Module: Doorkeeper::AccessTokenMixin::ClassMethods

Defined in:

lib/doorkeeper/models/access_token_mixin.rb

Instance Method Summary

• #authorized_tokens_for(application_id, resource_owner) ⇒ ActiveRecord::Relation

  Looking for not revoked Access Token records that belongs to specific Application and Resource Owner.

• #by_previous_refresh_token(previous_refresh_token) ⇒ Doorkeeper::AccessToken^?

  Returns an instance of the Doorkeeper::AccessToken found by previous refresh token.

• #by_refresh_token(refresh_token) ⇒ Doorkeeper::AccessToken^?

  Returns an instance of the Doorkeeper::AccessToken with specific token value.

• #by_token(token) ⇒ Doorkeeper::AccessToken^?

  Returns an instance of the Doorkeeper::AccessToken with specific plain text token value.

• #create_for(application:, resource_owner:, scopes:, **token_attributes) ⇒ Doorkeeper::AccessToken

  Creates a not expired AccessToken record with a matching set of scopes that belongs to specific Application and Resource Owner.

• #custom_attributes_match?(token, custom_attributes) ⇒ Boolean

  Checks whether the token custom attribute values match the custom attributes from the parameters.

• #extract_custom_attributes(attributes) ⇒ Hash

  Extracts the token’s custom attributes (defined by the custom_access_token_attributes config option) from the token’s attributes.

• #fallback_secret_strategy ⇒ Object

  Determine the fallback storing strategy Unless configured, there will be no fallback.

• #find_access_token_in_batches(relation, **args, &block) ⇒ Object

  Interface to enumerate access token records in batches in order not to bloat the memory.

• #find_matching_token(relation, application, custom_attributes, scopes) ⇒ Doorkeeper::AccessToken^?

  Enumerates AccessToken records in batches to find a matching token.

• #find_or_create_for(application:, resource_owner:, scopes:, **token_attributes) ⇒ Doorkeeper::AccessToken

  Looking for not expired AccessToken record with a matching set of scopes that belongs to specific Application and Resource Owner.

• #last_authorized_token_for(application_id, resource_owner) ⇒ Doorkeeper::AccessToken^?

  Convenience method for backwards-compatibility, return the last matching token for the given Application and Resource Owner.

• #matching_token_for(application, resource_owner, scopes, custom_attributes: nil, include_expired: true) ⇒ Doorkeeper::AccessToken^?

  Looking for not revoked Access Token with a matching set of scopes that belongs to specific Application and Resource Owner.

• #revoke_all_for(application_id, resource_owner, clock = Time) ⇒ Object

  Revokes AccessToken records that have not been revoked and associated with the specific Application and Resource Owner.

• #scopes_match?(token_scopes, param_scopes, app_scopes) ⇒ Boolean

  Checks whether the token scopes match the scopes from the parameters.

• #secret_strategy ⇒ Doorkeeper::SecretStoring::Base

  Determines the secret storing transformer Unless configured otherwise, uses the plain secret strategy.

Instance Method Details

#authorized_tokens_for(application_id, resource_owner) ⇒ ActiveRecord::Relation

Looking for not revoked Access Token records that belongs to specific Application and Resource Owner.

Parameters:

• application_id (Integer) —

  ID of the Application model instance

• resource_owner (ActiveRecord::Base, Integer) —

  Resource Owner model instance or it’s ID

Returns:

• (ActiveRecord::Relation) —

  collection of matching AccessToken objects

# File 'lib/doorkeeper/models/access_token_mixin.rb', line 283

def authorized_tokens_for(application_id, resource_owner)
  by_resource_owner(resource_owner).where(
    application_id: application_id,
    revoked_at: nil,
  )
end

#by_previous_refresh_token(previous_refresh_token) ⇒ Doorkeeper::AccessToken^?

Returns an instance of the Doorkeeper::AccessToken found by previous refresh token. Keep in mind that value of the previous_refresh_token isn’t encrypted using secrets strategy.

