
Bump doorkeeper from 3.1.0 to 4.4.0 #90

Open: wants to merge 1 commit into master

Conversation

dependabot[bot]

@dependabot dependabot bot commented on behalf of github Nov 18, 2019

Bumps doorkeeper from 3.1.0 to 4.4.0.

Release notes

Sourced from doorkeeper's releases.

v4.4.0

  • #1120 Backport security fix from 5.x for token revocation when using public clients

v4.3.2

  • #1053 Support authorizing with query params in the request redirect_uri if explicitly present in app's Application#redirect_uri

v4.3.1

  • Remove BaseRecord and introduce additional concern for ordering methods to fix
    breaking changes for Doorkeeper models.
  • #1032 Refactor BaseRequest callbacks into configurable lambdas
  • #1040 Clear mixins from ActiveRecord DSL and save only overridable API. This
    allows using these mixins in Doorkeeper ORM extensions with minimal code boilerplate.

v4.3.0

  • #976 Fix to invalidate the second redirect URI when the first URI is the native URI
  • #1035 Allow Application#redirect_uri= to handle array of URIs.
  • #1036 Allow to forbid Application redirect URI's with specific rules.
  • #1029 Deprecate order_method and introduce ordered_by. Sort applications
    by created_at in index action.
  • #1033 Allow Doorkeeper configuration option #force_ssl_in_redirect_uri to be a callable object.
  • Fix Grape integration & add specs for it
  • #913 Deferred ORM (ActiveRecord) models loading
  • #943 Fix Access Token token generation when certain errors occur in custom token generators
  • #1026 Implement RFC7662 - OAuth 2.0 Token Introspection
  • #985 Generate valid migration files for Rails >= 5
  • #972 Replace Struct subclassing with block-form initialization
  • #1003 Use URL query param to pass through native redirect auth code so automated apps can find it.
  • #868 Scopes#& and Scopes#+ now take an array or any other enumerable
    object.
  • #1019 Remove translation not in use: invalid_resource_owner.
  • Use Ruby 2 hash style syntax (min required Ruby version = 2.1)
  • #948 Make Scopes.<=> work with any "other" value.
  • #974 Redirect URI is checked without query params within AuthorizationCodeRequest.
  • #1004 More explicit help text for native_redirect_uri.
  • #1023 Update Ruby versions and test against 2.5.0 on Travis CI.
  • #1024 Migrate from FactoryGirl to FactoryBot.
  • #1025 Improve documentation for adding foreign keys
  • #1028 Make it possible to have composite strategy names.

v4.2.6

  • #970 Escape certain attributes in authorization forms.

v4.2.5

  • #936 Deprecate Doorkeeper#configured?, Doorkeeper#database_installed?, and
    Doorkeeper#installed?
  • #909 Add InvalidTokenResponse#reason reader method to allow reading the kind
    of invalid token error.
  • #928 Test against more recent Ruby versions
  • Small refactorings within the codebase
  • #921 Switch to Appraisal, and test against Rails master
... (truncated)
Changelog

Sourced from doorkeeper's changelog.

4.4.0

  • #1120 Backport security fix from 5.x for token revocation when using public clients

    [IMPORTANT]: all applications (clients) are now considered private by default.
    You need to manually change the confidential column to false if you are using public clients;
    otherwise your mobile (or other) applications will not be able to authorize.
    See #1142 for more details.

4.3.2

  • #1053 Support authorizing with query params in the request redirect_uri if explicitly present in app's Application#redirect_uri

4.3.1

  • Remove BaseRecord and introduce additional concern for ordering methods to fix
    breaking changes for Doorkeeper models.
  • #1032 Refactor BaseRequest callbacks into configurable lambdas
  • #1040 Clear mixins from ActiveRecord DSL and save only overridable API. This
    allows using these mixins in Doorkeeper ORM extensions with minimal code boilerplate.

4.3.0

  • #976 Fix to invalidate the second redirect URI when the first URI is the native URI

  • #1035 Allow Application#redirect_uri= to handle array of URIs.

  • #1036 Allow to forbid Application redirect URI's with specific rules.

  • #1029 Deprecate order_method and introduce ordered_by. Sort applications
    by created_at in index action.

  • #1033 Allow Doorkeeper configuration option #force_ssl_in_redirect_uri to be a callable object.

  • Fix Grape integration & add specs for it

  • #913 Deferred ORM (ActiveRecord) models loading

  • #943 Fix Access Token token generation when certain errors occur in custom token generators

  • #1026 Implement RFC7662 - OAuth 2.0 Token Introspection

  • #985 Generate valid migration files for Rails >= 5

  • #972 Replace Struct subclassing with block-form initialization

  • #1003 Use URL query param to pass through native redirect auth code so automated apps can find it.

    [IMPORTANT]: Previously the authorization code response route was /oauth/authorize/<code>;
    now it is oauth/authorize/native?code=<code> (to help applications find the code value automatically).

  • #868 Scopes#& and Scopes#+ now take an array or any other enumerable
    object.

  • #1019 Remove translation not in use: invalid_resource_owner.

  • Use Ruby 2 hash style syntax (min required Ruby version = 2.1)

  • #948 Make Scopes.<=> work with any "other" value.

  • #974 Redirect URI is checked without query params within AuthorizationCodeRequest.

  • #1004 More explicit help text for native_redirect_uri.

  • #1023 Update Ruby versions and test against 2.5.0 on Travis CI.

  • #1024 Migrate from FactoryGirl to FactoryBot.

  • #1025 Improve documentation for adding foreign keys

... (truncated)
Upgrade guide

Sourced from doorkeeper's upgrade guide.

See Upgrade Guides
in the project Wiki.

Commits
  • 16e76e6 Merge pull request #1120 from f3ndot/backport-cve-2018-1000211
  • 35cd855 Disable confidential button if not supported, fix test coverage
  • d3fb696 Fix embarassing typo. Freeze heredoc constant
  • bd7bd3f Add news entry on this update
  • 4ecb0a2 [Lint] long lines, heredocs, other stylistic things
  • 3aebb59 Bump version to 4.4.0
  • 8e846f9 Warn developers when security migration not run
  • d6b56a9 Move warning into a constant for other uses
  • 36dc99b Add non-breaking backwards compatibility for 4.x and CVE-2018-1000211
  • 337d4c2 Use Application#confidential? to determine revocation auth eligibility
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.
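The changelog note for 4.4.0 and the commit "Use Application#confidential? to determine revocation auth eligibility" describe two things an upgrading operator has to get right: every existing client becomes confidential by default, and token revocation is then gated on that flag. The following Ruby is an added, constructed model of that behaviour written for this page; it is not doorkeeper's own code, and the struct names, the function names and the exact shape of the revocation check are assumptions made for illustration. It shows the post-upgrade default, the manual step of marking the public clients, an audit of what is still flagged confidential, and how the flag decides whether a revocation request must authenticate as the owning client.

```ruby
# Constructed model, written for this page, of the client "confidential" flag that
# doorkeeper 4.4.0 introduces and of the revocation check the changelog and the
# "Use Application#confidential? to determine revocation auth eligibility" commit
# describe. It is not doorkeeper's code: the struct names, the function names and
# the exact shape of the check are assumptions made for illustration.

Application = Struct.new(:uid, :name, :confidential, keyword_init: true)
AccessToken = Struct.new(:token, :application, :revoked, keyword_init: true)

# After the 4.4.0 migration every existing application row is confidential by
# default (changelog note). `rows` stands in for the pre-upgrade table.
def applications_after_upgrade(rows)
  rows.map { |r| Application.new(uid: r[:uid], name: r[:name], confidential: true) }
end

# The manual step from the changelog: flip the flag to false for the clients the
# operator knows are public (mobile, desktop or single-page apps that cannot keep
# a secret). Returns the uids that were changed so the step can be reviewed.
def mark_public_clients!(apps, public_uids)
  apps.select { |a| public_uids.include?(a.uid) }
      .each { |a| a.confidential = false }
      .map(&:uid)
end

# Lists applications still flagged confidential: a post-upgrade audit, since any
# public client left on the default cannot authorize (changelog note).
def still_confidential(apps)
  apps.select(&:confidential).map(&:uid)
end

# Simplified revocation authorization (assumed shape): a token issued to a
# confidential client may only be revoked by a request authenticated as that
# client; a token issued to a public client, which has no secret to present, is
# revoked without client authentication.
def revocation_authorized?(token, authenticated_client)
  return false if token.nil?
  app = token.application
  return true if app.nil? || !app.confidential
  !authenticated_client.nil? && authenticated_client.uid == app.uid
end

# Revokes the token when the check passes; returns whether revocation happened.
def revoke!(token, authenticated_client)
  return false unless revocation_authorized?(token, authenticated_client)
  token.revoked = true
  true
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data: one server-side client and one mobile client.
  rows = [{ uid: "web-backend", name: "Web backend" },
          { uid: "ios-app", name: "iOS app" }]
  apps = applications_after_upgrade(rows)
  mark_public_clients!(apps, ["ios-app"])
  ios = apps.find { |a| a.uid == "ios-app" }
  web = apps.find { |a| a.uid == "web-backend" }
  puts "still confidential after marking: #{still_confidential(apps).inspect}"
  puts "public client revokes without credentials: " \
       "#{revoke!(AccessToken.new(token: 't1', application: ios, revoked: false), nil)}"
  puts "confidential client without credentials: " \
       "#{revoke!(AccessToken.new(token: 't2', application: web, revoked: false), nil)}"
end
```

The point of `still_confidential` is the failure mode the changelog warns about: a mobile client that nobody flipped to `confidential = false` keeps the upgraded default, so running the audit before and after the manual step is the cheapest way to confirm the upgrade did not lock out public clients.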

@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Nov 18, 2019