doorkeeper 5.4.0.rc1 → 5.5.0



Files changed (219)
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +108 -9
  3. data/README.md +4 -4
  4. data/app/controllers/doorkeeper/applications_controller.rb +3 -3
  5. data/app/controllers/doorkeeper/authorizations_controller.rb +16 -5
  6. data/app/controllers/doorkeeper/authorized_applications_controller.rb +1 -1
  7. data/app/controllers/doorkeeper/token_info_controller.rb +12 -2
  8. data/app/controllers/doorkeeper/tokens_controller.rb +34 -26
  9. data/app/views/doorkeeper/applications/_form.html.erb +1 -1
  10. data/app/views/doorkeeper/applications/show.html.erb +16 -12
  11. data/app/views/doorkeeper/authorizations/form_post.html.erb +11 -0
  12. data/config/locales/en.yml +3 -1
  13. data/lib/doorkeeper.rb +6 -1
  14. data/lib/doorkeeper/config.rb +109 -78
  15. data/lib/doorkeeper/config/abstract_builder.rb +1 -1
  16. data/lib/doorkeeper/config/option.rb +1 -3
  17. data/lib/doorkeeper/config/validations.rb +53 -0
  18. data/lib/doorkeeper/engine.rb +1 -1
  19. data/lib/doorkeeper/grant_flow.rb +45 -0
  20. data/lib/doorkeeper/grant_flow/fallback_flow.rb +15 -0
  21. data/lib/doorkeeper/grant_flow/flow.rb +44 -0
  22. data/lib/doorkeeper/grant_flow/registry.rb +50 -0
  23. data/lib/doorkeeper/helpers/controller.rb +8 -4
  24. data/lib/doorkeeper/models/access_grant_mixin.rb +12 -7
  25. data/lib/doorkeeper/models/access_token_mixin.rb +12 -8
  26. data/lib/doorkeeper/models/application_mixin.rb +5 -4
  27. data/lib/doorkeeper/models/concerns/revocable.rb +1 -1
  28. data/lib/doorkeeper/oauth/authorization/code.rb +5 -1
  29. data/lib/doorkeeper/oauth/authorization/context.rb +5 -5
  30. data/lib/doorkeeper/oauth/authorization/token.rb +11 -5
  31. data/lib/doorkeeper/oauth/authorization/uri_builder.rb +1 -1
  32. data/lib/doorkeeper/oauth/authorization_code_request.rb +10 -17
  33. data/lib/doorkeeper/oauth/base_request.rb +1 -1
  34. data/lib/doorkeeper/oauth/client_credentials/creator.rb +3 -2
  35. data/lib/doorkeeper/oauth/client_credentials/issuer.rb +1 -0
  36. data/lib/doorkeeper/oauth/client_credentials/validator.rb +3 -1
  37. data/lib/doorkeeper/oauth/code_request.rb +2 -2
  38. data/lib/doorkeeper/oauth/code_response.rb +17 -11
  39. data/lib/doorkeeper/oauth/error_response.rb +4 -3
  40. data/lib/doorkeeper/oauth/helpers/scope_checker.rb +1 -3
  41. data/lib/doorkeeper/oauth/password_access_token_request.rb +21 -2
  42. data/lib/doorkeeper/oauth/pre_authorization.rb +37 -11
  43. data/lib/doorkeeper/oauth/refresh_token_request.rb +13 -0
  44. data/lib/doorkeeper/oauth/token.rb +4 -5
  45. data/lib/doorkeeper/oauth/token_introspection.rb +1 -5
  46. data/lib/doorkeeper/oauth/token_request.rb +1 -1
  47. data/lib/doorkeeper/orm/active_record.rb +5 -6
  48. data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +12 -2
  49. data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +10 -2
  50. data/lib/doorkeeper/orm/active_record/mixins/application.rb +76 -10
  51. data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb +5 -0
  52. data/lib/doorkeeper/rails/routes.rb +1 -3
  53. data/lib/doorkeeper/rake/db.rake +3 -3
  54. data/lib/doorkeeper/rake/setup.rake +5 -0
  55. data/lib/doorkeeper/request.rb +49 -12
  56. data/lib/doorkeeper/request/refresh_token.rb +2 -1
  57. data/lib/doorkeeper/server.rb +1 -1
  58. data/lib/doorkeeper/stale_records_cleaner.rb +4 -4
  59. data/lib/doorkeeper/version.rb +2 -6
  60. data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +1 -1
  61. data/lib/generators/doorkeeper/templates/initializer.rb +9 -7
  62. data/lib/generators/doorkeeper/templates/migration.rb.erb +12 -5
  63. metadata +25 -306
  64. data/Appraisals +0 -26
  65. data/CODE_OF_CONDUCT.md +0 -46
  66. data/CONTRIBUTING.md +0 -49
  67. data/Dangerfile +0 -67
  68. data/Dockerfile +0 -29
  69. data/Gemfile +0 -25
  70. data/NEWS.md +0 -1
  71. data/RELEASING.md +0 -11
  72. data/Rakefile +0 -28
  73. data/SECURITY.md +0 -15
  74. data/UPGRADE.md +0 -2
  75. data/bin/console +0 -30
  76. data/doorkeeper.gemspec +0 -42
  77. data/gemfiles/rails_5_0.gemfile +0 -19
  78. data/gemfiles/rails_5_1.gemfile +0 -19
  79. data/gemfiles/rails_5_2.gemfile +0 -19
  80. data/gemfiles/rails_6_0.gemfile +0 -19
  81. data/gemfiles/rails_master.gemfile +0 -19
  82. data/spec/controllers/application_metal_controller_spec.rb +0 -64
  83. data/spec/controllers/applications_controller_spec.rb +0 -274
  84. data/spec/controllers/authorizations_controller_spec.rb +0 -743
  85. data/spec/controllers/protected_resources_controller_spec.rb +0 -361
  86. data/spec/controllers/token_info_controller_spec.rb +0 -50
  87. data/spec/controllers/tokens_controller_spec.rb +0 -499
  88. data/spec/dummy/Rakefile +0 -9
  89. data/spec/dummy/app/assets/config/manifest.js +0 -2
  90. data/spec/dummy/app/controllers/application_controller.rb +0 -5
  91. data/spec/dummy/app/controllers/custom_authorizations_controller.rb +0 -9
  92. data/spec/dummy/app/controllers/full_protected_resources_controller.rb +0 -14
  93. data/spec/dummy/app/controllers/home_controller.rb +0 -18
  94. data/spec/dummy/app/controllers/metal_controller.rb +0 -13
  95. data/spec/dummy/app/controllers/semi_protected_resources_controller.rb +0 -13
  96. data/spec/dummy/app/helpers/application_helper.rb +0 -7
  97. data/spec/dummy/app/models/user.rb +0 -11
  98. data/spec/dummy/app/views/home/index.html.erb +0 -0
  99. data/spec/dummy/app/views/layouts/application.html.erb +0 -14
  100. data/spec/dummy/config.ru +0 -6
  101. data/spec/dummy/config/application.rb +0 -51
  102. data/spec/dummy/config/boot.rb +0 -7
  103. data/spec/dummy/config/database.yml +0 -15
  104. data/spec/dummy/config/environment.rb +0 -5
  105. data/spec/dummy/config/environments/development.rb +0 -31
  106. data/spec/dummy/config/environments/production.rb +0 -64
  107. data/spec/dummy/config/environments/test.rb +0 -45
  108. data/spec/dummy/config/initializers/backtrace_silencers.rb +0 -9
  109. data/spec/dummy/config/initializers/doorkeeper.rb +0 -166
  110. data/spec/dummy/config/initializers/secret_token.rb +0 -10
  111. data/spec/dummy/config/initializers/session_store.rb +0 -10
  112. data/spec/dummy/config/initializers/wrap_parameters.rb +0 -16
  113. data/spec/dummy/config/locales/doorkeeper.en.yml +0 -5
  114. data/spec/dummy/config/routes.rb +0 -13
  115. data/spec/dummy/db/migrate/20111122132257_create_users.rb +0 -11
  116. data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb +0 -7
  117. data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +0 -69
  118. data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb +0 -9
  119. data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb +0 -13
  120. data/spec/dummy/db/migrate/20170822064514_enable_pkce.rb +0 -8
  121. data/spec/dummy/db/migrate/20180210183654_add_confidential_to_applications.rb +0 -13
  122. data/spec/dummy/db/schema.rb +0 -70
  123. data/spec/dummy/public/404.html +0 -26
  124. data/spec/dummy/public/422.html +0 -26
  125. data/spec/dummy/public/500.html +0 -26
  126. data/spec/dummy/public/favicon.ico +0 -0
  127. data/spec/dummy/script/rails +0 -9
  128. data/spec/factories.rb +0 -30
  129. data/spec/generators/application_owner_generator_spec.rb +0 -28
  130. data/spec/generators/confidential_applications_generator_spec.rb +0 -29
  131. data/spec/generators/enable_polymorphic_resource_owner_generator_spec.rb +0 -47
  132. data/spec/generators/install_generator_spec.rb +0 -36
  133. data/spec/generators/migration_generator_spec.rb +0 -28
  134. data/spec/generators/pkce_generator_spec.rb +0 -28
  135. data/spec/generators/previous_refresh_token_generator_spec.rb +0 -44
  136. data/spec/generators/templates/routes.rb +0 -4
  137. data/spec/generators/views_generator_spec.rb +0 -29
  138. data/spec/grape/grape_integration_spec.rb +0 -137
  139. data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +0 -26
  140. data/spec/lib/config_spec.rb +0 -813
  141. data/spec/lib/doorkeeper_spec.rb +0 -27
  142. data/spec/lib/models/expirable_spec.rb +0 -61
  143. data/spec/lib/models/reusable_spec.rb +0 -40
  144. data/spec/lib/models/revocable_spec.rb +0 -58
  145. data/spec/lib/models/scopes_spec.rb +0 -61
  146. data/spec/lib/models/secret_storable_spec.rb +0 -135
  147. data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -39
  148. data/spec/lib/oauth/authorization_code_request_spec.rb +0 -180
  149. data/spec/lib/oauth/base_request_spec.rb +0 -210
  150. data/spec/lib/oauth/base_response_spec.rb +0 -45
  151. data/spec/lib/oauth/client/credentials_spec.rb +0 -90
  152. data/spec/lib/oauth/client_credentials/creator_spec.rb +0 -135
  153. data/spec/lib/oauth/client_credentials/issuer_spec.rb +0 -110
  154. data/spec/lib/oauth/client_credentials/validation_spec.rb +0 -57
  155. data/spec/lib/oauth/client_credentials_integration_spec.rb +0 -27
  156. data/spec/lib/oauth/client_credentials_request_spec.rb +0 -108
  157. data/spec/lib/oauth/client_spec.rb +0 -38
  158. data/spec/lib/oauth/code_request_spec.rb +0 -46
  159. data/spec/lib/oauth/code_response_spec.rb +0 -36
  160. data/spec/lib/oauth/error_response_spec.rb +0 -64
  161. data/spec/lib/oauth/error_spec.rb +0 -21
  162. data/spec/lib/oauth/forbidden_token_response_spec.rb +0 -20
  163. data/spec/lib/oauth/helpers/scope_checker_spec.rb +0 -110
  164. data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -21
  165. data/spec/lib/oauth/helpers/uri_checker_spec.rb +0 -262
  166. data/spec/lib/oauth/invalid_request_response_spec.rb +0 -73
  167. data/spec/lib/oauth/invalid_token_response_spec.rb +0 -53
  168. data/spec/lib/oauth/password_access_token_request_spec.rb +0 -201
  169. data/spec/lib/oauth/pre_authorization_spec.rb +0 -218
  170. data/spec/lib/oauth/refresh_token_request_spec.rb +0 -166
  171. data/spec/lib/oauth/scopes_spec.rb +0 -146
  172. data/spec/lib/oauth/token_request_spec.rb +0 -164
  173. data/spec/lib/oauth/token_response_spec.rb +0 -84
  174. data/spec/lib/oauth/token_spec.rb +0 -156
  175. data/spec/lib/option_spec.rb +0 -51
  176. data/spec/lib/request/strategy_spec.rb +0 -54
  177. data/spec/lib/secret_storing/base_spec.rb +0 -60
  178. data/spec/lib/secret_storing/bcrypt_spec.rb +0 -49
  179. data/spec/lib/secret_storing/plain_spec.rb +0 -44
  180. data/spec/lib/secret_storing/sha256_hash_spec.rb +0 -48
  181. data/spec/lib/server_spec.rb +0 -49
  182. data/spec/lib/stale_records_cleaner_spec.rb +0 -102
  183. data/spec/models/doorkeeper/access_grant_spec.rb +0 -175
  184. data/spec/models/doorkeeper/access_token_spec.rb +0 -650
  185. data/spec/models/doorkeeper/application_spec.rb +0 -442
  186. data/spec/requests/applications/applications_request_spec.rb +0 -259
  187. data/spec/requests/applications/authorized_applications_spec.rb +0 -32
  188. data/spec/requests/endpoints/authorization_spec.rb +0 -91
  189. data/spec/requests/endpoints/token_spec.rb +0 -79
  190. data/spec/requests/flows/authorization_code_errors_spec.rb +0 -82
  191. data/spec/requests/flows/authorization_code_spec.rb +0 -530
  192. data/spec/requests/flows/client_credentials_spec.rb +0 -207
  193. data/spec/requests/flows/implicit_grant_errors_spec.rb +0 -46
  194. data/spec/requests/flows/implicit_grant_spec.rb +0 -91
  195. data/spec/requests/flows/password_spec.rb +0 -316
  196. data/spec/requests/flows/refresh_token_spec.rb +0 -241
  197. data/spec/requests/flows/revoke_token_spec.rb +0 -196
  198. data/spec/requests/flows/skip_authorization_spec.rb +0 -66
  199. data/spec/requests/protected_resources/metal_spec.rb +0 -16
  200. data/spec/requests/protected_resources/private_api_spec.rb +0 -83
  201. data/spec/routing/custom_controller_routes_spec.rb +0 -133
  202. data/spec/routing/default_routes_spec.rb +0 -41
  203. data/spec/routing/scoped_routes_spec.rb +0 -47
  204. data/spec/spec_helper.rb +0 -54
  205. data/spec/spec_helper_integration.rb +0 -4
  206. data/spec/support/dependencies/factory_bot.rb +0 -4
  207. data/spec/support/doorkeeper_rspec.rb +0 -22
  208. data/spec/support/helpers/access_token_request_helper.rb +0 -14
  209. data/spec/support/helpers/authorization_request_helper.rb +0 -43
  210. data/spec/support/helpers/config_helper.rb +0 -11
  211. data/spec/support/helpers/model_helper.rb +0 -78
  212. data/spec/support/helpers/request_spec_helper.rb +0 -110
  213. data/spec/support/helpers/url_helper.rb +0 -62
  214. data/spec/support/orm/active_record.rb +0 -5
  215. data/spec/support/shared/controllers_shared_context.rb +0 -133
  216. data/spec/support/shared/hashing_shared_context.rb +0 -36
  217. data/spec/support/shared/models_shared_examples.rb +0 -56
  218. data/spec/validators/redirect_uri_validator_spec.rb +0 -183
  219. data/spec/version/version_spec.rb +0 -17
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 7c9e55b1b52c75ecb1dc18678a2fb5e7683e85859f9a955c27a3197548c2b146
4
- data.tar.gz: 59f5eafd45d8a85b7f84c7553f1084ed31c8a7ede3b61d00382b8110aea5e63f
3
+ metadata.gz: 8d0646462c8fd51891c70b06dbccf9d4c2a2db2d19f71fb9e358c9401843053a
4
+ data.tar.gz: 17669cf7be5a1f0053850c6f00c03b63df477438a7aa6805558d48dfb35541b0
5
5
  SHA512:
6
- metadata.gz: 1d64979c31b76f5f36671bfdea039da232aefdcb590a5fdf154740bb6968ec939cd5b883e163217431f38c6539017c01eb7d8518302f7b769c8a56857f16eab2
7
- data.tar.gz: 62e2bae23f51b365d2aab4c8ba10a8efbd5ac860f68b481a2d41b193a5df2576ba08ec4700ab9b8def2a59a4494709dd628c9b9ec7d5a10ddb709ab4466a5ce1
6
+ metadata.gz: 54c0fadb672bb09b4e33b6df5476694a0e7f1fb7795b3e2d4172e6c77671bbd7f929dec42f37d9b17bede5cb0659c5a95a30771fd8c69dbdddcb80d4d291aa81
7
+ data.tar.gz: 462977a3eae6d5705ce246814a66f0bd29cd64647e43ba4df2502b9b72eea9c0e848ce3c1789fa97cb6953a07661eef025665a9fa29a97080c1d61acc3e559b6
data/CHANGELOG.md CHANGED
@@ -5,22 +5,89 @@ upgrade guides.
5
5
 
6
6
  User-visible changes worth mentioning.
7
7
 
8
- ## master
8
+ ## main
9
9
 
10
- - [#PR number] Your changes description.
10
+ - [#PR ID] Add your PR description here.
11
+
12
+ ## 5.5.0
13
+
14
+ - [#1482] Simplify `TokenInfoController` to be overridable (extract response rendering).
15
+ - [#1478] Fix ownership association and Rake tasks when custom models configured.
16
+ - [#1477] Respect `ActiveRecord::Base.pluralize_table_names` for Doorkeeper table names.
17
+
18
+ ## 5.5.0.rc2
19
+
20
+ - [#1473] Enable `Applications` and `AuthorizedApplications` controllers in API mode.
21
+
22
+ **[IMPORTANT]** you can still skip these controllers using `skip_controllers` in
23
+ `use_doorkeeper` inside `routes.rb`. Please do it in case you don't need them.
24
+
25
+ - [#1472] Fix `establish_connection` configuration for custom defined models.
26
+ - [#1471] Add support for Ruby 3.0.
27
+ - [#1469] Check if `redirect_uri` exists.
28
+ - [#1465] Memoize nil doorkeeper_token.
29
+ - [#1459] Use built-in Ruby option to remove padding in PKCE code challenge value.
30
+ - [#1457] Make owner_id a bigint for newly-generated owner migrations
31
+ - [#1452] Empty previous_refresh_token only if present.
32
+ - [#1440] Validate empty host in redirect_uri.
33
+ - [#1438] Add form post response mode.
34
+ - [#1458] Make `config.skip_client_authentication_for_password_grant` a long term configuration option.
35
+
36
+ ## 5.5.0.rc1
37
+
38
+ - [#1435] Make error response not redirectable when client is unauthorized
39
+ - [#1426] Ensure ActiveRecord callbacks are executed on token revocation.
40
+ - [#1407] Remove redundant and complex to support helpers froms tests (`should_have_json`, etc).
41
+ - [#1416] Don't add introspection route if token introspection completely disabled.
42
+ - [#1410] Properly memoize `current_resource_owner` value (consider `nil` and `false` values).
43
+ - [#1415] Ignore PKCE params for non-PKCE grants.
44
+ - [#1418] Add ability to register custom OAuth Grant Flows.
45
+ - [#1420] Require client authentication for Resource Owner Password Grant as stated in OAuth RFC.
46
+
47
+ **[IMPORTANT]** you need to create a new OAuth client (`Doorkeeper::Application`) if you didn't
48
+ have it before and use client credentials in HTTP Basic auth if you previously used this grant
49
+ flow without client authentication. To opt out of this you could set the
50
+ `skip_client_authentication_for_password_grant` configuration option to `true`, but note that
51
+ this is in violation of the OAuth spec and represents a security risk.
52
+ All the users of your provider application now need to include client credentials when they use
53
+ this grant flow.
54
+
55
+ - [#1421] Add Resource Owner instance to authorization hook context for `custom_access_token_expires_in`
56
+ configuration option to allow resource owner based Access Tokens TTL.
57
+
58
+ ## 5.4.0
59
+
60
+ - [#1404] Make `Doorkeeper::Application#read_attribute_for_serialization` public.
61
+
62
+ ## 5.4.0.rc2
63
+
64
+ - [#1371] Add `#as_json` method and attributes serialization restriction for Application model.
65
+ Fixes information disclosure vulnerability (CVE-2020-10187).
66
+
67
+ **[IMPORTANT]** you need to re-implement `#as_json` method for Doorkeeper Application model
68
+ if you previously used `#to_json` serialization with custom options or attributes or rely on
69
+ JSON response from /oauth/applications.json or /oauth/authorized_applications.json. This change
70
+ is a breaking change which restricts serialized attributes to a very small set of columns.
71
+
72
+ - [#1395] Fix `NameError: uninitialized constant Doorkeeper::AccessToken` for Rake tasks.
73
+ - [#1397] Add `as: :doorkeeper_application` on Doorkeeper application form in order to support
74
+ custom configured application model.
75
+ - [#1400] Correctly yield the application instance to `allow_grant_flow_for_client?` config
76
+ option (fixes #1398).
77
+ - [#1402] Handle trying authorization with client credentials.
11
78
 
12
79
  ## 5.4.0.rc1
13
- - [#1366] Sets expiry of token generated using `refresh_token` to that of original token. (Fixes #1364)
80
+ - [#1366] Sets expiry of token generated using `refresh_token` to that of original token. (Fixes #1364)
14
81
  - [#1354] Add `authorize_resource_owner_for_client` option to authorize the calling user to access an application.
15
82
  - [#1355] Allow to enable polymorphic Resource Owner association for Access Token & Grant
16
83
  models (`use_polymorphic_resource_owner` configuration option).
17
-
84
+
18
85
  **[IMPORTANT]** Review your custom patches or extensions for Doorkeeper internals if you
19
86
  have such - since now Doorkeeper passes Resource Owner instance to every objects and not
20
87
  just it's ID. See PR description for details.
21
-
88
+
22
89
  - [#1356] Remove duplicated scopes from Access Tokens and Grants on attribute assignment.
23
- - [#1357] Fix `Doorkeeper::OAuth::PreAuthorization#as_json` method causing
90
+ - [#1357] Fix `Doorkeeper::OAuth::PreAuthorization#as_json` method causing
24
91
  `Stack level too deep` error with AMS (fix #1312).
25
92
  - [#1358] Deprecate `active_record_options` configuration option.
26
93
  - [#1359] Refactor Doorkeeper configuration options DSL to make it easy to reuse it
@@ -32,7 +99,7 @@ User-visible changes worth mentioning.
32
99
  **[IMPORTANT]** now fully according to RFC 7009 nobody can do a revocation request without `client_id`
33
100
  (for public clients) and `client_secret` (for private clients). Please update your apps to include that
34
101
  info in the revocation request payload.
35
-
102
+
36
103
  - [#1373] Make Doorkeeper routes mapper reusable in extensions.
37
104
  - [#1374] Revoke and issue client credentials token in a transaction with a row lock.
38
105
  - [#1384] Add context object with auth/pre_auth and issued_token for authorization hooks.
@@ -41,6 +108,15 @@ User-visible changes worth mentioning.
41
108
  - [#1393] Improve Applications #show page with more informative data on client secret and scopes.
42
109
  - [#1394] Use Ruby `autoload` feature to load Doorkeeper files.
43
110
 
111
+ ## 5.3.3
112
+
113
+ - [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
114
+
115
+ ## 5.3.2
116
+
117
+ - [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
118
+ Fixes information disclosure vulnerability (CVE-2020-10187).
119
+
44
120
  ## 5.3.1
45
121
 
46
122
  - [#1360] Backport: Increase `matching_token_for` batch lookup size to 10 000 and make it configurable.
@@ -59,9 +135,18 @@ User-visible changes worth mentioning.
59
135
  If you were relying on access tokens being revoked once the same client
60
136
  requested a new access token, reenable it with `revoke_previous_client_credentials_token` in Doorkeeper
61
137
  initialization file.
62
-
138
+
139
+ ## 5.2.6
140
+
141
+ - [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
142
+
143
+ ## 5.2.5
144
+
145
+ - [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
146
+ Fixes information disclosure vulnerability (CVE-2020-10187).
147
+
63
148
  ## 5.2.4
64
-
149
+
65
150
  - [#1360] Backport: Increase `matching_token_for` batch lookup size to 10 000 and make it configurable.
66
151
 
67
152
  ## 5.2.3
@@ -127,6 +212,15 @@ User-visible changes worth mentioning.
127
212
  - [#1248] Return the unhashed Application Secret in the JSON response after creating new application even when `hash_application_secrets` is used.
128
213
  - [#1238] Better support for native app with support for custom scheme and localhost redirection.
129
214
 
215
+ ## 5.1.2
216
+
217
+ - [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
218
+
219
+ ## 5.1.1
220
+
221
+ - [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
222
+ Fixes information disclosure vulnerability (CVE-2020-10187).
223
+
130
224
  ## 5.1.0
131
225
 
132
226
  - [#1243] Add nil check operator in token checking at token introspection.
@@ -188,6 +282,11 @@ User-visible changes worth mentioning.
188
282
  - [#1164] Fix error when `root_path` is not defined.
189
283
  - [#1162] Fix `enforce_content_type` for requests without body.
190
284
 
285
+ ## 5.0.3
286
+
287
+ - [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
288
+ Fixes information disclosure vulnerability (CVE-2020-10187).
289
+
191
290
  ## 5.0.2
192
291
 
193
292
  - [#1158] Fix initializer template: change `handle_auth_errors` option
data/README.md CHANGED
@@ -1,10 +1,10 @@
1
1
  # Doorkeeper — awesome OAuth 2 provider for your Rails / Grape app.
2
2
 
3
3
  [![Gem Version](https://badge.fury.io/rb/doorkeeper.svg)](https://rubygems.org/gems/doorkeeper)
4
- [![Build Status](https://travis-ci.org/doorkeeper-gem/doorkeeper.svg?branch=master)](https://travis-ci.org/doorkeeper-gem/doorkeeper)
4
+ [![Build Status](https://travis-ci.org/doorkeeper-gem/doorkeeper.svg?branch=main)](https://travis-ci.org/doorkeeper-gem/doorkeeper)
5
5
  [![Code Climate](https://codeclimate.com/github/doorkeeper-gem/doorkeeper.svg)](https://codeclimate.com/github/doorkeeper-gem/doorkeeper)
6
- [![Coverage Status](https://coveralls.io/repos/github/doorkeeper-gem/doorkeeper/badge.svg?branch=master)](https://coveralls.io/github/doorkeeper-gem/doorkeeper?branch=master)
7
- [![Security](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master.svg)](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master)
6
+ [![Coverage Status](https://coveralls.io/repos/github/doorkeeper-gem/doorkeeper/badge.svg?branch=main)](https://coveralls.io/github/doorkeeper-gem/doorkeeper?branch=main)
7
+ [![Security](https://hakiri.io/github/doorkeeper-gem/doorkeeper/main.svg)](https://hakiri.io/github/doorkeeper-gem/doorkeeper/main)
8
8
  [![Reviewed by Hound](https://img.shields.io/badge/Reviewed_by-Hound-8E64B0.svg)](https://houndci.com)
9
9
  [![GuardRails badge](https://badges.guardrails.io/doorkeeper-gem/doorkeeper.svg?token=66768ce8f6995814df81f65a2cff40f739f688492704f973e62809e15599bb62)](https://dashboard.guardrails.io/default/gh/doorkeeper-gem/doorkeeper)
10
10
  [![Dependabot](https://img.shields.io/badge/dependabot-enabled-success.svg)](https://dependabot.com)
@@ -51,7 +51,7 @@ Supported features:
51
51
 
52
52
  ## Documentation
53
53
 
54
- This documentation is valid for `master` branch. Please check the documentation for the version of doorkeeper you are using in:
54
+ This documentation is valid for `main` branch. Please check the documentation for the version of doorkeeper you are using in:
55
55
  https://github.com/doorkeeper-gem/doorkeeper/releases.
56
56
 
57
57
  Additionally, other resources can be found on:
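--- a/data/app/controllers/doorkeeper/applications_controller.rb
+++ b/data/app/controllers/doorkeeper/applications_controller.rb
@@ -19,7 +19,7 @@ module Doorkeeper
 def show
 respond_to do |format|
 format.html
-format.json { render json: @application }
+format.json { render json: @application, as_owner: true }
 end
 end
 
@@ -36,7 +36,7 @@ module Doorkeeper
 
 respond_to do |format|
 format.html { redirect_to oauth_application_url(@application) }
-format.json { render json: @application }
+format.json { render json: @application, as_owner: true }
 end
 else
 respond_to do |format|
@@ -58,7 +58,7 @@ module Doorkeeper
 
 respond_to do |format|
 format.html { redirect_to oauth_application_url(@application) }
-format.json { render json: @application }
+format.json { render json: @application, as_owner: true }
 end
 else
 respond_to do |format|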
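Review bot: The `as_owner: true` added to each `render json:` line is the switch that re-exposes the client secret in the application JSON after the CVE-2020-10187 serialization restriction mentioned in the changelog, and nothing in these three hunks says so; a later reader could take it for a harmless view flag. Rails forwards the remaining `render json:` options to `@application.to_json`, so the flag presumably ends up in `Application#as_json`, which is not on this page. I would put a one-line comment above each call, e.g. `# as_owner: true tells Application#as_json the caller owns this record, so the secret may be serialized; never pass it from a listing action`. `show`, `create` and `update` each begin before their hunk.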
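--- a/data/app/controllers/doorkeeper/authorizations_controller.rb
+++ b/data/app/controllers/doorkeeper/authorizations_controller.rb
@@ -52,10 +52,19 @@ module Doorkeeper
 def redirect_or_render(auth)
 if auth.redirectable?
 if Doorkeeper.configuration.api_only
-render(
-json: { status: :redirect, redirect_uri: auth.redirect_uri },
-status: auth.status,
-)
+if pre_auth.form_post_response?
+render(
+json: { status: :post, redirect_uri: pre_auth.redirect_uri, body: auth.body },
+status: auth.status,
+)
+else
+render(
+json: { status: :redirect, redirect_uri: auth.redirect_uri },
+status: auth.status,
+)
+end
+elsif pre_auth.form_post_response?
+render :form_post
 else
 redirect_to auth.redirect_uri
 end
@@ -82,8 +91,10 @@ module Doorkeeper
 code_challenge
 code_challenge_method
 response_type
+response_mode
 redirect_uri
-scope state
+scope
+state
 ]
 end
 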
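Review bot: The form-post branch of `redirect_or_render` reads `pre_auth.redirect_uri` while the redirect branch reads `auth.redirect_uri`, and the hunk gives no hint why; presumably the response's URI already carries `code`/`state` (or the token fragment) and the bare pre-auth URI is wanted because those parameters travel in `auth.body` instead. That deserves a comment on the `:post` render, e.g. `# form_post: response parameters are delivered in the POST body, so hand the client its bare redirect_uri, not auth.redirect_uri`. `render :form_post` also serves the page with the default 200 rather than `auth.status`, which looks intended but is worth a word. In the second hunk `response_mode` joins the permitted params; I am assuming `PreAuthorization` rejects values other than the supported ones (the new `unsupported_response_mode` locale string on this page suggests so) rather than passing the raw string through.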
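--- a/data/app/controllers/doorkeeper/authorized_applications_controller.rb
+++ b/data/app/controllers/doorkeeper/authorized_applications_controller.rb
@@ -9,7 +9,7 @@ module Doorkeeper
 
 respond_to do |format|
 format.html
-format.json { render json: @applications }
+format.json { render json: @applications, current_resource_owner: current_resource_owner }
 end
 end
 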
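--- a/data/app/controllers/doorkeeper/token_info_controller.rb
+++ b/data/app/controllers/doorkeeper/token_info_controller.rb
@@ -4,12 +4,22 @@ module Doorkeeper
 class TokenInfoController < Doorkeeper::ApplicationMetalController
 def show
 if doorkeeper_token&.accessible?
-render json: doorkeeper_token, status: :ok
+render json: doorkeeper_token_to_json, status: :ok
 else
 error = OAuth::InvalidTokenResponse.new
 response.headers.merge!(error.headers)
-render json: error.body, status: error.status
+render json: error_to_json(error), status: error.status
 end
 end
+
+protected
+
+def doorkeeper_token_to_json
+doorkeeper_token
+end
+
+def error_to_json(error)
+error.body
+end
 end
 end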
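Review bot: The two new `protected` hooks are the advertised extension points of this controller (the changelog entry calls it "overridable") yet carry no doc comments, so a subclass author has to guess the contract. I would annotate each: above `doorkeeper_token_to_json`, `# Override to shape the success body; the return value goes straight to render json:, so it must respond to #to_json (the default hands back the AccessToken record, whose #as_json decides what is exposed)`, and above `error_to_json(error)`, `# Override to shape the error body; error is an OAuth::InvalidTokenResponse whose headers were already merged into the response`. What the token record's `as_json` actually reveals lives in the model mixin, not here, so I am not asserting it.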
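--- a/data/app/controllers/doorkeeper/tokens_controller.rb
+++ b/data/app/controllers/doorkeeper/tokens_controller.rb
@@ -2,6 +2,8 @@
 
 module Doorkeeper
 class TokensController < Doorkeeper::ApplicationMetalController
+before_action :validate_presence_of_client, only: [:revoke]
+
 def create
 headers.merge!(authorize_response.headers)
 render json: authorize_response.body,
@@ -12,32 +14,6 @@ module Doorkeeper
 
 # OAuth 2.0 Token Revocation - http://tools.ietf.org/html/rfc7009
 def revoke
-# @see 2.1. Revocation Request
-#
-# The client constructs the request by including the following
-# parameters using the "application/x-www-form-urlencoded" format in
-# the HTTP request entity-body:
-# token REQUIRED.
-# token_type_hint OPTIONAL.
-#
-# The client also includes its authentication credentials as described
-# in Section 2.3. of [RFC6749].
-#
-# The authorization server first validates the client credentials (in
-# case of a confidential client) and then verifies whether the token
-# was issued to the client making the revocation request.
-unless server.client
-# If this validation [client credentials / token ownership] fails, the request is
-# refused and the client is informed of the error by the authorization server as
-# described below.
-#
-# @see 2.2.1. Error Response
-#
-# The error presentation conforms to the definition in Section 5.2 of [RFC6749].
-render json: revocation_error_response, status: :forbidden
-return
-end
-
 # The authorization server responds with HTTP status code 200 if the client
 # submitted an invalid token or the token has been revoked successfully.
 if token.blank?
@@ -68,7 +44,39 @@ module Doorkeeper
 
 private
 
+def validate_presence_of_client
+return if Doorkeeper.config.skip_client_authentication_for_password_grant
+
+# @see 2.1. Revocation Request
+#
+# The client constructs the request by including the following
+# parameters using the "application/x-www-form-urlencoded" format in
+# the HTTP request entity-body:
+# token REQUIRED.
+# token_type_hint OPTIONAL.
+#
+# The client also includes its authentication credentials as described
+# in Section 2.3. of [RFC6749].
+#
+# The authorization server first validates the client credentials (in
+# case of a confidential client) and then verifies whether the token
+# was issued to the client making the revocation request.
+return if server.client
+
+# If this validation [client credentials / token ownership] fails, the request is
+# refused and the client is informed of the error by the authorization server as
+# described below.
+#
+# @see 2.2.1. Error Response
+#
+# The error presentation conforms to the definition in Section 5.2 of [RFC6749].
+render json: revocation_error_response, status: :forbidden
+end
+
 # OAuth 2.0 Section 2.1 defines two client types, "public" & "confidential".
+#
+# RFC7009
+# Section 5. Security Considerations
 # A malicious client may attempt to guess valid tokens on this endpoint
 # by making revocation requests against potential token strings.
 # According to this specification, a client's request must contain a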
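Review bot: `validate_presence_of_client` returns early on `Doorkeeper.config.skip_client_authentication_for_password_grant`, so an option named and documented for the password grant now also switches off client authentication on the RFC 7009 revocation endpoint, which the 5.4.0.rc1 changelog entry on this page promised nobody could call without `client_id`. When the option is set, `revoke` (its body continues past the hunk) runs with `server.client` nil, so whatever token-ownership check follows must tolerate a missing client rather than comparing the token's application against nil. Either gate this on a revocation-specific option, or make the coupling visible with a comment on the `return if` line such as `# Deliberately reuses the password-grant opt-out: a provider that lets public clients skip credentials cannot demand them on revoke either`, so the security trade-off is reviewable rather than implicit. The moved RFC excerpt would also read better if that early return sat after the quoted text it departs from.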
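--- a/data/app/views/doorkeeper/applications/_form.html.erb
+++ b/data/app/views/doorkeeper/applications/_form.html.erb
@@ -1,4 +1,4 @@
-<%= form_for application, url: doorkeeper_submit_path(application), html: { role: 'form' } do |f| %>
+<%= form_for application, url: doorkeeper_submit_path(application), as: :doorkeeper_application, html: { role: 'form' } do |f| %>
 <% if application.errors.any? %>
 <div class="alert alert-danger" data-alert><p><%= t('doorkeeper.applications.form.error') %></p></div>
 <% end %>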
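--- a/data/app/views/doorkeeper/applications/show.html.erb
+++ b/data/app/views/doorkeeper/applications/show.html.erb
@@ -35,18 +35,22 @@
 
 <h4><%= t('.callback_urls') %>:</h4>
 
-<table>
-<% @application.redirect_uri.split.each do |uri| %>
-<tr>
-<td>
-<code class="bg-light"><%= uri %></code>
-</td>
-<td>
-<%= link_to t('doorkeeper.applications.buttons.authorize'), oauth_authorization_path(client_id: @application.uid, redirect_uri: uri, response_type: 'code', scope: @application.scopes), class: 'btn btn-success', target: '_blank' %>
-</td>
-</tr>
-<% end %>
-</table>
+<% if @application.redirect_uri.present? %>
+<table>
+<% @application.redirect_uri.split.each do |uri| %>
+<tr>
+<td>
+<code class="bg-light"><%= uri %></code>
+</td>
+<td>
+<%= link_to t('doorkeeper.applications.buttons.authorize'), oauth_authorization_path(client_id: @application.uid, redirect_uri: uri, response_type: 'code', scope: @application.scopes), class: 'btn btn-success', target: '_blank' %>
+</td>
+</tr>
+<% end %>
+</table>
+<% else %>
+<span class="bg-light font-italic text-uppercase text-muted"><%= t('.not_defined') %></span>
+<% end %>
 </div>
 
 <div class="col-md-4">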
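--- /dev/null
+++ b/data/app/views/doorkeeper/authorizations/form_post.html.erb
@@ -0,0 +1,11 @@
+<header class="page-header">
+<h1><%= t('.title') %></h1>
+</header>
+
+<main role="main" onload="document.forms[0].submit()">
+<%= form_tag @pre_auth.redirect_uri, method: :post do %>
+<% @authorize_response.body.each do |key, value| %>
+<%= hidden_field_tag key, value %>
+<% end %>
+<% end %>
+</main>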
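Review bot: `form_tag @pre_auth.redirect_uri, method: :post` will, with CSRF protection enabled, emit the provider's `authenticity_token` as a hidden input, and this form is submitted to the third-party client's redirect URI, so the provider's CSRF token is sent off-site for no benefit; pass `authenticity_token: false` on that line. The auto-submit hangs on `onload` of the `<main>` element, but the load event is not dispatched to `<main>` in any browser I know of (only to window/body and resource-loading elements), so with no submit button the form can never be sent; move the call into a `<script>` after the form (mind any CSP nonce the host app uses) or a `<body onload>` in the layout, and add a `<noscript>` submit button as a fallback. The values go through `hidden_field_tag`, which escapes, so echoing `@authorize_response.body` is safe. A header comment naming the spec would help the next reader: `<%# OAuth 2.0 Form Post Response Mode: authorization response parameters are POSTed to the client's redirect_uri instead of being carried in the query or fragment %>`.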
@@ -72,6 +72,8 @@ en:
72
72
  able_to: 'This application will be able to'
73
73
  show:
74
74
  title: 'Authorization code'
75
+ form_post:
76
+ title: 'Submit this form'
75
77
 
76
78
  authorized_applications:
77
79
  confirmations:
@@ -93,7 +95,6 @@ en:
93
95
  invalid_request:
94
96
  unknown: 'The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed.'
95
97
  missing_param: 'Missing required parameter: %{value}.'
96
- not_support_pkce: 'Invalid code_verifier parameter. Server does not support pkce.'
97
98
  request_not_authorized: 'Request need to be authorized. Required parameter for authorizing request is missing or invalid.'
98
99
  invalid_redirect_uri: "The requested redirect uri is malformed or doesn't match client redirect URI."
99
100
  unauthorized_client: 'The client is not authorized to perform this request using this method.'
@@ -110,6 +111,7 @@ en:
110
111
 
111
112
  # Access grant errors
112
113
  unsupported_response_type: 'The authorization server does not support this response type.'
114
+ unsupported_response_mode: 'The authorization server does not support this response mode.'
113
115
 
114
116
  # Access token errors
115
117
  invalid_client: 'Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method.'