rodauth-oauth 0.10.4 → 1.0.0.pre.beta2

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_application_oauth_grants.html.erb

@@ -0,0 +1,41 @@
+<% oauth_grants = rodauth.scope.instance_variable_get(:@oauth_grants) %>
+<% grants_count = oauth_grants.count %>
+<% if grants_count.zero? %>
+  <p><%= rodauth.oauth_no_grants_text %></p>
+<% else %>
+  <table class="table">
+    <thead>
+      <tr>
+        <th scope="col"><=% rodauth.oauth_grants_type_label %></th>
+        <th scope="col"><=% rodauth.oauth_grants_token_label %></th>
+        <th scope="col"><=% rodauth.oauth_grants_refresh_token_label %></th>
+        <th scope="col"><=% rodauth.oauth_grants_expires_in_label %></th>
+        <th scope="col"><=% rodauth.oauth_grants_revoked_at_label %></th>
+        <th scope="col"><=% rodauth.oauth_grants_scopes_label %></th>
+        <th scope="col"><span class="badge badge-pill badge-dark"><%= grants_count %></span>
+      </tr>
+    </thead>
+    <tbody>
+      <% oauth_grants.each do |oauth_grant| %>
+        <tr>
+          <td><%= oauth_grant[rodauth.oauth_grants_type_column] %></td>
+          <td><code class="token"><%= oauth_grant[rodauth.oauth_grants_token_column] %></code></td>
+          <td><code class="token"><%= oauth_grant[rodauth.oauth_grants_refresh_token_column] %></code></td>
+          <td><%= oauth_grant[rodauth.oauth_grants_expires_in_column] %></td>
+          <td><%= oauth_grant[rodauth.oauth_grants_revoked_at_column] %></td>
+          <td><%= oauth_grant[rodauth.oauth_grants_scopes_column] %></td>
+          <td>
+            <% if !oauth_grant[rodauth.oauth_grants_revoked_at_column] %>
+              <%= form_tag rodauth.revoke_path, method: :post do %>
+                <%= hidden_field_tag :token_type_hint, "access_token" %>
+                <%= hidden_field_tag :token, oauth_grant[rodauth.oauth_grants_token_column] %>
+                <%= submit_tag rodauth.oauth_grant_revoke_button, class: "btn btn-danger" %>
+              <% end %>
+            <% end %>
+          </td>
+        </tr>
+      <% end %>
+    </tbody>
+  </table>
+  <%= rodauth.oauth_management_pagination_links(@oauth_grants) %>
+<% end %>

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_applications.html.erb

@@ -4,7 +4,7 @@
   <%= link_to rodauth.new_oauth_application_page_title, "#{rodauth.oauth_applications_path}/new", class: "btn btn-secondary" %>
 </div>
 <% if apps_count.zero? %>
-  <p>No oauth applications yet!</p>
+  <p><%= rodauth.oauth_no_applications_text %></p>
 <% else %>
   <table class="table">
     <thead>
@@ -26,5 +26,5 @@
       <% end %>
     </tbody>
   </table>
-  <%= rodauth.oauth_management_pagination_links(oauth_applications_ds) %>
+  <%= rodauth.oauth_management_pagination_links(oauth_applications_ds).html_safe %>
 <% end %>

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_grants.html.erb

@@ -0,0 +1,37 @@
+<% oauth_grants = rodauth.scope.instance_variable_get(:@oauth_grants) %>
+<% grants_count = oauth_grants.count %>
+<% if grants_count.zero? %>
+  <p><%= rodauth.oauth_no_grants_text %></p>
+<% else %>
+  <table class="table">
+    <thead>
+      <tr>
+        <th scope="col"><=% rodauth.oauth_applications_name_label %></th>
+        <th scope="col"><=% rodauth.oauth_grants_type_label %></th>
+        <th scope="col"><=% rodauth.oauth_grants_token_label %></th>
+        <th scope="col"><=% rodauth.oauth_grants_refresh_token_label %></th>
+        <th scope="col"><=% rodauth.oauth_grants_expires_in_label %></th>
+        <th scope="col"><=% rodauth.oauth_grants_scopes_label %></th>
+        <th scope="col"><span class="badge badge-pill badge-dark"><%= grants_count %></span>
+      </tr>
+    </thead>
+    <tbody>
+      <% oauth_grants.each do |oauth_grant| %>
+        <tr>
+          <td><%= oauth_grant[rodauth.oauth_applications_name_column] %></td>
+          <td><%= oauth_grant[rodauth.oauth_grants_type_column] %></td>
+          <td><code class="token"><%= oauth_grant[rodauth.oauth_grants_token_column] %></code></td>
+          <td><code class="token"><%= oauth_grant[rodauth.oauth_grants_refresh_token_column] %></code></td>
+          <td><%= oauth_grant[rodauth.oauth_grants_expires_in_column] %></td>
+          <td><%= oauth_grant[rodauth.oauth_grants_scopes_column] %></td>
+          <td>
+            <%= form_tag rodauth.oauth_grant_path(oauth_grant[rodauth.oauth_grants_id_column]), method: :post do %>
+              <%= submit_tag rodauth.oauth_grant_revoke_button, class: "btn btn-danger" %>
+            <% end %>
+          </td>
+        </tr>
+      <% end %>
+    </tbody>
+  </table>
+  <%= rodauth.oauth_management_pagination_links(oauth_grants) %>
+<% end %>

data/lib/generators/rodauth/oauth/templates/db/migrate/create_rodauth_oauth.rb

@@ -5,29 +5,48 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       t.foreign_key :accounts, column: :account_id
       t.string :name, null: false
       t.string :description, null: true
-      t.string :homepage_url, null: false
+      t.string :homepage_url, null: true
       t.string :redirect_uri, null: false
       t.string :client_id, null: false, index: { unique: true }
       t.string :client_secret, null: false, index: { unique: true }
       t.string :scopes, null: false
       t.datetime :created_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
-      # extra params
-      # t.string :token_endpoint_auth_method, null: true
-      # t.string :grant_types, null: true
-      # t.string :response_types, null: true
-      # t.string :client_uri, null: true
-      # t.string :logo_uri, null: true
-      # t.string :tos_uri, null: true
-      # t.string :policy_uri, null: true
-      # t.string :jwks_uri, null: true
-      # t.string :jwks, null: true
-      # t.string :contacts, null: true
-      # t.string :software_id, null: true
-      # t.string :software_version, null: true
-      # JWT/OIDC per application signing verification
-      # t.text :jwt_public_key, null: true
-      # RP-initiated logout
-      # t.string :post_logout_redirect_uri, null: false
+
+      # :oauth_dynamic_client_configuration enabled, extra optional params
+      t.string :token_endpoint_auth_method, null: true
+      t.string :grant_types, null: true
+      t.string :response_types, null: true
+      t.string :client_uri, null: true
+      t.string :logo_uri, null: true
+      t.string :tos_uri, null: true
+      t.string :policy_uri, null: true
+      t.string :jwks_uri, null: true
+      t.string :jwks, null: true
+      t.string :contacts, null: true
+      t.string :software_id, null: true
+      t.string :software_version, null: true
+
+      # :oidc_dynamic_client_configuration enabled, extra optional params
+      t.string :sector_identifier_uri, null: true
+      t.string :application_type, null: true
+
+      # :oidc enabled
+      t.string :subject_type, null: true
+      t.string :id_token_signed_response_alg, null: true
+      t.string :id_token_encrypted_response_alg, null: true
+      t.string :id_token_encrypted_response_enc, null: true
+      t.string :userinfo_signed_response_alg, null: true
+      t.string :userinfo_encrypted_response_alg, null: true
+      t.string :userinfo_encrypted_response_enc, null: true
+
+      # :oauth_jwt_secured_authorization_request
+      t.string :request_object_signing_alg, null: true
+      t.string :request_object_encryption_alg, null: true
+      t.string :request_object_encryption_enc, null: true
+      t.string :request_uris, null: true
+
+      # :oidc_rp_initiated_logout enabled
+      t.string :post_logout_redirect_uris, null: false
     end
 
     create_table :oauth_grants do |t|
@@ -35,53 +54,34 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       t.foreign_key :accounts, column: :account_id
       t.integer :oauth_application_id
       t.foreign_key :oauth_applications, column: :oauth_application_id
-      t.string :code, null: false
+      t.string :type, null: true
+      t.string :code, null: true
       t.index(%i[oauth_application_id code], unique: true)
+      t.string :token, unique: true
+      t.string :refresh_token, unique: true
       t.datetime :expires_in, null: false
       t.string :redirect_uri
       t.datetime :revoked_at
       t.string :scopes, null: false
       t.datetime :created_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
-      # for using access_types
       t.string :access_type, null: false, default: "offline"
-      # uncomment to enable PKCE
-      # t.string :code_challenge
-      # t.string :code_challenge_method
-      # uncomment to use OIDC nonce
-      # t.string :nonce
-      # device code grant
-      # t.string :user_code, null: true, unique: true
-      # t.datetime :last_polled_at, null: true
-      # when using :oauth_resource_indicators feature
-      # t.string :resource
-    end
 
-    create_table :oauth_tokens do |t|
-      t.integer :account_id
-      t.foreign_key :accounts, column: :account_id
-      t.integer :oauth_grant_id
-      t.foreign_key :oauth_grants, column: :oauth_grant_id
-      t.integer :oauth_token_id
-      t.foreign_key :oauth_tokens, column: :oauth_token_id
-      t.integer :oauth_application_id
-      t.foreign_key :oauth_applications, column: :oauth_application_id
-      t.string :token, null: false, token: true, unique: true
-      # uncomment if setting oauth_tokens_token_hash_column
-      # and delete the token column
-      # t.string :token_hash, token: true, unique: true
-      t.string :refresh_token, unique: true
-      # uncomment if setting oauth_tokens_refresh_token_hash_column
-      # and delete the refresh_token column
-      # t.string :refresh_token_hash, token: true, unique: true
-      t.datetime :expires_in, null: false
-      t.datetime :revoked_at
-      t.string :scopes, null: false
-      t.datetime :created_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
-      # uncomment to use OIDC nonce
-      # t.string :nonce
-      # t.datetime :auth_time
-      # when using :oauth_resource_indicators feature
-      # t.string :resource
+      # :oauth_pkce enabled
+      t.string :code_challenge
+      t.string :code_challenge_method
+
+      # :oauth_device_code_grant enabled
+      t.string :user_code, null: true, unique: true
+      t.datetime :last_polled_at, null: true
+
+      # :resource_indicators enabled
+      t.string :resource
+
+      # :oidc enabled
+      t.string :nonce
+      t.string :acr
+      t.string :claims_locales
+      t.string :claims
     end
   end
 end

data/lib/rodauth/features/oauth_application_management.rb

@@ -1,8 +1,10 @@
 # frozen_string_literal: true
 
+require "rodauth/oauth"
+
 module Rodauth
   Feature.define(:oauth_application_management, :OauthApplicationManagement) do
-    depends :oauth_management_base
+    depends :oauth_management_base, :oauth_token_revocation
 
     before "create_oauth_application"
     after "create_oauth_application"
@@ -13,7 +15,7 @@ module Rodauth
     view "oauth_applications", "Oauth Applications", "oauth_applications"
     view "oauth_application", "Oauth Application", "oauth_application"
     view "new_oauth_application", "New Oauth Application", "new_oauth_application"
-    view "oauth_application_oauth_tokens", "Oauth Application Tokens", "oauth_application_oauth_tokens"
+    view "oauth_application_oauth_grants", "Oauth Application Grants", "oauth_application_oauth_grants"
 
     # Application
     APPLICATION_REQUIRED_PARAMS = %w[name scopes homepage_url redirect_uri client_secret].freeze
@@ -21,12 +23,6 @@ module Rodauth
 
     (APPLICATION_REQUIRED_PARAMS + %w[description client_id]).each do |param|
       auth_value_method :"oauth_application_#{param}_param", param
-      configuration_module_eval do
-        define_method :"#{param}_label" do
-          warn "#{__method__} is deprecated, switch to oauth_applications_#{__method__}_label"
-          __send__(:"oauth_applications_#{param}_label")
-        end
-      end
     end
 
     translatable_method :oauth_applications_name_label, "Name"
@@ -41,36 +37,42 @@ module Rodauth
     translatable_method :oauth_applications_redirect_uri_label, "Redirect URI"
     translatable_method :oauth_applications_client_secret_label, "Client Secret"
     translatable_method :oauth_applications_client_id_label, "Client ID"
+
+    %w[type token refresh_token expires_in revoked_at].each do |param|
+      translatable_method :"oauth_grants_#{param}_label", param.gsub("_", " ").capitalize
+    end
+
     button "Register", "oauth_application"
-    button "Revoke", "oauth_token_revoke"
+    button "Revoke", "oauth_grant_revoke"
 
-    auth_value_method :oauth_applications_oauth_tokens_path, "oauth-tokens"
+    auth_value_method :oauth_applications_oauth_grants_path, "oauth-grants"
     auth_value_method :oauth_applications_route, "oauth-applications"
     auth_value_method :oauth_applications_per_page, 20
     auth_value_method :oauth_applications_id_pattern, Integer
-    auth_value_method :oauth_tokens_per_page, 20
+    auth_value_method :oauth_grants_per_page, 20
 
     translatable_method :invalid_url_message, "Invalid URL"
     translatable_method :null_error_message, "is not filled"
 
-    def oauth_applications_path(opts = {})
-      route_path(oauth_applications_route, opts)
-    end
+    translatable_method :oauth_no_applications_text, "No oauth applications yet!"
+    translatable_method :oauth_no_grants_text, "No oauth grants yet!"
 
