doorkeeper 4.2.6 → 4.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b4b94e7f1fb4975a36ad84ccfda9bcfb0b5e2bd7
-  data.tar.gz: fc5914c689e55572a9313caa07f2644c29f37574
+  metadata.gz: 323927e89a9c1c31f4f5dda92873c1959f2455a9
+  data.tar.gz: 956c2a288dbc09fa8cc4bcb7d809ef5dd53bd4ba
 SHA512:
-  metadata.gz: f90cc508667ce0ec9693925a187fbc9ae5b9eeaf95b74648c9981ceea9eaef305d9981f75d48a8b8f0e00929bcc748a51da4b013b814ffa8a9344a4fc44257e1
-  data.tar.gz: 433cafea0488b8d0ab2d7d9b164b9510191f9a6d6534443674064e60c8ea2c0007494a9015b8c9d96a44b603182217496d4221db752c21d1cc5e56b1e377ae86
+  metadata.gz: a1dbfedef840dc12c3e3ce33ba854963df84aaed81b97bc1828b177ef3c9d9ab4454dda6f37abe75f855eb39561a8e524a047bdffd9ddf44bf8a80d9d24b5c59
+  data.tar.gz: 27d2b543b67f67e750e8c317680b38583bb53473d8a0350aecccb7f9723ec00238b0ac07c72df3b2ace2ce74522f67d6e14811eb20acbb136497f71a368e4b2c

data/.github/ISSUE_TEMPLATE.md

@@ -0,0 +1,19 @@
+### Steps to reproduce
+What we need to do to see your problem or bug?
+
+The more detailed the issue, the more likely that we will fix it ASAP.
+
+Don't use GitHub issues for questions like "How can I do that?" —
+use [StackOverflow](https://stackoverflow.com/questions/tagged/doorkeeper)
+instead with the corresponding tag.
+
+### Expected behavior
+Tell us what should happen
+
+### Actual behavior
+Tell us what happens instead
+
+### System configuration
+**Ruby version**:
+
+**Gemfile.lock**

data/.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,17 @@
+### Summary
+
+Provide a general description of the code changes in your pull
+request... were there any bugs you had fixed? If so, mention them. If
+these bugs have open GitHub issues, be sure to tag them here as well,
+to keep the conversation linked together.
+
+### Other Information
+
+If there's anything else that's important and relevant to your pull
+request, mention that information here. This could include
+benchmarks, or other information.
+
+If you are updating NEWS.md file or are asked to update it by reviewers,
+please add the changelog entry at the top of the file.
+
+Thanks for contributing to Doorkeeper project!

data/.gitignore

@@ -6,9 +6,9 @@ pkg/
 spec/dummy/db/*.sqlite3
 spec/dummy/log/*.log
 spec/dummy/tmp/
+spec/generators/tmp
 Gemfile.lock
 gemfiles/*.lock
-spec/generators/tmp
 .rvmrc
 *.swp
 .idea

data/.hound.yml

@@ -1,13 +1,2 @@
-AllCops:
-  Exclude:
-    - "spec/dummy/db/*"
-
-LineLength:
-  Exclude:
-    - spec/**/*
-
-StringLiterals:
-  Enabled: false
-
-TrailingBlankLines:
-  Enabled: true
+ruby:
+  config_file: .rubocop.yml

data/.rubocop.yml

@@ -0,0 +1,13 @@
+AllCops:
+  Exclude:
+    - "spec/dummy/db/*"
+
+LineLength:
+  Exclude:
+    - spec/**/*
+
+StringLiterals:
+  Enabled: false
+
+TrailingBlankLines:
+  Enabled: true

data/.travis.yml

@@ -4,17 +4,21 @@ sudo: false
 
 rvm:
   - 2.1
-  - 2.2.6
-  - 2.3.3
-  - 2.4.0
+  - 2.2.9
+  - 2.3.6
+  - 2.4.3
+  - 2.5.0
 
 before_install:
+  - gem update --system # Need for Ruby 2.5.0. https://github.com/travis-ci/travis-ci/issues/8978
   - gem install bundler -v '~> 1.10'
 
