doorkeeper 5.6.2 → 5.6.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8c22e5cf14aebfd8b75510d028c123f9a924d13bf08c2717f2d7ce6c8bc202a1
-  data.tar.gz: 5c625f6be3f5412c546a175c310577c737407690328e6696a773ab74dd1abe13
+  metadata.gz: 62a0f5c7fa924d40522d1d290ab0eb3b2f78cdc72c6bba460c0b932803c7e123
+  data.tar.gz: f809019d1bcdb007a71670b74160c7286e2c18bac43c6c98728d99c36370a6f9
 SHA512:
-  metadata.gz: 127dd3e716bfde2c825ba1d6c4fee662a80a809063a8bd0d5480767fc472c41a6208742407f47656dae95cb7d41b1cb30a920b0270fd2c194a3267fc2c843626
-  data.tar.gz: e17e0349cefce41f7767f944fded43b71221b0df82042a9fb9c0dddb464308f3642fe2af7fc61bc1ec4ebb09cb3d2ea1d7a3040adc41130259e495cf3e129386
+  metadata.gz: adf846ec97330aab844f467fd65230f3a6cafeed4457c860f72f3576ce277aa9035994e9cc153b471fb92830f76bfe36fd8661124040c782b4ed5534ad78a09c
+  data.tar.gz: 8a282af87fd1d0cf084a174a95d4fbff50cf8ab03622084cded3c4fbca8725674a2d2bf3045435aee881a67aacb2c372fb79020436f9d76439db46ab74a14a08

data/CHANGELOG.md

@@ -9,6 +9,16 @@ User-visible changes worth mentioning.
 
 - [#ID] Add your PR description here.
 
+# 5.6.3
+
+- [#1622] Drop support for Rubies 2.5 and 2.6
+- [#1605] Fix URI validation for Ruby 3.2+.
+- [#1625] Exclude endless access tokens from `StaleRecordsCleaner`.
+- [#1626] Remove deprecated `active_record_options` config option.
+- [#1631] Fix regression with redirect behavior after token lookup optimizations (redirect to app URI when found).
+- [#1630] Special case unique index creation for refresh_token on SQL Server.
+- [#1627] Lazy evaluate Doorkeeper config when loading files and executing initializers.
+
 ## 5.6.2
 
 - [#1604] Fix fetching of the application when custom application_class defined.
@@ -23,7 +33,7 @@ User-visible changes worth mentioning.
 
 - [#1581] Consider `token_type_hint` when searching for access token in TokensController to avoid extra database calls.
 
-## 5.6.0.rc1
+## 5.6.0.rc2
 
 - [#1558] Fixed bug: able to obtain a token with default scopes even if they are not present in the 
   application scopes when using client credentials.
@@ -284,7 +294,7 @@ User-visible changes worth mentioning.
 - [#1237] Allow to set blank redirect URI if Doorkeeper configured to use redirect URI-less grant flows.
 - [#1234] Fix `StaleRecordsCleaner` to properly work with big amount of records.
 - [#1228] Allow to explicitly set non-expiring tokens in `custom_access_token_expires_in` configuration
-  option using `Float::INIFINITY` return value.
+  option using `Float::INFINITY` return value.
 - [#1224] Do not try to store token if not found by fallback hashing strategy.
 - [#1223] Update Hound/Rubocop rules, correct Doorkeeper codebase to follow style-guides.
 - [#1220] Drop Rails 4.2 & Ruby < 2.4 support.
@@ -369,7 +379,7 @@ User-visible changes worth mentioning.
 - [#1116] `AccessGrant`s will now be revoked along with `AccessToken`s when
   hitting the `AuthorizedApplicationController#destroy` route.
 - [#1114] Make token info endpoint's attributes consistent with token creation
-- [#1108] Simple formating of callback URLs when listing oauth applications
+- [#1108] Simple formatting of callback URLs when listing oauth applications
 - [#1106] Restrict access to AdminController with 'Forbidden 403' if admin_authenticator is not
   configured by developers.
 

data/README.md

@@ -105,7 +105,7 @@ Extensions that are not included by default and can be installed separately.
 | JWT Token support | [doorkeeper-gem/doorkeeper-jwt](https://github.com/doorkeeper-gem/doorkeeper-jwt) |
 | Assertion grant extension | [doorkeeper-gem/doorkeeper-grants\_assertion](https://github.com/doorkeeper-gem/doorkeeper-grants_assertion) |
 | I18n translations | [doorkeeper-gem/doorkeeper-i18n](https://github.com/doorkeeper-gem/doorkeeper-i18n) |
-| CIBA - Client Initiated Backchannel Authentication Flow extention | [doorkeeper-ciba](https://github.com/autoseg/doorkeeper-ciba) |
+| CIBA - Client Initiated Backchannel Authentication Flow extension | [doorkeeper-ciba](https://github.com/autoseg/doorkeeper-ciba) |
 | Device Authorization Grant | [doorkeeper-device_authorization_grant](https://github.com/exop-group/doorkeeper-device_authorization_grant) |
 
 ## Example Applications

data/lib/doorkeeper/config/abstract_builder.rb

@@ -12,7 +12,7 @@ module Doorkeeper
       #
       def initialize(config = Config.new, &block)
         @config = config
-        instance_eval(&block)
+        instance_eval(&block) if block_given?
       end
 
       # Builds and validates configuration.

data/lib/doorkeeper/config.rb

@@ -5,81 +5,11 @@ require "doorkeeper/config/option"
 require "doorkeeper/config/validations"
 
 module Doorkeeper
-  # Defines a MissingConfiguration error for a missing Doorkeeper configuration
-  #
-  class MissingConfiguration < StandardError
-    def initialize
-      super("Configuration for doorkeeper missing. Do you have doorkeeper initializer?")
-    end
-  end
-
   # Doorkeeper option DSL could be reused in extensions to build their own
   # configurations. To use the Option DSL gems need to define `builder_class` method
   # that returns configuration Builder class. This exception raises when they don't
   # define it.
   #
-  class MissingConfigurationBuilderClass < StandardError; end
-
-  class << self
-    attr_reader :orm_adapter
-
-    def configure(&block)
-      @config = Config::Builder.new(&block).build
-    end
-
-    # @return [Doorkeeper::Config] configuration instance
-    #
-    def configuration
-      @config || (raise MissingConfiguration)
-    end
-
-    alias config configuration
-
-    def setup
-      setup_orm_adapter
-      run_orm_hooks
-      config.clear_cache!
-
-      # Deprecated, will be removed soon
-      unless configuration.orm == :active_record
-        setup_orm_models
-        setup_application_owner
-      end
-    end
-
-    def setup_orm_adapter
-      @orm_adapter = "doorkeeper/orm/#{configuration.orm}".classify.constantize
-    rescue NameError => e
-      raise e, "ORM adapter not found (#{configuration.orm})", <<-ERROR_MSG.strip_heredoc
-        [DOORKEEPER] ORM adapter not found (#{configuration.orm}), or there was an error
-        trying to load it.
-
-        You probably need to add the related gem for this adapter to work with
-        doorkeeper.
-      ERROR_MSG
-    end
-
-    def run_orm_hooks
-      if @orm_adapter.respond_to?(:run_hooks)
-        @orm_adapter.run_hooks
-      else
-        ::Kernel.warn <<~MSG.strip_heredoc
-          [DOORKEEPER] ORM "#{configuration.orm}" should move all it's setup logic under `#run_hooks` method for
-          the #{@orm_adapter.name}. Later versions of Doorkeeper will no longer support `setup_orm_models` and
-          `setup_application_owner` API.
-        MSG
-      end
-    end
-
-    def setup_orm_models
-      @orm_adapter.initialize_models!
-    end
-
-    def setup_application_owner
-      @orm_adapter.initialize_application_owner!
-    end
-  end
-
   class Config
     # Default Doorkeeper configuration builder
     class Builder < AbstractBuilder
@@ -324,11 +254,6 @@ module Doorkeeper
     option :skip_client_authentication_for_password_grant,
            default: false
 
-    # TODO: remove the option
-    option :active_record_options,
-           default: {},
-           deprecated: { message: "Customize Doorkeeper models instead" }
-
     # Hook to allow arbitrary user-client authorization
     option :authorize_resource_owner_for_client,
            default: ->(_client, _resource_owner) { true }

data/lib/doorkeeper/engine.rb

@@ -2,10 +2,12 @@
 
 module Doorkeeper
   class Engine < Rails::Engine
-    initializer "doorkeeper.params.filter" do |app|
-      parameters = %w[client_secret authentication_token access_token refresh_token]
-      parameters << "code" if Doorkeeper.config.grant_flows.include?("authorization_code")
-      app.config.filter_parameters << /^(#{Regexp.union(parameters)})$/
+    initializer "doorkeeper.params.filter", after: :load_config_initializers do |app|
+      if Doorkeeper.configured?
+        parameters = %w[client_secret authentication_token access_token refresh_token]
+        parameters << "code" if Doorkeeper.config.grant_flows.include?("authorization_code")
+        app.config.filter_parameters << /^(#{Regexp.union(parameters)})$/
+      end
     end
 
     initializer "doorkeeper.routes" do

data/lib/doorkeeper/models/access_token_mixin.rb

@@ -87,8 +87,9 @@ module Doorkeeper
       # @return [Doorkeeper::AccessToken, nil] Access Token instance or
       #   nil if matching record was not found
       #
-      def matching_token_for(application, resource_owner, scopes)
-        tokens = authorized_tokens_for(application&.id, resource_owner).not_expired
+      def matching_token_for(application, resource_owner, scopes, include_expired: true)
+        tokens = authorized_tokens_for(application&.id, resource_owner)
+        tokens = tokens.not_expired unless include_expired
         find_matching_token(tokens, application, scopes)
       end
 
@@ -180,7 +181,7 @@ module Doorkeeper
       #
       def find_or_create_for(application:, resource_owner:, scopes:, **token_attributes)
         if Doorkeeper.config.reuse_access_token
-          access_token = matching_token_for(application, resource_owner, scopes)
+          access_token = matching_token_for(application, resource_owner, scopes, include_expired: false)
 
           return access_token if access_token&.reusable?
         end

data/lib/doorkeeper/models/concerns/polymorphic_resource_owner.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module Models
+    module PolymorphicResourceOwner
+      module ForAccessGrant
+        extend ActiveSupport::Concern
+
+        included do
+          if Doorkeeper.config.polymorphic_resource_owner?
+            belongs_to :resource_owner, polymorphic: true, optional: false
+          else
+            validates :resource_owner_id, presence: true
+          end
+        end
+      end
+
+      module ForAccessToken
+        extend ActiveSupport::Concern
+
+        included do
+          if Doorkeeper.config.polymorphic_resource_owner?
+            belongs_to :resource_owner, polymorphic: true, optional: true
+          end
+        end
+      end
+    end
+  end
+end
+

data/lib/doorkeeper/oauth/client_credentials/creator.rb

@@ -45,7 +45,7 @@ module Doorkeeper
         end
 
         def find_active_existing_token_for(client, scopes)
-          server_config.access_token_model.matching_token_for(client, nil, scopes)
+          server_config.access_token_model.matching_token_for(client, nil, scopes, include_expired: false)
         end
 
         def server_config

data/lib/doorkeeper/oauth/helpers/uri_checker.rb

@@ -61,9 +61,9 @@ module Doorkeeper
         end
 
         def self.valid_scheme?(uri)
-          return false if uri.scheme.nil?
+          return false if uri.scheme.blank?
 
-          %w[localhost].include?(uri.scheme) == false
+          %w[localhost].exclude?(uri.scheme)
         end
 
         def self.hypertext_scheme?(uri)
@@ -71,7 +71,7 @@ module Doorkeeper
         end
 
         def self.iff_host?(uri)
-          !(hypertext_scheme?(uri) && uri.host.nil?)
+          !(hypertext_scheme?(uri) && uri.host.blank?)
         end
 
         def self.oob_uri?(uri)

data/lib/doorkeeper/oauth/token_introspection.rb

@@ -134,7 +134,7 @@ module Doorkeeper
       # Since resource servers using token introspection rely on the
       # authorization server to determine the state of a token, the
       # authorization server MUST perform all applicable checks against a
-      # token's state.  For instance, these tests include the following:
+      # token's state. For instance, these tests include the following:
       #
       #    o  If the token can expire, the authorization server MUST determine
       #       whether or not the token has expired.

data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb

@@ -14,12 +14,6 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
                                optional: true,
                                inverse_of: :access_grants
 
-      if Doorkeeper.config.polymorphic_resource_owner?
-        belongs_to :resource_owner, polymorphic: true, optional: false
-      else
-        validates :resource_owner_id, presence: true
-      end
-
       validates :application_id,
                 :token,
                 :expires_in,

data/lib/doorkeeper/orm/active_record/mixins/access_token.rb

@@ -14,10 +14,6 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
                                inverse_of: :access_tokens,
                                optional: true
 
-      if Doorkeeper.config.polymorphic_resource_owner?
-        belongs_to :resource_owner, polymorphic: true, optional: true
-      end
-
       validates :token, presence: true, uniqueness: { case_sensitive: true }
       validates :refresh_token, uniqueness: { case_sensitive: true }, if: :use_refresh_token?
 

data/lib/doorkeeper/orm/active_record/mixins/application.rb

@@ -10,10 +10,6 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
 
       include ::Doorkeeper::ApplicationMixin
 
-      if Doorkeeper.config.enable_application_owner?
-        include ::Doorkeeper::Models::Ownership
-      end
-
       has_many :access_grants,
                foreign_key: :application_id,
                dependent: :delete_all,

data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb

@@ -45,11 +45,11 @@ module Doorkeeper
     end
 
     def unspecified_host?(uri)
-      uri.is_a?(URI::HTTP) && uri.host.nil?
+      uri.is_a?(URI::HTTP) && uri.host.blank?
     end
 
     def relative_uri?(uri)
-      uri.scheme.nil? && uri.host.nil?
+      uri.scheme.nil? && uri.host.blank?
     end
 
     def invalid_ssl_uri?(uri)

data/lib/doorkeeper/orm/active_record/stale_records_cleaner.rb

@@ -15,7 +15,8 @@ module Doorkeeper
         def clean_revoked
           table = @base_scope.arel_table
 
-          @base_scope.where.not(revoked_at: nil)
+          @base_scope
+            .where.not(revoked_at: nil)
             .where(table[:revoked_at].lt(Time.current))
             .in_batches(&:delete_all)
         end
@@ -24,7 +25,9 @@ module Doorkeeper
         def clean_expired(ttl)
           table = @base_scope.arel_table
 
-          @base_scope.where(table[:created_at].lt(Time.current - ttl))
+          @base_scope
+            .where.not(expires_in: nil)
+            .where(table[:created_at].lt(Time.current - ttl))
             .in_batches(&:delete_all)
         end
       end

data/lib/doorkeeper/orm/active_record.rb

@@ -29,20 +29,16 @@ module Doorkeeper
       end
 
       def self.run_hooks
-        # Deprecated, will be removed soon
-        return unless (options = Doorkeeper.config.active_record_options[:establish_connection])
+        initialize_configured_associations
+      end
 
-        Doorkeeper::Orm::ActiveRecord.models.each do |model|
-          model.establish_connection(options)
+      def self.initialize_configured_associations
+        if Doorkeeper.config.enable_application_owner?
+          Doorkeeper.config.application_model.include ::Doorkeeper::Models::Ownership
         end
-      end
 
