doorkeeper 5.0.0.rc1 → 5.0.0.rc2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1294d2df3309f8b266a7b9de07d4ebf8dd96fe27
-  data.tar.gz: 9eea101d6a9b5e72412a373224e8160d0d4cd897
+  metadata.gz: f9a6bf0cb64c84923dedcc19d31136a03cb7fab0
+  data.tar.gz: ee93150982920fc8fb654b2e447d755e42191d9c
 SHA512:
-  metadata.gz: a7146828263c150652126e56c7a4a177bfaecf44a02d93f7f630d99edbc5a91767e4e86964b52f68c590022ff85375dd5004b78cd621b386b9c767cc67b90a3c
-  data.tar.gz: 15d04141cfc2bc9161531bc5b2a5cd98ee55f8cb144b76878ffe7fffb790c6de380a3857cc30813cd979a6c301bec188da6554dcb04d2d2e910b2cb0f240e857
+  metadata.gz: d66636e7818c25feab19f577ee2d344f0fac658906253c18c33e884ff063bc75f0461aa0a2ddb6305404501d58b321916fc64d48be5da4917e0fe1bfb1f1c600
+  data.tar.gz: f439482a6a560f1e70453e0a69fd1b468c640f2287fe0d2e5a90fad315214eeef01731235931d57aba3ed29ac85eaed2165e6e072a8c9e5b3792f2c4b7cc4392

data/.gitlab-ci.yml

@@ -0,0 +1,16 @@
+dependency_scanning:
+  image: docker:stable
+  variables:
+    DOCKER_DRIVER: overlay2
+  allow_failure: true
+  services:
+    - docker:stable-dind
+  script:
+    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
+    - docker run
+        --env DEP_SCAN_DISABLE_REMOTE_CHECKS="${DEP_SCAN_DISABLE_REMOTE_CHECKS:-false}"
+        --volume "$PWD:/code"
+        --volume /var/run/docker.sock:/var/run/docker.sock
+        "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$SP_VERSION" /code
+  artifacts:
+    paths: [gl-dependency-scanning-report.json]

data/NEWS.md

@@ -6,12 +6,29 @@ upgrade guides.
 User-visible changes worth mentioning.
 
 ## master
+
+- [#] Add description here
+
+## 5.0.0.rc2
+
+- [#1106] Restrict access to AdminController with 'Forbidden 403' if admin_authenticator is not
+  configured by developers..
+- [#1108] Simple formating of callback URLs when listing oauth applications
+- [#1116] `AccessGrant`s will now be revoked along with `AccessToken`s when
+  hitting the `AuthorizedApplicationController#destroy` route.
+- [#1114] Make token info endpoint's attributes consistent with token creation
+- [#1119] Fix token revocation for OAuth apps using "implicit" grant flow
+- [#1122] Fix AuthorizationsController#new error response to be in JSON format
+
+## 5.0.0.rc1
+
+- [#1103] Allow customizing use_refresh_token
 - [#1089] Removed enable_pkce_without_secret configuration option
 - [#1102] Expiration time based on scopes
 - [#1099] All the configuration variables in `Doorkeeper.configuration` now
-          always return a non-nil value (`true` or `false`)
+  always return a non-nil value (`true` or `false`)
 - [#1099] ORM / Query optimization: Do not revoke the refresh token if it is not enabled
-          in `doorkeeper.rb`
+  in `doorkeeper.rb`
 - [#996] Expiration Time Base On Grant Type
 - [#997] Allow PKCE authorization_code flow as specified in RFC7636
 - [#907] Fix lookup for matching tokens in certain edge-cases
@@ -39,6 +56,10 @@ User-visible changes worth mentioning.
 - [#1076] Add config to enforce content type to application/x-www-form-urlencoded
 - Fix bug with `force_ssl_in_redirect_uri` when it breaks existing applications with an
   SSL redirect_uri.
+  
+## 4.4.0
+  
+- [#1120] Backport security fix from 5.x for token revocation when using public clients
 
 ## 4.3.2
 

data/README.md

@@ -1,14 +1,13 @@
-# Doorkeeper - awesome OAuth 2 provider for your Rails app.
+# Doorkeeper — awesome OAuth 2 provider for your Rails / Grape app.
 
 [![Gem Version](https://badge.fury.io/rb/doorkeeper.svg)](https://rubygems.org/gems/doorkeeper)
 [![Build Status](https://travis-ci.org/doorkeeper-gem/doorkeeper.svg?branch=master)](https://travis-ci.org/doorkeeper-gem/doorkeeper)
-[![Dependency Status](https://gemnasium.com/doorkeeper-gem/doorkeeper.svg?travis)](https://gemnasium.com/doorkeeper-gem/doorkeeper)
 [![Code Climate](https://codeclimate.com/github/doorkeeper-gem/doorkeeper.svg)](https://codeclimate.com/github/doorkeeper-gem/doorkeeper)
 [![Coverage Status](https://coveralls.io/repos/github/doorkeeper-gem/doorkeeper/badge.svg?branch=master)](https://coveralls.io/github/doorkeeper-gem/doorkeeper?branch=master)
 [![Security](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master.svg)](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master)
 
-Doorkeeper is a gem that makes it easy to introduce OAuth 2 provider
-functionality to your Rails or Grape application.
+Doorkeeper is a gem (Rails engine) that makes it easy to introduce OAuth 2 provider
+functionality to your Ruby on Rails or Grape application.
 
 Supported features:
 
@@ -28,7 +27,7 @@ Supported features:
 Please check the documentation for the version of doorkeeper you are using in:
 https://github.com/doorkeeper-gem/doorkeeper/releases
 
-- See the [wiki](https://github.com/doorkeeper-gem/doorkeeper/wiki)
+- See the [Wiki](https://github.com/doorkeeper-gem/doorkeeper/wiki)
 - See [upgrade guides](https://github.com/doorkeeper-gem/doorkeeper/wiki/Migration-from-old-versions)
 - For general questions, please post in [Stack Overflow](http://stackoverflow.com/questions/tagged/doorkeeper)
 - See [SECURITY.md](SECURITY.md) for this project's security disclose
@@ -276,7 +275,9 @@ protect. For example:
 
 ``` ruby
 class Api::V1::ProductsController < Api::V1::ApiController
-  before_action :doorkeeper_authorize! # Require access token for all actions
+  before_action :doorkeeper_authorize! # Requires access token for all actions
+  
+  # before_action -> { doorkeeper_authorize! :read, :write }
 
   # your actions
 end

data/UPGRADE.md

@@ -0,0 +1,2 @@
+See [Upgrade Guides](https://github.com/doorkeeper-gem/doorkeeper/wiki/Migration-from-old-versions)
+in the project Wiki.

data/app/controllers/doorkeeper/authorizations_controller.rb

@@ -33,7 +33,7 @@ module Doorkeeper
 
     def render_error
       if Doorkeeper.configuration.api_only
-        render json: pre_auth.error_response.body[:error_description],
+        render json: pre_auth.error_response.body,
                status: :bad_request
       else
         render :error

data/app/controllers/doorkeeper/authorized_applications_controller.rb

@@ -12,7 +12,10 @@ module Doorkeeper
     end
 
     def destroy
-      AccessToken.revoke_all_for params[:id], current_resource_owner
+      Application.revoke_tokens_and_grants_for(
+        params[:id],
+        current_resource_owner
+      )
 
       respond_to do |format|
         format.html do

data/app/controllers/doorkeeper/tokens_controller.rb

@@ -56,16 +56,15 @@ module Doorkeeper
     # https://tools.ietf.org/html/rfc6749#section-2.1
     # https://tools.ietf.org/html/rfc7009
     def authorized?
-      if token.present?
-        # Client is confidential, therefore client authentication & authorization
-        # is required
-        if token.application_id?
-          # We authorize client by checking token's application
-          server.client && server.client.application == token.application
-        else
-          # Client is public, authentication unnecessary
-          true
-        end
+      return unless token.present?
+      # Client is confidential, therefore client authentication & authorization
+      # is required
+      if token.application_id? && token.application.confidential?
+        # We authorize client by checking token's application
+        server.client && server.client.application == token.application
+      else
+        # Client is public, authentication unnecessary
+        true
       end
     end
 

data/app/views/doorkeeper/applications/index.html.erb

@@ -21,7 +21,7 @@
         <%= link_to application.name, oauth_application_path(application) %>
       </td>
       <td class="align-middle">
-        <%= application.redirect_uri %>
+        <%= simple_format(application.redirect_uri) %>
       </td>
       <td class="align-middle">
         <%= application.confidential? ? t('doorkeeper.applications.index.confidentiality.yes') : t('doorkeeper.applications.index.confidentiality.no') %>

data/config/locales/en.yml

@@ -99,6 +99,7 @@ en:
         # Configuration error messages
         credential_flow_not_configured: 'Resource Owner Password Credentials flow failed due to Doorkeeper.configure.resource_owner_from_credentials being unconfigured.'
         resource_owner_authenticator_not_configured: 'Resource Owner find failed due to Doorkeeper.configure.resource_owner_authenticator being unconfigured.'
+        admin_authenticator_not_configured: 'Access to admin panel is forbidden due to Doorkeeper.configure.admin_authenticator being unconfigured.'
 
         # Access grant errors
         unsupported_response_type: 'The authorization server does not support this response type.'