 gemfile:
   - gemfiles/rails_4_2.gemfile
   - gemfiles/rails_5_0.gemfile
   - gemfiles/rails_5_1.gemfile
+  - gemfiles/rails_5_2.gemfile
+  - gemfiles/rails_master.gemfile
 
 matrix:
   exclude:
@@ -22,5 +26,9 @@ matrix:
       rvm: 2.1
     - gemfile: gemfiles/rails_5_1.gemfile
       rvm: 2.1
-  allowed_failures:
-    - gemfile: gemfiles/rails_5_1.gemfile
+    - gemfile: gemfiles/rails_5_2.gemfile
+      rvm: 2.1
+    - gemfile: gemfiles/rails_master.gemfile
+      rvm: 2.1
+  allow_failures:
+    - gemfile: gemfiles/rails_master.gemfile

data/Appraisals

@@ -8,7 +8,11 @@ appraise "rails-5-0" do
 end
 
 appraise "rails-5-1" do
-  gem "rails", github: "rails/rails"
-  gem "arel", github: "rails/arel"
+  gem "rails", "~> 5.1.0"
   gem "rspec-rails", "~> 3.5"
 end
+
+appraise "rails-master" do
+  gem "rails", git: 'https://github.com/rails/rails'
+  gem "arel", git: 'https://github.com/rails/arel'
+end

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,46 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team members or current maintainer email, specified in gemspec. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/

data/Gemfile

@@ -1,6 +1,6 @@
 source "https://rubygems.org"
 
-gem "rails", "~> 4.2.0"
+gem "rails", "~> 5.1"
 
 gem "appraisal"
 

data/NEWS.md

@@ -4,7 +4,31 @@ User-visible changes worth mentioning.
 
 ## master
 
+- [#976] Fix to invalidate the second redirect URI when the first URI is the native URI
+- [#1035] Allow `Application#redirect_uri=` to handle array of URIs.
+- [#1036] Allow to forbid Application redirect URI's with specific rules.
+- [#1029] Deprecate `order_method` and introduce `ordered_by`. Sort applications
+  by `created_at` in index action.
+- [#1033] Allow Doorkeeper configuration option #force_ssl_in_redirect_uri to be a callable object.
+- Fix Grape integration & add specs for it
+- [#913] Deferred ORM (ActiveRecord) models loading
+- [#943] Fix Access Token token generation when certain errors occur in custom token generators
+- [#1026] Implement RFC7662 - OAuth 2.0 Token Introspection
+- [#985] Generate valid migration files for Rails >= 5
+- [#972] Replace Struct subclassing with block-form initialization
+- [#1003] Use URL query param to pass through native redirect auth code so automated apps can find it.
+- [#868] `Scopes#&` and `Scopes#+` now take an array or any other enumerable
+  object.
+- [#1019] Remove translation not in use: `invalid_resource_owner`.
+- Use Ruby 2 hash style syntax (min required Ruby version = 2.1)
+- [#948] Make Scopes.<=> work with any "other" value.
 - [#970] Escape certain attributes in authorization forms.
+- [#974] Redirect URI is checked without query params within AuthorizationCodeRequest.
+- [#1004] More explicit help text for `native_redirect_uri`.
+- [#1023] Update Ruby versions and test against 2.5.0 on Travis CI.
+- [#1024] Migrate from FactoryGirl to FactoryBot.
+- [#1025] Improve documentation for adding foreign keys
+- [#1028] Make it possible to have composit strategy names.
 
 ## 4.2.5
 

data/README.md

@@ -1,16 +1,26 @@
 # Doorkeeper - awesome OAuth2 provider for your Rails app.
 
+[![Gem Version](https://badge.fury.io/rb/doorkeeper.svg)](https://rubygems.org/gems/doorkeeper)
 [![Build Status](https://travis-ci.org/doorkeeper-gem/doorkeeper.svg?branch=master)](https://travis-ci.org/doorkeeper-gem/doorkeeper)
 [![Dependency Status](https://gemnasium.com/doorkeeper-gem/doorkeeper.svg?travis)](https://gemnasium.com/doorkeeper-gem/doorkeeper)
 [![Code Climate](https://codeclimate.com/github/doorkeeper-gem/doorkeeper.svg)](https://codeclimate.com/github/doorkeeper-gem/doorkeeper)
-[![Gem Version](https://badge.fury.io/rb/doorkeeper.svg)](https://rubygems.org/gems/doorkeeper)
+[![Coverage Status](https://coveralls.io/repos/github/doorkeeper-gem/doorkeeper/badge.svg?branch=master)](https://coveralls.io/github/doorkeeper-gem/doorkeeper?branch=master)
 [![Security](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master.svg)](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master)
 
 Doorkeeper is a gem that makes it easy to introduce OAuth 2 provider
 functionality to your Rails or Grape application.
 
-[PR 567]: https://github.com/doorkeeper-gem/doorkeeper/pull/567
+Supported features:
 
+- [The OAuth 2.0 Authorization Framework](https://tools.ietf.org/html/rfc6749)
+  - [Authorization Code Flow](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.1)
+  - [Access Token Scopes](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-3.3)
+  - [Refresh token](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-1.5)
+  - [Implicit grant](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.2)
+  - [Resource Owner Password Credentials](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.3)
+  - [Client Credentials](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.4)
+- [OAuth 2.0 Token Revocation](http://tools.ietf.org/html/rfc7009)
+- [OAuth 2.0 Token Introspection](https://tools.ietf.org/html/rfc7662)
 
 ## Documentation valid for `master` branch
 
@@ -19,6 +29,8 @@ https://github.com/doorkeeper-gem/doorkeeper/releases
 
 - See the [wiki](https://github.com/doorkeeper-gem/doorkeeper/wiki)
 - For general questions, please post in [Stack Overflow](http://stackoverflow.com/questions/tagged/doorkeeper)
+- See [SECURITY.md](SECURITY.md) for this project's security disclose
+  policy
 
 ## Table of Contents
 
@@ -27,8 +39,10 @@ https://github.com/doorkeeper-gem/doorkeeper/releases
 
 - [Installation](#installation)
 - [Configuration](#configuration)
-  - [Active Record](#active-record)
-  - [Other ORMs](#other-orms)
+  - [ORM](#orm)
+    - [Active Record](#active-record)
+    - [MongoDB](#mongodb)
+    - [Sequel](#sequel)
   - [Routes](#routes)
   - [Authenticating](#authenticating)
   - [Internationalization (I18n)](#internationalization-i18n)
@@ -69,7 +83,9 @@ This will install the doorkeeper initializer into `config/initializers/doorkeepe
 
 ## Configuration
 
-### Active Record
+### ORM
+
+#### Active Record
 
 By default doorkeeper is configured to use active record, so to start you have
 to generate the migration tables:
@@ -84,19 +100,32 @@ for each table that includes a `resource_owner_id` column:
 add_foreign_key :table_name, :users, column: :resource_owner_id
 ```
 
+Remember to add associations to your model so the related records are deleted.
+If you don't do this an `ActiveRecord::InvalidForeignKey`-error will be raised
+when you try to destroy a model with related access grants or access tokens.
+
+```ruby
+class User < ApplicationRecord
+  has_many :access_grants, class_name: "Doorkeeper::AccessGrant", foreign_key: :resource_owner_id, dependent: :delete_all # or :destroy if you need callbacks
+  has_many :access_tokens, class_name: "Doorkeeper::AccessToken", foreign_key: :resource_owner_id, dependent: :delete_all # or :destroy if you need callbacks
+end
+```
+
 Then run migrations:
 
 ```sh
 rake db:migrate
 ```
 
-### Other ORMs
+#### MongoDB
 
 See [doorkeeper-mongodb project] for Mongoid and MongoMapper support. Follow along
 the implementation in that repository to extend doorkeeper with other ORMs.
 
 [doorkeeper-mongodb project]: https://github.com/doorkeeper-gem/doorkeeper-mongodb
 
+#### Sequel
+
 If you are using [Sequel gem] then you can add [doorkeeper-sequel extension] to your project.
 Follow configuration instructions for setting up the necessary Doorkeeper ORM.
 
@@ -117,12 +146,13 @@ end
 
 This will mount following routes:
 
-    GET       /oauth/authorize/:code
+    GET       /oauth/authorize/native?code
     GET       /oauth/authorize
     POST      /oauth/authorize
     DELETE    /oauth/authorize
     POST      /oauth/token
     POST      /oauth/revoke
+    POST      /oauth/introspect
     resources /oauth/applications
     GET       /oauth/authorized_applications
     DELETE    /oauth/authorized_applications/:id
@@ -198,8 +228,8 @@ module API
         doorkeeper_authorize!
       end
 
-      route_setting :scopes, ['user:email']
-      get :emails do
+      # route_setting :scopes, ['user:email'] - for old versions of Grape
+      get :emails, scopes: [:user, :write] do
         [{'email' => current_user.email}]
       end
 

data/SECURITY.md

@@ -0,0 +1,13 @@
+# Reporting security issues in Doorkeeper
+
+Hello! Thank you for wanting to disclose a possible security
+vulnerability within the Doorkeeper gem! Please follow our disclosure
+policy as outlined below:
+
+1. Do NOT open up a GitHub issue with your report. Security reports
+   should be kept private until a possible fix is determined.
+2. Send an email to Jon Moss, Doorkeeper's maintainer, at doorkeeper AT jonathanmoss.me. You should receive a prompt response.
+3. Be patient. Since Doorkeeper is in a stable maintenance phase, we want to
+   do as little as possible to rock the boat of the project.
+
+Thank you very much for adhering for these policies!

data/app/controllers/doorkeeper/application_controller.rb

@@ -4,11 +4,7 @@ module Doorkeeper
 
     include Helpers::Controller
 
-    if ::Rails.version.to_i < 4
-      protect_from_forgery
-    else
-      protect_from_forgery with: :exception
-    end
+    protect_from_forgery with: :exception
 
     helper 'doorkeeper/dashboard'
   end

data/app/controllers/doorkeeper/applications_controller.rb

@@ -6,9 +6,20 @@ module Doorkeeper
     before_action :set_application, only: [:show, :edit, :update, :destroy]
 
     def index
-      @applications = Application.all
+      @applications = if Application.respond_to?(:ordered_by)
+                        Application.ordered_by(:created_at)
+                      else
+                        ActiveSupport::Deprecation.warn <<-MSG.squish
+                          Doorkeeper #{Doorkeeper.configuration.orm} extension must implement #ordered_by
+                          method for it's models as it will be used by default in Doorkeeper 5.
+                        MSG
+
+                        Application.all
+                      end
     end
 
+    def show; end
+
     def new
       @application = Application.new
     end
@@ -23,6 +34,8 @@ module Doorkeeper
       end
     end
 
+    def edit; end
+
     def update
       if @application.update_attributes(application_params)
         flash[:notice] = I18n.t(:notice, scope: [:doorkeeper, :flash, :applications, :update])

data/app/controllers/doorkeeper/tokens_controller.rb

@@ -4,7 +4,7 @@ module Doorkeeper
       response = authorize_response
       headers.merge! response.headers
       self.response_body = response.body.to_json
-      self.status        = response.status
+      self.status = response.status
     rescue Errors::DoorkeeperError => e
       handle_token_exception e
     end
@@ -27,6 +27,18 @@ module Doorkeeper
       render json: {}, status: 200
     end
 
+    def introspect
+      introspection = OAuth::TokenIntrospection.new(server, token)
+
+      if introspection.authorized?
+        render json: introspection.to_json, status: 200
+      else
+        error = OAuth::ErrorResponse.new(name: introspection.error)
+        response.headers.merge!(error.headers)
+        render json: error.body, status: error.status
+      end
+    end
+
     private
 
     # OAuth 2.0 Section 2.1 defines two client types, "public" & "confidential".

data/app/helpers/doorkeeper/dashboard_helper.rb

@@ -2,11 +2,13 @@ module Doorkeeper
   module DashboardHelper
     def doorkeeper_errors_for(object, method)
       if object.errors[method].present?
-        object.errors[method].map do |msg|
+        output = object.errors[method].map do |msg|
           content_tag(:span, class: 'help-block') do
             msg.capitalize
           end
-        end.join.html_safe
+        end
+
+        safe_join(output)
       end
     end