doorkeeper 5.2.0.rc2 → 5.2.0.rc3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 30363aebde1b255fb64b8df11e5d9b1c80f0d896ebb970908f764a8a5fd17fdf
-  data.tar.gz: 129cddd18b7ea164da1387d8a3fef5c40b4be96eca9f141ebb0167a318f28a07
+  metadata.gz: 79deafb0a48421ccce39ffc81a5c78e89c02d53d3759dfd8ec1cc18a8fee9eb1
+  data.tar.gz: 4d31a738a4955f1e7c323aa972a487b85d6050f05d2ceb4f4b8197925371ef1d
 SHA512:
-  metadata.gz: 48f707ac0ee598c6987cf396cc168f57975abe8fbf78ce0479733e1b7fdf35ef6abcd73474f0141c72eee1b08ce8a9f0cf46d866f974c0feea8ae9609cb36d07
-  data.tar.gz: 79c4aa3fdae50be283f3ef78c544554ad5d50d8395d6f6970a41c73a0d46d427b859dd07e38685120d0df9b1016567a3a34b79d882b9b23d6bb470a19c95ecd8
+  metadata.gz: 58fb6a412cb9b9a3e7c89c1aa93edc98380673ff71bd0c0797bb32a1ad89806370c41b3a40ca98f113af922e681deef696f90233bd098fdee30b149cce927e0d
+  data.tar.gz: e32e2d2cdc45a38ca98fcf27bc1a6657077de7cb0a738d07627dd51d5c2237287e736fff3833d1a154346be46286e6ea87b4a16d0e2c4637e58f4d79bce2a45b

data/Appraisals

@@ -16,7 +16,7 @@ appraise "rails-5-2" do
 end
 
 appraise "rails-6-0" do
-  gem "rails", "~> 6.0.0.beta3"
+  gem "rails", "~> 6.0.0.rc2"
   gem "sqlite3", "~> 1.4", platform: %i[ruby mswin mingw x64_mingw]
 
   # TODO: Remove when rspec-rails 4.0 released

data/CHANGELOG.md

@@ -7,7 +7,20 @@ User-visible changes worth mentioning.
 
 ## master
 
-- [#PR ID] Add your description here
+- [#PR ID] Add your description here.
+
+## 5.2.0.rc3
+
+- [#1298] Slice strong params so doesn't error with Rails forms.
+- [#1300] Limiting access to attributes of pre_authorization.
+- [#1296] Adding client_id to strong parameters.
+- [#1293] Move ar specific redirect uri validator to ar orm directory.
+- [#1288] Allow to pass attributes to the `Doorkeeper::OAuth::PreAuthorization#as_json` method to customize
+  the PreAuthorization response.
+- [#1286] Add ability to customize grant flows per application (OAuth client) (#1245 , #1207)
+- [#1283] Allow to customize base class for `Doorkeeper::ApplicationMetalController` (new configuration
+  option called `base_metal_controller` (fix #1273).
+- [#1277] Prevent requested scope be empty on authorization request, handle and add description for invalid request.
 
 ## 5.2.0.rc2
 
@@ -20,7 +33,7 @@ User-visible changes worth mentioning.
 
 ## 5.2.0.rc1
 
-- [#1260], [#1261] Improve Token Introspection configuration option (access to tokens, client).
+- [#1260], [#1262] Improve Token Introspection configuration option (access to tokens, client).
 - [#1257] Add constraint configuration when using client authentication on introspection endpoint.
 - [#1252] Returning `unauthorized` when the revocation of the token should not be performed due to wrong permissions.
 - [#1249] Specify case sensitive uniqueness to remove Rails 6 deprecation message

data/Gemfile

@@ -5,7 +5,7 @@ git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 
 gemspec
 
-gem "rails", "~> 6.0.0.rc1"
+gem "rails", "~> 6.0.0.rc2"
 
