doorkeeper 5.3.3 → 5.4.0

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of doorkeeper might be problematic. Click here for more details.

Files changed (224) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +82 -4
  3. data/README.md +6 -4
  4. data/app/controllers/doorkeeper/applications_controller.rb +4 -4
  5. data/app/controllers/doorkeeper/authorizations_controller.rb +31 -12
  6. data/app/controllers/doorkeeper/authorized_applications_controller.rb +2 -2
  7. data/app/controllers/doorkeeper/tokens_controller.rb +57 -20
  8. data/app/views/doorkeeper/applications/_form.html.erb +1 -1
  9. data/app/views/doorkeeper/applications/show.html.erb +19 -2
  10. data/config/locales/en.yml +3 -1
  11. data/lib/doorkeeper/config/abstract_builder.rb +28 -0
  12. data/lib/doorkeeper/config/option.rb +28 -14
  13. data/lib/doorkeeper/config.rb +64 -35
  14. data/lib/doorkeeper/engine.rb +1 -1
  15. data/lib/doorkeeper/grape/helpers.rb +1 -1
  16. data/lib/doorkeeper/helpers/controller.rb +4 -4
  17. data/lib/doorkeeper/models/access_grant_mixin.rb +20 -16
  18. data/lib/doorkeeper/models/access_token_mixin.rb +108 -45
  19. data/lib/doorkeeper/models/application_mixin.rb +5 -4
  20. data/lib/doorkeeper/models/concerns/resource_ownerable.rb +47 -0
  21. data/lib/doorkeeper/models/concerns/revocable.rb +1 -1
  22. data/lib/doorkeeper/models/concerns/scopes.rb +5 -1
  23. data/lib/doorkeeper/models/concerns/secret_storable.rb +1 -3
  24. data/lib/doorkeeper/oauth/authorization/code.rb +15 -6
  25. data/lib/doorkeeper/oauth/authorization/context.rb +2 -2
  26. data/lib/doorkeeper/oauth/authorization/token.rb +8 -12
  27. data/lib/doorkeeper/oauth/authorization/uri_builder.rb +4 -4
  28. data/lib/doorkeeper/oauth/authorization_code_request.rb +18 -8
  29. data/lib/doorkeeper/oauth/base_request.rb +11 -19
  30. data/lib/doorkeeper/oauth/client/credentials.rb +2 -4
  31. data/lib/doorkeeper/oauth/client.rb +1 -1
  32. data/lib/doorkeeper/oauth/client_credentials/creator.rb +26 -8
  33. data/lib/doorkeeper/oauth/client_credentials/issuer.rb +3 -2
  34. data/lib/doorkeeper/oauth/client_credentials/validator.rb +4 -2
  35. data/lib/doorkeeper/oauth/client_credentials_request.rb +8 -7
  36. data/lib/doorkeeper/oauth/code_request.rb +3 -3
  37. data/lib/doorkeeper/oauth/code_response.rb +6 -2
  38. data/lib/doorkeeper/oauth/error_response.rb +2 -4
  39. data/lib/doorkeeper/oauth/helpers/scope_checker.rb +1 -5
  40. data/lib/doorkeeper/oauth/hooks/context.rb +21 -0
  41. data/lib/doorkeeper/oauth/invalid_token_response.rb +2 -2
  42. data/lib/doorkeeper/oauth/password_access_token_request.rb +4 -6
  43. data/lib/doorkeeper/oauth/pre_authorization.rb +36 -30
  44. data/lib/doorkeeper/oauth/refresh_token_request.rb +18 -22
  45. data/lib/doorkeeper/oauth/token.rb +5 -6
  46. data/lib/doorkeeper/oauth/token_introspection.rb +4 -8
  47. data/lib/doorkeeper/oauth/token_request.rb +3 -3
  48. data/lib/doorkeeper/oauth/token_response.rb +1 -1
  49. data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +8 -3
  50. data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +7 -3
  51. data/lib/doorkeeper/orm/active_record.rb +10 -2
  52. data/lib/doorkeeper/rails/routes/abstract_router.rb +35 -0
  53. data/lib/doorkeeper/rails/routes/mapper.rb +2 -2
  54. data/lib/doorkeeper/rails/routes/registry.rb +45 -0
  55. data/lib/doorkeeper/rails/routes.rb +13 -17
  56. data/lib/doorkeeper/request/refresh_token.rb +2 -1
  57. data/lib/doorkeeper/request/strategy.rb +2 -2
  58. data/lib/doorkeeper/server.rb +4 -4
  59. data/lib/doorkeeper/stale_records_cleaner.rb +4 -4
  60. data/lib/doorkeeper/version.rb +2 -2
  61. data/lib/doorkeeper.rb +106 -79
  62. data/lib/generators/doorkeeper/confidential_applications_generator.rb +1 -1
  63. data/lib/generators/doorkeeper/enable_polymorphic_resource_owner_generator.rb +39 -0
  64. data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +2 -0
  65. data/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb.erb +2 -0
  66. data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +2 -0
  67. data/lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb +17 -0
  68. data/lib/generators/doorkeeper/templates/initializer.rb +39 -3
  69. data/lib/generators/doorkeeper/templates/migration.rb.erb +14 -5
  70. metadata +13 -296
  71. data/Appraisals +0 -40
  72. data/CODE_OF_CONDUCT.md +0 -46
