CHANGELOG.md

Changelog

2.1.3

• [#588] Fixes scopes_match? bug that skipped authorization form in some cases

2.1.2

• [#574] Remove unused update authorization route.
• [#576] Filter out sensitive parameters from logs.
• [#582] The Authorization HTTP header fields are now case insensitive.
• [#583] Database connection bugfix in certain scenarios.
• Testing improvements

2.1.1

• Remove wildcard_redirect_url option
• [#481] Customize token flow OAuth expirations with a config lambda
• [#568] TokensController: Memoize strategy.authorize_response result to enable subclasses to use the response object.
• [#571] Fix database initialization issues in some configurations.
• Documentation improvements

2.1.0

• [#540] Include created_at in response.
• [#538] Check application-level scopes in client_credentials and password flow.
• [5596227] Check application scopes in AccessToken when present. Fixes a bug in doorkeeper 2.0.0 and 2.0.1 referring to application specific scopes.
• [#534] Internationalizes doorkeeper views.
• [#545] Ensure there is a connection to the database before checking for missing columns
• [#546] Use Doorkeeper:: prefix when referencing Application to avoid possible application model name conflict.
• [#538] Test with Rails ~> 4.2.

Potentially backward incompatible changes

• Enable by default authorization_code and client_credentials grant flows. Disables implicit and password grant flows by default.
• [#510, #544, 722113f] Revoked refresh token response bugfix.

2.0.1

• [#525, #526, #527] Fix ActiveRecord::NoDatabaseError on gem load.

2.0.0

Backward incompatible changes

• [#448] Removes doorkeeper_for helper. Now we use before_action :doorkeeper_authorize!.

• [#469] Allow client applications to restrict the set of allowable scopes. Fixes #317. oauth_applications relation needs a new scopes string column, non nullable, which defaults to an empty string. To add the column run:

  rails generate doorkeeper:application_scopes
  

  If you’d rather do it by hand, your ActiveRecord migration should contain:

  add_column :oauth_applications, :scopes, :string, null: false, default: ‘’

Removed deprecations

• Removes test_redirect_uri option. It is now called native_redirect_uri.
• [#446] Removes mount Doorkeeper::Engine. Now we use use_doorkeeper.

Others

• [#484] Performance improvement - avoid performing order_by when not required.
• [#450] When password is invalid in Password Credentials Grant, Doorkeeper returned 'invalid_resource_owner' instead of 'invalid_grant', as the spec declares. Fixes #444.
• [#452] Allows revoked_at to be set in the future, for future expiry. Rationale: doorkeeper-gem#452 (comment)
• [#480] For Implicit grant flow, access tokens can now be reused. Fixes #421.
• [#491] Reworks of @jasl's #454 and #478. ORM refactor that allows doorkeeper to be extended more easily with unsupported ORMs. It also marks the boundaries between shared model code and ORM specifics inside of the gem.
• [#496] Tests with Rails 4.2.
• [#489] Adds force_ssl_in_redirect_uri to force the usage of the HTTPS protocol in non-native redirect uris.
• [#516] SECURITY: Adds protect_from_forgery to Doorkeeper::ApplicationController
• [#518] Fix random failures in mongodb.

1.4.1

• [#516] SECURITY: Adds protect_from_forgery to Doorkeeper::ApplicationController

1.4.0

• internals
  • [#427] Adds specs expectations.
  • [#428] Error response refactor.
  • [#417] Moves token validation into Access Token class.
  • [#439] Removes redundant module includes.
  • [#443] TokensController and TokenInfoController inherit from ActionController::Metal
• bug
  • [#418] fixes #243, requests with insufficient scope now respond 403 instead of 401. (API change)
  • [#438] fixes #398, native redirect for implicit token grant bug.
  • [#440] namespace fixes
• enhancements
  • [#432] Keeps query parameters

1.3.1

• enhancements
  • [#405] Adds facade to more easily get the token from a request in a route constraint.
  • [#415] Extend Doorkeeper TokenResponse with an after_successful_response callback that allows handling of response object.
• internals
  • [#409] Deprecates test_redirect_uri in favor of native_redirect_uri. See discussion in: [#351].
  • [#411] Clean rspec deprecations. General test improvements.
  • [#412] rspec line width can go longer than 80 (hound CI config).
• bug
  • [#413] fixes #340, routing scope is now taken into account in redirect.
  • [#401] and [#425] application is not required any longer for access_token.

1.3.0

• enhancements
  • [#387] Adds reuse_access_token configuration option.

1.2.0

• enhancements
  • [#376] Allow users to enable basic header authorization for access tokens.
  • [#374] Token revocation implementation [RFC 7009]
  • [#295] Only enable specific grant flows.
• internals
  • [#381] Locale source fix.
  • [#380] Renames errors_for to doorkeeper_errors_for.
  • [#390] Style adjustments in accordance with Ruby Style Guide form Thoughtbot.