 # TODO: Remove when rspec-rails 4.0 released
 gem "rspec-core", github: "rspec/rspec-core"

data/README.md

@@ -21,10 +21,11 @@ Supported features:
   - [Implicit grant](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.2)
   - [Resource Owner Password Credentials](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.3)
   - [Client Credentials](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.4)
-  - [Proof Key for Code Exchange](https://tools.ietf.org/html/rfc7636)
 - [OAuth 2.0 Token Revocation](http://tools.ietf.org/html/rfc7009)
 - [OAuth 2.0 Token Introspection](https://tools.ietf.org/html/rfc7662)
 - [OAuth 2.0 Threat Model and Security Considerations](http://tools.ietf.org/html/rfc6819)
+- [OAuth 2.0 for Native Apps](https://tools.ietf.org/html/draft-ietf-oauth-native-apps-10)
+- [Proof Key for Code Exchange by OAuth Public Clients](https://tools.ietf.org/html/rfc7636)
 
 ## Table of Contents
 
@@ -93,6 +94,7 @@ Doorkeeper supports Active Record by default, but can be configured to work with
 | MongoDB | [doorkeeper-gem/doorkeeper-mongodb](https://github.com/doorkeeper-gem/doorkeeper-mongodb) |
 | Sequel | [nbulaj/doorkeeper-sequel](https://github.com/nbulaj/doorkeeper-sequel) |
 | Couchbase | [acaprojects/doorkeeper-couchbase](https://github.com/acaprojects/doorkeeper-couchbase) |
+| RethinkDB | [aca-labs/doorkeeper-rethinkdb](https://github.com/aca-labs/doorkeeper-rethinkdb) |
 
 ## Extensions
 
@@ -136,6 +138,12 @@ Support this project by becoming a sponsor. Your logo will show up here with a l
 
 > If you prefer not to deal with the gory details of OAuth 2, need dedicated customer support & consulting, try the cloud-based SaaS version: [https://oauth.io](https://oauth.io/?utm_source=doorkeeper-gem)
 
+<br>
+
+<a href="https://www.wealthsimple.com/?utm_source=doorkeeper-gem" target="_blank"><img src="https://wealthsimple.s3.amazonaws.com/branding/medium-black.svg"/></a>
+
+> Wealthsimple is a financial company on a mission to help everyone achieve financial freedom by providing products and advice that are accessible and affordable. Using smart technology, Wealthsimple takes financial services that are often confusing, opaque and expensive and makes them simple, transparent, and low-cost. See what Investing on Autopilot is all about: [https://www.wealthsimple.com](https://www.wealthsimple.com/?utm_source=doorkeeper-gem)
+
 ## Development
 
 To run the local engine server:

data/app/controllers/doorkeeper/application_metal_controller.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module Doorkeeper
-  class ApplicationMetalController < ActionController::API
+  class ApplicationMetalController < Doorkeeper.configuration.base_metal_controller.constantize
     include Helpers::Controller
 
     before_action :enforce_content_type,

data/app/controllers/doorkeeper/authorizations_controller.rb

@@ -12,7 +12,6 @@ module Doorkeeper
       end
     end
 
-    # TODO: Handle raise invalid authorization
     def create
       redirect_or_render authorize_response
     end
@@ -66,14 +65,16 @@ module Doorkeeper
     end
 
     def pre_auth
-      @pre_auth ||= OAuth::PreAuthorization.new(Doorkeeper.configuration,
-                                                server.client_via_uid,
-                                                pre_auth_params)
+      @pre_auth ||= OAuth::PreAuthorization.new(Doorkeeper.configuration, pre_auth_params)
     end
 
     def pre_auth_params
-      params.permit(:response_type, :redirect_uri, :scope, :state,
-                    :code_challenge, :code_challenge_method)
+      params.slice(*pre_auth_param_fields).permit(*pre_auth_param_fields)
+    end
+
+    def pre_auth_param_fields
+      %i[client_id response_type redirect_uri scope state code_challenge
+         code_challenge_method]
     end
 
