doorkeeper 5.7.0 → 5.7.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/lib/doorkeeper/config.rb +10 -0
- data/lib/doorkeeper/errors.rb +1 -0
- data/lib/doorkeeper/oauth/authorization_code_request.rb +6 -0
- data/lib/doorkeeper/oauth/client.rb +1 -1
- data/lib/doorkeeper/oauth/pre_authorization.rb +7 -0
- data/lib/doorkeeper/version.rb +1 -1
- data/lib/generators/doorkeeper/templates/initializer.rb +5 -0
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: df8ee24bf06e6b24c9ee822c24abf45ce0424b93ff05361dcdff76c930fa3c5a
|
|
4
|
+
data.tar.gz: 56e84b30480a60d02eea4b417f41c1cd6b322365bfce0e9fa31aad504def3807
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: d25945505890cb67e1e2db1e0a7eb8d49cd8bcccf05d2732883df6ace7269fe4bbe3de491a563ea3e254e1ac16e2daa407f665078cf243f7131a26db00b39842
|
|
7
|
+
data.tar.gz: 2269f220720be56f31928a1ab4180254058bc2b636994160db72030bc32f0a5db695e76b3186f6b0c24b8d77565bd4c49911d4f5a632b14c6bd57e213c278694
|
data/CHANGELOG.md
CHANGED
|
@@ -9,6 +9,10 @@ User-visible changes worth mentioning.
|
|
|
9
9
|
|
|
10
10
|
Add your entry here.
|
|
11
11
|
|
|
12
|
+
## 5.7.1
|
|
13
|
+
|
|
14
|
+
- [#1705] Add `force_pkce` option that requires non-confidential clients to use PKCE when requesting an access_token using an authorization code
|
|
15
|
+
|
|
12
16
|
## 5.7.0
|
|
13
17
|
|
|
14
18
|
- [#1696] Add missing `#issued_token` method to `OAuth::TokenResponse`
|
data/lib/doorkeeper/config.rb
CHANGED
|
@@ -113,6 +113,12 @@ module Doorkeeper
|
|
|
113
113
|
@config.instance_variable_set(:@revoke_previous_authorization_code_token, true)
|
|
114
114
|
end
|
|
115
115
|
|
|
116
|
+
# Require non-confidential apps to use PKCE (send a code_verifier) when requesting
|
|
117
|
+
# an access_token using an authorization code (disabled by default)
|
|
118
|
+
def force_pkce
|
|
119
|
+
@config.instance_variable_set(:@force_pkce, true)
|
|
120
|
+
end
|
|
121
|
+
|
|
116
122
|
# Use an API mode for applications generated with --api argument
|
|
117
123
|
# It will skip applications controller, disable forgery protection
|
|
118
124
|
def api_only
|
|
@@ -492,6 +498,10 @@ module Doorkeeper
|
|
|
492
498
|
option_set? :revoke_previous_authorization_code_token
|
|
493
499
|
end
|
|
494
500
|
|
|
501
|
+
def force_pkce?
|
|
502
|
+
option_set? :force_pkce
|
|
503
|
+
end
|
|
504
|
+
|
|
495
505
|
def enforce_configured_scopes?
|
|
496
506
|
option_set? :enforce_configured_scopes
|
|
497
507
|
end
|
data/lib/doorkeeper/errors.rb
CHANGED
|
@@ -54,6 +54,7 @@ module Doorkeeper
|
|
|
54
54
|
InvalidClient = Class.new(BaseResponseError)
|
|
55
55
|
InvalidScope = Class.new(BaseResponseError)
|
|
56
56
|
InvalidRedirectUri = Class.new(BaseResponseError)
|
|
57
|
+
InvalidCodeChallenge = Class.new(BaseResponseError)
|
|
57
58
|
InvalidCodeChallengeMethod = Class.new(BaseResponseError)
|
|
58
59
|
InvalidGrant = Class.new(BaseResponseError)
|
|
59
60
|
|
|
@@ -59,10 +59,16 @@ module Doorkeeper
|
|
|
59
59
|
Doorkeeper.config.access_grant_model.pkce_supported?
|
|
60
60
|
end
|
|
61
61
|
|
|
62
|
+
def confidential?
|
|
63
|
+
client&.confidential
|
|
64
|
+
end
|
|
65
|
+
|
|
62
66
|
def validate_params
|
|
63
67
|
@missing_param =
|
|
64
68
|
if grant&.uses_pkce? && code_verifier.blank?
|
|
65
69
|
:code_verifier
|
|
70
|
+
elsif !confidential? && Doorkeeper.config.force_pkce? && code_verifier.blank?
|
|
71
|
+
:code_verifier
|
|
66
72
|
elsif redirect_uri.blank?
|
|
67
73
|
:redirect_uri
|
|
68
74
|
end
|
|
@@ -5,7 +5,7 @@ module Doorkeeper
|
|
|
5
5
|
class Client
|
|
6
6
|
attr_reader :application
|
|
7
7
|
|
|
8
|
-
delegate :id, :name, :uid, :redirect_uri, :scopes, to: :@application
|
|
8
|
+
delegate :id, :name, :uid, :redirect_uri, :scopes, :confidential, to: :@application
|
|
9
9
|
|
|
10
10
|
def initialize(application)
|
|
11
11
|
@application = application
|
|
@@ -14,6 +14,7 @@ module Doorkeeper
|
|
|
14
14
|
validate :response_type, error: Errors::UnsupportedResponseType
|
|
15
15
|
validate :response_mode, error: Errors::UnsupportedResponseMode
|
|
16
16
|
validate :scopes, error: Errors::InvalidScope
|
|
17
|
+
validate :code_challenge, error: Errors::InvalidCodeChallenge
|
|
17
18
|
validate :code_challenge_method, error: Errors::InvalidCodeChallengeMethod
|
|
18
19
|
|
|
19
20
|
attr_reader :client, :code_challenge, :code_challenge_method, :missing_param,
|
|
@@ -143,6 +144,12 @@ module Doorkeeper
|
|
|
143
144
|
)
|
|
144
145
|
end
|
|
145
146
|
|
|
147
|
+
def validate_code_challenge
|
|
148
|
+
return true unless Doorkeeper.config.force_pkce?
|
|
149
|
+
return true if client.confidential
|
|
150
|
+
code_challenge.present?
|
|
151
|
+
end
|
|
152
|
+
|
|
146
153
|
def validate_code_challenge_method
|
|
147
154
|
return true unless Doorkeeper.config.access_grant_model.pkce_supported?
|
|
148
155
|
|
data/lib/doorkeeper/version.rb
CHANGED
|
@@ -173,6 +173,11 @@ Doorkeeper.configure do
|
|
|
173
173
|
#
|
|
174
174
|
# revoke_previous_authorization_code_token
|
|
175
175
|
|
|
176
|
+
# Require non-confidential clients to use PKCE when using an authorization code
|
|
177
|
+
# to obtain an access_token (disabled by default)
|
|
178
|
+
#
|
|
179
|
+
# force_pkce
|
|
180
|
+
|
|
176
181
|
# Hash access and refresh tokens before persisting them.
|
|
177
182
|
# This will disable the possibility to use +reuse_access_token+
|
|
178
183
|
# since plain values can no longer be retrieved.
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: doorkeeper
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 5.7.
|
|
4
|
+
version: 5.7.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Felipe Elias Philipp
|
|
@@ -11,7 +11,7 @@ authors:
|
|
|
11
11
|
autorequire:
|
|
12
12
|
bindir: bin
|
|
13
13
|
cert_chain: []
|
|
14
|
-
date: 2024-
|
|
14
|
+
date: 2024-06-25 00:00:00.000000000 Z
|
|
15
15
|
dependencies:
|
|
16
16
|
- !ruby/object:Gem::Dependency
|
|
17
17
|
name: railties
|