doorkeeper 5.5.4 → 5.8.1

data/lib/doorkeeper/oauth/scopes.rb

@@ -6,6 +6,8 @@ module Doorkeeper
       include Enumerable
       include Comparable
 
+      DYNAMIC_SCOPE_WILDCARD = "*"
+
       def self.from_string(string)
         string ||= ""
         new.tap do |scope|
@@ -26,7 +28,15 @@ module Doorkeeper
       end
 
       def exists?(scope)
-        @scopes.include? scope.to_s
+        scope = scope.to_s
+
+        @scopes.any? do |allowed_scope|
+          if dynamic_scopes_enabled? && dynamic_scopes_present?(allowed_scope, scope)
+            dynamic_scope_match?(allowed_scope, scope)
+          else
+            allowed_scope == scope
+          end
+        end
       end
 
       def add(*scopes)
@@ -60,12 +70,56 @@ module Doorkeeper
         end
       end
 
+      # DEPRECATED: With dynamic scopes, #allowed should be called because
+      # A & B doesn't really make sense with dynamic scopes.
+      #
+      # For example, if A = user:* and B is user:1, A & B = [].
+      # If we modified this method to take dynamic scopes into an account, then order
+      # becomes important, and this would violate the principle that A & B = B & A.
       def &(other)
+        return allowed(other) if dynamic_scopes_enabled?
+
         self.class.from_array(all & to_array(other))
       end
 
+      # Returns a set of scopes that are allowed, taking dynamic
+      # scopes into account. This instance's scopes is taken as the allowed set,
+      # and the passed value is the set to filter.
+      #
+      # @param other The set of scopes to filter
+      def allowed(other)
+        filtered_scopes = other.select { |scope| self.exists?(scope) }
+        self.class.from_array(filtered_scopes)
+      end
+
       private
 
+      def dynamic_scopes_enabled?
+        Doorkeeper.config.enable_dynamic_scopes?
+      end
+
+      def dynamic_scope_delimiter
+        return unless dynamic_scopes_enabled?
+
+        @dynamic_scope_delimiter ||= Doorkeeper.config.dynamic_scopes_delimiter
+      end
+
+      def dynamic_scopes_present?(allowed, requested)
+        allowed.include?(dynamic_scope_delimiter) && requested.include?(dynamic_scope_delimiter)
+      end
+
+      def dynamic_scope_match?(allowed, requested)
+        allowed_pattern = allowed.split(dynamic_scope_delimiter, 2)
+        request_pattern = requested.split(dynamic_scope_delimiter, 2)
+
+        return false if allowed_pattern[0] != request_pattern[0]
+        return false if allowed_pattern[1].blank?
+        return false if request_pattern[1].blank?
+        return true  if allowed_pattern[1] == DYNAMIC_SCOPE_WILDCARD && allowed_pattern[1].present?
+
+        allowed_pattern[1] == request_pattern[1]
+      end
+
       def to_array(other)
         case other
         when Scopes

data/lib/doorkeeper/oauth/token_introspection.rb

@@ -6,26 +6,27 @@ module Doorkeeper
     #
     # @see https://datatracker.ietf.org/doc/html/rfc7662
     class TokenIntrospection
+      attr_reader :token, :error, :invalid_request_reason
+
       def initialize(server, token)
         @server = server
         @token = token
-
-        authorize!
       end
 
       def authorized?
+        authorize!
         @error.blank?
       end
 
       def error_response
         return if @error.blank?
 
-        if @error == :invalid_token
+        if @error == Errors::InvalidToken
           OAuth::InvalidTokenResponse.from_access_token(authorized_token)
-        elsif @error == :invalid_request
+        elsif @error == Errors::InvalidRequest
           OAuth::InvalidRequestResponse.from_request(self)
         else
-          OAuth::ErrorResponse.new(name: @error)
+          OAuth::ErrorResponse.from_request(self)
         end
       end
 
@@ -35,8 +36,7 @@ module Doorkeeper
 
       private
 
-      attr_reader :server, :token
-      attr_reader :error, :invalid_request_reason
+      attr_reader :server
 