     def authorization
@@ -86,10 +87,11 @@ module Doorkeeper
 
     def authorize_response
       @authorize_response ||= begin
-        authorizable = pre_auth.authorizable?
-        before_successful_authorization if authorizable
+        return pre_auth.error_response unless pre_auth.authorizable?
+
+        before_successful_authorization
         auth = strategy.authorize
-        after_successful_authorization if authorizable
+        after_successful_authorization
         auth
       end
     end

data/config/locales/en.yml

@@ -88,7 +88,11 @@ en:
     errors:
       messages:
         # Common error messages
-        invalid_request: 'The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed.'
+        invalid_request:
+          unknown: 'The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed.'
+          missing_param: 'Missing required parameter: #{value}.'
+          not_support_pkce: 'Invalid code_verifier parameter. Server does not support pkce.'
+          request_not_authorized: 'Request need to be authorized. Required parameter for authorizing request is missing or invalid.'
         invalid_redirect_uri: "The requested redirect uri is malformed or doesn't match client redirect URI."
         unauthorized_client: 'The client is not authorized to perform this request using this method.'
         access_denied: 'The resource owner or authorization server denied the request.'

data/doorkeeper.gemspec

@@ -18,6 +18,14 @@ Gem::Specification.new do |gem|
   gem.test_files    = `git ls-files -- spec/*`.split("\n")
   gem.require_paths = ["lib"]
 
+  gem.metadata = {
+    "homepage_uri" => "https://github.com/doorkeeper-gem/doorkeeper",
+    "changelog_uri" => "https://github.com/doorkeeper-gem/doorkeeper/blob/master/CHANGELOG.md",
+    "source_code_uri" => "https://github.com/doorkeeper-gem/doorkeeper",
+    "bug_tracker_uri" => "https://github.com/doorkeeper-gem/doorkeeper/issues",
+    "documentation_uri" => "https://doorkeeper.gitbook.io/guides/",
+  }
+
   gem.add_dependency "railties", ">= 5"
   gem.required_ruby_version = ">= 2.4"
 

data/gemfiles/rails_6_0.gemfile

@@ -2,7 +2,7 @@
 
 source "https://rubygems.org"
 
-gem "rails", "~> 6.0.0.rc1"
+gem "rails", "~> 6.0.0.rc2"
 gem "rspec-core", git: "https://github.com/rspec/rspec-core.git"
 gem "rspec-expectations", git: "https://github.com/rspec/rspec-expectations.git"
 gem "rspec-mocks", git: "https://github.com/rspec/rspec-mocks.git"

data/lib/doorkeeper.rb

@@ -52,6 +52,7 @@ require "doorkeeper/oauth/token"
 require "doorkeeper/oauth/token_introspection"
 require "doorkeeper/oauth/invalid_token_response"
 require "doorkeeper/oauth/forbidden_token_response"
+require "doorkeeper/oauth/invalid_request_response"
 require "doorkeeper/oauth/nonstandard"
 
 require "doorkeeper/secret_storing/base"

data/lib/doorkeeper/config.rb

@@ -259,6 +259,32 @@ module Doorkeeper
     option :grant_flows,                    default: %w[authorization_code client_credentials]
     option :handle_auth_errors,             default: :render
 
+    # Allows to customize OAuth grant flows that +each+ application support.
+    # You can configure a custom block (or use a class respond to `#call`) that must
+    # return `true` in case Application instance supports requested OAuth grant flow
+    # during the authorization request to the server. This configuration +doesn't+
+    # set flows per application, it only allows to check if application supports
+    # specific grant flow.
+    #
+    # For example you can add an additional database column to `oauth_applications` table,
+    # say `t.array :grant_flows, default: []`, and store allowed grant flows that can
+    # be used with this application there. Then when authorization requested Doorkeeper
+    # will call this block to check if specific Application (passed with client_id and/or
+    # client_secret) is allowed to perform the request for the specific grant type
+    # (authorization, password, client_credentials, etc).
+    #
+    # Example of the block:
+    #
+    #   ->(flow, client) { client.grant_flows.include?(flow) }
+    #
+    # In case this option invocation result is `false`, Doorkeeper server returns
+    # :unauthorized_client error and stops the request.
+    #
+    # @param allow_grant_flow_for_client [Proc] Block or any object respond to #call
+    # @return [Boolean] `true` if allow or `false` if forbid the request
+    #
+    option :allow_grant_flow_for_client,    default: ->(_grant_flow, _client) { true }
+
     # Allows to forbid specific Application redirect URI's by custom rules.
     # Doesn't forbid any URI by default.
     #
@@ -288,7 +314,7 @@ module Doorkeeper
     option :force_ssl_in_redirect_uri,      default: !Rails.env.development?
 
     # Use a custom class for generating the access token.
-    # https://github.com/doorkeeper-gem/doorkeeper#custom-access-token-generator
+    # https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-access-token-generator
     #
     # @param access_token_generator [String]
     #   the name of the access token generator class
@@ -306,12 +332,19 @@ module Doorkeeper
 
     # The controller Doorkeeper::ApplicationController inherits from.
     # Defaults to ActionController::Base.
-    # https://github.com/doorkeeper-gem/doorkeeper#custom-base-controller
+    # https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-base-controller
     #
     # @param base_controller [String] the name of the base controller
     option :base_controller,
            default: "ActionController::Base"
 
+    # The controller Doorkeeper::ApplicationMetalController inherits from.
+    # Defaults to ActionController::API.
+    #
+    # @param base_metal_controller [String] the name of the base controller
+    option :base_metal_controller,
+           default: "ActionController::API"
+
     # Allows to set blank redirect URIs for Applications in case
     # server configured to use URI-less grant flows.
     #
@@ -452,6 +485,12 @@ module Doorkeeper
       end
     end
 
+    def allow_grant_flow_for_client?(grant_flow, client)
+      return true unless option_defined?(:allow_grant_flow_for_client)
+
+      allow_grant_flow_for_client.call(grant_flow, client)
+    end
+
     def option_defined?(name)
       instance_variable_defined?("@#{name}")
     end

data/lib/doorkeeper/errors.rb

@@ -8,18 +8,6 @@ module Doorkeeper
       end
     end
 
-    class InvalidAuthorizationStrategy < DoorkeeperError
-      def type
-        :unsupported_response_type
-      end
-    end
-
-    class InvalidTokenReuse < DoorkeeperError
-      def type
-        :invalid_request
-      end
-    end
-
     class InvalidGrantReuse < DoorkeeperError
       def type
         :invalid_grant
@@ -32,7 +20,14 @@ module Doorkeeper
       end
     end
 
-    class MissingRequestStrategy < DoorkeeperError
+    class MissingRequiredParameter < DoorkeeperError
+      attr_reader :missing_param
+
+      def initialize(missing_param)
+        super
+        @missing_param = missing_param
+      end
+
       def type
         :invalid_request
       end
@@ -50,10 +45,10 @@ module Doorkeeper
     TokenGeneratorNotFound = Class.new(DoorkeeperError)
     NoOrmCleaner = Class.new(DoorkeeperError)
 
-    InvalidToken = Class.new BaseResponseError
-    TokenExpired = Class.new InvalidToken
-    TokenRevoked = Class.new InvalidToken
-    TokenUnknown = Class.new InvalidToken
-    TokenForbidden = Class.new InvalidToken
+    InvalidToken = Class.new(BaseResponseError)
+    TokenExpired = Class.new(InvalidToken)
+    TokenRevoked = Class.new(InvalidToken)
+    TokenUnknown = Class.new(InvalidToken)
+    TokenForbidden = Class.new(InvalidToken)
   end
 end

data/lib/doorkeeper/helpers/controller.rb

@@ -44,8 +44,12 @@ module Doorkeeper
       def get_error_response_from_exception(exception)
         if exception.respond_to?(:response)
           exception.response
+        elsif exception.type == :invalid_request
+          OAuth::InvalidRequestResponse.new(name: exception.type,
+                                            state: params[:state],
+                                            missing_param: exception.missing_param)
         else
-          OAuth::ErrorResponse.new name: exception.type, state: params[:state]
+          OAuth::ErrorResponse.new(name: exception.type, state: params[:state])
         end
       end
 
