RubyGems - doorkeeper - Versions diffs - 5.8.0 → 5.8.2 - Mend

doorkeeper 5.8.0 → 5.8.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +14 -0
data/app/controllers/doorkeeper/tokens_controller.rb +28 -7
data/config/locales/en.yml +5 -1
data/lib/doorkeeper/errors.rb +14 -2
data/lib/doorkeeper/oauth/authorization_code_request.rb +1 -5
data/lib/doorkeeper/oauth/base_request.rb +2 -1
data/lib/doorkeeper/oauth/error.rb +4 -3
data/lib/doorkeeper/oauth/error_response.rb +2 -1
data/lib/doorkeeper/oauth/pre_authorization.rb +8 -4
data/lib/doorkeeper/oauth/scopes.rb +18 -0
data/lib/doorkeeper/rails/helpers.rb +3 -1
data/lib/doorkeeper/revocable_tokens/revocable_access_token.rb +21 -0
data/lib/doorkeeper/revocable_tokens/revocable_refresh_token.rb +21 -0
data/lib/doorkeeper/version.rb +1 -1
data/lib/doorkeeper.rb +5 -0
metadata +5 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f4907be020648eb5c1dbc6e596c31c72c4133740e849ee1345ff337a4ce01c56
-  data.tar.gz: 831e491b48efe921e43065d393c6a785a9988e6057f1ed3e1e4f2e8626555e65
+  metadata.gz: de574cec8c17af2fd1026081acc0bf592c71ecbf947d92546df6b4d48ce3b5ce
+  data.tar.gz: eb282ce352bbd4491014b753535ff24e804ca801e02aef8a6ded3f7ca5951e64
 SHA512:
-  metadata.gz: 2f97a8c5d6749cea33b31737988b26271d1ad03f4bd8f003b3674e8e81159a44e6a54f5611b868a06a9a074995bcc47165f222aadcd961746cc43776ee993c57
-  data.tar.gz: 3d2e13efa8bba0cedc4a63055d6ecb70f0af8d1dc0644047b4b1ecb3bc3bf5affd2a0a20d46989a4999b4361573c39ae72f516398c67ffe708512f0fd6e23011
+  metadata.gz: 68b668d79eb5532cb4dbe660eb26269d67eb545b5dbd12bae15c087752c7e5447e1f60326725c0d838189a746de5718e8644605dcdd946d4f2cf29a556297369
+  data.tar.gz: 8ad2d79f707129abd0787710cc86ee563af9887f986dec03edc396c691ffb26e18279b3693bc15658d059e78dd7dc2ce3093a137c03bb16e7858832d9e80c368

data/CHANGELOG.md CHANGED Viewed

@@ -9,6 +9,20 @@ User-visible changes worth mentioning.
 Add your entry here.
+## 5.8.2
+- [#1755] Fix the error message for force_pkce
+- [#1761] Memoize authentication failure
+- [#1762] Allow missing client to trigger invalid client error when force_pkce is enabled
+- [#1767] Make sure error handling happens on a controller level opposed to action level to account for the controller being extended
+## 5.8.1
+- [#1752] Bump the range of supported Ruby and Rails versions
+- [#1747] Fix unknown pkce method error when configured
+- [#1744] Allow for expired refresh tokens to be revoked
+- [#1754] Fix refresh tokens with dynamic scopes
 ## 5.8.0
 - [#1739] Add support for dynamic scopes

