X-Git-Url: https://git.openstreetmap.org./rails.git/blobdiff_plain/e222329d043592af299eed12cf6ad16969c1b46f..423ae5f8e048c91c00d7c46c05c7b529cbe2f9c7:/config/initializers/doorkeeper.rb diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb index bc70f02f0..c1d4e2f78 100644 --- a/config/initializers/doorkeeper.rb +++ b/config/initializers/doorkeeper.rb @@ -1,5 +1,7 @@ # frozen_string_literal: true +require_relative "../../lib/oauth" + Doorkeeper.configure do # Change the ORM that doorkeeper will use (requires ORM extensions installed). # Check the list of supported ORMs here: https://github.com/doorkeeper-gem/doorkeeper#orms @@ -48,6 +50,8 @@ Doorkeeper.configure do # end # end + application_class "Oauth2Application" unless Settings.status == "database_offline" + # Enables polymorphic Resource Owner association for Access Tokens and Access Grants. # By default this option is disabled. # @@ -93,12 +97,13 @@ Doorkeeper.configure do # # `context` has the following properties available: # - # `client` - the OAuth client application (see Doorkeeper::OAuth::Client) - # `grant_type` - the grant type of the request (see Doorkeeper::OAuth) - # `scopes` - the requested scopes (see Doorkeeper::OAuth::Scopes) + # * `client` - the OAuth client application (see Doorkeeper::OAuth::Client) + # * `grant_type` - the grant type of the request (see Doorkeeper::OAuth) + # * `scopes` - the requested scopes (see Doorkeeper::OAuth::Scopes) + # * `resource_owner` - authorized resource owner instance (if present) # # custom_access_token_expires_in do |context| - # context.client.application.additional_settings.implicit_oauth_expiration + # context.client.additional_settings.implicit_oauth_expiration # end # Use a custom class for generating the access token. @@ -109,7 +114,7 @@ Doorkeeper.configure do # The controller +Doorkeeper::ApplicationController+ inherits from. # Defaults to +ActionController::Base+ unless +api_only+ is set, which changes the default to # +ActionController::API+. The return value of this option must be a stringified class name. - # See https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-base-controller + # See https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-controllers base_controller "ApplicationController" @@ -121,8 +126,8 @@ Doorkeeper.configure do # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/383 # # You can not enable this option together with +hash_token_secrets+. - # - # reuse_access_token + + reuse_access_token # In case you enabled `reuse_access_token` option Doorkeeper will try to find matching # token using `matching_token_for` Access Token API that searches for valid records @@ -157,15 +162,33 @@ Doorkeeper.configure do # since plain values can no longer be retrieved. # # Note: If you are already a user of doorkeeper and have existing tokens - # in your installation, they will be invalid without enabling the additional - # setting `fallback_to_plain_secrets` below. + # in your installation, they will be invalid without adding 'fallback: :plain'. + # + # hash_token_secrets + # By default, token secrets will be hashed using the + # +Doorkeeper::Hashing::SHA256+ strategy. + # + # If you wish to use another hashing implementation, you can override + # this strategy as follows: + + hash_token_secrets :using => "::Doorkeeper::SecretStoring::Plain", + :fallback => "::Doorkeeper::SecretStoring::Sha256Hash" - hash_token_secrets + # Keep in mind that changing the hashing function will invalidate all existing + # secrets, if there are any. # Hash application secrets before persisting them. hash_application_secrets + # By default, applications will be hashed + # with the +Doorkeeper::SecretStoring::SHA256+ strategy. + # + # If you wish to use bcrypt for application secret hashing, uncomment + # this line instead: + # + # hash_application_secrets using: '::Doorkeeper::SecretStoring::BCrypt' + # When the above option is enabled, and a hashed token or secret is not found, # you can allow to fall back to another strategy. For users upgrading # doorkeeper and wishing to enable hashing, you will probably want to enable @@ -174,7 +197,9 @@ Doorkeeper.configure do # This will ensure that old access tokens and secrets # will remain valid even if the hashing above is enabled. # - # fallback_to_plain_secrets + # This can be done by adding 'fallback: plain', e.g. : + # + # hash_application_secrets using: '::Doorkeeper::SecretStoring::BCrypt', fallback: :plain # Issue access tokens with refresh token (disabled by default), you may also # pass a block which accepts `context` to customize when to give a refresh @@ -200,7 +225,7 @@ Doorkeeper.configure do # https://doorkeeper.gitbook.io/guides/ruby-on-rails/scopes # default_scopes :public - optional_scopes(*Oauth::SCOPES) + optional_scopes(*Oauth::SCOPES, *Oauth::PRIVILEGED_SCOPES, *Oauth::OAUTH2_SCOPES) # Allows to restrict only certain scopes for grant_type. # By default, all the scopes will be available for all the grant types. @@ -241,7 +266,9 @@ Doorkeeper.configure do # #call can be used in order to allow conditional checks (to allow non-SSL # redirects to localhost for example). - force_ssl_in_redirect_uri !Rails.env.development? + force_ssl_in_redirect_uri do |uri| + !Rails.env.development? && uri.host != "127.0.0.1" + end # Specify what redirect URI's you want to block during Application creation. # Any redirect URI is whitelisted by default. @@ -394,10 +421,10 @@ Doorkeeper.configure do # Under some circumstances you might want to have applications auto-approved, # so that the user skips the authorization step. # For example if dealing with a trusted application. - # - # skip_authorization do |resource_owner, client| - # client.superapp? or resource_owner.admin? - # end + + skip_authorization do |_, client| + client.scopes.include?("skip_authorization") + end # Configure custom constraints for the Token Introspection request. # By default this configuration option allows to introspect a token by another