doorkeeper 5.4.0.rc1 → 5.5.0

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of doorkeeper might be problematic. Click here for more details.

Files changed (219) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +108 -9
  3. data/README.md +4 -4
  4. data/app/controllers/doorkeeper/applications_controller.rb +3 -3
  5. data/app/controllers/doorkeeper/authorizations_controller.rb +16 -5
  6. data/app/controllers/doorkeeper/authorized_applications_controller.rb +1 -1
  7. data/app/controllers/doorkeeper/token_info_controller.rb +12 -2
  8. data/app/controllers/doorkeeper/tokens_controller.rb +34 -26
  9. data/app/views/doorkeeper/applications/_form.html.erb +1 -1
  10. data/app/views/doorkeeper/applications/show.html.erb +16 -12
  11. data/app/views/doorkeeper/authorizations/form_post.html.erb +11 -0
  12. data/config/locales/en.yml +3 -1
  13. data/lib/doorkeeper.rb +6 -1
  14. data/lib/doorkeeper/config.rb +109 -78
  15. data/lib/doorkeeper/config/abstract_builder.rb +1 -1
  16. data/lib/doorkeeper/config/option.rb +1 -3
  17. data/lib/doorkeeper/config/validations.rb +53 -0
  18. data/lib/doorkeeper/engine.rb +1 -1
  19. data/lib/doorkeeper/grant_flow.rb +45 -0
  20. data/lib/doorkeeper/grant_flow/fallback_flow.rb +15 -0
  21. data/lib/doorkeeper/grant_flow/flow.rb +44 -0
  22. data/lib/doorkeeper/grant_flow/registry.rb +50 -0
  23. data/lib/doorkeeper/helpers/controller.rb +8 -4
  24. data/lib/doorkeeper/models/access_grant_mixin.rb +12 -7
  25. data/lib/doorkeeper/models/access_token_mixin.rb +12 -8
  26. data/lib/doorkeeper/models/application_mixin.rb +5 -4
  27. data/lib/doorkeeper/models/concerns/revocable.rb +1 -1
  28. data/lib/doorkeeper/oauth/authorization/code.rb +5 -1
  29. data/lib/doorkeeper/oauth/authorization/context.rb +5 -5
  30. data/lib/doorkeeper/oauth/authorization/token.rb +11 -5
  31. data/lib/doorkeeper/oauth/authorization/uri_builder.rb +1 -1
  32. data/lib/doorkeeper/oauth/authorization_code_request.rb +10 -17
  33. data/lib/doorkeeper/oauth/base_request.rb +1 -1
  34. data/lib/doorkeeper/oauth/client_credentials/creator.rb +3 -2
  35. data/lib/doorkeeper/oauth/client_credentials/issuer.rb +1 -0
  36. data/lib/doorkeeper/oauth/client_credentials/validator.rb +3 -1
  37. data/lib/doorkeeper/oauth/code_request.rb +2 -2
  38. data/lib/doorkeeper/oauth/code_response.rb +17 -11
  39. data/lib/doorkeeper/oauth/error_response.rb +4 -3
  40. data/lib/doorkeeper/oauth/helpers/scope_checker.rb +1 -3
  41. data/lib/doorkeeper/oauth/password_access_token_request.rb +21 -2
  42. data/lib/doorkeeper/oauth/pre_authorization.rb +37 -11
  43. data/lib/doorkeeper/oauth/refresh_token_request.rb +13 -0
  44. data/lib/doorkeeper/oauth/token.rb +4 -5
  45. data/lib/doorkeeper/oauth/token_introspection.rb +1 -5
  46. data/lib/doorkeeper/oauth/token_request.rb +1 -1
  47. data/lib/doorkeeper/orm/active_record.rb +5 -6
  48. data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +12 -2
  49. data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +10 -2
  50. data/lib/doorkeeper/orm/active_record/mixins/application.rb +76 -10
  51. data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb +5 -0
  52. data/lib/doorkeeper/rails/routes.rb +1 -3
  53. data/lib/doorkeeper/rake/db.rake +3 -3
  54. data/lib/doorkeeper/rake/setup.rake +5 -0
  55. data/lib/doorkeeper/request.rb +49 -12
  56. data/lib/doorkeeper/request/refresh_token.rb +2 -1
  57. data/lib/doorkeeper/server.rb +1 -1
  58. data/lib/doorkeeper/stale_records_cleaner.rb +4 -4
  59. data/lib/doorkeeper/version.rb +2 -6
  60. data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +1 -1
  61. data/lib/generators/doorkeeper/templates/initializer.rb +9 -7
  62. data/lib/generators/doorkeeper/templates/migration.rb.erb +12 -5
  63. metadata +25 -306
  64. data/Appraisals +0 -26
  65. data/CODE_OF_CONDUCT.md +0 -46
  66. data/CONTRIBUTING.md +0 -49
  67. data/Dangerfile +0 -67
  68. data/Dockerfile +0 -29
  69. data/Gemfile +0 -25
  70. data/NEWS.md +0 -1
  71. data/RELEASING.md +0 -11
  72. data/Rakefile +0 -28
  73. data/SECURITY.md +0 -15
  74. data/UPGRADE.md +0 -2
  75. data/bin/console +0 -30
  76. data/doorkeeper.gemspec +0 -42
  77. data/gemfiles/rails_5_0.gemfile +0 -19
  78. data/gemfiles/rails_5_1.gemfile +0 -19
  79. data/gemfiles/rails_5_2.gemfile +0 -19
  80. data/gemfiles/rails_6_0.gemfile +0 -19