Parameters:

• previous_refresh_token (#to_s) —

  previous refresh token value (any object that responds to ‘#to_s`)

Returns:

• (Doorkeeper::AccessToken, nil) —

  AccessToken object or nil if there is no record with such refresh token

# File 'lib/doorkeeper/models/access_token_mixin.rb', line 57

def by_previous_refresh_token(previous_refresh_token)
  find_by(refresh_token: previous_refresh_token)
end

#by_refresh_token(refresh_token) ⇒ Doorkeeper::AccessToken^?

Returns an instance of the Doorkeeper::AccessToken with specific token value.

Parameters:

• refresh_token (#to_s) —

  refresh token value (any object that responds to ‘#to_s`)

Returns:

• (Doorkeeper::AccessToken, nil) —

  AccessToken object or nil if there is no record with such refresh token

# File 'lib/doorkeeper/models/access_token_mixin.rb', line 42

def by_refresh_token(refresh_token)
  find_by_plaintext_token(:refresh_token, refresh_token)
end

#by_token(token) ⇒ Doorkeeper::AccessToken^?

Returns an instance of the Doorkeeper::AccessToken with specific plain text token value.

Parameters:

• token (#to_s) —

  Plain text token value (any object that responds to ‘#to_s`)

Returns:

• (Doorkeeper::AccessToken, nil) —

  AccessToken object or nil if there is no record with such token

# File 'lib/doorkeeper/models/access_token_mixin.rb', line 29

def by_token(token)
  find_by_plaintext_token(:token, token)
end

#create_for(application:, resource_owner:, scopes:, **token_attributes) ⇒ Doorkeeper::AccessToken

Creates a not expired AccessToken record with a matching set of scopes that belongs to specific Application and Resource Owner.

Parameters:

• application (Doorkeeper::Application) —

  Application instance

• resource_owner (ActiveRecord::Base, Integer) —

  Resource Owner model instance or it’s ID

• scopes (#to_s) —

  set of scopes (any object that responds to ‘#to_s`)

• token_attributes (Hash) —

  Additional attributes to use when creating a token

Options Hash (**token_attributes):

• :expires_in (Integer) —

  token lifetime in seconds

• :use_refresh_token (Boolean) —

  whether to use the refresh token

Returns:

• (Doorkeeper::AccessToken) —

  new access token

# File 'lib/doorkeeper/models/access_token_mixin.rb', line 257

def create_for(application:, resource_owner:, scopes:, **token_attributes)
  token_attributes[:application] = application
  token_attributes[:scopes] = scopes.to_s

  if Doorkeeper.config.polymorphic_resource_owner?
    token_attributes[:resource_owner] = resource_owner
  else
    token_attributes[:resource_owner_id] = resource_owner_id_for(resource_owner)
  end

  with_primary_role do
    create!(token_attributes)
  end
end

#custom_attributes_match?(token, custom_attributes) ⇒ Boolean

Checks whether the token custom attribute values match the custom attributes from the parameters.

Parameters:

• token (Doorkeeper::AccessToken) —

  The access token whose custom attributes are being compared to the custom_attributes.

• custom_attributes (Hash) —

  A hash of the attributes for which we want to determine whether the token’s custom attributes match.

Returns:

• (Boolean) —

  true if the token’s custom attribute values match those in the custom_attributes, or if both are empty/blank. False otherwise.

# File 'lib/doorkeeper/models/access_token_mixin.rb', line 189

def custom_attributes_match?(token, custom_attributes)
  return true if custom_attributes.nil?

  token_attribs = token.custom_attributes
  return true if token_attribs.blank? && custom_attributes.blank?

  Doorkeeper.config.custom_access_token_attributes.all? do |attribute|
    token_attribs[attribute] == custom_attributes[attribute]
  end
end

#extract_custom_attributes(attributes) ⇒ Hash

Extracts the token’s custom attributes (defined by the custom_access_token_attributes config option) from the token’s attributes.

Parameters:

• attributes (Hash) —

  A hash of the access token’s attributes.

Returns:

• (Hash) —

  A hash containing only the custom access token attributes.

