doorkeeper 5.4.0 → 5.5.2

data/lib/doorkeeper/oauth/refresh_token_request.rb

@@ -62,6 +62,19 @@ module Doorkeeper
           attributes[:previous_refresh_token] = refresh_token.refresh_token
         end
 
+        # RFC6749
+        # 1.5.  Refresh Token
+        #
+        # Refresh tokens are issued to the client by the authorization server and are
+        # used to obtain a new access token when the current access token
+        # becomes invalid or expires, or to obtain additional access tokens
+        # with identical or narrower scope (access tokens may have a shorter
+        # lifetime and fewer permissions than authorized by the resource
+        # owner).
+        #
+        # Here we assume that TTL of the token received after refreshing should be
+        # the same as that of the original token.
+        #
         @access_token = server_config.access_token_model.create_for(
           application: refresh_token.application,
           resource_owner: resource_owner,

data/lib/doorkeeper/orm/active_record.rb

@@ -20,9 +20,8 @@ module Doorkeeper
           require "doorkeeper/orm/active_record/access_token"
           require "doorkeeper/orm/active_record/application"
 
-          if Doorkeeper.config.active_record_options[:establish_connection]
+          if (options = Doorkeeper.config.active_record_options[:establish_connection])
             Doorkeeper::Orm::ActiveRecord.models.each do |model|
-              options = Doorkeeper.config.active_record_options[:establish_connection]
               model.establish_connection(options)
             end
           end
@@ -38,22 +37,14 @@ module Doorkeeper
       end
 
       def self.lazy_load(&block)
-        # ActiveSupport has no public interface to check if something
-        # already lazy-loaded :(
-        loaded = ActiveSupport.instance_variable_get(:"@loaded") || {}
-
-        if loaded.key?(:active_record)
-          block.call
-        else
-          ActiveSupport.on_load(:active_record, {}, &block)
-        end
+        ActiveSupport.on_load(:active_record, {}, &block)
       end
 
       def self.models
         [
-          Doorkeeper::AccessGrant,
-          Doorkeeper::AccessToken,
-          Doorkeeper::Application,
+          Doorkeeper.config.access_grant_model,
+          Doorkeeper.config.access_token_model,
+          Doorkeeper.config.application_model,
         ]
       end
     end

data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb

@@ -5,7 +5,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
     extend ActiveSupport::Concern
 
     included do
-      self.table_name = "#{table_name_prefix}oauth_access_grants#{table_name_suffix}"
+      self.table_name = compute_doorkeeper_table_name
 
       include ::Doorkeeper::AccessGrantMixin
 
@@ -54,5 +54,15 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
         secret_strategy.store_secret(self, :token, @raw_token)
       end
     end
+
+    module ClassMethods
+      private
+
+      def compute_doorkeeper_table_name
+        table_name = "oauth_access_grant"
+        table_name = table_name.pluralize if pluralize_table_names
+        "#{table_name_prefix}#{table_name}#{table_name_suffix}"
+      end
+    end
   end
 end

data/lib/doorkeeper/orm/active_record/mixins/access_token.rb

@@ -5,7 +5,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
     extend ActiveSupport::Concern
 
     included do
-      self.table_name = "#{table_name_prefix}oauth_access_tokens#{table_name_suffix}"
+      self.table_name = compute_doorkeeper_table_name
 
       include ::Doorkeeper::AccessTokenMixin
 
@@ -46,6 +46,14 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
       def refresh_token_revoked_on_use?
         column_names.include?("previous_refresh_token")
       end
+
+      private
+
+      def compute_doorkeeper_table_name
+        table_name = "oauth_access_token"
+        table_name = table_name.pluralize if pluralize_table_names
+        "#{table_name_prefix}#{table_name}#{table_name_suffix}"
+      end
     end
   end
 end

data/lib/doorkeeper/orm/active_record/mixins/application.rb

@@ -5,7 +5,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
     extend ActiveSupport::Concern
 
     included do
-      self.table_name = "#{table_name_prefix}oauth_applications#{table_name_suffix}"
+      self.table_name = compute_doorkeeper_table_name
 
       include ::Doorkeeper::ApplicationMixin
 
@@ -137,9 +137,9 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
         only = Array.wrap(opts[:only]).map(&:to_s)
 
         only = if only.blank?
-                 serializable_attributes
+                 client_serializable_attributes
                else
-                 only & serializable_attributes
+                 only & client_serializable_attributes
                end
 
         only -= Array.wrap(opts[:except]).map(&:to_s) if opts.key?(:except)
@@ -150,7 +150,10 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
       # Override this method if you need additional attributes to be serialized.
       #
       # @return [Array<String>] collection of serializable attributes
-      def serializable_attributes
+      #
+      # NOTE: `serializable_attributes` method already taken by Rails >= 6
+      #
+      def client_serializable_attributes
         attributes = %w[id name created_at]
         attributes << "uid" unless confidential?
         attributes
@@ -182,6 +185,14 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
         Doorkeeper.config.access_token_model.revoke_all_for(id, resource_owner)
         Doorkeeper.config.access_grant_model.revoke_all_for(id, resource_owner)
       end
+
+      private
+
+      def compute_doorkeeper_table_name
+        table_name = "oauth_application"
+        table_name = table_name.pluralize if pluralize_table_names
+        "#{table_name_prefix}#{table_name}#{table_name_suffix}"
+      end
     end
   end
 end

data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb

@@ -21,6 +21,7 @@ module Doorkeeper
           record.errors.add(attribute, :unspecified_scheme) if unspecified_scheme?(uri)
           record.errors.add(attribute, :relative_uri) if relative_uri?(uri)
           record.errors.add(attribute, :secured_uri) if invalid_ssl_uri?(uri)
+          record.errors.add(attribute, :invalid_uri) if unspecified_host?(uri)
         end
       end
     rescue URI::InvalidURIError
@@ -43,6 +44,10 @@ module Doorkeeper
       %w[localhost].include?(uri.try(:scheme))
     end
 
+    def unspecified_host?(uri)
+      uri.is_a?(URI::HTTP) && uri.host.nil?
+    end
+
     def relative_uri?(uri)
       uri.scheme.nil? && uri.host.nil?
     end

data/lib/doorkeeper/rails/routes.rb

@@ -29,8 +29,6 @@ module Doorkeeper
 
       def initialize(routes, mapper = Mapper.new, &block)
         super
-
-        @mapping.skips.push(:applications, :authorized_applications) if Doorkeeper.config.api_only
       end
 
       def generate_routes!(options)
@@ -38,7 +36,7 @@ module Doorkeeper
           map_route(:authorizations, :authorization_routes)
           map_route(:tokens, :token_routes)
           map_route(:tokens, :revoke_routes)
-          map_route(:tokens, :introspect_routes)
+          map_route(:tokens, :introspect_routes) unless Doorkeeper.config.allow_token_introspection.is_a?(FalseClass)
           map_route(:applications, :application_routes)
           map_route(:authorized_applications, :authorized_applications_routes)
           map_route(:token_info, :token_info_routes)

data/lib/doorkeeper/rake/db.rake

@@ -13,7 +13,7 @@ namespace :doorkeeper do
     namespace :cleanup do
       desc "Removes stale access tokens"
       task revoked_tokens: "doorkeeper:setup" do
-        cleaner = Doorkeeper::StaleRecordsCleaner.new(Doorkeeper::AccessToken)
+        cleaner = Doorkeeper::StaleRecordsCleaner.new(Doorkeeper.config.access_token_model)
         cleaner.clean_revoked
       end
 
@@ -26,13 +26,13 @@ namespace :doorkeeper do
 
       desc "Removes stale access grants"
       task revoked_grants: "doorkeeper:setup" do
-        cleaner = Doorkeeper::StaleRecordsCleaner.new(Doorkeeper::AccessGrant)
+        cleaner = Doorkeeper::StaleRecordsCleaner.new(Doorkeeper.config.access_grant_model)
         cleaner.clean_revoked
       end
 
       desc "Removes expired (TTL passed) access grants"
       task expired_grants: "doorkeeper:setup" do
-        cleaner = Doorkeeper::StaleRecordsCleaner.new(Doorkeeper::AccessGrant)
+        cleaner = Doorkeeper::StaleRecordsCleaner.new(Doorkeeper.config.access_grant_model)
         cleaner.clean_expired(Doorkeeper.config.authorization_code_expires_in)
       end
     end

data/lib/doorkeeper/rake/setup.rake

@@ -2,5 +2,10 @@
 
 namespace :doorkeeper do
   task setup: :environment do
+    # Dirty hack to manually initialize AR because of lazy auto-loading,
+    # in other case we'll see NameError: uninitialized constant Doorkeeper::AccessToken
+    if Doorkeeper.config.orm == :active_record && defined?(::ActiveRecord::Base)
+      Object.const_get("::ActiveRecord::Base")
+    end
   end
 end

data/lib/doorkeeper/request.rb

@@ -4,32 +4,69 @@ module Doorkeeper
   module Request
     class << self
       def authorization_strategy(response_type)
-        build_strategy_class(response_type)
+        grant_flow = authorization_flows.detect do |flow|
+          flow.matches_response_type?(response_type)
+        end
+
+        if grant_flow
+          grant_flow.response_type_strategy
+        else
+          # [NOTE]: this will be removed in a newer versions of Doorkeeper.
+          # For retro-compatibility only
+          build_fallback_strategy_class(response_type)
+        end
       end
 
       def token_strategy(grant_type)
         raise Errors::MissingRequiredParameter, :grant_type if grant_type.blank?
 
-        get_strategy(grant_type, token_grant_types)
-      rescue NameError
-        raise Errors::InvalidTokenStrategy
-      end
+        grant_flow = token_flows.detect do |flow|
+          flow.matches_grant_type?(grant_type)
+        end
 
-      def get_strategy(grant_type, available)
-        raise NameError unless available.include?(grant_type.to_s)
+        if grant_flow
+          grant_flow.grant_type_strategy
+        else
+          # [NOTE]: this will be removed in a newer versions of Doorkeeper.
+          # For retro-compatibility only
+          raise Errors::InvalidTokenStrategy unless available.include?(grant_type.to_s)
 
-        build_strategy_class(grant_type)
+          strategy_class = build_fallback_strategy_class(grant_type)
+          raise Errors::InvalidTokenStrategy unless strategy_class
+
+          strategy_class
+        end
       end
 
       private
 
-      def token_grant_types
-        Doorkeeper.config.token_grant_types
+      def authorization_flows
+        Doorkeeper.configuration.authorization_response_flows
+      end
+
+      def token_flows
+        Doorkeeper.configuration.token_grant_flows
       end
 
-      def build_strategy_class(grant_or_request_type)
+      # [NOTE]: this will be removed in a newer versions of Doorkeeper.
+      # For retro-compatibility only
+      def available
+        Doorkeeper.config.deprecated_token_grant_types_resolver
+      end
+
+      def build_fallback_strategy_class(grant_or_request_type)
         strategy_class_name = grant_or_request_type.to_s.tr(" ", "_").camelize
-        "Doorkeeper::Request::#{strategy_class_name}".constantize
+        fallback_strategy = "Doorkeeper::Request::#{strategy_class_name}".constantize
+
+        ::Kernel.warn <<~WARNING
+          [DOORKEEPER] #{fallback_strategy} found using fallback, it must be
+          registered using `Doorkeeper::GrantFlow.register(grant_flow_name, **options)`.
+          This functionality will be removed in a newer versions of Doorkeeper.
+        WARNING
+
+        fallback_strategy
+      rescue NameError
+        raise Errors::InvalidTokenStrategy
       end
     end
   end

data/lib/doorkeeper/request/password.rb

@@ -9,6 +9,7 @@ module Doorkeeper
         @request ||= OAuth::PasswordAccessTokenRequest.new(
           Doorkeeper.config,
           client,
+          credentials,
           resource_owner,
           parameters,
         )

data/lib/doorkeeper/version.rb

@@ -1,15 +1,11 @@
 # frozen_string_literal: true
 
 module Doorkeeper
-  def self.gem_version
-    Gem::Version.new VERSION::STRING
-  end
-
   module VERSION
     # Semantic versioning
     MAJOR = 5
-    MINOR = 4
-    TINY = 0
+    MINOR = 5
+    TINY = 2
     PRE = nil
 
     # Full version number

data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb

@@ -2,7 +2,7 @@
 
 class AddOwnerToApplication < ActiveRecord::Migration<%= migration_version %>
   def change
-    add_column :oauth_applications, :owner_id, :integer, null: true
+    add_column :oauth_applications, :owner_id, :bigint, null: true
     add_column :oauth_applications, :owner_type, :string, null: true
     add_index :oauth_applications, [:owner_id, :owner_type]
   end

data/lib/generators/doorkeeper/templates/initializer.rb

@@ -103,12 +103,13 @@ Doorkeeper.configure do
   #
   # `context` has the following properties available:
   #
-  # `client` - the OAuth client application (see Doorkeeper::OAuth::Client)
-  # `grant_type` - the grant type of the request (see Doorkeeper::OAuth)
-  # `scopes` - the requested scopes (see Doorkeeper::OAuth::Scopes)
+  #   * `client` - the OAuth client application (see Doorkeeper::OAuth::Client)
+  #   * `grant_type` - the grant type of the request (see Doorkeeper::OAuth)
+  #   * `scopes` - the requested scopes (see Doorkeeper::OAuth::Scopes)
+  #   * `resource_owner` - authorized resource owner instance (if present)
   #
   # custom_access_token_expires_in do |context|
-  #   context.client.application.additional_settings.implicit_oauth_expiration
+  #   context.client.additional_settings.implicit_oauth_expiration
   # end
 
