doorkeeper 5.5.4 → 5.8.1

data/lib/doorkeeper/config.rb

@@ -5,59 +5,11 @@ require "doorkeeper/config/option"
 require "doorkeeper/config/validations"
 
 module Doorkeeper
-  # Defines a MissingConfiguration error for a missing Doorkeeper configuration
-  #
-  class MissingConfiguration < StandardError
-    def initialize
-      super("Configuration for doorkeeper missing. Do you have doorkeeper initializer?")
-    end
-  end
-
   # Doorkeeper option DSL could be reused in extensions to build their own
   # configurations. To use the Option DSL gems need to define `builder_class` method
   # that returns configuration Builder class. This exception raises when they don't
   # define it.
   #
-  class MissingConfigurationBuilderClass < StandardError; end
-
-  class << self
-    def configure(&block)
-      @config = Config::Builder.new(&block).build
-      setup_orm_adapter
-      setup_orm_models
-      setup_application_owner if @config.enable_application_owner?
-      @config
-    end
-
-    # @return [Doorkeeper::Config] configuration instance
-    #
-    def configuration
-      @config || (raise MissingConfiguration)
-    end
-
-    alias config configuration
-
-    def setup_orm_adapter
-      @orm_adapter = "doorkeeper/orm/#{configuration.orm}".classify.constantize
-    rescue NameError => e
-      raise e, "ORM adapter not found (#{configuration.orm})", <<-ERROR_MSG.strip_heredoc
-        [DOORKEEPER] ORM adapter not found (#{configuration.orm}), or there was an error
-        trying to load it.
-
-        You probably need to add the related gem for this adapter to work with
-        doorkeeper.
-      ERROR_MSG
-    end
-
-    def setup_orm_models
-      @orm_adapter.initialize_models!
-    end
-
-    def setup_application_owner
-      @orm_adapter.initialize_application_owner!
-    end
-  end
-
   class Config
     # Default Doorkeeper configuration builder
     class Builder < AbstractBuilder
@@ -79,6 +31,16 @@ module Doorkeeper
         @config.instance_variable_set(:@confirm_application_owner, true)
       end
 
+      # Provide support for dynamic scopes (e.g. user:*) (disabled by default)
+      # Optional parameter delimiter (default ":") if you want to customize
+      # the delimiter separating the scope name and matching value.
+      #
+      # @param opts [Hash] the options to configure dynamic scopes
+      def enable_dynamic_scopes(opts = {})
+        @config.instance_variable_set(:@enable_dynamic_scopes, true)
+        @config.instance_variable_set(:@dynamic_scopes_delimiter, opts[:delimiter] || ':')
+      end
+
       # Define default access token scopes for your provider
       #
       # @param scopes [Array] Default set of access (OAuth::Scopes.new)
@@ -137,6 +99,15 @@ module Doorkeeper
         @config.instance_variable_set(:@reuse_access_token, true)
       end
 
+      # Choose to use the url path for native autorization codes 
+      # Enabling this flag sets the authorization code response route for
+      # native redirect uris to oauth/authorize/<code>. The default is
+      # oauth/authorize/native?code=<code>.
+      # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/1143
+      def use_url_path_for_native_authorization
+        @config.instance_variable_set(:@use_url_path_for_native_authorization, true)
+      end
+
       # TODO: maybe make it more generic for other flows too?
       # Only allow one valid access token obtained via client credentials
       # per client. If a new access token is obtained before the old one
@@ -145,6 +116,19 @@ module Doorkeeper
         @config.instance_variable_set(:@revoke_previous_client_credentials_token, true)
       end
 
+      # Only allow one valid access token obtained via authorization code
+      # per client. If a new access token is obtained before the old one
+      # expired, the old one gets revoked (disabled by default)
+      def revoke_previous_authorization_code_token
+        @config.instance_variable_set(:@revoke_previous_authorization_code_token, true)
+      end
+
+      # Require non-confidential apps to use PKCE (send a code_verifier) when requesting
+      # an access_token using an authorization code (disabled by default)
+      def force_pkce
+        @config.instance_variable_set(:@force_pkce, true)
+      end
+
       # Use an API mode for applications generated with --api argument
       # It will skip applications controller, disable forgery protection
       def api_only
@@ -269,6 +253,7 @@ module Doorkeeper
     option :orm,                            default: :active_record
     option :native_redirect_uri,            default: "urn:ietf:wg:oauth:2.0:oob", deprecated: true
     option :grant_flows,                    default: %w[authorization_code client_credentials]
+    option :pkce_code_challenge_methods,    default: %w[plain S256]
     option :handle_auth_errors,             default: :render
     option :token_lookup_batch_size,        default: 10_000
     # Sets the token_reuse_limit
@@ -293,10 +278,6 @@ module Doorkeeper
     option :skip_client_authentication_for_password_grant,
            default: false
 
-    option :active_record_options,
-           default: {},
-           deprecated: { message: "Customize Doorkeeper models instead" }
-
     # Hook to allow arbitrary user-client authorization
     option :authorize_resource_owner_for_client,
            default: ->(_client, _resource_owner) { true }
@@ -364,11 +345,29 @@ module Doorkeeper
     option :access_token_generator,
            default: "Doorkeeper::OAuth::Helpers::UniqueToken"
 
+    # Allows additional data to be received when granting access to an Application, and for this
+    # additional data to be sent with subsequently generated access tokens. The access grant and
+    # access token models will both need to respond to the specified attribute names.
+    #
+    # @param attributes [Array] The array of custom attribute names to be saved
+    #
+    option :custom_access_token_attributes,
+           default: []
+
+    # Use a custom class for generating the application secret.
+    # https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-application-secret-generator
+    #
+    # @param application_secret_generator [String]
+    #   the name of the application secret generator class
+    #
+    option :application_secret_generator,
+           default: "Doorkeeper::OAuth::Helpers::UniqueToken"
+
     # Default access token generator is a SecureRandom class from Ruby stdlib.
     # This option defines which method will be used to generate a unique token value.
     #
-    # @param access_token_generator [String]
-    #   the name of the access token generator class
+    # @param default_generator_method [Symbol]
+    #   the method name of the default access token generator
     #
     option :default_generator_method, default: :urlsafe_base64
 
@@ -430,7 +429,7 @@ module Doorkeeper
            default: (lambda do |token, authorized_client, authorized_token|
              if authorized_token
                authorized_token.application == token&.application
-             elsif token.application
+             elsif token&.application
                authorized_client == token.application
              else
                true
@@ -441,6 +440,16 @@ module Doorkeeper
                 :token_secret_fallback_strategy,
                 :application_secret_fallback_strategy
 
+    def clear_cache!
+      %i[
+        application_model
+        access_token_model
+        access_grant_model
+      ].each do |var|
+        remove_instance_variable("@#{var}") if instance_variable_defined?("@#{var}")
+      end
+    end
+
     # Doorkeeper Access Token model class.
     #
     # @return [ActiveRecord::Base, Mongoid::Document, Sequel::Model]
@@ -496,6 +505,14 @@ module Doorkeeper
       option_set? :revoke_previous_client_credentials_token
     end
 
+    def revoke_previous_authorization_code_token?
+      option_set? :revoke_previous_authorization_code_token
+    end
+
+    def force_pkce?
+      option_set? :force_pkce
+    end
+
     def enforce_configured_scopes?
       option_set? :enforce_configured_scopes
     end
@@ -504,6 +521,14 @@ module Doorkeeper
       option_set? :enable_application_owner
     end
 
+    def enable_dynamic_scopes?
+      option_set? :enable_dynamic_scopes
+    end
+
+    def dynamic_scopes_delimiter
+      @dynamic_scopes_delimiter
+    end
+
     def polymorphic_resource_owner?
       option_set? :polymorphic_resource_owner
     end
@@ -516,6 +541,10 @@ module Doorkeeper
       handle_auth_errors == :raise
     end
 
+    def redirect_on_errors?
+      handle_auth_errors == :redirect
+    end
+
     def application_secret_hashed?
       instance_variable_defined?(:"@application_secret_strategy")
     end
@@ -544,6 +573,12 @@ module Doorkeeper
       @scopes_by_grant_type ||= {}
     end
 
+    def pkce_code_challenge_methods_supported
+      return [] unless access_grant_model.pkce_supported?
+      
+      pkce_code_challenge_methods
+    end
+
     def client_credentials_methods
       @client_credentials_methods ||= %i[from_basic from_params]
     end
@@ -581,6 +616,11 @@ module Doorkeeper
     def deprecated_token_grant_types_resolver
       @deprecated_token_grant_types ||= calculate_token_grant_types
     end
+    
+    def native_authorization_code_route
+      @use_url_path_for_native_authorization = false unless defined?(@use_url_path_for_native_authorization)
+      @use_url_path_for_native_authorization ? '/:code' : '/native'
+    end
 
     # [NOTE]: deprecated and will be removed soon
     def deprecated_authorization_flows

data/lib/doorkeeper/engine.rb

@@ -2,9 +2,12 @@
 
 module Doorkeeper
   class Engine < Rails::Engine
-    initializer "doorkeeper.params.filter" do |app|
-      parameters = %w[client_secret code authentication_token access_token refresh_token]
-      app.config.filter_parameters << /^(#{Regexp.union(parameters)})$/
+    initializer "doorkeeper.params.filter", after: :load_config_initializers do |app|
+      if Doorkeeper.configured?
+        parameters = %w[client_secret authentication_token access_token refresh_token]
+        parameters << "code" if Doorkeeper.config.grant_flows.include?("authorization_code")
+        app.config.filter_parameters << /^(#{Regexp.union(parameters)})$/
+      end
     end
 
     initializer "doorkeeper.routes" do
@@ -17,6 +20,10 @@ module Doorkeeper
       end
     end
 
+    config.to_prepare do
+      Doorkeeper.run_orm_hooks
+    end
+
     if defined?(Sprockets) && Sprockets::VERSION.chr.to_i >= 4
       initializer "doorkeeper.assets.precompile" do |app|
         # Force users to use:

data/lib/doorkeeper/errors.rb

@@ -6,6 +6,10 @@ module Doorkeeper
       def type
         message
       end
+
+      def self.translate_options
+        {}
+      end
     end
 
     class InvalidGrantReuse < DoorkeeperError
@@ -39,13 +43,41 @@ module Doorkeeper
       def initialize(response)
         @response = response
       end
+
+      def self.name_for_response
+        self.name.demodulize.underscore.to_sym
+      end
+    end
+
+    class InvalidCodeChallengeMethod < BaseResponseError
+      def self.translate_options
+        challenge_methods = Doorkeeper.config.pkce_code_challenge_methods_supported
+        {
+          challenge_methods: challenge_methods.join(", "),
+          count: challenge_methods.length
+        }
+      end
     end
 
     UnableToGenerateToken = Class.new(DoorkeeperError)
     TokenGeneratorNotFound = Class.new(DoorkeeperError)
     NoOrmCleaner = Class.new(DoorkeeperError)
 
+    InvalidRequest = Class.new(BaseResponseError)
     InvalidToken = Class.new(BaseResponseError)
+    InvalidClient = Class.new(BaseResponseError)
+    InvalidScope = Class.new(BaseResponseError)
+    InvalidRedirectUri = Class.new(BaseResponseError)
+    InvalidCodeChallenge = Class.new(BaseResponseError)
+    InvalidGrant = Class.new(BaseResponseError)
+
+    UnauthorizedClient = Class.new(BaseResponseError)
+    UnsupportedResponseType = Class.new(BaseResponseError)
+    UnsupportedResponseMode = Class.new(BaseResponseError)
+
+    AccessDenied = Class.new(BaseResponseError)
+    ServerError = Class.new(BaseResponseError)
+
     TokenExpired = Class.new(InvalidToken)
     TokenRevoked = Class.new(InvalidToken)
     TokenUnknown = Class.new(InvalidToken)

data/lib/doorkeeper/helpers/controller.rb

@@ -82,7 +82,7 @@ module Doorkeeper
       end
 
       def x_www_form_urlencoded?
-        request.content_type == "application/x-www-form-urlencoded"
+        request.media_type == "application/x-www-form-urlencoded"
       end
     end
   end

data/lib/doorkeeper/models/access_token_mixin.rb

@@ -13,6 +13,7 @@ module Doorkeeper
     include Models::SecretStorable
     include Models::Scopes
     include Models::ResourceOwnerable
+    include Models::ExpirationTimeSqlMath
 
     module ClassMethods
       # Returns an instance of the Doorkeeper::AccessToken with
@@ -82,13 +83,18 @@ module Doorkeeper
       #   Resource Owner model instance or it's ID
       # @param scopes [String, Doorkeeper::OAuth::Scopes]
       #   set of scopes
+      # @param custom_attributes [Nilable Hash]
+      #   A nil value, or hash with keys corresponding to the custom attributes
+      #   configured with the `custom_access_token_attributes` config option.
+      #   A nil value will ignore custom attributes.
       #
       # @return [Doorkeeper::AccessToken, nil] Access Token instance or
       #   nil if matching record was not found
       #
-      def matching_token_for(application, resource_owner, scopes)
+      def matching_token_for(application, resource_owner, scopes, custom_attributes: nil, include_expired: true)
         tokens = authorized_tokens_for(application&.id, resource_owner)
-        find_matching_token(tokens, application, scopes)
+        tokens = tokens.not_expired unless include_expired
+        find_matching_token(tokens, application, custom_attributes, scopes)
       end
 
       # Interface to enumerate access token records in batches in order not
@@ -104,9 +110,7 @@ module Doorkeeper
       #
       # ActiveRecord 5.x - 6.x ignores custom ordering so we can't perform a
       # database sort by created_at, so we need to load all the matching records,
-      # sort them and find latest one. Probably it would be better to rewrite this
-      # query using Time math if possible, but we n eed to consider ORM and
-      # different databases support.
+      # sort them and find latest one.
       #
       # @param relation [ActiveRecord::Relation]
       #   Access tokens relation
@@ -114,11 +118,15 @@ module Doorkeeper
       #   Application instance
       # @param scopes [String, Doorkeeper::OAuth::Scopes]
       #   set of scopes
+      # @param custom_attributes [Nilable Hash]
+      #   A nil value, or hash with keys corresponding to the custom attributes
+      #   configured with the `custom_access_token_attributes` config option.
+      #   A nil value will ignore custom attributes.
       #
       # @return [Doorkeeper::AccessToken, nil] Access Token instance or
       #   nil if matching record was not found
       #
-      def find_matching_token(relation, application, scopes)
+      def find_matching_token(relation, application, custom_attributes, scopes)
         return nil unless relation
 
         matching_tokens = []
@@ -126,7 +134,8 @@ module Doorkeeper
 
         find_access_token_in_batches(relation, batch_size: batch_size) do |batch|
           tokens = batch.select do |token|
-            scopes_match?(token.scopes, scopes, application&.scopes)
+            scopes_match?(token.scopes, scopes, application&.scopes) &&
+              custom_attributes_match?(token, custom_attributes)
           end
 
           matching_tokens.concat(tokens)
@@ -160,6 +169,31 @@ module Doorkeeper
           )
       end
 
+      # Checks whether the token custom attribute values match the custom
+      # attributes from the parameters.
+      #
+      # @param token [Doorkeeper::AccessToken]
+      #   The access token whose custom attributes are being compared
+      #   to the custom_attributes.
+      #
+      # @param custom_attributes [Hash]
+      #   A hash of the attributes for which we want to determine whether
+      #   the token's custom attributes match.
+      #
+      # @return [Boolean] true if the token's custom attribute values
+      #   match those in the custom_attributes, or if both are empty/blank.
+      #   False otherwise.
+      def custom_attributes_match?(token, custom_attributes)
+        return true if custom_attributes.nil?
+
+        token_attribs = token.custom_attributes
+        return true if token_attribs.blank? && custom_attributes.blank?
+
+        Doorkeeper.config.custom_access_token_attributes.all? do |attribute|
+          token_attribs[attribute] == custom_attributes[attribute]
+        end
+      end
+
       # Looking for not expired AccessToken record with a matching set of
       # scopes that belongs to specific Application and Resource Owner.
       # If it doesn't exists - then creates it.
@@ -180,8 +214,12 @@ module Doorkeeper
       # @return [Doorkeeper::AccessToken] existing record or a new one
       #
       def find_or_create_for(application:, resource_owner:, scopes:, **token_attributes)
+        scopes = Doorkeeper::OAuth::Scopes.from_string(scopes) if scopes.is_a?(String)
+
         if Doorkeeper.config.reuse_access_token
-          access_token = matching_token_for(application, resource_owner, scopes)
+          custom_attributes = extract_custom_attributes(token_attributes).presence
+          access_token = matching_token_for(
+            application, resource_owner, scopes, custom_attributes: custom_attributes, include_expired: false)
 
           return access_token if access_token&.reusable?
         end
@@ -213,7 +251,7 @@ module Doorkeeper
       # @return [Doorkeeper::AccessToken] new access token
       #
       def create_for(application:, resource_owner:, scopes:, **token_attributes)
-        token_attributes[:application_id] = application&.id
+        token_attributes[:application] = application
         token_attributes[:scopes] = scopes.to_s
 
         if Doorkeeper.config.polymorphic_resource_owner?
@@ -276,6 +314,18 @@ module Doorkeeper
       def fallback_secret_strategy
         ::Doorkeeper.config.token_secret_fallback_strategy
       end
+
+      # Extracts the token's custom attributes (defined by the
+      # custom_access_token_attributes config option) from the token's attributes.
+      #
+      # @param attributes [Hash]
+      #   A hash of the access token's attributes.
+      # @return [Hash]
+      #   A hash containing only the custom access token attributes.
+      def extract_custom_attributes(attributes)
+        attributes.with_indifferent_access.slice(
+          *Doorkeeper.configuration.custom_access_token_attributes)
+      end
     end
 
     # Access Token type: Bearer.
@@ -308,6 +358,14 @@ module Doorkeeper
       end
     end
 
+    # The token's custom attributes, as defined by
+    # the custom_access_token_attributes config option.
+    #
+    # @return [Hash] hash of custom access token attributes.
+    def custom_attributes
+      self.class.extract_custom_attributes(attributes)
+    end
+
     # Indicates whether the token instance have the same credential
     # as the other Access Token.
     #
@@ -435,6 +493,10 @@ module Doorkeeper
         if Doorkeeper.config.polymorphic_resource_owner?
           attributes[:resource_owner] = resource_owner
         end
+
+        Doorkeeper.config.custom_access_token_attributes.each do |attribute_name|
+          attributes[attribute_name] = public_send(attribute_name)
+        end
       end
     end
 

data/lib/doorkeeper/models/concerns/expiration_time_sql_math.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module Models
+    module ExpirationTimeSqlMath
+      extend ::ActiveSupport::Concern
+
+      class ExpirationTimeSqlGenerator
+        attr_reader :model
+
+        delegate :table_name, to: :@model
+
+        def initialize(model)
+          @model = model
+        end
+
+        def generate_sql
+          raise "`generate_sql` should be overridden for a #{self.class.name}!"
+        end
+      end
+
+      class MySqlExpirationTimeSqlGenerator < ExpirationTimeSqlGenerator
+        def generate_sql
+          Arel.sql("DATE_ADD(#{table_name}.created_at, INTERVAL #{table_name}.expires_in SECOND)")
+        end
+      end
+
+      class SqlLiteExpirationTimeSqlGenerator < ExpirationTimeSqlGenerator
+        def generate_sql
+          Arel.sql("DATETIME(#{table_name}.created_at, '+' || #{table_name}.expires_in || ' SECONDS')")
+        end
+      end
+
+      class SqlServerExpirationTimeSqlGenerator < ExpirationTimeSqlGenerator
+        def generate_sql
+          Arel.sql("DATEADD(second, #{table_name}.expires_in, #{table_name}.created_at) AT TIME ZONE 'UTC'")
+        end
+      end
+
+      class OracleExpirationTimeSqlGenerator < ExpirationTimeSqlGenerator
+        def generate_sql
+          Arel.sql("#{table_name}.created_at + INTERVAL to_char(#{table_name}.expires_in) second")
+        end
+      end
+
+      class PostgresExpirationTimeSqlGenerator < ExpirationTimeSqlGenerator
+        def generate_sql
+          Arel.sql("#{table_name}.created_at + #{table_name}.expires_in * INTERVAL '1 SECOND'")
+        end
+      end
+
+      ADAPTERS_MAPPING = {
+        "sqlite" => SqlLiteExpirationTimeSqlGenerator,
+        "sqlite3" => SqlLiteExpirationTimeSqlGenerator,
+        "postgis" => PostgresExpirationTimeSqlGenerator,
+        "postgresql" => PostgresExpirationTimeSqlGenerator,
+        "mysql" => MySqlExpirationTimeSqlGenerator,
+        "mysql2" => MySqlExpirationTimeSqlGenerator,
+        "trilogy" => MySqlExpirationTimeSqlGenerator,
+        "sqlserver" => SqlServerExpirationTimeSqlGenerator,
+        "oracleenhanced" => OracleExpirationTimeSqlGenerator,
+      }.freeze
+
+      module ClassMethods
+        def supports_expiration_time_math?
+          ADAPTERS_MAPPING.key?(adapter_name.downcase) ||
+            respond_to?(:custom_expiration_time_sql)
+        end
+
+        def expiration_time_sql
+          if respond_to?(:custom_expiration_time_sql)
+            custom_expiration_time_sql
+          else
+            expiration_time_sql_expression
+          end
+        end
+
+        def expiration_time_sql_expression
+          ADAPTERS_MAPPING.fetch(adapter_name.downcase).new(self).generate_sql
+        end
+
+        def adapter_name
+          ActiveRecord::Base.connection.adapter_name
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/models/concerns/polymorphic_resource_owner.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module Models
+    module PolymorphicResourceOwner
+      module ForAccessGrant
+        extend ActiveSupport::Concern
+
+        included do
+          if Doorkeeper.config.polymorphic_resource_owner?
+            belongs_to :resource_owner, polymorphic: true, optional: false
+          else
+            validates :resource_owner_id, presence: true
+          end
+        end
+      end
+
+      module ForAccessToken
+        extend ActiveSupport::Concern
+
+        included do
+          if Doorkeeper.config.polymorphic_resource_owner?
+            belongs_to :resource_owner, polymorphic: true, optional: true
+          end
+        end
+      end
+    end
+  end
+end
+

data/lib/doorkeeper/oauth/authorization/code.rb

@@ -45,7 +45,13 @@ module Doorkeeper
             attributes[:resource_owner_id] = resource_owner.id
           end
 
-          pkce_attributes.merge(attributes)
+          pkce_attributes.merge(attributes).merge(custom_attributes)
+        end
+
+        def custom_attributes
+          # Custom access token attributes are saved into the access grant,
+          # and then included in subsequently generated access tokens.
+          @pre_auth.custom_access_token_attributes.to_h.with_indifferent_access
         end
 
         def pkce_attributes

data/lib/doorkeeper/oauth/authorization/token.rb

@@ -60,7 +60,7 @@ module Doorkeeper
           )
 
           @token = Doorkeeper.config.access_token_model.find_or_create_for(
-            application: pre_auth.client,
+            application: application,
             resource_owner: resource_owner,
             scopes: pre_auth.scopes,
             expires_in: self.class.access_token_expires_in(Doorkeeper.config, context),
@@ -68,6 +68,12 @@ module Doorkeeper
           )
         end
 
+        def application
+          return unless pre_auth.client
+
+          pre_auth.client.is_a?(Doorkeeper.config.application_model) ? pre_auth.client : pre_auth.client.application
+        end
+
         def oob_redirect
           {
             controller: controller,