  73. data/CONTRIBUTING.md +0 -49
  74. data/Dangerfile +0 -67
  75. data/Dockerfile +0 -29
  76. data/Gemfile +0 -25
  77. data/NEWS.md +0 -1
  78. data/RELEASING.md +0 -11
  79. data/Rakefile +0 -28
  80. data/SECURITY.md +0 -15
  81. data/UPGRADE.md +0 -2
  82. data/bin/console +0 -16
  83. data/doorkeeper.gemspec +0 -42
  84. data/gemfiles/rails_5_0.gemfile +0 -18
  85. data/gemfiles/rails_5_1.gemfile +0 -18
  86. data/gemfiles/rails_5_2.gemfile +0 -18
  87. data/gemfiles/rails_6_0.gemfile +0 -18
  88. data/gemfiles/rails_master.gemfile +0 -18
  89. data/spec/controllers/application_metal_controller_spec.rb +0 -64
  90. data/spec/controllers/applications_controller_spec.rb +0 -274
  91. data/spec/controllers/authorizations_controller_spec.rb +0 -608
  92. data/spec/controllers/protected_resources_controller_spec.rb +0 -361
  93. data/spec/controllers/token_info_controller_spec.rb +0 -50
  94. data/spec/controllers/tokens_controller_spec.rb +0 -498
  95. data/spec/dummy/Rakefile +0 -9
  96. data/spec/dummy/app/assets/config/manifest.js +0 -2
  97. data/spec/dummy/app/controllers/application_controller.rb +0 -5
  98. data/spec/dummy/app/controllers/custom_authorizations_controller.rb +0 -9
  99. data/spec/dummy/app/controllers/full_protected_resources_controller.rb +0 -14
  100. data/spec/dummy/app/controllers/home_controller.rb +0 -18
  101. data/spec/dummy/app/controllers/metal_controller.rb +0 -13
  102. data/spec/dummy/app/controllers/semi_protected_resources_controller.rb +0 -13
  103. data/spec/dummy/app/helpers/application_helper.rb +0 -7
  104. data/spec/dummy/app/models/user.rb +0 -7
  105. data/spec/dummy/app/views/home/index.html.erb +0 -0
  106. data/spec/dummy/app/views/layouts/application.html.erb +0 -14
  107. data/spec/dummy/config/application.rb +0 -49
  108. data/spec/dummy/config/boot.rb +0 -7
  109. data/spec/dummy/config/database.yml +0 -15
  110. data/spec/dummy/config/environment.rb +0 -5
  111. data/spec/dummy/config/environments/development.rb +0 -31
  112. data/spec/dummy/config/environments/production.rb +0 -64
  113. data/spec/dummy/config/environments/test.rb +0 -45
  114. data/spec/dummy/config/initializers/backtrace_silencers.rb +0 -9
  115. data/spec/dummy/config/initializers/doorkeeper.rb +0 -166
  116. data/spec/dummy/config/initializers/secret_token.rb +0 -10
  117. data/spec/dummy/config/initializers/session_store.rb +0 -10
  118. data/spec/dummy/config/initializers/wrap_parameters.rb +0 -16
  119. data/spec/dummy/config/locales/doorkeeper.en.yml +0 -5
  120. data/spec/dummy/config/routes.rb +0 -13
  121. data/spec/dummy/config.ru +0 -6
  122. data/spec/dummy/db/migrate/20111122132257_create_users.rb +0 -11
  123. data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb +0 -7
  124. data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +0 -69
  125. data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb +0 -9
  126. data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb +0 -13
  127. data/spec/dummy/db/migrate/20170822064514_enable_pkce.rb +0 -8
  128. data/spec/dummy/db/migrate/20180210183654_add_confidential_to_applications.rb +0 -13
  129. data/spec/dummy/db/schema.rb +0 -68
  130. data/spec/dummy/public/404.html +0 -26
  131. data/spec/dummy/public/422.html +0 -26
  132. data/spec/dummy/public/500.html +0 -26
  133. data/spec/dummy/public/favicon.ico +0 -0
  134. data/spec/dummy/script/rails +0 -9
  135. data/spec/factories.rb +0 -30
  136. data/spec/generators/application_owner_generator_spec.rb +0 -28
  137. data/spec/generators/confidential_applications_generator_spec.rb +0 -29
  138. data/spec/generators/install_generator_spec.rb +0 -36
  139. data/spec/generators/migration_generator_spec.rb +0 -28
  140. data/spec/generators/pkce_generator_spec.rb +0 -28
  141. data/spec/generators/previous_refresh_token_generator_spec.rb +0 -44
  142. data/spec/generators/templates/routes.rb +0 -4
  143. data/spec/generators/views_generator_spec.rb +0 -29
  144. data/spec/grape/grape_integration_spec.rb +0 -137
  145. data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +0 -26
  146. data/spec/lib/config_spec.rb +0 -809
  147. data/spec/lib/doorkeeper_spec.rb +0 -27
  148. data/spec/lib/models/expirable_spec.rb +0 -61
  149. data/spec/lib/models/reusable_spec.rb +0 -40
  150. data/spec/lib/models/revocable_spec.rb +0 -59
  151. data/spec/lib/models/scopes_spec.rb +0 -53
  152. data/spec/lib/models/secret_storable_spec.rb +0 -135
  153. data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -39
  154. data/spec/lib/oauth/authorization_code_request_spec.rb +0 -170
  155. data/spec/lib/oauth/base_request_spec.rb +0 -224
  156. data/spec/lib/oauth/base_response_spec.rb +0 -45
  157. data/spec/lib/oauth/client/credentials_spec.rb +0 -90
  158. data/spec/lib/oauth/client_credentials/creator_spec.rb +0 -134
  159. data/spec/lib/oauth/client_credentials/issuer_spec.rb +0 -112
  160. data/spec/lib/oauth/client_credentials/validation_spec.rb +0 -59
  161. data/spec/lib/oauth/client_credentials_integration_spec.rb +0 -27
  162. data/spec/lib/oauth/client_credentials_request_spec.rb +0 -107
  163. data/spec/lib/oauth/client_spec.rb +0 -38
  164. data/spec/lib/oauth/code_request_spec.rb +0 -46
  165. data/spec/lib/oauth/code_response_spec.rb +0 -32
  166. data/spec/lib/oauth/error_response_spec.rb +0 -64
  167. data/spec/lib/oauth/error_spec.rb +0 -21
  168. data/spec/lib/oauth/forbidden_token_response_spec.rb +0 -20
  169. data/spec/lib/oauth/helpers/scope_checker_spec.rb +0 -110
  170. data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -21
  171. data/spec/lib/oauth/helpers/uri_checker_spec.rb +0 -262
  172. data/spec/lib/oauth/invalid_request_response_spec.rb +0 -73
  173. data/spec/lib/oauth/invalid_token_response_spec.rb +0 -53
  174. data/spec/lib/oauth/password_access_token_request_spec.rb +0 -190
  175. data/spec/lib/oauth/pre_authorization_spec.rb +0 -223
  176. data/spec/lib/oauth/refresh_token_request_spec.rb +0 -177
  177. data/spec/lib/oauth/scopes_spec.rb +0 -146
  178. data/spec/lib/oauth/token_request_spec.rb +0 -157
  179. data/spec/lib/oauth/token_response_spec.rb +0 -84
  180. data/spec/lib/oauth/token_spec.rb +0 -156
  181. data/spec/lib/request/strategy_spec.rb +0 -54
  182. data/spec/lib/secret_storing/base_spec.rb +0 -60
  183. data/spec/lib/secret_storing/bcrypt_spec.rb +0 -49
  184. data/spec/lib/secret_storing/plain_spec.rb +0 -44
  185. data/spec/lib/secret_storing/sha256_hash_spec.rb +0 -48
  186. data/spec/lib/server_spec.rb +0 -49
  187. data/spec/lib/stale_records_cleaner_spec.rb +0 -89
  188. data/spec/models/doorkeeper/access_grant_spec.rb +0 -161
  189. data/spec/models/doorkeeper/access_token_spec.rb +0 -622
  190. data/spec/models/doorkeeper/application_spec.rb +0 -482
  191. data/spec/requests/applications/applications_request_spec.rb +0 -259
  192. data/spec/requests/applications/authorized_applications_spec.rb +0 -32
  193. data/spec/requests/endpoints/authorization_spec.rb +0 -91
  194. data/spec/requests/endpoints/token_spec.rb +0 -75
  195. data/spec/requests/flows/authorization_code_errors_spec.rb +0 -79
  196. data/spec/requests/flows/authorization_code_spec.rb +0 -525
  197. data/spec/requests/flows/client_credentials_spec.rb +0 -166
  198. data/spec/requests/flows/implicit_grant_errors_spec.rb +0 -46
  199. data/spec/requests/flows/implicit_grant_spec.rb +0 -91
  200. data/spec/requests/flows/password_spec.rb +0 -316
  201. data/spec/requests/flows/refresh_token_spec.rb +0 -233
  202. data/spec/requests/flows/revoke_token_spec.rb +0 -157
  203. data/spec/requests/flows/skip_authorization_spec.rb +0 -66
  204. data/spec/requests/protected_resources/metal_spec.rb +0 -16
  205. data/spec/requests/protected_resources/private_api_spec.rb +0 -83
  206. data/spec/routing/custom_controller_routes_spec.rb +0 -133
  207. data/spec/routing/default_routes_spec.rb +0 -41
  208. data/spec/routing/scoped_routes_spec.rb +0 -47
  209. data/spec/spec_helper.rb +0 -54
  210. data/spec/spec_helper_integration.rb +0 -4
  211. data/spec/support/dependencies/factory_bot.rb +0 -4
  212. data/spec/support/doorkeeper_rspec.rb +0 -22
  213. data/spec/support/helpers/access_token_request_helper.rb +0 -13
  214. data/spec/support/helpers/authorization_request_helper.rb +0 -43
  215. data/spec/support/helpers/config_helper.rb +0 -11
  216. data/spec/support/helpers/model_helper.rb +0 -78
  217. data/spec/support/helpers/request_spec_helper.rb +0 -110
  218. data/spec/support/helpers/url_helper.rb +0 -62
  219. data/spec/support/orm/active_record.rb +0 -5
  220. data/spec/support/shared/controllers_shared_context.rb +0 -133
  221. data/spec/support/shared/hashing_shared_context.rb +0 -36
  222. data/spec/support/shared/models_shared_examples.rb +0 -54
  223. data/spec/validators/redirect_uri_validator_spec.rb +0 -183
  224. data/spec/version/version_spec.rb +0 -17
@@ -1,46 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- require "spec_helper"
4
-
5
- feature "Implicit Grant Flow Errors" do
6
- background do
7
- default_scopes_exist :default
8
- config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
9
- config_is_set(:grant_flows, ["implicit"])
10
- client_exists
11
- create_resource_owner
12
- sign_in
13
- end
14
-
15
- after do
16
- access_token_should_not_exist
17
- end
18
-
19
- context "when validate client_id param" do
20
- scenario "displays invalid_client error for invalid client_id" do
21
- visit authorization_endpoint_url(client_id: "invalid", response_type: "token")
22
- i_should_not_see "Authorize"
23
- i_should_see_translated_error_message :invalid_client
24
- end
25
-
26
- scenario "displays invalid_request error when client_id is missing" do
27
- visit authorization_endpoint_url(client_id: "", response_type: "token")
28
- i_should_not_see "Authorize"
29
- i_should_see_translated_invalid_request_error_message :missing_param, :client_id
30
- end
31
- end
32
-
33
- context "when validate redirect_uri param" do
34
- scenario "displays invalid_redirect_uri error for invalid redirect_uri" do
35
- visit authorization_endpoint_url(client: @client, redirect_uri: "invalid", response_type: "token")
36
- i_should_not_see "Authorize"
37
- i_should_see_translated_error_message :invalid_redirect_uri
38
- end
39
-
40
- scenario "displays invalid_redirect_uri error when redirect_uri is missing" do
41
- visit authorization_endpoint_url(client: @client, redirect_uri: "", response_type: "token")
42
- i_should_not_see "Authorize"
43
- i_should_see_translated_error_message :invalid_redirect_uri
44
- end
45
- end
46
- end
@@ -1,91 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- require "spec_helper"
4
-
5
- feature "Implicit Grant Flow (feature spec)" do
6
- background do
7
- default_scopes_exist :default
8
- config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
9
- config_is_set(:grant_flows, ["implicit"])
10
- client_exists
11
- create_resource_owner
12
- sign_in
13
- end
14
-
15
- scenario "resource owner authorizes the client" do
16
- visit authorization_endpoint_url(client: @client, response_type: "token")
17
- click_on "Authorize"
18
-
19
- access_token_should_exist_for @client, @resource_owner
20
-
21
- i_should_be_on_client_callback @client
22
- end
23
-
24
- context "when application scopes are present and no scope is passed" do
25
- background do
26
- @client.update(scopes: "public write read")
27
- end
28
-
29
- scenario "scope is invalid because default scope is different from application scope" do
30
- default_scopes_exist :admin
31
- visit authorization_endpoint_url(client: @client, response_type: "token")
32
- response_status_should_be 200
33
- i_should_not_see "Authorize"
34
- i_should_see_translated_error_message :invalid_scope
35
- end
36
-
37
- scenario "access token has scopes which are common in application scopes and default scopes" do
38
- default_scopes_exist :public, :write
39
- visit authorization_endpoint_url(client: @client, response_type: "token")
40
- click_on "Authorize"
41
- access_token_should_exist_for @client, @resource_owner
42
- access_token_should_have_scopes :public, :write
43
- end
44
- end
45
- end
46
-
47
- describe "Implicit Grant Flow (request spec)" do
48
- before do
49
- default_scopes_exist :default
50
- config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
51
- config_is_set(:grant_flows, ["implicit"])
52
- client_exists
53
- create_resource_owner
54
- end
55
-
56
- context "token reuse" do
57
- it "should return a new token each request" do
58
- allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(false)
59
-
60
- token = client_is_authorized(@client, @resource_owner, scopes: "default")
61
-
62
- post "/oauth/authorize",
63
- params: {
64
- client_id: @client.uid,
65
- state: "",
66
- redirect_uri: @client.redirect_uri,
67
- response_type: "token",
68
- commit: "Authorize",
69
- }
70
-
71
- expect(response.location).not_to include(token.token)
72
- end
73
-
74
- it "should return the same token if it is still accessible" do
75
- allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
76
-
77
- token = client_is_authorized(@client, @resource_owner, scopes: "default")
78
-
79
- post "/oauth/authorize",
80
- params: {
81
- client_id: @client.uid,
82
- state: "",
83
- redirect_uri: @client.redirect_uri,
84
- response_type: "token",
85
- commit: "Authorize",
86
- }
87
-
88
- expect(response.location).to include(token.token)
89
- end
90
- end
91
- end
@@ -1,316 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- require "spec_helper"
4
-
5
- describe "Resource Owner Password Credentials Flow not set up" do
6
- before do
7
- client_exists
8
- create_resource_owner
9
- end
10
-
11
- context "with valid user credentials" do
12
- it "does not issue new token" do
13
- expect do
14
- post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
15
- end.to_not(change { Doorkeeper::AccessToken.count })
16
- end
17
- end
18
- end
19
-
20
- describe "Resource Owner Password Credentials Flow" do
21
- let(:client_attributes) { { redirect_uri: nil } }
22
-
23
- before do
24
- config_is_set(:grant_flows, ["password"])
25
- config_is_set(:resource_owner_from_credentials) { User.authenticate! params[:username], params[:password] }
26
- client_exists(client_attributes)
27
- create_resource_owner
28
- end
29
-
30
- context "with valid user credentials" do
31
- context "with non-confidential/public client" do
32
- let(:client_attributes) { { confidential: false } }
33
-
34
- context "when configured to check application supported grant flow" do
35
- before do
36
- Doorkeeper.configuration.instance_variable_set(
37
- :@allow_grant_flow_for_client,
38
- ->(_grant_flow, client) { client.name == "admin" },
39
- )
40
- end
41
-
42
- scenario "forbids the request when doesn't satisfy condition" do
43
- @client.update(name: "sample app")
44
-
45
- expect do
46
- post password_token_endpoint_url(
47
- client_id: @client.uid,
48
- client_secret: "foobar",
49
- resource_owner: @resource_owner,
50
- )
51
- end.not_to(change { Doorkeeper::AccessToken.count })
52
-
53
- expect(response.status).to eq(401)
54
- should_have_json "error", "invalid_client"
55
- end
56
-
57
- scenario "allows the request when satisfies condition" do
58
- @client.update(name: "admin")
59
-
60
- expect do
61
- post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
62
- end.to change { Doorkeeper::AccessToken.count }.by(1)
63
-
64
- token = Doorkeeper::AccessToken.first
65
-
66
- expect(token.application_id).to eq @client.id
67
- should_have_json "access_token", token.token
68
- end
69
- end
70
-
71
- context "when client_secret absent" do
72
- it "should issue new token" do
73
- expect do
74
- post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
75
- end.to change { Doorkeeper::AccessToken.count }.by(1)
76
-
77
- token = Doorkeeper::AccessToken.first
78
-
79
- expect(token.application_id).to eq @client.id
80
- should_have_json "access_token", token.token
81
- end
82
- end
83
-
84
- context "when client_secret present" do
85
- it "should issue new token" do
86
- expect do
87
- post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
88
- end.to change { Doorkeeper::AccessToken.count }.by(1)
89
-
90
- token = Doorkeeper::AccessToken.first
91
-
92
- expect(token.application_id).to eq @client.id
93
- should_have_json "access_token", token.token
94
- end
95
-
96
- context "when client_secret incorrect" do
97
- it "should not issue new token" do
98
- expect do
99
- post password_token_endpoint_url(
100
- client_id: @client.uid,
101
- client_secret: "foobar",
102
- resource_owner: @resource_owner,
103
- )
104
- end.not_to(change { Doorkeeper::AccessToken.count })
105
-
106
- expect(response.status).to eq(401)
107
- should_have_json "error", "invalid_client"
108
- end
109
- end
110
- end
111
- end
112
-
113
- context "with confidential/private client" do
114
- it "should issue new token" do
115
- expect do
116
- post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
117
- end.to change { Doorkeeper::AccessToken.count }.by(1)
118
-
119
- token = Doorkeeper::AccessToken.first
120
-
121
- expect(token.application_id).to eq @client.id
122
- should_have_json "access_token", token.token
123
- end
124
-
125
- context "when client_secret absent" do
126
- it "should not issue new token" do
127
- expect do
128
- post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
129
- end.not_to(change { Doorkeeper::AccessToken.count })
130
-
131
- expect(response.status).to eq(401)
132
- should_have_json "error", "invalid_client"
133
- end
134
- end
135
- end
136
-
137
