doorkeeper 2.0.0.alpha1 → 2.0.0.rc2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d4bc922834f77e390385c6b9ff4284dc7f68cf0b
-  data.tar.gz: 23f9d1f65f3fe87e7c5f603d6b107230e142b79a
+  metadata.gz: 210e4fe74a245228a17d33cee59e3ca0b623cf6f
+  data.tar.gz: d639da9ead08dc48b5dbe89837bd086e909e14c0
 SHA512:
-  metadata.gz: 494114035eb4172c2ade7e380566e5e28707348a54c71d396028dac19fd4a6746c1f5f1272e916921cda0faa8f22bec6900e3af649fc0ae720bc39671ef63b28
-  data.tar.gz: 0288945e46c7b2b90db5a7e75e3db6405331c1dd2830cf46f88ef2154d139530dc60f7ed587c2f2bc56078645d89a64bb7b1efeaf0ce24b2bc96807a27062170
+  metadata.gz: 9e01e9c004ced7e97eef6920c963fbb27c7fa7e3179c2bd00df7a3474c7e0185409cb029d1f2854ea66288f8d16fc27afc8d3bd50c548e37abb77cfbbcdad97b
+  data.tar.gz: 1516f21f124320f14516e5167fb498075105e3453f683465fe08953b44e779d5d7e68fb7ca3f5a97b9db7e822e1bf151ac81813c45d0932d00cacc1bb1faa0eb

data/.travis.yml

@@ -1,18 +1,46 @@
 language: ruby
+sudo: false
+cache: bundler
+
 rvm:
   - 1.9.3
   - 2.0
   - 2.1
+
 env:
-  - rails=3.1.12
-  - rails=3.2.18
-  - rails=4.0.5
-  - rails=4.1.1
-  - orm=mongoid2
-  - orm=mongoid3
-  - orm=mongoid4
-  - orm=mongo_mapper
-  - table_name_prefix=h_
-  - table_name_suffix=_h
+  # - rails=3.1 # Don't need it in the CI matrix
+  - rails=3.2.0
+  - rails=4.0.0
+  - rails=4.1.0
+  - rails=4.2.0.rc2
+
+gemfile:
+  - Gemfile
+  - gemfiles/Gemfile.mongoid2.rb
+  - gemfiles/Gemfile.mongoid3.rb
+  - gemfiles/Gemfile.mongoid4.rb
+  - gemfiles/Gemfile.mongo_mapper.rb
+
 services:
   - mongodb
+
+matrix:
+  exclude:
+    - gemfile: gemfiles/Gemfile.mongoid2.rb
+      env: rails=4.0.0
+    - gemfile: gemfiles/Gemfile.mongoid2.rb
+      env: rails=4.1.0
+    - gemfile: gemfiles/Gemfile.mongoid2.rb
+      env: rails=4.2.0.rc2
+
+    - gemfile: gemfiles/Gemfile.mongoid3.rb
+      env: rails=4.0.0
+    - gemfile: gemfiles/Gemfile.mongoid3.rb
+      env: rails=4.1.0
+    - gemfile: gemfiles/Gemfile.mongoid3.rb
+      env: rails=4.2.0.rc2
+
+    - gemfile: gemfiles/Gemfile.mongoid4.rb
+      env: rails=3.1.0
+    - gemfile: gemfiles/Gemfile.mongoid4.rb
+      env: rails=3.2.0

data/CHANGELOG.md

@@ -1,14 +1,28 @@
 # Changelog
 
-## master (preparation for 2.0.0)
+## 2.0.0
+
+### Backward incompatible changes
 
-- Removes deprecated option `test_redirect_uri`. Now called
-  `native_redirect_uri`.
-- [#446] Removes deprecated `mount Doorkeeper::Engine`. Now we use
-  `use_doorkeeper`.
 - [#448] Removes `doorkeeper_for` helper. Now we use
-  `before_action :doorkeeper_authorize!`. This change didn't go through the
-  deprecation cycle.
+  `before_action :doorkeeper_authorize!`.
+- [#469] Allow client applications to restrict the set of allowable scopes.
+  Fixes #317. `oauth_applications` relation needs a new `scopes` string column,
+  non nullable, which defaults to an empty string. Run `rails generate
+  doorkeeper:application_scopes` to add the column. If you’d rather do it by
+  hand, your ActiveRecord migration should contain:
+
+  ```ruby
+  add_column :oauth_applications, :scopes, :string, null: false, default: ‘’
+  ```
+
+### Removed deprecations
+
+- Removes `test_redirect_uri` option. It is now called `native_redirect_uri`.
+- [#446] Removes `mount Doorkeeper::Engine`. Now we use `use_doorkeeper`.
+
+### Other changes/enhancements
+
 - [#450] When password is invalid in Password Credentials Grant, Doorkeeper
   returned 'invalid_resource_owner' instead of 'invalid_grant', as the spec
   declares. Fixes #444.
@@ -18,6 +32,10 @@
 - [#491] Reworks of @jasl's #454 and #478. ORM refactor that allows doorkeeper
   to be extended more easily with unsupported ORMs. It also marks the boundaries
   between shared model code and ORM specifics inside of the gem.
+- [#496] Tests with Rails 4.2.
+- [#489] Adds `force_ssl_in_redirect_uri` to force the usage of the HTTPS
+  protocol in non-native redirect uris.
+
 