data/doorkeeper.gemspec

@@ -19,7 +19,7 @@ Gem::Specification.new do |s|
   s.add_dependency "railties", ">= 4.2"
   s.required_ruby_version = ">= 2.1"
 
-  s.add_development_dependency "capybara"
+  s.add_development_dependency "capybara", '~> 2.18'
   s.add_development_dependency "coveralls"
   s.add_development_dependency "grape"
   s.add_development_dependency "database_cleaner", "~> 1.6"

data/gemfiles/rails_master.gemfile

@@ -9,6 +9,9 @@ gem "appraisal"
 gem "activerecord-jdbcsqlite3-adapter", platform: :jruby
 gem "sqlite3", platform: [:ruby, :mswin, :mingw, :x64_mingw]
 gem "tzinfo-data", platforms: [:mingw, :mswin, :x64_mingw]
-gem "rspec-rails", "~> 3.7"
+
+%w[rspec-core rspec-expectations rspec-mocks rspec-rails rspec-support].each do |lib|
+  gem lib, git: "https://github.com/rspec/#{lib}.git", branch: 'master'
+end
 
 gemspec path: "../"

data/lib/doorkeeper.rb

@@ -2,6 +2,14 @@ require 'doorkeeper/version'
 require 'doorkeeper/engine'
 require 'doorkeeper/config'
 
+require 'doorkeeper/request/strategy'
+require 'doorkeeper/request/authorization_code'
+require 'doorkeeper/request/client_credentials'
+require 'doorkeeper/request/code'
+require 'doorkeeper/request/password'
+require 'doorkeeper/request/refresh_token'
+require 'doorkeeper/request/token'
+
 require 'doorkeeper/errors'
 require 'doorkeeper/server'
 require 'doorkeeper/request'
@@ -27,6 +35,13 @@ require 'doorkeeper/oauth/base_request'
 require 'doorkeeper/oauth/authorization_code_request'
 require 'doorkeeper/oauth/refresh_token_request'
 require 'doorkeeper/oauth/password_access_token_request'
+
+require 'doorkeeper/oauth/client_credentials/validation'
+require 'doorkeeper/oauth/client_credentials/creator'
+require 'doorkeeper/oauth/client_credentials/issuer'
+require 'doorkeeper/oauth/client_credentials/validation'
+require 'doorkeeper/oauth/client/credentials'
+
 require 'doorkeeper/oauth/client_credentials_request'
 require 'doorkeeper/oauth/code_request'
 require 'doorkeeper/oauth/token_request'

data/lib/doorkeeper/config.rb

@@ -103,9 +103,12 @@ module Doorkeeper
         @config.instance_variable_set(:@access_token_methods, methods)
       end
 
-      # Issue access tokens with refresh token (disabled by default)
-      def use_refresh_token
-        @config.instance_variable_set(:@refresh_token_enabled, true)
+      # Issue access tokens with refresh token (disabled if not set)
+      def use_refresh_token(enabled = true, &block)
+        @config.instance_variable_set(
+          :@refresh_token_enabled,
+          block ? block : enabled
+        )
       end
 
       # Reuse access token for the same resource owner within an application
@@ -207,7 +210,13 @@ module Doorkeeper
 
     option :admin_authenticator,
            as: :authenticate_admin,
-           default: ->(_routes) {}
+           default: (lambda do |_routes|
+             ::Rails.logger.warn(
+               I18n.t('doorkeeper.errors.messages.admin_authenticator_not_configured')
+             )
+
+             head :forbidden
+           end)
 
     option :resource_owner_from_credentials,
            default: (lambda do |_routes|
@@ -289,7 +298,11 @@ module Doorkeeper
     end
 
     def refresh_token_enabled?
-      !!(defined?(@refresh_token_enabled) && @refresh_token_enabled)
+      if defined?(@refresh_token_enabled)
+        @refresh_token_enabled
+      else
+        false
+      end
     end
 
     def enforce_configured_scopes?

data/lib/doorkeeper/models/access_grant_mixin.rb

@@ -31,6 +31,21 @@ module Doorkeeper
         find_by(token: token.to_s)
       end
 
+      # Revokes AccessGrant records that have not been revoked and associated
+      # with the specific Application and Resource Owner.
+      #
+      # @param application_id [Integer]
+      #   ID of the Application
+      # @param resource_owner [ActiveRecord::Base]
+      #   instance of the Resource Owner model
+      #
+      def revoke_all_for(application_id, resource_owner, clock = Time)
+        where(application_id: application_id,
+              resource_owner_id: resource_owner.id,
+              revoked_at: nil).
+          update_all(revoked_at: clock.now.utc)
+      end
+
       # Implements PKCE code_challenge encoding without base64 padding as described in the spec.
       # https://tools.ietf.org/html/rfc7636#appendix-A
       #   Appendix A.  Notes on Implementing Base64url Encoding without Padding

data/lib/doorkeeper/models/access_token_mixin.rb

@@ -187,8 +187,8 @@ module Doorkeeper
     def as_json(_options = {})
       {
         resource_owner_id:  resource_owner_id,
-        scopes:             scopes,
-        expires_in_seconds: expires_in_seconds,
+        scope:              scopes,
+        expires_in:         expires_in_seconds,
         application:        { uid: application.try(:uid) },
         created_at:         created_at.to_i
       }

data/lib/doorkeeper/oauth/authorization/token.rb

@@ -5,30 +5,37 @@ module Doorkeeper
         attr_accessor :pre_auth, :resource_owner, :token
 
         class << self
-          def access_token_expires_in(server, pre_auth_or_oauth_client, grant_type, scopes)
-            if (expiration = custom_expiration(server, pre_auth_or_oauth_client, grant_type, scopes))
-              expiration
-            else
-              server.access_token_expires_in
-            end
-          end
-
-          private
-
-          def custom_expiration(server, pre_auth_or_oauth_client, grant_type, scopes)
+          def build_context(pre_auth_or_oauth_client, grant_type, scopes)
             oauth_client = if pre_auth_or_oauth_client.respond_to?(:client)
                              pre_auth_or_oauth_client.client
                            else
                              pre_auth_or_oauth_client
                            end
-            context = Doorkeeper::OAuth::Authorization::Context.new(
+
+            Doorkeeper::OAuth::Authorization::Context.new(
               oauth_client,
               grant_type,
               scopes
             )
+          end
+
+          def access_token_expires_in(server, context)
+            if (expiration = server.custom_access_token_expires_in.call(context))
+              expiration
+            else
+              server.access_token_expires_in
+            end
+          end
 
-            server.custom_access_token_expires_in.call(context)
+          def refresh_token_enabled?(server, context)
+            if server.refresh_token_enabled?.respond_to? :call
+              server.refresh_token_enabled?.call(context)
+            else
+              !!server.refresh_token_enabled?
+            end
           end
+
+          private
         end
 
         def initialize(pre_auth, resource_owner)
@@ -37,16 +44,16 @@ module Doorkeeper
         end
 
         def issue_token
+          context = self.class.build_context(
+            pre_auth.client,
+            Doorkeeper::OAuth::IMPLICIT,
+            pre_auth.scopes
+          )
           @token ||= AccessToken.find_or_create_for(
             pre_auth.client,
             resource_owner.id,
             pre_auth.scopes,
-            self.class.access_token_expires_in(
-              configuration,
-              pre_auth,
-              Doorkeeper::OAuth::IMPLICIT,
-              pre_auth.scopes
-            ),
+            self.class.access_token_expires_in(configuration, context),
             false
           )
         end

data/lib/doorkeeper/oauth/base_request.rb

@@ -31,12 +31,13 @@ module Doorkeeper
       end
 
       def find_or_create_access_token(client, resource_owner_id, scopes, server)
+        context = Authorization::Token.build_context(client, grant_type, scopes)
         @access_token = AccessToken.find_or_create_for(
           client,
           resource_owner_id,
           scopes,
-          Authorization::Token.access_token_expires_in(server, client, grant_type, scopes),
-          server.refresh_token_enabled?
+          Authorization::Token.access_token_expires_in(server, context),
+          Authorization::Token.refresh_token_enabled?(server, context)
         )
       end
 

data/lib/doorkeeper/oauth/client.rb

@@ -1,5 +1,3 @@
-require 'doorkeeper/oauth/client/credentials'
-
 module Doorkeeper
   module OAuth
     class Client

data/lib/doorkeeper/oauth/client_credentials/issuer.rb

@@ -1,5 +1,3 @@
-require 'doorkeeper/oauth/client_credentials/validation'
-
 module Doorkeeper
   module OAuth
     class ClientCredentialsRequest < BaseRequest
@@ -25,12 +23,12 @@ module Doorkeeper
         private
 
         def create_token(client, scopes, creator)
-          ttl = Authorization::Token.access_token_expires_in(
-            @server,
+          context = Authorization::Token.build_context(
             client,
             Doorkeeper::OAuth::CLIENT_CREDENTIALS,
             scopes
           )
+          ttl = Authorization::Token.access_token_expires_in(@server, context)
 
           creator.call(
             client,

data/lib/doorkeeper/oauth/client_credentials/validation.rb

@@ -1,7 +1,3 @@
-require 'doorkeeper/validations'
-require 'doorkeeper/oauth/scopes'
-require 'doorkeeper/oauth/helpers/scope_checker'
-
 module Doorkeeper
   module OAuth
     class ClientCredentialsRequest < BaseRequest

data/lib/doorkeeper/oauth/client_credentials_request.rb

@@ -1,7 +1,3 @@
-require 'doorkeeper/oauth/client_credentials/creator'
-require 'doorkeeper/oauth/client_credentials/issuer'
-require 'doorkeeper/oauth/client_credentials/validation'
-
 module Doorkeeper
   module OAuth
     class ClientCredentialsRequest < BaseRequest

data/lib/doorkeeper/oauth/refresh_token_request.rb

@@ -65,12 +65,12 @@ module Doorkeeper
       end
 
       def access_token_expires_in
-        Authorization::Token.access_token_expires_in(
-          server,
+        context = Authorization::Token.build_context(
           client,
           Doorkeeper::OAuth::REFRESH_TOKEN,
           scopes
         )
+        Authorization::Token.access_token_expires_in(server, context)
       end
 
       def validate_token_presence

data/lib/doorkeeper/orm/active_record/application.rb

@@ -34,6 +34,17 @@ module Doorkeeper
       where(id: resource_access_tokens.select(:application_id).distinct)
     end
 
+    # Revokes AccessToken and AccessGrant records that have not been revoked and
+    # associated with the specific Application and Resource Owner.
+    #
+    # @param resource_owner [ActiveRecord::Base]
+    #   instance of the Resource Owner model
+    #
+    def self.revoke_tokens_and_grants_for(id, resource_owner)
+      AccessToken.revoke_all_for(id, resource_owner)
+      AccessGrant.revoke_all_for(id, resource_owner)
+    end
+
     private
 
     def generate_uid

data/lib/doorkeeper/request.rb

@@ -1,10 +1,3 @@
-require 'doorkeeper/request/authorization_code'
-require 'doorkeeper/request/client_credentials'
-require 'doorkeeper/request/code'
-require 'doorkeeper/request/password'
-require 'doorkeeper/request/refresh_token'
-require 'doorkeeper/request/token'
-
 module Doorkeeper
   module Request
     class << self

data/lib/doorkeeper/request/authorization_code.rb

@@ -1,5 +1,3 @@
-require 'doorkeeper/request/strategy'
-
 module Doorkeeper
   module Request
     class AuthorizationCode < Strategy

data/lib/doorkeeper/request/client_credentials.rb

@@ -1,5 +1,3 @@
-require 'doorkeeper/request/strategy'
-
 module Doorkeeper
   module Request
     class ClientCredentials < Strategy

data/lib/doorkeeper/request/code.rb

@@ -1,5 +1,3 @@
-require 'doorkeeper/request/strategy'
-
 module Doorkeeper
   module Request
     class Code < Strategy

data/lib/doorkeeper/request/password.rb

@@ -1,5 +1,3 @@
-require 'doorkeeper/request/strategy'
-
 module Doorkeeper
   module Request
     class Password < Strategy

data/lib/doorkeeper/request/refresh_token.rb

@@ -1,5 +1,3 @@
-require 'doorkeeper/request/strategy'
-
 module Doorkeeper
   module Request
     class RefreshToken < Strategy

data/lib/doorkeeper/request/token.rb

@@ -1,5 +1,3 @@
-require 'doorkeeper/request/strategy'
-
 module Doorkeeper
   module Request
     class Token < Strategy

data/lib/doorkeeper/version.rb

@@ -8,7 +8,7 @@ module Doorkeeper
     MAJOR = 5
     MINOR = 0
     TINY = 0
-    PRE = 'rc1'
+    PRE = 'rc2'
 
     # Full version number
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

data/lib/generators/doorkeeper/templates/initializer.rb

@@ -10,13 +10,20 @@ Doorkeeper.configure do
     #   User.find_by_id(session[:user_id]) || redirect_to(new_user_session_url)
   end
 
-  # If you want to restrict access to the web interface for adding oauth authorized applications,
-  # you need to declare the block below.
+  # If you didn't skip applications controller from Doorkeeper routes in your application routes.rb
+  # file then you need to declare this block in order to restrict access to the web interface for
+  # adding oauth authorized applications. In other case it will return 403 Forbidden response
+  # every time somebody will try to access the admin web interface.
   #
   # admin_authenticator do
   #   # Put your admin authentication logic here.
   #   # Example implementation:
-  #   Admin.find_by_id(session[:admin_id]) || redirect_to(new_admin_session_url)
+  #
+  #   if current_user
+  #     head :forbidden unless current_user.admin?
+  #   else
+  #     redirect_to sign_in_url
+  #   end
   # end
 
   # If you are planning to use Doorkeeper in Rails 5 API-only application, then you might
@@ -66,7 +73,14 @@ Doorkeeper.configure do
   #
   # reuse_access_token
 
-  # Issue access tokens with refresh token (disabled by default)
+  # Issue access tokens with refresh token (disabled by default), you may also
+  # pass a block which accepts `context` to customize when to give a refresh
+  # token or not. Similar to `custom_access_token_expires_in`, `context` has
+  # the properties:
+  #
+  # `client` - the OAuth client application (see Doorkeeper::OAuth::Client)
+  # `grant_type` - the grant type of the request (see Doorkeeper::OAuth)
+  # `scopes` - the requested scopes (see Doorkeeper::OAuth::Scopes)
   #
   # use_refresh_token
 

data/spec/controllers/authorizations_controller_spec.rb

@@ -387,6 +387,33 @@ describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
     end
   end
 
+  describe 'GET #new in API mode with errors' do
+    let(:response_json_body) { JSON.parse(response.body) }
+
+    before do
+      default_scopes_exist :public
+      allow(Doorkeeper.configuration).to receive(:api_only).and_return(true)
+      get :new, params: { an_invalid: 'request' }
+    end
+
+    it 'should render bad request' do
+      expect(response).to have_http_status(:bad_request)
+    end
+
+    it 'includes error in body' do
+      expect(response_json_body['error']).to eq('unsupported_response_type')
+    end
+
+    it 'includes error description in body' do
+      expect(response_json_body['error_description']).to eq(translated_error_message(:unsupported_response_type))
+    end
+
+    it 'does not issue any token' do
+      expect(Doorkeeper::AccessGrant.count).to eq 0
+      expect(Doorkeeper::AccessToken.count).to eq 0
+    end
+  end
+
   describe 'GET #new with callbacks' do
     after do
       client.update_attribute :redirect_uri, 'urn:ietf:wg:oauth:2.0:oob'

data/spec/controllers/tokens_controller_spec.rb

@@ -56,15 +56,67 @@ describe Doorkeeper::TokensController do
     end
   end
 
-  describe 'when revoke authorization has failed' do
-    # http://tools.ietf.org/html/rfc7009#section-2.2
-    it 'returns no error response' do
-      token = double(:token, authorize: false, application_id?: true)
-      allow(controller).to receive(:token) { token }
+  # http://tools.ietf.org/html/rfc7009#section-2.2
+  describe 'revoking tokens' do
+    let(:client) { FactoryBot.create(:application) }
+    let(:access_token) { FactoryBot.create(:access_token, application: client) }
+
+    before(:each) do
+      allow(controller).to receive(:token) { access_token }
+    end
+
+    context 'when associated app is public' do
+      let(:client) { FactoryBot.create(:application, confidential: false) }
+
+      it 'returns 200' do
+        post :revoke
+
+        expect(response.status).to eq 200
+      end
+
+      it 'revokes the access token' do
+        post :revoke
+
+        expect(access_token.reload).to have_attributes(revoked?: true)
+      end
+    end
+
+    context 'when associated app is confidential' do
+      let(:client) { FactoryBot.create(:application, confidential: true) }
+      let(:oauth_client) { Doorkeeper::OAuth::Client.new(client) }
 
-      post :revoke
+      before(:each) do
+        allow_any_instance_of(Doorkeeper::Server).to receive(:client) { oauth_client }
+      end
+
+      it 'returns 200' do
+        post :revoke
+
+        expect(response.status).to eq 200
+      end
+
+      it 'revokes the access token' do
+        post :revoke
+
+        expect(access_token.reload).to have_attributes(revoked?: true)
+      end
+
+      context 'when authorization fails' do
+        let(:some_other_client) { FactoryBot.create(:application, confidential: true) }
+        let(:oauth_client) { Doorkeeper::OAuth::Client.new(some_other_client) }
+
+        it 'returns 200' do
+          post :revoke
 
-      expect(response.status).to eq 200
+          expect(response.status).to eq 200
+        end
+
+        it 'does not revoke the access token' do
+          post :revoke
+
+          expect(access_token.reload).to have_attributes(revoked?: false)
+        end
+      end
     end
   end
 

data/spec/dummy/config/initializers/doorkeeper.rb

@@ -8,7 +8,11 @@ Doorkeeper.configure do
     User.where(id: session[:user_id]).first || redirect_to(root_url, alert: 'Needs sign in.')
   end
 
-  # If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below.
+  # If you didn't skip applications controller from Doorkeeper routes in your application routes.rb
+  # file then you need to declare this block in order to restrict access to the web interface for
+  # adding oauth authorized applications. In other case it will return 403 Forbidden response
+  # every time somebody will try to access the admin web interface.
+  #
   # admin_authenticator do
   #   # Put your admin authentication logic here.
   #   # Example implementation:

data/spec/lib/config_spec.rb

@@ -66,6 +66,17 @@ describe Doorkeeper, 'configuration' do
   end
 
   describe 'admin_authenticator' do
+    it 'sets the block that is accessible via authenticate_admin' do
+      default_behaviour = 'default behaviour'
+      allow(Doorkeeper::Config).to receive(:head).and_return(default_behaviour)
+
+      Doorkeeper.configure do
+        orm DOORKEEPER_ORM
+      end
+
+      expect(subject.authenticate_admin.call({})).to eq(default_behaviour)
+    end
+
     it 'sets the block that is accessible via authenticate_admin' do
       block = proc {}
       Doorkeeper.configure do
@@ -144,6 +155,24 @@ describe Doorkeeper, 'configuration' do
       expect(subject.refresh_token_enabled?).to eq(true)
     end
 
+    it 'can accept a boolean parameter' do
+      Doorkeeper.configure do
+        orm DOORKEEPER_ORM
+        use_refresh_token false
+      end
+
+      expect(subject.refresh_token_enabled?).to eq(false)
+    end
+
+    it 'can accept a block parameter' do
+      Doorkeeper.configure do
+        orm DOORKEEPER_ORM
+        use_refresh_token { |_context| nil }
+      end
+
+      expect(subject.refresh_token_enabled?).to be_a(Proc)
+    end
+
     it "does not includes 'refresh_token' in authorization_response_types" do
       expect(subject.token_grant_types).not_to include 'refresh_token'
     end

data/spec/lib/oauth/base_request_spec.rb

@@ -119,6 +119,30 @@ module Doorkeeper::OAuth
         )
         expect(result.expires_in).to eql(500)
       end
+
+      it "respects use_refresh_token with a block" do
+        server = double(:server,
+                        access_token_expires_in: 100,
+                        custom_access_token_expires_in: ->(_context) { nil },
+                        refresh_token_enabled?: lambda { |context|
+                          context.scopes == "public"
+                        })
+        result = subject.find_or_create_access_token(
+          client,
+          "1",
+          "public",
+          server
+        )
+        expect(result.refresh_token).to_not be_nil
+
+        result = subject.find_or_create_access_token(
+          client,
+          "1",
+          "private",
+          server
+        )
+        expect(result.refresh_token).to be_nil
+      end
     end
 
     describe "#scopes" do

data/spec/models/doorkeeper/access_grant_spec.rb

@@ -33,4 +33,47 @@ describe Doorkeeper::AccessGrant do
       expect(subject).not_to be_valid
     end
   end
+
+  describe '.revoke_all_for' do
+    let(:resource_owner) { double(id: 100) }
+    let(:application) { FactoryBot.create :application }
+    let(:default_attributes) do
+      {
+        application: application,
+        resource_owner_id: resource_owner.id
+      }
+    end
+
+    it 'revokes all tokens for given application and resource owner' do
+      FactoryBot.create :access_grant, default_attributes
+
+      described_class.revoke_all_for(application.id, resource_owner)
+
+      described_class.all.each do |token|
+        expect(token).to be_revoked
+      end
+    end
+
+    it 'matches application' do
+      access_grant_for_different_app = FactoryBot.create(
+        :access_grant,
+        default_attributes.merge(application: FactoryBot.create(:application))
+      )
+
+      described_class.revoke_all_for(application.id, resource_owner)
+
+      expect(access_grant_for_different_app.reload).not_to be_revoked
+    end
+
+    it 'matches resource owner' do
+      access_grant_for_different_owner = FactoryBot.create(
+        :access_grant,
+        default_attributes.merge(resource_owner_id: 90)
+      )
+
+      described_class.revoke_all_for application.id, resource_owner
+
+      expect(access_grant_for_different_owner.reload).not_to be_revoked
+    end
+  end
 end

data/spec/models/doorkeeper/access_token_spec.rb

@@ -306,15 +306,25 @@ module Doorkeeper
       end
 
       it 'matches application' do
-        FactoryBot.create :access_token, default_attributes.merge(application: FactoryBot.create(:application))
+        access_token_for_different_app = FactoryBot.create(
+          :access_token,
+          default_attributes.merge(application: FactoryBot.create(:application))
+        )
+
         AccessToken.revoke_all_for application.id, resource_owner
-        expect(AccessToken.all).not_to be_empty
+
+        expect(access_token_for_different_app.reload).not_to be_revoked
       end
 
       it 'matches resource owner' do
-        FactoryBot.create :access_token, default_attributes.merge(resource_owner_id: 90)
+        access_token_for_different_owner = FactoryBot.create(
+          :access_token,
+          default_attributes.merge(resource_owner_id: 90)
+        )
+
         AccessToken.revoke_all_for application.id, resource_owner
-        expect(AccessToken.all).not_to be_empty
+
+        expect(access_token_for_different_owner.reload).not_to be_revoked
       end
     end
 
@@ -440,8 +450,8 @@ module Doorkeeper
         token = FactoryBot.create :access_token
         token_hash = {
           resource_owner_id:  token.resource_owner_id,
-          scopes:             token.scopes,
-          expires_in_seconds: token.expires_in_seconds,
+          scope:              token.scopes,
+          expires_in:         token.expires_in_seconds,
           application:        { uid: token.application.uid },
           created_at:         token.created_at.to_i
         }

data/spec/models/doorkeeper/application_spec.rb

@@ -206,6 +206,19 @@ module Doorkeeper
       end
     end
 
+    describe :revoke_tokens_and_grants_for do
+      it 'revokes all access tokens and access grants' do
+        application_id = 42
+        resource_owner = double
+        expect(Doorkeeper::AccessToken).
+          to receive(:revoke_all_for).with(application_id, resource_owner)
+        expect(Doorkeeper::AccessGrant).
+          to receive(:revoke_all_for).with(application_id, resource_owner)
+
+        Application.revoke_tokens_and_grants_for(application_id, resource_owner)
+      end
+    end
+
     describe :by_uid_and_secret do
       context "when application is private/confidential" do
         it "finds the application via uid/secret" do

data/spec/requests/applications/applications_request_spec.rb

@@ -3,6 +3,7 @@ require 'spec_helper'
 feature 'Adding applications' do
   context 'in application form' do
     background do
+      i_am_logged_in
       visit '/oauth/applications/new'
     end
 
@@ -96,12 +97,15 @@ end
 
 feature 'Listing applications' do
   background do
+    i_am_logged_in
+
     FactoryBot.create :application, name: 'Oauth Dude'
     FactoryBot.create :application, name: 'Awesome App'
   end
 
   scenario 'application list' do
     visit '/oauth/applications'
+
     i_should_see 'Awesome App'
     i_should_see 'Oauth Dude'
   end
@@ -126,11 +130,14 @@ end
 
 feature 'Show application' do
   given :app do
+    i_am_logged_in
+
     FactoryBot.create :application, name: 'Just another oauth app'
   end
 
   scenario 'visiting application page' do
     visit "/oauth/applications/#{app.id}"
+
     i_should_see 'Just another oauth app'
   end
 end
@@ -141,12 +148,15 @@ feature 'Edit application' do
   end
 
   background do
+    i_am_logged_in
+
     visit "/oauth/applications/#{app.id}/edit"
   end
 
   scenario 'updating a valid app' do
     fill_in 'doorkeeper_application[name]', with: 'Serious app'
     click_button 'Submit'
+
     i_should_see 'Application updated'
     i_should_see 'Serious app'
     i_should_not_see 'OMG my app'
@@ -155,21 +165,27 @@ feature 'Edit application' do
   scenario 'updating an invalid app' do
     fill_in 'doorkeeper_application[name]', with: ''
     click_button 'Submit'
+
     i_should_see 'Whoops! Check your form for possible errors'
   end
 end
 
 feature 'Remove application' do
   background do
+    i_am_logged_in
+
     @app = FactoryBot.create :application
   end
 
   scenario 'deleting an application from list' do
     visit '/oauth/applications'
+
     i_should_see @app.name
+
     within(:css, "tr#application_#{@app.id}") do
       click_button 'Destroy'
     end
+
     i_should_see 'Application deleted'
     i_should_not_see @app.name
   end
@@ -177,6 +193,35 @@ feature 'Remove application' do
   scenario 'deleting an application from show' do
     visit "/oauth/applications/#{@app.id}"
     click_button 'Destroy'
+
     i_should_see 'Application deleted'
   end
 end
+
+context 'when admin authenticator block is default' do
+  let(:app) { FactoryBot.create :application, name: 'app' }
+
+  feature 'application list' do
+    scenario 'fails with forbidden' do
+      visit '/oauth/applications'
+
+      should_have_status 403
+    end
+  end
+
+  feature 'adding an app' do
+    scenario 'fails with forbidden' do
+      visit '/oauth/applications/new'
+
+      should_have_status 403
+    end
+  end
+
+  feature 'editing an app' do
+    scenario 'fails with forbidden' do
+      visit "/oauth/applications/#{app.id}/edit"
+
+      should_have_status 403
+    end
+  end
+end

data/spec/support/helpers/request_spec_helper.rb

@@ -1,4 +1,8 @@
 module RequestSpecHelper
+  def i_am_logged_in
+    allow(Doorkeeper.configuration).to receive(:authenticate_admin).and_return(->(*) {})
+  end
+
   def i_should_see(content)
     expect(page).to have_content(content)
   end
@@ -39,6 +43,10 @@ module RequestSpecHelper
     expect(headers[header]).to eq(value)
   end
 
+  def should_have_status(status)
+    expect(page.driver.response.status).to eq(status)
+  end
+
   def with_access_token_header(token)
     with_header 'Authorization', "Bearer #{token}"
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper
 version: !ruby/object:Gem::Version
-  version: 5.0.0.rc1
+  version: 5.0.0.rc2
 platform: ruby
 authors:
 - Felipe Elias Philipp
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-06-11 00:00:00.000000000 Z
+date: 2018-07-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -31,16 +31,16 @@ dependencies:
   name: capybara
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.18'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.18'
 - !ruby/object:Gem::Dependency
   name: coveralls
   requirement: !ruby/object:Gem::Requirement
@@ -150,6 +150,7 @@ files:
 - ".github/ISSUE_TEMPLATE.md"
 - ".github/PULL_REQUEST_TEMPLATE.md"
 - ".gitignore"
+- ".gitlab-ci.yml"
 - ".hound.yml"
 - ".rspec"
 - ".rubocop.yml"
@@ -164,6 +165,7 @@ files:
 - RELEASING.md
 - Rakefile
 - SECURITY.md
+- UPGRADE.md
 - app/assets/stylesheets/doorkeeper/admin/application.css
 - app/assets/stylesheets/doorkeeper/application.css
 - app/controllers/doorkeeper/application_controller.rb