RubyGems - doorkeeper - Versions diffs - 5.4.0.rc2 → 5.5.1 - Mend

doorkeeper 5.4.0.rc2 → 5.5.1

Potentially problematic release.

This version of doorkeeper might be problematic. Click here for more details.

Files changed (58) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +90 -10
data/README.md +4 -4
data/app/controllers/doorkeeper/application_controller.rb +1 -0
data/app/controllers/doorkeeper/authorizations_controller.rb +16 -5
data/app/controllers/doorkeeper/authorized_applications_controller.rb +1 -1
data/app/controllers/doorkeeper/token_info_controller.rb +12 -2
data/app/controllers/doorkeeper/tokens_controller.rb +34 -26
data/app/views/doorkeeper/applications/show.html.erb +16 -12
data/app/views/doorkeeper/authorizations/form_post.html.erb +11 -0
data/config/locales/en.yml +3 -1
data/lib/doorkeeper.rb +5 -0
data/lib/doorkeeper/config.rb +91 -62
data/lib/doorkeeper/config/option.rb +1 -3
data/lib/doorkeeper/config/validations.rb +53 -0
data/lib/doorkeeper/engine.rb +1 -1
data/lib/doorkeeper/grant_flow.rb +45 -0
data/lib/doorkeeper/grant_flow/fallback_flow.rb +15 -0
data/lib/doorkeeper/grant_flow/flow.rb +44 -0
data/lib/doorkeeper/grant_flow/registry.rb +50 -0
data/lib/doorkeeper/helpers/controller.rb +4 -0
data/lib/doorkeeper/models/access_grant_mixin.rb +1 -2
data/lib/doorkeeper/models/access_token_mixin.rb +4 -4
data/lib/doorkeeper/models/concerns/revocable.rb +1 -1
data/lib/doorkeeper/oauth/authorization/code.rb +5 -1
data/lib/doorkeeper/oauth/authorization/context.rb +5 -5
data/lib/doorkeeper/oauth/authorization/token.rb +11 -5
data/lib/doorkeeper/oauth/authorization/uri_builder.rb +1 -1
data/lib/doorkeeper/oauth/authorization_code_request.rb +10 -17
data/lib/doorkeeper/oauth/base_request.rb +1 -1
data/lib/doorkeeper/oauth/client_credentials/creator.rb +2 -1
data/lib/doorkeeper/oauth/client_credentials/issuer.rb +1 -0
data/lib/doorkeeper/oauth/code_request.rb +2 -2
data/lib/doorkeeper/oauth/code_response.rb +17 -11
data/lib/doorkeeper/oauth/error_response.rb +4 -3
data/lib/doorkeeper/oauth/helpers/scope_checker.rb +1 -3
data/lib/doorkeeper/oauth/password_access_token_request.rb +23 -3
data/lib/doorkeeper/oauth/pre_authorization.rb +33 -8
data/lib/doorkeeper/oauth/refresh_token_request.rb +13 -0
data/lib/doorkeeper/oauth/token.rb +3 -3
data/lib/doorkeeper/oauth/token_introspection.rb +1 -5
data/lib/doorkeeper/oauth/token_request.rb +1 -1
data/lib/doorkeeper/orm/active_record.rb +5 -14
data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +11 -1
data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +9 -1
data/lib/doorkeeper/orm/active_record/mixins/application.rb +26 -15
data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb +5 -0
data/lib/doorkeeper/rails/routes.rb +1 -3
data/lib/doorkeeper/rake/db.rake +3 -3
data/lib/doorkeeper/rake/setup.rake +5 -0
data/lib/doorkeeper/request.rb +49 -12
data/lib/doorkeeper/request/password.rb +1 -0
data/lib/doorkeeper/server.rb +1 -1
data/lib/doorkeeper/stale_records_cleaner.rb +4 -4
data/lib/doorkeeper/version.rb +3 -7
data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +1 -1
data/lib/generators/doorkeeper/templates/initializer.rb +9 -7
metadata +26 -13

data/lib/doorkeeper/models/access_grant_mixin.rb CHANGED Viewed

@@ -89,8 +89,7 @@ module Doorkeeper
       # suitable for PKCE validation
       #
       def generate_code_challenge(code_verifier)
-        padded_result = Base64.urlsafe_encode64(Digest::SHA256.digest(code_verifier))
-        padded_result.split("=")[0] # Remove any trailing '='
+        Base64.urlsafe_encode64(Digest::SHA256.digest(code_verifier), padding: false)
       end
       def pkce_supported?

