lib/doorkeeper/oauth/pre_authorization.rb
# frozen_string_literal: true
module Doorkeeper
module OAuth
class PreAuthorization
include Validations
validate :client_id, error: :invalid_request
validate :client, error: :invalid_client
validate :client_supports_grant_flow, error: :unauthorized_client
validate :resource_owner_authorize_for_client, error: :invalid_client
validate :redirect_uri, error: :invalid_redirect_uri
validate :params, error: :invalid_request
validate :response_type, error: :unsupported_response_type
validate :scopes, error: :invalid_scope
validate :code_challenge_method, error: :invalid_code_challenge_method
attr_reader :client, :code_challenge, :code_challenge_method, :missing_param,
:redirect_uri, :resource_owner, :response_type, :state
def initialize(server, parameters = {}, resource_owner = nil)
@server = server
@client_id = parameters[:client_id]
@response_type = parameters[:response_type]
@redirect_uri = parameters[:redirect_uri]
@scope = parameters[:scope]
@state = parameters[:state]
@code_challenge = parameters[:code_challenge]
@code_challenge_method = parameters[:code_challenge_method]
@resource_owner = resource_owner
end
def authorizable?
valid?
end
def scopes
Scopes.from_string(scope)
end
def scope
@scope.presence || (server.default_scopes.presence && build_scopes)
end
def error_response
if error == :invalid_request
OAuth::InvalidRequestResponse.from_request(
self,
response_on_fragment: response_on_fragment?,
)
else
OAuth::ErrorResponse.from_request(self, response_on_fragment: response_on_fragment?)
end
end
def as_json(_options = nil)
pre_auth_hash
end
private
attr_reader :client_id, :server
def build_scopes
client_scopes = client.scopes
if client_scopes.blank?
server.default_scopes.to_s
else
(server.default_scopes & client_scopes).to_s
end
end
def validate_client_id
@missing_param = :client_id if client_id.blank?
@missing_param.nil?
end
def validate_client
@client = OAuth::Client.find(client_id)
@client.present?
end
def validate_client_supports_grant_flow
Doorkeeper.config.allow_grant_flow_for_client?(grant_type, client.application)
end
def validate_redirect_uri
return false if redirect_uri.blank?
Helpers::URIChecker.valid_for_authorization?(
redirect_uri,
client.redirect_uri,
)
end
def validate_params
@missing_param = if response_type.blank?
:response_type
elsif @scope.blank? && server.default_scopes.blank?
:scope
end
@missing_param.nil?
end
def validate_response_type
server.authorization_response_types.include?(response_type)
end
def validate_scopes
Helpers::ScopeChecker.valid?(
scope_str: scope,
server_scopes: server.scopes,
app_scopes: client.scopes,
grant_type: grant_type,
)
end
def validate_code_challenge_method
code_challenge.blank? ||
(code_challenge_method.present? && code_challenge_method =~ /^plain$|^S256$/)
end
def validate_resource_owner_authorize_for_client
# The `authorize_resource_owner_for_client` config option is used for this validation
client.application.authorized_for_resource_owner?(@resource_owner)
end
def response_on_fragment?
response_type == "token"
end
def grant_type
response_type == "code" ? AUTHORIZATION_CODE : IMPLICIT
end
def pre_auth_hash
{
client_id: client.uid,
redirect_uri: redirect_uri,
state: state,
response_type: response_type,
scope: scope,
client_name: client.name,
status: I18n.t("doorkeeper.pre_authorization.status"),
}
end
end
end
end