 ## 1.4.0
 

data/CONTRIBUTING.md

@@ -0,0 +1,35 @@
+# Contributing
+
+We love pull requests. Here's a quick guide.
+
+Fork, then clone the repo:
+
+    git clone git@github.com:your-username/doorkeeper.git
+
+Set up Ruby dependencies via Bundler
+
+    bundle install
+
+Make sure the tests pass:
+
+    rake
+
+Make your change. Add tests for your change. Make the tests pass:
+
+    rake
+
+Push to your fork and submit a pull request.
+
+At this point you're waiting on us. We like to at least comment on pull requests
+within three business days (and, typically, one business day). We may suggest
+some changes or improvements or alternatives.
+
+Some things that will increase the chance that your pull request is accepted:
+
+* Write tests.
+* Follow our [style guide][style]. Address Hound CI comments unless you have a
+  good reason not to.
+* Write a [good commit message][commit].
+
+[style]: https://github.com/thoughtbot/guides/tree/master/style
+[commit]: http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html

data/Gemfile

@@ -1,33 +1,11 @@
-# Defaults. For supported versions check .travis.yml
-ENV['rails'] ||= ENV['orm'] == "mongoid4" ? '4.1.0' : '3.2.0'
-ENV['orm']   ||= 'active_record'
+ENV['rails'] ||= '4.2.0.rc2'
 
 source 'https://rubygems.org'
 
-# Define Rails version
 gem 'rails', "~> #{ENV['rails']}"
 
-gem 'database_cleaner' if ENV['rails'][0] == '4'
-
-case ENV['orm']
-when 'active_record'
-  gem 'activerecord'
-
-when 'mongoid2'
-  gem 'mongoid', '~> 2'
-  gem 'bson_ext', '~> 1.7'
-
-when 'mongoid3'
-  gem 'mongoid', '~> 3'
-
-when 'mongoid4'
-  gem 'mongoid', '~> 4'
-  gem 'moped'
-
-when 'mongo_mapper'
-  gem 'mongo_mapper', '~> 0.12'
-  gem 'bson_ext', '~> 1.7'
-
+if ENV['rails'][0] == '4'
+  gem 'database_cleaner'
 end
 
 gemspec

data/README.md

@@ -151,20 +151,7 @@ models, session or routes helpers. However, since this code is not run in the
 context of your application's `ApplicationController` it doesn't have access to
 the methods defined over there.
 
-If you use [devise](https://github.com/plataformatec/devise), you may want to
-use warden to authenticate the block:
-
-``` ruby
-resource_owner_authenticator do
-  current_user || warden.authenticate!(:scope => :user)
-end
-```
-
-Side note: when using devise you have access to `current_user` as devise extends
-entire `ActionController::Base` with the `current_#{mapping}`.
-
-If you are not using devise, you may want to check other ways of
-authentication
+You may want to check other ways of authentication
 [here](https://github.com/doorkeeper-gem/doorkeeper/wiki/Authenticating-using-Clearance-or-DIY).
 
 ## Protecting resources with OAuth (a.k.a your API endpoint)

data/Rakefile

@@ -5,7 +5,9 @@ desc 'Default: run specs.'
 task :default => :spec
 
 desc "Run all specs"
-RSpec::Core::RakeTask.new(:spec)
+RSpec::Core::RakeTask.new(:spec) do |config|
+  config.verbose = false
+end
 
 namespace :doorkeeper do
   desc "Install doorkeeper in dummy app"

data/app/controllers/doorkeeper/authorizations_controller.rb

@@ -4,7 +4,7 @@ module Doorkeeper
 
     def new
       if pre_auth.authorizable?
-        if matching_token? || skip_authorization?
+        if skip_authorization? || matching_token?
           auth = authorization.authorize
           redirect_to auth.redirect_uri
         else
@@ -41,7 +41,9 @@ module Doorkeeper
     end
 
     def pre_auth
-      @pre_auth ||= OAuth::PreAuthorization.new(Doorkeeper.configuration, server.client_via_uid, params)
+      @pre_auth ||= OAuth::PreAuthorization.new(Doorkeeper.configuration,
+                                                server.client_via_uid,
+                                                params)
     end
 
     def authorization

data/app/validators/redirect_uri_validator.rb

@@ -14,6 +14,7 @@ class RedirectUriValidator < ActiveModel::EachValidator
         return if native_redirect_uri?(uri)
         record.errors.add(attribute, :fragment_present) unless uri.fragment.nil?
         record.errors.add(attribute, :relative_uri) if uri.scheme.nil? || uri.host.nil?
+        record.errors.add(attribute, :secured_uri) if invalid_ssl_uri?(uri)
       end
     end
   rescue URI::InvalidURIError
@@ -25,4 +26,9 @@ class RedirectUriValidator < ActiveModel::EachValidator
   def native_redirect_uri?(uri)
     self.class.native_redirect_uri.present? && uri.to_s == self.class.native_redirect_uri.to_s
   end
+
+  def invalid_ssl_uri?(uri)
+    forces_ssl = Doorkeeper.configuration.force_ssl_in_redirect_uri
+    forces_ssl && uri.try(:scheme) != 'https'
+  end
 end

data/config/locales/en.yml

@@ -8,6 +8,7 @@ en:
               fragment_present: 'cannot contain a fragment.'
               invalid_uri: 'must be a valid URI.'
               relative_uri: 'must be an absolute URI.'
+              secured_uri: 'must be an HTTPS/SSL URI.'
   mongoid:
     errors:
       models:
@@ -17,6 +18,7 @@ en:
               fragment_present: 'cannot contain a fragment.'
               invalid_uri: 'must be a valid URI.'
               relative_uri: 'must be an absolute URI.'
+              secured_uri: 'must be an HTTPS/SSL URI.'
   mongo_mapper:
     errors:
       models:
@@ -26,6 +28,7 @@ en:
               fragment_present: 'cannot contain a fragment.'
               invalid_uri: 'must be a valid URI.'
               relative_uri: 'must be an absolute URI.'
+              secured_uri: 'must be an HTTPS/SSL URI.'
   doorkeeper:
     errors:
       messages:

data/doorkeeper.gemspec

@@ -5,8 +5,8 @@ require "doorkeeper/version"
 Gem::Specification.new do |s|
   s.name        = "doorkeeper"
   s.version     = Doorkeeper::VERSION
-  s.authors     = ["Felipe Elias Philipp", "Piotr Jakubowski"]
-  s.email       = ["felipe@applicake.com", "piotr.jakubowski@applicake.com"]
+  s.authors     = ["Felipe Elias Philipp", "Tute Costa"]
+  s.email       = %w(tutecosta@gmail.com)
   s.homepage    = "https://github.com/doorkeeper-gem/doorkeeper"
   s.summary     = "Doorkeeper is an OAuth 2 provider for Rails."
   s.description = "Doorkeeper is an OAuth 2 provider for Rails."
@@ -22,7 +22,7 @@ Gem::Specification.new do |s|
   s.add_development_dependency "rspec-rails", "~> 2.99.0"
   s.add_development_dependency "capybara", "~> 2.3.0"
   s.add_development_dependency "generator_spec", "~> 0.9.0"
-  s.add_development_dependency "factory_girl", "~> 4.4.0"
+  s.add_development_dependency "factory_girl", "~> 4.5.0"
   s.add_development_dependency "timecop", "~> 0.7.0"
   s.add_development_dependency "database_cleaner", "~> 1.3.0"
   s.add_development_dependency "rspec-activemodel-mocks", "~> 1.0.0"

data/gemfiles/Gemfile.common.rb

@@ -0,0 +1,11 @@
+ENV['rails'] ||= '4.2.0.rc2'
+
+source 'https://rubygems.org'
+
+gem 'rails', "~> #{ENV['rails']}"
+
+if ENV['rails'][0] == '4'
+  gem 'database_cleaner'
+end
+
+gemspec path: '../'

data/gemfiles/Gemfile.mongo_mapper.rb

@@ -0,0 +1,5 @@
+gemfile = 'gemfiles/Gemfile.common.rb'
+instance_eval IO.read(gemfile), gemfile
+
+gem 'mongo_mapper', '~> 0.12'
+gem 'bson_ext', '~> 1.7'

data/gemfiles/Gemfile.mongoid2.rb

@@ -0,0 +1,5 @@
+gemfile = 'gemfiles/Gemfile.common.rb'
+instance_eval IO.read(gemfile), gemfile
+
+gem 'mongoid', '~> 2'
+gem 'bson_ext', '~> 1.7'

data/gemfiles/Gemfile.mongoid3.rb

@@ -0,0 +1,4 @@
+gemfile = 'gemfiles/Gemfile.common.rb'
+instance_eval IO.read(gemfile), gemfile
+
+gem 'mongoid', '~> 3'

data/gemfiles/Gemfile.mongoid4.rb

@@ -0,0 +1,5 @@
+gemfile = 'gemfiles/Gemfile.common.rb'
+instance_eval IO.read(gemfile), gemfile
+
+gem 'mongoid', '~> 4'
+gem 'moped'

data/lib/doorkeeper/config.rb

@@ -87,6 +87,10 @@ and that your `initialize_models!` method doesn't raise any errors.\n
       def reuse_access_token
         @config.instance_variable_set("@reuse_access_token", true)
       end
+
+      def force_ssl_in_redirect_uri(boolean)
+        @config.instance_variable_set("@force_ssl_in_redirect_uri", boolean)
+      end
     end
 
     module Option
@@ -174,6 +178,7 @@ and that your `initialize_models!` method doesn't raise any errors.\n
     option :active_record_options,         default: {}
     option :realm,                         default: 'Doorkeeper'
     option :wildcard_redirect_uri,         default: false
+    option :force_ssl_in_redirect_uri,     default: !Rails.env.development?
     option :grant_flows,
            default: %w(authorization_code implicit password client_credentials)
 
@@ -204,7 +209,7 @@ and that your `initialize_models!` method doesn't raise any errors.\n
     end
 
     def orm_name
-      [:mongoid2, :mongoid3, :mongoid4].include?(orm) ? :mongoid : orm
+      [:mongoid2, :mongoid3, :mongoid4].include?(orm.to_sym) ? :mongoid : orm
     end
 
     def client_credentials_methods

data/lib/doorkeeper/models/application_mixin.rb

@@ -3,6 +3,7 @@ module Doorkeeper
     extend ActiveSupport::Concern
 
     include OAuth::Helpers
+    include Models::Scopes
 
     included do
       has_many :access_grants, dependent: :destroy, class_name: 'Doorkeeper::AccessGrant'
@@ -29,8 +30,25 @@ module Doorkeeper
       end
     end
 
+    alias_method :original_scopes, :scopes
+    def scopes
+      if has_scopes?
+        original_scopes
+      else
+        fail NameError, "Missing column: `applications.scopes`.", <<-MSG.squish
+If you are using ActiveRecord run `rails generate doorkeeper:application_scopes
+&& rake db:migrate` to add it.
+        MSG
+      end
+    end
+
     private
 
+    def has_scopes?
+      Doorkeeper.configuration.orm != :active_record ||
+        Application.new.attributes.include?("scopes")
+    end
+
     def generate_uid
       self.uid ||= UniqueToken.generate
     end

data/lib/doorkeeper/oauth/pre_authorization.rb

@@ -48,7 +48,11 @@ module Doorkeeper
 
       def validate_scopes
         return true unless scope.present?
-        Helpers::ScopeChecker.valid? scope, server.scopes
+        if client.application.scopes.empty?
+          Helpers::ScopeChecker.valid?(scope, server.scopes)
+        else
+          Helpers::ScopeChecker.valid?(scope, server.scopes & client.application.scopes)
+        end
       end
 
       # TODO: test uri should be matched against the client's one

data/lib/doorkeeper/oauth/scopes.rb

@@ -17,7 +17,7 @@ module Doorkeeper
         end
       end
 
-      delegate :each, to: :@scopes
+      delegate :each, :empty?, to: :@scopes
 
       def initialize
         @scopes = []
@@ -55,6 +55,11 @@ module Doorkeeper
       def <=>(other)
         self.map(&:to_s).sort <=> other.map(&:to_s).sort
       end
+
+      def &(other)
+        other_array = other.present? ? other.all : []
+        self.class.from_array(all & other_array)
+      end
     end
   end
 end

data/lib/doorkeeper/orm/mongoid2/application.rb

@@ -2,6 +2,7 @@ module Doorkeeper
   class Application
     include Mongoid::Document
     include Mongoid::Timestamps
+    include Models::Mongoid2::Scopes
 
     include ApplicationMixin
 

data/lib/doorkeeper/orm/mongoid3/application.rb

@@ -2,6 +2,7 @@ module Doorkeeper
   class Application
     include Mongoid::Document
     include Mongoid::Timestamps
+    include Models::Mongoid3::Scopes
 
     include ApplicationMixin
 

data/lib/doorkeeper/orm/mongoid4/application.rb

@@ -2,6 +2,7 @@ module Doorkeeper
   class Application
     include Mongoid::Document
     include Mongoid::Timestamps
+    include Models::Mongoid4::Scopes
 
     include ApplicationMixin
 

data/lib/doorkeeper/version.rb

@@ -1,3 +1,3 @@
 module Doorkeeper
-  VERSION = '2.0.0.alpha1'
+  VERSION = '2.0.0.rc2'
 end

data/lib/generators/doorkeeper/application_owner_generator.rb

@@ -6,7 +6,10 @@ class Doorkeeper::ApplicationOwnerGenerator < Rails::Generators::Base
   desc 'Provide support for client application ownership.'
 
   def application_owner
-    migration_template 'add_owner_to_application_migration.rb', 'db/migrate/add_owner_to_application.rb'
+    migration_template(
+      'add_owner_to_application_migration.rb',
+      'db/migrate/add_owner_to_application.rb'
+    )
   end
 
   def self.next_migration_number(dirname)

data/lib/generators/doorkeeper/application_scopes_generator.rb

@@ -0,0 +1,34 @@
+require 'rails/generators/active_record'
+
+class Doorkeeper::ApplicationScopesGenerator < Rails::Generators::Base
+  include Rails::Generators::Migration
+  source_root File.expand_path('../templates', __FILE__)
+  desc 'Copies ActiveRecord migrations to handle upgrade to doorkeeper 2'
+
+  def self.next_migration_number(path)
+    ActiveRecord::Generators::Base.next_migration_number(path)
+  end
+
+  def application_scopes
+    if oauth_applications_exists? && !scopes_column_exists?
+      migration_template(
+        'add_scopes_to_oauth_applications.rb',
+        'db/migrate/add_scopes_to_oauth_applications.rb'
+      )
+    end
+  end
+
+  private
+
+  def scopes_column_exists?
+    ActiveRecord::Base.connection.column_exists?(
+      :oauth_applications,
+      :scopes
+    )
+  end
+
+  # Might be running this before install
+  def oauth_applications_exists?
+    ActiveRecord::Base.connection.table_exists? :oauth_applications
+  end
+end

data/lib/generators/doorkeeper/templates/add_scopes_to_oauth_applications.rb

@@ -0,0 +1,5 @@
+class AddScopesToOauthApplications < ActiveRecord::Migration
+  def change
+    add_column :oauth_applications, :scopes, :string, null: false, default: ''
+  end
+end

data/lib/generators/doorkeeper/templates/initializer.rb

@@ -64,6 +64,12 @@ Doorkeeper.configure do
   #
   # native_redirect_uri 'urn:ietf:wg:oauth:2.0:oob'
 
+  # Forces the usage of the HTTPS protocol in non-native redirect uris (enabled
+  # by default in non-development environments). OAuth2 delegates security in
+  # communication to the HTTPS protocol so it is wise to keep this enabled.
+  #
+  # force_ssl_in_redirect_uri !Rails.env.development?
+
   # Specify what grant flows are enabled in array of Strings. The valid
   # strings and the flows they enable are:
   #

data/lib/generators/doorkeeper/templates/migration.rb

@@ -5,6 +5,7 @@ class CreateDoorkeeperTables < ActiveRecord::Migration
       t.string  :uid,          null: false
       t.string  :secret,       null: false
       t.text    :redirect_uri, null: false
+      t.string  :scopes,       null: false, default: ''
       t.timestamps
     end
 

data/lib/generators/doorkeeper/views_generator.rb

@@ -1,14 +1,13 @@
 module Doorkeeper
   module Generators
     class ViewsGenerator < ::Rails::Generators::Base
-      source_root File.expand_path('../../../../app/views/doorkeeper', __FILE__)
+      source_root File.expand_path('../../../../app/views', __FILE__)
 
-      desc 'Copies default Doorkeeper views to your application.'
+      desc 'Copies default Doorkeeper views and layouts to your application.'
 
       def manifest
-        directory 'applications', 'app/views/doorkeeper/applications'
-        directory 'authorizations', 'app/views/doorkeeper/authorizations'
-        directory 'authorized_applications', 'app/views/doorkeeper/authorized_applications'
+        directory 'doorkeeper', 'app/views/doorkeeper'
+        directory 'layouts/doorkeeper', 'app/views/layouts/doorkeeper'
       end
     end
   end

data/spec/controllers/applications_controller_spec.rb

@@ -18,7 +18,7 @@ module Doorkeeper
         expect do
           post :create, doorkeeper_application: {
             name: 'Example',
-            redirect_uri: 'http://example.com' }
+            redirect_uri: 'https://example.com' }
         end.to_not change { Doorkeeper::Application.count }
       end
     end
@@ -32,7 +32,7 @@ module Doorkeeper
         expect do
           post :create, doorkeeper_application: {
             name: 'Example',
-            redirect_uri: 'http://example.com' }
+            redirect_uri: 'https://example.com' }
         end.to change { Doorkeeper::Application.count }.by(1)
         expect(response).to be_redirect
       end
@@ -50,7 +50,7 @@ module Doorkeeper
         application = FactoryGirl.create(:application)
         put :update, id: application.id, doorkeeper_application: {
           name: 'Example',
-          redirect_uri: 'http://example.com' }
+          redirect_uri: 'https://example.com' }
         expect(application.reload.name).to eq 'Example'
       end
     end

data/spec/controllers/tokens_controller_spec.rb

@@ -18,20 +18,26 @@ describe Doorkeeper::TokensController do
   end
 
   describe 'when authorization has failed' do
-    let :token do
-      double(:token, authorize: false)
-    end
-
-    before do
+    it 'returns the error response' do
+      token = double(:token, authorize: false)
       allow(controller).to receive(:token) { token }
-    end
 
-    it 'returns the error response' do
-      skip 'verify need of these specs'
-      allow(token).to receive(:error_response).and_return(double(to_json: [], status: :unauthorized))
       post :create
+
       expect(response.status).to eq 401
       expect(response.headers['WWW-Authenticate']).to match(/Bearer/)
     end
   end
+
+  describe 'when revoke authorization has failed' do
+    # http://tools.ietf.org/html/rfc7009#section-2.2
+    it 'returns no error response' do
+      token = double(:token, authorize: false)
+      allow(controller).to receive(:token) { token }
+
+      post :revoke
+
+      expect(response.status).to eq 200
+    end
+  end
 end

data/spec/dummy/app/models/user.rb

@@ -1,8 +1,8 @@
-case DOORKEEPER_ORM
-when :active_record
+case DOORKEEPER_ORM.to_s
+when "active_record"
   class User < ActiveRecord::Base
   end
-when :mongoid2, :mongoid3, :mongoid4
+when /mongoid/
   class User
     include Mongoid::Document
     include Mongoid::Timestamps
@@ -10,7 +10,7 @@ when :mongoid2, :mongoid3, :mongoid4
     field :name, type: String
     field :password, type: String
   end
-when :mongo_mapper
+when "mongo_mapper"
   class User
     include MongoMapper::Document
     timestamps!
@@ -21,7 +21,7 @@ when :mongo_mapper
 end
 
 class User
-  if ::Rails.version.to_i < 4
+  if ::Rails.version.to_i < 4 || defined?(::ProtectedAttributes)
     attr_accessible :name, :password
   end
 

data/spec/dummy/config/application.rb

@@ -5,7 +5,7 @@ require 'sprockets/railtie'
 
 Bundler.require :default
 
-orm = if [:mongoid2, :mongoid3, :mongoid4].include?(DOORKEEPER_ORM)
+orm = if DOORKEEPER_ORM =~ /mongoid/
         Mongoid.load!(File.join(File.dirname(File.expand_path(__FILE__)), "#{DOORKEEPER_ORM}.yml"))
         :mongoid
       else

data/spec/dummy/config/boot.rb

@@ -1,6 +1,9 @@
 require 'rubygems'
 require 'bundler/setup'
 
-DOORKEEPER_ORM = (ENV['orm'] || :active_record).to_sym unless defined?(DOORKEEPER_ORM)
+orm = ENV['BUNDLE_GEMFILE'].match(/Gemfile\.(.+)\.rb/)
+unless defined?(DOORKEEPER_ORM)
+  DOORKEEPER_ORM = (orm && orm[1]) || :active_record
+end
 
 $LOAD_PATH.unshift File.expand_path('../../../../lib', __FILE__)

data/spec/dummy/db/migrate/20141209001746_add_scopes_to_oauth_applications.rb

@@ -0,0 +1,5 @@
+class AddScopesToOauthApplications < ActiveRecord::Migration
+  def change
+    add_column :oauth_applications, :scopes, :string, null: false, default: ''
+  end
+end

data/spec/dummy/db/schema.rb

@@ -9,57 +9,58 @@
 # from scratch. The latter is a flawed and unsustainable approach (the more migrations
 # you'll amass, the slower it'll run and the greater likelihood for issues).
 #
-# It's strongly recommended to check this file into your version control system.
+# It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20130902175349) do
+ActiveRecord::Schema.define(version: 20141209001746) do
 
