doorkeeper 5.4.0 → 5.5.0.rc2

data/lib/doorkeeper/request.rb

@@ -4,32 +4,69 @@ module Doorkeeper
   module Request
     class << self
       def authorization_strategy(response_type)
-        build_strategy_class(response_type)
+        grant_flow = authorization_flows.detect do |flow|
+          flow.matches_response_type?(response_type)
+        end
+
+        if grant_flow
+          grant_flow.response_type_strategy
+        else
+          # [NOTE]: this will be removed in a newer versions of Doorkeeper.
+          # For retro-compatibility only
+          build_fallback_strategy_class(response_type)
+        end
       end
 
       def token_strategy(grant_type)
         raise Errors::MissingRequiredParameter, :grant_type if grant_type.blank?
 
-        get_strategy(grant_type, token_grant_types)
-      rescue NameError
-        raise Errors::InvalidTokenStrategy
-      end
+        grant_flow = token_flows.detect do |flow|
+          flow.matches_grant_type?(grant_type)
+        end
 
-      def get_strategy(grant_type, available)
-        raise NameError unless available.include?(grant_type.to_s)
+        if grant_flow
+          grant_flow.grant_type_strategy
+        else
+          # [NOTE]: this will be removed in a newer versions of Doorkeeper.
+          # For retro-compatibility only
+          raise Errors::InvalidTokenStrategy unless available.include?(grant_type.to_s)
 
-        build_strategy_class(grant_type)
+          strategy_class = build_fallback_strategy_class(grant_type)
+          raise Errors::InvalidTokenStrategy unless strategy_class
+
+          strategy_class
+        end
       end
 
       private
 
-      def token_grant_types
-        Doorkeeper.config.token_grant_types
+      def authorization_flows
+        Doorkeeper.configuration.authorization_response_flows
+      end
+
+      def token_flows
+        Doorkeeper.configuration.token_grant_flows
       end
 
-      def build_strategy_class(grant_or_request_type)
+      # [NOTE]: this will be removed in a newer versions of Doorkeeper.
+      # For retro-compatibility only
+      def available
+        Doorkeeper.config.deprecated_token_grant_types_resolver
+      end
+
+      def build_fallback_strategy_class(grant_or_request_type)
         strategy_class_name = grant_or_request_type.to_s.tr(" ", "_").camelize
-        "Doorkeeper::Request::#{strategy_class_name}".constantize
+        fallback_strategy = "Doorkeeper::Request::#{strategy_class_name}".constantize
+
+        ::Kernel.warn <<~WARNING
+          [DOORKEEPER] #{fallback_strategy} found using fallback, it must be
+          registered using `Doorkeeper::GrantFlow.register(grant_flow_name, **options)`.
+          This functionality will be removed in a newer versions of Doorkeeper.
+        WARNING
+
+        fallback_strategy
+      rescue NameError
+        raise Errors::InvalidTokenStrategy
       end
     end
   end

data/lib/doorkeeper/version.rb

@@ -1,16 +1,12 @@
 # frozen_string_literal: true
 
 module Doorkeeper
-  def self.gem_version
-    Gem::Version.new VERSION::STRING
-  end
-
   module VERSION
     # Semantic versioning
     MAJOR = 5
-    MINOR = 4
+    MINOR = 5
     TINY = 0
-    PRE = nil
+    PRE = "rc2"
 
     # Full version number
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

data/lib/doorkeeper.rb

@@ -7,6 +7,7 @@ require "doorkeeper/engine"
 #
 module Doorkeeper
   autoload :Errors, "doorkeeper/errors"
+  autoload :GrantFlow, "doorkeeper/grant_flow"
   autoload :OAuth, "doorkeeper/oauth"
   autoload :Rake, "doorkeeper/rake"
   autoload :Request, "doorkeeper/request"
@@ -114,4 +115,8 @@ module Doorkeeper
   def self.authenticate(request, methods = Doorkeeper.config.access_token_methods)
     OAuth::Token.authenticate(request, *methods)
   end
+
+  def self.gem_version
+    ::Gem::Version.new(::Doorkeeper::VERSION::STRING)
+  end
 end

data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb

@@ -2,7 +2,7 @@
 
 class AddOwnerToApplication < ActiveRecord::Migration<%= migration_version %>
   def change
-    add_column :oauth_applications, :owner_id, :integer, null: true
+    add_column :oauth_applications, :owner_id, :bigint, null: true
     add_column :oauth_applications, :owner_type, :string, null: true
     add_index :oauth_applications, [:owner_id, :owner_type]
   end

data/lib/generators/doorkeeper/templates/initializer.rb

@@ -103,12 +103,13 @@ Doorkeeper.configure do
   #
   # `context` has the following properties available:
   #
-  # `client` - the OAuth client application (see Doorkeeper::OAuth::Client)
-  # `grant_type` - the grant type of the request (see Doorkeeper::OAuth)
-  # `scopes` - the requested scopes (see Doorkeeper::OAuth::Scopes)
+  #   * `client` - the OAuth client application (see Doorkeeper::OAuth::Client)
+  #   * `grant_type` - the grant type of the request (see Doorkeeper::OAuth)
+  #   * `scopes` - the requested scopes (see Doorkeeper::OAuth::Scopes)
+  #   * `resource_owner` - authorized resource owner instance (if present)
   #
   # custom_access_token_expires_in do |context|
-  #   context.client.application.additional_settings.implicit_oauth_expiration
+  #   context.client.additional_settings.implicit_oauth_expiration
   # end
 
   # Use a custom class for generating the access token.
@@ -167,8 +168,7 @@ Doorkeeper.configure do
   # since plain values can no longer be retrieved.
   #
   # Note: If you are already a user of doorkeeper and have existing tokens
-  # in your installation, they will be invalid without enabling the additional
-  # setting `fallback_to_plain_secrets` below.
+  # in your installation, they will be invalid without adding 'fallback: :plain'.
   #
   # hash_token_secrets
   # By default, token secrets will be hashed using the
@@ -202,7 +202,9 @@ Doorkeeper.configure do
   # This will ensure that old access tokens and secrets
   # will remain valid even if the hashing above is enabled.
   #
-  # fallback_to_plain_secrets
+  # This can be done by adding 'fallback: plain', e.g. :
+  #
+  # hash_application_secrets using: '::Doorkeeper::SecretStoring::BCrypt', fallback: :plain
 
   # Issue access tokens with refresh token (disabled by default), you may also
   # pass a block which accepts `context` to customize when to give a refresh

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper
 version: !ruby/object:Gem::Version
-  version: 5.4.0
+  version: 5.5.0.rc2
 platform: ruby
 authors:
 - Felipe Elias Philipp
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-11 00:00:00.000000000 Z
+date: 2021-01-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -103,14 +103,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '6.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '6.0'
 - !ruby/object:Gem::Dependency
   name: generator_spec
   requirement: !ruby/object:Gem::Requirement
@@ -194,6 +194,7 @@ files:
 - app/views/doorkeeper/applications/new.html.erb
 - app/views/doorkeeper/applications/show.html.erb
 - app/views/doorkeeper/authorizations/error.html.erb
+- app/views/doorkeeper/authorizations/form_post.html.erb
 - app/views/doorkeeper/authorizations/new.html.erb
 - app/views/doorkeeper/authorizations/show.html.erb
 - app/views/doorkeeper/authorized_applications/_delete_form.html.erb
@@ -205,8 +206,13 @@ files:
 - lib/doorkeeper/config.rb
 - lib/doorkeeper/config/abstract_builder.rb
 - lib/doorkeeper/config/option.rb
+- lib/doorkeeper/config/validations.rb
 - lib/doorkeeper/engine.rb
 - lib/doorkeeper/errors.rb
+- lib/doorkeeper/grant_flow.rb
+- lib/doorkeeper/grant_flow/fallback_flow.rb
+- lib/doorkeeper/grant_flow/flow.rb
+- lib/doorkeeper/grant_flow/registry.rb
 - lib/doorkeeper/grape/authorization_decorator.rb
 - lib/doorkeeper/grape/helpers.rb
 - lib/doorkeeper/helpers/controller.rb
@@ -316,7 +322,14 @@ metadata:
   source_code_uri: https://github.com/doorkeeper-gem/doorkeeper
   bug_tracker_uri: https://github.com/doorkeeper-gem/doorkeeper/issues
   documentation_uri: https://doorkeeper.gitbook.io/guides/
-post_install_message: 
+post_install_message: "Starting from 5.5.0.rc1 Doorkeeper requires client authentication
+  for Resource Owner Password Grant\nas stated in the OAuth RFC. You have to create
+  a new OAuth client (Doorkeeper::Application) if you didn't\nhave it before and use
+  client credentials in HTTP Basic auth if you previously used this grant flow without\nclient
+  authentication. \n\nTo opt out of this you could set the \"skip_client_authentication_for_password_grant\"
+  configuration option\nto \"true\", but note that this is in violation of the OAuth
+  spec and represents a security risk.\n\nRead https://github.com/doorkeeper-gem/doorkeeper/issues/561#issuecomment-612857163
+  for more details."
 rdoc_options: []
 require_paths:
 - lib
@@ -327,11 +340,11 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
-rubygems_version: 3.0.2
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: OAuth 2 provider for Rails and Grape