oauth: require predefined scopes for applications

not yet merged into Doorkeeper as of 4.3.0, so temporarily pointing to a git branch. see doorkeeper-gem/doorkeeper#1010
talklittle · Feb 26, 2018 · d981b06 · d981b06
1 parent bd047c4
commit d981b06
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 4 deletions.
diff --git a/Gemfile b/Gemfile
@@ -30,7 +30,7 @@ gem "activerecord-typedstore"
 gem "oauth"
 
 # for acting as OAuth 2.0 provider
-gem "doorkeeper"
+gem "doorkeeper", :git => "https://github.com/talklittle/doorkeeper.git", :branch => "validate-application-scopes-configured"
 
 # for parsing incoming mail
 gem "mail"

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,3 +1,11 @@
+GIT
+  remote: https://github.com/talklittle/doorkeeper.git
+  revision: 558f167571fcb86b6d6b299f221804593bd8245f
+  branch: validate-application-scopes-configured
+  specs:
+    doorkeeper (4.3.0)
+      railties (>= 4.2)
+
 GEM
   remote: https://rubygems.org/
   specs:
@@ -48,8 +56,6 @@ GEM
       ruby-enum (~> 0.5)
     concurrent-ruby (1.0.5)
     diff-lcs (1.3)
-    doorkeeper (4.2.6)
-      railties (>= 4.2)
     dynamic_form (1.1.4)
     erubi (1.6.0)
     exception_notification (4.2.1)
@@ -162,7 +168,7 @@ DEPENDENCIES
   activerecord-typedstore
   bcrypt (~> 3.1.2)
   commonmarker (~> 0.14)
-  doorkeeper
+  doorkeeper!
   dynamic_form
   exception_notification
   faker

diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb
@@ -49,6 +49,11 @@
   # Issue access tokens with refresh token (disabled by default)
   use_refresh_token
 
+  # Forbids creating/updating applications with arbitrary scopes that are
+  # not in configuration, i.e. `default_scopes` or `optional_scopes`.
+  # (Disabled by default)
+  enforce_configured_scopes
+
   # Provide support for an owner to be assigned to each registered application (disabled by default)
   # Optional parameter confirmation: true (default false) if you want to enforce ownership of
   # a registered application