data/lib/doorkeeper/models/access_token_mixin.rb CHANGED Viewed

@@ -94,8 +94,8 @@ module Doorkeeper
       # Interface to enumerate access token records in batches in order not
       # to bloat the memory. Could be overloaded in any ORM extension.
       #
-      def find_access_token_in_batches(relation, *args, &block)
-        relation.find_in_batches(*args, &block)
+      def find_access_token_in_batches(relation, **args, &block)
+        relation.find_in_batches(**args, &block)
       end
       # Enumerates AccessToken records in batches to find a matching token.
@@ -374,10 +374,10 @@ module Doorkeeper
     # and clears `:previous_refresh_token` attribute.
     #
     def revoke_previous_refresh_token!
-      return unless self.class.refresh_token_revoked_on_use?
+      return if !self.class.refresh_token_revoked_on_use? || previous_refresh_token.blank?
       old_refresh_token&.revoke
-      update_column(:previous_refresh_token, "")
+      update_attribute(:previous_refresh_token, "")
     end
     private

data/lib/doorkeeper/models/concerns/revocable.rb CHANGED Viewed

@@ -9,7 +9,7 @@ module Doorkeeper
       # @param clock [Time] time object
       #
       def revoke(clock = Time)
-        update_column(:revoked_at, clock.now.utc)
+        update_attribute(:revoked_at, clock.now.utc)
       end
       # Indicates whether the object has been revoked.

data/lib/doorkeeper/oauth/authorization/code.rb CHANGED Viewed

@@ -11,7 +11,7 @@ module Doorkeeper
           @resource_owner = resource_owner
         end
-        def issue_token
+        def issue_token!
           return @token if defined?(@token)
           @token = Doorkeeper.config.access_grant_model.create!(access_grant_attributes)
@@ -21,6 +21,10 @@ module Doorkeeper
           { action: :show, code: token.plaintext_token }
         end
+        def access_grant?
+          true
+        end
         private
         def authorization_code_expires_in

data/lib/doorkeeper/oauth/authorization/context.rb CHANGED Viewed

@@ -4,12 +4,12 @@ module Doorkeeper
   module OAuth
     module Authorization
       class Context
-        attr_reader :client, :grant_type, :scopes
+        attr_reader :client, :grant_type, :resource_owner, :scopes
-        def initialize(client, grant_type, scopes)
-          @client = client
-          @grant_type = grant_type
-          @scopes = scopes
+        def initialize(**attributes)
+          attributes.each do |name, value|
+            instance_variable_set(:"@#{name}", value) if respond_to?(name)
+          end
         end
       end
     end

data/lib/doorkeeper/oauth/authorization/token.rb CHANGED Viewed

@@ -7,7 +7,7 @@ module Doorkeeper
         attr_reader :pre_auth, :resource_owner, :token
         class << self
-          def build_context(pre_auth_or_oauth_client, grant_type, scopes)
+          def build_context(pre_auth_or_oauth_client, grant_type, scopes, resource_owner)
             oauth_client = if pre_auth_or_oauth_client.respond_to?(:application)
                              pre_auth_or_oauth_client.application
                            elsif pre_auth_or_oauth_client.respond_to?(:client)
@@ -17,9 +17,10 @@ module Doorkeeper
                            end
             Doorkeeper::OAuth::Authorization::Context.new(
-              oauth_client,
-              grant_type,
-              scopes,
+              client: oauth_client,
+              grant_type: grant_type,
+              scopes: scopes,
+              resource_owner: resource_owner,
             )
           end
@@ -48,13 +49,14 @@ module Doorkeeper
           @resource_owner = resource_owner
         end
-        def issue_token
+        def issue_token!
           return @token if defined?(@token)
           context = self.class.build_context(
             pre_auth.client,
             Doorkeeper::OAuth::IMPLICIT,
             pre_auth.scopes,
+            resource_owner,
           )
           @token = Doorkeeper.config.access_token_model.find_or_create_for(
@@ -74,6 +76,10 @@ module Doorkeeper
           }
         end
+        def access_token?
+          true
+        end
         private
         def controller

