rodauth-oauth 0.10.3 → 0.10.4

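--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 8ab7ede677cd918473b708b02509526add2744f96a2cf143c71e79b8d8950f49
-data.tar.gz: ad19fced98a7f8b62fb856ef0103d09263b1442b33a95adecc9419afe5132ff6
+metadata.gz: fa43bf0d9c1f6d8ac7a9e2c05b9f9751a68bf0720d47bcdcd92090cdc80b8ec6
+data.tar.gz: 14101a64005ea99770b2548c3dda8589b06c10cb8d26a4bb30a9e396c301ec17
 SHA512:
-metadata.gz: e62b0a2586b493c3012e1106c88ec6cdc1dabc6ce5e632526dd81dbf4ef2427a3645449e8ca5484e77e7a41470b09b9ab53df0c1ebc9598a12a62862cefe1b51
-data.tar.gz: f3b20d4b7566466b40d09e8391b0c73f4f2a1e250ec0aa238af246eed8cc8c9d3a329d6b24369a0a265f1cd0dcd13853941003bca4ce26ce125fcfb5e6e258aa
+metadata.gz: d5ca40d77877ff713dad6bee5d6424d869a8e6d61101fe87ff18c97372e3c9d8d2acd6fc3450ea8f938582f42740ff5da1326a3501b46e43ada73d1d192592a8
+data.tar.gz: 4cd099ee6f8e8b5195fb62d8370e46063fa88a1eb3631cad0705fff076d627c891e6cbfc147e7f0c3c4ea651463f611e87c756e93f65b9475322d523f5b101b1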
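--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -1,4 +1,4 @@
-### 0.10.2 (29/08/2022)
+### 0.10.3 (29/08/2022)
 
 #### Features
 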
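--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,11 @@
+### 0.10.4 (18/09/2022)
+
+#### Bugfixes
+
+* refresh token lookups are now scoped by application.
+
+This bug meant that lookups of refresh token via the refresh token grant were not scoped by the application identified by the `/token` request credentials, so grant hijacking could happen in theory, if attackers knew of existing refresh tokens.
+
+The same issue was observed (and fixed) for token revocation (this time involving the access token).
+
+* Fix for a case which made resource indicators unusable under Rack 3.0 .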
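--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -530,7 +530,7 @@ module Rodauth
 end
 
 def oauth_token_by_refresh_token(token, revoked: false)
-ds = db[oauth_tokens_table]
+ds = db[oauth_tokens_table].where(oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column])
 #
 # filter expired refresh tokens out.
 # an expired refresh token is a token whose access token expired for a period longer than the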
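Review bot: The new `where` on `oauth_tokens_table` filters by `oauth_grants_oauth_application_id_column`, a column name configured for the grants table, while the revocation hunk further down (`oauth_token_by_token_ds(token).where(...)`) scopes the same tokens table by `oauth_tokens_oauth_application_id_column`. If a deployment configures those two column names differently, this query references a column that does not exist on the tokens table and the refresh-token grant fails, so the tokens-table setting keeps both lookups consistent: `ds = db[oauth_tokens_table].where(oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column])`. The method also indexes `oauth_application` unconditionally, so it presumably relies on the caller having authenticated the client first; a comment such as `# callers must have resolved oauth_application (client authentication) before this lookup` would state that precondition. The body of oauth_token_by_refresh_token continues past the hunk.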
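--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -241,6 +241,16 @@ module Rodauth
 jwt_decode(token)
 end
 
+def token_from_application?(grant_or_claims, oauth_application)
+return super if grant_or_claims[oauth_tokens_id_column]
+
+if grant_or_claims["client_id"]
+grant_or_claims["client_id"] == oauth_application[oauth_applications_client_id_column]
+else
+Array(grant_or_claims["aud"]).include?(oauth_application[oauth_applications_client_id_column])
+end
+end
+
 def json_token_introspect_payload(oauth_token)
 return { active: false } unless oauth_token
 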
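Review bot: `token_from_application?` applies three different ownership rules with no comment saying when each one is used: a database row (recognised by `oauth_tokens_id_column`) defers to `super`, a JWT carrying a `client_id` claim must match the application's client id, and otherwise the application's client id must appear in `aud`. The `aud` fallback is the branch a maintainer is most likely to misread, because an audience names the resources a token is intended for rather than the client it was issued to, so any application listed in `aud` is treated as the token's owner; if that is intended it should be stated. I would add above the method: `# A DB token row defers to super; a JWT is the application's when its "client_id"` / `# equals the application's client id or, lacking that claim, when that client id is` / `# listed in "aud". Claims with neither "client_id" nor "aud" are never matched.` The enclosing feature definition starts and ends outside the hunk.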
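--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -20,7 +20,12 @@ module Rodauth
 if json_request? || param_or_nil("request") # signed request
 resources = Array(resources)
 else
-query = request.form_data? ? request.body.read : request.query_string
+query = if request.form_data?
+request.body.rewind
+request.body.read
+else
+request.query_string
+end
 # resource query param does not conform to rack parsing rules
 resources = URI.decode_www_form(query).each_with_object([]) do |(k, v), memo|
 memo << v if k == "resource"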
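Review bot: The new branch rewinds before `request.body.read` but not after it, so the body is left at EOF for anything that reads `rack.input` later in the same request (parameter parsing that has not run yet, or downstream middleware), which is the same class of problem the added rewind works around. Rack 3 also no longer requires the input stream to be rewindable, so an unconditional `rewind` can raise on a non-rewindable body; guarding both calls with `respond_to?(:rewind)` and restoring the position after the read covers both cases. The rest of the method is outside the hunk.
```ruby
query = if request.form_data?
  body = request.body
  body.rewind if body.respond_to?(:rewind)
  data = body.read
  # leave the stream where we found it for later readers of rack.input
  body.rewind if body.respond_to?(:rewind)
  data
else
  request.query_string
end
# … unchanged: resource query param parsing …
```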
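--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -15,6 +15,7 @@ module Rodauth
 next unless is_authorization_server?
 
 before_introspect_route
+require_oauth_application
 
 r.post do
 catch_error do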
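Review bot: Adding `require_oauth_application` to the introspection route is a user-visible behaviour change — introspection now fails without client authentication — and the 0.10.4 release notes on this page list only the refresh-token and revocation scoping and the Rack 3 fix, so it deserves its own bullet, e.g. `* the introspection endpoint now requires the requesting application to authenticate.`. The call sits after `before_introspect_route`, so that hook still runs for unauthenticated callers; if the hook is meant to see only authenticated requests, the two lines should be swapped. Whether `require_oauth_application` renders its own error response when called outside `catch_error` is not visible here and is worth confirming. The metadata section on this page also drops `lib/rodauth/features/oauth_authorization_server.rb` and `lib/rodauth/features/oauth_resource_server.rb` from the gem's file list, another change the notes do not mention. The route block starts and ends outside the hunk.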
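--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -74,7 +74,9 @@ module Rodauth
 oauth_token = if param("token_type_hint") == "refresh_token"
 oauth_token_by_refresh_token(token)
 else
-oauth_token_by_token(token)
+oauth_token_by_token_ds(token).where(
+oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column]
+).first
 end
 
 redirect_response_error("invalid_request") unless oauth_token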
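--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -2,6 +2,6 @@
 
 module Rodauth
 module OAuth
-VERSION = "0.10.3"
+VERSION = "0.10.4"
 end
 end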
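--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-oauth
 version: !ruby/object:Gem::Version
-version: 0.10.3
+version: 0.10.4
 platform: ruby
 authors:
 - Tiago Cardoso
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-08-29 00:00:00.000000000 Z
+date: 2022-09-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rodauth
@@ -43,6 +43,7 @@ extra_rdoc_files:
 - doc/release_notes/0_10_1.md
 - doc/release_notes/0_10_2.md
 - doc/release_notes/0_10_3.md
+- doc/release_notes/0_10_4.md
 - doc/release_notes/0_1_0.md
 - doc/release_notes/0_2_0.md
 - doc/release_notes/0_3_0.md
@@ -78,6 +79,7 @@ files:
 - doc/release_notes/0_10_1.md
 - doc/release_notes/0_10_2.md
 - doc/release_notes/0_10_3.md
+- doc/release_notes/0_10_4.md
 - doc/release_notes/0_1_0.md
 - doc/release_notes/0_2_0.md
 - doc/release_notes/0_3_0.md
@@ -117,7 +119,6 @@ files:
 - lib/rodauth/features/oauth_application_management.rb
 - lib/rodauth/features/oauth_assertion_base.rb
 - lib/rodauth/features/oauth_authorization_code_grant.rb
-- lib/rodauth/features/oauth_authorization_server.rb
 - lib/rodauth/features/oauth_authorize_base.rb
 - lib/rodauth/features/oauth_base.rb
 - lib/rodauth/features/oauth_client_credentials_grant.rb
@@ -130,7 +131,6 @@ files:
 - lib/rodauth/features/oauth_management_base.rb
 - lib/rodauth/features/oauth_pkce.rb
 - lib/rodauth/features/oauth_resource_indicators.rb
-- lib/rodauth/features/oauth_resource_server.rb
 - lib/rodauth/features/oauth_saml_bearer_grant.rb
 - lib/rodauth/features/oauth_token_introspection.rb
 - lib/rodauth/features/oauth_token_management.rb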
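--- a/PATH-NOT-ON-PAGE
+++ /dev/null
@@ -1,21 +0,0 @@
-# frozen_string_literal: true
-
-module Rodauth
-Feature.define(:oauth_resource_server, :OauthResourceServer) do
-def authorization_token
-return @authorization_token if defined?(@authorization_token)
-
-# check if there is a token
-bearer_token = fetch_access_token
-
-return unless bearer_token
-
-# where in resource server, NOT the authorization server.
-payload = introspection_request("access_token", bearer_token)
-
-return unless payload["active"]
-
-@authorization_token = payload
-end
-end
-end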