doorkeeper 5.3.3 → 5.4.0

data/lib/doorkeeper.rb

@@ -1,89 +1,116 @@
 # frozen_string_literal: true
 
-require "doorkeeper/version"
-require "doorkeeper/engine"
 require "doorkeeper/config"
-
-require "doorkeeper/request/strategy"
-require "doorkeeper/request/authorization_code"
-require "doorkeeper/request/client_credentials"
-require "doorkeeper/request/code"
-require "doorkeeper/request/password"
-require "doorkeeper/request/refresh_token"
-require "doorkeeper/request/token"
-
-require "doorkeeper/errors"
-require "doorkeeper/server"
-require "doorkeeper/request"
-require "doorkeeper/validations"
-
-require "doorkeeper/oauth/authorization/code"
-require "doorkeeper/oauth/authorization/context"
-require "doorkeeper/oauth/authorization/token"
-require "doorkeeper/oauth/authorization/uri_builder"
-require "doorkeeper/oauth/helpers/scope_checker"
-require "doorkeeper/oauth/helpers/uri_checker"
-require "doorkeeper/oauth/helpers/unique_token"
-
-require "doorkeeper/oauth"
-require "doorkeeper/oauth/scopes"
-require "doorkeeper/oauth/error"
-require "doorkeeper/oauth/base_response"
-require "doorkeeper/oauth/code_response"
-require "doorkeeper/oauth/token_response"
-require "doorkeeper/oauth/error_response"
-require "doorkeeper/oauth/pre_authorization"
-require "doorkeeper/oauth/base_request"
-require "doorkeeper/oauth/authorization_code_request"
-require "doorkeeper/oauth/refresh_token_request"
-require "doorkeeper/oauth/password_access_token_request"
-
-require "doorkeeper/oauth/client_credentials/validator"
-require "doorkeeper/oauth/client_credentials/creator"
-require "doorkeeper/oauth/client_credentials/issuer"
-require "doorkeeper/oauth/client/credentials"
-
-require "doorkeeper/oauth/client_credentials_request"
-require "doorkeeper/oauth/code_request"
-require "doorkeeper/oauth/token_request"
-require "doorkeeper/oauth/client"
-require "doorkeeper/oauth/token"
-require "doorkeeper/oauth/token_introspection"
-require "doorkeeper/oauth/invalid_token_response"
-require "doorkeeper/oauth/forbidden_token_response"
-require "doorkeeper/oauth/invalid_request_response"
-require "doorkeeper/oauth/nonstandard"
-
-require "doorkeeper/secret_storing/base"
-require "doorkeeper/secret_storing/plain"
-require "doorkeeper/secret_storing/sha256_hash"
-require "doorkeeper/secret_storing/bcrypt"
-
-require "doorkeeper/models/concerns/orderable"
-require "doorkeeper/models/concerns/scopes"
-require "doorkeeper/models/concerns/expirable"
-require "doorkeeper/models/concerns/reusable"
-require "doorkeeper/models/concerns/revocable"
-require "doorkeeper/models/concerns/accessible"
-require "doorkeeper/models/concerns/secret_storable"
-
-require "doorkeeper/models/access_grant_mixin"
-require "doorkeeper/models/access_token_mixin"
-require "doorkeeper/models/application_mixin"
-
-require "doorkeeper/helpers/controller"
-
-require "doorkeeper/rails/routes"
-require "doorkeeper/rails/helpers"
-
-require "doorkeeper/rake"
-require "doorkeeper/stale_records_cleaner"
-
-require "doorkeeper/orm/active_record"
+require "doorkeeper/engine"
 
