doorkeeper 5.4.0.rc2 → 5.5.1

data/lib/doorkeeper/oauth/refresh_token_request.rb

@@ -62,6 +62,19 @@ module Doorkeeper
           attributes[:previous_refresh_token] = refresh_token.refresh_token
         end
 
+        # RFC6749
+        # 1.5.  Refresh Token
+        #
+        # Refresh tokens are issued to the client by the authorization server and are
+        # used to obtain a new access token when the current access token
+        # becomes invalid or expires, or to obtain additional access tokens
+        # with identical or narrower scope (access tokens may have a shorter
+        # lifetime and fewer permissions than authorized by the resource
+        # owner).
+        #
+        # Here we assume that TTL of the token received after refreshing should be
+        # the same as that of the original token.
+        #
         @access_token = server_config.access_token_model.create_for(
           application: refresh_token.application,
           resource_owner: resource_owner,

data/lib/doorkeeper/oauth/token.rb

@@ -32,13 +32,13 @@ module Doorkeeper
 
         def from_bearer_authorization(request)
           pattern = /^Bearer /i
-          header  = request.authorization
+          header = request.authorization
           token_from_header(header, pattern) if match?(header, pattern)
         end
 
         def from_basic_authorization(request)
           pattern = /^Basic /i
-          header  = request.authorization
+          header = request.authorization
           token_from_basic_header(header, pattern) if match?(header, pattern)
         end
 
@@ -54,7 +54,7 @@ module Doorkeeper
         end
 
         def token_from_header(header, pattern)
-          header.gsub pattern, ""
+          header.gsub(pattern, "")
         end
 
         def match?(header, pattern)

data/lib/doorkeeper/oauth/token_introspection.rb

@@ -179,11 +179,7 @@ module Doorkeeper
         allow_introspection = Doorkeeper.config.allow_token_introspection
         return allow_introspection unless allow_introspection.respond_to?(:call)
 
-        allow_introspection.call(
-          @token,
-          auth_client,
-          auth_token,
-        )
+        allow_introspection.call(@token, auth_client, auth_token)
       end
 
       # Allows to customize introspection response.

data/lib/doorkeeper/oauth/token_request.rb

@@ -12,7 +12,7 @@ module Doorkeeper
 
       def authorize
         auth = Authorization::Token.new(pre_auth, resource_owner)
-        auth.issue_token
+        auth.issue_token!
         CodeResponse.new(pre_auth, auth, response_on_fragment: true)
       end
 

data/lib/doorkeeper/orm/active_record.rb

@@ -20,9 +20,8 @@ module Doorkeeper
           require "doorkeeper/orm/active_record/access_token"
           require "doorkeeper/orm/active_record/application"
 
-          if Doorkeeper.config.active_record_options[:establish_connection]
+          if (options = Doorkeeper.config.active_record_options[:establish_connection])
             Doorkeeper::Orm::ActiveRecord.models.each do |model|
-              options = Doorkeeper.config.active_record_options[:establish_connection]
               model.establish_connection(options)
             end
           end
@@ -38,22 +37,14 @@ module Doorkeeper
       end
 
       def self.lazy_load(&block)
-        # ActiveSupport has no public interface to check if something
-        # already lazy-loaded :(
-        loaded = ActiveSupport.instance_variable_get(:"@loaded") || {}
-
-        if loaded.key?(:active_record)
-          block.call
-        else
-          ActiveSupport.on_load(:active_record, {}, &block)
-        end
+        ActiveSupport.on_load(:active_record, {}, &block)
       end
 
       def self.models
         [
-          Doorkeeper::AccessGrant,
-          Doorkeeper::AccessToken,
-          Doorkeeper::Application,
+          Doorkeeper.config.access_grant_model,
+          Doorkeeper.config.access_token_model,
+          Doorkeeper.config.application_model,
         ]
       end
     end

data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb

@@ -5,7 +5,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
     extend ActiveSupport::Concern
 
     included do
-      self.table_name = "#{table_name_prefix}oauth_access_grants#{table_name_suffix}"
+      self.table_name = compute_doorkeeper_table_name
 
       include ::Doorkeeper::AccessGrantMixin
 
@@ -54,5 +54,15 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
         secret_strategy.store_secret(self, :token, @raw_token)
       end
     end
+
+    module ClassMethods
+      private
+
+      def compute_doorkeeper_table_name
+        table_name = "oauth_access_grant"
+        table_name = table_name.pluralize if pluralize_table_names
+        "#{table_name_prefix}#{table_name}#{table_name_suffix}"
+      end
+    end
   end
 end

data/lib/doorkeeper/orm/active_record/mixins/access_token.rb

@@ -5,7 +5,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
     extend ActiveSupport::Concern
 
     included do
-      self.table_name = "#{table_name_prefix}oauth_access_tokens#{table_name_suffix}"
+      self.table_name = compute_doorkeeper_table_name
 
       include ::Doorkeeper::AccessTokenMixin
 
@@ -46,6 +46,14 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
       def refresh_token_revoked_on_use?
         column_names.include?("previous_refresh_token")
       end
+
+      private
+
+      def compute_doorkeeper_table_name
+        table_name = "oauth_access_token"
+        table_name = table_name.pluralize if pluralize_table_names
+        "#{table_name_prefix}#{table_name}#{table_name_suffix}"
+      end
     end
   end
 end

data/lib/doorkeeper/orm/active_record/mixins/application.rb

@@ -5,7 +5,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
     extend ActiveSupport::Concern
 
     included do
-      self.table_name = "#{table_name_prefix}oauth_applications#{table_name_suffix}"
+      self.table_name = compute_doorkeeper_table_name
 
       include ::Doorkeeper::ApplicationMixin
 
@@ -88,6 +88,17 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
         Doorkeeper.configuration.authorize_resource_owner_for_client.call(self, resource_owner)
       end
 
+      # We need to hook into this method to allow serializing plan-text secrets
+      # when secrets hashing enabled.
+      #
+      # @param key [String] attribute name
+      #
+      def read_attribute_for_serialization(key)
+        return super unless key.to_s == "secret"
+
+        plaintext_secret || secret
+      end
+
       private
 
       def generate_uid
@@ -126,31 +137,23 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
         only = Array.wrap(opts[:only]).map(&:to_s)
 
         only = if only.blank?
-                 serializable_attributes
+                 client_serializable_attributes
                else
-                 only & serializable_attributes
+                 only & client_serializable_attributes
                end
 
         only -= Array.wrap(opts[:except]).map(&:to_s) if opts.key?(:except)
         only.uniq
       end
 
-      # We need to hook into this method to allow serializing plan-text secrets
-      # when secrets hashing enabled.
-      #
-      # @param key [String] attribute name
-      #
-      def read_attribute_for_serialization(key)
-        return super unless key.to_s == "secret"
-
-        plaintext_secret || secret
-      end
-
       # Collection of attributes that could be serialized for public.
       # Override this method if you need additional attributes to be serialized.
       #
       # @return [Array<String>] collection of serializable attributes
-      def serializable_attributes
+      #
+      # NOTE: `serializable_attributes` method already taken by Rails >= 6
+      #
+      def client_serializable_attributes
         attributes = %w[id name created_at]
         attributes << "uid" unless confidential?
         attributes
@@ -182,6 +185,14 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
         Doorkeeper.config.access_token_model.revoke_all_for(id, resource_owner)
         Doorkeeper.config.access_grant_model.revoke_all_for(id, resource_owner)
       end
+
+      private
+
+      def compute_doorkeeper_table_name
+        table_name = "oauth_application"
+        table_name = table_name.pluralize if pluralize_table_names
+        "#{table_name_prefix}#{table_name}#{table_name_suffix}"
+      end
     end
   end
 end

data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb

@@ -21,6 +21,7 @@ module Doorkeeper
           record.errors.add(attribute, :unspecified_scheme) if unspecified_scheme?(uri)
           record.errors.add(attribute, :relative_uri) if relative_uri?(uri)
           record.errors.add(attribute, :secured_uri) if invalid_ssl_uri?(uri)
+          record.errors.add(attribute, :invalid_uri) if unspecified_host?(uri)
         end
       end
     rescue URI::InvalidURIError
@@ -43,6 +44,10 @@ module Doorkeeper
       %w[localhost].include?(uri.try(:scheme))
     end
 
+    def unspecified_host?(uri)
+      uri.is_a?(URI::HTTP) && uri.host.nil?
+    end
+
     def relative_uri?(uri)
       uri.scheme.nil? && uri.host.nil?
     end

data/lib/doorkeeper/rails/routes.rb

@@ -29,8 +29,6 @@ module Doorkeeper
 
       def initialize(routes, mapper = Mapper.new, &block)
         super
-
-        @mapping.skips.push(:applications, :authorized_applications) if Doorkeeper.config.api_only
       end
 
       def generate_routes!(options)
@@ -38,7 +36,7 @@ module Doorkeeper
           map_route(:authorizations, :authorization_routes)
           map_route(:tokens, :token_routes)
           map_route(:tokens, :revoke_routes)
-          map_route(:tokens, :introspect_routes)
+          map_route(:tokens, :introspect_routes) unless Doorkeeper.config.allow_token_introspection.is_a?(FalseClass)
           map_route(:applications, :application_routes)
           map_route(:authorized_applications, :authorized_applications_routes)
           map_route(:token_info, :token_info_routes)

data/lib/doorkeeper/rake/db.rake

@@ -13,7 +13,7 @@ namespace :doorkeeper do
     namespace :cleanup do
       desc "Removes stale access tokens"
       task revoked_tokens: "doorkeeper:setup" do
-        cleaner = Doorkeeper::StaleRecordsCleaner.new(Doorkeeper::AccessToken)
+        cleaner = Doorkeeper::StaleRecordsCleaner.new(Doorkeeper.config.access_token_model)
         cleaner.clean_revoked
       end
 
@@ -26,13 +26,13 @@ namespace :doorkeeper do
 
       desc "Removes stale access grants"
       task revoked_grants: "doorkeeper:setup" do
-        cleaner = Doorkeeper::StaleRecordsCleaner.new(Doorkeeper::AccessGrant)
+        cleaner = Doorkeeper::StaleRecordsCleaner.new(Doorkeeper.config.access_grant_model)
         cleaner.clean_revoked
       end
 
       desc "Removes expired (TTL passed) access grants"
       task expired_grants: "doorkeeper:setup" do
-        cleaner = Doorkeeper::StaleRecordsCleaner.new(Doorkeeper::AccessGrant)
+        cleaner = Doorkeeper::StaleRecordsCleaner.new(Doorkeeper.config.access_grant_model)
         cleaner.clean_expired(Doorkeeper.config.authorization_code_expires_in)
       end
     end

data/lib/doorkeeper/rake/setup.rake

@@ -2,5 +2,10 @@
 
 namespace :doorkeeper do
   task setup: :environment do
+    # Dirty hack to manually initialize AR because of lazy auto-loading,
+    # in other case we'll see NameError: uninitialized constant Doorkeeper::AccessToken
+    if Doorkeeper.config.orm == :active_record && defined?(::ActiveRecord::Base)
+      Object.const_get("::ActiveRecord::Base")
+    end
   end
 end

data/lib/doorkeeper/request.rb

@@ -4,32 +4,69 @@ module Doorkeeper
   module Request
     class << self
       def authorization_strategy(response_type)
-        build_strategy_class(response_type)
+        grant_flow = authorization_flows.detect do |flow|
+          flow.matches_response_type?(response_type)
+        end
+
+        if grant_flow
+          grant_flow.response_type_strategy
+        else
+          # [NOTE]: this will be removed in a newer versions of Doorkeeper.
+          # For retro-compatibility only
+          build_fallback_strategy_class(response_type)
+        end
       end
 
       def token_strategy(grant_type)
         raise Errors::MissingRequiredParameter, :grant_type if grant_type.blank?
 
-        get_strategy(grant_type, token_grant_types)
-      rescue NameError
-        raise Errors::InvalidTokenStrategy
-      end
+        grant_flow = token_flows.detect do |flow|
+          flow.matches_grant_type?(grant_type)
+        end
 
-      def get_strategy(grant_type, available)
-        raise NameError unless available.include?(grant_type.to_s)
+        if grant_flow
+          grant_flow.grant_type_strategy
+        else
+          # [NOTE]: this will be removed in a newer versions of Doorkeeper.
+          # For retro-compatibility only
+          raise Errors::InvalidTokenStrategy unless available.include?(grant_type.to_s)
 
-        build_strategy_class(grant_type)
+          strategy_class = build_fallback_strategy_class(grant_type)
+          raise Errors::InvalidTokenStrategy unless strategy_class
+
+          strategy_class
+        end
       end
 
       private
 
-      def token_grant_types
-        Doorkeeper.config.token_grant_types
+      def authorization_flows
+        Doorkeeper.configuration.authorization_response_flows
+      end
+
+      def token_flows
+        Doorkeeper.configuration.token_grant_flows
       end
 
-      def build_strategy_class(grant_or_request_type)
+      # [NOTE]: this will be removed in a newer versions of Doorkeeper.
+      # For retro-compatibility only
+      def available
+        Doorkeeper.config.deprecated_token_grant_types_resolver
+      end
+
+      def build_fallback_strategy_class(grant_or_request_type)
         strategy_class_name = grant_or_request_type.to_s.tr(" ", "_").camelize
-        "Doorkeeper::Request::#{strategy_class_name}".constantize
+        fallback_strategy = "Doorkeeper::Request::#{strategy_class_name}".constantize
+
+        ::Kernel.warn <<~WARNING
+          [DOORKEEPER] #{fallback_strategy} found using fallback, it must be
+          registered using `Doorkeeper::GrantFlow.register(grant_flow_name, **options)`.
+          This functionality will be removed in a newer versions of Doorkeeper.
+        WARNING
+
+        fallback_strategy
+      rescue NameError
+        raise Errors::InvalidTokenStrategy
       end
     end
   end

data/lib/doorkeeper/request/password.rb

@@ -9,6 +9,7 @@ module Doorkeeper
         @request ||= OAuth::PasswordAccessTokenRequest.new(
           Doorkeeper.config,
           client,
+          credentials,
           resource_owner,
           parameters,
         )

data/lib/doorkeeper/server.rb

@@ -4,7 +4,7 @@ module Doorkeeper
   class Server
     attr_reader :context
 
-    def initialize(context = nil)
+    def initialize(context)
       @context = context
     end
 

data/lib/doorkeeper/stale_records_cleaner.rb

@@ -13,12 +13,12 @@ module Doorkeeper
       raise Doorkeeper::Errors::NoOrmCleaner, "'#{configured_orm}' ORM has no cleaner!"
     end
 
-    def self.configured_orm
-      Doorkeeper.config.orm
-    end
-
     def self.new(base_scope)
       self.for(base_scope)
     end
+
+    def self.configured_orm
+      Doorkeeper.config.orm
+    end
   end
 end

data/lib/doorkeeper/version.rb

@@ -1,16 +1,12 @@
 # frozen_string_literal: true
 
 module Doorkeeper
-  def self.gem_version
-    Gem::Version.new VERSION::STRING
-  end
-
   module VERSION
     # Semantic versioning
     MAJOR = 5
-    MINOR = 4
-    TINY = 0
-    PRE = "rc2"
+    MINOR = 5
+    TINY = 1
+    PRE = nil
 
     # Full version number
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")