   # Use a custom class for generating the access token.
@@ -119,7 +120,7 @@ Doorkeeper.configure do
   # The controller +Doorkeeper::ApplicationController+ inherits from.
   # Defaults to +ActionController::Base+ unless +api_only+ is set, which changes the default to
   # +ActionController::API+. The return value of this option must be a stringified class name.
-  # See https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-base-controller
+  # See https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-controllers
   #
   # base_controller 'ApplicationController'
 
@@ -167,8 +168,7 @@ Doorkeeper.configure do
   # since plain values can no longer be retrieved.
   #
   # Note: If you are already a user of doorkeeper and have existing tokens
-  # in your installation, they will be invalid without enabling the additional
-  # setting `fallback_to_plain_secrets` below.
+  # in your installation, they will be invalid without adding 'fallback: :plain'.
   #
   # hash_token_secrets
   # By default, token secrets will be hashed using the
@@ -202,7 +202,9 @@ Doorkeeper.configure do
   # This will ensure that old access tokens and secrets
   # will remain valid even if the hashing above is enabled.
   #
-  # fallback_to_plain_secrets
+  # This can be done by adding 'fallback: plain', e.g. :
+  #
+  # hash_application_secrets using: '::Doorkeeper::SecretStoring::BCrypt', fallback: :plain
 
   # Issue access tokens with refresh token (disabled by default), you may also
   # pass a block which accepts `context` to customize when to give a refresh

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper
 version: !ruby/object:Gem::Version
-  version: 5.4.0
+  version: 5.5.2
 platform: ruby
 authors:
 - Felipe Elias Philipp
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-11 00:00:00.000000000 Z
+date: 2021-06-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -89,28 +89,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.6'
+        version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.6'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: factory_bot
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '6.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '6.0'
 - !ruby/object:Gem::Dependency
   name: generator_spec
   requirement: !ruby/object:Gem::Requirement
@@ -194,6 +194,7 @@ files:
 - app/views/doorkeeper/applications/new.html.erb
 - app/views/doorkeeper/applications/show.html.erb
 - app/views/doorkeeper/authorizations/error.html.erb
+- app/views/doorkeeper/authorizations/form_post.html.erb
 - app/views/doorkeeper/authorizations/new.html.erb
 - app/views/doorkeeper/authorizations/show.html.erb
 - app/views/doorkeeper/authorized_applications/_delete_form.html.erb
@@ -205,8 +206,13 @@ files:
 - lib/doorkeeper/config.rb
 - lib/doorkeeper/config/abstract_builder.rb
 - lib/doorkeeper/config/option.rb
+- lib/doorkeeper/config/validations.rb
 - lib/doorkeeper/engine.rb
 - lib/doorkeeper/errors.rb
+- lib/doorkeeper/grant_flow.rb
+- lib/doorkeeper/grant_flow/fallback_flow.rb
+- lib/doorkeeper/grant_flow/flow.rb
+- lib/doorkeeper/grant_flow/registry.rb
 - lib/doorkeeper/grape/authorization_decorator.rb
 - lib/doorkeeper/grape/helpers.rb
 - lib/doorkeeper/helpers/controller.rb
@@ -312,11 +318,18 @@ licenses:
 - MIT
 metadata:
   homepage_uri: https://github.com/doorkeeper-gem/doorkeeper
-  changelog_uri: https://github.com/doorkeeper-gem/doorkeeper/blob/master/CHANGELOG.md
+  changelog_uri: https://github.com/doorkeeper-gem/doorkeeper/blob/main/CHANGELOG.md
   source_code_uri: https://github.com/doorkeeper-gem/doorkeeper
   bug_tracker_uri: https://github.com/doorkeeper-gem/doorkeeper/issues
   documentation_uri: https://doorkeeper.gitbook.io/guides/
-post_install_message: 
+post_install_message: "Starting from 5.5.0 RC1 Doorkeeper requires client authentication
+  for Resource Owner Password Grant\nas stated in the OAuth RFC. You have to create
+  a new OAuth client (Doorkeeper::Application) if you didn't\nhave it before and use
+  client credentials in HTTP Basic auth if you previously used this grant flow without\nclient
+  authentication. \n\nTo opt out of this you could set the \"skip_client_authentication_for_password_grant\"
+  configuration option\nto \"true\", but note that this is in violation of the OAuth
+  spec and represents a security risk.\n\nRead https://github.com/doorkeeper-gem/doorkeeper/issues/561#issuecomment-612857163
+  for more details."
 rdoc_options: []
 require_paths:
 - lib
@@ -324,14 +337,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.4'
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.2
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: OAuth 2 provider for Rails and Grape