doorkeeper 5.4.0 → 5.5.0.rc2

data/lib/doorkeeper/grant_flow/registry.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module GrantFlow
+    module Registry
+      mattr_accessor :flows
+      self.flows = {}
+
+      mattr_accessor :aliases
+      self.aliases = {}
+
+      # Allows to register custom OAuth grant flow so that Doorkeeper
+      # could recognize and process it.
+      #
+      def register(name_or_flow, **options)
+        unless name_or_flow.is_a?(Doorkeeper::GrantFlow::Flow)
+          name_or_flow = Flow.new(name_or_flow, **options)
+        end
+
+        flow_key = name_or_flow.name.to_sym
+
+        if flows.key?(flow_key)
+          ::Kernel.warn <<~WARNING
+            [DOORKEEPER] '#{flow_key}' grant flow already registered and will be overridden
+            in #{caller(1..1).first}
+          WARNING
+        end
+
+        flows[flow_key] = name_or_flow
+      end
+
+      # Allows to register aliases that could be used in `grant_flows`
+      # configuration option. It is possible to have aliases like 1:1 or
+      # 1:N, i.e. "implicit_oidc" => ['token', 'id_token', 'id_token token'].
+      #
+      def register_alias(alias_name, **options)
+        aliases[alias_name.to_sym] = Array.wrap(options.fetch(:as))
+      end
+
+      def expand_alias(alias_name)
+        aliases.fetch(alias_name.to_sym, [])
+      end
+
+      # [NOTE]: make it to use #fetch after removing fallbacks
+      def get(name)
+        flows[name.to_sym]
+      end
+    end
+  end
+end

data/lib/doorkeeper/grant_flow.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require "doorkeeper/grant_flow/flow"
+require "doorkeeper/grant_flow/fallback_flow"
+require "doorkeeper/grant_flow/registry"
+
+module Doorkeeper
+  module GrantFlow
+    extend Registry
+
+    register(
+      :implicit,
+      response_type_matches: "token",
+      response_mode_matches: %w[fragment form_post],
+      response_type_strategy: Doorkeeper::Request::Token,
+    )
+
+    register(
+      :authorization_code,
+      response_type_matches: "code",
+      response_mode_matches: %w[query fragment form_post],
+      response_type_strategy: Doorkeeper::Request::Code,
+      grant_type_matches: "authorization_code",
+      grant_type_strategy: Doorkeeper::Request::AuthorizationCode,
+    )
+
+    register(
+      :client_credentials,
+      grant_type_matches: "client_credentials",
+      grant_type_strategy: Doorkeeper::Request::ClientCredentials,
+    )
+
+    register(
+      :password,
+      grant_type_matches: "password",
+      grant_type_strategy: Doorkeeper::Request::Password,
+    )
+
+    register(
+      :refresh_token,
+      grant_type_matches: "refresh_token",
+      grant_type_strategy: Doorkeeper::Request::RefreshToken,
+    )
+  end
+end

data/lib/doorkeeper/helpers/controller.rb

@@ -16,6 +16,8 @@ module Doorkeeper
 
       # :doc:
       def current_resource_owner
+        return @current_resource_owner if defined?(@current_resource_owner)
+
         @current_resource_owner ||= begin
           instance_eval(&Doorkeeper.config.authenticate_resource_owner)
         end
@@ -36,6 +38,8 @@ module Doorkeeper
 
       # :doc:
       def doorkeeper_token
+        return @doorkeeper_token if defined?(@doorkeeper_token)
+
         @doorkeeper_token ||= OAuth::Token.authenticate(request, *config_methods)
       end
 

data/lib/doorkeeper/models/access_grant_mixin.rb

@@ -89,8 +89,7 @@ module Doorkeeper
       # suitable for PKCE validation
       #
       def generate_code_challenge(code_verifier)
-        padded_result = Base64.urlsafe_encode64(Digest::SHA256.digest(code_verifier))
-        padded_result.split("=")[0] # Remove any trailing '='
+        Base64.urlsafe_encode64(Digest::SHA256.digest(code_verifier), padding: false)
       end
 
       def pkce_supported?

data/lib/doorkeeper/models/access_token_mixin.rb

@@ -94,8 +94,8 @@ module Doorkeeper
       # Interface to enumerate access token records in batches in order not
       # to bloat the memory. Could be overloaded in any ORM extension.
       #
-      def find_access_token_in_batches(relation, *args, &block)
-        relation.find_in_batches(*args, &block)
+      def find_access_token_in_batches(relation, **args, &block)
+        relation.find_in_batches(**args, &block)
       end
 
       # Enumerates AccessToken records in batches to find a matching token.
@@ -377,7 +377,7 @@ module Doorkeeper
       return unless self.class.refresh_token_revoked_on_use?
 
       old_refresh_token&.revoke
-      update_column(:previous_refresh_token, "")
+      update_attribute(:previous_refresh_token, "") if previous_refresh_token.present?
     end
 
     private

data/lib/doorkeeper/models/concerns/revocable.rb

@@ -9,7 +9,7 @@ module Doorkeeper
       # @param clock [Time] time object
       #
       def revoke(clock = Time)
-        update_column(:revoked_at, clock.now.utc)
+        update_attribute(:revoked_at, clock.now.utc)
       end
 
       # Indicates whether the object has been revoked.

data/lib/doorkeeper/oauth/authorization/code.rb

@@ -21,6 +21,10 @@ module Doorkeeper
           { action: :show, code: token.plaintext_token }
         end
 
+        def access_grant?
+          true
+        end
+
         private
 
         def authorization_code_expires_in

data/lib/doorkeeper/oauth/authorization/context.rb

@@ -4,12 +4,12 @@ module Doorkeeper
   module OAuth
     module Authorization
       class Context
-        attr_reader :client, :grant_type, :scopes
+        attr_reader :client, :grant_type, :resource_owner, :scopes
 
-        def initialize(client, grant_type, scopes)
-          @client = client
-          @grant_type = grant_type
-          @scopes = scopes
+        def initialize(**attributes)
+          attributes.each do |name, value|
+            instance_variable_set(:"@#{name}", value) if respond_to?(name)
+          end
         end
       end
     end

data/lib/doorkeeper/oauth/authorization/token.rb

@@ -7,7 +7,7 @@ module Doorkeeper
         attr_reader :pre_auth, :resource_owner, :token
 
         class << self
-          def build_context(pre_auth_or_oauth_client, grant_type, scopes)
+          def build_context(pre_auth_or_oauth_client, grant_type, scopes, resource_owner)
             oauth_client = if pre_auth_or_oauth_client.respond_to?(:application)
                              pre_auth_or_oauth_client.application
                            elsif pre_auth_or_oauth_client.respond_to?(:client)
@@ -17,9 +17,10 @@ module Doorkeeper
                            end
 
             Doorkeeper::OAuth::Authorization::Context.new(
-              oauth_client,
-              grant_type,
-              scopes,
+              client: oauth_client,
+              grant_type: grant_type,
+              scopes: scopes,
+              resource_owner: resource_owner,
             )
           end
 
@@ -55,6 +56,7 @@ module Doorkeeper
             pre_auth.client,
             Doorkeeper::OAuth::IMPLICIT,
             pre_auth.scopes,
+            resource_owner,
           )
 
           @token = Doorkeeper.config.access_token_model.find_or_create_for(
@@ -74,6 +76,10 @@ module Doorkeeper
           }
         end
 
+        def access_token?
+          true
+        end
+
         private
 
         def controller

data/lib/doorkeeper/oauth/authorization/uri_builder.rb

@@ -23,7 +23,7 @@ module Doorkeeper
           private
 
           def build_query(parameters = {})
-            parameters = parameters.reject { |_, value| value.blank? }
+            parameters.reject! { |_, value| value.blank? }
             Rack::Utils.build_query(parameters)
           end
         end

data/lib/doorkeeper/oauth/authorization_code_request.rb

@@ -3,7 +3,6 @@
 module Doorkeeper
   module OAuth
     class AuthorizationCodeRequest < BaseRequest
-      validate :pkce_support, error: :invalid_request
       validate :params,       error: :invalid_request
       validate :client,       error: :invalid_client
       validate :grant,        error: :invalid_grant
@@ -32,12 +31,6 @@ module Doorkeeper
 
           grant.revoke
 
-          resource_owner = if Doorkeeper.config.polymorphic_resource_owner?
-                             grant.resource_owner
-                           else
-                             grant.resource_owner_id
-                           end
-
           find_or_create_access_token(
             grant.application,
             resource_owner,
@@ -49,16 +42,16 @@ module Doorkeeper
         super
       end
 
-      def pkce_supported?
-        Doorkeeper.config.access_grant_model.pkce_supported?
+      def resource_owner
+        if Doorkeeper.config.polymorphic_resource_owner?
+          grant.resource_owner
+        else
+          grant.resource_owner_id
+        end
       end
 
-      def validate_pkce_support
-        @invalid_request_reason = :not_support_pkce if grant &&
-                                                       !pkce_supported? &&
-                                                       code_verifier.present?
-
-        @invalid_request_reason.nil?
+      def pkce_supported?
+        Doorkeeper.config.access_grant_model.pkce_supported?
       end
 
       def validate_params
@@ -91,8 +84,8 @@ module Doorkeeper
       # if either side (server or client) request PKCE, check the verifier
       # against the DB - if PKCE is supported
       def validate_code_verifier
-        return true unless grant.uses_pkce? || code_verifier
-        return false unless pkce_supported?
+        return true unless pkce_supported?
+        return grant.code_challenge.blank? if code_verifier.blank?
 
         if grant.code_challenge_method == "S256"
           grant.code_challenge == generate_code_challenge(code_verifier)

data/lib/doorkeeper/oauth/base_request.rb

@@ -27,7 +27,7 @@ module Doorkeeper
       end
 
       def find_or_create_access_token(client, resource_owner, scopes, server)
-        context = Authorization::Token.build_context(client, grant_type, scopes)
+        context = Authorization::Token.build_context(client, grant_type, scopes, resource_owner)
         @access_token = server_config.access_token_model.find_or_create_for(
           application: client,
           resource_owner: resource_owner,

data/lib/doorkeeper/oauth/client_credentials/creator.rb

@@ -39,7 +39,8 @@ module Doorkeeper
         end
 
         def lookup_existing_token?
-          server_config.reuse_access_token || server_config.revoke_previous_client_credentials_token?
+          server_config.reuse_access_token ||
+            server_config.revoke_previous_client_credentials_token?
         end
 
         def find_existing_token_for(client, scopes)

data/lib/doorkeeper/oauth/client_credentials/issuer.rb

@@ -30,6 +30,7 @@ module Doorkeeper
             client,
             Doorkeeper::OAuth::CLIENT_CREDENTIALS,
             scopes,
+            nil,
           )
           ttl = Authorization::Token.access_token_expires_in(@server, context)
 

data/lib/doorkeeper/oauth/code_response.rb

@@ -21,23 +21,29 @@ module Doorkeeper
         auth.token
       end
 
-      def redirect_uri
-        if URIChecker.oob_uri?(pre_auth.redirect_uri)
-          auth.oob_redirect
-        elsif response_on_fragment
-          Authorization::URIBuilder.uri_with_fragment(
-            pre_auth.redirect_uri,
+      def body
+        if auth.try(:access_token?)
+          {
             access_token: auth.token.plaintext_token,
             token_type: auth.token.token_type,
             expires_in: auth.token.expires_in_seconds,
             state: pre_auth.state,
-          )
-        else
-          Authorization::URIBuilder.uri_with_query(
-            pre_auth.redirect_uri,
+          }
+        elsif auth.try(:access_grant?)
+          {
             code: auth.token.plaintext_token,
             state: pre_auth.state,
-          )
+          }
+        end
+      end
+
+      def redirect_uri
+        if URIChecker.oob_uri?(pre_auth.redirect_uri)
+          auth.oob_redirect
+        elsif response_on_fragment
+          Authorization::URIBuilder.uri_with_fragment(pre_auth.redirect_uri, body)
+        else
+          Authorization::URIBuilder.uri_with_query(pre_auth.redirect_uri, body)
         end
       end
     end

data/lib/doorkeeper/oauth/error_response.rb

@@ -5,6 +5,8 @@ module Doorkeeper
     class ErrorResponse < BaseResponse
       include OAuth::Helpers
 
+      NON_REDIRECTABLE_STATES = %i[invalid_redirect_uri invalid_client unauthorized_client].freeze
+
       def self.from_request(request, attributes = {})
         new(
           attributes.merge(
@@ -32,7 +34,7 @@ module Doorkeeper
       end
 
       def status
-        if name == :invalid_client
+        if name == :invalid_client || name == :unauthorized_client
           :unauthorized
         else
           :bad_request
@@ -40,8 +42,7 @@ module Doorkeeper
       end
 
       def redirectable?
-        name != :invalid_redirect_uri && name != :invalid_client &&
-          !URIChecker.oob_uri?(@redirect_uri)
+        !NON_REDIRECTABLE_STATES.include?(name) && !URIChecker.oob_uri?(@redirect_uri)
       end
 
       def redirect_uri

data/lib/doorkeeper/oauth/helpers/scope_checker.rb

@@ -12,9 +12,7 @@ module Doorkeeper
             @scope_str = scope_str
             @valid_scopes = valid_scopes(server_scopes, app_scopes)
 
-            if grant_type
-              @scopes_by_grant_type = Doorkeeper.config.scopes_by_grant_type[grant_type.to_sym]
-            end
+            @scopes_by_grant_type = Doorkeeper.config.scopes_by_grant_type[grant_type.to_sym] if grant_type
           end
 
           def valid?

data/lib/doorkeeper/oauth/password_access_token_request.rb

@@ -43,8 +43,27 @@ module Doorkeeper
         resource_owner.present?
       end
 
+      # Section 4.3.2. Access Token Request for Resource Owner Password Credentials Grant:
+      #
+      #   If the client type is confidential or the client was issued client credentials (or assigned
+      #   other authentication requirements), the client MUST authenticate with the authorization
+      #   server as described in Section 3.2.1.
+      #
+      #   The authorization server MUST:
+      #
+      #    o  require client authentication for confidential clients or for any  client that was
+      #       issued client credentials (or with other authentication requirements)
+      #
+      #    o  authenticate the client if client authentication is included,
+      #
+      #   @see https://tools.ietf.org/html/rfc6749#section-4.3
+      #
       def validate_client
-        !parameters[:client_id] || client.present?
+        if Doorkeeper.config.skip_client_authentication_for_password_grant
+          !parameters[:client_id] || client.present?
+        else
+          client.present?
+        end
       end
 
       def validate_client_supports_grant_flow

data/lib/doorkeeper/oauth/pre_authorization.rb

@@ -12,16 +12,19 @@ module Doorkeeper
       validate :redirect_uri, error: :invalid_redirect_uri
       validate :params, error: :invalid_request
       validate :response_type, error: :unsupported_response_type
+      validate :response_mode, error: :unsupported_response_mode
       validate :scopes, error: :invalid_scope
       validate :code_challenge_method, error: :invalid_code_challenge_method
 
       attr_reader :client, :code_challenge, :code_challenge_method, :missing_param,
-                  :redirect_uri, :resource_owner, :response_type, :state
+                  :redirect_uri, :resource_owner, :response_type, :state,
+                  :authorization_response_flow, :response_mode
 
       def initialize(server, parameters = {}, resource_owner = nil)
         @server                = server
         @client_id             = parameters[:client_id]
         @response_type         = parameters[:response_type]
+        @response_mode         = parameters[:response_mode]
         @redirect_uri          = parameters[:redirect_uri]
         @scope                 = parameters[:scope]
         @state                 = parameters[:state]
@@ -57,6 +60,10 @@ module Doorkeeper
         pre_auth_hash
       end
 
+      def form_post_response?
+        response_mode == "form_post"
+      end
+
       private
 
       attr_reader :client_id, :server
@@ -84,6 +91,11 @@ module Doorkeeper
         Doorkeeper.config.allow_grant_flow_for_client?(grant_type, client.application)
       end
 
+      def validate_resource_owner_authorize_for_client
+        # The `authorize_resource_owner_for_client` config option is used for this validation
+        client.application.authorized_for_resource_owner?(@resource_owner)
+      end
+
       def validate_redirect_uri
         return false if redirect_uri.blank?
 
@@ -104,7 +116,21 @@ module Doorkeeper
       end
 
       def validate_response_type
-        server.authorization_response_types.include?(response_type)
+        server.authorization_response_flows.any? do |flow|
+          if flow.matches_response_type?(response_type)
+            @authorization_response_flow = flow
+            true
+          end
+        end
+      end
+
+      def validate_response_mode
+        if response_mode.blank?
+          @response_mode = authorization_response_flow.default_response_mode
+          return true
+        end
+
+        authorization_response_flow.matches_response_mode?(response_mode)
       end
 
       def validate_scopes
@@ -117,17 +143,16 @@ module Doorkeeper
       end
 
       def validate_code_challenge_method
+        return true unless Doorkeeper.config.access_grant_model.pkce_supported?
+
         code_challenge.blank? ||
           (code_challenge_method.present? && code_challenge_method =~ /^plain$|^S256$/)
       end
 
-      def validate_resource_owner_authorize_for_client
-        # The `authorize_resource_owner_for_client` config option is used for this validation
-        client.application.authorized_for_resource_owner?(@resource_owner)
-      end
-
       def response_on_fragment?
-        response_type == "token"
+        return response_type == "token" if response_mode.nil?
+
+        response_mode == "fragment"
       end
 
       def grant_type

data/lib/doorkeeper/oauth/refresh_token_request.rb

@@ -62,6 +62,19 @@ module Doorkeeper
           attributes[:previous_refresh_token] = refresh_token.refresh_token
         end
 
+        # RFC6749
+        # 1.5.  Refresh Token
+        #
+        # Refresh tokens are issued to the client by the authorization server and are
+        # used to obtain a new access token when the current access token
+        # becomes invalid or expires, or to obtain additional access tokens
+        # with identical or narrower scope (access tokens may have a shorter
+        # lifetime and fewer permissions than authorized by the resource
+        # owner).
+        #
+        # Here we assume that TTL of the token received after refreshing should be
+        # the same as that of the original token.
+        #
         @access_token = server_config.access_token_model.create_for(
           application: refresh_token.application,
           resource_owner: resource_owner,

data/lib/doorkeeper/orm/active_record/mixins/application.rb

@@ -137,9 +137,9 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
         only = Array.wrap(opts[:only]).map(&:to_s)
 
         only = if only.blank?
-                 serializable_attributes
+                 client_serializable_attributes
                else
-                 only & serializable_attributes
+                 only & client_serializable_attributes
                end
 
         only -= Array.wrap(opts[:except]).map(&:to_s) if opts.key?(:except)
@@ -150,7 +150,10 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
       # Override this method if you need additional attributes to be serialized.
       #
       # @return [Array<String>] collection of serializable attributes
-      def serializable_attributes
+      #
+      # NOTE: `serializable_attributes` method already taken by Rails >= 6
+      #
+      def client_serializable_attributes
         attributes = %w[id name created_at]
         attributes << "uid" unless confidential?
         attributes

data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb

@@ -21,6 +21,7 @@ module Doorkeeper
           record.errors.add(attribute, :unspecified_scheme) if unspecified_scheme?(uri)
           record.errors.add(attribute, :relative_uri) if relative_uri?(uri)
           record.errors.add(attribute, :secured_uri) if invalid_ssl_uri?(uri)
+          record.errors.add(attribute, :invalid_uri) if unspecified_host?(uri)
         end
       end
     rescue URI::InvalidURIError
@@ -43,6 +44,10 @@ module Doorkeeper
       %w[localhost].include?(uri.try(:scheme))
     end
 
+    def unspecified_host?(uri)
+      uri.is_a?(URI::HTTP) && uri.host.nil?
+    end
+
     def relative_uri?(uri)
       uri.scheme.nil? && uri.host.nil?
     end

data/lib/doorkeeper/orm/active_record.rb

@@ -20,9 +20,8 @@ module Doorkeeper
           require "doorkeeper/orm/active_record/access_token"
           require "doorkeeper/orm/active_record/application"
 
-          if Doorkeeper.config.active_record_options[:establish_connection]
+          if (options = Doorkeeper.config.active_record_options[:establish_connection])
             Doorkeeper::Orm::ActiveRecord.models.each do |model|
-              options = Doorkeeper.config.active_record_options[:establish_connection]
               model.establish_connection(options)
             end
           end
@@ -51,9 +50,9 @@ module Doorkeeper
 
       def self.models
         [
-          Doorkeeper::AccessGrant,
-          Doorkeeper::AccessToken,
-          Doorkeeper::Application,
+          Doorkeeper.config.access_grant_model,
+          Doorkeeper.config.access_token_model,
+          Doorkeeper.config.application_model,
         ]
       end
     end

data/lib/doorkeeper/rails/routes.rb

@@ -29,8 +29,6 @@ module Doorkeeper
 
       def initialize(routes, mapper = Mapper.new, &block)
         super
-
-        @mapping.skips.push(:applications, :authorized_applications) if Doorkeeper.config.api_only
       end
 
       def generate_routes!(options)
@@ -38,7 +36,7 @@ module Doorkeeper
           map_route(:authorizations, :authorization_routes)
           map_route(:tokens, :token_routes)
           map_route(:tokens, :revoke_routes)
-          map_route(:tokens, :introspect_routes)
+          map_route(:tokens, :introspect_routes) unless Doorkeeper.config.allow_token_introspection.is_a?(FalseClass)
           map_route(:applications, :application_routes)
           map_route(:authorized_applications, :authorized_applications_routes)
           map_route(:token_info, :token_info_routes)