From 38a8c9f1b08c93f4f75487e4ffe73d2517c794d4 Mon Sep 17 00:00:00 2001
From: Edward Kerry
Date: Tue, 25 Feb 2020 14:43:06 +0000
Subject: [PATCH] Validate Doorkeeper PreAuthorization to ensure the client is accessible

As of https://github.com/doorkeeper-gem/doorkeeper/pull/1296 Doorkeeper's PreAuthorization controller is no longer passed the Client upon instantiation, but instead retrieves it during validation. To ensure that the we can access the application via the client, we explicitly call pre_auth.authorizable in order to invoke `validate_client` https://github.com/linhdangduy/doorkeeper/blob/a3458b00d89fb79e0f0a4efc733124c3bfe56db6/lib/doorkeeper/oauth/pre_authorization.rb#L71
---
 .../signin_required_authorizations_controller.rb | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/app/controllers/signin_required_authorizations_controller.rb b/app/controllers/signin_required_authorizations_controller.rb
index f775094a2..359792e98 100644
--- a/app/controllers/signin_required_authorizations_controller.rb
+++ b/app/controllers/signin_required_authorizations_controller.rb
@@ -3,7 +3,7 @@ class SigninRequiredAuthorizationsController < Doorkeeper::AuthorizationsControl
   EXPECTED_DOORKEEPER_VERSION = "5.2.0.rc3".freeze
 
   def new
-    if pre_auth.authorizable?
+    if pre_authorizable?
       if skip_authorization? || matching_token?
         if user_has_signin_permission_to_application?
           auth = authorization.authorize
@@ -31,6 +31,10 @@ def create
 
   private
 
+  def pre_authorizable?
+    @pre_authorizable ||= pre_auth.authorizable?
+  end
+
   def user_has_signin_permission_to_application?
     return false if application.nil?
     return false if current_resource_owner.nil?
@@ -39,6 +43,7 @@ def user_has_signin_permission_to_application?
   end
 
   def application
+    pre_authorizable? #Doorkeeper PreAuthorization controller must be validated in-order for the client to be instantiated.
     pre_auth.try(:client).try(:application)
   end
 end
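Review bot: `@pre_authorizable ||= pre_auth.authorizable?` in the new `pre_authorizable?` helper never caches a `false` result, so whenever the pre-authorization is invalid every caller (`new`, and `application` via the third hunk) re-runs Doorkeeper's validation, which depending on how Doorkeeper records its errors may accumulate duplicate error entries on `pre_auth`. That is fail-closed, which is the right direction for an authorization endpoint, but if the intent is "validate exactly once" the cache should be keyed on whether the check has run rather than on its truthiness: `return @pre_authorizable if defined?(@pre_authorizable)` followed by `@pre_authorizable = pre_auth.authorizable?`. If the repeated validation is acceptable, a one-line comment on the `||=` saying that a `false` result is deliberately re-checked would stop the next reader from "fixing" it.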
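Review bot: The comment appended to the `pre_authorizable?` call in `application` runs well past 120 columns, has no space after `#` (RuboCop Style/LeadingCommentSpace), and explains a side effect a reader can easily miss at the call site; put it on its own line above the call, e.g. `# Doorkeeper only instantiates the client while validating the PreAuthorization (doorkeeper PR 1296),` / `# so validate before dereferencing pre_auth.client.` Calling the validator for its side effect also turns `application` from a plain reader into something that runs validation; on the `new` path it is redundant because `pre_authorizable?` has already run before `user_has_signin_permission_to_application?` is reached, so presumably the call exists for `create`, whose body lies outside the hunk — naming that caller in the comment would make the intent verifiable. The `try(:client).try(:application)` chain still yields nil when validation does not produce a client and `user_has_signin_permission_to_application?` returns false on nil, so the fail-closed behaviour of the permission check is preserved.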