doorkeeper 5.6.6 → 5.7.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b62a0472a97d06b40362817c9d5c0dd7dd6e0d0e600437a19f5cf2fd18c4be46
-  data.tar.gz: 9850cef14c21a1f0df2fb451a485ab5b8066360a3008124f7aed287409364e36
+  metadata.gz: df8ee24bf06e6b24c9ee822c24abf45ce0424b93ff05361dcdff76c930fa3c5a
+  data.tar.gz: 56e84b30480a60d02eea4b417f41c1cd6b322365bfce0e9fa31aad504def3807
 SHA512:
-  metadata.gz: de0c7021c4735b26249e5b267db11ede06f55b23d8f9bd51641d1cf3eee3812e14a2deec986e8aa6ee81de98097083fdb634a441fd4928cb47286fa977ba5d96
-  data.tar.gz: 3865639c837771ceeafceec8a110e506f88fef45c61f7274782c637e794f9185be18ee98270852bac6fecb0fc90e4893dfed08d715c761507e87396e5a559bc2
+  metadata.gz: d25945505890cb67e1e2db1e0a7eb8d49cd8bcccf05d2732883df6ace7269fe4bbe3de491a563ea3e254e1ac16e2daa407f665078cf243f7131a26db00b39842
+  data.tar.gz: 2269f220720be56f31928a1ab4180254058bc2b636994160db72030bc32f0a5db695e76b3186f6b0c24b8d77565bd4c49911d4f5a632b14c6bd57e213c278694

data/CHANGELOG.md

@@ -7,7 +7,36 @@ User-visible changes worth mentioning.
 
 ## main
 
-- [#ID] Add your PR description here.
+Add your entry here.
+
+## 5.7.1
+
+- [#1705] Add `force_pkce` option that requires non-confidential clients to use PKCE when requesting an access_token using an authorization code
+
+## 5.7.0
+
+- [#1696] Add missing `#issued_token` method to `OAuth::TokenResponse`
+- [#1697] Allow a TokenResponse body to be customized (memoize response body).
+- [#1702] Fix bugs for error response in the form_post and error view
+- [#1660] Custom access token attributes are now considered when finding matching tokens (fixes #1665).
+  Introduce `revoke_previous_client_credentials_token` configuration option.
+
+## 5.6.9
+
+- [#1691] Make new Doorkeeper errors backward compatible with older extensions.
+
+## 5.6.8
+
+- [#1680] Fix handle_auth_errors :raise NotImplementedError
+
+## 5.6.7
+
+- [#1662] Specify uri_redirect validation class explicitly.
+- [#1652] Add custom attributes support to token generator.
+- [#1667] Pass `client` instead of `grant.application` to `find_or_create_access_token`.
+- [#1673] Honor `custom_access_token_attributes` in client credentials grant flow.
+- [#1676] Improve AuthorizationsController error response handling
+- [#1677] Fix URIHelper.valid_for_authorization? breaking for non url URIs.
 
 ## 5.6.6
 
@@ -16,17 +45,17 @@ User-visible changes worth mentioning.
 - [#1648] Add custom token attributes to Refresh Token Request.
 - [#1649] Fixed custom_access_token_attributes related errors.
 
-# 5.6.5
+## 5.6.5
 
 - [#1602] Allow custom data to be stored inside access grants/tokens.
 - [#1634] Code refactoring for custom token attributes.
 - [#1639] Add grant type validation to avoid Internal Server Error for DELETE /oauth/authorize endpoint.
 
-# 5.6.4
+## 5.6.4
 
 - [#1633] Apply ORM configuration in #to_prepare block to avoid autoloading errors.
 
-# 5.6.3
+## 5.6.3
 
 - [#1622] Drop support for Rubies 2.5 and 2.6
 - [#1605] Fix URI validation for Ruby 3.2+.

data/README.md

@@ -39,7 +39,6 @@ Supported features:
 - [ORMs](#orms)
 - [Extensions](#extensions)
 - [Example Applications](#example-applications)
-- [Tutorials](#tutorials)
 - [Sponsors](#sponsors)
 - [Development](#development)
 - [Contributing](#contributing)
@@ -56,7 +55,7 @@ https://github.com/doorkeeper-gem/doorkeeper/releases.
 Additionally, other resources can be found on:
 
 - [Guides](https://doorkeeper.gitbook.io/guides/) with how-to get started and configuration documentation
-- See the [Wiki](https://github.com/doorkeeper-gem/doorkeeper/wiki) with articles and other documentation
+- See the [Wiki](https://github.com/doorkeeper-gem/doorkeeper/wiki) for articles on how to integrate with other solutions
 - Screencast from [railscasts.com](http://railscasts.com/): [#353
 OAuth with
 Doorkeeper](http://railscasts.com/episodes/353-oauth-with-doorkeeper)
@@ -124,10 +123,6 @@ examples](https://github.com/doorkeeper-gem/doorkeeper/wiki/Example-Applications
 in our wiki or follow this [tutorial
 here](https://github.com/doorkeeper-gem/doorkeeper/wiki/Testing-your-provider-with-OAuth2-gem).
 
-## Tutorials
-
-See [list of tutorials](https://github.com/doorkeeper-gem/doorkeeper/wiki#how-tos--tutorials) in order to learn how to use the gem or integrate it with other solutions / gems.
-
 ## Sponsors
 
 [![OpenCollective](https://opencollective.com/doorkeeper-gem/backers/badge.svg)](#backers) 

data/app/controllers/doorkeeper/authorizations_controller.rb

@@ -31,7 +31,7 @@ module Doorkeeper
     private
 
     def render_success
-      if skip_authorization? || (matching_token? && pre_auth.client.application.confidential?)
+      if skip_authorization? || can_authorize_response?
         redirect_or_render(authorize_response)
       elsif Doorkeeper.configuration.api_only
         render json: pre_auth
@@ -41,18 +41,27 @@ module Doorkeeper
     end
 
     def render_error
-      if Doorkeeper.configuration.api_only
-        render json: pre_auth.error_response.body,
-               status: :bad_request
+      pre_auth.error_response.raise_exception! if Doorkeeper.config.raise_on_errors?
+
+      if Doorkeeper.configuration.redirect_on_errors? && pre_auth.error_response.redirectable?
+        redirect_or_render(pre_auth.error_response)
+      elsif Doorkeeper.configuration.api_only
+        render json: pre_auth.error_response.body, status: pre_auth.error_response.status
       else
-        render :error, locals: { error_response: pre_auth.error_response }
+        render :error, locals: { error_response: pre_auth.error_response }, status: pre_auth.error_response.status
       end
     end
 
+    def can_authorize_response?
+      Doorkeeper.config.custom_access_token_attributes.empty? && pre_auth.client.application.confidential? && matching_token?
+    end
+
     # Active access token issued for the same client and resource owner with
     # the same set of the scopes exists?
     def matching_token?
-      Doorkeeper.config.access_token_model.matching_token_for(
+      # We don't match tokens on the custom attributes here - we're in the pre-auth here,
+      # so they haven't been supplied yet (there are no custom attributes to match on yet)
+      @matching_token ||= Doorkeeper.config.access_token_model.matching_token_for(
         pre_auth.client,
         current_resource_owner,
         pre_auth.scopes,
@@ -74,7 +83,7 @@ module Doorkeeper
             )
           end
         elsif pre_auth.form_post_response?
-          render :form_post
+          render :form_post, locals: { auth: auth }
         else
           redirect_to auth.redirect_uri, allow_other_host: true
         end

data/app/views/doorkeeper/authorizations/error.html.erb

@@ -4,6 +4,6 @@
 
 <main role="main">
   <pre>
-    <%= (respond_to?(:error_response) ? error_response : @pre_auth.error_response).body[:error_description] %>
+    <%= (local_assigns[:error_response] ? error_response : @pre_auth.error_response).body[:error_description] %>
   </pre>
 </main>

data/app/views/doorkeeper/authorizations/form_post.html.erb

@@ -3,7 +3,7 @@
 </header>
 
 <%= form_tag @pre_auth.redirect_uri, method: :post, name: :redirect_form, authenticity_token: false do %>
-  <% @authorize_response.body.compact.each do |key, value| %>
+  <% auth.body.compact.each do |key, value| %>
     <%= hidden_field_tag key, value %>
   <% end %>
 <% end %>

data/lib/doorkeeper/config.rb

@@ -106,6 +106,19 @@ module Doorkeeper
         @config.instance_variable_set(:@revoke_previous_client_credentials_token, true)
       end
 
+      # Only allow one valid access token obtained via authorization code
+      # per client. If a new access token is obtained before the old one
+      # expired, the old one gets revoked (disabled by default)
+      def revoke_previous_authorization_code_token
+        @config.instance_variable_set(:@revoke_previous_authorization_code_token, true)
+      end
+
+      # Require non-confidential apps to use PKCE (send a code_verifier) when requesting
+      # an access_token using an authorization code (disabled by default)
+      def force_pkce
+        @config.instance_variable_set(:@force_pkce, true)
+      end
+
       # Use an API mode for applications generated with --api argument
       # It will skip applications controller, disable forgery protection
       def api_only
@@ -481,6 +494,14 @@ module Doorkeeper
       option_set? :revoke_previous_client_credentials_token
     end
 
+    def revoke_previous_authorization_code_token?
+      option_set? :revoke_previous_authorization_code_token
+    end
+
+    def force_pkce?
+      option_set? :force_pkce
+    end
+
     def enforce_configured_scopes?
       option_set? :enforce_configured_scopes
     end
@@ -501,6 +522,10 @@ module Doorkeeper
       handle_auth_errors == :raise
     end
 
+    def redirect_on_errors?
+      handle_auth_errors == :redirect
+    end
+
     def application_secret_hashed?
       instance_variable_defined?(:"@application_secret_strategy")
     end

data/lib/doorkeeper/errors.rb

@@ -39,13 +39,32 @@ module Doorkeeper
       def initialize(response)
         @response = response
       end
+
+      def self.name_for_response
+        self.name.demodulize.underscore.to_sym
+      end
     end
 
     UnableToGenerateToken = Class.new(DoorkeeperError)
     TokenGeneratorNotFound = Class.new(DoorkeeperError)
     NoOrmCleaner = Class.new(DoorkeeperError)
 
+    InvalidRequest = Class.new(BaseResponseError)
     InvalidToken = Class.new(BaseResponseError)
+    InvalidClient = Class.new(BaseResponseError)
+    InvalidScope = Class.new(BaseResponseError)
+    InvalidRedirectUri = Class.new(BaseResponseError)
+    InvalidCodeChallenge = Class.new(BaseResponseError)
+    InvalidCodeChallengeMethod = Class.new(BaseResponseError)
+    InvalidGrant = Class.new(BaseResponseError)
+
+    UnauthorizedClient = Class.new(BaseResponseError)
+    UnsupportedResponseType = Class.new(BaseResponseError)
+    UnsupportedResponseMode = Class.new(BaseResponseError)
+
+    AccessDenied = Class.new(BaseResponseError)
+    ServerError = Class.new(BaseResponseError)
+
     TokenExpired = Class.new(InvalidToken)
     TokenRevoked = Class.new(InvalidToken)
     TokenUnknown = Class.new(InvalidToken)

data/lib/doorkeeper/models/access_token_mixin.rb

@@ -83,14 +83,18 @@ module Doorkeeper
       #   Resource Owner model instance or it's ID
       # @param scopes [String, Doorkeeper::OAuth::Scopes]
       #   set of scopes
+      # @param custom_attributes [Nilable Hash]
+      #   A nil value, or hash with keys corresponding to the custom attributes
+      #   configured with the `custom_access_token_attributes` config option.
+      #   A nil value will ignore custom attributes.
       #
       # @return [Doorkeeper::AccessToken, nil] Access Token instance or
       #   nil if matching record was not found
       #
-      def matching_token_for(application, resource_owner, scopes, include_expired: true)
+      def matching_token_for(application, resource_owner, scopes, custom_attributes: nil, include_expired: true)
         tokens = authorized_tokens_for(application&.id, resource_owner)
         tokens = tokens.not_expired unless include_expired
-        find_matching_token(tokens, application, scopes)
+        find_matching_token(tokens, application, custom_attributes, scopes)
       end
 
       # Interface to enumerate access token records in batches in order not
@@ -114,11 +118,15 @@ module Doorkeeper
       #   Application instance
       # @param scopes [String, Doorkeeper::OAuth::Scopes]
       #   set of scopes
+      # @param custom_attributes [Nilable Hash]
+      #   A nil value, or hash with keys corresponding to the custom attributes
+      #   configured with the `custom_access_token_attributes` config option.
+      #   A nil value will ignore custom attributes.
       #
       # @return [Doorkeeper::AccessToken, nil] Access Token instance or
       #   nil if matching record was not found
       #
-      def find_matching_token(relation, application, scopes)
+      def find_matching_token(relation, application, custom_attributes, scopes)
         return nil unless relation
 
         matching_tokens = []
@@ -126,7 +134,8 @@ module Doorkeeper
 
         find_access_token_in_batches(relation, batch_size: batch_size) do |batch|
           tokens = batch.select do |token|
-            scopes_match?(token.scopes, scopes, application&.scopes)
+            scopes_match?(token.scopes, scopes, application&.scopes) &&
+              custom_attributes_match?(token, custom_attributes)
           end
 
           matching_tokens.concat(tokens)
@@ -160,6 +169,31 @@ module Doorkeeper
           )
       end
 
+      # Checks whether the token custom attribute values match the custom
+      # attributes from the parameters.
+      #
+      # @param token [Doorkeeper::AccessToken]
+      #   The access token whose custom attributes are being compared
+      #   to the custom_attributes.
+      #
+      # @param custom_attributes [Hash]
+      #   A hash of the attributes for which we want to determine whether
+      #   the token's custom attributes match.
+      #
+      # @return [Boolean] true if the token's custom attribute values
+      #   match those in the custom_attributes, or if both are empty/blank.
+      #   False otherwise.
+      def custom_attributes_match?(token, custom_attributes)
+        return true if custom_attributes.nil?
+
+        token_attribs = token.custom_attributes
+        return true if token_attribs.blank? && custom_attributes.blank?
+
+        Doorkeeper.config.custom_access_token_attributes.all? do |attribute|
+          token_attribs[attribute] == custom_attributes[attribute]
+        end
+      end
+
       # Looking for not expired AccessToken record with a matching set of
       # scopes that belongs to specific Application and Resource Owner.
       # If it doesn't exists - then creates it.
@@ -181,7 +215,9 @@ module Doorkeeper
       #
       def find_or_create_for(application:, resource_owner:, scopes:, **token_attributes)
         if Doorkeeper.config.reuse_access_token
-          access_token = matching_token_for(application, resource_owner, scopes, include_expired: false)
+          custom_attributes = extract_custom_attributes(token_attributes).presence
+          access_token = matching_token_for(
+            application, resource_owner, scopes, custom_attributes: custom_attributes, include_expired: false)
 
           return access_token if access_token&.reusable?
         end
@@ -276,6 +312,18 @@ module Doorkeeper
       def fallback_secret_strategy
         ::Doorkeeper.config.token_secret_fallback_strategy
       end
+
+      # Extracts the token's custom attributes (defined by the
+      # custom_access_token_attributes config option) from the token's attributes.
+      #
+      # @param attributes [Hash]
+      #   A hash of the access token's attributes.
+      # @return [Hash]
+      #   A hash containing only the custom access token attributes.
+      def extract_custom_attributes(attributes)
+        attributes.with_indifferent_access.slice(
+          *Doorkeeper.configuration.custom_access_token_attributes)
+      end
     end
 
     # Access Token type: Bearer.
@@ -308,6 +356,14 @@ module Doorkeeper
       end
     end
 
+    # The token's custom attributes, as defined by
+    # the custom_access_token_attributes config option.
+    #
+    # @return [Hash] hash of custom access token attributes.
+    def custom_attributes
+      self.class.extract_custom_attributes(attributes)
+    end
+
     # Indicates whether the token instance have the same credential
     # as the other Access Token.
     #
@@ -435,6 +491,10 @@ module Doorkeeper
         if Doorkeeper.config.polymorphic_resource_owner?
           attributes[:resource_owner] = resource_owner
         end
+
+        Doorkeeper.config.custom_access_token_attributes.each do |attribute_name|
+          attributes[attribute_name] = public_send(attribute_name)
+        end
       end
     end
 

data/lib/doorkeeper/oauth/authorization_code_request.rb

@@ -3,12 +3,12 @@
 module Doorkeeper
   module OAuth
     class AuthorizationCodeRequest < BaseRequest
-      validate :params,       error: :invalid_request
-      validate :client,       error: :invalid_client
-      validate :grant,        error: :invalid_grant
+      validate :params,       error: Errors::InvalidRequest
+      validate :client,       error: Errors::InvalidClient
+      validate :grant,        error: Errors::InvalidGrant
       # @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
-      validate :redirect_uri, error: :invalid_grant
-      validate :code_verifier, error: :invalid_grant
+      validate :redirect_uri, error: Errors::InvalidGrant
+      validate :code_verifier, error: Errors::InvalidGrant
 
       attr_reader :grant, :client, :redirect_uri, :access_token, :code_verifier,
                   :invalid_request_reason, :missing_param
@@ -29,10 +29,14 @@ module Doorkeeper
           grant.lock!
           raise Errors::InvalidGrantReuse if grant.revoked?
 
+          if Doorkeeper.config.revoke_previous_authorization_code_token?
+            revoke_previous_tokens(grant.application, resource_owner)
+          end
+
           grant.revoke
 
           find_or_create_access_token(
-            grant.application,
+            client,
             resource_owner,
             grant.scopes,
             custom_token_attributes_with_data,
@@ -55,10 +59,16 @@ module Doorkeeper
         Doorkeeper.config.access_grant_model.pkce_supported?
       end
 
+      def confidential?
+        client&.confidential
+      end
+
       def validate_params
         @missing_param =
           if grant&.uses_pkce? && code_verifier.blank?
             :code_verifier
+          elsif !confidential? && Doorkeeper.config.force_pkce? && code_verifier.blank?
+            :code_verifier
           elsif redirect_uri.blank?
             :redirect_uri
           end
@@ -109,6 +119,10 @@ module Doorkeeper
           .slice(*Doorkeeper.config.custom_access_token_attributes)
           .symbolize_keys
       end
+
+      def revoke_previous_tokens(application, resource_owner)
+        Doorkeeper.config.access_token_model.revoke_all_for(application.id, resource_owner)
+      end
     end
   end
 end

data/lib/doorkeeper/oauth/base_request.rb

@@ -15,7 +15,7 @@ module Doorkeeper
           @response = TokenResponse.new(access_token)
           after_successful_response
           @response
-        elsif error == :invalid_request
+        elsif error == Errors::InvalidRequest
           @response = InvalidRequestResponse.from_request(self)
         else
           @response = ErrorResponse.from_request(self)

data/lib/doorkeeper/oauth/client.rb

@@ -5,7 +5,7 @@ module Doorkeeper
     class Client
       attr_reader :application
 
-      delegate :id, :name, :uid, :redirect_uri, :scopes, to: :@application
+      delegate :id, :name, :uid, :redirect_uri, :scopes, :confidential, to: :@application
 
       def initialize(application)
         @application = application

data/lib/doorkeeper/oauth/client_credentials/creator.rb

@@ -8,7 +8,7 @@ module Doorkeeper
           existing_token = nil
 
           if lookup_existing_token?
-            existing_token = find_active_existing_token_for(client, scopes)
+            existing_token = find_active_existing_token_for(client, scopes, attributes)
             return existing_token if Doorkeeper.config.reuse_access_token && existing_token&.reusable?
           end
 
@@ -44,8 +44,11 @@ module Doorkeeper
             Doorkeeper.config.revoke_previous_client_credentials_token?
         end
 
-        def find_active_existing_token_for(client, scopes)
-          Doorkeeper.config.access_token_model.matching_token_for(client, nil, scopes, include_expired: false)
+        def find_active_existing_token_for(client, scopes, attributes)
+          custom_attributes = Doorkeeper.config.access_token_model.
+            extract_custom_attributes(attributes).presence
+          Doorkeeper.config.access_token_model.matching_token_for(
+            client, nil, scopes, custom_attributes: custom_attributes, include_expired: false)
         end
       end
     end

data/lib/doorkeeper/oauth/client_credentials/issuer.rb

@@ -11,10 +11,10 @@ module Doorkeeper
           @validator = validator
         end
 
-        def create(client, scopes, creator = Creator.new)
+        def create(client, scopes, attributes = {}, creator = Creator.new)
           if validator.valid?
-            @token = create_token(client, scopes, creator)
-            @error = :server_error unless @token
+            @token = create_token(client, scopes, attributes, creator)
+            @error = Errors::ServerError unless @token
           else
             @token = false
             @error = validator.error
@@ -25,7 +25,7 @@ module Doorkeeper
 
         private
 
-        def create_token(client, scopes, creator)
+        def create_token(client, scopes, attributes, creator)
           context = Authorization::Token.build_context(
             client,
             Doorkeeper::OAuth::CLIENT_CREDENTIALS,
@@ -39,6 +39,7 @@ module Doorkeeper
             scopes,
             use_refresh_token: false,
             expires_in: ttl,
+            **attributes
           )
         end
       end

data/lib/doorkeeper/oauth/client_credentials/validator.rb

@@ -7,9 +7,9 @@ module Doorkeeper
         include Validations
         include OAuth::Helpers
 
-        validate :client, error: :invalid_client
-        validate :client_supports_grant_flow, error: :unauthorized_client
-        validate :scopes, error: :invalid_scope
+        validate :client, error: Errors::InvalidClient
+        validate :client_supports_grant_flow, error: Errors::UnauthorizedClient
+        validate :scopes, error: Errors::InvalidScope
 
         def initialize(server, request)
           @server = server

data/lib/doorkeeper/oauth/client_credentials_request.rb

@@ -3,7 +3,7 @@
 module Doorkeeper
   module OAuth
     class ClientCredentialsRequest < BaseRequest
-      attr_reader :client, :original_scopes, :response
+      attr_reader :client, :original_scopes, :parameters, :response
 
       alias error_response response
 
@@ -14,6 +14,7 @@ module Doorkeeper
         @server = server
         @response = nil
         @original_scopes = parameters[:scope]
+        @parameters = parameters.except(:scope)
       end
 
       def access_token
@@ -30,7 +31,14 @@ module Doorkeeper
       private
 
       def valid?
-        issuer.create(client, scopes)
+        issuer.create(client, scopes, custom_token_attributes_with_data)
+      end
+
+      def custom_token_attributes_with_data
+        parameters
+          .with_indifferent_access
+          .slice(*Doorkeeper.config.custom_access_token_attributes)
+          .symbolize_keys
       end
     end
   end

data/lib/doorkeeper/oauth/code_request.rb

@@ -17,7 +17,7 @@ module Doorkeeper
       end
 
       def deny
-        pre_auth.error = :access_denied
+        pre_auth.error = Errors::AccessDenied
         pre_auth.error_response
       end
     end

data/lib/doorkeeper/oauth/error_response.rb

@@ -10,17 +10,31 @@ module Doorkeeper
       def self.from_request(request, attributes = {})
         new(
           attributes.merge(
-            name: request.error,
+            name: error_name_for(request.error),
+            exception_class: exception_class_for(request.error),
             state: request.try(:state),
             redirect_uri: request.try(:redirect_uri),
           ),
         )
       end
 
+      def self.error_name_for(error)
+        error.respond_to?(:name_for_response) ? error.name_for_response : error
+      end
+
+      def self.exception_class_for(error)
+        return error if error.respond_to?(:name_for_response)
+
+        "Doorkeeper::Errors::#{error.to_s.classify}".safe_constantize
+      end
+
+      private_class_method :error_name_for, :exception_class_for
+
       delegate :name, :description, :state, to: :@error
 
       def initialize(attributes = {})
         @error = OAuth::Error.new(*attributes.values_at(:name, :state))
+        @exception_class = attributes[:exception_class]
         @redirect_uri = attributes[:redirect_uri]
         @response_on_fragment = attributes[:response_on_fragment]
       end
@@ -72,6 +86,7 @@ module Doorkeeper
       end
 
       def exception_class
+        return @exception_class if @exception_class
         raise NotImplementedError, "error response must define #exception_class"
       end
 

data/lib/doorkeeper/oauth/helpers/uri_checker.rb

@@ -40,7 +40,7 @@ module Doorkeeper
 
         def self.loopback_uri?(uri)
           IPAddr.new(uri.host).loopback?
-        rescue IPAddr::Error
+        rescue IPAddr::Error, IPAddr::InvalidAddressError
           false
         end
 

data/lib/doorkeeper/oauth/invalid_request_response.rb

@@ -35,6 +35,10 @@ module Doorkeeper
         )
       end
 
+      def exception_class
+        Doorkeeper::Errors::InvalidRequest
+      end
+
       def redirectable?
         super && @missing_param != :client_id
       end

data/lib/doorkeeper/oauth/password_access_token_request.rb

@@ -5,10 +5,10 @@ module Doorkeeper
     class PasswordAccessTokenRequest < BaseRequest
       include OAuth::Helpers
 
-      validate :client, error: :invalid_client
-      validate :client_supports_grant_flow, error: :unauthorized_client
-      validate :resource_owner, error: :invalid_grant
-      validate :scopes, error: :invalid_scope
+      validate :client, error: Errors::InvalidClient
+      validate :client_supports_grant_flow, error: Errors::UnauthorizedClient
+      validate :resource_owner, error: Errors::InvalidGrant
+      validate :scopes, error: Errors::InvalidScope
 
       attr_reader :client, :credentials, :resource_owner, :parameters, :access_token
 

data/lib/doorkeeper/oauth/pre_authorization.rb

@@ -5,16 +5,17 @@ module Doorkeeper
     class PreAuthorization
       include Validations
 
-      validate :client_id, error: :invalid_request
-      validate :client, error: :invalid_client
-      validate :client_supports_grant_flow, error: :unauthorized_client
-      validate :resource_owner_authorize_for_client, error: :invalid_client
-      validate :redirect_uri, error: :invalid_redirect_uri
-      validate :params, error: :invalid_request
-      validate :response_type, error: :unsupported_response_type
-      validate :response_mode, error: :unsupported_response_mode
-      validate :scopes, error: :invalid_scope
-      validate :code_challenge_method, error: :invalid_code_challenge_method
+      validate :client_id, error: Errors::InvalidRequest
+      validate :client, error: Errors::InvalidClient
+      validate :client_supports_grant_flow, error: Errors::UnauthorizedClient
+      validate :resource_owner_authorize_for_client, error: Errors::InvalidClient
+      validate :redirect_uri, error: Errors::InvalidRedirectUri
+      validate :params, error: Errors::InvalidRequest
+      validate :response_type, error: Errors::UnsupportedResponseType
+      validate :response_mode, error: Errors::UnsupportedResponseMode
+      validate :scopes, error: Errors::InvalidScope
+      validate :code_challenge, error: Errors::InvalidCodeChallenge
+      validate :code_challenge_method, error: Errors::InvalidCodeChallengeMethod
 
       attr_reader :client, :code_challenge, :code_challenge_method, :missing_param,
                   :redirect_uri, :resource_owner, :response_type, :state,
@@ -31,7 +32,7 @@ module Doorkeeper
         @code_challenge = parameters[:code_challenge]
         @code_challenge_method = parameters[:code_challenge_method]
         @resource_owner = resource_owner
-        @custom_access_token_attributes = parameters.slice(*Doorkeeper.config.custom_access_token_attributes)
+        @custom_access_token_attributes = parameters.slice(*Doorkeeper.config.custom_access_token_attributes).to_h
       end
 
       def authorizable?
@@ -47,7 +48,7 @@ module Doorkeeper
       end
 
       def error_response
-        if error == :invalid_request
+        if error == Errors::InvalidRequest
           OAuth::InvalidRequestResponse.from_request(
             self,
             response_on_fragment: response_on_fragment?,
@@ -143,6 +144,12 @@ module Doorkeeper
         )
       end
 
+      def validate_code_challenge
+        return true unless Doorkeeper.config.force_pkce?
+        return true if client.confidential
+        code_challenge.present?
+      end
+
       def validate_code_challenge_method
         return true unless Doorkeeper.config.access_grant_model.pkce_supported?
 

data/lib/doorkeeper/oauth/refresh_token_request.rb

@@ -5,11 +5,11 @@ module Doorkeeper
     class RefreshTokenRequest < BaseRequest
       include OAuth::Helpers
 
-      validate :token_presence, error: :invalid_request
-      validate :token,        error: :invalid_grant
-      validate :client,       error: :invalid_client
-      validate :client_match, error: :invalid_grant
-      validate :scope,        error: :invalid_scope
+      validate :token_presence, error: Errors::InvalidRequest
+      validate :token,        error: Errors::InvalidGrant
+      validate :client,       error: Errors::InvalidClient
+      validate :client_match, error: Errors::InvalidGrant
+      validate :scope,        error: Errors::InvalidScope
 
       attr_reader :access_token, :client, :credentials, :refresh_token
       attr_reader :missing_param

data/lib/doorkeeper/oauth/token_introspection.rb

@@ -6,6 +6,8 @@ module Doorkeeper
     #
     # @see https://datatracker.ietf.org/doc/html/rfc7662
     class TokenIntrospection
+      attr_reader :error
+
       def initialize(server, token)
         @server = server
         @token = token
@@ -20,12 +22,12 @@ module Doorkeeper
       def error_response
         return if @error.blank?
 
-        if @error == :invalid_token
+        if @error == Errors::InvalidToken
           OAuth::InvalidTokenResponse.from_access_token(authorized_token)
-        elsif @error == :invalid_request
+        elsif @error == Errors::InvalidRequest
           OAuth::InvalidRequestResponse.from_request(self)
         else
-          OAuth::ErrorResponse.new(name: @error)
+          OAuth::ErrorResponse.from_request(self)
         end
       end
 
@@ -36,7 +38,7 @@ module Doorkeeper
       private
 
       attr_reader :server, :token
-      attr_reader :error, :invalid_request_reason
+      attr_reader :invalid_request_reason
 
       # If the protected resource uses OAuth 2.0 client credentials to
       # authenticate to the introspection endpoint and its credentials are
@@ -58,7 +60,7 @@ module Doorkeeper
       def authorize!
         # Requested client authorization
         if server.credentials
-          @error = :invalid_client unless authorized_client
+          @error = Errors::InvalidClient unless authorized_client
         elsif authorized_token
           # Requested bearer token authorization
           #
@@ -69,9 +71,9 @@ module Doorkeeper
           #  HTTP 401 code as described in Section 3 of OAuth 2.0 Bearer Token
           #  Usage [RFC6750].
           #
-          @error = :invalid_token unless valid_authorized_token?
+          @error = Errors::InvalidToken unless valid_authorized_token?
         else
-          @error = :invalid_request
+          @error = Errors::InvalidRequest
           @invalid_request_reason = :request_not_authorized
         end
       end

data/lib/doorkeeper/oauth/token_request.rb

@@ -17,7 +17,7 @@ module Doorkeeper
       end
 
       def deny
-        pre_auth.error = :access_denied
+        pre_auth.error = Errors::AccessDenied
         pre_auth.error_response
       end
     end

data/lib/doorkeeper/oauth/token_response.rb

@@ -5,12 +5,14 @@ module Doorkeeper
     class TokenResponse
       attr_reader :token
 
+      alias issued_token token
+
       def initialize(token)
         @token = token
       end
 
       def body
-        {
+        @body ||= {
           "access_token" => token.plaintext_token,
           "token_type" => token.token_type,
           "expires_in" => token.expires_in_seconds,

data/lib/doorkeeper/orm/active_record/mixins/application.rb

@@ -22,7 +22,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
 
       validates :name, :secret, :uid, presence: true
       validates :uid, uniqueness: { case_sensitive: true }
-      validates :redirect_uri, "doorkeeper/redirect_uri": true
+      validates_with Doorkeeper::RedirectUriValidator, attributes: [:redirect_uri]
       validates :confidential, inclusion: { in: [true, false] }
 
       validate :scopes_match_configured, if: :enforce_scopes?

data/lib/doorkeeper/version.rb

@@ -4,8 +4,8 @@ module Doorkeeper
   module VERSION
     # Semantic versioning
     MAJOR = 5
-    MINOR = 6
-    TINY = 6
+    MINOR = 7
+    TINY = 1
     PRE = nil
 
     # Full version number

data/lib/generators/doorkeeper/templates/initializer.rb

@@ -32,7 +32,7 @@ Doorkeeper.configure do
   # You can use your own model classes if you need to extend (or even override) default
   # Doorkeeper models such as `Application`, `AccessToken` and `AccessGrant.
   #
-  # Be default Doorkeeper ActiveRecord ORM uses it's own classes:
+  # By default Doorkeeper ActiveRecord ORM uses its own classes:
   #
   # access_token_class "Doorkeeper::AccessToken"
   # access_grant_class "Doorkeeper::AccessGrant"
@@ -91,7 +91,10 @@ Doorkeeper.configure do
   # authorization_code_expires_in 10.minutes
 
   # Access token expiration time (default: 2 hours).
-  # If you want to disable expiration, set this to `nil`.
+  # If you set this to `nil` Doorkeeper will not expire the token and omit expires_in in response.
+  # It is RECOMMENDED to set expiration time explicitly.
+  # Prefer access_token_expires_in 100.years or similar,
+  # which would be functionally equivalent and avoid the risk of unexpected behavior by callers.
   #
   # access_token_expires_in 2.hours
 
@@ -164,6 +167,17 @@ Doorkeeper.configure do
   #
   # revoke_previous_client_credentials_token
 
+  # Only allow one valid access token obtained via authorization code
+  # per client. If a new access token is obtained before the old one
+  # expired, the old one gets revoked (disabled by default)
+  #
+  # revoke_previous_authorization_code_token
+
+  # Require non-confidential clients to use PKCE when using an authorization code
+  # to obtain an access_token (disabled by default)
+  #
+  # force_pkce
+
   # Hash access and refresh tokens before persisting them.
   # This will disable the possibility to use +reuse_access_token+
   # since plain values can no longer be retrieved.
@@ -312,6 +326,12 @@ Doorkeeper.configure do
   #   Doorkeeper::Errors::TokenRevoked, Doorkeeper::Errors::TokenUnknown
   #
   # handle_auth_errors :raise
+  #
+  # If you want to redirect back to the client application in accordance with
+  # https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1, you can set
+  # +handle_auth_errors+ to :redirect
+  #
+  # handle_auth_errors :redirect
 
   # Customize token introspection response.
   # Allows to add your own fields to default one that are required by the OAuth spec
@@ -385,7 +405,7 @@ Doorkeeper.configure do
   # true in case resource owner authorized for the specific application or false in other
   # cases.
   #
-  # Be default all Resource Owners are authorized to any Client (application).
+  # By default all Resource Owners are authorized to any Client (application).
   #
   # authorize_resource_owner_for_client do |client, resource_owner|
   #   resource_owner.admin? || client.owners_allowlist.include?(resource_owner)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper
 version: !ruby/object:Gem::Version
-  version: 5.6.6
+  version: 5.7.1
 platform: ruby
 authors:
 - Felipe Elias Philipp
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-03-29 00:00:00.000000000 Z
+date: 2024-06-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -103,14 +103,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.9.3
+        version: 0.10.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.9.3
+        version: 0.10.0
 - !ruby/object:Gem::Dependency
   name: grape
   requirement: !ruby/object:Gem::Requirement
@@ -346,7 +346,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.2.3
 signing_key: 
 specification_version: 4
 summary: OAuth 2 provider for Rails and Grape