       # If the protected resource uses OAuth 2.0 client credentials to
       # authenticate to the introspection endpoint and its credentials are
@@ -58,24 +58,38 @@ module Doorkeeper
       def authorize!
         # Requested client authorization
         if server.credentials
-          @error = :invalid_client unless authorized_client
+          authorize_using_basic_auth!
         elsif authorized_token
-          # Requested bearer token authorization
-          #
-          #  If the protected resource uses an OAuth 2.0 bearer token to authorize
-          #  its call to the introspection endpoint and the token used for
-          #  authorization does not contain sufficient privileges or is otherwise
-          #  invalid for this request, the authorization server responds with an
-          #  HTTP 401 code as described in Section 3 of OAuth 2.0 Bearer Token
-          #  Usage [RFC6750].
-          #
-          @error = :invalid_token unless valid_authorized_token?
+          authorize_using_bearer_token!
         else
-          @error = :invalid_request
+          @error = Errors::InvalidRequest
           @invalid_request_reason = :request_not_authorized
         end
       end
 
+      def authorize_using_basic_auth!
+        # Note that a properly formed and authorized query for an inactive or
+        # otherwise invalid token (or a token the protected resource is not
+        # allowed to know about) is not considered an error response by this
+        # specification. In these cases, the authorization server MUST instead
+        # respond with an introspection response with the "active" field set to
+        # "false" as described in Section 2.2.
+        @error = Errors::InvalidClient unless authorized_client
+      end
+
+      def authorize_using_bearer_token!
+        # Requested bearer token authorization
+        #
+        #  If the protected resource uses an OAuth 2.0 bearer token to authorize
+        #  its call to the introspection endpoint and the token used for
+        #  authorization does not contain sufficient privileges or is otherwise
+        #  invalid for this request, the authorization server responds with an
+        #  HTTP 401 code as described in Section 3 of OAuth 2.0 Bearer Token
+        #  Usage [RFC6750].
+        #
+        @error = Errors::InvalidToken unless valid_authorized_token?
+      end
+
       # Client Authentication
       def authorized_client
         @authorized_client ||= server.credentials && server.client
@@ -134,7 +148,7 @@ module Doorkeeper
       # Since resource servers using token introspection rely on the
       # authorization server to determine the state of a token, the
       # authorization server MUST perform all applicable checks against a
-      # token's state.  For instance, these tests include the following:
+      # token's state. For instance, these tests include the following:
       #
       #    o  If the token can expire, the authorization server MUST determine
       #       whether or not the token has expired.

data/lib/doorkeeper/oauth/token_request.rb

@@ -17,7 +17,7 @@ module Doorkeeper
       end
 
       def deny
-        pre_auth.error = :access_denied
+        pre_auth.error = Errors::AccessDenied
         pre_auth.error_response
       end
     end

data/lib/doorkeeper/oauth/token_response.rb

@@ -5,12 +5,14 @@ module Doorkeeper
     class TokenResponse
       attr_reader :token
 
+      alias issued_token token
+
       def initialize(token)
         @token = token
       end
 
       def body
-        {
+        @body ||= {
           "access_token" => token.plaintext_token,
           "token_type" => token.token_type,
           "expires_in" => token.expires_in_seconds,
@@ -26,9 +28,9 @@ module Doorkeeper
 
       def headers
         {
-          "Cache-Control" => "no-store",
-          "Pragma" => "no-cache",
+          "Cache-Control" => "no-store, no-cache",
           "Content-Type" => "application/json; charset=utf-8",
+          "Pragma" => "no-cache",
         }
       end
     end

data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb

@@ -14,12 +14,6 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
                                optional: true,
                                inverse_of: :access_grants
 
-      if Doorkeeper.config.polymorphic_resource_owner?
-        belongs_to :resource_owner, polymorphic: true, optional: false
-      else
-        validates :resource_owner_id, presence: true
-      end
-
       validates :application_id,
                 :token,
                 :expires_in,

data/lib/doorkeeper/orm/active_record/mixins/access_token.rb

@@ -14,10 +14,6 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
                                inverse_of: :access_tokens,
                                optional: true
 
-      if Doorkeeper.config.polymorphic_resource_owner?
-        belongs_to :resource_owner, polymorphic: true, optional: true
-      end
-
       validates :token, presence: true, uniqueness: { case_sensitive: true }
       validates :refresh_token, uniqueness: { case_sensitive: true }, if: :use_refresh_token?
 
@@ -48,6 +44,27 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
         column_names.include?("previous_refresh_token")
       end
 
+      # Returns non-expired and non-revoked access tokens
+      def not_expired
+        relation = where(revoked_at: nil)
+
+        if supports_expiration_time_math?
+          # have not reached the expiration time or it never expires
+          relation.where("#{expiration_time_sql} > ?", Time.now.utc).or(
+            relation.where(expires_in: nil)
+          )
+        else
+          ::Kernel.warn <<~WARNING.squish
+            [DOORKEEPER] Doorkeeper doesn't support expiration time math for your database adapter (#{adapter_name}).
+            Please add a class method `custom_expiration_time_sql` for your AccessToken class/mixin to provide a custom
+            SQL expression to calculate access token expiration time. See lib/doorkeeper/orm/active_record/mixins/access_token.rb
+            for more details.
+          WARNING
+
+          relation
+        end
+      end
+
       private
 
       def compute_doorkeeper_table_name

data/lib/doorkeeper/orm/active_record/mixins/application.rb

@@ -20,11 +20,13 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
                dependent: :delete_all,
                class_name: Doorkeeper.config.access_token_class.to_s
 
-      validates :name, :secret, :uid, presence: true
+      validates :name, :uid, presence: true
+      validates :secret, presence: true, if: -> { secret_required? }
       validates :uid, uniqueness: { case_sensitive: true }
-      validates :redirect_uri, "doorkeeper/redirect_uri": true
       validates :confidential, inclusion: { in: [true, false] }
 
+      validates_with Doorkeeper::RedirectUriValidator, attributes: [:redirect_uri]
+
       validate :scopes_match_configured, if: :enforce_scopes?
 
       before_validation :generate_uid, :generate_secret, on: :create
@@ -44,7 +46,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
       # @return [String] new transformed secret value
       #
       def renew_secret
-        @raw_secret = Doorkeeper::OAuth::Helpers::UniqueToken.generate
+        @raw_secret = secret_generator.generate
         secret_strategy.store_secret(self, :secret, @raw_secret)
       end
 
@@ -102,12 +104,23 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
 
       private
 
+      def secret_generator
+        generator_name = Doorkeeper.config.application_secret_generator
+        generator = generator_name.constantize
+
+        return generator if generator.respond_to?(:generate)
+
+        raise Errors::UnableToGenerateToken, "#{generator} does not respond to `.generate`."
+      rescue NameError
+        raise Errors::TokenGeneratorNotFound, "#{generator_name} not found"
+      end
+
       def generate_uid
         self.uid = Doorkeeper::OAuth::Helpers::UniqueToken.generate if uid.blank?
       end
 
       def generate_secret
-        return if secret.present?
+        return if secret.present? || !secret_required?
 
         renew_secret
       end
@@ -125,6 +138,11 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
         Doorkeeper.config.enforce_configured_scopes?
       end
 
+      def secret_required?
+        confidential? ||
+          !self.class.columns.detect { |column| column.name == "secret" }&.null
+      end
+
       # Helper method to extract collection of serializable attribute names
       # considering serialization options (like `only`, `except` and so on).
       #

data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb

@@ -45,11 +45,11 @@ module Doorkeeper
     end
 
     def unspecified_host?(uri)
-      uri.is_a?(URI::HTTP) && uri.host.nil?
+      uri.is_a?(URI::HTTP) && uri.host.blank?
     end
 
     def relative_uri?(uri)
-      uri.scheme.nil? && uri.host.nil?
+      uri.scheme.nil? && uri.host.blank?
     end
 
     def invalid_ssl_uri?(uri)

data/lib/doorkeeper/orm/active_record/stale_records_cleaner.rb

@@ -15,7 +15,8 @@ module Doorkeeper
         def clean_revoked
           table = @base_scope.arel_table
 
-          @base_scope.where.not(revoked_at: nil)
+          @base_scope
+            .where.not(revoked_at: nil)
             .where(table[:revoked_at].lt(Time.current))
             .in_batches(&:delete_all)
         end
@@ -24,7 +25,9 @@ module Doorkeeper
         def clean_expired(ttl)
           table = @base_scope.arel_table
 
-          @base_scope.where(table[:created_at].lt(Time.current - ttl))
+          @base_scope
+            .where.not(expires_in: nil)
+            .where(table[:created_at].lt(Time.current - ttl))
             .in_batches(&:delete_all)
         end
       end

data/lib/doorkeeper/orm/active_record.rb

@@ -1,51 +1,44 @@
 # frozen_string_literal: true
 
-require "active_support/lazy_load_hooks"
-
 module Doorkeeper
+  autoload :AccessGrant, "doorkeeper/orm/active_record/access_grant"
+  autoload :AccessToken, "doorkeeper/orm/active_record/access_token"
+  autoload :Application, "doorkeeper/orm/active_record/application"
+  autoload :RedirectUriValidator, "doorkeeper/orm/active_record/redirect_uri_validator"
+
+  module Models
+    autoload :Ownership, "doorkeeper/models/concerns/ownership"
+  end
+
+  # ActiveRecord ORM for Doorkeeper entity models.
+  # Consists of three main OAuth entities:
+  #   * Access Token
+  #   * Access Grant
+  #   * Application (client)
+  #
+  # Do a lazy loading of all the required and configured stuff.
+  #
   module Orm
-    # ActiveRecord ORM for Doorkeeper entity models.
-    # Consists of three main OAuth entities:
-    #   * Access Token
-    #   * Access Grant
-    #   * Application (client)
-    #
-    # Do a lazy loading of all the required and configured stuff.
-    #
     module ActiveRecord
-      def self.initialize_models!
-        lazy_load do
-          require "doorkeeper/orm/active_record/stale_records_cleaner"
-          require "doorkeeper/orm/active_record/access_grant"
-          require "doorkeeper/orm/active_record/access_token"
-          require "doorkeeper/orm/active_record/application"
+      autoload :StaleRecordsCleaner, "doorkeeper/orm/active_record/stale_records_cleaner"
 
-          if (options = Doorkeeper.config.active_record_options[:establish_connection])
-            Doorkeeper::Orm::ActiveRecord.models.each do |model|
-              model.establish_connection(options)
-            end
-          end
-        end
+      module Mixins
+        autoload :AccessGrant, "doorkeeper/orm/active_record/mixins/access_grant"
+        autoload :AccessToken, "doorkeeper/orm/active_record/mixins/access_token"
+        autoload :Application, "doorkeeper/orm/active_record/mixins/application"
       end
 
-      def self.initialize_application_owner!
-        lazy_load do
-          require "doorkeeper/models/concerns/ownership"
-
-          Doorkeeper.config.application_model.include(Doorkeeper::Models::Ownership)
-        end
+      def self.run_hooks
+        initialize_configured_associations
       end
 
-      def self.lazy_load(&block)
-        ActiveSupport.on_load(:active_record, {}, &block)
-      end
+      def self.initialize_configured_associations
+        if Doorkeeper.config.enable_application_owner?
+          Doorkeeper.config.application_model.include ::Doorkeeper::Models::Ownership
+        end
 
-      def self.models
-        [
-          Doorkeeper.config.access_grant_model,
-          Doorkeeper.config.access_token_model,
-          Doorkeeper.config.application_model,
-        ]
+        Doorkeeper.config.access_grant_model.include ::Doorkeeper::Models::PolymorphicResourceOwner::ForAccessGrant
+        Doorkeeper.config.access_token_model.include ::Doorkeeper::Models::PolymorphicResourceOwner::ForAccessToken
       end
     end
   end

data/lib/doorkeeper/rails/routes.rb

@@ -36,7 +36,7 @@ module Doorkeeper
           map_route(:authorizations, :authorization_routes)
           map_route(:tokens, :token_routes)
           map_route(:tokens, :revoke_routes)
-          map_route(:tokens, :introspect_routes) unless Doorkeeper.config.allow_token_introspection.is_a?(FalseClass)
+          map_route(:tokens, :introspect_routes) if introspection_routes?
           map_route(:applications, :application_routes)
           map_route(:authorized_applications, :authorized_applications_routes)
           map_route(:token_info, :token_info_routes)
@@ -53,8 +53,8 @@ module Doorkeeper
           as: mapping[:as],
           controller: mapping[:controllers],
         ) do
-          routes.get "/native", action: :show, on: :member
-          routes.get "/", action: :new, on: :member
+          routes.get native_authorization_code_route, action: :show, on: :member
+          routes.get '/', action: :new, on: :member
         end
       end
 
@@ -96,6 +96,15 @@ module Doorkeeper
                          only: %i[index destroy],
                          controller: mapping[:controllers]
       end
+
+      def native_authorization_code_route
+        Doorkeeper.configuration.native_authorization_code_route
+      end
+
+      def introspection_routes?
+        Doorkeeper.configured? &&
+          !Doorkeeper.config.allow_token_introspection.is_a?(FalseClass)
+      end
     end
   end
 end

data/lib/doorkeeper/rake/setup.rake

@@ -2,10 +2,5 @@
 
 namespace :doorkeeper do
   task setup: :environment do
-    # Dirty hack to manually initialize AR because of lazy auto-loading,
-    # in other case we'll see NameError: uninitialized constant Doorkeeper::AccessToken
-    if Doorkeeper.config.orm == :active_record && defined?(::ActiveRecord::Base)
-      Object.const_get("::ActiveRecord::Base")
-    end
   end
 end

data/lib/doorkeeper/revocable_tokens/revocable_access_token.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module RevocableTokens
+    class RevocableAccessToken
+      attr_reader :token
+
+      def initialize(token)
+        @token = token
+      end
+
+      def revocable?
+        token.accessible?
+      end
+
+      def revoke
+        token.revoke
+      end
+    end
+  end
+end

data/lib/doorkeeper/revocable_tokens/revocable_refresh_token.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module RevocableTokens
+    class RevocableRefreshToken
+      attr_reader :token
+
+      def initialize(token)
+        @token = token
+      end
+
+      def revocable?
+        !token.revoked?
+      end
+
+      def revoke
+        token.revoke
+      end
+    end
+  end
+end

data/lib/doorkeeper/version.rb

@@ -4,8 +4,8 @@ module Doorkeeper
   module VERSION
     # Semantic versioning
     MAJOR = 5
-    MINOR = 5
-    TINY = 4
+    MINOR = 8
+    TINY = 1
     PRE = nil
 
     # Full version number

data/lib/doorkeeper.rb

@@ -34,6 +34,11 @@ module Doorkeeper
     autoload :Token, "doorkeeper/request/token"
   end
 
+  module RevocableTokens
+    autoload :RevocableAccessToken, "doorkeeper/revocable_tokens/revocable_access_token"
+    autoload :RevocableRefreshToken, "doorkeeper/revocable_tokens/revocable_refresh_token"
+  end
+
   module OAuth
     autoload :BaseRequest, "doorkeeper/oauth/base_request"
     autoload :AuthorizationCodeRequest, "doorkeeper/oauth/authorization_code_request"
@@ -88,7 +93,9 @@ module Doorkeeper
   module Models
     autoload :Accessible, "doorkeeper/models/concerns/accessible"
     autoload :Expirable, "doorkeeper/models/concerns/expirable"
+    autoload :ExpirationTimeSqlMath, "doorkeeper/models/concerns/expiration_time_sql_math"
     autoload :Orderable, "doorkeeper/models/concerns/orderable"
+    autoload :PolymorphicResourceOwner, "doorkeeper/models/concerns/polymorphic_resource_owner"
     autoload :Scopes, "doorkeeper/models/concerns/scopes"
     autoload :Reusable, "doorkeeper/models/concerns/reusable"
     autoload :ResourceOwnerable, "doorkeeper/models/concerns/resource_ownerable"
@@ -112,11 +119,77 @@ module Doorkeeper
     autoload :BCrypt, "doorkeeper/secret_storing/bcrypt"
   end
 
-  def self.authenticate(request, methods = Doorkeeper.config.access_token_methods)
-    OAuth::Token.authenticate(request, *methods)
-  end
+  class << self
+    attr_reader :orm_adapter
+
+    def configure(&block)
+      @config = Config::Builder.new(&block).build
+      setup
+      @config
+    end
+
+    # @return [Doorkeeper::Config] configuration instance
+    #
+    def configuration
+      @config || configure
+    end
+
+    def configured?
+      !@config.nil?
+    end
+
+    alias config configuration
+
+    def setup
+      setup_orm_adapter
+
+      # Deprecated, will be removed soon
+      unless configuration.orm == :active_record
+        setup_orm_models
+        setup_application_owner
+      end
+    end
 
-  def self.gem_version
-    ::Gem::Version.new(::Doorkeeper::VERSION::STRING)
+    def setup_orm_adapter
+      @orm_adapter = "doorkeeper/orm/#{configuration.orm}".classify.constantize
+    rescue NameError => e
+      raise e, "ORM adapter not found (#{configuration.orm})", <<-ERROR_MSG.strip_heredoc
+        [DOORKEEPER] ORM adapter not found (#{configuration.orm}), or there was an error
+        trying to load it.
+
+        You probably need to add the related gem for this adapter to work with
+        doorkeeper.
+      ERROR_MSG
+    end
+
+    def run_orm_hooks
+      config.clear_cache!
+
+      if @orm_adapter.respond_to?(:run_hooks)
+        @orm_adapter.run_hooks
+      else
+        ::Kernel.warn <<~MSG.strip_heredoc
+          [DOORKEEPER] ORM "#{configuration.orm}" should move all it's setup logic under `#run_hooks` method for
+          the #{@orm_adapter.name}. Later versions of Doorkeeper will no longer support `setup_orm_models` and
+          `setup_application_owner` API.
+        MSG
+      end
+    end
+
+    def setup_orm_models
+      @orm_adapter.initialize_models!
+    end
+
+    def setup_application_owner
+      @orm_adapter.initialize_application_owner!
+    end
+
+    def authenticate(request, methods = Doorkeeper.config.access_token_methods)
+      OAuth::Token.authenticate(request, *methods)
+    end
+
+    def gem_version
+      ::Gem::Version.new(::Doorkeeper::VERSION::STRING)
+    end
   end
 end