RubyGems - doorkeeper - Versions diffs - 5.6.6 → 5.6.8 - Mend

doorkeeper 5.6.6 → 5.6.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +14 -1
data/app/controllers/doorkeeper/authorizations_controller.rb +7 -4
data/lib/doorkeeper/config.rb +4 -0
data/lib/doorkeeper/errors.rb +18 -0
data/lib/doorkeeper/models/access_token_mixin.rb +4 -0
data/lib/doorkeeper/oauth/authorization_code_request.rb +6 -6
data/lib/doorkeeper/oauth/base_request.rb +1 -1
data/lib/doorkeeper/oauth/client_credentials/issuer.rb +5 -4
data/lib/doorkeeper/oauth/client_credentials/validator.rb +3 -3
data/lib/doorkeeper/oauth/client_credentials_request.rb +10 -2
data/lib/doorkeeper/oauth/code_request.rb +1 -1
data/lib/doorkeeper/oauth/error_response.rb +4 -1
data/lib/doorkeeper/oauth/helpers/uri_checker.rb +1 -1
data/lib/doorkeeper/oauth/invalid_request_response.rb +4 -0
data/lib/doorkeeper/oauth/password_access_token_request.rb +4 -4
data/lib/doorkeeper/oauth/pre_authorization.rb +11 -11
data/lib/doorkeeper/oauth/refresh_token_request.rb +5 -5
data/lib/doorkeeper/oauth/token_introspection.rb +9 -7
data/lib/doorkeeper/oauth/token_request.rb +1 -1
data/lib/doorkeeper/orm/active_record/mixins/application.rb +1 -1
data/lib/doorkeeper/version.rb +1 -1
data/lib/generators/doorkeeper/templates/initializer.rb +7 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b62a0472a97d06b40362817c9d5c0dd7dd6e0d0e600437a19f5cf2fd18c4be46
-  data.tar.gz: 9850cef14c21a1f0df2fb451a485ab5b8066360a3008124f7aed287409364e36
+  metadata.gz: b8a202451362fe346d53be4d16dcb92fea331ee1aad93461283585f93749960b
+  data.tar.gz: 2f042a729cdd68ce19d6181a54a98635715f83e93946de95b62a7521400d4951
 SHA512:
-  metadata.gz: de0c7021c4735b26249e5b267db11ede06f55b23d8f9bd51641d1cf3eee3812e14a2deec986e8aa6ee81de98097083fdb634a441fd4928cb47286fa977ba5d96
-  data.tar.gz: 3865639c837771ceeafceec8a110e506f88fef45c61f7274782c637e794f9185be18ee98270852bac6fecb0fc90e4893dfed08d715c761507e87396e5a559bc2
+  metadata.gz: ab8dab957c6cfa382f406c465a187b3d1301a38eac8666789ad87755f2f383cb7f6a0f10f5b18f15dd4cbe5bb80f41697d01486d58739c5fca342c13a1bfe196
+  data.tar.gz: c0490f4072de798755643890309ff8d2ff645a5fa00797e2f5c933c6f1ffa685190cb935b2569a26fff5d282d3efd34f544b8784f598b8228c01259e784fe63b

data/CHANGELOG.md CHANGED Viewed

@@ -7,7 +7,20 @@ User-visible changes worth mentioning.
 ## main
-- [#ID] Add your PR description here.
+- [#PR ID] Add your changelog here.
+## 5.6.8
+- [#1680] Fix handle_auth_errors :raise NotImplementedError
+## 5.6.7
+- [#1662] Specify uri_redirect validation class explicitly.
+- [#1652] Add custom attributes support to token generator.
+- [#1667] Pass `client` instead of `grant.application` to `find_or_create_access_token`.
+- [#1673] Honor `custom_access_token_attributes` in client credentials grant flow.
+- [#1676] Improve AuthorizationsController error response handling
+- [#1677] Fix URIHelper.valid_for_authorization? breaking for non url URIs.
 ## 5.6.6

data/app/controllers/doorkeeper/authorizations_controller.rb CHANGED Viewed

@@ -41,11 +41,14 @@ module Doorkeeper
     end
     def render_error
-      if Doorkeeper.configuration.api_only
-        render json: pre_auth.error_response.body,
-               status: :bad_request
+      pre_auth.error_response.raise_exception! if Doorkeeper.config.raise_on_errors?
+      if Doorkeeper.configuration.redirect_on_errors? && pre_auth.error_response.redirectable?
+        redirect_or_render(pre_auth.error_response)
+      elsif Doorkeeper.configuration.api_only
+        render json: pre_auth.error_response.body, status: pre_auth.error_response.status
       else
-        render :error, locals: { error_response: pre_auth.error_response }
+        render :error, locals: { error_response: pre_auth.error_response }, status: pre_auth.error_response.status
       end
     end

data/lib/doorkeeper/config.rb CHANGED Viewed

@@ -501,6 +501,10 @@ module Doorkeeper
       handle_auth_errors == :raise
     end
+    def redirect_on_errors?
+      handle_auth_errors == :redirect
+    end
     def application_secret_hashed?
       instance_variable_defined?(:"@application_secret_strategy")
     end

data/lib/doorkeeper/errors.rb CHANGED Viewed

@@ -39,13 +39,31 @@ module Doorkeeper
       def initialize(response)
         @response = response
       end
+      def self.name_for_response
+        self.name.demodulize.underscore.to_sym
+      end
     end
     UnableToGenerateToken = Class.new(DoorkeeperError)
     TokenGeneratorNotFound = Class.new(DoorkeeperError)
     NoOrmCleaner = Class.new(DoorkeeperError)
+    InvalidRequest = Class.new(BaseResponseError)
     InvalidToken = Class.new(BaseResponseError)
+    InvalidClient = Class.new(BaseResponseError)
+    InvalidScope = Class.new(BaseResponseError)
+    InvalidRedirectUri = Class.new(BaseResponseError)
+    InvalidCodeChallengeMethod = Class.new(BaseResponseError)
+    InvalidGrant = Class.new(BaseResponseError)
+    UnauthorizedClient = Class.new(BaseResponseError)
+    UnsupportedResponseType = Class.new(BaseResponseError)
+    UnsupportedResponseMode = Class.new(BaseResponseError)
+    AccessDenied = Class.new(BaseResponseError)
+    ServerError = Class.new(BaseResponseError)
     TokenExpired = Class.new(InvalidToken)
     TokenRevoked = Class.new(InvalidToken)
     TokenUnknown = Class.new(InvalidToken)

data/lib/doorkeeper/models/access_token_mixin.rb CHANGED Viewed

@@ -435,6 +435,10 @@ module Doorkeeper
         if Doorkeeper.config.polymorphic_resource_owner?
           attributes[:resource_owner] = resource_owner
         end
+        Doorkeeper.config.custom_access_token_attributes.each do |attribute_name|
+          attributes[attribute_name] = public_send(attribute_name)
+        end
       end
     end

data/lib/doorkeeper/oauth/authorization_code_request.rb CHANGED Viewed

@@ -3,12 +3,12 @@
 module Doorkeeper
   module OAuth
     class AuthorizationCodeRequest < BaseRequest
-      validate :params,       error: :invalid_request
-      validate :client,       error: :invalid_client
-      validate :grant,        error: :invalid_grant
+      validate :params,       error: Errors::InvalidRequest
+      validate :client,       error: Errors::InvalidClient
+      validate :grant,        error: Errors::InvalidGrant
       # @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
-      validate :redirect_uri, error: :invalid_grant
-      validate :code_verifier, error: :invalid_grant
+      validate :redirect_uri, error: Errors::InvalidGrant
+      validate :code_verifier, error: Errors::InvalidGrant
       attr_reader :grant, :client, :redirect_uri, :access_token, :code_verifier,
                   :invalid_request_reason, :missing_param
@@ -32,7 +32,7 @@ module Doorkeeper
           grant.revoke
           find_or_create_access_token(
-            grant.application,
+            client,
             resource_owner,
             grant.scopes,
             custom_token_attributes_with_data,

data/lib/doorkeeper/oauth/base_request.rb CHANGED Viewed

@@ -15,7 +15,7 @@ module Doorkeeper
           @response = TokenResponse.new(access_token)
           after_successful_response
           @response
-        elsif error == :invalid_request
+        elsif error == Errors::InvalidRequest
           @response = InvalidRequestResponse.from_request(self)
         else
           @response = ErrorResponse.from_request(self)

data/lib/doorkeeper/oauth/client_credentials/issuer.rb CHANGED Viewed

@@ -11,10 +11,10 @@ module Doorkeeper
           @validator = validator
         end
-        def create(client, scopes, creator = Creator.new)
+        def create(client, scopes, attributes = {}, creator = Creator.new)
           if validator.valid?
-            @token = create_token(client, scopes, creator)
-            @error = :server_error unless @token
+            @token = create_token(client, scopes, attributes, creator)
+            @error = Errors::ServerError unless @token
           else
             @token = false
             @error = validator.error
@@ -25,7 +25,7 @@ module Doorkeeper
         private
-        def create_token(client, scopes, creator)
+        def create_token(client, scopes, attributes, creator)
           context = Authorization::Token.build_context(
             client,
             Doorkeeper::OAuth::CLIENT_CREDENTIALS,
@@ -39,6 +39,7 @@ module Doorkeeper
             scopes,
             use_refresh_token: false,
             expires_in: ttl,
+            **attributes
           )
         end
       end

data/lib/doorkeeper/oauth/client_credentials/validator.rb CHANGED Viewed

@@ -7,9 +7,9 @@ module Doorkeeper
         include Validations
         include OAuth::Helpers
-        validate :client, error: :invalid_client
-        validate :client_supports_grant_flow, error: :unauthorized_client
-        validate :scopes, error: :invalid_scope
+        validate :client, error: Errors::InvalidClient
+        validate :client_supports_grant_flow, error: Errors::UnauthorizedClient
+        validate :scopes, error: Errors::InvalidScope
         def initialize(server, request)
           @server = server

data/lib/doorkeeper/oauth/client_credentials_request.rb CHANGED Viewed

@@ -3,7 +3,7 @@
 module Doorkeeper
   module OAuth
     class ClientCredentialsRequest < BaseRequest
-      attr_reader :client, :original_scopes, :response
+      attr_reader :client, :original_scopes, :parameters, :response
       alias error_response response
@@ -14,6 +14,7 @@ module Doorkeeper
         @server = server
         @response = nil
         @original_scopes = parameters[:scope]
+        @parameters = parameters.except(:scope)
       end
       def access_token
@@ -30,7 +31,14 @@ module Doorkeeper
       private
       def valid?
-        issuer.create(client, scopes)
+        issuer.create(client, scopes, custom_token_attributes_with_data)
+      end
+      def custom_token_attributes_with_data
+        parameters
+          .with_indifferent_access
+          .slice(*Doorkeeper.config.custom_access_token_attributes)
+          .symbolize_keys
       end
     end
   end

data/lib/doorkeeper/oauth/code_request.rb CHANGED Viewed

@@ -17,7 +17,7 @@ module Doorkeeper
       end
       def deny
-        pre_auth.error = :access_denied
+        pre_auth.error = Errors::AccessDenied
         pre_auth.error_response
       end
     end

data/lib/doorkeeper/oauth/error_response.rb CHANGED Viewed

@@ -10,7 +10,8 @@ module Doorkeeper
       def self.from_request(request, attributes = {})
         new(
           attributes.merge(
-            name: request.error,
+            name: request.error&.name_for_response,
+            exception_class: request.error,
             state: request.try(:state),
             redirect_uri: request.try(:redirect_uri),
           ),
@@ -21,6 +22,7 @@ module Doorkeeper
       def initialize(attributes = {})
         @error = OAuth::Error.new(*attributes.values_at(:name, :state))
+        @exception_class = attributes[:exception_class]
         @redirect_uri = attributes[:redirect_uri]
         @response_on_fragment = attributes[:response_on_fragment]
       end
@@ -72,6 +74,7 @@ module Doorkeeper
       end
       def exception_class
+        return @exception_class if @exception_class
         raise NotImplementedError, "error response must define #exception_class"
       end

data/lib/doorkeeper/oauth/helpers/uri_checker.rb CHANGED Viewed

@@ -40,7 +40,7 @@ module Doorkeeper
         def self.loopback_uri?(uri)
           IPAddr.new(uri.host).loopback?
-        rescue IPAddr::Error
+        rescue IPAddr::Error, IPAddr::InvalidAddressError
           false
         end

data/lib/doorkeeper/oauth/invalid_request_response.rb CHANGED Viewed

@@ -35,6 +35,10 @@ module Doorkeeper
         )
       end
+      def exception_class
+        Doorkeeper::Errors::InvalidRequest
+      end
       def redirectable?
         super && @missing_param != :client_id
       end

data/lib/doorkeeper/oauth/password_access_token_request.rb CHANGED Viewed

@@ -5,10 +5,10 @@ module Doorkeeper
     class PasswordAccessTokenRequest < BaseRequest
       include OAuth::Helpers
-      validate :client, error: :invalid_client
-      validate :client_supports_grant_flow, error: :unauthorized_client
-      validate :resource_owner, error: :invalid_grant
-      validate :scopes, error: :invalid_scope
+      validate :client, error: Errors::InvalidClient
+      validate :client_supports_grant_flow, error: Errors::UnauthorizedClient
+      validate :resource_owner, error: Errors::InvalidGrant
+      validate :scopes, error: Errors::InvalidScope
       attr_reader :client, :credentials, :resource_owner, :parameters, :access_token

data/lib/doorkeeper/oauth/pre_authorization.rb CHANGED Viewed

@@ -5,16 +5,16 @@ module Doorkeeper
     class PreAuthorization
       include Validations
-      validate :client_id, error: :invalid_request
-      validate :client, error: :invalid_client
-      validate :client_supports_grant_flow, error: :unauthorized_client
-      validate :resource_owner_authorize_for_client, error: :invalid_client
-      validate :redirect_uri, error: :invalid_redirect_uri
-      validate :params, error: :invalid_request
-      validate :response_type, error: :unsupported_response_type
-      validate :response_mode, error: :unsupported_response_mode
-      validate :scopes, error: :invalid_scope
-      validate :code_challenge_method, error: :invalid_code_challenge_method
+      validate :client_id, error: Errors::InvalidRequest
+      validate :client, error: Errors::InvalidClient
+      validate :client_supports_grant_flow, error: Errors::UnauthorizedClient
+      validate :resource_owner_authorize_for_client, error: Errors::InvalidClient
+      validate :redirect_uri, error: Errors::InvalidRedirectUri
+      validate :params, error: Errors::InvalidRequest
+      validate :response_type, error: Errors::UnsupportedResponseType
+      validate :response_mode, error: Errors::UnsupportedResponseMode
+      validate :scopes, error: Errors::InvalidScope
+      validate :code_challenge_method, error: Errors::InvalidCodeChallengeMethod
       attr_reader :client, :code_challenge, :code_challenge_method, :missing_param,
                   :redirect_uri, :resource_owner, :response_type, :state,
@@ -47,7 +47,7 @@ module Doorkeeper
       end
       def error_response
-        if error == :invalid_request
+        if error == Errors::InvalidRequest
           OAuth::InvalidRequestResponse.from_request(
             self,
             response_on_fragment: response_on_fragment?,

data/lib/doorkeeper/oauth/refresh_token_request.rb CHANGED Viewed

@@ -5,11 +5,11 @@ module Doorkeeper
     class RefreshTokenRequest < BaseRequest
       include OAuth::Helpers
-      validate :token_presence, error: :invalid_request
-      validate :token,        error: :invalid_grant
-      validate :client,       error: :invalid_client
-      validate :client_match, error: :invalid_grant
-      validate :scope,        error: :invalid_scope
+      validate :token_presence, error: Errors::InvalidRequest
+      validate :token,        error: Errors::InvalidGrant
+      validate :client,       error: Errors::InvalidClient
+      validate :client_match, error: Errors::InvalidGrant
+      validate :scope,        error: Errors::InvalidScope
       attr_reader :access_token, :client, :credentials, :refresh_token
       attr_reader :missing_param

data/lib/doorkeeper/oauth/token_introspection.rb CHANGED Viewed

@@ -6,6 +6,8 @@ module Doorkeeper
     #
     # @see https://datatracker.ietf.org/doc/html/rfc7662
     class TokenIntrospection
+      attr_reader :error
       def initialize(server, token)
         @server = server
         @token = token
@@ -20,12 +22,12 @@ module Doorkeeper
       def error_response
         return if @error.blank?
-        if @error == :invalid_token
+        if @error == Errors::InvalidToken
           OAuth::InvalidTokenResponse.from_access_token(authorized_token)
-        elsif @error == :invalid_request
+        elsif @error == Errors::InvalidRequest
           OAuth::InvalidRequestResponse.from_request(self)
         else
-          OAuth::ErrorResponse.new(name: @error)
+          OAuth::ErrorResponse.from_request(self)
         end
       end
@@ -36,7 +38,7 @@ module Doorkeeper
       private
       attr_reader :server, :token
-      attr_reader :error, :invalid_request_reason
+      attr_reader :invalid_request_reason
       # If the protected resource uses OAuth 2.0 client credentials to
       # authenticate to the introspection endpoint and its credentials are
@@ -58,7 +60,7 @@ module Doorkeeper
       def authorize!
         # Requested client authorization
         if server.credentials
-          @error = :invalid_client unless authorized_client
+          @error = Errors::InvalidClient unless authorized_client
         elsif authorized_token
           # Requested bearer token authorization
           #
@@ -69,9 +71,9 @@ module Doorkeeper
           #  HTTP 401 code as described in Section 3 of OAuth 2.0 Bearer Token
           #  Usage [RFC6750].
           #
-          @error = :invalid_token unless valid_authorized_token?
+          @error = Errors::InvalidToken unless valid_authorized_token?
         else
-          @error = :invalid_request
+          @error = Errors::InvalidRequest
           @invalid_request_reason = :request_not_authorized
         end
       end

data/lib/doorkeeper/oauth/token_request.rb CHANGED Viewed

@@ -17,7 +17,7 @@ module Doorkeeper
       end
       def deny
-        pre_auth.error = :access_denied
+        pre_auth.error = Errors::AccessDenied
         pre_auth.error_response
       end
     end

data/lib/doorkeeper/orm/active_record/mixins/application.rb CHANGED Viewed

@@ -22,7 +22,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
       validates :name, :secret, :uid, presence: true
       validates :uid, uniqueness: { case_sensitive: true }
-      validates :redirect_uri, "doorkeeper/redirect_uri": true
+      validates_with Doorkeeper::RedirectUriValidator, attributes: [:redirect_uri]
       validates :confidential, inclusion: { in: [true, false] }
       validate :scopes_match_configured, if: :enforce_scopes?

data/lib/doorkeeper/version.rb CHANGED Viewed

@@ -5,7 +5,7 @@ module Doorkeeper
     # Semantic versioning
     MAJOR = 5
     MINOR = 6
-    TINY = 6
+    TINY = 8
     PRE = nil
     # Full version number

data/lib/generators/doorkeeper/templates/initializer.rb CHANGED Viewed

@@ -312,6 +312,12 @@ Doorkeeper.configure do
   #   Doorkeeper::Errors::TokenRevoked, Doorkeeper::Errors::TokenUnknown
   #
   # handle_auth_errors :raise
+  #
+  # If you want to redirect back to the client application in accordance with
+  # https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1, you can set
+  # +handle_auth_errors+ to :redirect
+  #
+  # handle_auth_errors :redirect
   # Customize token introspection response.
   # Allows to add your own fields to default one that are required by the OAuth spec
@@ -385,7 +391,7 @@ Doorkeeper.configure do
   # true in case resource owner authorized for the specific application or false in other
   # cases.
   #
-  # Be default all Resource Owners are authorized to any Client (application).
+  # By default all Resource Owners are authorized to any Client (application).
   #
   # authorize_resource_owner_for_client do |client, resource_owner|
   #   resource_owner.admin? || client.owners_allowlist.include?(resource_owner)

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper
 version: !ruby/object:Gem::Version
-  version: 5.6.6
+  version: 5.6.8
 platform: ruby
 authors:
 - Felipe Elias Philipp
@@ -11,7 +11,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-03-29 00:00:00.000000000 Z
+date: 2023-12-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties