doorkeeper 5.3.3 → 5.6.6

data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb

@@ -5,16 +5,16 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
     extend ActiveSupport::Concern
 
     included do
-      self.table_name = "#{table_name_prefix}oauth_access_grants#{table_name_suffix}"
+      self.table_name = compute_doorkeeper_table_name
+      self.strict_loading_by_default = false if respond_to?(:strict_loading_by_default)
 
       include ::Doorkeeper::AccessGrantMixin
 
-      belongs_to :application, class_name: Doorkeeper.config.application_class,
+      belongs_to :application, class_name: Doorkeeper.config.application_class.to_s,
                                optional: true,
                                inverse_of: :access_grants
 
-      validates :resource_owner_id,
-                :application_id,
+      validates :application_id,
                 :token,
                 :expires_in,
                 :redirect_uri,
@@ -49,5 +49,15 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
         secret_strategy.store_secret(self, :token, @raw_token)
       end
     end
+
+    module ClassMethods
+      private
+
+      def compute_doorkeeper_table_name
+        table_name = "oauth_access_grant"
+        table_name = table_name.pluralize if pluralize_table_names
+        "#{table_name_prefix}#{table_name}#{table_name_suffix}"
+      end
+    end
   end
 end

data/lib/doorkeeper/orm/active_record/mixins/access_token.rb

@@ -5,11 +5,12 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
     extend ActiveSupport::Concern
 
     included do
-      self.table_name = "#{table_name_prefix}oauth_access_tokens#{table_name_suffix}"
+      self.table_name = compute_doorkeeper_table_name
+      self.strict_loading_by_default = false if respond_to?(:strict_loading_by_default)
 
       include ::Doorkeeper::AccessTokenMixin
 
-      belongs_to :application, class_name: Doorkeeper.config.application_class,
+      belongs_to :application, class_name: Doorkeeper.config.application_class.to_s,
                                inverse_of: :access_tokens,
                                optional: true
 
@@ -25,7 +26,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
                         on: :create, if: :use_refresh_token?
     end
 
-    class_methods do
+    module ClassMethods
       # Searches for not revoked Access Tokens associated with the
       # specific Resource Owner.
       #
@@ -36,12 +37,41 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
       #   active Access Tokens for Resource Owner
       #
       def active_for(resource_owner)
-        where(resource_owner_id: resource_owner.id, revoked_at: nil)
+        by_resource_owner(resource_owner).where(revoked_at: nil)
       end
 
       def refresh_token_revoked_on_use?
         column_names.include?("previous_refresh_token")
       end
+
+      # Returns non-expired and non-revoked access tokens
+      def not_expired
+        relation = where(revoked_at: nil)
+
+        if supports_expiration_time_math?
+          # have not reached the expiration time or it never expires
+          relation.where("#{expiration_time_sql} > ?", Time.now.utc).or(
+            relation.where(expires_in: nil)
+          )
+        else
+          ::Kernel.warn <<~WARNING.squish
+            [DOORKEEPER] Doorkeeper doesn't support expiration time math for your database adapter (#{adapter_name}).
+            Please add a class method `custom_expiration_time_sql` for your AccessToken class/mixin to provide a custom
+            SQL expression to calculate access token expiration time. See lib/doorkeeper/orm/active_record/mixins/access_token.rb
+            for more details.
+          WARNING
+
+          relation
+        end
+      end
+
+      private
+
+      def compute_doorkeeper_table_name
+        table_name = "oauth_access_token"
+        table_name = table_name.pluralize if pluralize_table_names
+        "#{table_name_prefix}#{table_name}#{table_name_suffix}"
+      end
     end
   end
 end

data/lib/doorkeeper/orm/active_record/mixins/application.rb

@@ -5,7 +5,8 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
     extend ActiveSupport::Concern
 
     included do
-      self.table_name = "#{table_name_prefix}oauth_applications#{table_name_suffix}"
+      self.table_name = compute_doorkeeper_table_name
+      self.strict_loading_by_default = false if respond_to?(:strict_loading_by_default)
 
       include ::Doorkeeper::ApplicationMixin
 
@@ -43,7 +44,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
       # @return [String] new transformed secret value
       #
       def renew_secret
-        @raw_secret = Doorkeeper::OAuth::Helpers::UniqueToken.generate
+        @raw_secret = secret_generator.generate
         secret_strategy.store_secret(self, :secret, @raw_secret)
       end
 
@@ -101,6 +102,17 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
 
       private
 
+      def secret_generator
+        generator_name = Doorkeeper.config.application_secret_generator
+        generator = generator_name.constantize
+
+        return generator if generator.respond_to?(:generate)
+
+        raise Errors::UnableToGenerateToken, "#{generator} does not respond to `.generate`."
+      rescue NameError
+        raise Errors::TokenGeneratorNotFound, "#{generator_name} not found"
+      end
+
       def generate_uid
         self.uid = Doorkeeper::OAuth::Helpers::UniqueToken.generate if uid.blank?
       end
@@ -137,9 +149,9 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
         only = Array.wrap(opts[:only]).map(&:to_s)
 
         only = if only.blank?
-                 serializable_attributes
+                 client_serializable_attributes
                else
-                 only & serializable_attributes
+                 only & client_serializable_attributes
                end
 
         only -= Array.wrap(opts[:except]).map(&:to_s) if opts.key?(:except)
@@ -150,7 +162,10 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
       # Override this method if you need additional attributes to be serialized.
       #
       # @return [Array<String>] collection of serializable attributes
-      def serializable_attributes
+      #
+      # NOTE: `serializable_attributes` method already taken by Rails >= 6
+      #
+      def client_serializable_attributes
         attributes = %w[id name created_at]
         attributes << "uid" unless confidential?
         attributes
@@ -182,6 +197,14 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
         Doorkeeper.config.access_token_model.revoke_all_for(id, resource_owner)
         Doorkeeper.config.access_grant_model.revoke_all_for(id, resource_owner)
       end
+
+      private
+
+      def compute_doorkeeper_table_name
+        table_name = "oauth_application"
+        table_name = table_name.pluralize if pluralize_table_names
+        "#{table_name_prefix}#{table_name}#{table_name_suffix}"
+      end
     end
   end
 end

data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb

@@ -21,6 +21,7 @@ module Doorkeeper
           record.errors.add(attribute, :unspecified_scheme) if unspecified_scheme?(uri)
           record.errors.add(attribute, :relative_uri) if relative_uri?(uri)
           record.errors.add(attribute, :secured_uri) if invalid_ssl_uri?(uri)
+          record.errors.add(attribute, :invalid_uri) if unspecified_host?(uri)
         end
       end
     rescue URI::InvalidURIError
@@ -43,8 +44,12 @@ module Doorkeeper
       %w[localhost].include?(uri.try(:scheme))
     end
 
+    def unspecified_host?(uri)
+      uri.is_a?(URI::HTTP) && uri.host.blank?
+    end
+
     def relative_uri?(uri)
-      uri.scheme.nil? && uri.host.nil?
+      uri.scheme.nil? && uri.host.blank?
     end
 
     def invalid_ssl_uri?(uri)

data/lib/doorkeeper/orm/active_record/stale_records_cleaner.rb

@@ -15,7 +15,8 @@ module Doorkeeper
         def clean_revoked
           table = @base_scope.arel_table
 
-          @base_scope.where.not(revoked_at: nil)
+          @base_scope
+            .where.not(revoked_at: nil)
             .where(table[:revoked_at].lt(Time.current))
             .in_batches(&:delete_all)
         end
@@ -24,7 +25,9 @@ module Doorkeeper
         def clean_expired(ttl)
           table = @base_scope.arel_table
 
-          @base_scope.where(table[:created_at].lt(Time.current - ttl))
+          @base_scope
+            .where.not(expires_in: nil)
+            .where(table[:created_at].lt(Time.current - ttl))
             .in_batches(&:delete_all)
         end
       end

data/lib/doorkeeper/orm/active_record.rb

@@ -1,52 +1,44 @@
 # frozen_string_literal: true
 
-require "active_support/lazy_load_hooks"
-
 module Doorkeeper
+  autoload :AccessGrant, "doorkeeper/orm/active_record/access_grant"
+  autoload :AccessToken, "doorkeeper/orm/active_record/access_token"
+  autoload :Application, "doorkeeper/orm/active_record/application"
+  autoload :RedirectUriValidator, "doorkeeper/orm/active_record/redirect_uri_validator"
+
+  module Models
+    autoload :Ownership, "doorkeeper/models/concerns/ownership"
+  end
+
+  # ActiveRecord ORM for Doorkeeper entity models.
+  # Consists of three main OAuth entities:
+  #   * Access Token
+  #   * Access Grant
+  #   * Application (client)
+  #
+  # Do a lazy loading of all the required and configured stuff.
+  #
   module Orm
-    # ActiveRecord ORM for Doorkeeper entity models.
-    # Consists of three main OAuth entities:
-    #   * Access Token
-    #   * Access Grant
-    #   * Application (client)
-    #
-    # Do a lazy loading of all the required and configured stuff.
-    #
     module ActiveRecord
-      def self.initialize_models!
-        lazy_load do
-          require "doorkeeper/orm/active_record/stale_records_cleaner"
-          require "doorkeeper/orm/active_record/access_grant"
-          require "doorkeeper/orm/active_record/access_token"
-          require "doorkeeper/orm/active_record/application"
+      autoload :StaleRecordsCleaner, "doorkeeper/orm/active_record/stale_records_cleaner"
 
-          if Doorkeeper.config.active_record_options[:establish_connection]
-            Doorkeeper::Orm::ActiveRecord.models.each do |model|
-              options = Doorkeeper.config.active_record_options[:establish_connection]
-              model.establish_connection(options)
-            end
-          end
-        end
+      module Mixins
+        autoload :AccessGrant, "doorkeeper/orm/active_record/mixins/access_grant"
+        autoload :AccessToken, "doorkeeper/orm/active_record/mixins/access_token"
+        autoload :Application, "doorkeeper/orm/active_record/mixins/application"
       end
 
-      def self.initialize_application_owner!
-        lazy_load do
-          require "doorkeeper/models/concerns/ownership"
-
-          Doorkeeper.config.application_model.send :include, Doorkeeper::Models::Ownership
-        end
+      def self.run_hooks
+        initialize_configured_associations
       end
 
-      def self.lazy_load(&block)
-        ActiveSupport.on_load(:active_record, {}, &block)
-      end
+      def self.initialize_configured_associations
+        if Doorkeeper.config.enable_application_owner?
+          Doorkeeper.config.application_model.include ::Doorkeeper::Models::Ownership
+        end
 
-      def self.models
-        [
-          Doorkeeper::AccessGrant,
-          Doorkeeper::AccessToken,
-          Doorkeeper::Application,
-        ]
+        Doorkeeper.config.access_grant_model.include ::Doorkeeper::Models::PolymorphicResourceOwner::ForAccessGrant
+        Doorkeeper.config.access_token_model.include ::Doorkeeper::Models::PolymorphicResourceOwner::ForAccessToken
       end
     end
   end

data/lib/doorkeeper/rails/routes/abstract_router.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module Rails
+    # Abstract router module that implements base behavior
+    # for generating and mapping Rails routes.
+    #
+    # Could be reused in Doorkeeper extensions.
+    #
+    module AbstractRouter
+      extend ActiveSupport::Concern
+
+      attr_reader :routes
+
+      def initialize(routes, mapper = Mapper.new, &block)
+        @routes = routes
+        @mapping = mapper.map(&block)
+      end
+
+      def generate_routes!(**_options)
+        raise NotImplementedError, "must be redefined for #{self.class.name}!"
+      end
+
+      private
+
+      def map_route(name, method)
+        return if @mapping.skipped?(name)
+
+        send(method, @mapping[name])
+
+        mapping[name] = @mapping[name]
+      end
+    end
+  end
+end

data/lib/doorkeeper/rails/routes/mapper.rb

@@ -4,8 +4,8 @@ module Doorkeeper
   module Rails
     class Routes # :nodoc:
       class Mapper
-        def initialize
-          @mapping = Mapping.new
+        def initialize(mapping = Mapping.new)
+          @mapping = mapping
         end
 
         def map(&block)

data/lib/doorkeeper/rails/routes/registry.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module Rails
+    class Routes
+      # Thread-safe registry of any Doorkeeper additional routes.
+      # Used to allow implementing of Doorkeeper extensions that must
+      # use their own routes.
+      #
+      module Registry
+        ROUTES_ACCESS_LOCK = Mutex.new
+        ROUTES_DEFINITION_LOCK = Mutex.new
+
+        InvalidRouterClass = Class.new(StandardError)
+
+        # Collection of additional registered routes for Doorkeeper.
+        #
+        # @return [Array<Object>] set of registered routes
+        #
+        def registered_routes
+          ROUTES_DEFINITION_LOCK.synchronize do
+            @registered_routes ||= Set.new
+          end
+        end
+
+        # Registers additional routes in the Doorkeeper registry
+        #
+        # @param [Object] routes
+        #   routes class
+        #
+        def register_routes(routes)
+          if !routes.is_a?(Module) || !(routes < AbstractRouter)
+            raise InvalidRouterClass, "routes class must include Doorkeeper::Rails::AbstractRouter"
+          end
+
+          ROUTES_ACCESS_LOCK.synchronize do
+            registered_routes << routes
+          end
+        end
+
+        alias register register_routes
+      end
+    end
+  end
+end

data/lib/doorkeeper/rails/routes.rb

@@ -2,31 +2,33 @@
 
 require "doorkeeper/rails/routes/mapping"
 require "doorkeeper/rails/routes/mapper"
+require "doorkeeper/rails/routes/abstract_router"
+require "doorkeeper/rails/routes/registry"
 
 module Doorkeeper
   module Rails
     class Routes # :nodoc:
-      mattr_reader :mapping do
-        {}
-      end
-
       module Helper
         def use_doorkeeper(options = {}, &block)
           Doorkeeper::Rails::Routes.new(self, &block).generate_routes!(options)
         end
       end
 
-      def self.install!
-        ActionDispatch::Routing::Mapper.include Doorkeeper::Rails::Routes::Helper
+      include AbstractRouter
+      extend Registry
+
+      mattr_reader :mapping do
+        {}
       end
 
-      attr_reader :routes
+      def self.install!
+        ActionDispatch::Routing::Mapper.include Doorkeeper::Rails::Routes::Helper
 
-      def initialize(routes, &block)
-        @routes = routes
-        @mapping = Mapper.new.map(&block)
+        registered_routes.each(&:install!)
+      end
 
-        @mapping.skips.push(:applications, :authorized_applications) if Doorkeeper.config.api_only
+      def initialize(routes, mapper = Mapper.new, &block)
+        super
       end
 
       def generate_routes!(options)
@@ -34,7 +36,7 @@ module Doorkeeper
           map_route(:authorizations, :authorization_routes)
           map_route(:tokens, :token_routes)
           map_route(:tokens, :revoke_routes)
-          map_route(:tokens, :introspect_routes)
+          map_route(:tokens, :introspect_routes) if introspection_routes?
           map_route(:applications, :application_routes)
           map_route(:authorized_applications, :authorized_applications_routes)
           map_route(:token_info, :token_info_routes)
@@ -43,14 +45,6 @@ module Doorkeeper
 
       private
 
-      def map_route(name, method)
-        return if @mapping.skipped?(name)
-
-        send(method, @mapping[name])
-
-        mapping[name] = @mapping[name]
-      end
-
       def authorization_routes(mapping)
         routes.resource(
           :authorization,
@@ -59,8 +53,8 @@ module Doorkeeper
           as: mapping[:as],
           controller: mapping[:controllers],
         ) do
-          routes.get "/native", action: :show, on: :member
-          routes.get "/", action: :new, on: :member
+          routes.get native_authorization_code_route, action: :show, on: :member
+          routes.get '/', action: :new, on: :member
         end
       end
 
@@ -102,6 +96,15 @@ module Doorkeeper
                          only: %i[index destroy],
                          controller: mapping[:controllers]
       end
+
+      def native_authorization_code_route
+        Doorkeeper.configuration.native_authorization_code_route
+      end
+
+      def introspection_routes?
+        Doorkeeper.configured? &&
+          !Doorkeeper.config.allow_token_introspection.is_a?(FalseClass)
+      end
     end
   end
 end

data/lib/doorkeeper/rake/db.rake

@@ -13,7 +13,7 @@ namespace :doorkeeper do
     namespace :cleanup do
       desc "Removes stale access tokens"
       task revoked_tokens: "doorkeeper:setup" do
-        cleaner = Doorkeeper::StaleRecordsCleaner.new(Doorkeeper::AccessToken)
+        cleaner = Doorkeeper::StaleRecordsCleaner.new(Doorkeeper.config.access_token_model)
         cleaner.clean_revoked
       end
 
@@ -26,13 +26,13 @@ namespace :doorkeeper do
 
       desc "Removes stale access grants"
       task revoked_grants: "doorkeeper:setup" do
-        cleaner = Doorkeeper::StaleRecordsCleaner.new(Doorkeeper::AccessGrant)
+        cleaner = Doorkeeper::StaleRecordsCleaner.new(Doorkeeper.config.access_grant_model)
         cleaner.clean_revoked
       end
 
       desc "Removes expired (TTL passed) access grants"
       task expired_grants: "doorkeeper:setup" do
-        cleaner = Doorkeeper::StaleRecordsCleaner.new(Doorkeeper::AccessGrant)
+        cleaner = Doorkeeper::StaleRecordsCleaner.new(Doorkeeper.config.access_grant_model)
         cleaner.clean_expired(Doorkeeper.config.authorization_code_expires_in)
       end
     end

data/lib/doorkeeper/request/password.rb

@@ -9,6 +9,7 @@ module Doorkeeper
         @request ||= OAuth::PasswordAccessTokenRequest.new(
           Doorkeeper.config,
           client,
+          credentials,
           resource_owner,
           parameters,
         )

data/lib/doorkeeper/request/refresh_token.rb

@@ -12,7 +12,8 @@ module Doorkeeper
       def request
         @request ||= OAuth::RefreshTokenRequest.new(
           Doorkeeper.config,
-          refresh_token, credentials,
+          refresh_token,
+          credentials,
           parameters,
         )
       end

data/lib/doorkeeper/request/strategy.rb

@@ -3,12 +3,12 @@
 module Doorkeeper
   module Request
     class Strategy
-      attr_accessor :server
+      attr_reader :server
 
       delegate :authorize, to: :request
 
       def initialize(server)
-        self.server = server
+        @server = server
       end
 
       def request

data/lib/doorkeeper/request.rb

@@ -4,32 +4,69 @@ module Doorkeeper
   module Request
     class << self
       def authorization_strategy(response_type)
-        build_strategy_class(response_type)
+        grant_flow = authorization_flows.detect do |flow|
+          flow.matches_response_type?(response_type)
+        end
+
+        if grant_flow
+          grant_flow.response_type_strategy
+        else
+          # [NOTE]: this will be removed in a newer versions of Doorkeeper.
+          # For retro-compatibility only
+          build_fallback_strategy_class(response_type)
+        end
       end
 
       def token_strategy(grant_type)
         raise Errors::MissingRequiredParameter, :grant_type if grant_type.blank?
 
-        get_strategy(grant_type, token_grant_types)
-      rescue NameError
-        raise Errors::InvalidTokenStrategy
-      end
+        grant_flow = token_flows.detect do |flow|
+          flow.matches_grant_type?(grant_type)
+        end
 
-      def get_strategy(grant_type, available)
-        raise NameError unless available.include?(grant_type.to_s)
+        if grant_flow
+          grant_flow.grant_type_strategy
+        else
+          # [NOTE]: this will be removed in a newer versions of Doorkeeper.
+          # For retro-compatibility only
+          raise Errors::InvalidTokenStrategy unless available.include?(grant_type.to_s)
 
-        build_strategy_class(grant_type)
+          strategy_class = build_fallback_strategy_class(grant_type)
+          raise Errors::InvalidTokenStrategy unless strategy_class
+
+          strategy_class
+        end
       end
 
       private
 
-      def token_grant_types
-        Doorkeeper.config.token_grant_types
+      def authorization_flows
+        Doorkeeper.configuration.authorization_response_flows
+      end
+
+      def token_flows
+        Doorkeeper.configuration.token_grant_flows
       end
 
-      def build_strategy_class(grant_or_request_type)
+      # [NOTE]: this will be removed in a newer versions of Doorkeeper.
+      # For retro-compatibility only
+      def available
+        Doorkeeper.config.deprecated_token_grant_types_resolver
+      end
+
+      def build_fallback_strategy_class(grant_or_request_type)
         strategy_class_name = grant_or_request_type.to_s.tr(" ", "_").camelize
-        "Doorkeeper::Request::#{strategy_class_name}".constantize
+        fallback_strategy = "Doorkeeper::Request::#{strategy_class_name}".constantize
+
+        ::Kernel.warn <<~WARNING
+          [DOORKEEPER] #{fallback_strategy} found using fallback, it must be
+          registered using `Doorkeeper::GrantFlow.register(grant_flow_name, **options)`.
+          This functionality will be removed in a newer versions of Doorkeeper.
+        WARNING
+
+        fallback_strategy
+      rescue NameError
+        raise Errors::InvalidTokenStrategy
       end
     end
   end

data/lib/doorkeeper/server.rb

@@ -2,19 +2,19 @@
 
 module Doorkeeper
   class Server
-    attr_accessor :context
+    attr_reader :context
 
-    def initialize(context = nil)
+    def initialize(context)
       @context = context
     end
 
     def authorization_request(strategy)
-      klass = Request.authorization_strategy strategy
+      klass = Request.authorization_strategy(strategy)
       klass.new(self)
     end
 
     def token_request(strategy)
-      klass = Request.token_strategy strategy
+      klass = Request.token_strategy(strategy)
       klass.new(self)
     end
 

data/lib/doorkeeper/stale_records_cleaner.rb

@@ -13,12 +13,12 @@ module Doorkeeper
       raise Doorkeeper::Errors::NoOrmCleaner, "'#{configured_orm}' ORM has no cleaner!"
     end
 
-    def self.configured_orm
-      Doorkeeper.config.orm
-    end
-
     def self.new(base_scope)
       self.for(base_scope)
     end
+
+    def self.configured_orm
+      Doorkeeper.config.orm
+    end
   end
 end