Releases: doorkeeper-gem/doorkeeper

v5.3.3

07 May 19:56
0bdb684
Bump version

v5.2.6

07 May 19:57
ca313cd
Bump version

v5.1.2

07 May 19:57
44d6a00
Bump version

v5.4.0.rc2

02 May 13:28
b9adf37
v5.4.0.rc2 Pre-release
  • [#1371] Add #as_json method and attributes serialization restriction for Application model.
    Fixes information disclosure vulnerability (CVE-2020-10187).

    [IMPORTANT] you need to re-implement #as_json method for Doorkeeper Application model
    if you previously used #to_json serialization with custom options or attributes or rely on
    JSON response from /oauth/applications.json or /oauth/authorized_applications.json. This change
    is a breaking change which restricts serialized attributes to a very small set of columns.

  • [#1395] Fix NameError: uninitialized constant Doorkeeper::AccessToken for Rake tasks.

  • [#1397] Add as: :doorkeeper_application on Doorkeeper application form in order to support
    custom configured application model.

  • [#1400] Correctly yield the application instance to allow_grant_flow_for_client? config
    option (fixes #1398).

  • [#1402] Handle trying authorization with client credentials.
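
The serialization restriction from [#1371], sketched as an added example (not Doorkeeper's own code): an allowlisted `as_json`, a subclass that re-adds one field explicitly, and a check for unexpected keys in a JSON response. The class names, column names and sample row are assumptions constructed for illustration.

```ruby
require "json"

# Constructed stand-in for one application row; column names are assumptions.
SAMPLE_ROW = {
  "id" => 1, "name" => "Mobile app", "uid" => "constructed-uid",
  "secret" => "constructed-secret", "redirect_uri" => "https://client.example/cb",
  "created_at" => "2020-05-02T13:28:00Z"
}.freeze

class ApplicationStandIn
  SERIALIZABLE = %w[id name created_at].freeze

  def initialize(row)
    @row = row
  end

  # "Before" behaviour: every column is serialized, client secret included.
  def unrestricted_json
    JSON.generate(@row)
  end

  # Single place that decides which columns may leave the server.
  def serializable_attributes
    SERIALIZABLE
  end

  def as_json(*)
    @row.slice(*serializable_attributes)
  end

  def to_json(*)
    JSON.generate(as_json)
  end
end

# An app that relied on extra fields re-adds them by name, never wholesale.
class CustomApplication < ApplicationStandIn
  def serializable_attributes
    super + %w[redirect_uri]
  end
end

# Audit helper: keys present in a JSON response but absent from the allowlist.
def unexpected_keys(json, allowed)
  doc = JSON.parse(json)
  records = doc.is_a?(Array) ? doc : [doc]
  records.flat_map(&:keys).uniq - allowed
end
```

Running `unexpected_keys` against a saved response from your own `/oauth/applications.json` before and after upgrading shows which fields your clients will stop receiving.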

v5.3.2

02 May 13:41
8495a81
  • [#1371] Backport: Add #as_json method and attributes serialization restriction for Application model.
    Fixes information disclosure vulnerability (CVE-2020-10187).

v5.2.5

02 May 13:40
c8039ec
  • [#1371] Backport: Add #as_json method and attributes serialization restriction for Application model.
    Fixes information disclosure vulnerability (CVE-2020-10187).

v5.1.1

02 May 13:40
081d26b
  • [#1371] Backport: Add #as_json method and attributes serialization restriction for Application model.
    Fixes information disclosure vulnerability (CVE-2020-10187).

v5.0.3

02 May 13:56
7e1fed0
  • [#1371] Backport: add #as_json method and attributes serialization restriction for Application model.
    Fixes information disclosure vulnerability (CVE-2020-10187).

v5.4.0.rc1

08 Apr 07:41
ec060bc
v5.4.0.rc1 Pre-release
  • [#1366] Sets expiry of token generated using refresh_token to that of original token. (Fixes #1364)

  • [#1354] Add authorize_resource_owner_for_client option to authorize the calling user to access an application.

  • [#1355] Allow to enable polymorphic Resource Owner association for Access Token & Grant
    models (use_polymorphic_resource_owner configuration option).

    [IMPORTANT] Review any custom patches or extensions you have for Doorkeeper internals,
    since Doorkeeper now passes the Resource Owner instance to every object and not
    just its ID. See PR description for details.

  • [#1356] Remove duplicated scopes from Access Tokens and Grants on attribute assignment.

  • [#1357] Fix Doorkeeper::OAuth::PreAuthorization#as_json method causing
    Stack level too deep error with AMS (fix #1312).

  • [#1358] Deprecate active_record_options configuration option.

  • [#1359] Refactor Doorkeeper configuration options DSL to make it easy to reuse it
    in external extensions.

  • [#1360] Increase matching_token_for lookup size to 10 000 and make it configurable.

  • [#1371] Fix controllers to use valid classes in case Doorkeeper has custom models configured.

  • [#1370] Fix revocation response for invalid token and unauthorized requests to conform with RFC 7009 (fixes #1362).

    [IMPORTANT] Now, in full accordance with RFC 7009, nobody can make a revocation request without client_id
    (for public clients) and client_secret (for private clients). Please update your apps to include that
    info in the revocation request payload.

  • [#1373] Make Doorkeeper routes mapper reusable in extensions.

  • [#1374] Revoke and issue client credentials token in a transaction with a row lock.

  • [#1384] Add context object with auth/pre_auth and issued_token for authorization hooks.

  • [#1387] Add AccessToken#create_for and use in RefreshTokenRequest.

  • [#1392] Fix enable_polymorphic_resource_owner migration template to have proper index name.

  • [#1393] Improve Applications #show page with more informative data on client secret and scopes.

  • [#1394] Use Ruby autoload feature to load Doorkeeper files.

v5.3.1

09 Feb 09:45
110e6d3
  • [#1360] Backport: Increase matching_token_for batch lookup size to 10 000 and make it configurable.