doorkeeper 5.3.3 → 5.5.0.rc2



Files changed (233) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +125 -7
  3. data/README.md +6 -4
  4. data/app/controllers/doorkeeper/applications_controller.rb +4 -4
  5. data/app/controllers/doorkeeper/authorizations_controller.rb +46 -16
  6. data/app/controllers/doorkeeper/authorized_applications_controller.rb +2 -2
  7. data/app/controllers/doorkeeper/tokens_controller.rb +67 -22
  8. data/app/views/doorkeeper/applications/_form.html.erb +1 -1
  9. data/app/views/doorkeeper/applications/show.html.erb +35 -14
  10. data/app/views/doorkeeper/authorizations/form_post.html.erb +11 -0
  11. data/config/locales/en.yml +6 -2
  12. data/lib/doorkeeper.rb +111 -79
  13. data/lib/doorkeeper/config.rb +148 -94
  14. data/lib/doorkeeper/config/abstract_builder.rb +28 -0
  15. data/lib/doorkeeper/config/option.rb +26 -14
  16. data/lib/doorkeeper/config/validations.rb +53 -0
  17. data/lib/doorkeeper/engine.rb +1 -1
  18. data/lib/doorkeeper/grant_flow.rb +45 -0
  19. data/lib/doorkeeper/grant_flow/fallback_flow.rb +15 -0
  20. data/lib/doorkeeper/grant_flow/flow.rb +44 -0
  21. data/lib/doorkeeper/grant_flow/registry.rb +50 -0
  22. data/lib/doorkeeper/grape/helpers.rb +1 -1
  23. data/lib/doorkeeper/helpers/controller.rb +8 -4
  24. data/lib/doorkeeper/models/access_grant_mixin.rb +21 -18
  25. data/lib/doorkeeper/models/access_token_mixin.rb +110 -47
  26. data/lib/doorkeeper/models/application_mixin.rb +5 -4
  27. data/lib/doorkeeper/models/concerns/resource_ownerable.rb +47 -0
  28. data/lib/doorkeeper/models/concerns/revocable.rb +1 -1
  29. data/lib/doorkeeper/models/concerns/scopes.rb +5 -1
  30. data/lib/doorkeeper/models/concerns/secret_storable.rb +1 -3
  31. data/lib/doorkeeper/oauth/authorization/code.rb +19 -6
  32. data/lib/doorkeeper/oauth/authorization/context.rb +5 -5
  33. data/lib/doorkeeper/oauth/authorization/token.rb +18 -16
  34. data/lib/doorkeeper/oauth/authorization/uri_builder.rb +4 -4
  35. data/lib/doorkeeper/oauth/authorization_code_request.rb +17 -14
  36. data/lib/doorkeeper/oauth/base_request.rb +12 -20
  37. data/lib/doorkeeper/oauth/client.rb +1 -1
  38. data/lib/doorkeeper/oauth/client/credentials.rb +2 -4
  39. data/lib/doorkeeper/oauth/client_credentials/creator.rb +27 -8
  40. data/lib/doorkeeper/oauth/client_credentials/issuer.rb +4 -2
  41. data/lib/doorkeeper/oauth/client_credentials/validator.rb +4 -2
  42. data/lib/doorkeeper/oauth/client_credentials_request.rb +8 -7
  43. data/lib/doorkeeper/oauth/code_request.rb +3 -3
  44. data/lib/doorkeeper/oauth/code_response.rb +22 -12
  45. data/lib/doorkeeper/oauth/error_response.rb +6 -7
  46. data/lib/doorkeeper/oauth/helpers/scope_checker.rb +2 -8
  47. data/lib/doorkeeper/oauth/hooks/context.rb +21 -0
  48. data/lib/doorkeeper/oauth/invalid_token_response.rb +2 -2
  49. data/lib/doorkeeper/oauth/password_access_token_request.rb +24 -7
  50. data/lib/doorkeeper/oauth/pre_authorization.rb +63 -32
  51. data/lib/doorkeeper/oauth/refresh_token_request.rb +31 -22
  52. data/lib/doorkeeper/oauth/token.rb +5 -6
  53. data/lib/doorkeeper/oauth/token_introspection.rb +4 -8
  54. data/lib/doorkeeper/oauth/token_request.rb +3 -3
  55. data/lib/doorkeeper/oauth/token_response.rb +1 -1
  56. data/lib/doorkeeper/orm/active_record.rb +14 -7
  57. data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +8 -3
  58. data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +7 -3
  59. data/lib/doorkeeper/orm/active_record/mixins/application.rb +6 -3
  60. data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb +5 -0
  61. data/lib/doorkeeper/rails/routes.rb +14 -20
  62. data/lib/doorkeeper/rails/routes/abstract_router.rb +35 -0
  63. data/lib/doorkeeper/rails/routes/mapper.rb +2 -2
  64. data/lib/doorkeeper/rails/routes/registry.rb +45 -0
  65. data/lib/doorkeeper/request.rb +49 -12
  66. data/lib/doorkeeper/request/refresh_token.rb +2 -1
  67. data/lib/doorkeeper/request/strategy.rb +2 -2
  68. data/lib/doorkeeper/server.rb +4 -4
  69. data/lib/doorkeeper/stale_records_cleaner.rb +4 -4
  70. data/lib/doorkeeper/version.rb +3 -7
  71. data/lib/generators/doorkeeper/confidential_applications_generator.rb +1 -1
  72. data/lib/generators/doorkeeper/enable_polymorphic_resource_owner_generator.rb +39 -0
  73. data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +3 -1
  74. data/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb.erb +2 -0
  75. data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +2 -0
  76. data/lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb +17 -0
  77. data/lib/generators/doorkeeper/templates/initializer.rb +48 -10
  78. data/lib/generators/doorkeeper/templates/migration.rb.erb +14 -5
  79. metadata +30 -300
  80. data/Appraisals +0 -40
  81. data/CODE_OF_CONDUCT.md +0 -46
  82. data/CONTRIBUTING.md +0 -49
  83. data/Dangerfile +0 -67
  84. data/Dockerfile +0 -29
  85. data/Gemfile +0 -25
  86. data/NEWS.md +0 -1
  87. data/RELEASING.md +0 -11
  88. data/Rakefile +0 -28
  89. data/SECURITY.md +0 -15
  90. data/UPGRADE.md +0 -2
  91. data/bin/console +0 -16
  92. data/doorkeeper.gemspec +0 -42
  93. data/gemfiles/rails_5_0.gemfile +0 -18
  94. data/gemfiles/rails_5_1.gemfile +0 -18
  95. data/gemfiles/rails_5_2.gemfile +0 -18
  96. data/gemfiles/rails_6_0.gemfile +0 -18
  97. data/gemfiles/rails_master.gemfile +0 -18
  98. data/spec/controllers/application_metal_controller_spec.rb +0 -64
  99. data/spec/controllers/applications_controller_spec.rb +0 -274
  100. data/spec/controllers/authorizations_controller_spec.rb +0 -608
  101. data/spec/controllers/protected_resources_controller_spec.rb +0 -361
  102. data/spec/controllers/token_info_controller_spec.rb +0 -50
  103. data/spec/controllers/tokens_controller_spec.rb +0 -498
  104. data/spec/dummy/Rakefile +0 -9
  105. data/spec/dummy/app/assets/config/manifest.js +0 -2
  106. data/spec/dummy/app/controllers/application_controller.rb +0 -5
  107. data/spec/dummy/app/controllers/custom_authorizations_controller.rb +0 -9
  108. data/spec/dummy/app/controllers/full_protected_resources_controller.rb +0 -14
  109. data/spec/dummy/app/controllers/home_controller.rb +0 -18
  110. data/spec/dummy/app/controllers/metal_controller.rb +0 -13
  111. data/spec/dummy/app/controllers/semi_protected_resources_controller.rb +0 -13
  112. data/spec/dummy/app/helpers/application_helper.rb +0 -7
  113. data/spec/dummy/app/models/user.rb +0 -7
  114. data/spec/dummy/app/views/home/index.html.erb +0 -0
  115. data/spec/dummy/app/views/layouts/application.html.erb +0 -14
  116. data/spec/dummy/config.ru +0 -6
  117. data/spec/dummy/config/application.rb +0 -49
  118. data/spec/dummy/config/boot.rb +0 -7
  119. data/spec/dummy/config/database.yml +0 -15
  120. data/spec/dummy/config/environment.rb +0 -5
  121. data/spec/dummy/config/environments/development.rb +0 -31
  122. data/spec/dummy/config/environments/production.rb +0 -64
  123. data/spec/dummy/config/environments/test.rb +0 -45
  124. data/spec/dummy/config/initializers/backtrace_silencers.rb +0 -9
  125. data/spec/dummy/config/initializers/doorkeeper.rb +0 -166
  126. data/spec/dummy/config/initializers/secret_token.rb +0 -10
  127. data/spec/dummy/config/initializers/session_store.rb +0 -10
  128. data/spec/dummy/config/initializers/wrap_parameters.rb +0 -16
  129. data/spec/dummy/config/locales/doorkeeper.en.yml +0 -5
  130. data/spec/dummy/config/routes.rb +0 -13
  131. data/spec/dummy/db/migrate/20111122132257_create_users.rb +0 -11
  132. data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb +0 -7
  133. data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +0 -69
  134. data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb +0 -9
  135. data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb +0 -13
  136. data/spec/dummy/db/migrate/20170822064514_enable_pkce.rb +0 -8
  137. data/spec/dummy/db/migrate/20180210183654_add_confidential_to_applications.rb +0 -13
  138. data/spec/dummy/db/schema.rb +0 -68
  139. data/spec/dummy/public/404.html +0 -26
  140. data/spec/dummy/public/422.html +0 -26
  141. data/spec/dummy/public/500.html +0 -26
  142. data/spec/dummy/public/favicon.ico +0 -0
  143. data/spec/dummy/script/rails +0 -9
  144. data/spec/factories.rb +0 -30
  145. data/spec/generators/application_owner_generator_spec.rb +0 -28
  146. data/spec/generators/confidential_applications_generator_spec.rb +0 -29
  147. data/spec/generators/install_generator_spec.rb +0 -36
  148. data/spec/generators/migration_generator_spec.rb +0 -28
  149. data/spec/generators/pkce_generator_spec.rb +0 -28
  150. data/spec/generators/previous_refresh_token_generator_spec.rb +0 -44
  151. data/spec/generators/templates/routes.rb +0 -4
  152. data/spec/generators/views_generator_spec.rb +0 -29
  153. data/spec/grape/grape_integration_spec.rb +0 -137
  154. data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +0 -26
  155. data/spec/lib/config_spec.rb +0 -809
  156. data/spec/lib/doorkeeper_spec.rb +0 -27
  157. data/spec/lib/models/expirable_spec.rb +0 -61
  158. data/spec/lib/models/reusable_spec.rb +0 -40
  159. data/spec/lib/models/revocable_spec.rb +0 -59
  160. data/spec/lib/models/scopes_spec.rb +0 -53
  161. data/spec/lib/models/secret_storable_spec.rb +0 -135
  162. data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -39
  163. data/spec/lib/oauth/authorization_code_request_spec.rb +0 -170
  164. data/spec/lib/oauth/base_request_spec.rb +0 -224
  165. data/spec/lib/oauth/base_response_spec.rb +0 -45
  166. data/spec/lib/oauth/client/credentials_spec.rb +0 -90
  167. data/spec/lib/oauth/client_credentials/creator_spec.rb +0 -134
  168. data/spec/lib/oauth/client_credentials/issuer_spec.rb +0 -112
  169. data/spec/lib/oauth/client_credentials/validation_spec.rb +0 -59
  170. data/spec/lib/oauth/client_credentials_integration_spec.rb +0 -27
  171. data/spec/lib/oauth/client_credentials_request_spec.rb +0 -107
  172. data/spec/lib/oauth/client_spec.rb +0 -38
  173. data/spec/lib/oauth/code_request_spec.rb +0 -46
  174. data/spec/lib/oauth/code_response_spec.rb +0 -32
  175. data/spec/lib/oauth/error_response_spec.rb +0 -64
  176. data/spec/lib/oauth/error_spec.rb +0 -21
  177. data/spec/lib/oauth/forbidden_token_response_spec.rb +0 -20
  178. data/spec/lib/oauth/helpers/scope_checker_spec.rb +0 -110
  179. data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -21
  180. data/spec/lib/oauth/helpers/uri_checker_spec.rb +0 -262
  181. data/spec/lib/oauth/invalid_request_response_spec.rb +0 -73
  182. data/spec/lib/oauth/invalid_token_response_spec.rb +0 -53
  183. data/spec/lib/oauth/password_access_token_request_spec.rb +0 -190
  184. data/spec/lib/oauth/pre_authorization_spec.rb +0 -223
  185. data/spec/lib/oauth/refresh_token_request_spec.rb +0 -177
  186. data/spec/lib/oauth/scopes_spec.rb +0 -146
  187. data/spec/lib/oauth/token_request_spec.rb +0 -157
  188. data/spec/lib/oauth/token_response_spec.rb +0 -84
  189. data/spec/lib/oauth/token_spec.rb +0 -156
  190. data/spec/lib/request/strategy_spec.rb +0 -54
  191. data/spec/lib/secret_storing/base_spec.rb +0 -60
  192. data/spec/lib/secret_storing/bcrypt_spec.rb +0 -49
  193. data/spec/lib/secret_storing/plain_spec.rb +0 -44
  194. data/spec/lib/secret_storing/sha256_hash_spec.rb +0 -48
  195. data/spec/lib/server_spec.rb +0 -49
  196. data/spec/lib/stale_records_cleaner_spec.rb +0 -89
  197. data/spec/models/doorkeeper/access_grant_spec.rb +0 -161
  198. data/spec/models/doorkeeper/access_token_spec.rb +0 -622
  199. data/spec/models/doorkeeper/application_spec.rb +0 -482
  200. data/spec/requests/applications/applications_request_spec.rb +0 -259
  201. data/spec/requests/applications/authorized_applications_spec.rb +0 -32
  202. data/spec/requests/endpoints/authorization_spec.rb +0 -91
  203. data/spec/requests/endpoints/token_spec.rb +0 -75
  204. data/spec/requests/flows/authorization_code_errors_spec.rb +0 -79
  205. data/spec/requests/flows/authorization_code_spec.rb +0 -525
  206. data/spec/requests/flows/client_credentials_spec.rb +0 -166
  207. data/spec/requests/flows/implicit_grant_errors_spec.rb +0 -46
  208. data/spec/requests/flows/implicit_grant_spec.rb +0 -91
  209. data/spec/requests/flows/password_spec.rb +0 -316
  210. data/spec/requests/flows/refresh_token_spec.rb +0 -233
  211. data/spec/requests/flows/revoke_token_spec.rb +0 -157
  212. data/spec/requests/flows/skip_authorization_spec.rb +0 -66
  213. data/spec/requests/protected_resources/metal_spec.rb +0 -16
  214. data/spec/requests/protected_resources/private_api_spec.rb +0 -83
  215. data/spec/routing/custom_controller_routes_spec.rb +0 -133
  216. data/spec/routing/default_routes_spec.rb +0 -41
  217. data/spec/routing/scoped_routes_spec.rb +0 -47
  218. data/spec/spec_helper.rb +0 -54
  219. data/spec/spec_helper_integration.rb +0 -4
  220. data/spec/support/dependencies/factory_bot.rb +0 -4
  221. data/spec/support/doorkeeper_rspec.rb +0 -22
  222. data/spec/support/helpers/access_token_request_helper.rb +0 -13
  223. data/spec/support/helpers/authorization_request_helper.rb +0 -43
  224. data/spec/support/helpers/config_helper.rb +0 -11
  225. data/spec/support/helpers/model_helper.rb +0 -78
  226. data/spec/support/helpers/request_spec_helper.rb +0 -110
  227. data/spec/support/helpers/url_helper.rb +0 -62
  228. data/spec/support/orm/active_record.rb +0 -5
  229. data/spec/support/shared/controllers_shared_context.rb +0 -133
  230. data/spec/support/shared/hashing_shared_context.rb +0 -36
  231. data/spec/support/shared/models_shared_examples.rb +0 -54
  232. data/spec/validators/redirect_uri_validator_spec.rb +0 -183
  233. data/spec/version/version_spec.rb +0 -17
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 4d3ed9e21e9d404f1c7f67a48a36a5745d9a5a7aca05b9ae63fbd10c6d170ac1
4
- data.tar.gz: 21ab4db448c9404a7067e8223433a8aa2ecfe955fd3729e7038efafd616c4237
3
+ metadata.gz: 71ef97409e242e0609d9c327836e2f90f92af440c8f989047b83435f7f8b052d
4
+ data.tar.gz: f12a030d12ca321fbf1b0acd4534707afba6c584b77d307698943a879cd33500
5
5
  SHA512:
6
- metadata.gz: a03ea8dbf25bc5d48f2fa92942c73dfefa74978d16229b79f1f6d691e0d591ecdc08be84bc243139a1a4df50091fde2d039f5dcae65a8250477e309a31ad054d
7
- data.tar.gz: 7f6445f2beb910ba6b3cdeebd5d0d265986f49bb400ccccdbd811f7be8e34e5e029e07acfe22330729fe9065169b1807a4c98094abf3d247fe7175a1cd52daf5
6
+ metadata.gz: bdda34cda76caffdeaec38be0c06ba733cc15480970bd78b48267c66764a64643423d61a2adb6c1c65643d3df2061ab3d86ad82baf970676276d7b1655fb846b
7
+ data.tar.gz: 8218ad9ad8248192f93253940623564784f339b78594cf00c000c33f9a6a9bd06f6cc5ee9fbcc207d4af3b499712387d39756c7ef6c709e9a7afe991efdfa5af
@@ -5,20 +5,112 @@ upgrade guides.
5
5
 
6
6
  User-visible changes worth mentioning.
7
7
 
8
- ## 5.3.3
8
+ ## master
9
9
 
10
- - [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
10
+ - [#PR ID] Add your PR description here.
11
11
 
12
- ## 5.3.2
12
+ ## 5.5.0.rc2
13
13
 
14
- - [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
15
- Fixes information disclosure vulnerability (CVE-2020-10187).
14
+ - [#1473] Enable `Applications` and `AuthorizedApplications` controllers in API mode.
15
+
16
+ **[IMPORTANT]** you can still skip these controllers using `skip_controllers` in
17
+ `use_doorkeeper` inside `routes.rb`. Please do it in case you don't need them.
16
18
 
19
+ - [#1472] Fix `establish_connection` configuration for custom defined models.
20
+ - [#1471] Add support for Ruby 3.0.
21
+ - [#1469] Check if `redirect_uri` exists.
22
+ - [#1465] Memoize nil doorkeeper_token.
23
+ - [#1459] Use built-in Ruby option to remove padding in PKCE code challenge value.
24
+ - [#1457] Make owner_id a bigint for newly-generated owner migrations
25
+ - [#1452] Empty previous_refresh_token only if present.
26
+ - [#1440] Validate empty host in redirect_uri.
27
+ - [#1438] Add form post response mode.
28
+ - [#1458] Make `config.skip_client_authentication_for_password_grant` a long term configuration option.
29
+
30
+ ## 5.5.0.rc1
31
+
32
+ - [#1435] Make error response not redirectable when client is unauthorized
33
+ - [#1426] Ensure ActiveRecord callbacks are executed on token revocation.
34
+ - [#1407] Remove redundant and complex to support helpers froms tests (`should_have_json`, etc).
35
+ - [#1416] Don't add introspection route if token introspection completely disabled.
36
+ - [#1410] Properly memoize `current_resource_owner` value (consider `nil` and `false` values).
37
+ - [#1415] Ignore PKCE params for non-PKCE grants.
38
+ - [#1418] Add ability to register custom OAuth Grant Flows.
39
+ - [#1420] Require client authentication for Resource Owner Password Grant as stated in OAuth RFC.
40
+
41
+ **[IMPORTANT]** you need to create a new OAuth client (`Doorkeeper::Application`) if you didn't
42
+ have it before and use client credentials in HTTP Basic auth if you previously used this grant
43
+ flow without client authentication. To opt out of this you could set the
44
+ `skip_client_authentication_for_password_grant` configuration option to `true`, but note that
45
+ this is in violation of the OAuth spec and represents a security risk.
46
+ All the users of your provider application now need to include client credentials when they use
47
+ this grant flow.
48
+
49
+ - [#1421] Add Resource Owner instance to authorization hook context for `custom_access_token_expires_in`
50
+ configuration option to allow resource owner based Access Tokens TTL.
51
+
52
+ ## 5.4.0
53
+
54
+ - [#1404] Make `Doorkeeper::Application#read_attribute_for_serialization` public.
55
+
56
+ ## 5.4.0.rc2
57
+
58
+ - [#1371] Add `#as_json` method and attributes serialization restriction for Application model.
59
+ Fixes information disclosure vulnerability (CVE-2020-10187).
60
+
17
61
  **[IMPORTANT]** you need to re-implement `#as_json` method for Doorkeeper Application model
18
62
  if you previously used `#to_json` serialization with custom options or attributes or rely on
19
63
  JSON response from /oauth/applications.json or /oauth/authorized_applications.json. This change
20
64
  is a breaking change which restricts serialized attributes to a very small set of columns.
21
65
 
66
+ - [#1395] Fix `NameError: uninitialized constant Doorkeeper::AccessToken` for Rake tasks.
67
+ - [#1397] Add `as: :doorkeeper_application` on Doorkeeper application form in order to support
68
+ custom configured application model.
69
+ - [#1400] Correctly yield the application instance to `allow_grant_flow_for_client?` config
70
+ option (fixes #1398).
71
+ - [#1402] Handle trying authorization with client credentials.
72
+
73
+ ## 5.4.0.rc1
74
+ - [#1366] Sets expiry of token generated using `refresh_token` to that of original token. (Fixes #1364)
75
+ - [#1354] Add `authorize_resource_owner_for_client` option to authorize the calling user to access an application.
76
+ - [#1355] Allow to enable polymorphic Resource Owner association for Access Token & Grant
77
+ models (`use_polymorphic_resource_owner` configuration option).
78
+
79
+ **[IMPORTANT]** Review your custom patches or extensions for Doorkeeper internals if you
80
+ have such - since now Doorkeeper passes Resource Owner instance to every objects and not
81
+ just it's ID. See PR description for details.
82
+
83
+ - [#1356] Remove duplicated scopes from Access Tokens and Grants on attribute assignment.
84
+ - [#1357] Fix `Doorkeeper::OAuth::PreAuthorization#as_json` method causing
85
+ `Stack level too deep` error with AMS (fix #1312).
86
+ - [#1358] Deprecate `active_record_options` configuration option.
87
+ - [#1359] Refactor Doorkeeper configuration options DSL to make it easy to reuse it
88
+ in external extensions.
89
+ - [#1360] Increase `matching_token_for` lookup size to 10 000 and make it configurable.
90
+ - [#1371] Fix controllers to use valid classes in case Doorkeeper has custom models configured.
91
+ - [#1370] Fix revocation response for invalid token and unauthorized requests to conform with RFC 7009 (fixes #1362).
92
+
93
+ **[IMPORTANT]** now fully according to RFC 7009 nobody can do a revocation request without `client_id`
94
+ (for public clients) and `client_secret` (for private clients). Please update your apps to include that
95
+ info in the revocation request payload.
96
+
97
+ - [#1373] Make Doorkeeper routes mapper reusable in extensions.
98
+ - [#1374] Revoke and issue client credentials token in a transaction with a row lock.
99
+ - [#1384] Add context object with auth/pre_auth and issued_token for authorization hooks.
100
+ - [#1387] Add `AccessToken#create_for` and use in `RefreshTokenRequest`.
101
+ - [#1392] Fix `enable_polymorphic_resource_owner` migration template to have proper index name.
102
+ - [#1393] Improve Applications #show page with more informative data on client secret and scopes.
103
+ - [#1394] Use Ruby `autoload` feature to load Doorkeeper files.
104
+
105
+ ## 5.3.3
106
+
107
+ - [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
108
+
109
+ ## 5.3.2
110
+
111
+ - [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
112
+ Fixes information disclosure vulnerability (CVE-2020-10187).
113
+
22
114
  ## 5.3.1
23
115
 
24
116
  - [#1360] Backport: Increase `matching_token_for` batch lookup size to 10 000 and make it configurable.
@@ -37,9 +129,18 @@ User-visible changes worth mentioning.
37
129
  If you were relying on access tokens being revoked once the same client
38
130
  requested a new access token, reenable it with `revoke_previous_client_credentials_token` in Doorkeeper
39
131
  initialization file.
40
-
132
+
133
+ ## 5.2.6
134
+
135
+ - [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
136
+
137
+ ## 5.2.5
138
+
139
+ - [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
140
+ Fixes information disclosure vulnerability (CVE-2020-10187).
141
+
41
142
  ## 5.2.4
42
-
143
+
43
144
  - [#1360] Backport: Increase `matching_token_for` batch lookup size to 10 000 and make it configurable.
44
145
 
45
146
  ## 5.2.3
@@ -70,6 +171,9 @@ User-visible changes worth mentioning.
70
171
  - [#1298] Slice strong params so doesn't error with Rails forms.
71
172
  - [#1300] Limiting access to attributes of pre_authorization.
72
173
  - [#1296] Adding client_id to strong parameters.
174
+
175
+ **[IMPORTANT]** `Doorkeeper::Server#client_via_uid` was removed.
176
+
73
177
  - [#1293] Move ar specific redirect uri validator to ar orm directory.
74
178
  - [#1288] Allow to pass attributes to the `Doorkeeper::OAuth::PreAuthorization#as_json` method to customize
75
179
  the PreAuthorization response.
@@ -102,6 +206,15 @@ User-visible changes worth mentioning.
102
206
  - [#1248] Return the unhashed Application Secret in the JSON response after creating new application even when `hash_application_secrets` is used.
103
207
  - [#1238] Better support for native app with support for custom scheme and localhost redirection.
104
208
 
209
+ ## 5.1.2
210
+
211
+ - [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
212
+
213
+ ## 5.1.1
214
+
215
+ - [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
216
+ Fixes information disclosure vulnerability (CVE-2020-10187).
217
+
105
218
  ## 5.1.0
106
219
 
107
220
  - [#1243] Add nil check operator in token checking at token introspection.
@@ -163,6 +276,11 @@ User-visible changes worth mentioning.
163
276
  - [#1164] Fix error when `root_path` is not defined.
164
277
  - [#1162] Fix `enforce_content_type` for requests without body.
165
278
 
279
+ ## 5.0.3
280
+
281
+ - [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
282
+ Fixes information disclosure vulnerability (CVE-2020-10187).
283
+
166
284
  ## 5.0.2
167
285
 
168
286
  - [#1158] Fix initializer template: change `handle_auth_errors` option
data/README.md CHANGED
@@ -6,7 +6,7 @@
6
6
  [![Coverage Status](https://coveralls.io/repos/github/doorkeeper-gem/doorkeeper/badge.svg?branch=master)](https://coveralls.io/github/doorkeeper-gem/doorkeeper?branch=master)
7
7
  [![Security](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master.svg)](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master)
8
8
  [![Reviewed by Hound](https://img.shields.io/badge/Reviewed_by-Hound-8E64B0.svg)](https://houndci.com)
9
- [![GuardRails badge](https://badges.production.guardrails.io/doorkeeper-gem/doorkeeper.svg?token=66768ce8f6995814df81f65a2cff40f739f688492704f973e62809e15599bb62)](https://dashboard.guardrails.io/default/gh/doorkeeper-gem/doorkeeper)
9
+ [![GuardRails badge](https://badges.guardrails.io/doorkeeper-gem/doorkeeper.svg?token=66768ce8f6995814df81f65a2cff40f739f688492704f973e62809e15599bb62)](https://dashboard.guardrails.io/default/gh/doorkeeper-gem/doorkeeper)
10
10
  [![Dependabot](https://img.shields.io/badge/dependabot-enabled-success.svg)](https://dependabot.com)
11
11
 
12
12
  Doorkeeper is a gem (Rails engine) that makes it easy to introduce OAuth 2 provider
@@ -113,7 +113,7 @@ These applications show how Doorkeeper works and how to integrate with it. Start
113
113
 
114
114
  | Application | Link |
115
115
  | :--- | :--- |
116
- | oAuth2 Server with Doorkeeper | [doorkeeper-gem/doorkeeper-provider-app](https://github.com/doorkeeper-gem/doorkeeper-provider-app) |
116
+ | OAuth2 Server with Doorkeeper | [doorkeeper-gem/doorkeeper-provider-app](https://github.com/doorkeeper-gem/doorkeeper-provider-app) |
117
117
  | Sinatra Client connected to Provider App | [doorkeeper-gem/doorkeeper-sinatra-client](https://github.com/doorkeeper-gem/doorkeeper-sinatra-client) |
118
118
  | Devise + Omniauth Client | [doorkeeper-gem/doorkeeper-devise-client](https://github.com/doorkeeper-gem/doorkeeper-devise-client) |
119
119
 
@@ -160,6 +160,9 @@ tests with a specific Rails version:
160
160
  BUNDLE_GEMFILE=gemfiles/rails_6_0.gemfile bundle exec rake
161
161
  ```
162
162
 
163
+ You can also experiment with the changes using `bin/console`. It uses in-memory SQLite database and default
164
+ Doorkeeper config, but you can reestablish connection or reconfigure the gem if you need.
165
+
163
166
  ## Contributing
164
167
 
165
168
  Want to contribute and don't know where to start? Check out [features we're
@@ -168,8 +171,7 @@ create [example
168
171
  apps](https://github.com/doorkeeper-gem/doorkeeper/wiki/Example-Applications),
169
172
  integrate the gem with your app and let us know!
170
173
 
171
- Also, check out our [contributing guidelines
172
- page](https://github.com/doorkeeper-gem/doorkeeper/wiki/Contributing).
174
+ Also, check out our [contributing guidelines page](CONTRIBUTING.md).
173
175
 
174
176
  ## Contributors
175
177
 
@@ -8,7 +8,7 @@ module Doorkeeper
8
8
  before_action :set_application, only: %i[show edit update destroy]
9
9
 
10
10
  def index
11
- @applications = Application.ordered_by(:created_at)
11
+ @applications = Doorkeeper.config.application_model.ordered_by(:created_at)
12
12
 
13
13
  respond_to do |format|
14
14
  format.html
@@ -24,11 +24,11 @@ module Doorkeeper
24
24
  end
25
25
 
26
26
  def new
27
- @application = Application.new
27
+ @application = Doorkeeper.config.application_model.new
28
28
  end
29
29
 
30
30
  def create
31
- @application = Application.new(application_params)
31
+ @application = Doorkeeper.config.application_model.new(application_params)
32
32
 
33
33
  if @application.save
34
34
  flash[:notice] = I18n.t(:notice, scope: %i[doorkeeper flash applications create])
@@ -84,7 +84,7 @@ module Doorkeeper
84
84
  private
85
85
 
86
86
  def set_application
87
- @application = Application.find(params[:id])
87
+ @application = Doorkeeper.config.application_model.find(params[:id])
88
88
  end
89
89
 
90
90
  def application_params
@@ -42,9 +42,9 @@ module Doorkeeper
42
42
  end
43
43
 
44
44
  def matching_token?
45
- AccessToken.matching_token_for(
45
+ Doorkeeper.config.access_token_model.matching_token_for(
46
46
  pre_auth.client,
47
- current_resource_owner.id,
47
+ current_resource_owner,
48
48
  pre_auth.scopes,
49
49
  )
50
50
  end
@@ -52,10 +52,19 @@ module Doorkeeper
52
52
  def redirect_or_render(auth)
53
53
  if auth.redirectable?
54
54
  if Doorkeeper.configuration.api_only
55
- render(
56
- json: { status: :redirect, redirect_uri: auth.redirect_uri },
57
- status: auth.status,
58
- )
55
+ if pre_auth.form_post_response?
56
+ render(
57
+ json: { status: :post, redirect_uri: pre_auth.redirect_uri, body: auth.body },
58
+ status: auth.status,
59
+ )
60
+ else
61
+ render(
62
+ json: { status: :redirect, redirect_uri: auth.redirect_uri },
63
+ status: auth.status,
64
+ )
65
+ end
66
+ elsif pre_auth.form_post_response?
67
+ render :form_post
59
68
  else
60
69
  redirect_to auth.redirect_uri
61
70
  end
@@ -65,7 +74,11 @@ module Doorkeeper
65
74
  end
66
75
 
67
76
  def pre_auth
68
- @pre_auth ||= OAuth::PreAuthorization.new(Doorkeeper.configuration, pre_auth_params)
77
+ @pre_auth ||= OAuth::PreAuthorization.new(
78
+ Doorkeeper.configuration,
79
+ pre_auth_params,
80
+ current_resource_owner,
81
+ )
69
82
  end
70
83
 
71
84
  def pre_auth_params
@@ -73,8 +86,16 @@ module Doorkeeper
73
86
  end
74
87
 
75
88
  def pre_auth_param_fields
76
- %i[client_id response_type redirect_uri scope state code_challenge
77
- code_challenge_method]
89
+ %i[
90
+ client_id
91
+ code_challenge
92
+ code_challenge_method
93
+ response_type
94
+ response_mode
95
+ redirect_uri
96
+ scope
97
+ state
98
+ ]
78
99
  end
79
100
 
80
101
  def authorization
@@ -82,26 +103,35 @@ module Doorkeeper
82
103
  end
83
104
 
84
105
  def strategy
85
- @strategy ||= server.authorization_request pre_auth.response_type
106
+ @strategy ||= server.authorization_request(pre_auth.response_type)
86
107
  end
87
108
 
88
109
  def authorize_response
89
110
  @authorize_response ||= begin
90
111
  return pre_auth.error_response unless pre_auth.authorizable?
91
112
 
92
- before_successful_authorization
113
+ context = build_context(pre_auth: pre_auth)
114
+ before_successful_authorization(context)
115
+
93
116
  auth = strategy.authorize
94
- after_successful_authorization
117
+
118
+ context = build_context(auth: auth)
119
+ after_successful_authorization(context)
120
+
95
121
  auth
96
122
  end
97
123
  end
98
124
 
99
- def after_successful_authorization
100
- Doorkeeper.configuration.after_successful_authorization.call(self)
125
+ def build_context(**attributes)
126
+ Doorkeeper::OAuth::Hooks::Context.new(**attributes)
127
+ end
128
+
129
+ def before_successful_authorization(context = nil)
130
+ Doorkeeper.config.before_successful_authorization.call(self, context)
101
131
  end
102
132
 
103
- def before_successful_authorization
104
- Doorkeeper.configuration.before_successful_authorization.call(self)
133
+ def after_successful_authorization(context)
134
+ Doorkeeper.config.after_successful_authorization.call(self, context)
105
135
  end
106
136
  end
107
137
  end
@@ -5,7 +5,7 @@ module Doorkeeper
5
5
  before_action :authenticate_resource_owner!
6
6
 
7
7
  def index
8
- @applications = Application.authorized_for(current_resource_owner)
8
+ @applications = Doorkeeper.config.application_model.authorized_for(current_resource_owner)
9
9
 
10
10
  respond_to do |format|
11
11
  format.html
@@ -14,7 +14,7 @@ module Doorkeeper
14
14
  end
15
15
 
16
16
  def destroy
17
- Application.revoke_tokens_and_grants_for(
17
+ Doorkeeper.config.application_model.revoke_tokens_and_grants_for(
18
18
  params[:id],
19
19
  current_resource_owner,
20
20
  )
@@ -2,6 +2,8 @@
2
2
 
3
3
  module Doorkeeper
4
4
  class TokensController < Doorkeeper::ApplicationMetalController
5
+ before_action :validate_presence_of_client, only: [:revoke]
6
+
5
7
  def create
6
8
  headers.merge!(authorize_response.headers)
7
9
  render json: authorize_response.body,
@@ -12,14 +14,15 @@ module Doorkeeper
12
14
 
13
15
  # OAuth 2.0 Token Revocation - http://tools.ietf.org/html/rfc7009
14
16
  def revoke
15
- # The authorization server, if applicable, first authenticates the client
16
- # and checks its ownership of the provided token.
17
- #
18
- # Doorkeeper does not use the token_type_hint logic described in the
19
- # RFC 7009 due to the refresh token implementation that is a field in
20
- # the access token model.
21
-
22
- if authorized?
17
+ # The authorization server responds with HTTP status code 200 if the client
18
+ # submitted an invalid token or the token has been revoked successfully.
19
+ if token.blank?
20
+ render json: {}, status: 200
21
+ # The authorization server validates [...] and whether the token
22
+ # was issued to the client making the revocation request. If this
23
+ # validation fails, the request is refused and the client is informed
24
+ # of the error by the authorization server as described below.
25
+ elsif authorized?
23
26
  revoke_token
24
27
  render json: {}, status: 200
25
28
  else
@@ -41,9 +44,45 @@ module Doorkeeper
41
44
 
42
45
  private
43
46
 
47
+ def validate_presence_of_client
48
+ return if Doorkeeper.config.skip_client_authentication_for_password_grant
49
+
50
+ # @see 2.1. Revocation Request
51
+ #
52
+ # The client constructs the request by including the following
53
+ # parameters using the "application/x-www-form-urlencoded" format in
54
+ # the HTTP request entity-body:
55
+ # token REQUIRED.
56
+ # token_type_hint OPTIONAL.
57
+ #
58
+ # The client also includes its authentication credentials as described
59
+ # in Section 2.3. of [RFC6749].
60
+ #
61
+ # The authorization server first validates the client credentials (in
62
+ # case of a confidential client) and then verifies whether the token
63
+ # was issued to the client making the revocation request.
64
+ return if server.client
65
+
66
+ # If this validation [client credentials / token ownership] fails, the request is
67
+ # refused and the client is informed of the error by the authorization server as
68
+ # described below.
69
+ #
70
+ # @see 2.2.1. Error Response
71
+ #
72
+ # The error presentation conforms to the definition in Section 5.2 of [RFC6749].
73
+ render json: revocation_error_response, status: :forbidden
74
+ end
75
+
44
76
  # OAuth 2.0 Section 2.1 defines two client types, "public" & "confidential".
45
- # Public clients (as per RFC 7009) do not require authentication whereas
46
- # confidential clients must be authenticated for their token revocation.
77
+ #
78
+ # RFC7009
79
+ # Section 5. Security Considerations
80
+ # A malicious client may attempt to guess valid tokens on this endpoint
81
+ # by making revocation requests against potential token strings.
82
+ # According to this specification, a client's request must contain a
83
+ # valid client_id, in the case of a public client, or valid client
84
+ # credentials, in the case of a confidential client. The token being
85
+ # revoked must also belong to the requesting client.
47
86
  #
48
87
  # Once a confidential client is authenticated, it must be authorized to
49
88
  # revoke the provided access or refresh token. This ensures one client
@@ -58,15 +97,13 @@ module Doorkeeper
58
97
  # https://tools.ietf.org/html/rfc6749#section-2.1
59
98
  # https://tools.ietf.org/html/rfc7009
60
99
  def authorized?
61
- return unless token.present?
62
-
63
- # Client is confidential, therefore client authentication & authorization
64
- # is required
100
+ # Token belongs to specific client, so we need to check if
101
+ # authenticated client could access it.
65
102
  if token.application_id? && token.application.confidential?
66
103
  # We authorize client by checking token's application
67
104
  server.client && server.client.application == token.application
68
105
  else
69
- # Client is public, authentication unnecessary
106
+ # Token was issued without client, authorization unnecessary
70
107
  true
71
108
  end
72
109
  end
@@ -78,9 +115,12 @@ module Doorkeeper
78
115
  token.revoke if token&.accessible?
79
116
  end
80
117
 
118
+ # Doorkeeper does not use the token_type_hint logic described in the
119
+ # RFC 7009 due to the refresh token implementation that is a field in
120
+ # the access token model.
81
121
  def token
82
- @token ||= AccessToken.by_token(params["token"]) ||
83
- AccessToken.by_refresh_token(params["token"])
122
+ @token ||= Doorkeeper.config.access_token_model.by_token(params["token"]) ||
123
+ Doorkeeper.config.access_token_model.by_refresh_token(params["token"])
84
124
  end
85
125
 
86
126
  def strategy
@@ -91,17 +131,22 @@ module Doorkeeper
91
131
  @authorize_response ||= begin
92
132
  before_successful_authorization
93
133
  auth = strategy.authorize
94
- after_successful_authorization unless auth.is_a?(Doorkeeper::OAuth::ErrorResponse)
134
+ context = build_context(auth: auth)
135
+ after_successful_authorization(context) unless auth.is_a?(Doorkeeper::OAuth::ErrorResponse)
95
136
  auth
96
137
  end
97
138
  end
98
139
 
99
- def after_successful_authorization
100
- Doorkeeper.configuration.after_successful_authorization.call(self)
140
+ def build_context(**attributes)
141
+ Doorkeeper::OAuth::Hooks::Context.new(**attributes)
142
+ end
143
+
144
+ def before_successful_authorization(context = nil)
145
+ Doorkeeper.config.before_successful_authorization.call(self, context)
101
146
  end
102
147
 
103
- def before_successful_authorization
104
- Doorkeeper.configuration.before_successful_authorization.call(self)
148
+ def after_successful_authorization(context)
149
+ Doorkeeper.config.after_successful_authorization.call(self, context)
105
150
  end
106
151
 
107
152
  def revocation_error_response
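Review bot: The RFC 7009 Section 5 comment added above `authorized?` (new lines 80–85) says the token being revoked must belong to the requesting client, but `authorized?` only compares `server.client.application` with `token.application` when `token.application.confidential?` is true; a token issued to a public (non-confidential) application falls into the `else` branch and is accepted regardless of which client is calling, so that branch's new comment `# Token was issued without client, authorization unnecessary` is inaccurate for public-client tokens. If `server.client` resolves public clients from their `client_id` — which the `return if server.client` check in `validate_presence_of_client` appears to rely on — the ownership comparison could apply whenever the token has an application, i.e. `if token.application_id?` with the same `server.client && server.client.application == token.application` body, leaving only truly client-less tokens in the permissive branch. Separately, `validate_presence_of_client` returns early when `skip_client_authentication_for_password_grant` is set, so a password-grant option also lifts the client requirement on `/revoke`; a one-line comment naming that coupling there would make the tradeoff visible to operators.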