doorkeeper 5.5.2 → 5.5.3
- checksums.yaml +4 -4
- data/CHANGELOG.md +7 -0
- data/README.md +12 -12
- data/app/controllers/doorkeeper/authorizations_controller.rb +1 -1
- data/app/controllers/doorkeeper/tokens_controller.rb +3 -3
- data/app/helpers/doorkeeper/dashboard_helper.rb +1 -1
- data/config/locales/en.yml +3 -0
- data/lib/doorkeeper/models/access_grant_mixin.rb +1 -1
- data/lib/doorkeeper/models/access_token_mixin.rb +1 -1
- data/lib/doorkeeper/oauth/authorization_code_request.rb +1 -1
- data/lib/doorkeeper/oauth/forbidden_token_response.rb +2 -1
- data/lib/doorkeeper/oauth/helpers/unique_token.rb +2 -2
- data/lib/doorkeeper/oauth/helpers/uri_checker.rb +3 -3
- data/lib/doorkeeper/oauth/password_access_token_request.rb +1 -1
- data/lib/doorkeeper/oauth/refresh_token_request.rb +1 -1
- data/lib/doorkeeper/oauth/token_introspection.rb +3 -3
- data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +1 -0
- data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +1 -0
- data/lib/doorkeeper/orm/active_record/mixins/application.rb +1 -0
- data/lib/doorkeeper/version.rb +1 -1
- data/lib/generators/doorkeeper/templates/initializer.rb +4 -4
- data/lib/generators/doorkeeper/templates/migration.rb.erb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 55ced432e71b3066f090735a7f68d95954ef41ec19f371b6ce4244bd2d462c64
|
4
|
+
data.tar.gz: 35da75b4534aa7ac1ceb3ad35d5bc40a4173c06de05212b9e36f88795c083f65
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 8336b6956cfddc0fc8b65923327eddda5ecdf2577c6e5b5cc5bc30aa675624313f3008b4b46cabecfca5b35a8df7f612e0b43974c4668b119254918a3ee1c9a2
|
7
|
+
data.tar.gz: 44ce41f014ea4e04f9626bc929c543ab593fc0087aa70bd011f064a76a6b3f4773c70ed285bcd4996eab5313f8ca278182075b3f912c947fb622a77179e33860
|
data/CHANGELOG.md
CHANGED
@@ -9,6 +9,13 @@ User-visible changes worth mentioning.
|
|
9
9
|
|
10
10
|
- [#PR ID] Add your PR description here.
|
11
11
|
|
12
|
+
## 5.5.3
|
13
|
+
|
14
|
+
- [#1528] Don't allow extra query params in redirect_uri.
|
15
|
+
- [#1525] I18n source for forbidden token error is now `doorkeeper.errors.messages.forbidden_token.missing_scope`.
|
16
|
+
- [#1531] Disable `strict-loading` for Doorkeeper models by default.
|
17
|
+
- [#1532] Add support for Rails 7.
|
18
|
+
|
12
19
|
## 5.5.2
|
13
20
|
|
14
21
|
- [#1502] Drop support for Ruby 2.4 because of EOL.
|
data/README.md
CHANGED
@@ -14,18 +14,18 @@ functionality to your Ruby on Rails or Grape application.
|
|
14
14
|
|
15
15
|
Supported features:
|
16
16
|
|
17
|
-
- [The OAuth 2.0 Authorization Framework](https://
|
18
|
-
- [Authorization Code Flow](
|
19
|
-
- [Access Token Scopes](
|
20
|
-
- [Refresh token](
|
21
|
-
- [Implicit grant](
|
22
|
-
- [Resource Owner Password Credentials](
|
23
|
-
- [Client Credentials](
|
24
|
-
- [OAuth 2.0 Token Revocation](
|
25
|
-
- [OAuth 2.0 Token Introspection](https://
|
26
|
-
- [OAuth 2.0 Threat Model and Security Considerations](
|
27
|
-
- [OAuth 2.0 for Native Apps](https://
|
28
|
-
- [Proof Key for Code Exchange by OAuth Public Clients](https://
|
17
|
+
- [The OAuth 2.0 Authorization Framework](https://datatracker.ietf.org/doc/html/rfc6749)
|
18
|
+
- [Authorization Code Flow](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1)
|
19
|
+
- [Access Token Scopes](https://datatracker.ietf.org/doc/html/rfc6749#section-3.3)
|
20
|
+
- [Refresh token](https://datatracker.ietf.org/doc/html/rfc6749#section-1.5)
|
21
|
+
- [Implicit grant](https://datatracker.ietf.org/doc/html/rfc6749#section-4.2)
|
22
|
+
- [Resource Owner Password Credentials](https://datatracker.ietf.org/doc/html/rfc6749#section-4.3)
|
23
|
+
- [Client Credentials](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4)
|
24
|
+
- [OAuth 2.0 Token Revocation](https://datatracker.ietf.org/doc/html/rfc7009)
|
25
|
+
- [OAuth 2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662)
|
26
|
+
- [OAuth 2.0 Threat Model and Security Considerations](https://datatracker.ietf.org/doc/html/rfc6819)
|
27
|
+
- [OAuth 2.0 for Native Apps](https://datatracker.ietf.org/doc/html/rfc8252)
|
28
|
+
- [Proof Key for Code Exchange by OAuth Public Clients](https://datatracker.ietf.org/doc/html/rfc7636)
|
29
29
|
|
30
30
|
## Table of Contents
|
31
31
|
|
@@ -12,7 +12,7 @@ module Doorkeeper
|
|
12
12
|
handle_token_exception(e)
|
13
13
|
end
|
14
14
|
|
15
|
-
# OAuth 2.0 Token Revocation -
|
15
|
+
# OAuth 2.0 Token Revocation - https://datatracker.ietf.org/doc/html/rfc7009
|
16
16
|
def revoke
|
17
17
|
# The authorization server responds with HTTP status code 200 if the client
|
18
18
|
# submitted an invalid token or the token has been revoked successfully.
|
@@ -94,8 +94,8 @@ module Doorkeeper
|
|
94
94
|
# types, they set the application_id as null (since the claim cannot be
|
95
95
|
# verified).
|
96
96
|
#
|
97
|
-
# https://
|
98
|
-
# https://
|
97
|
+
# https://datatracker.ietf.org/doc/html/rfc6749#section-2.1
|
98
|
+
# https://datatracker.ietf.org/doc/html/rfc7009
|
99
99
|
def authorized?
|
100
100
|
# Token belongs to specific client, so we need to check if
|
101
101
|
# authenticated client could access it.
|
data/config/locales/en.yml
CHANGED
@@ -49,7 +49,7 @@ module Doorkeeper
|
|
49
49
|
end
|
50
50
|
|
51
51
|
# Implements PKCE code_challenge encoding without base64 padding as described in the spec.
|
52
|
-
# https://
|
52
|
+
# https://datatracker.ietf.org/doc/html/rfc7636#appendix-A
|
53
53
|
# Appendix A. Notes on Implementing Base64url Encoding without Padding
|
54
54
|
#
|
55
55
|
# This appendix describes how to implement a base64url-encoding
|
@@ -279,7 +279,7 @@ module Doorkeeper
|
|
279
279
|
end
|
280
280
|
|
281
281
|
# Access Token type: Bearer.
|
282
|
-
# @see https://
|
282
|
+
# @see https://datatracker.ietf.org/doc/html/rfc6750
|
283
283
|
# The OAuth 2.0 Authorization Framework: Bearer Token Usage
|
284
284
|
#
|
285
285
|
def token_type
|
@@ -6,7 +6,7 @@ module Doorkeeper
|
|
6
6
|
validate :params, error: :invalid_request
|
7
7
|
validate :client, error: :invalid_client
|
8
8
|
validate :grant, error: :invalid_grant
|
9
|
-
# @see https://
|
9
|
+
# @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
|
10
10
|
validate :redirect_uri, error: :invalid_grant
|
11
11
|
validate :code_verifier, error: :invalid_grant
|
12
12
|
|
@@ -23,7 +23,8 @@ module Doorkeeper
|
|
23
23
|
end
|
24
24
|
|
25
25
|
def description
|
26
|
-
@description ||=
|
26
|
+
@description ||= I18n.t("doorkeeper.errors.messages.forbidden_token.missing_scope",
|
27
|
+
oauth_scopes: @scopes.map(&:to_s).join(" "),)
|
27
28
|
end
|
28
29
|
|
29
30
|
protected
|
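Review bot: The new `I18n.t` call on line 27 of the hunk ends with `,)` — a trailing comma immediately before the closing parenthesis — which Ruby accepts but reads like a leftover from a multi-line argument list; I would drop it: `oauth_scopes: @scopes.map(&:to_s).join(" "))`. Because the description now comes from a locale key, an application that overrides `doorkeeper.errors.messages.forbidden_token.missing_scope` and omits the `%{oauth_scopes}` placeholder would lose the required-scope list from the error text without any failure, so a one-line comment above the call is worth adding, e.g. `# Locale string must keep the %{oauth_scopes} placeholder.` The `en.yml` entry that defines the key is in the diffstat but its text is not visible in this view, and the enclosing class starts before this hunk.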
@@ -11,8 +11,8 @@ module Doorkeeper
|
|
11
11
|
# Access Token value must be 1*VSCHAR or
|
12
12
|
# 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
|
13
13
|
#
|
14
|
-
# @see https://
|
15
|
-
# @see https://
|
14
|
+
# @see https://datatracker.ietf.org/doc/html/rfc6749#appendix-A.12
|
15
|
+
# @see https://datatracker.ietf.org/doc/html/rfc6750#section-2.1
|
16
16
|
#
|
17
17
|
generator = options.delete(:generator) || SecureRandom.method(default_generator_method)
|
18
18
|
token_size = options.delete(:size) || 32
|
@@ -19,22 +19,22 @@ module Doorkeeper
|
|
19
19
|
url = as_uri(url)
|
20
20
|
client_url = as_uri(client_url)
|
21
21
|
|
22
|
-
unless client_url.query.nil?
|
22
|
+
unless client_url.query.nil? && url.query.nil?
|
23
23
|
return false unless query_matches?(url.query, client_url.query)
|
24
24
|
|
25
25
|
# Clear out queries so rest of URI can be tested. This allows query
|
26
26
|
# params to be in the request but order not mattering.
|
27
27
|
client_url.query = nil
|
28
|
+
url.query = nil
|
28
29
|
end
|
29
30
|
|
30
31
|
# RFC8252, Paragraph 7.3
|
31
|
-
# @see https://
|
32
|
+
# @see https://datatracker.ietf.org/doc/html/rfc8252#section-7.3
|
32
33
|
if loopback_uri?(url) && loopback_uri?(client_url)
|
33
34
|
url.port = nil
|
34
35
|
client_url.port = nil
|
35
36
|
end
|
36
37
|
|
37
|
-
url.query = nil
|
38
38
|
url == client_url
|
39
39
|
end
|
40
40
|
|
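Review bot: The widened guard `unless client_url.query.nil? && url.query.nil?` only closes the extra-query-parameter hole if `query_matches?` — defined outside this hunk — returns false rather than raising when exactly one side is nil, because that is the case the old code let through: a request query was compared only when the registered URI had one, and otherwise discarded by the trailing `url.query = nil` this hunk removes. That asymmetric case deserves an explicit test in both directions, e.g. `matches?("https://app.example/cb?foo=bar", "https://app.example/cb")` and the mirror with the query on the registered URI, both expected to be false. The retained comment "This allows query params to be in the request but order not mattering" now undersells the check, since the request must carry exactly the registered parameters and only their order may differ; I would reword it to `# Both queries must carry the same parameters (order-insensitive); clear them so the rest of the URI can be compared.` The enclosing `matches?` method starts before this hunk.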
@@ -57,7 +57,7 @@ module Doorkeeper
|
|
57
57
|
#
|
58
58
|
# o authenticate the client if client authentication is included,
|
59
59
|
#
|
60
|
-
# @see https://
|
60
|
+
# @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3
|
61
61
|
#
|
62
62
|
def validate_client
|
63
63
|
if Doorkeeper.config.skip_client_authentication_for_password_grant
|
@@ -101,7 +101,7 @@ module Doorkeeper
|
|
101
101
|
client.present?
|
102
102
|
end
|
103
103
|
|
104
|
-
# @see https://
|
104
|
+
# @see https://datatracker.ietf.org/doc/html/rfc6749#section-1.5
|
105
105
|
#
|
106
106
|
def validate_client_match
|
107
107
|
return true if refresh_token.application_id.blank?
|
@@ -4,7 +4,7 @@ module Doorkeeper
|
|
4
4
|
module OAuth
|
5
5
|
# RFC7662 OAuth 2.0 Token Introspection
|
6
6
|
#
|
7
|
-
# @see https://
|
7
|
+
# @see https://datatracker.ietf.org/doc/html/rfc7662
|
8
8
|
class TokenIntrospection
|
9
9
|
def initialize(server, token)
|
10
10
|
@server = server
|
@@ -107,7 +107,7 @@ module Doorkeeper
|
|
107
107
|
# authorization server SHOULD NOT include any additional information
|
108
108
|
# about an inactive token, including why the token is inactive.
|
109
109
|
#
|
110
|
-
# @see https://
|
110
|
+
# @see https://datatracker.ietf.org/doc/html/rfc7662 2.2. Introspection Response
|
111
111
|
#
|
112
112
|
def failure_response
|
113
113
|
{
|
@@ -186,7 +186,7 @@ module Doorkeeper
|
|
186
186
|
# Provides context (controller) and token for generating developer-specific
|
187
187
|
# response.
|
188
188
|
#
|
189
|
-
# @see https://
|
189
|
+
# @see https://datatracker.ietf.org/doc/html/rfc7662#section-2.2
|
190
190
|
#
|
191
191
|
def customize_response(response)
|
192
192
|
customized_response = Doorkeeper.config.custom_introspection_response.call(
|
data/lib/doorkeeper/version.rb
CHANGED
@@ -276,7 +276,7 @@ Doorkeeper.configure do
|
|
276
276
|
# force_ssl_in_redirect_uri { |uri| uri.host != 'localhost' }
|
277
277
|
|
278
278
|
# Specify what redirect URI's you want to block during Application creation.
|
279
|
-
# Any redirect URI is
|
279
|
+
# Any redirect URI is allowed by default.
|
280
280
|
#
|
281
281
|
# You can use this option in order to forbid URI's with 'javascript' scheme
|
282
282
|
# for example.
|
@@ -343,8 +343,8 @@ Doorkeeper.configure do
|
|
343
343
|
#
|
344
344
|
# implicit and password grant flows have risks that you should understand
|
345
345
|
# before enabling:
|
346
|
-
#
|
347
|
-
#
|
346
|
+
# https://datatracker.ietf.org/doc/html/rfc6819#section-4.4.2
|
347
|
+
# https://datatracker.ietf.org/doc/html/rfc6819#section-4.4.3
|
348
348
|
#
|
349
349
|
# grant_flows %w[authorization_code client_credentials]
|
350
350
|
|
@@ -387,7 +387,7 @@ Doorkeeper.configure do
|
|
387
387
|
# Be default all Resource Owners are authorized to any Client (application).
|
388
388
|
#
|
389
389
|
# authorize_resource_owner_for_client do |client, resource_owner|
|
390
|
-
# resource_owner.admin? || client.
|
390
|
+
# resource_owner.admin? || client.owners_allowlist.include?(resource_owner)
|
391
391
|
# end
|
392
392
|
|
393
393
|
# Hook into the strategies' request & response life-cycle in case your
|
@@ -61,7 +61,7 @@ class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
|
|
61
61
|
# *the client MUST discard the old refresh token* and replace it with the
|
62
62
|
# new refresh token. The authorization server MAY revoke the old
|
63
63
|
# refresh token after issuing a new refresh token to the client.
|
64
|
-
# @see https://
|
64
|
+
# @see https://datatracker.ietf.org/doc/html/rfc6749#section-6
|
65
65
|
#
|
66
66
|
# Doorkeeper implementation: if there is a `previous_refresh_token` column,
|
67
67
|
# refresh tokens will be revoked after a related access token is used.
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: doorkeeper
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 5.5.
|
4
|
+
version: 5.5.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Felipe Elias Philipp
|
@@ -11,7 +11,7 @@ authors:
|
|
11
11
|
autorequire:
|
12
12
|
bindir: bin
|
13
13
|
cert_chain: []
|
14
|
-
date: 2021-
|
14
|
+
date: 2021-09-23 00:00:00.000000000 Z
|
15
15
|
dependencies:
|
16
16
|
- !ruby/object:Gem::Dependency
|
17
17
|
name: railties
|