Add config to enforce content type #1076
Conversation
@@ -0,0 +1,48 @@ | |||
require "spec_helper_integration" |
Style/FrozenStringLiteralComment: Missing magic comment # frozen_string_literal: true.
Helpers::Controller | ||
].freeze | ||
|
||
MODULES.each do |mod| | ||
include mod | ||
end | ||
|
||
before_action :enforce_content_type, if: -> { Doorkeeper.configuration.enforce_content_type } |
Metrics/LineLength: Line is too long. [97/80]
Hi @nbulaj and @hallucinations, although this PR needs some more work, I think it is ready for someone else's review. Can you please take a look? A few comments on my decisions are:

Config API: I made the new config API. Since many people, including myself, are already running Doorkeeper in production, I thought about more options than simply turning it on/off. For example, an option to log/collect metrics on content type so systems admins can understand their traffic. However I ended up thinking: ok, let's just make it simple.

Testing: I had some tricky problems in writing tests to support both Rails 4 and 5. There are some HTTP method shims for Rails 5 and the shims are written as if no headers are passed to them. I ended up having some not-pretty test code like below.

```ruby
it '200 for the correct media type' do
  @request.headers['Content-Type'] = 'application/x-www-form-urlencoded'
  get :index, {}, as: :url_encoded_form
  expect(response).to have_http_status 200
end
```
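The option under discussion makes the token endpoint reject request bodies whose media type is not `application/x-www-form-urlencoded`, which is the format RFC 6749 prescribes for token requests. The following is an added example, not Doorkeeper's implementation and not code from this PR: it models the check as a plain Ruby function over a Rack-style `env` hash so the edge cases (a `charset` parameter, a missing header, a body-less GET, the flag turned off) can be exercised without a Rails app. The function names, the limitation to body-carrying methods, the 415 Unsupported Media Type status and the JSON error body are all assumptions.

```ruby
# Added example, not Doorkeeper's code: a stand-alone model of the
# "enforce content type" check discussed in this PR. Function names, the
# 415 status, the error body and BODY_METHODS are assumptions.

ALLOWED_MEDIA_TYPE = "application/x-www-form-urlencoded".freeze

# Methods that carry a request body; a GET (for instance to the
# authorization endpoint) has no body whose encoding could be wrong.
BODY_METHODS = %w[POST PUT PATCH].freeze

# Reduce a Content-Type header value to its media type: drop parameters
# such as "; charset=UTF-8" and normalise case. Both are legal, so a naive
# string equality against the allowed value would reject valid clients.
def media_type(content_type)
  return nil if content_type.nil? || content_type.strip.empty?
  content_type.split(";", 2).first.strip.downcase
end

# Returns nil when the request may proceed, or a Rack response triple
# [status, headers, body] that rejects it. `enabled` stands in for the
# configuration flag the PR adds.
def enforce_content_type(env, enabled: true)
  return nil unless enabled
  return nil unless BODY_METHODS.include?(env["REQUEST_METHOD"])
  return nil if media_type(env["CONTENT_TYPE"]) == ALLOWED_MEDIA_TYPE

  body = %({"error":"invalid_request","error_description":"Content-Type must be #{ALLOWED_MEDIA_TYPE}"})
  [415, { "Content-Type" => "application/json" }, [body]]
end

# Constructed sample requests (not captured traffic), one per edge case.
def sample_results
  form = "application/x-www-form-urlencoded"
  {
    form:     enforce_content_type({ "REQUEST_METHOD" => "POST", "CONTENT_TYPE" => form }),
    charset:  enforce_content_type({ "REQUEST_METHOD" => "POST", "CONTENT_TYPE" => "#{form}; charset=UTF-8" }),
    json:     enforce_content_type({ "REQUEST_METHOD" => "POST", "CONTENT_TYPE" => "application/json" }),
    missing:  enforce_content_type({ "REQUEST_METHOD" => "POST" }),
    get:      enforce_content_type({ "REQUEST_METHOD" => "GET" }),
    disabled: enforce_content_type({ "REQUEST_METHOD" => "POST", "CONTENT_TYPE" => "application/json" }, enabled: false),
  }
end

if __FILE__ == $PROGRAM_NAME
  sample_results.each { |name, result| puts "#{name}: #{result ? result[0] : 'allowed'}" }
end
```

The `charset` case is the one worth keeping in mind when wiring a check like this into a real controller: clients commonly send `application/x-www-form-urlencoded; charset=UTF-8`, so compare the parsed media type rather than the raw header string.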
This one is good 👍
I think every production system has some additional services/tools for log analysis (Grafana, ELK, NewRelic, etc). So they already have an ability to find useful info about content type in the requests. If not - well, they need to use it :)
So let's fix them to work with headers :) In this case tests will look good. We can do something like this (for Rails <= 5):

```ruby
module ControllerHTTPMethodShim
  def get(path, params = {}, headers = nil)
    # Set request headers for :controller specs
    if headers.present?
      headers.each { |key, value| request.headers[key.to_s] = value }
    end
    super(path, params: params)
  end
  # ...
end
```
Absolutely agree. Interesting thing: Hydra OAuth2 provider (Golang) supports both
@nbulaj Thanks for your review. I will try to make the test code nicer as well as the rest of the TODO items. And regarding Hydra, it's interesting that I found an issue that rejected a feature request to support JSON: ory/hydra#786. It might be the case that JSON is used for other endpoints that are not part of OAuth 2.0, but I'm just guessing here.
params: { | ||
doorkeeper_application: { | ||
name: 'Example', | ||
redirect_uri: 'https://example.com' } |
Layout/MultilineHashBraceLayout: Closing hash brace must be on the line after the last hash element when opening brace is on a separate line from the first hash element.
params: { | ||
doorkeeper_application: { | ||
name: 'Example', | ||
redirect_uri: 'https://example.com' } |
Layout/MultilineHashBraceLayout: Closing hash brace must be on the line after the last hash element when opening brace is on a separate line from the first hash element.
Hi @nbulaj I've added a couple commits to improve test code a bit. What I've done is basically I inverted Rails 4 -> 5 syntax conversion: b6c2227#diff-3b61ca35a7f47da3a2dbf21b5b9e3dd0 I think doing this is better for a few reasons:
I'm still to fix CI failures, but before I spend more time I'd love to hear your thoughts.
Hi @baxang. Totally agree: in future versions we will drop support of Rails 4.x, so it is reasonable to use actual syntax. Feel free to continue 👍
Test fails on all non-rails-5 versions and can't reproduce on local machine :-( Any advice would be appreciated. I will keep looking.
if as = args.delete(:as) | ||
@request.headers['Content-Type'] = Mime[as].to_s | ||
end | ||
super(action, http_method, args[:params], args[:session], args[:flash]) |
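Review bot: the shim handles `:as` but silently discards any `:headers` entry in `args`, so a Rails 5-style call `get :index, params: {...}, headers: {...}` loses its headers on Rails 4 without any error. Since the hunk already sets `@request.headers['Content-Type']` for the `:as` case, the same assignment can be applied to each pair from `args.delete(:headers)` before calling `super`. Also, `if as = args.delete(:as)` is an assignment inside a condition; hoisting `as = args.delete(:as)` to its own line (or wrapping it in parentheses) makes the intent explicit and keeps the linter quiet.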
What about headers?
This is calling Rails 4's and in Rails 4 adding headers is not supported.
I cloned your repo and executed rspec from the
Thanks for your effort and you're right 😕 that's what I'm experiencing too. What even further confuses me is CI errors. Based on the CI error log (from Ruby 2.4/Rails 4.2 https://travis-ci.org/doorkeeper-gem/doorkeeper/jobs/367131874 ) the first error reported is which is
And the line is https://github.com/baxang/doorkeeper/blob/1067-enforce-strict-content-type/spec/controllers/authorizations_controller_spec.rb#L207 which does not look related to the failed spec I have in the log. I'll keep digging
Any news here?
@@ -25,6 +25,11 @@ | |||
# | |||
# api_only | |||
|
|||
# Enforce token request content type strictly to application/x-www-form-urlencoded. |
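Review bot: besides the line-length warning, the new documentation comment does not say that the option is off unless enabled, nor how to turn it on; the surrounding lines use the `# api_only` style of a commented-out setting, so wrapping the sentence at 80 columns and following it with a commented-out `# enforce_content_type` line would match the existing initializer template and make the opt-in nature visible.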
Metrics/LineLength: Line is too long. [85/80]
I could finally reproduce the errors with upstream master merged into my branch, which still does not explain failures on CI though. Maybe there's something that I don't know about how Travis CI runs tests. Anyway, the errors were caused by a couple of specs recently added to the master branch which obviously used Rails 4
Let me know if you want me to squash commits
Yes, could you please squash them? I think everything is ready to be merged
No problem - I've squashed and pushed. Just waiting for Travis to turn green 💚 Thanks for your guidance. Can't wait to see 5.0 out!
Thank you @baxang for your work and patience! 👍
Nevermind, fixed :)
Summary
Fixes #1067
TODOs: