doorkeeper 5.7.0 → 5.7.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: aeb5db3b840c0c214129e69fb029c1daf95974b033856ab550e9abd3b529b0c1
-  data.tar.gz: 6f948a7fa2b8a2796c56e94a762b1e256228c13f972bbd056d1b4e246bea5001
+  metadata.gz: df8ee24bf06e6b24c9ee822c24abf45ce0424b93ff05361dcdff76c930fa3c5a
+  data.tar.gz: 56e84b30480a60d02eea4b417f41c1cd6b322365bfce0e9fa31aad504def3807
 SHA512:
-  metadata.gz: 2da3aca020ed25ba334d5dfbcbffd1c46818eaa79bbc67e38bcf01dada8105c6683bfb5552dae1cdce34a68e5baafa0c9a9b49b5c980f78464925f2f7576b873
-  data.tar.gz: 865a9c03a28b309624e8058a251c92d002199f9072015efafafb622fad5878274042bee32aba169a0395fc1ba0558ca86c1bd7b32b9dc288c5136b69c6a68e69
+  metadata.gz: d25945505890cb67e1e2db1e0a7eb8d49cd8bcccf05d2732883df6ace7269fe4bbe3de491a563ea3e254e1ac16e2daa407f665078cf243f7131a26db00b39842
+  data.tar.gz: 2269f220720be56f31928a1ab4180254058bc2b636994160db72030bc32f0a5db695e76b3186f6b0c24b8d77565bd4c49911d4f5a632b14c6bd57e213c278694

data/CHANGELOG.md

@@ -9,6 +9,10 @@ User-visible changes worth mentioning.
 
 Add your entry here.
 
+## 5.7.1
+
+- [#1705] Add `force_pkce` option that requires non-confidential clients to use PKCE when requesting an access_token using an authorization code
+
 ## 5.7.0
 
 - [#1696] Add missing `#issued_token` method to `OAuth::TokenResponse`

data/lib/doorkeeper/config.rb

@@ -113,6 +113,12 @@ module Doorkeeper
         @config.instance_variable_set(:@revoke_previous_authorization_code_token, true)
       end
 
+      # Require non-confidential apps to use PKCE (send a code_verifier) when requesting
+      # an access_token using an authorization code (disabled by default)
+      def force_pkce
+        @config.instance_variable_set(:@force_pkce, true)
+      end
+
       # Use an API mode for applications generated with --api argument
       # It will skip applications controller, disable forgery protection
       def api_only
@@ -492,6 +498,10 @@ module Doorkeeper
       option_set? :revoke_previous_authorization_code_token
     end
 
+    def force_pkce?
+      option_set? :force_pkce
+    end
+
     def enforce_configured_scopes?
       option_set? :enforce_configured_scopes
     end

data/lib/doorkeeper/errors.rb

@@ -54,6 +54,7 @@ module Doorkeeper
     InvalidClient = Class.new(BaseResponseError)
     InvalidScope = Class.new(BaseResponseError)
     InvalidRedirectUri = Class.new(BaseResponseError)
+    InvalidCodeChallenge = Class.new(BaseResponseError)
     InvalidCodeChallengeMethod = Class.new(BaseResponseError)
     InvalidGrant = Class.new(BaseResponseError)
 

data/lib/doorkeeper/oauth/authorization_code_request.rb

@@ -59,10 +59,16 @@ module Doorkeeper
         Doorkeeper.config.access_grant_model.pkce_supported?
       end
 
+      def confidential?
+        client&.confidential
+      end
+
       def validate_params
         @missing_param =
           if grant&.uses_pkce? && code_verifier.blank?
             :code_verifier
+          elsif !confidential? && Doorkeeper.config.force_pkce? && code_verifier.blank?
+            :code_verifier
           elsif redirect_uri.blank?
             :redirect_uri
           end

data/lib/doorkeeper/oauth/client.rb

@@ -5,7 +5,7 @@ module Doorkeeper
     class Client
       attr_reader :application
 
-      delegate :id, :name, :uid, :redirect_uri, :scopes, to: :@application
+      delegate :id, :name, :uid, :redirect_uri, :scopes, :confidential, to: :@application
 
       def initialize(application)
         @application = application

data/lib/doorkeeper/oauth/pre_authorization.rb

@@ -14,6 +14,7 @@ module Doorkeeper
       validate :response_type, error: Errors::UnsupportedResponseType
       validate :response_mode, error: Errors::UnsupportedResponseMode
       validate :scopes, error: Errors::InvalidScope
+      validate :code_challenge, error: Errors::InvalidCodeChallenge
       validate :code_challenge_method, error: Errors::InvalidCodeChallengeMethod
 
       attr_reader :client, :code_challenge, :code_challenge_method, :missing_param,
@@ -143,6 +144,12 @@ module Doorkeeper
         )
       end
 
+      def validate_code_challenge
+        return true unless Doorkeeper.config.force_pkce?
+        return true if client.confidential
+        code_challenge.present?
+      end
+
       def validate_code_challenge_method
         return true unless Doorkeeper.config.access_grant_model.pkce_supported?
 

data/lib/doorkeeper/version.rb

@@ -5,7 +5,7 @@ module Doorkeeper
     # Semantic versioning
     MAJOR = 5
     MINOR = 7
-    TINY = 0
+    TINY = 1
     PRE = nil
 
     # Full version number

data/lib/generators/doorkeeper/templates/initializer.rb

@@ -173,6 +173,11 @@ Doorkeeper.configure do
   #
   # revoke_previous_authorization_code_token
 
+  # Require non-confidential clients to use PKCE when using an authorization code
+  # to obtain an access_token (disabled by default)
+  #
+  # force_pkce
+
   # Hash access and refresh tokens before persisting them.
   # This will disable the possibility to use +reuse_access_token+
   # since plain values can no longer be retrieved.

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper
 version: !ruby/object:Gem::Version
-  version: 5.7.0
+  version: 5.7.1
 platform: ruby
 authors:
 - Felipe Elias Philipp
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-04-24 00:00:00.000000000 Z
+date: 2024-06-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties