This repository has been archived by the owner on May 10, 2021. It is now read-only.

[Security] Bump doorkeeper from 4.3.2 to 4.4.0 #544

Merged
merged 1 commit into from
Jul 18, 2018

Conversation

dependabot-preview[bot]
Contributor

Bumps doorkeeper from 4.3.2 to 4.4.0. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

Doorkeeper gem does not revoke token for public clients
Any OAuth application that uses public/non-confidential authentication when
interacting with Doorkeeper is unable to revoke its tokens when calling the
revocation endpoint.

A bug in the token revocation API would cause it to attempt to authenticate
the public OAuth client as if it was a confidential app. Because of this, the
token is never revoked.

The impact of this is the access or refresh token is not revoked, leaking
access to protected resources for the remainder of that token's lifetime.

... (truncated)

Patched versions: >= 4.4.0; >= 5.0.0.rc2
Unaffected versions: < 4.2.0

Release notes

Sourced from doorkeeper's releases.

v4.4.0

  • [#1120] Backport security fix from 5.x for token revocation when using public clients
Changelog

Sourced from doorkeeper's changelog.

4.4.0

  • [#1120] Backport security fix from 5.x for token revocation when using public clients
Commits
  • 16e76e6 Merge pull request #1120 from f3ndot/backport-cve-2018-1000211
  • 35cd855 Disable confidential button if not supported, fix test coverage
  • d3fb696 Fix embarassing typo. Freeze heredoc constant
  • bd7bd3f Add news entry on this update
  • 4ecb0a2 [Lint] long lines, heredocs, other stylistic things
  • 3aebb59 Bump version to 4.4.0
  • 8e846f9 Warn developers when security migration not run
  • d6b56a9 Move warning into a constant for other uses
  • 36dc99b Add non-breaking backwards compatibility for 4.x and CVE-2018-1000211
  • 337d4c2 Use Application#confidential? to determine revocation auth eligibility
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

Bumps [doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) from 4.3.2 to 4.4.0. **This update includes security fixes.**
- [Release notes](https://github.com/doorkeeper-gem/doorkeeper/releases)
- [Changelog](https://github.com/doorkeeper-gem/doorkeeper/blob/master/NEWS.md)
- [Commits](doorkeeper-gem/doorkeeper@v4.3.2...v4.4.0)

Signed-off-by: dependabot[bot] <support@dependabot.com>
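The advisory above describes the defect in one sentence: the revocation endpoint authenticates a public client as if it were confidential, the authentication fails, and the token silently survives. The following Ruby model, added here as an illustration and not taken from the doorkeeper gem or from this PR, shows that decision in a vulnerable and a fixed form side by side so the difference is concrete. Names (`Application`, `AccessToken`, `revoke_vulnerable`, `revoke_fixed`, the `confidential?` check) and the constructed token store are assumptions for the example; the fixed variant follows the approach named in commit 337d4c2 (use the application's confidential flag to decide whether client authentication is required), but the public-client rule used here (the token must have been issued to the calling client id) is this example's own choice.

```ruby
# Constructed example, not doorkeeper's code. It models the token-revocation
# decision described in the advisory for CVE-2018-1000211. All names and the
# sample data below are assumptions made for this illustration.

Application = Struct.new(:uid, :secret, :confidential, keyword_init: true) do
  def confidential?
    confidential
  end
end

AccessToken = Struct.new(:token, :application, :revoked, keyword_init: true) do
  def revoked?
    revoked
  end
end

# Client authentication as expected of a confidential app: client id and
# client secret must both match the registered application.
def authenticate_confidential(app, client_id, client_secret)
  !app.nil? && app.uid == client_id &&
    !client_secret.nil? && app.secret == client_secret
end

# Vulnerable variant (behaviour described in the advisory): every caller is
# treated as confidential. A public client has no secret, authentication
# fails, and the endpoint still answers 200 (RFC 7009 requires 200 even for
# tokens the server will not act on), so the caller never learns the token
# was left alive.
def revoke_vulnerable(store, token:, client_id:, client_secret: nil)
  access_token = store[token]
  return { status: 200, revoked: false } if access_token.nil?

  app = access_token.application
  access_token.revoked = true if authenticate_confidential(app, client_id, client_secret)
  { status: 200, revoked: access_token.revoked? }
end

# Fixed variant: use the application's confidential flag to decide whether a
# secret is required. A confidential app must still present its secret; a
# public app only has to show the token was issued to it (matching client id).
def revoke_fixed(store, token:, client_id:, client_secret: nil)
  access_token = store[token]
  return { status: 200, revoked: false } if access_token.nil?

  app = access_token.application
  authorized =
    if app.confidential?
      authenticate_confidential(app, client_id, client_secret)
    else
      app.uid == client_id
    end
  access_token.revoked = true if authorized
  { status: 200, revoked: access_token.revoked? }
end

# Constructed token store with one public and one confidential client.
def sample_store
  public_app = Application.new(uid: "mobile-app", secret: nil, confidential: false)
  confidential_app = Application.new(uid: "web-backend", secret: "s3cret", confidential: true)
  {
    "tok-public" => AccessToken.new(token: "tok-public", application: public_app, revoked: false),
    "tok-conf" => AccessToken.new(token: "tok-conf", application: confidential_app, revoked: false)
  }
end

if $PROGRAM_NAME == __FILE__
  # Public client revoking its own token: stays alive under the old logic,
  # revoked under the fixed logic. Both calls answer 200.
  p revoke_vulnerable(sample_store, token: "tok-public", client_id: "mobile-app")
  p revoke_fixed(sample_store, token: "tok-public", client_id: "mobile-app")
end
```

The detail worth noticing for anyone checking an upgrade like this one is the 200 response in both variants: a revocation call that "succeeds" at the HTTP level is not evidence that the token is gone. A regression test for the fix therefore has to inspect token state after the call (as the test helpers above do), not the status code.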
@coveralls

Coverage Status

Coverage remained the same at 96.203% when pulling e1d8748 on dependabot/bundler/doorkeeper-4.4.0 into 709c75f on master.

@y-yagi y-yagi merged commit 76457e6 into master Jul 18, 2018
@y-yagi y-yagi deleted the dependabot/bundler/doorkeeper-4.4.0 branch July 18, 2018 22:43

3 participants