 # Main Doorkeeper namespace.
 #
 module Doorkeeper
+  autoload :Errors, "doorkeeper/errors"
+  autoload :OAuth, "doorkeeper/oauth"
+  autoload :Rake, "doorkeeper/rake"
+  autoload :Request, "doorkeeper/request"
+  autoload :Server, "doorkeeper/server"
+  autoload :StaleRecordsCleaner, "doorkeeper/stale_records_cleaner"
+  autoload :Validations, "doorkeeper/validations"
+  autoload :VERSION, "doorkeeper/version"
+
+  autoload :AccessGrantMixin, "doorkeeper/models/access_grant_mixin"
+  autoload :AccessTokenMixin, "doorkeeper/models/access_token_mixin"
+  autoload :ApplicationMixin, "doorkeeper/models/application_mixin"
+
+  module Helpers
+    autoload :Controller, "doorkeeper/helpers/controller"
+  end
+
+  module Request
+    autoload :Strategy, "doorkeeper/request/strategy"
+    autoload :AuthorizationCode, "doorkeeper/request/authorization_code"
+    autoload :ClientCredentials, "doorkeeper/request/client_credentials"
+    autoload :Code, "doorkeeper/request/code"
+    autoload :Password, "doorkeeper/request/password"
+    autoload :RefreshToken, "doorkeeper/request/refresh_token"
+    autoload :Token, "doorkeeper/request/token"
+  end
+
+  module OAuth
+    autoload :BaseRequest, "doorkeeper/oauth/base_request"
+    autoload :AuthorizationCodeRequest, "doorkeeper/oauth/authorization_code_request"
+    autoload :BaseResponse, "doorkeeper/oauth/base_response"
+    autoload :CodeResponse, "doorkeeper/oauth/code_response"
+    autoload :Client, "doorkeeper/oauth/client"
+    autoload :ClientCredentialsRequest, "doorkeeper/oauth/client_credentials_request"
+    autoload :CodeRequest, "doorkeeper/oauth/code_request"
+    autoload :ErrorResponse, "doorkeeper/oauth/error_response"
+    autoload :Error, "doorkeeper/oauth/error"
+    autoload :InvalidTokenResponse, "doorkeeper/oauth/invalid_token_response"
+    autoload :InvalidRequestResponse, "doorkeeper/oauth/invalid_request_response"
+    autoload :ForbiddenTokenResponse, "doorkeeper/oauth/forbidden_token_response"
+    autoload :NonStandard, "doorkeeper/oauth/nonstandard"
+    autoload :PasswordAccessTokenRequest, "doorkeeper/oauth/password_access_token_request"
+    autoload :PreAuthorization, "doorkeeper/oauth/pre_authorization"
+    autoload :RefreshTokenRequest, "doorkeeper/oauth/refresh_token_request"
+    autoload :Scopes, "doorkeeper/oauth/scopes"
+    autoload :Token, "doorkeeper/oauth/token"
+    autoload :TokenIntrospection, "doorkeeper/oauth/token_introspection"
+    autoload :TokenRequest, "doorkeeper/oauth/token_request"
+    autoload :TokenResponse, "doorkeeper/oauth/token_response"
+
+    module Authorization
+      autoload :Code, "doorkeeper/oauth/authorization/code"
+      autoload :Context, "doorkeeper/oauth/authorization/context"
+      autoload :Token, "doorkeeper/oauth/authorization/token"
+      autoload :URIBuilder, "doorkeeper/oauth/authorization/uri_builder"
+    end
+
+    class Client
+      autoload :Credentials, "doorkeeper/oauth/client/credentials"
+    end
+
+    module ClientCredentials
+      autoload :Validator, "doorkeeper/oauth/client_credentials/validator"
+      autoload :Creator, "doorkeeper/oauth/client_credentials/creator"
+      autoload :Issuer, "doorkeeper/oauth/client_credentials/issuer"
+    end
+
+    module Helpers
+      autoload :ScopeChecker, "doorkeeper/oauth/helpers/scope_checker"
+      autoload :URIChecker, "doorkeeper/oauth/helpers/uri_checker"
+      autoload :UniqueToken, "doorkeeper/oauth/helpers/unique_token"
+    end
+
+    module Hooks
+      autoload :Context, "doorkeeper/oauth/hooks/context"
+    end
+  end
+
+  module Models
+    autoload :Accessible, "doorkeeper/models/concerns/accessible"
+    autoload :Expirable, "doorkeeper/models/concerns/expirable"
+    autoload :Orderable, "doorkeeper/models/concerns/orderable"
+    autoload :Scopes, "doorkeeper/models/concerns/scopes"
+    autoload :Reusable, "doorkeeper/models/concerns/reusable"
+    autoload :ResourceOwnerable, "doorkeeper/models/concerns/resource_ownerable"
+    autoload :Revocable, "doorkeeper/models/concerns/revocable"
+    autoload :SecretStorable, "doorkeeper/models/concerns/secret_storable"
+  end
+
+  module Orm
+    autoload :ActiveRecord, "doorkeeper/orm/active_record"
+  end
+
+  module Rails
+    autoload :Helpers, "doorkeeper/rails/helpers"
+    autoload :Routes, "doorkeeper/rails/routes"
+  end
+
+  module SecretStoring
+    autoload :Base, "doorkeeper/secret_storing/base"
+    autoload :Plain, "doorkeeper/secret_storing/plain"
+    autoload :Sha256Hash, "doorkeeper/secret_storing/sha256_hash"
+    autoload :BCrypt, "doorkeeper/secret_storing/bcrypt"
+  end
+
   def self.authenticate(request, methods = Doorkeeper.config.access_token_methods)
     OAuth::Token.authenticate(request, *methods)
   end

data/lib/generators/doorkeeper/confidential_applications_generator.rb

@@ -12,7 +12,7 @@ module Doorkeeper
     source_root File.expand_path("templates", __dir__)
     desc "Add confidential column to Doorkeeper applications"
 
-    def pkce
+    def confidential_applications
       migration_template(
         "add_confidential_to_applications.rb.erb",
         "db/migrate/add_confidential_to_applications.rb",

data/lib/generators/doorkeeper/enable_polymorphic_resource_owner_generator.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require "rails/generators"
+require "rails/generators/active_record"
+
+module Doorkeeper
+  # Generates migration with polymorphic resource owner required
+  # database columns for Doorkeeper Access Token and Access Grant
+  # models.
+  #
+  class EnablePolymorphicResourceOwnerGenerator < ::Rails::Generators::Base
+    include ::Rails::Generators::Migration
+    source_root File.expand_path("templates", __dir__)
+    desc "Provide support for polymorphic Resource Owner."
+
+    def enable_polymorphic_resource_owner
+      migration_template(
+        "enable_polymorphic_resource_owner_migration.rb.erb",
+        "db/migrate/enable_polymorphic_resource_owner.rb",
+        migration_version: migration_version,
+      )
+      gsub_file(
+        "config/initializers/doorkeeper.rb",
+        "# use_polymorphic_resource_owner",
+        "use_polymorphic_resource_owner",
+      )
+    end
+
+    def self.next_migration_number(dirname)
+      ActiveRecord::Generators::Base.next_migration_number(dirname)
+    end
+
+    private
+
+    def migration_version
+      "[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
+    end
+  end
+end

data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class AddOwnerToApplication < ActiveRecord::Migration<%= migration_version %>
   def change
     add_column :oauth_applications, :owner_id, :integer, null: true

data/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb.erb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class AddPreviousRefreshTokenToAccessTokens < ActiveRecord::Migration<%= migration_version %>
   def change
     add_column(

data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class EnablePkce < ActiveRecord::Migration<%= migration_version %>
   def change
     add_column :oauth_access_grants, :code_challenge, :string, null: true

data/lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class EnablePolymorphicResourceOwner < ActiveRecord::Migration<%= migration_version %>
+  def change
+    add_column :oauth_access_tokens, :resource_owner_type, :string
+    add_column :oauth_access_grants, :resource_owner_type, :string
+    change_column_null :oauth_access_grants, :resource_owner_type, false
+
+    add_index :oauth_access_tokens,
+              [:resource_owner_id, :resource_owner_type],
+              name: 'polymorphic_owner_oauth_access_tokens'
+
+    add_index :oauth_access_grants,
+              [:resource_owner_id, :resource_owner_type],
+              name: 'polymorphic_owner_oauth_access_grants'
+  end
+end

data/lib/generators/doorkeeper/templates/initializer.rb

@@ -58,6 +58,23 @@ Doorkeeper.configure do
   #   end
   # end
 
+  # Enables polymorphic Resource Owner association for Access Tokens and Access Grants.
+  # By default this option is disabled.
+  #
+  # Make sure you properly setup you database and have all the required columns (run
+  # `bundle exec rails generate doorkeeper:enable_polymorphic_resource_owner` and execute Rails
+  # migrations).
+  #
+  # If this option enabled, Doorkeeper will store not only Resource Owner primary key
+  # value, but also it's type (class name). See "Polymorphic Associations" section of
+  # Rails guides: https://guides.rubyonrails.org/association_basics.html#polymorphic-associations
+  #
+  # [NOTE] If you apply this option on already existing project don't forget to manually
+  # update `resource_owner_type` column in the database and fix migration template as it will
+  # set NOT NULL constraint for Access Grants table.
+  #
+  # use_polymorphic_resource_owner
+
   # If you are planning to use Doorkeeper in Rails 5 API-only application, then you might
   # want to use API mode that will skip all the views management and change the way how
   # Doorkeeper responds to a requests.
@@ -360,6 +377,17 @@ Doorkeeper.configure do
   #   client.grant_flows.include?(grant_flow)
   # end
 
+  # If you need arbitrary Resource Owner-Client authorization you can enable this option
+  # and implement the check your need. Config option must respond to #call and return
+  # true in case resource owner authorized for the specific application or false in other
+  # cases.
+  #
+  # Be default all Resource Owners are authorized to any Client (application).
+  #
+  # authorize_resource_owner_for_client do |client, resource_owner|
+  #   resource_owner.admin? || client.owners_whitelist.include?(resource_owner)
+  # end
+
   # Hook into the strategies' request & response life-cycle in case your
   # application needs advanced customization or logging:
   #
@@ -372,17 +400,25 @@ Doorkeeper.configure do
   # end
 
   # Hook into Authorization flow in order to implement Single Sign Out
-  # or add any other functionality.
+  # or add any other functionality. Inside the block you have an access
+  # to `controller` (authorizations controller instance) and `context`
+  # (Doorkeeper::OAuth::Hooks::Context instance) which provides pre auth
+  # or auth objects with issued token based on hook type (before or after).
   #
-  # before_successful_authorization do |controller|
+  # before_successful_authorization do |controller, context|
   #   Rails.logger.info(controller.request.params.inspect)
+  #
+  #   Rails.logger.info(context.pre_auth.inspect)
   # end
   #
-  # after_successful_authorization do |controller|
+  # after_successful_authorization do |controller, context|
   #   controller.session[:logout_urls] <<
   #     Doorkeeper::Application
   #       .find_by(controller.request.params.slice(:redirect_uri))
   #       .logout_uri
+  #
+  #   Rails.logger.info(context.auth.inspect)
+  #   Rails.logger.info(context.issued_token)
   # end
 
   # Under some circumstances you might want to have applications auto-approved,

data/lib/generators/doorkeeper/templates/migration.rb.erb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
   def change
     create_table :oauth_applications do |t|
@@ -55,12 +57,19 @@ class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
       t.datetime :created_at, null: false
       t.string   :scopes
 
-      # If there is a previous_refresh_token column,
+      # The authorization server MAY issue a new refresh token, in which case
+      # *the client MUST discard the old refresh token* and replace it with the
+      # new refresh token. The authorization server MAY revoke the old
+      # refresh token after issuing a new refresh token to the client.
+      # @see https://tools.ietf.org/html/rfc6749#section-6
+      #
+      # Doorkeeper implementation: if there is a `previous_refresh_token` column,
       # refresh tokens will be revoked after a related access token is used.
-      # If there is no previous_refresh_token column,
-      # previous tokens are revoked as soon as a new access token is created.
-      # Comment out this line if you'd rather have refresh tokens
-      # instantly revoked.
+      # If there is no `previous_refresh_token` column, previous tokens are
+      # revoked as soon as a new access token is created.
+      #
+      # Comment out this line if you want refresh tokens to be instantly
+      # revoked after use.
       t.string   :previous_refresh_token, null: false, default: ""
     end