RubyGems - doorkeeper - Versions diffs - 5.6.6 → 5.6.8 - Mend

doorkeeper 5.6.6 → 5.6.8

Files changed (24) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +14 -1
data/app/controllers/doorkeeper/authorizations_controller.rb +7 -4
data/lib/doorkeeper/config.rb +4 -0
data/lib/doorkeeper/errors.rb +18 -0
data/lib/doorkeeper/models/access_token_mixin.rb +4 -0
data/lib/doorkeeper/oauth/authorization_code_request.rb +6 -6
data/lib/doorkeeper/oauth/base_request.rb +1 -1
data/lib/doorkeeper/oauth/client_credentials/issuer.rb +5 -4
data/lib/doorkeeper/oauth/client_credentials/validator.rb +3 -3
data/lib/doorkeeper/oauth/client_credentials_request.rb +10 -2
data/lib/doorkeeper/oauth/code_request.rb +1 -1
data/lib/doorkeeper/oauth/error_response.rb +4 -1
data/lib/doorkeeper/oauth/helpers/uri_checker.rb +1 -1
data/lib/doorkeeper/oauth/invalid_request_response.rb +4 -0
data/lib/doorkeeper/oauth/password_access_token_request.rb +4 -4
data/lib/doorkeeper/oauth/pre_authorization.rb +11 -11
data/lib/doorkeeper/oauth/refresh_token_request.rb +5 -5
data/lib/doorkeeper/oauth/token_introspection.rb +9 -7
data/lib/doorkeeper/oauth/token_request.rb +1 -1
data/lib/doorkeeper/orm/active_record/mixins/application.rb +1 -1
data/lib/doorkeeper/version.rb +1 -1
data/lib/generators/doorkeeper/templates/initializer.rb +7 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b62a0472a97d06b40362817c9d5c0dd7dd6e0d0e600437a19f5cf2fd18c4be46
-  data.tar.gz: 9850cef14c21a1f0df2fb451a485ab5b8066360a3008124f7aed287409364e36
+  metadata.gz: b8a202451362fe346d53be4d16dcb92fea331ee1aad93461283585f93749960b
+  data.tar.gz: 2f042a729cdd68ce19d6181a54a98635715f83e93946de95b62a7521400d4951
 SHA512:
-  metadata.gz: de0c7021c4735b26249e5b267db11ede06f55b23d8f9bd51641d1cf3eee3812e14a2deec986e8aa6ee81de98097083fdb634a441fd4928cb47286fa977ba5d96
-  data.tar.gz: 3865639c837771ceeafceec8a110e506f88fef45c61f7274782c637e794f9185be18ee98270852bac6fecb0fc90e4893dfed08d715c761507e87396e5a559bc2
+  metadata.gz: ab8dab957c6cfa382f406c465a187b3d1301a38eac8666789ad87755f2f383cb7f6a0f10f5b18f15dd4cbe5bb80f41697d01486d58739c5fca342c13a1bfe196
+  data.tar.gz: c0490f4072de798755643890309ff8d2ff645a5fa00797e2f5c933c6f1ffa685190cb935b2569a26fff5d282d3efd34f544b8784f598b8228c01259e784fe63b

data/CHANGELOG.md CHANGED Viewed

@@ -7,7 +7,20 @@ User-visible changes worth mentioning.
 ## main
-- [#ID] Add your PR description here.
+- [#PR ID] Add your changelog here.
+## 5.6.8
+- [#1680] Fix handle_auth_errors :raise NotImplementedError
+## 5.6.7
+- [#1662] Specify uri_redirect validation class explicitly.
+- [#1652] Add custom attributes support to token generator.
+- [#1667] Pass `client` instead of `grant.application` to `find_or_create_access_token`.
+- [#1673] Honor `custom_access_token_attributes` in client credentials grant flow.
+- [#1676] Improve AuthorizationsController error response handling
+- [#1677] Fix URIHelper.valid_for_authorization? breaking for non url URIs.
 ## 5.6.6

data/app/controllers/doorkeeper/authorizations_controller.rb CHANGED Viewed

@@ -41,11 +41,14 @@ module Doorkeeper
     end
     def render_error
-      if Doorkeeper.configuration.api_only
-        render json: pre_auth.error_response.body,
-               status: :bad_request
+      pre_auth.error_response.raise_exception! if Doorkeeper.config.raise_on_errors?
+      if Doorkeeper.configuration.redirect_on_errors? && pre_auth.error_response.redirectable?
+        redirect_or_render(pre_auth.error_response)
+      elsif Doorkeeper.configuration.api_only
+        render json: pre_auth.error_response.body, status: pre_auth.error_response.status
       else
-        render :error, locals: { error_response: pre_auth.error_response }
+        render :error, locals: { error_response: pre_auth.error_response }, status: pre_auth.error_response.status
       end
     end

data/lib/doorkeeper/config.rb CHANGED Viewed

@@ -501,6 +501,10 @@ module Doorkeeper
       handle_auth_errors == :raise
     end
+    def redirect_on_errors?
+      handle_auth_errors == :redirect
+    end
     def application_secret_hashed?
       instance_variable_defined?(:"@application_secret_strategy")
     end

data/lib/doorkeeper/errors.rb CHANGED Viewed

@@ -39,13 +39,31 @@ module Doorkeeper
       def initialize(response)
         @response = response
       end
+      def self.name_for_response
+        self.name.demodulize.underscore.to_sym
+      end
     end
     UnableToGenerateToken = Class.new(DoorkeeperError)
     TokenGeneratorNotFound = Class.new(DoorkeeperError)
     NoOrmCleaner = Class.new(DoorkeeperError)
+    InvalidRequest = Class.new(BaseResponseError)
     InvalidToken = Class.new(BaseResponseError)
+    InvalidClient = Class.new(BaseResponseError)
+    InvalidScope = Class.new(BaseResponseError)
+    InvalidRedirectUri = Class.new(BaseResponseError)
+    InvalidCodeChallengeMethod = Class.new(BaseResponseError)
+    InvalidGrant = Class.new(BaseResponseError)
+    UnauthorizedClient = Class.new(BaseResponseError)
+    UnsupportedResponseType = Class.new(BaseResponseError)
+    UnsupportedResponseMode = Class.new(BaseResponseError)
+    AccessDenied = Class.new(BaseResponseError)
+    ServerError = Class.new(BaseResponseError)
     TokenExpired = Class.new(InvalidToken)
     TokenRevoked = Class.new(InvalidToken)
     TokenUnknown = Class.new(InvalidToken)

data/lib/doorkeeper/models/access_token_mixin.rb CHANGED Viewed

@@ -435,6 +435,10 @@ module Doorkeeper
         if Doorkeeper.config.polymorphic_resource_owner?
           attributes[:resource_owner] = resource_owner
         end
+        Doorkeeper.config.custom_access_token_attributes.each do |attribute_name|
+          attributes[attribute_name] = public_send(attribute_name)
+        end
       end
     end

data/lib/doorkeeper/oauth/authorization_code_request.rb CHANGED Viewed

@@ -3,12 +3,12 @@
 module Doorkeeper
   module OAuth
     class AuthorizationCodeRequest < BaseRequest
-      validate :params,       error: :invalid_request
-      validate :client,       error: :invalid_client
-      validate :grant,        error: :invalid_grant
+      validate :params,       error: Errors::InvalidRequest
+      validate :client,       error: Errors::InvalidClient
+      validate :grant,        error: Errors::InvalidGrant
       # @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
-      validate :redirect_uri, error: :invalid_grant
-      validate :code_verifier, error: :invalid_grant
+      validate :redirect_uri, error: Errors::InvalidGrant
+      validate :code_verifier, error: Errors::InvalidGrant
       attr_reader :grant, :client, :redirect_uri, :access_token, :code_verifier,
                   :invalid_request_reason, :missing_param
@@ -32,7 +32,7 @@ module Doorkeeper
           grant.revoke
           find_or_create_access_token(
-            grant.application,
+            client,
             resource_owner,
             grant.scopes,
             custom_token_attributes_with_data,

data/lib/doorkeeper/oauth/base_request.rb CHANGED Viewed

@@ -15,7 +15,7 @@ module Doorkeeper
           @response = TokenResponse.new(access_token)
           after_successful_response
           @response
-        elsif error == :invalid_request
+        elsif error == Errors::InvalidRequest
           @response = InvalidRequestResponse.from_request(self)
         else
           @response = ErrorResponse.from_request(self)

data/lib/doorkeeper/oauth/client_credentials/issuer.rb CHANGED Viewed

@@ -11,10 +11,10 @@ module Doorkeeper
           @validator = validator
         end
-        def create(client, scopes, creator = Creator.new)
+        def create(client, scopes, attributes = {}, creator = Creator.new)
           if validator.valid?
-            @token = create_token(client, scopes, creator)
-            @error = :server_error unless @token
+            @token = create_token(client, scopes, attributes, creator)
+            @error = Errors::ServerError unless @token
           else
             @token = false
             @error = validator.error
@@ -25,7 +25,7 @@ module Doorkeeper
         private
-        def create_token(client, scopes, creator)
+        def create_token(client, scopes, attributes, creator)
           context = Authorization::Token.build_context(
             client,
             Doorkeeper::OAuth::CLIENT_CREDENTIALS,
@@ -39,6 +39,7 @@ module Doorkeeper
             scopes,
             use_refresh_token: false,
             expires_in: ttl,
+            **attributes
           )
         end
       end

data/lib/doorkeeper/oauth/client_credentials/validator.rb CHANGED Viewed

@@ -7,9 +7,9 @@ module Doorkeeper
         include Validations
         include OAuth::Helpers
-        validate :client, error: :invalid_client
-        validate :client_supports_grant_flow, error: :unauthorized_client
-        validate :scopes, error: :invalid_scope
+        validate :client, error: Errors::InvalidClient
+        validate :client_supports_grant_flow, error: Errors::UnauthorizedClient
+        validate :scopes, error: Errors::InvalidScope
         def initialize(server, request)
           @server = server

data/lib/doorkeeper/oauth/client_credentials_request.rb CHANGED Viewed

@@ -3,7 +3,7 @@
 module Doorkeeper
   module OAuth
     class ClientCredentialsRequest < BaseRequest
-      attr_reader :client, :original_scopes, :response
+      attr_reader :client, :original_scopes, :parameters, :response
       alias error_response response
@@ -14,6 +14,7 @@ module Doorkeeper
         @server = server
         @response = nil
         @original_scopes = parameters[:scope]
+        @parameters = parameters.except(:scope)
       end
       def access_token
@@ -30,7 +31,14 @@ module Doorkeeper
       private
       def valid?
-        issuer.create(client, scopes)
+        issuer.create(client, scopes, custom_token_attributes_with_data)
+      end
+      def custom_token_attributes_with_data
+        parameters
+          .with_indifferent_access
+          .slice(*Doorkeeper.config.custom_access_token_attributes)
+          .symbolize_keys
       end
     end
   end

data/lib/doorkeeper/oauth/code_request.rb CHANGED Viewed

@@ -17,7 +17,7 @@ module Doorkeeper
       end
       def deny
-        pre_auth.error = :access_denied
+        pre_auth.error = Errors::AccessDenied
         pre_auth.error_response
       end
     end

data/lib/doorkeeper/oauth/error_response.rb CHANGED Viewed

@@ -10,7 +10,8 @@ module Doorkeeper
       def self.from_request(request, attributes = {})
         new(
           attributes.merge(
-            name: request.error,
+            name: request.error&.name_for_response,
+            exception_class: request.error,
             state: request.try(:state),
             redirect_uri: request.try(:redirect_uri),
           ),
@@ -21,6 +22,7 @@ module Doorkeeper
       def initialize(attributes = {})
         @error = OAuth::Error.new(*attributes.values_at(:name, :state))
+        @exception_class = attributes[:exception_class]
         @redirect_uri = attributes[:redirect_uri]
         @response_on_fragment = attributes[:response_on_fragment]
       end
@@ -72,6 +74,7 @@ module Doorkeeper
       end
       def exception_class
+        return @exception_class if @exception_class
         raise NotImplementedError, "error response must define #exception_class"
       end

data/lib/doorkeeper/oauth/helpers/uri_checker.rb CHANGED Viewed

@@ -40,7 +40,7 @@ module Doorkeeper
         def self.loopback_uri?(uri)
           IPAddr.new(uri.host).loopback?
-        rescue IPAddr::Error
+        rescue IPAddr::Error, IPAddr::InvalidAddressError
           false
         end

data/lib/doorkeeper/oauth/invalid_request_response.rb CHANGED Viewed

@@ -35,6 +35,10 @@ module Doorkeeper
         )
       end
+      def exception_class
+        Doorkeeper::Errors::InvalidRequest
+      end
       def redirectable?
         super && @missing_param != :client_id
       end

data/lib/doorkeeper/oauth/password_access_token_request.rb CHANGED Viewed

@@ -5,10 +5,10 @@ module Doorkeeper
     class PasswordAccessTokenRequest < BaseRequest
       include OAuth::Helpers
-      validate :client, error: :invalid_client
-      validate :client_supports_grant_flow, error: :unauthorized_client
-      validate :resource_owner, error: :invalid_grant
-      validate :scopes, error: :invalid_scope
+      validate :client, error: Errors::InvalidClient
+      validate :client_supports_grant_flow, error: Errors::UnauthorizedClient
+      validate :resource_owner, error: Errors::InvalidGrant
+      validate :scopes, error: Errors::InvalidScope
       attr_reader :client, :credentials, :resource_owner, :parameters, :access_token

data/lib/doorkeeper/oauth/pre_authorization.rb CHANGED Viewed

@@ -5,16 +5,16 @@ module Doorkeeper
     class PreAuthorization
       include Validations
-      validate :client_id, error: :invalid_request
-      validate :client, error: :invalid_client
-      validate :client_supports_grant_flow, error: :unauthorized_client
-      validate :resource_owner_authorize_for_client, error: :invalid_client
-      validate :redirect_uri, error: :invalid_redirect_uri
-      validate :params, error: :invalid_request
-      validate :response_type, error: :unsupported_response_type
-      validate :response_mode, error: :unsupported_response_mode
-      validate :scopes, error: :invalid_scope
-      validate :code_challenge_method, error: :invalid_code_challenge_method
+      validate :client_id, error: Errors::InvalidRequest
+      validate :client, error: Errors::InvalidClient
+      validate :client_supports_grant_flow, error: Errors::UnauthorizedClient
+      validate :resource_owner_authorize_for_client, error: Errors::InvalidClient
+      validate :redirect_uri, error: Errors::InvalidRedirectUri
+      validate :params, error: Errors::InvalidRequest
+      validate :response_type, error: Errors::UnsupportedResponseType
+      validate :response_mode, error: Errors::UnsupportedResponseMode
+      validate :scopes, error: Errors::InvalidScope
+      validate :code_challenge_method, error: Errors::InvalidCodeChallengeMethod
       attr_reader :client, :code_challenge, :code_challenge_method, :missing_param,
                   :redirect_uri, :resource_owner, :response_type, :state,
@@ -47,7 +47,7 @@ module Doorkeeper
       end
       def error_response
-        if error == :invalid_request
+        if error == Errors::InvalidRequest
           OAuth::InvalidRequestResponse.from_request(
             self,
             response_on_fragment: response_on_fragment?,

data/lib/doorkeeper/oauth/refresh_token_request.rb CHANGED Viewed

@@ -5,11 +5,11 @@ module Doorkeeper
     class RefreshTokenRequest < BaseRequest
       include OAuth::Helpers
-      validate :token_presence, error: :invalid_request
-      validate :token,        error: :invalid_grant
-      validate :client,       error: :invalid_client
-      validate :client_match, error: :invalid_grant
-      validate :scope,        error: :invalid_scope
+      validate :token_presence, error: Errors::InvalidRequest
+      validate :token,        error: Errors::InvalidGrant
+      validate :client,       error: Errors::InvalidClient
+      validate :client_match, error: Errors::InvalidGrant
+      validate :scope,        error: Errors::InvalidScope
       attr_reader :access_token, :client, :credentials, :refresh_token
       attr_reader :missing_param

data/lib/doorkeeper/oauth/token_introspection.rb CHANGED Viewed

@@ -6,6 +6,8 @@ module Doorkeeper
     #
     # @see https://datatracker.ietf.org/doc/html/rfc7662
     class TokenIntrospection
+      attr_reader :error
       def initialize(server, token)
         @server = server
         @token = token
@@ -20,12 +22,12 @@ module Doorkeeper
       def error_response
         return if @error.blank?
-        if @error == :invalid_token
+        if @error == Errors::InvalidToken
           OAuth::InvalidTokenResponse.from_access_token(authorized_token)
-        elsif @error == :invalid_request
+        elsif @error == Errors::InvalidRequest
           OAuth::InvalidRequestResponse.from_request(self)
         else
-          OAuth::ErrorResponse.new(name: @error)
+          OAuth::ErrorResponse.from_request(self)
         end
       end
@@ -36,7 +38,7 @@ module Doorkeeper
       private
       attr_reader :server, :token
-      attr_reader :error, :invalid_request_reason
+      attr_reader :invalid_request_reason
       # If the protected resource uses OAuth 2.0 client credentials to
       # authenticate to the introspection endpoint and its credentials are
@@ -58,7 +60,7 @@ module Doorkeeper
       def authorize!
         # Requested client authorization
         if server.credentials
-          @error = :invalid_client unless authorized_client
+          @error = Errors::InvalidClient unless authorized_client
         elsif authorized_token
           # Requested bearer token authorization
           #
@@ -69,9 +71,9 @@ module Doorkeeper
           #  HTTP 401 code as described in Section 3 of OAuth 2.0 Bearer Token
           #  Usage [RFC6750].
           #
-          @error = :invalid_token unless valid_authorized_token?
+          @error = Errors::InvalidToken unless valid_authorized_token?
         else
-          @error = :invalid_request
+          @error = Errors::InvalidRequest
           @invalid_request_reason = :request_not_authorized
         end
       end

data/lib/doorkeeper/oauth/token_request.rb CHANGED Viewed

@@ -17,7 +17,7 @@ module Doorkeeper
       end
       def deny
-        pre_auth.error = :access_denied
+        pre_auth.error = Errors::AccessDenied
         pre_auth.error_response
       end
     end

data/lib/doorkeeper/orm/active_record/mixins/application.rb CHANGED Viewed

@@ -22,7 +22,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
       validates :name, :secret, :uid, presence: true
       validates :uid, uniqueness: { case_sensitive: true }
-      validates :redirect_uri, "doorkeeper/redirect_uri": true
+      validates_with Doorkeeper::RedirectUriValidator, attributes: [:redirect_uri]
       validates :confidential, inclusion: { in: [true, false] }
       validate :scopes_match_configured, if: :enforce_scopes?

data/lib/doorkeeper/version.rb CHANGED Viewed

@@ -5,7 +5,7 @@ module Doorkeeper
     # Semantic versioning
     MAJOR = 5
     MINOR = 6
-    TINY = 6
+    TINY = 8
     PRE = nil
     # Full version number

data/lib/generators/doorkeeper/templates/initializer.rb CHANGED Viewed

@@ -312,6 +312,12 @@ Doorkeeper.configure do
   #   Doorkeeper::Errors::TokenRevoked, Doorkeeper::Errors::TokenUnknown
   #
   # handle_auth_errors :raise
+  #
+  # If you want to redirect back to the client application in accordance with
+  # https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1, you can set
+  # +handle_auth_errors+ to :redirect
+  #
+  # handle_auth_errors :redirect
   # Customize token introspection response.
   # Allows to add your own fields to default one that are required by the OAuth spec
@@ -385,7 +391,7 @@ Doorkeeper.configure do
   # true in case resource owner authorized for the specific application or false in other
   # cases.
   #
-  # Be default all Resource Owners are authorized to any Client (application).
+  # By default all Resource Owners are authorized to any Client (application).
   #
   # authorize_resource_owner_for_client do |client, resource_owner|
   #   resource_owner.admin? || client.owners_allowlist.include?(resource_owner)

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper
 version: !ruby/object:Gem::Version
-  version: 5.6.6
+  version: 5.6.8
 platform: ruby
 authors:
 - Felipe Elias Philipp
@@ -11,7 +11,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-03-29 00:00:00.000000000 Z
+date: 2023-12-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties