Class: Doorkeeper::AccessToken

Inherits:

Object

• Object
• Doorkeeper::AccessToken

Includes:

Rethinkdb::Timestamps, Models::Accessible, Models::Expirable, Models::Reusable, Models::Revocable, Models::Scopes, Models::SecretStorable, NoBrainer::Document, OAuth::Helpers

Defined in:

lib/support/orm/rethinkdb/access_token.rb

Instance Attribute Summary

• #use_refresh_token ⇒ Object writeonly

  Sets the attribute use_refresh_token.

Class Method Summary

• .by_previous_refresh_token(previous_refresh_token) ⇒ Doorkeeper::AccessToken^?

  Returns an instance of the Doorkeeper::AccessToken found by previous refresh token.

• .by_refresh_token(refresh_token) ⇒ Doorkeeper::AccessToken^?

  Returns an instance of the Doorkeeper::AccessToken with specific token value.

• .by_token(token) ⇒ Doorkeeper::AccessToken^?

  Returns an instance of the Doorkeeper::AccessToken with specific token value.

• .create_for(application:, resource_owner:, scopes:, **token_attributes) ⇒ Object
• .fallback_secret_strategy ⇒ Object

  Determine the fallback storing strategy Unless configured, there will be no fallback.

• .find_by_plaintext_token(attr, token) ⇒ Object
• .find_or_create_for(application:, resource_owner:, scopes:, **token_attributes) ⇒ Doorkeeper::AccessToken

  Looking for not expired AccessToken record with a matching set of scopes that belongs to specific Application and Resource Owner.

• .last_authorized_token_for(application_id, resource_owner_id) ⇒ Doorkeeper::AccessToken^?

  Looking for not revoked Access Token record that belongs to specific Application and Resource Owner.

• .matching_token_for(application, resource_owner_or_id, scopes) ⇒ Doorkeeper::AccessToken^?

  Looking for not expired Access Token with a matching set of scopes that belongs to specific Application and Resource Owner.

• .refresh_token_revoked_on_use? ⇒ Boolean
• .revoke_all_for(application_id, resource_owner) ⇒ Object

  Revokes AccessToken records that have not been revoked and associated with the specific Application and Resource Owner.

• .scopes_match?(token_scopes, param_scopes, app_scopes) ⇒ Boolean

  Checks whether the token scopes match the scopes from the parameters or Application scopes (if present).

• .secret_strategy ⇒ Doorkeeper::SecretStoring::Base

  Determines the secret storing transformer Unless configured otherwise, uses the plain secret strategy.

Instance Method Summary

• #acceptable?(scopes) ⇒ Boolean

  Indicates if token is acceptable for specific scopes.

• #as_json(_options = {}) ⇒ Hash

  JSON representation of the Access Token instance.

• #lock! ⇒ Object
• #revoke(clock = Time) ⇒ Object
• #revoke_previous_refresh_token! ⇒ Object

  Revokes token with ‘:refresh_token` equal to `:previous_refresh_token` and clears `:previous_refresh_token` attribute.

• #same_credential?(access_token) ⇒ Boolean

  Indicates whether the token instance have the same credential as the other Access Token.

• #token_type ⇒ Object

  Access Token type: Bearer.

• #transaction ⇒ Object
• #use_refresh_token? ⇒ Boolean

Methods included from Rethinkdb::Timestamps

#created_at, #revoked_at, #revoked_at=

Instance Attribute Details

#use_refresh_token=(value) ⇒ Object (writeonly)

Sets the attribute use_refresh_token

Parameters:

• value —

  the value to set the attribute use_refresh_token to.

# File 'lib/support/orm/rethinkdb/access_token.rb', line 18

def use_refresh_token=(value)
  @use_refresh_token = value
end

Class Method Details

.by_previous_refresh_token(previous_refresh_token) ⇒ Doorkeeper::AccessToken^?

Returns an instance of the Doorkeeper::AccessToken found by previous refresh token. Keep in mind that value of the previous_refresh_token isn’t encrypted using secrets strategy.

Parameters:

• previous_refresh_token (#to_s) —

  previous refresh token value (any object that responds to ‘#to_s`)

Returns:

• (Doorkeeper::AccessToken, nil) —

  AccessToken object or nil if there is no record with such refresh token

# File 'lib/support/orm/rethinkdb/access_token.rb', line 86

def by_previous_refresh_token(previous_refresh_token)
  return nil unless previous_refresh_token.present?
  where(previous_refresh_token: previous_refresh_token).first
end

.by_refresh_token(refresh_token) ⇒ Doorkeeper::AccessToken^?

Returns an instance of the Doorkeeper::AccessToken with specific token value.

Parameters:

• refresh_token (#to_s) —

  refresh token value (any object that responds to ‘#to_s`)

Returns:

• (Doorkeeper::AccessToken, nil) —

  AccessToken object or nil if there is no record with such refresh token

# File 'lib/support/orm/rethinkdb/access_token.rb', line 71

def by_refresh_token(refresh_token)
  find_by_plaintext_token(:refresh_token, refresh_token)
end

.by_token(token) ⇒ Doorkeeper::AccessToken^?

Returns an instance of the Doorkeeper::AccessToken with specific token value.

Parameters:

• token (#to_s) —

  token value (any object that responds to ‘#to_s`)

Returns:

• (Doorkeeper::AccessToken, nil) —

  AccessToken object or nil if there is no record with such token

# File 'lib/support/orm/rethinkdb/access_token.rb', line 58

def by_token(token)
  find_by_plaintext_token(:token, token)
end

.create_for(application:, resource_owner:, scopes:, **token_attributes) ⇒ Object

# File 'lib/support/orm/rethinkdb/access_token.rb', line 200

def create_for(application:, resource_owner:, scopes:, **token_attributes)
  token_attributes[:application_id] = application&.id
  token_attributes[:scopes] = scopes.to_s

  resource_owner = resource_owner.try(:id) || resource_owner
  token_attributes[:resource_owner_id] = resource_owner || application.try(:owner_id)

  create!(**token_attributes)
end

.fallback_secret_strategy ⇒ Object

Determine the fallback storing strategy Unless configured, there will be no fallback

# File 'lib/support/orm/rethinkdb/access_token.rb', line 223

def fallback_secret_strategy
  ::Doorkeeper.config.token_secret_fallback_strategy
end

.find_by_plaintext_token(attr, token) ⇒ Object

# File 'lib/support/orm/rethinkdb/access_token.rb', line 44

def find_by_plaintext_token(attr, token)
  # We are not implementing the fallback strategy
  where(attr => secret_strategy.transform_secret(token.to_s)).first
end

.find_or_create_for(application:, resource_owner:, scopes:, **token_attributes) ⇒ Doorkeeper::AccessToken

Looking for not expired AccessToken record with a matching set of scopes that belongs to specific Application and Resource Owner. If it doesn’t exists - then creates it.

Parameters:

• application (Doorkeeper::Application) —

  Application instance

• resource_owner_id (ActiveRecord::Base, Integer) —

  Resource Owner model instance or it’s ID

• scopes (#to_s) —

  set of scopes (any object that responds to ‘#to_s`)

• expires_in (Integer) —

  token lifetime in seconds

• use_refresh_token (Boolean) —

  whether to use the refresh token

Returns:

• (Doorkeeper::AccessToken) —

  existing record or a new one

# File 'lib/support/orm/rethinkdb/access_token.rb', line 183

def find_or_create_for(application:, resource_owner:, scopes:, **token_attributes)
  resource_owner = resource_owner.try(:id) || resource_owner

  if Doorkeeper.config.reuse_access_token
    access_token = matching_token_for(application, resource_owner, scopes)

    return access_token if access_token&.reusable?
  end

  create!(
    application_id:    application.try(:id),
    resource_owner_id: resource_owner || application.try(:owner_id),
    scopes:            scopes.to_s,
    **token_attributes,
  )
end

.last_authorized_token_for(application_id, resource_owner_id) ⇒ Doorkeeper::AccessToken^?

Looking for not revoked Access Token record that belongs to specific Application and Resource Owner.

Parameters:

• application_id (Integer) —

  ID of the Application model instance

• resource_owner_id (Integer) —

  ID of the Resource Owner model instance

Returns:

• (Doorkeeper::AccessToken, nil) —

  matching AccessToken object or nil if nothing was found

# File 'lib/support/orm/rethinkdb/access_token.rb', line 116

def last_authorized_token_for(application_id, resource_owner_id)
  resource_owner_id = resource_owner_id.try(:id) || resource_owner_id
  result = where(application_id: application_id, resource_owner_id: resource_owner_id).last
  return nil unless result
  result[:revoked_at] ? nil : result
end

.matching_token_for(application, resource_owner_or_id, scopes) ⇒ Doorkeeper::AccessToken^?

Looking for not expired Access Token with a matching set of scopes that belongs to specific Application and Resource Owner.

Parameters:

• application (Doorkeeper::Application) —

  Application instance

• resource_owner_or_id (ActiveRecord::Base, Integer) —

  Resource Owner model instance or it’s ID

• scopes (String, Doorkeeper::OAuth::Scopes) —

  set of scopes

Returns:

• (Doorkeeper::AccessToken, nil) —

  Access Token instance or nil if matching record was not found

# File 'lib/support/orm/rethinkdb/access_token.rb', line 136

def matching_token_for(application, resource_owner_or_id, scopes)
  resource_owner_id = resource_owner_or_id.try(:id) || resource_owner_or_id
  token = last_authorized_token_for(application.try(:id), resource_owner_id)
  if token && scopes_match?(token.scopes, scopes, application.try(:scopes))
    token
  end
end

.refresh_token_revoked_on_use? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/support/orm/rethinkdb/access_token.rb', line 40

def refresh_token_revoked_on_use?
  true
end

.revoke_all_for(application_id, resource_owner) ⇒ Object

Revokes AccessToken records that have not been revoked and associated with the specific Application and Resource Owner.

Parameters:

• application_id (Integer) —

  ID of the Application

• resource_owner (ActiveRecord::Base) —

  instance of the Resource Owner model

# File 'lib/support/orm/rethinkdb/access_token.rb', line 99

def revoke_all_for(application_id, resource_owner)
  where(application_id: application_id, resource_owner_id: resource_owner.id).each do |at|
    at.revoke
  end
end

.scopes_match?(token_scopes, param_scopes, app_scopes) ⇒ Boolean

Checks whether the token scopes match the scopes from the parameters or Application scopes (if present).

Parameters:

• token_scopes (#to_s) —

  set of scopes (any object that responds to ‘#to_s`)

• param_scopes (String) —

  scopes from params

• app_scopes (String) —

  Application scopes

Returns:

• (Boolean) —

  true if all scopes and blank or matches and false in other cases

# File 'lib/support/orm/rethinkdb/access_token.rb', line 157

def scopes_match?(token_scopes, param_scopes, app_scopes)
  (!token_scopes.present? && !param_scopes.present?) ||
    Doorkeeper::OAuth::Helpers::ScopeChecker.match?(
      token_scopes.to_s,
      param_scopes,
      app_scopes
    )
end

.secret_strategy ⇒ Doorkeeper::SecretStoring::Base

Determines the secret storing transformer Unless configured otherwise, uses the plain secret strategy

Returns:

• (Doorkeeper::SecretStoring::Base)

# File 'lib/support/orm/rethinkdb/access_token.rb', line 216

def secret_strategy
  ::Doorkeeper.config.token_secret_strategy
end

Instance Method Details

#acceptable?(scopes) ⇒ Boolean

Indicates if token is acceptable for specific scopes.

Parameters:

• scopes (Array<String>) —

  scopes

Returns:

• (Boolean) —

  true if record is accessible and includes scopes or false in other cases

# File 'lib/support/orm/rethinkdb/access_token.rb', line 273

def acceptable?(scopes)
  accessible? && includes_scope?(*scopes)
end

#as_json(_options = {}) ⇒ Hash

JSON representation of the Access Token instance.

Returns:

• (Hash) —

  hash with token data

# File 'lib/support/orm/rethinkdb/access_token.rb', line 244

def as_json(_options = {})
  {
    resource_owner_id:  resource_owner_id,
    scopes:             scopes,
    expires_in_seconds: expires_in_seconds,
    application:        { uid: application.try(:uid) },
    created_at:         created_at.to_i
  }
end

#lock! ⇒ Object

# File 'lib/support/orm/rethinkdb/access_token.rb', line 316

def lock!; end

#revoke(clock = Time) ⇒ Object

# File 'lib/support/orm/rethinkdb/access_token.rb', line 310

def revoke(clock = Time)
  self.revoked_at = clock.now.utc
  self.save!
end

#revoke_previous_refresh_token! ⇒ Object

Revokes token with ‘:refresh_token` equal to `:previous_refresh_token` and clears `:previous_refresh_token` attribute.

# File 'lib/support/orm/rethinkdb/access_token.rb', line 304

def revoke_previous_refresh_token!
  return unless self.class.refresh_token_revoked_on_use?
  self.previous_refresh_token = ''
  self.save!
end

#same_credential?(access_token) ⇒ Boolean

Indicates whether the token instance have the same credential as the other Access Token.

Parameters:

• access_token (Doorkeeper::AccessToken) —

  other token

Returns:

• (Boolean) —

  true if credentials are same of false in other cases

# File 'lib/support/orm/rethinkdb/access_token.rb', line 261

def same_credential?(access_token)
  application_id == access_token.application_id &&
  resource_owner_id == access_token.resource_owner_id
end

#token_type ⇒ Object

Access Token type: Bearer.

See Also:

• The OAuth 2.0 Authorization Framework: Bearer Token Usage

# File 'lib/support/orm/rethinkdb/access_token.rb', line 232

def token_type
  'bearer'
end

#transaction ⇒ Object

# File 'lib/support/orm/rethinkdb/access_token.rb', line 315

def transaction; yield; end

#use_refresh_token? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/support/orm/rethinkdb/access_token.rb', line 236

def use_refresh_token?
  @use_refresh_token ||= false
  !!@use_refresh_token
end