Merge c625066 into 4b9f692

doorkeeper-gem · May 17, 2019 · fd286c4 · fd286c4
2 parents 4b9f692 + c625066
commit fd286c4
Show file tree

Hide file tree

Showing 3 changed files with 104 additions and 17 deletions.
diff --git a/doorkeeper-jwt.gemspec b/doorkeeper-jwt.gemspec
@@ -24,7 +24,7 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency 'jwt', '~> 2.1'
 
-  spec.add_development_dependency 'bundler', '~> 1.16'
+  spec.add_development_dependency 'bundler', '>= 1.16', '< 3'
   spec.add_development_dependency 'pry', '~> 0'
   spec.add_development_dependency 'rake', '~> 12.3'
   spec.add_development_dependency 'rspec', '~> 3.8'

diff --git a/lib/doorkeeper/jwt.rb b/lib/doorkeeper/jwt.rb
@@ -61,14 +61,26 @@ def application_secret(opts)
           )
         end
 
-        if opts[:application][:secret].nil?
+        secret = if opts[:application].respond_to?(:plaintext_secret)
+                   unless opts[:application].secret_strategy.allows_restoring_secrets?
+                     raise(
+                       "JWT `use_application_secret` is enabled, but secret strategy " \
+                       "doesn't allow plaintext secret restoring"
+                     )
+                   end
+                   opts[:application].plaintext_secret
+                 else
+                   opts[:application].secret
+                 end
+
+        if secret.nil?
           raise(
             'JWT `use_application_secret` is enabled, but the application' \
             ' secret is nil.'
           )
         end
 
-        opts[:application][:secret]
+        secret
       end
 
       def rsa_encryption?

diff --git a/spec/doorkeeper/jwt_spec.rb b/spec/doorkeeper/jwt_spec.rb
@@ -207,27 +207,102 @@
       expect(decoded_token[1]['alg']).to eq 'ES512'
     end
 
-    it 'creates a signed JWT token encrypted with an app secret' do
-      secret_key = OpenSSL::PKey::RSA.new(1024)
+    context "when use_application_secret used" do
+      let(:secret_key) do
+        OpenSSL::PKey::RSA.new(1024)
+      end
 
-      described_class.configure do
-        use_application_secret true
+      let(:application) do
+        instance_double("Doorkeeper::Application",
+                        secret: Digest::SHA256.digest(secret_key.to_s),
+                        plaintext_secret: secret_key,
+                        secret_strategy: class_double("Doorkeeper::SecretStoring::Sha256Hash",
+                                                      allows_restoring_secrets?: true))
+      end
 
-        token_payload do
-          { foo: 'bar' }
+      before do
+        described_class.configure do
+          use_application_secret true
+
+          token_payload do
+            { foo: "bar" }
+          end
+
+          encryption_method :rs512
         end
+      end
 
-        secret_key secret_key.to_s
-        encryption_method :rs512
+      it "creates a signed JWT token encrypted with an app secret", :aggregate_failures do
+        token = described_class.generate(application: application)
+        decoded_token = ::JWT.decode(token, secret_key, true, algorithm: "RS512")
+
+        expect(decoded_token[0]).to be_a(Hash)
+        expect(decoded_token[0]["foo"]).to eq "bar"
+        expect(decoded_token[1]).to be_a(Hash)
+        expect(decoded_token[1]["alg"]).to eq "RS512"
       end
+    end
 
-      token = described_class.generate(application: { secret: secret_key })
-      decoded_token = ::JWT.decode(token, secret_key, true, algorithm: 'RS512')
+    context "when use_application_secret used and Doorkeeper version < 5.1.0" do
+      let(:secret_key) do
+        OpenSSL::PKey::RSA.new(1024)
+      end
 
-      expect(decoded_token[0]).to be_a(Hash)
-      expect(decoded_token[0]['foo']).to eq 'bar'
-      expect(decoded_token[1]).to be_a(Hash)
-      expect(decoded_token[1]['alg']).to eq 'RS512'
+      let(:application) { instance_double("Doorkeeper::Application", secret: secret_key) }
+
+      before do
+        described_class.configure do
+          use_application_secret true
+
+          token_payload do
+            { foo: "bar" }
+          end
+
+          encryption_method :rs512
+        end
+      end
+
+      it "creates a signed JWT token encrypted with an app secret", :aggregate_failures do
+        token = described_class.generate(application: application)
+        decoded_token = ::JWT.decode(token, secret_key, true, algorithm: "RS512")
+
+        expect(decoded_token[0]).to be_a(Hash)
+        expect(decoded_token[0]["foo"]).to eq "bar"
+        expect(decoded_token[1]).to be_a(Hash)
+        expect(decoded_token[1]["alg"]).to eq "RS512"
+      end
+    end
+
+    context "when use_application_secret used" do
+      let(:secret_key) do
+        OpenSSL::PKey::RSA.new(1024)
+      end
+
+      let(:application) do
+        instance_double("Doorkeeper::Application",
+                        secret: Digest::SHA256.digest(secret_key.to_s),
+                        plaintext_secret: secret_key,
+                        secret_strategy: class_double("Doorkeeper::SecretStoring::Sha256Hash",
+                                                      allows_restoring_secrets?: false))
+      end
+
+      before do
+        described_class.configure do
+          use_application_secret true
+
+          token_payload do
+            { foo: "bar" }
+          end
+
+          encryption_method :rs512
+        end
+      end
+
+      it "creates a signed JWT token encrypted with an app secret", :aggregate_failures do
+        expect { described_class.generate(application: application) }.to(
+          raise_error.with_message(/secret strategy doesn't/)
+        )
+      end
     end
   end
 end