-  create_table 'oauth_access_grants', force: true do |t|
-    t.integer  'resource_owner_id',                 null: false
-    t.integer  'application_id',                    null: false
-    t.string   'token',                             null: false
-    t.integer  'expires_in',                        null: false
-    t.text     'redirect_uri',                      null: false
-    t.datetime 'created_at',                        null: false
-    t.datetime 'revoked_at'
-    t.string   'scopes'
+  create_table "oauth_access_grants", force: true do |t|
+    t.integer  "resource_owner_id",              null: false
+    t.integer  "application_id",                 null: false
+    t.string   "token",                          null: false
+    t.integer  "expires_in",                     null: false
+    t.string   "redirect_uri",      limit: 2048, null: false
+    t.datetime "created_at",                     null: false
+    t.datetime "revoked_at"
+    t.string   "scopes"
   end
 
-  add_index 'oauth_access_grants', ['token'], name: 'index_oauth_access_grants_on_token', unique: true
+  add_index "oauth_access_grants", ["token"], name: "index_oauth_access_grants_on_token", unique: true
 
-  create_table 'oauth_access_tokens', force: true do |t|
-    t.integer  'resource_owner_id'
-    t.integer  'application_id'
-    t.string   'token',             null: false
-    t.string   'refresh_token'
-    t.integer  'expires_in'
-    t.datetime 'revoked_at'
-    t.datetime 'created_at',        null: false
-    t.string   'scopes'
+  create_table "oauth_access_tokens", force: true do |t|
+    t.integer  "resource_owner_id"
+    t.integer  "application_id"
+    t.string   "token",             null: false
+    t.string   "refresh_token"
+    t.integer  "expires_in"
+    t.datetime "revoked_at"
+    t.datetime "created_at",        null: false
+    t.string   "scopes"
   end
 
-  add_index 'oauth_access_tokens', ['refresh_token'], name: 'index_oauth_access_tokens_on_refresh_token', unique: true
-  add_index 'oauth_access_tokens', ['resource_owner_id'], name: 'index_oauth_access_tokens_on_resource_owner_id'
-  add_index 'oauth_access_tokens', ['token'], name: 'index_oauth_access_tokens_on_token', unique: true
+  add_index "oauth_access_tokens", ["refresh_token"], name: "index_oauth_access_tokens_on_refresh_token", unique: true
+  add_index "oauth_access_tokens", ["resource_owner_id"], name: "index_oauth_access_tokens_on_resource_owner_id"
+  add_index "oauth_access_tokens", ["token"], name: "index_oauth_access_tokens_on_token", unique: true
 
-  create_table 'oauth_applications', force: true do |t|
-    t.string   'name',                         null: false
-    t.string   'uid',                          null: false
-    t.string   'secret',                       null: false
-    t.text     'redirect_uri',                 null: false
-    t.datetime 'created_at',                   null: false
-    t.datetime 'updated_at',                   null: false
-    t.integer  'owner_id'
-    t.string   'owner_type'
+  create_table "oauth_applications", force: true do |t|
+    t.string   "name",                                   null: false
+    t.string   "uid",                                    null: false
+    t.string   "secret",                                 null: false
+    t.string   "redirect_uri", limit: 2048,              null: false
+    t.datetime "created_at",                             null: false
+    t.datetime "updated_at",                             null: false
+    t.integer  "owner_id"
+    t.string   "owner_type"
+    t.string   "scopes",                    default: "", null: false
   end
 
-  add_index 'oauth_applications', %w(owner_id owner_type), name: 'index_oauth_applications_on_owner_id_and_owner_type'
-  add_index 'oauth_applications', ['uid'], name: 'index_oauth_applications_on_uid', unique: true
+  add_index "oauth_applications", ["owner_id", "owner_type"], name: "index_oauth_applications_on_owner_id_and_owner_type"
+  add_index "oauth_applications", ["uid"], name: "index_oauth_applications_on_uid", unique: true
 
-  create_table 'users', force: true do |t|
-    t.string   'name'
-    t.datetime 'created_at', null: false
-    t.datetime 'updated_at', null: false
-    t.string   'password'
+  create_table "users", force: true do |t|
+    t.string   "name"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.string   "password"
   end
 
 end

data/spec/factories.rb

@@ -0,0 +1,24 @@
+FactoryGirl.define do
+  factory :access_grant, class: Doorkeeper::AccessGrant do
+    sequence(:resource_owner_id) { |n| n }
+    application
+    redirect_uri 'https://app.com/callback'
+    expires_in 100
+    scopes 'public write'
+  end
+
+  factory :access_token, class: Doorkeeper::AccessToken do
+    sequence(:resource_owner_id) { |n| n }
+    application
+    expires_in 2.hours
+
+    factory :clientless_access_token do
+      application nil
+    end
+  end
+
+  factory :application, class: Doorkeeper::Application do
+    sequence(:name) { |n| "Application #{n}" }
+    redirect_uri 'https://app.com/callback'
+  end
+end

data/spec/lib/config_spec.rb

@@ -135,6 +135,20 @@ describe Doorkeeper, 'configuration' do
     end
   end
 
+  describe 'force_ssl_in_redirect_uri' do
+    it 'is true by default in non-development environments' do
+      expect(subject.force_ssl_in_redirect_uri).to be_truthy
+    end
+
+    it 'can change the value' do
+      Doorkeeper.configure do
+        orm DOORKEEPER_ORM
+        force_ssl_in_redirect_uri(false)
+      end
+      expect(subject.force_ssl_in_redirect_uri).to be_falsey
+    end
+  end
+
   describe 'access_token_credentials' do
     it 'has defaults order' do
       expect(subject.access_token_methods).to eq([:from_bearer_authorization, :from_access_token_param, :from_bearer_param])

data/spec/lib/oauth/client_spec.rb

@@ -28,7 +28,7 @@ module Doorkeeper::OAuth
         expect(Client.authenticate(credentials, authenticator)).to be_a(Client)
       end
 
-      it 'retunrs nil if client was not authenticated' do
+      it 'returns nil if client was not authenticated' do
         credentials = Client::Credentials.new('some-uid', 'some-secret')
         authenticator = double
         expect(authenticator).to receive(:call).with('some-uid', 'some-secret').and_return(nil)

data/spec/lib/oauth/pre_authorization_spec.rb

@@ -5,11 +5,19 @@ module Doorkeeper::OAuth
     let(:server) {
       server = Doorkeeper.configuration
       server.stub(:default_scopes) { Scopes.new }
-      server.stub(:scopes) { Scopes.from_string('public') }
+      server.stub(:scopes) { Scopes.from_string('public profile') }
       server
     }
 
-    let(:client) { double :client, redirect_uri: 'http://tst.com/auth' }
+    let(:application) do
+      application = double :application
+      application.stub(:scopes) { Scopes.from_string('') }
+      application
+    end
+
+    let(:client) do
+      double :client, redirect_uri: 'http://tst.com/auth', application: application
+    end
 
     let :attributes do
       {
@@ -71,9 +79,39 @@ module Doorkeeper::OAuth
       end
     end
 
-    it 'accepts valid scopes' do
-      subject.scope = 'public'
-      expect(subject).to be_authorizable
+    context 'client application does not restrict valid scopes' do
+      it 'accepts valid scopes' do
+        subject.scope = 'public'
+        expect(subject).to be_authorizable
+      end
+
+      it 'rejects (globally) non-valid scopes' do
+        subject.scope = 'invalid'
+        expect(subject).not_to be_authorizable
+      end
+    end
+
+    context 'client application restricts valid scopes' do
+      let(:application) do
+        application = double :application
+        application.stub(:scopes) { Scopes.from_string('public nonsense') }
+        application
+      end
+
+      it 'accepts valid scopes' do
+        subject.scope = 'public'
+        expect(subject).to be_authorizable
+      end
+
+      it 'rejects (globally) non-valid scopes' do
+        subject.scope = 'invalid'
+        expect(subject).not_to be_authorizable
+      end
+
+      it 'rejects (application level) non-valid scopes' do
+        subject.scope = 'profile'
+        expect(subject).to_not be_authorizable
+      end
     end
 
     it 'uses default scopes when none is required' do
@@ -112,9 +150,5 @@ module Doorkeeper::OAuth
       expect(subject).not_to be_authorizable
     end
 
-    it 'rejects non-valid scopes' do
-      subject.scope = 'invalid'
-      expect(subject).not_to be_authorizable
-    end
   end
 end

data/spec/models/doorkeeper/application_spec.rb

@@ -173,5 +173,20 @@ module Doorkeeper
         expect(authenticated).to eq(app)
       end
     end
+
+    if Doorkeeper.configuration.orm == :active_record
+      describe :scopes do
+        it 'fails on missing column with an upgrade notice' do
+          app = FactoryGirl.build :application
+          no_scopes_app = double(attributes: [])
+          allow(Application).to receive(:new).and_return(no_scopes_app)
+
+          expect { app.scopes }.to raise_error(
+            NameError,
+            /Missing column: `applications.scopes`/
+          )
+        end
+      end
+    end
   end
 end

data/spec/requests/applications/applications_request_spec.rb

@@ -8,7 +8,9 @@ feature 'Adding applications' do
 
     scenario 'adding a valid app' do
       fill_in 'doorkeeper_application[name]', with: 'My Application'
-      fill_in 'doorkeeper_application[redirect_uri]', with: 'http://example.com'
+      fill_in 'doorkeeper_application[redirect_uri]',
+              with: 'https://example.com'
+
       click_button 'Submit'
       i_should_see 'Application created'
       i_should_see 'My Application'

data/spec/spec_helper_integration.rb

@@ -1,8 +1,10 @@
 ENV['RAILS_ENV'] ||= 'test'
-DOORKEEPER_ORM = (ENV['orm'] || :active_record).to_sym
 TABLE_NAME_PREFIX = ENV['table_name_prefix'] || nil
 TABLE_NAME_SUFFIX = ENV['table_name_suffix'] || nil
 
+orm = ENV['BUNDLE_GEMFILE'].match(/Gemfile\.(.+)\.rb/)
+DOORKEEPER_ORM = (orm && orm[1]) || :active_record
+
 $LOAD_PATH.unshift File.dirname(__FILE__)
 
 require 'capybara/rspec'

data/spec/validators/redirect_uri_validator_spec.rb

@@ -6,7 +6,7 @@ describe RedirectUriValidator do
   end
 
   it 'is valid when the uri is a uri' do
-    subject.redirect_uri = 'http://example.com/callback'
+    subject.redirect_uri = 'https://example.com/callback'
     expect(subject).to be_valid
   end
 
