doorkeeper 5.5.4 → 5.8.1

data/lib/doorkeeper/oauth/authorization_code_request.rb

@@ -3,12 +3,12 @@
 module Doorkeeper
   module OAuth
     class AuthorizationCodeRequest < BaseRequest
-      validate :params,       error: :invalid_request
-      validate :client,       error: :invalid_client
-      validate :grant,        error: :invalid_grant
+      validate :params,       error: Errors::InvalidRequest
+      validate :client,       error: Errors::InvalidClient
+      validate :grant,        error: Errors::InvalidGrant
       # @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
-      validate :redirect_uri, error: :invalid_grant
-      validate :code_verifier, error: :invalid_grant
+      validate :redirect_uri, error: Errors::InvalidGrant
+      validate :code_verifier, error: Errors::InvalidGrant
 
       attr_reader :grant, :client, :redirect_uri, :access_token, :code_verifier,
                   :invalid_request_reason, :missing_param
@@ -29,12 +29,17 @@ module Doorkeeper
           grant.lock!
           raise Errors::InvalidGrantReuse if grant.revoked?
 
+          if Doorkeeper.config.revoke_previous_authorization_code_token?
+            revoke_previous_tokens(grant.application, resource_owner)
+          end
+
           grant.revoke
 
           find_or_create_access_token(
-            grant.application,
+            client,
             resource_owner,
             grant.scopes,
+            custom_token_attributes_with_data,
             server,
           )
         end
@@ -54,12 +59,19 @@ module Doorkeeper
         Doorkeeper.config.access_grant_model.pkce_supported?
       end
 
+      def confidential?
+        client&.confidential
+      end
+
       def validate_params
-        @missing_param = if grant&.uses_pkce? && code_verifier.blank?
-                           :code_verifier
-                         elsif redirect_uri.blank?
-                           :redirect_uri
-                         end
+        @missing_param =
+          if grant&.uses_pkce? && code_verifier.blank?
+            :code_verifier
+          elsif !confidential? && Doorkeeper.config.force_pkce? && code_verifier.blank?
+            :code_verifier
+          elsif redirect_uri.blank?
+            :redirect_uri
+          end
 
         @missing_param.nil?
       end
@@ -97,7 +109,19 @@ module Doorkeeper
       end
 
       def generate_code_challenge(code_verifier)
-        server_config.access_grant_model.generate_code_challenge(code_verifier)
+        Doorkeeper.config.access_grant_model.generate_code_challenge(code_verifier)
+      end
+
+      def custom_token_attributes_with_data
+        grant
+          .attributes
+          .with_indifferent_access
+          .slice(*Doorkeeper.config.custom_access_token_attributes)
+          .symbolize_keys
+      end
+
+      def revoke_previous_tokens(application, resource_owner)
+        Doorkeeper.config.access_token_model.revoke_all_for(application.id, resource_owner)
       end
     end
   end

data/lib/doorkeeper/oauth/base_request.rb

@@ -15,7 +15,7 @@ module Doorkeeper
           @response = TokenResponse.new(access_token)
           after_successful_response
           @response
-        elsif error == :invalid_request
+        elsif error == Errors::InvalidRequest
           @response = InvalidRequestResponse.from_request(self)
         else
           @response = ErrorResponse.from_request(self)
@@ -26,27 +26,28 @@ module Doorkeeper
         @scopes ||= build_scopes
       end
 
-      def find_or_create_access_token(client, resource_owner, scopes, server)
+      def find_or_create_access_token(client, resource_owner, scopes, custom_attributes, server)
         context = Authorization::Token.build_context(client, grant_type, scopes, resource_owner)
-        @access_token = server_config.access_token_model.find_or_create_for(
-          application: client,
+        application = client.is_a?(Doorkeeper.config.application_model) ? client : client&.application
+
+        token_attributes = {
+          application: application,
           resource_owner: resource_owner,
           scopes: scopes,
           expires_in: Authorization::Token.access_token_expires_in(server, context),
           use_refresh_token: Authorization::Token.refresh_token_enabled?(server, context),
-        )
+        }
+
+        @access_token =
+          Doorkeeper.config.access_token_model.find_or_create_for(**token_attributes.merge(custom_attributes))
       end
 
       def before_successful_response
-        server_config.before_successful_strategy_response.call(self)
+        Doorkeeper.config.before_successful_strategy_response.call(self)
       end
 
       def after_successful_response
-        server_config.after_successful_strategy_response.call(self, @response)
-      end
-
-      def server_config
-        Doorkeeper.config
+        Doorkeeper.config.after_successful_strategy_response.call(self, @response)
       end
 
       private
@@ -58,7 +59,8 @@ module Doorkeeper
           client_scopes = @client&.scopes
           return default_scopes if client_scopes.blank?
 
-          default_scopes & client_scopes
+          # Avoid using Scope#& for dynamic scopes
+          client_scopes.allowed(default_scopes)
         end
       end
     end

data/lib/doorkeeper/oauth/client.rb

@@ -5,7 +5,7 @@ module Doorkeeper
     class Client
       attr_reader :application
 
-      delegate :id, :name, :uid, :redirect_uri, :scopes, to: :@application
+      delegate :id, :name, :uid, :redirect_uri, :scopes, :confidential, to: :@application
 
       def initialize(application)
         @application = application

data/lib/doorkeeper/oauth/client_credentials/creator.rb

@@ -8,13 +8,14 @@ module Doorkeeper
           existing_token = nil
 
           if lookup_existing_token?
-            existing_token = find_existing_token_for(client, scopes)
-            return existing_token if server_config.reuse_access_token && existing_token&.reusable?
+            existing_token = find_active_existing_token_for(client, scopes, attributes)
+            return existing_token if Doorkeeper.config.reuse_access_token && existing_token&.reusable?
           end
 
           with_revocation(existing_token: existing_token) do
-            server_config.access_token_model.find_or_create_for(
-              application: client,
+            application = client.is_a?(Doorkeeper.config.application_model) ? client : client&.application
+            Doorkeeper.config.access_token_model.create_for(
+              application: application,
               resource_owner: nil,
               scopes: scopes,
               **attributes,
@@ -25,7 +26,7 @@ module Doorkeeper
         private
 
         def with_revocation(existing_token:)
-          if existing_token && server_config.revoke_previous_client_credentials_token?
+          if existing_token && Doorkeeper.config.revoke_previous_client_credentials_token?
             existing_token.with_lock do
               raise Errors::DoorkeeperError, :invalid_token_reuse if existing_token.revoked?
 
@@ -39,16 +40,15 @@ module Doorkeeper
         end
 
         def lookup_existing_token?
-          server_config.reuse_access_token ||
-            server_config.revoke_previous_client_credentials_token?
+          Doorkeeper.config.reuse_access_token ||
+            Doorkeeper.config.revoke_previous_client_credentials_token?
         end
 
-        def find_existing_token_for(client, scopes)
-          server_config.access_token_model.matching_token_for(client, nil, scopes)
-        end
-
-        def server_config
-          Doorkeeper.config
+        def find_active_existing_token_for(client, scopes, attributes)
+          custom_attributes = Doorkeeper.config.access_token_model.
+            extract_custom_attributes(attributes).presence
+          Doorkeeper.config.access_token_model.matching_token_for(
+            client, nil, scopes, custom_attributes: custom_attributes, include_expired: false)
         end
       end
     end

data/lib/doorkeeper/oauth/client_credentials/issuer.rb

@@ -11,10 +11,10 @@ module Doorkeeper
           @validator = validator
         end
 
-        def create(client, scopes, creator = Creator.new)
+        def create(client, scopes, attributes = {}, creator = Creator.new)
           if validator.valid?
-            @token = create_token(client, scopes, creator)
-            @error = :server_error unless @token
+            @token = create_token(client, scopes, attributes, creator)
+            @error = Errors::ServerError unless @token
           else
             @token = false
             @error = validator.error
@@ -25,7 +25,7 @@ module Doorkeeper
 
         private
 
-        def create_token(client, scopes, creator)
+        def create_token(client, scopes, attributes, creator)
           context = Authorization::Token.build_context(
             client,
             Doorkeeper::OAuth::CLIENT_CREDENTIALS,
@@ -39,6 +39,7 @@ module Doorkeeper
             scopes,
             use_refresh_token: false,
             expires_in: ttl,
+            **attributes
           )
         end
       end

data/lib/doorkeeper/oauth/client_credentials/validator.rb

@@ -7,9 +7,9 @@ module Doorkeeper
         include Validations
         include OAuth::Helpers
 
-        validate :client, error: :invalid_client
-        validate :client_supports_grant_flow, error: :unauthorized_client
-        validate :scopes, error: :invalid_scope
+        validate :client, error: Errors::InvalidClient
+        validate :client_supports_grant_flow, error: Errors::UnauthorizedClient
+        validate :scopes, error: Errors::InvalidScope
 
         def initialize(server, request)
           @server = server
@@ -35,13 +35,12 @@ module Doorkeeper
         end
 
         def validate_scopes
-          return true if @request.scopes.blank?
-
           application_scopes = if @client.present?
                                  @client.application.scopes
                                else
                                  ""
                                end
+          return true if @request.scopes.blank? && application_scopes.blank?
 
           ScopeChecker.valid?(
             scope_str: @request.scopes.to_s,

data/lib/doorkeeper/oauth/client_credentials_request.rb

@@ -3,7 +3,7 @@
 module Doorkeeper
   module OAuth
     class ClientCredentialsRequest < BaseRequest
-      attr_reader :client, :original_scopes, :response
+      attr_reader :client, :original_scopes, :parameters, :response
 
       alias error_response response
 
@@ -14,6 +14,7 @@ module Doorkeeper
         @server = server
         @response = nil
         @original_scopes = parameters[:scope]
+        @parameters = parameters.except(:scope)
       end
 
       def access_token
@@ -30,7 +31,14 @@ module Doorkeeper
       private
 
       def valid?
-        issuer.create(client, scopes)
+        issuer.create(client, scopes, custom_token_attributes_with_data)
+      end
+
+      def custom_token_attributes_with_data
+        parameters
+          .with_indifferent_access
+          .slice(*Doorkeeper.config.custom_access_token_attributes)
+          .symbolize_keys
       end
     end
   end

data/lib/doorkeeper/oauth/code_request.rb

@@ -17,7 +17,7 @@ module Doorkeeper
       end
 
       def deny
-        pre_auth.error = :access_denied
+        pre_auth.error = Errors::AccessDenied
         pre_auth.error_response
       end
     end

data/lib/doorkeeper/oauth/error.rb

@@ -2,13 +2,14 @@
 
 module Doorkeeper
   module OAuth
-    Error = Struct.new(:name, :state) do
+    Error = Struct.new(:name, :state, :translate_options) do
       def description
-        I18n.translate(
-          name,
+        options = (translate_options || {}).merge(
           scope: %i[doorkeeper errors messages],
           default: :server_error,
         )
+
+        I18n.translate(name, **options)
       end
     end
   end

data/lib/doorkeeper/oauth/error_response.rb

@@ -10,17 +10,32 @@ module Doorkeeper
       def self.from_request(request, attributes = {})
         new(
           attributes.merge(
-            name: request.error,
+            name: error_name_for(request.error),
+            exception_class: exception_class_for(request.error),
+            translate_options: request.error.try(:translate_options),
             state: request.try(:state),
             redirect_uri: request.try(:redirect_uri),
           ),
         )
       end
 
+      def self.error_name_for(error)
+        error.respond_to?(:name_for_response) ? error.name_for_response : error
+      end
+
+      def self.exception_class_for(error)
+        return error if error.respond_to?(:name_for_response)
+
+        "Doorkeeper::Errors::#{error.to_s.classify}".safe_constantize
+      end
+
+      private_class_method :error_name_for, :exception_class_for
+
       delegate :name, :description, :state, to: :@error
 
       def initialize(attributes = {})
-        @error = OAuth::Error.new(*attributes.values_at(:name, :state))
+        @error = OAuth::Error.new(*attributes.values_at(:name, :state, :translate_options))
+        @exception_class = attributes[:exception_class]
         @redirect_uri = attributes[:redirect_uri]
         @response_on_fragment = attributes[:response_on_fragment]
       end
@@ -55,8 +70,7 @@ module Doorkeeper
 
       def headers
         {
-          "Cache-Control" => "no-store",
-          "Pragma" => "no-cache",
+          "Cache-Control" => "no-store, no-cache",
           "Content-Type" => "application/json; charset=utf-8",
           "WWW-Authenticate" => authenticate_info,
         }
@@ -73,6 +87,7 @@ module Doorkeeper
       end
 
       def exception_class
+        return @exception_class if @exception_class
         raise NotImplementedError, "error response must define #exception_class"
       end
 

data/lib/doorkeeper/oauth/helpers/uri_checker.rb

@@ -40,7 +40,7 @@ module Doorkeeper
 
         def self.loopback_uri?(uri)
           IPAddr.new(uri.host).loopback?
-        rescue IPAddr::Error
+        rescue IPAddr::Error, IPAddr::InvalidAddressError
           false
         end
 
@@ -61,9 +61,9 @@ module Doorkeeper
         end
 
         def self.valid_scheme?(uri)
-          return false if uri.scheme.nil?
+          return false if uri.scheme.blank?
 
-          %w[localhost].include?(uri.scheme) == false
+          %w[localhost].exclude?(uri.scheme)
         end
 
         def self.hypertext_scheme?(uri)
@@ -71,7 +71,7 @@ module Doorkeeper
         end
 
         def self.iff_host?(uri)
-          !(hypertext_scheme?(uri) && uri.host.nil?)
+          !(hypertext_scheme?(uri) && uri.host.blank?)
         end
 
         def self.oob_uri?(uri)

data/lib/doorkeeper/oauth/invalid_request_response.rb

@@ -35,6 +35,10 @@ module Doorkeeper
         )
       end
 
+      def exception_class
+        Doorkeeper::Errors::InvalidRequest
+      end
+
       def redirectable?
         super && @missing_param != :client_id
       end

data/lib/doorkeeper/oauth/password_access_token_request.rb

@@ -5,10 +5,10 @@ module Doorkeeper
     class PasswordAccessTokenRequest < BaseRequest
       include OAuth::Helpers
 
-      validate :client, error: :invalid_client
-      validate :client_supports_grant_flow, error: :unauthorized_client
-      validate :resource_owner, error: :invalid_grant
-      validate :scopes, error: :invalid_scope
+      validate :client, error: Errors::InvalidClient
+      validate :client_supports_grant_flow, error: Errors::UnauthorizedClient
+      validate :resource_owner, error: Errors::InvalidGrant
+      validate :scopes, error: Errors::InvalidScope
 
       attr_reader :client, :credentials, :resource_owner, :parameters, :access_token
 
@@ -25,7 +25,7 @@ module Doorkeeper
       private
 
       def before_successful_response
-        find_or_create_access_token(client, resource_owner, scopes, server)
+        find_or_create_access_token(client, resource_owner, scopes, {}, server)
         super
       end
 
@@ -68,7 +68,7 @@ module Doorkeeper
       end
 
       def validate_client_supports_grant_flow
-        server_config.allow_grant_flow_for_client?(grant_type, client&.application)
+        Doorkeeper.config.allow_grant_flow_for_client?(grant_type, client&.application)
       end
     end
   end

data/lib/doorkeeper/oauth/pre_authorization.rb

@@ -5,32 +5,34 @@ module Doorkeeper
     class PreAuthorization
       include Validations
 
-      validate :client_id, error: :invalid_request
-      validate :client, error: :invalid_client
-      validate :client_supports_grant_flow, error: :unauthorized_client
-      validate :resource_owner_authorize_for_client, error: :invalid_client
-      validate :redirect_uri, error: :invalid_redirect_uri
-      validate :params, error: :invalid_request
-      validate :response_type, error: :unsupported_response_type
-      validate :response_mode, error: :unsupported_response_mode
-      validate :scopes, error: :invalid_scope
-      validate :code_challenge_method, error: :invalid_code_challenge_method
+      validate :client_id, error: Errors::InvalidRequest
+      validate :client, error: Errors::InvalidClient
+      validate :client_supports_grant_flow, error: Errors::UnauthorizedClient
+      validate :resource_owner_authorize_for_client, error: Errors::InvalidClient
+      validate :redirect_uri, error: Errors::InvalidRedirectUri
+      validate :params, error: Errors::InvalidRequest
+      validate :response_type, error: Errors::UnsupportedResponseType
+      validate :response_mode, error: Errors::UnsupportedResponseMode
+      validate :scopes, error: Errors::InvalidScope
+      validate :code_challenge, error: Errors::InvalidCodeChallenge
+      validate :code_challenge_method, error: Errors::InvalidCodeChallengeMethod
 
       attr_reader :client, :code_challenge, :code_challenge_method, :missing_param,
                   :redirect_uri, :resource_owner, :response_type, :state,
-                  :authorization_response_flow, :response_mode
+                  :authorization_response_flow, :response_mode, :custom_access_token_attributes
 
       def initialize(server, parameters = {}, resource_owner = nil)
-        @server                = server
-        @client_id             = parameters[:client_id]
-        @response_type         = parameters[:response_type]
-        @response_mode         = parameters[:response_mode]
-        @redirect_uri          = parameters[:redirect_uri]
-        @scope                 = parameters[:scope]
-        @state                 = parameters[:state]
-        @code_challenge        = parameters[:code_challenge]
+        @server = server
+        @client_id = parameters[:client_id]
+        @response_type = parameters[:response_type]
+        @response_mode = parameters[:response_mode]
+        @redirect_uri = parameters[:redirect_uri]
+        @scope = parameters[:scope]
+        @state = parameters[:state]
+        @code_challenge = parameters[:code_challenge]
         @code_challenge_method = parameters[:code_challenge_method]
-        @resource_owner        = resource_owner
+        @resource_owner = resource_owner
+        @custom_access_token_attributes = parameters.slice(*Doorkeeper.config.custom_access_token_attributes).to_h
       end
 
       def authorizable?
@@ -46,7 +48,7 @@ module Doorkeeper
       end
 
       def error_response
-        if error == :invalid_request
+        if error == Errors::InvalidRequest
           OAuth::InvalidRequestResponse.from_request(
             self,
             response_on_fragment: response_on_fragment?,
@@ -73,7 +75,7 @@ module Doorkeeper
         if client_scopes.blank?
           server.default_scopes.to_s
         else
-          (server.default_scopes & client_scopes).to_s
+          server.default_scopes.allowed(client_scopes).to_s
         end
       end
 
@@ -142,11 +144,17 @@ module Doorkeeper
         )
       end
 
+      def validate_code_challenge
+        return true unless Doorkeeper.config.force_pkce?
+        return true if client.confidential
+        code_challenge.present?
+      end
+
       def validate_code_challenge_method
         return true unless Doorkeeper.config.access_grant_model.pkce_supported?
 
         code_challenge.blank? ||
-          (code_challenge_method.present? && code_challenge_method =~ /^plain$|^S256$/)
+          (code_challenge_method.present? && Doorkeeper.config.pkce_code_challenge_methods_supported.include?(code_challenge_method))
       end
 
       def response_on_fragment?

data/lib/doorkeeper/oauth/refresh_token_request.rb

@@ -5,11 +5,11 @@ module Doorkeeper
     class RefreshTokenRequest < BaseRequest
       include OAuth::Helpers
 
-      validate :token_presence, error: :invalid_request
-      validate :token,        error: :invalid_grant
-      validate :client,       error: :invalid_client
-      validate :client_match, error: :invalid_grant
-      validate :scope,        error: :invalid_scope
+      validate :token_presence, error: Errors::InvalidRequest
+      validate :token,        error: Errors::InvalidGrant
+      validate :client,       error: Errors::InvalidClient
+      validate :client_match, error: Errors::InvalidGrant
+      validate :scope,        error: Errors::InvalidScope
 
       attr_reader :access_token, :client, :credentials, :refresh_token
       attr_reader :missing_param
@@ -26,7 +26,7 @@ module Doorkeeper
       private
 
       def load_client(credentials)
-        server_config.application_model.by_uid_and_secret(credentials.uid, credentials.secret)
+        Doorkeeper.config.application_model.by_uid_and_secret(credentials.uid, credentials.secret)
       end
 
       def before_successful_response
@@ -41,7 +41,7 @@ module Doorkeeper
       end
 
       def refresh_token_revoked_on_use?
-        server_config.access_token_model.refresh_token_revoked_on_use?
+        Doorkeeper.config.access_token_model.refresh_token_revoked_on_use?
       end
 
       def default_scopes
@@ -49,7 +49,7 @@ module Doorkeeper
       end
 
       def create_access_token
-        attributes = {}
+        attributes = {}.merge(custom_token_attributes_with_data)
 
         resource_owner =
           if Doorkeeper.config.polymorphic_resource_owner?
@@ -75,7 +75,7 @@ module Doorkeeper
         # Here we assume that TTL of the token received after refreshing should be
         # the same as that of the original token.
         #
-        @access_token = server_config.access_token_model.create_for(
+        @access_token = Doorkeeper.config.access_token_model.create_for(
           application: refresh_token.application,
           resource_owner: resource_owner,
           scopes: scopes,
@@ -119,6 +119,14 @@ module Doorkeeper
           true
         end
       end
+
+      def custom_token_attributes_with_data
+        refresh_token
+        .attributes
+        .with_indifferent_access
+        .slice(*Doorkeeper.config.custom_access_token_attributes)
+        .symbolize_keys
+      end
     end
   end
 end