doorkeeper 5.4.0 → 5.5.0.rc2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 76b3a86e21584548c9b0c176512c844bee90ba9c447aaf09741abf54488093bb
-  data.tar.gz: ce7a4ffdf3b0aebaa69f703b70f0109276205c9ec0b2f1e2c7b3e88cb4746f8b
+  metadata.gz: 71ef97409e242e0609d9c327836e2f90f92af440c8f989047b83435f7f8b052d
+  data.tar.gz: f12a030d12ca321fbf1b0acd4534707afba6c584b77d307698943a879cd33500
 SHA512:
-  metadata.gz: 7192f9711713f15d323e85aa3ad4274b314a55dcc89ba945de52dca5dbbad2e267dc3252da353cd4991fae365a1161fd91d06c0bfcaba767163b4c54eafca125
-  data.tar.gz: b5f324cfe8064b32254ca1c045bc24c54ab21a485bf3c6a9726bc995ab9dc24516872bf8ee314850b65f6ce3d879d0497e67416ea78c0f8f7566bdbfd48e024a
+  metadata.gz: bdda34cda76caffdeaec38be0c06ba733cc15480970bd78b48267c66764a64643423d61a2adb6c1c65643d3df2061ab3d86ad82baf970676276d7b1655fb846b
+  data.tar.gz: 8218ad9ad8248192f93253940623564784f339b78594cf00c000c33f9a6a9bd06f6cc5ee9fbcc207d4af3b499712387d39756c7ef6c709e9a7afe991efdfa5af

data/CHANGELOG.md

@@ -7,7 +7,47 @@ User-visible changes worth mentioning.
 
 ## master
 
-- [#PR ID] Your PR description.
+- [#PR ID] Add your PR description here.
+
+## 5.5.0.rc2
+
+- [#1473] Enable `Applications` and `AuthorizedApplications` controllers in API mode.
+  
+  **[IMPORTANT]** you can still skip these controllers using `skip_controllers` in 
+    `use_doorkeeper` inside `routes.rb`. Please do it in case you don't need them.
+  
+- [#1472] Fix `establish_connection` configuration for custom defined models.
+- [#1471] Add support for Ruby 3.0.
+- [#1469] Check if `redirect_uri` exists.
+- [#1465] Memoize nil doorkeeper_token.
+- [#1459] Use built-in Ruby option to remove padding in PKCE code challenge value.
+- [#1457] Make owner_id a bigint for newly-generated owner migrations
+- [#1452] Empty previous_refresh_token only if present.
+- [#1440] Validate empty host in redirect_uri.
+- [#1438] Add form post response mode.
+- [#1458] Make `config.skip_client_authentication_for_password_grant` a long term configuration option.
+
+## 5.5.0.rc1
+
+- [#1435] Make error response not redirectable when client is unauthorized
+- [#1426] Ensure ActiveRecord callbacks are executed on token revocation.
+- [#1407] Remove redundant and complex to support helpers froms tests (`should_have_json`, etc).
+- [#1416] Don't add introspection route if token introspection completely disabled.
+- [#1410] Properly memoize `current_resource_owner` value (consider `nil` and `false` values).
+- [#1415] Ignore PKCE params for non-PKCE grants.
+- [#1418] Add ability to register custom OAuth Grant Flows.
+- [#1420] Require client authentication for Resource Owner Password Grant as stated in OAuth RFC.
+
+  **[IMPORTANT]** you need to create a new OAuth client (`Doorkeeper::Application`) if you didn't
+    have it before and use client credentials in HTTP Basic auth if you previously used this grant
+    flow without client authentication. To opt out of this you could set the
+    `skip_client_authentication_for_password_grant` configuration option to `true`, but note that
+    this is in violation of the OAuth spec and represents a security risk.
+    All the users of your provider application now need to include client credentials when they use
+    this grant flow.
+
+- [#1421] Add Resource Owner instance to authorization hook context for `custom_access_token_expires_in`
+  configuration option to allow resource owner based Access Tokens TTL.
 
 ## 5.4.0
 
@@ -17,7 +57,7 @@ User-visible changes worth mentioning.
 
 - [#1371] Add `#as_json` method and attributes serialization restriction for Application model.
   Fixes information disclosure vulnerability (CVE-2020-10187).
-  
+
   **[IMPORTANT]** you need to re-implement `#as_json` method for Doorkeeper Application model
   if you previously used `#to_json` serialization with custom options or attributes or rely on
   JSON response from /oauth/applications.json or /oauth/authorized_applications.json. This change
@@ -31,17 +71,17 @@ User-visible changes worth mentioning.
 - [#1402] Handle trying authorization with client credentials.
 
 ## 5.4.0.rc1
-- [#1366] Sets expiry of token generated using `refresh_token` to that of original token. (Fixes #1364) 
+- [#1366] Sets expiry of token generated using `refresh_token` to that of original token. (Fixes #1364)
 - [#1354] Add `authorize_resource_owner_for_client` option to authorize the calling user to access an application.
 - [#1355] Allow to enable polymorphic Resource Owner association for Access Token & Grant
   models (`use_polymorphic_resource_owner` configuration option).
-  
+
   **[IMPORTANT]** Review your custom patches or extensions for Doorkeeper internals if you
   have such - since now Doorkeeper passes Resource Owner instance to every objects and not
   just it's ID. See PR description for details.
-  
+
 - [#1356] Remove duplicated scopes from Access Tokens and Grants on attribute assignment.
-- [#1357] Fix `Doorkeeper::OAuth::PreAuthorization#as_json` method causing 
+- [#1357] Fix `Doorkeeper::OAuth::PreAuthorization#as_json` method causing
   `Stack level too deep` error with AMS (fix #1312).
 - [#1358] Deprecate `active_record_options` configuration option.
 - [#1359] Refactor Doorkeeper configuration options DSL to make it easy to reuse it
@@ -53,7 +93,7 @@ User-visible changes worth mentioning.
   **[IMPORTANT]** now fully according to RFC 7009 nobody can do a revocation request without `client_id`
   (for public clients) and `client_secret` (for private clients). Please update your apps to include that
   info in the revocation request payload.
-  
+
 - [#1373] Make Doorkeeper routes mapper reusable in extensions.
 - [#1374] Revoke and issue client credentials token in a transaction with a row lock.
 - [#1384] Add context object with auth/pre_auth and issued_token for authorization hooks.
@@ -98,9 +138,9 @@ User-visible changes worth mentioning.
 
 - [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
   Fixes information disclosure vulnerability (CVE-2020-10187).
-  
+
 ## 5.2.4
-  
+
 - [#1360] Backport: Increase `matching_token_for` batch lookup size to 10 000 and make it configurable.
 
 ## 5.2.3

data/app/controllers/doorkeeper/authorizations_controller.rb

@@ -52,10 +52,19 @@ module Doorkeeper
     def redirect_or_render(auth)
       if auth.redirectable?
         if Doorkeeper.configuration.api_only
-          render(
-            json: { status: :redirect, redirect_uri: auth.redirect_uri },
-            status: auth.status,
-          )
+          if pre_auth.form_post_response?
+            render(
+              json: { status: :post, redirect_uri: pre_auth.redirect_uri, body: auth.body },
+              status: auth.status,
+            )
+          else
+            render(
+              json: { status: :redirect, redirect_uri: auth.redirect_uri },
+              status: auth.status,
+            )
+          end
+        elsif pre_auth.form_post_response?
+          render :form_post
         else
           redirect_to auth.redirect_uri
         end
@@ -82,8 +91,10 @@ module Doorkeeper
         code_challenge
         code_challenge_method
         response_type
+        response_mode
         redirect_uri
-        scope state
+        scope
+        state
       ]
     end
 

data/app/controllers/doorkeeper/tokens_controller.rb

@@ -2,6 +2,8 @@
 
 module Doorkeeper
   class TokensController < Doorkeeper::ApplicationMetalController
+    before_action :validate_presence_of_client, only: [:revoke]
+
     def create
       headers.merge!(authorize_response.headers)
       render json: authorize_response.body,
@@ -12,32 +14,6 @@ module Doorkeeper
 
     # OAuth 2.0 Token Revocation - http://tools.ietf.org/html/rfc7009
     def revoke
-      # @see 2.1.  Revocation Request
-      #
-      #  The client constructs the request by including the following
-      #  parameters using the "application/x-www-form-urlencoded" format in
-      #  the HTTP request entity-body:
-      #     token   REQUIRED.
-      #     token_type_hint  OPTIONAL.
-      #
-      #  The client also includes its authentication credentials as described
-      #  in Section 2.3. of [RFC6749].
-      #
-      #  The authorization server first validates the client credentials (in
-      #  case of a confidential client) and then verifies whether the token
-      #  was issued to the client making the revocation request.
-      unless server.client
-        # If this validation [client credentials / token ownership] fails, the request is
-        # refused and the  client is informed of the error by the authorization server as
-        # described below.
-        #
-        # @see 2.2.1.  Error Response
-        #
-        # The error presentation conforms to the definition in Section 5.2 of [RFC6749].
-        render json: revocation_error_response, status: :forbidden
-        return
-      end
-
       # The authorization server responds with HTTP status code 200 if the client
       # submitted an invalid token or the token has been revoked successfully.
       if token.blank?
@@ -68,7 +44,39 @@ module Doorkeeper
 
     private
 
+    def validate_presence_of_client
+      return if Doorkeeper.config.skip_client_authentication_for_password_grant
+
+      # @see 2.1.  Revocation Request
+      #
+      #  The client constructs the request by including the following
+      #  parameters using the "application/x-www-form-urlencoded" format in
+      #  the HTTP request entity-body:
+      #     token   REQUIRED.
+      #     token_type_hint  OPTIONAL.
+      #
+      #  The client also includes its authentication credentials as described
+      #  in Section 2.3. of [RFC6749].
+      #
+      #  The authorization server first validates the client credentials (in
+      #  case of a confidential client) and then verifies whether the token
+      #  was issued to the client making the revocation request.
+      return if server.client
+
+      # If this validation [client credentials / token ownership] fails, the request is
+      # refused and the  client is informed of the error by the authorization server as
+      # described below.
+      #
+      # @see 2.2.1.  Error Response
+      #
+      # The error presentation conforms to the definition in Section 5.2 of [RFC6749].
+      render json: revocation_error_response, status: :forbidden
+    end
+
     # OAuth 2.0 Section 2.1 defines two client types, "public" & "confidential".
+    #
+    # RFC7009
+    # Section 5. Security Considerations
     # A malicious client may attempt to guess valid tokens on this endpoint
     # by making revocation requests against potential token strings.
     # According to this specification, a client's request must contain a

data/app/views/doorkeeper/applications/show.html.erb

@@ -35,18 +35,22 @@
 
     <h4><%= t('.callback_urls') %>:</h4>
 
-    <table>
-      <% @application.redirect_uri.split.each do |uri| %>
-        <tr>
-          <td>
-            <code class="bg-light"><%= uri %></code>
-          </td>
-          <td>
-            <%= link_to t('doorkeeper.applications.buttons.authorize'), oauth_authorization_path(client_id: @application.uid, redirect_uri: uri, response_type: 'code', scope: @application.scopes), class: 'btn btn-success', target: '_blank' %>
-          </td>
-        </tr>
-      <% end %>
-    </table>
+    <% if @application.redirect_uri.present? %>
+      <table>
+        <% @application.redirect_uri.split.each do |uri| %>
+          <tr>
+            <td>
+              <code class="bg-light"><%= uri %></code>
+            </td>
+            <td>
+              <%= link_to t('doorkeeper.applications.buttons.authorize'), oauth_authorization_path(client_id: @application.uid, redirect_uri: uri, response_type: 'code', scope: @application.scopes), class: 'btn btn-success', target: '_blank' %>
+            </td>
+          </tr>
+        <% end %>
+      </table>
+    <% else %>
+      <span class="bg-light font-italic text-uppercase text-muted"><%= t('.not_defined') %></span>
+    <% end %>
   </div>
 
   <div class="col-md-4">

data/app/views/doorkeeper/authorizations/form_post.html.erb

@@ -0,0 +1,11 @@
+<header class="page-header">
+  <h1><%= t('.title') %></h1>
+</header>
+
+<main role="main" onload="document.forms[0].submit()">
+  <%= form_tag @pre_auth.redirect_uri, method: :post do %>
+    <% @authorize_response.body.each do |key, value| %>
+      <%= hidden_field_tag key, value %>
+    <% end %>
+  <% end %>
+</main>

data/config/locales/en.yml

@@ -72,6 +72,8 @@ en:
         able_to: 'This application will be able to'
       show:
         title: 'Authorization code'
+      form_post:
+        title: 'Submit this form'
 
     authorized_applications:
       confirmations:
@@ -93,7 +95,6 @@ en:
         invalid_request:
           unknown: 'The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed.'
           missing_param: 'Missing required parameter: %{value}.'
-          not_support_pkce: 'Invalid code_verifier parameter. Server does not support pkce.'
           request_not_authorized: 'Request need to be authorized. Required parameter for authorizing request is missing or invalid.'
         invalid_redirect_uri: "The requested redirect uri is malformed or doesn't match client redirect URI."
         unauthorized_client: 'The client is not authorized to perform this request using this method.'
@@ -110,6 +111,7 @@ en:
 
         # Access grant errors
         unsupported_response_type: 'The authorization server does not support this response type.'
+        unsupported_response_mode: 'The authorization server does not support this response mode.'
 
         # Access token errors
         invalid_client: 'Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method.'

data/lib/doorkeeper/config/option.rb

@@ -45,9 +45,7 @@ module Doorkeeper
           define_method name do |*args, &block|
             if (deprecation_opts = options[:deprecated])
               warning = "[DOORKEEPER] #{name} has been deprecated and will soon be removed"
-              if deprecation_opts.is_a?(Hash)
-                warning = "#{warning}\n#{deprecation_opts.fetch(:message)}"
-              end
+              warning = "#{warning}\n#{deprecation_opts.fetch(:message)}" if deprecation_opts.is_a?(Hash)
 
               Kernel.warn(warning)
             end

data/lib/doorkeeper/config/validations.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  class Config
+    # Doorkeeper configuration validator.
+    #
+    module Validations
+      # Validates configuration options to be set properly.
+      #
+      def validate!
+        validate_reuse_access_token_value
+        validate_token_reuse_limit
+        validate_secret_strategies
+      end
+
+      private
+
+      # Determine whether +reuse_access_token+ and a non-restorable
+      # +token_secret_strategy+ have both been activated.
+      #
+      # In that case, disable reuse_access_token value and warn the user.
+      def validate_reuse_access_token_value
+        strategy = token_secret_strategy
+        return if !reuse_access_token || strategy.allows_restoring_secrets?
+
+        ::Rails.logger.warn(
+          "You have configured both reuse_access_token " \
+          "AND strategy strategy '#{strategy}' that cannot restore tokens. " \
+          "This combination is unsupported. reuse_access_token will be disabled",
+        )
+        @reuse_access_token = false
+      end
+
+      # Validate that the provided strategies are valid for
+      # tokens and applications
+      def validate_secret_strategies
+        token_secret_strategy.validate_for(:token)
+        application_secret_strategy.validate_for(:application)
+      end
+
+      def validate_token_reuse_limit
+        return if !reuse_access_token ||
+                  (token_reuse_limit > 0 && token_reuse_limit <= 100)
+
+        ::Rails.logger.warn(
+          "You have configured an invalid value for token_reuse_limit option. " \
+          "It will be set to default 100",
+        )
+        @token_reuse_limit = 100
+      end
+    end
+  end
+end

data/lib/doorkeeper/config.rb

@@ -1,7 +1,8 @@
 # frozen_string_literal: true
 
-require "doorkeeper/config/option"
 require "doorkeeper/config/abstract_builder"
+require "doorkeeper/config/option"
+require "doorkeeper/config/validations"
 
 module Doorkeeper
   # Defines a MissingConfiguration error for a missing Doorkeeper configuration
@@ -28,6 +29,8 @@ module Doorkeeper
       @config
     end
 
+    # @return [Doorkeeper::Config] configuration instance
+    #
     def configuration
       @config || (raise MissingConfiguration)
     end
@@ -219,6 +222,7 @@ module Doorkeeper
     mattr_reader(:builder_class) { Builder }
 
     extend Option
+    include Validations
 
     option :resource_owner_authenticator,
            as: :authenticate_resource_owner,
@@ -267,7 +271,6 @@ module Doorkeeper
     option :grant_flows,                    default: %w[authorization_code client_credentials]
     option :handle_auth_errors,             default: :render
     option :token_lookup_batch_size,        default: 10_000
-
     # Sets the token_reuse_limit
     # It will be used only when reuse_access_token option in enabled
     # By default it will be 100
@@ -275,6 +278,17 @@ module Doorkeeper
     # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/1189
     option :token_reuse_limit,              default: 100
 
+    # This is discouraged. Spec says that password grants always require a client.
+    #
+    # See https://github.com/doorkeeper-gem/doorkeeper/issues/1412#issuecomment-632750422
+    # and https://github.com/doorkeeper-gem/doorkeeper/pull/1420
+    #
+    # Since many applications use this unsafe behavior in the wild, this is kept as a
+    # not-recommended option. You should be aware that you are not following the OAuth
+    # spec, and understand the security implications of doing so.
+    option :skip_client_authentication_for_password_grant,
+           default: false
+
     option :active_record_options,
            default: {},
            deprecated: { message: "Customize Doorkeeper models instead" }
@@ -423,13 +437,6 @@ module Doorkeeper
                 :token_secret_fallback_strategy,
                 :application_secret_fallback_strategy
 
-    # Return the valid subset of this configuration
-    def validate!
-      validate_reuse_access_token_value
-      validate_token_reuse_limit
-      validate_secret_strategies
-    end
-
     # Doorkeeper Access Token model class.
     #
     # @return [ActiveRecord::Base, Mongoid::Document, Sequel::Model]
@@ -545,12 +552,77 @@ module Doorkeeper
       ]
     end
 
+    def enabled_grant_flows
+      @enabled_grant_flows ||= calculate_grant_flows.map { |name| Doorkeeper::GrantFlow.get(name) }.compact
+    end
+
+    def authorization_response_flows
+      @authorization_response_flows ||= enabled_grant_flows.select(&:handles_response_type?) +
+                                        deprecated_authorization_flows
+    end
+
+    def token_grant_flows
+      @token_grant_flows ||= calculate_token_grant_flows
+    end
+
     def authorization_response_types
-      @authorization_response_types ||= calculate_authorization_response_types.freeze
+      authorization_response_flows.map(&:response_type_matches)
     end
 
     def token_grant_types
-      @token_grant_types ||= calculate_token_grant_types.freeze
+      token_grant_flows.map(&:grant_type_matches)
+    end
+
+    # [NOTE]: deprecated and will be removed soon
+    def deprecated_token_grant_types_resolver
+      @deprecated_token_grant_types ||= calculate_token_grant_types
+    end
+
+    # [NOTE]: deprecated and will be removed soon
+    def deprecated_authorization_flows
+      response_types = calculate_authorization_response_types
+
+      if response_types.any?
+        ::Kernel.warn <<~WARNING
+          Please, don't patch Doorkeeper::Config#calculate_authorization_response_types method.
+          Register your custom grant flows using the public API:
+          `Doorkeeper::GrantFlow.register(grant_flow_name, **options)`.
+        WARNING
+      end
+
+      response_types.map do |response_type|
+        Doorkeeper::GrantFlow::FallbackFlow.new(response_type, response_type_matches: response_type)
+      end
+    end
+
+    # [NOTE]: deprecated and will be removed soon
+    def calculate_authorization_response_types
+      []
+    end
+
+    # [NOTE]: deprecated and will be removed soon
+    def calculate_token_grant_types
+      types = grant_flows - ["implicit"]
+      types << "refresh_token" if refresh_token_enabled?
+      types
+    end
+
+    # Calculates grant flows configured by the user in Doorkeeper
+    # configuration considering registered aliases that is exposed
+    # to single or multiple other flows.
+    #
+    def calculate_grant_flows
+      configured_flows = grant_flows.map(&:to_s)
+      aliases = Doorkeeper::GrantFlow.aliases.keys.map(&:to_s)
+
+      flows = configured_flows - aliases
+      aliases.each do |flow_alias|
+        next unless configured_flows.include?(flow_alias)
+
+        flows.concat(Doorkeeper::GrantFlow.expand_alias(flow_alias))
+      end
+
+      flows.flatten.uniq
     end
 
     def allow_blank_redirect_uri?(application = nil)
@@ -579,57 +651,10 @@ module Doorkeeper
       !!(defined?(var) && var)
     end
 
-    # Determines what values are acceptable for 'response_type' param in
-    # authorization request endpoint, and return them as an array of strings.
-    #
-    def calculate_authorization_response_types
-      types = []
-      types << "code"  if grant_flows.include? "authorization_code"
-      types << "token" if grant_flows.include? "implicit"
-      types
-    end
-
-    # Determines what values are acceptable for 'grant_type' param token
-    # request endpoint, and return them in array.
-    #
-    def calculate_token_grant_types
-      types = grant_flows - ["implicit"]
-      types << "refresh_token" if refresh_token_enabled?
-      types
-    end
-
-    # Determine whether +reuse_access_token+ and a non-restorable
-    # +token_secret_strategy+ have both been activated.
-    #
-    # In that case, disable reuse_access_token value and warn the user.
-    def validate_reuse_access_token_value
-      strategy = token_secret_strategy
-      return if !reuse_access_token || strategy.allows_restoring_secrets?
-
-      ::Rails.logger.warn(
-        "You have configured both reuse_access_token " \
-        "AND strategy strategy '#{strategy}' that cannot restore tokens. " \
-        "This combination is unsupported. reuse_access_token will be disabled",
-      )
-      @reuse_access_token = false
-    end
-
-    # Validate that the provided strategies are valid for
-    # tokens and applications
-    def validate_secret_strategies
-      token_secret_strategy.validate_for :token
-      application_secret_strategy.validate_for :application
-    end
-
-    def validate_token_reuse_limit
-      return if !reuse_access_token ||
-                (token_reuse_limit > 0 && token_reuse_limit <= 100)
-
-      ::Rails.logger.warn(
-        "You have configured an invalid value for token_reuse_limit option. " \
-        "It will be set to default 100",
-      )
-      @token_reuse_limit = 100
+    def calculate_token_grant_flows
+      flows = enabled_grant_flows.select(&:handles_grant_type?)
+      flows << Doorkeeper::GrantFlow.get("refresh_token") if refresh_token_enabled?
+      flows
     end
   end
 end

data/lib/doorkeeper/grant_flow/fallback_flow.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module GrantFlow
+    class FallbackFlow < Flow
+      def handles_grant_type?
+        false
+      end
+
+      def handles_response_type?
+        false
+      end
+    end
+  end
+end

data/lib/doorkeeper/grant_flow/flow.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module GrantFlow
+    class Flow
+      attr_reader :name, :grant_type_matches, :grant_type_strategy,
+                  :response_type_matches, :response_type_strategy,
+                  :response_mode_matches
+
+      def initialize(name, **options)
+        @name = name
+        @grant_type_matches = options[:grant_type_matches]
+        @grant_type_strategy = options[:grant_type_strategy]
+        @response_type_matches = options[:response_type_matches]
+        @response_type_strategy = options[:response_type_strategy]
+        @response_mode_matches = options[:response_mode_matches]
+      end
+
+      def handles_grant_type?
+        grant_type_matches.present?
+      end
+
+      def handles_response_type?
+        response_type_matches.present?
+      end
+
+      def matches_grant_type?(value)
+        grant_type_matches === value
+      end
+
+      def matches_response_type?(value)
+        response_type_matches === value
+      end
+
+      def default_response_mode
+        response_mode_matches[0]
+      end
+
+      def matches_response_mode?(value)
+        response_mode_matches.include?(value)
+      end
+    end
+  end
+end