doorkeeper 5.4.0.rc1 → 5.5.0





Files changed (219)
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +108 -9
  3. data/README.md +4 -4
  4. data/app/controllers/doorkeeper/applications_controller.rb +3 -3
  5. data/app/controllers/doorkeeper/authorizations_controller.rb +16 -5
  6. data/app/controllers/doorkeeper/authorized_applications_controller.rb +1 -1
  7. data/app/controllers/doorkeeper/token_info_controller.rb +12 -2
  8. data/app/controllers/doorkeeper/tokens_controller.rb +34 -26
  9. data/app/views/doorkeeper/applications/_form.html.erb +1 -1
  10. data/app/views/doorkeeper/applications/show.html.erb +16 -12
  11. data/app/views/doorkeeper/authorizations/form_post.html.erb +11 -0
  12. data/config/locales/en.yml +3 -1
  13. data/lib/doorkeeper.rb +6 -1
  14. data/lib/doorkeeper/config.rb +109 -78
  15. data/lib/doorkeeper/config/abstract_builder.rb +1 -1
  16. data/lib/doorkeeper/config/option.rb +1 -3
  17. data/lib/doorkeeper/config/validations.rb +53 -0
  18. data/lib/doorkeeper/engine.rb +1 -1
  19. data/lib/doorkeeper/grant_flow.rb +45 -0
  20. data/lib/doorkeeper/grant_flow/fallback_flow.rb +15 -0
  21. data/lib/doorkeeper/grant_flow/flow.rb +44 -0
  22. data/lib/doorkeeper/grant_flow/registry.rb +50 -0
  23. data/lib/doorkeeper/helpers/controller.rb +8 -4
  24. data/lib/doorkeeper/models/access_grant_mixin.rb +12 -7
  25. data/lib/doorkeeper/models/access_token_mixin.rb +12 -8
  26. data/lib/doorkeeper/models/application_mixin.rb +5 -4
  27. data/lib/doorkeeper/models/concerns/revocable.rb +1 -1
  28. data/lib/doorkeeper/oauth/authorization/code.rb +5 -1
  29. data/lib/doorkeeper/oauth/authorization/context.rb +5 -5
  30. data/lib/doorkeeper/oauth/authorization/token.rb +11 -5
  31. data/lib/doorkeeper/oauth/authorization/uri_builder.rb +1 -1
  32. data/lib/doorkeeper/oauth/authorization_code_request.rb +10 -17
  33. data/lib/doorkeeper/oauth/base_request.rb +1 -1
  34. data/lib/doorkeeper/oauth/client_credentials/creator.rb +3 -2
  35. data/lib/doorkeeper/oauth/client_credentials/issuer.rb +1 -0
  36. data/lib/doorkeeper/oauth/client_credentials/validator.rb +3 -1
  37. data/lib/doorkeeper/oauth/code_request.rb +2 -2
  38. data/lib/doorkeeper/oauth/code_response.rb +17 -11
  39. data/lib/doorkeeper/oauth/error_response.rb +4 -3
  40. data/lib/doorkeeper/oauth/helpers/scope_checker.rb +1 -3
  41. data/lib/doorkeeper/oauth/password_access_token_request.rb +21 -2
  42. data/lib/doorkeeper/oauth/pre_authorization.rb +37 -11
  43. data/lib/doorkeeper/oauth/refresh_token_request.rb +13 -0
  44. data/lib/doorkeeper/oauth/token.rb +4 -5
  45. data/lib/doorkeeper/oauth/token_introspection.rb +1 -5
  46. data/lib/doorkeeper/oauth/token_request.rb +1 -1
  47. data/lib/doorkeeper/orm/active_record.rb +5 -6
  48. data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +12 -2
  49. data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +10 -2
  50. data/lib/doorkeeper/orm/active_record/mixins/application.rb +76 -10
  51. data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb +5 -0
  52. data/lib/doorkeeper/rails/routes.rb +1 -3
  53. data/lib/doorkeeper/rake/db.rake +3 -3
  54. data/lib/doorkeeper/rake/setup.rake +5 -0
  55. data/lib/doorkeeper/request.rb +49 -12
  56. data/lib/doorkeeper/request/refresh_token.rb +2 -1
  57. data/lib/doorkeeper/server.rb +1 -1
  58. data/lib/doorkeeper/stale_records_cleaner.rb +4 -4
  59. data/lib/doorkeeper/version.rb +2 -6
  60. data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +1 -1
  61. data/lib/generators/doorkeeper/templates/initializer.rb +9 -7
  62. data/lib/generators/doorkeeper/templates/migration.rb.erb +12 -5
  63. metadata +25 -306
  64. data/Appraisals +0 -26
  65. data/CODE_OF_CONDUCT.md +0 -46
  66. data/CONTRIBUTING.md +0 -49
  67. data/Dangerfile +0 -67
  68. data/Dockerfile +0 -29
  69. data/Gemfile +0 -25
  70. data/NEWS.md +0 -1
  71. data/RELEASING.md +0 -11
  72. data/Rakefile +0 -28
  73. data/SECURITY.md +0 -15
  74. data/UPGRADE.md +0 -2
  75. data/bin/console +0 -30
  76. data/doorkeeper.gemspec +0 -42
  77. data/gemfiles/rails_5_0.gemfile +0 -19
  78. data/gemfiles/rails_5_1.gemfile +0 -19
  79. data/gemfiles/rails_5_2.gemfile +0 -19
  80. data/gemfiles/rails_6_0.gemfile +0 -19
  81. data/gemfiles/rails_master.gemfile +0 -19
  82. data/spec/controllers/application_metal_controller_spec.rb +0 -64
  83. data/spec/controllers/applications_controller_spec.rb +0 -274
  84. data/spec/controllers/authorizations_controller_spec.rb +0 -743
  85. data/spec/controllers/protected_resources_controller_spec.rb +0 -361
  86. data/spec/controllers/token_info_controller_spec.rb +0 -50
  87. data/spec/controllers/tokens_controller_spec.rb +0 -499
  88. data/spec/dummy/Rakefile +0 -9
  89. data/spec/dummy/app/assets/config/manifest.js +0 -2
  90. data/spec/dummy/app/controllers/application_controller.rb +0 -5
  91. data/spec/dummy/app/controllers/custom_authorizations_controller.rb +0 -9
  92. data/spec/dummy/app/controllers/full_protected_resources_controller.rb +0 -14
  93. data/spec/dummy/app/controllers/home_controller.rb +0 -18
  94. data/spec/dummy/app/controllers/metal_controller.rb +0 -13
  95. data/spec/dummy/app/controllers/semi_protected_resources_controller.rb +0 -13
  96. data/spec/dummy/app/helpers/application_helper.rb +0 -7
  97. data/spec/dummy/app/models/user.rb +0 -11
  98. data/spec/dummy/app/views/home/index.html.erb +0 -0
  99. data/spec/dummy/app/views/layouts/application.html.erb +0 -14
  100. data/spec/dummy/config.ru +0 -6
  101. data/spec/dummy/config/application.rb +0 -51
  102. data/spec/dummy/config/boot.rb +0 -7
  103. data/spec/dummy/config/database.yml +0 -15
  104. data/spec/dummy/config/environment.rb +0 -5
  105. data/spec/dummy/config/environments/development.rb +0 -31
  106. data/spec/dummy/config/environments/production.rb +0 -64
  107. data/spec/dummy/config/environments/test.rb +0 -45
  108. data/spec/dummy/config/initializers/backtrace_silencers.rb +0 -9
  109. data/spec/dummy/config/initializers/doorkeeper.rb +0 -166
  110. data/spec/dummy/config/initializers/secret_token.rb +0 -10
  111. data/spec/dummy/config/initializers/session_store.rb +0 -10
  112. data/spec/dummy/config/initializers/wrap_parameters.rb +0 -16
  113. data/spec/dummy/config/locales/doorkeeper.en.yml +0 -5
  114. data/spec/dummy/config/routes.rb +0 -13
  115. data/spec/dummy/db/migrate/20111122132257_create_users.rb +0 -11
  116. data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb +0 -7
  117. data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +0 -69
  118. data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb +0 -9
  119. data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb +0 -13
  120. data/spec/dummy/db/migrate/20170822064514_enable_pkce.rb +0 -8
  121. data/spec/dummy/db/migrate/20180210183654_add_confidential_to_applications.rb +0 -13
  122. data/spec/dummy/db/schema.rb +0 -70
  123. data/spec/dummy/public/404.html +0 -26
  124. data/spec/dummy/public/422.html +0 -26
  125. data/spec/dummy/public/500.html +0 -26
  126. data/spec/dummy/public/favicon.ico +0 -0
  127. data/spec/dummy/script/rails +0 -9
  128. data/spec/factories.rb +0 -30
  129. data/spec/generators/application_owner_generator_spec.rb +0 -28
  130. data/spec/generators/confidential_applications_generator_spec.rb +0 -29
  131. data/spec/generators/enable_polymorphic_resource_owner_generator_spec.rb +0 -47
  132. data/spec/generators/install_generator_spec.rb +0 -36
  133. data/spec/generators/migration_generator_spec.rb +0 -28
  134. data/spec/generators/pkce_generator_spec.rb +0 -28
  135. data/spec/generators/previous_refresh_token_generator_spec.rb +0 -44
  136. data/spec/generators/templates/routes.rb +0 -4
  137. data/spec/generators/views_generator_spec.rb +0 -29
  138. data/spec/grape/grape_integration_spec.rb +0 -137
  139. data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +0 -26
  140. data/spec/lib/config_spec.rb +0 -813
  141. data/spec/lib/doorkeeper_spec.rb +0 -27
  142. data/spec/lib/models/expirable_spec.rb +0 -61
  143. data/spec/lib/models/reusable_spec.rb +0 -40
  144. data/spec/lib/models/revocable_spec.rb +0 -58
  145. data/spec/lib/models/scopes_spec.rb +0 -61
  146. data/spec/lib/models/secret_storable_spec.rb +0 -135
  147. data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -39
  148. data/spec/lib/oauth/authorization_code_request_spec.rb +0 -180
  149. data/spec/lib/oauth/base_request_spec.rb +0 -210
  150. data/spec/lib/oauth/base_response_spec.rb +0 -45
  151. data/spec/lib/oauth/client/credentials_spec.rb +0 -90
  152. data/spec/lib/oauth/client_credentials/creator_spec.rb +0 -135
  153. data/spec/lib/oauth/client_credentials/issuer_spec.rb +0 -110
  154. data/spec/lib/oauth/client_credentials/validation_spec.rb +0 -57
  155. data/spec/lib/oauth/client_credentials_integration_spec.rb +0 -27
  156. data/spec/lib/oauth/client_credentials_request_spec.rb +0 -108
  157. data/spec/lib/oauth/client_spec.rb +0 -38
  158. data/spec/lib/oauth/code_request_spec.rb +0 -46
  159. data/spec/lib/oauth/code_response_spec.rb +0 -36
  160. data/spec/lib/oauth/error_response_spec.rb +0 -64
  161. data/spec/lib/oauth/error_spec.rb +0 -21
  162. data/spec/lib/oauth/forbidden_token_response_spec.rb +0 -20
  163. data/spec/lib/oauth/helpers/scope_checker_spec.rb +0 -110
  164. data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -21
  165. data/spec/lib/oauth/helpers/uri_checker_spec.rb +0 -262
  166. data/spec/lib/oauth/invalid_request_response_spec.rb +0 -73
  167. data/spec/lib/oauth/invalid_token_response_spec.rb +0 -53
  168. data/spec/lib/oauth/password_access_token_request_spec.rb +0 -201
  169. data/spec/lib/oauth/pre_authorization_spec.rb +0 -218
  170. data/spec/lib/oauth/refresh_token_request_spec.rb +0 -166
  171. data/spec/lib/oauth/scopes_spec.rb +0 -146
  172. data/spec/lib/oauth/token_request_spec.rb +0 -164
  173. data/spec/lib/oauth/token_response_spec.rb +0 -84
  174. data/spec/lib/oauth/token_spec.rb +0 -156
  175. data/spec/lib/option_spec.rb +0 -51
  176. data/spec/lib/request/strategy_spec.rb +0 -54
  177. data/spec/lib/secret_storing/base_spec.rb +0 -60
  178. data/spec/lib/secret_storing/bcrypt_spec.rb +0 -49
  179. data/spec/lib/secret_storing/plain_spec.rb +0 -44
  180. data/spec/lib/secret_storing/sha256_hash_spec.rb +0 -48
  181. data/spec/lib/server_spec.rb +0 -49
  182. data/spec/lib/stale_records_cleaner_spec.rb +0 -102
  183. data/spec/models/doorkeeper/access_grant_spec.rb +0 -175
  184. data/spec/models/doorkeeper/access_token_spec.rb +0 -650
  185. data/spec/models/doorkeeper/application_spec.rb +0 -442
  186. data/spec/requests/applications/applications_request_spec.rb +0 -259
  187. data/spec/requests/applications/authorized_applications_spec.rb +0 -32
  188. data/spec/requests/endpoints/authorization_spec.rb +0 -91
  189. data/spec/requests/endpoints/token_spec.rb +0 -79
  190. data/spec/requests/flows/authorization_code_errors_spec.rb +0 -82
  191. data/spec/requests/flows/authorization_code_spec.rb +0 -530
  192. data/spec/requests/flows/client_credentials_spec.rb +0 -207
  193. data/spec/requests/flows/implicit_grant_errors_spec.rb +0 -46
  194. data/spec/requests/flows/implicit_grant_spec.rb +0 -91
  195. data/spec/requests/flows/password_spec.rb +0 -316
  196. data/spec/requests/flows/refresh_token_spec.rb +0 -241
  197. data/spec/requests/flows/revoke_token_spec.rb +0 -196
  198. data/spec/requests/flows/skip_authorization_spec.rb +0 -66
  199. data/spec/requests/protected_resources/metal_spec.rb +0 -16
  200. data/spec/requests/protected_resources/private_api_spec.rb +0 -83
  201. data/spec/routing/custom_controller_routes_spec.rb +0 -133
  202. data/spec/routing/default_routes_spec.rb +0 -41
  203. data/spec/routing/scoped_routes_spec.rb +0 -47
  204. data/spec/spec_helper.rb +0 -54
  205. data/spec/spec_helper_integration.rb +0 -4
  206. data/spec/support/dependencies/factory_bot.rb +0 -4
  207. data/spec/support/doorkeeper_rspec.rb +0 -22
  208. data/spec/support/helpers/access_token_request_helper.rb +0 -14
  209. data/spec/support/helpers/authorization_request_helper.rb +0 -43
  210. data/spec/support/helpers/config_helper.rb +0 -11
  211. data/spec/support/helpers/model_helper.rb +0 -78
  212. data/spec/support/helpers/request_spec_helper.rb +0 -110
  213. data/spec/support/helpers/url_helper.rb +0 -62
  214. data/spec/support/orm/active_record.rb +0 -5
  215. data/spec/support/shared/controllers_shared_context.rb +0 -133
  216. data/spec/support/shared/hashing_shared_context.rb +0 -36
  217. data/spec/support/shared/models_shared_examples.rb +0 -56
  218. data/spec/validators/redirect_uri_validator_spec.rb +0 -183
  219. data/spec/version/version_spec.rb +0 -17
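--- a/data/spec/requests/flows/refresh_token_spec.rb
+++ /dev/null
@@ -1,241 +0,0 @@
-# frozen_string_literal: true
-
-require "spec_helper"
-
-describe "Refresh Token Flow" do
-before do
-Doorkeeper.configure do
-orm DOORKEEPER_ORM
-use_refresh_token
-end
-
-client_exists
-end
-
-let(:resource_owner) { FactoryBot.create(:resource_owner) }
-
-context "issuing a refresh token" do
-before do
-authorization_code_exists application: @client,
-resource_owner_id: resource_owner.id,
-resource_owner_type: resource_owner.class.name
-end
-
-it "client gets the refresh token and refreshes it" do
-post token_endpoint_url(code: @authorization.token, client: @client)
-
-token = Doorkeeper::AccessToken.first
-
-should_have_json "access_token", token.token
-should_have_json "refresh_token", token.refresh_token
-
-expect(@authorization.reload).to be_revoked
-
-post refresh_token_endpoint_url(client: @client, refresh_token: token.refresh_token)
-
-new_token = Doorkeeper::AccessToken.last
-should_have_json "access_token", new_token.token
-should_have_json "refresh_token", new_token.refresh_token
-
-expect(token.token).not_to eq(new_token.token)
-expect(token.refresh_token).not_to eq(new_token.refresh_token)
-end
-end
-
-context "refreshing the token" do
-before do
-@token = FactoryBot.create(
-:access_token,
-application: @client,
-resource_owner_id: resource_owner.id,
-resource_owner_type: resource_owner.class.name,
-use_refresh_token: true,
-)
-end
-
-context "refresh_token revoked on use" do
-it "client request a token with refresh token" do
-post refresh_token_endpoint_url(
-client: @client, refresh_token: @token.refresh_token,
-)
-should_have_json(
-"refresh_token", Doorkeeper::AccessToken.last.refresh_token,
-)
-expect(@token.reload).not_to be_revoked
-end
-
-it "client request a token with expired access token" do
-@token.update_attribute :expires_in, -100
-post refresh_token_endpoint_url(
-client: @client, refresh_token: @token.refresh_token,
-)
-should_have_json(
-"refresh_token", Doorkeeper::AccessToken.last.refresh_token,
-)
-expect(@token.reload).not_to be_revoked
-end
-end
-
-context "refresh_token revoked on refresh_token request" do
-before do
-allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
-end
-
-it "client request a token with refresh token" do
-post refresh_token_endpoint_url(
-client: @client, refresh_token: @token.refresh_token,
-)
-should_have_json(
-"refresh_token", Doorkeeper::AccessToken.last.refresh_token,
-)
-expect(@token.reload).to be_revoked
-end
-
-it "client request a token with expired access token" do
-@token.update_attribute :expires_in, -100
-post refresh_token_endpoint_url(
-client: @client, refresh_token: @token.refresh_token,
-)
-should_have_json(
-"refresh_token", Doorkeeper::AccessToken.last.refresh_token,
-)
-expect(@token.reload).to be_revoked
-end
-end
-
-context "public & private clients" do
-let(:public_client) do
-FactoryBot.create(
-:application,
-confidential: false,
-)
-end
-
-let(:token_for_private_client) do
-FactoryBot.create(
-:access_token,
-application: @client,
-resource_owner_id: resource_owner.id,
-resource_owner_type: resource_owner.class.name,
-use_refresh_token: true,
-)
-end
-
-let(:token_for_public_client) do
-FactoryBot.create(
-:access_token,
-application: public_client,
-resource_owner_id: resource_owner.id,
-resource_owner_type: resource_owner.class.name,
-use_refresh_token: true,
-)
-end
-
-it "issues a new token without client_secret when refresh token was issued to a public client" do
-post refresh_token_endpoint_url(
-client_id: public_client.uid,
-refresh_token: token_for_public_client.refresh_token,
-)
-
-new_token = Doorkeeper::AccessToken.last
-should_have_json "access_token", new_token.token
-should_have_json "refresh_token", new_token.refresh_token
-end
-
-it "returns an error without credentials" do
-post refresh_token_endpoint_url(refresh_token: token_for_private_client.refresh_token)
-
-should_not_have_json "refresh_token"
-should_have_json "error", "invalid_grant"
-end
-
-it "returns an error with wrong credentials" do
-post refresh_token_endpoint_url(
-client_id: "1",
-client_secret: "1",
-refresh_token: token_for_private_client.refresh_token,
-)
-
-should_not_have_json "refresh_token"
-should_have_json "error", "invalid_client"
-end
-end
-
-it "client gets an error for invalid refresh token" do
-post refresh_token_endpoint_url(client: @client, refresh_token: "invalid")
-should_not_have_json "refresh_token"
-should_have_json "error", "invalid_grant"
-end
-
-it "client gets an error for revoked access token" do
-@token.revoke
-post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
-should_not_have_json "refresh_token"
-should_have_json "error", "invalid_grant"
-end
-
-it "second of simultaneous client requests get an error for revoked access token" do
-allow_any_instance_of(Doorkeeper::AccessToken).to receive(:revoked?).and_return(false, true)
-post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
-
-should_not_have_json "refresh_token"
-should_have_json "error", "invalid_grant"
-end
-end
-
-context "refreshing the token with multiple sessions (devices)" do
-before do
-# enable password auth to simulate other devices
-config_is_set(:grant_flows, ["password"])
-config_is_set(:resource_owner_from_credentials) do
-User.authenticate! params[:username], params[:password]
-end
-create_resource_owner
-_another_token = post password_token_endpoint_url(
-client: @client, resource_owner: resource_owner,
-)
-last_token.update(created_at: 5.seconds.ago)
-
-@token = FactoryBot.create(
-:access_token,
-application: @client,
-resource_owner_id: resource_owner.id,
-resource_owner_type: resource_owner.class.name,
-use_refresh_token: true,
-)
-@token.update_attribute :expires_in, -100
-end
-
-context "refresh_token revoked on use" do
-it "client request a token after creating another token with the same user" do
-post refresh_token_endpoint_url(
-client: @client, refresh_token: @token.refresh_token,
-)
-
-should_have_json "refresh_token", last_token.refresh_token
-expect(@token.reload).not_to be_revoked
-end
-end
-
-context "refresh_token revoked on refresh_token request" do
-before do
-allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
-end
-
-it "client request a token after creating another token with the same user" do
-post refresh_token_endpoint_url(
-client: @client, refresh_token: @token.refresh_token,
-)
-
-should_have_json "refresh_token", last_token.refresh_token
-expect(@token.reload).to be_revoked
-end
-end
-
-def last_token
-Doorkeeper::AccessToken.last_authorized_token_for(
-@client.id, resource_owner,
-)
-end
-end
-end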
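--- a/data/spec/requests/flows/revoke_token_spec.rb
+++ /dev/null
@@ -1,196 +0,0 @@
-# frozen_string_literal: true
-
-require "spec_helper"
-
-describe "Revoke Token Flow" do
-before do
-Doorkeeper.configure { orm DOORKEEPER_ORM }
-end
-
-let(:private_client_application) { FactoryBot.create :application }
-let(:public_client_application) { FactoryBot.create :application, confidential: false }
-let(:resource_owner) { User.create!(name: "John", password: "sekret") }
-
-context "with authenticated, confidential OAuth 2.0 client/application" do
-let(:access_token) do
-FactoryBot.create(
-:access_token,
-application: private_client_application,
-resource_owner_id: resource_owner.id,
-resource_owner_type: resource_owner.class.name,
-use_refresh_token: true,
-)
-end
-
-let(:headers) do
-client_id = private_client_application.uid
-client_secret = private_client_application.secret
-credentials = Base64.encode64("#{client_id}:#{client_secret}")
-{ "HTTP_AUTHORIZATION" => "Basic #{credentials}" }
-end
-
-it "should revoke the access token provided" do
-post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
-
-expect(response).to be_successful
-expect(access_token.reload.revoked?).to be_truthy
-end
-
-it "should revoke the refresh token provided" do
-post revocation_token_endpoint_url, params: { token: access_token.refresh_token }, headers: headers
-
-expect(response).to be_successful
-expect(access_token.reload.revoked?).to be_truthy
-end
-
-context "with invalid token to revoke" do
-it "should not revoke any tokens and must respond with success" do
-expect do
-post revocation_token_endpoint_url,
-params: { token: "I_AM_AN_INVALID_TOKEN" },
-headers: headers
-end.not_to(change { Doorkeeper::AccessToken.where(revoked_at: nil).count })
-
-expect(response).to be_successful
-end
-end
-
-context "with bad credentials and a valid token" do
-let(:headers) do
-client_id = private_client_application.uid
-credentials = Base64.encode64("#{client_id}:poop")
-{ "HTTP_AUTHORIZATION" => "Basic #{credentials}" }
-end
-
-it "should not revoke any tokens and respond with forbidden" do
-post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
-
-expect(response).to be_forbidden
-expect(response.body).to include("unauthorized_client")
-expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
-expect(access_token.reload.revoked?).to be_falsey
-end
-end
-
-context "with no credentials and a valid token" do
-it "should not revoke any tokens and respond with forbidden" do
-post revocation_token_endpoint_url, params: { token: access_token.token }
-
-expect(response).to be_forbidden
-expect(response.body).to include("unauthorized_client")
-expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
-expect(access_token.reload.revoked?).to be_falsey
-end
-end
-
-context "with valid token for another client application" do
-let(:other_client_application) { FactoryBot.create :application }
-let(:headers) do
-client_id = other_client_application.uid
-client_secret = other_client_application.secret
-credentials = Base64.encode64("#{client_id}:#{client_secret}")
-{ "HTTP_AUTHORIZATION" => "Basic #{credentials}" }
-end
-
-it "should not revoke the token as it's unauthorized" do
-post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
-
-expect(response).to be_forbidden
-expect(response.body).to include("unauthorized_client")
-expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
-expect(access_token.reload.revoked?).to be_falsey
-end
-end
-end
-
-context "with authenticated public OAuth 2.0 client/application" do
-let(:access_token) do
-FactoryBot.create(
-:access_token,
-application: nil,
-resource_owner_id: resource_owner.id,
-resource_owner_type: resource_owner.class.name,
-use_refresh_token: true,
-)
-end
-
-it "should revoke the access token provided" do
-post revocation_token_endpoint_url,
-params: { client_id: public_client_application.uid, token: access_token.token },
-headers: headers
-
-expect(response).to be_successful
-expect(access_token.reload.revoked?).to be_truthy
-end
-
-it "should revoke the refresh token provided" do
-post revocation_token_endpoint_url,
-params: { client_id: public_client_application.uid, token: access_token.refresh_token },
-headers: headers
-
-expect(response).to be_successful
-expect(access_token.reload.revoked?).to be_truthy
-end
-
-it "should response with success even for invalid token" do
-post revocation_token_endpoint_url,
-params: { client_id: public_client_application.uid, token: "dont_exist" },
-headers: headers
-
-expect(response).to be_successful
-end
-
-context "with a valid token issued for a confidential client" do
-let(:access_token) do
-FactoryBot.create(
-:access_token,
-application: private_client_application,
-resource_owner_id: resource_owner.id,
-resource_owner_type: resource_owner.class.name,
-use_refresh_token: true,
-)
-end
-
-it "should not revoke the access token provided" do
-post revocation_token_endpoint_url,
-params: { client_id: public_client_application.uid, token: access_token.token }
-
-expect(response).to be_forbidden
-expect(response.body).to include("unauthorized_client")
-expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
-expect(access_token.reload.revoked?).to be_falsey
-end
-
-it "should not revoke the refresh token provided" do
-post revocation_token_endpoint_url,
-params: { client_id: public_client_application.uid, token: access_token.token }
-
-expect(response).to be_forbidden
-expect(response.body).to include("unauthorized_client")
-expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
-expect(access_token.reload.revoked?).to be_falsey
-end
-end
-end
-
-context "without client authentication" do
-let(:access_token) do
-FactoryBot.create(
-:access_token,
-application: nil,
-resource_owner_id: resource_owner.id,
-resource_owner_type: resource_owner.class.name,
-use_refresh_token: true,
-)
-end
-
-it "shouldn't remove the token and must response with an error" do
-post revocation_token_endpoint_url,
-params: { token: access_token.token },
-headers: headers
-
-expect(response).not_to be_successful
-expect(access_token.reload.revoked?).to be_falsey
-end
-end
-end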
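--- a/data/spec/requests/flows/skip_authorization_spec.rb
+++ /dev/null
@@ -1,66 +0,0 @@
-# frozen_string_literal: true
-
-require "spec_helper"
-
-feature "Skip authorization form" do
-background do
-config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
-client_exists
-default_scopes_exist :public
-optional_scopes_exist :write
-end
-
-context "for previously authorized clients" do
-background do
-create_resource_owner
-sign_in
-end
-
-scenario "skips the authorization and return a new grant code" do
-client_is_authorized(@client, @resource_owner, scopes: "public")
-visit authorization_endpoint_url(client: @client, scope: "public")
-
-i_should_not_see "Authorize"
-client_should_be_authorized @client
-i_should_be_on_client_callback @client
-url_should_have_param "code", Doorkeeper::AccessGrant.first.token
-end
-
-scenario "skips the authorization if other scopes are not requested" do
-client_exists scopes: "public read write"
-client_is_authorized(@client, @resource_owner, scopes: "public")
-visit authorization_endpoint_url(client: @client, scope: "public")
-
-i_should_not_see "Authorize"
-client_should_be_authorized @client
-i_should_be_on_client_callback @client
-url_should_have_param "code", Doorkeeper::AccessGrant.first.token
-end
-
-scenario "does not skip authorization when scopes differ (new request has fewer scopes)" do
-client_is_authorized(@client, @resource_owner, scopes: "public write")
-visit authorization_endpoint_url(client: @client, scope: "public")
-i_should_see "Authorize"
-end
-
-scenario "does not skip authorization when scopes differ (new request has more scopes)" do
-client_is_authorized(@client, @resource_owner, scopes: "public write")
-visit authorization_endpoint_url(client: @client, scopes: "public write email")
-i_should_see "Authorize"
-end
-
-scenario "creates grant with new scope when scopes differ" do
-client_is_authorized(@client, @resource_owner, scopes: "public write")
-visit authorization_endpoint_url(client: @client, scope: "public")
-click_on "Authorize"
-access_grant_should_have_scopes :public
-end
-
-scenario "creates grant with new scope when scopes are greater" do
-client_is_authorized(@client, @resource_owner, scopes: "public")
-visit authorization_endpoint_url(client: @client, scope: "public write")
-click_on "Authorize"
-access_grant_should_have_scopes :public, :write
-end
-end
-end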