  81. data/gemfiles/rails_master.gemfile +0 -19
  82. data/spec/controllers/application_metal_controller_spec.rb +0 -64
  83. data/spec/controllers/applications_controller_spec.rb +0 -274
  84. data/spec/controllers/authorizations_controller_spec.rb +0 -743
  85. data/spec/controllers/protected_resources_controller_spec.rb +0 -361
  86. data/spec/controllers/token_info_controller_spec.rb +0 -50
  87. data/spec/controllers/tokens_controller_spec.rb +0 -499
  88. data/spec/dummy/Rakefile +0 -9
  89. data/spec/dummy/app/assets/config/manifest.js +0 -2
  90. data/spec/dummy/app/controllers/application_controller.rb +0 -5
  91. data/spec/dummy/app/controllers/custom_authorizations_controller.rb +0 -9
  92. data/spec/dummy/app/controllers/full_protected_resources_controller.rb +0 -14
  93. data/spec/dummy/app/controllers/home_controller.rb +0 -18
  94. data/spec/dummy/app/controllers/metal_controller.rb +0 -13
  95. data/spec/dummy/app/controllers/semi_protected_resources_controller.rb +0 -13
  96. data/spec/dummy/app/helpers/application_helper.rb +0 -7
  97. data/spec/dummy/app/models/user.rb +0 -11
  98. data/spec/dummy/app/views/home/index.html.erb +0 -0
  99. data/spec/dummy/app/views/layouts/application.html.erb +0 -14
  100. data/spec/dummy/config.ru +0 -6
  101. data/spec/dummy/config/application.rb +0 -51
  102. data/spec/dummy/config/boot.rb +0 -7
  103. data/spec/dummy/config/database.yml +0 -15
  104. data/spec/dummy/config/environment.rb +0 -5
  105. data/spec/dummy/config/environments/development.rb +0 -31
  106. data/spec/dummy/config/environments/production.rb +0 -64
  107. data/spec/dummy/config/environments/test.rb +0 -45
  108. data/spec/dummy/config/initializers/backtrace_silencers.rb +0 -9
  109. data/spec/dummy/config/initializers/doorkeeper.rb +0 -166
  110. data/spec/dummy/config/initializers/secret_token.rb +0 -10
  111. data/spec/dummy/config/initializers/session_store.rb +0 -10
  112. data/spec/dummy/config/initializers/wrap_parameters.rb +0 -16
  113. data/spec/dummy/config/locales/doorkeeper.en.yml +0 -5
  114. data/spec/dummy/config/routes.rb +0 -13
  115. data/spec/dummy/db/migrate/20111122132257_create_users.rb +0 -11
  116. data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb +0 -7
  117. data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +0 -69
  118. data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb +0 -9
  119. data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb +0 -13
  120. data/spec/dummy/db/migrate/20170822064514_enable_pkce.rb +0 -8
  121. data/spec/dummy/db/migrate/20180210183654_add_confidential_to_applications.rb +0 -13
  122. data/spec/dummy/db/schema.rb +0 -70
  123. data/spec/dummy/public/404.html +0 -26
  124. data/spec/dummy/public/422.html +0 -26
  125. data/spec/dummy/public/500.html +0 -26
  126. data/spec/dummy/public/favicon.ico +0 -0
  127. data/spec/dummy/script/rails +0 -9
  128. data/spec/factories.rb +0 -30
  129. data/spec/generators/application_owner_generator_spec.rb +0 -28
  130. data/spec/generators/confidential_applications_generator_spec.rb +0 -29
  131. data/spec/generators/enable_polymorphic_resource_owner_generator_spec.rb +0 -47
  132. data/spec/generators/install_generator_spec.rb +0 -36
  133. data/spec/generators/migration_generator_spec.rb +0 -28
  134. data/spec/generators/pkce_generator_spec.rb +0 -28
  135. data/spec/generators/previous_refresh_token_generator_spec.rb +0 -44
  136. data/spec/generators/templates/routes.rb +0 -4
  137. data/spec/generators/views_generator_spec.rb +0 -29
  138. data/spec/grape/grape_integration_spec.rb +0 -137
  139. data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +0 -26
  140. data/spec/lib/config_spec.rb +0 -813
  141. data/spec/lib/doorkeeper_spec.rb +0 -27
  142. data/spec/lib/models/expirable_spec.rb +0 -61
  143. data/spec/lib/models/reusable_spec.rb +0 -40
  144. data/spec/lib/models/revocable_spec.rb +0 -58
  145. data/spec/lib/models/scopes_spec.rb +0 -61
  146. data/spec/lib/models/secret_storable_spec.rb +0 -135
  147. data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -39
  148. data/spec/lib/oauth/authorization_code_request_spec.rb +0 -180
  149. data/spec/lib/oauth/base_request_spec.rb +0 -210
  150. data/spec/lib/oauth/base_response_spec.rb +0 -45
  151. data/spec/lib/oauth/client/credentials_spec.rb +0 -90
  152. data/spec/lib/oauth/client_credentials/creator_spec.rb +0 -135
  153. data/spec/lib/oauth/client_credentials/issuer_spec.rb +0 -110
  154. data/spec/lib/oauth/client_credentials/validation_spec.rb +0 -57
  155. data/spec/lib/oauth/client_credentials_integration_spec.rb +0 -27
  156. data/spec/lib/oauth/client_credentials_request_spec.rb +0 -108
  157. data/spec/lib/oauth/client_spec.rb +0 -38
  158. data/spec/lib/oauth/code_request_spec.rb +0 -46
  159. data/spec/lib/oauth/code_response_spec.rb +0 -36
  160. data/spec/lib/oauth/error_response_spec.rb +0 -64
  161. data/spec/lib/oauth/error_spec.rb +0 -21
  162. data/spec/lib/oauth/forbidden_token_response_spec.rb +0 -20
  163. data/spec/lib/oauth/helpers/scope_checker_spec.rb +0 -110
  164. data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -21
  165. data/spec/lib/oauth/helpers/uri_checker_spec.rb +0 -262
  166. data/spec/lib/oauth/invalid_request_response_spec.rb +0 -73
  167. data/spec/lib/oauth/invalid_token_response_spec.rb +0 -53
  168. data/spec/lib/oauth/password_access_token_request_spec.rb +0 -201
  169. data/spec/lib/oauth/pre_authorization_spec.rb +0 -218
  170. data/spec/lib/oauth/refresh_token_request_spec.rb +0 -166
  171. data/spec/lib/oauth/scopes_spec.rb +0 -146
  172. data/spec/lib/oauth/token_request_spec.rb +0 -164
  173. data/spec/lib/oauth/token_response_spec.rb +0 -84
  174. data/spec/lib/oauth/token_spec.rb +0 -156
  175. data/spec/lib/option_spec.rb +0 -51
  176. data/spec/lib/request/strategy_spec.rb +0 -54
  177. data/spec/lib/secret_storing/base_spec.rb +0 -60
  178. data/spec/lib/secret_storing/bcrypt_spec.rb +0 -49
  179. data/spec/lib/secret_storing/plain_spec.rb +0 -44
  180. data/spec/lib/secret_storing/sha256_hash_spec.rb +0 -48
  181. data/spec/lib/server_spec.rb +0 -49
  182. data/spec/lib/stale_records_cleaner_spec.rb +0 -102
  183. data/spec/models/doorkeeper/access_grant_spec.rb +0 -175
  184. data/spec/models/doorkeeper/access_token_spec.rb +0 -650
  185. data/spec/models/doorkeeper/application_spec.rb +0 -442
  186. data/spec/requests/applications/applications_request_spec.rb +0 -259
  187. data/spec/requests/applications/authorized_applications_spec.rb +0 -32
  188. data/spec/requests/endpoints/authorization_spec.rb +0 -91
  189. data/spec/requests/endpoints/token_spec.rb +0 -79
  190. data/spec/requests/flows/authorization_code_errors_spec.rb +0 -82
  191. data/spec/requests/flows/authorization_code_spec.rb +0 -530
  192. data/spec/requests/flows/client_credentials_spec.rb +0 -207
  193. data/spec/requests/flows/implicit_grant_errors_spec.rb +0 -46
  194. data/spec/requests/flows/implicit_grant_spec.rb +0 -91
  195. data/spec/requests/flows/password_spec.rb +0 -316
  196. data/spec/requests/flows/refresh_token_spec.rb +0 -241
  197. data/spec/requests/flows/revoke_token_spec.rb +0 -196
  198. data/spec/requests/flows/skip_authorization_spec.rb +0 -66
  199. data/spec/requests/protected_resources/metal_spec.rb +0 -16
  200. data/spec/requests/protected_resources/private_api_spec.rb +0 -83
  201. data/spec/routing/custom_controller_routes_spec.rb +0 -133
  202. data/spec/routing/default_routes_spec.rb +0 -41
  203. data/spec/routing/scoped_routes_spec.rb +0 -47
  204. data/spec/spec_helper.rb +0 -54
  205. data/spec/spec_helper_integration.rb +0 -4
  206. data/spec/support/dependencies/factory_bot.rb +0 -4
  207. data/spec/support/doorkeeper_rspec.rb +0 -22
  208. data/spec/support/helpers/access_token_request_helper.rb +0 -14
  209. data/spec/support/helpers/authorization_request_helper.rb +0 -43
  210. data/spec/support/helpers/config_helper.rb +0 -11
  211. data/spec/support/helpers/model_helper.rb +0 -78
  212. data/spec/support/helpers/request_spec_helper.rb +0 -110
  213. data/spec/support/helpers/url_helper.rb +0 -62
  214. data/spec/support/orm/active_record.rb +0 -5
  215. data/spec/support/shared/controllers_shared_context.rb +0 -133
  216. data/spec/support/shared/hashing_shared_context.rb +0 -36
  217. data/spec/support/shared/models_shared_examples.rb +0 -56
  218. data/spec/validators/redirect_uri_validator_spec.rb +0 -183
  219. data/spec/version/version_spec.rb +0 -17
@@ -1,207 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- require "spec_helper"
4
-
5
- describe "Client Credentials Request" do
6
- let(:client) { FactoryBot.create :application }
7
-
8
- context "a valid request" do
9
- it "authorizes the client and returns the token response" do
10
- headers = authorization client.uid, client.secret
11
- params = { grant_type: "client_credentials" }
12
-
13
- post "/oauth/token", params: params, headers: headers
14
-
15
- should_have_json "access_token", Doorkeeper::AccessToken.first.token
16
- should_have_json_within "expires_in", Doorkeeper.configuration.access_token_expires_in, 1
17
- should_not_have_json "scope"
18
- should_not_have_json "refresh_token"
19
-
20
- should_not_have_json "error"
21
- should_not_have_json "error_description"
22
- end
23
-
24
- context "with scopes" do
25
- before do
26
- optional_scopes_exist :write
27
- default_scopes_exist :public
28
- end
29
-
30
- it "adds the scope to the token an returns in the response" do
31
- headers = authorization client.uid, client.secret
32
- params = { grant_type: "client_credentials", scope: "write" }
33
-
34
- post "/oauth/token", params: params, headers: headers
35
-
36
- should_have_json "access_token", Doorkeeper::AccessToken.first.token
37
- should_have_json "scope", "write"
38
- end
39
-
40
- context "that are default" do
41
- it "adds the scope to the token an returns in the response" do
42
- headers = authorization client.uid, client.secret
43
- params = { grant_type: "client_credentials", scope: "public" }
44
-
45
- post "/oauth/token", params: params, headers: headers
46
-
47
- should_have_json "access_token", Doorkeeper::AccessToken.first.token
48
- should_have_json "scope", "public"
49
- end
50
- end
51
-
52
- context "that are invalid" do
53
- it "does not authorize the client and returns the error" do
54
- headers = authorization client.uid, client.secret
55
- params = { grant_type: "client_credentials", scope: "random" }
56
-
57
- post "/oauth/token", params: params, headers: headers
58
-
59
- should_have_json "error", "invalid_scope"
60
- should_have_json "error_description", translated_error_message(:invalid_scope)
61
- should_not_have_json "access_token"
62
-
63
- expect(response.status).to eq(400)
64
- end
65
- end
66
- end
67
- end
68
-
69
- context "when configured to check application supported grant flow" do
70
- before do
71
- Doorkeeper.configuration.instance_variable_set(
72
- :@allow_grant_flow_for_client,
73
- ->(_grant_flow, client) { client.name == "admin" },
74
- )
75
- end
76
-
77
- scenario "forbids the request when doesn't satisfy condition" do
78
- client.update(name: "sample app")
79
-
80
- headers = authorization client.uid, client.secret
81
- params = { grant_type: "client_credentials" }
82
-
83
- post "/oauth/token", params: params, headers: headers
84
-
85
- should_have_json "error", "unauthorized_client"
86
- should_have_json "error_description", translated_error_message(:unauthorized_client)
87
- end
88
-
89
- scenario "allows the request when satisfies condition" do
90
- client.update(name: "admin")
91
-
92
- headers = authorization client.uid, client.secret
93
- params = { grant_type: "client_credentials" }
94
-
95
- post "/oauth/token", params: params, headers: headers
96
-
97
- should_have_json "access_token", Doorkeeper::AccessToken.first.token
98
- should_have_json_within "expires_in", Doorkeeper.configuration.access_token_expires_in, 1
99
- should_not_have_json "scope"
100
- should_not_have_json "refresh_token"
101
-
102
- should_not_have_json "error"
103
- should_not_have_json "error_description"
104
- end
105
- end
106
-
107
- context "when application scopes contain some of the default scopes and no scope is passed" do
108
- before do
109
- client.update(scopes: "read write public")
110
- end
111
-
112
- it "issues new token with one default scope that are present in application scopes" do
113
- default_scopes_exist :public
114
-
115
- headers = authorization client.uid, client.secret
116
- params = { grant_type: "client_credentials" }
117
-
118
- expect do
119
- post "/oauth/token", params: params, headers: headers
120
- end.to change { Doorkeeper::AccessToken.count }.by(1)
121
-
122
- token = Doorkeeper::AccessToken.first
123
-
124
- expect(token.application_id).to eq client.id
125
- should_have_json "access_token", token.token
126
- should_have_json "scope", "public"
127
- end
128
-
129
- it "issues new token with multiple default scopes that are present in application scopes" do
130
- default_scopes_exist :public, :read, :update
131
-
132
- headers = authorization client.uid, client.secret
133
- params = { grant_type: "client_credentials" }
134
-
135
- expect do
136
- post "/oauth/token", params: params, headers: headers
137
- end.to change { Doorkeeper::AccessToken.count }.by(1)
138
-
139
- token = Doorkeeper::AccessToken.first
140
-
141
- expect(token.application_id).to eq client.id
142
- should_have_json "access_token", token.token
143
- should_have_json "scope", "public read"
144
- end
145
- end
146
-
147
- context "an invalid request" do
148
- it "does not authorize the client and returns the error" do
149
- headers = {}
150
- params = { grant_type: "client_credentials" }
151
-
152
- post "/oauth/token", params: params, headers: headers
153
-
154
- should_have_json "error", "invalid_client"
155
- should_have_json "error_description", translated_error_message(:invalid_client)
156
- should_not_have_json "access_token"
157
-
158
- expect(response.status).to eq(401)
159
- end
160
- end
161
-
162
- context "when revoke_previous_client_credentials_token is true" do
163
- before do
164
- allow(Doorkeeper.config).to receive(:reuse_access_token) { false }
165
- allow(Doorkeeper.config).to receive(:revoke_previous_client_credentials_token) { true }
166
- end
167
-
168
- it "revokes the previous token" do
169
- headers = authorization client.uid, client.secret
170
- params = { grant_type: "client_credentials" }
171
-
172
- post "/oauth/token", params: params, headers: headers
173
- should_have_json "access_token", Doorkeeper::AccessToken.first.token
174
-
175
- token = Doorkeeper::AccessToken.first
176
-
177
- post "/oauth/token", params: params, headers: headers
178
- should_have_json "access_token", Doorkeeper::AccessToken.last.token
179
-
180
- expect(token.reload.revoked?).to be_truthy
181
- expect(Doorkeeper::AccessToken.last.revoked?).to be_falsey
182
- end
183
-
184
- context "with a simultaneous request" do
185
- let!(:access_token) { FactoryBot.create :access_token, resource_owner_id: nil }
186
-
187
- before do
188
- allow(Doorkeeper.config.access_token_model).to receive(:matching_token_for) { access_token }
189
- allow(access_token).to receive(:revoked?).and_return(true)
190
- end
191
-
192
- it "returns an error" do
193
- headers = authorization client.uid, client.secret
194
- params = { grant_type: "client_credentials" }
195
-
196
- post "/oauth/token", params: params, headers: headers
197
- should_not_have_json "access_token"
198
- should_have_json "error", "invalid_token_reuse"
199
- end
200
- end
201
- end
202
-
203
- def authorization(username, password)
204
- credentials = ActionController::HttpAuthentication::Basic.encode_credentials username, password
205
- { "HTTP_AUTHORIZATION" => credentials }
206
- end
207
- end
@@ -1,46 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- require "spec_helper"
4
-
5
- feature "Implicit Grant Flow Errors" do
6
- background do
7
- default_scopes_exist :default
8
- config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
9
- config_is_set(:grant_flows, ["implicit"])
10
- client_exists
11
- create_resource_owner
12
- sign_in
13
- end
14
-
15
- after do
16
- access_token_should_not_exist
17
- end
18
-
19
- context "when validate client_id param" do
20
- scenario "displays invalid_client error for invalid client_id" do
21
- visit authorization_endpoint_url(client_id: "invalid", response_type: "token")
22
- i_should_not_see "Authorize"
23
- i_should_see_translated_error_message :invalid_client
24
- end
25
-
26
- scenario "displays invalid_request error when client_id is missing" do
27
- visit authorization_endpoint_url(client_id: "", response_type: "token")
28
- i_should_not_see "Authorize"
29
- i_should_see_translated_invalid_request_error_message :missing_param, :client_id
30
- end
31
- end
32
-
33
- context "when validate redirect_uri param" do
34
- scenario "displays invalid_redirect_uri error for invalid redirect_uri" do
35
- visit authorization_endpoint_url(client: @client, redirect_uri: "invalid", response_type: "token")
36
- i_should_not_see "Authorize"
37
- i_should_see_translated_error_message :invalid_redirect_uri
38
- end
39
-
40
- scenario "displays invalid_redirect_uri error when redirect_uri is missing" do
41
- visit authorization_endpoint_url(client: @client, redirect_uri: "", response_type: "token")
42
- i_should_not_see "Authorize"
43
- i_should_see_translated_error_message :invalid_redirect_uri
44
- end
45
- end
46
- end
@@ -1,91 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- require "spec_helper"
4
-
5
- feature "Implicit Grant Flow (feature spec)" do
6
- background do
7
- default_scopes_exist :default
8
- config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
9
- config_is_set(:grant_flows, ["implicit"])
10
- client_exists
11
- create_resource_owner
12
- sign_in
13
- end
14
-
15
- scenario "resource owner authorizes the client" do
16
- visit authorization_endpoint_url(client: @client, response_type: "token")
17
- click_on "Authorize"
18
-
19
- access_token_should_exist_for @client, @resource_owner
20
-
21
- i_should_be_on_client_callback @client
22
- end
23
-
24
- context "when application scopes are present and no scope is passed" do
25
- background do
26
- @client.update(scopes: "public write read")
27
- end
28
-
29
- scenario "scope is invalid because default scope is different from application scope" do
30
- default_scopes_exist :admin
31
- visit authorization_endpoint_url(client: @client, response_type: "token")
32
- response_status_should_be 200
33
- i_should_not_see "Authorize"
34
- i_should_see_translated_error_message :invalid_scope
35
- end
36
-
37
- scenario "access token has scopes which are common in application scopes and default scopes" do
38
- default_scopes_exist :public, :write
39
- visit authorization_endpoint_url(client: @client, response_type: "token")
40
- click_on "Authorize"
41
- access_token_should_exist_for @client, @resource_owner
42
- access_token_should_have_scopes :public, :write
43
- end
44
- end
45
- end
46
-
47
- describe "Implicit Grant Flow (request spec)" do
48
- before do
49
- default_scopes_exist :default
50
- config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
51
- config_is_set(:grant_flows, ["implicit"])
52
- client_exists
53
- create_resource_owner
54
- end
55
-
56
- context "token reuse" do
57
- it "should return a new token each request" do
58
- allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(false)
59
-
60
- token = client_is_authorized(@client, @resource_owner, scopes: "default")
61
-
62
- post "/oauth/authorize",
63
- params: {
64
- client_id: @client.uid,
65
- state: "",
66
- redirect_uri: @client.redirect_uri,
67
- response_type: "token",
68
- commit: "Authorize",
69
- }
70
-
71
- expect(response.location).not_to include(token.token)
72
- end
73
-
74
- it "should return the same token if it is still accessible" do
75
- allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
76
-
77
- token = client_is_authorized(@client, @resource_owner, scopes: "default")
78
-
79
- post "/oauth/authorize",
80
- params: {
81
- client_id: @client.uid,
82
- state: "",
83
- redirect_uri: @client.redirect_uri,
84
- response_type: "token",
85
- commit: "Authorize",
86
- }
87
-
88
- expect(response.location).to include(token.token)
89
- end
90
- end
91
- end
@@ -1,316 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- require "spec_helper"
4
-
5
- describe "Resource Owner Password Credentials Flow not set up" do
6
- before do
7
- client_exists
8
- create_resource_owner
9
- end
10
-
11
- context "with valid user credentials" do
12
- it "does not issue new token" do
13
- expect do
14
- post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
15
- end.to_not(change { Doorkeeper::AccessToken.count })
16
- end
17
- end
18
- end
19
-
20
- describe "Resource Owner Password Credentials Flow" do
21
- let(:client_attributes) { { redirect_uri: nil } }
22
-
23
- before do
24
- config_is_set(:grant_flows, ["password"])
25
- config_is_set(:resource_owner_from_credentials) { User.authenticate! params[:username], params[:password] }
26
- client_exists(client_attributes)
27
- create_resource_owner
28
- end
29
-
30
- context "with valid user credentials" do
31
- context "with non-confidential/public client" do
32
- let(:client_attributes) { { confidential: false } }
33
-
34
- context "when configured to check application supported grant flow" do
35
- before do
36
- Doorkeeper.configuration.instance_variable_set(
37
- :@allow_grant_flow_for_client,
38
- ->(_grant_flow, client) { client.name == "admin" },
39
- )
40
- end
41
-
42
- scenario "forbids the request when doesn't satisfy condition" do
43
- @client.update(name: "sample app")
44
-
45
- expect do
46
- post password_token_endpoint_url(
47
- client_id: @client.uid,
48
- client_secret: "foobar",
49
- resource_owner: @resource_owner,
50
- )
51
- end.not_to(change { Doorkeeper::AccessToken.count })
52
-
53
- expect(response.status).to eq(401)
54
- should_have_json "error", "invalid_client"
55
- end
56
-
57
- scenario "allows the request when satisfies condition" do
58
- @client.update(name: "admin")
59
-
60
- expect do
61
- post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
62
- end.to change { Doorkeeper::AccessToken.count }.by(1)
63
-
64
- token = Doorkeeper::AccessToken.first
65
-
66
- expect(token.application_id).to eq @client.id
67
- should_have_json "access_token", token.token
68
- end
69
- end
70
-
71
- context "when client_secret absent" do
72
- it "should issue new token" do
73
- expect do
74
- post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
75
- end.to change { Doorkeeper::AccessToken.count }.by(1)
76
-
77
- token = Doorkeeper::AccessToken.first
78
-
79
- expect(token.application_id).to eq @client.id
80
- should_have_json "access_token", token.token
81
- end
82
- end
83
-
84
- context "when client_secret present" do
85
- it "should issue new token" do
86
- expect do
87
- post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
88
- end.to change { Doorkeeper::AccessToken.count }.by(1)
89
-
90
- token = Doorkeeper::AccessToken.first
91
-
92
- expect(token.application_id).to eq @client.id
93
- should_have_json "access_token", token.token
94
- end
95
-
96
- context "when client_secret incorrect" do
97
- it "should not issue new token" do
98
- expect do
99
- post password_token_endpoint_url(
100
- client_id: @client.uid,
101
- client_secret: "foobar",
102
- resource_owner: @resource_owner,
103
- )
104
- end.not_to(change { Doorkeeper::AccessToken.count })
105
-
106
- expect(response.status).to eq(401)
107
- should_have_json "error", "invalid_client"
108
- end
109
- end
110
- end
111
- end
112
-
113
- context "with confidential/private client" do
114
- it "should issue new token" do
115
- expect do
116
- post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
117
- end.to change { Doorkeeper::AccessToken.count }.by(1)
118
-
119
- token = Doorkeeper::AccessToken.first
120
-
121
- expect(token.application_id).to eq @client.id
122
- should_have_json "access_token", token.token
123
- end
124
-
125
- context "when client_secret absent" do
126
- it "should not issue new token" do
127
- expect do
128
- post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
129
- end.not_to(change { Doorkeeper::AccessToken.count })
130
-
131
- expect(response.status).to eq(401)
132
- should_have_json "error", "invalid_client"
133
- end
134
- end
135
- end
136
-
137
- it "should issue new token without client credentials" do
138
- expect do
139
- post password_token_endpoint_url(resource_owner: @resource_owner)
140
- end.to(change { Doorkeeper::AccessToken.count }.by(1))
141
-
142
- token = Doorkeeper::AccessToken.first
143
-
144
- expect(token.application_id).to be_nil
145
- should_have_json "access_token", token.token
146
- end
147
-
148
- it "should issue a refresh token if enabled" do
149
- config_is_set(:refresh_token_enabled, true)
150
-
151
- post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
152
-
153
- token = Doorkeeper::AccessToken.first
154
-
155
- should_have_json "refresh_token", token.refresh_token
156
- end
157
-
158
- it "should return the same token if it is still accessible" do
159
- allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
160
-
161
- client_is_authorized(@client, @resource_owner)
162
-
163
- post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
164
-
165
- expect(Doorkeeper::AccessToken.count).to be(1)
166
- should_have_json "access_token", Doorkeeper::AccessToken.first.token
167
- end
168
-
169
- context "with valid, default scope" do
170
- before do
171
- default_scopes_exist :public
172
- end
173
-
174
- it "should issue new token" do
175
- expect do
176
- post password_token_endpoint_url(client: @client, resource_owner: @resource_owner, scope: "public")
177
- end.to change { Doorkeeper::AccessToken.count }.by(1)
178
-
179
- token = Doorkeeper::AccessToken.first
180
-
181
- expect(token.application_id).to eq @client.id
182
- should_have_json "access_token", token.token
183
- should_have_json "scope", "public"
184
- end
185
- end
186
- end
187
-
188
- context "when application scopes are present and differs from configured default scopes and no scope is passed" do
189
- before do
190
- default_scopes_exist :public
191
- @client.update(scopes: "abc")
192
- end
193
-
194
- it "issues new token without any scope" do
195
- expect do
196
- post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
197
- end.to change { Doorkeeper::AccessToken.count }.by(1)
198
-
199
- token = Doorkeeper::AccessToken.first
200
-
201
- expect(token.application_id).to eq @client.id
202
- expect(token.scopes).to be_empty
203
- should_have_json "access_token", token.token
204
- should_not_have_json "scope"
205
- end
206
- end
207
-
208
- context "when application scopes contain some of the default scopes and no scope is passed" do
209
- before do
210
- @client.update(scopes: "read write public")
211
- end
212
-
213
- it "issues new token with one default scope that are present in application scopes" do
214
- default_scopes_exist :public, :admin
215
-
216
- expect do
217
- post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
218
- end.to change { Doorkeeper::AccessToken.count }.by(1)
219
-
220
- token = Doorkeeper::AccessToken.first
221
-
222
- expect(token.application_id).to eq @client.id
223
- should_have_json "access_token", token.token
224
- should_have_json "scope", "public"
225
- end
226
-
227
- it "issues new token with multiple default scopes that are present in application scopes" do
228
- default_scopes_exist :public, :read, :update
229
-
230
- expect do
231
- post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
232
- end.to change { Doorkeeper::AccessToken.count }.by(1)
233
-
234
- token = Doorkeeper::AccessToken.first
235
-
236
- expect(token.application_id).to eq @client.id
237
- should_have_json "access_token", token.token
238
- should_have_json "scope", "public read"
239
- end
240
- end
241
-
242
- context "with invalid scopes" do
243
- subject do
244
- post password_token_endpoint_url(
245
- client: @client,
246
- resource_owner: @resource_owner,
247
- scope: "random",
248
- )
249
- end
250
-
251
- it "should not issue new token" do
252
- expect { subject }.to_not(change { Doorkeeper::AccessToken.count })
253
- end
254
-
255
- it "should return invalid_scope error" do
256
- subject
257
- should_have_json "error", "invalid_scope"
258
- should_have_json "error_description", translated_error_message(:invalid_scope)
259
- should_not_have_json "access_token"
260
-
261
- expect(response.status).to eq(400)
262
- end
263
- end
264
-
265
- context "with invalid user credentials" do
266
- it "should not issue new token with bad password" do
267
- expect do
268
- post password_token_endpoint_url(
269
- client: @client,
270
- resource_owner_username: @resource_owner.name,
271
- resource_owner_password: "wrongpassword",
272
- )
273
- end.to_not(change { Doorkeeper::AccessToken.count })
274
- end
275
-
276
- it "should not issue new token without credentials" do
277
- expect do
278
- post password_token_endpoint_url(client: @client)
279
- end.to_not(change { Doorkeeper::AccessToken.count })
280
- end
281
-
282
- it "should not issue new token if resource_owner_from_credentials returned false or nil" do
283
- config_is_set(:resource_owner_from_credentials) { false }
284
-
285
- expect do
286
- post password_token_endpoint_url(client: @client)
287
- end.to_not(change { Doorkeeper::AccessToken.count })
288
-
289
- config_is_set(:resource_owner_from_credentials) { nil }
290
-
291
- expect do
292
- post password_token_endpoint_url(client: @client)
293
- end.to_not(change { Doorkeeper::AccessToken.count })
294
- end
295
- end
296
-
297
- context "with invalid confidential client credentials" do
298
- it "should not issue new token with bad client credentials" do
299
- expect do
300
- post password_token_endpoint_url(
301
- client_id: @client.uid,
302
- client_secret: "bad_secret",
303
- resource_owner: @resource_owner,
304
- )
305
- end.to_not(change { Doorkeeper::AccessToken.count })
306
- end
307
- end
308
-
309
- context "with invalid public client id" do
310
- it "should not issue new token with bad client id" do
311
- expect do
312
- post password_token_endpoint_url(client_id: "bad_id", resource_owner: @resource_owner)
313
- end.to_not(change { Doorkeeper::AccessToken.count })
314
- end
315
- end
316
- end