doorkeeper 5.5.0 → 5.5.1





checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 8d0646462c8fd51891c70b06dbccf9d4c2a2db2d19f71fb9e358c9401843053a
4
- data.tar.gz: 17669cf7be5a1f0053850c6f00c03b63df477438a7aa6805558d48dfb35541b0
3
+ metadata.gz: '08f9f8fec2b33300cb7ed4a09ff5682330698f51515404339a1ef40621f1d0d0'
4
+ data.tar.gz: 6d53afbc73dfdb731b0641575ffd7156ad3a74e11452654a99a1f24ad7f1093f
5
5
  SHA512:
6
- metadata.gz: 54c0fadb672bb09b4e33b6df5476694a0e7f1fb7795b3e2d4172e6c77671bbd7f929dec42f37d9b17bede5cb0659c5a95a30771fd8c69dbdddcb80d4d291aa81
7
- data.tar.gz: 462977a3eae6d5705ce246814a66f0bd29cd64647e43ba4df2502b9b72eea9c0e848ce3c1789fa97cb6953a07661eef025665a9fa29a97080c1d61acc3e559b6
6
+ metadata.gz: 345be4d8d397eacb61d21a749b0c8e1fe38a9f6f2868c14a76006a2cc0686c6e192b9828e7f37df39f83f80c69a4a8394191f9d28691db43616f47f52b2505bb
7
+ data.tar.gz: 4c96d9ad3d31305f1fb9fc135de3ee5a4e187a38f317307da6d83fc8dabe265dab741c52f25d7f907930a195918b1713aa3db6495b37626a2cfe5fe621f9e240
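--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -9,6 +9,14 @@ User-visible changes worth mentioning.
 
 - [#PR ID] Add your PR description here.
 
+## 5.5.1
+
+- [#1496] Revoke `old_refresh_token` if `previous_refresh_token` is present.
+- [#1495] Fix `respond_to` undefined in API-only mode
+- [#1488] Verify client authentication for Resource Owner Password Grant when
+`config.skip_client_authentication_for_password_grant` is set and the client credentials
+are sent in a HTTP Basic auth header.
+
 ## 5.5.0
 
 - [#1482] Simplify `TokenInfoController` to be overridable (extract response rendering).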
@@ -4,6 +4,7 @@ module Doorkeeper
4
4
  class ApplicationController <
5
5
  Doorkeeper.config.resolve_controller(:base)
6
6
  include Helpers::Controller
7
+ include ActionController::MimeResponds if Doorkeeper.config.api_only
7
8
 
8
9
  unless Doorkeeper.config.api_only
9
10
  protect_from_forgery with: :exception
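Review bot: The new `include ActionController::MimeResponds if Doorkeeper.config.api_only` is evaluated once while the class body loads, so it reflects the configuration at load time only; that is consistent with the `resolve_controller(:base)` superclass lookup just above, but a reader has to know that `ActionController::API` does not ship `respond_to` to see why the include is there. A one-line comment would make it self-explaining, e.g. `# ActionController::API omits respond_to; mix it in so the format blocks below work in API-only mode`. The class body continues past the hunk, and the `format.json` block this include enables is in the next hunk.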
@@ -26,7 +26,7 @@ module Doorkeeper
26
26
  )
27
27
  end
28
28
 
29
- format.json { render :no_content }
29
+ format.json { head :no_content }
30
30
  end
31
31
  end
32
32
  end
@@ -278,6 +278,10 @@ module Doorkeeper
278
278
  # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/1189
279
279
  option :token_reuse_limit, default: 100
280
280
 
281
+ # Don't require client authentication for password grants. If client credentials
282
+ # are present they will still be validated, and the grant rejected if the credentials
283
+ # are invalid.
284
+ #
281
285
  # This is discouraged. Spec says that password grants always require a client.
282
286
  #
283
287
  # See https://github.com/doorkeeper-gem/doorkeeper/issues/1412#issuecomment-632750422
@@ -374,10 +374,10 @@ module Doorkeeper
374
374
  # and clears `:previous_refresh_token` attribute.
375
375
  #
376
376
  def revoke_previous_refresh_token!
377
- return unless self.class.refresh_token_revoked_on_use?
377
+ return if !self.class.refresh_token_revoked_on_use? || previous_refresh_token.blank?
378
378
 
379
379
  old_refresh_token&.revoke
380
- update_attribute(:previous_refresh_token, "") if previous_refresh_token.present?
380
+ update_attribute(:previous_refresh_token, "")
381
381
  end
382
382
 
383
383
  private
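Review bot: The new guard `return if !self.class.refresh_token_revoked_on_use? || previous_refresh_token.blank?` negates its first operand, which the Ruby style guide discourages; `return unless self.class.refresh_token_revoked_on_use? && previous_refresh_token.present?` states the same precondition positively. If `old_refresh_token` looks the record up by `previous_refresh_token`, the blank check also avoids a lookup keyed on an empty value, which appears to be the point of #1496 and is worth a short comment above the guard, e.g. `# Nothing to revoke or clear when no previous token was recorded`. The method's doc comment starts above the hunk and still says the attribute is cleared; that remains true, since the early return only skips the case where it is already blank.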
@@ -10,12 +10,13 @@ module Doorkeeper
10
10
  validate :resource_owner, error: :invalid_grant
11
11
  validate :scopes, error: :invalid_scope
12
12
 
13
- attr_reader :client, :resource_owner, :parameters, :access_token
13
+ attr_reader :client, :credentials, :resource_owner, :parameters, :access_token
14
14
 
15
- def initialize(server, client, resource_owner, parameters = {})
15
+ def initialize(server, client, credentials, resource_owner, parameters = {})
16
16
  @server = server
17
17
  @resource_owner = resource_owner
18
18
  @client = client
19
+ @credentials = credentials
19
20
  @parameters = parameters
20
21
  @original_scopes = parameters[:scope]
21
22
  @grant_type = Doorkeeper::OAuth::PASSWORD
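Review bot: Inserting `credentials` as a positional parameter in the middle of `initialize` keeps the old four-argument call `new(server, client, resource_owner, parameters)` arity-valid, so any caller or subclass not updated alongside this commit would silently pass its resource owner as the credentials and its parameters as the resource owner rather than fail. If anything outside the gem is expected to construct this request, a changelog note or a keyword argument such as `credentials: nil` would make the mismatch fail loudly instead. The class definition begins outside the hunk.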
@@ -60,7 +61,7 @@ module Doorkeeper
60
61
  #
61
62
  def validate_client
62
63
  if Doorkeeper.config.skip_client_authentication_for_password_grant
63
- !parameters[:client_id] || client.present?
64
+ client.present? || (!parameters[:client_id] && credentials.blank?)
64
65
  else
65
66
  client.present?
66
67
  end
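Review bot: The new condition `client.present? || (!parameters[:client_id] && credentials.blank?)` encodes the #1488 fix but carries no explanation, and the method's doc comment begins above the hunk; a comment on the skip branch would help, e.g. `# Without client authentication the grant is acceptable only when no client was identified at all; a client_id parameter or Basic credentials that did not resolve to a client must still be rejected.` The check also relies on `credentials` being nil or responding to `blank?` so that it is true only when no credentials were supplied; if the credentials object defines its own `blank?`, that contract is worth stating next to the call. The method's closing `end` is outside the hunk.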
@@ -9,6 +9,7 @@ module Doorkeeper
9
9
  @request ||= OAuth::PasswordAccessTokenRequest.new(
10
10
  Doorkeeper.config,
11
11
  client,
12
+ credentials,
12
13
  resource_owner,
13
14
  parameters,
14
15
  )
@@ -5,7 +5,7 @@ module Doorkeeper
5
5
  # Semantic versioning
6
6
  MAJOR = 5
7
7
  MINOR = 5
8
- TINY = 0
8
+ TINY = 1
9
9
  PRE = nil
10
10
 
11
11
  # Full version number
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: doorkeeper
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.5.0
4
+ version: 5.5.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Felipe Elias Philipp
@@ -11,7 +11,7 @@ authors:
11
11
  autorequire:
12
12
  bindir: bin
13
13
  cert_chain: []
14
- date: 2021-02-19 00:00:00.000000000 Z
14
+ date: 2021-04-06 00:00:00.000000000 Z
15
15
  dependencies:
16
16
  - !ruby/object:Gem::Dependency
17
17
  name: railties
@@ -89,14 +89,14 @@ dependencies:
89
89
  requirements:
90
90
  - - "~>"
91
91
  - !ruby/object:Gem::Version
92
- version: '1.6'
92
+ version: '2.0'
93
93
  type: :development
94
94
  prerelease: false
95
95
  version_requirements: !ruby/object:Gem::Requirement
96
96
  requirements:
97
97
  - - "~>"
98
98
  - !ruby/object:Gem::Version
99
- version: '1.6'
99
+ version: '2.0'
100
100
  - !ruby/object:Gem::Dependency
101
101
  name: factory_bot
102
102
  requirement: !ruby/object:Gem::Requirement