data/lib/doorkeeper/oauth/authorization/uri_builder.rb CHANGED Viewed

@@ -23,7 +23,7 @@ module Doorkeeper
           private
           def build_query(parameters = {})
-            parameters = parameters.reject { |_, value| value.blank? }
+            parameters.reject! { |_, value| value.blank? }
             Rack::Utils.build_query(parameters)
           end
         end

data/lib/doorkeeper/oauth/authorization_code_request.rb CHANGED Viewed

@@ -3,7 +3,6 @@
 module Doorkeeper
   module OAuth
     class AuthorizationCodeRequest < BaseRequest
-      validate :pkce_support, error: :invalid_request
       validate :params,       error: :invalid_request
       validate :client,       error: :invalid_client
       validate :grant,        error: :invalid_grant
@@ -32,12 +31,6 @@ module Doorkeeper
           grant.revoke
-          resource_owner = if Doorkeeper.config.polymorphic_resource_owner?
-                             grant.resource_owner
-                           else
-                             grant.resource_owner_id
-                           end
           find_or_create_access_token(
             grant.application,
             resource_owner,
@@ -49,16 +42,16 @@ module Doorkeeper
         super
       end
-      def pkce_supported?
-        Doorkeeper.config.access_grant_model.pkce_supported?
+      def resource_owner
+        if Doorkeeper.config.polymorphic_resource_owner?
+          grant.resource_owner
+        else
+          grant.resource_owner_id
+        end
       end
-      def validate_pkce_support
-        @invalid_request_reason = :not_support_pkce if grant &&
-                                                       !pkce_supported? &&
-                                                       code_verifier.present?
-        @invalid_request_reason.nil?
+      def pkce_supported?
+        Doorkeeper.config.access_grant_model.pkce_supported?
       end
       def validate_params
@@ -91,8 +84,8 @@ module Doorkeeper
       # if either side (server or client) request PKCE, check the verifier
       # against the DB - if PKCE is supported
       def validate_code_verifier
-        return true unless grant.uses_pkce? || code_verifier
-        return false unless pkce_supported?
+        return true unless pkce_supported?
+        return grant.code_challenge.blank? if code_verifier.blank?
         if grant.code_challenge_method == "S256"
           grant.code_challenge == generate_code_challenge(code_verifier)

data/lib/doorkeeper/oauth/base_request.rb CHANGED Viewed

@@ -27,7 +27,7 @@ module Doorkeeper
       end
       def find_or_create_access_token(client, resource_owner, scopes, server)
-        context = Authorization::Token.build_context(client, grant_type, scopes)
+        context = Authorization::Token.build_context(client, grant_type, scopes, resource_owner)
         @access_token = server_config.access_token_model.find_or_create_for(
           application: client,
           resource_owner: resource_owner,

data/lib/doorkeeper/oauth/client_credentials/creator.rb CHANGED Viewed

@@ -39,7 +39,8 @@ module Doorkeeper
         end
         def lookup_existing_token?
-          server_config.reuse_access_token || server_config.revoke_previous_client_credentials_token?
+          server_config.reuse_access_token ||
+            server_config.revoke_previous_client_credentials_token?
         end
         def find_existing_token_for(client, scopes)

data/lib/doorkeeper/oauth/client_credentials/issuer.rb CHANGED Viewed

@@ -30,6 +30,7 @@ module Doorkeeper
             client,
             Doorkeeper::OAuth::CLIENT_CREDENTIALS,
             scopes,
+            nil,
           )
           ttl = Authorization::Token.access_token_expires_in(@server, context)

