Merge pull request #1 from medley-inc/cmpt-dk5

compat with doorkeeper 5.0.0.rc1
medley-inc · Jun 29, 2018 · df8bddf · df8bddf
2 parents 844fc7f + 12a641b
commit df8bddf
Show file tree

Hide file tree

Showing 3 changed files with 69 additions and 10 deletions.
diff --git a/doorkeeper-mongodb.gemspec b/doorkeeper-mongodb.gemspec
@@ -17,7 +17,7 @@ Gem::Specification.new do |gem|
   gem.files = Dir['lib/**/*', 'config/**/*', 'MIT-LICENSE', 'Rakefile', 'README.md']
   gem.test_files = Dir['spec/**/*']
 
-  gem.add_dependency 'doorkeeper', '>= 4.0.0', '< 5.0'
+  gem.add_dependency 'doorkeeper', '>= 5.0.0.rc1', '< 6.0'
 
   gem.add_development_dependency 'grape'
   gem.add_development_dependency 'coveralls'

diff --git a/lib/doorkeeper-mongodb/mixins/mongoid/access_grant_mixin.rb b/lib/doorkeeper-mongodb/mixins/mongoid/access_grant_mixin.rb
@@ -42,6 +42,62 @@ module ClassMethods
           def by_token(token)
             where(token: token.to_s).find_first
           end
+
+          # Implements PKCE code_challenge encoding without base64 padding as described in the spec.
+          # https://tools.ietf.org/html/rfc7636#appendix-A
+          #   Appendix A.  Notes on Implementing Base64url Encoding without Padding
+          #
+          #   This appendix describes how to implement a base64url-encoding
+          #   function without padding, based upon the standard base64-encoding
+          #   function that uses padding.
+          #
+          #       To be concrete, example C# code implementing these functions is shown
+          #   below.  Similar code could be used in other languages.
+          #
+          #   static string base64urlencode(byte [] arg)
+          #   {
+          #       string s = Convert.ToBase64String(arg); // Regular base64 encoder
+          #       s = s.Split('=')[0]; // Remove any trailing '='s
+          #       s = s.Replace('+', '-'); // 62nd char of encoding
+          #       s = s.Replace('/', '_'); // 63rd char of encoding
+          #       return s;
+          #   }
+          #
+          #   An example correspondence between unencoded and encoded values
+          #   follows.  The octet sequence below encodes into the string below,
+          #   which when decoded, reproduces the octet sequence.
+          #
+          #   3 236 255 224 193
+          #
+          #   A-z_4ME
+          #
+          # https://ruby-doc.org/stdlib-2.1.3/libdoc/base64/rdoc/Base64.html#method-i-urlsafe_encode64
+          #
+          # urlsafe_encode64(bin)
+          # Returns the Base64-encoded version of bin. This method complies with
+          # “Base 64 Encoding with URL and Filename Safe Alphabet” in RFC 4648.
+          # The alphabet uses '-' instead of '+' and '_' instead of '/'.
+
+          # @param code_verifier [#to_s] a one time use value (any object that responds to `#to_s`)
+          #
+          # @return [#to_s] An encoded code challenge based on the provided verifier suitable for PKCE validation
+          def generate_code_challenge(code_verifier)
+            padded_result = Base64.urlsafe_encode64(Digest::SHA256.digest(code_verifier))
+            padded_result.split('=')[0] # Remove any trailing '='
+          end
+
+          def pkce_supported?
+            new.pkce_supported?
+          end
+        end
+
+        # never uses pkce, if pkce migrations were not generated
+        def uses_pkce?
+          pkce_supported? && code_challenge.present?
+        end
+
+        def pkce_supported?
+          respond_to? :code_challenge
         end
 
         private

diff --git a/lib/doorkeeper-mongodb/mixins/mongoid/access_token_mixin.rb b/lib/doorkeeper-mongodb/mixins/mongoid/access_token_mixin.rb
@@ -105,24 +105,27 @@ def matching_token_for(application, resource_owner_or_id, scopes)
             end
           end
 
-          # Checks whether the token scopes match the scopes from the parameters or
-          # Application scopes (if present).
+          # Checks whether the token scopes match the scopes from the parameters
           #
           # @param token_scopes [#to_s]
           #   set of scopes (any object that responds to `#to_s`)
-          # @param param_scopes [String]
+          # @param param_scopes [Doorkeeper::OAuth::Scopes]
           #   scopes from params
-          # @param app_scopes [String]
+          # @param app_scopes [Doorkeeper::OAuth::Scopes]
           #   Application scopes
           #
-          # @return [Boolean] true if all scopes and blank or matches
+          # @return [Boolean] true if the param scopes match the token scopes,
+          #   and all the param scopes are defined in the application (or in the
+          #   server configuration if the application doesn't define any scopes),
           #   and false in other cases
           #
           def scopes_match?(token_scopes, param_scopes, app_scopes)
-            (!token_scopes.present? && !param_scopes.present?) ||
-              Doorkeeper::OAuth::Helpers::ScopeChecker.match?(
-                token_scopes.to_s,
-                param_scopes,
+            return true if token_scopes.empty? && param_scopes.empty?
+
+            (token_scopes.sort == param_scopes.sort) &&
+              Doorkeeper::OAuth::Helpers::ScopeChecker.valid?(
+                param_scopes.to_s,
+                Doorkeeper.configuration.scopes,
                 app_scopes
               )
           end