doorkeeper 5.6.5 → 5.6.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +21 -5
- data/app/controllers/doorkeeper/authorizations_controller.rb +8 -5
- data/lib/doorkeeper/config/validations.rb +0 -15
- data/lib/doorkeeper/config.rb +4 -0
- data/lib/doorkeeper/errors.rb +1 -1
- data/lib/doorkeeper/models/access_token_mixin.rb +4 -0
- data/lib/doorkeeper/oauth/authorization_code_request.rb +1 -1
- data/lib/doorkeeper/oauth/client_credentials/issuer.rb +4 -3
- data/lib/doorkeeper/oauth/client_credentials_request.rb +10 -2
- data/lib/doorkeeper/oauth/error_response.rb +1 -2
- data/lib/doorkeeper/oauth/helpers/uri_checker.rb +1 -1
- data/lib/doorkeeper/oauth/invalid_request_response.rb +4 -0
- data/lib/doorkeeper/oauth/refresh_token_request.rb +9 -1
- data/lib/doorkeeper/oauth/token_response.rb +1 -2
- data/lib/doorkeeper/orm/active_record/mixins/application.rb +1 -1
- data/lib/doorkeeper/version.rb +1 -1
- data/lib/generators/doorkeeper/templates/initializer.rb +7 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: fe1238848f221c9cccf2a7d110e8d05dde7ebc0aab59f702fe258b4d2e415aa0
|
|
4
|
+
data.tar.gz: 46709212a318983949375e9e0c22a63e8a24256f50d47c660693a1bbbe40566c
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 286b26e562e901d950a52618f6e7699cc29f3e4af5df202d20b466c782fcb9a7d844c00f59b04a0ace41f177cd45f788d934c0c812ebae818066d74d2ce89f1a
|
|
7
|
+
data.tar.gz: 23f2d816febe32008283607b1979b48c236ce66dc9086b9fd700c3ebe124557a548dbf9166175706e2cd4f5415b26d32210cd7e290a85c013becc8cb5185a417
|
data/CHANGELOG.md
CHANGED
|
@@ -9,6 +9,22 @@ User-visible changes worth mentioning.
|
|
|
9
9
|
|
|
10
10
|
- [#ID] Add your PR description here.
|
|
11
11
|
|
|
12
|
+
## 5.6.7
|
|
13
|
+
|
|
14
|
+
- [#1662] Specify uri_redirect validation class explicitly.
|
|
15
|
+
- [#1652] Add custom attributes support to token generator.
|
|
16
|
+
- [#1667] Pass `client` instead of `grant.application` to `find_or_create_access_token`.
|
|
17
|
+
- [#1673] Honor `custom_access_token_attributes` in client credentials grant flow.
|
|
18
|
+
- [#1676] Improve AuthorizationsController error response handling
|
|
19
|
+
- [#1677] Fix URIHelper.valid_for_authorization? breaking for non url URIs.
|
|
20
|
+
|
|
21
|
+
## 5.6.6
|
|
22
|
+
|
|
23
|
+
- [#1644] Update HTTP headers.
|
|
24
|
+
- [#1646] Block public clients automatic authorization skip.
|
|
25
|
+
- [#1648] Add custom token attributes to Refresh Token Request.
|
|
26
|
+
- [#1649] Fixed custom_access_token_attributes related errors.
|
|
27
|
+
|
|
12
28
|
# 5.6.5
|
|
13
29
|
|
|
14
30
|
- [#1602] Allow custom data to be stored inside access grants/tokens.
|
|
@@ -45,7 +61,7 @@ User-visible changes worth mentioning.
|
|
|
45
61
|
|
|
46
62
|
## 5.6.0.rc2
|
|
47
63
|
|
|
48
|
-
- [#1558] Fixed bug: able to obtain a token with default scopes even if they are not present in the
|
|
64
|
+
- [#1558] Fixed bug: able to obtain a token with default scopes even if they are not present in the
|
|
49
65
|
application scopes when using client credentials.
|
|
50
66
|
- [#1567] Only filter `code` parameter if authorization_code grant flow is enabled.
|
|
51
67
|
|
|
@@ -80,7 +96,7 @@ User-visible changes worth mentioning.
|
|
|
80
96
|
## 5.5.1
|
|
81
97
|
|
|
82
98
|
- [#1496] Revoke `old_refresh_token` if `previous_refresh_token` is present.
|
|
83
|
-
- [#1495] Fix `respond_to` undefined in API-only mode
|
|
99
|
+
- [#1495] Fix `respond_to` undefined in API-only mode
|
|
84
100
|
- [#1488] Verify client authentication for Resource Owner Password Grant when
|
|
85
101
|
`config.skip_client_authentication_for_password_grant` is set and the client credentials
|
|
86
102
|
are sent in a HTTP Basic auth header.
|
|
@@ -94,10 +110,10 @@ User-visible changes worth mentioning.
|
|
|
94
110
|
## 5.5.0.rc2
|
|
95
111
|
|
|
96
112
|
- [#1473] Enable `Applications` and `AuthorizedApplications` controllers in API mode.
|
|
97
|
-
|
|
98
|
-
**[IMPORTANT]** you can still skip these controllers using `skip_controllers` in
|
|
113
|
+
|
|
114
|
+
**[IMPORTANT]** you can still skip these controllers using `skip_controllers` in
|
|
99
115
|
`use_doorkeeper` inside `routes.rb`. Please do it in case you don't need them.
|
|
100
|
-
|
|
116
|
+
|
|
101
117
|
- [#1472] Fix `establish_connection` configuration for custom defined models.
|
|
102
118
|
- [#1471] Add support for Ruby 3.0.
|
|
103
119
|
- [#1469] Check if `redirect_uri` exists.
|
|
@@ -31,7 +31,7 @@ module Doorkeeper
|
|
|
31
31
|
private
|
|
32
32
|
|
|
33
33
|
def render_success
|
|
34
|
-
if skip_authorization? || matching_token?
|
|
34
|
+
if skip_authorization? || (matching_token? && pre_auth.client.application.confidential?)
|
|
35
35
|
redirect_or_render(authorize_response)
|
|
36
36
|
elsif Doorkeeper.configuration.api_only
|
|
37
37
|
render json: pre_auth
|
|
@@ -41,11 +41,14 @@ module Doorkeeper
|
|
|
41
41
|
end
|
|
42
42
|
|
|
43
43
|
def render_error
|
|
44
|
-
if Doorkeeper.
|
|
45
|
-
|
|
46
|
-
|
|
44
|
+
pre_auth.error_response.raise_exception! if Doorkeeper.config.raise_on_errors?
|
|
45
|
+
|
|
46
|
+
if Doorkeeper.configuration.redirect_on_errors? && pre_auth.error_response.redirectable?
|
|
47
|
+
redirect_or_render(pre_auth.error_response)
|
|
48
|
+
elsif Doorkeeper.configuration.api_only
|
|
49
|
+
render json: pre_auth.error_response.body, status: pre_auth.error_response.status
|
|
47
50
|
else
|
|
48
|
-
render :error, locals: { error_response: pre_auth.error_response }
|
|
51
|
+
render :error, locals: { error_response: pre_auth.error_response }, status: pre_auth.error_response.status
|
|
49
52
|
end
|
|
50
53
|
end
|
|
51
54
|
|
|
@@ -11,7 +11,6 @@ module Doorkeeper
|
|
|
11
11
|
validate_reuse_access_token_value
|
|
12
12
|
validate_token_reuse_limit
|
|
13
13
|
validate_secret_strategies
|
|
14
|
-
validate_custom_access_token_attributes
|
|
15
14
|
end
|
|
16
15
|
|
|
17
16
|
private
|
|
@@ -49,20 +48,6 @@ module Doorkeeper
|
|
|
49
48
|
)
|
|
50
49
|
@token_reuse_limit = 100
|
|
51
50
|
end
|
|
52
|
-
|
|
53
|
-
# Validate that the access_token and access_grant models
|
|
54
|
-
# both respond to all of the custom attributes
|
|
55
|
-
def validate_custom_access_token_attributes
|
|
56
|
-
return if custom_access_token_attributes.blank?
|
|
57
|
-
|
|
58
|
-
custom_access_token_attributes.each do |attribute_name|
|
|
59
|
-
[access_token_model, access_grant_model].each do |model|
|
|
60
|
-
next if model.has_attribute?(attribute_name)
|
|
61
|
-
|
|
62
|
-
raise Doorkeeper::Errors::ConfigError, "#{model} does not recognize custom attribute: #{attribute_name}."
|
|
63
|
-
end
|
|
64
|
-
end
|
|
65
|
-
end
|
|
66
51
|
end
|
|
67
52
|
end
|
|
68
53
|
end
|
data/lib/doorkeeper/config.rb
CHANGED
data/lib/doorkeeper/errors.rb
CHANGED
|
@@ -44,8 +44,8 @@ module Doorkeeper
|
|
|
44
44
|
UnableToGenerateToken = Class.new(DoorkeeperError)
|
|
45
45
|
TokenGeneratorNotFound = Class.new(DoorkeeperError)
|
|
46
46
|
NoOrmCleaner = Class.new(DoorkeeperError)
|
|
47
|
-
ConfigError = Class.new(DoorkeeperError)
|
|
48
47
|
|
|
48
|
+
InvalidRequest = Class.new(BaseResponseError)
|
|
49
49
|
InvalidToken = Class.new(BaseResponseError)
|
|
50
50
|
TokenExpired = Class.new(InvalidToken)
|
|
51
51
|
TokenRevoked = Class.new(InvalidToken)
|
|
@@ -435,6 +435,10 @@ module Doorkeeper
|
|
|
435
435
|
if Doorkeeper.config.polymorphic_resource_owner?
|
|
436
436
|
attributes[:resource_owner] = resource_owner
|
|
437
437
|
end
|
|
438
|
+
|
|
439
|
+
Doorkeeper.config.custom_access_token_attributes.each do |attribute_name|
|
|
440
|
+
attributes[attribute_name] = public_send(attribute_name)
|
|
441
|
+
end
|
|
438
442
|
end
|
|
439
443
|
end
|
|
440
444
|
|
|
@@ -11,9 +11,9 @@ module Doorkeeper
|
|
|
11
11
|
@validator = validator
|
|
12
12
|
end
|
|
13
13
|
|
|
14
|
-
def create(client, scopes, creator = Creator.new)
|
|
14
|
+
def create(client, scopes, attributes = {}, creator = Creator.new)
|
|
15
15
|
if validator.valid?
|
|
16
|
-
@token = create_token(client, scopes, creator)
|
|
16
|
+
@token = create_token(client, scopes, attributes, creator)
|
|
17
17
|
@error = :server_error unless @token
|
|
18
18
|
else
|
|
19
19
|
@token = false
|
|
@@ -25,7 +25,7 @@ module Doorkeeper
|
|
|
25
25
|
|
|
26
26
|
private
|
|
27
27
|
|
|
28
|
-
def create_token(client, scopes, creator)
|
|
28
|
+
def create_token(client, scopes, attributes, creator)
|
|
29
29
|
context = Authorization::Token.build_context(
|
|
30
30
|
client,
|
|
31
31
|
Doorkeeper::OAuth::CLIENT_CREDENTIALS,
|
|
@@ -39,6 +39,7 @@ module Doorkeeper
|
|
|
39
39
|
scopes,
|
|
40
40
|
use_refresh_token: false,
|
|
41
41
|
expires_in: ttl,
|
|
42
|
+
**attributes
|
|
42
43
|
)
|
|
43
44
|
end
|
|
44
45
|
end
|
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
module Doorkeeper
|
|
4
4
|
module OAuth
|
|
5
5
|
class ClientCredentialsRequest < BaseRequest
|
|
6
|
-
attr_reader :client, :original_scopes, :response
|
|
6
|
+
attr_reader :client, :original_scopes, :parameters, :response
|
|
7
7
|
|
|
8
8
|
alias error_response response
|
|
9
9
|
|
|
@@ -14,6 +14,7 @@ module Doorkeeper
|
|
|
14
14
|
@server = server
|
|
15
15
|
@response = nil
|
|
16
16
|
@original_scopes = parameters[:scope]
|
|
17
|
+
@parameters = parameters.except(:scope)
|
|
17
18
|
end
|
|
18
19
|
|
|
19
20
|
def access_token
|
|
@@ -30,7 +31,14 @@ module Doorkeeper
|
|
|
30
31
|
private
|
|
31
32
|
|
|
32
33
|
def valid?
|
|
33
|
-
issuer.create(client, scopes)
|
|
34
|
+
issuer.create(client, scopes, custom_token_attributes_with_data)
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
def custom_token_attributes_with_data
|
|
38
|
+
parameters
|
|
39
|
+
.with_indifferent_access
|
|
40
|
+
.slice(*Doorkeeper.config.custom_access_token_attributes)
|
|
41
|
+
.symbolize_keys
|
|
34
42
|
end
|
|
35
43
|
end
|
|
36
44
|
end
|
|
@@ -49,7 +49,7 @@ module Doorkeeper
|
|
|
49
49
|
end
|
|
50
50
|
|
|
51
51
|
def create_access_token
|
|
52
|
-
attributes = {}
|
|
52
|
+
attributes = {}.merge(custom_token_attributes_with_data)
|
|
53
53
|
|
|
54
54
|
resource_owner =
|
|
55
55
|
if Doorkeeper.config.polymorphic_resource_owner?
|
|
@@ -119,6 +119,14 @@ module Doorkeeper
|
|
|
119
119
|
true
|
|
120
120
|
end
|
|
121
121
|
end
|
|
122
|
+
|
|
123
|
+
def custom_token_attributes_with_data
|
|
124
|
+
refresh_token
|
|
125
|
+
.attributes
|
|
126
|
+
.with_indifferent_access
|
|
127
|
+
.slice(*Doorkeeper.config.custom_access_token_attributes)
|
|
128
|
+
.symbolize_keys
|
|
129
|
+
end
|
|
122
130
|
end
|
|
123
131
|
end
|
|
124
132
|
end
|
|
@@ -22,7 +22,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
|
|
|
22
22
|
|
|
23
23
|
validates :name, :secret, :uid, presence: true
|
|
24
24
|
validates :uid, uniqueness: { case_sensitive: true }
|
|
25
|
-
|
|
25
|
+
validates_with Doorkeeper::RedirectUriValidator, attributes: [:redirect_uri]
|
|
26
26
|
validates :confidential, inclusion: { in: [true, false] }
|
|
27
27
|
|
|
28
28
|
validate :scopes_match_configured, if: :enforce_scopes?
|
data/lib/doorkeeper/version.rb
CHANGED
|
@@ -312,6 +312,12 @@ Doorkeeper.configure do
|
|
|
312
312
|
# Doorkeeper::Errors::TokenRevoked, Doorkeeper::Errors::TokenUnknown
|
|
313
313
|
#
|
|
314
314
|
# handle_auth_errors :raise
|
|
315
|
+
#
|
|
316
|
+
# If you want to redirect back to the client application in accordance with
|
|
317
|
+
# https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1, you can set
|
|
318
|
+
# +handle_auth_errors+ to :redirect
|
|
319
|
+
#
|
|
320
|
+
# handle_auth_errors :redirect
|
|
315
321
|
|
|
316
322
|
# Customize token introspection response.
|
|
317
323
|
# Allows to add your own fields to default one that are required by the OAuth spec
|
|
@@ -385,7 +391,7 @@ Doorkeeper.configure do
|
|
|
385
391
|
# true in case resource owner authorized for the specific application or false in other
|
|
386
392
|
# cases.
|
|
387
393
|
#
|
|
388
|
-
#
|
|
394
|
+
# By default all Resource Owners are authorized to any Client (application).
|
|
389
395
|
#
|
|
390
396
|
# authorize_resource_owner_for_client do |client, resource_owner|
|
|
391
397
|
# resource_owner.admin? || client.owners_allowlist.include?(resource_owner)
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: doorkeeper
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 5.6.
|
|
4
|
+
version: 5.6.7
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Felipe Elias Philipp
|
|
@@ -11,7 +11,7 @@ authors:
|
|
|
11
11
|
autorequire:
|
|
12
12
|
bindir: bin
|
|
13
13
|
cert_chain: []
|
|
14
|
-
date: 2023-
|
|
14
|
+
date: 2023-11-23 00:00:00.000000000 Z
|
|
15
15
|
dependencies:
|
|
16
16
|
- !ruby/object:Gem::Dependency
|
|
17
17
|
name: railties
|