- it "should issue new token without client credentials" do
138
- expect do
139
- post password_token_endpoint_url(resource_owner: @resource_owner)
140
- end.to(change { Doorkeeper::AccessToken.count }.by(1))
141
-
142
- token = Doorkeeper::AccessToken.first
143
-
144
- expect(token.application_id).to be_nil
145
- should_have_json "access_token", token.token
146
- end
147
-
148
- it "should issue a refresh token if enabled" do
149
- config_is_set(:refresh_token_enabled, true)
150
-
151
- post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
152
-
153
- token = Doorkeeper::AccessToken.first
154
-
155
- should_have_json "refresh_token", token.refresh_token
156
- end
157
-
158
- it "should return the same token if it is still accessible" do
159
- allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
160
-
161
- client_is_authorized(@client, @resource_owner)
162
-
163
- post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
164
-
165
- expect(Doorkeeper::AccessToken.count).to be(1)
166
- should_have_json "access_token", Doorkeeper::AccessToken.first.token
167
- end
168
-
169
- context "with valid, default scope" do
170
- before do
171
- default_scopes_exist :public
172
- end
173
-
174
- it "should issue new token" do
175
- expect do
176
- post password_token_endpoint_url(client: @client, resource_owner: @resource_owner, scope: "public")
177
- end.to change { Doorkeeper::AccessToken.count }.by(1)
178
-
179
- token = Doorkeeper::AccessToken.first
180
-
181
- expect(token.application_id).to eq @client.id
182
- should_have_json "access_token", token.token
183
- should_have_json "scope", "public"
184
- end
185
- end
186
- end
187
-
188
- context "when application scopes are present and differs from configured default scopes and no scope is passed" do
189
- before do
190
- default_scopes_exist :public
191
- @client.update(scopes: "abc")
192
- end
193
-
194
- it "issues new token without any scope" do
195
- expect do
196
- post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
197
- end.to change { Doorkeeper::AccessToken.count }.by(1)
198
-
199
- token = Doorkeeper::AccessToken.first
200
-
201
- expect(token.application_id).to eq @client.id
202
- expect(token.scopes).to be_empty
203
- should_have_json "access_token", token.token
204
- should_not_have_json "scope"
205
- end
206
- end
207
-
208
- context "when application scopes contain some of the default scopes and no scope is passed" do
209
- before do
210
- @client.update(scopes: "read write public")
211
- end
212
-
213
- it "issues new token with one default scope that are present in application scopes" do
214
- default_scopes_exist :public, :admin
215
-
216
- expect do
217
- post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
218
- end.to change { Doorkeeper::AccessToken.count }.by(1)
219
-
220
- token = Doorkeeper::AccessToken.first
221
-
222
- expect(token.application_id).to eq @client.id
223
- should_have_json "access_token", token.token
224
- should_have_json "scope", "public"
225
- end
226
-
227
- it "issues new token with multiple default scopes that are present in application scopes" do
228
- default_scopes_exist :public, :read, :update
229
-
230
- expect do
231
- post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
232
- end.to change { Doorkeeper::AccessToken.count }.by(1)
233
-
234
- token = Doorkeeper::AccessToken.first
235
-
236
- expect(token.application_id).to eq @client.id
237
- should_have_json "access_token", token.token
238
- should_have_json "scope", "public read"
239
- end
240
- end
241
-
242
- context "with invalid scopes" do
243
- subject do
244
- post password_token_endpoint_url(
245
- client: @client,
246
- resource_owner: @resource_owner,
247
- scope: "random",
248
- )
249
- end
250
-
251
- it "should not issue new token" do
252
- expect { subject }.to_not(change { Doorkeeper::AccessToken.count })
253
- end
254
-
255
- it "should return invalid_scope error" do
256
- subject
257
- should_have_json "error", "invalid_scope"
258
- should_have_json "error_description", translated_error_message(:invalid_scope)
259
- should_not_have_json "access_token"
260
-
261
- expect(response.status).to eq(400)
262
- end
263
- end
264
-
265
- context "with invalid user credentials" do
266
- it "should not issue new token with bad password" do
267
- expect do
268
- post password_token_endpoint_url(
269
- client: @client,
270
- resource_owner_username: @resource_owner.name,
271
- resource_owner_password: "wrongpassword",
272
- )
273
- end.to_not(change { Doorkeeper::AccessToken.count })
274
- end
275
-
276
- it "should not issue new token without credentials" do
277
- expect do
278
- post password_token_endpoint_url(client: @client)
279
- end.to_not(change { Doorkeeper::AccessToken.count })
280
- end
281
-
282
- it "should not issue new token if resource_owner_from_credentials returned false or nil" do
283
- config_is_set(:resource_owner_from_credentials) { false }
284
-
285
- expect do
286
- post password_token_endpoint_url(client: @client)
287
- end.to_not(change { Doorkeeper::AccessToken.count })
288
-
289
- config_is_set(:resource_owner_from_credentials) { nil }
290
-
291
- expect do
292
- post password_token_endpoint_url(client: @client)
293
- end.to_not(change { Doorkeeper::AccessToken.count })
294
- end
295
- end
296
-
297
- context "with invalid confidential client credentials" do
298
- it "should not issue new token with bad client credentials" do
299
- expect do
300
- post password_token_endpoint_url(
301
- client_id: @client.uid,
302
- client_secret: "bad_secret",
303
- resource_owner: @resource_owner,
304
- )
305
- end.to_not(change { Doorkeeper::AccessToken.count })
306
- end
307
- end
308
-
309
- context "with invalid public client id" do
310
- it "should not issue new token with bad client id" do
311
- expect do
312
- post password_token_endpoint_url(client_id: "bad_id", resource_owner: @resource_owner)
313
- end.to_not(change { Doorkeeper::AccessToken.count })
314
- end
315
- end
316
- end
@@ -1,233 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- require "spec_helper"
4
-
5
- describe "Refresh Token Flow" do
6
- before do
7
- Doorkeeper.configure do
8
- orm DOORKEEPER_ORM
9
- use_refresh_token
10
- end
11
-
12
- client_exists
13
- end
14
-
15
- context "issuing a refresh token" do
16
- before do
17
- authorization_code_exists application: @client
18
- end
19
-
20
- it "client gets the refresh token and refreshes it" do
21
- post token_endpoint_url(code: @authorization.token, client: @client)
22
-
23
- token = Doorkeeper::AccessToken.first
24
-
25
- should_have_json "access_token", token.token
26
- should_have_json "refresh_token", token.refresh_token
27
-
28
- expect(@authorization.reload).to be_revoked
29
-
30
- post refresh_token_endpoint_url(client: @client, refresh_token: token.refresh_token)
31
-
32
- new_token = Doorkeeper::AccessToken.last
33
- should_have_json "access_token", new_token.token
34
- should_have_json "refresh_token", new_token.refresh_token
35
-
36
- expect(token.token).not_to eq(new_token.token)
37
- expect(token.refresh_token).not_to eq(new_token.refresh_token)
38
- end
39
- end
40
-
41
- context "refreshing the token" do
42
- before do
43
- @token = FactoryBot.create(
44
- :access_token,
45
- application: @client,
46
- resource_owner_id: 1,
47
- use_refresh_token: true,
48
- )
49
- end
50
-
51
- context "refresh_token revoked on use" do
52
- it "client request a token with refresh token" do
53
- post refresh_token_endpoint_url(
54
- client: @client, refresh_token: @token.refresh_token,
55
- )
56
- should_have_json(
57
- "refresh_token", Doorkeeper::AccessToken.last.refresh_token,
58
- )
59
- expect(@token.reload).not_to be_revoked
60
- end
61
-
62
- it "client request a token with expired access token" do
63
- @token.update_attribute :expires_in, -100
64
- post refresh_token_endpoint_url(
65
- client: @client, refresh_token: @token.refresh_token,
66
- )
67
- should_have_json(
68
- "refresh_token", Doorkeeper::AccessToken.last.refresh_token,
69
- )
70
- expect(@token.reload).not_to be_revoked
71
- end
72
- end
73
-
74
- context "refresh_token revoked on refresh_token request" do
75
- before do
76
- allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
77
- end
78
-
79
- it "client request a token with refresh token" do
80
- post refresh_token_endpoint_url(
81
- client: @client, refresh_token: @token.refresh_token,
82
- )
83
- should_have_json(
84
- "refresh_token", Doorkeeper::AccessToken.last.refresh_token,
85
- )
86
- expect(@token.reload).to be_revoked
87
- end
88
-
89
- it "client request a token with expired access token" do
90
- @token.update_attribute :expires_in, -100
91
- post refresh_token_endpoint_url(
92
- client: @client, refresh_token: @token.refresh_token,
93
- )
94
- should_have_json(
95
