doorkeeper 5.4.0.rc2 → 5.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4bd9636505ce9c77f93c052d721fb3dad5fb6e135375a3fd3cc6f492e211c7df
-  data.tar.gz: 967a846ecfe1713842133555b9fd793c2f8600c9382aa13ffc209b7448a9aabd
+  metadata.gz: 76b3a86e21584548c9b0c176512c844bee90ba9c447aaf09741abf54488093bb
+  data.tar.gz: ce7a4ffdf3b0aebaa69f703b70f0109276205c9ec0b2f1e2c7b3e88cb4746f8b
 SHA512:
-  metadata.gz: a45ad0f893f9c47dc3a50672e668b9b3519db22bd6a6a05dfaf57d7f00c4d5bb228c4913ad6ab5886a063a4fdea4fe435eb886ad2b61f7274cbbf1c2d7be5166
-  data.tar.gz: c8fd9f47a74bc6735802ee90a3d63e266e928a59801e13becc8b345dc46902e80bfeb6b6830c9c44d7b90093a0cd4727f6d67e5519b137dd31cc9339d42901ec
+  metadata.gz: 7192f9711713f15d323e85aa3ad4274b314a55dcc89ba945de52dca5dbbad2e267dc3252da353cd4991fae365a1161fd91d06c0bfcaba767163b4c54eafca125
+  data.tar.gz: b5f324cfe8064b32254ca1c045bc24c54ab21a485bf3c6a9726bc995ab9dc24516872bf8ee314850b65f6ce3d879d0497e67416ea78c0f8f7566bdbfd48e024a

data/CHANGELOG.md

@@ -9,6 +9,10 @@ User-visible changes worth mentioning.
 
 - [#PR ID] Your PR description.
 
+## 5.4.0
+
+- [#1404] Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
 ## 5.4.0.rc2
 
 - [#1371] Add `#as_json` method and attributes serialization restriction for Application model.
@@ -58,6 +62,10 @@ User-visible changes worth mentioning.
 - [#1393] Improve Applications #show page with more informative data on client secret and scopes.
 - [#1394] Use Ruby `autoload` feature to load Doorkeeper files.
 
+## 5.3.3
+
+- [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
 ## 5.3.2
 
 - [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
@@ -82,6 +90,10 @@ User-visible changes worth mentioning.
   requested a new access token, reenable it with `revoke_previous_client_credentials_token` in Doorkeeper
   initialization file.
 
+## 5.2.6
+
+- [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
 ## 5.2.5
 
 - [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
@@ -154,6 +166,15 @@ User-visible changes worth mentioning.
 - [#1248] Return the unhashed Application Secret in the JSON response after creating new application even when `hash_application_secrets` is used.
 - [#1238] Better support for native app with support for custom scheme and localhost redirection.
 
+## 5.1.2
+
+- [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.1.1
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
+
 ## 5.1.0
 
 - [#1243] Add nil check operator in token checking at token introspection.
@@ -215,6 +236,11 @@ User-visible changes worth mentioning.
 - [#1164] Fix error when `root_path` is not defined.
 - [#1162] Fix `enforce_content_type` for requests without body.
 
+## 5.0.3
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
+
 ## 5.0.2
 
 - [#1158] Fix initializer template: change `handle_auth_errors` option

data/lib/doorkeeper/engine.rb

@@ -4,7 +4,7 @@ module Doorkeeper
   class Engine < Rails::Engine
     initializer "doorkeeper.params.filter" do |app|
       parameters = %w[client_secret code authentication_token access_token refresh_token]
-      app.config.filter_parameters << /^(#{Regexp.union parameters})$/
+      app.config.filter_parameters << /^(#{Regexp.union(parameters)})$/
     end
 
     initializer "doorkeeper.routes" do

data/lib/doorkeeper/oauth/authorization/code.rb

@@ -11,7 +11,7 @@ module Doorkeeper
           @resource_owner = resource_owner
         end
 
-        def issue_token
+        def issue_token!
           return @token if defined?(@token)
 
           @token = Doorkeeper.config.access_grant_model.create!(access_grant_attributes)

data/lib/doorkeeper/oauth/authorization/token.rb

@@ -48,7 +48,7 @@ module Doorkeeper
           @resource_owner = resource_owner
         end
 
-        def issue_token
+        def issue_token!
           return @token if defined?(@token)
 
           context = self.class.build_context(

data/lib/doorkeeper/oauth/code_request.rb

@@ -6,13 +6,13 @@ module Doorkeeper
       attr_reader :pre_auth, :resource_owner
 
       def initialize(pre_auth, resource_owner)
-        @pre_auth       = pre_auth
+        @pre_auth = pre_auth
         @resource_owner = resource_owner
       end
 
       def authorize
         auth = Authorization::Code.new(pre_auth, resource_owner)
-        auth.issue_token
+        auth.issue_token!
         CodeResponse.new(pre_auth, auth)
       end
 

data/lib/doorkeeper/oauth/token.rb

@@ -32,13 +32,13 @@ module Doorkeeper
 
         def from_bearer_authorization(request)
           pattern = /^Bearer /i
-          header  = request.authorization
+          header = request.authorization
           token_from_header(header, pattern) if match?(header, pattern)
         end
 
         def from_basic_authorization(request)
           pattern = /^Basic /i
-          header  = request.authorization
+          header = request.authorization
           token_from_basic_header(header, pattern) if match?(header, pattern)
         end
 
@@ -54,7 +54,7 @@ module Doorkeeper
         end
 
         def token_from_header(header, pattern)
-          header.gsub pattern, ""
+          header.gsub(pattern, "")
         end
 
         def match?(header, pattern)

data/lib/doorkeeper/oauth/token_introspection.rb

@@ -179,11 +179,7 @@ module Doorkeeper
         allow_introspection = Doorkeeper.config.allow_token_introspection
         return allow_introspection unless allow_introspection.respond_to?(:call)
 
-        allow_introspection.call(
-          @token,
-          auth_client,
-          auth_token,
-        )
+        allow_introspection.call(@token, auth_client, auth_token)
       end
 
       # Allows to customize introspection response.

data/lib/doorkeeper/oauth/token_request.rb

@@ -12,7 +12,7 @@ module Doorkeeper
 
       def authorize
         auth = Authorization::Token.new(pre_auth, resource_owner)
-        auth.issue_token
+        auth.issue_token!
         CodeResponse.new(pre_auth, auth, response_on_fragment: true)
       end
 

data/lib/doorkeeper/orm/active_record/mixins/application.rb

@@ -88,6 +88,17 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
         Doorkeeper.configuration.authorize_resource_owner_for_client.call(self, resource_owner)
       end
 
+      # We need to hook into this method to allow serializing plan-text secrets
+      # when secrets hashing enabled.
+      #
+      # @param key [String] attribute name
+      #
+      def read_attribute_for_serialization(key)
+        return super unless key.to_s == "secret"
+
+        plaintext_secret || secret
+      end
+
       private
 
       def generate_uid
@@ -135,17 +146,6 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
         only.uniq
       end
 
-      # We need to hook into this method to allow serializing plan-text secrets
-      # when secrets hashing enabled.
-      #
-      # @param key [String] attribute name
-      #
-      def read_attribute_for_serialization(key)
-        return super unless key.to_s == "secret"
-
-        plaintext_secret || secret
-      end
-
       # Collection of attributes that could be serialized for public.
       # Override this method if you need additional attributes to be serialized.
       #

data/lib/doorkeeper/server.rb

@@ -4,7 +4,7 @@ module Doorkeeper
   class Server
     attr_reader :context
 
-    def initialize(context = nil)
+    def initialize(context)
       @context = context
     end
 

data/lib/doorkeeper/stale_records_cleaner.rb

@@ -13,12 +13,12 @@ module Doorkeeper
       raise Doorkeeper::Errors::NoOrmCleaner, "'#{configured_orm}' ORM has no cleaner!"
     end
 
-    def self.configured_orm
-      Doorkeeper.config.orm
-    end
-
     def self.new(base_scope)
       self.for(base_scope)
     end
+
+    def self.configured_orm
+      Doorkeeper.config.orm
+    end
   end
 end

data/lib/doorkeeper/version.rb

@@ -10,7 +10,7 @@ module Doorkeeper
     MAJOR = 5
     MINOR = 4
     TINY = 0
-    PRE = "rc2"
+    PRE = nil
 
     # Full version number
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper
 version: !ruby/object:Gem::Version
-  version: 5.4.0.rc2
+  version: 5.4.0
 platform: ruby
 authors:
 - Felipe Elias Philipp
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-02 00:00:00.000000000 Z
+date: 2020-05-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -75,14 +75,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '7.0'
+        version: '8.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '7.0'
+        version: '8.0'
 - !ruby/object:Gem::Dependency
   name: database_cleaner
   requirement: !ruby/object:Gem::Requirement
@@ -327,9 +327,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
 rubygems_version: 3.0.2
 signing_key: