doorkeeper 5.7.1 → 5.8.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: df8ee24bf06e6b24c9ee822c24abf45ce0424b93ff05361dcdff76c930fa3c5a
-  data.tar.gz: 56e84b30480a60d02eea4b417f41c1cd6b322365bfce0e9fa31aad504def3807
+  metadata.gz: 8364fc5d75f9cbe96cc3ef67c8010dde471eb51ced0cf328f9ca84705553976f
+  data.tar.gz: db817023f41b070185ae9d6fae32b9d9b0eb0fc7abf8bdd99961c80e8bece1dd
 SHA512:
-  metadata.gz: d25945505890cb67e1e2db1e0a7eb8d49cd8bcccf05d2732883df6ace7269fe4bbe3de491a563ea3e254e1ac16e2daa407f665078cf243f7131a26db00b39842
-  data.tar.gz: 2269f220720be56f31928a1ab4180254058bc2b636994160db72030bc32f0a5db695e76b3186f6b0c24b8d77565bd4c49911d4f5a632b14c6bd57e213c278694
+  metadata.gz: 940f6253760d9117390495e97fa270aa0337a7379d2070d2be5ce2a44cf8148f451ffe7a3ba0451ab88d1cbb5bd4242f6d4a7de90204cf2749a57bdeaa4005ed
+  data.tar.gz: 728ea65c1e37f7f77183e5528c441cf7b9c8a4493428bbafbfe7815dec4b227d8bd033e05c4ee2dde50b9cc252cad7241b5d287d2df28e6631f9ccada5c7afc5

data/CHANGELOG.md

@@ -9,6 +9,23 @@ User-visible changes worth mentioning.
 
 Add your entry here.
 
+## 5.8.1
+
+- [#1752] Bump the range of supported Ruby and Rails versions
+- [#1747] Fix unknown pkce method error when configured
+- [#1744] Allow for expired refresh tokens to be revoked
+- [#1754] Fix refresh tokens with dynamic scopes
+
+## 5.8.0
+
+- [#1739] Add support for dynamic scopes
+- [#1715] Fix token introspection invalid request reason
+- [#1714] Fix `Doorkeeper::AccessToken.find_or_create_for` with empty scopes which raises NoMethodError
+- [#1712] Add `Pragma: no-cache` to token response
+- [#1726] Refactor token introspection class.
+- [#1727] Allow to set null secret value for Applications if they are public.
+- [#1735] Add `pkce_code_challenge_methods` config option. 
+
 ## 5.7.1
 
 - [#1705] Add `force_pkce` option that requires non-confidential clients to use PKCE when requesting an access_token using an authorization code

data/app/controllers/doorkeeper/tokens_controller.rb

@@ -113,19 +113,38 @@ module Doorkeeper
       # The authorization server responds with HTTP status code 200 if the token
       # has been revoked successfully or if the client submitted an invalid
       # token
-      token.revoke if token&.accessible?
+      revocable_token.revoke if revocable_token.revocable?
     end
 
     def token
-      @token ||=
+      revocable_token&.token
+    end
+
+    def revocable_token
+      return @revocable_token if defined? @revocable_token
+
+      @revocable_token =
         if params[:token_type_hint] == "refresh_token"
-          Doorkeeper.config.access_token_model.by_refresh_token(params["token"])
+          refresh_token
         else
-          Doorkeeper.config.access_token_model.by_token(params["token"]) ||
-            Doorkeeper.config.access_token_model.by_refresh_token(params["token"])
+          access_token || refresh_token
         end
     end
 
+    def refresh_token
+      token = Doorkeeper.config.access_token_model.by_refresh_token(params["token"])
+      return unless token
+
+      RevocableTokens::RevocableRefreshToken.new(token)
+    end
+
+    def access_token
+      token = Doorkeeper.config.access_token_model.by_token(params["token"])
+      return unless token
+
+      RevocableTokens::RevocableAccessToken.new(token)
+    end
+
     def strategy
       @strategy ||= server.token_request(params[:grant_type])
     end

data/config/locales/en.yml

@@ -100,7 +100,10 @@ en:
         unauthorized_client: 'The client is not authorized to perform this request using this method.'
         access_denied: 'The resource owner or authorization server denied the request.'
         invalid_scope: 'The requested scope is invalid, unknown, or malformed.'
-        invalid_code_challenge_method: 'The code challenge method must be plain or S256.'
+        invalid_code_challenge_method:
+          zero: 'The authorization server does not support PKCE as there are no accepted code_challenge_method values.'
+          one: 'The code_challenge_method must be %{challenge_methods}.'
+          other: 'The code_challenge_method must be one of %{challenge_methods}.'
         server_error: 'The authorization server encountered an unexpected condition which prevented it from fulfilling the request.'
         temporarily_unavailable: 'The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server.'
 

data/lib/doorkeeper/config/validations.rb

@@ -11,6 +11,7 @@ module Doorkeeper
         validate_reuse_access_token_value
         validate_token_reuse_limit
         validate_secret_strategies
+        validate_pkce_code_challenge_methods
       end
 
       private
@@ -48,6 +49,17 @@ module Doorkeeper
         )
         @token_reuse_limit = 100
       end
+
+      def validate_pkce_code_challenge_methods
+        return if pkce_code_challenge_methods.all? {|method| method =~ /^plain$|^S256$/ }
+
+        ::Rails.logger.warn(
+          "[DOORKEEPER] You have configured an invalid value for pkce_code_challenge_methods option. " \
+          "It will be set to default ['plain', 'S256']",
+        )
+
+        @pkce_code_challenge_methods = ['plain', 'S256']
+      end
     end
   end
 end

data/lib/doorkeeper/config.rb

@@ -31,6 +31,16 @@ module Doorkeeper
         @config.instance_variable_set(:@confirm_application_owner, true)
       end
 
+      # Provide support for dynamic scopes (e.g. user:*) (disabled by default)
+      # Optional parameter delimiter (default ":") if you want to customize
+      # the delimiter separating the scope name and matching value.
+      #
+      # @param opts [Hash] the options to configure dynamic scopes
+      def enable_dynamic_scopes(opts = {})
+        @config.instance_variable_set(:@enable_dynamic_scopes, true)
+        @config.instance_variable_set(:@dynamic_scopes_delimiter, opts[:delimiter] || ':')
+      end
+
       # Define default access token scopes for your provider
       #
       # @param scopes [Array] Default set of access (OAuth::Scopes.new)
@@ -243,6 +253,7 @@ module Doorkeeper
     option :orm,                            default: :active_record
     option :native_redirect_uri,            default: "urn:ietf:wg:oauth:2.0:oob", deprecated: true
     option :grant_flows,                    default: %w[authorization_code client_credentials]
+    option :pkce_code_challenge_methods,    default: %w[plain S256]
     option :handle_auth_errors,             default: :render
     option :token_lookup_batch_size,        default: 10_000
     # Sets the token_reuse_limit
@@ -418,7 +429,7 @@ module Doorkeeper
            default: (lambda do |token, authorized_client, authorized_token|
              if authorized_token
                authorized_token.application == token&.application
-             elsif token.application
+             elsif token&.application
                authorized_client == token.application
              else
                true
@@ -510,6 +521,14 @@ module Doorkeeper
       option_set? :enable_application_owner
     end
 
+    def enable_dynamic_scopes?
+      option_set? :enable_dynamic_scopes
+    end
+
+    def dynamic_scopes_delimiter
+      @dynamic_scopes_delimiter
+    end
+
     def polymorphic_resource_owner?
       option_set? :polymorphic_resource_owner
     end
@@ -554,6 +573,12 @@ module Doorkeeper
       @scopes_by_grant_type ||= {}
     end
 
+    def pkce_code_challenge_methods_supported
+      return [] unless access_grant_model.pkce_supported?
+      
+      pkce_code_challenge_methods
+    end
+
     def client_credentials_methods
       @client_credentials_methods ||= %i[from_basic from_params]
     end

data/lib/doorkeeper/errors.rb

@@ -6,6 +6,10 @@ module Doorkeeper
       def type
         message
       end
+
+      def self.translate_options
+        {}
+      end
     end
 
     class InvalidGrantReuse < DoorkeeperError
@@ -45,6 +49,16 @@ module Doorkeeper
       end
     end
 
+    class InvalidCodeChallengeMethod < BaseResponseError
+      def self.translate_options
+        challenge_methods = Doorkeeper.config.pkce_code_challenge_methods_supported
+        {
+          challenge_methods: challenge_methods.join(", "),
+          count: challenge_methods.length
+        }
+      end
+    end
+
     UnableToGenerateToken = Class.new(DoorkeeperError)
     TokenGeneratorNotFound = Class.new(DoorkeeperError)
     NoOrmCleaner = Class.new(DoorkeeperError)
@@ -55,7 +69,6 @@ module Doorkeeper
     InvalidScope = Class.new(BaseResponseError)
     InvalidRedirectUri = Class.new(BaseResponseError)
     InvalidCodeChallenge = Class.new(BaseResponseError)
-    InvalidCodeChallengeMethod = Class.new(BaseResponseError)
     InvalidGrant = Class.new(BaseResponseError)
 
     UnauthorizedClient = Class.new(BaseResponseError)

data/lib/doorkeeper/models/access_token_mixin.rb

@@ -214,6 +214,8 @@ module Doorkeeper
       # @return [Doorkeeper::AccessToken] existing record or a new one
       #
       def find_or_create_for(application:, resource_owner:, scopes:, **token_attributes)
+        scopes = Doorkeeper::OAuth::Scopes.from_string(scopes) if scopes.is_a?(String)
+
         if Doorkeeper.config.reuse_access_token
           custom_attributes = extract_custom_attributes(token_attributes).presence
           access_token = matching_token_for(

data/lib/doorkeeper/oauth/base_request.rb

@@ -59,7 +59,8 @@ module Doorkeeper
           client_scopes = @client&.scopes
           return default_scopes if client_scopes.blank?
 
-          default_scopes & client_scopes
+          # Avoid using Scope#& for dynamic scopes
+          client_scopes.allowed(default_scopes)
         end
       end
     end

data/lib/doorkeeper/oauth/error.rb

@@ -2,13 +2,14 @@
 
 module Doorkeeper
   module OAuth
-    Error = Struct.new(:name, :state) do
+    Error = Struct.new(:name, :state, :translate_options) do
       def description
-        I18n.translate(
-          name,
+        options = (translate_options || {}).merge(
           scope: %i[doorkeeper errors messages],
           default: :server_error,
         )
+
+        I18n.translate(name, **options)
       end
     end
   end

data/lib/doorkeeper/oauth/error_response.rb

@@ -12,6 +12,7 @@ module Doorkeeper
           attributes.merge(
             name: error_name_for(request.error),
             exception_class: exception_class_for(request.error),
+            translate_options: request.error.try(:translate_options),
             state: request.try(:state),
             redirect_uri: request.try(:redirect_uri),
           ),
@@ -33,7 +34,7 @@ module Doorkeeper
       delegate :name, :description, :state, to: :@error
 
       def initialize(attributes = {})
-        @error = OAuth::Error.new(*attributes.values_at(:name, :state))
+        @error = OAuth::Error.new(*attributes.values_at(:name, :state, :translate_options))
         @exception_class = attributes[:exception_class]
         @redirect_uri = attributes[:redirect_uri]
         @response_on_fragment = attributes[:response_on_fragment]

data/lib/doorkeeper/oauth/pre_authorization.rb

@@ -75,7 +75,7 @@ module Doorkeeper
         if client_scopes.blank?
           server.default_scopes.to_s
         else
-          (server.default_scopes & client_scopes).to_s
+          server.default_scopes.allowed(client_scopes).to_s
         end
       end
 
@@ -154,7 +154,7 @@ module Doorkeeper
         return true unless Doorkeeper.config.access_grant_model.pkce_supported?
 
         code_challenge.blank? ||
-          (code_challenge_method.present? && code_challenge_method =~ /^plain$|^S256$/)
+          (code_challenge_method.present? && Doorkeeper.config.pkce_code_challenge_methods_supported.include?(code_challenge_method))
       end
 
       def response_on_fragment?

data/lib/doorkeeper/oauth/scopes.rb

@@ -6,6 +6,8 @@ module Doorkeeper
       include Enumerable
       include Comparable
 
+      DYNAMIC_SCOPE_WILDCARD = "*"
+
       def self.from_string(string)
         string ||= ""
         new.tap do |scope|
@@ -26,7 +28,15 @@ module Doorkeeper
       end
 
       def exists?(scope)
-        @scopes.include? scope.to_s
+        scope = scope.to_s
+
+        @scopes.any? do |allowed_scope|
+          if dynamic_scopes_enabled? && dynamic_scopes_present?(allowed_scope, scope)
+            dynamic_scope_match?(allowed_scope, scope)
+          else
+            allowed_scope == scope
+          end
+        end
       end
 
       def add(*scopes)
@@ -60,12 +70,56 @@ module Doorkeeper
         end
       end
 
+      # DEPRECATED: With dynamic scopes, #allowed should be called because
+      # A & B doesn't really make sense with dynamic scopes.
+      #
+      # For example, if A = user:* and B is user:1, A & B = [].
+      # If we modified this method to take dynamic scopes into an account, then order
+      # becomes important, and this would violate the principle that A & B = B & A.
       def &(other)
+        return allowed(other) if dynamic_scopes_enabled?
+
         self.class.from_array(all & to_array(other))
       end
 
+      # Returns a set of scopes that are allowed, taking dynamic
+      # scopes into account. This instance's scopes is taken as the allowed set,
+      # and the passed value is the set to filter.
+      #
+      # @param other The set of scopes to filter
+      def allowed(other)
+        filtered_scopes = other.select { |scope| self.exists?(scope) }
+        self.class.from_array(filtered_scopes)
+      end
+
       private
 
+      def dynamic_scopes_enabled?
+        Doorkeeper.config.enable_dynamic_scopes?
+      end
+
+      def dynamic_scope_delimiter
+        return unless dynamic_scopes_enabled?
+
+        @dynamic_scope_delimiter ||= Doorkeeper.config.dynamic_scopes_delimiter
+      end
+
+      def dynamic_scopes_present?(allowed, requested)
+        allowed.include?(dynamic_scope_delimiter) && requested.include?(dynamic_scope_delimiter)
+      end
+
+      def dynamic_scope_match?(allowed, requested)
+        allowed_pattern = allowed.split(dynamic_scope_delimiter, 2)
+        request_pattern = requested.split(dynamic_scope_delimiter, 2)
+
+        return false if allowed_pattern[0] != request_pattern[0]
+        return false if allowed_pattern[1].blank?
+        return false if request_pattern[1].blank?
+        return true  if allowed_pattern[1] == DYNAMIC_SCOPE_WILDCARD && allowed_pattern[1].present?
+
+        allowed_pattern[1] == request_pattern[1]
+      end
+
       def to_array(other)
         case other
         when Scopes

data/lib/doorkeeper/oauth/token_introspection.rb

@@ -6,16 +6,15 @@ module Doorkeeper
     #
     # @see https://datatracker.ietf.org/doc/html/rfc7662
     class TokenIntrospection
-      attr_reader :error
+      attr_reader :token, :error, :invalid_request_reason
 
       def initialize(server, token)
         @server = server
         @token = token
-
-        authorize!
       end
 
       def authorized?
+        authorize!
         @error.blank?
       end
 
@@ -37,8 +36,7 @@ module Doorkeeper
 
       private
 
-      attr_reader :server, :token
-      attr_reader :invalid_request_reason
+      attr_reader :server
 
       # If the protected resource uses OAuth 2.0 client credentials to
       # authenticate to the introspection endpoint and its credentials are
@@ -60,24 +58,38 @@ module Doorkeeper
       def authorize!
         # Requested client authorization
         if server.credentials
-          @error = Errors::InvalidClient unless authorized_client
+          authorize_using_basic_auth!
         elsif authorized_token
-          # Requested bearer token authorization
-          #
-          #  If the protected resource uses an OAuth 2.0 bearer token to authorize
-          #  its call to the introspection endpoint and the token used for
-          #  authorization does not contain sufficient privileges or is otherwise
-          #  invalid for this request, the authorization server responds with an
-          #  HTTP 401 code as described in Section 3 of OAuth 2.0 Bearer Token
-          #  Usage [RFC6750].
-          #
-          @error = Errors::InvalidToken unless valid_authorized_token?
+          authorize_using_bearer_token!
         else
           @error = Errors::InvalidRequest
           @invalid_request_reason = :request_not_authorized
         end
       end
 
+      def authorize_using_basic_auth!
+        # Note that a properly formed and authorized query for an inactive or
+        # otherwise invalid token (or a token the protected resource is not
+        # allowed to know about) is not considered an error response by this
+        # specification. In these cases, the authorization server MUST instead
+        # respond with an introspection response with the "active" field set to
+        # "false" as described in Section 2.2.
+        @error = Errors::InvalidClient unless authorized_client
+      end
+
+      def authorize_using_bearer_token!
+        # Requested bearer token authorization
+        #
+        #  If the protected resource uses an OAuth 2.0 bearer token to authorize
+        #  its call to the introspection endpoint and the token used for
+        #  authorization does not contain sufficient privileges or is otherwise
+        #  invalid for this request, the authorization server responds with an
+        #  HTTP 401 code as described in Section 3 of OAuth 2.0 Bearer Token
+        #  Usage [RFC6750].
+        #
+        @error = Errors::InvalidToken unless valid_authorized_token?
+      end
+
       # Client Authentication
       def authorized_client
         @authorized_client ||= server.credentials && server.client

data/lib/doorkeeper/oauth/token_response.rb

@@ -30,6 +30,7 @@ module Doorkeeper
         {
           "Cache-Control" => "no-store, no-cache",
           "Content-Type" => "application/json; charset=utf-8",
+          "Pragma" => "no-cache",
         }
       end
     end

data/lib/doorkeeper/orm/active_record/mixins/application.rb

@@ -20,11 +20,13 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
                dependent: :delete_all,
                class_name: Doorkeeper.config.access_token_class.to_s
 
-      validates :name, :secret, :uid, presence: true
+      validates :name, :uid, presence: true
+      validates :secret, presence: true, if: -> { secret_required? }
       validates :uid, uniqueness: { case_sensitive: true }
-      validates_with Doorkeeper::RedirectUriValidator, attributes: [:redirect_uri]
       validates :confidential, inclusion: { in: [true, false] }
 
+      validates_with Doorkeeper::RedirectUriValidator, attributes: [:redirect_uri]
+
       validate :scopes_match_configured, if: :enforce_scopes?
 
       before_validation :generate_uid, :generate_secret, on: :create
@@ -118,7 +120,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
       end
 
       def generate_secret
-        return if secret.present?
+        return if secret.present? || !secret_required?
 
         renew_secret
       end
@@ -136,6 +138,11 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
         Doorkeeper.config.enforce_configured_scopes?
       end
 
+      def secret_required?
+        confidential? ||
+          !self.class.columns.detect { |column| column.name == "secret" }&.null
+      end
+
       # Helper method to extract collection of serializable attribute names
       # considering serialization options (like `only`, `except` and so on).
       #

data/lib/doorkeeper/revocable_tokens/revocable_access_token.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module RevocableTokens
+    class RevocableAccessToken
+      attr_reader :token
+
+      def initialize(token)
+        @token = token
+      end
+
+      def revocable?
+        token.accessible?
+      end
+
+      def revoke
+        token.revoke
+      end
+    end
+  end
+end

data/lib/doorkeeper/revocable_tokens/revocable_refresh_token.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module RevocableTokens
+    class RevocableRefreshToken
+      attr_reader :token
+
+      def initialize(token)
+        @token = token
+      end
+
+      def revocable?
+        !token.revoked?
+      end
+
+      def revoke
+        token.revoke
+      end
+    end
+  end
+end

data/lib/doorkeeper/version.rb

@@ -4,7 +4,7 @@ module Doorkeeper
   module VERSION
     # Semantic versioning
     MAJOR = 5
-    MINOR = 7
+    MINOR = 8
     TINY = 1
     PRE = nil
 

data/lib/doorkeeper.rb

@@ -34,6 +34,11 @@ module Doorkeeper
     autoload :Token, "doorkeeper/request/token"
   end
 