-    def oauth_applications_url(opts = {})
-      route_url(oauth_applications_route, opts)
-    end
     auth_value_methods(
       :oauth_application_path
     )
 
+    def oauth_applications_path(opts = {})
+      route_path(oauth_applications_route, opts)
+    end
+
     def oauth_application_path(id)
       "#{oauth_applications_path}/#{id}"
     end
 
     # /oauth-applications routes
-    def oauth_applications
+    def load_oauth_application_management_routes
       request.on(oauth_applications_route) do
+        check_csrf if check_csrf?
         require_account
 
         request.get "new" do
@@ -92,57 +94,52 @@ module Rodauth
             end
           end
 
-          request.on(oauth_applications_oauth_tokens_path) do
+          request.on(oauth_applications_oauth_grants_path) do
             page = Integer(param_or_nil("page") || 1)
-            per_page = per_page_param(oauth_tokens_per_page)
-            oauth_tokens = db[oauth_tokens_table]
-                           .where(oauth_tokens_oauth_application_id_column => id)
-                           .order(Sequel.desc(oauth_tokens_id_column))
-            scope.instance_variable_set(:@oauth_tokens, oauth_tokens.paginate(page, per_page))
-            request.get do
-              oauth_application_oauth_tokens_view
+            per_page = per_page_param(oauth_grants_per_page)
+            oauth_grants = db[oauth_grants_table]
+                           .where(oauth_grants_oauth_application_id_column => id)
+                           .order(Sequel.desc(oauth_grants_id_column))
+            scope.instance_variable_set(:@oauth_grants, oauth_grants.paginate(page, per_page))
+            request.is do
+              request.get do
+                oauth_application_oauth_grants_view
+              end
             end
           end
         end
 
-        request.get do
-          page = Integer(param_or_nil("page") || 1)
-          per_page = per_page_param(oauth_applications_per_page)
-          scope.instance_variable_set(:@oauth_applications, db[oauth_applications_table]
-            .where(oauth_applications_account_id_column => account_id)
-            .order(Sequel.desc(oauth_applications_id_column))
-            .paginate(page, per_page))
-
-          oauth_applications_view
-        end
+        request.is do
+          request.get do
+            page = Integer(param_or_nil("page") || 1)
+            per_page = per_page_param(oauth_applications_per_page)
+            scope.instance_variable_set(:@oauth_applications, db[oauth_applications_table]
+              .where(oauth_applications_account_id_column => account_id)
+              .order(Sequel.desc(oauth_applications_id_column))
+              .paginate(page, per_page))
 
-        request.post do
-          catch_error do
-            validate_oauth_application_params
+            oauth_applications_view
+          end
 
-            transaction do
-              before_create_oauth_application
-              id = create_oauth_application
-              after_create_oauth_application
-              set_notice_flash create_oauth_application_notice_flash
-              redirect "#{request.path}/#{id}"
+          request.post do
+            catch_error do
+              validate_oauth_application_params
+
+              transaction do
+                before_create_oauth_application
+                id = create_oauth_application
+                after_create_oauth_application
+                set_notice_flash create_oauth_application_notice_flash
+                redirect "#{request.path}/#{id}"
+              end
             end
+            set_error_flash create_oauth_application_error_flash
+            new_oauth_application_view
           end
-          set_error_flash create_oauth_application_error_flash
-          new_oauth_application_view
         end
       end
     end
 
-    def check_csrf?
-      case request.path
-      when oauth_applications_path
-        only_json? ? false : super
-      else
-        super
-      end
-    end
-
     private
 
     def oauth_application_params
@@ -168,15 +165,15 @@ module Rodauth
             value.each do |uri|
               next if uri.empty?
 
-              set_field_error(key, invalid_url_message) unless check_valid_uri?(uri)
+              set_field_error(key, invalid_url_message) unless check_valid_no_fragment_uri?(uri)
             end
           else
-            set_field_error(key, invalid_url_message) unless check_valid_uri?(value)
+            set_field_error(key, invalid_url_message) unless check_valid_no_fragment_uri?(value)
           end
         elsif key == oauth_application_scopes_param
 
           value.each do |scope|
-            set_field_error(key, invalid_scope_message) unless oauth_application_scopes.include?(scope)
+            set_field_error(key, oauth_invalid_scope_message) unless oauth_application_scopes.include?(scope)
           end
         end
       end
@@ -196,28 +193,18 @@ module Rodauth
       redirect_uris = oauth_application_params[oauth_application_redirect_uri_param]
       redirect_uris = redirect_uris.to_a.reject(&:empty?).join(" ") if redirect_uris.respond_to?(:each)
       create_params[oauth_applications_redirect_uri_column] = redirect_uris unless redirect_uris.empty?
-      # set client ID/secret pairs
 
-      create_params.merge! \
-        oauth_applications_client_secret_column => \
-          secret_hash(oauth_application_params[oauth_application_client_secret_param])
+      # set client ID/secret pairs
+      set_client_secret(create_params, oauth_application_params[oauth_application_client_secret_param])
 
-      create_params[oauth_applications_scopes_column] = if create_params[oauth_applications_scopes_column]
-                                                          create_params[oauth_applications_scopes_column].join(oauth_scope_separator)
-                                                        else
-                                                          oauth_application_default_scope
-                                                        end
+      if create_params[oauth_applications_scopes_column]
+        create_params[oauth_applications_scopes_column] = create_params[oauth_applications_scopes_column].join(oauth_scope_separator)
+      end
 
       rescue_from_uniqueness_error do
         create_params[oauth_applications_client_id_column] = oauth_unique_id_generator
         db[oauth_applications_table].insert(create_params)
       end
     end
-
-    def oauth_server_metadata_body(*)
-      super.tap do |data|
-        data[:registration_endpoint] = oauth_applications_url
-      end
-    end
   end
 end

data/lib/rodauth/features/oauth_assertion_base.rb

@@ -1,11 +1,9 @@
 # frozen_string_literal: true
 
-require "rodauth/oauth/refinements"
+require "rodauth/oauth"
 
 module Rodauth
   Feature.define(:oauth_assertion_base, :OauthAssertionBase) do
-    using PrefixExtensions
-
     depends :oauth_base
 
     auth_value_methods(
@@ -17,7 +15,7 @@ module Rodauth
 
     private
 
-    def validate_oauth_token_params
+    def validate_token_params
       return super unless assertion_grant_type?
 
       redirect_response_error("invalid_grant") unless param_or_nil("assertion")
@@ -29,19 +27,16 @@ module Rodauth
       elsif client_assertion_type?
         @oauth_application = __send__(:"require_oauth_application_from_#{client_assertion_type}_assertion_subject",
                                       param("client_assertion"))
-      else
-        return super
-      end
 
-      redirect_response_error("invalid_grant") unless @oauth_application
-
-      if client_assertion_type? &&
-         (client_id = param_or_nil("client_id")) &&
-         client_id != @oauth_application[oauth_applications_client_id_column]
-        # If present, the value of the
-        # "client_id" parameter MUST identify the same client as is
-        # identified by the client assertion.
-        redirect_response_error("invalid_grant")
+        if (client_id = param_or_nil("client_id")) &&
+           client_id != @oauth_application[oauth_applications_client_id_column]
+          # If present, the value of the
+          # "client_id" parameter MUST identify the same client as is
+          # identified by the client assertion.
+          redirect_response_error("invalid_grant")
+        end
+      else
+        super
       end
     end
 
@@ -54,7 +49,7 @@ module Rodauth
       )
     end
 
-    def create_oauth_token(grant_type)
+    def create_token(grant_type)
       return super unless assertion_grant_type?(grant_type) && supported_grant_type?(grant_type)
 
       account = __send__(:"account_from_#{assertion_grant_type}_assertion", param("assertion"))
@@ -62,19 +57,20 @@ module Rodauth
       redirect_response_error("invalid_grant") unless account
 
       grant_scopes = if param_or_nil("scope")
-                       redirect_response_error("invalid_grant") unless check_valid_scopes?
+                       redirect_response_error("invalid_scope") unless check_valid_scopes?
                        scopes
                      else
                        @oauth_application[oauth_applications_scopes_column]
                      end
 
-      create_params = {
-        oauth_tokens_account_id_column => account[account_id_column],
-        oauth_tokens_oauth_application_id_column => @oauth_application[oauth_applications_id_column],
-        oauth_tokens_scopes_column => grant_scopes
+      grant_params = {
+        oauth_grants_type_column => grant_type,
+        oauth_grants_account_id_column => account[account_id_column],
+        oauth_grants_oauth_application_id_column => @oauth_application[oauth_applications_id_column],
+        oauth_grants_scopes_column => grant_scopes
       }
 
-      generate_oauth_token(create_params, false)
+      generate_token(grant_params, false)
     end
 
     def assertion_grant_type?(grant_type = param("grant_type"))