[Security] Bump doorkeeper from 4.2.6 to 4.4.0

[dependabot-preview]

DO NOT MERGE YET - merging / migrating this PR will break authentication for some API clients (gavity spy user promotion)

TODO

• Confirm with Scotty from Gravity Spy that the user promotion code uses the default python client authentication flows or they have updated to a custom Oauth application for client credentials flow
• Add new / modify migration to set specific apps to confidential = false to ensure viable authentication (PFE clients, Python API and gravity spy clients at the very least) as well as any implicit flow apps (has valid redirects) to be non-confidential.

This may impact authentication for a variety of applications in the wild, any strange auth errors should look to the confidential setting implications first.

Bumps doorkeeper from 4.2.6 to 4.4.0. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

Doorkeeper gem does not revoke token for public clients
Any OAuth application that uses public/non-confidential authentication when
interacting with Doorkeeper is unable to revoke its tokens when calling the
revocation endpoint.

A bug in the token revocation API would cause it to attempt to authenticate
the public OAuth client as if it was a confidential app. Because of this, the
token is never revoked.

The impact of this is the access or refresh token is not revoked, leaking
access to protected resources for the remainder of that token's lifetime.

... (truncated)

Patched versions: >= 4.4.0; >= 5.0.0.rc2
Unaffected versions: < 4.2.0

Release notes

Sourced from doorkeeper's releases.

v4.4.0

• [Policy: subject management #1120] Backport security fix from 5.x for token revocation when using public clients

v4.3.2

• [Return HTTP 200 unless no email param was supplied #1053] Support authorizing with query params in the request redirect_uri if explicitly present in app's Application#redirect_uri

v4.3.1

• Remove BaseRecord and introduce additional concern for ordering methods to fix
  braking changes for Doorkeeper models.
• [Robustness against various unexpected data formats #1032] Refactor BaseRequest callbacks into configurable lambdas
• [skip authenticity token check for events api #1040] Clear mixins from ActiveRecord DSL and save only overridable API. It
  allows to use this mixins in Doorkeeper ORM extensions with minimum code boilerplate.

v4.3.0

• [Update to RSpec 3.3 #976] Fix to invalidate the second redirect URI when the first URI is the native URI
• [Add RSpec binstub with Spring enabled #1035] Allow Application#redirect_uri= to handle array of URIs.
• [Can create a collection with a name length of 0 #1036] Allow to forbid Application redirect URI's with specific rules.
• [Include login_prompt in serializer #1029] Deprecate order_method and introduce ordered_by. Sort applications
  by created_at in index action.
• [nonrandom subject queing #1033] Allow Doorkeeper configuration option #force_ssl_in_redirect_uri to be a callable object.
• Fix Grape integration & add specs for it
• [Export import project #913] Deferred ORM (ActiveRecord) models loading
• [Fix Talk API client to set correct token #943] Fix Access Token token generation when certain errors occur in custom token generators
• [Set User#zooniverse_id for panoptes-only users #1026] Implement RFC7662 - OAuth 2.0 Token Introspection
• [Expand README for the first-use experience #985] Generate valid migration files for Rails >= 5
• [reset the set_member_subjects counter when bulk importing #972] Replace Struct subclassing with block-form initialization
• [Filter users by login name #1003] Use URL query param to pass through native redirect auth code so automated apps can find it.
• [Add ability to filter by current user role #868] Scopes#& and Scopes#+ now take an array or any other enumerable
  object.
• [optimize the subscription migration #1019] Remove translation not in use: invalid_resource_owner.
• Use Ruby 2 hash style syntax (min required Ruby version = 2.1)
• [Track beta users #948] Make Scopes.<=> work with any "other" value.
• [destroy_links is slow #974] Redirect URI is checked without query params within AuthorizationCodeRequest.
• [ensure user login field cannot be null #1004] More explicit help text for native_redirect_uri.
• [Make sure to update the timestamp if nothing else changes #1023] Update Ruby versions and test against 2.5.0 on Travis CI.
• [Anyone could create roles that's not good #1024] Migrate from FactoryGirl to FactoryBot.
• [Welcome emails with unsubscribe via email #1025] Improve documentation for adding foreign keys
• [use zooniverse_id to find the users #1028] Make it possible to have composit strategy names.

Changelog

Sourced from doorkeeper's changelog.

4.4.0

• [Policy: subject management #1120] Backport security fix from 5.x for token revocation when using public clients

4.3.2

• [Return HTTP 200 unless no email param was supplied #1053] Support authorizing with query params in the request redirect_uri if explicitly present in app's Application#redirect_uri

4.3.1

• Remove BaseRecord and introduce additional concern for ordering methods to fix
  braking changes for Doorkeeper models.
• [Robustness against various unexpected data formats #1032] Refactor BaseRequest callbacks into configurable lambdas
• [skip authenticity token check for events api #1040] Clear mixins from ActiveRecord DSL and save only overridable API. It
  allows to use this mixins in Doorkeeper ORM extensions with minimum code boilerplate.

4.3.0

• [Update to RSpec 3.3 #976] Fix to invalidate the second redirect URI when the first URI is the native URI
• [Add RSpec binstub with Spring enabled #1035] Allow Application#redirect_uri= to handle array of URIs.
• [Can create a collection with a name length of 0 #1036] Allow to forbid Application redirect URI's with specific rules.
• [Include login_prompt in serializer #1029] Deprecate order_method and introduce ordered_by. Sort applications
  by created_at in index action.
• [nonrandom subject queing #1033] Allow Doorkeeper configuration option #force_ssl_in_redirect_uri to be a callable object.
• Fix Grape integration & add specs for it
• [Export import project #913] Deferred ORM (ActiveRecord) models loading
• [Fix Talk API client to set correct token #943] Fix Access Token token generation when certain errors occur in custom token generators
• [Set User#zooniverse_id for panoptes-only users #1026] Implement RFC7662 - OAuth 2.0 Token Introspection
• [Expand README for the first-use experience #985] Generate valid migration files for Rails >= 5
• [reset the set_member_subjects counter when bulk importing #972] Replace Struct subclassing with block-form initialization
• [Filter users by login name #1003] Use URL query param to pass through native redirect auth code so automated apps can find it.
• [Add ability to filter by current user role #868] Scopes#& and Scopes#+ now take an array or any other enumerable
  object.
• [optimize the subscription migration #1019] Remove translation not in use: invalid_resource_owner.
• Use Ruby 2 hash style syntax (min required Ruby version = 2.1)
• [Track beta users #948] Make Scopes.<=> work with any "other" value.
• [destroy_links is slow #974] Redirect URI is checked without query params within AuthorizationCodeRequest.
• [ensure user login field cannot be null #1004] More explicit help text for native_redirect_uri.
• [Make sure to update the timestamp if nothing else changes #1023] Update Ruby versions and test against 2.5.0 on Travis CI.
• [Anyone could create roles that's not good #1024] Migrate from FactoryGirl to FactoryBot.
• [Welcome emails with unsubscribe via email #1025] Improve documentation for adding foreign keys
• [use zooniverse_id to find the users #1028] Make it possible to have composite strategy names.

Commits

• 16e76e6 Merge pull request #1120 from f3ndot/backport-cve-2018-1000211
• 35cd855 Disable confidential button if not supported, fix test coverage
• d3fb696 Fix embarassing typo. Freeze heredoc constant
• bd7bd3f Add news entry on this update
• 4ecb0a2 [Lint] long lines, heredocs, other stylistic things
• 3aebb59 Bump version to 4.4.0
• 8e846f9 Warn developers when security migration not run
• d6b56a9 Move warning into a constant for other uses
• 36dc99b Add non-breaking backwards compatibility for 4.x and CVE-2018-1000211
• 337d4c2 Use Application#confidential? to determine revocation auth eligibility
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

[houndci-bot]

Layout/LeadingCommentSpace: Missing space after #.

[dependabot-preview]

A newer version of doorkeeper exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.

[marten]

I would love a summary of what changes and what's causing the incompatibility specifically. For instance, how would I tell if Caesar is going to be affected?

[camallen]

I would love a summary of what changes and what's causing the incompatibility specifically.

Doorkeeper wasn't previously revoking tokens for non-confidential apps (see the Vulnerabilities fixed link in the PR description). The latest gem updates fixed this issue so public apps can now revoke tokens.

All implicit / native apps have to be set to non-confidential as that is how they work. Our first_party apps (PFE, python client) that convert devise sessions into oauth tokens also needed to be set to non-confidential as they supply a client_id but not a client_secret. I've audited all the apps we have (staging & production) and set up the migrations accordingly.

For instance, how would I tell if Caesar is going to be affected?

If your app us using an implicit grant / custom scheme (native) to get a token then it'll need it's non-confidential attribute set via the migration / UI to work properly. If you can keep a secret via your server and authentication using a client_id & client_secret then your app will be set to confidential via the default value in the migration and will continue to work accordingly.

[marten]

Thanks, this "confidentiality" was a new concept but not explained. I get it now.