doorkeeper 4.4.3 → 5.0.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 8d8d3550d8406d4abb224c4960d1d6e8a0c4c706
-  data.tar.gz: b12408cb8b0dc2b14ee69b57798943b5c1bfaa30
+  metadata.gz: 1294d2df3309f8b266a7b9de07d4ebf8dd96fe27
+  data.tar.gz: 9eea101d6a9b5e72412a373224e8160d0d4cd897
 SHA512:
-  metadata.gz: 0674af950f6070d6457e09f73fc89736b092ae6595e484ca6e67e7f126912ea007509d9249fdc4eb01e66bf981c1e49da33712203d8428d10401a43faabd1cfd
-  data.tar.gz: e447513c202dfde4c622b898da2a98dff64272193136fe399b890bb97488e7915156a2588caa6de3566db411f4c7dfa89e88be3a8b8d0a76511251f2f980c382
+  metadata.gz: a7146828263c150652126e56c7a4a177bfaecf44a02d93f7f630d99edbc5a91767e4e86964b52f68c590022ff85375dd5004b78cd621b386b9c767cc67b90a3c
+  data.tar.gz: 15d04141cfc2bc9161531bc5b2a5cd98ee55f8cb144b76878ffe7fffb790c6de380a3857cc30813cd979a6c301bec188da6554dcb04d2d2e910b2cb0f240e857

data/.gitignore

@@ -17,3 +17,4 @@ gemfiles/*.lock
 /doc/
 /rdoc/
 coverage
+*.gem

data/.travis.yml

@@ -8,6 +8,7 @@ rvm:
   - 2.3
   - 2.4
   - 2.5
+  - ruby-2.6.0-preview1
 
 before_install:
   - gem update --system # Need for Ruby 2.5.0. https://github.com/travis-ci/travis-ci/issues/8978
@@ -21,6 +22,7 @@ gemfile:
   - gemfiles/rails_master.gemfile
 
 matrix:
+  fast_finish: true
   exclude:
     - gemfile: gemfiles/rails_5_0.gemfile
       rvm: 2.1

data/Appraisals

@@ -4,12 +4,12 @@ end
 
 appraise "rails-5-0" do
   gem "rails", "~> 5.0.0"
-  gem "rspec-rails", "~> 3.5"
+  gem "rspec-rails", "~> 3.7"
 end
 
 appraise "rails-5-1" do
   gem "rails", "~> 5.1.0"
-  gem "rspec-rails", "~> 3.5"
+  gem "rspec-rails", "~> 3.7"
 end
 
 appraise "rails-master" do

data/Gemfile

@@ -1,6 +1,6 @@
 source "https://rubygems.org"
 
-gem "rails", "~> 5.1"
+gem "rails", "~> 5.2"
 
 gem "appraisal"
 

data/NEWS.md

@@ -1,25 +1,44 @@
 # News
 
+See https://github.com/doorkeeper-gem/doorkeeper/wiki/Migration-from-old-versions for
+upgrade guides.
+
 User-visible changes worth mentioning.
 
