doorkeeper 5.5.0 → 5.5.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8d0646462c8fd51891c70b06dbccf9d4c2a2db2d19f71fb9e358c9401843053a
-  data.tar.gz: 17669cf7be5a1f0053850c6f00c03b63df477438a7aa6805558d48dfb35541b0
+  metadata.gz: '08f9f8fec2b33300cb7ed4a09ff5682330698f51515404339a1ef40621f1d0d0'
+  data.tar.gz: 6d53afbc73dfdb731b0641575ffd7156ad3a74e11452654a99a1f24ad7f1093f
 SHA512:
-  metadata.gz: 54c0fadb672bb09b4e33b6df5476694a0e7f1fb7795b3e2d4172e6c77671bbd7f929dec42f37d9b17bede5cb0659c5a95a30771fd8c69dbdddcb80d4d291aa81
-  data.tar.gz: 462977a3eae6d5705ce246814a66f0bd29cd64647e43ba4df2502b9b72eea9c0e848ce3c1789fa97cb6953a07661eef025665a9fa29a97080c1d61acc3e559b6
+  metadata.gz: 345be4d8d397eacb61d21a749b0c8e1fe38a9f6f2868c14a76006a2cc0686c6e192b9828e7f37df39f83f80c69a4a8394191f9d28691db43616f47f52b2505bb
+  data.tar.gz: 4c96d9ad3d31305f1fb9fc135de3ee5a4e187a38f317307da6d83fc8dabe265dab741c52f25d7f907930a195918b1713aa3db6495b37626a2cfe5fe621f9e240

data/CHANGELOG.md

@@ -9,6 +9,14 @@ User-visible changes worth mentioning.
 
 - [#PR ID] Add your PR description here.
 
+## 5.5.1
+
+- [#1496] Revoke `old_refresh_token` if `previous_refresh_token` is present.
+- [#1495] Fix `respond_to` undefined in API-only mode 
+- [#1488] Verify client authentication for Resource Owner Password Grant when
+  `config.skip_client_authentication_for_password_grant` is set and the client credentials
+  are sent in a HTTP Basic auth header.
+
 ## 5.5.0
 
 - [#1482] Simplify `TokenInfoController` to be overridable (extract response rendering).

data/app/controllers/doorkeeper/application_controller.rb

@@ -4,6 +4,7 @@ module Doorkeeper
   class ApplicationController <
     Doorkeeper.config.resolve_controller(:base)
     include Helpers::Controller
+    include ActionController::MimeResponds if Doorkeeper.config.api_only
 
     unless Doorkeeper.config.api_only
       protect_from_forgery with: :exception

data/app/controllers/doorkeeper/authorized_applications_controller.rb

@@ -26,7 +26,7 @@ module Doorkeeper
           )
         end
 
-        format.json { render :no_content }
+        format.json { head :no_content }
       end
     end
   end

data/lib/doorkeeper/config.rb

@@ -278,6 +278,10 @@ module Doorkeeper
     # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/1189
     option :token_reuse_limit,              default: 100
 
+    # Don't require client authentication for password grants. If client credentials
+    # are present they will still be validated, and the grant rejected if the credentials
+    # are invalid.
+    #
     # This is discouraged. Spec says that password grants always require a client.
     #
     # See https://github.com/doorkeeper-gem/doorkeeper/issues/1412#issuecomment-632750422

data/lib/doorkeeper/models/access_token_mixin.rb

@@ -374,10 +374,10 @@ module Doorkeeper
     # and clears `:previous_refresh_token` attribute.
     #
     def revoke_previous_refresh_token!
-      return unless self.class.refresh_token_revoked_on_use?
+      return if !self.class.refresh_token_revoked_on_use? || previous_refresh_token.blank?
 
       old_refresh_token&.revoke
-      update_attribute(:previous_refresh_token, "") if previous_refresh_token.present?
+      update_attribute(:previous_refresh_token, "")
     end
 
     private

data/lib/doorkeeper/oauth/password_access_token_request.rb

@@ -10,12 +10,13 @@ module Doorkeeper
       validate :resource_owner, error: :invalid_grant
       validate :scopes, error: :invalid_scope
 
-      attr_reader :client, :resource_owner, :parameters, :access_token
+      attr_reader :client, :credentials, :resource_owner, :parameters, :access_token
 
-      def initialize(server, client, resource_owner, parameters = {})
+      def initialize(server, client, credentials, resource_owner, parameters = {})
         @server          = server
         @resource_owner  = resource_owner
         @client          = client
+        @credentials     = credentials
         @parameters      = parameters
         @original_scopes = parameters[:scope]
         @grant_type      = Doorkeeper::OAuth::PASSWORD
@@ -60,7 +61,7 @@ module Doorkeeper
       #
       def validate_client
         if Doorkeeper.config.skip_client_authentication_for_password_grant
-          !parameters[:client_id] || client.present?
+          client.present? || (!parameters[:client_id] && credentials.blank?)
         else
           client.present?
         end

data/lib/doorkeeper/request/password.rb

@@ -9,6 +9,7 @@ module Doorkeeper
         @request ||= OAuth::PasswordAccessTokenRequest.new(
           Doorkeeper.config,
           client,
+          credentials,
           resource_owner,
           parameters,
         )

data/lib/doorkeeper/version.rb

@@ -5,7 +5,7 @@ module Doorkeeper
     # Semantic versioning
     MAJOR = 5
     MINOR = 5
-    TINY = 0
+    TINY = 1
     PRE = nil
 
     # Full version number

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper
 version: !ruby/object:Gem::Version
-  version: 5.5.0
+  version: 5.5.1
 platform: ruby
 authors:
 - Felipe Elias Philipp
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-02-19 00:00:00.000000000 Z
+date: 2021-04-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -89,14 +89,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.6'
+        version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.6'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: factory_bot
   requirement: !ruby/object:Gem::Requirement