-      def self.models
-        [
-          Doorkeeper.config.access_grant_model,
-          Doorkeeper.config.access_token_model,
-          Doorkeeper.config.application_model,
-        ]
+        Doorkeeper.config.access_grant_model.include ::Doorkeeper::Models::PolymorphicResourceOwner::ForAccessGrant
+        Doorkeeper.config.access_token_model.include ::Doorkeeper::Models::PolymorphicResourceOwner::ForAccessToken
       end
     end
   end

data/lib/doorkeeper/rails/routes.rb

@@ -36,7 +36,7 @@ module Doorkeeper
           map_route(:authorizations, :authorization_routes)
           map_route(:tokens, :token_routes)
           map_route(:tokens, :revoke_routes)
-          map_route(:tokens, :introspect_routes) unless Doorkeeper.config.allow_token_introspection.is_a?(FalseClass)
+          map_route(:tokens, :introspect_routes) if introspection_routes?
           map_route(:applications, :application_routes)
           map_route(:authorized_applications, :authorized_applications_routes)
           map_route(:token_info, :token_info_routes)
@@ -100,6 +100,11 @@ module Doorkeeper
       def native_authorization_code_route
         Doorkeeper.configuration.native_authorization_code_route
       end
+
+      def introspection_routes?
+        Doorkeeper.configured? &&
+          !Doorkeeper.config.allow_token_introspection.is_a?(FalseClass)
+      end
     end
   end
 end

data/lib/doorkeeper/version.rb

@@ -5,7 +5,7 @@ module Doorkeeper
     # Semantic versioning
     MAJOR = 5
     MINOR = 6
-    TINY = 2
+    TINY = 3
     PRE = nil
 
     # Full version number

data/lib/doorkeeper.rb

@@ -90,6 +90,7 @@ module Doorkeeper
     autoload :Expirable, "doorkeeper/models/concerns/expirable"
     autoload :ExpirationTimeSqlMath, "doorkeeper/models/concerns/expiration_time_sql_math"
     autoload :Orderable, "doorkeeper/models/concerns/orderable"
+    autoload :PolymorphicResourceOwner, "doorkeeper/models/concerns/polymorphic_resource_owner"
     autoload :Scopes, "doorkeeper/models/concerns/scopes"
     autoload :Reusable, "doorkeeper/models/concerns/reusable"
     autoload :ResourceOwnerable, "doorkeeper/models/concerns/resource_ownerable"
@@ -113,11 +114,77 @@ module Doorkeeper
     autoload :BCrypt, "doorkeeper/secret_storing/bcrypt"
   end
 
-  def self.authenticate(request, methods = Doorkeeper.config.access_token_methods)
-    OAuth::Token.authenticate(request, *methods)
-  end
+  class << self
+    attr_reader :orm_adapter
+
+    def configure(&block)
+      @config = Config::Builder.new(&block).build
+      setup
+      @config
+    end
+
+    # @return [Doorkeeper::Config] configuration instance
+    #
+    def configuration
+      @config || configure
+    end
+
+    def configured?
+      !@config.nil?
+    end
+
+    alias config configuration
+
+    def setup
+      setup_orm_adapter
+      run_orm_hooks
+      config.clear_cache!
+
+      # Deprecated, will be removed soon
+      unless configuration.orm == :active_record
+        setup_orm_models
+        setup_application_owner
+      end
+    end
+
+    def setup_orm_adapter
+      @orm_adapter = "doorkeeper/orm/#{configuration.orm}".classify.constantize
+    rescue NameError => e
+      raise e, "ORM adapter not found (#{configuration.orm})", <<-ERROR_MSG.strip_heredoc
+        [DOORKEEPER] ORM adapter not found (#{configuration.orm}), or there was an error
+        trying to load it.
 
-  def self.gem_version
-    ::Gem::Version.new(::Doorkeeper::VERSION::STRING)
+        You probably need to add the related gem for this adapter to work with
+        doorkeeper.
+      ERROR_MSG
+    end
+
+    def run_orm_hooks
+      if @orm_adapter.respond_to?(:run_hooks)
+        @orm_adapter.run_hooks
+      else
+        ::Kernel.warn <<~MSG.strip_heredoc
+          [DOORKEEPER] ORM "#{configuration.orm}" should move all it's setup logic under `#run_hooks` method for
+          the #{@orm_adapter.name}. Later versions of Doorkeeper will no longer support `setup_orm_models` and
+          `setup_application_owner` API.
+        MSG
+      end
+    end
+
+    def setup_orm_models
+      @orm_adapter.initialize_models!
+    end
+
+    def setup_application_owner
+      @orm_adapter.initialize_application_owner!
+    end
+
+    def authenticate(request, methods = Doorkeeper.config.access_token_methods)
+      OAuth::Token.authenticate(request, *methods)
+    end
+
+    def gem_version
+      ::Gem::Version.new(::Doorkeeper::VERSION::STRING)
+    end
   end
 end

data/lib/generators/doorkeeper/templates/migration.rb.erb

@@ -24,9 +24,9 @@ class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
       t.string   :token,             null: false
       t.integer  :expires_in,        null: false
       t.text     :redirect_uri,      null: false
+      t.string   :scopes,            null: false, default: ''
       t.datetime :created_at,        null: false
       t.datetime :revoked_at
-      t.string   :scopes,            null: false, default: ''
     end
 
     add_index :oauth_access_grants, :token, unique: true
@@ -53,9 +53,9 @@ class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
 
       t.string   :refresh_token
       t.integer  :expires_in
-      t.datetime :revoked_at
-      t.datetime :created_at, null: false
       t.string   :scopes
+      t.datetime :created_at, null: false
+      t.datetime :revoked_at
 
       # The authorization server MAY issue a new refresh token, in which case
       # *the client MUST discard the old refresh token* and replace it with the
@@ -74,7 +74,17 @@ class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
     end
 
     add_index :oauth_access_tokens, :token, unique: true
-    add_index :oauth_access_tokens, :refresh_token, unique: true
+
+    # See https://github.com/doorkeeper-gem/doorkeeper/issues/1592
+    if ActiveRecord::Base.connection.adapter_name == "SQLServer"
+      execute <<~SQL.squish
+        CREATE UNIQUE NONCLUSTERED INDEX index_oauth_access_tokens_on_refresh_token ON oauth_access_tokens(refresh_token)
+        WHERE refresh_token IS NOT NULL
+      SQL
+    else
+      add_index :oauth_access_tokens, :refresh_token, unique: true
+    end
+
     add_foreign_key(
       :oauth_access_tokens,
       :oauth_applications,

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper
 version: !ruby/object:Gem::Version
-  version: 5.6.2
+  version: 5.6.3
 platform: ruby
 authors:
 - Felipe Elias Philipp
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-11-29 00:00:00.000000000 Z
+date: 2023-01-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -69,20 +69,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: danger
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '8.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '8.0'
 - !ruby/object:Gem::Dependency
   name: database_cleaner
   requirement: !ruby/object:Gem::Requirement
@@ -238,6 +224,7 @@ files:
 - lib/doorkeeper/models/concerns/expiration_time_sql_math.rb
 - lib/doorkeeper/models/concerns/orderable.rb
 - lib/doorkeeper/models/concerns/ownership.rb
+- lib/doorkeeper/models/concerns/polymorphic_resource_owner.rb
 - lib/doorkeeper/models/concerns/resource_ownerable.rb
 - lib/doorkeeper/models/concerns/reusable.rb
 - lib/doorkeeper/models/concerns/revocable.rb
@@ -352,14 +339,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.5'
+      version: '2.7'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.1.6
 signing_key: 
 specification_version: 4
 summary: OAuth 2 provider for Rails and Grape