 ## master
-
-## 4.4.3
-- [#1143] Adds a config option opt_out_native_route_change to opt out of the
-  breaking api changed introduced in
-  https://github.com/doorkeeper-gem/doorkeeper/pull/1003
-
-## 4.4.2
-- [#1130] Backport fix for native redirect_uri from 5.x.
-
-## 4.4.1
-
-- [#1127] Backport token type to comply with the RFC6750 specification.
-- [#1125] Backport Quote surround I18n yes/no keys
-
-## 4.4.0
-
-- [#1120] Backport security fix from 5.x for token revocation when using public clients
+- [#1089] Removed enable_pkce_without_secret configuration option
+- [#1102] Expiration time based on scopes
+- [#1099] All the configuration variables in `Doorkeeper.configuration` now
+          always return a non-nil value (`true` or `false`)
+- [#1099] ORM / Query optimization: Do not revoke the refresh token if it is not enabled
+          in `doorkeeper.rb`
+- [#996] Expiration Time Base On Grant Type
+- [#997] Allow PKCE authorization_code flow as specified in RFC7636
+- [#907] Fix lookup for matching tokens in certain edge-cases
+- [#992] Add API option to use Doorkeeper without management views for API only
+  Rails applications (`api_only`)
+- [#1045] Validate redirect_uri as the native URI when making authorization code requests
+- [#1048] Remove deprecated `Doorkeeper#configured?`, `Doorkeeper#database_installed?`, and
+  `Doorkeeper#installed?` method
+- [#1031] Allow public clients to authenticate without `client_secret`. Define an app as
+  either public or private/confidential
+- [#1010] Add configuration to enforce configured scopes (`default_scopes` and
+  `optional_scopes`) for applications
+- [#1060] Ensure that the native redirect_uri parameter matches with redirect_uri of the client
+- [#1064] Add :before_successful_authorization and :after_successful_authorization hooks
+- [#1069] Upgrade Bootstrap to 4 for Admin
+- [#1068] Add rake task to cleanup databases that can become large over time
+- [#1072] AuthorizationsController: Memoize strategy.authorize_response result to enable
+  subclasses to use the response object.
+- [#1075] Call `before_successful_authorization` and `after_successful_authorization` hooks
+  on `create` action as well as `new`
+- [#1082] Fix #916: remember routes mapping and use it required places (fix error with
+  customized Token Info route).
+- [#1086, #1088] Fix bug with receiving default scopes in the token even if they are
+  not present in the application scopes (use scopes intersection).
+- [#1076] Add config to enforce content type to application/x-www-form-urlencoded
+- Fix bug with `force_ssl_in_redirect_uri` when it breaks existing applications with an
+  SSL redirect_uri.
 
 ## 4.3.2
 

data/README.md

@@ -19,6 +19,7 @@ Supported features:
   - [Implicit grant](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.2)
   - [Resource Owner Password Credentials](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.3)
   - [Client Credentials](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.4)
+  - [Proof Key for Code Exchange](https://tools.ietf.org/html/rfc7636)
 - [OAuth 2.0 Token Revocation](http://tools.ietf.org/html/rfc7009)
 - [OAuth 2.0 Token Introspection](https://tools.ietf.org/html/rfc7662)
 
@@ -28,6 +29,7 @@ Please check the documentation for the version of doorkeeper you are using in:
 https://github.com/doorkeeper-gem/doorkeeper/releases
 
 - See the [wiki](https://github.com/doorkeeper-gem/doorkeeper/wiki)
+- See [upgrade guides](https://github.com/doorkeeper-gem/doorkeeper/wiki/Migration-from-old-versions)
 - For general questions, please post in [Stack Overflow](http://stackoverflow.com/questions/tagged/doorkeeper)
 - See [SECURITY.md](SECURITY.md) for this project's security disclose
   policy
@@ -44,9 +46,11 @@ https://github.com/doorkeeper-gem/doorkeeper/releases
     - [MongoDB](#mongodb)
     - [Sequel](#sequel)
     - [Couchbase](#couchbase)
+  - [API mode](#api-mode)
   - [Routes](#routes)
   - [Authenticating](#authenticating)
   - [Internationalization (I18n)](#internationalization-i18n)
+  - [Rake Tasks](#rake-tasks)
 - [Protecting resources with OAuth (a.k.a your API endpoint)](#protecting-resources-with-oauth-aka-your-api-endpoint)
   - [Ruby on Rails controllers](#ruby-on-rails-controllers)
   - [Grape endpoints](#grape-endpoints)
@@ -103,12 +107,26 @@ for each table that includes a `resource_owner_id` column:
 add_foreign_key :table_name, :users, column: :resource_owner_id
 ```
 
+If you want to enable [PKCE flow] for mobile apps, you need to generate another
+migration:
+
+[PKCE flow]: https://tools.ietf.org/html/rfc7636
+
+```sh
+    rails generate doorkeeper:pkce
+```
+
 Then run migrations:
 
 ```sh
 rake db:migrate
 ```
 
+Ensure to use non-confidential apps for pkce. PKCE is created, because
+you cannot trust its apps' secret. So whatever app needs pkce: it means, it cannot
+be a confidential app by design.
+
+
 Remember to add associations to your model so the related records are deleted.
 If you don't do this an `ActiveRecord::InvalidForeignKey`-error will be raised
 when you try to destroy a model with related access grants or access tokens.
@@ -146,6 +164,25 @@ Use [doorkeeper-couchbase] extension if you are using Couchbase database.
 
 [doorkeeper-couchbase]: https://github.com/acaprojects/doorkeeper-couchbase
 
+### API mode
+
+By default Doorkeeper uses full Rails stack to provide all the OAuth 2 functionality
+with additional features like administration area for managing applications. By the
+way, starting from Doorkeeper 5 you can use API mode for your [API only Rails 5 applications](http://edgeguides.rubyonrails.org/api_app.html).
+All you need is just to configure the gem to work in desired mode:
+
+``` ruby
+Doorkeeper.configure do
+  # ...
+
+  api_only
+end
+```
+
+Keep in mind, that in this mode you will not be able to access `Applications` or
+`Authorized Applications` controllers because they will be skipped. Also all the
+redirects will be returned as JSON response with corresponding locations.
+
 ### Routes
 
 The installation script will also automatically add the Doorkeeper routes into
@@ -198,7 +235,36 @@ You may want to check other ways of authentication
 
 ### Internationalization (I18n)
 
-See language files in [the I18n repository](https://github.com/doorkeeper-gem/doorkeeper-i18n).
+Doorkeeper support multiple languages. See language files in
+[the I18n repository](https://github.com/doorkeeper-gem/doorkeeper-i18n).
+
+### Rake Tasks
+
+If you are using `rake`, you can load rake tasks provided by this gem, by adding
+the following line to your `Rakefile`:
+
+```ruby
+Doorkeeper::Rake.load_tasks
+```
+
+#### Cleaning up
+
+By default Doorkeeper is retaining expired and revoked access tokens and grants.
+This allows to keep an audit log of those records, but it also leads to the
+corresponding tables to grow large over the lifetime of your application.
+
+If you are concerned about those tables growing too large,
+you can regularly run the following rake task to remove stale entries
+from the database:
+
+```rake
+rake doorkeeper:db:cleanup
+```
+
+Note that this will remove tokens that are expired according to the configured TTL
+in `Doorkeeper.configuration.access_token_expires_in`. The specific `expires_in`
+value of each access token **is not considered**. The same is true for access
+grants.
 
 ## Protecting resources with OAuth (a.k.a your API endpoint)
 
@@ -399,6 +465,22 @@ customize the controller used by the list or skip the controller all together.
 For more information see the page
 [in the wiki](https://github.com/doorkeeper-gem/doorkeeper/wiki/Customizing-routes).
 
+By default, everybody can create application with any scopes. However,
+you can enforce users to create applications only with configured scopes
+(`default_scopes` and `optional_scopes` from the Doorkeeper initializer):
+
+```ruby
+# config/initializers/doorkeeper.rb
+Doorkeeper.configure do
+  # ...
+
+  default_scopes :read, :write
+  optional_scopes :create, :update
+
+  enforce_configured_scopes
+end
+```
+
 ## Other customizations
 
 - [Associate users to OAuth applications (ownership)](https://github.com/doorkeeper-gem/doorkeeper/wiki/Associate-users-to-OAuth-applications-%28ownership%29)
@@ -412,7 +494,7 @@ Doorkeeper 4.3.0 it uses [ActiveSupport lazy loading hooks](http://api.rubyonrai
 to load models. There are [known issue](https://github.com/doorkeeper-gem/doorkeeper/issues/1043)
 with the `factory_bot_rails` gem (it executes factories building before `ActiveRecord::Base`
 is initialized using hooks in gem railtie, so you can catch a `uninitialized constant` error).
-It is recommended to use pure `factory_bot` gem to solve this problem. 
+It is recommended to use pure `factory_bot` gem to solve this problem.
 
 ## Upgrading
 
@@ -429,7 +511,7 @@ To run the local engine server:
 
 ```
 bundle install
-bundle exec rails server
+bundle exec rake doorkeeper:server
 ````
 
 By default, it uses the latest Rails version with ActiveRecord. To run the

data/Rakefile

@@ -15,6 +15,12 @@ namespace :doorkeeper do
     cd 'spec/dummy'
     system 'bundle exec rails g doorkeeper:install --force'
   end
+
+  desc 'Runs local test server'
+  task :server do
+    cd 'spec/dummy'
+    system 'bundle exec rails server'
+  end
 end
 
 Bundler::GemHelper.install_tasks

data/app/assets/stylesheets/doorkeeper/admin/application.css

@@ -5,6 +5,6 @@
  *= require_tree .
 */
 
-td {
-  vertical-align: middle !important;
+.doorkeeper-admin .form-group > .field_with_errors {
+  width: 16.66667%;
 }

data/app/controllers/doorkeeper/application_controller.rb

@@ -4,8 +4,9 @@ module Doorkeeper
 
     include Helpers::Controller
 
-    protect_from_forgery with: :exception
-
-    helper 'doorkeeper/dashboard'
+    unless Doorkeeper.configuration.api_only
+      protect_from_forgery with: :exception
+      helper 'doorkeeper/dashboard'
+    end
   end
 end

data/app/controllers/doorkeeper/application_metal_controller.rb

@@ -5,6 +5,7 @@ module Doorkeeper
       AbstractController::Rendering,
       ActionController::Rendering,
       ActionController::Renderers::All,
+      AbstractController::Callbacks,
       Helpers::Controller
     ].freeze
 
@@ -12,6 +13,9 @@ module Doorkeeper
       include mod
     end
 
+    before_action :enforce_content_type,
+                  if: -> { Doorkeeper.configuration.enforce_content_type }
+
     ActiveSupport.run_load_hooks(:doorkeeper_metal_controller, self)
   end
 end

data/app/controllers/doorkeeper/applications_controller.rb

@@ -1,24 +1,25 @@
 module Doorkeeper
   class ApplicationsController < Doorkeeper::ApplicationController
-    layout 'doorkeeper/admin'
+    layout 'doorkeeper/admin' unless Doorkeeper.configuration.api_only
 
     before_action :authenticate_admin!
-    before_action :set_application, only: [:show, :edit, :update, :destroy]
+    before_action :set_application, only: %i[show edit update destroy]
 
     def index
-      @applications = if Application.respond_to?(:ordered_by)
-                        Application.ordered_by(:created_at)
-                      else
-                        ActiveSupport::Deprecation.warn <<-MSG.squish
-                          Doorkeeper #{Doorkeeper.configuration.orm} extension must implement #ordered_by
-                          method for it's models as it will be used by default in Doorkeeper 5.
-                        MSG
-
-                        Application.all
-                      end
+      @applications = Application.ordered_by(:created_at)
+
+      respond_to do |format|
+        format.html
+        format.json { head :no_content }
+      end
     end
 
-    def show; end
+    def show
+      respond_to do |format|
+        format.html
+        format.json { render json: @application }
+      end
+    end
 
     def new
       @application = Application.new
@@ -26,28 +27,47 @@ module Doorkeeper
 
     def create
       @application = Application.new(application_params)
+
       if @application.save
-        flash[:notice] = I18n.t(:notice, scope: [:doorkeeper, :flash, :applications, :create])
-        redirect_to oauth_application_url(@application)
+        flash[:notice] = I18n.t(:notice, scope: %i[doorkeeper flash applications create])
+
+        respond_to do |format|
+          format.html { redirect_to oauth_application_url(@application) }
+          format.json { render json: @application }
+        end
       else
-        render :new
+        respond_to do |format|
+          format.html { render :new }
+          format.json { render json: { errors: @application.errors.full_messages }, status: :unprocessable_entity }
+        end
       end
     end
 
     def edit; end
 
     def update
-      if @application.update_attributes(application_params)
-        flash[:notice] = I18n.t(:notice, scope: [:doorkeeper, :flash, :applications, :update])
-        redirect_to oauth_application_url(@application)
+      if @application.update(application_params)
+        flash[:notice] = I18n.t(:notice, scope: %i[doorkeeper flash applications update])
+
+        respond_to do |format|
+          format.html { redirect_to oauth_application_url(@application) }
+          format.json { render json: @application }
+        end
       else
-        render :edit
+        respond_to do |format|
+          format.html { render :edit }
+          format.json { render json: { errors: @application.errors.full_messages }, status: :unprocessable_entity }
+        end
       end
     end
 
     def destroy
-      flash[:notice] = I18n.t(:notice, scope: [:doorkeeper, :flash, :applications, :destroy]) if @application.destroy
-      redirect_to oauth_applications_url
+      flash[:notice] = I18n.t(:notice, scope: %i[doorkeeper flash applications destroy]) if @application.destroy
+
+      respond_to do |format|
+        format.html { redirect_to oauth_applications_url }
+        format.json { head :no_content }
+      end
     end
 
     private

data/app/controllers/doorkeeper/authorizations_controller.rb

@@ -4,20 +4,15 @@ module Doorkeeper
 
     def new
       if pre_auth.authorizable?
-        if skip_authorization? || matching_token?
-          auth = authorization.authorize
-          redirect_to auth.redirect_uri
-        else
-          render :new
-        end
+        render_success
       else
-        render :error
+        render_error
       end
     end
 
     # TODO: Handle raise invalid authorization
     def create
-      redirect_or_render authorization.authorize
+      redirect_or_render authorize_response
     end
 
     def destroy
@@ -26,15 +21,45 @@ module Doorkeeper
 
     private
 
+    def render_success
+      if skip_authorization? || matching_token?
+        redirect_or_render authorize_response
+      elsif Doorkeeper.configuration.api_only
+        render json: pre_auth
+      else
+        render :new
+      end
+    end
+
+    def render_error
+      if Doorkeeper.configuration.api_only
+        render json: pre_auth.error_response.body[:error_description],
+               status: :bad_request
+      else
+        render :error
+      end
+    end
+
     def matching_token?
-      AccessToken.matching_token_for pre_auth.client,
-                                     current_resource_owner.id,
-                                     pre_auth.scopes
+      token = AccessToken.matching_token_for(
+        pre_auth.client,
+        current_resource_owner.id,
+        pre_auth.scopes
+      )
+
+      token && token.accessible?
     end
 
     def redirect_or_render(auth)
       if auth.redirectable?
-        redirect_to auth.redirect_uri
+        if Doorkeeper.configuration.api_only
+          render(
+            json: { status: :redirect, redirect_uri: auth.redirect_uri },
+            status: auth.status
+          )
+        else
+          redirect_to auth.redirect_uri
+        end
       else
         render json: auth.body, status: auth.status
       end
@@ -53,5 +78,23 @@ module Doorkeeper
     def strategy
       @strategy ||= server.authorization_request pre_auth.response_type
     end
+
+    def authorize_response
+      @authorize_response ||= begin
+        authorizable = pre_auth.authorizable?
+        before_successful_authorization if authorizable
+        auth = strategy.authorize
+        after_successful_authorization if authorizable
+        auth
+      end
+    end
+
+    def after_successful_authorization
+      Doorkeeper.configuration.after_successful_authorization.call(self)
+    end
+
+    def before_successful_authorization
+      Doorkeeper.configuration.before_successful_authorization.call(self)
+    end
   end
 end

data/app/controllers/doorkeeper/authorized_applications_controller.rb

@@ -4,11 +4,25 @@ module Doorkeeper
 
     def index
       @applications = Application.authorized_for(current_resource_owner)
+
+      respond_to do |format|
+        format.html
