doorkeeper 5.0.0 → 5.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: db3333346ca1b82cd7aa332bb1e43f8d979534c0
-  data.tar.gz: 12511ea5d14b0bba28fef47893cc925c9e45ebcd
+  metadata.gz: ca4c29978b53dcffbe1a130f0c14609fb83d838b
+  data.tar.gz: d3e2964493e5a09e680a2f2a8049ab4fad2db52a
 SHA512:
-  metadata.gz: a5265ed62b206c4f9f117c3cbc8e6d905840636297a342ea952e5dfced01f7ce4bd6b59fc7efd6a4f0e6558475c566bf59ba4a793ef3f87942cf8935dde061ba
-  data.tar.gz: 18d2b90ae8e5f2e6e80f518fe0a251c49ba3187fda34c9213f14c0152f301dfd149d11db14dcd94a69bb8048352f8a945107c572cfb3fa03aeabc6d6383b706c
+  metadata.gz: 73f369296eae02dffc8e0611bf6dcfbbdecc7c2ef4b3cd395b3a154ffb579c9ccf442e726cae2c63fc963a84e52c4900242225f90b3d4f7367977747b4047205
+  data.tar.gz: 2af877910b73b8baf2f9f27306fd1a40b5e6cb1a93849a09403607ac9b3420be7b8bd46d7be1c128eec5ad9bdaf003ee6484c16df928bc7df3f80881813cdf35

data/.travis.yml

@@ -23,6 +23,11 @@ gemfile:
 
 matrix:
   fast_finish: true
+  # Run Danger only once
+  include:
+    - rvm: 2.5
+      gemfile: gemfiles/rails_5_2.gemfile
+      script: bundle exec danger
   exclude:
     - gemfile: gemfiles/rails_5_0.gemfile
       rvm: 2.1

data/Dangerfile

@@ -0,0 +1,57 @@
+CHANGELOG_FILE = 'NEWS.md'
+GITHUB_REPO = 'https://github.com/doorkeeper-gem/doorkeeper'
+
+def changelog_changed?
+  git.modified_files.include?(CHANGELOG_FILE) || git.added_files.include?(CHANGELOG_FILE)
+end
+
+def changelog_entry_example
+  pr_number = github.pr_json['number']
+  pr_url = github.pr_json['html_url']
+  pr_title = github.pr_title
+                   .sub(/[?.!,;]?$/, '')
+                   .capitalize
+
+  "- [##{pr_number}](#{pr_url}): #{pr_title}."
+end
+
+# --------------------------------------------------------------------------------------------------------------------
+# Has any changes happened inside the actual library code?
+# --------------------------------------------------------------------------------------------------------------------
+has_app_changes = !git.modified_files.grep(/lib/).empty?
+has_spec_changes = !git.modified_files.grep(/spec/).empty?
+
+# --------------------------------------------------------------------------------------------------------------------
+# You've made changes to lib, but didn't write any tests?
+# --------------------------------------------------------------------------------------------------------------------
+if has_app_changes && !has_spec_changes
+  warn("There're library changes, but not tests. That's OK as long as you're refactoring existing code.", sticky: false)
+end
+
+# --------------------------------------------------------------------------------------------------------------------
+# You've made changes to specs, but no library code has changed?
+# --------------------------------------------------------------------------------------------------------------------
+if !has_app_changes && has_spec_changes
+  message('We really appreciate pull requests that demonstrate issues, even without a fix. That said, the next step is to try and fix the failing tests!', sticky: false)
+end
+
+# Mainly to encourage writing up some reasoning about the PR, rather than
+# just leaving a title
+if github.pr_body.length < 10
+  fail "Please provide a summary in the Pull Request description"
+end
+
+# --------------------------------------------------------------------------------------------------------------------
+# Have you updated CHANGELOG.md?
+# --------------------------------------------------------------------------------------------------------------------
+# Add a CHANGELOG entry for app changes
+if has_app_changes && !changelog_changed?
+  markdown <<-MARKDOWN
+Here's an example of a #{CHANGELOG_FILE} entry:
+```markdown
+#{changelog_entry_example}
+```
+  MARKDOWN
+
+  fail("Please include a changelog entry. \nYou can find it at [#{CHANGELOG_FILE}](#{GITHUB_REPO}/blob/master/#{CHANGELOG_FILE}).")
+end

data/NEWS.md

@@ -7,7 +7,17 @@ User-visible changes worth mentioning.
 
 ## master
 
-- [#PR ID] Add PR description.
+- [#] Add your description here.
+
+## 5.0.1
+
+- [#1140] Allow rendering custom errors from exceptions (issue #844). Originally opened as [#944].
+- [#1138] Revert regression bug (check for token expiration in Authorizations controller so authorization
+  triggers every time)
+- [#1149] Fix for `URIChecker#valid_for_authorization?` false negative when query is blank, but `?` present.
+- [#1151] Fix Refresh Token strategy: add proper validation of client credentials both for Public & Private clients.
+- [#1152] Fix migration template: change resource owner data type from integer to Rails generic `references`
+- [#1154] Refactor `StaleRecordsCleaner` to be ORM agnostic.
 
 ## 5.0.0
 
@@ -43,6 +53,12 @@ User-visible changes worth mentioning.
   `Doorkeeper#installed?` method
 - [#1031] Allow public clients to authenticate without `client_secret`. Define an app as
   either public or private/confidential
+  
+  **[IMPORTANT]**: all the applications (clients) now are considered as private by default.
+    You need to manually change `confidential` column to `false` if you are using public clients,
+    in other case your mobile (or other) applications will not be able to authorize.
+    See [#1142](https://github.com/doorkeeper-gem/doorkeeper/issues/1142) for more details.
+  
 - [#1010] Add configuration to enforce configured scopes (`default_scopes` and
   `optional_scopes`) for applications
 - [#1060] Ensure that the native redirect_uri parameter matches with redirect_uri of the client
@@ -61,6 +77,12 @@ User-visible changes worth mentioning.
 - Fix bug with `force_ssl_in_redirect_uri` when it breaks existing applications with an
   SSL redirect_uri.
   
+## 4.4.3
+  
+- [#1143] Adds a config option `opt_out_native_route_change` to opt out of the breaking api
+  changed introduced in https://github.com/doorkeeper-gem/doorkeeper/pull/1003
+
+  
 ## 4.4.2
 
 - [#1130] Backport fix for native redirect_uri from 5.x.
@@ -73,6 +95,11 @@ User-visible changes worth mentioning.
 ## 4.4.0
   
 - [#1120] Backport security fix from 5.x for token revocation when using public clients
+  
+  **[IMPORTANT]**: all the applications (clients) now are considered as private by default.
+  You need to manually change `confidential` column to `false` if you are using public clients,
+  in other case your mobile (or other) applications will not be able to authorize.
+  See [#1142](https://github.com/doorkeeper-gem/doorkeeper/issues/1142) for more details.
 
 ## 4.3.2
 
@@ -101,6 +128,10 @@ User-visible changes worth mentioning.
 - [#985] Generate valid migration files for Rails >= 5
 - [#972] Replace Struct subclassing with block-form initialization
 - [#1003] Use URL query param to pass through native redirect auth code so automated apps can find it.
+
+  **[IMPORTANT]**: Previously authorization code response route was `/oauth/authorize/<code>`,
+  now it is `oauth/authorize/native?code=<code>` (in order to help applications to automatically find the code value).
+
 - [#868] `Scopes#&` and `Scopes#+` now take an array or any other enumerable
   object.
 - [#1019] Remove translation not in use: `invalid_resource_owner`.

data/README.md

@@ -23,6 +23,9 @@ Supported features:
 - [OAuth 2.0 Token Revocation](http://tools.ietf.org/html/rfc7009)
 - [OAuth 2.0 Token Introspection](https://tools.ietf.org/html/rfc7662)
 
+See [list of tutorials](https://github.com/doorkeeper-gem/doorkeeper/wiki#how-tos--tutorials) in order to
+learn how to use the gem or integrate it with other solutions / gems.
+
 ## Documentation valid for `master` branch
 
 Please check the documentation for the version of doorkeeper you are using in:
@@ -50,6 +53,7 @@ https://github.com/doorkeeper-gem/doorkeeper/releases
   - [Routes](#routes)
   - [Authenticating](#authenticating)
   - [Internationalization (I18n)](#internationalization-i18n)
+  - [Customizing errors](#customizing-errors)
   - [Rake Tasks](#rake-tasks)
 - [Protecting resources with OAuth (a.k.a your API endpoint)](#protecting-resources-with-oauth-aka-your-api-endpoint)
   - [Ruby on Rails controllers](#ruby-on-rails-controllers)
@@ -237,6 +241,14 @@ You may want to check other ways of authentication
 Doorkeeper support multiple languages. See language files in
 [the I18n repository](https://github.com/doorkeeper-gem/doorkeeper-i18n).
 
+### Customizing errors
+
+If you don't want to use default Doorkeeper error responses you can raise and rescue it's
+exceptions. All you need is to set configuration option `handle_auth_errors` to `:raise`.
+In this case Doorkeeper will raise `Doorkeeper::Errors::TokenForbidden`,
+`Doorkeeper::Errors::TokenExpired`, `Doorkeeper::Errors::TokenRevoked` or other exceptions
+that you need to care about.
+
 ### Rake Tasks
 
 If you are using `rake`, you can load rake tasks provided by this gem, by adding
@@ -372,7 +384,7 @@ end
 Please note that there is a logical OR between multiple required scopes. In the
 above example, `doorkeeper_authorize! :admin, :write` means that the access
 token is required to have either `:admin` scope or `:write` scope, but does not
-need have both of them.
+need to have both of them.
 
 If you want to require the access token to have multiple scopes at the same
 time, use multiple `doorkeeper_authorize!`, for example:
@@ -448,8 +460,11 @@ token owner.
 
 ### Applications list
 
-By default, the applications list (`/oauth/applications`) is publicly available.
-To protect the endpoint you should uncomment these lines:
+By default, the applications list (`/oauth/applications`) is publicly available (before 5.0 release).
+Starting from Doorkeeper 5.0 it returns 403 Forbidden if `admin_authenticator` option is not configured
+by developers.
+
+To change the protection rules of this endpoint you should uncomment these lines:
 
 ```ruby
 # config/initializers/doorkeeper.rb

data/app/controllers/doorkeeper/application_controller.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   class ApplicationController <
     Doorkeeper.configuration.base_controller.constantize

data/app/controllers/doorkeeper/application_metal_controller.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   class ApplicationMetalController < ActionController::Metal
     MODULES = [

data/app/controllers/doorkeeper/applications_controller.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   class ApplicationsController < Doorkeeper::ApplicationController
     layout 'doorkeeper/admin' unless Doorkeeper.configuration.api_only
@@ -77,8 +79,8 @@ module Doorkeeper
     end
 
     def application_params
-      params.require(:doorkeeper_application).
-        permit(:name, :redirect_uri, :scopes, :confidential)
+      params.require(:doorkeeper_application)
+        .permit(:name, :redirect_uri, :scopes, :confidential)
     end
   end
 end

data/app/controllers/doorkeeper/authorizations_controller.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   class AuthorizationsController < Doorkeeper::ApplicationController
     before_action :authenticate_resource_owner!
@@ -41,13 +43,11 @@ module Doorkeeper
     end
 
     def matching_token?
-      token = AccessToken.matching_token_for(
+      AccessToken.matching_token_for(
         pre_auth.client,
         current_resource_owner.id,
         pre_auth.scopes
       )
-
-      token && token.accessible?
     end
 
     def redirect_or_render(auth)

data/app/controllers/doorkeeper/authorized_applications_controller.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   class AuthorizedApplicationsController < Doorkeeper::ApplicationController
     before_action :authenticate_resource_owner!

data/app/controllers/doorkeeper/token_info_controller.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   class TokenInfoController < Doorkeeper::ApplicationMetalController
     def show

data/app/controllers/doorkeeper/tokens_controller.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   class TokensController < Doorkeeper::ApplicationMetalController
     def create

data/app/helpers/doorkeeper/dashboard_helper.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module DashboardHelper
     def doorkeeper_errors_for(object, method)

data/app/validators/redirect_uri_validator.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'uri'
 
 class RedirectUriValidator < ActiveModel::EachValidator

data/doorkeeper.gemspec

@@ -2,29 +2,30 @@ $LOAD_PATH.push File.expand_path('../lib', __FILE__)
 
 require 'doorkeeper/version'
 
-Gem::Specification.new do |s|
-  s.name        = 'doorkeeper'
-  s.version     = Doorkeeper.gem_version
-  s.authors     = ['Felipe Elias Philipp', 'Tute Costa', 'Jon Moss', 'Nikita Bulai']
-  s.email       = %w(bulaj.nikita@gmail.com)
-  s.homepage    = 'https://github.com/doorkeeper-gem/doorkeeper'
-  s.summary     = 'OAuth 2 provider for Rails and Grape'
-  s.description = 'Doorkeeper is an OAuth 2 provider for Rails and Grape.'
-  s.license     = 'MIT'
+Gem::Specification.new do |gem|
+  gem.name        = 'doorkeeper'
+  gem.version     = Doorkeeper.gem_version
+  gem.authors     = ['Felipe Elias Philipp', 'Tute Costa', 'Jon Moss', 'Nikita Bulai']
+  gem.email       = %w(bulaj.nikita@gmail.com)
+  gem.homepage    = 'https://github.com/doorkeeper-gem/doorkeeper'
+  gem.summary     = 'OAuth 2 provider for Rails and Grape'
+  gem.description = 'Doorkeeper is an OAuth 2 provider for Rails and Grape.'
+  gem.license     = 'MIT'
 
-  s.files         = `git ls-files`.split("\n")
-  s.test_files    = `git ls-files -- spec/*`.split("\n")
-  s.require_paths = ['lib']
+  gem.files         = `git ls-files`.split("\n")
+  gem.test_files    = `git ls-files -- spec/*`.split("\n")
+  gem.require_paths = ['lib']
 
-  s.add_dependency 'railties', '>= 4.2'
-  s.required_ruby_version = '>= 2.1'
+  gem.add_dependency 'railties', '>= 4.2'
+  gem.required_ruby_version = '>= 2.1'
 
-  s.add_development_dependency 'capybara', '~> 2.18'
-  s.add_development_dependency 'coveralls'
-  s.add_development_dependency 'grape'
-  s.add_development_dependency 'database_cleaner', '~> 1.6'
-  s.add_development_dependency 'factory_bot', '~> 4.8'
-  s.add_development_dependency 'generator_spec', '~> 0.9.3'
-  s.add_development_dependency 'rake', '>= 11.3.0'
-  s.add_development_dependency 'rspec-rails'
+  gem.add_development_dependency 'capybara', '~> 2.18'
+  gem.add_development_dependency 'coveralls'
+  gem.add_development_dependency 'danger', '~> 5.0'
+  gem.add_development_dependency 'grape'
+  gem.add_development_dependency 'database_cleaner', '~> 1.6'
+  gem.add_development_dependency 'factory_bot', '~> 4.8'
+  gem.add_development_dependency 'generator_spec', '~> 0.9.3'
+  gem.add_development_dependency 'rake', '>= 11.3.0'
+  gem.add_development_dependency 'rspec-rails'
 end

data/lib/doorkeeper.rb

@@ -67,6 +67,7 @@ require 'doorkeeper/rails/routes'
 require 'doorkeeper/rails/helpers'
 
 require 'doorkeeper/rake'
+require 'doorkeeper/stale_records_cleaner'
 
 require 'doorkeeper/orm/active_record'
 

data/lib/doorkeeper/config.rb

@@ -107,7 +107,7 @@ module Doorkeeper
       def use_refresh_token(enabled = true, &block)
         @config.instance_variable_set(
           :@refresh_token_enabled,
-          block ? block : enabled
+          block || enabled
         )
       end
 
@@ -177,7 +177,7 @@ module Doorkeeper
             value = if attribute_builder
                       attribute_builder.new(&block).build
                     else
-                      block ? block : args.first
+                      block || args.first
                     end
 
             @config.instance_variable_set(:"@#{attribute}", value)
@@ -239,6 +239,7 @@ module Doorkeeper
     option :native_redirect_uri,            default: 'urn:ietf:wg:oauth:2.0:oob'
     option :active_record_options,          default: {}
     option :grant_flows,                    default: %w[authorization_code client_credentials]
+    option :handle_auth_errors,             default: :render
 
     # Allows to forbid specific Application redirect URI's by custom rules.
     # Doesn't forbid any URI by default.
@@ -317,6 +318,10 @@ module Doorkeeper
       !!(defined?(@confirm_application_owner) && @confirm_application_owner)
     end
 
+    def raise_on_errors?
+      handle_auth_errors == :raise
+    end
+
     def default_scopes
       @default_scopes ||= OAuth::Scopes.new
     end

data/lib/doorkeeper/engine.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   class Engine < Rails::Engine
     initializer "doorkeeper.params.filter" do |app|

data/lib/doorkeeper/errors.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module Errors
     class DoorkeeperError < StandardError
@@ -36,7 +38,22 @@ module Doorkeeper
       end
     end
 
+    class BaseResponseError < DoorkeeperError
+      attr_reader :response
+
+      def initialize(response)
+        @response = response
+      end
+    end
+
     UnableToGenerateToken = Class.new(DoorkeeperError)
     TokenGeneratorNotFound = Class.new(DoorkeeperError)
+    NoOrmCleaner = Class.new(DoorkeeperError)
+
+    InvalidToken = Class.new BaseResponseError
+    TokenExpired = Class.new InvalidToken
+    TokenRevoked = Class.new InvalidToken
+    TokenUnknown = Class.new InvalidToken
+    TokenForbidden = Class.new InvalidToken
   end
 end

data/lib/doorkeeper/grape/authorization_decorator.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module Grape
     class AuthorizationDecorator < SimpleDelegator

data/lib/doorkeeper/grape/helpers.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'doorkeeper/grape/authorization_decorator'
 
 module Doorkeeper

data/lib/doorkeeper/helpers/controller.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # Define methods that can be called in any controller that inherits from
 # Doorkeeper::ApplicationMetalController or Doorkeeper::ApplicationController
 module Doorkeeper