- "refresh_token", Doorkeeper::AccessToken.last.refresh_token,
96
- )
97
- expect(@token.reload).to be_revoked
98
- end
99
- end
100
-
101
- context "public & private clients" do
102
- let(:public_client) do
103
- FactoryBot.create(
104
- :application,
105
- confidential: false,
106
- )
107
- end
108
-
109
- let(:token_for_private_client) do
110
- FactoryBot.create(
111
- :access_token,
112
- application: @client,
113
- resource_owner_id: 1,
114
- use_refresh_token: true,
115
- )
116
- end
117
-
118
- let(:token_for_public_client) do
119
- FactoryBot.create(
120
- :access_token,
121
- application: public_client,
122
- resource_owner_id: 1,
123
- use_refresh_token: true,
124
- )
125
- end
126
-
127
- it "issues a new token without client_secret when refresh token was issued to a public client" do
128
- post refresh_token_endpoint_url(
129
- client_id: public_client.uid,
130
- refresh_token: token_for_public_client.refresh_token,
131
- )
132
-
133
- new_token = Doorkeeper::AccessToken.last
134
- should_have_json "access_token", new_token.token
135
- should_have_json "refresh_token", new_token.refresh_token
136
- end
137
-
138
- it "returns an error without credentials" do
139
- post refresh_token_endpoint_url(refresh_token: token_for_private_client.refresh_token)
140
-
141
- should_not_have_json "refresh_token"
142
- should_have_json "error", "invalid_grant"
143
- end
144
-
145
- it "returns an error with wrong credentials" do
146
- post refresh_token_endpoint_url(
147
- client_id: "1",
148
- client_secret: "1",
149
- refresh_token: token_for_private_client.refresh_token,
150
- )
151
-
152
- should_not_have_json "refresh_token"
153
- should_have_json "error", "invalid_client"
154
- end
155
- end
156
-
157
- it "client gets an error for invalid refresh token" do
158
- post refresh_token_endpoint_url(client: @client, refresh_token: "invalid")
159
- should_not_have_json "refresh_token"
160
- should_have_json "error", "invalid_grant"
161
- end
162
-
163
- it "client gets an error for revoked access token" do
164
- @token.revoke
165
- post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
166
- should_not_have_json "refresh_token"
167
- should_have_json "error", "invalid_grant"
168
- end
169
-
170
- it "second of simultaneous client requests get an error for revoked access token" do
171
- allow_any_instance_of(Doorkeeper::AccessToken).to receive(:revoked?).and_return(false, true)
172
- post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
173
-
174
- should_not_have_json "refresh_token"
175
- should_have_json "error", "invalid_grant"
176
- end
177
- end
178
-
179
- context "refreshing the token with multiple sessions (devices)" do
180
- before do
181
- # enable password auth to simulate other devices
182
- config_is_set(:grant_flows, ["password"])
183
- config_is_set(:resource_owner_from_credentials) do
184
- User.authenticate! params[:username], params[:password]
185
- end
186
- create_resource_owner
187
- _another_token = post password_token_endpoint_url(
188
- client: @client, resource_owner: @resource_owner,
189
- )
190
- last_token.update_attribute :created_at, 5.seconds.ago
191
-
192
- @token = FactoryBot.create(
193
- :access_token,
194
- application: @client,
195
- resource_owner_id: @resource_owner.id,
196
- use_refresh_token: true,
197
- )
198
- @token.update_attribute :expires_in, -100
199
- end
200
-
201
- context "refresh_token revoked on use" do
202
- it "client request a token after creating another token with the same user" do
203
- post refresh_token_endpoint_url(
204
- client: @client, refresh_token: @token.refresh_token,
205
- )
206
-
207
- should_have_json "refresh_token", last_token.refresh_token
208
- expect(@token.reload).not_to be_revoked
209
- end
210
- end
211
-
212
- context "refresh_token revoked on refresh_token request" do
213
- before do
214
- allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
215
- end
216
-
217
- it "client request a token after creating another token with the same user" do
218
- post refresh_token_endpoint_url(
219
- client: @client, refresh_token: @token.refresh_token,
220
- )
221
-
222
- should_have_json "refresh_token", last_token.refresh_token
223
- expect(@token.reload).to be_revoked
224
- end
225
- end
226
-
227
- def last_token
228
- Doorkeeper::AccessToken.last_authorized_token_for(
229
- @client.id, @resource_owner.id,
230
- )
231
- end
232
- end
233
- end