Merge pull request #1680 from camero2734/fix-not-implemented-error-raise

Fix handle_auth_errors :raise NotImplementedError
doorkeeper-gem · Dec 1, 2023 · eb849d0 · eb849d0
2 parents 6692812 + bdf3d50
commit eb849d0
Show file tree

Hide file tree

Showing 21 changed files with 142 additions and 76 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,7 +7,7 @@ User-visible changes worth mentioning.
 
 ## main
 
-- [#ID] Add your PR description here.
+- [#1680] Fix handle_auth_errors :raise NotImplementedError
 
 ## 5.6.7
 

diff --git a/lib/doorkeeper/errors.rb b/lib/doorkeeper/errors.rb
@@ -39,6 +39,10 @@ class BaseResponseError < DoorkeeperError
       def initialize(response)
         @response = response
       end
+
+      def self.name_for_response
+        self.name.demodulize.underscore.to_sym
+      end
     end
 
     UnableToGenerateToken = Class.new(DoorkeeperError)
@@ -47,6 +51,19 @@ def initialize(response)
 
     InvalidRequest = Class.new(BaseResponseError)
     InvalidToken = Class.new(BaseResponseError)
+    InvalidClient = Class.new(BaseResponseError)
+    InvalidScope = Class.new(BaseResponseError)
+    InvalidRedirectUri = Class.new(BaseResponseError)
+    InvalidCodeChallengeMethod = Class.new(BaseResponseError)
+    InvalidGrant = Class.new(BaseResponseError)
+
+    UnauthorizedClient = Class.new(BaseResponseError)
+    UnsupportedResponseType = Class.new(BaseResponseError)
+    UnsupportedResponseMode = Class.new(BaseResponseError)
+
+    AccessDenied = Class.new(BaseResponseError)
+    ServerError = Class.new(BaseResponseError)
+
     TokenExpired = Class.new(InvalidToken)
     TokenRevoked = Class.new(InvalidToken)
     TokenUnknown = Class.new(InvalidToken)

diff --git a/lib/doorkeeper/oauth/authorization_code_request.rb b/lib/doorkeeper/oauth/authorization_code_request.rb
@@ -3,12 +3,12 @@
 module Doorkeeper
   module OAuth
     class AuthorizationCodeRequest < BaseRequest
-      validate :params,       error: :invalid_request
-      validate :client,       error: :invalid_client
-      validate :grant,        error: :invalid_grant
+      validate :params,       error: Errors::InvalidRequest
+      validate :client,       error: Errors::InvalidClient
+      validate :grant,        error: Errors::InvalidGrant
       # @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
-      validate :redirect_uri, error: :invalid_grant
-      validate :code_verifier, error: :invalid_grant
+      validate :redirect_uri, error: Errors::InvalidGrant
+      validate :code_verifier, error: Errors::InvalidGrant
 
       attr_reader :grant, :client, :redirect_uri, :access_token, :code_verifier,
                   :invalid_request_reason, :missing_param

diff --git a/lib/doorkeeper/oauth/base_request.rb b/lib/doorkeeper/oauth/base_request.rb
@@ -15,7 +15,7 @@ def authorize
           @response = TokenResponse.new(access_token)
           after_successful_response
           @response
-        elsif error == :invalid_request
+        elsif error == Errors::InvalidRequest
           @response = InvalidRequestResponse.from_request(self)
         else
           @response = ErrorResponse.from_request(self)

diff --git a/lib/doorkeeper/oauth/client_credentials/issuer.rb b/lib/doorkeeper/oauth/client_credentials/issuer.rb
@@ -14,7 +14,7 @@ def initialize(server, validator)
         def create(client, scopes, attributes = {}, creator = Creator.new)
           if validator.valid?
             @token = create_token(client, scopes, attributes, creator)
-            @error = :server_error unless @token
+            @error = Errors::ServerError unless @token
           else
             @token = false
             @error = validator.error

diff --git a/lib/doorkeeper/oauth/client_credentials/validator.rb b/lib/doorkeeper/oauth/client_credentials/validator.rb
@@ -7,9 +7,9 @@ class Validator
         include Validations
         include OAuth::Helpers
 
-        validate :client, error: :invalid_client
-        validate :client_supports_grant_flow, error: :unauthorized_client
-        validate :scopes, error: :invalid_scope
+        validate :client, error: Errors::InvalidClient
+        validate :client_supports_grant_flow, error: Errors::UnauthorizedClient
+        validate :scopes, error: Errors::InvalidScope
 
         def initialize(server, request)
           @server = server

diff --git a/lib/doorkeeper/oauth/code_request.rb b/lib/doorkeeper/oauth/code_request.rb
@@ -17,7 +17,7 @@ def authorize
       end
 
       def deny
-        pre_auth.error = :access_denied
+        pre_auth.error = Errors::AccessDenied
         pre_auth.error_response
       end
     end

diff --git a/lib/doorkeeper/oauth/error_response.rb b/lib/doorkeeper/oauth/error_response.rb
@@ -10,7 +10,8 @@ class ErrorResponse < BaseResponse
       def self.from_request(request, attributes = {})
         new(
           attributes.merge(
-            name: request.error,
+            name: request.error&.name_for_response,
+            exception_class: request.error,
             state: request.try(:state),
             redirect_uri: request.try(:redirect_uri),
           ),
@@ -21,6 +22,7 @@ def self.from_request(request, attributes = {})
 
       def initialize(attributes = {})
         @error = OAuth::Error.new(*attributes.values_at(:name, :state))
+        @exception_class = attributes[:exception_class]
         @redirect_uri = attributes[:redirect_uri]
         @response_on_fragment = attributes[:response_on_fragment]
       end
@@ -72,6 +74,7 @@ def realm
       end
 
       def exception_class
+        return @exception_class if @exception_class
         raise NotImplementedError, "error response must define #exception_class"
       end
 

diff --git a/lib/doorkeeper/oauth/password_access_token_request.rb b/lib/doorkeeper/oauth/password_access_token_request.rb
@@ -5,10 +5,10 @@ module OAuth
     class PasswordAccessTokenRequest < BaseRequest
       include OAuth::Helpers
 
-      validate :client, error: :invalid_client
-      validate :client_supports_grant_flow, error: :unauthorized_client
-      validate :resource_owner, error: :invalid_grant
-      validate :scopes, error: :invalid_scope
+      validate :client, error: Errors::InvalidClient
+      validate :client_supports_grant_flow, error: Errors::UnauthorizedClient
+      validate :resource_owner, error: Errors::InvalidGrant
+      validate :scopes, error: Errors::InvalidScope
 
       attr_reader :client, :credentials, :resource_owner, :parameters, :access_token
 

diff --git a/lib/doorkeeper/oauth/pre_authorization.rb b/lib/doorkeeper/oauth/pre_authorization.rb
@@ -5,16 +5,16 @@ module OAuth
     class PreAuthorization
       include Validations
 
-      validate :client_id, error: :invalid_request
-      validate :client, error: :invalid_client
-      validate :client_supports_grant_flow, error: :unauthorized_client
-      validate :resource_owner_authorize_for_client, error: :invalid_client
-      validate :redirect_uri, error: :invalid_redirect_uri
-      validate :params, error: :invalid_request
-      validate :response_type, error: :unsupported_response_type
-      validate :response_mode, error: :unsupported_response_mode
-      validate :scopes, error: :invalid_scope
-      validate :code_challenge_method, error: :invalid_code_challenge_method
+      validate :client_id, error: Errors::InvalidRequest
+      validate :client, error: Errors::InvalidClient
+      validate :client_supports_grant_flow, error: Errors::UnauthorizedClient
+      validate :resource_owner_authorize_for_client, error: Errors::InvalidClient
+      validate :redirect_uri, error: Errors::InvalidRedirectUri
+      validate :params, error: Errors::InvalidRequest
+      validate :response_type, error: Errors::UnsupportedResponseType
+      validate :response_mode, error: Errors::UnsupportedResponseMode
+      validate :scopes, error: Errors::InvalidScope
+      validate :code_challenge_method, error: Errors::InvalidCodeChallengeMethod
 
       attr_reader :client, :code_challenge, :code_challenge_method, :missing_param,
                   :redirect_uri, :resource_owner, :response_type, :state,
@@ -47,7 +47,7 @@ def scope
       end
 
       def error_response
-        if error == :invalid_request
+        if error == Errors::InvalidRequest
           OAuth::InvalidRequestResponse.from_request(
             self,
             response_on_fragment: response_on_fragment?,

diff --git a/lib/doorkeeper/oauth/refresh_token_request.rb b/lib/doorkeeper/oauth/refresh_token_request.rb
@@ -5,11 +5,11 @@ module OAuth
     class RefreshTokenRequest < BaseRequest
       include OAuth::Helpers
 
-      validate :token_presence, error: :invalid_request
-      validate :token,        error: :invalid_grant
-      validate :client,       error: :invalid_client
-      validate :client_match, error: :invalid_grant
-      validate :scope,        error: :invalid_scope
+      validate :token_presence, error: Errors::InvalidRequest
+      validate :token,        error: Errors::InvalidGrant
+      validate :client,       error: Errors::InvalidClient
+      validate :client_match, error: Errors::InvalidGrant
+      validate :scope,        error: Errors::InvalidScope
 
       attr_reader :access_token, :client, :credentials, :refresh_token
       attr_reader :missing_param

diff --git a/lib/doorkeeper/oauth/token_introspection.rb b/lib/doorkeeper/oauth/token_introspection.rb
@@ -6,6 +6,8 @@ module OAuth
     #
     # @see https://datatracker.ietf.org/doc/html/rfc7662
     class TokenIntrospection
+      attr_reader :error
+
       def initialize(server, token)
         @server = server
         @token = token
@@ -20,12 +22,12 @@ def authorized?
       def error_response
         return if @error.blank?
 
-        if @error == :invalid_token
+        if @error == Errors::InvalidToken
           OAuth::InvalidTokenResponse.from_access_token(authorized_token)
-        elsif @error == :invalid_request
+        elsif @error == Errors::InvalidRequest
           OAuth::InvalidRequestResponse.from_request(self)
         else
-          OAuth::ErrorResponse.new(name: @error)
+          OAuth::ErrorResponse.from_request(self)
         end
       end
 
@@ -36,7 +38,7 @@ def to_json(*)
       private
 
       attr_reader :server, :token
-      attr_reader :error, :invalid_request_reason
+      attr_reader :invalid_request_reason
 
       # If the protected resource uses OAuth 2.0 client credentials to
       # authenticate to the introspection endpoint and its credentials are
@@ -58,7 +60,7 @@ def to_json(*)
       def authorize!
         # Requested client authorization
         if server.credentials
-          @error = :invalid_client unless authorized_client
+          @error = Errors::InvalidClient unless authorized_client
         elsif authorized_token
           # Requested bearer token authorization
           #
@@ -69,9 +71,9 @@ def authorize!
           #  HTTP 401 code as described in Section 3 of OAuth 2.0 Bearer Token
           #  Usage [RFC6750].
           #
-          @error = :invalid_token unless valid_authorized_token?
+          @error = Errors::InvalidToken unless valid_authorized_token?
         else
-          @error = :invalid_request
+          @error = Errors::InvalidRequest
           @invalid_request_reason = :request_not_authorized
         end
       end

diff --git a/lib/doorkeeper/oauth/token_request.rb b/lib/doorkeeper/oauth/token_request.rb
@@ -17,7 +17,7 @@ def authorize
       end
 
       def deny
-        pre_auth.error = :access_denied
+        pre_auth.error = Errors::AccessDenied
         pre_auth.error_response
       end
     end

diff --git a/spec/controllers/authorizations_controller_spec.rb b/spec/controllers/authorizations_controller_spec.rb
@@ -1156,7 +1156,7 @@ def query_params
         default_scopes_exist :public
       end
 
-      it "does not redirect" do
+      it "raises InvalidRequest error" do
         expect { get :new, params: { an_invalid: "request" } }.to raise_error(Doorkeeper::Errors::InvalidRequest)
       end
 
@@ -1165,6 +1165,50 @@ def query_params
         expect(Doorkeeper::AccessToken.count).to eq 0
       end
     end
+
+    context "invalid client_id" do
+      before do
+        default_scopes_exist :public
+      end
+
+      it "raises InvalidClient error" do
+        expect { get :new, params: { client_id: "invalid" } }.to raise_error(Doorkeeper::Errors::InvalidClient)
+      end
+    end
+
+    context "invalid scope" do
+      before do
+        default_scopes_exist :public
+      end
+
+      it "raises InvalidScope error" do
+        expect do
+          get :new, params: {
+            client_id: client.uid,
+            response_type: "token",
+            scope: "invalid",
+            redirect_uri: client.redirect_uri,
+            state: "return-this",
+          }
+        end.to raise_error(Doorkeeper::Errors::InvalidScope)
+      end
+    end
+
+    context "invalid redirect_uri" do
+      before do
+        default_scopes_exist :public
+      end
+
+      it "raises InvalidRedirectUri error" do
+        expect do
+          get :new, params: {
+            client_id: client.uid,
+            response_type: "token",
+            redirect_uri: "invalid",
+          }
+        end.to raise_error(Doorkeeper::Errors::InvalidRedirectUri)
+      end
+    end
   end
 
   describe "GET #new with callbacks" do

diff --git a/spec/lib/oauth/authorization_code_request_spec.rb b/spec/lib/oauth/authorization_code_request_spec.rb
@@ -50,39 +50,39 @@
   it "requires the grant to be accessible" do
     grant.revoke
     request.validate
-    expect(request.error).to eq(:invalid_grant)
+    expect(request.error).to eq(Doorkeeper::Errors::InvalidGrant)
   end
 
   it "requires the grant" do
     request = described_class.new(server, nil, client, params)
     request.validate
-    expect(request.error).to eq(:invalid_grant)
+    expect(request.error).to eq(Doorkeeper::Errors::InvalidGrant)
   end
 
   it "requires the client" do
     request = described_class.new(server, grant, nil, params)
     request.validate
-    expect(request.error).to eq(:invalid_client)
+    expect(request.error).to eq(Doorkeeper::Errors::InvalidClient)
   end
 
   it "requires the redirect_uri" do
     request = described_class.new(server, grant, nil, params.except(:redirect_uri))
     request.validate
-    expect(request.error).to eq(:invalid_request)
+    expect(request.error).to eq(Doorkeeper::Errors::InvalidRequest)
     expect(request.missing_param).to eq(:redirect_uri)
   end
 
   it "matches the redirect_uri with grant's one" do
     request = described_class.new(server, grant, client, params.merge(redirect_uri: "http://other.com"))
     request.validate
-    expect(request.error).to eq(:invalid_grant)
+    expect(request.error).to eq(Doorkeeper::Errors::InvalidGrant)
   end
 
   it "matches the client with grant's one" do
     other_client = FactoryBot.create :application
     request = described_class.new(server, grant, other_client, params)
     request.validate
-    expect(request.error).to eq(:invalid_grant)
+    expect(request.error).to eq(Doorkeeper::Errors::InvalidGrant)
   end
 
   it "skips token creation if there is a matching one reusable" do
@@ -150,7 +150,7 @@
 
     it "responds with invalid_grant" do
       request.validate
-      expect(request.error).to eq(:invalid_grant)
+      expect(request.error).to eq(Doorkeeper::Errors::InvalidGrant)
     end
   end
 
@@ -159,7 +159,7 @@
 
     it "invalidates when redirect_uri of the grant is not native" do
       request.validate
-      expect(request.error).to eq(:invalid_grant)
+      expect(request.error).to eq(Doorkeeper::Errors::InvalidGrant)
     end
 
     it "validates when redirect_uri of the grant is also native" do
@@ -195,15 +195,15 @@
       it "invalidates when code_verifier is missing" do
         request.validate
 
-        expect(request.error).to eq(:invalid_request)
+        expect(request.error).to eq(Doorkeeper::Errors::InvalidRequest)
         expect(request.missing_param).to eq(:code_verifier)
       end
 
       it "invalidates when code_verifier is the wrong value" do
         params[:code_verifier] = "foobar"
         request.validate
 
-        expect(request.error).to eq(:invalid_grant)
+        expect(request.error).to eq(Doorkeeper::Errors::InvalidGrant)
       end
     end