# File 'lib/doorkeeper/models/access_token_mixin.rb', line 331

def extract_custom_attributes(attributes)
  attributes.with_indifferent_access.slice(
    *Doorkeeper.configuration.custom_access_token_attributes,
  )
end

#fallback_secret_strategy ⇒ Object

Determine the fallback storing strategy Unless configured, there will be no fallback

# File 'lib/doorkeeper/models/access_token_mixin.rb', line 320

def fallback_secret_strategy
  ::Doorkeeper.config.token_secret_fallback_strategy
end

#find_access_token_in_batches(relation, **args, &block) ⇒ Object

Interface to enumerate access token records in batches in order not to bloat the memory. Could be overloaded in any ORM extension.

# File 'lib/doorkeeper/models/access_token_mixin.rb', line 106

def find_access_token_in_batches(relation, **args, &block)
  relation.find_in_batches(**args, &block)
end

#find_matching_token(relation, application, custom_attributes, scopes) ⇒ Doorkeeper::AccessToken^?

Enumerates AccessToken records in batches to find a matching token. Batching is required in order not to pollute the memory if Application has huge amount of associated records.

ActiveRecord 5.x - 6.x ignores custom ordering so we can’t perform a database sort by created_at, so we need to load all the matching records, sort them and find latest one.

Parameters:

• relation (ActiveRecord::Relation) —

  Access tokens relation

• application (Doorkeeper::Application) —

  Application instance

• scopes (String, Doorkeeper::OAuth::Scopes) —

  set of scopes

• custom_attributes (Nilable Hash) —

  A nil value, or hash with keys corresponding to the custom attributes configured with the ‘custom_access_token_attributes` config option. A nil value will ignore custom attributes.

Returns:

• (Doorkeeper::AccessToken, nil) —

  Access Token instance or nil if matching record was not found

# File 'lib/doorkeeper/models/access_token_mixin.rb', line 132

def find_matching_token(relation, application, custom_attributes, scopes)
  return nil unless relation

  matching_tokens = []
  batch_size = Doorkeeper.configuration.token_lookup_batch_size

  find_access_token_in_batches(relation, batch_size: batch_size) do |batch|
    tokens = batch.select do |token|
      scopes_match?(token.scopes, scopes, application&.scopes) &&
        custom_attributes_match?(token, custom_attributes)
    end

    matching_tokens.concat(tokens)
  end

  matching_tokens.max_by(&:created_at)
end

#find_or_create_for(application:, resource_owner:, scopes:, **token_attributes) ⇒ Doorkeeper::AccessToken

Looking for not expired AccessToken record with a matching set of scopes that belongs to specific Application and Resource Owner. If it doesn’t exists - then creates it.

Parameters:

• application (Doorkeeper::Application) —

  Application instance

• resource_owner (ActiveRecord::Base, Integer) —

  Resource Owner model instance or it’s ID

• scopes (#to_s) —

  set of scopes (any object that responds to ‘#to_s`)

• token_attributes (Hash) —

  Additional attributes to use when creating a token

Options Hash (**token_attributes):

• :expires_in (Integer) —

  token lifetime in seconds

• :use_refresh_token (Boolean) —

  whether to use the refresh token

Returns:

• (Doorkeeper::AccessToken) —

  existing record or a new one

# File 'lib/doorkeeper/models/access_token_mixin.rb', line 219

def find_or_create_for(application:, resource_owner:, scopes:, **token_attributes)
  scopes = Doorkeeper::OAuth::Scopes.from_string(scopes) if scopes.is_a?(String)

  if Doorkeeper.config.reuse_access_token
    custom_attributes = extract_custom_attributes(token_attributes).presence
    access_token = matching_token_for(
      application, resource_owner, scopes, custom_attributes: custom_attributes, include_expired: false,
    )

    return access_token if access_token&.reusable?
  end

  create_for(
    application: application,
    resource_owner: resource_owner,
    scopes: scopes,
    **token_attributes,
  )
end

#last_authorized_token_for(application_id, resource_owner) ⇒ Doorkeeper::AccessToken^?

Convenience method for backwards-compatibility, return the last matching token for the given Application and Resource Owner.

Parameters:

• application_id (Integer) —

  ID of the Application model instance

• resource_owner (ActiveRecord::Base, Integer) —

  ID of the Resource Owner model instance

Returns:

• (Doorkeeper::AccessToken, nil) —

  matching AccessToken object or nil if nothing was found

# File 'lib/doorkeeper/models/access_token_mixin.rb', line 301

def last_authorized_token_for(application_id, resource_owner)
  authorized_tokens_for(application_id, resource_owner)
    .ordered_by(:created_at, :desc)
    .first
end

#matching_token_for(application, resource_owner, scopes, custom_attributes: nil, include_expired: true) ⇒ Doorkeeper::AccessToken^?

Looking for not revoked Access Token with a matching set of scopes that belongs to specific Application and Resource Owner.

Parameters:

• application (Doorkeeper::Application) —

  Application instance

• resource_owner (ActiveRecord::Base, Integer) —

  Resource Owner model instance or it’s ID

• scopes (String, Doorkeeper::OAuth::Scopes) —

  set of scopes

• custom_attributes (Nilable Hash) (defaults to: nil) —

  A nil value, or hash with keys corresponding to the custom attributes configured with the ‘custom_access_token_attributes` config option. A nil value will ignore custom attributes.

Returns:

• (Doorkeeper::AccessToken, nil) —

  Access Token instance or nil if matching record was not found

# File 'lib/doorkeeper/models/access_token_mixin.rb', line 97

def matching_token_for(application, resource_owner, scopes, custom_attributes: nil, include_expired: true)
  tokens = authorized_tokens_for(application&.id, resource_owner)
  tokens = tokens.not_expired unless include_expired
  find_matching_token(tokens, application, custom_attributes, scopes)
end

#revoke_all_for(application_id, resource_owner, clock = Time) ⇒ Object

Revokes AccessToken records that have not been revoked and associated with the specific Application and Resource Owner.

Parameters:

• application_id (Integer) —

  ID of the Application

• resource_owner (ActiveRecord::Base, Integer) —

  instance of the Resource Owner model or it’s ID

# File 'lib/doorkeeper/models/access_token_mixin.rb', line 69

def revoke_all_for(application_id, resource_owner, clock = Time)
  with_primary_role do
    by_resource_owner(resource_owner)
      .where(
        application_id: application_id,
        revoked_at: nil,
      )
      .update_all(revoked_at: clock.now.utc)
  end
end

#scopes_match?(token_scopes, param_scopes, app_scopes) ⇒ Boolean

Checks whether the token scopes match the scopes from the parameters

Parameters:

• token_scopes (#to_s) —

  set of scopes (any object that responds to ‘#to_s`)

• param_scopes (Doorkeeper::OAuth::Scopes) —

  scopes from params

• app_scopes (Doorkeeper::OAuth::Scopes) —

  Application scopes

Returns:

• (Boolean) —

  true if the param scopes match the token scopes, and all the param scopes are defined in the application (or in the server configuration if the application doesn’t define any scopes), and false in other cases

# File 'lib/doorkeeper/models/access_token_mixin.rb', line 164

def scopes_match?(token_scopes, param_scopes, app_scopes)
  return true if token_scopes.empty? && param_scopes.empty?

  (token_scopes.sort == param_scopes.sort) &&
    Doorkeeper::OAuth::Helpers::ScopeChecker.valid?(
      scope_str: param_scopes.to_s,
      server_scopes: Doorkeeper.config.scopes,
      app_scopes: app_scopes,
    )
end

#secret_strategy ⇒ Doorkeeper::SecretStoring::Base

Determines the secret storing transformer Unless configured otherwise, uses the plain secret strategy

Returns:

• (Doorkeeper::SecretStoring::Base)

# File 'lib/doorkeeper/models/access_token_mixin.rb', line 313

def secret_strategy
  ::Doorkeeper.config.token_secret_strategy
end