RubyGems - doorkeeper - Versions diffs - 5.6.5 → 5.6.7 - Mend

doorkeeper 5.6.5 → 5.6.7

Files changed (19) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +21 -5
data/app/controllers/doorkeeper/authorizations_controller.rb +8 -5
data/lib/doorkeeper/config/validations.rb +0 -15
data/lib/doorkeeper/config.rb +4 -0
data/lib/doorkeeper/errors.rb +1 -1
data/lib/doorkeeper/models/access_token_mixin.rb +4 -0
data/lib/doorkeeper/oauth/authorization_code_request.rb +1 -1
data/lib/doorkeeper/oauth/client_credentials/issuer.rb +4 -3
data/lib/doorkeeper/oauth/client_credentials_request.rb +10 -2
data/lib/doorkeeper/oauth/error_response.rb +1 -2
data/lib/doorkeeper/oauth/helpers/uri_checker.rb +1 -1
data/lib/doorkeeper/oauth/invalid_request_response.rb +4 -0
data/lib/doorkeeper/oauth/refresh_token_request.rb +9 -1
data/lib/doorkeeper/oauth/token_response.rb +1 -2
data/lib/doorkeeper/orm/active_record/mixins/application.rb +1 -1
data/lib/doorkeeper/version.rb +1 -1
data/lib/generators/doorkeeper/templates/initializer.rb +7 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8430b36ebe602cb716e1d404c53e17cbe41a6e122fb3004e77dc5b16ea70a7bd
-  data.tar.gz: 7d8033e2051e21776c0d57e3bbe23d6d2cea04e615c48b9d82a7a704373ff7cb
+  metadata.gz: fe1238848f221c9cccf2a7d110e8d05dde7ebc0aab59f702fe258b4d2e415aa0
+  data.tar.gz: 46709212a318983949375e9e0c22a63e8a24256f50d47c660693a1bbbe40566c
 SHA512:
-  metadata.gz: a89cf897778ebd53736ff57f9e7f5eb587ffa6da110e04a62a99816b3719ab9d109700a6cace1d36208bfb34eeb4fd7153aeaef7792275b57cde34e189904510
-  data.tar.gz: bc943f37ca582f1badaa25d98715f1e5ec2a86f8da3f99ef7367cbcc63a99a20a0cc3458d1c2919bb1088e6a09ffd47e33a6634b78b8fcc0e49993681c56a683
+  metadata.gz: 286b26e562e901d950a52618f6e7699cc29f3e4af5df202d20b466c782fcb9a7d844c00f59b04a0ace41f177cd45f788d934c0c812ebae818066d74d2ce89f1a
+  data.tar.gz: 23f2d816febe32008283607b1979b48c236ce66dc9086b9fd700c3ebe124557a548dbf9166175706e2cd4f5415b26d32210cd7e290a85c013becc8cb5185a417

data/CHANGELOG.md CHANGED Viewed

@@ -9,6 +9,22 @@ User-visible changes worth mentioning.
 - [#ID] Add your PR description here.
+## 5.6.7
+- [#1662] Specify uri_redirect validation class explicitly.
+- [#1652] Add custom attributes support to token generator.
+- [#1667] Pass `client` instead of `grant.application` to `find_or_create_access_token`.
+- [#1673] Honor `custom_access_token_attributes` in client credentials grant flow.
+- [#1676] Improve AuthorizationsController error response handling
+- [#1677] Fix URIHelper.valid_for_authorization? breaking for non url URIs.
+## 5.6.6
+- [#1644] Update HTTP headers.
+- [#1646] Block public clients automatic authorization skip.
+- [#1648] Add custom token attributes to Refresh Token Request.
+- [#1649] Fixed custom_access_token_attributes related errors.
 # 5.6.5
 - [#1602] Allow custom data to be stored inside access grants/tokens.
@@ -45,7 +61,7 @@ User-visible changes worth mentioning.
 ## 5.6.0.rc2
-- [#1558] Fixed bug: able to obtain a token with default scopes even if they are not present in the
+- [#1558] Fixed bug: able to obtain a token with default scopes even if they are not present in the
   application scopes when using client credentials.
 - [#1567] Only filter `code` parameter if authorization_code grant flow is enabled.
@@ -80,7 +96,7 @@ User-visible changes worth mentioning.
 ## 5.5.1
 - [#1496] Revoke `old_refresh_token` if `previous_refresh_token` is present.
-- [#1495] Fix `respond_to` undefined in API-only mode
+- [#1495] Fix `respond_to` undefined in API-only mode
 - [#1488] Verify client authentication for Resource Owner Password Grant when
   `config.skip_client_authentication_for_password_grant` is set and the client credentials
   are sent in a HTTP Basic auth header.
@@ -94,10 +110,10 @@ User-visible changes worth mentioning.
 ## 5.5.0.rc2
 - [#1473] Enable `Applications` and `AuthorizedApplications` controllers in API mode.
-  **[IMPORTANT]** you can still skip these controllers using `skip_controllers` in
+  **[IMPORTANT]** you can still skip these controllers using `skip_controllers` in
     `use_doorkeeper` inside `routes.rb`. Please do it in case you don't need them.
 - [#1472] Fix `establish_connection` configuration for custom defined models.
 - [#1471] Add support for Ruby 3.0.
 - [#1469] Check if `redirect_uri` exists.

