super-smart-kit 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (149) hide show
  1. checksums.yaml +7 -0
  2. data/doorkeeper-5.9.3/CHANGELOG.md +1208 -0
  3. data/doorkeeper-5.9.3/MIT-LICENSE +20 -0
  4. data/doorkeeper-5.9.3/README.md +186 -0
  5. data/doorkeeper-5.9.3/app/assets/stylesheets/doorkeeper/admin/application.css +10 -0
  6. data/doorkeeper-5.9.3/app/assets/stylesheets/doorkeeper/application.css +64 -0
  7. data/doorkeeper-5.9.3/app/controllers/doorkeeper/application_controller.rb +14 -0
  8. data/doorkeeper-5.9.3/app/controllers/doorkeeper/application_metal_controller.rb +13 -0
  9. data/doorkeeper-5.9.3/app/controllers/doorkeeper/applications_controller.rb +99 -0
  10. data/doorkeeper-5.9.3/app/controllers/doorkeeper/authorizations_controller.rb +164 -0
  11. data/doorkeeper-5.9.3/app/controllers/doorkeeper/authorized_applications_controller.rb +33 -0
  12. data/doorkeeper-5.9.3/app/controllers/doorkeeper/token_info_controller.rb +25 -0
  13. data/doorkeeper-5.9.3/app/controllers/doorkeeper/tokens_controller.rb +180 -0
  14. data/doorkeeper-5.9.3/app/helpers/doorkeeper/dashboard_helper.rb +21 -0
  15. data/doorkeeper-5.9.3/app/views/doorkeeper/applications/_delete_form.html.erb +6 -0
  16. data/doorkeeper-5.9.3/app/views/doorkeeper/applications/_form.html.erb +59 -0
  17. data/doorkeeper-5.9.3/app/views/doorkeeper/applications/edit.html.erb +5 -0
  18. data/doorkeeper-5.9.3/app/views/doorkeeper/applications/index.html.erb +38 -0
  19. data/doorkeeper-5.9.3/app/views/doorkeeper/applications/new.html.erb +5 -0
  20. data/doorkeeper-5.9.3/app/views/doorkeeper/applications/show.html.erb +63 -0
  21. data/doorkeeper-5.9.3/app/views/doorkeeper/authorizations/error.html.erb +9 -0
  22. data/doorkeeper-5.9.3/app/views/doorkeeper/authorizations/form_post.html.erb +15 -0
  23. data/doorkeeper-5.9.3/app/views/doorkeeper/authorizations/new.html.erb +46 -0
  24. data/doorkeeper-5.9.3/app/views/doorkeeper/authorizations/show.html.erb +7 -0
  25. data/doorkeeper-5.9.3/app/views/doorkeeper/authorized_applications/_delete_form.html.erb +4 -0
  26. data/doorkeeper-5.9.3/app/views/doorkeeper/authorized_applications/index.html.erb +24 -0
  27. data/doorkeeper-5.9.3/app/views/layouts/doorkeeper/admin.html.erb +39 -0
  28. data/doorkeeper-5.9.3/app/views/layouts/doorkeeper/application.html.erb +23 -0
  29. data/doorkeeper-5.9.3/config/locales/en.yml +155 -0
  30. data/doorkeeper-5.9.3/lib/doorkeeper/config/abstract_builder.rb +28 -0
  31. data/doorkeeper-5.9.3/lib/doorkeeper/config/option.rb +82 -0
  32. data/doorkeeper-5.9.3/lib/doorkeeper/config/validations.rb +65 -0
  33. data/doorkeeper-5.9.3/lib/doorkeeper/config.rb +721 -0
  34. data/doorkeeper-5.9.3/lib/doorkeeper/engine.rb +38 -0
  35. data/doorkeeper-5.9.3/lib/doorkeeper/errors.rb +85 -0
  36. data/doorkeeper-5.9.3/lib/doorkeeper/grant_flow/fallback_flow.rb +15 -0
  37. data/doorkeeper-5.9.3/lib/doorkeeper/grant_flow/flow.rb +44 -0
  38. data/doorkeeper-5.9.3/lib/doorkeeper/grant_flow/registry.rb +50 -0
  39. data/doorkeeper-5.9.3/lib/doorkeeper/grant_flow.rb +45 -0
  40. data/doorkeeper-5.9.3/lib/doorkeeper/grape/authorization_decorator.rb +19 -0
  41. data/doorkeeper-5.9.3/lib/doorkeeper/grape/helpers.rb +58 -0
  42. data/doorkeeper-5.9.3/lib/doorkeeper/helpers/controller.rb +91 -0
  43. data/doorkeeper-5.9.3/lib/doorkeeper/models/access_grant_mixin.rb +124 -0
  44. data/doorkeeper-5.9.3/lib/doorkeeper/models/access_token_mixin.rb +526 -0
  45. data/doorkeeper-5.9.3/lib/doorkeeper/models/application_mixin.rb +96 -0
  46. data/doorkeeper-5.9.3/lib/doorkeeper/models/concerns/accessible.rb +15 -0
  47. data/doorkeeper-5.9.3/lib/doorkeeper/models/concerns/expirable.rb +36 -0
  48. data/doorkeeper-5.9.3/lib/doorkeeper/models/concerns/expiration_time_sql_math.rb +96 -0
  49. data/doorkeeper-5.9.3/lib/doorkeeper/models/concerns/orderable.rb +15 -0
  50. data/doorkeeper-5.9.3/lib/doorkeeper/models/concerns/ownership.rb +18 -0
  51. data/doorkeeper-5.9.3/lib/doorkeeper/models/concerns/polymorphic_resource_owner.rb +29 -0
  52. data/doorkeeper-5.9.3/lib/doorkeeper/models/concerns/resource_ownerable.rb +47 -0
  53. data/doorkeeper-5.9.3/lib/doorkeeper/models/concerns/reusable.rb +19 -0
  54. data/doorkeeper-5.9.3/lib/doorkeeper/models/concerns/revocable.rb +31 -0
  55. data/doorkeeper-5.9.3/lib/doorkeeper/models/concerns/scopes.rb +27 -0
  56. data/doorkeeper-5.9.3/lib/doorkeeper/models/concerns/secret_storable.rb +106 -0
  57. data/doorkeeper-5.9.3/lib/doorkeeper/models/concerns/write_to_primary.rb +57 -0
  58. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/authorization/code.rb +76 -0
  59. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/authorization/context.rb +17 -0
  60. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/authorization/token.rb +100 -0
  61. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/authorization/uri_builder.rb +33 -0
  62. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/authorization_code_request.rb +125 -0
  63. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/base_request.rb +68 -0
  64. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/base_response.rb +31 -0
  65. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/client/credentials.rb +34 -0
  66. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/client.rb +28 -0
  67. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/client_credentials/creator.rb +57 -0
  68. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/client_credentials/issuer.rb +48 -0
  69. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/client_credentials/validator.rb +55 -0
  70. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/client_credentials_request.rb +46 -0
  71. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/code_request.rb +25 -0
  72. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/code_response.rb +51 -0
  73. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/error.rb +16 -0
  74. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/error_response.rb +121 -0
  75. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/forbidden_token_response.rb +31 -0
  76. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/helpers/scope_checker.rb +50 -0
  77. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/helpers/unique_token.rb +30 -0
  78. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/helpers/uri_checker.rb +83 -0
  79. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/hooks/context.rb +21 -0
  80. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/invalid_request_response.rb +47 -0
  81. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/invalid_token_response.rb +54 -0
  82. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/nonstandard.rb +39 -0
  83. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/password_access_token_request.rb +75 -0
  84. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/pre_authorization.rb +187 -0
  85. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/refresh_token_request.rb +144 -0
  86. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/scopes.rb +134 -0
  87. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/token.rb +66 -0
  88. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/token_introspection.rb +220 -0
  89. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/token_request.rb +25 -0
  90. data/doorkeeper-5.9.3/lib/doorkeeper/oauth/token_response.rb +38 -0
  91. data/doorkeeper-5.9.3/lib/doorkeeper/oauth.rb +13 -0
  92. data/doorkeeper-5.9.3/lib/doorkeeper/orm/active_record/access_grant.rb +9 -0
  93. data/doorkeeper-5.9.3/lib/doorkeeper/orm/active_record/access_token.rb +9 -0
  94. data/doorkeeper-5.9.3/lib/doorkeeper/orm/active_record/application.rb +10 -0
  95. data/doorkeeper-5.9.3/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +64 -0
  96. data/doorkeeper-5.9.3/lib/doorkeeper/orm/active_record/mixins/access_token.rb +95 -0
  97. data/doorkeeper-5.9.3/lib/doorkeeper/orm/active_record/mixins/application.rb +223 -0
  98. data/doorkeeper-5.9.3/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb +66 -0
  99. data/doorkeeper-5.9.3/lib/doorkeeper/orm/active_record/stale_records_cleaner.rb +44 -0
  100. data/doorkeeper-5.9.3/lib/doorkeeper/orm/active_record.rb +41 -0
  101. data/doorkeeper-5.9.3/lib/doorkeeper/rails/helpers.rb +82 -0
  102. data/doorkeeper-5.9.3/lib/doorkeeper/rails/routes/abstract_router.rb +35 -0
  103. data/doorkeeper-5.9.3/lib/doorkeeper/rails/routes/mapper.rb +30 -0
  104. data/doorkeeper-5.9.3/lib/doorkeeper/rails/routes/mapping.rb +40 -0
  105. data/doorkeeper-5.9.3/lib/doorkeeper/rails/routes/registry.rb +45 -0
  106. data/doorkeeper-5.9.3/lib/doorkeeper/rails/routes.rb +110 -0
  107. data/doorkeeper-5.9.3/lib/doorkeeper/rake/db.rake +40 -0
  108. data/doorkeeper-5.9.3/lib/doorkeeper/rake/setup.rake +6 -0
  109. data/doorkeeper-5.9.3/lib/doorkeeper/rake.rb +14 -0
  110. data/doorkeeper-5.9.3/lib/doorkeeper/request/authorization_code.rb +26 -0
  111. data/doorkeeper-5.9.3/lib/doorkeeper/request/client_credentials.rb +17 -0
  112. data/doorkeeper-5.9.3/lib/doorkeeper/request/code.rb +17 -0
  113. data/doorkeeper-5.9.3/lib/doorkeeper/request/password.rb +19 -0
  114. data/doorkeeper-5.9.3/lib/doorkeeper/request/refresh_token.rb +22 -0
  115. data/doorkeeper-5.9.3/lib/doorkeeper/request/strategy.rb +19 -0
  116. data/doorkeeper-5.9.3/lib/doorkeeper/request/token.rb +17 -0
  117. data/doorkeeper-5.9.3/lib/doorkeeper/request.rb +73 -0
  118. data/doorkeeper-5.9.3/lib/doorkeeper/revocable_tokens/revocable_access_token.rb +21 -0
  119. data/doorkeeper-5.9.3/lib/doorkeeper/revocable_tokens/revocable_refresh_token.rb +21 -0
  120. data/doorkeeper-5.9.3/lib/doorkeeper/secret_storing/base.rb +64 -0
  121. data/doorkeeper-5.9.3/lib/doorkeeper/secret_storing/bcrypt.rb +60 -0
  122. data/doorkeeper-5.9.3/lib/doorkeeper/secret_storing/plain.rb +33 -0
  123. data/doorkeeper-5.9.3/lib/doorkeeper/secret_storing/sha256_hash.rb +26 -0
  124. data/doorkeeper-5.9.3/lib/doorkeeper/server.rb +44 -0
  125. data/doorkeeper-5.9.3/lib/doorkeeper/stale_records_cleaner.rb +24 -0
  126. data/doorkeeper-5.9.3/lib/doorkeeper/validations.rb +33 -0
  127. data/doorkeeper-5.9.3/lib/doorkeeper/version.rb +14 -0
  128. data/doorkeeper-5.9.3/lib/doorkeeper.rb +209 -0
  129. data/doorkeeper-5.9.3/lib/generators/doorkeeper/application_owner_generator.rb +33 -0
  130. data/doorkeeper-5.9.3/lib/generators/doorkeeper/confidential_applications_generator.rb +33 -0
  131. data/doorkeeper-5.9.3/lib/generators/doorkeeper/enable_polymorphic_resource_owner_generator.rb +39 -0
  132. data/doorkeeper-5.9.3/lib/generators/doorkeeper/install_generator.rb +22 -0
  133. data/doorkeeper-5.9.3/lib/generators/doorkeeper/migration_generator.rb +32 -0
  134. data/doorkeeper-5.9.3/lib/generators/doorkeeper/pkce_generator.rb +33 -0
  135. data/doorkeeper-5.9.3/lib/generators/doorkeeper/previous_refresh_token_generator.rb +41 -0
  136. data/doorkeeper-5.9.3/lib/generators/doorkeeper/remove_applications_secret_not_null_constraint_generator.rb +33 -0
  137. data/doorkeeper-5.9.3/lib/generators/doorkeeper/templates/README +24 -0
  138. data/doorkeeper-5.9.3/lib/generators/doorkeeper/templates/add_confidential_to_applications.rb.erb +13 -0
  139. data/doorkeeper-5.9.3/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +9 -0
  140. data/doorkeeper-5.9.3/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb.erb +13 -0
  141. data/doorkeeper-5.9.3/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +8 -0
  142. data/doorkeeper-5.9.3/lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb +17 -0
  143. data/doorkeeper-5.9.3/lib/generators/doorkeeper/templates/initializer.rb +544 -0
  144. data/doorkeeper-5.9.3/lib/generators/doorkeeper/templates/migration.rb.erb +99 -0
  145. data/doorkeeper-5.9.3/lib/generators/doorkeeper/templates/remove_applications_secret_not_null_constraint.rb.erb +7 -0
  146. data/doorkeeper-5.9.3/lib/generators/doorkeeper/views_generator.rb +18 -0
  147. data/doorkeeper-5.9.3/vendor/assets/stylesheets/doorkeeper/bootstrap.min.css +6 -0
  148. data/super-smart-kit.gemspec +12 -0
  149. metadata +188 -0
@@ -0,0 +1,1208 @@
1
+ # Changelog
2
+
3
+ See https://github.com/doorkeeper-gem/doorkeeper/wiki/Migration-from-old-versions for
4
+ upgrade guides.
5
+
6
+ User-visible changes worth mentioning.
7
+
8
+ ## main
9
+
10
+ - Please add here
11
+
12
+ ## 5.9.3
13
+
14
+ - [#1834] Fix default `allow_token_introspection` returning `false` when a custom `application_class` is configured. The default proc compared application objects with `==`, which fails when the authorized client and the introspected token's application are resolved as different classes (e.g. a base `Doorkeeper::Application` vs. a configured subclass) even though they reference the same record. It now compares application ids instead.
15
+ - [#1832] Fix confusing `belongs_to :owner` side effect: `Doorkeeper::Models::Ownership` is now included only when `enable_application_owner?` is set (read at include time), so models no longer expose a misleading `owner` association/reflection when the application owner feature is disabled and the schema lacks the owner columns.
16
+
17
+ ## 5.9.2
18
+
19
+ - [#1822][#1823][#1825] Update Rubocop config, auto-corrections and codebase cleanup.
20
+ - [#1830] Fix `NameError: uninitialized constant ApplicationRecord` on `rails db:seed` (and other non-eager-loading flows) caused by `on_load(:active_record)` firing re-entrantly during `ApplicationRecord` autoload. The orm hooks no longer depend on `ActiveSupport.on_load(:active_record)`; model concerns (`Ownership`, `PolymorphicResourceOwner::ForAccessGrant`, `PolymorphicResourceOwner::ForAccessToken`) are now wired up from each `Mixins::*` `included` block, which fires at parent-class autoload time — after `Doorkeeper.configure` has applied user settings and without re-entering the AR load chain.
21
+ - **Upgrade note**: fully custom model classes that don't include `Doorkeeper::Orm::ActiveRecord::Mixins::{Application,AccessToken,AccessGrant}` will no longer auto-receive `Ownership` / `PolymorphicResourceOwner` concerns (previously injected by `run_orm_hooks` via the configured class name). Either inherit from the Doorkeeper default model, include the corresponding `Mixins::*` module, or `include` the concerns directly.
22
+
23
+ ## 5.9.1
24
+
25
+ - [#1781] Honor `handle_auth_errors :raise` in `AuthorizationsController#authorize_response`
26
+ - [#1795] Fix: detailed error 'insufficient_scope' in protected resources 403s
27
+ - [#1797] Fix `doorkeeper:db:cleanup` rake task failure on PostgreSQL
28
+ - [#1800] Set `@grant_type` in `ClientCredentialsRequest` and `RefreshTokenRequest` constructors so `request.grant_type` returns
29
+ the correct value in hooks like `before_successful_strategy_response`.
30
+ - [#1802] Fix `filter_parameters` not applied when `Doorkeeper.configure` is called inside to_prepare.
31
+ - [#1804] Use `ActiveSupport.on_load(:active_record)` in ORM hooks to prevent loading ActiveRecord models too early
32
+ - [#1806] Fix token revocation bypass for public clients (RFC 7009)
33
+ - [#1815] Expose `current_resource_owner` as a view helper in `Doorkeeper::ApplicationController`.
34
+ - [#1818] Fix token introspection returning `exp: 0` for non-expiring tokens.
35
+ - [#1784] Remove hardcoded colons from view templates, move punctuation to i18n translation strings.
36
+
37
+ **[IMPORTANT]**: if you have customized Doorkeeper views (`authorizations/new`, `authorizations/show`,
38
+ `applications/show`) or overridden the default `en.yml` translations, you may need to update them.
39
+ Colons are no longer hardcoded in the views — they are now part of the translation strings.
40
+ Update the [doorkeeper-i18n](https://github.com/doorkeeper-gem/doorkeeper-i18n) gem to get the
41
+ updated translations for all locales.
42
+ - [#1820] Remove dead wildcard presence check in `Scopes#dynamic_scope_match?` (internal cleanup, no behavior change).
43
+ - [#1822] Update Rubocop config, auto-corrections.
44
+ - [#1823] Update Rubocop config, part 2.
45
+ - [#1825] Update Rubocop config, part 3.
46
+ - [#1821] Fix noisy `Could not find command "no_previous_refresh_token_column?"` Thor output during the
47
+ `PreviousRefreshTokenGenerator` spec by stubbing the underlying DB column check instead of the generator's
48
+ private method (test-only change).
49
+
50
+ ## 5.9.0
51
+
52
+ - [#1791] Add support for Rails read replicas with automatic role switching via `enable_multiple_database_roles` configuration option
53
+ - [#1792] Consider expires_in when clear expired tokens with StaleRecordsCleaner.
54
+ - [#1790] Fix race condition in refresh token revocation check by moving InvalidGrantReuse check inside the lock block
55
+ - [#1788] Fix regex for basic auth to be case-insensitive
56
+ - [#1775] Fix Applications Secret Not Null Constraint generator
57
+ - [#1779] Only lock previous access token model when creating a new token from its refresh token if revoke_previous_refresh_token_on_use is false
58
+ - [#1778] Ensure that token revocation is idempotent by checking that that token has not already been revoked before revoking.
59
+
60
+
61
+ ## 5.8.2
62
+
63
+ - [#1755] Fix the error message for force_pkce
64
+ - [#1761] Memoize authentication failure
65
+ - [#1762] Allow missing client to trigger invalid client error when force_pkce is enabled
66
+ - [#1767] Make sure error handling happens on a controller level opposed to action level to account for the controller being extended
67
+
68
+ ## 5.8.1
69
+
70
+ - [#1752] Bump the range of supported Ruby and Rails versions
71
+ - [#1747] Fix unknown pkce method error when configured
72
+ - [#1744] Allow for expired refresh tokens to be revoked
73
+ - [#1754] Fix refresh tokens with dynamic scopes
74
+
75
+ ## 5.8.0
76
+
77
+ - [#1739] Add support for dynamic scopes
78
+ - [#1715] Fix token introspection invalid request reason
79
+ - [#1714] Fix `Doorkeeper::AccessToken.find_or_create_for` with empty scopes which raises NoMethodError
80
+ - [#1712] Add `Pragma: no-cache` to token response
81
+ - [#1726] Refactor token introspection class.
82
+ - [#1727] Allow to set null secret value for Applications if they are public.
83
+ - [#1735] Add `pkce_code_challenge_methods` config option.
84
+
85
+ ## 5.7.1
86
+
87
+ - [#1705] Add `force_pkce` option that requires non-confidential clients to use PKCE when requesting an access_token using an authorization code
88
+
89
+ ## 5.7.0
90
+
91
+ - [#1696] Add missing `#issued_token` method to `OAuth::TokenResponse`
92
+ - [#1697] Allow a TokenResponse body to be customized (memoize response body).
93
+ - [#1702] Fix bugs for error response in the form_post and error view
94
+ - [#1660] Custom access token attributes are now considered when finding matching tokens (fixes #1665).
95
+ Introduce `revoke_previous_client_credentials_token` configuration option.
96
+
97
+ ## 5.6.9
98
+
99
+ - [#1691] Make new Doorkeeper errors backward compatible with older extensions.
100
+
101
+ ## 5.6.8
102
+
103
+ - [#1680] Fix handle_auth_errors :raise NotImplementedError
104
+
105
+ ## 5.6.7
106
+
107
+ - [#1662] Specify uri_redirect validation class explicitly.
108
+ - [#1652] Add custom attributes support to token generator.
109
+ - [#1667] Pass `client` instead of `grant.application` to `find_or_create_access_token`.
110
+ - [#1673] Honor `custom_access_token_attributes` in client credentials grant flow.
111
+ - [#1676] Improve AuthorizationsController error response handling
112
+ - [#1677] Fix URIHelper.valid_for_authorization? breaking for non url URIs.
113
+
114
+ ## 5.6.6
115
+
116
+ - [#1644] Update HTTP headers.
117
+ - [#1646] Block public clients automatic authorization skip.
118
+ - [#1648] Add custom token attributes to Refresh Token Request.
119
+ - [#1649] Fixed custom_access_token_attributes related errors.
120
+
121
+ ## 5.6.5
122
+
123
+ - [#1602] Allow custom data to be stored inside access grants/tokens.
124
+ - [#1634] Code refactoring for custom token attributes.
125
+ - [#1639] Add grant type validation to avoid Internal Server Error for DELETE /oauth/authorize endpoint.
126
+
127
+ ## 5.6.4
128
+
129
+ - [#1633] Apply ORM configuration in #to_prepare block to avoid autoloading errors.
130
+
131
+ ## 5.6.3
132
+
133
+ - [#1622] Drop support for Rubies 2.5 and 2.6
134
+ - [#1605] Fix URI validation for Ruby 3.2+.
135
+ - [#1625] Exclude endless access tokens from `StaleRecordsCleaner`.
136
+ - [#1626] Remove deprecated `active_record_options` config option.
137
+ - [#1631] Fix regression with redirect behavior after token lookup optimizations (redirect to app URI when found).
138
+ - [#1630] Special case unique index creation for refresh_token on SQL Server.
139
+ - [#1627] Lazy evaluate Doorkeeper config when loading files and executing initializers.
140
+
141
+ ## 5.6.2
142
+
143
+ - [#1604] Fix fetching of the application when custom application_class defined.
144
+
145
+ ## 5.6.1
146
+
147
+ - [#1593] Add support for Trilogy ActiveRecord adapter.
148
+ - [#1597] Add optional support to use the url path for the native authorization code flow. Ports forward [#1143] from 4.4.3
149
+ - [#1599] Remove unnecessarily re-fetch of application object when creating an access token.
150
+
151
+ ## 5.6.0
152
+
153
+ - [#1581] Consider `token_type_hint` when searching for access token in TokensController to avoid extra database calls.
154
+
155
+ ## 5.6.0.rc2
156
+
157
+ - [#1558] Fixed bug: able to obtain a token with default scopes even if they are not present in the
158
+ application scopes when using client credentials.
159
+ - [#1567] Only filter `code` parameter if authorization_code grant flow is enabled.
160
+
161
+ ## 5.6.0.rc1
162
+
163
+ - [#1551] Change lazy loading for ORM to be Ruby standard autoload.
164
+ - [#1552] Remove duplicate IDs on Auth form to improve accessibility.
165
+ - [#1542] Improve performance of `Doorkeeper::AccessToken#matching_token_for` using database specific SQL time math.
166
+
167
+ **[IMPORTANT]**: API of the `Doorkeeper::AccessToken#matching_token_for` method has changed and now it returns
168
+ only **active** access tokens (previously they were just not revoked). Please remember that the idea of the
169
+ `reuse_access_token` option is to check for existing _active_ token (see configuration option description).
170
+
171
+ ## 5.5.4
172
+
173
+ - [#1535] Revert changes introduced in #1528 to allow query params in `redirect_uri` as per the spec.
174
+
175
+ ## 5.5.3
176
+
177
+ - [#1528] Don't allow extra query params in redirect_uri.
178
+ - [#1525] I18n source for forbidden token error is now `doorkeeper.errors.messages.forbidden_token.missing_scope`.
179
+ - [#1531] Disable `strict-loading` for Doorkeeper models by default.
180
+ - [#1532] Add support for Rails 7.
181
+
182
+ ## 5.5.2
183
+
184
+ - [#1502] Drop support for Ruby 2.4 because of EOL.
185
+ - [#1504] Updated the url fragment in the comment for code documentation.
186
+ - [#1512] Fix form behavior when response mode is form_post.
187
+ - [#1511] Fix that authorization code is returned by fragment if response_mode is fragment.
188
+
189
+ ## 5.5.1
190
+
191
+ - [#1496] Revoke `old_refresh_token` if `previous_refresh_token` is present.
192
+ - [#1495] Fix `respond_to` undefined in API-only mode
193
+ - [#1488] Verify client authentication for Resource Owner Password Grant when
194
+ `config.skip_client_authentication_for_password_grant` is set and the client credentials
195
+ are sent in a HTTP Basic auth header.
196
+
197
+ ## 5.5.0
198
+
199
+ - [#1482] Simplify `TokenInfoController` to be overridable (extract response rendering).
200
+ - [#1478] Fix ownership association and Rake tasks when custom models configured.
201
+ - [#1477] Respect `ActiveRecord::Base.pluralize_table_names` for Doorkeeper table names.
202
+
203
+ ## 5.5.0.rc2
204
+
205
+ - [#1473] Enable `Applications` and `AuthorizedApplications` controllers in API mode.
206
+
207
+ **[IMPORTANT]** you can still skip these controllers using `skip_controllers` in
208
+ `use_doorkeeper` inside `routes.rb`. Please do it in case you don't need them.
209
+
210
+ - [#1472] Fix `establish_connection` configuration for custom defined models.
211
+ - [#1471] Add support for Ruby 3.0.
212
+ - [#1469] Check if `redirect_uri` exists.
213
+ - [#1465] Memoize nil doorkeeper_token.
214
+ - [#1459] Use built-in Ruby option to remove padding in PKCE code challenge value.
215
+ - [#1457] Make owner_id a bigint for newly-generated owner migrations
216
+ - [#1452] Empty previous_refresh_token only if present.
217
+ - [#1440] Validate empty host in redirect_uri.
218
+ - [#1438] Add form post response mode.
219
+ - [#1458] Make `config.skip_client_authentication_for_password_grant` a long term configuration option.
220
+
221
+ ## 5.5.0.rc1
222
+
223
+ - [#1435] Make error response not redirectable when client is unauthorized
224
+ - [#1426] Ensure ActiveRecord callbacks are executed on token revocation.
225
+ - [#1407] Remove redundant and complex to support helpers froms tests (`should_have_json`, etc).
226
+ - [#1416] Don't add introspection route if token introspection completely disabled.
227
+ - [#1410] Properly memoize `current_resource_owner` value (consider `nil` and `false` values).
228
+ - [#1415] Ignore PKCE params for non-PKCE grants.
229
+ - [#1418] Add ability to register custom OAuth Grant Flows.
230
+ - [#1420] Require client authentication for Resource Owner Password Grant as stated in OAuth RFC.
231
+
232
+ **[IMPORTANT]** you need to create a new OAuth client (`Doorkeeper::Application`) if you didn't
233
+ have it before and use client credentials in HTTP Basic auth if you previously used this grant
234
+ flow without client authentication. To opt out of this you could set the
235
+ `skip_client_authentication_for_password_grant` configuration option to `true`, but note that
236
+ this is in violation of the OAuth spec and represents a security risk.
237
+ All the users of your provider application now need to include client credentials when they use
238
+ this grant flow.
239
+
240
+ - [#1421] Add Resource Owner instance to authorization hook context for `custom_access_token_expires_in`
241
+ configuration option to allow resource owner based Access Tokens TTL.
242
+
243
+ ## 5.4.0
244
+
245
+ - [#1404] Make `Doorkeeper::Application#read_attribute_for_serialization` public.
246
+
247
+ ## 5.4.0.rc2
248
+
249
+ - [#1371] Add `#as_json` method and attributes serialization restriction for Application model.
250
+ Fixes information disclosure vulnerability (CVE-2020-10187).
251
+
252
+ **[IMPORTANT]** you need to re-implement `#as_json` method for Doorkeeper Application model
253
+ if you previously used `#to_json` serialization with custom options or attributes or rely on
254
+ JSON response from /oauth/applications.json or /oauth/authorized_applications.json. This change
255
+ is a breaking change which restricts serialized attributes to a very small set of columns.
256
+
257
+ - [#1395] Fix `NameError: uninitialized constant Doorkeeper::AccessToken` for Rake tasks.
258
+ - [#1397] Add `as: :doorkeeper_application` on Doorkeeper application form in order to support
259
+ custom configured application model.
260
+ - [#1400] Correctly yield the application instance to `allow_grant_flow_for_client?` config
261
+ option (fixes #1398).
262
+ - [#1402] Handle trying authorization with client credentials.
263
+
264
+ ## 5.4.0.rc1
265
+ - [#1366] Sets expiry of token generated using `refresh_token` to that of original token. (Fixes #1364)
266
+ - [#1354] Add `authorize_resource_owner_for_client` option to authorize the calling user to access an application.
267
+ - [#1355] Allow to enable polymorphic Resource Owner association for Access Token & Grant
268
+ models (`use_polymorphic_resource_owner` configuration option).
269
+
270
+ **[IMPORTANT]** Review your custom patches or extensions for Doorkeeper internals if you
271
+ have such - since now Doorkeeper passes Resource Owner instance to every objects and not
272
+ just it's ID. See PR description for details.
273
+
274
+ - [#1356] Remove duplicated scopes from Access Tokens and Grants on attribute assignment.
275
+ - [#1357] Fix `Doorkeeper::OAuth::PreAuthorization#as_json` method causing
276
+ `Stack level too deep` error with AMS (fix #1312).
277
+ - [#1358] Deprecate `active_record_options` configuration option.
278
+ - [#1359] Refactor Doorkeeper configuration options DSL to make it easy to reuse it
279
+ in external extensions.
280
+ - [#1360] Increase `matching_token_for` lookup size to 10 000 and make it configurable.
281
+ - [#1371] Fix controllers to use valid classes in case Doorkeeper has custom models configured.
282
+ - [#1370] Fix revocation response for invalid token and unauthorized requests to conform with RFC 7009 (fixes #1362).
283
+
284
+ **[IMPORTANT]** now fully according to RFC 7009 nobody can do a revocation request without `client_id`
285
+ (for public clients) and `client_secret` (for private clients). Please update your apps to include that
286
+ info in the revocation request payload.
287
+
288
+ - [#1373] Make Doorkeeper routes mapper reusable in extensions.
289
+ - [#1374] Revoke and issue client credentials token in a transaction with a row lock.
290
+ - [#1384] Add context object with auth/pre_auth and issued_token for authorization hooks.
291
+ - [#1387] Add `AccessToken#create_for` and use in `RefreshTokenRequest`.
292
+ - [#1392] Fix `enable_polymorphic_resource_owner` migration template to have proper index name.
293
+ - [#1393] Improve Applications #show page with more informative data on client secret and scopes.
294
+ - [#1394] Use Ruby `autoload` feature to load Doorkeeper files.
295
+
296
+ ## 5.3.3
297
+
298
+ - [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
299
+
300
+ ## 5.3.2
301
+
302
+ - [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
303
+ Fixes information disclosure vulnerability (CVE-2020-10187).
304
+
305
+ ## 5.3.1
306
+
307
+ - [#1360] Backport: Increase `matching_token_for` batch lookup size to 10 000 and make it configurable.
308
+
309
+ ## 5.3.0
310
+
311
+ - [#1339] Validate Resource Owner in `PasswordAccessTokenRequest` against `nil` and `false` values.
312
+ - [#1341] Fix `refresh_token_revoked_on_use` with `hash_token_secrets` enabled.
313
+ - [#1343] Fix ruby 2.7 kwargs warning in InvalidTokenResponse.
314
+ - [#1345] Allow to set custom classes for Doorkeeper models, extract reusable AR mixins.
315
+ - [#1346] Refactor `Doorkeeper::Application#to_json` into convenient `#as_json` (fix #1344).
316
+ - [#1349] Fix `Doorkeeper::Application` AR associations using an incorrect foreign key name when using a custom class.
317
+ - [#1318] Make existing token revocation for client credentials optional and disable it by default.
318
+
319
+ **[IMPORTANT]** This is a change compared to the behaviour of version 5.2.
320
+ If you were relying on access tokens being revoked once the same client
321
+ requested a new access token, reenable it with `revoke_previous_client_credentials_token` in Doorkeeper
322
+ initialization file.
323
+
324
+ ## 5.2.6
325
+
326
+ - [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
327
+
328
+ ## 5.2.5
329
+
330
+ - [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
331
+ Fixes information disclosure vulnerability (CVE-2020-10187).
332
+
333
+ ## 5.2.4
334
+
335
+ - [#1360] Backport: Increase `matching_token_for` batch lookup size to 10 000 and make it configurable.
336
+
337
+ ## 5.2.3
338
+
339
+ - [#1334] Remove `application_secret` flash helper and `redirect_to` keyword.
340
+ - [#1331] Move redirect_uri_validator to where it is used (`Application` model).
341
+ - [#1326] Move response_type check in pre_authorization to a method to be easily to override.
342
+ - [#1329] Fix `find_in_batches` order warning.
343
+
344
+ ## 5.2.2
345
+
346
+ - [#1320] Call configured `authenticate_resource_owner` method once per request.
347
+ - [#1315] Allow generation of new secret with `Doorkeeper::Application#renew_secret`.
348
+ - [#1309] Allow `Doorkeeper::Application#to_json` to work without arguments.
349
+
350
+ ## 5.2.1
351
+
352
+ - [#1308] Fix flash types for `api_only` mode (no flashes for `ActionController::API`).
353
+ - [#1306] Fix interpolation of `missing_param` I18n.
354
+
355
+ ## 5.2.0
356
+
357
+ - [#1305] Make `Doorkeeper::ApplicationController` to inherit from `ActionController::API` in cases
358
+ when `api_mode` enabled (fixes #1302).
359
+
360
+ ## 5.2.0.rc3
361
+
362
+ - [#1298] Slice strong params so doesn't error with Rails forms.
363
+ - [#1300] Limiting access to attributes of pre_authorization.
364
+ - [#1296] Adding client_id to strong parameters.
365
+
366
+ **[IMPORTANT]** `Doorkeeper::Server#client_via_uid` was removed.
367
+
368
+ - [#1293] Move ar specific redirect uri validator to ar orm directory.
369
+ - [#1288] Allow to pass attributes to the `Doorkeeper::OAuth::PreAuthorization#as_json` method to customize
370
+ the PreAuthorization response.
371
+ - [#1286] Add ability to customize grant flows per application (OAuth client) (#1245 , #1207)
372
+ - [#1283] Allow to customize base class for `Doorkeeper::ApplicationMetalController` (new configuration
373
+ option called `base_metal_controller` (fix #1273).
374
+ - [#1277] Prevent requested scope be empty on authorization request, handle and add description for invalid request.
375
+
376
+ ## 5.2.0.rc2
377
+
378
+ - [#1270] Find matching tokens in batches for `reuse_access_token` option (fix #1193).
379
+ - [#1271] Reintroduce existing token revocation for client credentials.
380
+
381
+ **[IMPORTANT]** If you rely on being able to fetch multiple access tokens from the same
382
+ client using client credentials flow, you should skip to version 5.3, where this behaviour
383
+ is deactivated by default.
384
+
385
+ - [#1269] Update initializer template documentation.
386
+ - [#1266] Use strong parameters within pre-authorization.
387
+ - [#1264] Add :before_successful_authorization and :after_successful_authorization hooks in TokensController
388
+ - [#1263] Response properly when introspection fails and fix configurations's user guide.
389
+
390
+ ## 5.2.0.rc1
391
+
392
+ - [#1260], [#1262] Improve Token Introspection configuration option (access to tokens, client).
393
+ - [#1257] Add constraint configuration when using client authentication on introspection endpoint.
394
+ - [#1252] Returning `unauthorized` when the revocation of the token should not be performed due to wrong permissions.
395
+ - [#1249] Specify case sensitive uniqueness to remove Rails 6 deprecation message
396
+ - [#1248] Display the Application Secret in HTML after creating a new application even when `hash_application_secrets` is used.
397
+ - [#1248] Return the unhashed Application Secret in the JSON response after creating new application even when `hash_application_secrets` is used.
398
+ - [#1238] Better support for native app with support for custom scheme and localhost redirection.
399
+
400
+ ## 5.1.2
401
+
402
+ - [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
403
+
404
+ ## 5.1.1
405
+
406
+ - [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
407
+ Fixes information disclosure vulnerability (CVE-2020-10187).
408
+
409
+ ## 5.1.0
410
+
411
+ - [#1243] Add nil check operator in token checking at token introspection.
412
+ - [#1241] Explaining foreign key options for resource owner in a single place
413
+ - [#1237] Allow to set blank redirect URI if Doorkeeper configured to use redirect URI-less grant flows.
414
+ - [#1234] Fix `StaleRecordsCleaner` to properly work with big amount of records.
415
+ - [#1228] Allow to explicitly set non-expiring tokens in `custom_access_token_expires_in` configuration
416
+ option using `Float::INFINITY` return value.
417
+ - [#1224] Do not try to store token if not found by fallback hashing strategy.
418
+ - [#1223] Update Hound/Rubocop rules, correct Doorkeeper codebase to follow style-guides.
419
+ - [#1220] Drop Rails 4.2 & Ruby < 2.4 support.
420
+
421
+ ## 5.1.0.rc2
422
+
423
+ - [#1208] Unify hashing implementation into secret storing strategies
424
+
425
+ **[IMPORTANT]** If you have been using the master branch of doorkeeper with bcrypt in your Gemfile.lock,
426
+ your application secrets have been hashed using BCrypt. To restore this behavior, use the initializer option
427
+ `hash_application_secrets using: 'Doorkeeper::SecretStoring::BCrypt`.
428
+
429
+ - [#1216] Add nil check to `expires_at` method.
430
+ - [#1215] Fix deprecates for Rails 6.
431
+ - [#1214] Scopes field accepts array.
432
+ - [#1209] Fix tokens validation for Token Introspection request.
433
+ - [#1202] Use correct HTTP status codes for error responses.
434
+
435
+ **[IMPORTANT]**: this change might break your application if you were relying on the previous
436
+ 401 status codes, this is now a 400 by default, or a 401 for `invalid_client` and `invalid_token` errors.
437
+
438
+ - [#1201] Fix custom TTL block `client` parameter to always be an `Doorkeeper::Application` instance.
439
+
440
+ **[IMPORTANT]**: those who defined `custom_access_token_expires_in` configuration option need to check
441
+ their block implementation: if you are using `oauth_client.application` to get `Doorkeeper::Application`
442
+ instance, then you need to replace it with just `oauth_client`.
443
+
444
+ - [#1200] Increase default Doorkeeper access token value complexity (`urlsafe_base64` instead of just `hex`)
445
+ matching RFC6749/RFC6750.
446
+
447
+ **[IMPORTANT]**: this change have possible side-effects in case you have custom database constraints for
448
+ access token value, application secrets, refresh tokens or you patched Doorkeeper models and introduced
449
+ token value validations, or you are using database with case-insensitive WHERE clause like MySQL
450
+ (you can face some collisions). Before this change access token value matched `[a-f0-9]` regex, and now
451
+ it matches `[a-zA-Z0-9\-_]`. In case you have such restrictions and your don't use custom token generator
452
+ please change configuration option `default_generator_method` to `:hex`.
453
+
454
+ - [#1195] Allow to customize Token Introspection response (fixes #1194).
455
+ - [#1189] Option to set `token_reuse_limit`.
456
+ - [#1191] Try to load bcrypt for hashing of application secrets, but add fallback.
457
+
458
+ ## 5.1.0.rc1
459
+
460
+ - [#1188] Use `params` instead of `request.POST` in tokens controller (fixes #1183).
461
+ - [#1182] Fix loopback IP redirect URIs to conform with RFC8252, p. 7.3 (fixes #1170).
462
+ - [#1179] Authorization Code Grant Flow without client id returns invalid_client error.
463
+ - [#1177] Allow to limit `scopes` for certain `grant_types`
464
+ - [#1176] Fix test factory support for `factory_bot_rails`
465
+ - [#1175] Internal refactor: use `scopes_string` inside `scopes`.
466
+ - [#1168] Allow optional hashing of tokens and secrets.
467
+ - [#1164] Fix error when `root_path` is not defined.
468
+ - [#1162] Fix `enforce_content_type` for requests without body.
469
+
470
+ ## 5.0.3
471
+
472
+ - [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
473
+ Fixes information disclosure vulnerability (CVE-2020-10187).
474
+
475
+ ## 5.0.2
476
+
477
+ - [#1158] Fix initializer template: change `handle_auth_errors` option
478
+ - [#1157] Remove redundant index from migration template.
479
+
480
+ ## 5.0.1
481
+
482
+ - [#1154] Refactor `StaleRecordsCleaner` to be ORM agnostic.
483
+ - [#1152] Fix migration template: change resource owner data type from integer to Rails generic `references`
484
+ - [#1151] Fix Refresh Token strategy: add proper validation of client credentials both for Public & Private clients.
485
+ - [#1149] Fix for `URIChecker#valid_for_authorization?` false negative when query is blank, but `?` present.
486
+ - [#1140] Allow rendering custom errors from exceptions (issue #844). Originally opened as [#944].
487
+ - [#1138] Revert regression bug (check for token expiration in Authorizations controller so authorization
488
+ triggers every time)
489
+
490
+ ## 5.0.0
491
+
492
+ - [#1127] Change the token_type initials of the Banner Token to uppercase to comply with the RFC6750 specification.
493
+
494
+ ## 5.0.0.rc2
495
+
496
+ - [#1122] Fix AuthorizationsController#new error response to be in JSON format
497
+ - [#1119] Fix token revocation for OAuth apps using "implicit" grant flow
498
+ - [#1116] `AccessGrant`s will now be revoked along with `AccessToken`s when
499
+ hitting the `AuthorizedApplicationController#destroy` route.
500
+ - [#1114] Make token info endpoint's attributes consistent with token creation
501
+ - [#1108] Simple formatting of callback URLs when listing oauth applications
502
+ - [#1106] Restrict access to AdminController with 'Forbidden 403' if admin_authenticator is not
503
+ configured by developers.
504
+
505
+ ## 5.0.0.rc1
506
+
507
+ - [#1103] Allow customizing use_refresh_token
508
+ - [#1089] Removed enable_pkce_without_secret configuration option
509
+ - [#1102] Expiration time based on scopes
510
+ - [#1099] All the configuration variables in `Doorkeeper.configuration` now
511
+ always return a non-nil value (`true` or `false`)
512
+ - [#1099] ORM / Query optimization: Do not revoke the refresh token if it is not enabled
513
+ in `doorkeeper.rb`
514
+ - [#996] Expiration Time Base On Grant Type
515
+ - [#997] Allow PKCE authorization_code flow as specified in RFC7636
516
+ - [#907] Fix lookup for matching tokens in certain edge-cases
517
+ - [#992] Add API option to use Doorkeeper without management views for API only
518
+ Rails applications (`api_only`)
519
+ - [#1045] Validate redirect_uri as the native URI when making authorization code requests
520
+ - [#1048] Remove deprecated `Doorkeeper#configured?`, `Doorkeeper#database_installed?`, and
521
+ `Doorkeeper#installed?` method
522
+ - [#1031] Allow public clients to authenticate without `client_secret`. Define an app as
523
+ either public or private/confidential
524
+
525
+ **[IMPORTANT]**: all the applications (clients) now are considered as private by default.
526
+ You need to manually change `confidential` column to `false` if you are using public clients,
527
+ in other case your mobile (or other) applications will not be able to authorize.
528
+ See [#1142](https://github.com/doorkeeper-gem/doorkeeper/issues/1142) for more details.
529
+
530
+ - [#1010] Add configuration to enforce configured scopes (`default_scopes` and
531
+ `optional_scopes`) for applications
532
+ - [#1060] Ensure that the native redirect_uri parameter matches with redirect_uri of the client
533
+ - [#1064] Add :before_successful_authorization and :after_successful_authorization hooks
534
+ - [#1069] Upgrade Bootstrap to 4 for Admin
535
+ - [#1068] Add rake task to cleanup databases that can become large over time
536
+ - [#1072] AuthorizationsController: Memoize strategy.authorize_response result to enable
537
+ subclasses to use the response object.
538
+ - [#1075] Call `before_successful_authorization` and `after_successful_authorization` hooks
539
+ on `create` action as well as `new`
540
+ - [#1082] Fix #916: remember routes mapping and use it required places (fix error with
541
+ customized Token Info route).
542
+ - [#1086, #1088] Fix bug with receiving default scopes in the token even if they are
543
+ not present in the application scopes (use scopes intersection).
544
+ - [#1076] Add config to enforce content type to application/x-www-form-urlencoded
545
+ - Fix bug with `force_ssl_in_redirect_uri` when it breaks existing applications with an
546
+ SSL redirect_uri.
547
+
548
+ ## 4.4.3
549
+
550
+ - [#1143] Adds a config option `opt_out_native_route_change` to opt out of the breaking api
551
+ changed introduced in https://github.com/doorkeeper-gem/doorkeeper/pull/1003
552
+
553
+ ## 4.4.2
554
+
555
+ - [#1130] Backport fix for native redirect_uri from 5.x.
556
+
557
+ ## 4.4.1
558
+
559
+ - [#1127] Backport token type to comply with the RFC6750 specification.
560
+ - [#1125] Backport Quote surround I18n yes/no keys
561
+
562
+ ## 4.4.0
563
+
564
+ - [#1120] Backport security fix from 5.x for token revocation when using public clients
565
+
566
+ **[IMPORTANT]**: all the applications (clients) now are considered as private by default.
567
+ You need to manually change `confidential` column to `false` if you are using public clients,
568
+ in other case your mobile (or other) applications will not be able to authorize.
569
+ See [#1142](https://github.com/doorkeeper-gem/doorkeeper/issues/1142) for more details.
570
+
571
+ ## 4.3.2
572
+
573
+ - [#1053] Support authorizing with query params in the request `redirect_uri` if explicitly present in app's `Application#redirect_uri`
574
+
575
+ ## 4.3.1
576
+
577
+ - Remove `BaseRecord` and introduce additional concern for ordering methods to fix
578
+ braking changes for Doorkeeper models.
579
+ - [#1032] Refactor BaseRequest callbacks into configurable lambdas
580
+ - [#1040] Clear mixins from ActiveRecord DSL and save only overridable API. It
581
+ allows to use this mixins in Doorkeeper ORM extensions with minimum code boilerplate.
582
+
583
+ ## 4.3.0
584
+
585
+ - [#976] Fix to invalidate the second redirect URI when the first URI is the native URI
586
+ - [#1035] Allow `Application#redirect_uri=` to handle array of URIs.
587
+ - [#1036] Allow to forbid Application redirect URI's with specific rules.
588
+ - [#1029] Deprecate `order_method` and introduce `ordered_by`. Sort applications
589
+ by `created_at` in index action.
590
+ - [#1033] Allow Doorkeeper configuration option #force_ssl_in_redirect_uri to be a callable object.
591
+ - Fix Grape integration & add specs for it
592
+ - [#913] Deferred ORM (ActiveRecord) models loading
593
+ - [#943] Fix Access Token token generation when certain errors occur in custom token generators
594
+ - [#1026] Implement RFC7662 - OAuth 2.0 Token Introspection
595
+ - [#985] Generate valid migration files for Rails >= 5
596
+ - [#972] Replace Struct subclassing with block-form initialization
597
+ - [#1003] Use URL query param to pass through native redirect auth code so automated apps can find it.
598
+
599
+ **[IMPORTANT]**: Previously authorization code response route was `/oauth/authorize/<code>`,
600
+ now it is `oauth/authorize/native?code=<code>` (in order to help applications to automatically find the code value).
601
+
602
+ - [#868] `Scopes#&` and `Scopes#+` now take an array or any other enumerable
603
+ object.
604
+ - [#1019] Remove translation not in use: `invalid_resource_owner`.
605
+ - Use Ruby 2 hash style syntax (min required Ruby version = 2.1)
606
+ - [#948] Make Scopes.<=> work with any "other" value.
607
+ - [#974] Redirect URI is checked without query params within AuthorizationCodeRequest.
608
+ - [#1004] More explicit help text for `native_redirect_uri`.
609
+ - [#1023] Update Ruby versions and test against 2.5.0 on Travis CI.
610
+ - [#1024] Migrate from FactoryGirl to FactoryBot.
611
+ - [#1025] Improve documentation for adding foreign keys
612
+ - [#1028] Make it possible to have composite strategy names.
613
+
614
+ ## 4.2.6
615
+
616
+ - [#970] Escape certain attributes in authorization forms.
617
+
618
+ ## 4.2.5
619
+
620
+ - [#936] Deprecate `Doorkeeper#configured?`, `Doorkeeper#database_installed?`, and
621
+ `Doorkeeper#installed?`
622
+ - [#909] Add `InvalidTokenResponse#reason` reader method to allow read the kind
623
+ of invalid token error.
624
+ - [#928] Test against more recent Ruby versions
625
+ - Small refactorings within the codebase
626
+ - [#921] Switch to Appraisal, and test against Rails master
627
+ - [#892] Add minimum Ruby version requirement
628
+
629
+ ## 4.2.0
630
+
631
+ - Security fix: Address CVE-2016-6582, implement token revocation according to
632
+ spec (tokens might not be revoked if client follows the spec).
633
+ - [#873] Add hooks to Doorkeeper::ApplicationMetalController
634
+ - [#871] Allow downstream users to better utilize doorkeeper spec factories by
635
+ eliminating name conflict on `:user` factory.
636
+
637
+ ## 4.1.0
638
+
639
+ - [#845] Allow customising the `Doorkeeper::ApplicationController` base
640
+ controller
641
+
642
+ ## 4.0.0
643
+
644
+ - [#834] Fix AssetNotPrecompiled error with Sprockets 4
645
+ - [#843] Revert "Fix validation error messages"
646
+ - [#847] Specify Null option to timestamps
647
+
648
+ ## 4.0.0.rc4
649
+
650
+ - [#777] Add support for public client in password grant flow
651
+ - [#823] Make configuration and specs ORM independent
652
+ - [#745] Add created_at timestamp to token generation options
653
+ - [#838] Drop `Application#scopes` generator and warning, introduced for
654
+ upgrading doorkeeper from v2 to v3.
655
+ - [#801] Fix Rails 5 warning messages
656
+ - Test against Rails 5 RC1
657
+
658
+ ## 4.0.0.rc3
659
+
660
+ - [#769] Revoke refresh token on access token use. To make use of the new config
661
+ add `previous_refresh_token` column to `oauth_access_tokens`:
662
+
663
+ ```
664
+ rails generate doorkeeper:previous_refresh_token
665
+ ```
666
+
667
+ - [#811] Toughen parameters filter with exact match
668
+ - [#813] Applications admin bugfix
669
+ - [#799] Fix Ruby Warnings
670
+ - Drop `attr_accessible` from models
671
+
672
+ ### Backward incompatible changes
673
+
674
+ - [#730] Force all timezones to use UTC to prevent comparison issues.
675
+ - [#802] Remove `config.i18n.fallbacks` from engine
676
+
677
+ ## 4.0.0.rc2
678
+
679
+ - Fix optional belongs_to for Rails 5
680
+ - Fix Ruby warnings
681
+
682
+ ## 4.0.0.rc1
683
+
684
+ ### Backward incompatible changes
685
+
686
+ - Drops support for Rails 4.1 and earlier
687
+ - Drops support for Ruby 2.0
688
+ - [#778] Bug fix: use the remaining time that a token is still valid when
689
+ building the redirect URI for the implicit grant flow
690
+
691
+ ### Other changes
692
+
693
+ - [#771] Validation error messages fixes
694
+ - Adds foreign key constraints in generated migrations between tokens and
695
+ grants, and applications
696
+ - Support Rails 5
697
+
698
+ ## 3.1.0
699
+
700
+ - [#736] Existing valid tokens are now reused in client_credentials flow
701
+ - [#749] Allow user to raise authorization error with custom messages.
702
+ Under `resource_owner_authenticator` block a user can
703
+ `raise Doorkeeper::Errors::DoorkeeperError.new('custom_message')`
704
+ - [#762] Check doesn’t abort the actual migration, so it runs
705
+ - [#722] `doorkeeper_forbidden_render_options` now supports returning a 404 by
706
+ specifying `respond_not_found_when_forbidden: true` in the
707
+ `doorkeeper_forbidden_render_options` method.
708
+ - [#734] Simplify and remove duplication in request strategy classes
709
+
710
+ ## 3.0.1
711
+
712
+ - [#712] Wrap exchange of grant token for access token and access token refresh
713
+ in transactions
714
+ - [#704] Allow applications scopes to be mass assigned
715
+ - [#707] Fixed order of Mixin inclusion and table_name configuration in models
716
+ - [#712] Wrap access token and refresh grants in transactions
717
+ - Adds JRuby support
718
+ - Specs, views and documentation adjustments
719
+
720
+ ## 3.0.0
721
+
722
+ ### Other changes
723
+
724
+ - [#693] Updates `en.yml`.
725
+
726
+ ## 3.0.0 (rc2)
727
+
728
+ ### Backward incompatible changes
729
+
730
+ - [#678] Change application-specific scopes to take precedence over server-wide
731
+ scopes. This removes the previous behavior where the intersection between
732
+ application and server scopes was used.
733
+
734
+ ### Other changes
735
+
736
+ - [#671] Fixes `NoMethodError - undefined method 'getlocal'` when calling
737
+ the /oauth/token path. Switch from using a DateTime object to update
738
+ AR to using a Time object. (Issue #668)
739
+ - [#677] Support editing application-specific scopes via the standard forms
740
+ - [#682] Pass error hash to Grape `error!`
741
+ - [#683] Generate application secret/UID if fields are blank strings
742
+
743
+ ## 3.0.0 (rc1)
744
+
745
+ ### Backward incompatible changes
746
+
747
+ - [#648] Extracts mongodb ORMs to
748
+ https://github.com/doorkeeper-gem/doorkeeper-mongodb. If you use ActiveRecord
749
+ you don’t need to do any change, otherwise you will need to install the new
750
+ plugin.
751
+ - [#665] `doorkeeper_unauthorized_render_options(error:)` and
752
+ `doorkeeper_forbidden_render_options(error:)` now accept `error` keyword
753
+ argument.
754
+
755
+ ### Removed deprecations
756
+
757
+ - Removes `doorkeeper_for` deprecation notice.
758
+ - Remove `applications.scopes` upgrade notice.
759
+
760
+ ## 2.2.2
761
+
762
+ - [#541] Fixed `undefined method attr_accessible` problem on Rails 4
763
+ (happens only when ProtectedAttributes gem is used) in #599
764
+
765
+ ## 2.2.1
766
+
767
+ - [#636] `custom_access_token_expires_in` bugfixes
768
+ - [#641] syntax error fix (Issue #612)
769
+ - [#633] Send extra details to Custom Token Generator
770
+ - [#628] Refactor: improve orm adapters to ease extension
771
+ - [#637] Upgrade to rspec to 3.2
772
+
773
+ ## 2.2.0 - 2015-04-19
774
+
775
+ - [#611] Allow custom access token generators to be used
776
+ - [#632] Properly fallback to `default_scopes` when no scope is specified
777
+ - [#622] Clarify that there is a logical OR between scopes for authorizing
778
+ - [#635] Upgrade to rspec 3
779
+ - [#627] i18n fallbacks to english
780
+ - Moved CHANGELOG to NEWS.md
781
+
782
+ ## 2.1.4 - 2015-03-27
783
+
784
+ - [#595] HTTP spec: Add `scope` for refresh token scope param
785
+ - [#596] Limit scopes in app scopes for client credentials
786
+ - [#567] Add Grape helpers for easier integration with Grape framework
787
+ - [#606] Add custom access token expiration support for Client Credentials flow
788
+
789
+ ## 2.1.3 - 2015-03-01
790
+
791
+ - [#588] Fixes scopes_match? bug that skipped authorization form in some cases
792
+
793
+ ## 2.1.2 - 2015-02-25
794
+
795
+ - [#574] Remove unused update authorization route.
796
+ - [#576] Filter out sensitive parameters from logs.
797
+ - [#582] The Authorization HTTP header fields are now case insensitive.
798
+ - [#583] Database connection bugfix in certain scenarios.
799
+ - Testing improvements
800
+
801
+ ## 2.1.1 - 2015-02-06
802
+
803
+ - Remove `wildcard_redirect_url` option
804
+ - [#481] Customize token flow OAuth expirations with a config lambda
805
+ - [#568] TokensController: Memoize strategy.authorize_response result to enable
806
+ subclasses to use the response object.
807
+ - [#571] Fix database initialization issues in some configurations.
808
+ - Documentation improvements
809
+
810
+ ## 2.1.0 - 2015-01-13
811
+
812
+ - [#540] Include `created_at` in response.
813
+ - [#538] Check application-level scopes in client_credentials and password flow.
814
+ - [5596227] Check application scopes in AccessToken when present. Fixes a bug in
815
+ doorkeeper 2.0.0 and 2.0.1 referring to application specific scopes.
816
+ - [#534] Internationalizes doorkeeper views.
817
+ - [#545] Ensure there is a connection to the database before checking for
818
+ missing columns
819
+ - [#546] Use `Doorkeeper::` prefix when referencing `Application` to avoid
820
+ possible application model name conflict.
821
+ - [#538] Test with Rails ~> 4.2.
822
+
823
+ ### Potentially backward incompatible changes
824
+
825
+ - Enable by default `authorization_code` and `client_credentials` grant flows.
826
+ Disables implicit and password grant flows by default.
827
+ - [#510, #544, 722113f] Revoked refresh token response bugfix.
828
+
829
+ ## 2.0.1 - 2014-12-17
830
+
831
+ - [#525, #526, #527] Fix `ActiveRecord::NoDatabaseError` on gem load.
832
+
833
+ ## 2.0.0 - 2014-12-16
834
+
835
+ ### Backward incompatible changes
836
+
837
+ - [#448] Removes `doorkeeper_for` helper. Now we use
838
+ `before_action :doorkeeper_authorize!`.
839
+ - [#469] Allow client applications to restrict the set of allowable scopes.
840
+ Fixes #317. `oauth_applications` relation needs a new `scopes` string column,
841
+ non nullable, which defaults to an empty string. To add the column run:
842
+
843
+ ```
844
+ rails generate doorkeeper:application_scopes
845
+ ```
846
+
847
+ If you’d rather do it by hand, your ActiveRecord migration should contain:
848
+
849
+ ```ruby
850
+ add_column :oauth_applications, :scopes, :string, null: false, default: ‘’
851
+ ```
852
+
853
+ ### Removed deprecations
854
+
855
+ - Removes `test_redirect_uri` option. It is now called `native_redirect_uri`.
856
+ - [#446] Removes `mount Doorkeeper::Engine`. Now we use `use_doorkeeper`.
857
+
858
+ ### Others
859
+
860
+ - [#484] Performance improvement - avoid performing order_by when not required.
861
+ - [#450] When password is invalid in Password Credentials Grant, Doorkeeper
862
+ returned 'invalid_resource_owner' instead of 'invalid_grant', as the spec
863
+ declares. Fixes #444.
864
+ - [#452] Allows `revoked_at` to be set in the future, for future expiry.
865
+ Rationale: https://github.com/doorkeeper-gem/doorkeeper/pull/452#issuecomment-51431459
866
+ - [#480] For Implicit grant flow, access tokens can now be reused. Fixes #421.
867
+ - [#491] Reworks of @jasl's #454 and #478. ORM refactor that allows doorkeeper
868
+ to be extended more easily with unsupported ORMs. It also marks the boundaries
869
+ between shared model code and ORM specifics inside of the gem.
870
+ - [#496] Tests with Rails 4.2.
871
+ - [#489] Adds `force_ssl_in_redirect_uri` to force the usage of the HTTPS
872
+ protocol in non-native redirect uris.
873
+ - [#516] SECURITY: Adds `protect_from_forgery` to `Doorkeeper::ApplicationController`
874
+ - [#518] Fix random failures in mongodb.
875
+
876
+ ---
877
+
878
+ ## 1.4.2 - 2015-03-02
879
+
880
+ - [#576] Filter out sensitive parameters from logs
881
+
882
+ ## 1.4.1 - 2014-12-17
883
+
884
+ - [#516] SECURITY: Adds `protect_from_forgery` to `Doorkeeper::ApplicationController`
885
+
886
+ ## 1.4.0 - 2014-07-31
887
+
888
+ - internals
889
+ - [#427] Adds specs expectations.
890
+ - [#428] Error response refactor.
891
+ - [#417] Moves token validation into Access Token class.
892
+ - [#439] Removes redundant module includes.
893
+ - [#443] TokensController and TokenInfoController inherit from ActionController::Metal
894
+ - bug
895
+ - [#418] fixes #243, requests with insufficient scope now respond 403 instead
896
+ of 401. (API change)
897
+ - [#438] fixes #398, native redirect for implicit token grant bug.
898
+ - [#440] namespace fixes
899
+ - enhancements
900
+ - [#432] Keeps query parameters
901
+
902
+ ## 1.3.1 - 2014-07-06
903
+
904
+ - enhancements
905
+ - [#405] Adds facade to more easily get the token from a request in a route
906
+ constraint.
907
+ - [#415] Extend Doorkeeper TokenResponse with an `after_successful_response`
908
+ callback that allows handling of `response` object.
909
+ - internals
910
+ - [#409] Deprecates `test_redirect_uri` in favor of `native_redirect_uri`.
911
+ See discussion in: [#351].
912
+ - [#411] Clean rspec deprecations. General test improvements.
913
+ - [#412] rspec line width can go longer than 80 (hound CI config).
914
+ - bug
915
+ - [#413] fixes #340, routing scope is now taken into account in redirect.
916
+ - [#401] and [#425] application is not required any longer for access_token.
917
+
918
+ ## 1.3.0 - 2014-05-23
919
+
920
+ - enhancements
921
+ - [#387] Adds reuse_access_token configuration option.
922
+
923
+ ## 1.2.0 - 2014-05-02
924
+
925
+ - enhancements
926
+ - [#376] Allow users to enable basic header authorization for access tokens.
927
+ - [#374] Token revocation implementation [RFC 7009]
928
+ - [#295] Only enable specific grant flows.
929
+ - internals
930
+ - [#381] Locale source fix.
931
+ - [#380] Renames `errors_for` to `doorkeeper_errors_for`.
932
+ - [#390] Style adjustments in accordance with Ruby Style Guide form
933
+ Thoughtbot.
934
+
935
+ ## 1.1.0 - 2014-03-29
936
+
937
+ - enhancements
938
+ - [#336] mongoid4 support.
939
+ - [#372] Allow users to set ActiveRecord table_name_prefix/suffix options
940
+ - internals
941
+ - [#343] separate OAuth's admin and user end-point to different layouts, upgrade theme to Bootstrap 3.1.
942
+ - [#348] Move render_options in filter after `@error` has been set
943
+
944
+ ## 1.0.0 - 2014-01-13
945
+
946
+ - bug (spec)
947
+ - [#228] token response `expires_in` value is now in seconds, relative to
948
+ request time
949
+ - [#296] client is optional for password grant type.
950
+ - [#319] If client credentials are present on password grant type they are validated
951
+ - [#326] If client credentials are present in refresh token they are validated
952
+ - [#326] If authenticated client does not match original client that
953
+ obtained a refresh token it responds `invalid_grant` instead of
954
+ `invalid_client`. Previous usage was invalid according to Section 5.2 of
955
+ the spec.
956
+ - [#329] access tokens' `scopes` string wa being compared against
957
+ `default_scopes` symbols, always unauthorizing.
958
+ - [#318] Include "WWW-Authenticate" header with Unauthorized responses
959
+ - enhancements
960
+ - [#293] Adds ActionController::Instrumentation in TokensController
961
+ - [#298] Support for multiple redirect_uris added.
962
+ - [#313] `AccessToken.revoke_all_for` actually revokes all non-revoked
963
+ tokens for an application/owner instead of deleting them.
964
+ - [#333] Rails 4.1 support
965
+ - internals
966
+ - Removes jQuery dependency [fixes #300][pr #312 is related]
967
+ - [#294] Client uid and secret will be generated only if not present.
968
+ - [#316] Test warnings addressed.
969
+ - [#338] Rspec 3 syntax.
970
+
971
+ ---
972
+
973
+ ## 0.7.4 - 2013-12-01
974
+
975
+ - bug
976
+ - Symbols instead of strings for user input.
977
+
978
+ ## 0.7.3 - 2013-10-04
979
+
980
+ - enhancements
981
+ - [#204] Allow to overwrite scope in routes
982
+ - internals
983
+ - Returns only present keys in Token Response (may imply a backwards
984
+ incompatible change). https://github.com/doorkeeper-gem/doorkeeper/issues/220
985
+ - bug
986
+ - [#290] Support for Rails 4 when 'protected_attributes' gem is present.
987
+
988
+ ## 0.7.2 - 2013-09-11
989
+
990
+ - enhancements
991
+ - [#272] Allow issuing multiple access_tokens for one user/application for multiple devices
992
+ - [#170] Increase length of allowed redirect URIs
993
+ - [#239] Do not try to load unavailable Request class for the current phase.
994
+ - [#273] Relax jquery-rails gem dependency
995
+
996
+ ## 0.7.1 - 2013-08-30
997
+
998
+ - bug
999
+ - [#269] Rails 3.2 raised `ActiveModel::MassAssignmentSecurity::Error`.
1000
+
1001
+ ## 0.7.0 - 2013-08-21
1002
+
1003
+ - enhancements
1004
+ - [#229] Rails 4!
1005
+ - internals
1006
+ - [#203] Changing table name to be specific in column_names_with_table
1007
+ - [#215] README update
1008
+ - [#227] Use Rails.config.paths["config/routes"] instead of assuming "config/routes.rb" exists
1009
+ - [#262] Add jquery as gem dependency
1010
+ - [#263] Add a configuration for ActiveRecord.establish_connection
1011
+ - Deprecation and Ruby warnings (PRs merged outside of GitHub).
1012
+
1013
+ ## 0.6.7 - 2013-01-13
1014
+
1015
+ - internals
1016
+ - [#188] Add IDs to the show views for integration testing [@egtann](https://github.com/egtann)
1017
+
1018
+ ## 0.6.6 - 2013-01-04
1019
+
1020
+ - enhancements
1021
+ - [#187] Raise error if configuration is not set
1022
+
1023
+ ## 0.6.5 - 2012-12-26
1024
+
1025
+ - enhancements
1026
+ - [#184] Vendor the Bootstrap CSS [@tylerhunt](https://github.com/tylerhunt)
1027
+
1028
+ ## 0.6.4 - 2012-12-15
1029
+
1030
+ - bug
1031
+ - [#180] Add localization to authorized_applications destroy notice [@aalvarado](https://github.com/aalvarado)
1032
+
1033
+ ## 0.6.3 - 2012-12-07
1034
+
1035
+ - bugfixes
1036
+ - [#163] Error response content-type header should be application/json [@ggayan](https://github.com/ggayan)
1037
+ - [#175] Make token.expires_in_seconds return nil when expires_in is nil [@miyagawa](https://github.com/miyagawa)
1038
+ - enhancements
1039
+ - [#166, #172, #174] Behavior to automatically authorize based on a configured proc
1040
+ - internals
1041
+ - [#168] Using expectation syntax for controller specs [@rdsoze](https://github.com/rdsoze)
1042
+
1043
+ ## 0.6.2 - 2012-11-10
1044
+
1045
+ - bugfixes
1046
+ - [#162] Remove ownership columns from base migration template [@rdsoze](https://github.com/rdsoze)
1047
+
1048
+ ## 0.6.1 - 2012-11-07
1049
+
1050
+ - bugfixes
1051
+ - [#160] Removed |routes| argument from initializer authenticator blocks
1052
+ - documentation
1053
+ - [#160] Fixed description of context of authenticator blocks
1054
+
1055
+ ## 0.6.0 - 2012-11-05
1056
+
1057
+ - enhancements
1058
+ - Mongoid `orm` configuration accepts only :mongoid2 or :mongoid3
1059
+ - Authorization endpoint does not redirect in #new action anymore. It wasn't specified by OAuth spec
1060
+ - TokensController now inherits from ActionController::Metal. There might be performance upgrades
1061
+ - Add link to authorization in Applications scaffold
1062
+ - [#116] MongoMapper support [@carols10cents](https://github.com/carols10cents)
1063
+ - [#122] Mongoid3 support [@petergoldstein](https://github.com/petergoldstein)
1064
+ - [#150] Introduce test redirect uri for applications
1065
+ - bugfixes
1066
+ - [#157] Response token status should be `:ok`, not `:success` [@theycallmeswift](https://github.com/theycallmeswift)
1067
+ - [#159] Remove ActionView::Base.field_error_proc override (fixes #145)
1068
+ - internals
1069
+ - Update development dependencies
1070
+ - Several refactorings
1071
+ - Rails/ORM are easily swichable with env vars (rails and orm)
1072
+ - Travis now tests against Mongoid v2
1073
+
1074
+ ## 0.5.0 - 2012-10-20
1075
+
1076
+ Official support for rubinius was removed.
1077
+
1078
+ - enhancements
1079
+ - Configure the way access token is retrieved from request (default to bearer header)
1080
+ - Authorization Code expiration time is now configurable
1081
+ - Add support for mongoid
1082
+ - [#78, #128, #137, #138] Application Ownership
1083
+ - [#92] Allow users to skip controllers
1084
+ - [#99] Remove deprecated warnings for data-\* attributes [@towerhe](https://github.com/towerhe)
1085
+ - [#101] Return existing access_token for PasswordAccessTokenRequest [@benoist](https://github.com/benoist)
1086
+ - [#104] Changed access token scopes example code to default_scopes and optional_scopes [@amkirwan](https://github.com/amkirwan)
1087
+ - [#107] Fix typos in initializer
1088
+ - [#123] i18n for validator, flash messages [@petergoldstein](https://github.com/petergoldstein)
1089
+ - [#140] ActiveRecord is the default value for the ORM [@petergoldstein](https://github.com/petergoldstein)
1090
+ - internals
1091
+ - [#112, #120] Replacing update_attribute with update_column to eliminate deprecation warnings [@rmoriz](https://github.com/rmoriz), [@petergoldstein](https://github.com/petergoldstein)
1092
+ - [#121] Updating all development dependencies to recent versions. [@petergoldstein](https://github.com/petergoldstein)
1093
+ - [#144] Adding MongoDB dependency to .travis.yml [@petergoldstein](https://github.com/petergoldstein)
1094
+ - [#143] Displays errors for unconfigured error messages [@timgaleckas](https://github.com/timgaleckas)
1095
+ - bugfixes
1096
+ - [#102] Not returning 401 when access token generation fails [@cslew](https://github.com/cslew)
1097
+ - [#125] Doorkeeper is using ActiveRecord version of as_json in ORM agnostic code [@petergoldstein](https://github.com/petergoldstein)
1098
+ - [#142] Prevent double submission of password based authentication [@bdurand](https://github.com/bdurand)
1099
+ - documentation
1100
+ - [#141] Add rack-cors middleware to readme [@gottfrois](https://github.com/gottfrois)
1101
+
1102
+ ## 0.4.2 - 2012-06-05
1103
+
1104
+ - bugfixes:
1105
+ - [#94] Uninitialized Constant in Password Flow
1106
+
1107
+ ## 0.4.1 - 2012-06-02
1108
+
1109
+ - enhancements:
1110
+ - Backport: Move doorkeeper_for extension to Filter helper
1111
+
1112
+ ## 0.4.0 - 2012-05-26
1113
+
1114
+ - deprecation
1115
+ - Deprecate authorization_scopes
1116
+ - database changes
1117
+ - AccessToken#resource_owner_id is not nullable
1118
+ - enhancements
1119
+ - [#83] Add Resource Owner Password Credentials flow [@jaimeiniesta](https://github.com/jaimeiniesta)
1120
+ - [#76] Allow token expiration to be disabled [@mattgreen](https://github.com/mattgreen)
1121
+ - [#89] Configure the way client credentials are retrieved from request
1122
+ - [#b6470a] Add Client Credentials flow
1123
+ - internals
1124
+ - [#2ece8d, #f93778] Introduce Client and ErrorResponse classes
1125
+
1126
+ ## 0.3.4 - 2012-05-24
1127
+
1128
+ - Fix attr_accessible for rails 3.2.x
1129
+
1130
+ ## 0.3.3 - 2012-05-07
1131
+
1132
+ - [#86] shrink gem package size
1133
+
1134
+ ## 0.3.2 - 2012-04-29
1135
+
1136
+ - enhancements
1137
+ - [#54] Ignore Authorization: headers that are not Bearer [@miyagawa](https://github.com/miyagawa)
1138
+ - [#58, #64] Add destroy action to applications endpoint [@jaimeiniesta](https://github.com/jaimeiniesta), [@davidfrey](https://github.com/davidfrey)
1139
+ - [#63] TokensController responds with `401 unauthorized` [@jaimeiniesta](https://github.com/jaimeiniesta)
1140
+ - [#67, #72] Fix for mass-assignment [@cicloid](https://github.com/cicloid)
1141
+ - internals
1142
+ - [#49] Add Gemnasium status image to README [@laserlemon](https://github.com/laserlemon)
1143
+ - [#50] Fix typos [@tomekw](https://github.com/tomekw)
1144
+ - [#51] Updated the factory_girl_rails dependency, fix expires_in response which returned a float number instead of integer [@antekpiechnik](https://github.com/antekpiechnik)
1145
+ - [#62] Typos, .gitignore [@jaimeiniesta](https://github.com/jaimeiniesta)
1146
+ - [#65] Change \_path redirections to \_url redirections [@jaimeiniesta](https://github.com/jaimeiniesta)
1147
+ - [#75] Fix unknown method #authenticate_admin! [@mattgreen](https://github.com/mattgreen)
1148
+ - Remove application link in authorized app view
1149
+
1150
+ ## 0.3.1 - 2012-02-17
1151
+
1152
+ - enhancements
1153
+ - [#48] Add if, else options to doorkeeper_for
1154
+ - Add views generator
1155
+ - internals
1156
+ - Namespace models
1157
+
1158
+ ## 0.3.0 - 2012-02-11
1159
+
1160
+ - enhancements
1161
+ - [#17, #31] Add support for client credentials in basic auth header [@GoldsteinTechPartners](https://github.com/GoldsteinTechPartners)
1162
+ - [#28] Add indices to migration [@GoldsteinTechPartners](https://github.com/GoldsteinTechPartners)
1163
+ - [#29] Allow doorkeeper to run with rails 3.2 [@john-griffin](https://github.com/john-griffin)
1164
+ - [#30] Improve client's redirect uri validation [@GoldsteinTechPartners](https://github.com/GoldsteinTechPartners)
1165
+ - [#32] Add token (implicit grant) flow [@GoldsteinTechPartners](https://github.com/GoldsteinTechPartners)
1166
+ - [#34] Add support for custom unathorized responses [@GoldsteinTechPartners](https://github.com/GoldsteinTechPartners)
1167
+ - [#36] Remove repetitions from the Authorised Applications view [@carvil](https://github.com/carvil)
1168
+ - When user revoke an application, all tokens for that application are revoked
1169
+ - Error messages now can be translated
1170
+ - Install generator copies the error messages localization file
1171
+ - internals
1172
+ - Fix deprecation warnings in ActiveSupport::Base64
1173
+ - Remove deprecation in doorkeeper_for that handles hash arguments
1174
+ - Depends on railties instead of whole rails framework
1175
+ - CI now integrates with rails 3.1 and 3.2
1176
+
1177
+ ## 0.2.0 - 2011-12-17
1178
+
1179
+ - enhancements
1180
+ - [#4] Add authorized applications endpoint
1181
+ - [#5, #11] Add access token scopes
1182
+ - [#10] Add access token expiration by default
1183
+ - [#9, #12] Add refresh token flow
1184
+ - internals
1185
+ - [#7] Improve configuration options with :default
1186
+ - Improve configuration options with :builder
1187
+ - Refactor config class
1188
+ - Improve coverage of authorization request integration
1189
+ - bug fixes
1190
+ - [#6, #20] Fix access token response headers
1191
+ - Fix issue with state parameter
1192
+ - deprecation
1193
+ - deprecate :only and :except options in doorkeeper_for
1194
+
1195
+ ## 0.1.1 - 2011-11-30
1196
+
1197
+ - enhancements
1198
+ - [#3] Authorization code must be short lived and single use
1199
+ - [#2] Improve views provided by doorkeeper
1200
+ - [#1] Skips authorization form if the client has been authorized by the resource owner
1201
+ - Improve readme
1202
+ - bugfixes
1203
+ - Fix issue when creating the access token (wrong client id)
1204
+
1205
+ ## 0.1.0 - 2011-11-25
1206
+
1207
+ - Authorization Code flow
1208
+ - OAuth applications endpoint