data/lib/doorkeeper/oauth/code_request.rb CHANGED Viewed

@@ -6,13 +6,13 @@ module Doorkeeper
       attr_reader :pre_auth, :resource_owner
       def initialize(pre_auth, resource_owner)
-        @pre_auth       = pre_auth
+        @pre_auth = pre_auth
         @resource_owner = resource_owner
       end
       def authorize
         auth = Authorization::Code.new(pre_auth, resource_owner)
-        auth.issue_token
+        auth.issue_token!
         CodeResponse.new(pre_auth, auth)
       end

data/lib/doorkeeper/oauth/code_response.rb CHANGED Viewed

@@ -21,23 +21,29 @@ module Doorkeeper
         auth.token
       end
-      def redirect_uri
-        if URIChecker.oob_uri?(pre_auth.redirect_uri)
-          auth.oob_redirect
-        elsif response_on_fragment
-          Authorization::URIBuilder.uri_with_fragment(
-            pre_auth.redirect_uri,
+      def body
+        if auth.try(:access_token?)
+          {
             access_token: auth.token.plaintext_token,
             token_type: auth.token.token_type,
             expires_in: auth.token.expires_in_seconds,
             state: pre_auth.state,
-          )
-        else
-          Authorization::URIBuilder.uri_with_query(
-            pre_auth.redirect_uri,
+          }
+        elsif auth.try(:access_grant?)
+          {
             code: auth.token.plaintext_token,
             state: pre_auth.state,
-          )
+          }
+        end
+      end
+      def redirect_uri
+        if URIChecker.oob_uri?(pre_auth.redirect_uri)
+          auth.oob_redirect
+        elsif response_on_fragment
+          Authorization::URIBuilder.uri_with_fragment(pre_auth.redirect_uri, body)
+        else
+          Authorization::URIBuilder.uri_with_query(pre_auth.redirect_uri, body)
         end
       end
     end

data/lib/doorkeeper/oauth/error_response.rb CHANGED Viewed

@@ -5,6 +5,8 @@ module Doorkeeper
     class ErrorResponse < BaseResponse
       include OAuth::Helpers
+      NON_REDIRECTABLE_STATES = %i[invalid_redirect_uri invalid_client unauthorized_client].freeze
       def self.from_request(request, attributes = {})
         new(
           attributes.merge(
@@ -32,7 +34,7 @@ module Doorkeeper
       end
       def status
-        if name == :invalid_client
+        if name == :invalid_client || name == :unauthorized_client
           :unauthorized
         else
           :bad_request
@@ -40,8 +42,7 @@ module Doorkeeper
       end
       def redirectable?
-        name != :invalid_redirect_uri && name != :invalid_client &&
-          !URIChecker.oob_uri?(@redirect_uri)
+        !NON_REDIRECTABLE_STATES.include?(name) && !URIChecker.oob_uri?(@redirect_uri)
       end
       def redirect_uri

data/lib/doorkeeper/oauth/helpers/scope_checker.rb CHANGED Viewed

@@ -12,9 +12,7 @@ module Doorkeeper
             @scope_str = scope_str
             @valid_scopes = valid_scopes(server_scopes, app_scopes)
-            if grant_type
-              @scopes_by_grant_type = Doorkeeper.config.scopes_by_grant_type[grant_type.to_sym]
-            end
+            @scopes_by_grant_type = Doorkeeper.config.scopes_by_grant_type[grant_type.to_sym] if grant_type
           end
           def valid?