data/app/controllers/doorkeeper/tokens_controller.rb CHANGED Viewed

@@ -4,12 +4,14 @@ module Doorkeeper
   class TokensController < Doorkeeper::ApplicationMetalController
     before_action :validate_presence_of_client, only: [:revoke]
+    rescue_from Errors::DoorkeeperError do |e|
+      handle_token_exception(e)
+    end
     def create
       headers.merge!(authorize_response.headers)
       render json: authorize_response.body,
              status: authorize_response.status
-    rescue Errors::DoorkeeperError => e
-      handle_token_exception(e)
     end
     # OAuth 2.0 Token Revocation - https://datatracker.ietf.org/doc/html/rfc7009
@@ -113,19 +115,38 @@ module Doorkeeper
       # The authorization server responds with HTTP status code 200 if the token
       # has been revoked successfully or if the client submitted an invalid
       # token
-      token.revoke if token&.accessible?
+      revocable_token.revoke if revocable_token.revocable?
     end
     def token
-      @token ||=
+      revocable_token&.token
+    end
+    def revocable_token
+      return @revocable_token if defined? @revocable_token
+      @revocable_token =
         if params[:token_type_hint] == "refresh_token"
-          Doorkeeper.config.access_token_model.by_refresh_token(params["token"])
+          refresh_token
         else
-          Doorkeeper.config.access_token_model.by_token(params["token"]) ||
-            Doorkeeper.config.access_token_model.by_refresh_token(params["token"])
+          access_token || refresh_token
         end
     end
+    def refresh_token
+      token = Doorkeeper.config.access_token_model.by_refresh_token(params["token"])
+      return unless token
+      RevocableTokens::RevocableRefreshToken.new(token)
+    end
+    def access_token
+      token = Doorkeeper.config.access_token_model.by_token(params["token"])
+      return unless token
+      RevocableTokens::RevocableAccessToken.new(token)
+    end
     def strategy
       @strategy ||= server.token_request(params[:grant_type])
     end

data/config/locales/en.yml CHANGED Viewed

@@ -96,11 +96,15 @@ en:
           unknown: 'The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed.'
           missing_param: 'Missing required parameter: %{value}.'
           request_not_authorized: 'Request need to be authorized. Required parameter for authorizing request is missing or invalid.'
+          invalid_code_challenge: 'Code challenge is required.'
         invalid_redirect_uri: "The requested redirect uri is malformed or doesn't match client redirect URI."
         unauthorized_client: 'The client is not authorized to perform this request using this method.'
         access_denied: 'The resource owner or authorization server denied the request.'
         invalid_scope: 'The requested scope is invalid, unknown, or malformed.'
-        invalid_code_challenge_method: 'The code challenge method must be plain or S256.'
+        invalid_code_challenge_method:
+          zero: 'The authorization server does not support PKCE as there are no accepted code_challenge_method values.'
+          one: 'The code_challenge_method must be %{challenge_methods}.'
+          other: 'The code_challenge_method must be one of %{challenge_methods}.'
         server_error: 'The authorization server encountered an unexpected condition which prevented it from fulfilling the request.'
         temporarily_unavailable: 'The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server.'

data/lib/doorkeeper/errors.rb CHANGED Viewed

@@ -6,6 +6,10 @@ module Doorkeeper
       def type
         message
       end
+      def self.translate_options
+        {}
+      end
     end
     class InvalidGrantReuse < DoorkeeperError
@@ -45,6 +49,16 @@ module Doorkeeper
       end
     end
+    class InvalidCodeChallengeMethod < BaseResponseError
+      def self.translate_options
+        challenge_methods = Doorkeeper.config.pkce_code_challenge_methods_supported
+        {
+          challenge_methods: challenge_methods.join(", "),
+          count: challenge_methods.length
+        }
+      end
+    end
     UnableToGenerateToken = Class.new(DoorkeeperError)
     TokenGeneratorNotFound = Class.new(DoorkeeperError)
     NoOrmCleaner = Class.new(DoorkeeperError)
@@ -54,8 +68,6 @@ module Doorkeeper
     InvalidClient = Class.new(BaseResponseError)
     InvalidScope = Class.new(BaseResponseError)
     InvalidRedirectUri = Class.new(BaseResponseError)
-    InvalidCodeChallenge = Class.new(BaseResponseError)
-    InvalidCodeChallengeMethod = Class.new(BaseResponseError)
     InvalidGrant = Class.new(BaseResponseError)
     UnauthorizedClient = Class.new(BaseResponseError)

data/lib/doorkeeper/oauth/authorization_code_request.rb CHANGED Viewed

@@ -59,15 +59,11 @@ module Doorkeeper
         Doorkeeper.config.access_grant_model.pkce_supported?
       end
-      def confidential?
-        client&.confidential
-      end
       def validate_params
         @missing_param =
           if grant&.uses_pkce? && code_verifier.blank?
             :code_verifier
-          elsif !confidential? && Doorkeeper.config.force_pkce? && code_verifier.blank?
+          elsif client && !client.confidential && Doorkeeper.config.force_pkce? && code_verifier.blank?
             :code_verifier
           elsif redirect_uri.blank?
             :redirect_uri

data/lib/doorkeeper/oauth/base_request.rb CHANGED Viewed

@@ -59,7 +59,8 @@ module Doorkeeper
           client_scopes = @client&.scopes
           return default_scopes if client_scopes.blank?
-          default_scopes & client_scopes
+          # Avoid using Scope#& for dynamic scopes
+          client_scopes.allowed(default_scopes)
         end
       end
     end

data/lib/doorkeeper/oauth/error.rb CHANGED Viewed

@@ -2,13 +2,14 @@
 module Doorkeeper
   module OAuth
-    Error = Struct.new(:name, :state) do
+    Error = Struct.new(:name, :state, :translate_options) do
       def description
-        I18n.translate(
-          name,
+        options = (translate_options || {}).merge(
           scope: %i[doorkeeper errors messages],
           default: :server_error,
         )
+        I18n.translate(name, **options)
       end
     end
   end

data/lib/doorkeeper/oauth/error_response.rb CHANGED Viewed

@@ -12,6 +12,7 @@ module Doorkeeper
           attributes.merge(
             name: error_name_for(request.error),
             exception_class: exception_class_for(request.error),
+            translate_options: request.error.try(:translate_options),
             state: request.try(:state),
             redirect_uri: request.try(:redirect_uri),
           ),
@@ -33,7 +34,7 @@ module Doorkeeper
       delegate :name, :description, :state, to: :@error
       def initialize(attributes = {})
-        @error = OAuth::Error.new(*attributes.values_at(:name, :state))
+        @error = OAuth::Error.new(*attributes.values_at(:name, :state, :translate_options))
         @exception_class = attributes[:exception_class]
         @redirect_uri = attributes[:redirect_uri]
         @response_on_fragment = attributes[:response_on_fragment]

data/lib/doorkeeper/oauth/pre_authorization.rb CHANGED Viewed

@@ -14,12 +14,13 @@ module Doorkeeper
       validate :response_type, error: Errors::UnsupportedResponseType
       validate :response_mode, error: Errors::UnsupportedResponseMode
       validate :scopes, error: Errors::InvalidScope
-      validate :code_challenge, error: Errors::InvalidCodeChallenge
+      validate :code_challenge, error: Errors::InvalidRequest
       validate :code_challenge_method, error: Errors::InvalidCodeChallengeMethod
       attr_reader :client, :code_challenge, :code_challenge_method, :missing_param,
                   :redirect_uri, :resource_owner, :response_type, :state,
-                  :authorization_response_flow, :response_mode, :custom_access_token_attributes
+                  :authorization_response_flow, :response_mode, :custom_access_token_attributes,
+                  :invalid_request_reason
       def initialize(server, parameters = {}, resource_owner = nil)
         @server = server
@@ -75,7 +76,7 @@ module Doorkeeper
         if client_scopes.blank?
           server.default_scopes.to_s
         else
-          (server.default_scopes & client_scopes).to_s
+          server.default_scopes.allowed(client_scopes).to_s
         end
       end
@@ -147,7 +148,10 @@ module Doorkeeper
       def validate_code_challenge
         return true unless Doorkeeper.config.force_pkce?
         return true if client.confidential
-        code_challenge.present?
+        return true if code_challenge.present?
+        @invalid_request_reason = :invalid_code_challenge
+        false
       end
       def validate_code_challenge_method

data/lib/doorkeeper/oauth/scopes.rb CHANGED Viewed

@@ -70,10 +70,28 @@ module Doorkeeper
         end
       end
+      # DEPRECATED: With dynamic scopes, #allowed should be called because
+      # A & B doesn't really make sense with dynamic scopes.
+      #
+      # For example, if A = user:* and B is user:1, A & B = [].
+      # If we modified this method to take dynamic scopes into an account, then order
+      # becomes important, and this would violate the principle that A & B = B & A.
       def &(other)
+        return allowed(other) if dynamic_scopes_enabled?
         self.class.from_array(all & to_array(other))
       end
+      # Returns a set of scopes that are allowed, taking dynamic
+      # scopes into account. This instance's scopes is taken as the allowed set,
+      # and the passed value is the set to filter.
+      #
+      # @param other The set of scopes to filter
+      def allowed(other)
+        filtered_scopes = other.select { |scope| self.exists?(scope) }
+        self.class.from_array(filtered_scopes)
+      end
       private
       def dynamic_scopes_enabled?

data/lib/doorkeeper/rails/helpers.rb CHANGED Viewed

@@ -70,7 +70,9 @@ module Doorkeeper
       end
       def doorkeeper_token
-        @doorkeeper_token ||= OAuth::Token.authenticate(
+        return @doorkeeper_token if defined?(@doorkeeper_token)
+        @doorkeeper_token = OAuth::Token.authenticate(
           request,
           *Doorkeeper.config.access_token_methods,
         )

data/lib/doorkeeper/revocable_tokens/revocable_access_token.rb ADDED Viewed

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+module Doorkeeper
+  module RevocableTokens
+    class RevocableAccessToken
+      attr_reader :token
+      def initialize(token)
+        @token = token
+      end
+      def revocable?
+        token.accessible?
+      end
+      def revoke
+        token.revoke
+      end
+    end
+  end
+end

data/lib/doorkeeper/revocable_tokens/revocable_refresh_token.rb ADDED Viewed

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+module Doorkeeper
+  module RevocableTokens
+    class RevocableRefreshToken
+      attr_reader :token
+      def initialize(token)
+        @token = token
+      end
+      def revocable?
+        !token.revoked?
+      end
+      def revoke
+        token.revoke
+      end
+    end
+  end
+end

data/lib/doorkeeper/version.rb CHANGED Viewed

@@ -5,7 +5,7 @@ module Doorkeeper
     # Semantic versioning
     MAJOR = 5
     MINOR = 8
-    TINY = 0
+    TINY = 2
     PRE = nil
     # Full version number

data/lib/doorkeeper.rb CHANGED Viewed

@@ -34,6 +34,11 @@ module Doorkeeper
     autoload :Token, "doorkeeper/request/token"
   end
+  module RevocableTokens
+    autoload :RevocableAccessToken, "doorkeeper/revocable_tokens/revocable_access_token"
+    autoload :RevocableRefreshToken, "doorkeeper/revocable_tokens/revocable_refresh_token"
+  end
   module OAuth
     autoload :BaseRequest, "doorkeeper/oauth/base_request"
     autoload :AuthorizationCodeRequest, "doorkeeper/oauth/authorization_code_request"

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper
 version: !ruby/object:Gem::Version
-  version: 5.8.0
+  version: 5.8.2
 platform: ruby
 authors:
 - Felipe Elias Philipp
@@ -11,7 +11,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-10-31 00:00:00.000000000 Z
+date: 2025-04-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -290,6 +290,8 @@ files:
 - lib/doorkeeper/request/refresh_token.rb
 - lib/doorkeeper/request/strategy.rb
 - lib/doorkeeper/request/token.rb
+- lib/doorkeeper/revocable_tokens/revocable_access_token.rb
+- lib/doorkeeper/revocable_tokens/revocable_refresh_token.rb
 - lib/doorkeeper/secret_storing/base.rb
 - lib/doorkeeper/secret_storing/bcrypt.rb
 - lib/doorkeeper/secret_storing/plain.rb
@@ -326,6 +328,7 @@ metadata:
   source_code_uri: https://github.com/doorkeeper-gem/doorkeeper
   bug_tracker_uri: https://github.com/doorkeeper-gem/doorkeeper/issues
   documentation_uri: https://doorkeeper.gitbook.io/guides/
+  funding_uri: https://opencollective.com/doorkeeper-gem
 post_install_message: "Starting from 5.5.0 RC1 Doorkeeper requires client authentication
   for Resource Owner Password Grant\nas stated in the OAuth RFC. You have to create
   a new OAuth client (Doorkeeper::Application) if you didn't\nhave it before and use