doorkeeper 5.5.4 → 5.6.6

data/lib/doorkeeper/models/concerns/polymorphic_resource_owner.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module Models
+    module PolymorphicResourceOwner
+      module ForAccessGrant
+        extend ActiveSupport::Concern
+
+        included do
+          if Doorkeeper.config.polymorphic_resource_owner?
+            belongs_to :resource_owner, polymorphic: true, optional: false
+          else
+            validates :resource_owner_id, presence: true
+          end
+        end
+      end
+
+      module ForAccessToken
+        extend ActiveSupport::Concern
+
+        included do
+          if Doorkeeper.config.polymorphic_resource_owner?
+            belongs_to :resource_owner, polymorphic: true, optional: true
+          end
+        end
+      end
+    end
+  end
+end
+

data/lib/doorkeeper/oauth/authorization/code.rb

@@ -45,7 +45,13 @@ module Doorkeeper
             attributes[:resource_owner_id] = resource_owner.id
           end
 
-          pkce_attributes.merge(attributes)
+          pkce_attributes.merge(attributes).merge(custom_attributes)
+        end
+
+        def custom_attributes
+          # Custom access token attributes are saved into the access grant,
+          # and then included in subsequently generated access tokens.
+          @pre_auth.custom_access_token_attributes.to_h.with_indifferent_access
         end
 
         def pkce_attributes

data/lib/doorkeeper/oauth/authorization/token.rb

@@ -60,7 +60,7 @@ module Doorkeeper
           )
 
           @token = Doorkeeper.config.access_token_model.find_or_create_for(
-            application: pre_auth.client,
+            application: application,
             resource_owner: resource_owner,
             scopes: pre_auth.scopes,
             expires_in: self.class.access_token_expires_in(Doorkeeper.config, context),
@@ -68,6 +68,12 @@ module Doorkeeper
           )
         end
 
+        def application
+          return unless pre_auth.client
+
+          pre_auth.client.is_a?(Doorkeeper.config.application_model) ? pre_auth.client : pre_auth.client.application
+        end
+
         def oob_redirect
           {
             controller: controller,

data/lib/doorkeeper/oauth/authorization_code_request.rb

@@ -35,6 +35,7 @@ module Doorkeeper
             grant.application,
             resource_owner,
             grant.scopes,
+            custom_token_attributes_with_data,
             server,
           )
         end
@@ -55,11 +56,12 @@ module Doorkeeper
       end
 
       def validate_params
-        @missing_param = if grant&.uses_pkce? && code_verifier.blank?
-                           :code_verifier
-                         elsif redirect_uri.blank?
-                           :redirect_uri
-                         end
+        @missing_param =
+          if grant&.uses_pkce? && code_verifier.blank?
+            :code_verifier
+          elsif redirect_uri.blank?
+            :redirect_uri
+          end
 
         @missing_param.nil?
       end
@@ -97,7 +99,15 @@ module Doorkeeper
       end
 
       def generate_code_challenge(code_verifier)
-        server_config.access_grant_model.generate_code_challenge(code_verifier)
+        Doorkeeper.config.access_grant_model.generate_code_challenge(code_verifier)
+      end
+
+      def custom_token_attributes_with_data
+        grant
+          .attributes
+          .with_indifferent_access
+          .slice(*Doorkeeper.config.custom_access_token_attributes)
+          .symbolize_keys
       end
     end
   end

data/lib/doorkeeper/oauth/base_request.rb

@@ -26,27 +26,28 @@ module Doorkeeper
         @scopes ||= build_scopes
       end
 
-      def find_or_create_access_token(client, resource_owner, scopes, server)
+      def find_or_create_access_token(client, resource_owner, scopes, custom_attributes, server)
         context = Authorization::Token.build_context(client, grant_type, scopes, resource_owner)
-        @access_token = server_config.access_token_model.find_or_create_for(
-          application: client,
+        application = client.is_a?(Doorkeeper.config.application_model) ? client : client&.application
+
+        token_attributes = {
+          application: application,
           resource_owner: resource_owner,
           scopes: scopes,
           expires_in: Authorization::Token.access_token_expires_in(server, context),
           use_refresh_token: Authorization::Token.refresh_token_enabled?(server, context),
-        )
+        }
+
+        @access_token =
+          Doorkeeper.config.access_token_model.find_or_create_for(**token_attributes.merge(custom_attributes))
       end
 
       def before_successful_response
-        server_config.before_successful_strategy_response.call(self)
+        Doorkeeper.config.before_successful_strategy_response.call(self)
       end
 
       def after_successful_response
-        server_config.after_successful_strategy_response.call(self, @response)
-      end
-
-      def server_config
-        Doorkeeper.config
+        Doorkeeper.config.after_successful_strategy_response.call(self, @response)
       end
 
       private

data/lib/doorkeeper/oauth/client_credentials/creator.rb

@@ -8,13 +8,14 @@ module Doorkeeper
           existing_token = nil
 
           if lookup_existing_token?
-            existing_token = find_existing_token_for(client, scopes)
-            return existing_token if server_config.reuse_access_token && existing_token&.reusable?
+            existing_token = find_active_existing_token_for(client, scopes)
+            return existing_token if Doorkeeper.config.reuse_access_token && existing_token&.reusable?
           end
 
           with_revocation(existing_token: existing_token) do
-            server_config.access_token_model.find_or_create_for(
-              application: client,
+            application = client.is_a?(Doorkeeper.config.application_model) ? client : client&.application
+            Doorkeeper.config.access_token_model.create_for(
+              application: application,
               resource_owner: nil,
               scopes: scopes,
               **attributes,
@@ -25,7 +26,7 @@ module Doorkeeper
         private
 
         def with_revocation(existing_token:)
-          if existing_token && server_config.revoke_previous_client_credentials_token?
+          if existing_token && Doorkeeper.config.revoke_previous_client_credentials_token?
             existing_token.with_lock do
               raise Errors::DoorkeeperError, :invalid_token_reuse if existing_token.revoked?
 
@@ -39,16 +40,12 @@ module Doorkeeper
         end
 
         def lookup_existing_token?
-          server_config.reuse_access_token ||
-            server_config.revoke_previous_client_credentials_token?
+          Doorkeeper.config.reuse_access_token ||
+            Doorkeeper.config.revoke_previous_client_credentials_token?
         end
 
-        def find_existing_token_for(client, scopes)
-          server_config.access_token_model.matching_token_for(client, nil, scopes)
-        end
-
-        def server_config
-          Doorkeeper.config
+        def find_active_existing_token_for(client, scopes)
+          Doorkeeper.config.access_token_model.matching_token_for(client, nil, scopes, include_expired: false)
         end
       end
     end

data/lib/doorkeeper/oauth/client_credentials/validator.rb

@@ -35,13 +35,12 @@ module Doorkeeper
         end
 
         def validate_scopes
-          return true if @request.scopes.blank?
-
           application_scopes = if @client.present?
                                  @client.application.scopes
                                else
                                  ""
                                end
+          return true if @request.scopes.blank? && application_scopes.blank?
 
           ScopeChecker.valid?(
             scope_str: @request.scopes.to_s,

data/lib/doorkeeper/oauth/error_response.rb

@@ -55,8 +55,7 @@ module Doorkeeper
 
       def headers
         {
-          "Cache-Control" => "no-store",
-          "Pragma" => "no-cache",
+          "Cache-Control" => "no-store, no-cache",
           "Content-Type" => "application/json; charset=utf-8",
           "WWW-Authenticate" => authenticate_info,
         }

data/lib/doorkeeper/oauth/helpers/uri_checker.rb

@@ -61,9 +61,9 @@ module Doorkeeper
         end
 
         def self.valid_scheme?(uri)
-          return false if uri.scheme.nil?
+          return false if uri.scheme.blank?
 
-          %w[localhost].include?(uri.scheme) == false
+          %w[localhost].exclude?(uri.scheme)
         end
 
         def self.hypertext_scheme?(uri)
@@ -71,7 +71,7 @@ module Doorkeeper
         end
 
         def self.iff_host?(uri)
-          !(hypertext_scheme?(uri) && uri.host.nil?)
+          !(hypertext_scheme?(uri) && uri.host.blank?)
         end
 
         def self.oob_uri?(uri)

data/lib/doorkeeper/oauth/password_access_token_request.rb

@@ -25,7 +25,7 @@ module Doorkeeper
       private
 
       def before_successful_response
-        find_or_create_access_token(client, resource_owner, scopes, server)
+        find_or_create_access_token(client, resource_owner, scopes, {}, server)
         super
       end
 
@@ -68,7 +68,7 @@ module Doorkeeper
       end
 
       def validate_client_supports_grant_flow
-        server_config.allow_grant_flow_for_client?(grant_type, client&.application)
+        Doorkeeper.config.allow_grant_flow_for_client?(grant_type, client&.application)
       end
     end
   end

data/lib/doorkeeper/oauth/pre_authorization.rb

@@ -18,19 +18,20 @@ module Doorkeeper
 
       attr_reader :client, :code_challenge, :code_challenge_method, :missing_param,
                   :redirect_uri, :resource_owner, :response_type, :state,
-                  :authorization_response_flow, :response_mode
+                  :authorization_response_flow, :response_mode, :custom_access_token_attributes
 
       def initialize(server, parameters = {}, resource_owner = nil)
-        @server                = server
-        @client_id             = parameters[:client_id]
-        @response_type         = parameters[:response_type]
-        @response_mode         = parameters[:response_mode]
-        @redirect_uri          = parameters[:redirect_uri]
-        @scope                 = parameters[:scope]
-        @state                 = parameters[:state]
-        @code_challenge        = parameters[:code_challenge]
+        @server = server
+        @client_id = parameters[:client_id]
+        @response_type = parameters[:response_type]
+        @response_mode = parameters[:response_mode]
+        @redirect_uri = parameters[:redirect_uri]
+        @scope = parameters[:scope]
+        @state = parameters[:state]
+        @code_challenge = parameters[:code_challenge]
         @code_challenge_method = parameters[:code_challenge_method]
-        @resource_owner        = resource_owner
+        @resource_owner = resource_owner
+        @custom_access_token_attributes = parameters.slice(*Doorkeeper.config.custom_access_token_attributes)
       end
 
       def authorizable?

data/lib/doorkeeper/oauth/refresh_token_request.rb

@@ -26,7 +26,7 @@ module Doorkeeper
       private
 
       def load_client(credentials)
-        server_config.application_model.by_uid_and_secret(credentials.uid, credentials.secret)
+        Doorkeeper.config.application_model.by_uid_and_secret(credentials.uid, credentials.secret)
       end
 
       def before_successful_response
@@ -41,7 +41,7 @@ module Doorkeeper
       end
 
       def refresh_token_revoked_on_use?
-        server_config.access_token_model.refresh_token_revoked_on_use?
+        Doorkeeper.config.access_token_model.refresh_token_revoked_on_use?
       end
 
       def default_scopes
@@ -49,7 +49,7 @@ module Doorkeeper
       end
 
       def create_access_token
-        attributes = {}
+        attributes = {}.merge(custom_token_attributes_with_data)
 
         resource_owner =
           if Doorkeeper.config.polymorphic_resource_owner?
@@ -75,7 +75,7 @@ module Doorkeeper
         # Here we assume that TTL of the token received after refreshing should be
         # the same as that of the original token.
         #
-        @access_token = server_config.access_token_model.create_for(
+        @access_token = Doorkeeper.config.access_token_model.create_for(
           application: refresh_token.application,
           resource_owner: resource_owner,
           scopes: scopes,
@@ -119,6 +119,14 @@ module Doorkeeper
           true
         end
       end
+
+      def custom_token_attributes_with_data
+        refresh_token
+        .attributes
+        .with_indifferent_access
+        .slice(*Doorkeeper.config.custom_access_token_attributes)
+        .symbolize_keys
+      end
     end
   end
 end

data/lib/doorkeeper/oauth/token_introspection.rb

@@ -134,7 +134,7 @@ module Doorkeeper
       # Since resource servers using token introspection rely on the
       # authorization server to determine the state of a token, the
       # authorization server MUST perform all applicable checks against a
-      # token's state.  For instance, these tests include the following:
+      # token's state. For instance, these tests include the following:
       #
       #    o  If the token can expire, the authorization server MUST determine
       #       whether or not the token has expired.

data/lib/doorkeeper/oauth/token_response.rb

@@ -26,8 +26,7 @@ module Doorkeeper
 
       def headers
         {
-          "Cache-Control" => "no-store",
-          "Pragma" => "no-cache",
+          "Cache-Control" => "no-store, no-cache",
           "Content-Type" => "application/json; charset=utf-8",
         }
       end

data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb

@@ -14,12 +14,6 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
                                optional: true,
                                inverse_of: :access_grants
 
-      if Doorkeeper.config.polymorphic_resource_owner?
-        belongs_to :resource_owner, polymorphic: true, optional: false
-      else
-        validates :resource_owner_id, presence: true
-      end
-
       validates :application_id,
                 :token,
                 :expires_in,

data/lib/doorkeeper/orm/active_record/mixins/access_token.rb

@@ -14,10 +14,6 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
                                inverse_of: :access_tokens,
                                optional: true
 
-      if Doorkeeper.config.polymorphic_resource_owner?
-        belongs_to :resource_owner, polymorphic: true, optional: true
-      end
-
       validates :token, presence: true, uniqueness: { case_sensitive: true }
       validates :refresh_token, uniqueness: { case_sensitive: true }, if: :use_refresh_token?
 
@@ -48,6 +44,27 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
         column_names.include?("previous_refresh_token")
       end
 
+      # Returns non-expired and non-revoked access tokens
+      def not_expired
+        relation = where(revoked_at: nil)
+
+        if supports_expiration_time_math?
+          # have not reached the expiration time or it never expires
+          relation.where("#{expiration_time_sql} > ?", Time.now.utc).or(
+            relation.where(expires_in: nil)
+          )
+        else
+          ::Kernel.warn <<~WARNING.squish
+            [DOORKEEPER] Doorkeeper doesn't support expiration time math for your database adapter (#{adapter_name}).
+            Please add a class method `custom_expiration_time_sql` for your AccessToken class/mixin to provide a custom
+            SQL expression to calculate access token expiration time. See lib/doorkeeper/orm/active_record/mixins/access_token.rb
+            for more details.
+          WARNING
+
+          relation
+        end
+      end
+
       private
 
       def compute_doorkeeper_table_name

data/lib/doorkeeper/orm/active_record/mixins/application.rb

@@ -44,7 +44,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
       # @return [String] new transformed secret value
       #
       def renew_secret
-        @raw_secret = Doorkeeper::OAuth::Helpers::UniqueToken.generate
+        @raw_secret = secret_generator.generate
         secret_strategy.store_secret(self, :secret, @raw_secret)
       end
 
@@ -102,6 +102,17 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
 
       private
 
+      def secret_generator
+        generator_name = Doorkeeper.config.application_secret_generator
+        generator = generator_name.constantize
+
+        return generator if generator.respond_to?(:generate)
+
+        raise Errors::UnableToGenerateToken, "#{generator} does not respond to `.generate`."
+      rescue NameError
+        raise Errors::TokenGeneratorNotFound, "#{generator_name} not found"
+      end
+
       def generate_uid
         self.uid = Doorkeeper::OAuth::Helpers::UniqueToken.generate if uid.blank?
       end

data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb

@@ -45,11 +45,11 @@ module Doorkeeper
     end
 
     def unspecified_host?(uri)
-      uri.is_a?(URI::HTTP) && uri.host.nil?
+      uri.is_a?(URI::HTTP) && uri.host.blank?
     end
 
     def relative_uri?(uri)
-      uri.scheme.nil? && uri.host.nil?
+      uri.scheme.nil? && uri.host.blank?
     end
 
     def invalid_ssl_uri?(uri)

data/lib/doorkeeper/orm/active_record/stale_records_cleaner.rb

@@ -15,7 +15,8 @@ module Doorkeeper
         def clean_revoked
           table = @base_scope.arel_table
 
-          @base_scope.where.not(revoked_at: nil)
+          @base_scope
+            .where.not(revoked_at: nil)
             .where(table[:revoked_at].lt(Time.current))
             .in_batches(&:delete_all)
         end
@@ -24,7 +25,9 @@ module Doorkeeper
         def clean_expired(ttl)
           table = @base_scope.arel_table
 
-          @base_scope.where(table[:created_at].lt(Time.current - ttl))
+          @base_scope
+            .where.not(expires_in: nil)
+            .where(table[:created_at].lt(Time.current - ttl))
             .in_batches(&:delete_all)
         end
       end

data/lib/doorkeeper/orm/active_record.rb

@@ -1,51 +1,44 @@
 # frozen_string_literal: true
 
-require "active_support/lazy_load_hooks"
-
 module Doorkeeper
+  autoload :AccessGrant, "doorkeeper/orm/active_record/access_grant"
+  autoload :AccessToken, "doorkeeper/orm/active_record/access_token"
+  autoload :Application, "doorkeeper/orm/active_record/application"
+  autoload :RedirectUriValidator, "doorkeeper/orm/active_record/redirect_uri_validator"
+
+  module Models
+    autoload :Ownership, "doorkeeper/models/concerns/ownership"
+  end
+
+  # ActiveRecord ORM for Doorkeeper entity models.
+  # Consists of three main OAuth entities:
+  #   * Access Token
+  #   * Access Grant
+  #   * Application (client)
+  #
+  # Do a lazy loading of all the required and configured stuff.
+  #
   module Orm
-    # ActiveRecord ORM for Doorkeeper entity models.
-    # Consists of three main OAuth entities:
-    #   * Access Token
-    #   * Access Grant
-    #   * Application (client)
-    #
-    # Do a lazy loading of all the required and configured stuff.
-    #
     module ActiveRecord
-      def self.initialize_models!
-        lazy_load do
-          require "doorkeeper/orm/active_record/stale_records_cleaner"
-          require "doorkeeper/orm/active_record/access_grant"
-          require "doorkeeper/orm/active_record/access_token"
-          require "doorkeeper/orm/active_record/application"
+      autoload :StaleRecordsCleaner, "doorkeeper/orm/active_record/stale_records_cleaner"
 
-          if (options = Doorkeeper.config.active_record_options[:establish_connection])
-            Doorkeeper::Orm::ActiveRecord.models.each do |model|
-              model.establish_connection(options)
-            end
-          end
-        end
+      module Mixins
+        autoload :AccessGrant, "doorkeeper/orm/active_record/mixins/access_grant"
+        autoload :AccessToken, "doorkeeper/orm/active_record/mixins/access_token"
+        autoload :Application, "doorkeeper/orm/active_record/mixins/application"
       end
 
-      def self.initialize_application_owner!
-        lazy_load do
-          require "doorkeeper/models/concerns/ownership"
-
-          Doorkeeper.config.application_model.include(Doorkeeper::Models::Ownership)
-        end
+      def self.run_hooks
+        initialize_configured_associations
       end
 
-      def self.lazy_load(&block)
-        ActiveSupport.on_load(:active_record, {}, &block)
-      end
+      def self.initialize_configured_associations
+        if Doorkeeper.config.enable_application_owner?
+          Doorkeeper.config.application_model.include ::Doorkeeper::Models::Ownership
+        end
 
-      def self.models
-        [
-          Doorkeeper.config.access_grant_model,
-          Doorkeeper.config.access_token_model,
-          Doorkeeper.config.application_model,
-        ]
+        Doorkeeper.config.access_grant_model.include ::Doorkeeper::Models::PolymorphicResourceOwner::ForAccessGrant
+        Doorkeeper.config.access_token_model.include ::Doorkeeper::Models::PolymorphicResourceOwner::ForAccessToken
       end
     end
   end

data/lib/doorkeeper/rails/routes.rb

@@ -36,7 +36,7 @@ module Doorkeeper
           map_route(:authorizations, :authorization_routes)
           map_route(:tokens, :token_routes)
           map_route(:tokens, :revoke_routes)
-          map_route(:tokens, :introspect_routes) unless Doorkeeper.config.allow_token_introspection.is_a?(FalseClass)
+          map_route(:tokens, :introspect_routes) if introspection_routes?
           map_route(:applications, :application_routes)
           map_route(:authorized_applications, :authorized_applications_routes)
           map_route(:token_info, :token_info_routes)
@@ -53,8 +53,8 @@ module Doorkeeper
           as: mapping[:as],
           controller: mapping[:controllers],
         ) do
-          routes.get "/native", action: :show, on: :member
-          routes.get "/", action: :new, on: :member
+          routes.get native_authorization_code_route, action: :show, on: :member
+          routes.get '/', action: :new, on: :member
         end
       end
 
@@ -96,6 +96,15 @@ module Doorkeeper
                          only: %i[index destroy],
                          controller: mapping[:controllers]
       end
+
+      def native_authorization_code_route
+        Doorkeeper.configuration.native_authorization_code_route
+      end
+
+      def introspection_routes?
+        Doorkeeper.configured? &&
+          !Doorkeeper.config.allow_token_introspection.is_a?(FalseClass)
+      end
     end
   end
 end

data/lib/doorkeeper/rake/setup.rake

@@ -2,10 +2,5 @@
 
 namespace :doorkeeper do
   task setup: :environment do
-    # Dirty hack to manually initialize AR because of lazy auto-loading,
-    # in other case we'll see NameError: uninitialized constant Doorkeeper::AccessToken
-    if Doorkeeper.config.orm == :active_record && defined?(::ActiveRecord::Base)
-      Object.const_get("::ActiveRecord::Base")
-    end
   end
 end

data/lib/doorkeeper/version.rb

@@ -4,8 +4,8 @@ module Doorkeeper
   module VERSION
     # Semantic versioning
     MAJOR = 5
-    MINOR = 5
-    TINY = 4
+    MINOR = 6
+    TINY = 6
     PRE = nil
 
     # Full version number