doorkeeper 5.3.3 → 5.5.0.rc2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4d3ed9e21e9d404f1c7f67a48a36a5745d9a5a7aca05b9ae63fbd10c6d170ac1
-  data.tar.gz: 21ab4db448c9404a7067e8223433a8aa2ecfe955fd3729e7038efafd616c4237
+  metadata.gz: 71ef97409e242e0609d9c327836e2f90f92af440c8f989047b83435f7f8b052d
+  data.tar.gz: f12a030d12ca321fbf1b0acd4534707afba6c584b77d307698943a879cd33500
 SHA512:
-  metadata.gz: a03ea8dbf25bc5d48f2fa92942c73dfefa74978d16229b79f1f6d691e0d591ecdc08be84bc243139a1a4df50091fde2d039f5dcae65a8250477e309a31ad054d
-  data.tar.gz: 7f6445f2beb910ba6b3cdeebd5d0d265986f49bb400ccccdbd811f7be8e34e5e029e07acfe22330729fe9065169b1807a4c98094abf3d247fe7175a1cd52daf5
+  metadata.gz: bdda34cda76caffdeaec38be0c06ba733cc15480970bd78b48267c66764a64643423d61a2adb6c1c65643d3df2061ab3d86ad82baf970676276d7b1655fb846b
+  data.tar.gz: 8218ad9ad8248192f93253940623564784f339b78594cf00c000c33f9a6a9bd06f6cc5ee9fbcc207d4af3b499712387d39756c7ef6c709e9a7afe991efdfa5af

data/CHANGELOG.md

@@ -5,20 +5,112 @@ upgrade guides.
 
 User-visible changes worth mentioning.
 
-## 5.3.3
+## master
 
-- [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+- [#PR ID] Add your PR description here.
 
-## 5.3.2
+## 5.5.0.rc2
 
-- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
-  Fixes information disclosure vulnerability (CVE-2020-10187).
+- [#1473] Enable `Applications` and `AuthorizedApplications` controllers in API mode.
+  
+  **[IMPORTANT]** you can still skip these controllers using `skip_controllers` in 
+    `use_doorkeeper` inside `routes.rb`. Please do it in case you don't need them.
   
+- [#1472] Fix `establish_connection` configuration for custom defined models.
+- [#1471] Add support for Ruby 3.0.
+- [#1469] Check if `redirect_uri` exists.
+- [#1465] Memoize nil doorkeeper_token.
+- [#1459] Use built-in Ruby option to remove padding in PKCE code challenge value.
+- [#1457] Make owner_id a bigint for newly-generated owner migrations
+- [#1452] Empty previous_refresh_token only if present.
+- [#1440] Validate empty host in redirect_uri.
+- [#1438] Add form post response mode.
+- [#1458] Make `config.skip_client_authentication_for_password_grant` a long term configuration option.
+
+## 5.5.0.rc1
+
+- [#1435] Make error response not redirectable when client is unauthorized
+- [#1426] Ensure ActiveRecord callbacks are executed on token revocation.
+- [#1407] Remove redundant and complex to support helpers froms tests (`should_have_json`, etc).
+- [#1416] Don't add introspection route if token introspection completely disabled.
+- [#1410] Properly memoize `current_resource_owner` value (consider `nil` and `false` values).
+- [#1415] Ignore PKCE params for non-PKCE grants.
+- [#1418] Add ability to register custom OAuth Grant Flows.
+- [#1420] Require client authentication for Resource Owner Password Grant as stated in OAuth RFC.
+
+  **[IMPORTANT]** you need to create a new OAuth client (`Doorkeeper::Application`) if you didn't
+    have it before and use client credentials in HTTP Basic auth if you previously used this grant
+    flow without client authentication. To opt out of this you could set the
+    `skip_client_authentication_for_password_grant` configuration option to `true`, but note that
+    this is in violation of the OAuth spec and represents a security risk.
+    All the users of your provider application now need to include client credentials when they use
+    this grant flow.
+
+- [#1421] Add Resource Owner instance to authorization hook context for `custom_access_token_expires_in`
+  configuration option to allow resource owner based Access Tokens TTL.
+
+## 5.4.0
+
+- [#1404] Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.4.0.rc2
+
+- [#1371] Add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
+
   **[IMPORTANT]** you need to re-implement `#as_json` method for Doorkeeper Application model
   if you previously used `#to_json` serialization with custom options or attributes or rely on
   JSON response from /oauth/applications.json or /oauth/authorized_applications.json. This change
   is a breaking change which restricts serialized attributes to a very small set of columns.
 
+- [#1395] Fix `NameError: uninitialized constant Doorkeeper::AccessToken` for Rake tasks.
+- [#1397] Add `as: :doorkeeper_application` on Doorkeeper application form in order to support
+  custom configured application model.
+- [#1400] Correctly yield the application instance to `allow_grant_flow_for_client?` config
+  option (fixes #1398).
+- [#1402] Handle trying authorization with client credentials.
+
+## 5.4.0.rc1
+- [#1366] Sets expiry of token generated using `refresh_token` to that of original token. (Fixes #1364)
+- [#1354] Add `authorize_resource_owner_for_client` option to authorize the calling user to access an application.
+- [#1355] Allow to enable polymorphic Resource Owner association for Access Token & Grant
+  models (`use_polymorphic_resource_owner` configuration option).
+
+  **[IMPORTANT]** Review your custom patches or extensions for Doorkeeper internals if you
+  have such - since now Doorkeeper passes Resource Owner instance to every objects and not
+  just it's ID. See PR description for details.
+
+- [#1356] Remove duplicated scopes from Access Tokens and Grants on attribute assignment.
+- [#1357] Fix `Doorkeeper::OAuth::PreAuthorization#as_json` method causing
+  `Stack level too deep` error with AMS (fix #1312).
+- [#1358] Deprecate `active_record_options` configuration option.
+- [#1359] Refactor Doorkeeper configuration options DSL to make it easy to reuse it
+  in external extensions.
+- [#1360] Increase `matching_token_for` lookup size to 10 000 and make it configurable.
+- [#1371] Fix controllers to use valid classes in case Doorkeeper has custom models configured.
+- [#1370] Fix revocation response for invalid token and unauthorized requests to conform with RFC 7009 (fixes #1362).
+
+  **[IMPORTANT]** now fully according to RFC 7009 nobody can do a revocation request without `client_id`
+  (for public clients) and `client_secret` (for private clients). Please update your apps to include that
+  info in the revocation request payload.
+
+- [#1373] Make Doorkeeper routes mapper reusable in extensions.
+- [#1374] Revoke and issue client credentials token in a transaction with a row lock.
+- [#1384] Add context object with auth/pre_auth and issued_token for authorization hooks.
+- [#1387] Add `AccessToken#create_for` and use in `RefreshTokenRequest`.
+- [#1392] Fix `enable_polymorphic_resource_owner` migration template to have proper index name.
+- [#1393] Improve Applications #show page with more informative data on client secret and scopes.
+- [#1394] Use Ruby `autoload` feature to load Doorkeeper files.
+
+## 5.3.3
+
+- [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.3.2
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
+
 ## 5.3.1
 
 - [#1360] Backport: Increase `matching_token_for` batch lookup size to 10 000 and make it configurable.
@@ -37,9 +129,18 @@ User-visible changes worth mentioning.
   If you were relying on access tokens being revoked once the same client
   requested a new access token, reenable it with `revoke_previous_client_credentials_token` in Doorkeeper
   initialization file.
-  
+
+## 5.2.6
+
+- [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.2.5
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
+
 ## 5.2.4
-  
+
 - [#1360] Backport: Increase `matching_token_for` batch lookup size to 10 000 and make it configurable.
 
 ## 5.2.3
@@ -70,6 +171,9 @@ User-visible changes worth mentioning.
 - [#1298] Slice strong params so doesn't error with Rails forms.
 - [#1300] Limiting access to attributes of pre_authorization.
 - [#1296] Adding client_id to strong parameters.
+
+  **[IMPORTANT]** `Doorkeeper::Server#client_via_uid` was removed.
+
 - [#1293] Move ar specific redirect uri validator to ar orm directory.
 - [#1288] Allow to pass attributes to the `Doorkeeper::OAuth::PreAuthorization#as_json` method to customize
   the PreAuthorization response.
@@ -102,6 +206,15 @@ User-visible changes worth mentioning.
 - [#1248] Return the unhashed Application Secret in the JSON response after creating new application even when `hash_application_secrets` is used.
 - [#1238] Better support for native app with support for custom scheme and localhost redirection.
 
+## 5.1.2
+
+- [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.1.1
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
+
 ## 5.1.0
 
 - [#1243] Add nil check operator in token checking at token introspection.
@@ -163,6 +276,11 @@ User-visible changes worth mentioning.
 - [#1164] Fix error when `root_path` is not defined.
 - [#1162] Fix `enforce_content_type` for requests without body.
 
+## 5.0.3
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
+
 ## 5.0.2
 
 - [#1158] Fix initializer template: change `handle_auth_errors` option

data/README.md

@@ -6,7 +6,7 @@
 [![Coverage Status](https://coveralls.io/repos/github/doorkeeper-gem/doorkeeper/badge.svg?branch=master)](https://coveralls.io/github/doorkeeper-gem/doorkeeper?branch=master)
 [![Security](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master.svg)](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master)
 [![Reviewed by Hound](https://img.shields.io/badge/Reviewed_by-Hound-8E64B0.svg)](https://houndci.com)
-[![GuardRails badge](https://badges.production.guardrails.io/doorkeeper-gem/doorkeeper.svg?token=66768ce8f6995814df81f65a2cff40f739f688492704f973e62809e15599bb62)](https://dashboard.guardrails.io/default/gh/doorkeeper-gem/doorkeeper)
+[![GuardRails badge](https://badges.guardrails.io/doorkeeper-gem/doorkeeper.svg?token=66768ce8f6995814df81f65a2cff40f739f688492704f973e62809e15599bb62)](https://dashboard.guardrails.io/default/gh/doorkeeper-gem/doorkeeper)
 [![Dependabot](https://img.shields.io/badge/dependabot-enabled-success.svg)](https://dependabot.com)
 
 Doorkeeper is a gem (Rails engine) that makes it easy to introduce OAuth 2 provider
@@ -113,7 +113,7 @@ These applications show how Doorkeeper works and how to integrate with it. Start
 
 | Application | Link |
 | :--- | :--- |
-| oAuth2 Server with Doorkeeper | [doorkeeper-gem/doorkeeper-provider-app](https://github.com/doorkeeper-gem/doorkeeper-provider-app) |
+| OAuth2 Server with Doorkeeper | [doorkeeper-gem/doorkeeper-provider-app](https://github.com/doorkeeper-gem/doorkeeper-provider-app) |
 | Sinatra Client connected to Provider App | [doorkeeper-gem/doorkeeper-sinatra-client](https://github.com/doorkeeper-gem/doorkeeper-sinatra-client) |
 | Devise + Omniauth Client | [doorkeeper-gem/doorkeeper-devise-client](https://github.com/doorkeeper-gem/doorkeeper-devise-client) |
 
@@ -160,6 +160,9 @@ tests with a specific Rails version:
 BUNDLE_GEMFILE=gemfiles/rails_6_0.gemfile bundle exec rake
 ```
 
+You can also experiment with the changes using `bin/console`. It uses in-memory SQLite database and default
+Doorkeeper config, but you can reestablish connection or reconfigure the gem if you need.
+
 ## Contributing
 
 Want to contribute and don't know where to start? Check out [features we're
@@ -168,8 +171,7 @@ create [example
 apps](https://github.com/doorkeeper-gem/doorkeeper/wiki/Example-Applications),
 integrate the gem with your app and let us know!
 
-Also, check out our [contributing guidelines
-page](https://github.com/doorkeeper-gem/doorkeeper/wiki/Contributing).
+Also, check out our [contributing guidelines page](CONTRIBUTING.md).
 
 ## Contributors
 

data/app/controllers/doorkeeper/applications_controller.rb

@@ -8,7 +8,7 @@ module Doorkeeper
     before_action :set_application, only: %i[show edit update destroy]
 
     def index
-      @applications = Application.ordered_by(:created_at)
+      @applications = Doorkeeper.config.application_model.ordered_by(:created_at)
 
       respond_to do |format|
         format.html
@@ -24,11 +24,11 @@ module Doorkeeper
     end
 
     def new
-      @application = Application.new
+      @application = Doorkeeper.config.application_model.new
     end
 
     def create
-      @application = Application.new(application_params)
+      @application = Doorkeeper.config.application_model.new(application_params)
 
       if @application.save
         flash[:notice] = I18n.t(:notice, scope: %i[doorkeeper flash applications create])
@@ -84,7 +84,7 @@ module Doorkeeper
     private
 
     def set_application
-      @application = Application.find(params[:id])
+      @application = Doorkeeper.config.application_model.find(params[:id])
     end
 
     def application_params

data/app/controllers/doorkeeper/authorizations_controller.rb

@@ -42,9 +42,9 @@ module Doorkeeper
     end
 
     def matching_token?
-      AccessToken.matching_token_for(
+      Doorkeeper.config.access_token_model.matching_token_for(
         pre_auth.client,
-        current_resource_owner.id,
+        current_resource_owner,
         pre_auth.scopes,
       )
     end
@@ -52,10 +52,19 @@ module Doorkeeper
     def redirect_or_render(auth)
       if auth.redirectable?
         if Doorkeeper.configuration.api_only
-          render(
-            json: { status: :redirect, redirect_uri: auth.redirect_uri },
-            status: auth.status,
-          )
+          if pre_auth.form_post_response?
+            render(
+              json: { status: :post, redirect_uri: pre_auth.redirect_uri, body: auth.body },
+              status: auth.status,
+            )
+          else
+            render(
+              json: { status: :redirect, redirect_uri: auth.redirect_uri },
+              status: auth.status,
+            )
+          end
+        elsif pre_auth.form_post_response?
+          render :form_post
         else
           redirect_to auth.redirect_uri
         end
@@ -65,7 +74,11 @@ module Doorkeeper
     end
 
     def pre_auth
-      @pre_auth ||= OAuth::PreAuthorization.new(Doorkeeper.configuration, pre_auth_params)
+      @pre_auth ||= OAuth::PreAuthorization.new(
+        Doorkeeper.configuration,
+        pre_auth_params,
+        current_resource_owner,
+      )
     end
 
     def pre_auth_params
@@ -73,8 +86,16 @@ module Doorkeeper
     end
 
     def pre_auth_param_fields
-      %i[client_id response_type redirect_uri scope state code_challenge
-         code_challenge_method]
+      %i[
+        client_id
+        code_challenge
+        code_challenge_method
+        response_type
+        response_mode
+        redirect_uri
+        scope
+        state
+      ]
     end
 
     def authorization
@@ -82,26 +103,35 @@ module Doorkeeper
     end
 
     def strategy
-      @strategy ||= server.authorization_request pre_auth.response_type
+      @strategy ||= server.authorization_request(pre_auth.response_type)
     end
 
     def authorize_response
       @authorize_response ||= begin
         return pre_auth.error_response unless pre_auth.authorizable?
 
-        before_successful_authorization
+        context = build_context(pre_auth: pre_auth)
+        before_successful_authorization(context)
+
         auth = strategy.authorize
-        after_successful_authorization
+
+        context = build_context(auth: auth)
+        after_successful_authorization(context)
+
         auth
       end
     end
 
-    def after_successful_authorization
-      Doorkeeper.configuration.after_successful_authorization.call(self)
+    def build_context(**attributes)
+      Doorkeeper::OAuth::Hooks::Context.new(**attributes)
+    end
+
+    def before_successful_authorization(context = nil)
+      Doorkeeper.config.before_successful_authorization.call(self, context)
     end
 
-    def before_successful_authorization
-      Doorkeeper.configuration.before_successful_authorization.call(self)
+    def after_successful_authorization(context)
+      Doorkeeper.config.after_successful_authorization.call(self, context)
     end
   end
 end

data/app/controllers/doorkeeper/authorized_applications_controller.rb

@@ -5,7 +5,7 @@ module Doorkeeper
     before_action :authenticate_resource_owner!
 
     def index
-      @applications = Application.authorized_for(current_resource_owner)
+      @applications = Doorkeeper.config.application_model.authorized_for(current_resource_owner)
 
       respond_to do |format|
         format.html
@@ -14,7 +14,7 @@ module Doorkeeper
     end
 
     def destroy
-      Application.revoke_tokens_and_grants_for(
+      Doorkeeper.config.application_model.revoke_tokens_and_grants_for(
         params[:id],
         current_resource_owner,
       )

data/app/controllers/doorkeeper/tokens_controller.rb

@@ -2,6 +2,8 @@
 
 module Doorkeeper
   class TokensController < Doorkeeper::ApplicationMetalController
+    before_action :validate_presence_of_client, only: [:revoke]
+
     def create
       headers.merge!(authorize_response.headers)
       render json: authorize_response.body,
@@ -12,14 +14,15 @@ module Doorkeeper
 
     # OAuth 2.0 Token Revocation - http://tools.ietf.org/html/rfc7009
     def revoke
-      # The authorization server, if applicable, first authenticates the client
-      # and checks its ownership of the provided token.
-      #
-      # Doorkeeper does not use the token_type_hint logic described in the
-      # RFC 7009 due to the refresh token implementation that is a field in
-      # the access token model.
-
-      if authorized?
+      # The authorization server responds with HTTP status code 200 if the client
+      # submitted an invalid token or the token has been revoked successfully.
+      if token.blank?
+        render json: {}, status: 200
+      # The authorization server validates [...] and whether the token
+      # was issued to the client making the revocation request. If this
+      # validation fails, the request is refused and the client is informed
+      # of the error by the authorization server as described below.
+      elsif authorized?
         revoke_token
         render json: {}, status: 200
       else
@@ -41,9 +44,45 @@ module Doorkeeper
 
     private
 
+    def validate_presence_of_client
+      return if Doorkeeper.config.skip_client_authentication_for_password_grant
+
+      # @see 2.1.  Revocation Request
+      #
+      #  The client constructs the request by including the following
+      #  parameters using the "application/x-www-form-urlencoded" format in
+      #  the HTTP request entity-body:
+      #     token   REQUIRED.
+      #     token_type_hint  OPTIONAL.
+      #
+      #  The client also includes its authentication credentials as described
+      #  in Section 2.3. of [RFC6749].
+      #
+      #  The authorization server first validates the client credentials (in
+      #  case of a confidential client) and then verifies whether the token
+      #  was issued to the client making the revocation request.
+      return if server.client
+
+      # If this validation [client credentials / token ownership] fails, the request is
+      # refused and the  client is informed of the error by the authorization server as
+      # described below.
+      #
+      # @see 2.2.1.  Error Response
+      #
+      # The error presentation conforms to the definition in Section 5.2 of [RFC6749].
+      render json: revocation_error_response, status: :forbidden
+    end
+
     # OAuth 2.0 Section 2.1 defines two client types, "public" & "confidential".
-    # Public clients (as per RFC 7009) do not require authentication whereas
-    # confidential clients must be authenticated for their token revocation.
+    #
+    # RFC7009
+    # Section 5. Security Considerations
+    # A malicious client may attempt to guess valid tokens on this endpoint
+    # by making revocation requests against potential token strings.
+    # According to this specification, a client's request must contain a
+    # valid client_id, in the case of a public client, or valid client
+    # credentials, in the case of a confidential client. The token being
+    # revoked must also belong to the requesting client.
     #
     # Once a confidential client is authenticated, it must be authorized to
     # revoke the provided access or refresh token. This ensures one client
@@ -58,15 +97,13 @@ module Doorkeeper
     # https://tools.ietf.org/html/rfc6749#section-2.1
     # https://tools.ietf.org/html/rfc7009
     def authorized?
-      return unless token.present?
-
-      # Client is confidential, therefore client authentication & authorization
-      # is required
+      # Token belongs to specific client, so we need to check if
+      # authenticated client could access it.
       if token.application_id? && token.application.confidential?
         # We authorize client by checking token's application
         server.client && server.client.application == token.application
       else
-        # Client is public, authentication unnecessary
+        # Token was issued without client, authorization unnecessary
         true
       end
     end
@@ -78,9 +115,12 @@ module Doorkeeper
       token.revoke if token&.accessible?
     end
 
+    # Doorkeeper does not use the token_type_hint logic described in the
+    # RFC 7009 due to the refresh token implementation that is a field in
+    # the access token model.
     def token
-      @token ||= AccessToken.by_token(params["token"]) ||
-                 AccessToken.by_refresh_token(params["token"])
+      @token ||= Doorkeeper.config.access_token_model.by_token(params["token"]) ||
+                 Doorkeeper.config.access_token_model.by_refresh_token(params["token"])
     end
 
     def strategy
@@ -91,17 +131,22 @@ module Doorkeeper
       @authorize_response ||= begin
         before_successful_authorization
         auth = strategy.authorize
-        after_successful_authorization unless auth.is_a?(Doorkeeper::OAuth::ErrorResponse)
+        context = build_context(auth: auth)
+        after_successful_authorization(context) unless auth.is_a?(Doorkeeper::OAuth::ErrorResponse)
         auth
       end
     end
 
-    def after_successful_authorization
-      Doorkeeper.configuration.after_successful_authorization.call(self)
+    def build_context(**attributes)
+      Doorkeeper::OAuth::Hooks::Context.new(**attributes)
+    end
+
+    def before_successful_authorization(context = nil)
+      Doorkeeper.config.before_successful_authorization.call(self, context)
     end
 
-    def before_successful_authorization
-      Doorkeeper.configuration.before_successful_authorization.call(self)
+    def after_successful_authorization(context)
+      Doorkeeper.config.after_successful_authorization.call(self, context)
     end
 
     def revocation_error_response