@@ -58,7 +62,7 @@ module Doorkeeper
 
       def skip_authorization?
         !!instance_exec(
-          [@server.current_resource_owner, @pre_auth.client],
+          [server.current_resource_owner, @pre_auth.client],
           &Doorkeeper.configuration.skip_authorization
         )
       end

data/lib/doorkeeper/oauth/authorization/code.rb

@@ -19,14 +19,10 @@ module Doorkeeper
           { action: :show, code: token.plaintext_token }
         end
 
-        def configuration
-          Doorkeeper.configuration
-        end
-
         private
 
         def authorization_code_expires_in
-          configuration.authorization_code_expires_in
+          Doorkeeper.configuration.authorization_code_expires_in
         end
 
         def access_grant_attributes

data/lib/doorkeeper/oauth/authorization_code_request.rb

@@ -3,7 +3,8 @@
 module Doorkeeper
   module OAuth
     class AuthorizationCodeRequest < BaseRequest
-      validate :attributes,   error: :invalid_request
+      validate :pkce_support, error: :invalid_request
+      validate :params,       error: :invalid_request
       validate :client,       error: :invalid_client
       validate :grant,        error: :invalid_grant
       # @see https://tools.ietf.org/html/rfc6749#section-5.2
@@ -12,6 +13,7 @@ module Doorkeeper
 
       attr_accessor :server, :grant, :client, :redirect_uri, :access_token,
                     :code_verifier
+      attr_reader :invalid_request_reason, :missing_param
 
       def initialize(server, grant, client, parameters = {})
         @server = server
@@ -24,10 +26,6 @@ module Doorkeeper
 
       private
 
-      def client_by_uid(parameters)
-        Doorkeeper::Application.by_uid(parameters[:client_id])
-      end
-
       def before_successful_response
         grant.transaction do
           grant.lock!
@@ -42,11 +40,22 @@ module Doorkeeper
         super
       end
 
-      def validate_attributes
-        return false if grant&.uses_pkce? && code_verifier.blank?
-        return false if grant && !grant.pkce_supported? && !code_verifier.blank?
+      def validate_pkce_support
+        @invalid_request_reason = :not_support_pkce if grant &&
+                                                       !grant.pkce_supported? &&
+                                                       code_verifier.present?
+
+        @invalid_request_reason.nil?
+      end
+
+      def validate_params
+        @missing_param = if grant&.uses_pkce? && code_verifier.blank?
+                           :code_verifier
+                         elsif redirect_uri.blank?
+                           :redirect_uri
+                         end
 
-        redirect_uri.present?
+        @missing_param.nil?
       end
 
       def validate_client

data/lib/doorkeeper/oauth/base_request.rb

@@ -15,6 +15,8 @@ module Doorkeeper
           @response = TokenResponse.new(access_token)
           after_successful_response
           @response
+        elsif error == :invalid_request
+          @response = InvalidRequestResponse.from_request(self)
         else
           @response = ErrorResponse.from_request(self)
         end

data/lib/doorkeeper/oauth/client_credentials/validation.rb

@@ -8,6 +8,7 @@ module Doorkeeper
         include OAuth::Helpers
 
         validate :client, error: :invalid_client
+        validate :client_supports_grant_flow, error: :unauthorized_client
         validate :scopes, error: :invalid_scope
 
         def initialize(server, request)
@@ -24,6 +25,13 @@ module Doorkeeper
           @client.present?
         end
 
+        def validate_client_supports_grant_flow
+          Doorkeeper.configuration.allow_grant_flow_for_client?(
+            Doorkeeper::OAuth::CLIENT_CREDENTIALS,
+            @client
+          )
+        end
+
         def validate_scopes
           return true if @request.scopes.blank?