data/app/controllers/doorkeeper/authorizations_controller.rb CHANGED Viewed

@@ -31,7 +31,7 @@ module Doorkeeper
     private
     def render_success
-      if skip_authorization? || matching_token?
+      if skip_authorization? || (matching_token? && pre_auth.client.application.confidential?)
         redirect_or_render(authorize_response)
       elsif Doorkeeper.configuration.api_only
         render json: pre_auth
@@ -41,11 +41,14 @@ module Doorkeeper
     end
     def render_error
-      if Doorkeeper.configuration.api_only
-        render json: pre_auth.error_response.body,
-               status: :bad_request
+      pre_auth.error_response.raise_exception! if Doorkeeper.config.raise_on_errors?
+      if Doorkeeper.configuration.redirect_on_errors? && pre_auth.error_response.redirectable?
+        redirect_or_render(pre_auth.error_response)
+      elsif Doorkeeper.configuration.api_only
+        render json: pre_auth.error_response.body, status: pre_auth.error_response.status
       else
-        render :error, locals: { error_response: pre_auth.error_response }
+        render :error, locals: { error_response: pre_auth.error_response }, status: pre_auth.error_response.status
       end
     end

data/lib/doorkeeper/config/validations.rb CHANGED Viewed

@@ -11,7 +11,6 @@ module Doorkeeper
         validate_reuse_access_token_value
         validate_token_reuse_limit
         validate_secret_strategies
-        validate_custom_access_token_attributes
       end
       private
@@ -49,20 +48,6 @@ module Doorkeeper
         )
         @token_reuse_limit = 100
       end
-      # Validate that the access_token and access_grant models
-      # both respond to all of the custom attributes
-      def validate_custom_access_token_attributes
-        return if custom_access_token_attributes.blank?
-        custom_access_token_attributes.each do |attribute_name|
-          [access_token_model, access_grant_model].each do |model|
-            next if model.has_attribute?(attribute_name)
-            raise Doorkeeper::Errors::ConfigError, "#{model} does not recognize custom attribute: #{attribute_name}."
-          end
-        end
-      end
     end
   end
 end

data/lib/doorkeeper/config.rb CHANGED Viewed

@@ -501,6 +501,10 @@ module Doorkeeper
       handle_auth_errors == :raise
     end
+    def redirect_on_errors?
+      handle_auth_errors == :redirect
+    end
     def application_secret_hashed?
       instance_variable_defined?(:"@application_secret_strategy")
     end

data/lib/doorkeeper/errors.rb CHANGED Viewed

@@ -44,8 +44,8 @@ module Doorkeeper
     UnableToGenerateToken = Class.new(DoorkeeperError)
     TokenGeneratorNotFound = Class.new(DoorkeeperError)
     NoOrmCleaner = Class.new(DoorkeeperError)
-    ConfigError = Class.new(DoorkeeperError)
+    InvalidRequest = Class.new(BaseResponseError)
     InvalidToken = Class.new(BaseResponseError)
     TokenExpired = Class.new(InvalidToken)
     TokenRevoked = Class.new(InvalidToken)

data/lib/doorkeeper/models/access_token_mixin.rb CHANGED Viewed

@@ -435,6 +435,10 @@ module Doorkeeper
         if Doorkeeper.config.polymorphic_resource_owner?
           attributes[:resource_owner] = resource_owner
         end
+        Doorkeeper.config.custom_access_token_attributes.each do |attribute_name|
+          attributes[attribute_name] = public_send(attribute_name)
+        end
       end
     end

data/lib/doorkeeper/oauth/authorization_code_request.rb CHANGED Viewed

@@ -32,7 +32,7 @@ module Doorkeeper
           grant.revoke
           find_or_create_access_token(
-            grant.application,
+            client,
             resource_owner,
             grant.scopes,
             custom_token_attributes_with_data,

data/lib/doorkeeper/oauth/client_credentials/issuer.rb CHANGED Viewed

@@ -11,9 +11,9 @@ module Doorkeeper
           @validator = validator
         end
-        def create(client, scopes, creator = Creator.new)
+        def create(client, scopes, attributes = {}, creator = Creator.new)
           if validator.valid?
-            @token = create_token(client, scopes, creator)
+            @token = create_token(client, scopes, attributes, creator)
             @error = :server_error unless @token
           else
             @token = false
@@ -25,7 +25,7 @@ module Doorkeeper
         private
-        def create_token(client, scopes, creator)
+        def create_token(client, scopes, attributes, creator)
           context = Authorization::Token.build_context(
             client,
             Doorkeeper::OAuth::CLIENT_CREDENTIALS,
@@ -39,6 +39,7 @@ module Doorkeeper
             scopes,
             use_refresh_token: false,
             expires_in: ttl,
+            **attributes
           )
         end
       end

data/lib/doorkeeper/oauth/client_credentials_request.rb CHANGED Viewed

@@ -3,7 +3,7 @@
 module Doorkeeper
   module OAuth
     class ClientCredentialsRequest < BaseRequest
-      attr_reader :client, :original_scopes, :response
+      attr_reader :client, :original_scopes, :parameters, :response
       alias error_response response
@@ -14,6 +14,7 @@ module Doorkeeper
         @server = server
         @response = nil
         @original_scopes = parameters[:scope]
+        @parameters = parameters.except(:scope)
       end
       def access_token
@@ -30,7 +31,14 @@ module Doorkeeper
       private
       def valid?
-        issuer.create(client, scopes)
+        issuer.create(client, scopes, custom_token_attributes_with_data)
+      end
+      def custom_token_attributes_with_data
+        parameters
+          .with_indifferent_access
+          .slice(*Doorkeeper.config.custom_access_token_attributes)
+          .symbolize_keys
       end
     end
   end

data/lib/doorkeeper/oauth/error_response.rb CHANGED Viewed

@@ -55,8 +55,7 @@ module Doorkeeper
       def headers
         {
-          "Cache-Control" => "no-store",
-          "Pragma" => "no-cache",
+          "Cache-Control" => "no-store, no-cache",
           "Content-Type" => "application/json; charset=utf-8",
           "WWW-Authenticate" => authenticate_info,
         }

data/lib/doorkeeper/oauth/helpers/uri_checker.rb CHANGED Viewed

@@ -40,7 +40,7 @@ module Doorkeeper
         def self.loopback_uri?(uri)
           IPAddr.new(uri.host).loopback?
-        rescue IPAddr::Error
+        rescue IPAddr::Error, IPAddr::InvalidAddressError
           false
         end

data/lib/doorkeeper/oauth/invalid_request_response.rb CHANGED Viewed

@@ -35,6 +35,10 @@ module Doorkeeper
         )
       end
+      def exception_class
+        Doorkeeper::Errors::InvalidRequest
+      end
       def redirectable?
         super && @missing_param != :client_id
       end

data/lib/doorkeeper/oauth/refresh_token_request.rb CHANGED Viewed

@@ -49,7 +49,7 @@ module Doorkeeper
       end
       def create_access_token
-        attributes = {}
+        attributes = {}.merge(custom_token_attributes_with_data)
         resource_owner =
           if Doorkeeper.config.polymorphic_resource_owner?
@@ -119,6 +119,14 @@ module Doorkeeper
           true
         end
       end
+      def custom_token_attributes_with_data
+        refresh_token
+        .attributes
+        .with_indifferent_access
+        .slice(*Doorkeeper.config.custom_access_token_attributes)
+        .symbolize_keys
+      end
     end
   end
 end

data/lib/doorkeeper/oauth/token_response.rb CHANGED Viewed

@@ -26,8 +26,7 @@ module Doorkeeper
       def headers
         {
-          "Cache-Control" => "no-store",
-          "Pragma" => "no-cache",
+          "Cache-Control" => "no-store, no-cache",
           "Content-Type" => "application/json; charset=utf-8",
         }
       end

data/lib/doorkeeper/orm/active_record/mixins/application.rb CHANGED Viewed

@@ -22,7 +22,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
       validates :name, :secret, :uid, presence: true
       validates :uid, uniqueness: { case_sensitive: true }
-      validates :redirect_uri, "doorkeeper/redirect_uri": true
+      validates_with Doorkeeper::RedirectUriValidator, attributes: [:redirect_uri]
       validates :confidential, inclusion: { in: [true, false] }
       validate :scopes_match_configured, if: :enforce_scopes?

data/lib/doorkeeper/version.rb CHANGED Viewed

@@ -5,7 +5,7 @@ module Doorkeeper
     # Semantic versioning
     MAJOR = 5
     MINOR = 6
-    TINY = 5
+    TINY = 7
     PRE = nil
     # Full version number

data/lib/generators/doorkeeper/templates/initializer.rb CHANGED Viewed

@@ -312,6 +312,12 @@ Doorkeeper.configure do
   #   Doorkeeper::Errors::TokenRevoked, Doorkeeper::Errors::TokenUnknown
   #
   # handle_auth_errors :raise
+  #
+  # If you want to redirect back to the client application in accordance with
+  # https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1, you can set
+  # +handle_auth_errors+ to :redirect
+  #
+  # handle_auth_errors :redirect
   # Customize token introspection response.
   # Allows to add your own fields to default one that are required by the OAuth spec
@@ -385,7 +391,7 @@ Doorkeeper.configure do
   # true in case resource owner authorized for the specific application or false in other
   # cases.
   #
-  # Be default all Resource Owners are authorized to any Client (application).
+  # By default all Resource Owners are authorized to any Client (application).
   #
   # authorize_resource_owner_for_client do |client, resource_owner|
   #   resource_owner.admin? || client.owners_allowlist.include?(resource_owner)

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper
 version: !ruby/object:Gem::Version
-  version: 5.6.5
+  version: 5.6.7
 platform: ruby
 authors:
 - Felipe Elias Philipp
@@ -11,7 +11,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-02-22 00:00:00.000000000 Z
+date: 2023-11-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties