doorkeeper 5.8.0 → 5.8.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f4907be020648eb5c1dbc6e596c31c72c4133740e849ee1345ff337a4ce01c56
-  data.tar.gz: 831e491b48efe921e43065d393c6a785a9988e6057f1ed3e1e4f2e8626555e65
+  metadata.gz: 8364fc5d75f9cbe96cc3ef67c8010dde471eb51ced0cf328f9ca84705553976f
+  data.tar.gz: db817023f41b070185ae9d6fae32b9d9b0eb0fc7abf8bdd99961c80e8bece1dd
 SHA512:
-  metadata.gz: 2f97a8c5d6749cea33b31737988b26271d1ad03f4bd8f003b3674e8e81159a44e6a54f5611b868a06a9a074995bcc47165f222aadcd961746cc43776ee993c57
-  data.tar.gz: 3d2e13efa8bba0cedc4a63055d6ecb70f0af8d1dc0644047b4b1ecb3bc3bf5affd2a0a20d46989a4999b4361573c39ae72f516398c67ffe708512f0fd6e23011
+  metadata.gz: 940f6253760d9117390495e97fa270aa0337a7379d2070d2be5ce2a44cf8148f451ffe7a3ba0451ab88d1cbb5bd4242f6d4a7de90204cf2749a57bdeaa4005ed
+  data.tar.gz: 728ea65c1e37f7f77183e5528c441cf7b9c8a4493428bbafbfe7815dec4b227d8bd033e05c4ee2dde50b9cc252cad7241b5d287d2df28e6631f9ccada5c7afc5

data/CHANGELOG.md

@@ -9,6 +9,13 @@ User-visible changes worth mentioning.
 
 Add your entry here.
 
+## 5.8.1
+
+- [#1752] Bump the range of supported Ruby and Rails versions
+- [#1747] Fix unknown pkce method error when configured
+- [#1744] Allow for expired refresh tokens to be revoked
+- [#1754] Fix refresh tokens with dynamic scopes
+
 ## 5.8.0
 
 - [#1739] Add support for dynamic scopes

data/app/controllers/doorkeeper/tokens_controller.rb

@@ -113,19 +113,38 @@ module Doorkeeper
       # The authorization server responds with HTTP status code 200 if the token
       # has been revoked successfully or if the client submitted an invalid
       # token
-      token.revoke if token&.accessible?
+      revocable_token.revoke if revocable_token.revocable?
     end
 
     def token
-      @token ||=
+      revocable_token&.token
+    end
+
+    def revocable_token
+      return @revocable_token if defined? @revocable_token
+
+      @revocable_token =
         if params[:token_type_hint] == "refresh_token"
-          Doorkeeper.config.access_token_model.by_refresh_token(params["token"])
+          refresh_token
         else
-          Doorkeeper.config.access_token_model.by_token(params["token"]) ||
-            Doorkeeper.config.access_token_model.by_refresh_token(params["token"])
+          access_token || refresh_token
         end
     end
 
+    def refresh_token
+      token = Doorkeeper.config.access_token_model.by_refresh_token(params["token"])
+      return unless token
+
+      RevocableTokens::RevocableRefreshToken.new(token)
+    end
+
+    def access_token
+      token = Doorkeeper.config.access_token_model.by_token(params["token"])
+      return unless token
+
+      RevocableTokens::RevocableAccessToken.new(token)
+    end
+
     def strategy
       @strategy ||= server.token_request(params[:grant_type])
     end

data/config/locales/en.yml

@@ -100,7 +100,10 @@ en:
         unauthorized_client: 'The client is not authorized to perform this request using this method.'
         access_denied: 'The resource owner or authorization server denied the request.'
         invalid_scope: 'The requested scope is invalid, unknown, or malformed.'
-        invalid_code_challenge_method: 'The code challenge method must be plain or S256.'
+        invalid_code_challenge_method:
+          zero: 'The authorization server does not support PKCE as there are no accepted code_challenge_method values.'
+          one: 'The code_challenge_method must be %{challenge_methods}.'
+          other: 'The code_challenge_method must be one of %{challenge_methods}.'
         server_error: 'The authorization server encountered an unexpected condition which prevented it from fulfilling the request.'
         temporarily_unavailable: 'The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server.'
 

data/lib/doorkeeper/errors.rb

@@ -6,6 +6,10 @@ module Doorkeeper
       def type
         message
       end
+
+      def self.translate_options
+        {}
+      end
     end
 
     class InvalidGrantReuse < DoorkeeperError
@@ -45,6 +49,16 @@ module Doorkeeper
       end
     end
 
+    class InvalidCodeChallengeMethod < BaseResponseError
+      def self.translate_options
+        challenge_methods = Doorkeeper.config.pkce_code_challenge_methods_supported
+        {
+          challenge_methods: challenge_methods.join(", "),
+          count: challenge_methods.length
+        }
+      end
+    end
+
     UnableToGenerateToken = Class.new(DoorkeeperError)
     TokenGeneratorNotFound = Class.new(DoorkeeperError)
     NoOrmCleaner = Class.new(DoorkeeperError)
@@ -55,7 +69,6 @@ module Doorkeeper
     InvalidScope = Class.new(BaseResponseError)
     InvalidRedirectUri = Class.new(BaseResponseError)
     InvalidCodeChallenge = Class.new(BaseResponseError)
-    InvalidCodeChallengeMethod = Class.new(BaseResponseError)
     InvalidGrant = Class.new(BaseResponseError)
 
     UnauthorizedClient = Class.new(BaseResponseError)

data/lib/doorkeeper/oauth/base_request.rb

@@ -59,7 +59,8 @@ module Doorkeeper
           client_scopes = @client&.scopes
           return default_scopes if client_scopes.blank?
 
-          default_scopes & client_scopes
+          # Avoid using Scope#& for dynamic scopes
+          client_scopes.allowed(default_scopes)
         end
       end
     end

data/lib/doorkeeper/oauth/error.rb

@@ -2,13 +2,14 @@
 
 module Doorkeeper
   module OAuth
-    Error = Struct.new(:name, :state) do
+    Error = Struct.new(:name, :state, :translate_options) do
       def description
-        I18n.translate(
-          name,
+        options = (translate_options || {}).merge(
           scope: %i[doorkeeper errors messages],
           default: :server_error,
         )
+
+        I18n.translate(name, **options)
       end
     end
   end

data/lib/doorkeeper/oauth/error_response.rb

@@ -12,6 +12,7 @@ module Doorkeeper
           attributes.merge(
             name: error_name_for(request.error),
             exception_class: exception_class_for(request.error),
+            translate_options: request.error.try(:translate_options),
             state: request.try(:state),
             redirect_uri: request.try(:redirect_uri),
           ),
@@ -33,7 +34,7 @@ module Doorkeeper
       delegate :name, :description, :state, to: :@error
 
       def initialize(attributes = {})
-        @error = OAuth::Error.new(*attributes.values_at(:name, :state))
+        @error = OAuth::Error.new(*attributes.values_at(:name, :state, :translate_options))
         @exception_class = attributes[:exception_class]
         @redirect_uri = attributes[:redirect_uri]
         @response_on_fragment = attributes[:response_on_fragment]

data/lib/doorkeeper/oauth/pre_authorization.rb

@@ -75,7 +75,7 @@ module Doorkeeper
         if client_scopes.blank?
           server.default_scopes.to_s
         else
-          (server.default_scopes & client_scopes).to_s
+          server.default_scopes.allowed(client_scopes).to_s
         end
       end
 

data/lib/doorkeeper/oauth/scopes.rb

@@ -70,10 +70,28 @@ module Doorkeeper
         end
       end
 
+      # DEPRECATED: With dynamic scopes, #allowed should be called because
+      # A & B doesn't really make sense with dynamic scopes.
+      #
+      # For example, if A = user:* and B is user:1, A & B = [].
+      # If we modified this method to take dynamic scopes into an account, then order
+      # becomes important, and this would violate the principle that A & B = B & A.
       def &(other)
+        return allowed(other) if dynamic_scopes_enabled?
+
         self.class.from_array(all & to_array(other))
       end
 
+      # Returns a set of scopes that are allowed, taking dynamic
+      # scopes into account. This instance's scopes is taken as the allowed set,
+      # and the passed value is the set to filter.
+      #
+      # @param other The set of scopes to filter
+      def allowed(other)
+        filtered_scopes = other.select { |scope| self.exists?(scope) }
+        self.class.from_array(filtered_scopes)
+      end
+
       private
 
       def dynamic_scopes_enabled?

data/lib/doorkeeper/revocable_tokens/revocable_access_token.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module RevocableTokens
+    class RevocableAccessToken
+      attr_reader :token
+
+      def initialize(token)
+        @token = token
+      end
+
+      def revocable?
+        token.accessible?
+      end
+
+      def revoke
+        token.revoke
+      end
+    end
+  end
+end

data/lib/doorkeeper/revocable_tokens/revocable_refresh_token.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module RevocableTokens
+    class RevocableRefreshToken
+      attr_reader :token
+
+      def initialize(token)
+        @token = token
+      end
+
+      def revocable?
+        !token.revoked?
+      end
+
+      def revoke
+        token.revoke
+      end
+    end
+  end
+end

data/lib/doorkeeper/version.rb

@@ -5,7 +5,7 @@ module Doorkeeper
     # Semantic versioning
     MAJOR = 5
     MINOR = 8
-    TINY = 0
+    TINY = 1
     PRE = nil
 
     # Full version number

data/lib/doorkeeper.rb

@@ -34,6 +34,11 @@ module Doorkeeper
     autoload :Token, "doorkeeper/request/token"
   end
 
+  module RevocableTokens
+    autoload :RevocableAccessToken, "doorkeeper/revocable_tokens/revocable_access_token"
+    autoload :RevocableRefreshToken, "doorkeeper/revocable_tokens/revocable_refresh_token"
+  end
+
   module OAuth
     autoload :BaseRequest, "doorkeeper/oauth/base_request"
     autoload :AuthorizationCodeRequest, "doorkeeper/oauth/authorization_code_request"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper
 version: !ruby/object:Gem::Version
-  version: 5.8.0
+  version: 5.8.1
 platform: ruby
 authors:
 - Felipe Elias Philipp
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-10-31 00:00:00.000000000 Z
+date: 2024-12-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -290,6 +290,8 @@ files:
 - lib/doorkeeper/request/refresh_token.rb
 - lib/doorkeeper/request/strategy.rb
 - lib/doorkeeper/request/token.rb
+- lib/doorkeeper/revocable_tokens/revocable_access_token.rb
+- lib/doorkeeper/revocable_tokens/revocable_refresh_token.rb
 - lib/doorkeeper/secret_storing/base.rb
 - lib/doorkeeper/secret_storing/bcrypt.rb
 - lib/doorkeeper/secret_storing/plain.rb
@@ -326,6 +328,7 @@ metadata:
   source_code_uri: https://github.com/doorkeeper-gem/doorkeeper
   bug_tracker_uri: https://github.com/doorkeeper-gem/doorkeeper/issues
   documentation_uri: https://doorkeeper.gitbook.io/guides/
+  funding_uri: https://opencollective.com/doorkeeper-gem
 post_install_message: "Starting from 5.5.0 RC1 Doorkeeper requires client authentication
   for Resource Owner Password Grant\nas stated in the OAuth RFC. You have to create
   a new OAuth client (Doorkeeper::Application) if you didn't\nhave it before and use