doorkeeper 5.5.4 → 5.8.1

data/lib/generators/doorkeeper/remove_applications_secret_not_null_constraint_generator.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require "rails/generators"
+require "rails/generators/active_record"
+
+module Doorkeeper
+  # Generates migration with which drops NOT NULL constraint and allows not
+  # to bloat the database with redundant secret value.
+  #
+  class RemoveApplicationSecretNotNullConstraint < ::Rails::Generators::Base
+    include ::Rails::Generators::Migration
+    source_root File.expand_path("templates", __dir__)
+    desc "Removes NOT NULL constraint for OAuth2 applications."
+
+    def enable_polymorphic_resource_owner
+      migration_template(
+        "remove_applications_secret_not_null_constraint.rb.erb",
+        "db/migrate/remove_applications_secret_not_null_constraint.rb",
+        migration_version: migration_version,
+      )
+    end
+
+    def self.next_migration_number(dirname)
+      ActiveRecord::Generators::Base.next_migration_number(dirname)
+    end
+
+    private
+
+    def migration_version
+      "[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
+    end
+  end
+end

data/lib/generators/doorkeeper/templates/initializer.rb

@@ -32,7 +32,7 @@ Doorkeeper.configure do
   # You can use your own model classes if you need to extend (or even override) default
   # Doorkeeper models such as `Application`, `AccessToken` and `AccessGrant.
   #
-  # Be default Doorkeeper ActiveRecord ORM uses it's own classes:
+  # By default Doorkeeper ActiveRecord ORM uses its own classes:
   #
   # access_token_class "Doorkeeper::AccessToken"
   # access_grant_class "Doorkeeper::AccessGrant"
@@ -91,7 +91,10 @@ Doorkeeper.configure do
   # authorization_code_expires_in 10.minutes
 
   # Access token expiration time (default: 2 hours).
-  # If you want to disable expiration, set this to `nil`.
+  # If you set this to `nil` Doorkeeper will not expire the token and omit expires_in in response.
+  # It is RECOMMENDED to set expiration time explicitly.
+  # Prefer access_token_expires_in 100.years or similar,
+  # which would be functionally equivalent and avoid the risk of unexpected behavior by callers.
   #
   # access_token_expires_in 2.hours
 
@@ -126,9 +129,10 @@ Doorkeeper.configure do
 
   # Reuse access token for the same resource owner within an application (disabled by default).
   #
-  # This option protects your application from creating new tokens before old valid one becomes
-  # expired so your database doesn't bloat. Keep in mind that when this option is `on` Doorkeeper
-  # doesn't updates existing token expiration time, it will create a new token instead.
+  # This option protects your application from creating new tokens before old **valid** one becomes
+  # expired so your database doesn't bloat. Keep in mind that when this option is enabled Doorkeeper
+  # doesn't update existing token expiration time, it will create a new token instead if no active matching
+  # token found for the application, resources owner and/or set of scopes.
   # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/383
   #
   # You can not enable this option together with +hash_token_secrets+.
@@ -163,6 +167,17 @@ Doorkeeper.configure do
   #
   # revoke_previous_client_credentials_token
 
+  # Only allow one valid access token obtained via authorization code
+  # per client. If a new access token is obtained before the old one
+  # expired, the old one gets revoked (disabled by default)
+  #
+  # revoke_previous_authorization_code_token
+
+  # Require non-confidential clients to use PKCE when using an authorization code
+  # to obtain an access_token (disabled by default)
+  #
+  # force_pkce
+
   # Hash access and refresh tokens before persisting them.
   # This will disable the possibility to use +reuse_access_token+
   # since plain values can no longer be retrieved.
@@ -311,6 +326,12 @@ Doorkeeper.configure do
   #   Doorkeeper::Errors::TokenRevoked, Doorkeeper::Errors::TokenUnknown
   #
   # handle_auth_errors :raise
+  #
+  # If you want to redirect back to the client application in accordance with
+  # https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1, you can set
+  # +handle_auth_errors+ to :redirect
+  #
+  # handle_auth_errors :redirect
 
   # Customize token introspection response.
   # Allows to add your own fields to default one that are required by the OAuth spec
@@ -384,12 +405,29 @@ Doorkeeper.configure do
   # true in case resource owner authorized for the specific application or false in other
   # cases.
   #
-  # Be default all Resource Owners are authorized to any Client (application).
+  # By default all Resource Owners are authorized to any Client (application).
   #
   # authorize_resource_owner_for_client do |client, resource_owner|
   #   resource_owner.admin? || client.owners_allowlist.include?(resource_owner)
   # end
 
+  # Allows additional data fields to be sent while granting access to an application,
+  # and for this additional data to be included in subsequently generated access tokens.
+  # The 'authorizations/new' page will need to be overridden to include this additional data
+  # in the request params when granting access. The access grant and access token models
+  # will both need to respond to these additional data fields, and have a database column
+  # to store them in.
+  #
+  # Example:
+  # You have a multi-tenanted platform and want to be able to grant access to a specific
+  # tenant, rather than all the tenants a user has access to. You can use this config
+  # option to specify that a ':tenant_id' will be passed when authorizing. This tenant_id
+  # will be included in the access tokens. When a request is made with one of these access
+  # tokens, you can check that the requested data belongs to the specified tenant.
+  #
+  # Default value is an empty Array: []
+  # custom_access_token_attributes [:tenant_id]
+
   # Hook into the strategies' request & response life-cycle in case your
   # application needs advanced customization or logging:
   #

data/lib/generators/doorkeeper/templates/migration.rb.erb

@@ -5,6 +5,7 @@ class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
     create_table :oauth_applications do |t|
       t.string  :name,    null: false
       t.string  :uid,     null: false
+      # Remove `null: false` or use conditional constraint if you are planning to use public clients.
       t.string  :secret,  null: false
 
       # Remove `null: false` if you are planning to use grant flows
@@ -24,9 +25,9 @@ class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
       t.string   :token,             null: false
       t.integer  :expires_in,        null: false
       t.text     :redirect_uri,      null: false
+      t.string   :scopes,            null: false, default: ''
       t.datetime :created_at,        null: false
       t.datetime :revoked_at
-      t.string   :scopes,            null: false, default: ''
     end
 
     add_index :oauth_access_grants, :token, unique: true
@@ -53,9 +54,9 @@ class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
 
       t.string   :refresh_token
       t.integer  :expires_in
-      t.datetime :revoked_at
-      t.datetime :created_at, null: false
       t.string   :scopes
+      t.datetime :created_at, null: false
+      t.datetime :revoked_at
 
       # The authorization server MAY issue a new refresh token, in which case
       # *the client MUST discard the old refresh token* and replace it with the
@@ -74,7 +75,17 @@ class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
     end
 
     add_index :oauth_access_tokens, :token, unique: true
-    add_index :oauth_access_tokens, :refresh_token, unique: true
+
+    # See https://github.com/doorkeeper-gem/doorkeeper/issues/1592
+    if ActiveRecord::Base.connection.adapter_name == "SQLServer"
+      execute <<~SQL.squish
+        CREATE UNIQUE NONCLUSTERED INDEX index_oauth_access_tokens_on_refresh_token ON oauth_access_tokens(refresh_token)
+        WHERE refresh_token IS NOT NULL
+      SQL
+    else
+      add_index :oauth_access_tokens, :refresh_token, unique: true
+    end
+
     add_foreign_key(
       :oauth_access_tokens,
       :oauth_applications,

data/lib/generators/doorkeeper/templates/remove_applications_secret_not_null_constraint.rb.erb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class RemoveApplicationsSecretNotNullConstraint < ActiveRecord::Migration<%= migration_version %>
+  def change
+    change_column_null :oauth_applications, :secret, true
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper
 version: !ruby/object:Gem::Version
-  version: 5.5.4
+  version: 5.8.1
 platform: ruby
 authors:
 - Felipe Elias Philipp
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-10-05 00:00:00.000000000 Z
+date: 2024-12-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -56,7 +56,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: coveralls
+  name: coveralls_reborn
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -69,20 +69,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: danger
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '8.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '8.0'
 - !ruby/object:Gem::Dependency
   name: database_cleaner
   requirement: !ruby/object:Gem::Requirement
@@ -117,14 +103,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.9.3
+        version: 0.10.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.9.3
+        version: 0.10.0
 - !ruby/object:Gem::Dependency
   name: grape
   requirement: !ruby/object:Gem::Requirement
@@ -167,6 +153,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Doorkeeper is an OAuth 2 provider for Rails and Grape.
 email:
 - bulaj.nikita@gmail.com
@@ -221,8 +221,10 @@ files:
 - lib/doorkeeper/models/application_mixin.rb
 - lib/doorkeeper/models/concerns/accessible.rb
 - lib/doorkeeper/models/concerns/expirable.rb
+- lib/doorkeeper/models/concerns/expiration_time_sql_math.rb
 - lib/doorkeeper/models/concerns/orderable.rb
 - lib/doorkeeper/models/concerns/ownership.rb
+- lib/doorkeeper/models/concerns/polymorphic_resource_owner.rb
 - lib/doorkeeper/models/concerns/resource_ownerable.rb
 - lib/doorkeeper/models/concerns/reusable.rb
 - lib/doorkeeper/models/concerns/revocable.rb
@@ -288,6 +290,8 @@ files:
 - lib/doorkeeper/request/refresh_token.rb
 - lib/doorkeeper/request/strategy.rb
 - lib/doorkeeper/request/token.rb
+- lib/doorkeeper/revocable_tokens/revocable_access_token.rb
+- lib/doorkeeper/revocable_tokens/revocable_refresh_token.rb
 - lib/doorkeeper/secret_storing/base.rb
 - lib/doorkeeper/secret_storing/bcrypt.rb
 - lib/doorkeeper/secret_storing/plain.rb
@@ -303,6 +307,7 @@ files:
 - lib/generators/doorkeeper/migration_generator.rb
 - lib/generators/doorkeeper/pkce_generator.rb
 - lib/generators/doorkeeper/previous_refresh_token_generator.rb
+- lib/generators/doorkeeper/remove_applications_secret_not_null_constraint_generator.rb
 - lib/generators/doorkeeper/templates/README
 - lib/generators/doorkeeper/templates/add_confidential_to_applications.rb.erb
 - lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb
@@ -311,6 +316,7 @@ files:
 - lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb
 - lib/generators/doorkeeper/templates/initializer.rb
 - lib/generators/doorkeeper/templates/migration.rb.erb
+- lib/generators/doorkeeper/templates/remove_applications_secret_not_null_constraint.rb.erb
 - lib/generators/doorkeeper/views_generator.rb
 - vendor/assets/stylesheets/doorkeeper/bootstrap.min.css
 homepage: https://github.com/doorkeeper-gem/doorkeeper
@@ -322,6 +328,7 @@ metadata:
   source_code_uri: https://github.com/doorkeeper-gem/doorkeeper
   bug_tracker_uri: https://github.com/doorkeeper-gem/doorkeeper/issues
   documentation_uri: https://doorkeeper.gitbook.io/guides/
+  funding_uri: https://opencollective.com/doorkeeper-gem
 post_install_message: "Starting from 5.5.0 RC1 Doorkeeper requires client authentication
   for Resource Owner Password Grant\nas stated in the OAuth RFC. You have to create
   a new OAuth client (Doorkeeper::Application) if you didn't\nhave it before and use
@@ -337,14 +344,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.5'
+      version: '2.7'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.5.15
 signing_key: 
 specification_version: 4
 summary: OAuth 2 provider for Rails and Grape