Merge pull request #1602 from teamsimplepay/pre_auth_extension

Allow custom data to be sent inside access tokens
doorkeeper-gem · Feb 5, 2023 · 8436928 · 8436928
2 parents 3ad48e0 + e4ae754
commit 8436928
Show file tree

Hide file tree

Showing 11 changed files with 84 additions and 7 deletions.
diff --git a/app/controllers/doorkeeper/authorizations_controller.rb b/app/controllers/doorkeeper/authorizations_controller.rb
@@ -88,7 +88,7 @@ def pre_auth_params
     end
 
     def pre_auth_param_fields
-      %i[
+      Doorkeeper.configuration.custom_access_token_attributes + %i[
         client_id
         code_challenge
         code_challenge_method

diff --git a/lib/doorkeeper/config.rb b/lib/doorkeeper/config.rb
@@ -321,6 +321,15 @@ def configure_secrets_for(type, using:, fallback:)
     option :access_token_generator,
            default: "Doorkeeper::OAuth::Helpers::UniqueToken"
 
+    # Allows additional data to be received when granting access to an Application, and for this
+    # additional data to be sent with subsequently generated access tokens. The access grant and
+    # access token models will both need to respond to the specified attribute names.
+    #
+    # @param attributes [Array] The array of custom attribute names to be saved
+    #
+    option :custom_access_token_attributes,
+           default: []
+
     # Use a custom class for generating the application secret.
     # https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-application-secret-generator
     #

diff --git a/lib/doorkeeper/config/validations.rb b/lib/doorkeeper/config/validations.rb
@@ -48,6 +48,18 @@ def validate_token_reuse_limit
         )
         @token_reuse_limit = 100
       end
+
+      def validate_custom_access_token_attributes
+        # Validate that the access_token and access_grant models
+        # both respond to all of the custom attributes
+        Doorkeeper.config.custom_access_token_attributes.each do |attribute_name|
+          [Doorkeeper.config.access_token_model, Doorkeeper.config.access_grant_model].each do |model|
+            unless model.has_attribute?(attribute_name)
+              raise NotImplementedError, "#{model} does not recognize custom attribute: #{attribute_name}."
+            end
+          end
+        end
+      end
     end
   end
 end
diff --git a/lib/doorkeeper/oauth/authorization/code.rb b/lib/doorkeeper/oauth/authorization/code.rb
@@ -45,6 +45,12 @@ def access_grant_attributes
             attributes[:resource_owner_id] = resource_owner.id
           end
 
+          # Custom access token attributes are saved into the access grant,
+          # and then included in subsequently generated access tokens.
+          Doorkeeper.config.custom_access_token_attributes.each do |attribute_name|
+            attributes[attribute_name] = @pre_auth.custom_access_token_attributes[attribute_name]
+          end
+
           pkce_attributes.merge(attributes)
         end
 

diff --git a/lib/doorkeeper/oauth/authorization_code_request.rb b/lib/doorkeeper/oauth/authorization_code_request.rb
@@ -35,6 +35,7 @@ def before_successful_response
             grant.application,
             resource_owner,
             grant.scopes,
+            custom_token_attributes_with_data,
             server,
           )
         end
@@ -99,6 +100,10 @@ def validate_code_verifier
       def generate_code_challenge(code_verifier)
         server_config.access_grant_model.generate_code_challenge(code_verifier)
       end
+
+      private def custom_token_attributes_with_data
+        grant.attributes.with_indifferent_access.slice(*Doorkeeper.config.custom_access_token_attributes).symbolize_keys
+      end
     end
   end
 end
diff --git a/lib/doorkeeper/oauth/base_request.rb b/lib/doorkeeper/oauth/base_request.rb
@@ -26,15 +26,20 @@ def scopes
         @scopes ||= build_scopes
       end
 
-      def find_or_create_access_token(client, resource_owner, scopes, server)
+      def find_or_create_access_token(client, resource_owner, scopes, custom_attributes, server)
         context = Authorization::Token.build_context(client, grant_type, scopes, resource_owner)
-        @access_token = server_config.access_token_model.find_or_create_for(
-          application: client.is_a?(server_config.application_model) ? client : client&.application,
+        token_model = server_config.access_token_model
+        application = client.is_a?(server_config.application_model) ? client : client&.application
+
+        token_attributes = {
+          application: application,
           resource_owner: resource_owner,
           scopes: scopes,
           expires_in: Authorization::Token.access_token_expires_in(server, context),
           use_refresh_token: Authorization::Token.refresh_token_enabled?(server, context),
-        )
+        }
+
+        @access_token = token_model.find_or_create_for(**token_attributes.merge(custom_attributes))
       end
 
       def before_successful_response

diff --git a/lib/doorkeeper/oauth/password_access_token_request.rb b/lib/doorkeeper/oauth/password_access_token_request.rb
@@ -25,7 +25,7 @@ def initialize(server, client, credentials, resource_owner, parameters = {})
       private
 
       def before_successful_response
-        find_or_create_access_token(client, resource_owner, scopes, server)
+        find_or_create_access_token(client, resource_owner, scopes, {}, server)
         super
       end
 

diff --git a/lib/doorkeeper/oauth/pre_authorization.rb b/lib/doorkeeper/oauth/pre_authorization.rb
@@ -18,7 +18,7 @@ class PreAuthorization
 
       attr_reader :client, :code_challenge, :code_challenge_method, :missing_param,
                   :redirect_uri, :resource_owner, :response_type, :state,
-                  :authorization_response_flow, :response_mode
+                  :authorization_response_flow, :response_mode, :custom_access_token_attributes
 
       def initialize(server, parameters = {}, resource_owner = nil)
         @server                = server
@@ -31,6 +31,11 @@ def initialize(server, parameters = {}, resource_owner = nil)
         @code_challenge        = parameters[:code_challenge]
         @code_challenge_method = parameters[:code_challenge_method]
         @resource_owner        = resource_owner
+
+        @custom_access_token_attributes = {}
+        Doorkeeper.config.custom_access_token_attributes.each do |field|
+          @custom_access_token_attributes[field] = parameters[field]
+        end
       end
 
       def authorizable?

diff --git a/lib/generators/doorkeeper/templates/initializer.rb b/lib/generators/doorkeeper/templates/initializer.rb
@@ -391,6 +391,23 @@
   #   resource_owner.admin? || client.owners_allowlist.include?(resource_owner)
   # end
 
+  # Allows additional data fields to be sent while granting access to an application,
+  # and for this additional data to be included in subsequently generated access tokens.
+  # The 'authorizations/new' page will need to be overridden to include this additional data
+  # in the request params when granting access. The access grant and access token models
+  # will both need to respond to these additional data fields, and have a database column
+  # to store them in.
+  #
+  # Example:
+  # You have a multi-tenanted platform and want to be able to grant access to a specific
+  # tenant, rather than all the tenants a user has access to. You can use this config
+  # option to specify that a ':tenant_id' will be passed when authorizing. This tenant_id
+  # will be included in the access tokens. When a request is made with one of these access
+  # tokens, you can check that the requested data belongs to the specified tenant.
+  #
+  # Default value is an empty Array: []
+  # custom_access_token_attributes [:tenant_id]
+
   # Hook into the strategies' request & response life-cycle in case your
   # application needs advanced customization or logging:
   #

diff --git a/spec/lib/config_spec.rb b/spec/lib/config_spec.rb
@@ -521,6 +521,20 @@ class ApplicationWithOwner < ActiveRecord::Base
     end
   end
 
+  describe "custom_access_token_attributes" do
+    it "is '[]' by default" do
+      expect(Doorkeeper.configuration.custom_access_token_attributes).to(eq([]))
+    end
+
+    it "can change the value" do
+      Doorkeeper.configure do
+        orm DOORKEEPER_ORM
+        custom_access_token_attributes [:added_field_1, :added_field_2]
+      end
+      expect(config.custom_access_token_attributes).to eq([:added_field_1, :added_field_2])
+    end
+  end
+
   describe "application_secret_generator" do
     it "is 'Doorkeeper::OAuth::Helpers::UniqueToken' by default" do
       expect(Doorkeeper.configuration.application_secret_generator).to(

diff --git a/spec/lib/oauth/base_request_spec.rb b/spec/lib/oauth/base_request_spec.rb
@@ -124,6 +124,7 @@
         client,
         resource_owner,
         "public",
+        {},
         server,
       )
 
@@ -144,6 +145,7 @@
         client,
         resource_owner,
         "public",
+        {},
         server,
       )
       expect(result.expires_in).to be(500)
@@ -165,6 +167,7 @@
         client,
         resource_owner,
         "public",
+        {},
         server,
       )
       expect(result.refresh_token).not_to be_nil
@@ -173,6 +176,7 @@
         client,
         resource_owner,
         "private",
+        {},
         server,
       )
       expect(result.refresh_token).to be_nil
-Original file line number
+Diff line change
@@ Expand Up @@
           private
           def before_successful_response
-            find_or_create_access_token(client, resource_owner, scopes, server)
+            find_or_create_access_token(client, resource_owner, scopes, {}, server)
             super
           end
@@ Expand Down @@