Releases: doorkeeper-gem/doorkeeper
v5.3.3
v5.2.6
v5.1.2
v5.4.0.rc2
- [#1371] Add `#as_json` method and attributes serialization restriction for Application model. Fixes information disclosure vulnerability (CVE-2020-10187). [IMPORTANT] You need to re-implement the `#as_json` method for the Doorkeeper Application model if you previously used `#to_json` serialization with custom options or attributes, or if you rely on the JSON response from /oauth/applications.json or /oauth/authorized_applications.json. This is a breaking change which restricts serialized attributes to a very small set of columns.
- [#1395] Fix `NameError: uninitialized constant Doorkeeper::AccessToken` for Rake tasks.
- [#1397] Add `as: :doorkeeper_application` on the Doorkeeper application form in order to support a custom configured application model.
- [#1400] Correctly yield the application instance to the `allow_grant_flow_for_client?` config option (fixes #1398).
- [#1402] Handle authorization attempts using client credentials.
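As an added illustration of the serialization restriction behind CVE-2020-10187 (constructed stand-in classes, not Doorkeeper's own Application model; the column names and the "safe" attribute set are assumptions): a model whose default `as_json` dumps every column leaks the client secret through any JSON listing, while an override that whitelists columns and ignores caller-supplied options does not.

```ruby
require "json"

# Constructed stand-in for an OAuth application record (not Doorkeeper's model).
# Column names are assumptions chosen to resemble such a table.
class LeakyApplication
  attr_reader :attributes

  def initialize(attrs)
    @attributes = attrs
  end

  # Naive serialization: every column, including the client secret, is emitted.
  def as_json(_options = nil)
    attributes
  end

  def to_json(*args)
    as_json.to_json(*args)
  end
end

# Hardened variant: only an explicit whitelist of columns is serialized.
# Caller-supplied options such as :only / :except / :methods are ignored so a
# JSON listing endpoint cannot be coaxed into widening the exposed set.
class SafeApplication < LeakyApplication
  PUBLIC_ATTRIBUTES = %w[id name uid created_at].freeze # assumed safe set

  def as_json(_options = nil)
    attributes.slice(*PUBLIC_ATTRIBUTES)
  end
end

# Constructed sample row; the secret and redirect URI are placeholders.
SAMPLE_ROW = {
  "id" => 1,
  "name" => "Demo app",
  "uid" => "client-uid-constructed",
  "secret" => "client-secret-constructed",
  "redirect_uri" => "https://example.test/callback",
  "created_at" => "2020-03-01T00:00:00Z"
}.freeze

# True when the serialized form of the record exposes the "secret" column.
def leaks_secret?(app)
  JSON.parse(app.to_json).key?("secret")
end
```

To expose an extra column deliberately, widen the whitelist in the override rather than passing request-controlled options through to the serializer.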
v5.3.2
v5.2.5
v5.1.1
v5.0.3
v5.4.0.rc1
- [#1366] Set the expiry of a token generated using `refresh_token` to that of the original token (fixes #1364).
- [#1354] Add `authorize_resource_owner_for_client` option to authorize the calling user to access an application.
- [#1355] Allow enabling a polymorphic Resource Owner association for Access Token & Grant models (`use_polymorphic_resource_owner` configuration option). [IMPORTANT] Review your custom patches or extensions for Doorkeeper internals, if you have any, since Doorkeeper now passes the Resource Owner instance to every object and not just its ID. See the PR description for details.
- [#1356] Remove duplicated scopes from Access Tokens and Grants on attribute assignment.
- [#1357] Fix `Doorkeeper::OAuth::PreAuthorization#as_json` method causing a `Stack level too deep` error with AMS (fixes #1312).
- [#1358] Deprecate `active_record_options` configuration option.
- [#1359] Refactor Doorkeeper configuration options DSL to make it easy to reuse in external extensions.
- [#1360] Increase `matching_token_for` lookup size to 10 000 and make it configurable.
- [#1371] Fix controllers to use valid classes in case Doorkeeper has custom models configured.
- [#1370] Fix revocation response for invalid token and unauthorized requests to conform with RFC 7009 (fixes #1362). [IMPORTANT] Now, fully in accordance with RFC 7009, nobody can make a revocation request without `client_id` (for public clients) and `client_secret` (for private clients). Please update your apps to include that info in the revocation request payload.
- [#1373] Make Doorkeeper routes mapper reusable in extensions.
- [#1374] Revoke and issue client credentials token in a transaction with a row lock.
- [#1384] Add context object with auth/pre_auth and issued_token for authorization hooks.
- [#1387] Add `AccessToken#create_for` and use it in `RefreshTokenRequest`.
- [#1392] Fix `enable_polymorphic_resource_owner` migration template to have a proper index name.
- [#1393] Improve Applications #show page with more informative data on client secret and scopes.
- [#1394] Use Ruby `autoload` feature to load Doorkeeper files.