Fix OAuth application authorization screen to appear with every access

7a0bb214 · Francisco Javier López · Sean McGivern · 4c09fb32 · 7a0bb214 · 7a0bb214
Commit 7a0bb214 authored Jun 29, 2018 by Francisco Javier López Committed by Sean McGivern Jun 29, 2018
3 changed files
--- a/changelogs/unreleased/fj-46278-apply-doorkeeper-scope-patch.yml
+++ b/changelogs/unreleased/fj-46278-apply-doorkeeper-scope-patch.yml
+---
+title: Fix OAuth Application Authorization screen to appear with each access
+merge_request: 20216
+author:
+type: fixed
--- a/config/initializers/doorkeeper.rb
+++ b/config/initializers/doorkeeper.rb
@@ -106,3 +106,53 @@ Doorkeeper.configure do

  base_controller '::Gitlab::BaseDoorkeeperController'
 end
+
+# Monkey patch to avoid creating new applications if the scope of the
+# app created does not match the complete list of scopes of the configured app.
+# It also prevents the OAuth authorize application window to appear every time.
+
+# Remove after we upgrade the doorkeeper gem from version 4.3.2
+if Doorkeeper.gem_version > Gem::Version.new('4.3.2')
+  raise "Doorkeeper was upgraded, please remove the monkey patch in #{__FILE__}"
+end
+
+module Doorkeeper
+  module AccessTokenMixin
+    module ClassMethods
+      def matching_token_for(application, resource_owner_or_id, scopes)
+        resource_owner_id =
+          if resource_owner_or_id.respond_to?(:to_key)
+            resource_owner_or_id.id
+          else
+            resource_owner_or_id
+          end
+
+        tokens = authorized_tokens_for(application.try(:id), resource_owner_id)
+        tokens.detect do |token|
+          scopes_match?(token.scopes, scopes, application.try(:scopes))
+        end
+      end
+
+      def scopes_match?(token_scopes, param_scopes, app_scopes)
+        return true if token_scopes.empty? && param_scopes.empty?
+
+        (token_scopes.sort == param_scopes.sort) &&
+          Doorkeeper::OAuth::Helpers::ScopeChecker.valid?(
+            param_scopes.to_s,
+            Doorkeeper.configuration.scopes,
+            app_scopes)
+      end
+
+      def authorized_tokens_for(application_id, resource_owner_id)
+        ordered_by(:created_at, :desc)
+          .where(application_id: application_id,
+                 resource_owner_id: resource_owner_id,
+                 revoked_at: nil)
+      end
+
+      def last_authorized_token_for(application_id, resource_owner_id)
+        authorized_tokens_for(application_id, resource_owner_id).first
+      end
+    end
+  end
+end
--- a/spec/controllers/oauth/authorizations_controller_spec.rb
+++ b/spec/controllers/oauth/authorizations_controller_spec.rb
@@ -2,19 +2,12 @@ require 'spec_helper'

 describe Oauth::AuthorizationsController do
  let(:user) { create(:user) }
-
-  let(:doorkeeper) do
-    Doorkeeper::Application.create(
-      name: "MyApp",
-      redirect_uri: 'http://example.com',
-      scopes: "")
-  end
-
+  let!(:application) { create(:oauth_application, scopes: 'api read_user', redirect_uri: 'http://example.com') }
  let(:params) do
    {
      response_type: "code",
-      client_id: doorkeeper.uid,
-      redirect_uri: doorkeeper.redirect_uri,
+      client_id: application.uid,
+      redirect_uri: application.redirect_uri,
      state: 'state'
    }
  end
@@ -44,7 +37,7 @@ describe Oauth::AuthorizationsController do
      end

      it 'deletes session.user_return_to and redirects when skip authorization' do
-        doorkeeper.update(trusted: true)
+        application.update(trusted: true)
        request.session['user_return_to'] = 'http://example.com'

        get :new, params
@@ -52,6 +45,25 @@ describe Oauth::AuthorizationsController do
        expect(request.session['user_return_to']).to be_nil
        expect(response).to have_gitlab_http_status(302)
      end
+
+      context 'when there is already an access token for the application' do
+        context 'when the request scope matches any of the created token scopes' do
+          before do
+            scopes = Doorkeeper::OAuth::Scopes.from_string('api')
+
+            allow(Doorkeeper.configuration).to receive(:scopes).and_return(scopes)
+
+            create :oauth_access_token, application: application, resource_owner_id: user.id, scopes: scopes
+          end
+
+          it 'authorizes the request and redirects' do
+            get :new, params
+
+            expect(request.session['user_return_to']).to be_nil
+            expect(response).to have_gitlab_http_status(302)
+          end
+        end
+      end
    end
  end
 end