doorkeeper 5.3.3 → 5.4.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of doorkeeper might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +82 -4
- data/README.md +6 -4
- data/app/controllers/doorkeeper/applications_controller.rb +4 -4
- data/app/controllers/doorkeeper/authorizations_controller.rb +31 -12
- data/app/controllers/doorkeeper/authorized_applications_controller.rb +2 -2
- data/app/controllers/doorkeeper/tokens_controller.rb +57 -20
- data/app/views/doorkeeper/applications/_form.html.erb +1 -1
- data/app/views/doorkeeper/applications/show.html.erb +19 -2
- data/config/locales/en.yml +3 -1
- data/lib/doorkeeper/config/abstract_builder.rb +28 -0
- data/lib/doorkeeper/config/option.rb +28 -14
- data/lib/doorkeeper/config.rb +64 -35
- data/lib/doorkeeper/engine.rb +1 -1
- data/lib/doorkeeper/grape/helpers.rb +1 -1
- data/lib/doorkeeper/helpers/controller.rb +4 -4
- data/lib/doorkeeper/models/access_grant_mixin.rb +20 -16
- data/lib/doorkeeper/models/access_token_mixin.rb +108 -45
- data/lib/doorkeeper/models/application_mixin.rb +5 -4
- data/lib/doorkeeper/models/concerns/resource_ownerable.rb +47 -0
- data/lib/doorkeeper/models/concerns/revocable.rb +1 -1
- data/lib/doorkeeper/models/concerns/scopes.rb +5 -1
- data/lib/doorkeeper/models/concerns/secret_storable.rb +1 -3
- data/lib/doorkeeper/oauth/authorization/code.rb +15 -6
- data/lib/doorkeeper/oauth/authorization/context.rb +2 -2
- data/lib/doorkeeper/oauth/authorization/token.rb +8 -12
- data/lib/doorkeeper/oauth/authorization/uri_builder.rb +4 -4
- data/lib/doorkeeper/oauth/authorization_code_request.rb +18 -8
- data/lib/doorkeeper/oauth/base_request.rb +11 -19
- data/lib/doorkeeper/oauth/client/credentials.rb +2 -4
- data/lib/doorkeeper/oauth/client.rb +1 -1
- data/lib/doorkeeper/oauth/client_credentials/creator.rb +26 -8
- data/lib/doorkeeper/oauth/client_credentials/issuer.rb +3 -2
- data/lib/doorkeeper/oauth/client_credentials/validator.rb +4 -2
- data/lib/doorkeeper/oauth/client_credentials_request.rb +8 -7
- data/lib/doorkeeper/oauth/code_request.rb +3 -3
- data/lib/doorkeeper/oauth/code_response.rb +6 -2
- data/lib/doorkeeper/oauth/error_response.rb +2 -4
- data/lib/doorkeeper/oauth/helpers/scope_checker.rb +1 -5
- data/lib/doorkeeper/oauth/hooks/context.rb +21 -0
- data/lib/doorkeeper/oauth/invalid_token_response.rb +2 -2
- data/lib/doorkeeper/oauth/password_access_token_request.rb +4 -6
- data/lib/doorkeeper/oauth/pre_authorization.rb +36 -30
- data/lib/doorkeeper/oauth/refresh_token_request.rb +18 -22
- data/lib/doorkeeper/oauth/token.rb +5 -6
- data/lib/doorkeeper/oauth/token_introspection.rb +4 -8
- data/lib/doorkeeper/oauth/token_request.rb +3 -3
- data/lib/doorkeeper/oauth/token_response.rb +1 -1
- data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +8 -3
- data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +7 -3
- data/lib/doorkeeper/orm/active_record.rb +10 -2
- data/lib/doorkeeper/rails/routes/abstract_router.rb +35 -0
- data/lib/doorkeeper/rails/routes/mapper.rb +2 -2
- data/lib/doorkeeper/rails/routes/registry.rb +45 -0
- data/lib/doorkeeper/rails/routes.rb +13 -17
- data/lib/doorkeeper/request/refresh_token.rb +2 -1
- data/lib/doorkeeper/request/strategy.rb +2 -2
- data/lib/doorkeeper/server.rb +4 -4
- data/lib/doorkeeper/stale_records_cleaner.rb +4 -4
- data/lib/doorkeeper/version.rb +2 -2
- data/lib/doorkeeper.rb +106 -79
- data/lib/generators/doorkeeper/confidential_applications_generator.rb +1 -1
- data/lib/generators/doorkeeper/enable_polymorphic_resource_owner_generator.rb +39 -0
- data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +2 -0
- data/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb.erb +2 -0
