super-smart-kit 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (149) hide show
  1. checksums.yaml +7 -0
  2. data/doorkeeper-5.9.3/CHANGELOG.md +1208 -0
  3. data/doorkeeper-5.9.3/MIT-LICENSE +20 -0
  4. data/doorkeeper-5.9.3/README.md +186 -0
  5. data/doorkeeper-5.9.3/app/assets/stylesheets/doorkeeper/admin/application.css +10 -0
  6. data/doorkeeper-5.9.3/app/assets/stylesheets/doorkeeper/application.css +64 -0
  7. data/doorkeeper-5.9.3/app/controllers/doorkeeper/application_controller.rb +14 -0
  8. data/doorkeeper-5.9.3/app/controllers/doorkeeper/application_metal_controller.rb +13 -0
  9. data/doorkeeper-5.9.3/app/controllers/doorkeeper/applications_controller.rb +99 -0
  10. data/doorkeeper-5.9.3/app/controllers/doorkeeper/authorizations_controller.rb +164 -0
  11. data/doorkeeper-5.9.3/app/controllers/doorkeeper/authorized_applications_controller.rb +33 -0
  12. data/doorkeeper-5.9.3/app/controllers/doorkeeper/token_info_controller.rb +25 -0
  13. data/doorkeeper-5.9.3/app/controllers/doorkeeper/tokens_controller.rb +180 -0
  14. data/doorkeeper-5.9.3/app/helpers/doorkeeper/dashboard_helper.rb +21 -0
  15. data/doorkeeper-5.9.3/app/views/doorkeeper/applications/_delete_form.html.erb +6 -0
  16. data/doorkeeper-5.9.3/app/views/doorkeeper/applications/_form.html.erb +59 -0
  17. data/doorkeeper-5.9.3/app/views/doorkeeper/applications/edit.html.erb +5 -0
  18. data/doorkeeper-5.9.3/app/views/doorkeeper/applications/index.html.erb +38 -0
  19. data/doorkeeper-5.9.3/app/views/doorkeeper/applications/new.html.erb +5 -0
  20. data/doorkeeper-5.9.3/app/views/doorkeeper/applications/show.html.erb +63 -0
  21. data/doorkeeper-5.9.3/app/views/doorkeeper/authorizations/error.html.erb +9 -0
  22. data/doorkeeper-5.9.3/app/views/doorkeeper/authorizations/form_post.html.erb +15 -0
  23. data/doorkeeper-5.9.3/app/views/doorkeeper/authorizations/new.html.erb +46 -0
  24. data/doorkeeper-5.9.3/app/views/doorkeeper/authorizations/show.html.erb +7 -0
  25. data/doorkeeper-5.9.3/app/views/doorkeeper/authorized_applications/_delete_form.html.erb +4 -0
  26. data/doorkeeper-5.9.3/app/views/doorkeeper/authorized_applications/index.html.erb +24 -0
  27. data/doorkeeper-5.9.3/app/views/layouts/doorkeeper/admin.html.erb +39 -0
  28. data/doorkeeper-5.9.3/app/views/layouts/doorkeeper/application.html.erb +23 -0
  29. data/doorkeeper-5.9.3/config/locales/en.yml +155 -0
  30. data/doorkeeper-5.9.3/lib/doorkeeper/config/abstract_builder.rb +28 -0
  31. data/doorkeeper-5.9.3/lib/doorkeeper/config/option.rb +82 -0
  32. data/doorkeeper-5.9.3/lib/doorkeeper/config/validations.rb +65 -0
  33. data/doorkeeper-5.9.3/lib/doorkeeper/config.rb +721 -0
  34. data/doorkeeper-5.9.3/lib/doorkeeper/engine.rb +38 -0
  35. data/doorkeeper-5.9.3/lib/doorkeeper/errors.rb +85 -0
  36. data/doorkeeper-5.9.3/lib/doorkeeper/grant_flow/fallback_flow.rb +15 -0
  37. data/doorkeeper-5.9.3/lib/doorkeeper/grant_flow/flow.rb +44 -0
  38. data/doorkeeper-5.9.3/lib/doorkeeper/grant_flow/registry.rb +50 -0
  39. data/doorkeeper-5.9.3/lib/doorkeeper/grant_flow.rb +45 -0
  40. data/doorkeeper-5.9.3/lib/doorkeeper/grape/authorization_decorator.rb +19 -0
  41. data/doorkeeper-5.9.3/lib/doorkeeper/grape/helpers.rb +58 -0
  42. data/doorkeeper-5.9.3/lib/doorkeeper/helpers/controller.rb +91 -0
  43. data/doorkeeper-5.9.3/lib/doorkeeper/models/access_grant_mixin.rb +124 -0
  44. data/doorkeeper-5.9.3/lib/doorkeeper/models/access_token_mixin.rb +526 -0
  45. data/doorkeeper-5.9.3/lib/doorkeeper/models/application_mixin.rb +96 -0
  46. data/doorkeeper-5.9.3/lib/doorkeeper/models/concerns/accessible.rb +15 -0
  47. data/doorkeeper-5.9.3/lib/doorkeeper/models/concerns/expirable.rb +36 -0
  48. data/doorkeeper-5.9.3/lib/doorkeeper/models/concerns/expiration_time_sql_math.rb +96 -0
  49. data/doorkeeper-5.9.3/lib/doorkeeper/models/concerns/orderable.rb +15 -0
  50. data/doorkeeper-5.9.3/lib/doorkeeper/models/concerns/ownership.rb +18 -0
  51. data/doorkeeper-5.9.3/lib/doorkeeper/models/concerns/polymorphic_resource_owner.rb +29 -0
  52. data/doorkeeper-5.9.3/lib/doorkeeper/models/concerns/resource_ownerable.rb +47 -0
  53. data/doorkeeper-5.9.3/lib/doorkeeper/models/concerns/reusable.rb +19 -0
  54. data/doorkeeper-5.9.3/lib/doorkeeper/models/concerns/revocable.rb +31 -0
  55. data/doorkeeper-5.9.3/lib/doorkeeper/models/concerns/scopes.rb +27 -0
  56. data/doorkeeper-5.9.3/lib/doorkeeper/models/concerns/secret_storable.rb +106 -0
  57. data/doorkeeper-5.9.3/lib/doorkeeper/models/concerns/write_to_primary.rb +57 -0
  58. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/authorization/code.rb +76 -0
  59. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/authorization/context.rb +17 -0
  60. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/authorization/token.rb +100 -0
  61. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/authorization/uri_builder.rb +33 -0
  62. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/authorization_code_request.rb +125 -0
  63. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/base_request.rb +68 -0
  64. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/base_response.rb +31 -0
  65. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/client/credentials.rb +34 -0
  66. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/client.rb +28 -0
  67. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/client_credentials/creator.rb +57 -0
  68. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/client_credentials/issuer.rb +48 -0
  69. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/client_credentials/validator.rb +55 -0
  70. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/client_credentials_request.rb +46 -0
  71. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/code_request.rb +25 -0
  72. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/code_response.rb +51 -0
  73. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/error.rb +16 -0
  74. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/error_response.rb +121 -0
  75. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/forbidden_token_response.rb +31 -0
  76. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/helpers/scope_checker.rb +50 -0
  77. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/helpers/unique_token.rb +30 -0
  78. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/helpers/uri_checker.rb +83 -0
  79. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/hooks/context.rb +21 -0
  80. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/invalid_request_response.rb +47 -0
  81. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/invalid_token_response.rb +54 -0
  82. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/nonstandard.rb +39 -0
  83. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/password_access_token_request.rb +75 -0
  84. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/pre_authorization.rb +187 -0
  85. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/refresh_token_request.rb +144 -0
  86. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/scopes.rb +134 -0
  87. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/token.rb +66 -0
  88. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/token_introspection.rb +220 -0
  89. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/token_request.rb +25 -0
  90. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/token_response.rb +38 -0
  91. data/doorkeeper-5.9.3/lib/doorkeeper/oauth.rb +13 -0
  92. data/doorkeeper-5.9.3/lib/doorkeeper/orm/active_record/access_grant.rb +9 -0
  93. data/doorkeeper-5.9.3/lib/doorkeeper/orm/active_record/access_token.rb +9 -0
  94. data/doorkeeper-5.9.3/lib/doorkeeper/orm/active_record/application.rb +10 -0
  95. data/doorkeeper-5.9.3/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +64 -0
  96. data/doorkeeper-5.9.3/lib/doorkeeper/orm/active_record/mixins/access_token.rb +95 -0
  97. data/doorkeeper-5.9.3/lib/doorkeeper/orm/active_record/mixins/application.rb +223 -0
  98. data/doorkeeper-5.9.3/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb +66 -0
  99. data/doorkeeper-5.9.3/lib/doorkeeper/orm/active_record/stale_records_cleaner.rb +44 -0
  100. data/doorkeeper-5.9.3/lib/doorkeeper/orm/active_record.rb +41 -0
  101. data/doorkeeper-5.9.3/lib/doorkeeper/rails/helpers.rb +82 -0
  102. data/doorkeeper-5.9.3/lib/doorkeeper/rails/routes/abstract_router.rb +35 -0
  103. data/doorkeeper-5.9.3/lib/doorkeeper/rails/routes/mapper.rb +30 -0
  104. data/doorkeeper-5.9.3/lib/doorkeeper/rails/routes/mapping.rb +40 -0
  105. data/doorkeeper-5.9.3/lib/doorkeeper/rails/routes/registry.rb +45 -0
  106. data/doorkeeper-5.9.3/lib/doorkeeper/rails/routes.rb +110 -0
  107. data/doorkeeper-5.9.3/lib/doorkeeper/rake/db.rake +40 -0
  108. data/doorkeeper-5.9.3/lib/doorkeeper/rake/setup.rake +6 -0
  109. data/doorkeeper-5.9.3/lib/doorkeeper/rake.rb +14 -0
  110. data/doorkeeper-5.9.3/lib/doorkeeper/request/authorization_code.rb +26 -0
  111. data/doorkeeper-5.9.3/lib/doorkeeper/request/client_credentials.rb +17 -0
  112. data/doorkeeper-5.9.3/lib/doorkeeper/request/code.rb +17 -0
  113. data/doorkeeper-5.9.3/lib/doorkeeper/request/password.rb +19 -0
  114. data/doorkeeper-5.9.3/lib/doorkeeper/request/refresh_token.rb +22 -0
  115. data/doorkeeper-5.9.3/lib/doorkeeper/request/strategy.rb +19 -0
  116. data/doorkeeper-5.9.3/lib/doorkeeper/request/token.rb +17 -0
  117. data/doorkeeper-5.9.3/lib/doorkeeper/request.rb +73 -0
  118. data/doorkeeper-5.9.3/lib/doorkeeper/revocable_tokens/revocable_access_token.rb +21 -0
  119. data/doorkeeper-5.9.3/lib/doorkeeper/revocable_tokens/revocable_refresh_token.rb +21 -0
  120. data/doorkeeper-5.9.3/lib/doorkeeper/secret_storing/base.rb +64 -0
  121. data/doorkeeper-5.9.3/lib/doorkeeper/secret_storing/bcrypt.rb +60 -0
  122. data/doorkeeper-5.9.3/lib/doorkeeper/secret_storing/plain.rb +33 -0
  123. data/doorkeeper-5.9.3/lib/doorkeeper/secret_storing/sha256_hash.rb +26 -0
  124. data/doorkeeper-5.9.3/lib/doorkeeper/server.rb +44 -0
  125. data/doorkeeper-5.9.3/lib/doorkeeper/stale_records_cleaner.rb +24 -0
  126. data/doorkeeper-5.9.3/lib/doorkeeper/validations.rb +33 -0
  127. data/doorkeeper-5.9.3/lib/doorkeeper/version.rb +14 -0
  128. data/doorkeeper-5.9.3/lib/doorkeeper.rb +209 -0
  129. data/doorkeeper-5.9.3/lib/generators/doorkeeper/application_owner_generator.rb +33 -0
  130. data/doorkeeper-5.9.3/lib/generators/doorkeeper/confidential_applications_generator.rb +33 -0
  131. data/doorkeeper-5.9.3/lib/generators/doorkeeper/enable_polymorphic_resource_owner_generator.rb +39 -0
  132. data/doorkeeper-5.9.3/lib/generators/doorkeeper/install_generator.rb +22 -0
  133. data/doorkeeper-5.9.3/lib/generators/doorkeeper/migration_generator.rb +32 -0
  134. data/doorkeeper-5.9.3/lib/generators/doorkeeper/pkce_generator.rb +33 -0
  135. data/doorkeeper-5.9.3/lib/generators/doorkeeper/previous_refresh_token_generator.rb +41 -0
  136. data/doorkeeper-5.9.3/lib/generators/doorkeeper/remove_applications_secret_not_null_constraint_generator.rb +33 -0
  137. data/doorkeeper-5.9.3/lib/generators/doorkeeper/templates/README +24 -0
  138. data/doorkeeper-5.9.3/lib/generators/doorkeeper/templates/add_confidential_to_applications.rb.erb +13 -0
  139. data/doorkeeper-5.9.3/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +9 -0
  140. data/doorkeeper-5.9.3/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb.erb +13 -0
  141. data/doorkeeper-5.9.3/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +8 -0
  142. data/doorkeeper-5.9.3/lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb +17 -0
  143. data/doorkeeper-5.9.3/lib/generators/doorkeeper/templates/initializer.rb +544 -0
  144. data/doorkeeper-5.9.3/lib/generators/doorkeeper/templates/migration.rb.erb +99 -0
  145. data/doorkeeper-5.9.3/lib/generators/doorkeeper/templates/remove_applications_secret_not_null_constraint.rb.erb +7 -0
  146. data/doorkeeper-5.9.3/lib/generators/doorkeeper/views_generator.rb +18 -0
  147. data/doorkeeper-5.9.3/vendor/assets/stylesheets/doorkeeper/bootstrap.min.css +6 -0
  148. data/super-smart-kit.gemspec +12 -0
  149. metadata +188 -0
@@ -0,0 +1,544 @@
1
+ # frozen_string_literal: true
2
+
3
+ Doorkeeper.configure do
4
+ # Change the ORM that doorkeeper will use (requires ORM extensions installed).
5
+ # Check the list of supported ORMs here: https://github.com/doorkeeper-gem/doorkeeper#orms
6
+ orm :active_record
7
+
8
+ # Enable support for multiple database configurations with read replicas.
9
+ # When enabled, Doorkeeper will wrap database write operations to ensure they
10
+ # use the primary (writable) database when automatic role switching is enabled.
11
+ #
12
+ # For ActiveRecord (Rails 6.1+), this uses `ActiveRecord::Base.connected_to(role: :writing)`.
13
+ # Other ORM extensions can implement their own primary database targeting logic.
14
+ #
15
+ # enable_multiple_database_roles
16
+ #
17
+ # This prevents `ActiveRecord::ReadOnlyError` when using read replicas with Rails
18
+ # automatic role switching. Enable this if your application uses multiple databases
19
+ # with automatic role switching for read replicas.
20
+ #
21
+ # See: https://guides.rubyonrails.org/active_record_multiple_databases.html#activating-automatic-role-switching
22
+
23
+ # This block will be called to check whether the resource owner is authenticated or not.
24
+ resource_owner_authenticator do
25
+ raise "Please configure doorkeeper resource_owner_authenticator block located in #{__FILE__}"
26
+ # Put your resource owner authentication logic here.
27
+ # Example implementation:
28
+ # User.find_by(id: session[:user_id]) || redirect_to(new_user_session_url)
29
+ end
30
+
31
+ # If you didn't skip applications controller from Doorkeeper routes in your application routes.rb
32
+ # file then you need to declare this block in order to restrict access to the web interface for
33
+ # adding oauth authorized applications. In other case it will return 403 Forbidden response
34
+ # every time somebody will try to access the admin web interface.
35
+ #
36
+ # admin_authenticator do
37
+ # # Put your admin authentication logic here.
38
+ # # Example implementation:
39
+ #
40
+ # if current_user
41
+ # head :forbidden unless current_user.admin?
42
+ # else
43
+ # redirect_to sign_in_url
44
+ # end
45
+ # end
46
+
47
+ # You can use your own model classes if you need to extend (or even override) default
48
+ # Doorkeeper models such as `Application`, `AccessToken` and `AccessGrant.
49
+ #
50
+ # By default Doorkeeper ActiveRecord ORM uses its own classes:
51
+ #
52
+ # access_token_class "Doorkeeper::AccessToken"
53
+ # access_grant_class "Doorkeeper::AccessGrant"
54
+ # application_class "Doorkeeper::Application"
55
+ #
56
+ # Don't forget to include Doorkeeper ORM mixins into your custom models:
57
+ #
58
+ # * ::Doorkeeper::Orm::ActiveRecord::Mixins::AccessToken - for access token
59
+ # * ::Doorkeeper::Orm::ActiveRecord::Mixins::AccessGrant - for access grant
60
+ # * ::Doorkeeper::Orm::ActiveRecord::Mixins::Application - for application (OAuth2 clients)
61
+ #
62
+ # For example:
63
+ #
64
+ # access_token_class "MyAccessToken"
65
+ #
66
+ # class MyAccessToken < ApplicationRecord
67
+ # include ::Doorkeeper::Orm::ActiveRecord::Mixins::AccessToken
68
+ #
69
+ # self.table_name = "hey_i_wanna_my_name"
70
+ #
71
+ # def destroy_me!
72
+ # destroy
73
+ # end
74
+ # end
75
+
76
+ # Enables polymorphic Resource Owner association for Access Tokens and Access Grants.
77
+ # By default this option is disabled.
78
+ #
79
+ # Make sure you properly setup you database and have all the required columns (run
80
+ # `bundle exec rails generate doorkeeper:enable_polymorphic_resource_owner` and execute Rails
81
+ # migrations).
82
+ #
83
+ # If this option enabled, Doorkeeper will store not only Resource Owner primary key
84
+ # value, but also it's type (class name). See "Polymorphic Associations" section of
85
+ # Rails guides: https://guides.rubyonrails.org/association_basics.html#polymorphic-associations
86
+ #
87
+ # [NOTE] If you apply this option on already existing project don't forget to manually
88
+ # update `resource_owner_type` column in the database and fix migration template as it will
89
+ # set NOT NULL constraint for Access Grants table.
90
+ #
91
+ # use_polymorphic_resource_owner
92
+
93
+ # If you are planning to use Doorkeeper in Rails 5 API-only application, then you might
94
+ # want to use API mode that will skip all the views management and change the way how
95
+ # Doorkeeper responds to a requests.
96
+ #
97
+ # api_only
98
+
99
+ # Enforce token request content type to application/x-www-form-urlencoded.
100
+ # It is not enabled by default to not break prior versions of the gem.
101
+ #
102
+ # enforce_content_type
103
+
104
+ # Authorization Code expiration time (default: 10 minutes).
105
+ #
106
+ # authorization_code_expires_in 10.minutes
107
+
108
+ # Access token expiration time (default: 2 hours).
109
+ # If you set this to `nil` Doorkeeper will not expire the token and omit expires_in in response.
110
+ # It is RECOMMENDED to set expiration time explicitly.
111
+ # Prefer access_token_expires_in 100.years or similar,
112
+ # which would be functionally equivalent and avoid the risk of unexpected behavior by callers.
113
+ #
114
+ # access_token_expires_in 2.hours
115
+
116
+ # Assign custom TTL for access tokens. Will be used instead of access_token_expires_in
117
+ # option if defined. In case the block returns `nil` value Doorkeeper fallbacks to
118
+ # +access_token_expires_in+ configuration option value. If you really need to issue a
119
+ # non-expiring access token (which is not recommended) then you need to return
120
+ # Float::INFINITY from this block.
121
+ #
122
+ # `context` has the following properties available:
123
+ #
124
+ # * `client` - the OAuth client application (see Doorkeeper::OAuth::Client)
125
+ # * `grant_type` - the grant type of the request (see Doorkeeper::OAuth)
126
+ # * `scopes` - the requested scopes (see Doorkeeper::OAuth::Scopes)
127
+ # * `resource_owner` - authorized resource owner instance (if present)
128
+ #
129
+ # custom_access_token_expires_in do |context|
130
+ # context.client.additional_settings.implicit_oauth_expiration
131
+ # end
132
+
133
+ # Use a custom class for generating the access token.
134
+ # See https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-access-token-generator
135
+ #
136
+ # access_token_generator '::Doorkeeper::JWT'
137
+
138
+ # The controller +Doorkeeper::ApplicationController+ inherits from.
139
+ # Defaults to +ActionController::Base+ unless +api_only+ is set, which changes the default to
140
+ # +ActionController::API+. The return value of this option must be a stringified class name.
141
+ # See https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-controllers
142
+ #
143
+ # base_controller 'ApplicationController'
144
+
145
+ # Reuse access token for the same resource owner within an application (disabled by default).
146
+ #
147
+ # This option protects your application from creating new tokens before old **valid** one becomes
148
+ # expired so your database doesn't bloat. Keep in mind that when this option is enabled Doorkeeper
149
+ # doesn't update existing token expiration time, it will create a new token instead if no active matching
150
+ # token found for the application, resources owner and/or set of scopes.
151
+ # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/383
152
+ #
153
+ # You can not enable this option together with +hash_token_secrets+.
154
+ #
155
+ # reuse_access_token
156
+
157
+ # In case you enabled `reuse_access_token` option Doorkeeper will try to find matching
158
+ # token using `matching_token_for` Access Token API that searches for valid records
159
+ # in batches in order not to pollute the memory with all the database records. By default
160
+ # Doorkeeper uses batch size of 10 000 records. You can increase or decrease this value
161
+ # depending on your needs and server capabilities.
162
+ #
163
+ # token_lookup_batch_size 10_000
164
+
165
+ # Set a limit for token_reuse if using reuse_access_token option
166
+ #
167
+ # This option limits token_reusability to some extent.
168
+ # If not set then access_token will be reused unless it expires.
169
+ # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/1189
170
+ #
171
+ # This option should be a percentage(i.e. (0,100])
172
+ #
173
+ # token_reuse_limit 100
174
+
175
+ # Only allow one valid access token obtained via client credentials
176
+ # per client. If a new access token is obtained before the old one
177
+ # expired, the old one gets revoked (disabled by default)
178
+ #
179
+ # When enabling this option, make sure that you do not expect multiple processes
180
+ # using the same credentials at the same time (e.g. web servers spanning
181
+ # multiple machines and/or processes).
182
+ #
183
+ # revoke_previous_client_credentials_token
184
+
185
+ # Only allow one valid access token obtained via authorization code
186
+ # per client. If a new access token is obtained before the old one
187
+ # expired, the old one gets revoked (disabled by default)
188
+ #
189
+ # revoke_previous_authorization_code_token
190
+
191
+ # Require non-confidential clients to use PKCE when using an authorization code
192
+ # to obtain an access_token (disabled by default)
193
+ #
194
+ # force_pkce
195
+
196
+ # Hash access and refresh tokens before persisting them.
197
+ # This will disable the possibility to use +reuse_access_token+
198
+ # since plain values can no longer be retrieved.
199
+ #
200
+ # Note: If you are already a user of doorkeeper and have existing tokens
201
+ # in your installation, they will be invalid without adding 'fallback: :plain'.
202
+ #
203
+ # hash_token_secrets
204
+ # By default, token secrets will be hashed using the
205
+ # +Doorkeeper::Hashing::SHA256+ strategy.
206
+ #
207
+ # If you wish to use another hashing implementation, you can override
208
+ # this strategy as follows:
209
+ #
210
+ # hash_token_secrets using: '::Doorkeeper::Hashing::MyCustomHashImpl'
211
+ #
212
+ # Keep in mind that changing the hashing function will invalidate all existing
213
+ # secrets, if there are any.
214
+
215
+ # Hash application secrets before persisting them.
216
+ #
217
+ # hash_application_secrets
218
+ #
219
+ # By default, applications will be hashed
220
+ # with the +Doorkeeper::SecretStoring::SHA256+ strategy.
221
+ #
222
+ # If you wish to use bcrypt for application secret hashing, uncomment
223
+ # this line instead:
224
+ #
225
+ # hash_application_secrets using: '::Doorkeeper::SecretStoring::BCrypt'
226
+
227
+ # When the above option is enabled, and a hashed token or secret is not found,
228
+ # you can allow to fall back to another strategy. For users upgrading
229
+ # doorkeeper and wishing to enable hashing, you will probably want to enable
230
+ # the fallback to plain tokens.
231
+ #
232
+ # This will ensure that old access tokens and secrets
233
+ # will remain valid even if the hashing above is enabled.
234
+ #
235
+ # This can be done by adding 'fallback: plain', e.g. :
236
+ #
237
+ # hash_application_secrets using: '::Doorkeeper::SecretStoring::BCrypt', fallback: :plain
238
+
239
+ # Issue access tokens with refresh token (disabled by default), you may also
240
+ # pass a block which accepts `context` to customize when to give a refresh
241
+ # token or not. Similar to +custom_access_token_expires_in+, `context` has
242
+ # the following properties:
243
+ #
244
+ # `client` - the OAuth client application (see Doorkeeper::OAuth::Client)
245
+ # `grant_type` - the grant type of the request (see Doorkeeper::OAuth)
246
+ # `scopes` - the requested scopes (see Doorkeeper::OAuth::Scopes)
247
+ #
248
+ # use_refresh_token
249
+
250
+ # Provide support for an owner to be assigned to each registered application (disabled by default)
251
+ # Optional parameter confirmation: true (default: false) if you want to enforce ownership of
252
+ # a registered application
253
+ # NOTE: you must also run the rails g doorkeeper:application_owner generator
254
+ # to provide the necessary support
255
+ #
256
+ # enable_application_owner confirmation: false
257
+
258
+ # Define access token scopes for your provider
259
+ # For more information go to
260
+ # https://doorkeeper.gitbook.io/guides/ruby-on-rails/scopes
261
+ #
262
+ # default_scopes :public
263
+ # optional_scopes :write, :update
264
+
265
+ # Allows to restrict only certain scopes for grant_type.
266
+ # By default, all the scopes will be available for all the grant types.
267
+ #
268
+ # Keys to this hash should be the name of grant_type and
269
+ # values should be the array of scopes for that grant type.
270
+ # Note: scopes should be from configured_scopes (i.e. default or optional)
271
+ #
272
+ # scopes_by_grant_type password: [:write], client_credentials: [:update]
273
+
274
+ # Forbids creating/updating applications with arbitrary scopes that are
275
+ # not in configuration, i.e. +default_scopes+ or +optional_scopes+.
276
+ # (disabled by default)
277
+ #
278
+ # enforce_configured_scopes
279
+
280
+ # Change the way client credentials are retrieved from the request object.
281
+ # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
282
+ # falls back to the `:client_id` and `:client_secret` params from the `params` object.
283
+ # Check out https://github.com/doorkeeper-gem/doorkeeper/wiki/Changing-how-clients-are-authenticated
284
+ # for more information on customization
285
+ #
286
+ # client_credentials :from_basic, :from_params
287
+
288
+ # Change the way access token is authenticated from the request object.
289
+ # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
290
+ # falls back to the `:access_token` or `:bearer_token` params from the `params` object.
291
+ # Check out https://github.com/doorkeeper-gem/doorkeeper/wiki/Changing-how-clients-are-authenticated
292
+ # for more information on customization
293
+ #
294
+ # access_token_methods :from_bearer_authorization, :from_access_token_param, :from_bearer_param
295
+
296
+ # Forces the usage of the HTTPS protocol in non-native redirect uris (enabled
297
+ # by default in non-development environments). OAuth2 delegates security in
298
+ # communication to the HTTPS protocol so it is wise to keep this enabled.
299
+ #
300
+ # Callable objects such as proc, lambda, block or any object that responds to
301
+ # #call can be used in order to allow conditional checks (to allow non-SSL
302
+ # redirects to localhost for example).
303
+ #
304
+ # force_ssl_in_redirect_uri !Rails.env.development?
305
+ #
306
+ # force_ssl_in_redirect_uri { |uri| uri.host != 'localhost' }
307
+
308
+ # Specify what redirect URI's you want to block during Application creation.
309
+ # Any redirect URI is allowed by default.
310
+ #
311
+ # You can use this option in order to forbid URI's with 'javascript' scheme
312
+ # for example.
313
+ #
314
+ # forbid_redirect_uri { |uri| uri.scheme.to_s.downcase == 'javascript' }
315
+
316
+ # Allows to set blank redirect URIs for Applications in case Doorkeeper configured
317
+ # to use URI-less OAuth grant flows like Client Credentials or Resource Owner
318
+ # Password Credentials. The option is on by default and checks configured grant
319
+ # types, but you **need** to manually drop `NOT NULL` constraint from `redirect_uri`
320
+ # column for `oauth_applications` database table.
321
+ #
322
+ # You can completely disable this feature with:
323
+ #
324
+ # allow_blank_redirect_uri false
325
+ #
326
+ # Or you can define your custom check:
327
+ #
328
+ # allow_blank_redirect_uri do |grant_flows, client|
329
+ # client.superapp?
330
+ # end
331
+
332
+ # Specify how authorization errors should be handled.
333
+ # By default, doorkeeper renders json errors when access token
334
+ # is invalid, expired, revoked or has invalid scopes.
335
+ #
336
+ # If you want to render error response yourself (i.e. rescue exceptions),
337
+ # set +handle_auth_errors+ to `:raise` and rescue Doorkeeper::Errors::InvalidToken
338
+ # or following specific errors:
339
+ #
340
+ # Doorkeeper::Errors::TokenForbidden, Doorkeeper::Errors::TokenExpired,
341
+ # Doorkeeper::Errors::TokenRevoked, Doorkeeper::Errors::TokenUnknown
342
+ #
343
+ # handle_auth_errors :raise
344
+ #
345
+ # If you want to redirect back to the client application in accordance with
346
+ # https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1, you can set
347
+ # +handle_auth_errors+ to :redirect
348
+ #
349
+ # handle_auth_errors :redirect
350
+
351
+ # Customize token introspection response.
352
+ # Allows to add your own fields to default one that are required by the OAuth spec
353
+ # for the introspection response. It could be `sub`, `aud` and so on.
354
+ # This configuration option can be a proc, lambda or any Ruby object responds
355
+ # to `.call` method and result of it's invocation must be a Hash.
356
+ #
357
+ # custom_introspection_response do |token, context|
358
+ # {
359
+ # "sub": "Z5O3upPC88QrAjx00dis",
360
+ # "aud": "https://protected.example.net/resource",
361
+ # "username": User.find(token.resource_owner_id).username
362
+ # }
363
+ # end
364
+ #
365
+ # or
366
+ #
367
+ # custom_introspection_response CustomIntrospectionResponder
368
+
369
+ # Specify what grant flows are enabled in array of Strings. The valid
370
+ # strings and the flows they enable are:
371
+ #
372
+ # "authorization_code" => Authorization Code Grant Flow
373
+ # "implicit" => Implicit Grant Flow
374
+ # "password" => Resource Owner Password Credentials Grant Flow
375
+ # "client_credentials" => Client Credentials Grant Flow
376
+ #
377
+ # If not specified, Doorkeeper enables authorization_code and
378
+ # client_credentials.
379
+ #
380
+ # implicit and password grant flows have risks that you should understand
381
+ # before enabling:
382
+ # https://datatracker.ietf.org/doc/html/rfc6819#section-4.4.2
383
+ # https://datatracker.ietf.org/doc/html/rfc6819#section-4.4.3
384
+ #
385
+ # grant_flows %w[authorization_code client_credentials]
386
+
387
+ # Allows to customize OAuth grant flows that +each+ application support.
388
+ # You can configure a custom block (or use a class respond to `#call`) that must
389
+ # return `true` in case Application instance supports requested OAuth grant flow
390
+ # during the authorization request to the server. This configuration +doesn't+
391
+ # set flows per application, it only allows to check if application supports
392
+ # specific grant flow.
393
+ #
394
+ # For example you can add an additional database column to `oauth_applications` table,
395
+ # say `t.array :grant_flows, default: []`, and store allowed grant flows that can
396
+ # be used with this application there. Then when authorization requested Doorkeeper
397
+ # will call this block to check if specific Application (passed with client_id and/or
398
+ # client_secret) is allowed to perform the request for the specific grant type
399
+ # (authorization, password, client_credentials, etc).
400
+ #
401
+ # Example of the block:
402
+ #
403
+ # ->(flow, client) { client.grant_flows.include?(flow) }
404
+ #
405
+ # In case this option invocation result is `false`, Doorkeeper server returns
406
+ # :unauthorized_client error and stops the request.
407
+ #
408
+ # @param allow_grant_flow_for_client [Proc] Block or any object respond to #call
409
+ # @return [Boolean] `true` if allow or `false` if forbid the request
410
+ #
411
+ # allow_grant_flow_for_client do |grant_flow, client|
412
+ # # `grant_flows` is an Array column with grant
413
+ # # flows that application supports
414
+ #
415
+ # client.grant_flows.include?(grant_flow)
416
+ # end
417
+
418
+ # If you need arbitrary Resource Owner-Client authorization you can enable this option
419
+ # and implement the check your need. Config option must respond to #call and return
420
+ # true in case resource owner authorized for the specific application or false in other
421
+ # cases.
422
+ #
423
+ # By default all Resource Owners are authorized to any Client (application).
424
+ #
425
+ # authorize_resource_owner_for_client do |client, resource_owner|
426
+ # resource_owner.admin? || client.owners_allowlist.include?(resource_owner)
427
+ # end
428
+
429
+ # Allows additional data fields to be sent while granting access to an application,
430
+ # and for this additional data to be included in subsequently generated access tokens.
431
+ # The 'authorizations/new' page will need to be overridden to include this additional data
432
+ # in the request params when granting access. The access grant and access token models
433
+ # will both need to respond to these additional data fields, and have a database column
434
+ # to store them in.
435
+ #
436
+ # Example:
437
+ # You have a multi-tenanted platform and want to be able to grant access to a specific
438
+ # tenant, rather than all the tenants a user has access to. You can use this config
439
+ # option to specify that a ':tenant_id' will be passed when authorizing. This tenant_id
440
+ # will be included in the access tokens. When a request is made with one of these access
441
+ # tokens, you can check that the requested data belongs to the specified tenant.
442
+ #
443
+ # Default value is an empty Array: []
444
+ # custom_access_token_attributes [:tenant_id]
445
+
446
+ # Hook into the strategies' request & response life-cycle in case your
447
+ # application needs advanced customization or logging:
448
+ #
449
+ # before_successful_strategy_response do |request|
450
+ # puts "BEFORE HOOK FIRED! #{request}"
451
+ # end
452
+ #
453
+ # after_successful_strategy_response do |request, response|
454
+ # puts "AFTER HOOK FIRED! #{request}, #{response}"
455
+ # end
456
+
457
+ # Hook into Authorization flow in order to implement Single Sign Out
458
+ # or add any other functionality. Inside the block you have an access
459
+ # to `controller` (authorizations controller instance) and `context`
460
+ # (Doorkeeper::OAuth::Hooks::Context instance) which provides pre auth
461
+ # or auth objects with issued token based on hook type (before or after).
462
+ #
463
+ # before_successful_authorization do |controller, context|
464
+ # Rails.logger.info(controller.request.params.inspect)
465
+ #
466
+ # Rails.logger.info(context.pre_auth.inspect)
467
+ # end
468
+ #
469
+ # after_successful_authorization do |controller, context|
470
+ # controller.session[:logout_urls] <<
471
+ # Doorkeeper::Application
472
+ # .find_by(controller.request.params.slice(:redirect_uri))
473
+ # .logout_uri
474
+ #
475
+ # Rails.logger.info(context.auth.inspect)
476
+ # Rails.logger.info(context.issued_token)
477
+ # end
478
+
479
+ # Under some circumstances you might want to have applications auto-approved,
480
+ # so that the user skips the authorization step.
481
+ # For example if dealing with a trusted application.
482
+ #
483
+ # skip_authorization do |resource_owner, client|
484
+ # client.superapp? or resource_owner.admin?
485
+ # end
486
+
487
+ # Configure custom constraints for the Token Introspection request.
488
+ # By default this configuration option allows to introspect a token by another
489
+ # token of the same application, OR to introspect the token that belongs to
490
+ # authorized client (from authenticated client) OR when token doesn't
491
+ # belong to any client (public token). Otherwise requester has no access to the
492
+ # introspection and it will return response as stated in the RFC.
493
+ #
494
+ # Block arguments:
495
+ #
496
+ # @param token [Doorkeeper::AccessToken]
497
+ # token to be introspected
498
+ #
499
+ # @param authorized_client [Doorkeeper::Application]
500
+ # authorized client (if request is authorized using Basic auth with
501
+ # Client Credentials for example)
502
+ #
503
+ # @param authorized_token [Doorkeeper::AccessToken]
504
+ # Bearer token used to authorize the request
505
+ #
506
+ # In case the block returns `nil` or `false` introspection responses with 401 status code
507
+ # when using authorized token to introspect, or you'll get 200 with { "active": false } body
508
+ # when using authorized client to introspect as stated in the
509
+ # RFC 7662 section 2.2. Introspection Response.
510
+ #
511
+ # Using with caution:
512
+ # Keep in mind that these three parameters pass to block can be nil as following case:
513
+ # `authorized_client` is nil if and only if `authorized_token` is present, and vice versa.
514
+ # `token` will be nil if and only if `authorized_token` is present.
515
+ # So remember to use `&` or check if it is present before calling method on
516
+ # them to make sure you doesn't get NoMethodError exception.
517
+ #
518
+ # You can define your custom check:
519
+ #
520
+ # allow_token_introspection do |token, authorized_client, authorized_token|
521
+ # if authorized_token
522
+ # # customize: require `introspection` scope
523
+ # authorized_token.application == token&.application ||
524
+ # authorized_token.scopes.include?("introspection")
525
+ # elsif token.application
526
+ # # `protected_resource` is a new database boolean column, for example
527
+ # authorized_client == token.application || authorized_client.protected_resource?
528
+ # else
529
+ # # public token (when token.application is nil, token doesn't belong to any application)
530
+ # true
531
+ # end
532
+ # end
533
+ #
534
+ # Or you can completely disable any token introspection:
535
+ #
536
+ # allow_token_introspection false
537
+ #
538
+ # If you need to block the request at all, then configure your routes.rb or web-server
539
+ # like nginx to forbid the request.
540
+
541
+ # WWW-Authenticate Realm (default: "Doorkeeper").
542
+ #
543
+ # realm "Doorkeeper"
544
+ end
@@ -0,0 +1,99 @@
1
+ # frozen_string_literal: true
2
+
3
+ class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
4
+ def change
5
+ create_table :oauth_applications do |t|
6
+ t.string :name, null: false
7
+ t.string :uid, null: false
8
+ # Remove `null: false` or use conditional constraint if you are planning to use public clients.
9
+ t.string :secret, null: false
10
+
11
+ # Remove `null: false` if you are planning to use grant flows
12
+ # that doesn't require redirect URI to be used during authorization
13
+ # like Client Credentials flow or Resource Owner Password.
14
+ t.text :redirect_uri, null: false
15
+ t.string :scopes, null: false, default: ''
16
+ t.boolean :confidential, null: false, default: true
17
+ t.timestamps null: false
18
+ end
19
+
20
+ add_index :oauth_applications, :uid, unique: true
21
+
22
+ create_table :oauth_access_grants do |t|
23
+ t.references :resource_owner, null: false
24
+ t.references :application, null: false
25
+ t.string :token, null: false
26
+ t.integer :expires_in, null: false
27
+ t.text :redirect_uri, null: false
28
+ t.string :scopes, null: false, default: ''
29
+ t.datetime :created_at, null: false
30
+ t.datetime :revoked_at
31
+ end
32
+
33
+ add_index :oauth_access_grants, :token, unique: true
34
+ add_foreign_key(
35
+ :oauth_access_grants,
36
+ :oauth_applications,
37
+ column: :application_id
38
+ )
39
+
40
+ create_table :oauth_access_tokens do |t|
41
+ t.references :resource_owner, index: true
42
+
43
+ # Remove `null: false` if you are planning to use Password
44
+ # Credentials Grant flow that doesn't require an application.
45
+ t.references :application, null: false
46
+
47
+ # If you use a custom token generator you may need to change this column
48
+ # from string to text, so that it accepts tokens larger than 255
49
+ # characters. More info on custom token generators in:
50
+ # https://github.com/doorkeeper-gem/doorkeeper/tree/v3.0.0.rc1#custom-access-token-generator
51
+ #
52
+ # t.text :token, null: false
53
+ t.string :token, null: false
54
+
55
+ t.string :refresh_token
56
+ t.integer :expires_in
57
+ t.string :scopes
58
+ t.datetime :created_at, null: false
59
+ t.datetime :revoked_at
60
+
61
+ # The authorization server MAY issue a new refresh token, in which case
62
+ # *the client MUST discard the old refresh token* and replace it with the
63
+ # new refresh token. The authorization server MAY revoke the old
64
+ # refresh token after issuing a new refresh token to the client.
65
+ # @see https://datatracker.ietf.org/doc/html/rfc6749#section-6
66
+ #
67
+ # Doorkeeper implementation: if there is a `previous_refresh_token` column,
68
+ # refresh tokens will be revoked after a related access token is used.
69
+ # If there is no `previous_refresh_token` column, previous tokens are
70
+ # revoked as soon as a new access token is created.
71
+ #
72
+ # Comment out this line if you want refresh tokens to be instantly
73
+ # revoked after use.
74
+ t.string :previous_refresh_token, null: false, default: ""
75
+ end
76
+
77
+ add_index :oauth_access_tokens, :token, unique: true
78
+
79
+ # See https://github.com/doorkeeper-gem/doorkeeper/issues/1592
80
+ if ActiveRecord::Base.connection.adapter_name == "SQLServer"
81
+ execute <<~SQL.squish
82
+ CREATE UNIQUE NONCLUSTERED INDEX index_oauth_access_tokens_on_refresh_token ON oauth_access_tokens(refresh_token)
83
+ WHERE refresh_token IS NOT NULL
84
+ SQL
85
+ else
86
+ add_index :oauth_access_tokens, :refresh_token, unique: true
87
+ end
88
+
89
+ add_foreign_key(
90
+ :oauth_access_tokens,
91
+ :oauth_applications,
92
+ column: :application_id
93
+ )
94
+
95
+ # Uncomment below to ensure a valid reference to the resource owner's table
96
+ # add_foreign_key :oauth_access_grants, <model>, column: :resource_owner_id
97
+ # add_foreign_key :oauth_access_tokens, <model>, column: :resource_owner_id
98
+ end
99
+ end
@@ -0,0 +1,7 @@
1
+ # frozen_string_literal: true
2
+
3
+ class RemoveApplicationsSecretNotNullConstraint < ActiveRecord::Migration<%= migration_version %>
4
+ def change
5
+ change_column_null :oauth_applications, :secret, true
6
+ end
7
+ end
@@ -0,0 +1,18 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Doorkeeper
4
+ module Generators
5
+ # Generates doorkeeper views for Rails application
6
+ #
7
+ class ViewsGenerator < ::Rails::Generators::Base
8
+ source_root File.expand_path("../../../app/views", __dir__)
9
+
10
+ desc "Copies default Doorkeeper views and layouts to your application."
11
+
12
+ def manifest
13
+ directory "doorkeeper", "app/views/doorkeeper"
14
+ directory "layouts/doorkeeper", "app/views/layouts/doorkeeper"
15
+ end
16
+ end
17
+ end
18
+ end