From d66503866e83d2e74609b1337c96cebe8c6b59ab Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 18 Apr 2024 08:13:00 +0000
Subject: [PATCH 01/14] Update sqlite3 requirement from ~> 1.4 to ~> 2.0

Updates the requirements on [sqlite3](https://github.com/sparklemotion/sqlite3-ruby) to permit the latest version.
- [Release notes](https://github.com/sparklemotion/sqlite3-ruby/releases)
- [Changelog](https://github.com/sparklemotion/sqlite3-ruby/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sparklemotion/sqlite3-ruby/compare/v1.4.0...v2.0.0)

---
updated-dependencies:
- dependency-name: sqlite3
dependency-type: direct:production
...

Signed-off-by: dependabot[bot]
---
Gemfile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Gemfile b/Gemfile
index a4d0f9ea2..f2cdb76b8 100644
--- a/Gemfile
+++ b/Gemfile
@@ -23,7 +23,7 @@ gem "rubocop-rspec", require: false
 gem "bcrypt", "~> 3.1", require: false
 gem "activerecord-jdbcsqlite3-adapter", platform: :jruby
-gem "sqlite3", "~> 1.4", platform: %i[ruby mswin mingw x64_mingw]
+gem "sqlite3", "~> 2.0", platform: %i[ruby mswin mingw x64_mingw]
 gem "tzinfo-data", platforms: %i[mingw mswin x64_mingw]
 gem "timecop"

From 3c4dbba7da6a4b01d4b419e0559d95c5272d4393 Mon Sep 17 00:00:00 2001
From: Matt Manning
Date: Wed, 1 May 2024 16:37:16 -0400
Subject: [PATCH 02/14] Add force_pkce option

The force_pkce option is disabled by default. When enabled, it requires non-confidential clients to use PKCE when requesting an access_token using an authorization code.
---
lib/doorkeeper/config.rb | 11 ++++++++
.../oauth/authorization_code_request.rb | 10 +++++--
lib/doorkeeper/oauth/client.rb | 2 +-
.../doorkeeper/templates/initializer.rb | 5 ++++
.../oauth/authorization_code_request_spec.rb | 26 +++++++++++++++++++
5 files changed, 51 insertions(+), 3 deletions(-)

diff --git a/lib/doorkeeper/config.rb b/lib/doorkeeper/config.rb
index 09fe87d21..26771f7d7 100644
--- a/lib/doorkeeper/config.rb
+++ b/lib/doorkeeper/config.rb
@@ -113,6 +113,13 @@ def revoke_previous_authorization_code_token
 @config.instance_variable_set(:@revoke_previous_authorization_code_token, true)
 end
+ # Require non-confidential apps to use PKCE (send a code_challenge and
+ code_verifier) when requesting an access_token using an authorization code
+ # (disabled by default)
+ def force_pkce
+ @config.instance_variable_set(:@force_pkce, true)
+ end
+
 # Use an API mode for applications generated with --api argument
 # It will skip applications controller, disable forgery protection
 def api_only
@@ -492,6 +499,10 @@ def revoke_previous_authorization_code_token?
 option_set? :revoke_previous_authorization_code_token
 end
+ def force_pkce?
+ option_set? :force_pkce
+ end
+
 def enforce_configured_scopes?
 option_set? :enforce_configured_scopes
 end
diff --git a/lib/doorkeeper/oauth/authorization_code_request.rb b/lib/doorkeeper/oauth/authorization_code_request.rb
index be9ba0dbb..c5f7ac293 100644
--- a/lib/doorkeeper/oauth/authorization_code_request.rb
+++ b/lib/doorkeeper/oauth/authorization_code_request.rb
@@ -10,8 +10,8 @@ class AuthorizationCodeRequest < BaseRequest
 validate :redirect_uri, error: Errors::InvalidGrant
 validate :code_verifier, error: Errors::InvalidGrant
- attr_reader :grant, :client, :redirect_uri, :access_token, :code_verifier,
- :invalid_request_reason, :missing_param
+ attr_reader :grant, :client, :redirect_uri, :access_token, :code_challenge,
+ :code_verifier, :invalid_request_reason, :missing_param
 def initialize(server, grant, client, parameters = {})
 @server = server
@@ -59,10 +59,16 @@ def pkce_supported?
 Doorkeeper.config.access_grant_model.pkce_supported?
 end
+ def confidential?
+ client&.confidential
+ end
+
 def validate_params
 @missing_param = if grant&.uses_pkce? && code_verifier.blank?
 :code_verifier
+ elsif !confidential? && Doorkeeper.config.force_pkce? && code_challenge.blank?
+ :code_challenge
 elsif redirect_uri.blank?
 :redirect_uri
 end
diff --git a/lib/doorkeeper/oauth/client.rb b/lib/doorkeeper/oauth/client.rb
index f0dc9ad3f..d3cfbbeca 100644
--- a/lib/doorkeeper/oauth/client.rb
+++ b/lib/doorkeeper/oauth/client.rb
@@ -5,7 +5,7 @@ module OAuth
 class Client
 attr_reader :application
- delegate :id, :name, :uid, :redirect_uri, :scopes, to: :@application
+ delegate :id, :name, :uid, :redirect_uri, :scopes, :confidential, to: :@application
 def initialize(application)
 @application = application
diff --git a/lib/generators/doorkeeper/templates/initializer.rb b/lib/generators/doorkeeper/templates/initializer.rb
index 16696cf1e..7341fbd3c 100644
--- a/lib/generators/doorkeeper/templates/initializer.rb
+++ b/lib/generators/doorkeeper/templates/initializer.rb
@@ -173,6 +173,11 @@
 #
 # revoke_previous_authorization_code_token
+ # Require non-confidential clients to use PKCE when using an authorization code
+ # to obtain an access_token (disabled by default)
+ #
+ # force_pkce
+
 # Hash access and refresh tokens before persisting them.
 # This will disable the possibility to use +reuse_access_token+
 # since plain values can no longer be retrieved.
diff --git a/spec/lib/oauth/authorization_code_request_spec.rb b/spec/lib/oauth/authorization_code_request_spec.rb
index 48a14487b..ae5cf66ab 100644
--- a/spec/lib/oauth/authorization_code_request_spec.rb
+++ b/spec/lib/oauth/authorization_code_request_spec.rb
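Review bot: `confidential?` returns `client&.confidential`, which is nil when there is no client and otherwise whatever the application attribute holds, so the predicate can yield nil as well as true or false. `!confidential?` still treats the no-client case as a public client, which fails closed under force_pkce, and that is worth stating above the `def`: `# A missing client counts as public, so force_pkce applies to it as well.` If a strict boolean is wanted, `!!client&.confidential` pins it. The `validate_params` method ends outside the hunk.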
@@ -170,6 +170,32 @@
 end
 context "when using PKCE params" do
+ context "when force_pkce is enabled" do
+ before do
+ allow_any_instance_of(Doorkeeper::Config).to receive(:force_pkce?).and_return(true)
+ end
+
+ context "when the app is confidential" do
+ it "issues a new token for the client" do
+ expect do
+ request.authorize
+ end.to change { client.reload.access_tokens.count }.by(1)
+ end
+ end
+
+ context "when the app is not confidential" do
+ before do
+ client.update(confidential: false)
+ end
+
+ it "does not issue a token" do
+ expect do
+ request.authorize
+ end.not_to change { client.reload.access_tokens.count }
+ end
+ end
+ end
+
 context "when PKCE is supported" do
 before do
 allow(Doorkeeper::AccessGrant).to receive(:pkce_supported?).and_return(true)

From 006c35de6e122852be9f3ff3da6464d8fceb2a80 Mon Sep 17 00:00:00 2001
From: Matt Manning
Date: Wed, 1 May 2024 17:00:26 -0400
Subject: [PATCH 03/14] Add entry to CHANGELOG.md

---
CHANGELOG.md | 1 +
1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index fa61fef93..0c2e6b3d5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ User-visible changes worth mentioning.
 - [#1702] Fix bugs for error response in the form_post and error view
 - [#1660] Custom access token attributes are now considered when finding matching tokens (fixes #1665).
 Introduce `revoke_previous_client_credentials_token` configuration option.
+- [#1705] Add `force_pkce` option that requires non-confidential clients to use PKCE when requesting an access_token using an authorization code
 ## 5.6.9

From 5bf9d406dd710209cb2bc0600a20aa52178ff32b Mon Sep 17 00:00:00 2001
From: Matt Manning
Date: Fri, 3 May 2024 13:52:41 -0400
Subject: [PATCH 04/14] Check for code_verifier, not code_challenge

---
lib/doorkeeper/config.rb | 5 ++---
lib/doorkeeper/oauth/authorization_code_request.rb | 8 ++++----
2 files changed, 6 insertions(+), 7 deletions(-)
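Review bot: The "does not issue a token" example only checks that no token was created, so it would also pass if the request were rejected for an unrelated reason such as a blank `redirect_uri`; after `request.authorize` add `expect(request.missing_param).to eq(:code_challenge)` (the symbol this commit reports) so the example pins the force_pkce path specifically. The confidential case relies on the factory default for `confidential`, which is presumably true; setting `client.update(confidential: true)` explicitly, as the non-confidential case does, makes the contrast self-contained.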
diff --git a/lib/doorkeeper/config.rb b/lib/doorkeeper/config.rb
index 26771f7d7..277d427d0 100644
--- a/lib/doorkeeper/config.rb
+++ b/lib/doorkeeper/config.rb
@@ -113,9 +113,8 @@ def revoke_previous_authorization_code_token
 @config.instance_variable_set(:@revoke_previous_authorization_code_token, true)
 end
- # Require non-confidential apps to use PKCE (send a code_challenge and
- code_verifier) when requesting an access_token using an authorization code
- # (disabled by default)
+ # Require non-confidential apps to use PKCE (send a code_verifier) when requesting
+ # an access_token using an authorization code (disabled by default)
 def force_pkce
 @config.instance_variable_set(:@force_pkce, true)
 end
diff --git a/lib/doorkeeper/oauth/authorization_code_request.rb b/lib/doorkeeper/oauth/authorization_code_request.rb
index c5f7ac293..4043552ed 100644
--- a/lib/doorkeeper/oauth/authorization_code_request.rb
+++ b/lib/doorkeeper/oauth/authorization_code_request.rb
@@ -10,8 +10,8 @@ class AuthorizationCodeRequest < BaseRequest
 validate :redirect_uri, error: Errors::InvalidGrant
 validate :code_verifier, error: Errors::InvalidGrant
- attr_reader :grant, :client, :redirect_uri, :access_token, :code_challenge,
- :code_verifier, :invalid_request_reason, :missing_param
+ attr_reader :grant, :client, :redirect_uri, :access_token, :code_verifier,
+ :invalid_request_reason, :missing_param
 def initialize(server, grant, client, parameters = {})
 @server = server
@@ -67,8 +67,8 @@ def validate_params
 @missing_param = if grant&.uses_pkce? && code_verifier.blank?
 :code_verifier
- elsif !confidential? && Doorkeeper.config.force_pkce? && code_challenge.blank?
- :code_challenge
+ elsif !confidential? && Doorkeeper.config.force_pkce? && code_verifier.blank?
+ :code_verifier
 elsif redirect_uri.blank?
 :redirect_uri
 end

From 2def866a95deb4707f8257741c606f0e14747cda Mon Sep 17 00:00:00 2001
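Review bot: Both branches of the `if` in the `@@ -67` hunk now report `:code_verifier`, so the condition can be folded into one: `if code_verifier.blank? && (grant&.uses_pkce? || (!confidential? && Doorkeeper.config.force_pkce?))`, leaving the `elsif redirect_uri.blank?` branch as it is. Note that this branch checks presence only: when the grant carries no code_challenge, `grant&.uses_pkce?` is false and the existing `validate_code_verifier` (outside the hunk) presumably has nothing to compare the verifier against, so the binding that force_pkce is meant to guarantee depends on the authorization endpoint also requiring a code_challenge from public clients. `validate_params` ends outside the hunk.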
From: Matt Manning
Date: Wed, 8 May 2024 16:54:11 -0400
Subject: [PATCH 05/14] add development dependency pry-byebug for debugging

---
doorkeeper.gemspec | 1 +
spec/spec_helper.rb | 1 +
2 files changed, 2 insertions(+)

diff --git a/doorkeeper.gemspec b/doorkeeper.gemspec
index 469bfd1f4..71ec2de4e 100644
--- a/doorkeeper.gemspec
+++ b/doorkeeper.gemspec
@@ -52,6 +52,7 @@ Gem::Specification.new do |gem|
 gem.add_development_dependency "factory_bot", "~> 6.0"
 gem.add_development_dependency "generator_spec", "~> 0.10.0"
 gem.add_development_dependency "grape"
+ gem.add_development_dependency "pry-byebug"
 gem.add_development_dependency "rake", ">= 11.3.0"
 gem.add_development_dependency "rspec-rails"
 gem.add_development_dependency "timecop"
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 5317cb573..ae0daf6c9 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -20,6 +20,7 @@
 require "capybara/rspec"
 require "database_cleaner"
 require "generator_spec/test_case"
+require "pry-byebug"
 # Load JRuby SQLite3 if in that platform
 if defined? JRUBY_VERSION

From 5ac90357a35191317e5354743ebae8b1930fd04a Mon Sep 17 00:00:00 2001
From: Matt Manning
Date: Wed, 8 May 2024 16:58:26 -0400
Subject: [PATCH 06/14] Validate presence of code_challenge in pre authorization when force_pkce is set

---
lib/doorkeeper/errors.rb | 1 +
lib/doorkeeper/oauth/pre_authorization.rb | 7 ++++
spec/lib/oauth/pre_authorization_spec.rb | 45 +++++++++++++++++++++++
3 files changed, 53 insertions(+)

diff --git a/lib/doorkeeper/errors.rb b/lib/doorkeeper/errors.rb
index 1e2e2046f..7832b0b5d 100644
--- a/lib/doorkeeper/errors.rb
+++ b/lib/doorkeeper/errors.rb
@@ -54,6 +54,7 @@ def self.name_for_response
 InvalidClient = Class.new(BaseResponseError)
 InvalidScope = Class.new(BaseResponseError)
 InvalidRedirectUri = Class.new(BaseResponseError)
+ InvalidCodeChallenge = Class.new(BaseResponseError)
 InvalidCodeChallengeMethod = Class.new(BaseResponseError)
 InvalidGrant = Class.new(BaseResponseError)
diff --git a/lib/doorkeeper/oauth/pre_authorization.rb b/lib/doorkeeper/oauth/pre_authorization.rb
index 1c9fe8c0f..88f744bb4 100644
--- a/lib/doorkeeper/oauth/pre_authorization.rb
+++ b/lib/doorkeeper/oauth/pre_authorization.rb
@@ -14,6 +14,7 @@ class PreAuthorization
 validate :response_type, error: Errors::UnsupportedResponseType
 validate :response_mode, error: Errors::UnsupportedResponseMode
 validate :scopes, error: Errors::InvalidScope
+ validate :code_challenge, error: Errors::InvalidCodeChallenge
 validate :code_challenge_method, error: Errors::InvalidCodeChallengeMethod
 attr_reader :client, :code_challenge, :code_challenge_method, :missing_param,
@@ -143,6 +144,12 @@ def validate_scopes
 )
 end
+ def validate_code_challenge
+ return true unless Doorkeeper.config.force_pkce?
+ return true if client.confidential
+ code_challenge.present?
+ end
+
 def validate_code_challenge_method
 return true unless Doorkeeper.config.access_grant_model.pkce_supported?
diff --git a/spec/lib/oauth/pre_authorization_spec.rb b/spec/lib/oauth/pre_authorization_spec.rb
index 81820b4d5..9aa561ffd 100644
--- a/spec/lib/oauth/pre_authorization_spec.rb
+++ b/spec/lib/oauth/pre_authorization_spec.rb
@@ -40,6 +40,7 @@
 response_type
 response_mode
 scopes
+ code_challenge
 code_challenge_method
 ])
 end
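Review bot: `validate_code_challenge` requires a code_challenge from public clients without consulting `Doorkeeper.config.access_grant_model.pkce_supported?`, while `validate_code_challenge_method` directly below it does; when the grant model cannot store a challenge, the value demanded here presumably never reaches the grant and the later token request has nothing to verify a code_verifier against, so `force_pkce` would look enforced while providing no binding. A `return true unless Doorkeeper.config.access_grant_model.pkce_supported?` guard would make the two validators consistent but would silently switch the option off, so rejecting that configuration combination up front (force_pkce set without PKCE support) is the safer shape; the spec hunk at `@@ -343` in pre_authorization_spec.rb has no case for it either. Also, this method uses `client.confidential` where `AuthorizationCodeRequest#confidential?` uses `client&.confidential`; if `client` can be nil at this point (the `validate :client` ordering is outside the hunk) this raises instead of failing closed. The enclosing class continues outside the hunk.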
@@ -343,5 +344,49 @@
 expect(pre_auth).to be_authorizable
 end
 end
+
+ context "when force_pkce is enabled" do
+ before do
+ allow_any_instance_of(Doorkeeper::Config).to receive(:force_pkce?).and_return(true)
+ end
+
+ context "when the app is confidential" do
+ before do
+ application.update(confidential: true)
+ end
+
+ it "accepts a blank code_challenge" do
+ attributes[:code_challenge] = " "
+
+ expect(pre_auth).to be_authorizable
+ end
+
+ it "accepts a code challenge" do
+ attributes[:code_challenge] = "a45a9fea-0676-477e-95b1-a40f72ac3cfb"
+ attributes[:code_challenge_method] = "plain"
+
+ expect(pre_auth).to be_authorizable
+ end
+ end
+
+ context "when the app is not confidential" do
+ before do
+ application.update(confidential: false)
+ end
+
+ it "does not accept a blank code_challenge" do
+ attributes[:code_challenge] = " "
+
+ expect(pre_auth).not_to be_authorizable
+ end
+
+ it "accepts a code challenge" do
+ attributes[:code_challenge] = "a45a9fea-0676-477e-95b1-a40f72ac3cfb"
+ attributes[:code_challenge_method] = "plain"
+
+ expect(pre_auth).to be_authorizable
+ end
+ end
+ end
 end
 end

From 26247b7a677e1f1e7f29f82cc0f91dbadf615728 Mon Sep 17 00:00:00 2001
From: Matt Manning
Date: Tue, 21 May 2024 15:10:07 -0400
Subject: [PATCH 07/14] remove pry-byebug development dependency

---
doorkeeper.gemspec | 1 -
spec/spec_helper.rb | 1 -
2 files changed, 2 deletions(-)

diff --git a/doorkeeper.gemspec b/doorkeeper.gemspec
index 71ec2de4e..469bfd1f4 100644
--- a/doorkeeper.gemspec
+++ b/doorkeeper.gemspec
@@ -52,7 +52,6 @@ Gem::Specification.new do |gem|
 gem.add_development_dependency "factory_bot", "~> 6.0"
 gem.add_development_dependency "generator_spec", "~> 0.10.0"
 gem.add_development_dependency "grape"
- gem.add_development_dependency "pry-byebug"
 gem.add_development_dependency "rake", ">= 11.3.0"
 gem.add_development_dependency "rspec-rails"
 gem.add_development_dependency "timecop"
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index ae0daf6c9..5317cb573 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -20,7 +20,6 @@
 require "capybara/rspec"
 require "database_cleaner"
 require "generator_spec/test_case"
-require "pry-byebug"
 # Load JRuby SQLite3 if in that platform
 if defined? JRUBY_VERSION

From 7ffdeec302b747d21e11334d02b2ede0959fc633 Mon Sep 17 00:00:00 2001
From: Nikita Bulai
Date: Tue, 18 Jun 2024 10:41:18 +0300
Subject: [PATCH 08/14] [ci skip] Fix CHANGELOG.md

---
CHANGELOG.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2bb0d2d61..61cd99a3b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,8 @@ User-visible changes worth mentioning.
 Add your entry here.
+- [#1705] Add `force_pkce` option that requires non-confidential clients to use PKCE when requesting an access_token using an authorization code
+
 ## 5.7.0
 - [#1696] Add missing `#issued_token` method to `OAuth::TokenResponse`
@@ -16,7 +18,6 @@ Add your entry here.
 - [#1702] Fix bugs for error response in the form_post and error view
 - [#1660] Custom access token attributes are now considered when finding matching tokens (fixes #1665).
 Introduce `revoke_previous_client_credentials_token` configuration option.
-- [#1705] Add `force_pkce` option that requires non-confidential clients to use PKCE when requesting an access_token using an authorization code
 ## 5.6.9

From 1cd750b2bfc68b641c11a8ec0297feb3825eb97b Mon Sep 17 00:00:00 2001
From: Nikita Bulai
Date: Tue, 25 Jun 2024 17:53:34 +0300
Subject: [PATCH 09/14] Release 5.7.1 :tada:

---
CHANGELOG.md | 2 ++
lib/doorkeeper/version.rb | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 61cd99a3b..07ac83956 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,8 @@ User-visible changes worth mentioning.
 Add your entry here.
+## 5.7.1
+
 - [#1705] Add `force_pkce` option that requires non-confidential clients to use PKCE when requesting an access_token using an authorization code
 ## 5.7.0
diff --git a/lib/doorkeeper/version.rb b/lib/doorkeeper/version.rb
index 4993b3466..59e1d5b3b 100644
--- a/lib/doorkeeper/version.rb
+++ b/lib/doorkeeper/version.rb
@@ -5,7 +5,7 @@ module VERSION
 # Semantic versioning
 MAJOR = 5
 MINOR = 7
- TINY = 0
+ TINY = 1
 PRE = nil
 # Full version number

From 745babb99f426dd8a6463267a14d0774bf67e19c Mon Sep 17 00:00:00 2001
From: Ransom Briggs
Date: Fri, 28 Jun 2024 10:04:43 -0500
Subject: [PATCH 10/14] Add Pragma: no-cache to token response

---
lib/doorkeeper/oauth/token_response.rb | 1 +
spec/lib/oauth/token_response_spec.rb | 1 +
spec/requests/endpoints/token_spec.rb | 1 +
3 files changed, 3 insertions(+)

diff --git a/lib/doorkeeper/oauth/token_response.rb b/lib/doorkeeper/oauth/token_response.rb
index a1d44b493..a31ba7c46 100644
--- a/lib/doorkeeper/oauth/token_response.rb
+++ b/lib/doorkeeper/oauth/token_response.rb
@@ -30,6 +30,7 @@ def headers
 {
 "Cache-Control" => "no-store, no-cache",
 "Content-Type" => "application/json; charset=utf-8",
+ "Pragma" => "no-cache",
 }
 end
 end
diff --git a/spec/lib/oauth/token_response_spec.rb b/spec/lib/oauth/token_response_spec.rb
index 70a7de0a0..f6afb8e37 100644
--- a/spec/lib/oauth/token_response_spec.rb
+++ b/spec/lib/oauth/token_response_spec.rb
@@ -8,6 +8,7 @@
 it "includes access token response headers" do
 headers = response.headers
 expect(headers.fetch("Cache-Control")).to eq("no-store, no-cache")
+ expect(headers.fetch("Pragma")).to eq("no-cache")
 end
 it "status is ok" do
diff --git a/spec/requests/endpoints/token_spec.rb b/spec/requests/endpoints/token_spec.rb
index 6c1a824bd..898af80b1 100644
--- a/spec/requests/endpoints/token_spec.rb
+++ b/spec/requests/endpoints/token_spec.rb
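Review bot: The new `"Pragma" => "no-cache"` entry in `headers` deserves a why-comment, because Pragma is an HTTP/1.0 header and a reader may take it for a redundant copy of the `Cache-Control` line above it: `# RFC 6749 §5.1: token responses must carry both Cache-Control: no-store and Pragma: no-cache`. The `def headers` line is the hunk's context line, so the method is otherwise fully visible.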
@@ -17,6 +17,7 @@
 expect(headers["Cache-Control"]).to be_in(["no-store", "no-cache, no-store", "private, no-store"])
 expect(headers["Content-Type"]).to eq("application/json; charset=utf-8")
+ expect(headers["Pragma"]).to eq("no-cache")
 end
 it "accepts client credentials with basic auth header" do

From 3af9ca09eaa99d35977e7e6c59b91d7fa8f1a33a Mon Sep 17 00:00:00 2001
From: Nikita Bulai
Date: Wed, 10 Jul 2024 17:27:26 +0300
Subject: [PATCH 11/14] Fix Doorkeeper::AccessToken.find_or_create_for with empty scopes

Fixes #1699
---
CHANGELOG.md | 2 ++
lib/doorkeeper/models/access_token_mixin.rb | 2 ++
2 files changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 07ac83956..b57edd313 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,8 @@ User-visible changes worth mentioning.
 Add your entry here.
+- [#1714] Fix `Doorkeeper::AccessToken.find_or_create_for` with empty scopes which raises NoMethodError
+
 ## 5.7.1
 - [#1705] Add `force_pkce` option that requires non-confidential clients to use PKCE when requesting an access_token using an authorization code
diff --git a/lib/doorkeeper/models/access_token_mixin.rb b/lib/doorkeeper/models/access_token_mixin.rb
index ec6e55224..2c1ce4ace 100644
--- a/lib/doorkeeper/models/access_token_mixin.rb
+++ b/lib/doorkeeper/models/access_token_mixin.rb
@@ -214,6 +214,8 @@ def custom_attributes_match?(token, custom_attributes)
 # @return [Doorkeeper::AccessToken] existing record or a new one
 #
 def find_or_create_for(application:, resource_owner:, scopes:, **token_attributes)
+ scopes = Doorkeeper::OAuth::Scopes.from_string(scopes) if scopes.is_a?(String)
+
 if Doorkeeper.config.reuse_access_token
 custom_attributes = extract_custom_attributes(token_attributes).presence
 access_token = matching_token_for(

From d23242f21d53ccd3fab5c06a68106122b0ff0f25 Mon Sep 17 00:00:00 2001
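Review bot: The new guard in `find_or_create_for` converts `scopes` only when it is a String; the commit message says "empty scopes", and if callers can also pass nil, `nil.is_a?(String)` is false and that case is presumably still unhandled. `scopes = Doorkeeper::OAuth::Scopes.from_string(scopes.to_s) if scopes.nil? || scopes.is_a?(String)` covers both, assuming `from_string` accepts an empty string. The YARD block above the method (only its `@return` line is in the hunk) should also state that a String is accepted and normalized here. `find_or_create_for` continues outside the hunk.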
From: Nikita Bulai
Date: Wed, 10 Jul 2024 17:33:47 +0300
Subject: [PATCH 12/14] [ci skip] Update CHANGELOG

---
CHANGELOG.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b57edd313..2535d61bb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,7 +9,8 @@ User-visible changes worth mentioning.
 Add your entry here.
-- [#1714] Fix `Doorkeeper::AccessToken.find_or_create_for` with empty scopes which raises NoMethodError
+- [#1714] Fix `Doorkeeper::AccessToken.find_or_create_for` with empty scopes which raises NoMethodError
+- [#1712] Add `Pragma: no-cache` to token response
 ## 5.7.1

From d86fc47abac1219b70b271be603708f4cc3920fd Mon Sep 17 00:00:00 2001
From: Ransom Briggs
Date: Thu, 11 Jul 2024 14:25:22 -0500
Subject: [PATCH 13/14] Fix token introspection invalid request reason

---
CHANGELOG.md | 1 +
lib/doorkeeper/oauth/token_introspection.rb | 3 +--
spec/controllers/tokens_controller_spec.rb | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2535d61bb..edc7c81b5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@ User-visible changes worth mentioning.
 Add your entry here.
+- [#1715] Fix token introspection invalid request reason
 - [#1714] Fix `Doorkeeper::AccessToken.find_or_create_for` with empty scopes which raises NoMethodError
 - [#1712] Add `Pragma: no-cache` to token response
diff --git a/lib/doorkeeper/oauth/token_introspection.rb b/lib/doorkeeper/oauth/token_introspection.rb
index 4dca014ef..002c73cb0 100644
--- a/lib/doorkeeper/oauth/token_introspection.rb
+++ b/lib/doorkeeper/oauth/token_introspection.rb
@@ -6,7 +6,7 @@ module OAuth
 #
 # @see https://datatracker.ietf.org/doc/html/rfc7662
 class TokenIntrospection
- attr_reader :error
+ attr_reader :error, :invalid_request_reason
 def initialize(server, token)
 @server = server
@@ -38,7 +38,6 @@ def to_json(*)
 private
 attr_reader :server, :token
- attr_reader :invalid_request_reason
 # If the protected resource uses OAuth 2.0 client credentials to
 # authenticate to the introspection endpoint and its credentials are
diff --git a/spec/controllers/tokens_controller_spec.rb b/spec/controllers/tokens_controller_spec.rb
index 012c18622..9d029314a 100644
--- a/spec/controllers/tokens_controller_spec.rb
+++ b/spec/controllers/tokens_controller_spec.rb
@@ -536,7 +536,7 @@
 expect(json_response).to match(
 "error" => "invalid_request",
- "error_description" => an_instance_of(String),
+ "error_description" => I18n.t("doorkeeper.errors.messages.invalid_request.request_not_authorized"),
 )
 end
 end

From 3b906771f91b8e834b1ac392b7b2b1cdf8d21ab6 Mon Sep 17 00:00:00 2001
From: Nikita Bulai
Date: Mon, 15 Jul 2024 13:44:23 +0300
Subject: [PATCH 14/14] Remove TruffleRuby

Unfortunately it has more cons than pros making hard to understand what really failed in CI
---
.github/workflows/ci.yml | 1 -
1 file changed, 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 109be527c..9094520c6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -24,7 +24,6 @@ jobs:
 - '3.0'
 - '3.1'
 - '3.2'
- - truffleruby-head
 gemfile:
 - gemfiles/rails_6_0.gemfile
 - gemfiles/rails_6_1.gemfile