doorkeeper 4.0.0.rc2 → 4.0.0.rc3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: cf9f87edf2bb97b62628659cd77adbf6b8efb103
-  data.tar.gz: d5481740fd13dc62cc157deb6cb2c75890612e82
+  metadata.gz: 7970dc66221f5d0ae37df19896a059af6583c3b4
+  data.tar.gz: 9946ccd3e46137c0ed1e51430848ed0ea6e42c9d
 SHA512:
-  metadata.gz: daac8f9ffc3dc10f4a3a7f5836641958b5a079569e09e7a623f1119169e93cef1db5f534d9dfbfa1bf355728f9e119158d10de215a0cc45f9eaa19e435df9d91
-  data.tar.gz: 66b9b8c90fe75e89d6831f034bfb580ca6d1a2f20157de569bdb67168e15f1e5f9c0b1b26b6b37cc6d11e550deb3b7da621d62a3411a6292f5973d333d328dfa
+  metadata.gz: bf56405349f6d0c3e1402a57b962ba25c17dbd78116cb20045088bdf0981f2a2b7539f96d57afff02b00cf62273457b50b388f9fa45aad9cc38e6fd4e5a13b1f
+  data.tar.gz: 6fccbea56797d79ebc29e33e9fc13139308e92a5e09f48f70b12a5f97088c9e9f4ded86e12bc7fa595c7517dad3b4ab76dbed4e0aa6d7306c437db114eb2b74a

data/.travis.yml

@@ -6,7 +6,9 @@ rvm:
   - 2.1
   - 2.2.4
   - 2.3.0
-  - jruby-head
+
+before_install:
+  - gem install bundler -v '~> 1.10'
 
 env:
   - rails=4.2.0
@@ -16,5 +18,3 @@ matrix:
   exclude:
     - env: rails=5.0.0.beta3
       rvm: 2.1
-    - env: rails=5.0.0.beta3
-      rvm: jruby-head

data/Gemfile

@@ -4,10 +4,6 @@ source "https://rubygems.org"
 
 gem "rails", "~> #{ENV["rails"]}"
 
-if ENV["rails"] == "5.0.0.beta1"
-  gem "capybara", github: "jnicklas/capybara"
-end
-
 gem "activerecord-jdbcsqlite3-adapter", platform: :jruby
 gem "sqlite3", platform: [:ruby, :mswin, :mingw]
 

data/NEWS.md

@@ -4,9 +4,28 @@ User-visible changes worth mentioning.
 
 ---
 
+## 4.0.0.rc3
+
+- [#769] Revoke refresh token on access token use. To make use of the new config
+  add `previous_refresh_token` column to `oauth_access_tokens`:
+
+  ```
+  rails generate doorkeeper:previous_refresh_token
+  ```
+- [#811] Toughen parameters filter with exact match
+- [#813] Applications admin bugfix
+- [#799] Fix Ruby Warnings
+- Drop `attr_accessible` from models
+
+### Backward incompatible changes
+
+- [#730] Force all timezones to use UTC to prevent comparison issues.
+- [#802] Remove `config.i18n.fallbacks` from engine
+
 ## 4.0.0.rc2
 
 - Fix optional belongs_to for Rails 5
+- Fix Ruby warnings
 
 ## 4.0.0.rc1
 
@@ -87,7 +106,7 @@ User-visible changes worth mentioning.
 - Remove `applications.scopes` upgrade notice.
 
 
-## 2.2.2 (unreleased)
+## 2.2.2
 
 - [#541] Fixed `undefined method attr_accessible` problem on Rails 4
     (happens only when ProtectedAttributes gem is used) in #599

data/README.md

@@ -16,43 +16,41 @@ functionality to your Rails or Grape application.
 Please check the documentation for the version of doorkeeper you are using in:
 https://github.com/doorkeeper-gem/doorkeeper/releases
 
+- See the [wiki](https://github.com/doorkeeper-gem/doorkeeper/wiki)
+- For general questions, please post in [Stack Overflow](http://stackoverflow.com/questions/tagged/doorkeeper)
+
 ## Table of Contents
 
 <!-- START doctoc generated TOC please keep comment here to allow auto update -->
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
-- [Useful links](#useful-links)
+
 - [Installation](#installation)
 - [Configuration](#configuration)
-    - [Active Record](#active-record)
-    - [Other ORMs](#other-orms)
-    - [Routes](#routes)
-    - [Authenticating](#authenticating)
-    - [Internationalization (I18n)](#internationalization-i18n)
+  - [Active Record](#active-record)
+  - [Other ORMs](#other-orms)
+  - [Routes](#routes)
+  - [Authenticating](#authenticating)
+  - [Internationalization (I18n)](#internationalization-i18n)
 - [Protecting resources with OAuth (a.k.a your API endpoint)](#protecting-resources-with-oauth-aka-your-api-endpoint)
-    - [Protect your API with OAuth when using Grape](#protect-your-api-with-oauth-when-using-grape)
-    - [Route Constraints and other integrations](#route-constraints-and-other-integrations)
-    - [Access Token Scopes](#access-token-scopes)
-    - [Custom Access Token Generator](#custom-access-token-generator)
-    - [Authenticated resource owner](#authenticated-resource-owner)
-    - [Applications list](#applications-list)
+  - [Protect your API with OAuth when using Grape](#protect-your-api-with-oauth-when-using-grape)
+  - [Route Constraints and other integrations](#route-constraints-and-other-integrations)
+  - [Access Token Scopes](#access-token-scopes)
+  - [Custom Access Token Generator](#custom-access-token-generator)
+  - [Authenticated resource owner](#authenticated-resource-owner)
+  - [Applications list](#applications-list)
 - [Other customizations](#other-customizations)
 - [Upgrading](#upgrading)
 - [Development](#development)
 - [Contributing](#contributing)
 - [Other resources](#other-resources)
-    - [Wiki](#wiki)
-    - [Screencast](#screencast)
-    - [Client applications](#client-applications)
-    - [Contributors](#contributors)
-    - [IETF Standards](#ietf-standards)
-    - [License](#license)
-<!-- END doctoc generated TOC please keep comment here to allow auto update -->
+  - [Wiki](#wiki)
+  - [Screencast](#screencast)
+  - [Client applications](#client-applications)
+  - [Contributors](#contributors)
+  - [IETF Standards](#ietf-standards)
+  - [License](#license)
 
-
-## Useful links
-
-- For documentation, please check out our [wiki](https://github.com/doorkeeper-gem/doorkeeper/wiki)
-- For general questions, please post it in [stack overflow](http://stackoverflow.com/questions/tagged/doorkeeper)
+<!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
 ## Installation
 
@@ -78,7 +76,7 @@ to generate the migration tables:
     rails generate doorkeeper:migration
 
 You may want to add foreign keys to your migration. For example, if you plan on
-using making `User` the resource owner, change the two lines in the migration
+using `User` as the resource owner, change the line in the migration
 file:
 
 ```ruby

data/app/views/doorkeeper/applications/show.html.erb

@@ -22,7 +22,7 @@
             <code><%= uri %></code>
           </td>
           <td>
-            <%= link_to t('doorkeeper.applications.buttons.authorize'), oauth_authorization_path(client_id: @application.uid, redirect_uri: uri, response_type: 'code'), class: 'btn btn-success', target: '_blank' %>
+            <%= link_to t('doorkeeper.applications.buttons.authorize'), oauth_authorization_path(client_id: @application.uid, redirect_uri: uri, response_type: 'code', scope: @application.scopes), class: 'btn btn-success', target: '_blank' %>
           </td>
         </tr>
       <% end %>

data/doorkeeper.gemspec

@@ -18,10 +18,11 @@ Gem::Specification.new do |s|
 
   s.add_dependency "railties", ">= 4.2"
 
-  s.add_development_dependency "rspec-rails"
   s.add_development_dependency "capybara"
-  s.add_development_dependency "generator_spec", "~> 0.9.0"
+  s.add_development_dependency "database_cleaner", "~> 1.3.0"
   s.add_development_dependency "factory_girl", "~> 4.5.0"
+  s.add_development_dependency "generator_spec", "~> 0.9.0"
+  s.add_development_dependency "rake", "> 10.5.0"
+  s.add_development_dependency "rspec-rails"
   s.add_development_dependency "timecop", "~> 0.7.0"
-  s.add_development_dependency "database_cleaner", "~> 1.3.0"
 end

data/lib/doorkeeper/config.rb

@@ -133,6 +133,7 @@ doorkeeper.
         attribute_builder = options[:builder_class]
 
         Builder.instance_eval do
+          remove_method name if method_defined?(name)
           define_method name do |*args, &block|
             # TODO: is builder_class option being used?
             value = unless attribute_builder
@@ -193,14 +194,17 @@ doorkeeper.
     attr_reader :reuse_access_token
 
     def refresh_token_enabled?
+      @refresh_token_enabled ||= false
       !!@refresh_token_enabled
     end
 
     def enable_application_owner?
+      @enable_application_owner ||= false
       !!@enable_application_owner
     end
 
     def confirm_application_owner?
+      @confirm_application_owner ||= false
       !!@confirm_application_owner
     end
 
@@ -224,10 +228,6 @@ doorkeeper.
       @access_token_methods ||= [:from_bearer_authorization, :from_access_token_param, :from_bearer_param]
     end
 
-    def realm
-      @realm ||= 'Doorkeeper'
-    end
-
     def authorization_response_types
       @authorization_response_types ||= calculate_authorization_response_types
     end
@@ -236,6 +236,18 @@ doorkeeper.
       @token_grant_types ||= calculate_token_grant_types
     end
 
+    def refresh_token_revoked_on_use?
+      unless @refresh_token_revoked_on_use.nil?
+        return @refresh_token_revoked_on_use
+      end
+
+      @refresh_token_revoked_on_use =
+        ActiveRecord::Base.connection.column_exists?(
+          :oauth_access_tokens,
+          :previous_refresh_token
+        )
+    end
+
     private
 
     # Determines what values are acceptable for 'response_type' param in

data/lib/doorkeeper/engine.rb

@@ -1,13 +1,8 @@
 module Doorkeeper
   class Engine < Rails::Engine
     initializer "doorkeeper.params.filter" do |app|
-      app.config.filter_parameters += [:client_secret, :code, :token]
-    end
-
-    initializer "doorkeeper.locales" do |app|
-      if app.config.i18n.fallbacks.blank?
-        app.config.i18n.fallbacks = [:en]
-      end
+      parameters = %w(client_secret code authentication_token access_token refresh_token)
+      app.config.filter_parameters << /^(#{Regexp.union parameters})$/
     end
 
     initializer "doorkeeper.routes" do

data/lib/doorkeeper/models/access_grant_mixin.rb

@@ -20,10 +20,6 @@ module Doorkeeper
 
       belongs_to :application, belongs_to_options
 
-      if respond_to?(:attr_accessible)
-        attr_accessible :resource_owner_id, :application_id, :expires_in, :redirect_uri, :scopes
-      end
-
       validates :resource_owner_id, :application_id, :token, :expires_in, :redirect_uri, presence: true
       validates :token, uniqueness: true
 

data/lib/doorkeeper/models/access_token_mixin.rb

@@ -25,11 +25,6 @@ module Doorkeeper
 
       attr_writer :use_refresh_token
 
-      if respond_to?(:attr_accessible)
-        attr_accessible :application_id, :resource_owner_id, :expires_in,
-                        :scopes, :use_refresh_token
-      end
-
       before_validation :generate_token, on: :create
       before_validation :generate_refresh_token,
                         on: :create,
@@ -105,6 +100,7 @@ module Doorkeeper
     end
 
     def use_refresh_token?
+      @use_refresh_token ||= false
       !!@use_refresh_token
     end
 

data/lib/doorkeeper/models/application_mixin.rb

@@ -15,10 +15,6 @@ module Doorkeeper
       validates :redirect_uri, redirect_uri: true
 
       before_validation :generate_uid, :generate_secret, on: :create
-
-      if respond_to?(:attr_accessible)
-        attr_accessible :name, :redirect_uri, :scopes
-      end
     end
 
     module ClassMethods

data/lib/doorkeeper/models/concerns/expirable.rb

@@ -2,12 +2,12 @@ module Doorkeeper
   module Models
     module Expirable
       def expired?
-        expires_in && Time.now > expired_time
+        expires_in && Time.now.utc > expired_time
       end
 
       def expires_in_seconds
         return nil if expires_in.nil?
-        expires = (created_at + expires_in.seconds) - Time.now
+        expires = (created_at + expires_in.seconds) - Time.now.utc
         expires_sec = expires.seconds.round(0)
         expires_sec > 0 ? expires_sec : 0
       end

data/lib/doorkeeper/models/concerns/revocable.rb

@@ -2,11 +2,28 @@ module Doorkeeper
   module Models
     module Revocable
       def revoke(clock = Time)
-        update_attribute :revoked_at, clock.now
+        update_attribute :revoked_at, clock.now.utc
       end
 
       def revoked?
-        !!(revoked_at && revoked_at <= Time.now)
+        !!(revoked_at && revoked_at <= Time.now.utc)
+      end
+
+      def revoke_previous_refresh_token!
+        return unless refresh_token_revoked_on_use?
+        old_refresh_token.revoke if old_refresh_token
+        update_attribute :previous_refresh_token, ""
+      end
+
+      private
+
+      def old_refresh_token
+        @old_refresh_token ||=
+          AccessToken.by_refresh_token(previous_refresh_token)
+      end
+
+      def refresh_token_revoked_on_use?
+        Doorkeeper.configuration.refresh_token_revoked_on_use?
       end
     end
   end

data/lib/doorkeeper/oauth/client/credentials.rb

@@ -7,7 +7,7 @@ module Doorkeeper
         def self.from_request(request, *credentials_methods)
           credentials_methods.inject(nil) do |credentials, method|
             method = self.method(method) if method.is_a?(Symbol)
-            credentials = Credentials.new *method.call(request)
+            credentials = Credentials.new(*method.call(request))
             break credentials unless credentials.blank?
           end
         end

data/lib/doorkeeper/oauth/client_credentials_request.rb

@@ -8,8 +8,10 @@ module Doorkeeper
       include Validations
       include OAuth::RequestConcern
 
-      attr_accessor :issuer, :server, :client, :original_scopes
+      attr_accessor :server, :client, :original_scopes
       attr_reader :response
+      attr_writer :issuer
+
       alias :error_response :response
 
       delegate :error, to: :issuer

data/lib/doorkeeper/oauth/helpers/scope_checker.rb

@@ -13,7 +13,7 @@ module Doorkeeper
 
           def valid?
             scope_str.present? &&
-              scope_str !~ /[\n|\r|\t]/ &&
+              scope_str !~ /[\n\r\t]/ &&
               @valid_scopes.has_scopes?(parsed_scopes)
           end
 

data/lib/doorkeeper/oauth/refresh_token_request.rb

@@ -12,7 +12,9 @@ module Doorkeeper
       validate :scope,        error: :invalid_scope
 
       attr_accessor :access_token, :client, :credentials, :refresh_token,
-                    :server
+                    :server, :refresh_token_parameter
+
+      private :refresh_token_parameter, :refresh_token_parameter=
 
       def initialize(server, refresh_token, credentials, parameters = {})
         @server          = server
@@ -29,34 +31,44 @@ module Doorkeeper
 
       private
 
-      attr_reader :refresh_token_parameter
-
       def before_successful_response
         refresh_token.transaction do
           refresh_token.lock!
           raise Errors::InvalidTokenReuse if refresh_token.revoked?
 
-          refresh_token.revoke
+          refresh_token.revoke unless refresh_token_revoked_on_use?
           create_access_token
         end
       end
 
+      def refresh_token_revoked_on_use?
+        server.refresh_token_revoked_on_use?
+      end
+
       def default_scopes
         refresh_token.scopes
       end
 
       def create_access_token
-        expires_in = Authorization::Token.access_token_expires_in(
-          server,
-          client
-        )
+        @access_token = AccessToken.create!(access_token_attributes)
+      end
 
-        @access_token = AccessToken.create!(
+      def access_token_attributes
+        {
           application_id: refresh_token.application_id,
           resource_owner_id: refresh_token.resource_owner_id,
           scopes: scopes.to_s,
-          expires_in: expires_in,
-          use_refresh_token: true)
+          expires_in: access_token_expires_in,
+          use_refresh_token: true
+        }.tap do |attributes|
+          if refresh_token_revoked_on_use?
+            attributes[:previous_refresh_token] = refresh_token.refresh_token
+          end
+        end
+      end
+
+      def access_token_expires_in
+        Authorization::Token.access_token_expires_in(server, client)
       end
 
       def validate_token_presence