1.1.0

• enhancements
  • [#336] mongoid4 support.
  • [#372] Allow users to set ActiveRecord table_name_prefix/suffix options
• internals
  • [#343] separate OAuth's admin and user end-point to different layouts, upgrade theme to Bootstrap 3.1.
  • [#348] Move render_options in filter after @error has been set

1.0.0

• bug (spec)
  • [#228] token response expires_in value is now in seconds, relative to request time
  • [#296] client is optional for password grant type.
  • [#319] If client credentials are present on password grant type they are validated
  • [#326] If client credentials are present in refresh token they are validated
  • [#326] If authenticated client does not match original client that obtained a refresh token it responds invalid_grant instead of invalid_client. Previous usage was invalid according to Section 5.2 of the spec.
  • [#329] access tokens' scopes string wa being compared against default_scopes symbols, always unauthorizing.
  • [#318] Include "WWW-Authenticate" header with Unauthorized responses
• enhancements
  • [#293] Adds ActionController::Instrumentation in TokensController
  • [#298] Support for multiple redirect_uris added.
  • [#313] AccessToken.revoke_all_for actually revokes all non-revoked tokens for an application/owner instead of deleting them.
  • [#333] Rails 4.1 support
• internals
  • Removes jQuery dependency [fixes #300] [PR #312 is related]
  • [#294] Client uid and secret will be generated only if not present.
  • [#316] Test warnings addressed.
  • [#338] Rspec 3 syntax.

0.7.4

• bug
  • Symbols instead of strings for user input.

0.7.3

• enhancements
  • [#204] Allow to overwrite scope in routes
• internals
  • Returns only present keys in Token Response (may imply a backwards incompatible change). doorkeeper-gem#220
• bug
  • [#290] Support for Rails 4 when 'protected_attributes' gem is present.

0.7.2

• enhancements
  • [#272] Allow issuing multiple access_tokens for one user/application for multiple devices
  • [#170] Increase length of allowed redirect URIs
  • [#239] Do not try to load unavailable Request class for the current phase.
  • [#273] Relax jquery-rails gem dependency

0.7.1

• bug
  • [#269] Rails 3.2 raised ActiveModel::MassAssignmentSecurity::Error.

0.7.0

• enhancements
  • [#229] Rails 4!
• internals
  • [#203] Changing table name to be specific in column_names_with_table
  • [#215] README update
  • [#227] Use Rails.config.paths["config/routes"] instead of assuming "config/routes.rb" exists
  • [#262] Add jquery as gem dependency
  • [#263] Add a configuration for ActiveRecord.establish_connection
  • Deprecation and Ruby warnings (PRs merged outside of GitHub).

0.6.7

• internals
  • [#188] Add IDs to the show views for integration testing @egtann

0.6.6

• enhancements
  • [#187] Raise error if configuration is not set

0.6.5

• enhancements
  • [#184] Vendor the Bootstrap CSS @tylerhunt

0.6.4

• bug
  • [#180] Add localization to authorized_applications destroy notice @aalvarado

0.6.3

• bugfixes
  • [#163] Error response content-type header should be application/json @ggayan
  • [#175] Make token.expires_in_seconds return nil when expires_in is nil @miyagawa
• enhancements
  • [#166, #172, #174] Behavior to automatically authorize based on a configured proc
• internals
  • [#168] Using expectation syntax for controller specs @rdsoze

0.6.2

• bugfixes
  • [#162] Remove ownership columns from base migration template @rdsoze

0.6.1

• bugfixes
  • [#160] Removed |routes| argument from initializer authenticator blocks
• documentation
  • [#160] Fixed description of context of authenticator blocks

0.6.0

• enhancements
  • Mongoid orm configuration accepts only :mongoid2 or :mongoid3
  • Authorization endpoint does not redirect in #new action anymore. It wasn't specified by OAuth spec
  • TokensController now inherits from ActionController::Metal. There might be performance upgrades
  • Add link to authorization in Applications scaffold
  • [#116] MongoMapper support @carols10cents
  • [#122] Mongoid3 support @petergoldstein
  • [#150] Introduce test redirect uri for applications
• bugfixes
  • [#157] Response token status should be :ok, not :success @theycallmeswift
  • [#159] Remove ActionView::Base.field_error_proc override (fixes #145)
• internals
  • Update development dependencies
  • Several refactorings
  • Rails/ORM are easily swichable with env vars (rails and orm)
  • Travis now tests against Mongoid v2

0.5.0.rc1

Official support for rubinius was removed.

• enhancements
  • Configure the way access token is retrieved from request (default to bearer header)
  • Authorization Code expiration time is now configurable
  • Add support for mongoid
  • [#78, #128, #137, #138] Application Ownership
  • [#92] Allow users to skip controllers
  • [#99] Remove deprecated warnings for data-* attributes @towerhe
  • [#101] Return existing access_token for PasswordAccessTokenRequest @benoist
  • [#104] Changed access token scopes example code to default_scopes and optional_scopes @amkirwan
  • [#107] Fix typos in initializer
  • [#123] i18n for validator, flash messages @petergoldstein
  • [#140] ActiveRecord is the default value for the ORM @petergoldstein
• internals
  • [#112, #120] Replacing update_attribute with update_column to eliminate deprecation warnings @rmoriz, @petergoldstein
  • [#121] Updating all development dependencies to recent versions. @petergoldstein
  • [#144] Adding MongoDB dependency to .travis.yml @petergoldstein
  • [#143] Displays errors for unconfigured error messages @timgaleckas
• bugfixes
  • [#102] Not returning 401 when access token generation fails @cslew
  • [#125] Doorkeeper is using ActiveRecord version of as_json in ORM agnostic code @petergoldstein
  • [#142] Prevent double submission of password based authentication @bdurand
• documentation
  • [#141] Add rack-cors middleware to readme @gottfrois

0.4.2

• bugfixes:
  • [#94] Uninitialized Constant in Password Flow

0.4.1

• enhancements:
  • Backport: Move doorkeeper_for extension to Filter helper

0.4.0

• deprecation
  • Deprecate authorization_scopes
• database changes
  • AccessToken#resource_owner_id is not nullable
• enhancements
  • [#83] Add Resource Owner Password Credentials flow @jaimeiniesta
  • [#76] Allow token expiration to be disabled @mattgreen
  • [#89] Configure the way client credentials are retrieved from request
  • [#b6470a] Add Client Credentials flow
• internals
  • [#2ece8d, #f93778] Introduce Client and ErrorResponse classes

0.3.4

• Fix attr_accessible for rails 3.2.x

0.3.3

• [#86] shrink gem package size

0.3.2

• enhancements
  • [#54] Ignore Authorization: headers that are not Bearer @miyagawa
  • [#58, #64] Add destroy action to applications endpoint @jaimeiniesta, @davidfrey
  • [#63] TokensController responds with 401 unauthorized @jaimeiniesta
  • [#67, #72] Fix for mass-assignment @cicloid
• internals
  • [#49] Add Gemnasium status image to README @laserlemon
  • [#50] Fix typos @tomekw
  • [#51] Updated the factory_girl_rails dependency, fix expires_in response which returned a float number instead of integer @antekpiechnik
  • [#62] Typos, .gitignore @jaimeiniesta
  • [#65] Change _path redirections to _url redirections @jaimeiniesta
  • [#75] Fix unknown method #authenticate_admin! @mattgreen
  • Remove application link in authorized app view

0.3.1

• enhancements
  • [#48] Add if, else options to doorkeeper_for
  • Add views generator
• internals
  • Namespace models

0.3.0

• enhancements
  • [#17, #31] Add support for client credentials in basic auth header @GoldsteinTechPartners
  • [#28] Add indices to migration @GoldsteinTechPartners
  • [#29] Allow doorkeeper to run with rails 3.2 @john-griffin
  • [#30] Improve client's redirect uri validation @GoldsteinTechPartners
  • [#32] Add token (implicit grant) flow @GoldsteinTechPartners
  • [#34] Add support for custom unathorized responses @GoldsteinTechPartners
  • [#36] Remove repetitions from the Authorised Applications view @carvil
  • When user revoke an application, all tokens for that application are revoked
  • Error messages now can be translated
  • Install generator copies the error messages localization file
• internals
  • Fix deprecation warnings in ActiveSupport::Base64
  • Remove deprecation in doorkeeper_for that handles hash arguments
  • Depends on railties instead of whole rails framework
  • CI now integrates with rails 3.1 and 3.2

0.2.0

• enhancements
  • [#4] Add authorized applications endpoint
  • [#5, #11] Add access token scopes
  • [#10] Add access token expiration by default
  • [#9, #12] Add refresh token flow
• internals
  • [#7] Improve configuration options with :default
  • Improve configuration options with :builder
  • Refactor config class
  • Improve coverage of authorization request integration
• bug fixes
  • [#6, #20] Fix access token response headers
  • Fix issue with state parameter
• deprecation
  • deprecate :only and :except options in doorkeeper_for

0.1.1

• enhancements
  • [#3] Authorization code must be short lived and single use
  • [#2] Improve views provided by doorkeeper
  • [#1] Skips authorization form if the client has been authorized by the resource owner
  • Improve readme
• bugfixes
  • Fix issue when creating the access token (wrong client id)

0.1.0

• Authorization Code flow
• OAuth applications endpoint