- data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +2 -0
- data/lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb +17 -0
- data/lib/generators/doorkeeper/templates/initializer.rb +39 -3
- data/lib/generators/doorkeeper/templates/migration.rb.erb +14 -5
- metadata +13 -296
- data/Appraisals +0 -40
- data/CODE_OF_CONDUCT.md +0 -46
- data/CONTRIBUTING.md +0 -49
- data/Dangerfile +0 -67
- data/Dockerfile +0 -29
- data/Gemfile +0 -25
- data/NEWS.md +0 -1
- data/RELEASING.md +0 -11
- data/Rakefile +0 -28
- data/SECURITY.md +0 -15
- data/UPGRADE.md +0 -2
- data/bin/console +0 -16
- data/doorkeeper.gemspec +0 -42
- data/gemfiles/rails_5_0.gemfile +0 -18
- data/gemfiles/rails_5_1.gemfile +0 -18
- data/gemfiles/rails_5_2.gemfile +0 -18
- data/gemfiles/rails_6_0.gemfile +0 -18
- data/gemfiles/rails_master.gemfile +0 -18
- data/spec/controllers/application_metal_controller_spec.rb +0 -64
- data/spec/controllers/applications_controller_spec.rb +0 -274
- data/spec/controllers/authorizations_controller_spec.rb +0 -608
- data/spec/controllers/protected_resources_controller_spec.rb +0 -361
- data/spec/controllers/token_info_controller_spec.rb +0 -50
- data/spec/controllers/tokens_controller_spec.rb +0 -498
- data/spec/dummy/Rakefile +0 -9
- data/spec/dummy/app/assets/config/manifest.js +0 -2
- data/spec/dummy/app/controllers/application_controller.rb +0 -5
- data/spec/dummy/app/controllers/custom_authorizations_controller.rb +0 -9
- data/spec/dummy/app/controllers/full_protected_resources_controller.rb +0 -14
- data/spec/dummy/app/controllers/home_controller.rb +0 -18
- data/spec/dummy/app/controllers/metal_controller.rb +0 -13
- data/spec/dummy/app/controllers/semi_protected_resources_controller.rb +0 -13
- data/spec/dummy/app/helpers/application_helper.rb +0 -7
- data/spec/dummy/app/models/user.rb +0 -7
- data/spec/dummy/app/views/home/index.html.erb +0 -0
- data/spec/dummy/app/views/layouts/application.html.erb +0 -14
- data/spec/dummy/config/application.rb +0 -49
- data/spec/dummy/config/boot.rb +0 -7
- data/spec/dummy/config/database.yml +0 -15
- data/spec/dummy/config/environment.rb +0 -5
- data/spec/dummy/config/environments/development.rb +0 -31
- data/spec/dummy/config/environments/production.rb +0 -64
- data/spec/dummy/config/environments/test.rb +0 -45
- data/spec/dummy/config/initializers/backtrace_silencers.rb +0 -9
- data/spec/dummy/config/initializers/doorkeeper.rb +0 -166
- data/spec/dummy/config/initializers/secret_token.rb +0 -10
- data/spec/dummy/config/initializers/session_store.rb +0 -10
- data/spec/dummy/config/initializers/wrap_parameters.rb +0 -16
- data/spec/dummy/config/locales/doorkeeper.en.yml +0 -5
- data/spec/dummy/config/routes.rb +0 -13
- data/spec/dummy/config.ru +0 -6
- data/spec/dummy/db/migrate/20111122132257_create_users.rb +0 -11
- data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb +0 -7
- data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +0 -69
- data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb +0 -9
- data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb +0 -13
- data/spec/dummy/db/migrate/20170822064514_enable_pkce.rb +0 -8
- data/spec/dummy/db/migrate/20180210183654_add_confidential_to_applications.rb +0 -13
- data/spec/dummy/db/schema.rb +0 -68
- data/spec/dummy/public/404.html +0 -26
- data/spec/dummy/public/422.html +0 -26
- data/spec/dummy/public/500.html +0 -26
- data/spec/dummy/public/favicon.ico +0 -0
- data/spec/dummy/script/rails +0 -9
- data/spec/factories.rb +0 -30
- data/spec/generators/application_owner_generator_spec.rb +0 -28
- data/spec/generators/confidential_applications_generator_spec.rb +0 -29
- data/spec/generators/install_generator_spec.rb +0 -36
- data/spec/generators/migration_generator_spec.rb +0 -28
- data/spec/generators/pkce_generator_spec.rb +0 -28
- data/spec/generators/previous_refresh_token_generator_spec.rb +0 -44
- data/spec/generators/templates/routes.rb +0 -4
- data/spec/generators/views_generator_spec.rb +0 -29
- data/spec/grape/grape_integration_spec.rb +0 -137
- data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +0 -26
- data/spec/lib/config_spec.rb +0 -809
- data/spec/lib/doorkeeper_spec.rb +0 -27
- data/spec/lib/models/expirable_spec.rb +0 -61
- data/spec/lib/models/reusable_spec.rb +0 -40
- data/spec/lib/models/revocable_spec.rb +0 -59
- data/spec/lib/models/scopes_spec.rb +0 -53
- data/spec/lib/models/secret_storable_spec.rb +0 -135
- data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -39
- data/spec/lib/oauth/authorization_code_request_spec.rb +0 -170
- data/spec/lib/oauth/base_request_spec.rb +0 -224
- data/spec/lib/oauth/base_response_spec.rb +0 -45
- data/spec/lib/oauth/client/credentials_spec.rb +0 -90
- data/spec/lib/oauth/client_credentials/creator_spec.rb +0 -134
- data/spec/lib/oauth/client_credentials/issuer_spec.rb +0 -112
- data/spec/lib/oauth/client_credentials/validation_spec.rb +0 -59
- data/spec/lib/oauth/client_credentials_integration_spec.rb +0 -27
- data/spec/lib/oauth/client_credentials_request_spec.rb +0 -107
- data/spec/lib/oauth/client_spec.rb +0 -38
- data/spec/lib/oauth/code_request_spec.rb +0 -46
- data/spec/lib/oauth/code_response_spec.rb +0 -32
- data/spec/lib/oauth/error_response_spec.rb +0 -64
- data/spec/lib/oauth/error_spec.rb +0 -21
- data/spec/lib/oauth/forbidden_token_response_spec.rb +0 -20
- data/spec/lib/oauth/helpers/scope_checker_spec.rb +0 -110
- data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -21
- data/spec/lib/oauth/helpers/uri_checker_spec.rb +0 -262
- data/spec/lib/oauth/invalid_request_response_spec.rb +0 -73
- data/spec/lib/oauth/invalid_token_response_spec.rb +0 -53
- data/spec/lib/oauth/password_access_token_request_spec.rb +0 -190
- data/spec/lib/oauth/pre_authorization_spec.rb +0 -223
- data/spec/lib/oauth/refresh_token_request_spec.rb +0 -177
- data/spec/lib/oauth/scopes_spec.rb +0 -146
- data/spec/lib/oauth/token_request_spec.rb +0 -157
- data/spec/lib/oauth/token_response_spec.rb +0 -84
- data/spec/lib/oauth/token_spec.rb +0 -156
- data/spec/lib/request/strategy_spec.rb +0 -54
- data/spec/lib/secret_storing/base_spec.rb +0 -60
- data/spec/lib/secret_storing/bcrypt_spec.rb +0 -49
- data/spec/lib/secret_storing/plain_spec.rb +0 -44
- data/spec/lib/secret_storing/sha256_hash_spec.rb +0 -48
- data/spec/lib/server_spec.rb +0 -49
- data/spec/lib/stale_records_cleaner_spec.rb +0 -89
- data/spec/models/doorkeeper/access_grant_spec.rb +0 -161
- data/spec/models/doorkeeper/access_token_spec.rb +0 -622
- data/spec/models/doorkeeper/application_spec.rb +0 -482
- data/spec/requests/applications/applications_request_spec.rb +0 -259
- data/spec/requests/applications/authorized_applications_spec.rb +0 -32
- data/spec/requests/endpoints/authorization_spec.rb +0 -91
- data/spec/requests/endpoints/token_spec.rb +0 -75
- data/spec/requests/flows/authorization_code_errors_spec.rb +0 -79
- data/spec/requests/flows/authorization_code_spec.rb +0 -525
- data/spec/requests/flows/client_credentials_spec.rb +0 -166
- data/spec/requests/flows/implicit_grant_errors_spec.rb +0 -46
- data/spec/requests/flows/implicit_grant_spec.rb +0 -91
- data/spec/requests/flows/password_spec.rb +0 -316
- data/spec/requests/flows/refresh_token_spec.rb +0 -233
- data/spec/requests/flows/revoke_token_spec.rb +0 -157
- data/spec/requests/flows/skip_authorization_spec.rb +0 -66
- data/spec/requests/protected_resources/metal_spec.rb +0 -16
- data/spec/requests/protected_resources/private_api_spec.rb +0 -83
- data/spec/routing/custom_controller_routes_spec.rb +0 -133
- data/spec/routing/default_routes_spec.rb +0 -41
- data/spec/routing/scoped_routes_spec.rb +0 -47
- data/spec/spec_helper.rb +0 -54
- data/spec/spec_helper_integration.rb +0 -4
- data/spec/support/dependencies/factory_bot.rb +0 -4
- data/spec/support/doorkeeper_rspec.rb +0 -22
- data/spec/support/helpers/access_token_request_helper.rb +0 -13
- data/spec/support/helpers/authorization_request_helper.rb +0 -43
- data/spec/support/helpers/config_helper.rb +0 -11
- data/spec/support/helpers/model_helper.rb +0 -78
- data/spec/support/helpers/request_spec_helper.rb +0 -110
- data/spec/support/helpers/url_helper.rb +0 -62
- data/spec/support/orm/active_record.rb +0 -5
- data/spec/support/shared/controllers_shared_context.rb +0 -133
- data/spec/support/shared/hashing_shared_context.rb +0 -36
- data/spec/support/shared/models_shared_examples.rb +0 -54
- data/spec/validators/redirect_uri_validator_spec.rb +0 -183
- data/spec/version/version_spec.rb +0 -17
|
@@ -8,7 +8,11 @@ module Doorkeeper
|
|
|
8
8
|
end
|
|
9
9
|
|
|
10
10
|
def scopes=(value)
|
|
11
|
-
|
|
11
|
+
if value.is_a?(Array)
|
|
12
|
+
super(Doorkeeper::OAuth::Scopes.from_array(value).to_s)
|
|
13
|
+
else
|
|
14
|
+
super(Doorkeeper::OAuth::Scopes.from_string(value.to_s).to_s)
|
|
15
|
+
end
|
|
12
16
|
end
|
|
13
17
|
|
|
14
18
|
def scopes_string
|
|
@@ -25,9 +25,7 @@ module Doorkeeper
|
|
|
25
25
|
# @return [Boolean]
|
|
26
26
|
# Whether input matches secret as per the secret strategy
|
|
27
27
|
#
|
|
28
|
-
|
|
29
|
-
secret_strategy.secret_matches?(input, secret)
|
|
30
|
-
end
|
|
28
|
+
delegate :secret_matches?, to: :secret_strategy
|
|
31
29
|
|
|
32
30
|
# Returns an instance of the Doorkeeper::AccessToken with
|
|
33
31
|
# specific token value.
|
|
@@ -4,15 +4,17 @@ module Doorkeeper
|
|
|
4
4
|
module OAuth
|
|
5
5
|
module Authorization
|
|
6
6
|
class Code
|
|
7
|
-
|
|
7
|
+
attr_reader :pre_auth, :resource_owner, :token
|
|
8
8
|
|
|
9
9
|
def initialize(pre_auth, resource_owner)
|
|
10
10
|
@pre_auth = pre_auth
|
|
11
11
|
@resource_owner = resource_owner
|
|
12
12
|
end
|
|
13
13
|
|
|
14
|
-
def issue_token
|
|
15
|
-
@token
|
|
14
|
+
def issue_token!
|
|
15
|
+
return @token if defined?(@token)
|
|
16
|
+
|
|
17
|
+
@token = Doorkeeper.config.access_grant_model.create!(access_grant_attributes)
|
|
16
18
|
end
|
|
17
19
|
|
|
18
20
|
def oob_redirect
|
|
@@ -26,13 +28,20 @@ module Doorkeeper
|
|
|
26
28
|
end
|
|
27
29
|
|
|
28
30
|
def access_grant_attributes
|
|
29
|
-
|
|
31
|
+
attributes = {
|
|
30
32
|
application_id: pre_auth.client.id,
|
|
31
|
-
resource_owner_id: resource_owner.id,
|
|
32
33
|
expires_in: authorization_code_expires_in,
|
|
33
34
|
redirect_uri: pre_auth.redirect_uri,
|
|
34
35
|
scopes: pre_auth.scopes.to_s,
|
|
35
|
-
|
|
36
|
+
}
|
|
37
|
+
|
|
38
|
+
if Doorkeeper.config.polymorphic_resource_owner?
|
|
39
|
+
attributes[:resource_owner] = resource_owner
|
|
40
|
+
else
|
|
41
|
+
attributes[:resource_owner_id] = resource_owner.id
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
pkce_attributes.merge(attributes)
|
|
36
45
|
end
|
|
37
46
|
|
|
38
47
|
def pkce_attributes
|
|
@@ -4,7 +4,7 @@ module Doorkeeper
|
|
|
4
4
|
module OAuth
|
|
5
5
|
module Authorization
|
|
6
6
|
class Token
|
|
7
|
-
|
|
7
|
+
attr_reader :pre_auth, :resource_owner, :token
|
|
8
8
|
|
|
9
9
|
class << self
|
|
10
10
|
def build_context(pre_auth_or_oauth_client, grant_type, scopes)
|
|
@@ -48,7 +48,7 @@ module Doorkeeper
|
|
|
48
48
|
@resource_owner = resource_owner
|
|
49
49
|
end
|
|
50
50
|
|
|
51
|
-
def issue_token
|
|
51
|
+
def issue_token!