+        format.json { render json: @applications }
+      end
     end
 
     def destroy
       AccessToken.revoke_all_for params[:id], current_resource_owner
-      redirect_to oauth_authorized_applications_url, notice: I18n.t(:notice, scope: [:doorkeeper, :flash, :authorized_applications, :destroy])
+
+      respond_to do |format|
+        format.html do
+          redirect_to oauth_authorized_applications_url, notice: I18n.t(
+            :notice, scope: %i[doorkeeper flash authorized_applications destroy]
+          )
+        end
+
+        format.json { render :no_content }
+      end
     end
   end
 end

data/app/controllers/doorkeeper/tokens_controller.rb

@@ -17,9 +17,7 @@ module Doorkeeper
       # Doorkeeper does not use the token_type_hint logic described in the
       # RFC 7009 due to the refresh token implementation that is a field in
       # the access token model.
-      if authorized?
-        revoke_token
-      end
+      revoke_token if authorized?
 
       # The authorization server responds with HTTP status code 200 if the token
       # has been revoked successfully or if the client submitted an invalid
@@ -58,22 +56,21 @@ module Doorkeeper
     # https://tools.ietf.org/html/rfc6749#section-2.1
     # https://tools.ietf.org/html/rfc7009
     def authorized?
-      return unless token.present?
-      # Client is confidential, therefore client authentication & authorization
-      # is required
-      if token.application_id? && token.application.confidential?
-        # We authorize client by checking token's application
-        server.client && server.client.application == token.application
-      else
-        # Client is public, authentication unnecessary
-        true
+      if token.present?
+        # Client is confidential, therefore client authentication & authorization
+        # is required
+        if token.application_id?
+          # We authorize client by checking token's application
+          server.client && server.client.application == token.application
+        else
+          # Client is public, authentication unnecessary
+          true
+        end
       end
     end
 
     def revoke_token
-      if token.accessible?
-        token.revoke
-      end
+      token.revoke if token.accessible?
     end
 
     def token

data/app/helpers/doorkeeper/dashboard_helper.rb

@@ -1,15 +1,15 @@
 module Doorkeeper
   module DashboardHelper
     def doorkeeper_errors_for(object, method)
-      if object.errors[method].present?
-        output = object.errors[method].map do |msg|
-          content_tag(:span, class: 'help-block') do
-            msg.capitalize
-          end
-        end
+      return if object.errors[method].blank?
 
-        safe_join(output)
+      output = object.errors[method].map do |msg|
+        content_tag(:span, class: 'form-text') do
+          msg.capitalize
+        end
       end
+
+      safe_join(output)
     end
 
     def doorkeeper_submit_path(application)

data/app/validators/redirect_uri_validator.rb

@@ -34,11 +34,12 @@ class RedirectUriValidator < ActiveModel::EachValidator
 
   def invalid_ssl_uri?(uri)
     forces_ssl = Doorkeeper.configuration.force_ssl_in_redirect_uri
+    non_https = uri.try(:scheme) == 'http'
 
     if forces_ssl.respond_to?(:call)
-      forces_ssl.call(uri)
+      forces_ssl.call(uri) && non_https
     else
-      forces_ssl && uri.try(:scheme) == 'http'
+      forces_ssl && non_https
     end
   end
 end

data/app/views/doorkeeper/applications/_delete_form.html.erb

@@ -1,4 +1,6 @@
 <%- submit_btn_css ||= 'btn btn-link' %>
 <%= form_tag oauth_application_path(application), method: :delete do %>
-  <%= submit_tag t('doorkeeper.applications.buttons.destroy'), onclick: "return confirm('#{ t('doorkeeper.applications.confirmations.destroy') }')", class: submit_btn_css %>
+  <%= submit_tag t('doorkeeper.applications.buttons.destroy'),
+                 onclick: "return confirm('#{ t('doorkeeper.applications.confirmations.destroy') }')",
+                 class: submit_btn_css %>
 <% end %>