From d6069f1feae21aba6f041c524ef4ae197b58eae8 Mon Sep 17 00:00:00 2001 From: Sanghyun Park Date: Sun, 8 Apr 2018 18:30:35 +1000 Subject: [PATCH] Add config to enforce content type to application/x-www-form-urlencoded. (Fixes #1067) --- NEWS.md | 1 + .../application_metal_controller.rb | 4 ++ lib/doorkeeper/config.rb | 7 +++ lib/doorkeeper/helpers/controller.rb | 5 ++ .../doorkeeper/templates/initializer.rb | 5 ++ .../application_metal_controller.rb | 10 ---- .../application_metal_controller_spec.rb | 50 +++++++++++++++++++ .../applications_controller_spec.rb | 43 ++++++++++------ .../authorizations_controller_spec.rb | 28 +++++------ .../protected_resources_controller_spec.rb | 28 +++++------ .../controllers/token_info_controller_spec.rb | 4 +- spec/controllers/tokens_controller_spec.rb | 18 +++---- spec/lib/config_spec.rb | 15 ++++++ spec/requests/endpoints/token_spec.rb | 10 ++-- .../requests/flows/client_credentials_spec.rb | 14 +++--- spec/requests/flows/implicit_grant_spec.rb | 24 +++++---- spec/requests/flows/revoke_token_spec.rb | 20 ++++---- spec/support/http_method_shim.rb | 29 +++++------ 18 files changed, 204 insertions(+), 111 deletions(-) delete mode 100644 spec/controllers/application_metal_controller.rb create mode 100644 spec/controllers/application_metal_controller_spec.rb diff --git a/NEWS.md b/NEWS.md index ddd03cd0a..7df08d845 100644 --- a/NEWS.md +++ b/NEWS.md @@ -31,6 +31,7 @@ User-visible changes worth mentioning. customized Token Info route). - [#1086, #1088] Fix bug with receiving default scopes in the token even if they are not present in the application scopes (use scopes intersection). +- [#1076] Add config to enforce content type to application/x-www-form-urlencoded ## 4.3.2 diff --git a/app/controllers/doorkeeper/application_metal_controller.rb b/app/controllers/doorkeeper/application_metal_controller.rb index 9f84e79bb..dac3e0d05 100644 --- a/app/controllers/doorkeeper/application_metal_controller.rb 
+++ b/app/controllers/doorkeeper/application_metal_controller.rb @@ -5,6 +5,7 @@ class ApplicationMetalController < ActionController::Metal AbstractController::Rendering, ActionController::Rendering, ActionController::Renderers::All, + AbstractController::Callbacks, Helpers::Controller ].freeze @@ -12,6 +13,9 @@ class ApplicationMetalController < ActionController::Metal include mod end + before_action :enforce_content_type, + if: -> { Doorkeeper.configuration.enforce_content_type } + ActiveSupport.run_load_hooks(:doorkeeper_metal_controller, self) end end diff --git a/lib/doorkeeper/config.rb b/lib/doorkeeper/config.rb index 5c1f4eb97..472698135 100644 --- a/lib/doorkeeper/config.rb +++ b/lib/doorkeeper/config.rb @@ -139,6 +139,12 @@ def api_only def enforce_configured_scopes @config.instance_variable_set(:@enforce_configured_scopes, true) end + + # Enforce request content type as the spec requires: + # disabled by default for backward compatibility. + def enforce_content_type + @config.instance_variable_set(:@enforce_content_type, true) + end end module Option @@ -284,6 +290,7 @@ def option(name, options = {}) attr_reader :reuse_access_token attr_reader :api_only + attr_reader :enforce_content_type def refresh_token_enabled? defined?(@refresh_token_enabled) && @refresh_token_enabled diff --git a/lib/doorkeeper/helpers/controller.rb b/lib/doorkeeper/helpers/controller.rb index 38b8957af..ea3449529 100644 --- a/lib/doorkeeper/helpers/controller.rb +++ b/lib/doorkeeper/helpers/controller.rb @@ -51,6 +51,11 @@ def handle_token_exception(exception) def skip_authorization? !!instance_exec([@server.current_resource_owner, @pre_auth.client], &Doorkeeper.configuration.skip_authorization) end + + def enforce_content_type + return if request.content_type == 'application/x-www-form-urlencoded' + render json: {}, status: :unsupported_media_type + end end end end 
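Review bot: The `before_action :enforce_content_type` on ApplicationMetalController is gated only on the configuration flag, so once enabled it also runs for requests that legitimately carry no body and therefore no Content-Type header, such as a plain GET with a Bearer token to any endpoint served from this base controller; those would receive a 415 instead of their normal response. The form-encoding requirement in RFC 6749 applies to the token endpoint's POST requests, so `if: -> { Doorkeeper.configuration.enforce_content_type && request.post? }` (or declaring the filter in the token-serving controllers with `only:`) keeps the check where the specification asks for it. Which controllers inherit this base class, and whether any of them accept GET, cannot be confirmed from the hunk. The class body continues outside the hunk.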
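Review bot: `enforce_content_type` in lib/doorkeeper/helpers/controller.rb does an exact string comparison on `request.content_type`, so its outcome depends on the framework stripping parameters such as `; charset=UTF-8` and normalising case; as far as I know that behaviour differs across Rails releases (newer versions return the raw header and expose the parameter-free value as `request.media_type`), so comparing `request.content_mime_type` against `Mime[:url_encoded_form]`, or using `request.media_type`, would be more stable across the Rails 4 and 5 range the spec shim targets. The 415 is rendered with `json: {}`, an empty object, whereas token endpoint clients parse the RFC 6749 error shape; `render json: { error: 'invalid_request', error_description: 'Content-Type must be application/x-www-form-urlencoded' }, status: :unsupported_media_type` gives them something actionable. A one-line comment above the method, `# RFC 6749 §3.2: token endpoint requests are application/x-www-form-urlencoded`, would record why the check exists, which the config.rb comment only alludes to as "the spec". The enclosing Helpers::Controller module closes in the hunk's tail.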
diff --git a/lib/generators/doorkeeper/templates/initializer.rb b/lib/generators/doorkeeper/templates/initializer.rb index 480e7a385..0d4521586 100644 --- a/lib/generators/doorkeeper/templates/initializer.rb +++ b/lib/generators/doorkeeper/templates/initializer.rb @@ -25,6 +25,11 @@ # # api_only + # Enforce token request content type to application/x-www-form-urlencoded. + # It is not enabled by default to not break prior versions of the gem. + # + # enforce_content_type + # Authorization Code expiration time (default 10 minutes). # # authorization_code_expires_in 10.minutes diff --git a/spec/controllers/application_metal_controller.rb b/spec/controllers/application_metal_controller.rb deleted file mode 100644 index 7403f5a86..000000000 --- a/spec/controllers/application_metal_controller.rb +++ /dev/null @@ -1,10 +0,0 @@ -require "spec_helper_integration" - -describe Doorkeeper::ApplicationMetalController do - it "lazy run hooks" do - i = 0 - ActiveSupport.on_load(:doorkeeper_metal_controller) { i += 1 } - - expect(i).to eq 1 - end -end diff --git a/spec/controllers/application_metal_controller_spec.rb b/spec/controllers/application_metal_controller_spec.rb new file mode 100644 index 000000000..41681c3b0 --- /dev/null +++ b/spec/controllers/application_metal_controller_spec.rb 
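Review bot: The template comment's second sentence, `# It is not enabled by default to not break prior versions of the gem.`, reads awkwardly and attributes the default to gem versions rather than to the clients that would break; `# Disabled by default so that existing clients sending other content types keep working.` states the actual compatibility concern. The first line also says "token request", while the filter as added lives on the shared metal base controller; if it is meant to cover every endpoint served from that controller the comment should say so, and if not, the comment is a reminder to scope the filter. The enclosing configuration block runs past both ends of the hunk.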
@@ -0,0 +1,50 @@ +# frozen_string_literal: true + +require 'spec_helper_integration' + +describe Doorkeeper::ApplicationMetalController do + controller(Doorkeeper::ApplicationMetalController) do + def index + render json: {}, status: 200 + end + end + + it "lazy run hooks" do + i = 0 + ActiveSupport.on_load(:doorkeeper_metal_controller) { i += 1 } + + expect(i).to eq 1 + end + + describe 'enforce_content_type' do + before { allow(Doorkeeper.configuration).to receive(:enforce_content_type).and_return(flag) } + + context 'enabled' do + let(:flag) { true } + + it '200 for the correct media type' do + get :index, params: {}, as: :url_encoded_form + expect(response).to have_http_status 200 + end + + it 'returns a 415 for an incorrect media type' do + get :index, as: :json + expect(response).to have_http_status 415 + end + end + + context 'disabled' do + let(:flag) { false } + + it 'returns a 200 for the correct media type' do + get :index, as: :url_encoded_form + expect(response).to have_http_status 200 + end + + it 'returns a 200 for an incorrect media type' do + get :index, as: :json + expect(response).to have_http_status 200 + end + end + end +end diff --git a/spec/controllers/applications_controller_spec.rb b/spec/controllers/applications_controller_spec.rb index 4625ffdcd..e4d9b4eec 100644 --- a/spec/controllers/applications_controller_spec.rb +++ b/spec/controllers/applications_controller_spec.rb @@ -16,9 +16,13 @@ module Doorkeeper it 'does not create application' do expect do - post :create, doorkeeper_application: { - name: 'Example', - redirect_uri: 'https://example.com' } + post :create, + params: { + doorkeeper_application: { + name: 'Example', + redirect_uri: 'https://example.com' + } + } end.not_to change { Doorkeeper::Application.count } end end 
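Review bot: The 'enabled' context in the new spec exercises a form-encoded request and a JSON request but never a request with no Content-Type header at all, which is the normal shape of a GET and the case where a 415 from the new filter is least expected; an example such as `it 'returns a 415 when no media type is sent' do get :index; expect(response).to have_http_status 415 end` (or asserting 200, if bodiless requests are meant to pass) pins that contract either way. The example titles are also inconsistent — '200 for the correct media type' sits next to 'returns a 200 for the correct media type' — and that first example passes `params: {}` while its siblings omit it.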
@@ -43,9 +47,13 @@ module Doorkeeper it 'creates application' do expect do - post :create, doorkeeper_application: { - name: 'Example', - redirect_uri: 'https://example.com' } + post :create, + params: { + doorkeeper_application: { + name: 'Example', + redirect_uri: 'https://example.com' + } + } end.to change { Doorkeeper::Application.count }.by(1) expect(response).to be_redirect @@ -53,20 +61,27 @@ module Doorkeeper it 'does not allow mass assignment of uid or secret' do application = FactoryBot.create(:application) - put :update, id: application.id, doorkeeper_application: { - uid: '1A2B3C4D', - secret: '1A2B3C4D' - } + put :update, + params: { + id: application.id, + doorkeeper_application: { + uid: '1A2B3C4D', + secret: '1A2B3C4D' + } + } expect(application.reload.uid).not_to eq '1A2B3C4D' end it 'updates application' do application = FactoryBot.create(:application) - put :update, id: application.id, doorkeeper_application: { - name: 'Example', - redirect_uri: 'https://example.com' - } + put :update, + params: { + id: application.id, doorkeeper_application: { + name: 'Example', + redirect_uri: 'https://example.com' + } + } expect(application.reload.name).to eq 'Example' end diff --git a/spec/controllers/authorizations_controller_spec.rb b/spec/controllers/authorizations_controller_spec.rb index 035d869af..dfe0b4877 100644 --- a/spec/controllers/authorizations_controller_spec.rb +++ b/spec/controllers/authorizations_controller_spec.rb @@ -41,7 +41,7 @@ def translated_error_message(key) describe 'POST #create' do before do - post :create, client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri + post :create, params: { client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri } end it 'redirects after authorization' do 
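Review bot: In the 'updates application' example the rewritten call puts `id: application.id, doorkeeper_application: {` on one line, while the 'does not allow mass assignment' example just above gives each key its own line; formatting the two identically (`id: application.id,` then `doorkeeper_application: {` on the next line) keeps the spec uniform and future diffs smaller. Both hunks are otherwise mechanical `params:` keyword migrations with no functional change. The enclosing describe blocks extend beyond the hunk.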
@@ -76,7 +76,7 @@ def translated_error_message(key) describe "POST #create in API mode" do before do allow(Doorkeeper.configuration).to receive(:api_only).and_return(true) - post :create, client_id: client.uid, response_type: "token", redirect_uri: client.redirect_uri + post :create, params: { client_id: client.uid, response_type: "token", redirect_uri: client.redirect_uri } end let(:response_json_body) { JSON.parse(response.body) } @@ -114,7 +114,7 @@ def translated_error_message(key) describe 'POST #create with errors' do before do default_scopes_exist :public - post :create, client_id: client.uid, response_type: 'token', scope: 'invalid', redirect_uri: client.redirect_uri + post :create, params: { client_id: client.uid, response_type: 'token', scope: 'invalid', redirect_uri: client.redirect_uri } end it 'redirects after authorization' do @@ -146,7 +146,7 @@ def translated_error_message(key) before do allow(Doorkeeper.configuration).to receive(:api_only).and_return(true) default_scopes_exist :public - post :create, client_id: client.uid, response_type: 'token', scope: 'invalid', redirect_uri: client.redirect_uri + post :create, params: { client_id: client.uid, response_type: 'token', scope: 'invalid', redirect_uri: client.redirect_uri } end let(:response_json_body) { JSON.parse(response.body) } @@ -182,7 +182,7 @@ def translated_error_message(key) allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true) access_token.save! - post :create, client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri + post :create, params: { client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri } end it 'returns the existing access token in a fragment' do 
@@ -201,7 +201,7 @@ def translated_error_message(key) describe 'when successful' do after do - post :create, client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri + post :create, params: { client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri } end it 'should call :before_successful_authorization callback' do @@ -215,7 +215,7 @@ def translated_error_message(key) describe 'with errors' do after do - post :create, client_id: client.uid, response_type: 'token', redirect_uri: 'bad_uri' + post :create, params: { client_id: client.uid, response_type: 'token', redirect_uri: 'bad_uri' } end it 'should not call :before_successful_authorization callback' do @@ -234,7 +234,7 @@ def translated_error_message(key) true end) client.update_attribute :redirect_uri, 'urn:ietf:wg:oauth:2.0:oob' - get :new, client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri + get :new, params: { client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri } end it 'should redirect immediately' do @@ -258,7 +258,7 @@ def translated_error_message(key) true end) client.update_attribute :redirect_uri, 'urn:ietf:wg:oauth:2.0:oob' - get :new, client_id: client.uid, response_type: 'code', redirect_uri: client.redirect_uri + get :new, params: { client_id: client.uid, response_type: 'code', redirect_uri: client.redirect_uri } end it 'should redirect immediately' do @@ -280,7 +280,7 @@ def translated_error_message(key) allow(Doorkeeper.configuration).to receive(:skip_authorization).and_return(proc do true end) - get :new, client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri + get :new, params: { client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri } end it 'should redirect immediately' do 
@@ -312,7 +312,7 @@ def translated_error_message(key) describe 'GET #new in API mode' do before do allow(Doorkeeper.configuration).to receive(:api_only).and_return(true) - get :new, client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri + get :new, params: { client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri } end it 'should render success' do @@ -337,7 +337,7 @@ def translated_error_message(key) allow(Doorkeeper.configuration).to receive(:skip_authorization).and_return(proc { true }) allow(Doorkeeper.configuration).to receive(:api_only).and_return(true) - get :new, client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri + get :new, params: { client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri } end it 'should render success' do @@ -374,7 +374,7 @@ def translated_error_message(key) describe 'GET #new with errors' do before do default_scopes_exist :public - get :new, an_invalid: 'request' + get :new, params: { an_invalid: 'request' } end it 'does not redirect' do @@ -390,7 +390,7 @@ def translated_error_message(key) describe 'GET #new with callbacks' do after do client.update_attribute :redirect_uri, 'urn:ietf:wg:oauth:2.0:oob' - get :new, client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri + get :new, params: { client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri } end describe 'when authorizing' do diff --git a/spec/controllers/protected_resources_controller_spec.rb b/spec/controllers/protected_resources_controller_spec.rb index 9c9cc34d9..f5a75b108 100644 --- a/spec/controllers/protected_resources_controller_spec.rb +++ b/spec/controllers/protected_resources_controller_spec.rb 
@@ -33,12 +33,12 @@ def index it 'access_token param' do expect(Doorkeeper::AccessToken).to receive(:by_token).with(token_string).and_return(token) - get :index, access_token: token_string + get :index, params: { access_token: token_string } end it 'bearer_token param' do expect(Doorkeeper::AccessToken).to receive(:by_token).with(token_string).and_return(token) - get :index, bearer_token: token_string + get :index, params: { bearer_token: token_string } end it 'Authorization header' do @@ -71,25 +71,25 @@ def index context 'with valid token', token: :valid do it 'allows into index action' do - get :index, access_token: token_string + get :index, params: { access_token: token_string } expect(response).to be_successful end it 'allows into show action' do - get :show, id: '4', access_token: token_string + get :show, params: { id: '4', access_token: token_string } expect(response).to be_successful end end context 'with invalid token', token: :invalid do it 'does not allow into index action' do - get :index, access_token: token_string + get :index, params: { access_token: token_string } expect(response.status).to eq 401 expect(response.header['WWW-Authenticate']).to match(/^Bearer/) end it 'does not allow into show action' do - get :show, id: '4', access_token: token_string + get :show, params: { id: '4', access_token: token_string } expect(response.status).to eq 401 expect(response.header['WWW-Authenticate']).to match(/^Bearer/) end @@ -115,7 +115,7 @@ def index Doorkeeper::AccessToken ).to receive(:by_token).with(token_string).and_return(token) - get :index, access_token: token_string + get :index, params: { access_token: token_string } expect(response).to be_successful end 
@@ -129,7 +129,7 @@ def index ).to receive(:by_token).with(token_string).and_return(token) expect(token).to receive(:acceptable?).with([:write]).and_return(false) - get :index, access_token: token_string + get :index, params: { access_token: token_string } expect(response.status).to eq 403 expect(response.header).to_not include('WWW-Authenticate') end @@ -163,7 +163,7 @@ def doorkeeper_unauthorized_render_options(error: nil) end it 'it renders a custom JSON response', token: :invalid do - get :index, access_token: token_string + get :index, params: { access_token: token_string } expect(response.status).to eq 401 expect(response.content_type).to eq('application/json') expect(response.header['WWW-Authenticate']).to match(/^Bearer/) @@ -193,7 +193,7 @@ def doorkeeper_unauthorized_render_options(error: nil); end end it 'it renders a custom text response', token: :invalid do - get :index, access_token: token_string + get :index, params: { access_token: token_string } expect(response.status).to eq 401 expect(response.content_type).to eq('text/plain') expect(response.header['WWW-Authenticate']).to match(/^Bearer/) @@ -243,7 +243,7 @@ def doorkeeper_forbidden_render_options(*) end it 'renders a custom JSON response' do - get :index, access_token: token_string + get :index, params: { access_token: token_string } expect(response.header).to_not include('WWW-Authenticate') expect(response.content_type).to eq('application/json') expect(response.status).to eq 403 @@ -265,7 +265,7 @@ def doorkeeper_forbidden_render_options(*) end it 'overrides the default status code' do - get :index, access_token: token_string + get :index, params: { access_token: token_string } expect(response.status).to eq 404 end end 
@@ -282,7 +282,7 @@ def doorkeeper_forbidden_render_options(*) end it 'renders a custom status code and text response' do - get :index, access_token: token_string + get :index, params: { access_token: token_string } expect(response.header).to_not include('WWW-Authenticate') expect(response.status).to eq 403 expect(response.body).to eq('Forbidden') @@ -301,7 +301,7 @@ def doorkeeper_forbidden_render_options(*) end it 'overrides the default status code' do - get :index, access_token: token_string + get :index, params: { access_token: token_string } expect(response.status).to eq 404 end end diff --git a/spec/controllers/token_info_controller_spec.rb b/spec/controllers/token_info_controller_spec.rb index 6842426b8..9656b1e1f 100644 --- a/spec/controllers/token_info_controller_spec.rb +++ b/spec/controllers/token_info_controller_spec.rb @@ -6,13 +6,13 @@ describe 'successful request' do it 'responds with token info' do - get :show, access_token: doorkeeper_token.token + get :show, params: { access_token: doorkeeper_token.token } expect(response.body).to eq(doorkeeper_token.to_json) end it 'responds with a 200 status' do - get :show, access_token: doorkeeper_token.token + get :show, params: { access_token: doorkeeper_token.token } expect(response.status).to eq 200 end diff --git a/spec/controllers/tokens_controller_spec.rb b/spec/controllers/tokens_controller_spec.rb index ebaa672c5..6b554b128 100644 --- a/spec/controllers/tokens_controller_spec.rb +++ b/spec/controllers/tokens_controller_spec.rb @@ -90,7 +90,7 @@ it 'responds with full token introspection' do request.headers['Authorization'] = "Bearer #{access_token.token}" - post :introspect, token: access_token.token + post :introspect, params: { token: access_token.token } should_have_json 'active', true expect(json_response).to include('client_id', 'token_type', 'exp', 'iat') 
@@ -104,7 +104,7 @@ it 'responds with full token introspection' do request.headers['Authorization'] = basic_auth_header_for_client(client) - post :introspect, token: access_token.token + post :introspect, params: { token: access_token.token } should_have_json 'active', true expect(json_response).to include('client_id', 'token_type', 'exp', 'iat') @@ -119,7 +119,7 @@ it 'responds with full token introspection' do request.headers['Authorization'] = basic_auth_header_for_client(client) - post :introspect, token: access_token.token + post :introspect, params: { token: access_token.token } should_have_json 'active', true expect(json_response).to include('client_id', 'token_type', 'exp', 'iat') @@ -135,7 +135,7 @@ it 'responds with only active state' do request.headers['Authorization'] = basic_auth_header_for_client(different_client) - post :introspect, token: access_token.token + post :introspect, params: { token: access_token.token } expect(response).to be_successful @@ -151,7 +151,7 @@ it 'responds with invalid_client error' do request.headers['Authorization'] = basic_auth_header_for_client(client) - post :introspect, token: access_token.token + post :introspect, params: { token: access_token.token } expect(response).not_to be_successful response_status_should_be 401 @@ -168,7 +168,7 @@ it 'responds with only active state' do request.headers['Authorization'] = basic_auth_header_for_client(client) - post :introspect, token: SecureRandom.hex(16) + post :introspect, params: { token: SecureRandom.hex(16) } should_have_json 'active', false expect(json_response).not_to include('client_id', 'token_type', 'exp', 'iat') @@ -182,7 +182,7 @@ it 'responds with only active state' do request.headers['Authorization'] = basic_auth_header_for_client(client) - post :introspect, token: access_token.token + post :introspect, params: { token: access_token.token } should_have_json 'active', false expect(json_response).not_to include('client_id', 'token_type', 'exp', 'iat') 
@@ -196,7 +196,7 @@ it 'responds with only active state' do request.headers['Authorization'] = basic_auth_header_for_client(client) - post :introspect, token: access_token.token + post :introspect, params: { token: access_token.token } should_have_json 'active', false expect(json_response).not_to include('client_id', 'token_type', 'exp', 'iat') @@ -207,7 +207,7 @@ let(:access_token) { FactoryBot.create(:access_token) } it 'responds with invalid_request error' do - post :introspect, token: access_token.token + post :introspect, params: { token: access_token.token } expect(response).not_to be_successful response_status_should_be 401 diff --git a/spec/lib/config_spec.rb b/spec/lib/config_spec.rb index bca957a77..99b13d601 100644 --- a/spec/lib/config_spec.rb +++ b/spec/lib/config_spec.rb @@ -479,4 +479,19 @@ expect(subject.api_only).to be_truthy end end + + describe 'strict_content_type' do + it 'is false by default' do + expect(subject.enforce_content_type).to be_falsey + end + + it "can change the value" do + Doorkeeper.configure do + orm DOORKEEPER_ORM + enforce_content_type + end + + expect(subject.enforce_content_type).to be_truthy + end + end end diff --git a/spec/requests/endpoints/token_spec.rb b/spec/requests/endpoints/token_spec.rb index 245c1fe9a..c8871fe2c 100644 --- a/spec/requests/endpoints/token_spec.rb +++ b/spec/requests/endpoints/token_spec.rb @@ -21,10 +21,12 @@ end it 'accepts client credentials with basic auth header' do - post token_endpoint_url( - code: @authorization.token, - redirect_uri: @client.redirect_uri - ), {}, 'HTTP_AUTHORIZATION' => basic_auth_header_for_client(@client) + post token_endpoint_url, + params: { + code: @authorization.token, + redirect_uri: @client.redirect_uri + }, + headers: { 'HTTP_AUTHORIZATION' => basic_auth_header_for_client(@client) } should_have_json 'access_token', Doorkeeper::AccessToken.first.token end 
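Review bot: In spec/lib/config_spec.rb the new group is titled `describe 'strict_content_type'` but every example inside exercises `enforce_content_type`, the name used in lib/doorkeeper/config.rb; renaming it to `describe 'enforce_content_type'` keeps the spec output searchable by the real option name. The second example calls `Doorkeeper.configure` and so rewrites the global configuration; whether a surrounding hook restores it cannot be seen from the hunk, so it is worth confirming that later examples do not inherit the enabled flag. The top-level describe block closes inside the hunk.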
diff --git a/spec/requests/flows/client_credentials_spec.rb b/spec/requests/flows/client_credentials_spec.rb index 76b89b46c..4501681ed 100644 --- a/spec/requests/flows/client_credentials_spec.rb +++ b/spec/requests/flows/client_credentials_spec.rb @@ -8,7 +8,7 @@ headers = authorization client.uid, client.secret params = { grant_type: 'client_credentials' } - post '/oauth/token', params, headers + post '/oauth/token', params: params, headers: headers should_have_json 'access_token', Doorkeeper::AccessToken.first.token should_have_json_within 'expires_in', Doorkeeper.configuration.access_token_expires_in, 1 @@ -29,7 +29,7 @@ headers = authorization client.uid, client.secret params = { grant_type: 'client_credentials', scope: 'write' } - post '/oauth/token', params, headers + post '/oauth/token', params: params, headers: headers should_have_json 'access_token', Doorkeeper::AccessToken.first.token should_have_json 'scope', 'write' @@ -40,7 +40,7 @@ headers = authorization client.uid, client.secret params = { grant_type: 'client_credentials', scope: 'public' } - post '/oauth/token', params, headers + post '/oauth/token', params: params, headers: headers should_have_json 'access_token', Doorkeeper::AccessToken.first.token should_have_json 'scope', 'public' @@ -52,7 +52,7 @@ headers = authorization client.uid, client.secret params = { grant_type: 'client_credentials', scope: 'random' } - post '/oauth/token', params, headers + post '/oauth/token', params: params, headers: headers should_have_json 'error', 'invalid_scope' should_have_json 'error_description', translated_error_message(:invalid_scope) @@ -76,7 +76,7 @@ params = { grant_type: 'client_credentials' } expect do - post '/oauth/token', params, headers + post '/oauth/token', params: params, headers: headers end.to change { Doorkeeper::AccessToken.count }.by(1) token = Doorkeeper::AccessToken.first 
@@ -93,7 +93,7 @@ params = { grant_type: 'client_credentials' } expect do - post '/oauth/token', params, headers + post '/oauth/token', params: params, headers: headers end.to change { Doorkeeper::AccessToken.count }.by(1) token = Doorkeeper::AccessToken.first @@ -109,7 +109,7 @@ headers = {} params = { grant_type: 'client_credentials' } - post '/oauth/token', params, headers + post '/oauth/token', params: params, headers: headers should_have_json 'error', 'invalid_client' should_have_json 'error_description', translated_error_message(:invalid_client) diff --git a/spec/requests/flows/implicit_grant_spec.rb b/spec/requests/flows/implicit_grant_spec.rb index 93f5f074c..b504b1203 100644 --- a/spec/requests/flows/implicit_grant_spec.rb +++ b/spec/requests/flows/implicit_grant_spec.rb @@ -55,11 +55,13 @@ token = client_is_authorized(@client, @resource_owner) post "/oauth/authorize", - client_id: @client.uid, - state: '', - redirect_uri: @client.redirect_uri, - response_type: 'token', - commit: 'Authorize' + params: { + client_id: @client.uid, + state: '', + redirect_uri: @client.redirect_uri, + response_type: 'token', + commit: 'Authorize' + } expect(response.location).not_to include(token.token) end @@ -70,11 +72,13 @@ token = client_is_authorized(@client, @resource_owner) post "/oauth/authorize", - client_id: @client.uid, - state: '', - redirect_uri: @client.redirect_uri, - response_type: 'token', - commit: 'Authorize' + params: { + client_id: @client.uid, + state: '', + redirect_uri: @client.redirect_uri, + response_type: 'token', + commit: 'Authorize' + } expect(response.location).to include(token.token) end diff --git a/spec/requests/flows/revoke_token_spec.rb b/spec/requests/flows/revoke_token_spec.rb index 451d5b0b2..2434ccc3d 100644 --- a/spec/requests/flows/revoke_token_spec.rb +++ b/spec/requests/flows/revoke_token_spec.rb 
@@ -24,7 +24,7 @@ end it 'should revoke the access token provided' do - post revocation_token_endpoint_url, { token: access_token.token }, headers + post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers access_token.reload @@ -33,7 +33,7 @@ end it 'should revoke the refresh token provided' do - post revocation_token_endpoint_url, { token: access_token.refresh_token }, headers + post revocation_token_endpoint_url, params: { token: access_token.refresh_token }, headers: headers access_token.reload @@ -44,7 +44,7 @@ context 'with invalid token to revoke' do it 'should not revoke any tokens and respond successfully' do num_prev_revoked_tokens = Doorkeeper::AccessToken.where(revoked_at: nil).count - post revocation_token_endpoint_url, { token: 'I_AM_AN_INVALID_TOKEN' }, headers + post revocation_token_endpoint_url, params: { token: 'I_AM_AN_INVALID_TOKEN' }, headers: headers # The authorization server responds with HTTP status code 200 even if # token is invalid @@ -60,7 +60,7 @@ { 'HTTP_AUTHORIZATION' => "Basic #{credentials}" } end it 'should not revoke any tokens and respond successfully' do - post revocation_token_endpoint_url, { token: access_token.token }, headers + post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers access_token.reload @@ -71,7 +71,7 @@ context 'with no credentials and a valid token' do it 'should not revoke any tokens and respond successfully' do - post revocation_token_endpoint_url, { token: access_token.token } + post revocation_token_endpoint_url, params: { token: access_token.token } access_token.reload @@ -90,7 +90,7 @@ end it 'should not revoke the token as its unauthorized' do - post revocation_token_endpoint_url, { token: access_token.token }, headers + post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers access_token.reload 
@@ -109,7 +109,7 @@ end it 'should revoke the access token provided' do - post revocation_token_endpoint_url, { token: access_token.token } + post revocation_token_endpoint_url, params: { token: access_token.token } access_token.reload @@ -118,7 +118,7 @@ end it 'should revoke the refresh token provided' do - post revocation_token_endpoint_url, { token: access_token.refresh_token } + post revocation_token_endpoint_url, params: { token: access_token.refresh_token } access_token.reload @@ -135,7 +135,7 @@ end it 'should not revoke the access token provided' do - post revocation_token_endpoint_url, { token: access_token.token } + post revocation_token_endpoint_url, params: { token: access_token.token } access_token.reload @@ -144,7 +144,7 @@ end it 'should not revoke the refresh token provided' do - post revocation_token_endpoint_url, { token: access_token.token } + post revocation_token_endpoint_url, params: { token: access_token.token } access_token.reload diff --git a/spec/support/http_method_shim.rb b/spec/support/http_method_shim.rb index f187abfbe..0168b9445 100644 --- a/spec/support/http_method_shim.rb +++ b/spec/support/http_method_shim.rb 
@@ -3,34 +3,29 @@ # supported in Rails 5+. Since we support back to 4, we need some sort of shim # to avoid super noisy deprecations when running tests. module RoutingHTTPMethodShim - def get(path, params = {}, headers = nil) - super(path, params: params, headers: headers) + def get(path, **args) + super(path, args[:params], args[:headers]) end - def post(path, params = {}, headers = nil) - super(path, params: params, headers: headers) + def post(path, **args) + super(path, args[:params], args[:headers]) end - def put(path, params = {}, headers = nil) - super(path, params: params, headers: headers) + def put(path, **args) + super(path, args[:params], args[:headers]) end end module ControllerHTTPMethodShim - def get(path, params = {}) - super(path, params: params) - end - - def post(path, params = {}) - super(path, params: params) - end - - def put(path, params = {}) - super(path, params: params) + def process(action, http_method = 'GET', **args) + if as = args.delete(:as) + @request.headers['Content-Type'] = Mime[as].to_s + end + super(action, http_method, args[:params], args[:session], args[:flash]) end end -if ::Rails::VERSION::MAJOR >= 5 +if ::Rails::VERSION::MAJOR < 5 RSpec.configure do |config| config.include ControllerHTTPMethodShim, type: :controller config.include RoutingHTTPMethodShim, type: :request
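Review bot: `ControllerHTTPMethodShim#process` uses `if as = args.delete(:as)`, an assignment inside a condition that linters flag and readers mistake for `==`, and `Mime[as].to_s` turns an unknown format symbol into an empty Content-Type header instead of failing, so a typo in a spec's `as:` would pass silently under Rails 4; assigning `media_type = args.delete(:as)` first, then `raise ArgumentError, "unknown format: #{media_type.inspect}" if media_type && Mime[media_type].nil?`, and only then setting the header makes the shim fail loudly. The file header comment kept as hunk context still describes the shim as avoiding Rails 5 deprecation noise, but after inverting the guard to `< 5` the modules now translate Rails 5 keyword-style calls back to the Rails 4 positional API, so the comment should say that. The `RSpec.configure` block and the `if` wrapping it close outside the hunk.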