RubyGems - doorkeeper - Versions diffs - 5.3.3 → 5.4.0.rc1 - Mend

doorkeeper 5.3.3 → 5.4.0.rc1

Potentially problematic release.

This version of doorkeeper might be problematic. Click here for more details.

Files changed (120) hide show

checksums.yaml +4 -4
data/Appraisals +0 -14
data/CHANGELOG.md +35 -10
data/Dangerfile +7 -7
data/Dockerfile +2 -2
data/Gemfile +9 -9
data/README.md +6 -4
data/app/controllers/doorkeeper/applications_controller.rb +7 -7
data/app/controllers/doorkeeper/authorizations_controller.rb +31 -12
data/app/controllers/doorkeeper/authorized_applications_controller.rb +3 -3
data/app/controllers/doorkeeper/tokens_controller.rb +57 -20
data/app/views/doorkeeper/applications/show.html.erb +19 -2
data/bin/console +14 -0
data/config/locales/en.yml +3 -1
data/doorkeeper.gemspec +1 -1
data/gemfiles/rails_5_0.gemfile +8 -7
data/gemfiles/rails_5_1.gemfile +8 -7
data/gemfiles/rails_5_2.gemfile +8 -7
data/gemfiles/rails_6_0.gemfile +8 -7
data/gemfiles/rails_master.gemfile +8 -7
data/lib/doorkeeper.rb +106 -79
data/lib/doorkeeper/config.rb +40 -17
data/lib/doorkeeper/config/abstract_builder.rb +28 -0
data/lib/doorkeeper/config/option.rb +28 -14
data/lib/doorkeeper/grape/helpers.rb +1 -1
data/lib/doorkeeper/models/access_grant_mixin.rb +9 -11
data/lib/doorkeeper/models/access_token_mixin.rb +100 -41
data/lib/doorkeeper/models/concerns/resource_ownerable.rb +47 -0
data/lib/doorkeeper/models/concerns/revocable.rb +1 -1
data/lib/doorkeeper/models/concerns/scopes.rb +5 -1
data/lib/doorkeeper/models/concerns/secret_storable.rb +1 -3
data/lib/doorkeeper/oauth/authorization/code.rb +14 -5
data/lib/doorkeeper/oauth/authorization/context.rb +2 -2
data/lib/doorkeeper/oauth/authorization/token.rb +7 -11
data/lib/doorkeeper/oauth/authorization/uri_builder.rb +4 -4
data/lib/doorkeeper/oauth/authorization_code_request.rb +18 -8
data/lib/doorkeeper/oauth/base_request.rb +11 -19
data/lib/doorkeeper/oauth/client.rb +1 -1
data/lib/doorkeeper/oauth/client/credentials.rb +2 -4
data/lib/doorkeeper/oauth/client_credentials/creator.rb +25 -7
data/lib/doorkeeper/oauth/client_credentials/issuer.rb +3 -2
data/lib/doorkeeper/oauth/client_credentials/validator.rb +1 -1
data/lib/doorkeeper/oauth/client_credentials_request.rb +8 -7
data/lib/doorkeeper/oauth/code_request.rb +1 -1
data/lib/doorkeeper/oauth/code_response.rb +6 -2
data/lib/doorkeeper/oauth/error_response.rb +2 -4
data/lib/doorkeeper/oauth/helpers/scope_checker.rb +1 -5
data/lib/doorkeeper/oauth/hooks/context.rb +21 -0
data/lib/doorkeeper/oauth/invalid_token_response.rb +2 -2
data/lib/doorkeeper/oauth/password_access_token_request.rb +3 -5
data/lib/doorkeeper/oauth/pre_authorization.rb +32 -27
data/lib/doorkeeper/oauth/refresh_token_request.rb +18 -22
data/lib/doorkeeper/oauth/token.rb +1 -1
data/lib/doorkeeper/oauth/token_introspection.rb +3 -3
data/lib/doorkeeper/oauth/token_request.rb +2 -2
data/lib/doorkeeper/oauth/token_response.rb +1 -1
data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +7 -2
data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +6 -2
data/lib/doorkeeper/orm/active_record/mixins/application.rb +9 -64
data/lib/doorkeeper/rails/routes.rb +13 -17
data/lib/doorkeeper/rails/routes/abstract_router.rb +35 -0
data/lib/doorkeeper/rails/routes/mapper.rb +2 -2
data/lib/doorkeeper/rails/routes/registry.rb +45 -0
data/lib/doorkeeper/request/strategy.rb +2 -2
data/lib/doorkeeper/server.rb +3 -3
data/lib/doorkeeper/version.rb +3 -3
data/lib/generators/doorkeeper/confidential_applications_generator.rb +1 -1
data/lib/generators/doorkeeper/enable_polymorphic_resource_owner_generator.rb +39 -0
data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +2 -0
data/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb.erb +2 -0
data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +2 -0
data/lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb +17 -0
data/lib/generators/doorkeeper/templates/initializer.rb +39 -3
data/lib/generators/doorkeeper/templates/migration.rb.erb +2 -0
data/spec/controllers/applications_controller_spec.rb +2 -2
data/spec/controllers/authorizations_controller_spec.rb +165 -30
data/spec/controllers/tokens_controller_spec.rb +6 -5
data/spec/dummy/app/helpers/application_helper.rb +1 -1
data/spec/dummy/app/models/user.rb +5 -1
data/spec/dummy/config/application.rb +6 -4
data/spec/dummy/config/boot.rb +4 -4
data/spec/dummy/config/environment.rb +1 -1
data/spec/dummy/config/routes.rb +4 -4
data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +2 -2
data/spec/dummy/db/schema.rb +3 -1
data/spec/factories.rb +1 -1
data/spec/generators/enable_polymorphic_resource_owner_generator_spec.rb +47 -0
data/spec/lib/config_spec.rb +15 -11
data/spec/lib/models/revocable_spec.rb +2 -3
data/spec/lib/models/scopes_spec.rb +8 -0
data/spec/lib/oauth/authorization_code_request_spec.rb +25 -15
data/spec/lib/oauth/base_request_spec.rb +6 -20
data/spec/lib/oauth/client_credentials/creator_spec.rb +90 -89
data/spec/lib/oauth/client_credentials/issuer_spec.rb +84 -86
data/spec/lib/oauth/client_credentials/validation_spec.rb +38 -40
data/spec/lib/oauth/client_credentials_request_spec.rb +5 -4
data/spec/lib/oauth/code_request_spec.rb +1 -1
data/spec/lib/oauth/code_response_spec.rb +5 -1
data/spec/lib/oauth/error_response_spec.rb +1 -1
data/spec/lib/oauth/password_access_token_request_spec.rb +24 -13
data/spec/lib/oauth/pre_authorization_spec.rb +13 -18
data/spec/lib/oauth/refresh_token_request_spec.rb +19 -30
data/spec/lib/oauth/token_request_spec.rb +14 -7
data/spec/lib/option_spec.rb +51 -0
data/spec/lib/stale_records_cleaner_spec.rb +18 -5
data/spec/models/doorkeeper/access_grant_spec.rb +18 -4
data/spec/models/doorkeeper/access_token_spec.rb +507 -479
data/spec/models/doorkeeper/application_spec.rb +22 -62
data/spec/requests/endpoints/token_spec.rb +5 -1
data/spec/requests/flows/authorization_code_errors_spec.rb +4 -1
data/spec/requests/flows/authorization_code_spec.rb +6 -1
data/spec/requests/flows/client_credentials_spec.rb +41 -0
data/spec/requests/flows/refresh_token_spec.rb +16 -8
data/spec/requests/flows/revoke_token_spec.rb +143 -104
data/spec/support/helpers/access_token_request_helper.rb +1 -0
data/spec/support/helpers/authorization_request_helper.rb +4 -4
data/spec/support/helpers/config_helper.rb +1 -1
data/spec/support/shared/controllers_shared_context.rb +2 -2
data/spec/support/shared/models_shared_examples.rb +6 -4
metadata +16 -5

data/spec/lib/oauth/client_credentials/validation_spec.rb CHANGED

@@ -2,58 +2,56 @@
 require "spec_helper"
-class Doorkeeper::OAuth::ClientCredentialsRequest
-  describe Validator do
-    let(:server)      { double :server, scopes: nil }
-    let(:application) { double scopes: nil }
-    let(:client)      { double application: application }
-    let(:request)     { double :request, client: client, scopes: nil }
+describe Doorkeeper::OAuth::ClientCredentials::Validator do
+  let(:server)      { double :server, scopes: nil }
+  let(:application) { double scopes: nil }
+  let(:client)      { double application: application }
+  let(:request)     { double :request, client: client, scopes: nil }
-    subject { described_class.new(server, request) }
+  subject { described_class.new(server, request) }
-    it "is valid with valid request" do
-      expect(subject).to be_valid
-    end
+  it "is valid with valid request" do
+    expect(subject).to be_valid
+  end
-    it "is invalid when client is not present" do
-      allow(request).to receive(:client).and_return(nil)
+  it "is invalid when client is not present" do
+    allow(request).to receive(:client).and_return(nil)
+    expect(subject).not_to be_valid
+  end
+  context "with scopes" do
+    it "is invalid when scopes are not included in the server" do
+      server_scopes = Doorkeeper::OAuth::Scopes.from_string "email"
+      allow(request).to receive(:grant_type).and_return(Doorkeeper::OAuth::CLIENT_CREDENTIALS)
+      allow(server).to receive(:scopes).and_return(server_scopes)
+      allow(request).to receive(:scopes).and_return(
+        Doorkeeper::OAuth::Scopes.from_string("invalid"),
+      )
       expect(subject).not_to be_valid
     end
-    context "with scopes" do
-      it "is invalid when scopes are not included in the server" do
-        server_scopes = Doorkeeper::OAuth::Scopes.from_string "email"
+    context "with application scopes" do
+      it "is valid when scopes are included in the application" do
+        application_scopes = Doorkeeper::OAuth::Scopes.from_string "app"
+        server_scopes = Doorkeeper::OAuth::Scopes.from_string "email app"
+        allow(application).to receive(:scopes).and_return(application_scopes)
+        allow(server).to receive(:scopes).and_return(server_scopes)
+        allow(request).to receive(:grant_type).and_return(Doorkeeper::OAuth::CLIENT_CREDENTIALS)
+        allow(request).to receive(:scopes).and_return(application_scopes)
+        expect(subject).to be_valid
+      end
+      it "is invalid when scopes are not included in the application" do
+        application_scopes = Doorkeeper::OAuth::Scopes.from_string "app"
+        server_scopes = Doorkeeper::OAuth::Scopes.from_string "email app"
+        allow(application).to receive(:scopes).and_return(application_scopes)
         allow(request).to receive(:grant_type).and_return(Doorkeeper::OAuth::CLIENT_CREDENTIALS)
         allow(server).to receive(:scopes).and_return(server_scopes)
         allow(request).to receive(:scopes).and_return(
-          Doorkeeper::OAuth::Scopes.from_string("invalid"),
+          Doorkeeper::OAuth::Scopes.from_string("email"),
         )
         expect(subject).not_to be_valid
       end
-      context "with application scopes" do
-        it "is valid when scopes are included in the application" do
-          application_scopes = Doorkeeper::OAuth::Scopes.from_string "app"
-          server_scopes = Doorkeeper::OAuth::Scopes.from_string "email app"
-          allow(application).to receive(:scopes).and_return(application_scopes)
-          allow(server).to receive(:scopes).and_return(server_scopes)
-          allow(request).to receive(:grant_type).and_return(Doorkeeper::OAuth::CLIENT_CREDENTIALS)
-          allow(request).to receive(:scopes).and_return(application_scopes)
-          expect(subject).to be_valid
-        end
-        it "is invalid when scopes are not included in the application" do
-          application_scopes = Doorkeeper::OAuth::Scopes.from_string "app"
-          server_scopes = Doorkeeper::OAuth::Scopes.from_string "email app"
-          allow(application).to receive(:scopes).and_return(application_scopes)
-          allow(request).to receive(:grant_type).and_return(Doorkeeper::OAuth::CLIENT_CREDENTIALS)
-          allow(server).to receive(:scopes).and_return(server_scopes)
-          allow(request).to receive(:scopes).and_return(
-            Doorkeeper::OAuth::Scopes.from_string("email"),
-          )
-          expect(subject).not_to be_valid
-        end
-      end
     end
   end
 end

data/spec/lib/oauth/client_credentials_request_spec.rb CHANGED

@@ -12,7 +12,7 @@ describe Doorkeeper::OAuth::ClientCredentialsRequest do
   end
   let(:application)   { FactoryBot.create(:application, scopes: "") }
-  let(:client)        { double :client, application: application }
+  let(:client)        { double :client, application: application, scopes: "" }
   let(:token_creator) { double :issuer, create: true, token: double }
   before do
@@ -22,7 +22,7 @@ describe Doorkeeper::OAuth::ClientCredentialsRequest do
   subject { Doorkeeper::OAuth::ClientCredentialsRequest.new(server, client) }
   before do
-    subject.issuer = token_creator
+    allow(subject).to receive(:issuer).and_return(token_creator)
   end
   it "issues an access token for the current client" do
@@ -37,7 +37,8 @@ describe Doorkeeper::OAuth::ClientCredentialsRequest do
   context "if issue was not created" do
     before do
-      subject.issuer = double create: false, error: :invalid
+      issuer = double create: false, error: :invalid
+      allow(subject).to receive(:issuer).and_return(issuer)
     end
     it "has an error response" do
@@ -65,7 +66,7 @@ describe Doorkeeper::OAuth::ClientCredentialsRequest do
     it "issues an access token with requested scopes" do
       subject = Doorkeeper::OAuth::ClientCredentialsRequest.new(server, client, scope: "email")
-      subject.issuer = token_creator
+      allow(subject).to receive(:issuer).and_return(token_creator)
       expect(token_creator).to receive(:create).with(client, Doorkeeper::OAuth::Scopes.from_string("email"))
       subject.authorize
     end

data/spec/lib/oauth/code_request_spec.rb CHANGED

@@ -24,7 +24,7 @@ describe Doorkeeper::OAuth::CodeRequest do
     pre_auth
   end
-  let(:owner) { double :owner, id: 8900 }
+  let(:owner) { FactoryBot.create(:resource_owner) }
   subject do
     described_class.new(pre_auth, owner)

data/spec/lib/oauth/code_response_spec.rb CHANGED

@@ -15,8 +15,12 @@ describe Doorkeeper::OAuth::CodeResponse do
         )
       end
+      let :owner do
+        FactoryBot.create(:resource_owner)
+      end
       let :auth do
-        Doorkeeper::OAuth::Authorization::Token.new(pre_auth, double(id: 1)).tap do |c|
+        Doorkeeper::OAuth::Authorization::Token.new(pre_auth, owner).tap do |c|
           c.issue_token
           allow(c.token).to receive(:expires_in_seconds).and_return(3600)
         end

data/spec/lib/oauth/error_response_spec.rb CHANGED

@@ -56,7 +56,7 @@ describe Doorkeeper::OAuth::ErrorResponse do
     describe "WWW-Authenticate header" do
       subject { error_response.headers["WWW-Authenticate"] }
-      it { expect(subject).to include("realm=\"#{error_response.realm}\"") }
+      it { expect(subject).to include("realm=\"#{error_response.send(:realm)}\"") }
       it { expect(subject).to include("error=\"#{error_response.name}\"") }
       it { expect(subject).to include("error_description=\"#{error_response.description}\"") }
     end

data/spec/lib/oauth/password_access_token_request_spec.rb CHANGED

@@ -15,7 +15,7 @@ describe Doorkeeper::OAuth::PasswordAccessTokenRequest do
     )
   end
   let(:client) { FactoryBot.create(:application) }
-  let(:owner)  { double :owner, id: 99 }
+  let(:owner)  { FactoryBot.create(:resource_owner) }
   before do
     allow(server).to receive(:option_defined?).with(:custom_access_token_expires_in).and_return(true)
@@ -34,16 +34,17 @@ describe Doorkeeper::OAuth::PasswordAccessTokenRequest do
   end
   it "issues a new token without a client" do
+    subject = described_class.new(server, nil, owner)
+    expect(subject).to be_valid
     expect do
-      subject.client = nil
       subject.authorize
     end.to change { Doorkeeper::AccessToken.count }.by(1)
   end
   it "does not issue a new token with an invalid client" do
+    subject = described_class.new(server, nil, owner, { client_id: "bad_id" })
     expect do
-      subject.client = nil
-      subject.parameters = { client_id: "bad_id" }
       subject.authorize
     end.not_to(change { Doorkeeper::AccessToken.count })
@@ -51,18 +52,18 @@ describe Doorkeeper::OAuth::PasswordAccessTokenRequest do
   end
   it "requires the owner" do
-    subject.resource_owner = nil
+    subject = described_class.new(server, client, nil)
     subject.validate
     expect(subject.error).to eq(:invalid_grant)
   end
-  it "optionally accepts the client" do
-    subject.client = nil
-    expect(subject).to be_valid
-  end
   it "creates token even when there is already one (default)" do
-    FactoryBot.create(:access_token, application_id: client.id, resource_owner_id: owner.id)
+    FactoryBot.create(
+      :access_token,
+      application_id: client.id,
+      resource_owner_id: owner.id,
+      resource_owner_type: owner.class.name,
+    )
     expect do
       subject.authorize
@@ -71,7 +72,12 @@ describe Doorkeeper::OAuth::PasswordAccessTokenRequest do
   it "skips token creation if there is already one reusable" do
     allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
-    FactoryBot.create(:access_token, application_id: client.id, resource_owner_id: owner.id)
+    FactoryBot.create(
+      :access_token,
+      application_id: client.id,
+      resource_owner_id: owner.id,
+      resource_owner_type: owner.class.name,
+    )
     expect do
       subject.authorize
@@ -80,7 +86,12 @@ describe Doorkeeper::OAuth::PasswordAccessTokenRequest do
   it "creates token when there is already one but non reusable" do
     allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
-    FactoryBot.create(:access_token, application_id: client.id, resource_owner_id: owner.id)
+    FactoryBot.create(
+      :access_token,
+      application_id: client.id,
+      resource_owner_id: owner.id,
+      resource_owner_type: owner.class.name,
+    )
     allow_any_instance_of(Doorkeeper::AccessToken).to receive(:reusable?).and_return(false)
     expect do

data/spec/lib/oauth/pre_authorization_spec.rb CHANGED

@@ -19,6 +19,7 @@ describe Doorkeeper::OAuth::PreAuthorization do
       response_type: "code",
       redirect_uri: "https://app.com/callback",
       state: "save-this",
+      current_resource_owner: Object.new,
     }
   end
@@ -177,6 +178,14 @@ describe Doorkeeper::OAuth::PreAuthorization do
     expect(subject).not_to be_authorizable
   end
+  context "when resource_owner cannot access client application" do
+    before { allow(Doorkeeper.configuration).to receive(:authorize_resource_owner_for_client).and_return(->(*_) { false }) }
+    it "is not authorizable" do
+      expect(subject).not_to be_authorizable
+    end
+  end
   describe "as_json" do
     before { subject.authorizable? }
@@ -194,30 +203,16 @@ describe Doorkeeper::OAuth::PreAuthorization do
       end
     end
-    context "when attributes param is not passed" do
+    context "when called without params" do
       let(:json) { subject.as_json }
       include_examples "returns the pre authorization"
     end
-    context "when attributes param is passed" do
-      context "when attributes is a hash" do
-        let(:custom_attributes) { { custom_id: "1234", custom_name: "a pretty good name" } }
-        let(:json) { subject.as_json(custom_attributes) }
-        include_examples "returns the pre authorization"
+    context "when called with params" do
+      let(:json) { subject.as_json(foo: "bar") }
-        it "merges the attributes in params" do
-          expect(json[:custom_id]).to eq custom_attributes[:custom_id]
-          expect(json[:custom_name]).to eq custom_attributes[:custom_name]
-        end
-      end
-      context "when attributes is not a hash" do
-        let(:json) { subject.as_json(nil) }
-        include_examples "returns the pre authorization"
-      end
+      include_examples "returns the pre authorization"
     end
   end
 end

