Skip to content

Commit

Permalink
Merge pull request #1639 from doorkeeper-gem/fix-auth-destroy
Browse files Browse the repository at this point in the history 
Add grant type vlaidation to avoid Internal Server Error for DELETE /oauth/authorize endpoint
  • Loading branch information
@nbulaj
nbulaj authored Feb 22, 2023
2 parents 0dcb083 + a2a39f9 commit a90d4c1
Show file tree
Hide file tree
Showing 4 changed files with 39 additions and 30 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ User-visible changes worth mentioning.
- [#ID] Add your PR description here.
- [#1602] Allow custom data to be stored inside access grants/tokens.
- [#1634] Code refactoring for custom token attributes.
- [#1639] Add grant type validation to avoid Internal Server Error for DELETE /oauth/authorize endpoint.

# 5.6.4

Expand Down
14 changes: 11 additions & 3 deletions app/controllers/doorkeeper/authorizations_controller.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,11 +13,19 @@ def new
end

def create
redirect_or_render authorize_response
redirect_or_render(authorize_response)
end

def destroy
redirect_or_render authorization.deny
redirect_or_render(authorization.deny)
rescue Doorkeeper::Errors::InvalidTokenStrategy => e
error_response = get_error_response_from_exception(e)

if Doorkeeper.configuration.api_only
render json: error_response.body, status: :bad_request
else
render :error, locals: { error_response: error_response }
end
end

private
Expand All @@ -37,7 +45,7 @@ def render_error
render json: pre_auth.error_response.body,
status: :bad_request
else
render :error
render :error, locals: { error_response: pre_auth.error_response }
end
end

Expand Down
4 changes: 3 additions & 1 deletion app/views/doorkeeper/authorizations/error.html.erb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,5 +3,7 @@
</div>

<main role="main">
<pre><%= @pre_auth.error_response.body[:error_description] %></pre>
<pre>
<%= (respond_to?(:error_response) ? error_response : @pre_auth.error_response).body[:error_description] %>
</pre>
</main>
50 changes: 24 additions & 26 deletions spec/controllers/authorizations_controller_spec.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,8 @@ def query_params
scopes: "default"
end

let(:response_json_body) { JSON.parse(response.body) }

before do
Doorkeeper.configure do
orm DOORKEEPER_ORM
Expand Down Expand Up @@ -111,7 +113,6 @@ def query_params
post :create, params: { client_id: client.uid, response_type: "token", redirect_uri: client.redirect_uri }
end

let(:response_json_body) { JSON.parse(response.body) }
let(:redirect_uri) { response_json_body["redirect_uri"] }

it "renders success after authorization" do
Expand Down Expand Up @@ -154,8 +155,6 @@ def query_params
}
end

let(:response_json_body) { JSON.parse(response.body) }

it "renders success after authorization" do
expect(response).to be_successful
end
Expand Down Expand Up @@ -200,8 +199,6 @@ def query_params
}
end

let(:response_json_body) { JSON.parse(response.body) }

it "renders 400 error" do
expect(response.status).to eq 400
end
Expand Down Expand Up @@ -231,8 +228,6 @@ def query_params
}
end

let(:response_json_body) { JSON.parse(response.body) }

it "renders 401 error" do
expect(response.status).to eq 401
end
Expand Down Expand Up @@ -262,8 +257,6 @@ def query_params
}
end

let(:response_json_body) { JSON.parse(response.body) }

it "renders 401 error" do
expect(response.status).to eq 401
end
Expand Down Expand Up @@ -355,8 +348,6 @@ def query_params
}
end

let(:response_json_body) { JSON.parse(response.body) }

it "renders 400 error" do
expect(response.status).to eq 400
end
Expand Down Expand Up @@ -386,8 +377,6 @@ def query_params
}
end

let(:response_json_body) { JSON.parse(response.body) }

it "renders 401 error" do
expect(response.status).to eq 401
end
Expand Down Expand Up @@ -418,8 +407,6 @@ def query_params
}
end

let(:response_json_body) { JSON.parse(response.body) }

it "renders 401 error" do
expect(response.status).to eq 401
end
Expand Down Expand Up @@ -451,7 +438,6 @@ def query_params
}
end

let(:response_json_body) { JSON.parse(response.body) }
let(:redirect_uri) { response_json_body["redirect_uri"] }

it "renders 400 error" do
Expand Down Expand Up @@ -492,8 +478,6 @@ def query_params
}
end

let(:response_json_body) { JSON.parse(response.body) }

it "renders 400 error" do
expect(response.status).to eq 400
end
Expand Down Expand Up @@ -838,8 +822,6 @@ def query_params
}
end

let(:response_json_body) { JSON.parse(response.body) }

it "renders success" do
expect(response).to be_successful
end
Expand Down Expand Up @@ -928,8 +910,6 @@ def query_params
get :new, params: { an_invalid: "request" }
end

let(:response_json_body) { JSON.parse(response.body) }

it "renders bad request" do
expect(response).to have_http_status(:bad_request)
end
Expand Down Expand Up @@ -960,8 +940,6 @@ def query_params
}
end

let(:response_json_body) { JSON.parse(response.body) }

it "renders bad request" do
expect(response).to have_http_status(:bad_request)
end
Expand Down Expand Up @@ -992,8 +970,6 @@ def query_params
}
end

let(:response_json_body) { JSON.parse(response.body) }

it "renders 400 error" do
expect(response.status).to eq 400
end
Expand Down Expand Up @@ -1106,4 +1082,26 @@ def query_params
expect(response).to be_successful
end
end

describe "DELETE #destroy in API mode" do
context "with invalid params" do
before do
allow(Doorkeeper.config).to receive(:api_only).and_return(true)
delete :destroy, params: {
client_id: client.uid,
response_type: "blabla",
redirect_uri: client.redirect_uri,
response_mode: "form_post",
}
end

it "renders bad request" do
expect(response).to have_http_status(:bad_request)
end

it "includes error in body" do
expect(response_json_body["error"]).to eq("unsupported_grant_type")
end
end
end
end

0 comments on commit a90d4c1

Please sign in to comment.