rodauth-oauth 0.7.1 → 0.7.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0e6a9da692805069b0250b975d86c02f81af6bd1cc80ce24ecbc92ea6d3fef14
-  data.tar.gz: c4996d52e4119f6a2d8fde3f0149f8deadb609324fb894c99d5fbcdf836efd4c
+  metadata.gz: d000e6a25796dbdc8c58d378e93819343810f6089c33d02732443342ce721ec3
+  data.tar.gz: e61c19bd7e74c3f2b68541bf7aa78c143c669d5a745bf4efc389e786598fbcd8
 SHA512:
-  metadata.gz: d8ec7872e8997019182b04a40c11f5db1e272de0bcceada11f870d706f2646aca911239d1f01876f26126e0936938a6ea233f312304410ce0c35d3964ebe7f1f
-  data.tar.gz: 4a5df07c4da7c30803d7cb513c87ca6296b205dcdae89eb3ab475aa6780a4b37acd0e3b3bae5d43372eb8f9d3a92bd30a761ad7cda269d18d7bc16658f719768
+  metadata.gz: 9d727127c9e5a6d3a935b6194fbd0bd81358f3ea9876387d1639c3cf419b15246a0b89d57688d8ef15e830bd7b86f482463332c0fa843cb494ee56afe23c3e2e
+  data.tar.gz: 1d565e48e99b4897ca47a64c5b937405a5a10a9696893059d59670e58ae0dc1677daf17194ddfefcdd0d9fc33960ab5fd3a1fd3716cbe0e7fae961537ad46058

data/CHANGELOG.md

@@ -2,6 +2,28 @@
 
 ## master
 
+### 0.7.2 (14/12/2021)
+
+#### Features
+
+* Revoking tokens from the OAuth Application management interface (@muellerj)
+
+Token revocation was only possible when using the client ID and Secret, to aid "logout" functionality from client applications. Although the admin interface (available via `r.oauth_applications`) displayed a "Revoke" button alongside tokens in the list page, this was not working. The RFC does allow for the use case of application administrators being able to manually revoke tokens (as a result of client support, for example), so this functionality was enabled (only for the oauth application owner, for now).
+
+#### Bugfixes
+
+Default scope usage related bugfixes:
+
+* Improved default scope conversion to avoid nested arrays (@muellerj);
+* Authorize form shows a disabled checkbox and POST's no scope when default scope is to be used (@muellerj);
+* example default scope fixed for example authorization server (should be string) (@muellerj);
+* several param fixes in view templates (@muellerj);
+
+OAuth Applications Management fixes:
+
+* Access to OAuth Application page is now restricted to app owner;
+* OAuth Applications page now lists the **only** the applications owned by the logged in user;
+
 ### 0.7.1 (05/12/2021)
 
 #### Improvements

data/lib/rodauth/features/oauth.rb

@@ -66,6 +66,7 @@ module Rodauth
     notice_flash "Your oauth application has been registered", "create_oauth_application"
 
     notice_flash "The oauth token has been revoked", "revoke_oauth_token"
+    error_flash "You are not authorized to revoke this token", "revoke_unauthorized_account"
 
     view "authorize", "Authorize", "authorize"
     view "oauth_applications", "Oauth Applications", "oauth_applications"
@@ -279,7 +280,13 @@ module Rodauth
       next unless is_authorization_server?
 
       before_revoke_route
-      require_oauth_application
+
+      if logged_in?
+        require_account
+        require_oauth_application_from_account
+      else
+        require_oauth_application
+      end
 
       r.post do
         catch_error do
@@ -386,7 +393,10 @@ module Rodauth
         end
 
         request.on(oauth_applications_id_pattern) do |id|
-          oauth_application = db[oauth_applications_table].where(oauth_applications_id_column => id).first
+          oauth_application = db[oauth_applications_table]
+                              .where(oauth_applications_id_column => id)
+                              .where(oauth_applications_account_id_column => account_id)
+                              .first
           next unless oauth_application
 
           scope.instance_variable_set(:@oauth_application, oauth_application)
@@ -407,7 +417,8 @@ module Rodauth
         end
 
         request.get do
-          scope.instance_variable_set(:@oauth_applications, db[oauth_applications_table])
+          scope.instance_variable_set(:@oauth_applications, db[oauth_applications_table]
+            .where(oauth_applications_account_id_column => account_id))
           oauth_applications_view
         end
 
