" do
 
       it "should call :before_successful_authorization callback" do
         expect(Doorkeeper.configuration)
-          .to receive_message_chain(:before_successful_authorization, :call).with(instance_of(described_class))
+          .to receive_message_chain(:before_successful_authorization, :call)
+          .with(instance_of(described_class), instance_of(Doorkeeper::OAuth::Hooks::Context))
       end
 
       it "should call :after_successful_authorization callback" do
         expect(Doorkeeper.configuration)
-          .to receive_message_chain(:after_successful_authorization, :call).with(instance_of(described_class))
+          .to receive_message_chain(:after_successful_authorization, :call)
+          .with(instance_of(described_class), instance_of(Doorkeeper::OAuth::Hooks::Context))
       end
     end