data/spec/lib/oauth/refresh_token_request_spec.rb CHANGED

@@ -4,8 +4,7 @@ require "spec_helper"
 describe Doorkeeper::OAuth::RefreshTokenRequest do
   let(:server) do
-    double :server,
-           access_token_expires_in: 2.minutes
+    double :server, access_token_expires_in: 2.minutes
   end
   let(:refresh_token) do
@@ -20,28 +19,22 @@ describe Doorkeeper::OAuth::RefreshTokenRequest do
     allow(server).to receive(:option_defined?).with(:custom_access_token_expires_in).and_return(false)
   end
-  subject { described_class.new server, refresh_token, credentials }
+  subject { described_class.new(server, refresh_token, credentials) }
   it "issues a new token for the client" do
     expect { subject.authorize }.to change { client.reload.access_tokens.count }.by(1)
     # #sort_by used for MongoDB ORM extensions for valid ordering
-    expect(client.reload.access_tokens.max_by(&:created_at).expires_in).to eq(120)
+    expect(client.reload.access_tokens.max_by(&:created_at).expires_in).to eq(refresh_token.expires_in)
   end
-  it "issues a new token for the client with custom expires_in" do
-    server = double :server,
-                    access_token_expires_in: 2.minutes,
-                    custom_access_token_expires_in: lambda { |context|
-                      context.grant_type == Doorkeeper::OAuth::REFRESH_TOKEN ? 1234 : nil
-                    }
+  it "issues a new token for the client with the same expiry as of original token" do
     allow(server).to receive(:option_defined?).with(:custom_access_token_expires_in).and_return(true)
     allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
     described_class.new(server, refresh_token, credentials).authorize
     # #sort_by used for MongoDB ORM extensions for valid ordering
-    expect(client.reload.access_tokens.max_by(&:created_at).expires_in).to eq(1234)
+    expect(client.reload.access_tokens.max_by(&:created_at).expires_in).to eq(refresh_token.expires_in)
   end
   it "revokes the previous token" do
@@ -59,22 +52,26 @@ describe Doorkeeper::OAuth::RefreshTokenRequest do
   end
   it "requires the refresh token" do
-    subject.refresh_token = nil
-    subject.validate
-    expect(subject.error).to eq(:invalid_request)
-    expect(subject.missing_param).to eq(:refresh_token)
+    request = described_class.new(server, nil, credentials)
+    request.validate
+    expect(request.error).to eq(:invalid_request)
+    expect(request.missing_param).to eq(:refresh_token)
   end
   it "requires credentials to be valid if provided" do
-    subject.client = nil
-    subject.validate
-    expect(subject.error).to eq(:invalid_client)
+    credentials = Doorkeeper::OAuth::Client::Credentials.new("invalid", "invalid")
+    request = described_class.new(server, refresh_token, credentials)
+    request.validate
+    expect(request.error).to eq(:invalid_client)
   end
   it "requires the token's client and current client to match" do
-    subject.client = FactoryBot.create(:application)
-    subject.validate
-    expect(subject.error).to eq(:invalid_grant)
+    other_app = FactoryBot.create(:application)
+    credentials = Doorkeeper::OAuth::Client::Credentials.new(other_app.uid, other_app.secret)
+    request = described_class.new(server, refresh_token, credentials)
+    request.validate
+    expect(request.error).to eq(:invalid_grant)
   end
   it "rejects revoked tokens" do
@@ -91,14 +88,6 @@ describe Doorkeeper::OAuth::RefreshTokenRequest do
   end
   context "refresh tokens expire on access token use" do
-    let(:server) do
-      double :server,
-             access_token_expires_in: 2.minutes,
-             custom_access_token_expires_in: lambda { |context|
-               context.grant_type == Doorkeeper::OAuth::REFRESH_TOKEN ? 1234 : nil
-             }
-    end
     before do
       allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(true)
     end

data/spec/lib/oauth/token_request_spec.rb CHANGED

@@ -8,7 +8,7 @@ describe Doorkeeper::OAuth::TokenRequest do
   end
   let :pre_auth do
-    server = Doorkeeper.configuration
+    server = Doorkeeper.config
     allow(server).to receive(:default_scopes).and_return(Doorkeeper::OAuth::Scopes.from_string("public"))
     allow(server).to receive(:grant_flows).and_return(Doorkeeper::OAuth::Scopes.from_string("implicit"))
@@ -26,7 +26,7 @@ describe Doorkeeper::OAuth::TokenRequest do
   end
   let :owner do
-    double :owner, id: 7866
+    FactoryBot.create(:doorkeeper_testing_user)
   end
   subject do
@@ -116,9 +116,13 @@ describe Doorkeeper::OAuth::TokenRequest do
     it "creates a new token if scopes do not match" do
       allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
       FactoryBot.create(
-        :access_token, application_id: pre_auth.client.id,
-                       resource_owner_id: owner.id, scopes: "",
+        :access_token,
+        application_id: pre_auth.client.id,
+        resource_owner_id: owner.id,
+        resource_owner_type: owner.class.name,
+        scopes: "",
       )
       expect do
         subject.authorize
       end.to change { Doorkeeper::AccessToken.count }.by(1)
@@ -131,7 +135,7 @@ describe Doorkeeper::OAuth::TokenRequest do
       FactoryBot.create(
         :access_token, application_id: pre_auth.client.id,
-                       resource_owner_id: owner.id, scopes: "public",
+                       resource_owner_id: owner.id, resource_owner_type: owner.class.name, scopes: "public",
       )
       expect { subject.authorize }.not_to(change { Doorkeeper::AccessToken.count })
@@ -143,8 +147,11 @@ describe Doorkeeper::OAuth::TokenRequest do
       allow(application.scopes).to receive(:all?).and_return(true)
       FactoryBot.create(
-        :access_token, application_id: pre_auth.client.id,
-                       resource_owner_id: owner.id, scopes: "public",
+        :access_token,
+        application_id: pre_auth.client.id,
+        resource_owner_id: owner.id,
+        resource_owner_type: owner.class.name,
+        scopes: "public",
       )
       allow_any_instance_of(Doorkeeper::AccessToken).to receive(:reusable?).and_return(false)