doorkeeper 5.4.0.rc2 → 5.4.0



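--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4bd9636505ce9c77f93c052d721fb3dad5fb6e135375a3fd3cc6f492e211c7df
-  data.tar.gz: 967a846ecfe1713842133555b9fd793c2f8600c9382aa13ffc209b7448a9aabd
+  metadata.gz: 76b3a86e21584548c9b0c176512c844bee90ba9c447aaf09741abf54488093bb
+  data.tar.gz: ce7a4ffdf3b0aebaa69f703b70f0109276205c9ec0b2f1e2c7b3e88cb4746f8b
 SHA512:
-  metadata.gz: a45ad0f893f9c47dc3a50672e668b9b3519db22bd6a6a05dfaf57d7f00c4d5bb228c4913ad6ab5886a063a4fdea4fe435eb886ad2b61f7274cbbf1c2d7be5166
-  data.tar.gz: c8fd9f47a74bc6735802ee90a3d63e266e928a59801e13becc8b345dc46902e80bfeb6b6830c9c44d7b90093a0cd4727f6d67e5519b137dd31cc9339d42901ec
+  metadata.gz: 7192f9711713f15d323e85aa3ad4274b314a55dcc89ba945de52dca5dbbad2e267dc3252da353cd4991fae365a1161fd91d06c0bfcaba767163b4c54eafca125
+  data.tar.gz: b5f324cfe8064b32254ca1c045bc24c54ab21a485bf3c6a9726bc995ab9dc24516872bf8ee314850b65f6ce3d879d0497e67416ea78c0f8f7566bdbfd48e024a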
@@ -9,6 +9,10 @@ User-visible changes worth mentioning.
9
9
 
10
10
  - [#PR ID] Your PR description.
11
11
 
12
+ ## 5.4.0
13
+
14
+ - [#1404] Make `Doorkeeper::Application#read_attribute_for_serialization` public.
15
+
12
16
  ## 5.4.0.rc2
13
17
 
14
18
  - [#1371] Add `#as_json` method and attributes serialization restriction for Application model.
@@ -58,6 +62,10 @@ User-visible changes worth mentioning.
58
62
  - [#1393] Improve Applications #show page with more informative data on client secret and scopes.
59
63
  - [#1394] Use Ruby `autoload` feature to load Doorkeeper files.
60
64
 
65
+ ## 5.3.3
66
+
67
+ - [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
68
+
61
69
  ## 5.3.2
62
70
 
63
71
  - [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
@@ -82,6 +90,10 @@ User-visible changes worth mentioning.
82
90
  requested a new access token, reenable it with `revoke_previous_client_credentials_token` in Doorkeeper
83
91
  initialization file.
84
92
 
93
+ ## 5.2.6
94
+
95
+ - [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
96
+
85
97
  ## 5.2.5
86
98
 
87
99
  - [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
@@ -154,6 +166,15 @@ User-visible changes worth mentioning.
154
166
  - [#1248] Return the unhashed Application Secret in the JSON response after creating new application even when `hash_application_secrets` is used.
155
167
  - [#1238] Better support for native app with support for custom scheme and localhost redirection.
156
168
 
169
+ ## 5.1.2
170
+
171
+ - [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
172
+
173
+ ## 5.1.1
174
+
175
+ - [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
176
+ Fixes information disclosure vulnerability (CVE-2020-10187).
177
+
157
178
  ## 5.1.0
158
179
 
159
180
  - [#1243] Add nil check operator in token checking at token introspection.
@@ -215,6 +236,11 @@ User-visible changes worth mentioning.
215
236
  - [#1164] Fix error when `root_path` is not defined.
216
237
  - [#1162] Fix `enforce_content_type` for requests without body.
217
238
 
239
+ ## 5.0.3
240
+
241
+ - [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
242
+ Fixes information disclosure vulnerability (CVE-2020-10187).
243
+
218
244
  ## 5.0.2
219
245
 
220
246
  - [#1158] Fix initializer template: change `handle_auth_errors` option
@@ -4,7 +4,7 @@ module Doorkeeper
4
4
  class Engine < Rails::Engine
5
5
  initializer "doorkeeper.params.filter" do |app|
6
6
  parameters = %w[client_secret code authentication_token access_token refresh_token]
7
- app.config.filter_parameters << /^(#{Regexp.union parameters})$/
7
+ app.config.filter_parameters << /^(#{Regexp.union(parameters)})$/
8
8
  end
9
9
 
10
10
  initializer "doorkeeper.routes" do
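Review bot: The filter pattern still anchors with `^` and `$`, which in Ruby match at line boundaries rather than at the ends of the string; `/\A(#{Regexp.union(parameters)})\z/` is the full-string form. For a parameter-name filter the looser anchors can only cause more keys to be filtered, never fewer, so this is a style point rather than a filtering gap. `Regexp.union` already escapes the names it is given, so the interpolation itself is sound.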
@@ -11,7 +11,7 @@ module Doorkeeper
11
11
  @resource_owner = resource_owner
12
12
  end
13
13
 
14
- def issue_token
14
+ def issue_token!
15
15
  return @token if defined?(@token)
16
16
 
17
17
  @token = Doorkeeper.config.access_grant_model.create!(access_grant_attributes)
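Review bot: Renaming the public `issue_token` to `issue_token!` leaves no alias behind, so any extension or custom strategy that still calls `issue_token` on this class will raise `NoMethodError`, and the 5.4.0 changelog hunk above lists only #1404. The same rename appears in the `@@ -48,7 +48,7 @@` hunk below, with the internal callers updated in the two `auth.issue_token!` hunks; none of them adds a compatibility path. Adding `alias issue_token issue_token!` beside each new definition, with a deprecation warning if the project has one, would give external callers a release to migrate and also satisfies the convention that a `!` method has a non-bang counterpart. The body of `issue_token!` continues past the end of the hunk.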
@@ -48,7 +48,7 @@ module Doorkeeper
48
48
  @resource_owner = resource_owner
49
49
  end
50
50
 
51
- def issue_token
51
+ def issue_token!
52
52
  return @token if defined?(@token)
53
53
 
54
54
  context = self.class.build_context(
@@ -6,13 +6,13 @@ module Doorkeeper
6
6
  attr_reader :pre_auth, :resource_owner
7
7
 
8
8
  def initialize(pre_auth, resource_owner)
9
- @pre_auth = pre_auth
9
+ @pre_auth = pre_auth
10
10
  @resource_owner = resource_owner
11
11
  end
12
12
 
13
13
  def authorize
14
14
  auth = Authorization::Code.new(pre_auth, resource_owner)
15
- auth.issue_token
15
+ auth.issue_token!
16
16
  CodeResponse.new(pre_auth, auth)
17
17
  end
18
18
 
@@ -32,13 +32,13 @@ module Doorkeeper
32
32
 
33
33
  def from_bearer_authorization(request)
34
34
  pattern = /^Bearer /i
35
- header = request.authorization
35
+ header = request.authorization
36
36
  token_from_header(header, pattern) if match?(header, pattern)
37
37
  end
38
38
 
39
39
  def from_basic_authorization(request)
40
40
  pattern = /^Basic /i
41
- header = request.authorization
41
+ header = request.authorization
42
42
  token_from_basic_header(header, pattern) if match?(header, pattern)
43
43
  end
44
44
 
@@ -54,7 +54,7 @@ module Doorkeeper
54
54
  end
55
55
 
56
56
  def token_from_header(header, pattern)
57
- header.gsub pattern, ""
57
+ header.gsub(pattern, "")
58
58
  end
59
59
 
60
60
  def match?(header, pattern)
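Review bot: `header.gsub(pattern, "")` replaces every match, while the intent visible in `from_bearer_authorization` above is to strip a single scheme prefix; `header.sub(pattern, "")` says that and stops after the first match. Because `pattern` is built with the `^` line anchor (`/^Bearer /i`), `gsub` would also strip the prefix from any later line of a multi-line header value, whereas `\A` plus `sub` confines it to the start of the string. For a well-formed header the result is the same, so this is a point of style rather than a defect.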
@@ -179,11 +179,7 @@ module Doorkeeper
179
179
  allow_introspection = Doorkeeper.config.allow_token_introspection
180
180
  return allow_introspection unless allow_introspection.respond_to?(:call)
181
181
 
182
- allow_introspection.call(
183
- @token,
184
- auth_client,
185
- auth_token,
186
- )
182
+ allow_introspection.call(@token, auth_client, auth_token)
187
183
  end
188
184
 
189
185
  # Allows to customize introspection response.
@@ -12,7 +12,7 @@ module Doorkeeper
12
12
 
13
13
  def authorize
14
14
  auth = Authorization::Token.new(pre_auth, resource_owner)
15
- auth.issue_token
15
+ auth.issue_token!
16
16
  CodeResponse.new(pre_auth, auth, response_on_fragment: true)
17
17
  end
18
18
 
@@ -88,6 +88,17 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
88
88
  Doorkeeper.configuration.authorize_resource_owner_for_client.call(self, resource_owner)
89
89
  end
90
90
 
91
+ # We need to hook into this method to allow serializing plan-text secrets
92
+ # when secrets hashing enabled.
93
+ #
94
+ # @param key [String] attribute name
95
+ #
96
+ def read_attribute_for_serialization(key)
97
+ return super unless key.to_s == "secret"
98
+
99
+ plaintext_secret || secret
100
+ end
101
+
91
102
  private
92
103
 
93
104
  def generate_uid
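Review bot: The comment that moved with `read_attribute_for_serialization` still reads `plan-text secrets`; it should be `plain-text secrets`, and the YARD block has no return tag, e.g. `# @return [String, nil] plain-text secret if still held on this instance, else the value of secret`. Since the move to the public section is what lets an external serializer reach this method, the comment would also benefit from stating when `plaintext_secret` is populated — presumably only on the instance that generated the secret, so the plain-text value is serialized only in that window; verify against where it is assigned, which is not in this hunk. The removed copy in the `@@ -135,17 +146,6 @@` hunk below is the old private definition and needs nothing further.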
@@ -135,17 +146,6 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
135
146
  only.uniq
136
147
  end
137
148
 
138
- # We need to hook into this method to allow serializing plan-text secrets
139
- # when secrets hashing enabled.
140
- #
141
- # @param key [String] attribute name
142
- #
143
- def read_attribute_for_serialization(key)
144
- return super unless key.to_s == "secret"
145
-
146
- plaintext_secret || secret
147
- end
148
-
149
149
  # Collection of attributes that could be serialized for public.
150
150
  # Override this method if you need additional attributes to be serialized.
151
151
  #
@@ -4,7 +4,7 @@ module Doorkeeper
4
4
  class Server
5
5
  attr_reader :context
6
6
 
7
- def initialize(context = nil)
7
+ def initialize(context)
8
8
  @context = context
9
9
  end
10
10
 
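Review bot: Dropping the `= nil` default makes `Doorkeeper::Server.new` with no argument raise `ArgumentError`, an interface change that the 5.4.0 changelog hunk above (listing only #1404) does not mention. If every internal caller passes a context this is harmless, but a changelog entry, or keeping `context = nil` and warning when it is nil for one release, would protect extensions that construct the server themselves. The rest of `Server` is outside the hunk.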
@@ -13,12 +13,12 @@ module Doorkeeper
13
13
  raise Doorkeeper::Errors::NoOrmCleaner, "'#{configured_orm}' ORM has no cleaner!"
14
14
  end
15
15
 
16
- def self.configured_orm
17
- Doorkeeper.config.orm
18
- end
19
-
20
16
  def self.new(base_scope)
21
17
  self.for(base_scope)
22
18
  end
19
+
20
+ def self.configured_orm
21
+ Doorkeeper.config.orm
22
+ end
23
23
  end
24
24
  end
@@ -10,7 +10,7 @@ module Doorkeeper
10
10
  MAJOR = 5
11
11
  MINOR = 4
12
12
  TINY = 0
13
- PRE = "rc2"
13
+ PRE = nil
14
14
 
15
15
  # Full version number
16
16
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: doorkeeper
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.4.0.rc2
4
+ version: 5.4.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Felipe Elias Philipp
@@ -11,7 +11,7 @@ authors:
11
11
  autorequire:
12
12
  bindir: bin
13
13
  cert_chain: []
14
- date: 2020-05-02 00:00:00.000000000 Z
14
+ date: 2020-05-11 00:00:00.000000000 Z
15
15
  dependencies:
16
16
  - !ruby/object:Gem::Dependency
17
17
  name: railties
@@ -75,14 +75,14 @@ dependencies:
75
75
  requirements:
76
76
  - - "~>"
77
77
  - !ruby/object:Gem::Version
78
- version: '7.0'
78
+ version: '8.0'
79
79
  type: :development
80
80
  prerelease: false
81
81
  version_requirements: !ruby/object:Gem::Requirement
82
82
  requirements:
83
83
  - - "~>"
84
84
  - !ruby/object:Gem::Version
85
- version: '7.0'
85
+ version: '8.0'
86
86
  - !ruby/object:Gem::Dependency
87
87
  name: database_cleaner
88
88
  requirement: !ruby/object:Gem::Requirement
@@ -327,9 +327,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
327
327
  version: '2.4'
328
328
  required_rubygems_version: !ruby/object:Gem::Requirement
329
329
  requirements:
330
- - - ">"
330
+ - - ">="
331
331
  - !ruby/object:Gem::Version
332
- version: 1.3.1
332
+ version: '0'
333
333
  requirements: []
334
334
  rubygems_version: 3.0.2
335
335
  signing_key: