Skip to content

Commit

Permalink
Merge pull request #1119 from f3ndot/use-confidential
Browse files Browse the repository at this point in the history
Use Application#confidential? to determine revocation auth eligibility
  • Loading branch information
nbulaj authored Jul 10, 2018
2 parents 5ee46e3 + 8e8b9a0 commit 66d8e18
Show file tree
Hide file tree
Showing 3 changed files with 69 additions and 17 deletions.
1 change: 1 addition & 0 deletions NEWS.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ User-visible changes worth mentioning.
- [#1116] `AccessGrant`s will now be revoked along with `AccessToken`s when
hitting the `AuthorizedApplicationController#destroy` route.
- [#1114] Make token info endpoint's attributes consistent with token creation
- [#1119] Fix token revocation for OAuth apps using "implicit" grant flow

## 5.0.0.rc1

Expand Down
19 changes: 9 additions & 10 deletions app/controllers/doorkeeper/tokens_controller.rb
Original file line number Diff line number Diff line change
Expand Up @@ -56,16 +56,15 @@ def introspect
# https://tools.ietf.org/html/rfc6749#section-2.1
# https://tools.ietf.org/html/rfc7009
def authorized?
if token.present?
# Client is confidential, therefore client authentication & authorization
# is required
if token.application_id?
# We authorize client by checking token's application
server.client && server.client.application == token.application
else
# Client is public, authentication unnecessary
true
end
return unless token.present?
# Client is confidential, therefore client authentication & authorization
# is required
if token.application_id? && token.application.confidential?
# We authorize client by checking token's application
server.client && server.client.application == token.application
else
# Client is public, authentication unnecessary
true
end
end

Expand Down
66 changes: 59 additions & 7 deletions spec/controllers/tokens_controller_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -56,15 +56,67 @@
end
end

describe 'when revoke authorization has failed' do
# http://tools.ietf.org/html/rfc7009#section-2.2
it 'returns no error response' do
token = double(:token, authorize: false, application_id?: true)
allow(controller).to receive(:token) { token }
# http://tools.ietf.org/html/rfc7009#section-2.2
describe 'revoking tokens' do
let(:client) { FactoryBot.create(:application) }
let(:access_token) { FactoryBot.create(:access_token, application: client) }

before(:each) do
allow(controller).to receive(:token) { access_token }
end

context 'when associated app is public' do
let(:client) { FactoryBot.create(:application, confidential: false) }

it 'returns 200' do
post :revoke

expect(response.status).to eq 200
end

it 'revokes the access token' do
post :revoke

expect(access_token.reload).to have_attributes(revoked?: true)
end
end

context 'when associated app is confidential' do
let(:client) { FactoryBot.create(:application, confidential: true) }
let(:oauth_client) { Doorkeeper::OAuth::Client.new(client) }

post :revoke
before(:each) do
allow_any_instance_of(Doorkeeper::Server).to receive(:client) { oauth_client }
end

it 'returns 200' do
post :revoke

expect(response.status).to eq 200
end

it 'revokes the access token' do
post :revoke

expect(access_token.reload).to have_attributes(revoked?: true)
end

context 'when authorization fails' do
let(:some_other_client) { FactoryBot.create(:application, confidential: true) }
let(:oauth_client) { Doorkeeper::OAuth::Client.new(some_other_client) }

it 'returns 200' do
post :revoke

expect(response.status).to eq 200
expect(response.status).to eq 200
end

it 'does not revoke the access token' do
post :revoke

expect(access_token.reload).to have_attributes(revoked?: false)
end
end
end
end

Expand Down

0 comments on commit 66d8e18

Please sign in to comment.