doorkeeper 5.6.4 → 5.6.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e1f7bb9a1bb5e08c4b7c3ccb920bef61fbbd1dc0b11f76bba3a3d76a6fc8eeed
-  data.tar.gz: 456ffe74dac831f3b797565041e46ecf241fb4cfc597d0bc39aa7a3893abeecb
+  metadata.gz: b62a0472a97d06b40362817c9d5c0dd7dd6e0d0e600437a19f5cf2fd18c4be46
+  data.tar.gz: 9850cef14c21a1f0df2fb451a485ab5b8066360a3008124f7aed287409364e36
 SHA512:
-  metadata.gz: 6e23087c44495ce91c7e23f1bf8cd771dc82bdb92ffa1cac8f8bef2e42919bf8eea1ac86b1ed76580537c4b5a6b2ba571452470677259fb61e4be0e151091ad7
-  data.tar.gz: fcafc844c46bab18f03d5dd7e8bd345111fb57530275adbf8d9954f8e8c1436b29ded79e15f6321e9f86c845836b713c65aca23398114cfdb5c77e9b87a01647
+  metadata.gz: de0c7021c4735b26249e5b267db11ede06f55b23d8f9bd51641d1cf3eee3812e14a2deec986e8aa6ee81de98097083fdb634a441fd4928cb47286fa977ba5d96
+  data.tar.gz: 3865639c837771ceeafceec8a110e506f88fef45c61f7274782c637e794f9185be18ee98270852bac6fecb0fc90e4893dfed08d715c761507e87396e5a559bc2

data/CHANGELOG.md

@@ -9,6 +9,19 @@ User-visible changes worth mentioning.
 
 - [#ID] Add your PR description here.
 
+## 5.6.6
+
+- [#1644] Update HTTP headers.
+- [#1646] Block public clients automatic authorization skip.
+- [#1648] Add custom token attributes to Refresh Token Request.
+- [#1649] Fixed custom_access_token_attributes related errors.
+
+# 5.6.5
+
+- [#1602] Allow custom data to be stored inside access grants/tokens.
+- [#1634] Code refactoring for custom token attributes.
+- [#1639] Add grant type validation to avoid Internal Server Error for DELETE /oauth/authorize endpoint.
+
 # 5.6.4
 
 - [#1633] Apply ORM configuration in #to_prepare block to avoid autoloading errors.
@@ -39,7 +52,7 @@ User-visible changes worth mentioning.
 
 ## 5.6.0.rc2
 
-- [#1558] Fixed bug: able to obtain a token with default scopes even if they are not present in the 
+- [#1558] Fixed bug: able to obtain a token with default scopes even if they are not present in the
   application scopes when using client credentials.
 - [#1567] Only filter `code` parameter if authorization_code grant flow is enabled.
 
@@ -74,7 +87,7 @@ User-visible changes worth mentioning.
 ## 5.5.1
 
 - [#1496] Revoke `old_refresh_token` if `previous_refresh_token` is present.
-- [#1495] Fix `respond_to` undefined in API-only mode 
+- [#1495] Fix `respond_to` undefined in API-only mode
 - [#1488] Verify client authentication for Resource Owner Password Grant when
   `config.skip_client_authentication_for_password_grant` is set and the client credentials
   are sent in a HTTP Basic auth header.
@@ -88,10 +101,10 @@ User-visible changes worth mentioning.
 ## 5.5.0.rc2
 
 - [#1473] Enable `Applications` and `AuthorizedApplications` controllers in API mode.
-  
-  **[IMPORTANT]** you can still skip these controllers using `skip_controllers` in 
+
+  **[IMPORTANT]** you can still skip these controllers using `skip_controllers` in
     `use_doorkeeper` inside `routes.rb`. Please do it in case you don't need them.
-  
+
 - [#1472] Fix `establish_connection` configuration for custom defined models.
 - [#1471] Add support for Ruby 3.0.
 - [#1469] Check if `redirect_uri` exists.

data/app/controllers/doorkeeper/authorizations_controller.rb

@@ -13,17 +13,25 @@ module Doorkeeper
     end
 
     def create
-      redirect_or_render authorize_response
+      redirect_or_render(authorize_response)
     end
 
     def destroy
-      redirect_or_render authorization.deny
+      redirect_or_render(authorization.deny)
+    rescue Doorkeeper::Errors::InvalidTokenStrategy => e
+      error_response = get_error_response_from_exception(e)
+
+      if Doorkeeper.configuration.api_only
+        render json: error_response.body, status: :bad_request
+      else
+        render :error, locals: { error_response: error_response }
+      end
     end
 
     private
 
     def render_success
-      if skip_authorization? || matching_token?
+      if skip_authorization? || (matching_token? && pre_auth.client.application.confidential?)
         redirect_or_render(authorize_response)
       elsif Doorkeeper.configuration.api_only
         render json: pre_auth
@@ -37,7 +45,7 @@ module Doorkeeper
         render json: pre_auth.error_response.body,
                status: :bad_request
       else
-        render :error
+        render :error, locals: { error_response: pre_auth.error_response }
       end
     end
 
@@ -88,7 +96,7 @@ module Doorkeeper
     end
 
     def pre_auth_param_fields
-      %i[
+      custom_access_token_attributes + %i[
         client_id
         code_challenge
         code_challenge_method
@@ -100,6 +108,10 @@ module Doorkeeper
       ]
     end
 
+    def custom_access_token_attributes
+      Doorkeeper.config.custom_access_token_attributes.map(&:to_sym)
+    end
+
     def authorization
       @authorization ||= strategy.request
     end

data/app/views/doorkeeper/authorizations/error.html.erb

@@ -3,5 +3,7 @@
 </div>
 
 <main role="main">
-  <pre><%= @pre_auth.error_response.body[:error_description] %></pre>
+  <pre>
+    <%= (respond_to?(:error_response) ? error_response : @pre_auth.error_response).body[:error_description] %>
+  </pre>
 </main>

data/lib/doorkeeper/config.rb

@@ -321,6 +321,15 @@ module Doorkeeper
     option :access_token_generator,
            default: "Doorkeeper::OAuth::Helpers::UniqueToken"
 
+    # Allows additional data to be received when granting access to an Application, and for this
+    # additional data to be sent with subsequently generated access tokens. The access grant and
+    # access token models will both need to respond to the specified attribute names.
+    #
+    # @param attributes [Array] The array of custom attribute names to be saved
+    #
+    option :custom_access_token_attributes,
+           default: []
+
     # Use a custom class for generating the application secret.
     # https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-application-secret-generator
     #

data/lib/doorkeeper/oauth/authorization/code.rb

@@ -45,7 +45,13 @@ module Doorkeeper
             attributes[:resource_owner_id] = resource_owner.id
           end
 
-          pkce_attributes.merge(attributes)
+          pkce_attributes.merge(attributes).merge(custom_attributes)
+        end
+
+        def custom_attributes
+          # Custom access token attributes are saved into the access grant,
+          # and then included in subsequently generated access tokens.
+          @pre_auth.custom_access_token_attributes.to_h.with_indifferent_access
         end
 
         def pkce_attributes

data/lib/doorkeeper/oauth/authorization_code_request.rb

@@ -35,6 +35,7 @@ module Doorkeeper
             grant.application,
             resource_owner,
             grant.scopes,
+            custom_token_attributes_with_data,
             server,
           )
         end
@@ -55,11 +56,12 @@ module Doorkeeper
       end
 
       def validate_params
-        @missing_param = if grant&.uses_pkce? && code_verifier.blank?
-                           :code_verifier
-                         elsif redirect_uri.blank?
-                           :redirect_uri
-                         end
+        @missing_param =
+          if grant&.uses_pkce? && code_verifier.blank?
+            :code_verifier
+          elsif redirect_uri.blank?
+            :redirect_uri
+          end
 
         @missing_param.nil?
       end
@@ -97,7 +99,15 @@ module Doorkeeper
       end
 
       def generate_code_challenge(code_verifier)
-        server_config.access_grant_model.generate_code_challenge(code_verifier)
+        Doorkeeper.config.access_grant_model.generate_code_challenge(code_verifier)
+      end
+
+      def custom_token_attributes_with_data
+        grant
+          .attributes
+          .with_indifferent_access
+          .slice(*Doorkeeper.config.custom_access_token_attributes)
+          .symbolize_keys
       end
     end
   end

data/lib/doorkeeper/oauth/base_request.rb

@@ -26,27 +26,28 @@ module Doorkeeper
         @scopes ||= build_scopes
       end
 
