doorkeeper 5.3.3 → 5.4.0

data/lib/doorkeeper/oauth/pre_authorization.rb

@@ -5,39 +5,37 @@ module Doorkeeper
     class PreAuthorization
       include Validations
 
-      validate :client_id,             error: :invalid_request
-      validate :client,                error: :invalid_client
-      validate :redirect_uri,          error: :invalid_redirect_uri
-      validate :params,                error: :invalid_request
-      validate :response_type,         error: :unsupported_response_type
-      validate :scopes,                error: :invalid_scope
-      validate :code_challenge_method, error: :invalid_code_challenge_method
+      validate :client_id, error: :invalid_request
+      validate :client, error: :invalid_client
       validate :client_supports_grant_flow, error: :unauthorized_client
+      validate :resource_owner_authorize_for_client, error: :invalid_client
+      validate :redirect_uri, error: :invalid_redirect_uri
+      validate :params, error: :invalid_request
+      validate :response_type, error: :unsupported_response_type
+      validate :scopes, error: :invalid_scope
+      validate :code_challenge_method, error: :invalid_code_challenge_method
 
-      attr_reader :server, :client_id, :client, :redirect_uri, :response_type, :state,
-                  :code_challenge, :code_challenge_method, :missing_param
+      attr_reader :client, :code_challenge, :code_challenge_method, :missing_param,
+                  :redirect_uri, :resource_owner, :response_type, :state
 
-      def initialize(server, attrs = {})
+      def initialize(server, parameters = {}, resource_owner = nil)
         @server                = server
-        @client_id             = attrs[:client_id]
-        @response_type         = attrs[:response_type]
-        @redirect_uri          = attrs[:redirect_uri]
-        @scope                 = attrs[:scope]
-        @state                 = attrs[:state]
-        @code_challenge        = attrs[:code_challenge]
-        @code_challenge_method = attrs[:code_challenge_method]
+        @client_id             = parameters[:client_id]
+        @response_type         = parameters[:response_type]
+        @redirect_uri          = parameters[:redirect_uri]
+        @scope                 = parameters[:scope]
+        @state                 = parameters[:state]
+        @code_challenge        = parameters[:code_challenge]
+        @code_challenge_method = parameters[:code_challenge_method]
+        @resource_owner        = resource_owner
       end
 
       def authorizable?
         valid?
       end
 
-      def validate_client_supports_grant_flow
-        Doorkeeper.config.allow_grant_flow_for_client?(grant_type, client.application)
-      end
-
       def scopes
-        Scopes.from_string scope
+        Scopes.from_string(scope)
       end
 
       def scope
@@ -55,14 +53,14 @@ module Doorkeeper
         end
       end
 
-      def as_json(attributes = {})
-        return pre_auth_hash.merge(attributes.to_h) if attributes.respond_to?(:to_h)
-
+      def as_json(_options = nil)
         pre_auth_hash
       end
 
       private
 
+      attr_reader :client_id, :server
+
       def build_scopes
         client_scopes = client.scopes
         if client_scopes.blank?
@@ -74,7 +72,6 @@ module Doorkeeper
 
       def validate_client_id
         @missing_param = :client_id if client_id.blank?
-
         @missing_param.nil?
       end
 
@@ -83,6 +80,10 @@ module Doorkeeper
         @client.present?
       end
 
+      def validate_client_supports_grant_flow
+        Doorkeeper.config.allow_grant_flow_for_client?(grant_type, client.application)
+      end
+
       def validate_redirect_uri
         return false if redirect_uri.blank?
 
@@ -115,19 +116,24 @@ module Doorkeeper
         )
       end
 
-      def grant_type
-        response_type == "code" ? AUTHORIZATION_CODE : IMPLICIT
-      end
-
       def validate_code_challenge_method
         code_challenge.blank? ||
           (code_challenge_method.present? && code_challenge_method =~ /^plain$|^S256$/)
       end
 
+      def validate_resource_owner_authorize_for_client
+        # The `authorize_resource_owner_for_client` config option is used for this validation
+        client.application.authorized_for_resource_owner?(@resource_owner)
+      end
+
       def response_on_fragment?
         response_type == "token"
       end
 
+      def grant_type
+        response_type == "code" ? AUTHORIZATION_CODE : IMPLICIT
+      end
+
       def pre_auth_hash
         {
           client_id: client.uid,

data/lib/doorkeeper/oauth/refresh_token_request.rb

@@ -11,9 +11,8 @@ module Doorkeeper
       validate :client_match, error: :invalid_grant
       validate :scope,        error: :invalid_scope
 
-      attr_accessor :access_token, :client, :credentials, :refresh_token,
-                    :server
-      attr_reader   :missing_param
+      attr_reader :access_token, :client, :credentials, :refresh_token
+      attr_reader :missing_param
 
       def initialize(server, refresh_token, credentials, parameters = {})
         @server = server
@@ -50,30 +49,27 @@ module Doorkeeper
       end
 
       def create_access_token
-        @access_token = server_config.access_token_model.create!(access_token_attributes)
-      end
+        attributes = {}
 
-      def access_token_attributes
-        {
-          application_id: refresh_token.application_id,
-          resource_owner_id: refresh_token.resource_owner_id,
-          scopes: scopes.to_s,
-          expires_in: access_token_expires_in,
-          use_refresh_token: true,
-        }.tap do |attributes|
-          if refresh_token_revoked_on_use?
-            attributes[:previous_refresh_token] = refresh_token.refresh_token
+        resource_owner =
+          if Doorkeeper.config.polymorphic_resource_owner?
+            refresh_token.resource_owner
+          else
+            refresh_token.resource_owner_id
           end
+
+        if refresh_token_revoked_on_use?
+          attributes[:previous_refresh_token] = refresh_token.refresh_token
         end
-      end
 
-      def access_token_expires_in
-        context = Authorization::Token.build_context(
-          client,
-          Doorkeeper::OAuth::REFRESH_TOKEN,
-          scopes,
+        @access_token = server_config.access_token_model.create_for(
+          application: refresh_token.application,
+          resource_owner: resource_owner,
+          scopes: scopes,
+          expires_in: refresh_token.expires_in,
+          use_refresh_token: true,
+          **attributes,
         )
-        Authorization::Token.access_token_expires_in(server, context)
       end
 
       def validate_token_presence

data/lib/doorkeeper/oauth/token.rb

@@ -8,15 +8,14 @@ module Doorkeeper
           methods.inject(nil) do |_, method|
             method = self.method(method) if method.is_a?(Symbol)
             credentials = method.call(request)
-            break credentials unless credentials.blank?
+            break credentials if credentials.present?
           end
         end
 
         def authenticate(request, *methods)
           if (token = from_request(request, *methods))
             access_token = Doorkeeper.config.access_token_model.by_token(token)
-            refresh_token_enabled = Doorkeeper.config.refresh_token_enabled?
-            if access_token.present? && refresh_token_enabled
+            if access_token.present? && Doorkeeper.config.refresh_token_enabled?
               access_token.revoke_previous_refresh_token!
             end
             access_token
@@ -33,13 +32,13 @@ module Doorkeeper
 
         def from_bearer_authorization(request)
           pattern = /^Bearer /i
-          header  = request.authorization
+          header = request.authorization
           token_from_header(header, pattern) if match?(header, pattern)
         end
 
         def from_basic_authorization(request)
           pattern = /^Basic /i
-          header  = request.authorization
+          header = request.authorization
           token_from_basic_header(header, pattern) if match?(header, pattern)
         end
 
@@ -55,7 +54,7 @@ module Doorkeeper
         end
 
         def token_from_header(header, pattern)
-          header.gsub pattern, ""
+          header.gsub(pattern, "")
         end
 
         def match?(header, pattern)

data/lib/doorkeeper/oauth/token_introspection.rb

@@ -6,9 +6,6 @@ module Doorkeeper
     #
     # @see https://tools.ietf.org/html/rfc7662
     class TokenIntrospection
-      attr_reader :server, :token
-      attr_reader :error, :invalid_request_reason
-
       def initialize(server, token)
         @server = server
         @token = token
@@ -38,6 +35,9 @@ module Doorkeeper
 
       private
 
+      attr_reader :server, :token
+      attr_reader :error, :invalid_request_reason
+
       # If the protected resource uses OAuth 2.0 client credentials to
       # authenticate to the introspection endpoint and its credentials are
       # invalid, the authorization server responds with an HTTP 401
@@ -179,11 +179,7 @@ module Doorkeeper
         allow_introspection = Doorkeeper.config.allow_token_introspection
         return allow_introspection unless allow_introspection.respond_to?(:call)
 
-        allow_introspection.call(
-          @token,
-          auth_client,
-          auth_token,
-        )
+        allow_introspection.call(@token, auth_client, auth_token)
       end
 
