oauth: require predefined scopes for applications

not yet merged into Doorkeeper as of 4.3.1, so temporarily pointing to a git branch. see doorkeeper-gem/doorkeeper#1010
talklittle · Mar 28, 2018 · dc2d508 · dc2d508
1 parent fe07c34
commit dc2d508
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 4 deletions.
diff --git a/Gemfile b/Gemfile
@@ -33,7 +33,7 @@ gem "activerecord-typedstore"
 gem "oauth"
 
 # for acting as OAuth 2.0 provider
-gem "doorkeeper"
+gem "doorkeeper", :git => "https://github.com/talklittle/doorkeeper.git", :branch => "validate-application-scopes-configured"
 
 # for parsing incoming mail
 gem "mail"

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,3 +1,11 @@
+GIT
+  remote: https://github.com/talklittle/doorkeeper.git
+  revision: d4782e8e014b619fd43ce999adefcfc94d48369e
+  branch: validate-application-scopes-configured
+  specs:
+    doorkeeper (4.3.1)
+      railties (>= 4.2)
+
 GEM
   remote: https://rubygems.org/
   specs:
@@ -53,8 +61,6 @@ GEM
     concurrent-ruby (1.0.5)
     crass (1.0.3)
     diff-lcs (1.3)
-    doorkeeper (4.2.6)
-      railties (>= 4.2)
     dynamic_form (1.1.4)
     erubi (1.7.1)
     exception_notification (4.2.2)
@@ -188,7 +194,7 @@ DEPENDENCIES
   bcrypt (~> 3.1.2)
   bullet
   commonmarker (~> 0.14)
-  doorkeeper
+  doorkeeper!
   dynamic_form
   exception_notification
   faker

diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb
@@ -49,6 +49,11 @@
   # Issue access tokens with refresh token (disabled by default)
   use_refresh_token
 
+  # Forbids creating/updating applications with arbitrary scopes that are
+  # not in configuration, i.e. `default_scopes` or `optional_scopes`.
+  # (Disabled by default)
+  enforce_configured_scopes
+
   # Provide support for an owner to be assigned to each registered application (disabled by default)
   # Optional parameter confirmation: true (default false) if you want to enforce ownership of
   # a registered application