-      def find_or_create_access_token(client, resource_owner, scopes, server)
+      def find_or_create_access_token(client, resource_owner, scopes, custom_attributes, server)
         context = Authorization::Token.build_context(client, grant_type, scopes, resource_owner)
-        @access_token = server_config.access_token_model.find_or_create_for(
-          application: client.is_a?(server_config.application_model) ? client : client&.application,
+        application = client.is_a?(Doorkeeper.config.application_model) ? client : client&.application
+
+        token_attributes = {
+          application: application,
           resource_owner: resource_owner,
           scopes: scopes,
           expires_in: Authorization::Token.access_token_expires_in(server, context),
           use_refresh_token: Authorization::Token.refresh_token_enabled?(server, context),
-        )
+        }
+
+        @access_token =
+          Doorkeeper.config.access_token_model.find_or_create_for(**token_attributes.merge(custom_attributes))
       end
 
       def before_successful_response
-        server_config.before_successful_strategy_response.call(self)
+        Doorkeeper.config.before_successful_strategy_response.call(self)
       end
 
       def after_successful_response
-        server_config.after_successful_strategy_response.call(self, @response)
-      end
-
-      def server_config
-        Doorkeeper.config
+        Doorkeeper.config.after_successful_strategy_response.call(self, @response)
       end
 
       private

data/lib/doorkeeper/oauth/client_credentials/creator.rb

@@ -9,12 +9,12 @@ module Doorkeeper
 
           if lookup_existing_token?
             existing_token = find_active_existing_token_for(client, scopes)
-            return existing_token if server_config.reuse_access_token && existing_token&.reusable?
+            return existing_token if Doorkeeper.config.reuse_access_token && existing_token&.reusable?
           end
 
           with_revocation(existing_token: existing_token) do
-            application = client.is_a?(server_config.application_model) ? client : client&.application
-            server_config.access_token_model.create_for(
+            application = client.is_a?(Doorkeeper.config.application_model) ? client : client&.application
+            Doorkeeper.config.access_token_model.create_for(
               application: application,
               resource_owner: nil,
               scopes: scopes,
@@ -26,7 +26,7 @@ module Doorkeeper
         private
 
         def with_revocation(existing_token:)
-          if existing_token && server_config.revoke_previous_client_credentials_token?
+          if existing_token && Doorkeeper.config.revoke_previous_client_credentials_token?
             existing_token.with_lock do
               raise Errors::DoorkeeperError, :invalid_token_reuse if existing_token.revoked?
 
@@ -40,16 +40,12 @@ module Doorkeeper
         end
 
         def lookup_existing_token?
-          server_config.reuse_access_token ||
-            server_config.revoke_previous_client_credentials_token?
+          Doorkeeper.config.reuse_access_token ||
+            Doorkeeper.config.revoke_previous_client_credentials_token?
         end
 
         def find_active_existing_token_for(client, scopes)
-          server_config.access_token_model.matching_token_for(client, nil, scopes, include_expired: false)
-        end
-
-        def server_config
-          Doorkeeper.config
+          Doorkeeper.config.access_token_model.matching_token_for(client, nil, scopes, include_expired: false)
         end
       end
     end

data/lib/doorkeeper/oauth/error_response.rb

@@ -55,8 +55,7 @@ module Doorkeeper
 
       def headers
         {
-          "Cache-Control" => "no-store",
-          "Pragma" => "no-cache",
+          "Cache-Control" => "no-store, no-cache",
           "Content-Type" => "application/json; charset=utf-8",
           "WWW-Authenticate" => authenticate_info,
         }

data/lib/doorkeeper/oauth/password_access_token_request.rb

@@ -25,7 +25,7 @@ module Doorkeeper
       private
 
       def before_successful_response
-        find_or_create_access_token(client, resource_owner, scopes, server)
+        find_or_create_access_token(client, resource_owner, scopes, {}, server)
         super
       end
 
@@ -68,7 +68,7 @@ module Doorkeeper
       end
 
       def validate_client_supports_grant_flow
-        server_config.allow_grant_flow_for_client?(grant_type, client&.application)
+        Doorkeeper.config.allow_grant_flow_for_client?(grant_type, client&.application)
       end
     end
   end

data/lib/doorkeeper/oauth/pre_authorization.rb

@@ -18,19 +18,20 @@ module Doorkeeper
 
       attr_reader :client, :code_challenge, :code_challenge_method, :missing_param,
                   :redirect_uri, :resource_owner, :response_type, :state,
-                  :authorization_response_flow, :response_mode
+                  :authorization_response_flow, :response_mode, :custom_access_token_attributes
 
       def initialize(server, parameters = {}, resource_owner = nil)
-        @server                = server
-        @client_id             = parameters[:client_id]
-        @response_type         = parameters[:response_type]
-        @response_mode         = parameters[:response_mode]
-        @redirect_uri          = parameters[:redirect_uri]
-        @scope                 = parameters[:scope]
-        @state                 = parameters[:state]
-        @code_challenge        = parameters[:code_challenge]
+        @server = server
+        @client_id = parameters[:client_id]
+        @response_type = parameters[:response_type]
+        @response_mode = parameters[:response_mode]
+        @redirect_uri = parameters[:redirect_uri]
+        @scope = parameters[:scope]
+        @state = parameters[:state]
+        @code_challenge = parameters[:code_challenge]
         @code_challenge_method = parameters[:code_challenge_method]
-        @resource_owner        = resource_owner
+        @resource_owner = resource_owner
+        @custom_access_token_attributes = parameters.slice(*Doorkeeper.config.custom_access_token_attributes)
       end
 
       def authorizable?

data/lib/doorkeeper/oauth/refresh_token_request.rb

@@ -26,7 +26,7 @@ module Doorkeeper
       private
 
       def load_client(credentials)
-        server_config.application_model.by_uid_and_secret(credentials.uid, credentials.secret)
+        Doorkeeper.config.application_model.by_uid_and_secret(credentials.uid, credentials.secret)
       end
 
       def before_successful_response
@@ -41,7 +41,7 @@ module Doorkeeper
       end
 
       def refresh_token_revoked_on_use?
-        server_config.access_token_model.refresh_token_revoked_on_use?
+        Doorkeeper.config.access_token_model.refresh_token_revoked_on_use?
       end
 
       def default_scopes
@@ -49,7 +49,7 @@ module Doorkeeper
       end
 
       def create_access_token
-        attributes = {}
+        attributes = {}.merge(custom_token_attributes_with_data)
 
         resource_owner =
           if Doorkeeper.config.polymorphic_resource_owner?
@@ -75,7 +75,7 @@ module Doorkeeper
         # Here we assume that TTL of the token received after refreshing should be
         # the same as that of the original token.
         #
-        @access_token = server_config.access_token_model.create_for(
+        @access_token = Doorkeeper.config.access_token_model.create_for(
           application: refresh_token.application,
           resource_owner: resource_owner,
           scopes: scopes,
@@ -119,6 +119,14 @@ module Doorkeeper
           true
         end
       end
+
+      def custom_token_attributes_with_data
+        refresh_token
+        .attributes
+        .with_indifferent_access
+        .slice(*Doorkeeper.config.custom_access_token_attributes)
+        .symbolize_keys
+      end
     end
   end
 end

data/lib/doorkeeper/oauth/token_response.rb

@@ -26,8 +26,7 @@ module Doorkeeper
 
       def headers
         {
-          "Cache-Control" => "no-store",
-          "Pragma" => "no-cache",
+          "Cache-Control" => "no-store, no-cache",
           "Content-Type" => "application/json; charset=utf-8",
         }
       end

data/lib/doorkeeper/version.rb

@@ -5,7 +5,7 @@ module Doorkeeper
     # Semantic versioning
     MAJOR = 5
     MINOR = 6
-    TINY = 4
+    TINY = 6
     PRE = nil
 
     # Full version number

data/lib/generators/doorkeeper/templates/initializer.rb

@@ -391,6 +391,23 @@ Doorkeeper.configure do
   #   resource_owner.admin? || client.owners_allowlist.include?(resource_owner)
   # end
 
+  # Allows additional data fields to be sent while granting access to an application,
+  # and for this additional data to be included in subsequently generated access tokens.
+  # The 'authorizations/new' page will need to be overridden to include this additional data
+  # in the request params when granting access. The access grant and access token models
+  # will both need to respond to these additional data fields, and have a database column
+  # to store them in.
+  #
+  # Example:
+  # You have a multi-tenanted platform and want to be able to grant access to a specific
+  # tenant, rather than all the tenants a user has access to. You can use this config
+  # option to specify that a ':tenant_id' will be passed when authorizing. This tenant_id
+  # will be included in the access tokens. When a request is made with one of these access
+  # tokens, you can check that the requested data belongs to the specified tenant.
+  #
+  # Default value is an empty Array: []
+  # custom_access_token_attributes [:tenant_id]
+
   # Hook into the strategies' request & response life-cycle in case your
   # application needs advanced customization or logging:
   #

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper
 version: !ruby/object:Gem::Version
-  version: 5.6.4
+  version: 5.6.6
 platform: ruby
 authors:
 - Felipe Elias Philipp
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-01-31 00:00:00.000000000 Z
+date: 2023-03-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties