doorkeeper 5.3.3 → 5.6.6

data/spec/requests/flows/revoke_token_spec.rb

@@ -1,157 +0,0 @@
-# frozen_string_literal: true
-
-require "spec_helper"
-
-describe "Revoke Token Flow" do
-  before do
-    Doorkeeper.configure { orm DOORKEEPER_ORM }
-  end
-
-  context "with default parameters" do
-    let(:client_application) { FactoryBot.create :application }
-    let(:resource_owner) { User.create!(name: "John", password: "sekret") }
-    let(:access_token) do
-      FactoryBot.create(
-        :access_token,
-        application: client_application,
-        resource_owner_id: resource_owner.id,
-        use_refresh_token: true,
-      )
-    end
-
-    context "with authenticated, confidential OAuth 2.0 client/application" do
-      let(:headers) do
-        client_id = client_application.uid
-        client_secret = client_application.secret
-        credentials = Base64.encode64("#{client_id}:#{client_secret}")
-        { "HTTP_AUTHORIZATION" => "Basic #{credentials}" }
-      end
-
-      it "should revoke the access token provided" do
-        post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
-
-        expect(response).to be_successful
-        expect(access_token.reload.revoked?).to be_truthy
-      end
-
-      it "should revoke the refresh token provided" do
-        post revocation_token_endpoint_url, params: { token: access_token.refresh_token }, headers: headers
-
-        expect(response).to be_successful
-        expect(access_token.reload.revoked?).to be_truthy
-      end
-
-      context "with invalid token to revoke" do
-        it "should not revoke any tokens and respond with forbidden" do
-          expect do
-            post revocation_token_endpoint_url,
-                 params: { token: "I_AM_AN_INVALID_TOKEN" },
-                 headers: headers
-          end.not_to(change { Doorkeeper::AccessToken.where(revoked_at: nil).count })
-
-          expect(response).to be_forbidden
-        end
-      end
-
-      context "with bad credentials and a valid token" do
-        let(:headers) do
-          client_id = client_application.uid
-          credentials = Base64.encode64("#{client_id}:poop")
-          { "HTTP_AUTHORIZATION" => "Basic #{credentials}" }
-        end
-        it "should not revoke any tokens and respond with forbidden" do
-          post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
-
-          expect(response).to be_forbidden
-          expect(response.body).to include("unauthorized_client")
-          expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
-          expect(access_token.reload.revoked?).to be_falsey
-        end
-      end
-
-      context "with no credentials and a valid token" do
-        it "should not revoke any tokens and respond with forbidden" do
-          post revocation_token_endpoint_url, params: { token: access_token.token }
-
-          expect(response).to be_forbidden
-          expect(response.body).to include("unauthorized_client")
-          expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
-          expect(access_token.reload.revoked?).to be_falsey
-        end
-      end
-
-      context "with valid token for another client application" do
-        let(:other_client_application) { FactoryBot.create :application }
-        let(:headers) do
-          client_id = other_client_application.uid
-          client_secret = other_client_application.secret
-          credentials = Base64.encode64("#{client_id}:#{client_secret}")
-          { "HTTP_AUTHORIZATION" => "Basic #{credentials}" }
-        end
-
-        it "should not revoke the token as its unauthorized" do
-          post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
-
-          expect(response).to be_forbidden
-          expect(response.body).to include("unauthorized_client")
-          expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
-          expect(access_token.reload.revoked?).to be_falsey
-        end
-      end
-    end
-
-    context "with public OAuth 2.0 client/application" do
-      let(:access_token) do
-        FactoryBot.create(
-          :access_token,
-          application: nil,
-          resource_owner_id: resource_owner.id,
-          use_refresh_token: true,
-        )
-      end
-
-      it "should revoke the access token provided" do
-        post revocation_token_endpoint_url, params: { token: access_token.token }
-
-        expect(response).to be_successful
-        expect(access_token.reload.revoked?).to be_truthy
-      end
-
-      it "should revoke the refresh token provided" do
-        post revocation_token_endpoint_url, params: { token: access_token.refresh_token }
-
-        expect(response).to be_successful
-        expect(access_token.reload.revoked?).to be_truthy
-      end
-
-      context "with a valid token issued for a confidential client" do
-        let(:access_token) do
-          FactoryBot.create(
-            :access_token,
-            application: client_application,
-            resource_owner_id: resource_owner.id,
-            use_refresh_token: true,
-          )
-        end
-
-        it "should not revoke the access token provided" do
-          post revocation_token_endpoint_url, params: { token: access_token.token }
-
-          expect(response).to be_forbidden
-          expect(response.body).to include("unauthorized_client")
-          expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
-          expect(access_token.reload.revoked?).to be_falsey
-        end
-
-        it "should not revoke the refresh token provided" do
-          post revocation_token_endpoint_url, params: { token: access_token.token }
-
-          expect(response).to be_forbidden
-          expect(response.body).to include("unauthorized_client")
-          expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
-          expect(access_token.reload.revoked?).to be_falsey
-        end
-      end
-    end
-  end
-end

data/spec/requests/flows/skip_authorization_spec.rb

@@ -1,66 +0,0 @@
-# frozen_string_literal: true
-
-require "spec_helper"
-
-feature "Skip authorization form" do
-  background do
-    config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
-    client_exists
-    default_scopes_exist  :public
-    optional_scopes_exist :write
-  end
-
-  context "for previously authorized clients" do
-    background do
-      create_resource_owner
-      sign_in
-    end
-
-    scenario "skips the authorization and return a new grant code" do
-      client_is_authorized(@client, @resource_owner, scopes: "public")
-      visit authorization_endpoint_url(client: @client, scope: "public")
-
-      i_should_not_see "Authorize"
-      client_should_be_authorized @client
-      i_should_be_on_client_callback @client
-      url_should_have_param "code", Doorkeeper::AccessGrant.first.token
-    end
-
-    scenario "skips the authorization if other scopes are not requested" do
-      client_exists scopes: "public read write"
-      client_is_authorized(@client, @resource_owner, scopes: "public")
-      visit authorization_endpoint_url(client: @client, scope: "public")
-
-      i_should_not_see "Authorize"
-      client_should_be_authorized @client
-      i_should_be_on_client_callback @client
-      url_should_have_param "code", Doorkeeper::AccessGrant.first.token
-    end
-
-    scenario "does not skip authorization when scopes differ (new request has fewer scopes)" do
-      client_is_authorized(@client, @resource_owner, scopes: "public write")
-      visit authorization_endpoint_url(client: @client, scope: "public")
-      i_should_see "Authorize"
-    end
-
-    scenario "does not skip authorization when scopes differ (new request has more scopes)" do
-      client_is_authorized(@client, @resource_owner, scopes: "public write")
-      visit authorization_endpoint_url(client: @client, scopes: "public write email")
-      i_should_see "Authorize"
-    end
-
-    scenario "creates grant with new scope when scopes differ" do
-      client_is_authorized(@client, @resource_owner, scopes: "public write")
-      visit authorization_endpoint_url(client: @client, scope: "public")
-      click_on "Authorize"
-      access_grant_should_have_scopes :public
-    end
-
-    scenario "creates grant with new scope when scopes are greater" do
-      client_is_authorized(@client, @resource_owner, scopes: "public")
-      visit authorization_endpoint_url(client: @client, scope: "public write")
-      click_on "Authorize"
-      access_grant_should_have_scopes :public, :write
-    end
-  end
-end

data/spec/requests/protected_resources/metal_spec.rb

@@ -1,16 +0,0 @@
-# frozen_string_literal: true
-
-require "spec_helper"
-
-describe "ActionController::Metal API" do
-  before do
-    @client   = FactoryBot.create(:application)
-    @resource = User.create!(name: "Joe", password: "sekret")
-    @token    = client_is_authorized(@client, @resource)
-  end
-
-  it "client requests protected resource with valid token" do
-    get "/metal.json?access_token=#{@token.token}"
-    should_have_json "ok", true
-  end
-end

data/spec/requests/protected_resources/private_api_spec.rb

@@ -1,83 +0,0 @@
-# frozen_string_literal: true
-
-require "spec_helper"
-
-feature "Private API" do
-  background do
-    @client   = FactoryBot.create(:application)
-    @resource = User.create!(name: "Joe", password: "sekret")
-    @token    = client_is_authorized(@client, @resource)
-  end
-
-  scenario "client requests protected resource with valid token" do
-    with_access_token_header @token.token
-    visit "/full_protected_resources"
-    expect(page.body).to have_content("index")
-  end
-
-  scenario "client requests protected resource with disabled header authentication" do
-    config_is_set :access_token_methods, [:from_access_token_param]
-    with_access_token_header @token.token
-    visit "/full_protected_resources"
-    response_status_should_be 401
-  end
-
-  scenario "client attempts to request protected resource with invalid token" do
-    with_access_token_header "invalid"
-    visit "/full_protected_resources"
-    response_status_should_be 401
-  end
-
-  scenario "client attempts to request protected resource with expired token" do
-    @token.update_attribute :expires_in, -100 # expires token
-    with_access_token_header @token.token
-    visit "/full_protected_resources"
-    response_status_should_be 401
-  end
-
-  scenario "client requests protected resource with permanent token" do
-    @token.update_attribute :expires_in, nil # never expires
-    with_access_token_header @token.token
-    visit "/full_protected_resources"
-    expect(page.body).to have_content("index")
-  end
-
-  scenario "access token with no default scopes" do
-    Doorkeeper.configuration.instance_eval do
-      @default_scopes = Doorkeeper::OAuth::Scopes.from_array([:public])
-      @scopes = default_scopes + optional_scopes
-    end
-    @token.update_attribute :scopes, "dummy"
-    with_access_token_header @token.token
-    visit "/full_protected_resources"
-    response_status_should_be 403
-  end
-
-  scenario "access token with no allowed scopes" do
-    @token.update_attribute :scopes, nil
-    with_access_token_header @token.token
-    visit "/full_protected_resources/1.json"
-    response_status_should_be 403
-  end
-
-  scenario "access token with one of allowed scopes" do
-    @token.update_attribute :scopes, "admin"
-    with_access_token_header @token.token
-    visit "/full_protected_resources/1.json"
-    expect(page.body).to have_content("show")
-  end
-
-  scenario "access token with another of allowed scopes" do
-    @token.update_attribute :scopes, "write"
-    with_access_token_header @token.token
-    visit "/full_protected_resources/1.json"
-    expect(page.body).to have_content("show")
-  end
-
-  scenario "access token with both allowed scopes" do
-    @token.update_attribute :scopes, "write admin"
-    with_access_token_header @token.token
-    visit "/full_protected_resources/1.json"
-    expect(page.body).to have_content("show")
-  end
-end

data/spec/routing/custom_controller_routes_spec.rb

@@ -1,133 +0,0 @@
-# frozen_string_literal: true
-
-require "spec_helper"
-
-describe "Custom controller for routes" do
-  before :all do
-    Doorkeeper.configure do
-      orm DOORKEEPER_ORM
-    end
-
-    Rails.application.routes.disable_clear_and_finalize = true
-
-    Rails.application.routes.draw do
-      scope "inner_space" do
-        use_doorkeeper scope: "scope" do
-          controllers authorizations: "custom_authorizations",
-                      tokens: "custom_authorizations",
-                      applications: "custom_authorizations",
-                      token_info: "custom_authorizations"
-
-          as authorizations: "custom_auth",
-             tokens: "custom_token",
-             token_info: "custom_token_info"
-        end
-      end
-
-      scope "space" do
-        use_doorkeeper do
-          controllers authorizations: "custom_authorizations",
-                      tokens: "custom_authorizations",
-                      applications: "custom_authorizations",
-                      token_info: "custom_authorizations"
-
-          as authorizations: "custom_auth",
-             tokens: "custom_token",
-             token_info: "custom_token_info"
-        end
-      end
-
-      scope "outer_space" do
-        use_doorkeeper do
-          controllers authorizations: "custom_authorizations",
-                      tokens: "custom_authorizations",
-                      token_info: "custom_authorizations"
-
-          as authorizations: "custom_auth",
-             tokens: "custom_token",
-             token_info: "custom_token_info"
-
-          skip_controllers :tokens, :applications, :token_info
-        end
-      end
-    end
-  end
-
-  after :all do
-    Rails.application.routes.clear!
-
-    load File.expand_path("../dummy/config/routes.rb", __dir__)
-  end
-
-  it "GET /inner_space/scope/authorize routes to custom authorizations controller" do
-    expect(get("/inner_space/scope/authorize")).to route_to("custom_authorizations#new")
-  end
-
-  it "POST /inner_space/scope/authorize routes to custom authorizations controller" do
-    expect(post("/inner_space/scope/authorize")).to route_to("custom_authorizations#create")
-  end
-
-  it "DELETE /inner_space/scope/authorize routes to custom authorizations controller" do
-    expect(delete("/inner_space/scope/authorize")).to route_to("custom_authorizations#destroy")
-  end
-
-  it "POST /inner_space/scope/token routes to tokens controller" do
-    expect(post("/inner_space/scope/token")).to route_to("custom_authorizations#create")
-  end
-
-  it "GET /inner_space/scope/applications routes to applications controller" do
-    expect(get("/inner_space/scope/applications")).to route_to("custom_authorizations#index")
-  end
-
-  it "GET /inner_space/scope/token/info routes to the token_info controller" do
-    expect(get("/inner_space/scope/token/info")).to route_to("custom_authorizations#show")
-  end
-
-  it "GET /space/oauth/authorize routes to custom authorizations controller" do
-    expect(get("/space/oauth/authorize")).to route_to("custom_authorizations#new")
-  end
-
-  it "POST /space/oauth/authorize routes to custom authorizations controller" do
-    expect(post("/space/oauth/authorize")).to route_to("custom_authorizations#create")
-  end
-
-  it "DELETE /space/oauth/authorize routes to custom authorizations controller" do
-    expect(delete("/space/oauth/authorize")).to route_to("custom_authorizations#destroy")
-  end
-
-  it "POST /space/oauth/token routes to tokens controller" do
-    expect(post("/space/oauth/token")).to route_to("custom_authorizations#create")
-  end
-
-  it "POST /space/oauth/revoke routes to tokens controller" do
-    expect(post("/space/oauth/revoke")).to route_to("custom_authorizations#revoke")
-  end
-
-  it "POST /space/oauth/introspect routes to tokens controller" do
-    expect(post("/space/oauth/introspect")).to route_to("custom_authorizations#introspect")
-  end
-
-  it "GET /space/oauth/applications routes to applications controller" do
-    expect(get("/space/oauth/applications")).to route_to("custom_authorizations#index")
-  end
-
-  it "GET /space/oauth/token/info routes to the token_info controller" do
-    expect(get("/space/oauth/token/info")).to route_to("custom_authorizations#show")
-  end
-
-  it "POST /outer_space/oauth/token is not be routable" do
-    expect(post("/outer_space/oauth/token")).not_to be_routable
-  end
-
-  it "GET /outer_space/oauth/authorize routes to custom authorizations controller" do
-    expect(get("/outer_space/oauth/authorize")).to be_routable
-  end
-
-  it "GET /outer_space/oauth/applications is not routable" do
-    expect(get("/outer_space/oauth/applications")).not_to be_routable
-  end
-
-  it "GET /outer_space/oauth/token_info is not routable" do
-    expect(get("/outer_space/oauth/token/info")).not_to be_routable
-  end
-end