@@ -34,13 +34,40 @@ describe RedirectUriValidator do
   end
 
   it 'is invalid when the uri has a fragment' do
-    subject.redirect_uri = 'http://example.com/abcd#xyz'
+    subject.redirect_uri = 'https://example.com/abcd#xyz'
     expect(subject).not_to be_valid
     expect(subject.errors[:redirect_uri].first).to eq('cannot contain a fragment.')
   end
 
   it 'is invalid when the uri has a query parameter' do
-    subject.redirect_uri = 'http://example.com/abcd?xyz=123'
+    subject.redirect_uri = 'https://example.com/abcd?xyz=123'
     expect(subject).to be_valid
   end
+
+  context 'force secured uri' do
+    it 'accepts an valid uri' do
+      subject.redirect_uri = 'https://example.com/callback'
+      expect(subject).to be_valid
+    end
+
+    it 'accepts native redirect uri' do
+      subject.redirect_uri = 'urn:ietf:wg:oauth:2.0:oob'
+      expect(subject).to be_valid
+    end
+
+    it 'accepts a non secured protocol when disabled' do
+      subject.redirect_uri = 'http://example.com/callback'
+      allow(Doorkeeper.configuration).to receive(
+                                             :force_ssl_in_redirect_uri
+                                         ).and_return(false)
+      expect(subject).to be_valid
+    end
+
+    it 'invalidates the uri when the uri does not use a secure protocol' do
+      subject.redirect_uri = 'http://example.com/callback'
+      expect(subject).not_to be_valid
+      error = subject.errors[:redirect_uri].first
+      expect(error).to eq('must be an HTTPS/SSL URI.')
+    end
+  end
 end

metadata

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper
 version: !ruby/object:Gem::Version
-  version: 2.0.0.alpha1
+  version: 2.0.0.rc2
 platform: ruby
 authors:
 - Felipe Elias Philipp
-- Piotr Jakubowski
+- Tute Costa
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-10-11 00:00:00.000000000 Z
+date: 2014-12-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -87,14 +87,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 4.4.0
+        version: 4.5.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 4.4.0
+        version: 4.5.0
 - !ruby/object:Gem::Dependency
   name: timecop
   requirement: !ruby/object:Gem::Requirement
@@ -167,8 +167,7 @@ dependencies:
         version: 0.10.0
 description: Doorkeeper is an OAuth 2 provider for Rails.
 email:
-- felipe@applicake.com
-- piotr.jakubowski@applicake.com
+- tutecosta@gmail.com
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -178,6 +177,7 @@ files:
 - ".rspec"
 - ".travis.yml"
 - CHANGELOG.md
+- CONTRIBUTING.md
 - Gemfile
 - MIT-LICENSE
 - README.md
@@ -208,6 +208,11 @@ files:
 - app/views/layouts/doorkeeper/application.html.erb
 - config/locales/en.yml
 - doorkeeper.gemspec
+- gemfiles/Gemfile.common.rb
+- gemfiles/Gemfile.mongo_mapper.rb
+- gemfiles/Gemfile.mongoid2.rb
+- gemfiles/Gemfile.mongoid3.rb
+- gemfiles/Gemfile.mongoid4.rb
 - lib/doorkeeper.rb
 - lib/doorkeeper/config.rb
 - lib/doorkeeper/engine.rb
@@ -289,10 +294,12 @@ files:
 - lib/doorkeeper/validations.rb
 - lib/doorkeeper/version.rb
 - lib/generators/doorkeeper/application_owner_generator.rb
+- lib/generators/doorkeeper/application_scopes_generator.rb
 - lib/generators/doorkeeper/install_generator.rb
 - lib/generators/doorkeeper/migration_generator.rb
 - lib/generators/doorkeeper/templates/README
 - lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb
+- lib/generators/doorkeeper/templates/add_scopes_to_oauth_applications.rb
 - lib/generators/doorkeeper/templates/initializer.rb
 - lib/generators/doorkeeper/templates/migration.rb
 - lib/generators/doorkeeper/views_generator.rb
@@ -331,19 +338,19 @@ files:
 - spec/dummy/config/mongoid3.yml
 - spec/dummy/config/mongoid4.yml
 - spec/dummy/config/routes.rb
+- spec/dummy/db/development.sqlite3
 - spec/dummy/db/migrate/20111122132257_create_users.rb
 - spec/dummy/db/migrate/20120312140401_add_password_to_users.rb
 - spec/dummy/db/migrate/20130902165751_create_doorkeeper_tables.rb
 - spec/dummy/db/migrate/20130902175349_add_owner_to_application.rb
+- spec/dummy/db/migrate/20141209001746_add_scopes_to_oauth_applications.rb
 - spec/dummy/db/schema.rb
 - spec/dummy/public/404.html
 - spec/dummy/public/422.html
 - spec/dummy/public/500.html
 - spec/dummy/public/favicon.ico
 - spec/dummy/script/rails
-- spec/factories/access_grant.rb
-- spec/factories/access_token.rb
-- spec/factories/application.rb
+- spec/factories.rb
 - spec/generators/application_owner_generator_spec.rb
 - spec/generators/install_generator_spec.rb
 - spec/generators/migration_generator_spec.rb
@@ -442,3 +449,4 @@ signing_key:
 specification_version: 4
 summary: Doorkeeper is an OAuth 2 provider for Rails.
 test_files: []
+has_rdoc: 

data/spec/factories/access_grant.rb

@@ -1,9 +0,0 @@
-FactoryGirl.define do
-  factory :access_grant, class: Doorkeeper::AccessGrant do
-    sequence(:resource_owner_id) { |n| n }
-    application
-    redirect_uri 'https://app.com/callback'
-    expires_in 100
-    scopes 'public write'
-  end
-end

data/spec/factories/access_token.rb

@@ -1,11 +0,0 @@
-FactoryGirl.define do
-  factory :access_token, class: Doorkeeper::AccessToken do
-    sequence(:resource_owner_id) { |n| n }
-    application
-    expires_in 2.hours
-
-    factory :clientless_access_token do
-      application nil
-    end
-  end
-end

data/spec/factories/application.rb

@@ -1,6 +0,0 @@
-FactoryGirl.define do
-  factory :application, class: Doorkeeper::Application do
-    sequence(:name) { |n| "Application #{n}" }
-    redirect_uri 'https://app.com/callback'
-  end
-end