data/lib/doorkeeper/oauth/password_access_token_request.rb CHANGED Viewed

@@ -10,12 +10,13 @@ module Doorkeeper
       validate :resource_owner, error: :invalid_grant
       validate :scopes, error: :invalid_scope
-      attr_reader :client, :resource_owner, :parameters, :access_token
+      attr_reader :client, :credentials, :resource_owner, :parameters, :access_token
-      def initialize(server, client, resource_owner, parameters = {})
+      def initialize(server, client, credentials, resource_owner, parameters = {})
         @server          = server
         @resource_owner  = resource_owner
         @client          = client
+        @credentials     = credentials
         @parameters      = parameters
         @original_scopes = parameters[:scope]
         @grant_type      = Doorkeeper::OAuth::PASSWORD
@@ -43,8 +44,27 @@ module Doorkeeper
         resource_owner.present?
       end
+      # Section 4.3.2. Access Token Request for Resource Owner Password Credentials Grant:
+      #
+      #   If the client type is confidential or the client was issued client credentials (or assigned
+      #   other authentication requirements), the client MUST authenticate with the authorization
+      #   server as described in Section 3.2.1.
+      #
+      #   The authorization server MUST:
+      #
+      #    o  require client authentication for confidential clients or for any  client that was
+      #       issued client credentials (or with other authentication requirements)
+      #
+      #    o  authenticate the client if client authentication is included,
+      #
+      #   @see https://tools.ietf.org/html/rfc6749#section-4.3
+      #
       def validate_client
-        !parameters[:client_id] || client.present?
+        if Doorkeeper.config.skip_client_authentication_for_password_grant
+          client.present? || (!parameters[:client_id] && credentials.blank?)
+        else
+          client.present?
+        end
       end
       def validate_client_supports_grant_flow

data/lib/doorkeeper/oauth/pre_authorization.rb CHANGED Viewed

@@ -12,16 +12,19 @@ module Doorkeeper
       validate :redirect_uri, error: :invalid_redirect_uri
       validate :params, error: :invalid_request
       validate :response_type, error: :unsupported_response_type
+      validate :response_mode, error: :unsupported_response_mode
       validate :scopes, error: :invalid_scope
       validate :code_challenge_method, error: :invalid_code_challenge_method
       attr_reader :client, :code_challenge, :code_challenge_method, :missing_param,
-                  :redirect_uri, :resource_owner, :response_type, :state
+                  :redirect_uri, :resource_owner, :response_type, :state,
+                  :authorization_response_flow, :response_mode
       def initialize(server, parameters = {}, resource_owner = nil)
         @server                = server
         @client_id             = parameters[:client_id]
         @response_type         = parameters[:response_type]
+        @response_mode         = parameters[:response_mode]
         @redirect_uri          = parameters[:redirect_uri]
         @scope                 = parameters[:scope]
         @state                 = parameters[:state]
@@ -57,6 +60,10 @@ module Doorkeeper
         pre_auth_hash
       end
+      def form_post_response?
+        response_mode == "form_post"
+      end
       private
       attr_reader :client_id, :server
@@ -84,6 +91,11 @@ module Doorkeeper
         Doorkeeper.config.allow_grant_flow_for_client?(grant_type, client.application)
       end
+      def validate_resource_owner_authorize_for_client
+        # The `authorize_resource_owner_for_client` config option is used for this validation
+        client.application.authorized_for_resource_owner?(@resource_owner)
+      end
       def validate_redirect_uri
         return false if redirect_uri.blank?
@@ -104,7 +116,21 @@ module Doorkeeper
       end
       def validate_response_type
-        server.authorization_response_types.include?(response_type)
+        server.authorization_response_flows.any? do |flow|
+          if flow.matches_response_type?(response_type)
+            @authorization_response_flow = flow
+            true
+          end
+        end
+      end
+      def validate_response_mode
+        if response_mode.blank?
+          @response_mode = authorization_response_flow.default_response_mode
+          return true
+        end
+        authorization_response_flow.matches_response_mode?(response_mode)
       end
       def validate_scopes
@@ -117,17 +143,16 @@ module Doorkeeper
       end
       def validate_code_challenge_method
+        return true unless Doorkeeper.config.access_grant_model.pkce_supported?
         code_challenge.blank? ||
           (code_challenge_method.present? && code_challenge_method =~ /^plain$|^S256$/)
       end
-      def validate_resource_owner_authorize_for_client
-        # The `authorize_resource_owner_for_client` config option is used for this validation
-        client.application.authorized_for_resource_owner?(@resource_owner)
-      end
       def response_on_fragment?
-        response_type == "token"
+        return response_type == "token" if response_mode.nil?
+        response_mode == "fragment"
       end
       def grant_type