doorkeeper 4.3.1 → 4.3.2
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of doorkeeper might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/NEWS.md +4 -2
- data/README.md +2 -1
- data/lib/doorkeeper/oauth/helpers/uri_checker.rb +14 -0
- data/lib/doorkeeper/version.rb +1 -1
- data/spec/lib/oauth/helpers/uri_checker_spec.rb +105 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: c3122dbcfcc7470b2460319fee999036c26810c3
|
|
4
|
+
data.tar.gz: 9c0096009a2af6d32074d63711fb72a2078101a1
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 7178420e74461146ac3525056a9398e51df2e659107532e1e8577e90359d474a96b1275d99f05dc85b43f692ab9eda1e49bb1edc91c80f906d59318c5e788163
|
|
7
|
+
data.tar.gz: 5c6a9177e6efd616f7345bc26e15a978ae7d89295600356bf9ec922a0c94f0da1b47fe827328d7edcbcafe0855761a17a77851d3a1b9155d0c8608917c3e4610
|
data/NEWS.md
CHANGED
|
@@ -4,7 +4,9 @@ User-visible changes worth mentioning.
|
|
|
4
4
|
|
|
5
5
|
## master
|
|
6
6
|
|
|
7
|
-
|
|
7
|
+
## 4.3.2
|
|
8
|
+
|
|
9
|
+
- [#1053] Support authorizing with query params in the request `redirect_uri` if explicitly present in app's `Application#redirect_uri`
|
|
8
10
|
|
|
9
11
|
## 4.3.1
|
|
10
12
|
|
|
@@ -39,7 +41,7 @@ Replace this text with you changelog entry. Look at the examples below.
|
|
|
39
41
|
- [#1023] Update Ruby versions and test against 2.5.0 on Travis CI.
|
|
40
42
|
- [#1024] Migrate from FactoryGirl to FactoryBot.
|
|
41
43
|
- [#1025] Improve documentation for adding foreign keys
|
|
42
|
-
- [#1028] Make it possible to have
|
|
44
|
+
- [#1028] Make it possible to have composite strategy names.
|
|
43
45
|
|
|
44
46
|
## 4.2.6
|
|
45
47
|
|
data/README.md
CHANGED
|
@@ -56,6 +56,7 @@ https://github.com/doorkeeper-gem/doorkeeper/releases
|
|
|
56
56
|
- [Authenticated resource owner](#authenticated-resource-owner)
|
|
57
57
|
- [Applications list](#applications-list)
|
|
58
58
|
- [Other customizations](#other-customizations)
|
|
59
|
+
- [Testing](#testing)
|
|
59
60
|
- [Upgrading](#upgrading)
|
|
60
61
|
- [Development](#development)
|
|
61
62
|
- [Contributing](#contributing)
|
|
@@ -408,7 +409,7 @@ For more information see the page
|
|
|
408
409
|
|
|
409
410
|
You can use Doorkeeper models in your application test suite. Note that starting from
|
|
410
411
|
Doorkeeper 4.3.0 it uses [ActiveSupport lazy loading hooks](http://api.rubyonrails.org/classes/ActiveSupport/LazyLoadHooks.html)
|
|
411
|
-
to load models. There are [known
|
|
412
|
+
to load models. There are [known issue](https://github.com/doorkeeper-gem/doorkeeper/issues/1043)
|
|
412
413
|
with the `factory_bot_rails` gem (it executes factories building before `ActiveRecord::Base`
|
|
413
414
|
is initialized using hooks in gem railtie, so you can catch a `uninitialized constant` error).
|
|
414
415
|
It is recommended to use pure `factory_bot` gem to solve this problem.
|
|
@@ -12,6 +12,13 @@ module Doorkeeper
|
|
|
12
12
|
def self.matches?(url, client_url)
|
|
13
13
|
url = as_uri(url)
|
|
14
14
|
client_url = as_uri(client_url)
|
|
15
|
+
|
|
16
|
+
if client_url.query.present?
|
|
17
|
+
return false unless query_matches?(url.query, client_url.query)
|
|
18
|
+
# Clear out queries so rest of URI can be tested. This allows query
|
|
19
|
+
# params to be in the request but order not mattering.
|
|
20
|
+
client_url.query = nil
|
|
21
|
+
end
|
|
15
22
|
url.query = nil
|
|
16
23
|
url == client_url
|
|
17
24
|
end
|
|
@@ -24,6 +31,13 @@ module Doorkeeper
|
|
|
24
31
|
URI.parse(url)
|
|
25
32
|
end
|
|
26
33
|
|
|
34
|
+
def self.query_matches?(query, client_query)
|
|
35
|
+
return true if client_query.nil? && query.nil?
|
|
36
|
+
return false if client_query.nil? || query.nil?
|
|
37
|
+
# Will return true independent of query order
|
|
38
|
+
client_query.split('&').sort == query.split('&').sort
|
|
39
|
+
end
|
|
40
|
+
|
|
27
41
|
def self.native_uri?(url)
|
|
28
42
|
url == Doorkeeper.configuration.native_redirect_uri
|
|
29
43
|
end
|
data/lib/doorkeeper/version.rb
CHANGED
|
@@ -69,6 +69,44 @@ module Doorkeeper::OAuth::Helpers
|
|
|
69
69
|
client_uri = 'http://example.com?app.co=test'
|
|
70
70
|
expect(URIChecker.matches?(uri, client_uri)).to be_falsey
|
|
71
71
|
end
|
|
72
|
+
|
|
73
|
+
context "client registered query params" do
|
|
74
|
+
it "doesn't allow query being absent" do
|
|
75
|
+
uri = 'http://app.co'
|
|
76
|
+
client_uri = 'http://app.co/?vendorId=AJ4L7XXW9'
|
|
77
|
+
expect(URIChecker.matches?(uri, client_uri)).to be_falsey
|
|
78
|
+
end
|
|
79
|
+
|
|
80
|
+
it "is false if query values differ but key same" do
|
|
81
|
+
uri = 'http://app.co/?vendorId=pancakes'
|
|
82
|
+
client_uri = 'http://app.co/?vendorId=waffles'
|
|
83
|
+
expect(URIChecker.matches?(uri, client_uri)).to be_falsey
|
|
84
|
+
end
|
|
85
|
+
|
|
86
|
+
it "is false if query values same but key differs" do
|
|
87
|
+
uri = 'http://app.co/?foo=pancakes'
|
|
88
|
+
client_uri = 'http://app.co/?bar=pancakes'
|
|
89
|
+
expect(URIChecker.matches?(uri, client_uri)).to be_falsey
|
|
90
|
+
end
|
|
91
|
+
|
|
92
|
+
it "is false if query present and match, but unknown queries present" do
|
|
93
|
+
uri = 'http://app.co/?vendorId=pancakes&unknown=query'
|
|
94
|
+
client_uri = 'http://app.co/?vendorId=waffles'
|
|
95
|
+
expect(URIChecker.matches?(uri, client_uri)).to be_falsey
|
|
96
|
+
end
|
|
97
|
+
|
|
98
|
+
it "is true if queries are present and matche" do
|
|
99
|
+
uri = 'http://app.co/?vendorId=AJ4L7XXW9&foo=bar'
|
|
100
|
+
client_uri = 'http://app.co/?vendorId=AJ4L7XXW9&foo=bar'
|
|
101
|
+
expect(URIChecker.matches?(uri, client_uri)).to be_truthy
|
|
102
|
+
end
|
|
103
|
+
|
|
104
|
+
it "is true if queries are present, match and in different order" do
|
|
105
|
+
uri = 'http://app.co/?bing=bang&foo=bar'
|
|
106
|
+
client_uri = 'http://app.co/?foo=bar&bing=bang'
|
|
107
|
+
expect(URIChecker.matches?(uri, client_uri)).to be_truthy
|
|
108
|
+
end
|
|
109
|
+
end
|
|
72
110
|
end
|
|
73
111
|
|
|
74
112
|
describe '.valid_for_authorization?' do
|
|
@@ -101,9 +139,75 @@ module Doorkeeper::OAuth::Helpers
|
|
|
101
139
|
end
|
|
102
140
|
|
|
103
141
|
it 'is false if invalid' do
|
|
104
|
-
uri =
|
|
142
|
+
uri = 'http://app.co/aaa?pankcakes=abc'
|
|
143
|
+
client_uri = 'http://app.co/aaa?waffles=abc'
|
|
105
144
|
expect(URIChecker.valid_for_authorization?(uri, client_uri)).to be false
|
|
106
145
|
end
|
|
146
|
+
|
|
147
|
+
it 'calls .matches?' do
|
|
148
|
+
uri = 'http://app.co/aaa?pankcakes=abc'
|
|
149
|
+
client_uri = 'http://app.co/aaa?waffles=abc'
|
|
150
|
+
expect(URIChecker).to receive(:matches?).with(uri, client_uri).once
|
|
151
|
+
URIChecker.valid_for_authorization?(uri, client_uri)
|
|
152
|
+
end
|
|
153
|
+
|
|
154
|
+
it 'calls .valid?' do
|
|
155
|
+
uri = 'http://app.co/aaa?pankcakes=abc'
|
|
156
|
+
client_uri = 'http://app.co/aaa?waffles=abc'
|
|
157
|
+
expect(URIChecker).to receive(:valid?).with(uri).once
|
|
158
|
+
URIChecker.valid_for_authorization?(uri, client_uri)
|
|
159
|
+
end
|
|
160
|
+
end
|
|
161
|
+
|
|
162
|
+
describe '.query_matches?' do
|
|
163
|
+
it 'is true if no queries' do
|
|
164
|
+
expect(URIChecker.query_matches?('', '')).to be_truthy
|
|
165
|
+
expect(URIChecker.query_matches?(nil, nil)).to be_truthy
|
|
166
|
+
end
|
|
167
|
+
|
|
168
|
+
it 'is true if same query' do
|
|
169
|
+
expect(URIChecker.query_matches?('foo', 'foo')).to be_truthy
|
|
170
|
+
end
|
|
171
|
+
|
|
172
|
+
it 'is false if different query' do
|
|
173
|
+
expect(URIChecker.query_matches?('foo', 'bar')).to be_falsey
|
|
174
|
+
end
|
|
175
|
+
|
|
176
|
+
it 'is true if same queries' do
|
|
177
|
+
expect(URIChecker.query_matches?('foo&bar', 'foo&bar')).to be_truthy
|
|
178
|
+
end
|
|
179
|
+
|
|
180
|
+
it 'is true if same queries, different order' do
|
|
181
|
+
expect(URIChecker.query_matches?('foo&bar', 'bar&foo')).to be_truthy
|
|
182
|
+
end
|
|
183
|
+
|
|
184
|
+
it 'is false if one different query' do
|
|
185
|
+
expect(URIChecker.query_matches?('foo&bang', 'foo&bing')).to be_falsey
|
|
186
|
+
end
|
|
187
|
+
|
|
188
|
+
it 'is true if same query with same value' do
|
|
189
|
+
expect(URIChecker.query_matches?('foo=bar', 'foo=bar')).to be_truthy
|
|
190
|
+
end
|
|
191
|
+
|
|
192
|
+
it 'is true if same queries with same values' do
|
|
193
|
+
expect(URIChecker.query_matches?('foo=bar&bing=bang', 'foo=bar&bing=bang')).to be_truthy
|
|
194
|
+
end
|
|
195
|
+
|
|
196
|
+
it 'is true if same queries with same values, different order' do
|
|
197
|
+
expect(URIChecker.query_matches?('foo=bar&bing=bang', 'bing=bang&foo=bar')).to be_truthy
|
|
198
|
+
end
|
|
199
|
+
|
|
200
|
+
it 'is false if same query with different value' do
|
|
201
|
+
expect(URIChecker.query_matches?('foo=bar', 'foo=bang')).to be_falsey
|
|
202
|
+
end
|
|
203
|
+
|
|
204
|
+
it 'is false if some queries missing' do
|
|
205
|
+
expect(URIChecker.query_matches?('foo=bar', 'foo=bar&bing=bang')).to be_falsey
|
|
206
|
+
end
|
|
207
|
+
|
|
208
|
+
it 'is false if some queries different value' do
|
|
209
|
+
expect(URIChecker.query_matches?('foo=bar&bing=bang', 'foo=bar&bing=banana')).to be_falsey
|
|
210
|
+
end
|
|
107
211
|
end
|
|
108
212
|
end
|
|
109
213
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: doorkeeper
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.3.
|
|
4
|
+
version: 4.3.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Felipe Elias Philipp
|
|
@@ -11,7 +11,7 @@ authors:
|
|
|
11
11
|
autorequire:
|
|
12
12
|
bindir: bin
|
|
13
13
|
cert_chain: []
|
|
14
|
-
date: 2018-03-
|
|
14
|
+
date: 2018-03-28 00:00:00.000000000 Z
|
|
15
15
|
dependencies:
|
|
16
16
|
- !ruby/object:Gem::Dependency
|
|
17
17
|
name: railties
|