data/spec/routing/default_routes_spec.rb

@@ -1,41 +0,0 @@
-# frozen_string_literal: true
-
-require "spec_helper"
-
-describe "Default routes" do
-  it "GET /oauth/authorize routes to authorizations controller" do
-    expect(get("/oauth/authorize")).to route_to("doorkeeper/authorizations#new")
-  end
-
-  it "POST /oauth/authorize routes to authorizations controller" do
-    expect(post("/oauth/authorize")).to route_to("doorkeeper/authorizations#create")
-  end
-
-  it "DELETE /oauth/authorize routes to authorizations controller" do
-    expect(delete("/oauth/authorize")).to route_to("doorkeeper/authorizations#destroy")
-  end
-
-  it "POST /oauth/token routes to tokens controller" do
-    expect(post("/oauth/token")).to route_to("doorkeeper/tokens#create")
-  end
-
-  it "POST /oauth/revoke routes to tokens controller" do
-    expect(post("/oauth/revoke")).to route_to("doorkeeper/tokens#revoke")
-  end
-
-  it "POST /oauth/introspect routes to tokens controller" do
-    expect(post("/oauth/introspect")).to route_to("doorkeeper/tokens#introspect")
-  end
-
-  it "GET /oauth/applications routes to applications controller" do
-    expect(get("/oauth/applications")).to route_to("doorkeeper/applications#index")
-  end
-
-  it "GET /oauth/authorized_applications routes to authorized applications controller" do
-    expect(get("/oauth/authorized_applications")).to route_to("doorkeeper/authorized_applications#index")
-  end
-
-  it "GET /oauth/token/info route to authorized TokenInfo controller" do
-    expect(get("/oauth/token/info")).to route_to("doorkeeper/token_info#show")
-  end
-end

data/spec/routing/scoped_routes_spec.rb

@@ -1,47 +0,0 @@
-# frozen_string_literal: true
-
-require "spec_helper"
-
-describe "Scoped routes" do
-  before :all do
-    Rails.application.routes.disable_clear_and_finalize = true
-
-    Rails.application.routes.draw do
-      use_doorkeeper scope: "scope"
-    end
-  end
-
-  after :all do
-    Rails.application.routes.clear!
-
-    load File.expand_path("../dummy/config/routes.rb", __dir__)
-  end
-
-  it "GET /scope/authorize routes to authorizations controller" do
-    expect(get("/scope/authorize")).to route_to("doorkeeper/authorizations#new")
-  end
-
-  it "POST /scope/authorize routes to authorizations controller" do
-    expect(post("/scope/authorize")).to route_to("doorkeeper/authorizations#create")
-  end
-
-  it "DELETE /scope/authorize routes to authorizations controller" do
-    expect(delete("/scope/authorize")).to route_to("doorkeeper/authorizations#destroy")
-  end
-
-  it "POST /scope/token routes to tokens controller" do
-    expect(post("/scope/token")).to route_to("doorkeeper/tokens#create")
-  end
-
-  it "GET /scope/applications routes to applications controller" do
-    expect(get("/scope/applications")).to route_to("doorkeeper/applications#index")
-  end
-
-  it "GET /scope/authorized_applications routes to authorized applications controller" do
-    expect(get("/scope/authorized_applications")).to route_to("doorkeeper/authorized_applications#index")
-  end
-
-  it "GET /scope/token/info route to authorized TokenInfo controller" do
-    expect(get("/scope/token/info")).to route_to("doorkeeper/token_info#show")
-  end
-end

data/spec/spec_helper.rb

@@ -1,54 +0,0 @@
-# frozen_string_literal: true
-
-require "coveralls"
-
-Coveralls.wear!("rails") do
-  add_filter("/spec/")
-  add_filter("/lib/generators/doorkeeper/templates/")
-end
-
-ENV["RAILS_ENV"] ||= "test"
-
-$LOAD_PATH.unshift File.dirname(__FILE__)
-
-require "#{File.dirname(__FILE__)}/support/doorkeeper_rspec.rb"
-
-DOORKEEPER_ORM = Doorkeeper::RSpec.detect_orm
-
-require "dummy/config/environment"
-require "rspec/rails"
-require "capybara/rspec"
-require "database_cleaner"
-require "generator_spec/test_case"
-
-# Load JRuby SQLite3 if in that platform
-if defined? JRUBY_VERSION
-  require "jdbc/sqlite3"
-  Jdbc::SQLite3.load_driver
-end
-
-Doorkeeper::RSpec.print_configuration_info
-
-require "support/orm/#{DOORKEEPER_ORM}"
-
-Dir["#{File.dirname(__FILE__)}/support/{dependencies,helpers,shared}/*.rb"].sort.each { |file| require file }
-
-RSpec.configure do |config|
-  config.infer_spec_type_from_file_location!
-  config.mock_with :rspec
-
-  config.infer_base_class_for_anonymous_controllers = false
-
-  config.include RSpec::Rails::RequestExampleGroup, type: :request
-
-  config.before do
-    DatabaseCleaner.start
-    Doorkeeper.configure { orm DOORKEEPER_ORM }
-  end
-
-  config.after do
-    DatabaseCleaner.clean
-  end
-
-  config.order = "random"
-end

data/spec/spec_helper_integration.rb

@@ -1,4 +0,0 @@
-# frozen_string_literal: true
-
-# For compatibility only
-require "spec_helper"

data/spec/support/dependencies/factory_bot.rb

@@ -1,4 +0,0 @@
-# frozen_string_literal: true
-
-require "factory_bot"
-FactoryBot.find_definitions

data/spec/support/doorkeeper_rspec.rb

@@ -1,22 +0,0 @@
-# frozen_string_literal: true
-
-module Doorkeeper
-  class RSpec
-    # Print's useful information about env: Ruby / Rails versions,
-    # Doorkeeper configuration, etc.
-    def self.print_configuration_info
-      puts <<-INFO.strip_heredoc
-        ====> Doorkeeper ORM: '#{Doorkeeper.configuration.orm}'
-        ====> Doorkeeper version: #{Doorkeeper.gem_version}
-        ====> Rails version: #{::Rails.version}
-        ====> Ruby version: #{RUBY_VERSION} on #{RUBY_PLATFORM}
-      INFO
-    end
-
-    # Tries to find ORM from the Gemfile used to run test suite
-    def self.detect_orm
-      orm = (ENV["BUNDLE_GEMFILE"] || "").match(/Gemfile\.(.+)\.rb/)
-      (orm && orm[1] || ENV["ORM"] || :active_record).to_sym
-    end
-  end
-end

data/spec/support/helpers/access_token_request_helper.rb

@@ -1,13 +0,0 @@
-# frozen_string_literal: true
-
-module AccessTokenRequestHelper
-  def client_is_authorized(client, resource_owner, access_token_attributes = {})
-    attributes = {
-      application: client,
-      resource_owner_id: resource_owner.id,
-    }.merge(access_token_attributes)
-    FactoryBot.create(:access_token, attributes)
-  end
-end
-
-RSpec.configuration.send :include, AccessTokenRequestHelper