@@ -474,7 +485,7 @@ module Rodauth
       when String
         scope.split(" ")
       when nil
-        [oauth_application_default_scope]
+        Array(oauth_application_default_scope)
       end
     end
 
@@ -684,6 +695,20 @@ module Rodauth
       authorization_required unless @oauth_application && secret_matches?(@oauth_application, client_secret)
     end
 
+    def require_oauth_application_from_account
+      ds = db[oauth_applications_table]
+           .join(oauth_tokens_table, Sequel[oauth_tokens_table][oauth_tokens_oauth_application_id_column] =>
+                                     Sequel[oauth_applications_table][oauth_applications_id_column])
+           .where(oauth_token_by_token_ds(param("token")).opts.fetch(:where, true))
+           .where(Sequel[oauth_applications_table][oauth_applications_account_id_column] => account_id)
+
+      @oauth_application = ds.qualify.first
+      return if @oauth_application
+
+      set_redirect_error_flash revoke_unauthorized_account_error_flash
+      redirect request.referer || "/"
+    end
+
     def secret_matches?(oauth_application, secret)
       BCrypt::Password.new(oauth_application[oauth_applications_client_secret_column]) == secret
     end
@@ -774,17 +799,21 @@ module Rodauth
       end
     end
 
-    def oauth_token_by_token(token)
+    def oauth_token_by_token_ds(token)
       ds = db[oauth_tokens_table]
 
       ds = if oauth_tokens_token_hash_column
-             ds.where(oauth_tokens_token_hash_column => generate_token_hash(token))
+             ds.where(Sequel[oauth_tokens_table][oauth_tokens_token_hash_column] => generate_token_hash(token))
            else
-             ds.where(oauth_tokens_token_column => token)
+             ds.where(Sequel[oauth_tokens_table][oauth_tokens_token_column] => token)
            end
 
-      ds.where(Sequel[oauth_tokens_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
-        .where(oauth_tokens_revoked_at_column => nil).first
+      ds.where(Sequel[oauth_tokens_table][oauth_tokens_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
+        .where(Sequel[oauth_tokens_table][oauth_tokens_revoked_at_column] => nil)
+    end
+
+    def oauth_token_by_token(token)
+      oauth_token_by_token_ds(token).first
     end
 
     def oauth_token_by_refresh_token(token, revoked: false)

data/lib/rodauth/oauth/version.rb

@@ -2,6 +2,6 @@
 
 module Rodauth
   module OAuth
-    VERSION = "0.7.1"
+    VERSION = "0.7.2"
   end
 end

data/locales/en.yml

@@ -3,6 +3,7 @@ en:
     require_authorization_error_flash: "Please authorize to continue"
     create_oauth_application_error_flash: "There was an error registering your oauth application"
     create_oauth_application_notice_flash: "Your oauth application has been registered"
+    revoke_unauthorized_account_error_flash: "You are not authorized to revoke this token"
     revoke_oauth_token_notice_flash: "The oauth token has been revoked"
     oauth_authorize_title: "Authorize"
     oauth_oauth_applications_page_title: "Oauth Applications"
@@ -31,4 +32,4 @@ en:
     unsupported_transform_algorithm_message: "transform algorithm not supported"
     request_uri_not_supported_message: "request uri is unsupported"
     invalid_request_object_message: "request object is invalid"
-    invalid_scope_message: "The Access Token expired"
+    invalid_scope_message: "The Access Token expired"

data/templates/authorize.str

@@ -7,12 +7,22 @@
 
     #{
       rodauth.scopes.map do |scope|
-        <<-HTML
-         	<div class="form-check">
-            <input id="#{scope}" class="form-check-input" type="checkbox" name="scope[]" value="#{scope}" #{"checked disabled" if scope == rodauth.oauth_application_default_scope}>
-            <label class="form-check-label" for="#{scope}">#{scope}</label>
-          </div>
-        HTML
+        if scope == rodauth.oauth_application_default_scope
+          <<-HTML
+            <div class="form-check">
+              <input id="#{scope}" class="form-check-input" type="checkbox" name="scope[]" value="#{scope}" checked disabled>
+              <label class="form-check-label" for="#{scope}">#{scope}</label>
+              <input type="hidden" name="scope[]" value="#{scope}">
+            </div>
+          HTML
+        else
+          <<-HTML
+            <div class="form-check">
+              <input id="#{scope}" class="form-check-input" type="checkbox" name="scope[]" value="#{scope}">
+              <label class="form-check-label" for="#{scope}">#{scope}</label>
+            </div>
+          HTML
+        end
       end.join
     }
 
@@ -31,4 +41,4 @@
     <input type="submit" class="btn btn-outline-primary" value="#{h(rodauth.oauth_authorize_button)}"/>
     <a href="#{rodauth.redirect_uri}?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request#{ "&state=#{rodauth.param("state")}" if rodauth.param_or_nil("state")}" class="btn btn-outline-danger">Cancel</a>
   </p>
-</form>
+</form>

data/templates/oauth_tokens.str

@@ -10,7 +10,8 @@
               <th scope="col">Token</th>
               <th scope="col">Refresh Token</th>
               <th scope="col">Expires in</th>
-              <th scope="col">Revoke</th>
+              <th scope="col">Revoked at</th>
+              <th scope="col">Scopes</th>
               <th scope="col"><span class="badge badge-pill badge-dark">#{@oauth_tokens.count}</span>
             </tr>
           </thead>
@@ -19,13 +20,14 @@
               @oauth_tokens.map do |oauth_token|
                 <<-HTML
                   <tr>
-                    <td>#{oauth_token[rodauth.oauth_tokens_token_column]}</td>
-                    <td>#{oauth_token[rodauth.oauth_tokens_refresh_token_column]}</td>
+                    <td><code class="token">#{oauth_token[rodauth.oauth_tokens_token_column]}</code></td>
+                    <td><code class="token">#{oauth_token[rodauth.oauth_tokens_refresh_token_column]}</code></td>
                     <td>#{oauth_token[rodauth.oauth_tokens_expires_in_column]}</td>
                     <td>#{oauth_token[rodauth.oauth_tokens_revoked_at_column]}</td>
+                    <td>#{oauth_token[rodauth.oauth_tokens_scopes_column]}</td>
                     <td>
                       #{
-                        if !oauth_token[rodauth.oauth_tokens_revoked_at_param] && !oauth_token[rodauth.oauth_tokens_token_hash_column]
+                        if !oauth_token[rodauth.oauth_tokens_revoked_at_column] && !oauth_token[rodauth.oauth_tokens_token_hash_column]
                           <<-HTML
                             <form method="post" action="#{rodauth.revoke_path}" class="form-horizontal" role="form" id="revoke-form">
                               #{csrf_tag(rodauth.revoke_path) if respond_to?(:csrf_tag)}
@@ -46,4 +48,4 @@
       HTML
     end
   }
-</div>
+</div>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-oauth
 version: !ruby/object:Gem::Version
-  version: 0.7.1
+  version: 0.7.2
 platform: ruby
 authors:
 - Tiago Cardoso
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-12-05 00:00:00.000000000 Z
+date: 2021-12-14 00:00:00.000000000 Z
 dependencies: []
 description: Implementation of the OAuth 2.0 protocol on top of rodauth.
 email:
@@ -52,7 +52,8 @@ files:
 - templates/redirect_uri_field.str
 - templates/scope_field.str
 homepage: https://gitlab.com/honeyryderchuck/rodauth-oauth
-licenses: []
+licenses:
+- Apache 2.0
 metadata:
   homepage_uri: https://gitlab.com/honeyryderchuck/rodauth-oauth
   source_code_uri: https://gitlab.com/honeyryderchuck/rodauth-oauth
@@ -72,7 +73,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.2.22
 signing_key:
 specification_version: 4
 summary: Implementation of the OAuth 2.0 protocol on top of rodauth.