Add config to enforce content type

NEWS.md

@@ -31,6 +31,7 @@ User-visible changes worth mentioning.
   customized Token Info route).
 - [#1086, #1088] Fix bug with receiving default scopes in the token even if they are
   not present in the application scopes (use scopes intersection).
+- [#1076] Add config to enforce content type to application/x-www-form-urlencoded
 
 ## 4.3.2
 

app/controllers/doorkeeper/application_metal_controller.rb

@@ -5,13 +5,17 @@ class ApplicationMetalController < ActionController::Metal
       AbstractController::Rendering,
       ActionController::Rendering,
       ActionController::Renderers::All,
+      AbstractController::Callbacks,
       Helpers::Controller
     ].freeze
 
     MODULES.each do |mod|
       include mod
     end
 
+    before_action :enforce_content_type,
+                  if: -> { Doorkeeper.configuration.enforce_content_type }
+
     ActiveSupport.run_load_hooks(:doorkeeper_metal_controller, self)
   end
 end

lib/doorkeeper/config.rb

@@ -139,6 +139,12 @@ def api_only
       def enforce_configured_scopes
         @config.instance_variable_set(:@enforce_configured_scopes, true)
       end
+
+      # Enforce request content type as the spec requires:
+      # disabled by default for backward compatibility.
+      def enforce_content_type
+        @config.instance_variable_set(:@enforce_content_type, true)
+      end
     end
 
     module Option
@@ -284,6 +290,7 @@ def option(name, options = {})
 
     attr_reader :reuse_access_token
     attr_reader :api_only
+    attr_reader :enforce_content_type
 
     def refresh_token_enabled?
       defined?(@refresh_token_enabled) && @refresh_token_enabled

lib/doorkeeper/helpers/controller.rb

@@ -51,6 +51,11 @@ def handle_token_exception(exception)
       def skip_authorization?
         !!instance_exec([@server.current_resource_owner, @pre_auth.client], &Doorkeeper.configuration.skip_authorization)
       end
+
+      def enforce_content_type
+        return if request.content_type == 'application/x-www-form-urlencoded'
+        render json: {}, status: :unsupported_media_type
+      end
     end
   end
 end

lib/generators/doorkeeper/templates/initializer.rb

@@ -25,6 +25,11 @@
   #
   # api_only
 
+  # Enforce token request content type to application/x-www-form-urlencoded.
+  # It is not enabled by default to not break prior versions of the gem.
+  #
+  # enforce_content_type
+
   # Authorization Code expiration time (default 10 minutes).
   #
   # authorization_code_expires_in 10.minutes

spec/controllers/application_metal_controller_spec.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require 'spec_helper_integration'
+
+describe Doorkeeper::ApplicationMetalController do
+  controller(Doorkeeper::ApplicationMetalController) do
+    def index
+      render json: {}, status: 200
+    end
+  end
+
+  it "lazy run hooks" do
+    i = 0
+    ActiveSupport.on_load(:doorkeeper_metal_controller) { i += 1 }
+
+    expect(i).to eq 1
+  end
+
+  describe 'enforce_content_type' do
+    before { allow(Doorkeeper.configuration).to receive(:enforce_content_type).and_return(flag) }
+
+    context 'enabled' do
+      let(:flag) { true }
+
+      it '200 for the correct media type' do
+        get :index, params: {}, as: :url_encoded_form
+        expect(response).to have_http_status 200
+      end
+
+      it 'returns a 415 for an incorrect media type' do
+        get :index, as: :json
+        expect(response).to have_http_status 415
+      end
+    end
+
+    context 'disabled' do
+      let(:flag) { false }
+
+      it 'returns a 200 for the correct media type' do
+        get :index, as: :url_encoded_form
+        expect(response).to have_http_status 200
+      end
+
+      it 'returns a 200 for an incorrect media type' do
+        get :index, as: :json
+        expect(response).to have_http_status 200
+      end
+    end
+  end
+end

spec/controllers/applications_controller_spec.rb

@@ -16,9 +16,13 @@ module Doorkeeper
 
       it 'does not create application' do
         expect do
-          post :create, doorkeeper_application: {
-            name: 'Example',
-            redirect_uri: 'https://example.com' }
+          post :create,
+               params: {
+                 doorkeeper_application: {
+                   name: 'Example',
+                   redirect_uri: 'https://example.com'
+                 }
+               }
         end.not_to change { Doorkeeper::Application.count }
       end
     end
@@ -43,30 +47,41 @@ module Doorkeeper
 
       it 'creates application' do
         expect do
-          post :create, doorkeeper_application: {
-            name: 'Example',
-            redirect_uri: 'https://example.com' }
+          post :create,
+               params: {
+                 doorkeeper_application: {
+                   name: 'Example',
+                   redirect_uri: 'https://example.com'
+                 }
+               }
         end.to change { Doorkeeper::Application.count }.by(1)
 
         expect(response).to be_redirect
       end
 
       it 'does not allow mass assignment of uid or secret' do
         application = FactoryBot.create(:application)
-        put :update, id: application.id, doorkeeper_application: {
-          uid: '1A2B3C4D',
-          secret: '1A2B3C4D'
-        }
+        put :update,
+            params: {
+              id: application.id,
+              doorkeeper_application: {
+                uid: '1A2B3C4D',
+                secret: '1A2B3C4D'
+              }
+            }
 
         expect(application.reload.uid).not_to eq '1A2B3C4D'
       end
 
       it 'updates application' do
         application = FactoryBot.create(:application)
-        put :update, id: application.id, doorkeeper_application: {
-          name: 'Example',
-          redirect_uri: 'https://example.com'
-        }
+        put :update,
+            params: {
+              id: application.id, doorkeeper_application: {
+                name: 'Example',
+                redirect_uri: 'https://example.com'
+              }
+            }
 
         expect(application.reload.name).to eq 'Example'
       end

spec/controllers/authorizations_controller_spec.rb

@@ -41,7 +41,7 @@ def translated_error_message(key)
 
   describe 'POST #create' do
     before do
-      post :create, client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri
+      post :create, params: { client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri }
     end
 
     it 'redirects after authorization' do
@@ -76,7 +76,7 @@ def translated_error_message(key)
   describe "POST #create in API mode" do
     before do
       allow(Doorkeeper.configuration).to receive(:api_only).and_return(true)
-      post :create, client_id: client.uid, response_type: "token", redirect_uri: client.redirect_uri
+      post :create, params: { client_id: client.uid, response_type: "token", redirect_uri: client.redirect_uri }
     end
 
     let(:response_json_body) { JSON.parse(response.body) }
@@ -114,7 +114,7 @@ def translated_error_message(key)
   describe 'POST #create with errors' do
     before do
       default_scopes_exist :public
-      post :create, client_id: client.uid, response_type: 'token', scope: 'invalid', redirect_uri: client.redirect_uri
+      post :create, params: { client_id: client.uid, response_type: 'token', scope: 'invalid', redirect_uri: client.redirect_uri }
     end
 
     it 'redirects after authorization' do
@@ -146,7 +146,7 @@ def translated_error_message(key)
     before do
       allow(Doorkeeper.configuration).to receive(:api_only).and_return(true)
       default_scopes_exist :public
-      post :create, client_id: client.uid, response_type: 'token', scope: 'invalid', redirect_uri: client.redirect_uri
+      post :create, params: { client_id: client.uid, response_type: 'token', scope: 'invalid', redirect_uri: client.redirect_uri }
     end
 
     let(:response_json_body) { JSON.parse(response.body) }
@@ -182,7 +182,7 @@ def translated_error_message(key)
       allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
 
       access_token.save!
-      post :create, client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri
+      post :create, params: { client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri }
     end
 
     it 'returns the existing access token in a fragment' do
@@ -201,7 +201,7 @@ def translated_error_message(key)
 
     describe 'when successful' do
       after do
-        post :create, client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri
+        post :create, params: { client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri }
       end
 
       it 'should call :before_successful_authorization callback' do
@@ -215,7 +215,7 @@ def translated_error_message(key)
 
     describe 'with errors' do
       after do
-        post :create, client_id: client.uid, response_type: 'token', redirect_uri: 'bad_uri'
+        post :create, params: { client_id: client.uid, response_type: 'token', redirect_uri: 'bad_uri' }
       end
 
       it 'should not call :before_successful_authorization callback' do
@@ -234,7 +234,7 @@ def translated_error_message(key)
         true
       end)
       client.update_attribute :redirect_uri, 'urn:ietf:wg:oauth:2.0:oob'
-      get :new, client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri
+      get :new, params: { client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri }
     end
 
     it 'should redirect immediately' do
@@ -258,7 +258,7 @@ def translated_error_message(key)
         true
       end)
       client.update_attribute :redirect_uri, 'urn:ietf:wg:oauth:2.0:oob'
-      get :new, client_id: client.uid, response_type: 'code', redirect_uri: client.redirect_uri
+      get :new, params: { client_id: client.uid, response_type: 'code', redirect_uri: client.redirect_uri }
     end
 
     it 'should redirect immediately' do
@@ -280,7 +280,7 @@ def translated_error_message(key)
       allow(Doorkeeper.configuration).to receive(:skip_authorization).and_return(proc do
         true
       end)
-      get :new, client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri
+      get :new, params: { client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri }
     end
 
     it 'should redirect immediately' do
@@ -312,7 +312,7 @@ def translated_error_message(key)
   describe 'GET #new in API mode' do
     before do
       allow(Doorkeeper.configuration).to receive(:api_only).and_return(true)
-      get :new, client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri
+      get :new, params: { client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri }
     end
 
     it 'should render success' do
@@ -337,7 +337,7 @@ def translated_error_message(key)
       allow(Doorkeeper.configuration).to receive(:skip_authorization).and_return(proc { true })
       allow(Doorkeeper.configuration).to receive(:api_only).and_return(true)
 
-      get :new, client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri
+      get :new, params: { client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri }
     end
 
     it 'should render success' do
@@ -374,7 +374,7 @@ def translated_error_message(key)
   describe 'GET #new with errors' do
     before do
       default_scopes_exist :public
-      get :new, an_invalid: 'request'
+      get :new, params: { an_invalid: 'request' }
     end
 
     it 'does not redirect' do
@@ -390,7 +390,7 @@ def translated_error_message(key)
   describe 'GET #new with callbacks' do
     after do
       client.update_attribute :redirect_uri, 'urn:ietf:wg:oauth:2.0:oob'
-      get :new, client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri
+      get :new, params: { client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri }
     end
 
     describe 'when authorizing' do