-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
/
pre_authorization.rb
144 lines (118 loc) · 4.02 KB
/
pre_authorization.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
# frozen_string_literal: true
module Doorkeeper
module OAuth
class PreAuthorization
include Validations
validate :client_id, error: :invalid_request
validate :client, error: :invalid_client
validate :redirect_uri, error: :invalid_redirect_uri
validate :params, error: :invalid_request
validate :response_type, error: :unsupported_response_type
validate :scopes, error: :invalid_scope
validate :code_challenge_method, error: :invalid_code_challenge_method
validate :client_supports_grant_flow, error: :unauthorized_client
attr_reader :server, :client_id, :client, :redirect_uri, :response_type, :state,
:code_challenge, :code_challenge_method, :missing_param
def initialize(server, attrs = {})
@server = server
@client_id = attrs[:client_id]
@response_type = attrs[:response_type]
@redirect_uri = attrs[:redirect_uri]
@scope = attrs[:scope]
@state = attrs[:state]
@code_challenge = attrs[:code_challenge]
@code_challenge_method = attrs[:code_challenge_method]
end
def authorizable?
valid?
end
def validate_client_supports_grant_flow
Doorkeeper.config.allow_grant_flow_for_client?(grant_type, client.application)
end
def scopes
Scopes.from_string scope
end
def scope
@scope.presence || (server.default_scopes.presence && build_scopes)
end
def error_response
if error == :invalid_request
OAuth::InvalidRequestResponse.from_request(
self,
response_on_fragment: response_on_fragment?,
)
else
OAuth::ErrorResponse.from_request(self, response_on_fragment: response_on_fragment?)
end
end
def as_json(attributes = {})
return pre_auth_hash.merge(attributes.to_h) if attributes.respond_to?(:to_h)
pre_auth_hash
end
private
def build_scopes
client_scopes = client.scopes
if client_scopes.blank?
server.default_scopes.to_s
else
(server.default_scopes & client_scopes).to_s
end
end
def validate_client_id
@missing_param = :client_id if client_id.blank?
@missing_param.nil?
end
def validate_client
@client = OAuth::Client.find(client_id)
@client.present?
end
def validate_redirect_uri
return false if redirect_uri.blank?
Helpers::URIChecker.valid_for_authorization?(
redirect_uri,
client.redirect_uri,
)
end
def validate_params
@missing_param = if response_type.blank?
:response_type
elsif @scope.blank? && server.default_scopes.blank?
:scope
end
@missing_param.nil?
end
def validate_response_type
server.authorization_response_types.include?(response_type)
end
def validate_scopes
Helpers::ScopeChecker.valid?(
scope_str: scope,
server_scopes: server.scopes,
app_scopes: client.scopes,
grant_type: grant_type,
)
end
def grant_type
response_type == "code" ? AUTHORIZATION_CODE : IMPLICIT
end
def validate_code_challenge_method
code_challenge.blank? ||
(code_challenge_method.present? && code_challenge_method =~ /^plain$|^S256$/)
end
def response_on_fragment?
response_type == "token"
end
def pre_auth_hash
{
client_id: client.uid,
redirect_uri: redirect_uri,
state: state,
response_type: response_type,
scope: scope,
client_name: client.name,
status: I18n.t("doorkeeper.pre_authorization.status"),
}
end
end
end
end