doorkeeper 5.9.0 → 5.9.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6d1b95ea3d64e410d8469ac2ba820cc6df74c03400236a162182eb8b8821ed9b
-  data.tar.gz: 5b73ae5b6e76bf333adffc34ff49f3bb13d385edda710b7319598dd0a6ce165c
+  metadata.gz: dd9d528da47dec74a5bb12a6e9ce672279cebd0a52cc6a714347df6c17828dfd
+  data.tar.gz: 61e4dcc2434b3e1c0400e35bf80eef980b3adb81c2a33cbe74e9797fef3963b0
 SHA512:
-  metadata.gz: f99c5eec8a04660db855c9f881e32387ea8ed11404f425c0008cc760f4497944ca4c483484070e5371e961c9f4ee7456207a9f09120539709b74c42752ef08c2
-  data.tar.gz: c644e25d872bda11e3d97dfc3d6acdd1e59f71e27fb0eba626edb3a21fb29837709f52ba777123b1505a952aaf273aacefe8912fec7dcd8b76bdad9b86ae8780
+  metadata.gz: 8a3e115278bfb5540ccde8b7ecc4084138935a4a7c928011f38684908c4e5cd0dadbfb14a93bcb4ce39da91a8bcaf599970d39de6d7953752e7c77aa6c03c31e
+  data.tar.gz: b62a19e584648c28bd9d4a24e21d3501ac35c85c77de950050c8942bb82be4f821d241b41ebc8544b03c354f93f96e4588c051d1b4eafe77ce6b13c06941ab7c

data/CHANGELOG.md

@@ -7,7 +7,34 @@ User-visible changes worth mentioning.
 
 ## main
 
-Add your entry here.
+- Add here
+
+## 5.9.1
+
+- [#1781] Honor `handle_auth_errors :raise` in `AuthorizationsController#authorize_response`
+- [#1795] Fix: detailed error 'insufficient_scope' in protected resources 403s
+- [#1797] Fix `doorkeeper:db:cleanup` rake task failure on PostgreSQL
+- [#1800] Set `@grant_type` in `ClientCredentialsRequest` and `RefreshTokenRequest` constructors so `request.grant_type` returns
+  the correct value in hooks like `before_successful_strategy_response`.
+- [#1802] Fix `filter_parameters` not applied when `Doorkeeper.configure` is called inside to_prepare.
+- [#1804] Use `ActiveSupport.on_load(:active_record)` in ORM hooks to prevent loading ActiveRecord models too early
+- [#1806] Fix token revocation bypass for public clients (RFC 7009)
+- [#1815] Expose `current_resource_owner` as a view helper in `Doorkeeper::ApplicationController`.
+- [#1818] Fix token introspection returning `exp: 0` for non-expiring tokens.
+- [#1784] Remove hardcoded colons from view templates, move punctuation to i18n translation strings.
+
+  **[IMPORTANT]**: if you have customized Doorkeeper views (`authorizations/new`, `authorizations/show`,
+  `applications/show`) or overridden the default `en.yml` translations, you may need to update them.
+  Colons are no longer hardcoded in the views — they are now part of the translation strings.
+  Update the [doorkeeper-i18n](https://github.com/doorkeeper-gem/doorkeeper-i18n) gem to get the
+  updated translations for all locales.
+- [#1820] Remove dead wildcard presence check in `Scopes#dynamic_scope_match?` (internal cleanup, no behavior change).
+- [#1822] Update Rubocop config, auto-corrections.
+- [#1823] Update Rubocop config, part 2.
+- [#1825] Update Rubocop config, part 3.
+- [#1821] Fix noisy `Could not find command "no_previous_refresh_token_column?"` Thor output during the
+  `PreviousRefreshTokenGenerator` spec by stubbing the underlying DB column check instead of the generator's
+  private method (test-only change).
 
 ## 5.9.0
 

data/README.md

@@ -4,7 +4,6 @@
 [![CI](https://github.com/doorkeeper-gem/doorkeeper/actions/workflows/ci.yml/badge.svg)](https://github.com/doorkeeper-gem/doorkeeper/actions/workflows/ci.yml)
 [![Maintainability](https://qlty.sh/gh/doorkeeper-gem/projects/doorkeeper/maintainability.svg)](https://qlty.sh/gh/doorkeeper-gem/projects/doorkeeper)
 [![Coverage Status](https://coveralls.io/repos/github/doorkeeper-gem/doorkeeper/badge.svg?branch=main)](https://coveralls.io/github/doorkeeper-gem/doorkeeper?branch=main)
-[![Reviewed by Hound](https://img.shields.io/badge/Reviewed_by-Hound-8E64B0.svg)](https://houndci.com)
 [![GuardRails badge](https://api.guardrails.io/v2/badges/21183?token=66768ce8f6995814df81f65a2cff40f739f688492704f973e62809e15599bb62)](https://dashboard.guardrails.io/gh/doorkeeper-gem/repos/21183)
 [![Dependabot](https://img.shields.io/badge/dependabot-enabled-success.svg)](https://dependabot.com)
 

data/app/controllers/doorkeeper/authorizations_controller.rb

@@ -131,7 +131,11 @@ module Doorkeeper
 
     def authorize_response
       @authorize_response ||= begin
-        return pre_auth.error_response unless pre_auth.authorizable?
+        unless pre_auth.authorizable?
+          response = pre_auth.error_response
+          response.raise_exception! if Doorkeeper.config.raise_on_errors?
+          return response
+        end
 
         context = build_context(pre_auth: pre_auth)
         before_successful_authorization(context)

data/app/controllers/doorkeeper/tokens_controller.rb

@@ -87,24 +87,22 @@ module Doorkeeper
     # credentials, in the case of a confidential client. The token being
     # revoked must also belong to the requesting client.
     #
-    # Once a confidential client is authenticated, it must be authorized to
+    # Once a client is authenticated, it must be authorized to
     # revoke the provided access or refresh token. This ensures one client
     # cannot revoke another's tokens.
     #
-    # Doorkeeper determines the client type implicitly via the presence of the
-    # OAuth client associated with a given access or refresh token. Since public
-    # clients authenticate the resource owner via "password" or "implicit" grant
-    # types, they set the application_id as null (since the claim cannot be
-    # verified).
+    # Doorkeeper checks token ownership for any token that has an
+    # application_id set. Tokens issued without a client (application_id
+    # is null) can be revoked without client authorization.
     #
     # https://datatracker.ietf.org/doc/html/rfc6749#section-2.1
     # https://datatracker.ietf.org/doc/html/rfc7009
     def authorized?
       # Token belongs to specific client, so we need to check if
       # authenticated client could access it.
-      if token.application_id? && token.application.confidential?
-        # We authorize client by checking token's application
-        server.client && server.client.application == token.application
+      if token.application_id?
+        # We authorize client by comparing client and token application IDs
+        server.client && server.client.id == token.application_id
       else
         # Token was issued without client, authorization unnecessary
         true

data/app/views/doorkeeper/applications/show.html.erb

@@ -4,10 +4,10 @@
 
 <div class="row">
   <div class="col-md-8">
-    <h4><%= t('.application_id') %>:</h4>
+    <h4><%= t('.application_id') %></h4>
     <p><code class="bg-light" id="application_id"><%= @application.uid %></code></p>
 
-    <h4><%= t('.secret') %>:</h4>
+    <h4><%= t('.secret') %></h4>
     <p>
       <code class="bg-light" id="secret">
         <% secret = flash[:application_secret].presence || @application.plaintext_secret %>
@@ -19,7 +19,7 @@
       </code>
     </p>
 
-    <h4><%= t('.scopes') %>:</h4>
+    <h4><%= t('.scopes') %></h4>
     <p>
       <code class="bg-light" id="scopes">
         <% if @application.scopes.present? %>
@@ -30,10 +30,10 @@
       </code>
     </p>
 
-    <h4><%= t('.confidential') %>:</h4>
+    <h4><%= t('.confidential') %></h4>
     <p><code class="bg-light" id="confidential"><%= @application.confidential? %></code></p>
 
-    <h4><%= t('.callback_urls') %>:</h4>
+    <h4><%= t('.callback_urls') %></h4>
 
     <% if @application.redirect_uri.present? %>
       <table>

data/app/views/doorkeeper/authorizations/new.html.erb

@@ -9,7 +9,7 @@
 
   <% if @pre_auth.scopes.count > 0 %>
     <div id="oauth-permissions">
-      <p><%= t('.able_to') %>:</p>
+      <p><%= t('.able_to') %></p>
 
       <ul class="text-info">
         <% @pre_auth.scopes.each do |scope| %>

data/app/views/doorkeeper/authorizations/show.html.erb

@@ -1,5 +1,5 @@
 <header class="page-header">
-  <h1><%= t('.title') %>:</h1>
+  <h1><%= t('.title') %></h1>
 </header>
 
 <main role="main">

data/config/locales/en.yml

@@ -16,7 +16,7 @@ en:
               secured_uri: 'must be an HTTPS/SSL URI.'
               forbidden_uri: 'is forbidden by the server.'
             scopes:
-              not_match_configured: "doesn't match configured on the server."
+              not_match_configured: "doesn't match those configured on the server."
 
   doorkeeper:
     applications:
@@ -33,7 +33,7 @@ en:
       help:
         confidential: 'Application will be used where the client secret can be kept confidential. Native mobile apps and Single Page Apps are considered non-confidential.'
         redirect_uri: 'Use one line per URI'
-        blank_redirect_uri: "Leave it blank if you configured your provider to use Client Credentials, Resource Owner Password Credentials or any other grant type that doesn't require redirect URI."
+        blank_redirect_uri: "Leave it blank if you configured your provider to use Client Credentials, Resource Owner Password Credentials or any other grant type that doesn't require a redirect URI."
         scopes: 'Separate scopes with spaces. Leave blank to use the default scopes.'
       edit:
         title: 'Edit application'
@@ -51,12 +51,12 @@ en:
         title: 'New Application'
       show:
         title: 'Application: %{name}'
-        application_id: 'UID'
-        secret: 'Secret'
+        application_id: 'UID:'
+        secret: 'Secret:'
         secret_hashed: 'Secret hashed'
-        scopes: 'Scopes'
-        confidential: 'Confidential'
-        callback_urls: 'Callback urls'
+        scopes: 'Scopes:'
+        confidential: 'Confidential:'
+        callback_urls: 'Callback URLs:'
         actions: 'Actions'
         not_defined: 'Not defined'
 
@@ -69,9 +69,9 @@ en:
       new:
         title: 'Authorization required'
         prompt: 'Authorize %{client_name} to use your account?'
-        able_to: 'This application will be able to'
+        able_to: 'This application will be able to:'
       show:
-        title: 'Authorization code'
+        title: 'Authorization code:'
       form_post:
         title: 'Submit this form'
 
@@ -95,9 +95,9 @@ en:
         invalid_request:
           unknown: 'The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed.'
           missing_param: 'Missing required parameter: %{value}.'
-          request_not_authorized: 'Request need to be authorized. Required parameter for authorizing request is missing or invalid.'
+          request_not_authorized: 'Request needs to be authorized. Required parameter for authorizing the request is missing or invalid.'
           invalid_code_challenge: 'Code challenge is required.'
-        invalid_redirect_uri: "The requested redirect uri is malformed or doesn't match client redirect URI."
+        invalid_redirect_uri: "The requested redirect URI is malformed or doesn't match the client redirect URI."
         unauthorized_client: 'The client is not authorized to perform this request using this method.'
         access_denied: 'The resource owner or authorization server denied the request.'
         invalid_scope: 'The requested scope is invalid, unknown, or malformed.'

data/lib/doorkeeper/config/validations.rb

@@ -51,14 +51,14 @@ module Doorkeeper
       end
 
       def validate_pkce_code_challenge_methods
-        return if pkce_code_challenge_methods.all? {|method| method =~ /^plain$|^S256$/ }
+        return if pkce_code_challenge_methods.all? { |method| method =~ /^plain$|^S256$/ }
 
         ::Rails.logger.warn(
           "[DOORKEEPER] You have configured an invalid value for pkce_code_challenge_methods option. " \
           "It will be set to default ['plain', 'S256']",
         )
 
-        @pkce_code_challenge_methods = ['plain', 'S256']
+        @pkce_code_challenge_methods = ["plain", "S256"]
       end
     end
   end

data/lib/doorkeeper/config.rb

@@ -38,7 +38,7 @@ module Doorkeeper
       # @param opts [Hash] the options to configure dynamic scopes
       def enable_dynamic_scopes(opts = {})
         @config.instance_variable_set(:@enable_dynamic_scopes, true)
-        @config.instance_variable_set(:@dynamic_scopes_delimiter, opts[:delimiter] || ':')
+        @config.instance_variable_set(:@dynamic_scopes_delimiter, opts[:delimiter] || ":")
       end
 
       # Define default access token scopes for your provider
@@ -115,7 +115,7 @@ module Doorkeeper
         @config.instance_variable_set(:@enable_multiple_database_roles, true)
       end
 
-      # Choose to use the url path for native autorization codes 
+      # Choose to use the url path for native autorization codes
       # Enabling this flag sets the authorization code response route for
       # native redirect uris to oauth/authorize/<code>. The default is
       # oauth/authorize/native?code=<code>.
@@ -592,7 +592,7 @@ module Doorkeeper
 
     def pkce_code_challenge_methods_supported
       return [] unless access_grant_model.pkce_supported?
-      
+
       pkce_code_challenge_methods
     end
 
@@ -633,10 +633,10 @@ module Doorkeeper
     def deprecated_token_grant_types_resolver
       @deprecated_token_grant_types ||= calculate_token_grant_types
     end
-    
+
     def native_authorization_code_route
       @use_url_path_for_native_authorization = false unless defined?(@use_url_path_for_native_authorization)
-      @use_url_path_for_native_authorization ? '/:code' : '/native'
+      @use_url_path_for_native_authorization ? "/:code" : "/native"
     end
 
     # [NOTE]: deprecated and will be removed soon

data/lib/doorkeeper/engine.rb

@@ -3,10 +3,8 @@
 module Doorkeeper
   class Engine < Rails::Engine
     initializer "doorkeeper.params.filter", after: :load_config_initializers do |app|
-      if Doorkeeper.configured?
-        parameters = %w[client_secret authentication_token access_token refresh_token]
-        parameters << "code" if Doorkeeper.config.grant_flows.include?("authorization_code")
-        app.config.filter_parameters << /^(#{Regexp.union(parameters)})$/
+      app.config.to_prepare do
+        Doorkeeper.setup_filter_parameters
       end
     end
 

data/lib/doorkeeper/errors.rb

@@ -45,7 +45,7 @@ module Doorkeeper
       end
 
       def self.name_for_response
-        self.name.demodulize.underscore.to_sym
+        name.demodulize.underscore.to_sym
       end
     end
 
@@ -54,7 +54,7 @@ module Doorkeeper
         challenge_methods = Doorkeeper.config.pkce_code_challenge_methods_supported
         {
           challenge_methods: challenge_methods.join(", "),
-          count: challenge_methods.length
+          count: challenge_methods.length,
         }
       end
     end

data/lib/doorkeeper/helpers/controller.rb

@@ -7,6 +7,10 @@ module Doorkeeper
     # Rails controller helpers.
     #
     module Controller
+      def self.included(base)
+        base.helper_method :current_resource_owner if base.respond_to?(:helper_method)
+      end
+
       private
 
       # :doc:
@@ -18,9 +22,7 @@ module Doorkeeper
       def current_resource_owner
         return @current_resource_owner if defined?(@current_resource_owner)
 
-        @current_resource_owner ||= begin
-          instance_eval(&Doorkeeper.config.authenticate_resource_owner)
-        end
+        @current_resource_owner ||= instance_eval(&Doorkeeper.config.authenticate_resource_owner)
       end
 
       def resource_owner_from_credentials

data/lib/doorkeeper/models/access_grant_mixin.rb

@@ -13,6 +13,7 @@ module Doorkeeper
     include Models::Scopes
     include Models::ResourceOwnerable
     include Models::Concerns::WriteToPrimary
+    include Models::ExpirationTimeSqlMath
 
     # Never uses PKCE if PKCE migrations were not generated
     def uses_pkce?

data/lib/doorkeeper/models/access_token_mixin.rb

@@ -222,7 +222,8 @@ module Doorkeeper
         if Doorkeeper.config.reuse_access_token
           custom_attributes = extract_custom_attributes(token_attributes).presence
           access_token = matching_token_for(
-            application, resource_owner, scopes, custom_attributes: custom_attributes, include_expired: false)
+            application, resource_owner, scopes, custom_attributes: custom_attributes, include_expired: false,
+          )
 
           return access_token if access_token&.reusable?
         end
@@ -329,7 +330,8 @@ module Doorkeeper
       #   A hash containing only the custom access token attributes.
       def extract_custom_attributes(attributes)
         attributes.with_indifferent_access.slice(
-          *Doorkeeper.configuration.custom_access_token_attributes)
+          *Doorkeeper.configuration.custom_access_token_attributes,
+        )
       end
     end
 

data/lib/doorkeeper/models/concerns/expiration_time_sql_math.rb

@@ -5,6 +5,14 @@ module Doorkeeper
     module ExpirationTimeSqlMath
       extend ::ActiveSupport::Concern
 
+      WARNING_MESSAGE = <<~WARNING.squish
+        [DOORKEEPER] Doorkeeper doesn't support expiration time math for your database adapter.
+        Records with an individual expires_in value longer than the global TTL may be incorrectly processed.
+        Please add a class method `custom_expiration_time_sql` to your AccessToken/AccessGrant models/mixins to provide a custom
+        SQL expression to calculate access token expiration time. See lib/doorkeeper/orm/active_record/mixins/access_token.rb
+        for more details.
+      WARNING
+
       class ExpirationTimeSqlGenerator
         attr_reader :model
 

data/lib/doorkeeper/models/concerns/polymorphic_resource_owner.rb

@@ -27,4 +27,3 @@ module Doorkeeper
     end
   end
 end
-

data/lib/doorkeeper/oauth/authorization_code_request.rb

@@ -14,6 +14,7 @@ module Doorkeeper
                   :invalid_request_reason, :missing_param
 
       def initialize(server, grant, client, parameters = {})
+        super()
         @server = server
         @client = client
         @grant  = grant

data/lib/doorkeeper/oauth/client_credentials/creator.rb

@@ -45,10 +45,11 @@ module Doorkeeper
         end
 
         def find_active_existing_token_for(client, scopes, attributes)
-          custom_attributes = Doorkeeper.config.access_token_model.
-            extract_custom_attributes(attributes).presence
+          custom_attributes = Doorkeeper.config.access_token_model
+            .extract_custom_attributes(attributes).presence
           Doorkeeper.config.access_token_model.matching_token_for(
-            client, nil, scopes, custom_attributes: custom_attributes, include_expired: false)
+            client, nil, scopes, custom_attributes: custom_attributes, include_expired: false,
+          )
         end
       end
     end

data/lib/doorkeeper/oauth/client_credentials/issuer.rb

@@ -39,7 +39,7 @@ module Doorkeeper
             scopes,
             use_refresh_token: false,
             expires_in: ttl,
-            **attributes
+            **attributes,
           )
         end
       end

data/lib/doorkeeper/oauth/client_credentials_request.rb

@@ -13,6 +13,7 @@ module Doorkeeper
         @client = client
         @server = server
         @response = nil
+        @grant_type = Doorkeeper::OAuth::CLIENT_CREDENTIALS
         @original_scopes = parameters[:scope]
         @parameters = parameters.except(:scope)
       end

data/lib/doorkeeper/oauth/error_response.rb

@@ -88,13 +88,33 @@ module Doorkeeper
 
       def exception_class
         return @exception_class if @exception_class
+
         raise NotImplementedError, "error response must define #exception_class"
       end
 
       private
 
       def authenticate_info
-        %(Bearer realm="#{realm}", error="#{name}", error_description="#{description}")
+        %(Bearer realm="#{realm}", error="#{sanitize_error_values(name)}", error_description="#{sanitize_error_values(description)}")
+      end
+
+      # This method removes any characters that are invalid in error
+      # details per RFC6750.
+      #
+      # > Values for the "error" and "error_description" attributes
+      # > (specified in Appendixes A.7 and A.8 of [RFC6749]) MUST NOT
+      # > include characters outside the set %x20-21 (" " or "!") / %x23-5B /
+      # > %x5D-7E (ascii "#" to "~" without "\").
+      def sanitize_error_values(string)
+        string.to_s.each_char.map do |char|
+          if char.in?("\x20".encode("utf-8").."\x21".encode("utf-8")) ||
+             char.in?("\x23".encode("utf-8").."\x5B".encode("utf-8")) ||
+             char.in?("\x5D".encode("utf-8").."\x7E".encode("utf-8"))
+            char
+          else
+            "_"
+          end
+        end.join("")
       end
     end
   end

data/lib/doorkeeper/oauth/forbidden_token_response.rb

@@ -8,7 +8,7 @@ module Doorkeeper
       end
 
       def initialize(attributes = {})
-        super(attributes.merge(name: :invalid_scope, state: :forbidden))
+        super(attributes.merge(name: :insufficient_scope, state: :forbidden))
         @scopes = attributes[:scopes]
       end
 
@@ -16,12 +16,6 @@ module Doorkeeper
         :forbidden
       end
 
-      def headers
-        headers = super
-        headers.delete "WWW-Authenticate"
-        headers
-      end
-
       def description
         @description ||= I18n.t("doorkeeper.errors.messages.forbidden_token.missing_scope",
                                 oauth_scopes: @scopes.map(&:to_s).join(" "),)

data/lib/doorkeeper/oauth/refresh_token_request.rb

@@ -18,6 +18,7 @@ module Doorkeeper
         @server = server
         @refresh_token = refresh_token
         @credentials = credentials
+        @grant_type = Doorkeeper::OAuth::REFRESH_TOKEN
         @original_scopes = parameters[:scope] || parameters[:scopes]
         @refresh_token_parameter = parameters[:refresh_token]
         @client = load_client(credentials) if credentials
@@ -36,12 +37,14 @@ module Doorkeeper
           # This allows multiple concurrent refresh requests to succeed during the
           # transition period, after which the old refresh token will be revoked.
           raise Errors::InvalidGrantReuse if refresh_token.revoked?
+
           create_access_token
         else
           # Use locking when refresh tokens are revoked immediately
           # to prevent race conditions where multiple tokens could be created
           refresh_token.with_lock do
             raise Errors::InvalidGrantReuse if refresh_token.revoked?
+
             refresh_token.revoke
             create_access_token
           end
@@ -131,10 +134,10 @@ module Doorkeeper
 
       def custom_token_attributes_with_data
         refresh_token
-        .attributes
-        .with_indifferent_access
-        .slice(*Doorkeeper.config.custom_access_token_attributes)
-        .symbolize_keys
+          .attributes
+          .with_indifferent_access
+          .slice(*Doorkeeper.config.custom_access_token_attributes)
+          .symbolize_keys
       end
     end
   end

data/lib/doorkeeper/oauth/scopes.rb

@@ -88,7 +88,7 @@ module Doorkeeper
       #
       # @param other The set of scopes to filter
       def allowed(other)
-        filtered_scopes = other.select { |scope| self.exists?(scope) }
+        filtered_scopes = other.select { |scope| exists?(scope) }
         self.class.from_array(filtered_scopes)
       end
 
@@ -115,7 +115,8 @@ module Doorkeeper
         return false if allowed_pattern[0] != request_pattern[0]
         return false if allowed_pattern[1].blank?
         return false if request_pattern[1].blank?
-        return true  if allowed_pattern[1] == DYNAMIC_SCOPE_WILDCARD && allowed_pattern[1].present?
+
+        return true if allowed_pattern[1] == DYNAMIC_SCOPE_WILDCARD
 
         allowed_pattern[1] == request_pattern[1]
       end

data/lib/doorkeeper/oauth/token_introspection.rb

@@ -102,14 +102,18 @@ module Doorkeeper
 
       # 2.2. Introspection Response
       def success_response
-        customize_response(
+        response = {
           active: true,
           scope: @token.scopes_string,
           client_id: @token.try(:application).try(:uid),
           token_type: @token.token_type,
-          exp: @token.expires_at.to_i,
           iat: @token.created_at.to_i,
-        )
+        }
+        # `exp` is OPTIONAL per RFC 7662 §2.2; omit it for non-expiring tokens
+        # so clients don't interpret `0` as "expired at 1970-01-01".
+        response[:exp] = @token.expires_at.to_i if @token.expires_at
+
+        customize_response(response)
       end
 
       # If the introspection call is properly authorized but the token is not

data/lib/doorkeeper/orm/active_record/mixins/access_token.rb

@@ -73,15 +73,10 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
         if supports_expiration_time_math?
           # have not reached the expiration time or it never expires
           relation.where("#{expiration_time_sql} > ?", Time.now.utc).or(
-            relation.where(expires_in: nil)
+            relation.where(expires_in: nil),
           )
         else
-          ::Kernel.warn <<~WARNING.squish
-            [DOORKEEPER] Doorkeeper doesn't support expiration time math for your database adapter (#{adapter_name}).
-            Please add a class method `custom_expiration_time_sql` for your AccessToken class/mixin to provide a custom
-            SQL expression to calculate access token expiration time. See lib/doorkeeper/orm/active_record/mixins/access_token.rb
-            for more details.
-          WARNING
+          ::Kernel.warn(::Doorkeeper::Models::ExpirationTimeSqlMath::WARNING_MESSAGE)
 
           relation
         end

data/lib/doorkeeper/orm/active_record/stale_records_cleaner.rb

@@ -24,12 +24,19 @@ module Doorkeeper
         # Clears expired records
         def clean_expired(ttl)
           table = @base_scope.arel_table
+          model_class = @base_scope.is_a?(::ActiveRecord::Relation) ? @base_scope.klass : @base_scope
 
-          @base_scope
+          scope = @base_scope
             .where.not(expires_in: nil)
             .where(table[:created_at].lt(Time.current - ttl))
-            .where(table[:created_at] + table[:expires_in].lt(Time.current))
-            .in_batches(&:delete_all)
+
+          if model_class.respond_to?(:supports_expiration_time_math?) && model_class.supports_expiration_time_math?
+            scope = scope.where("#{model_class.expiration_time_sql} < ?", Time.current)
+          else
+            ::Kernel.warn(::Doorkeeper::Models::ExpirationTimeSqlMath::WARNING_MESSAGE)
+          end
+
+          scope.in_batches(&:delete_all)
         end
       end
     end

data/lib/doorkeeper/orm/active_record.rb

@@ -33,12 +33,16 @@ module Doorkeeper
       end
 
       def self.initialize_configured_associations
-        if Doorkeeper.config.enable_application_owner?
-          Doorkeeper.config.application_model.include ::Doorkeeper::Models::Ownership
-        end
+        # NOTE: on_load block is instance_exec'd on ActiveRecord::Base,
+        #       so use fully qualified references (e.g. Doorkeeper.config).
+        ActiveSupport.on_load(:active_record) do
+          if Doorkeeper.config.enable_application_owner?
+            Doorkeeper.config.application_model.include ::Doorkeeper::Models::Ownership
+          end
 
-        Doorkeeper.config.access_grant_model.include ::Doorkeeper::Models::PolymorphicResourceOwner::ForAccessGrant
-        Doorkeeper.config.access_token_model.include ::Doorkeeper::Models::PolymorphicResourceOwner::ForAccessToken
+          Doorkeeper.config.access_grant_model.include ::Doorkeeper::Models::PolymorphicResourceOwner::ForAccessGrant
+          Doorkeeper.config.access_token_model.include ::Doorkeeper::Models::PolymorphicResourceOwner::ForAccessToken
+        end
       end
     end
   end

data/lib/doorkeeper/rails/routes.rb

@@ -54,7 +54,7 @@ module Doorkeeper
           controller: mapping[:controllers],
         ) do
           routes.get native_authorization_code_route, action: :show, on: :member
-          routes.get '/', action: :new, on: :member
+          routes.get "/", action: :new, on: :member
         end
       end
 

data/lib/doorkeeper/version.rb

@@ -5,7 +5,7 @@ module Doorkeeper
     # Semantic versioning
     MAJOR = 5
     MINOR = 9
-    TINY = 0
+    TINY = 1
     PRE = nil
 
     # Full version number

data/lib/doorkeeper.rb

@@ -154,6 +154,16 @@ module Doorkeeper
       end
     end
 
+    def setup_filter_parameters
+      return unless defined?(::Rails) && ::Rails.application && configured?
+
+      parameters = %w[client_secret authentication_token access_token refresh_token]
+      parameters << "code" if configuration.grant_flows.include?("authorization_code")
+      filter = /^(#{Regexp.union(parameters)})$/
+      filter_params = ::Rails.application.config.filter_parameters
+      filter_params << filter unless filter_params.include?(filter)
+    end
+
     def setup_orm_adapter
       @orm_adapter = "doorkeeper/orm/#{configuration.orm}".classify.constantize
     rescue NameError => e

metadata

@@ -1,17 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper
 version: !ruby/object:Gem::Version
-  version: 5.9.0
+  version: 5.9.1
 platform: ruby
 authors:
 - Felipe Elias Philipp
 - Tute Costa
 - Jon Moss
 - Nikita Bulai
-autorequire: 
 bindir: bin
 cert_chain: []
-date: 2026-03-04 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -330,7 +329,6 @@ metadata:
   bug_tracker_uri: https://github.com/doorkeeper-gem/doorkeeper/issues
   documentation_uri: https://doorkeeper.gitbook.io/guides/
   funding_uri: https://opencollective.com/doorkeeper-gem
-post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -345,8 +343,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.15
-signing_key: 
+rubygems_version: 4.0.11
 specification_version: 4
 summary: OAuth 2 provider for Rails and Grape
 test_files: []