doorkeeper 5.7.0 → 5.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: aeb5db3b840c0c214129e69fb029c1daf95974b033856ab550e9abd3b529b0c1
-  data.tar.gz: 6f948a7fa2b8a2796c56e94a762b1e256228c13f972bbd056d1b4e246bea5001
+  metadata.gz: f4907be020648eb5c1dbc6e596c31c72c4133740e849ee1345ff337a4ce01c56
+  data.tar.gz: 831e491b48efe921e43065d393c6a785a9988e6057f1ed3e1e4f2e8626555e65
 SHA512:
-  metadata.gz: 2da3aca020ed25ba334d5dfbcbffd1c46818eaa79bbc67e38bcf01dada8105c6683bfb5552dae1cdce34a68e5baafa0c9a9b49b5c980f78464925f2f7576b873
-  data.tar.gz: 865a9c03a28b309624e8058a251c92d002199f9072015efafafb622fad5878274042bee32aba169a0395fc1ba0558ca86c1bd7b32b9dc288c5136b69c6a68e69
+  metadata.gz: 2f97a8c5d6749cea33b31737988b26271d1ad03f4bd8f003b3674e8e81159a44e6a54f5611b868a06a9a074995bcc47165f222aadcd961746cc43776ee993c57
+  data.tar.gz: 3d2e13efa8bba0cedc4a63055d6ecb70f0af8d1dc0644047b4b1ecb3bc3bf5affd2a0a20d46989a4999b4361573c39ae72f516398c67ffe708512f0fd6e23011

data/CHANGELOG.md

@@ -9,6 +9,20 @@ User-visible changes worth mentioning.
 
 Add your entry here.
 
+## 5.8.0
+
+- [#1739] Add support for dynamic scopes
+- [#1715] Fix token introspection invalid request reason
+- [#1714] Fix `Doorkeeper::AccessToken.find_or_create_for` with empty scopes which raises NoMethodError
+- [#1712] Add `Pragma: no-cache` to token response
+- [#1726] Refactor token introspection class.
+- [#1727] Allow to set null secret value for Applications if they are public.
+- [#1735] Add `pkce_code_challenge_methods` config option. 
+
+## 5.7.1
+
+- [#1705] Add `force_pkce` option that requires non-confidential clients to use PKCE when requesting an access_token using an authorization code
+
 ## 5.7.0
 
 - [#1696] Add missing `#issued_token` method to `OAuth::TokenResponse`

data/lib/doorkeeper/config/validations.rb

@@ -11,6 +11,7 @@ module Doorkeeper
         validate_reuse_access_token_value
         validate_token_reuse_limit
         validate_secret_strategies
+        validate_pkce_code_challenge_methods
       end
 
       private
@@ -48,6 +49,17 @@ module Doorkeeper
         )
         @token_reuse_limit = 100
       end
+
+      def validate_pkce_code_challenge_methods
+        return if pkce_code_challenge_methods.all? {|method| method =~ /^plain$|^S256$/ }
+
+        ::Rails.logger.warn(
+          "[DOORKEEPER] You have configured an invalid value for pkce_code_challenge_methods option. " \
+          "It will be set to default ['plain', 'S256']",
+        )
+
+        @pkce_code_challenge_methods = ['plain', 'S256']
+      end
     end
   end
 end

data/lib/doorkeeper/config.rb

@@ -31,6 +31,16 @@ module Doorkeeper
         @config.instance_variable_set(:@confirm_application_owner, true)
       end
 
+      # Provide support for dynamic scopes (e.g. user:*) (disabled by default)
+      # Optional parameter delimiter (default ":") if you want to customize
+      # the delimiter separating the scope name and matching value.
+      #
+      # @param opts [Hash] the options to configure dynamic scopes
+      def enable_dynamic_scopes(opts = {})
+        @config.instance_variable_set(:@enable_dynamic_scopes, true)
+        @config.instance_variable_set(:@dynamic_scopes_delimiter, opts[:delimiter] || ':')
+      end
+
       # Define default access token scopes for your provider
       #
       # @param scopes [Array] Default set of access (OAuth::Scopes.new)
@@ -113,6 +123,12 @@ module Doorkeeper
         @config.instance_variable_set(:@revoke_previous_authorization_code_token, true)
       end
 
+      # Require non-confidential apps to use PKCE (send a code_verifier) when requesting
+      # an access_token using an authorization code (disabled by default)
+      def force_pkce
+        @config.instance_variable_set(:@force_pkce, true)
+      end
+
       # Use an API mode for applications generated with --api argument
       # It will skip applications controller, disable forgery protection
       def api_only
@@ -237,6 +253,7 @@ module Doorkeeper
     option :orm,                            default: :active_record
     option :native_redirect_uri,            default: "urn:ietf:wg:oauth:2.0:oob", deprecated: true
     option :grant_flows,                    default: %w[authorization_code client_credentials]
+    option :pkce_code_challenge_methods,    default: %w[plain S256]
     option :handle_auth_errors,             default: :render
     option :token_lookup_batch_size,        default: 10_000
     # Sets the token_reuse_limit
@@ -412,7 +429,7 @@ module Doorkeeper
            default: (lambda do |token, authorized_client, authorized_token|
              if authorized_token
                authorized_token.application == token&.application
-             elsif token.application
+             elsif token&.application
                authorized_client == token.application
              else
                true
@@ -492,6 +509,10 @@ module Doorkeeper
       option_set? :revoke_previous_authorization_code_token
     end
 
+    def force_pkce?
+      option_set? :force_pkce
+    end
+
     def enforce_configured_scopes?
       option_set? :enforce_configured_scopes
     end
@@ -500,6 +521,14 @@ module Doorkeeper
       option_set? :enable_application_owner
     end
 
+    def enable_dynamic_scopes?
+      option_set? :enable_dynamic_scopes
+    end
+
+    def dynamic_scopes_delimiter
+      @dynamic_scopes_delimiter
+    end
+
     def polymorphic_resource_owner?
       option_set? :polymorphic_resource_owner
     end
@@ -544,6 +573,12 @@ module Doorkeeper
       @scopes_by_grant_type ||= {}
     end
 
+    def pkce_code_challenge_methods_supported
+      return [] unless access_grant_model.pkce_supported?
+      
+      pkce_code_challenge_methods
+    end
+
     def client_credentials_methods
       @client_credentials_methods ||= %i[from_basic from_params]
     end

data/lib/doorkeeper/errors.rb

@@ -54,6 +54,7 @@ module Doorkeeper
     InvalidClient = Class.new(BaseResponseError)
     InvalidScope = Class.new(BaseResponseError)
     InvalidRedirectUri = Class.new(BaseResponseError)
+    InvalidCodeChallenge = Class.new(BaseResponseError)
     InvalidCodeChallengeMethod = Class.new(BaseResponseError)
     InvalidGrant = Class.new(BaseResponseError)
 

data/lib/doorkeeper/models/access_token_mixin.rb

@@ -214,6 +214,8 @@ module Doorkeeper
       # @return [Doorkeeper::AccessToken] existing record or a new one
       #
       def find_or_create_for(application:, resource_owner:, scopes:, **token_attributes)
+        scopes = Doorkeeper::OAuth::Scopes.from_string(scopes) if scopes.is_a?(String)
+
         if Doorkeeper.config.reuse_access_token
           custom_attributes = extract_custom_attributes(token_attributes).presence
           access_token = matching_token_for(

data/lib/doorkeeper/oauth/authorization_code_request.rb

@@ -59,10 +59,16 @@ module Doorkeeper
         Doorkeeper.config.access_grant_model.pkce_supported?
       end
 
+      def confidential?
+        client&.confidential
+      end
+
       def validate_params
         @missing_param =
           if grant&.uses_pkce? && code_verifier.blank?
             :code_verifier
+          elsif !confidential? && Doorkeeper.config.force_pkce? && code_verifier.blank?
+            :code_verifier
           elsif redirect_uri.blank?
             :redirect_uri
           end

data/lib/doorkeeper/oauth/client.rb

@@ -5,7 +5,7 @@ module Doorkeeper
     class Client
       attr_reader :application
 
-      delegate :id, :name, :uid, :redirect_uri, :scopes, to: :@application
+      delegate :id, :name, :uid, :redirect_uri, :scopes, :confidential, to: :@application
 
       def initialize(application)
         @application = application

data/lib/doorkeeper/oauth/pre_authorization.rb

@@ -14,6 +14,7 @@ module Doorkeeper
       validate :response_type, error: Errors::UnsupportedResponseType
       validate :response_mode, error: Errors::UnsupportedResponseMode
       validate :scopes, error: Errors::InvalidScope
+      validate :code_challenge, error: Errors::InvalidCodeChallenge
       validate :code_challenge_method, error: Errors::InvalidCodeChallengeMethod
 
       attr_reader :client, :code_challenge, :code_challenge_method, :missing_param,
@@ -143,11 +144,17 @@ module Doorkeeper
         )
       end
 
+      def validate_code_challenge
+        return true unless Doorkeeper.config.force_pkce?
+        return true if client.confidential
+        code_challenge.present?
+      end
+
       def validate_code_challenge_method
         return true unless Doorkeeper.config.access_grant_model.pkce_supported?
 
         code_challenge.blank? ||
-          (code_challenge_method.present? && code_challenge_method =~ /^plain$|^S256$/)
+          (code_challenge_method.present? && Doorkeeper.config.pkce_code_challenge_methods_supported.include?(code_challenge_method))
       end
 
       def response_on_fragment?

data/lib/doorkeeper/oauth/scopes.rb

@@ -6,6 +6,8 @@ module Doorkeeper
       include Enumerable
       include Comparable
 
+      DYNAMIC_SCOPE_WILDCARD = "*"
+
       def self.from_string(string)
         string ||= ""
         new.tap do |scope|
@@ -26,7 +28,15 @@ module Doorkeeper
       end
 
       def exists?(scope)
-        @scopes.include? scope.to_s
+        scope = scope.to_s
+
+        @scopes.any? do |allowed_scope|
+          if dynamic_scopes_enabled? && dynamic_scopes_present?(allowed_scope, scope)
+            dynamic_scope_match?(allowed_scope, scope)
+          else
+            allowed_scope == scope
+          end
+        end
       end
 
       def add(*scopes)
@@ -66,6 +76,32 @@ module Doorkeeper
 
       private
 
+      def dynamic_scopes_enabled?
+        Doorkeeper.config.enable_dynamic_scopes?
+      end
+
+      def dynamic_scope_delimiter
+        return unless dynamic_scopes_enabled?
+
+        @dynamic_scope_delimiter ||= Doorkeeper.config.dynamic_scopes_delimiter
+      end
+
+      def dynamic_scopes_present?(allowed, requested)
+        allowed.include?(dynamic_scope_delimiter) && requested.include?(dynamic_scope_delimiter)
+      end
+
+      def dynamic_scope_match?(allowed, requested)
+        allowed_pattern = allowed.split(dynamic_scope_delimiter, 2)
+        request_pattern = requested.split(dynamic_scope_delimiter, 2)
+
+        return false if allowed_pattern[0] != request_pattern[0]
+        return false if allowed_pattern[1].blank?
+        return false if request_pattern[1].blank?
+        return true  if allowed_pattern[1] == DYNAMIC_SCOPE_WILDCARD && allowed_pattern[1].present?
+
+        allowed_pattern[1] == request_pattern[1]
+      end
+
       def to_array(other)
         case other
         when Scopes

data/lib/doorkeeper/oauth/token_introspection.rb

@@ -6,16 +6,15 @@ module Doorkeeper
     #
     # @see https://datatracker.ietf.org/doc/html/rfc7662
     class TokenIntrospection
-      attr_reader :error
+      attr_reader :token, :error, :invalid_request_reason
 
       def initialize(server, token)
         @server = server
         @token = token
-
-        authorize!
       end
 
       def authorized?
+        authorize!
         @error.blank?
       end
 
@@ -37,8 +36,7 @@ module Doorkeeper
 
       private
 
-      attr_reader :server, :token
-      attr_reader :invalid_request_reason
+      attr_reader :server
 
       # If the protected resource uses OAuth 2.0 client credentials to
       # authenticate to the introspection endpoint and its credentials are
@@ -60,24 +58,38 @@ module Doorkeeper
       def authorize!
         # Requested client authorization
         if server.credentials
-          @error = Errors::InvalidClient unless authorized_client
+          authorize_using_basic_auth!
         elsif authorized_token
-          # Requested bearer token authorization
-          #
-          #  If the protected resource uses an OAuth 2.0 bearer token to authorize
-          #  its call to the introspection endpoint and the token used for
-          #  authorization does not contain sufficient privileges or is otherwise
-          #  invalid for this request, the authorization server responds with an
-          #  HTTP 401 code as described in Section 3 of OAuth 2.0 Bearer Token
-          #  Usage [RFC6750].
-          #
-          @error = Errors::InvalidToken unless valid_authorized_token?
+          authorize_using_bearer_token!
         else
           @error = Errors::InvalidRequest
           @invalid_request_reason = :request_not_authorized
         end
       end
 
+      def authorize_using_basic_auth!
+        # Note that a properly formed and authorized query for an inactive or
+        # otherwise invalid token (or a token the protected resource is not
+        # allowed to know about) is not considered an error response by this
+        # specification. In these cases, the authorization server MUST instead
+        # respond with an introspection response with the "active" field set to
+        # "false" as described in Section 2.2.
+        @error = Errors::InvalidClient unless authorized_client
+      end
+
+      def authorize_using_bearer_token!
+        # Requested bearer token authorization
+        #
+        #  If the protected resource uses an OAuth 2.0 bearer token to authorize
+        #  its call to the introspection endpoint and the token used for
+        #  authorization does not contain sufficient privileges or is otherwise
+        #  invalid for this request, the authorization server responds with an
+        #  HTTP 401 code as described in Section 3 of OAuth 2.0 Bearer Token
+        #  Usage [RFC6750].
+        #
+        @error = Errors::InvalidToken unless valid_authorized_token?
+      end
+
       # Client Authentication
       def authorized_client
         @authorized_client ||= server.credentials && server.client

data/lib/doorkeeper/oauth/token_response.rb

@@ -30,6 +30,7 @@ module Doorkeeper
         {
           "Cache-Control" => "no-store, no-cache",
           "Content-Type" => "application/json; charset=utf-8",
+          "Pragma" => "no-cache",
         }
       end
     end

data/lib/doorkeeper/orm/active_record/mixins/application.rb

@@ -20,11 +20,13 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
                dependent: :delete_all,
                class_name: Doorkeeper.config.access_token_class.to_s
 
-      validates :name, :secret, :uid, presence: true
+      validates :name, :uid, presence: true
+      validates :secret, presence: true, if: -> { secret_required? }
       validates :uid, uniqueness: { case_sensitive: true }
-      validates_with Doorkeeper::RedirectUriValidator, attributes: [:redirect_uri]
       validates :confidential, inclusion: { in: [true, false] }
 
+      validates_with Doorkeeper::RedirectUriValidator, attributes: [:redirect_uri]
+
       validate :scopes_match_configured, if: :enforce_scopes?
 
       before_validation :generate_uid, :generate_secret, on: :create
@@ -118,7 +120,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
       end
 
       def generate_secret
-        return if secret.present?
+        return if secret.present? || !secret_required?
 
         renew_secret
       end
@@ -136,6 +138,11 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
         Doorkeeper.config.enforce_configured_scopes?
       end
 
+      def secret_required?
+        confidential? ||
+          !self.class.columns.detect { |column| column.name == "secret" }&.null
+      end
+
       # Helper method to extract collection of serializable attribute names
       # considering serialization options (like `only`, `except` and so on).
       #

data/lib/doorkeeper/version.rb

@@ -4,7 +4,7 @@ module Doorkeeper
   module VERSION
     # Semantic versioning
     MAJOR = 5
-    MINOR = 7
+    MINOR = 8
     TINY = 0
     PRE = nil
 

data/lib/generators/doorkeeper/remove_applications_secret_not_null_constraint_generator.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require "rails/generators"
+require "rails/generators/active_record"
+
+module Doorkeeper
+  # Generates migration with which drops NOT NULL constraint and allows not
+  # to bloat the database with redundant secret value.
+  #
+  class RemoveApplicationSecretNotNullConstraint < ::Rails::Generators::Base
+    include ::Rails::Generators::Migration
+    source_root File.expand_path("templates", __dir__)
+    desc "Removes NOT NULL constraint for OAuth2 applications."
+
+    def enable_polymorphic_resource_owner
+      migration_template(
+        "remove_applications_secret_not_null_constraint.rb.erb",
+        "db/migrate/remove_applications_secret_not_null_constraint.rb",
+        migration_version: migration_version,
+      )
+    end
+
+    def self.next_migration_number(dirname)
+      ActiveRecord::Generators::Base.next_migration_number(dirname)
+    end
+
+    private
+
+    def migration_version
+      "[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
+    end
+  end
+end

data/lib/generators/doorkeeper/templates/initializer.rb

@@ -173,6 +173,11 @@ Doorkeeper.configure do
   #
   # revoke_previous_authorization_code_token
 
+  # Require non-confidential clients to use PKCE when using an authorization code
+  # to obtain an access_token (disabled by default)
+  #
+  # force_pkce
+
   # Hash access and refresh tokens before persisting them.
   # This will disable the possibility to use +reuse_access_token+
   # since plain values can no longer be retrieved.

data/lib/generators/doorkeeper/templates/migration.rb.erb

@@ -5,6 +5,7 @@ class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
     create_table :oauth_applications do |t|
       t.string  :name,    null: false
       t.string  :uid,     null: false
+      # Remove `null: false` or use conditional constraint if you are planning to use public clients.
       t.string  :secret,  null: false
 
       # Remove `null: false` if you are planning to use grant flows

data/lib/generators/doorkeeper/templates/remove_applications_secret_not_null_constraint.rb.erb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class RemoveApplicationsSecretNotNullConstraint < ActiveRecord::Migration<%= migration_version %>
+  def change
+    change_column_null :oauth_applications, :secret, true
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper
 version: !ruby/object:Gem::Version
-  version: 5.7.0
+  version: 5.8.0
 platform: ruby
 authors:
 - Felipe Elias Philipp
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-04-24 00:00:00.000000000 Z
+date: 2024-10-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -305,6 +305,7 @@ files:
 - lib/generators/doorkeeper/migration_generator.rb
 - lib/generators/doorkeeper/pkce_generator.rb
 - lib/generators/doorkeeper/previous_refresh_token_generator.rb
+- lib/generators/doorkeeper/remove_applications_secret_not_null_constraint_generator.rb
 - lib/generators/doorkeeper/templates/README
 - lib/generators/doorkeeper/templates/add_confidential_to_applications.rb.erb
 - lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb
@@ -313,6 +314,7 @@ files:
 - lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb
 - lib/generators/doorkeeper/templates/initializer.rb
 - lib/generators/doorkeeper/templates/migration.rb.erb
+- lib/generators/doorkeeper/templates/remove_applications_secret_not_null_constraint.rb.erb
 - lib/generators/doorkeeper/views_generator.rb
 - vendor/assets/stylesheets/doorkeeper/bootstrap.min.css
 homepage: https://github.com/doorkeeper-gem/doorkeeper
@@ -346,7 +348,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
+rubygems_version: 3.5.15
 signing_key: 
 specification_version: 4
 summary: OAuth 2 provider for Rails and Grape