doorkeeper 5.3.3 → 5.5.0.rc2

data/lib/doorkeeper/oauth/refresh_token_request.rb

@@ -11,9 +11,8 @@ module Doorkeeper
       validate :client_match, error: :invalid_grant
       validate :scope,        error: :invalid_scope
 
-      attr_accessor :access_token, :client, :credentials, :refresh_token,
-                    :server
-      attr_reader   :missing_param
+      attr_reader :access_token, :client, :credentials, :refresh_token
+      attr_reader :missing_param
 
       def initialize(server, refresh_token, credentials, parameters = {})
         @server = server
@@ -50,30 +49,40 @@ module Doorkeeper
       end
 
       def create_access_token
-        @access_token = server_config.access_token_model.create!(access_token_attributes)
-      end
+        attributes = {}
 
-      def access_token_attributes
-        {
-          application_id: refresh_token.application_id,
-          resource_owner_id: refresh_token.resource_owner_id,
-          scopes: scopes.to_s,
-          expires_in: access_token_expires_in,
-          use_refresh_token: true,
-        }.tap do |attributes|
-          if refresh_token_revoked_on_use?
-            attributes[:previous_refresh_token] = refresh_token.refresh_token
+        resource_owner =
+          if Doorkeeper.config.polymorphic_resource_owner?
+            refresh_token.resource_owner
+          else
+            refresh_token.resource_owner_id
           end
+
+        if refresh_token_revoked_on_use?
+          attributes[:previous_refresh_token] = refresh_token.refresh_token
         end
-      end
 
-      def access_token_expires_in
-        context = Authorization::Token.build_context(
-          client,
-          Doorkeeper::OAuth::REFRESH_TOKEN,
-          scopes,
+        # RFC6749
+        # 1.5.  Refresh Token
+        #
+        # Refresh tokens are issued to the client by the authorization server and are
+        # used to obtain a new access token when the current access token
+        # becomes invalid or expires, or to obtain additional access tokens
+        # with identical or narrower scope (access tokens may have a shorter
+        # lifetime and fewer permissions than authorized by the resource
+        # owner).
+        #
+        # Here we assume that TTL of the token received after refreshing should be
+        # the same as that of the original token.
+        #
+        @access_token = server_config.access_token_model.create_for(
+          application: refresh_token.application,
+          resource_owner: resource_owner,
+          scopes: scopes,
+          expires_in: refresh_token.expires_in,
+          use_refresh_token: true,
+          **attributes,
         )
-        Authorization::Token.access_token_expires_in(server, context)
       end
 
       def validate_token_presence

data/lib/doorkeeper/oauth/token.rb

@@ -8,15 +8,14 @@ module Doorkeeper
           methods.inject(nil) do |_, method|
             method = self.method(method) if method.is_a?(Symbol)
             credentials = method.call(request)
-            break credentials unless credentials.blank?
+            break credentials if credentials.present?
           end
         end
 
         def authenticate(request, *methods)
           if (token = from_request(request, *methods))
             access_token = Doorkeeper.config.access_token_model.by_token(token)
-            refresh_token_enabled = Doorkeeper.config.refresh_token_enabled?
-            if access_token.present? && refresh_token_enabled
+            if access_token.present? && Doorkeeper.config.refresh_token_enabled?
               access_token.revoke_previous_refresh_token!
             end
             access_token
@@ -33,13 +32,13 @@ module Doorkeeper
 
         def from_bearer_authorization(request)
           pattern = /^Bearer /i
-          header  = request.authorization
+          header = request.authorization
           token_from_header(header, pattern) if match?(header, pattern)
         end
 
         def from_basic_authorization(request)
           pattern = /^Basic /i
-          header  = request.authorization
+          header = request.authorization
           token_from_basic_header(header, pattern) if match?(header, pattern)
         end
 
@@ -55,7 +54,7 @@ module Doorkeeper
         end
 
         def token_from_header(header, pattern)
-          header.gsub pattern, ""
+          header.gsub(pattern, "")
         end
 
         def match?(header, pattern)

data/lib/doorkeeper/oauth/token_introspection.rb

@@ -6,9 +6,6 @@ module Doorkeeper
     #
     # @see https://tools.ietf.org/html/rfc7662
     class TokenIntrospection
-      attr_reader :server, :token
-      attr_reader :error, :invalid_request_reason
-
       def initialize(server, token)
         @server = server
         @token = token
@@ -38,6 +35,9 @@ module Doorkeeper
 
       private
 
+      attr_reader :server, :token
+      attr_reader :error, :invalid_request_reason
+
       # If the protected resource uses OAuth 2.0 client credentials to
       # authenticate to the introspection endpoint and its credentials are
       # invalid, the authorization server responds with an HTTP 401
@@ -179,11 +179,7 @@ module Doorkeeper
         allow_introspection = Doorkeeper.config.allow_token_introspection
         return allow_introspection unless allow_introspection.respond_to?(:call)
 
-        allow_introspection.call(
-          @token,
-          auth_client,
-          auth_token,
-        )
+        allow_introspection.call(@token, auth_client, auth_token)
       end
 
       # Allows to customize introspection response.

data/lib/doorkeeper/oauth/token_request.rb

@@ -3,16 +3,16 @@
 module Doorkeeper
   module OAuth
     class TokenRequest
-      attr_accessor :pre_auth, :resource_owner
+      attr_reader :pre_auth, :resource_owner
 
       def initialize(pre_auth, resource_owner)
-        @pre_auth       = pre_auth
+        @pre_auth = pre_auth
         @resource_owner = resource_owner
       end
 
       def authorize
         auth = Authorization::Token.new(pre_auth, resource_owner)
-        auth.issue_token
+        auth.issue_token!
         CodeResponse.new(pre_auth, auth, response_on_fragment: true)
       end
 

data/lib/doorkeeper/oauth/token_response.rb

@@ -3,7 +3,7 @@
 module Doorkeeper
   module OAuth
     class TokenResponse
-      attr_accessor :token
+      attr_reader :token
 
       def initialize(token)
         @token = token

data/lib/doorkeeper/orm/active_record.rb

@@ -20,9 +20,8 @@ module Doorkeeper
           require "doorkeeper/orm/active_record/access_token"
           require "doorkeeper/orm/active_record/application"
 
-          if Doorkeeper.config.active_record_options[:establish_connection]
+          if (options = Doorkeeper.config.active_record_options[:establish_connection])
             Doorkeeper::Orm::ActiveRecord.models.each do |model|
-              options = Doorkeeper.config.active_record_options[:establish_connection]
               model.establish_connection(options)
             end
           end
@@ -33,19 +32,27 @@ module Doorkeeper
         lazy_load do
           require "doorkeeper/models/concerns/ownership"
 
-          Doorkeeper.config.application_model.send :include, Doorkeeper::Models::Ownership
+          Doorkeeper.config.application_model.include(Doorkeeper::Models::Ownership)
         end
       end
 
       def self.lazy_load(&block)
-        ActiveSupport.on_load(:active_record, {}, &block)
+        # ActiveSupport has no public interface to check if something
+        # already lazy-loaded :(
+        loaded = ActiveSupport.instance_variable_get(:"@loaded") || {}
+
+        if loaded.key?(:active_record)
+          block.call
+        else
+          ActiveSupport.on_load(:active_record, {}, &block)
+        end
       end
 
       def self.models
         [
-          Doorkeeper::AccessGrant,
-          Doorkeeper::AccessToken,
-          Doorkeeper::Application,
+          Doorkeeper.config.access_grant_model,
+          Doorkeeper.config.access_token_model,
+          Doorkeeper.config.application_model,
         ]
       end
     end

data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb

@@ -9,12 +9,17 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
 
       include ::Doorkeeper::AccessGrantMixin
 
-      belongs_to :application, class_name: Doorkeeper.config.application_class,
+      belongs_to :application, class_name: Doorkeeper.config.application_class.to_s,
                                optional: true,
                                inverse_of: :access_grants
 
-      validates :resource_owner_id,
-                :application_id,
+      if Doorkeeper.config.polymorphic_resource_owner?
+        belongs_to :resource_owner, polymorphic: true, optional: false
+      else
+        validates :resource_owner_id, presence: true
+      end
+
+      validates :application_id,
                 :token,
                 :expires_in,
                 :redirect_uri,

data/lib/doorkeeper/orm/active_record/mixins/access_token.rb

@@ -9,10 +9,14 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
 
       include ::Doorkeeper::AccessTokenMixin
 
-      belongs_to :application, class_name: Doorkeeper.config.application_class,
+      belongs_to :application, class_name: Doorkeeper.config.application_class.to_s,
                                inverse_of: :access_tokens,
                                optional: true
 
+      if Doorkeeper.config.polymorphic_resource_owner?
+        belongs_to :resource_owner, polymorphic: true, optional: true
+      end
+
       validates :token, presence: true, uniqueness: { case_sensitive: true }
       validates :refresh_token, uniqueness: { case_sensitive: true }, if: :use_refresh_token?
 
@@ -25,7 +29,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
                         on: :create, if: :use_refresh_token?
     end
 
-    class_methods do
+    module ClassMethods
       # Searches for not revoked Access Tokens associated with the
       # specific Resource Owner.
       #
@@ -36,7 +40,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
       #   active Access Tokens for Resource Owner
       #
       def active_for(resource_owner)
-        where(resource_owner_id: resource_owner.id, revoked_at: nil)
+        by_resource_owner(resource_owner).where(revoked_at: nil)
       end
 
       def refresh_token_revoked_on_use?

data/lib/doorkeeper/orm/active_record/mixins/application.rb

@@ -137,9 +137,9 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
         only = Array.wrap(opts[:only]).map(&:to_s)
 
         only = if only.blank?
-                 serializable_attributes
+                 client_serializable_attributes
                else
-                 only & serializable_attributes
+                 only & client_serializable_attributes
                end
 
         only -= Array.wrap(opts[:except]).map(&:to_s) if opts.key?(:except)
@@ -150,7 +150,10 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
       # Override this method if you need additional attributes to be serialized.
       #
       # @return [Array<String>] collection of serializable attributes
-      def serializable_attributes
+      #
+      # NOTE: `serializable_attributes` method already taken by Rails >= 6
+      #
+      def client_serializable_attributes
         attributes = %w[id name created_at]
         attributes << "uid" unless confidential?
         attributes

data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb

@@ -21,6 +21,7 @@ module Doorkeeper
           record.errors.add(attribute, :unspecified_scheme) if unspecified_scheme?(uri)
           record.errors.add(attribute, :relative_uri) if relative_uri?(uri)
           record.errors.add(attribute, :secured_uri) if invalid_ssl_uri?(uri)
+          record.errors.add(attribute, :invalid_uri) if unspecified_host?(uri)
         end
       end
     rescue URI::InvalidURIError
@@ -43,6 +44,10 @@ module Doorkeeper
       %w[localhost].include?(uri.try(:scheme))
     end
 
+    def unspecified_host?(uri)
+      uri.is_a?(URI::HTTP) && uri.host.nil?
+    end
+
     def relative_uri?(uri)
       uri.scheme.nil? && uri.host.nil?
     end

data/lib/doorkeeper/rails/routes.rb

@@ -2,31 +2,33 @@
 
 require "doorkeeper/rails/routes/mapping"
 require "doorkeeper/rails/routes/mapper"
+require "doorkeeper/rails/routes/abstract_router"
+require "doorkeeper/rails/routes/registry"
 
 module Doorkeeper
   module Rails
     class Routes # :nodoc:
-      mattr_reader :mapping do
-        {}
-      end
-
       module Helper
         def use_doorkeeper(options = {}, &block)
           Doorkeeper::Rails::Routes.new(self, &block).generate_routes!(options)
         end
       end
 
-      def self.install!
-        ActionDispatch::Routing::Mapper.include Doorkeeper::Rails::Routes::Helper
+      include AbstractRouter
+      extend Registry
+
+      mattr_reader :mapping do
+        {}
       end
 
-      attr_reader :routes
+      def self.install!
+        ActionDispatch::Routing::Mapper.include Doorkeeper::Rails::Routes::Helper
 
-      def initialize(routes, &block)
-        @routes = routes
-        @mapping = Mapper.new.map(&block)
+        registered_routes.each(&:install!)
+      end
 
-        @mapping.skips.push(:applications, :authorized_applications) if Doorkeeper.config.api_only
+      def initialize(routes, mapper = Mapper.new, &block)
+        super
       end
 
       def generate_routes!(options)
@@ -34,7 +36,7 @@ module Doorkeeper
           map_route(:authorizations, :authorization_routes)
           map_route(:tokens, :token_routes)
           map_route(:tokens, :revoke_routes)
-          map_route(:tokens, :introspect_routes)
+          map_route(:tokens, :introspect_routes) unless Doorkeeper.config.allow_token_introspection.is_a?(FalseClass)
           map_route(:applications, :application_routes)
           map_route(:authorized_applications, :authorized_applications_routes)
           map_route(:token_info, :token_info_routes)
@@ -43,14 +45,6 @@ module Doorkeeper
 
       private
 
-      def map_route(name, method)
-        return if @mapping.skipped?(name)
-
-        send(method, @mapping[name])
-
-        mapping[name] = @mapping[name]
-      end
-
       def authorization_routes(mapping)
         routes.resource(
           :authorization,

data/lib/doorkeeper/rails/routes/abstract_router.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module Rails
+    # Abstract router module that implements base behavior
+    # for generating and mapping Rails routes.
+    #
+    # Could be reused in Doorkeeper extensions.
+    #
+    module AbstractRouter
+      extend ActiveSupport::Concern
+
+      attr_reader :routes
+
+      def initialize(routes, mapper = Mapper.new, &block)
+        @routes = routes
+        @mapping = mapper.map(&block)
+      end
+
+      def generate_routes!(**_options)
+        raise NotImplementedError, "must be redefined for #{self.class.name}!"
+      end
+
+      private
+
+      def map_route(name, method)
+        return if @mapping.skipped?(name)
+
+        send(method, @mapping[name])
+
+        mapping[name] = @mapping[name]
+      end
+    end
+  end
+end

data/lib/doorkeeper/rails/routes/mapper.rb

@@ -4,8 +4,8 @@ module Doorkeeper
   module Rails
     class Routes # :nodoc:
       class Mapper
-        def initialize
-          @mapping = Mapping.new
+        def initialize(mapping = Mapping.new)
+          @mapping = mapping
         end
 
         def map(&block)

data/lib/doorkeeper/rails/routes/registry.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module Rails
+    class Routes
+      # Thread-safe registry of any Doorkeeper additional routes.
+      # Used to allow implementing of Doorkeeper extensions that must
+      # use their own routes.
+      #
+      module Registry
+        ROUTES_ACCESS_LOCK = Mutex.new
+        ROUTES_DEFINITION_LOCK = Mutex.new
+
+        InvalidRouterClass = Class.new(StandardError)
+
+        # Collection of additional registered routes for Doorkeeper.
+        #
+        # @return [Array<Object>] set of registered routes
+        #
+        def registered_routes
+          ROUTES_DEFINITION_LOCK.synchronize do
+            @registered_routes ||= Set.new
+          end
+        end
+
+        # Registers additional routes in the Doorkeeper registry
+        #
+        # @param [Object] routes
+        #   routes class
+        #
+        def register_routes(routes)
+          if !routes.is_a?(Module) || !(routes < AbstractRouter)
+            raise InvalidRouterClass, "routes class must include Doorkeeper::Rails::AbstractRouter"
+          end
+
+          ROUTES_ACCESS_LOCK.synchronize do
+            registered_routes << routes
+          end
+        end
+
+        alias register register_routes
+      end
+    end
+  end
+end