doorkeeper 5.5.2 → 5.5.3


Potentially problematic release: this version of doorkeeper might be problematic.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 9b8f700b4b7e5e40df07c8679ec477db21fe96ed05d70a5e6cb50c62cac886c2
4
- data.tar.gz: cc34f22bd2800620f9b901a0025f569a0299a1105a7350ba95b62b34b7f5cdad
3
+ metadata.gz: 55ced432e71b3066f090735a7f68d95954ef41ec19f371b6ce4244bd2d462c64
4
+ data.tar.gz: 35da75b4534aa7ac1ceb3ad35d5bc40a4173c06de05212b9e36f88795c083f65
5
5
  SHA512:
6
- metadata.gz: 27d0ae20071180742cb735351165d808d8d3a6f0571ce12fc741f572fb9f69c789d760c299fa5a31814790611474e3eed12fb2a8ab4902151c21a847855fa8d3
7
- data.tar.gz: 64e39c64aa61cf27ee0418be14880b9bb1ce23159a6ee61af4d32b1a187ddcb32f70402799bb9f673a1d3a1efe1abd2e9b940564d05e161a7aee737497af1d54
6
+ metadata.gz: 8336b6956cfddc0fc8b65923327eddda5ecdf2577c6e5b5cc5bc30aa675624313f3008b4b46cabecfca5b35a8df7f612e0b43974c4668b119254918a3ee1c9a2
7
+ data.tar.gz: 44ce41f014ea4e04f9626bc929c543ab593fc0087aa70bd011f064a76a6b3f4773c70ed285bcd4996eab5313f8ca278182075b3f912c947fb622a77179e33860
data/CHANGELOG.md CHANGED
@@ -9,6 +9,13 @@ User-visible changes worth mentioning.
9
9
 
10
10
  - [#PR ID] Add your PR description here.
11
11
 
12
+ ## 5.5.3
13
+
14
+ - [#1528] Don't allow extra query params in redirect_uri.
15
+ - [#1525] I18n source for forbidden token error is now `doorkeeper.errors.messages.forbidden_token.missing_scope`.
16
+ - [#1531] Disable `strict-loading` for Doorkeeper models by default.
17
+ - [#1532] Add support for Rails 7.
18
+
12
19
  ## 5.5.2
13
20
 
14
21
  - [#1502] Drop support for Ruby 2.4 because of EOL.
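Review bot: the #1528 entry understates a change that can break existing clients: after this release a request whose `redirect_uri` carries query parameters that are not on the registered URI is rejected, where before the extra parameters were silently ignored (see the redirect URI matching hunk later in this patch). Suggest wording it as a security fix that states the effect, e.g. `- [#1528] Reject redirect_uri values whose query string does not match the registered URI (extra query params were previously ignored).`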
data/README.md CHANGED
@@ -14,18 +14,18 @@ functionality to your Ruby on Rails or Grape application.
14
14
 
15
15
  Supported features:
16
16
 
17
- - [The OAuth 2.0 Authorization Framework](https://tools.ietf.org/html/rfc6749)
18
- - [Authorization Code Flow](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.1)
19
- - [Access Token Scopes](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-3.3)
20
- - [Refresh token](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-1.5)
21
- - [Implicit grant](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.2)
22
- - [Resource Owner Password Credentials](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.3)
23
- - [Client Credentials](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.4)
24
- - [OAuth 2.0 Token Revocation](http://tools.ietf.org/html/rfc7009)
25
- - [OAuth 2.0 Token Introspection](https://tools.ietf.org/html/rfc7662)
26
- - [OAuth 2.0 Threat Model and Security Considerations](http://tools.ietf.org/html/rfc6819)
27
- - [OAuth 2.0 for Native Apps](https://tools.ietf.org/html/draft-ietf-oauth-native-apps-10)
28
- - [Proof Key for Code Exchange by OAuth Public Clients](https://tools.ietf.org/html/rfc7636)
17
+ - [The OAuth 2.0 Authorization Framework](https://datatracker.ietf.org/doc/html/rfc6749)
18
+ - [Authorization Code Flow](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1)
19
+ - [Access Token Scopes](https://datatracker.ietf.org/doc/html/rfc6749#section-3.3)
20
+ - [Refresh token](https://datatracker.ietf.org/doc/html/rfc6749#section-1.5)
21
+ - [Implicit grant](https://datatracker.ietf.org/doc/html/rfc6749#section-4.2)
22
+ - [Resource Owner Password Credentials](https://datatracker.ietf.org/doc/html/rfc6749#section-4.3)
23
+ - [Client Credentials](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4)
24
+ - [OAuth 2.0 Token Revocation](https://datatracker.ietf.org/doc/html/rfc7009)
25
+ - [OAuth 2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662)
26
+ - [OAuth 2.0 Threat Model and Security Considerations](https://datatracker.ietf.org/doc/html/rfc6819)
27
+ - [OAuth 2.0 for Native Apps](https://datatracker.ietf.org/doc/html/rfc8252)
28
+ - [Proof Key for Code Exchange by OAuth Public Clients](https://datatracker.ietf.org/doc/html/rfc7636)
29
29
 
30
30
  ## Table of Contents
31
31
 
@@ -66,7 +66,7 @@ module Doorkeeper
66
66
  elsif pre_auth.form_post_response?
67
67
  render :form_post
68
68
  else
69
- redirect_to auth.redirect_uri
69
+ redirect_to auth.redirect_uri, allow_other_host: true
70
70
  end
71
71
  else
72
72
  render json: auth.body, status: auth.status
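Review bot: `allow_other_host: true` is what Rails 7's open-redirect protection requires here (with `raise_on_open_redirects` a cross-host `redirect_to` raises `ActionController::Redirecting::UnsafeRedirectError`), and an OAuth redirect target is by design another host, so the change is correct; the safety of this line now rests entirely on `auth.redirect_uri` being built from the registered, validated URI and never from the raw `redirect_uri` request parameter. Worth an inline comment saying exactly that, plus a spec asserting that a request whose `redirect_uri` does not match the registered one never reaches this `redirect_to`.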
@@ -12,7 +12,7 @@ module Doorkeeper
12
12
  handle_token_exception(e)
13
13
  end
14
14
 
15
- # OAuth 2.0 Token Revocation - http://tools.ietf.org/html/rfc7009
15
+ # OAuth 2.0 Token Revocation - https://datatracker.ietf.org/doc/html/rfc7009
16
16
  def revoke
17
17
  # The authorization server responds with HTTP status code 200 if the client
18
18
  # submitted an invalid token or the token has been revoked successfully.
@@ -94,8 +94,8 @@ module Doorkeeper
94
94
  # types, they set the application_id as null (since the claim cannot be
95
95
  # verified).
96
96
  #
97
- # https://tools.ietf.org/html/rfc6749#section-2.1
98
- # https://tools.ietf.org/html/rfc7009
97
+ # https://datatracker.ietf.org/doc/html/rfc6749#section-2.1
98
+ # https://datatracker.ietf.org/doc/html/rfc7009
99
99
  def authorized?
100
100
  # Token belongs to specific client, so we need to check if
101
101
  # authenticated client could access it.
@@ -6,7 +6,7 @@ module Doorkeeper
6
6
  return if object.errors[method].blank?
7
7
 
8
8
  output = object.errors[method].map do |msg|
9
- content_tag(:span, class: "form-text") do
9
+ content_tag(:span, class: "invalid-feedback") do
10
10
  msg.capitalize
11
11
  end
12
12
  end
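Review bot: `invalid-feedback` is Bootstrap's validation class, and Bootstrap only displays it when the preceding form control carries `is-invalid` (or the browser's `:invalid` state); if the input helper that renders these fields does not add `is-invalid` on error, the messages are emitted but hidden. Check the matching input markup, and note that this view change is not mentioned in the CHANGELOG.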
@@ -125,6 +125,9 @@ en:
125
125
  revoke:
126
126
  unauthorized: "You are not authorized to revoke this token"
127
127
 
128
+ forbidden_token:
129
+ missing_scope: 'Access to this resource requires scope "%{oauth_scopes}".'
130
+
128
131
  flash:
129
132
  applications:
130
133
  create:
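Review bot: only `en.yml` gains `forbidden_token.missing_scope`, while the error class in this patch now resolves that key at runtime; an app running Doorkeeper under another locale will get an I18n "translation missing" string in the 403 body unless fallbacks are configured. Suggest either a `default:` in the `I18n.t` call or a CHANGELOG line telling integrators with custom locale files to add the key.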
@@ -49,7 +49,7 @@ module Doorkeeper
49
49
  end
50
50
 
51
51
  # Implements PKCE code_challenge encoding without base64 padding as described in the spec.
52
- # https://tools.ietf.org/html/rfc7636#appendix-A
52
+ # https://datatracker.ietf.org/doc/html/rfc7636#appendix-A
53
53
  # Appendix A. Notes on Implementing Base64url Encoding without Padding
54
54
  #
55
55
  # This appendix describes how to implement a base64url-encoding
@@ -279,7 +279,7 @@ module Doorkeeper
279
279
  end
280
280
 
281
281
  # Access Token type: Bearer.
282
- # @see https://tools.ietf.org/html/rfc6750
282
+ # @see https://datatracker.ietf.org/doc/html/rfc6750
283
283
  # The OAuth 2.0 Authorization Framework: Bearer Token Usage
284
284
  #
285
285
  def token_type
@@ -6,7 +6,7 @@ module Doorkeeper
6
6
  validate :params, error: :invalid_request
7
7
  validate :client, error: :invalid_client
8
8
  validate :grant, error: :invalid_grant
9
- # @see https://tools.ietf.org/html/rfc6749#section-5.2
9
+ # @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
10
10
  validate :redirect_uri, error: :invalid_grant
11
11
  validate :code_verifier, error: :invalid_grant
12
12
 
@@ -23,7 +23,8 @@ module Doorkeeper
23
23
  end
24
24
 
25
25
  def description
26
- @description ||= @scopes.map { |s| I18n.t(s, scope: %i[doorkeeper scopes]) }.join("\n")
26
+ @description ||= I18n.t("doorkeeper.errors.messages.forbidden_token.missing_scope",
27
+ oauth_scopes: @scopes.map(&:to_s).join(" "),)
27
28
  end
28
29
 
29
30
  protected
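Review bot: `oauth_scopes` is now the raw scope identifiers joined by spaces, whereas the replaced line translated each scope through `doorkeeper.scopes`, so any app relying on localized scope names in this message sees a visible change beyond the key rename recorded in the CHANGELOG for #1525; consider `I18n.t(..., default: ...)` so a locale without the new key does not send "translation missing" to the client. The trailing comma in `join(" "),)` is legal Ruby but reads like a leftover; dropping it keeps the style consistent with the rest of the file.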
@@ -11,8 +11,8 @@ module Doorkeeper
11
11
  # Access Token value must be 1*VSCHAR or
12
12
  # 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
13
13
  #
14
- # @see https://tools.ietf.org/html/rfc6749#appendix-A.12
15
- # @see https://tools.ietf.org/html/rfc6750#section-2.1
14
+ # @see https://datatracker.ietf.org/doc/html/rfc6749#appendix-A.12
15
+ # @see https://datatracker.ietf.org/doc/html/rfc6750#section-2.1
16
16
  #
17
17
  generator = options.delete(:generator) || SecureRandom.method(default_generator_method)
18
18
  token_size = options.delete(:size) || 32
@@ -19,22 +19,22 @@ module Doorkeeper
19
19
  url = as_uri(url)
20
20
  client_url = as_uri(client_url)
21
21
 
22
- unless client_url.query.nil?
22
+ unless client_url.query.nil? && url.query.nil?
23
23
  return false unless query_matches?(url.query, client_url.query)
24
24
 
25
25
  # Clear out queries so rest of URI can be tested. This allows query
26
26
  # params to be in the request but order not mattering.
27
27
  client_url.query = nil
28
+ url.query = nil
28
29
  end
29
30
 
30
31
  # RFC8252, Paragraph 7.3
31
- # @see https://tools.ietf.org/html/rfc8252#section-7.3
32
+ # @see https://datatracker.ietf.org/doc/html/rfc8252#section-7.3
32
33
  if loopback_uri?(url) && loopback_uri?(client_url)
33
34
  url.port = nil
34
35
  client_url.port = nil
35
36
  end
36
37
 
37
- url.query = nil
38
38
  url == client_url
39
39
  end
40
40
 
@@ -57,7 +57,7 @@ module Doorkeeper
57
57
  #
58
58
  # o authenticate the client if client authentication is included,
59
59
  #
60
- # @see https://tools.ietf.org/html/rfc6749#section-4.3
60
+ # @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3
61
61
  #
62
62
  def validate_client
63
63
  if Doorkeeper.config.skip_client_authentication_for_password_grant
@@ -101,7 +101,7 @@ module Doorkeeper
101
101
  client.present?
102
102
  end
103
103
 
104
- # @see https://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-1.5
104
+ # @see https://datatracker.ietf.org/doc/html/rfc6749#section-1.5
105
105
  #
106
106
  def validate_client_match
107
107
  return true if refresh_token.application_id.blank?
@@ -4,7 +4,7 @@ module Doorkeeper
4
4
  module OAuth
5
5
  # RFC7662 OAuth 2.0 Token Introspection
6
6
  #
7
- # @see https://tools.ietf.org/html/rfc7662
7
+ # @see https://datatracker.ietf.org/doc/html/rfc7662
8
8
  class TokenIntrospection
9
9
  def initialize(server, token)
10
10
  @server = server
@@ -107,7 +107,7 @@ module Doorkeeper
107
107
  # authorization server SHOULD NOT include any additional information
108
108
  # about an inactive token, including why the token is inactive.
109
109
  #
110
- # @see https://tools.ietf.org/html/rfc7662 2.2. Introspection Response
110
+ # @see https://datatracker.ietf.org/doc/html/rfc7662 2.2. Introspection Response
111
111
  #
112
112
  def failure_response
113
113
  {
@@ -186,7 +186,7 @@ module Doorkeeper
186
186
  # Provides context (controller) and token for generating developer-specific
187
187
  # response.
188
188
  #
189
- # @see https://tools.ietf.org/html/rfc7662#section-2.2
189
+ # @see https://datatracker.ietf.org/doc/html/rfc7662#section-2.2
190
190
  #
191
191
  def customize_response(response)
192
192
  customized_response = Doorkeeper.config.custom_introspection_response.call(
@@ -6,6 +6,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
6
6
 
7
7
  included do
8
8
  self.table_name = compute_doorkeeper_table_name
9
+ self.strict_loading_by_default = false if respond_to?(:strict_loading_by_default)
9
10
 
10
11
  include ::Doorkeeper::AccessGrantMixin
11
12
 
@@ -6,6 +6,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
6
6
 
7
7
  included do
8
8
  self.table_name = compute_doorkeeper_table_name
9
+ self.strict_loading_by_default = false if respond_to?(:strict_loading_by_default)
9
10
 
10
11
  include ::Doorkeeper::AccessTokenMixin
11
12
 
@@ -6,6 +6,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
6
6
 
7
7
  included do
8
8
  self.table_name = compute_doorkeeper_table_name
9
+ self.strict_loading_by_default = false if respond_to?(:strict_loading_by_default)
9
10
 
10
11
  include ::Doorkeeper::ApplicationMixin
11
12
 
@@ -5,7 +5,7 @@ module Doorkeeper
5
5
  # Semantic versioning
6
6
  MAJOR = 5
7
7
  MINOR = 5
8
- TINY = 2
8
+ TINY = 3
9
9
  PRE = nil
10
10
 
11
11
  # Full version number
@@ -276,7 +276,7 @@ Doorkeeper.configure do
276
276
  # force_ssl_in_redirect_uri { |uri| uri.host != 'localhost' }
277
277
 
278
278
  # Specify what redirect URI's you want to block during Application creation.
279
- # Any redirect URI is whitelisted by default.
279
+ # Any redirect URI is allowed by default.
280
280
  #
281
281
  # You can use this option in order to forbid URI's with 'javascript' scheme
282
282
  # for example.
@@ -343,8 +343,8 @@ Doorkeeper.configure do
343
343
  #
344
344
  # implicit and password grant flows have risks that you should understand
345
345
  # before enabling:
346
- # http://tools.ietf.org/html/rfc6819#section-4.4.2
347
- # http://tools.ietf.org/html/rfc6819#section-4.4.3
346
+ # https://datatracker.ietf.org/doc/html/rfc6819#section-4.4.2
347
+ # https://datatracker.ietf.org/doc/html/rfc6819#section-4.4.3
348
348
  #
349
349
  # grant_flows %w[authorization_code client_credentials]
350
350
 
@@ -387,7 +387,7 @@ Doorkeeper.configure do
387
387
  # Be default all Resource Owners are authorized to any Client (application).
388
388
  #
389
389
  # authorize_resource_owner_for_client do |client, resource_owner|
390
- # resource_owner.admin? || client.owners_whitelist.include?(resource_owner)
390
+ # resource_owner.admin? || client.owners_allowlist.include?(resource_owner)
391
391
  # end
392
392
 
393
393
  # Hook into the strategies' request & response life-cycle in case your
@@ -61,7 +61,7 @@ class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
61
61
  # *the client MUST discard the old refresh token* and replace it with the
62
62
  # new refresh token. The authorization server MAY revoke the old
63
63
  # refresh token after issuing a new refresh token to the client.
64
- # @see https://tools.ietf.org/html/rfc6749#section-6
64
+ # @see https://datatracker.ietf.org/doc/html/rfc6749#section-6
65
65
  #
66
66
  # Doorkeeper implementation: if there is a `previous_refresh_token` column,
67
67
  # refresh tokens will be revoked after a related access token is used.
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: doorkeeper
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.5.2
4
+ version: 5.5.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - Felipe Elias Philipp
@@ -11,7 +11,7 @@ authors:
11
11
  autorequire:
12
12
  bindir: bin
13
13
  cert_chain: []
14
- date: 2021-06-11 00:00:00.000000000 Z
14
+ date: 2021-09-23 00:00:00.000000000 Z
15
15
  dependencies:
16
16
  - !ruby/object:Gem::Dependency
17
17
  name: railties