+  module RevocableTokens
+    autoload :RevocableAccessToken, "doorkeeper/revocable_tokens/revocable_access_token"
+    autoload :RevocableRefreshToken, "doorkeeper/revocable_tokens/revocable_refresh_token"
+  end
+
   module OAuth
     autoload :BaseRequest, "doorkeeper/oauth/base_request"
     autoload :AuthorizationCodeRequest, "doorkeeper/oauth/authorization_code_request"

data/lib/generators/doorkeeper/remove_applications_secret_not_null_constraint_generator.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require "rails/generators"
+require "rails/generators/active_record"
+
+module Doorkeeper
+  # Generates migration with which drops NOT NULL constraint and allows not
+  # to bloat the database with redundant secret value.
+  #
+  class RemoveApplicationSecretNotNullConstraint < ::Rails::Generators::Base
+    include ::Rails::Generators::Migration
+    source_root File.expand_path("templates", __dir__)
+    desc "Removes NOT NULL constraint for OAuth2 applications."
+
+    def enable_polymorphic_resource_owner
+      migration_template(
+        "remove_applications_secret_not_null_constraint.rb.erb",
+        "db/migrate/remove_applications_secret_not_null_constraint.rb",
+        migration_version: migration_version,
+      )
+    end
+
+    def self.next_migration_number(dirname)
+      ActiveRecord::Generators::Base.next_migration_number(dirname)
+    end
+
+    private
+
+    def migration_version
+      "[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
+    end
+  end
+end

data/lib/generators/doorkeeper/templates/migration.rb.erb

@@ -5,6 +5,7 @@ class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
     create_table :oauth_applications do |t|
       t.string  :name,    null: false
       t.string  :uid,     null: false
+      # Remove `null: false` or use conditional constraint if you are planning to use public clients.
       t.string  :secret,  null: false
 
       # Remove `null: false` if you are planning to use grant flows

data/lib/generators/doorkeeper/templates/remove_applications_secret_not_null_constraint.rb.erb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class RemoveApplicationsSecretNotNullConstraint < ActiveRecord::Migration<%= migration_version %>
+  def change
+    change_column_null :oauth_applications, :secret, true
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper
 version: !ruby/object:Gem::Version
-  version: 5.7.1
+  version: 5.8.1
 platform: ruby
 authors:
 - Felipe Elias Philipp
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-06-25 00:00:00.000000000 Z
+date: 2024-12-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -290,6 +290,8 @@ files:
 - lib/doorkeeper/request/refresh_token.rb
 - lib/doorkeeper/request/strategy.rb
 - lib/doorkeeper/request/token.rb
+- lib/doorkeeper/revocable_tokens/revocable_access_token.rb
+- lib/doorkeeper/revocable_tokens/revocable_refresh_token.rb
 - lib/doorkeeper/secret_storing/base.rb
 - lib/doorkeeper/secret_storing/bcrypt.rb
 - lib/doorkeeper/secret_storing/plain.rb
@@ -305,6 +307,7 @@ files:
 - lib/generators/doorkeeper/migration_generator.rb
 - lib/generators/doorkeeper/pkce_generator.rb
 - lib/generators/doorkeeper/previous_refresh_token_generator.rb
+- lib/generators/doorkeeper/remove_applications_secret_not_null_constraint_generator.rb
 - lib/generators/doorkeeper/templates/README
 - lib/generators/doorkeeper/templates/add_confidential_to_applications.rb.erb
 - lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb
@@ -313,6 +316,7 @@ files:
 - lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb
 - lib/generators/doorkeeper/templates/initializer.rb
 - lib/generators/doorkeeper/templates/migration.rb.erb
+- lib/generators/doorkeeper/templates/remove_applications_secret_not_null_constraint.rb.erb
 - lib/generators/doorkeeper/views_generator.rb
 - vendor/assets/stylesheets/doorkeeper/bootstrap.min.css
 homepage: https://github.com/doorkeeper-gem/doorkeeper
@@ -324,6 +328,7 @@ metadata:
   source_code_uri: https://github.com/doorkeeper-gem/doorkeeper
   bug_tracker_uri: https://github.com/doorkeeper-gem/doorkeeper/issues
   documentation_uri: https://doorkeeper.gitbook.io/guides/
+  funding_uri: https://opencollective.com/doorkeeper-gem
 post_install_message: "Starting from 5.5.0 RC1 Doorkeeper requires client authentication
   for Resource Owner Password Grant\nas stated in the OAuth RFC. You have to create
   a new OAuth client (Doorkeeper::Application) if you didn't\nhave it before and use
@@ -346,7 +351,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
+rubygems_version: 3.5.15
 signing_key: 
 specification_version: 4
 summary: OAuth 2 provider for Rails and Grape