       # Allows to customize introspection response.

data/lib/doorkeeper/oauth/token_request.rb

@@ -3,16 +3,16 @@
 module Doorkeeper
   module OAuth
     class TokenRequest
-      attr_accessor :pre_auth, :resource_owner
+      attr_reader :pre_auth, :resource_owner
 
       def initialize(pre_auth, resource_owner)
-        @pre_auth       = pre_auth
+        @pre_auth = pre_auth
         @resource_owner = resource_owner
       end
 
       def authorize
         auth = Authorization::Token.new(pre_auth, resource_owner)
-        auth.issue_token
+        auth.issue_token!
         CodeResponse.new(pre_auth, auth, response_on_fragment: true)
       end
 

data/lib/doorkeeper/oauth/token_response.rb

@@ -3,7 +3,7 @@
 module Doorkeeper
   module OAuth
     class TokenResponse
-      attr_accessor :token
+      attr_reader :token
 
       def initialize(token)
         @token = token

data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb

@@ -9,12 +9,17 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
 
       include ::Doorkeeper::AccessGrantMixin
 
-      belongs_to :application, class_name: Doorkeeper.config.application_class,
+      belongs_to :application, class_name: Doorkeeper.config.application_class.to_s,
                                optional: true,
                                inverse_of: :access_grants
 
-      validates :resource_owner_id,
-                :application_id,
+      if Doorkeeper.config.polymorphic_resource_owner?
+        belongs_to :resource_owner, polymorphic: true, optional: false
+      else
+        validates :resource_owner_id, presence: true
+      end
+
+      validates :application_id,
                 :token,
                 :expires_in,
                 :redirect_uri,

data/lib/doorkeeper/orm/active_record/mixins/access_token.rb

@@ -9,10 +9,14 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
 
       include ::Doorkeeper::AccessTokenMixin
 
-      belongs_to :application, class_name: Doorkeeper.config.application_class,
+      belongs_to :application, class_name: Doorkeeper.config.application_class.to_s,
                                inverse_of: :access_tokens,
                                optional: true
 
+      if Doorkeeper.config.polymorphic_resource_owner?
+        belongs_to :resource_owner, polymorphic: true, optional: true
+      end
+
       validates :token, presence: true, uniqueness: { case_sensitive: true }
       validates :refresh_token, uniqueness: { case_sensitive: true }, if: :use_refresh_token?
 
@@ -25,7 +29,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
                         on: :create, if: :use_refresh_token?
     end
 
-    class_methods do
+    module ClassMethods
       # Searches for not revoked Access Tokens associated with the
       # specific Resource Owner.
       #
@@ -36,7 +40,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
       #   active Access Tokens for Resource Owner
       #
       def active_for(resource_owner)
-        where(resource_owner_id: resource_owner.id, revoked_at: nil)
+        by_resource_owner(resource_owner).where(revoked_at: nil)
       end
 
       def refresh_token_revoked_on_use?

data/lib/doorkeeper/orm/active_record.rb

@@ -33,12 +33,20 @@ module Doorkeeper
         lazy_load do
           require "doorkeeper/models/concerns/ownership"
 
-          Doorkeeper.config.application_model.send :include, Doorkeeper::Models::Ownership
+          Doorkeeper.config.application_model.include(Doorkeeper::Models::Ownership)
         end
       end
 
       def self.lazy_load(&block)
-        ActiveSupport.on_load(:active_record, {}, &block)
+        # ActiveSupport has no public interface to check if something
+        # already lazy-loaded :(
+        loaded = ActiveSupport.instance_variable_get(:"@loaded") || {}
+
+        if loaded.key?(:active_record)
+          block.call
+        else
+          ActiveSupport.on_load(:active_record, {}, &block)
+        end
       end
 
       def self.models

data/lib/doorkeeper/rails/routes/abstract_router.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module Rails
+    # Abstract router module that implements base behavior
+    # for generating and mapping Rails routes.
+    #
+    # Could be reused in Doorkeeper extensions.
+    #
+    module AbstractRouter
+      extend ActiveSupport::Concern
+
+      attr_reader :routes
+
+      def initialize(routes, mapper = Mapper.new, &block)
+        @routes = routes
+        @mapping = mapper.map(&block)
+      end
+
+      def generate_routes!(**_options)
+        raise NotImplementedError, "must be redefined for #{self.class.name}!"
+      end
+
+      private
+
+      def map_route(name, method)
+        return if @mapping.skipped?(name)
+
+        send(method, @mapping[name])
+
+        mapping[name] = @mapping[name]
+      end
+    end
+  end
+end

data/lib/doorkeeper/rails/routes/mapper.rb

@@ -4,8 +4,8 @@ module Doorkeeper
   module Rails
     class Routes # :nodoc:
       class Mapper
-        def initialize
-          @mapping = Mapping.new
+        def initialize(mapping = Mapping.new)
+          @mapping = mapping
         end
 
         def map(&block)

data/lib/doorkeeper/rails/routes/registry.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module Rails
+    class Routes
+      # Thread-safe registry of any Doorkeeper additional routes.
+      # Used to allow implementing of Doorkeeper extensions that must
+      # use their own routes.
+      #
+      module Registry
+        ROUTES_ACCESS_LOCK = Mutex.new
+        ROUTES_DEFINITION_LOCK = Mutex.new
+
+        InvalidRouterClass = Class.new(StandardError)
+
+        # Collection of additional registered routes for Doorkeeper.
+        #
+        # @return [Array<Object>] set of registered routes
+        #
+        def registered_routes
+          ROUTES_DEFINITION_LOCK.synchronize do
+            @registered_routes ||= Set.new
+          end
+        end
+
+        # Registers additional routes in the Doorkeeper registry
+        #
+        # @param [Object] routes
+        #   routes class
+        #
+        def register_routes(routes)
+          if !routes.is_a?(Module) || !(routes < AbstractRouter)
+            raise InvalidRouterClass, "routes class must include Doorkeeper::Rails::AbstractRouter"
+          end
+
+          ROUTES_ACCESS_LOCK.synchronize do
+            registered_routes << routes
+          end
+        end
+
+        alias register register_routes
+      end
+    end
+  end
+end

data/lib/doorkeeper/rails/routes.rb

@@ -2,29 +2,33 @@
 
 require "doorkeeper/rails/routes/mapping"
 require "doorkeeper/rails/routes/mapper"
+require "doorkeeper/rails/routes/abstract_router"
+require "doorkeeper/rails/routes/registry"
 
 module Doorkeeper
   module Rails
     class Routes # :nodoc:
-      mattr_reader :mapping do
-        {}
-      end
-
       module Helper
         def use_doorkeeper(options = {}, &block)
           Doorkeeper::Rails::Routes.new(self, &block).generate_routes!(options)
         end
       end
 
+      include AbstractRouter
+      extend Registry
+
+      mattr_reader :mapping do
+        {}
+      end
+
       def self.install!
         ActionDispatch::Routing::Mapper.include Doorkeeper::Rails::Routes::Helper
-      end
 
-      attr_reader :routes
+        registered_routes.each(&:install!)
+      end
 
-      def initialize(routes, &block)
-        @routes = routes
-        @mapping = Mapper.new.map(&block)
+      def initialize(routes, mapper = Mapper.new, &block)
+        super
 
         @mapping.skips.push(:applications, :authorized_applications) if Doorkeeper.config.api_only
       end
@@ -43,14 +47,6 @@ module Doorkeeper
 
       private
 
-      def map_route(name, method)
-        return if @mapping.skipped?(name)
-
-        send(method, @mapping[name])
-
-        mapping[name] = @mapping[name]
-      end
-
       def authorization_routes(mapping)
         routes.resource(
           :authorization,

data/lib/doorkeeper/request/refresh_token.rb

@@ -12,7 +12,8 @@ module Doorkeeper
       def request
         @request ||= OAuth::RefreshTokenRequest.new(
           Doorkeeper.config,
-          refresh_token, credentials,
+          refresh_token,
+          credentials,
           parameters,
         )
       end

data/lib/doorkeeper/request/strategy.rb

@@ -3,12 +3,12 @@
 module Doorkeeper
   module Request
     class Strategy
-      attr_accessor :server
+      attr_reader :server
 
       delegate :authorize, to: :request
 
       def initialize(server)
-        self.server = server
+        @server = server
       end
 
       def request

data/lib/doorkeeper/server.rb

@@ -2,19 +2,19 @@
 
 module Doorkeeper
   class Server
-    attr_accessor :context
+    attr_reader :context
 
-    def initialize(context = nil)
+    def initialize(context)
       @context = context
     end
 
     def authorization_request(strategy)
-      klass = Request.authorization_strategy strategy
+      klass = Request.authorization_strategy(strategy)
       klass.new(self)
     end
 
     def token_request(strategy)
-      klass = Request.token_strategy strategy
+      klass = Request.token_strategy(strategy)
       klass.new(self)
     end
 

data/lib/doorkeeper/stale_records_cleaner.rb

@@ -13,12 +13,12 @@ module Doorkeeper
       raise Doorkeeper::Errors::NoOrmCleaner, "'#{configured_orm}' ORM has no cleaner!"
     end
 
-    def self.configured_orm
-      Doorkeeper.config.orm
-    end
-
     def self.new(base_scope)
       self.for(base_scope)
     end
+
+    def self.configured_orm
+      Doorkeeper.config.orm
+    end
   end
 end

data/lib/doorkeeper/version.rb

@@ -8,8 +8,8 @@ module Doorkeeper
   module VERSION
     # Semantic versioning
     MAJOR = 5
-    MINOR = 3
-    TINY = 3
+    MINOR = 4
+    TINY = 0
     PRE = nil
 
     # Full version number