doorkeeper 5.5.0.rc2 → 5.5.3
- checksums.yaml +4 -4
- data/CHANGELOG.md +29 -1
- data/README.md +22 -16
- data/app/controllers/doorkeeper/application_controller.rb +1 -0
- data/app/controllers/doorkeeper/authorizations_controller.rb +1 -1
- data/app/controllers/doorkeeper/authorized_applications_controller.rb +1 -1
- data/app/controllers/doorkeeper/token_info_controller.rb +12 -2
- data/app/controllers/doorkeeper/tokens_controller.rb +3 -3
- data/app/helpers/doorkeeper/dashboard_helper.rb +1 -1
- data/app/views/doorkeeper/authorizations/form_post.html.erb +10 -6
- data/app/views/doorkeeper/authorizations/new.html.erb +2 -0
- data/config/locales/en.yml +3 -0
- data/lib/doorkeeper/config.rb +5 -1
- data/lib/doorkeeper/models/access_grant_mixin.rb +1 -1
- data/lib/doorkeeper/models/access_token_mixin.rb +3 -3
- data/lib/doorkeeper/models/concerns/expirable.rb +1 -1
- data/lib/doorkeeper/oauth/authorization_code_request.rb +1 -1
- data/lib/doorkeeper/oauth/code_request.rb +1 -1
- data/lib/doorkeeper/oauth/forbidden_token_response.rb +2 -1
- data/lib/doorkeeper/oauth/helpers/unique_token.rb +2 -2
- data/lib/doorkeeper/oauth/helpers/uri_checker.rb +3 -21
- data/lib/doorkeeper/oauth/password_access_token_request.rb +5 -4
- data/lib/doorkeeper/oauth/refresh_token_request.rb +1 -1
- data/lib/doorkeeper/oauth/token_introspection.rb +3 -3
- data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +12 -1
- data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +10 -1
- data/lib/doorkeeper/orm/active_record/mixins/application.rb +10 -1
- data/lib/doorkeeper/orm/active_record.rb +1 -9
- data/lib/doorkeeper/rake/db.rake +3 -3
- data/lib/doorkeeper/rake/setup.rake +5 -0
- data/lib/doorkeeper/request/password.rb +1 -0
- data/lib/doorkeeper/version.rb +2 -2
- data/lib/generators/doorkeeper/templates/initializer.rb +5 -5
- data/lib/generators/doorkeeper/templates/migration.rb.erb +1 -1
- metadata +9 -9
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 55ced432e71b3066f090735a7f68d95954ef41ec19f371b6ce4244bd2d462c64
|
4
|
+
data.tar.gz: 35da75b4534aa7ac1ceb3ad35d5bc40a4173c06de05212b9e36f88795c083f65
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 8336b6956cfddc0fc8b65923327eddda5ecdf2577c6e5b5cc5bc30aa675624313f3008b4b46cabecfca5b35a8df7f612e0b43974c4668b119254918a3ee1c9a2
|
7
|
+
data.tar.gz: 44ce41f014ea4e04f9626bc929c543ab593fc0087aa70bd011f064a76a6b3f4773c70ed285bcd4996eab5313f8ca278182075b3f912c947fb622a77179e33860
|
data/CHANGELOG.md
CHANGED
@@ -5,10 +5,38 @@ upgrade guides.
|
|
5
5
|
|
6
6
|
User-visible changes worth mentioning.
|
7
7
|
|
8
|
-
##
|
8
|
+
## main
|
9
9
|
|
10
10
|
- [#PR ID] Add your PR description here.
|
11
11
|
|
12
|
+
## 5.5.3
|
13
|
+
|
14
|
+
- [#1528] Don't allow extra query params in redirect_uri.
|
15
|
+
- [#1525] I18n source for forbidden token error is now `doorkeeper.errors.messages.forbidden_token.missing_scope`.
|
16
|
+
- [#1531] Disable `strict-loading` for Doorkeeper models by default.
|
17
|
+
- [#1532] Add support for Rails 7.
|
18
|
+
|
19
|
+
## 5.5.2
|
20
|
+
|
21
|
+
- [#1502] Drop support for Ruby 2.4 because of EOL.
|
22
|
+
- [#1504] Updated the url fragment in the comment for code documentation.
|
23
|
+
- [#1512] Fix form behavior when response mode is form_post.
|
24
|
+
- [#1511] Fix that authorization code is returned by fragment if response_mode is fragament.
|
25
|
+
|
26
|
+
## 5.5.1
|
27
|
+
|
28
|
+
- [#1496] Revoke `old_refresh_token` if `previous_refresh_token` is present.
|
29
|
+
- [#1495] Fix `respond_to` undefined in API-only mode
|
30
|
+
- [#1488] Verify client authentication for Resource Owner Password Grant when
|
31
|
+
`config.skip_client_authentication_for_password_grant` is set and the client credentials
|
32
|
+
are sent in a HTTP Basic auth header.
|
33
|
+
|
34
|
+
## 5.5.0
|
35
|
+
|
36
|
+
- [#1482] Simplify `TokenInfoController` to be overridable (extract response rendering).
|
37
|
+
- [#1478] Fix ownership association and Rake tasks when custom models configured.
|
38
|
+
- [#1477] Respect `ActiveRecord::Base.pluralize_table_names` for Doorkeeper table names.
|
39
|
+
|
12
40
|
## 5.5.0.rc2
|
13
41
|
|
14
42
|
- [#1473] Enable `Applications` and `AuthorizedApplications` controllers in API mode.
|
data/README.md
CHANGED
@@ -1,10 +1,10 @@
|
|
1
1
|
# Doorkeeper — awesome OAuth 2 provider for your Rails / Grape app.
|
2
2
|
|
3
3
|
[![Gem Version](https://badge.fury.io/rb/doorkeeper.svg)](https://rubygems.org/gems/doorkeeper)
|
4
|
-
[![Build Status](https://travis-ci.org/doorkeeper-gem/doorkeeper.svg?branch=
|
4
|
+
[![Build Status](https://travis-ci.org/doorkeeper-gem/doorkeeper.svg?branch=main)](https://travis-ci.org/doorkeeper-gem/doorkeeper)
|
5
5
|
[![Code Climate](https://codeclimate.com/github/doorkeeper-gem/doorkeeper.svg)](https://codeclimate.com/github/doorkeeper-gem/doorkeeper)
|
6
|
-
[![Coverage Status](https://coveralls.io/repos/github/doorkeeper-gem/doorkeeper/badge.svg?branch=
|
7
|
-
[![Security](https://hakiri.io/github/doorkeeper-gem/doorkeeper/
|
6
|
+
[![Coverage Status](https://coveralls.io/repos/github/doorkeeper-gem/doorkeeper/badge.svg?branch=main)](https://coveralls.io/github/doorkeeper-gem/doorkeeper?branch=main)
|
7
|
+
[![Security](https://hakiri.io/github/doorkeeper-gem/doorkeeper/main.svg)](https://hakiri.io/github/doorkeeper-gem/doorkeeper/main)
|
8
8
|
[![Reviewed by Hound](https://img.shields.io/badge/Reviewed_by-Hound-8E64B0.svg)](https://houndci.com)
|
9
9
|
[![GuardRails badge](https://badges.guardrails.io/doorkeeper-gem/doorkeeper.svg?token=66768ce8f6995814df81f65a2cff40f739f688492704f973e62809e15599bb62)](https://dashboard.guardrails.io/default/gh/doorkeeper-gem/doorkeeper)
|
10
10
|
[![Dependabot](https://img.shields.io/badge/dependabot-enabled-success.svg)](https://dependabot.com)
|
@@ -14,18 +14,18 @@ functionality to your Ruby on Rails or Grape application.
|
|
14
14
|
|
15
15
|
Supported features:
|
16
16
|
|
17
|
-
- [The OAuth 2.0 Authorization Framework](https://
|
18
|
-
- [Authorization Code Flow](
|
19
|
-
- [Access Token Scopes](
|
20
|
-
- [Refresh token](
|
21
|
-
- [Implicit grant](
|
22
|
-
- [Resource Owner Password Credentials](
|
23
|
-
- [Client Credentials](
|
24
|
-
- [OAuth 2.0 Token Revocation](
|
25
|
-
- [OAuth 2.0 Token Introspection](https://
|
26
|
-
- [OAuth 2.0 Threat Model and Security Considerations](
|
27
|
-
- [OAuth 2.0 for Native Apps](https://
|
28
|
-
- [Proof Key for Code Exchange by OAuth Public Clients](https://
|
17
|
+
- [The OAuth 2.0 Authorization Framework](https://datatracker.ietf.org/doc/html/rfc6749)
|
18
|
+
- [Authorization Code Flow](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1)
|
19
|
+
- [Access Token Scopes](https://datatracker.ietf.org/doc/html/rfc6749#section-3.3)
|
20
|
+
- [Refresh token](https://datatracker.ietf.org/doc/html/rfc6749#section-1.5)
|
21
|
+
- [Implicit grant](https://datatracker.ietf.org/doc/html/rfc6749#section-4.2)
|
22
|
+
- [Resource Owner Password Credentials](https://datatracker.ietf.org/doc/html/rfc6749#section-4.3)
|
23
|
+
- [Client Credentials](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4)
|
24
|
+
- [OAuth 2.0 Token Revocation](https://datatracker.ietf.org/doc/html/rfc7009)
|
25
|
+
- [OAuth 2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662)
|
26
|
+
- [OAuth 2.0 Threat Model and Security Considerations](https://datatracker.ietf.org/doc/html/rfc6819)
|
27
|
+
- [OAuth 2.0 for Native Apps](https://datatracker.ietf.org/doc/html/rfc8252)
|
28
|
+
- [Proof Key for Code Exchange by OAuth Public Clients](https://datatracker.ietf.org/doc/html/rfc7636)
|
29
29
|
|
30
30
|
## Table of Contents
|
31
31
|
|
@@ -51,7 +51,7 @@ Supported features:
|
|
51
51
|
|
52
52
|
## Documentation
|
53
53
|
|
54
|
-
This documentation is valid for `
|
54
|
+
This documentation is valid for `main` branch. Please check the documentation for the version of doorkeeper you are using in:
|
55
55
|
https://github.com/doorkeeper-gem/doorkeeper/releases.
|
56
56
|
|
57
57
|
Additionally, other resources can be found on:
|
@@ -134,6 +134,12 @@ See [list of tutorials](https://github.com/doorkeeper-gem/doorkeeper/wiki#how-to
|
|
134
134
|
|
135
135
|
Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [[Become a sponsor](https://opencollective.com/doorkeeper-gem#sponsor)]
|
136
136
|
|
137
|
+
<a href="https://codecademy.com/about/careers?utm_source=doorkeeper-gem" target="_blank"><img src="https://static-assets.codecademy.com/marketing/codecademy_logo_padded.png"/></a>
|
138
|
+
|
139
|
+
> Codecademy supports open source as part of its mission to democratize tech. Come help us build the education the world deserves: [https://codecademy.com/about/careers](https://codecademy.com/about/careers?utm_source=doorkeeper-gem)
|
140
|
+
|
141
|
+
<br>
|
142
|
+
|
137
143
|
<a href="https://oauth.io/?utm_source=doorkeeper-gem" target="_blank"><img src="https://oauth.io/img/logo_text.png"/></a>
|
138
144
|
|
139
145
|
> If you prefer not to deal with the gory details of OAuth 2, need dedicated customer support & consulting, try the cloud-based SaaS version: [https://oauth.io](https://oauth.io/?utm_source=doorkeeper-gem)
|
@@ -4,6 +4,7 @@ module Doorkeeper
|
|
4
4
|
class ApplicationController <
|
5
5
|
Doorkeeper.config.resolve_controller(:base)
|
6
6
|
include Helpers::Controller
|
7
|
+
include ActionController::MimeResponds if Doorkeeper.config.api_only
|
7
8
|
|
8
9
|
unless Doorkeeper.config.api_only
|
9
10
|
protect_from_forgery with: :exception
|
@@ -4,12 +4,22 @@ module Doorkeeper
|
|
4
4
|
class TokenInfoController < Doorkeeper::ApplicationMetalController
|
5
5
|
def show
|
6
6
|
if doorkeeper_token&.accessible?
|
7
|
-
render json:
|
7
|
+
render json: doorkeeper_token_to_json, status: :ok
|
8
8
|
else
|
9
9
|
error = OAuth::InvalidTokenResponse.new
|
10
10
|
response.headers.merge!(error.headers)
|
11
|
-
render json: error
|
11
|
+
render json: error_to_json(error), status: error.status
|
12
12
|
end
|
13
13
|
end
|
14
|
+
|
15
|
+
protected
|
16
|
+
|
17
|
+
def doorkeeper_token_to_json
|
18
|
+
doorkeeper_token
|
19
|
+
end
|
20
|
+
|
21
|
+
def error_to_json(error)
|
22
|
+
error.body
|
23
|
+
end
|
14
24
|
end
|
15
25
|
end
|
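Review bot: The two new protected hooks `doorkeeper_token_to_json` and `error_to_json` exist to be overridden (the CHANGELOG entry for #1482 calls this "extract response rendering") but carry no comment saying so, and their names suggest a JSON string when each in fact returns an object that `render json:` serializes. Add a comment above each, e.g. `# Override in a subclass to customize the token-info payload; the return value is passed to render json:` and `# Override to customize the error payload; receives the OAuth::InvalidTokenResponse built in #show`. The error branch still merges `error.headers` into the response before rendering, so an override of `error_to_json` only changes the body, which is worth stating in that comment.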
@@ -12,7 +12,7 @@ module Doorkeeper
|
|
12
12
|
handle_token_exception(e)
|
13
13
|
end
|
14
14
|
|
15
|
-
# OAuth 2.0 Token Revocation -
|
15
|
+
# OAuth 2.0 Token Revocation - https://datatracker.ietf.org/doc/html/rfc7009
|
16
16
|
def revoke
|
17
17
|
# The authorization server responds with HTTP status code 200 if the client
|
18
18
|
# submitted an invalid token or the token has been revoked successfully.
|
@@ -94,8 +94,8 @@ module Doorkeeper
|
|
94
94
|
# types, they set the application_id as null (since the claim cannot be
|
95
95
|
# verified).
|
96
96
|
#
|
97
|
-
# https://
|
98
|
-
# https://
|
97
|
+
# https://datatracker.ietf.org/doc/html/rfc6749#section-2.1
|
98
|
+
# https://datatracker.ietf.org/doc/html/rfc7009
|
99
99
|
def authorized?
|
100
100
|
# Token belongs to specific client, so we need to check if
|
101
101
|
# authenticated client could access it.
|
@@ -2,10 +2,14 @@
|
|
2
2
|
<h1><%= t('.title') %></h1>
|
3
3
|
</header>
|
4
4
|
|
5
|
-
|
6
|
-
|
7
|
-
|
8
|
-
<%= hidden_field_tag key, value %>
|
9
|
-
<% end %>
|
5
|
+
<%= form_tag @pre_auth.redirect_uri, method: :post, name: :redirect_form, authenticity_token: false do %>
|
6
|
+
<% @authorize_response.body.compact.each do |key, value| %>
|
7
|
+
<%= hidden_field_tag key, value %>
|
10
8
|
<% end %>
|
11
|
-
|
9
|
+
<% end %>
|
10
|
+
|
11
|
+
<script>
|
12
|
+
window.onload = function () {
|
13
|
+
document.forms['redirect_form'].submit();
|
14
|
+
};
|
15
|
+
</script>
|
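Review bot: The auto-submit at new lines 11–15 is a bare inline `<script>` block, so under a host application's Content-Security-Policy that does not allow `'unsafe-inline'` the browser blocks it and the resource owner is left on a page that never submits; wrapping it as `<%= javascript_tag nonce: true do %>` / `window.onload = function () { document.forms['redirect_form'].submit(); };` / `<% end %>` lets Rails attach its CSP nonce. A `<noscript>` block with a visible submit button would cover user agents with scripting disabled. `authenticity_token: false` on the `form_tag` is correct here: the form posts to the client's `redirect_uri`, and the host application's CSRF token must not be sent to a third party.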
@@ -25,6 +25,7 @@
|
|
25
25
|
<%= hidden_field_tag :redirect_uri, @pre_auth.redirect_uri %>
|
26
26
|
<%= hidden_field_tag :state, @pre_auth.state %>
|
27
27
|
<%= hidden_field_tag :response_type, @pre_auth.response_type %>
|
28
|
+
<%= hidden_field_tag :response_mode, @pre_auth.response_mode %>
|
28
29
|
<%= hidden_field_tag :scope, @pre_auth.scope %>
|
29
30
|
<%= hidden_field_tag :code_challenge, @pre_auth.code_challenge %>
|
30
31
|
<%= hidden_field_tag :code_challenge_method, @pre_auth.code_challenge_method %>
|
@@ -35,6 +36,7 @@
|
|
35
36
|
<%= hidden_field_tag :redirect_uri, @pre_auth.redirect_uri %>
|
36
37
|
<%= hidden_field_tag :state, @pre_auth.state %>
|
37
38
|
<%= hidden_field_tag :response_type, @pre_auth.response_type %>
|
39
|
+
<%= hidden_field_tag :response_mode, @pre_auth.response_mode %>
|
38
40
|
<%= hidden_field_tag :scope, @pre_auth.scope %>
|
39
41
|
<%= hidden_field_tag :code_challenge, @pre_auth.code_challenge %>
|
40
42
|
<%= hidden_field_tag :code_challenge_method, @pre_auth.code_challenge_method %>
|
data/config/locales/en.yml
CHANGED
data/lib/doorkeeper/config.rb
CHANGED
@@ -278,6 +278,10 @@ module Doorkeeper
|
|
278
278
|
# Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/1189
|
279
279
|
option :token_reuse_limit, default: 100
|
280
280
|
|
281
|
+
# Don't require client authentication for password grants. If client credentials
|
282
|
+
# are present they will still be validated, and the grant rejected if the credentials
|
283
|
+
# are invalid.
|
284
|
+
#
|
281
285
|
# This is discouraged. Spec says that password grants always require a client.
|
282
286
|
#
|
283
287
|
# See https://github.com/doorkeeper-gem/doorkeeper/issues/1412#issuecomment-632750422
|
@@ -370,7 +374,7 @@ module Doorkeeper
|
|
370
374
|
|
371
375
|
# The controller Doorkeeper::ApplicationController inherits from.
|
372
376
|
# Defaults to ActionController::Base.
|
373
|
-
# https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-
|
377
|
+
# https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-controllers
|
374
378
|
#
|
375
379
|
# @param base_controller [String] the name of the base controller
|
376
380
|
option :base_controller,
|
@@ -49,7 +49,7 @@ module Doorkeeper
|
|
49
49
|
end
|
50
50
|
|
51
51
|
# Implements PKCE code_challenge encoding without base64 padding as described in the spec.
|
52
|
-
# https://
|
52
|
+
# https://datatracker.ietf.org/doc/html/rfc7636#appendix-A
|
53
53
|
# Appendix A. Notes on Implementing Base64url Encoding without Padding
|
54
54
|
#
|
55
55
|
# This appendix describes how to implement a base64url-encoding
|
@@ -279,7 +279,7 @@ module Doorkeeper
|
|
279
279
|
end
|
280
280
|
|
281
281
|
# Access Token type: Bearer.
|
282
|
-
# @see https://
|
282
|
+
# @see https://datatracker.ietf.org/doc/html/rfc6750
|
283
283
|
# The OAuth 2.0 Authorization Framework: Bearer Token Usage
|
284
284
|
#
|
285
285
|
def token_type
|
@@ -374,10 +374,10 @@ module Doorkeeper
|
|
374
374
|
# and clears `:previous_refresh_token` attribute.
|
375
375
|
#
|
376
376
|
def revoke_previous_refresh_token!
|
377
|
-
return
|
377
|
+
return if !self.class.refresh_token_revoked_on_use? || previous_refresh_token.blank?
|
378
378
|
|
379
379
|
old_refresh_token&.revoke
|
380
|
-
update_attribute(:previous_refresh_token, "")
|
380
|
+
update_attribute(:previous_refresh_token, "")
|
381
381
|
end
|
382
382
|
|
383
383
|
private
|
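Review bot: `return if !self.class.refresh_token_revoked_on_use? || previous_refresh_token.blank?` is a negated disjunction that reads more clearly as `return unless self.class.refresh_token_revoked_on_use? && previous_refresh_token.present?`. The order of the two writes that follow appears deliberate and worth protecting with a comment: `old_refresh_token&.revoke` runs before `update_attribute(:previous_refresh_token, "")`, so if the second write fails the old token is already revoked and the next call merely repeats a harmless revoke, whereas the reverse order could leave a usable old refresh token behind. `old_refresh_token` is presumably defined in the private section that starts after the hunk; confirm there.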
@@ -6,7 +6,7 @@ module Doorkeeper
|
|
6
6
|
validate :params, error: :invalid_request
|
7
7
|
validate :client, error: :invalid_client
|
8
8
|
validate :grant, error: :invalid_grant
|
9
|
-
# @see https://
|
9
|
+
# @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
|
10
10
|
validate :redirect_uri, error: :invalid_grant
|
11
11
|
validate :code_verifier, error: :invalid_grant
|
12
12
|
|
@@ -13,7 +13,7 @@ module Doorkeeper
|
|
13
13
|
def authorize
|
14
14
|
auth = Authorization::Code.new(pre_auth, resource_owner)
|
15
15
|
auth.issue_token!
|
16
|
-
CodeResponse.new(pre_auth, auth)
|
16
|
+
CodeResponse.new(pre_auth, auth, response_on_fragment: pre_auth.response_mode == "fragment")
|
17
17
|
end
|
18
18
|
|
19
19
|
def deny
|
@@ -23,7 +23,8 @@ module Doorkeeper
|
|
23
23
|
end
|
24
24
|
|
25
25
|
def description
|
26
|
-
@description ||=
|
26
|
+
@description ||= I18n.t("doorkeeper.errors.messages.forbidden_token.missing_scope",
|
27
|
+
oauth_scopes: @scopes.map(&:to_s).join(" "),)
|
27
28
|
end
|
28
29
|
|
29
30
|
protected
|
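Review bot: The trailing comma in `oauth_scopes: @scopes.map(&:to_s).join(" "),)` is legal Ruby but reads like a typo at the closing parenthesis; drop it, `oauth_scopes: @scopes.map(&:to_s).join(" "))`, or move the `)` onto its own line so the trailing comma has a purpose. The key `doorkeeper.errors.messages.forbidden_token.missing_scope` becomes part of the public surface with this change (the CHANGELOG entry for #1525 says so), so a host application that ships its own `doorkeeper.errors.messages` translations needs the new key or the description falls back to I18n's missing-translation output; the `en.yml` change is listed in the file list but its hunk is not rendered on this page.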
@@ -11,8 +11,8 @@ module Doorkeeper
|
|
11
11
|
# Access Token value must be 1*VSCHAR or
|
12
12
|
# 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
|
13
13
|
#
|
14
|
-
# @see https://
|
15
|
-
# @see https://
|
14
|
+
# @see https://datatracker.ietf.org/doc/html/rfc6749#appendix-A.12
|
15
|
+
# @see https://datatracker.ietf.org/doc/html/rfc6750#section-2.1
|
16
16
|
#
|
17
17
|
generator = options.delete(:generator) || SecureRandom.method(default_generator_method)
|
18
18
|
token_size = options.delete(:size) || 32
|
@@ -3,24 +3,6 @@
|
|
3
3
|
require "ipaddr"
|
4
4
|
|
5
5
|
module Doorkeeper
|
6
|
-
module IPAddrLoopback
|
7
|
-
def loopback?
|
8
|
-
case @family
|
9
|
-
when Socket::AF_INET
|
10
|
-
@addr & 0xff000000 == 0x7f000000
|
11
|
-
when Socket::AF_INET6
|
12
|
-
@addr == 1
|
13
|
-
else
|
14
|
-
raise AddressFamilyError, "unsupported address family"
|
15
|
-
end
|
16
|
-
end
|
17
|
-
end
|
18
|
-
|
19
|
-
# For backward compatibility with old rubies
|
20
|
-
if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("2.5.0")
|
21
|
-
IPAddr.include Doorkeeper::IPAddrLoopback
|
22
|
-
end
|
23
|
-
|
24
6
|
module OAuth
|
25
7
|
module Helpers
|
26
8
|
module URIChecker
|
@@ -37,22 +19,22 @@ module Doorkeeper
|
|
37
19
|
url = as_uri(url)
|
38
20
|
client_url = as_uri(client_url)
|
39
21
|
|
40
|
-
unless client_url.query.nil?
|
22
|
+
unless client_url.query.nil? && url.query.nil?
|
41
23
|
return false unless query_matches?(url.query, client_url.query)
|
42
24
|
|
43
25
|
# Clear out queries so rest of URI can be tested. This allows query
|
44
26
|
# params to be in the request but order not mattering.
|
45
27
|
client_url.query = nil
|
28
|
+
url.query = nil
|
46
29
|
end
|
47
30
|
|
48
31
|
# RFC8252, Paragraph 7.3
|
49
|
-
# @see https://
|
32
|
+
# @see https://datatracker.ietf.org/doc/html/rfc8252#section-7.3
|
50
33
|
if loopback_uri?(url) && loopback_uri?(client_url)
|
51
34
|
url.port = nil
|
52
35
|
client_url.port = nil
|
53
36
|
end
|
54
37
|
|
55
|
-
url.query = nil
|
56
38
|
url == client_url
|
57
39
|
end
|
58
40
|
|
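Review bot: The rewritten guard `unless client_url.query.nil? && url.query.nil?` now sends the mixed case — a query on only one side — through `query_matches?`, so the #1528 fix (rejecting extra query params in `redirect_uri`) rests entirely on `query_matches?` returning false when exactly one argument is nil; that method is outside the hunk, and its nil handling should be pinned by specs for both a registered URI without a query against a request URI with one and the reverse. A comment on the guard would make the intent explicit: `# Any query on either side must match exactly; a query present on only one side is a mismatch (#1528)`. Moving `url.query = nil` inside the block is what closes the hole: previously the request URI's query was cleared unconditionally just before `url == client_url`, so extra parameters were never compared when the registered URI had none. The method this hunk belongs to begins above the hunk.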
@@ -10,12 +10,13 @@ module Doorkeeper
|
|
10
10
|
validate :resource_owner, error: :invalid_grant
|
11
11
|
validate :scopes, error: :invalid_scope
|
12
12
|
|
13
|
-
attr_reader :client, :resource_owner, :parameters, :access_token
|
13
|
+
attr_reader :client, :credentials, :resource_owner, :parameters, :access_token
|
14
14
|
|
15
|
-
def initialize(server, client, resource_owner, parameters = {})
|
15
|
+
def initialize(server, client, credentials, resource_owner, parameters = {})
|
16
16
|
@server = server
|
17
17
|
@resource_owner = resource_owner
|
18
18
|
@client = client
|
19
|
+
@credentials = credentials
|
19
20
|
@parameters = parameters
|
20
21
|
@original_scopes = parameters[:scope]
|
21
22
|
@grant_type = Doorkeeper::OAuth::PASSWORD
|
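Review bot: `credentials` is inserted as the third positional parameter of `initialize`, so a pre-existing caller or subclass that still passes `(server, client, resource_owner, parameters)` keeps matching the arity and silently binds its resource owner to `credentials` and its parameters hash to `resource_owner`, with `parameters` falling back to `{}` and `@original_scopes` becoming nil. A keyword argument (`credentials: nil`) or an optional trailing parameter would have been backward compatible; failing that, the CHANGELOG entry for #1488 should say that custom strategies constructing this request must be updated (the shipped `Request::Password` is changed in this release per the file list). `initialize` continues below the hunk.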
@@ -56,11 +57,11 @@ module Doorkeeper
|
|
56
57
|
#
|
57
58
|
# o authenticate the client if client authentication is included,
|
58
59
|
#
|
59
|
-
# @see https://
|
60
|
+
# @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3
|
60
61
|
#
|
61
62
|
def validate_client
|
62
63
|
if Doorkeeper.config.skip_client_authentication_for_password_grant
|
63
|
-
!parameters[:client_id]
|
64
|
+
client.present? || (!parameters[:client_id] && credentials.blank?)
|
64
65
|
else
|
65
66
|
client.present?
|
66
67
|
end
|
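Review bot: The new expression `client.present? || (!parameters[:client_id] && credentials.blank?)` encodes the #1488 rule — with client authentication skipped, a request that nevertheless presents client credentials must still resolve to a valid client — but nothing in the method says so, and the negated form invites a later "simplification" back to the old behaviour. Add a comment above the `if`, e.g. `# Client auth is optional here, but credentials that were sent must be valid: reject when a client_id or credentials arrived and no client was resolved (#1488)`. Whether `credentials` is populated from the HTTP Basic header cannot be seen in this hunk; confirm against the `Request::Password` strategy. `validate_client` ends below the hunk.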
@@ -101,7 +101,7 @@ module Doorkeeper
|
|
101
101
|
client.present?
|
102
102
|
end
|
103
103
|
|
104
|
-
# @see https://
|
104
|
+
# @see https://datatracker.ietf.org/doc/html/rfc6749#section-1.5
|
105
105
|
#
|
106
106
|
def validate_client_match
|
107
107
|
return true if refresh_token.application_id.blank?
|
@@ -4,7 +4,7 @@ module Doorkeeper
|
|
4
4
|
module OAuth
|
5
5
|
# RFC7662 OAuth 2.0 Token Introspection
|
6
6
|
#
|
7
|
-
# @see https://
|
7
|
+
# @see https://datatracker.ietf.org/doc/html/rfc7662
|
8
8
|
class TokenIntrospection
|
9
9
|
def initialize(server, token)
|
10
10
|
@server = server
|
@@ -107,7 +107,7 @@ module Doorkeeper
|
|
107
107
|
# authorization server SHOULD NOT include any additional information
|
108
108
|
# about an inactive token, including why the token is inactive.
|
109
109
|
#
|
110
|
-
# @see https://
|
110
|
+
# @see https://datatracker.ietf.org/doc/html/rfc7662 2.2. Introspection Response
|
111
111
|
#
|
112
112
|
def failure_response
|
113
113
|
{
|
@@ -186,7 +186,7 @@ module Doorkeeper
|
|
186
186
|
# Provides context (controller) and token for generating developer-specific
|
187
187
|
# response.
|
188
188
|
#
|
189
|
-
# @see https://
|
189
|
+
# @see https://datatracker.ietf.org/doc/html/rfc7662#section-2.2
|
190
190
|
#
|
191
191
|
def customize_response(response)
|
192
192
|
customized_response = Doorkeeper.config.custom_introspection_response.call(
|
@@ -5,7 +5,8 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
|
|
5
5
|
extend ActiveSupport::Concern
|
6
6
|
|
7
7
|
included do
|
8
|
-
self.table_name =
|
8
|
+
self.table_name = compute_doorkeeper_table_name
|
9
|
+
self.strict_loading_by_default = false if respond_to?(:strict_loading_by_default)
|
9
10
|
|
10
11
|
include ::Doorkeeper::AccessGrantMixin
|
11
12
|
|
@@ -54,5 +55,15 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
|
|
54
55
|
secret_strategy.store_secret(self, :token, @raw_token)
|
55
56
|
end
|
56
57
|
end
|
58
|
+
|
59
|
+
module ClassMethods
|
60
|
+
private
|
61
|
+
|
62
|
+
def compute_doorkeeper_table_name
|
63
|
+
table_name = "oauth_access_grant"
|
64
|
+
table_name = table_name.pluralize if pluralize_table_names
|
65
|
+
"#{table_name_prefix}#{table_name}#{table_name_suffix}"
|
66
|
+
end
|
67
|
+
end
|
57
68
|
end
|
58
69
|
end
|
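Review bot: In `compute_doorkeeper_table_name` the local `table_name` shadows the `table_name` class attribute that the `included` block assigns from this method, so `table_name = table_name.pluralize if pluralize_table_names` reads as if it mutated the model's setting; a local such as `base_name` removes the ambiguity: `base_name = "oauth_access_grant"` / `base_name = base_name.pluralize if pluralize_table_names` / `"#{table_name_prefix}#{base_name}#{table_name_suffix}"`. The same pattern appears in the access_token and application mixin hunks below. The three helpers differ only in the literal, so a shared helper taking the base name would keep them from drifting, though that is a larger change than this release intends.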
@@ -5,7 +5,8 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
|
|
5
5
|
extend ActiveSupport::Concern
|
6
6
|
|
7
7
|
included do
|
8
|
-
self.table_name =
|
8
|
+
self.table_name = compute_doorkeeper_table_name
|
9
|
+
self.strict_loading_by_default = false if respond_to?(:strict_loading_by_default)
|
9
10
|
|
10
11
|
include ::Doorkeeper::AccessTokenMixin
|
11
12
|
|
@@ -46,6 +47,14 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
|
|
46
47
|
def refresh_token_revoked_on_use?
|
47
48
|
column_names.include?("previous_refresh_token")
|
48
49
|
end
|
50
|
+
|
51
|
+
private
|
52
|
+
|
53
|
+
def compute_doorkeeper_table_name
|
54
|
+
table_name = "oauth_access_token"
|
55
|
+
table_name = table_name.pluralize if pluralize_table_names
|
56
|
+
"#{table_name_prefix}#{table_name}#{table_name_suffix}"
|
57
|
+
end
|
49
58
|
end
|
50
59
|
end
|
51
60
|
end
|
@@ -5,7 +5,8 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
|
|
5
5
|
extend ActiveSupport::Concern
|
6
6
|
|
7
7
|
included do
|
8
|
-
self.table_name =
|
8
|
+
self.table_name = compute_doorkeeper_table_name
|
9
|
+
self.strict_loading_by_default = false if respond_to?(:strict_loading_by_default)
|
9
10
|
|
10
11
|
include ::Doorkeeper::ApplicationMixin
|
11
12
|
|
@@ -185,6 +186,14 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
|
|
185
186
|
Doorkeeper.config.access_token_model.revoke_all_for(id, resource_owner)
|
186
187
|
Doorkeeper.config.access_grant_model.revoke_all_for(id, resource_owner)
|
187
188
|
end
|
189
|
+
|
190
|
+
private
|
191
|
+
|
192
|
+
def compute_doorkeeper_table_name
|
193
|
+
table_name = "oauth_application"
|
194
|
+
table_name = table_name.pluralize if pluralize_table_names
|
195
|
+
"#{table_name_prefix}#{table_name}#{table_name_suffix}"
|
196
|
+
end
|
188
197
|
end
|
189
198
|
end
|
190
199
|
end
|
@@ -37,15 +37,7 @@ module Doorkeeper
|
|
37
37
|
end
|
38
38
|
|
39
39
|
def self.lazy_load(&block)
|
40
|
-
|
41
|
-
# already lazy-loaded :(
|
42
|
-
loaded = ActiveSupport.instance_variable_get(:"@loaded") || {}
|
43
|
-
|
44
|
-
if loaded.key?(:active_record)
|
45
|
-
block.call
|
46
|
-
else
|
47
|
-
ActiveSupport.on_load(:active_record, {}, &block)
|
48
|
-
end
|
40
|
+
ActiveSupport.on_load(:active_record, {}, &block)
|
49
41
|
end
|
50
42
|
|
51
43
|
def self.models
|
data/lib/doorkeeper/rake/db.rake
CHANGED
@@ -13,7 +13,7 @@ namespace :doorkeeper do
|
|
13
13
|
namespace :cleanup do
|
14
14
|
desc "Removes stale access tokens"
|
15
15
|
task revoked_tokens: "doorkeeper:setup" do
|
16
|
-
cleaner = Doorkeeper::StaleRecordsCleaner.new(Doorkeeper
|
16
|
+
cleaner = Doorkeeper::StaleRecordsCleaner.new(Doorkeeper.config.access_token_model)
|
17
17
|
cleaner.clean_revoked
|
18
18
|
end
|
19
19
|
|
@@ -26,13 +26,13 @@ namespace :doorkeeper do
|
|
26
26
|
|
27
27
|
desc "Removes stale access grants"
|
28
28
|
task revoked_grants: "doorkeeper:setup" do
|
29
|
-
cleaner = Doorkeeper::StaleRecordsCleaner.new(Doorkeeper
|
29
|
+
cleaner = Doorkeeper::StaleRecordsCleaner.new(Doorkeeper.config.access_grant_model)
|
30
30
|
cleaner.clean_revoked
|
31
31
|
end
|
32
32
|
|
33
33
|
desc "Removes expired (TTL passed) access grants"
|
34
34
|
task expired_grants: "doorkeeper:setup" do
|
35
|
-
cleaner = Doorkeeper::StaleRecordsCleaner.new(Doorkeeper
|
35
|
+
cleaner = Doorkeeper::StaleRecordsCleaner.new(Doorkeeper.config.access_grant_model)
|
36
36
|
cleaner.clean_expired(Doorkeeper.config.authorization_code_expires_in)
|
37
37
|
end
|
38
38
|
end
|
@@ -2,5 +2,10 @@
|
|
2
2
|
|
3
3
|
namespace :doorkeeper do
|
4
4
|
task setup: :environment do
|
5
|
+
# Dirty hack to manually initialize AR because of lazy auto-loading,
|
6
|
+
# in other case we'll see NameError: uninitialized constant Doorkeeper::AccessToken
|
7
|
+
if Doorkeeper.config.orm == :active_record && defined?(::ActiveRecord::Base)
|
8
|
+
Object.const_get("::ActiveRecord::Base")
|
9
|
+
end
|
5
10
|
end
|
6
11
|
end
|
data/lib/doorkeeper/version.rb
CHANGED
@@ -120,7 +120,7 @@ Doorkeeper.configure do
|
|
120
120
|
# The controller +Doorkeeper::ApplicationController+ inherits from.
|
121
121
|
# Defaults to +ActionController::Base+ unless +api_only+ is set, which changes the default to
|
122
122
|
# +ActionController::API+. The return value of this option must be a stringified class name.
|
123
|
-
# See https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-
|
123
|
+
# See https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-controllers
|
124
124
|
#
|
125
125
|
# base_controller 'ApplicationController'
|
126
126
|
|
@@ -276,7 +276,7 @@ Doorkeeper.configure do
|
|
276
276
|
# force_ssl_in_redirect_uri { |uri| uri.host != 'localhost' }
|
277
277
|
|
278
278
|
# Specify what redirect URI's you want to block during Application creation.
|
279
|
-
# Any redirect URI is
|
279
|
+
# Any redirect URI is allowed by default.
|
280
280
|
#
|
281
281
|
# You can use this option in order to forbid URI's with 'javascript' scheme
|
282
282
|
# for example.
|
@@ -343,8 +343,8 @@ Doorkeeper.configure do
|
|
343
343
|
#
|
344
344
|
# implicit and password grant flows have risks that you should understand
|
345
345
|
# before enabling:
|
346
|
-
#
|
347
|
-
#
|
346
|
+
# https://datatracker.ietf.org/doc/html/rfc6819#section-4.4.2
|
347
|
+
# https://datatracker.ietf.org/doc/html/rfc6819#section-4.4.3
|
348
348
|
#
|
349
349
|
# grant_flows %w[authorization_code client_credentials]
|
350
350
|
|
@@ -387,7 +387,7 @@ Doorkeeper.configure do
|
|
387
387
|
# Be default all Resource Owners are authorized to any Client (application).
|
388
388
|
#
|
389
389
|
# authorize_resource_owner_for_client do |client, resource_owner|
|
390
|
-
# resource_owner.admin? || client.
|
390
|
+
# resource_owner.admin? || client.owners_allowlist.include?(resource_owner)
|
391
391
|
# end
|
392
392
|
|
393
393
|
# Hook into the strategies' request & response life-cycle in case your
|
@@ -61,7 +61,7 @@ class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
|
|
61
61
|
# *the client MUST discard the old refresh token* and replace it with the
|
62
62
|
# new refresh token. The authorization server MAY revoke the old
|
63
63
|
# refresh token after issuing a new refresh token to the client.
|
64
|
-
# @see https://
|
64
|
+
# @see https://datatracker.ietf.org/doc/html/rfc6749#section-6
|
65
65
|
#
|
66
66
|
# Doorkeeper implementation: if there is a `previous_refresh_token` column,
|
67
67
|
# refresh tokens will be revoked after a related access token is used.
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: doorkeeper
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 5.5.
|
4
|
+
version: 5.5.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Felipe Elias Philipp
|
@@ -11,7 +11,7 @@ authors:
|
|
11
11
|
autorequire:
|
12
12
|
bindir: bin
|
13
13
|
cert_chain: []
|
14
|
-
date: 2021-
|
14
|
+
date: 2021-09-23 00:00:00.000000000 Z
|
15
15
|
dependencies:
|
16
16
|
- !ruby/object:Gem::Dependency
|
17
17
|
name: railties
|
@@ -89,14 +89,14 @@ dependencies:
|
|
89
89
|
requirements:
|
90
90
|
- - "~>"
|
91
91
|
- !ruby/object:Gem::Version
|
92
|
-
version: '
|
92
|
+
version: '2.0'
|
93
93
|
type: :development
|
94
94
|
prerelease: false
|
95
95
|
version_requirements: !ruby/object:Gem::Requirement
|
96
96
|
requirements:
|
97
97
|
- - "~>"
|
98
98
|
- !ruby/object:Gem::Version
|
99
|
-
version: '
|
99
|
+
version: '2.0'
|
100
100
|
- !ruby/object:Gem::Dependency
|
101
101
|
name: factory_bot
|
102
102
|
requirement: !ruby/object:Gem::Requirement
|
@@ -318,11 +318,11 @@ licenses:
|
|
318
318
|
- MIT
|
319
319
|
metadata:
|
320
320
|
homepage_uri: https://github.com/doorkeeper-gem/doorkeeper
|
321
|
-
changelog_uri: https://github.com/doorkeeper-gem/doorkeeper/blob/
|
321
|
+
changelog_uri: https://github.com/doorkeeper-gem/doorkeeper/blob/main/CHANGELOG.md
|
322
322
|
source_code_uri: https://github.com/doorkeeper-gem/doorkeeper
|
323
323
|
bug_tracker_uri: https://github.com/doorkeeper-gem/doorkeeper/issues
|
324
324
|
documentation_uri: https://doorkeeper.gitbook.io/guides/
|
325
|
-
post_install_message: "Starting from 5.5.0
|
325
|
+
post_install_message: "Starting from 5.5.0 RC1 Doorkeeper requires client authentication
|
326
326
|
for Resource Owner Password Grant\nas stated in the OAuth RFC. You have to create
|
327
327
|
a new OAuth client (Doorkeeper::Application) if you didn't\nhave it before and use
|
328
328
|
client credentials in HTTP Basic auth if you previously used this grant flow without\nclient
|
@@ -337,12 +337,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
337
337
|
requirements:
|
338
338
|
- - ">="
|
339
339
|
- !ruby/object:Gem::Version
|
340
|
-
version: '2.
|
340
|
+
version: '2.5'
|
341
341
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
342
342
|
requirements:
|
343
|
-
- - "
|
343
|
+
- - ">="
|
344
344
|
- !ruby/object:Gem::Version
|
345
|
-
version:
|
345
|
+
version: '0'
|
346
346
|
requirements: []
|
347
347
|
rubygems_version: 3.1.2
|
348
348
|
signing_key:
|