doorkeeper 5.4.0.rc1 → 5.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7c9e55b1b52c75ecb1dc18678a2fb5e7683e85859f9a955c27a3197548c2b146
-  data.tar.gz: 59f5eafd45d8a85b7f84c7553f1084ed31c8a7ede3b61d00382b8110aea5e63f
+  metadata.gz: 8d0646462c8fd51891c70b06dbccf9d4c2a2db2d19f71fb9e358c9401843053a
+  data.tar.gz: 17669cf7be5a1f0053850c6f00c03b63df477438a7aa6805558d48dfb35541b0
 SHA512:
-  metadata.gz: 1d64979c31b76f5f36671bfdea039da232aefdcb590a5fdf154740bb6968ec939cd5b883e163217431f38c6539017c01eb7d8518302f7b769c8a56857f16eab2
-  data.tar.gz: 62e2bae23f51b365d2aab4c8ba10a8efbd5ac860f68b481a2d41b193a5df2576ba08ec4700ab9b8def2a59a4494709dd628c9b9ec7d5a10ddb709ab4466a5ce1
+  metadata.gz: 54c0fadb672bb09b4e33b6df5476694a0e7f1fb7795b3e2d4172e6c77671bbd7f929dec42f37d9b17bede5cb0659c5a95a30771fd8c69dbdddcb80d4d291aa81
+  data.tar.gz: 462977a3eae6d5705ce246814a66f0bd29cd64647e43ba4df2502b9b72eea9c0e848ce3c1789fa97cb6953a07661eef025665a9fa29a97080c1d61acc3e559b6

data/CHANGELOG.md

@@ -5,22 +5,89 @@ upgrade guides.
 
 User-visible changes worth mentioning.
 
-## master
+## main
 
-- [#PR number] Your changes description.
+- [#PR ID] Add your PR description here.
+
+## 5.5.0
+
+- [#1482] Simplify `TokenInfoController` to be overridable (extract response rendering).
+- [#1478] Fix ownership association and Rake tasks when custom models configured.
+- [#1477] Respect `ActiveRecord::Base.pluralize_table_names` for Doorkeeper table names.
+
+## 5.5.0.rc2
+
+- [#1473] Enable `Applications` and `AuthorizedApplications` controllers in API mode.
+  
+  **[IMPORTANT]** you can still skip these controllers using `skip_controllers` in 
+    `use_doorkeeper` inside `routes.rb`. Please do it in case you don't need them.
+  
+- [#1472] Fix `establish_connection` configuration for custom defined models.
+- [#1471] Add support for Ruby 3.0.
+- [#1469] Check if `redirect_uri` exists.
+- [#1465] Memoize nil doorkeeper_token.
+- [#1459] Use built-in Ruby option to remove padding in PKCE code challenge value.
+- [#1457] Make owner_id a bigint for newly-generated owner migrations
+- [#1452] Empty previous_refresh_token only if present.
+- [#1440] Validate empty host in redirect_uri.
+- [#1438] Add form post response mode.
+- [#1458] Make `config.skip_client_authentication_for_password_grant` a long term configuration option.
+
+## 5.5.0.rc1
+
+- [#1435] Make error response not redirectable when client is unauthorized
+- [#1426] Ensure ActiveRecord callbacks are executed on token revocation.
+- [#1407] Remove redundant and complex to support helpers froms tests (`should_have_json`, etc).
+- [#1416] Don't add introspection route if token introspection completely disabled.
+- [#1410] Properly memoize `current_resource_owner` value (consider `nil` and `false` values).
+- [#1415] Ignore PKCE params for non-PKCE grants.
+- [#1418] Add ability to register custom OAuth Grant Flows.
+- [#1420] Require client authentication for Resource Owner Password Grant as stated in OAuth RFC.
+
+  **[IMPORTANT]** you need to create a new OAuth client (`Doorkeeper::Application`) if you didn't
+    have it before and use client credentials in HTTP Basic auth if you previously used this grant
+    flow without client authentication. To opt out of this you could set the
+    `skip_client_authentication_for_password_grant` configuration option to `true`, but note that
+    this is in violation of the OAuth spec and represents a security risk.
+    All the users of your provider application now need to include client credentials when they use
+    this grant flow.
+
+- [#1421] Add Resource Owner instance to authorization hook context for `custom_access_token_expires_in`
+  configuration option to allow resource owner based Access Tokens TTL.
+
+## 5.4.0
+
+- [#1404] Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.4.0.rc2
+
+- [#1371] Add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
+
+  **[IMPORTANT]** you need to re-implement `#as_json` method for Doorkeeper Application model
+  if you previously used `#to_json` serialization with custom options or attributes or rely on
+  JSON response from /oauth/applications.json or /oauth/authorized_applications.json. This change
+  is a breaking change which restricts serialized attributes to a very small set of columns.
+
+- [#1395] Fix `NameError: uninitialized constant Doorkeeper::AccessToken` for Rake tasks.
+- [#1397] Add `as: :doorkeeper_application` on Doorkeeper application form in order to support
+  custom configured application model.
+- [#1400] Correctly yield the application instance to `allow_grant_flow_for_client?` config
+  option (fixes #1398).
+- [#1402] Handle trying authorization with client credentials.
 
 ## 5.4.0.rc1
-- [#1366] Sets expiry of token generated using `refresh_token` to that of original token. (Fixes #1364) 
+- [#1366] Sets expiry of token generated using `refresh_token` to that of original token. (Fixes #1364)
 - [#1354] Add `authorize_resource_owner_for_client` option to authorize the calling user to access an application.
 - [#1355] Allow to enable polymorphic Resource Owner association for Access Token & Grant
   models (`use_polymorphic_resource_owner` configuration option).
-  
+
   **[IMPORTANT]** Review your custom patches or extensions for Doorkeeper internals if you
   have such - since now Doorkeeper passes Resource Owner instance to every objects and not
   just it's ID. See PR description for details.
-  
+
 - [#1356] Remove duplicated scopes from Access Tokens and Grants on attribute assignment.
-- [#1357] Fix `Doorkeeper::OAuth::PreAuthorization#as_json` method causing 
+- [#1357] Fix `Doorkeeper::OAuth::PreAuthorization#as_json` method causing
   `Stack level too deep` error with AMS (fix #1312).
 - [#1358] Deprecate `active_record_options` configuration option.
 - [#1359] Refactor Doorkeeper configuration options DSL to make it easy to reuse it
@@ -32,7 +99,7 @@ User-visible changes worth mentioning.
   **[IMPORTANT]** now fully according to RFC 7009 nobody can do a revocation request without `client_id`
   (for public clients) and `client_secret` (for private clients). Please update your apps to include that
   info in the revocation request payload.
-  
+
 - [#1373] Make Doorkeeper routes mapper reusable in extensions.
 - [#1374] Revoke and issue client credentials token in a transaction with a row lock.
 - [#1384] Add context object with auth/pre_auth and issued_token for authorization hooks.
@@ -41,6 +108,15 @@ User-visible changes worth mentioning.
 - [#1393] Improve Applications #show page with more informative data on client secret and scopes.
 - [#1394] Use Ruby `autoload` feature to load Doorkeeper files.
 
+## 5.3.3
+
+- [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.3.2
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
+
 ## 5.3.1
 
 - [#1360] Backport: Increase `matching_token_for` batch lookup size to 10 000 and make it configurable.
@@ -59,9 +135,18 @@ User-visible changes worth mentioning.
   If you were relying on access tokens being revoked once the same client
   requested a new access token, reenable it with `revoke_previous_client_credentials_token` in Doorkeeper
   initialization file.
-  
+
+## 5.2.6
+
+- [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.2.5
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
+
 ## 5.2.4
-  
+
 - [#1360] Backport: Increase `matching_token_for` batch lookup size to 10 000 and make it configurable.
 
 ## 5.2.3
@@ -127,6 +212,15 @@ User-visible changes worth mentioning.
 - [#1248] Return the unhashed Application Secret in the JSON response after creating new application even when `hash_application_secrets` is used.
 - [#1238] Better support for native app with support for custom scheme and localhost redirection.
 
+## 5.1.2
+
+- [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.1.1
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
+
 ## 5.1.0
 
 - [#1243] Add nil check operator in token checking at token introspection.
@@ -188,6 +282,11 @@ User-visible changes worth mentioning.
 - [#1164] Fix error when `root_path` is not defined.
 - [#1162] Fix `enforce_content_type` for requests without body.
 
+## 5.0.3
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
+
 ## 5.0.2
 
 - [#1158] Fix initializer template: change `handle_auth_errors` option

data/README.md

@@ -1,10 +1,10 @@
 # Doorkeeper — awesome OAuth 2 provider for your Rails / Grape app.
 
 [![Gem Version](https://badge.fury.io/rb/doorkeeper.svg)](https://rubygems.org/gems/doorkeeper)
-[![Build Status](https://travis-ci.org/doorkeeper-gem/doorkeeper.svg?branch=master)](https://travis-ci.org/doorkeeper-gem/doorkeeper)
+[![Build Status](https://travis-ci.org/doorkeeper-gem/doorkeeper.svg?branch=main)](https://travis-ci.org/doorkeeper-gem/doorkeeper)
 [![Code Climate](https://codeclimate.com/github/doorkeeper-gem/doorkeeper.svg)](https://codeclimate.com/github/doorkeeper-gem/doorkeeper)
-[![Coverage Status](https://coveralls.io/repos/github/doorkeeper-gem/doorkeeper/badge.svg?branch=master)](https://coveralls.io/github/doorkeeper-gem/doorkeeper?branch=master)
-[![Security](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master.svg)](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master)
+[![Coverage Status](https://coveralls.io/repos/github/doorkeeper-gem/doorkeeper/badge.svg?branch=main)](https://coveralls.io/github/doorkeeper-gem/doorkeeper?branch=main)
+[![Security](https://hakiri.io/github/doorkeeper-gem/doorkeeper/main.svg)](https://hakiri.io/github/doorkeeper-gem/doorkeeper/main)
 [![Reviewed by Hound](https://img.shields.io/badge/Reviewed_by-Hound-8E64B0.svg)](https://houndci.com)
 [![GuardRails badge](https://badges.guardrails.io/doorkeeper-gem/doorkeeper.svg?token=66768ce8f6995814df81f65a2cff40f739f688492704f973e62809e15599bb62)](https://dashboard.guardrails.io/default/gh/doorkeeper-gem/doorkeeper)
 [![Dependabot](https://img.shields.io/badge/dependabot-enabled-success.svg)](https://dependabot.com)
@@ -51,7 +51,7 @@ Supported features:
 
 ## Documentation
 
-This documentation is valid for `master` branch. Please check the documentation for the version of doorkeeper you are using in:
+This documentation is valid for `main` branch. Please check the documentation for the version of doorkeeper you are using in:
 https://github.com/doorkeeper-gem/doorkeeper/releases.
 
 Additionally, other resources can be found on:

data/app/controllers/doorkeeper/applications_controller.rb

@@ -19,7 +19,7 @@ module Doorkeeper
     def show
       respond_to do |format|
         format.html
-        format.json { render json: @application }
+        format.json { render json: @application, as_owner: true }
       end
     end
 
@@ -36,7 +36,7 @@ module Doorkeeper
 
         respond_to do |format|
           format.html { redirect_to oauth_application_url(@application) }
-          format.json { render json: @application }
+          format.json { render json: @application, as_owner: true }
         end
       else
         respond_to do |format|
@@ -58,7 +58,7 @@ module Doorkeeper
 
         respond_to do |format|
           format.html { redirect_to oauth_application_url(@application) }
-          format.json { render json: @application }
+          format.json { render json: @application, as_owner: true }
         end
       else
         respond_to do |format|

data/app/controllers/doorkeeper/authorizations_controller.rb

@@ -52,10 +52,19 @@ module Doorkeeper
     def redirect_or_render(auth)
       if auth.redirectable?
         if Doorkeeper.configuration.api_only
-          render(
-            json: { status: :redirect, redirect_uri: auth.redirect_uri },
-            status: auth.status,
-          )
+          if pre_auth.form_post_response?
+            render(
+              json: { status: :post, redirect_uri: pre_auth.redirect_uri, body: auth.body },
+              status: auth.status,
+            )
+          else
+            render(
+              json: { status: :redirect, redirect_uri: auth.redirect_uri },
+              status: auth.status,
+            )
+          end
+        elsif pre_auth.form_post_response?
+          render :form_post
         else
           redirect_to auth.redirect_uri
         end
@@ -82,8 +91,10 @@ module Doorkeeper
         code_challenge
         code_challenge_method
         response_type
+        response_mode
         redirect_uri
-        scope state
+        scope
+        state
       ]
     end
 

data/app/controllers/doorkeeper/authorized_applications_controller.rb

@@ -9,7 +9,7 @@ module Doorkeeper
 
       respond_to do |format|
         format.html
-        format.json { render json: @applications }
+        format.json { render json: @applications, current_resource_owner: current_resource_owner }
       end
     end
 

data/app/controllers/doorkeeper/token_info_controller.rb

@@ -4,12 +4,22 @@ module Doorkeeper
   class TokenInfoController < Doorkeeper::ApplicationMetalController
     def show
       if doorkeeper_token&.accessible?
-        render json: doorkeeper_token, status: :ok
+        render json: doorkeeper_token_to_json, status: :ok
       else
         error = OAuth::InvalidTokenResponse.new
         response.headers.merge!(error.headers)
-        render json: error.body, status: error.status
+        render json: error_to_json(error), status: error.status
       end
     end
+
+    protected
+
+    def doorkeeper_token_to_json
+      doorkeeper_token
+    end
+
+    def error_to_json(error)
+      error.body
+    end
   end
 end

data/app/controllers/doorkeeper/tokens_controller.rb

@@ -2,6 +2,8 @@
 
 module Doorkeeper
   class TokensController < Doorkeeper::ApplicationMetalController
+    before_action :validate_presence_of_client, only: [:revoke]
+
     def create
       headers.merge!(authorize_response.headers)
       render json: authorize_response.body,
@@ -12,32 +14,6 @@ module Doorkeeper
 
     # OAuth 2.0 Token Revocation - http://tools.ietf.org/html/rfc7009
     def revoke
-      # @see 2.1.  Revocation Request
-      #
-      #  The client constructs the request by including the following
-      #  parameters using the "application/x-www-form-urlencoded" format in
-      #  the HTTP request entity-body:
-      #     token   REQUIRED.
-      #     token_type_hint  OPTIONAL.
-      #
-      #  The client also includes its authentication credentials as described
-      #  in Section 2.3. of [RFC6749].
-      #
-      #  The authorization server first validates the client credentials (in
-      #  case of a confidential client) and then verifies whether the token
-      #  was issued to the client making the revocation request.
-      unless server.client
-        # If this validation [client credentials / token ownership] fails, the request is
-        # refused and the  client is informed of the error by the authorization server as
-        # described below.
-        #
-        # @see 2.2.1.  Error Response
-        #
-        # The error presentation conforms to the definition in Section 5.2 of [RFC6749].
-        render json: revocation_error_response, status: :forbidden
-        return
-      end
-
       # The authorization server responds with HTTP status code 200 if the client
       # submitted an invalid token or the token has been revoked successfully.
       if token.blank?
@@ -68,7 +44,39 @@ module Doorkeeper
 
     private
 
+    def validate_presence_of_client
+      return if Doorkeeper.config.skip_client_authentication_for_password_grant
+
+      # @see 2.1.  Revocation Request
+      #
+      #  The client constructs the request by including the following
+      #  parameters using the "application/x-www-form-urlencoded" format in
+      #  the HTTP request entity-body:
+      #     token   REQUIRED.
+      #     token_type_hint  OPTIONAL.
+      #
+      #  The client also includes its authentication credentials as described
+      #  in Section 2.3. of [RFC6749].
+      #
+      #  The authorization server first validates the client credentials (in
+      #  case of a confidential client) and then verifies whether the token
+      #  was issued to the client making the revocation request.
+      return if server.client
+
+      # If this validation [client credentials / token ownership] fails, the request is
+      # refused and the  client is informed of the error by the authorization server as
+      # described below.
+      #
+      # @see 2.2.1.  Error Response
+      #
+      # The error presentation conforms to the definition in Section 5.2 of [RFC6749].
+      render json: revocation_error_response, status: :forbidden
+    end
+
     # OAuth 2.0 Section 2.1 defines two client types, "public" & "confidential".
+    #
+    # RFC7009
+    # Section 5. Security Considerations
     # A malicious client may attempt to guess valid tokens on this endpoint
     # by making revocation requests against potential token strings.
     # According to this specification, a client's request must contain a

data/app/views/doorkeeper/applications/_form.html.erb

@@ -1,4 +1,4 @@
-<%= form_for application, url: doorkeeper_submit_path(application), html: { role: 'form' } do |f| %>
+<%= form_for application, url: doorkeeper_submit_path(application), as: :doorkeeper_application, html: { role: 'form' } do |f| %>
   <% if application.errors.any? %>
     <div class="alert alert-danger" data-alert><p><%= t('doorkeeper.applications.form.error') %></p></div>
   <% end %>

data/app/views/doorkeeper/applications/show.html.erb

@@ -35,18 +35,22 @@
 
     <h4><%= t('.callback_urls') %>:</h4>
 
-    <table>
-      <% @application.redirect_uri.split.each do |uri| %>
-        <tr>
-          <td>
-            <code class="bg-light"><%= uri %></code>
-          </td>
-          <td>
-            <%= link_to t('doorkeeper.applications.buttons.authorize'), oauth_authorization_path(client_id: @application.uid, redirect_uri: uri, response_type: 'code', scope: @application.scopes), class: 'btn btn-success', target: '_blank' %>
-          </td>
-        </tr>
-      <% end %>
-    </table>
+    <% if @application.redirect_uri.present? %>
+      <table>
+        <% @application.redirect_uri.split.each do |uri| %>
+          <tr>
+            <td>
+              <code class="bg-light"><%= uri %></code>
+            </td>
+            <td>
+              <%= link_to t('doorkeeper.applications.buttons.authorize'), oauth_authorization_path(client_id: @application.uid, redirect_uri: uri, response_type: 'code', scope: @application.scopes), class: 'btn btn-success', target: '_blank' %>
+            </td>
+          </tr>
+        <% end %>
+      </table>
+    <% else %>
+      <span class="bg-light font-italic text-uppercase text-muted"><%= t('.not_defined') %></span>
+    <% end %>
   </div>
 
   <div class="col-md-4">

data/app/views/doorkeeper/authorizations/form_post.html.erb

@@ -0,0 +1,11 @@
+<header class="page-header">
+  <h1><%= t('.title') %></h1>
+</header>
+
+<main role="main" onload="document.forms[0].submit()">
+  <%= form_tag @pre_auth.redirect_uri, method: :post do %>
+    <% @authorize_response.body.each do |key, value| %>
+      <%= hidden_field_tag key, value %>
+    <% end %>
+  <% end %>
+</main>

data/config/locales/en.yml

@@ -72,6 +72,8 @@ en:
         able_to: 'This application will be able to'
       show:
         title: 'Authorization code'
+      form_post:
+        title: 'Submit this form'
 
     authorized_applications:
       confirmations:
@@ -93,7 +95,6 @@ en:
         invalid_request:
           unknown: 'The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed.'
           missing_param: 'Missing required parameter: %{value}.'
-          not_support_pkce: 'Invalid code_verifier parameter. Server does not support pkce.'
           request_not_authorized: 'Request need to be authorized. Required parameter for authorizing request is missing or invalid.'
         invalid_redirect_uri: "The requested redirect uri is malformed or doesn't match client redirect URI."
         unauthorized_client: 'The client is not authorized to perform this request using this method.'
@@ -110,6 +111,7 @@ en:
 
         # Access grant errors
         unsupported_response_type: 'The authorization server does not support this response type.'
+        unsupported_response_mode: 'The authorization server does not support this response mode.'
 
         # Access token errors
         invalid_client: 'Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method.'