|
|
52
52
|
return @token if defined?(@token)
|
|
53
53
|
|
|
54
54
|
context = self.class.build_context(
|
|
@@ -57,12 +57,12 @@ module Doorkeeper
|
|
|
57
57
|
pre_auth.scopes,
|
|
58
58
|
)
|
|
59
59
|
|
|
60
|
-
@token =
|
|
61
|
-
pre_auth.client,
|
|
62
|
-
resource_owner
|
|
63
|
-
pre_auth.scopes,
|
|
64
|
-
self.class.access_token_expires_in(
|
|
65
|
-
false,
|
|
60
|
+
@token = Doorkeeper.config.access_token_model.find_or_create_for(
|
|
61
|
+
application: pre_auth.client,
|
|
62
|
+
resource_owner: resource_owner,
|
|
63
|
+
scopes: pre_auth.scopes,
|
|
64
|
+
expires_in: self.class.access_token_expires_in(Doorkeeper.config, context),
|
|
65
|
+
use_refresh_token: false,
|
|
66
66
|
)
|
|
67
67
|
end
|
|
68
68
|
|
|
@@ -76,10 +76,6 @@ module Doorkeeper
|
|
|
76
76
|
|
|
77
77
|
private
|
|
78
78
|
|
|
79
|
-
def configuration
|
|
80
|
-
Doorkeeper.config
|
|
81
|
-
end
|
|
82
|
-
|
|
83
79
|
def controller
|
|
84
80
|
@controller ||= begin
|
|
85
81
|
mapping = Doorkeeper::Rails::Routes.mapping[:token_info] || {}
|
|
@@ -8,9 +8,9 @@ module Doorkeeper
|
|
|
8
8
|
class URIBuilder
|
|
9
9
|
class << self
|
|
10
10
|
def uri_with_query(url, parameters = {})
|
|
11
|
-
uri
|
|
11
|
+
uri = URI.parse(url)
|
|
12
12
|
original_query = Rack::Utils.parse_query(uri.query)
|
|
13
|
-
uri.query
|
|
13
|
+
uri.query = build_query(original_query.merge(parameters))
|
|
14
14
|
uri.to_s
|
|
15
15
|
end
|
|
16
16
|
|
|
@@ -23,8 +23,8 @@ module Doorkeeper
|
|
|
23
23
|
private
|
|
24
24
|
|
|
25
25
|
def build_query(parameters = {})
|
|
26
|
-
parameters = parameters.reject { |_,
|
|
27
|
-
Rack::Utils.build_query
|
|
26
|
+
parameters = parameters.reject { |_, value| value.blank? }
|
|
27
|
+
Rack::Utils.build_query(parameters)
|
|
28
28
|
end
|
|
29
29
|
end
|
|
30
30
|
end
|
|
@@ -11,9 +11,8 @@ module Doorkeeper
|
|
|
11
11
|
validate :redirect_uri, error: :invalid_grant
|
|
12
12
|
validate :code_verifier, error: :invalid_grant
|
|
13
13
|
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
attr_reader :invalid_request_reason, :missing_param
|
|
14
|
+
attr_reader :grant, :client, :redirect_uri, :access_token, :code_verifier,
|
|
15
|
+
:invalid_request_reason, :missing_param
|
|
17
16
|
|
|
18
17
|
def initialize(server, grant, client, parameters = {})
|
|
19
18
|
@server = server
|
|
@@ -33,19 +32,30 @@ module Doorkeeper
|
|
|
33
32
|
|
|
34
33
|
grant.revoke
|
|
35
34
|
|
|
35
|
+
resource_owner = if Doorkeeper.config.polymorphic_resource_owner?
|
|
36
|
+
grant.resource_owner
|
|
37
|
+
else
|
|
38
|
+
grant.resource_owner_id
|
|
39
|
+
end
|
|
40
|
+
|
|
36
41
|
find_or_create_access_token(
|
|
37
42
|
grant.application,
|
|
38
|
-
|
|
43
|
+
resource_owner,
|
|
39
44
|
grant.scopes,
|
|
40
45
|
server,
|
|
41
46
|
)
|
|
42
47
|
end
|
|
48
|
+
|
|
43
49
|
super
|
|
44
50
|
end
|
|
45
51
|
|
|
52
|
+
def pkce_supported?
|
|
53
|
+
Doorkeeper.config.access_grant_model.pkce_supported?
|
|
54
|
+
end
|
|
55
|
+
|
|
46
56
|
def validate_pkce_support
|
|
47
57
|
@invalid_request_reason = :not_support_pkce if grant &&
|
|
48
|
-
!
|
|
58
|
+
!pkce_supported? &&
|
|
49
59
|
code_verifier.present?
|
|
50
60
|
|
|
51
61
|
@invalid_request_reason.nil?
|
|
@@ -78,11 +88,11 @@ module Doorkeeper
|
|
|
78
88
|
)
|
|
79
89
|
end
|
|
80
90
|
|
|
81
|
-
# if either side (server or client) request
|
|
82
|
-
# against the DB - if
|
|
91
|
+
# if either side (server or client) request PKCE, check the verifier
|
|
92
|
+
# against the DB - if PKCE is supported
|
|
83
93
|
def validate_code_verifier
|
|
84
94
|
return true unless grant.uses_pkce? || code_verifier
|
|
85
|
-
return false unless
|
|
95
|
+
return false unless pkce_supported?
|
|
86
96
|
|
|
87
97
|
if grant.code_challenge_method == "S256"
|
|
88
98
|
grant.code_challenge == generate_code_challenge(code_verifier)
|
|
@@ -5,11 +5,11 @@ module Doorkeeper
|
|
|
5
5
|
class BaseRequest
|
|
6
6
|
include Validations
|
|
7
7
|
|
|
8
|
-
attr_reader :grant_type
|
|
8
|
+
attr_reader :grant_type, :server
|
|
9
9
|
|
|
10
|
-
|
|
11
|
-
validate
|
|
10
|
+
delegate :default_scopes, to: :server
|
|
12
11
|
|
|
12
|
+
def authorize
|
|
13
13
|
if valid?
|
|
14
14
|
before_successful_response
|
|
15
15
|
@response = TokenResponse.new(access_token)
|
|
@@ -26,22 +26,14 @@ module Doorkeeper
|
|
|
26
26
|
@scopes ||= build_scopes
|
|
27
27
|
end
|
|
28
28
|
|
|
29
|
-
def
|
|
30
|
-
server.default_scopes
|
|
31
|
-
end
|
|
32
|
-
|
|
33
|
-
def valid?
|
|
34
|
-
error.nil?
|
|
35
|
-
end
|
|
36
|
-
|
|
37
|
-
def find_or_create_access_token(client, resource_owner_id, scopes, server)
|
|
29
|
+
def find_or_create_access_token(client, resource_owner, scopes, server)
|
|
38
30
|
context = Authorization::Token.build_context(client, grant_type, scopes)
|
|
39
31
|
@access_token = server_config.access_token_model.find_or_create_for(
|
|
40
|
-
client,
|
|
41
|
-
|
|
42
|
-
scopes,
|
|
43
|
-
Authorization::Token.access_token_expires_in(server, context),
|
|
44
|
-
Authorization::Token.refresh_token_enabled?(server, context),
|
|
32
|
+
application: client,
|
|
33
|
+
resource_owner: resource_owner,
|
|
34
|
+
scopes: scopes,
|
|
35
|
+
expires_in: Authorization::Token.access_token_expires_in(server, context),
|
|
36
|
+
use_refresh_token: Authorization::Token.refresh_token_enabled?(server, context),
|
|
45
37
|
)
|
|
46
38
|
end
|
|
47
39
|
|
|
@@ -63,10 +55,10 @@ module Doorkeeper
|
|
|
63
55
|
if @original_scopes.present?
|
|
64
56
|
OAuth::Scopes.from_string(@original_scopes)
|
|
65
57
|
else
|
|
66
|
-
client_scopes = @client
|
|
58
|
+
client_scopes = @client&.scopes
|
|
67
59
|
return default_scopes if client_scopes.blank?
|
|
68
60
|
|
|
69
|
-
default_scopes &
|
|
61
|
+
default_scopes & client_scopes
|
|
70
62
|
end
|
|
71
63
|
end
|
|
72
64
|
end
|
|
@@ -9,7 +9,7 @@ module Doorkeeper
|
|
|
9
9
|
credentials_methods.inject(nil) do |_, method|
|
|
10
10
|
method = self.method(method) if method.is_a?(Symbol)
|
|
11
11
|
credentials = Credentials.new(*method.call(request))
|
|
12
|
-
break credentials
|
|
12
|
+
break credentials if credentials.present?
|
|
13
13
|
end
|
|
14
14
|
end
|
|
15
15
|
|
|
@@ -27,9 +27,7 @@ module Doorkeeper
|
|
|
27
27
|
|
|
28
28
|
# Public clients may have their secret blank, but "credentials" are
|
|
29
29
|
# still present
|
|
30
|
-
|
|
31
|
-
uid.blank?
|
|
32
|
-
end
|
|
30
|
+
delegate :blank?, to: :uid
|
|
33
31
|
end
|
|
34
32
|
end
|
|
35
33
|
end
|
|
@@ -2,26 +2,44 @@
|
|
|
2
2
|
|
|
3
3
|
module Doorkeeper
|
|
4
4
|
module OAuth
|
|
5
|
-
|
|
5
|
+
module ClientCredentials
|
|
6
6
|
class Creator
|
|
7
7
|
def call(client, scopes, attributes = {})
|
|
8
|
+
existing_token = nil
|
|
9
|
+
|
|
8
10
|
if lookup_existing_token?
|
|
9
11
|
existing_token = find_existing_token_for(client, scopes)
|
|
10
12
|
return existing_token if server_config.reuse_access_token && existing_token&.reusable?
|
|
11
|
-
|
|
12
|
-
existing_token&.revoke if server_config.revoke_previous_client_credentials_token
|
|
13
13
|
end
|
|
14
14
|
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
15
|
+
with_revocation(existing_token: existing_token) do
|
|
16
|
+
server_config.access_token_model.find_or_create_for(
|
|
17
|
+
application: client,
|
|
18
|
+
resource_owner: nil,
|
|
19
|
+
scopes: scopes,
|
|
20
|
+
**attributes,
|
|
21
|
+
)
|
|
22
|
+
end
|
|
19
23
|
end
|
|
20
24
|
|
|
21
25
|
private
|
|
22
26
|
|
|
27
|
+
def with_revocation(existing_token:)
|
|
28
|
+
if existing_token && server_config.revoke_previous_client_credentials_token?
|
|
29
|
+
existing_token.with_lock do
|
|
30
|
+
raise Errors::DoorkeeperError, :invalid_token_reuse if existing_token.revoked?
|
|
31
|
+
|
|
32
|
+
existing_token.revoke
|
|
33
|
+
|
|
34
|
+
yield
|
|
35
|
+
end
|
|
36
|
+
else
|
|
37
|
+
yield
|
|
38
|
+
end
|
|
39
|
+
end
|
|
40
|
+
|
|
23
41
|
def lookup_existing_token?
|
|
24
|
-
server_config.reuse_access_token || server_config.revoke_previous_client_credentials_token
|
|
42
|
+
server_config.reuse_access_token || server_config.revoke_previous_client_credentials_token?
|
|
25
43
|
end
|
|
26
44
|
|
|
27
45
|
def find_existing_token_for(client, scopes)
|
|
@@ -2,9 +2,9 @@
|
|
|
2
2
|
|
|
3
3
|
module Doorkeeper
|
|
4
4
|
module OAuth
|
|
5
|
-
|
|
5
|
+
module ClientCredentials
|
|
6
6
|
class Issuer
|
|
7
|
-
|
|
7
|
+
attr_reader :token, :validator, :error
|
|
8
8
|
|
|
9
9
|
def initialize(server, validator)
|
|
10
10
|
@server = server
|
|
@@ -19,6 +19,7 @@ module Doorkeeper
|
|
|
19
19
|
@token = false
|
|
20
20
|
@error = validator.error
|
|
21
21
|
end
|
|
22
|
+
|
|
22
23
|
@token
|
|
23
24
|
end
|
|
24
25
|
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
module Doorkeeper
|
|
4
4
|
module OAuth
|
|
5
|
-
|
|
5
|
+
module ClientCredentials
|
|
6
6
|
class Validator
|
|
7
7
|
include Validations
|
|
8
8
|
include OAuth::Helpers
|
|
@@ -26,9 +26,11 @@ module Doorkeeper
|
|
|
26
26
|
end
|
|
27
27
|
|
|
28
28
|
def validate_client_supports_grant_flow
|
|
29
|
+
return if @client.blank?
|
|
30
|
+
|
|
29
31
|
Doorkeeper.config.allow_grant_flow_for_client?(
|
|
30
32
|
Doorkeeper::OAuth::CLIENT_CREDENTIALS,
|
|
31
|
-
@client,
|
|
33
|
+
@client.application,
|
|
32
34
|
)
|
|
33
35
|
end
|
|
34
36
|
|
|
@@ -3,18 +3,12 @@
|
|
|
3
3
|
module Doorkeeper
|
|
4
4
|
module OAuth
|
|
5
5
|
class ClientCredentialsRequest < BaseRequest
|
|
6
|
-
|
|
7
|
-
attr_reader :response
|
|
8
|
-
attr_writer :issuer
|
|
6
|
+
attr_reader :client, :original_scopes, :response
|
|
9
7
|
|
|
10
8
|
alias error_response response
|
|
11
9
|
|
|
12
10
|
delegate :error, to: :issuer
|
|
13
11
|
|
|
14
|
-
def issuer
|
|
15
|
-
@issuer ||= Issuer.new(server, Validator.new(server, self))
|
|
16
|
-
end
|
|
17
|
-
|
|
18
12
|
def initialize(server, client, parameters = {})
|
|
19
13
|
@client = client
|
|
20
14
|
@server = server
|
|
@@ -26,6 +20,13 @@ module Doorkeeper
|
|
|
26
20
|
issuer.token
|
|
27
21
|
end
|
|
28
22
|
|
|
23
|
+
def issuer
|
|
24
|
+
@issuer ||= ClientCredentials::Issuer.new(
|
|
25
|
+
server,
|
|
26
|
+
ClientCredentials::Validator.new(server, self),
|
|
27
|
+
)
|
|
28
|
+
end
|
|
29
|
+
|
|
29
30
|
private
|
|
30
31
|
|
|
31
32
|
def valid?
|
|
@@ -3,16 +3,16 @@
|
|
|
3
3
|
module Doorkeeper
|
|
4
4
|
module OAuth
|
|
5
5
|
class CodeRequest
|
|
6
|
-
|
|
6
|
+
attr_reader :pre_auth, :resource_owner
|
|
7
7
|
|
|
8
8
|
def initialize(pre_auth, resource_owner)
|
|
9
|
-
@pre_auth
|
|
9
|
+
@pre_auth = pre_auth
|
|
10
10
|
@resource_owner = resource_owner
|
|
11
11
|
end
|
|
12
12
|
|
|
13
13
|
def authorize
|
|
14
14
|
auth = Authorization::Code.new(pre_auth, resource_owner)
|
|
15
|
-
auth.issue_token
|
|
15
|
+
auth.issue_token!
|
|
16
16
|
CodeResponse.new(pre_auth, auth)
|
|
17
17
|
end
|
|
18
18
|
|
|
@@ -5,7 +5,7 @@ module Doorkeeper
|
|
|
5
5
|
class CodeResponse < BaseResponse
|
|
6
6
|
include OAuth::Helpers
|
|
7
7
|
|
|
8
|
-
|
|
8
|
+
attr_reader :pre_auth, :auth, :response_on_fragment
|
|
9
9
|
|
|
10
10
|
def initialize(pre_auth, auth, options = {})
|
|
11
11
|
@pre_auth = pre_auth
|
|
@@ -17,8 +17,12 @@ module Doorkeeper
|
|
|
17
17
|
true
|
|
18
18
|
end
|
|
19
19
|
|
|
20
|
+
def issued_token
|
|
21
|
+
auth.token
|
|
22
|
+
end
|
|
23
|
+
|
|
20
24
|
def redirect_uri
|
|
21
|
-
if URIChecker.oob_uri?
|
|
25
|
+
if URIChecker.oob_uri?(pre_auth.redirect_uri)
|
|
22
26
|
auth.oob_redirect
|
|
23
27
|
elsif response_on_fragment
|
|
24
28
|
Authorization::URIBuilder.uri_with_fragment(
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module Doorkeeper
|
|
4
|
+
module OAuth
|
|
5
|
+
module Hooks
|
|
6
|
+
class Context
|
|
7
|
+
attr_reader :auth, :pre_auth
|
|
8
|
+
|
|
9
|
+
def initialize(**attributes)
|
|
10
|
+
attributes.each do |name, value|
|
|
11
|
+
instance_variable_set(:"@#{name}", value) if respond_to?(name)
|
|
12
|
+
end
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
def issued_token
|
|
16
|
+
auth&.issued_token
|
|
17
|
+
end
|
|
18
|
+
end
|
|
19
|
+
end
|
|
20
|
+
end
|
|
21
|
+
end
|
|
@@ -6,9 +6,9 @@ module Doorkeeper
|
|
|
6
6
|
attr_reader :reason
|
|
7
7
|
|
|
8
8
|
def self.from_access_token(access_token, attributes = {})
|
|
9
|
-
reason = if access_token
|
|
9
|
+
reason = if access_token&.revoked?
|
|
10
10
|
:revoked
|
|
11
|
-
elsif access_token
|
|
11
|
+
elsif access_token&.expired?
|
|
12
12
|
:expired
|
|
13
13
|
else
|
|
14
14
|
:unknown
|
|
@@ -10,8 +10,7 @@ module Doorkeeper
|
|
|
10
10
|
validate :resource_owner, error: :invalid_grant
|
|
11
11
|
validate :scopes, error: :invalid_scope
|
|
12
12
|
|
|
13
|
-
|
|
14
|
-
:access_token
|
|
13
|
+
attr_reader :client, :resource_owner, :parameters, :access_token
|
|
15
14
|
|
|
16
15
|
def initialize(server, client, resource_owner, parameters = {})
|
|
17
16
|
@server = server
|
|
@@ -25,18 +24,17 @@ module Doorkeeper
|
|
|
25
24
|
private
|
|
26
25
|
|
|
27
26
|
def before_successful_response
|
|
28
|
-
find_or_create_access_token(client, resource_owner
|
|
27
|
+
find_or_create_access_token(client, resource_owner, scopes, server)
|
|
29
28
|
super
|
|
30
29
|
end
|
|
31
30
|
|
|
32
31
|
def validate_scopes
|
|
33
|
-
client_scopes = client.try(:scopes)
|
|
34
32
|
return true if scopes.blank?
|
|
35
33
|
|
|
36
34
|
ScopeChecker.valid?(
|
|
37
35
|
scope_str: scopes.to_s,
|
|
38
36
|
server_scopes: server.scopes,
|
|
39
|
-
app_scopes:
|
|
37
|
+
app_scopes: client.try(:scopes),
|
|
40
38
|
grant_type: grant_type,
|
|
41
39
|
)
|
|
42
40
|
end
|
|
@@ -50,7 +48,7 @@ module Doorkeeper
|
|
|
50
48
|
end
|
|
51
49
|
|
|
52
50
|
def validate_client_supports_grant_flow
|
|
53
|
-
server_config.allow_grant_flow_for_client?(grant_type, client)
|
|
51
|
+
server_config.allow_grant_flow_for_client?(grant_type, client&.application)
|
|
54
52
|
end
|
|
55
53
|
end
|
|
56
54
|
end
|