Merge pull request #1293 from jasl/refactor-loading-validator

move AR specific redirect uri validator to AR ORM directory

Author: nbulaj

CHANGELOG.md

@@ -7,6 +7,7 @@ User-visible changes worth mentioning.
 
 ## master
 
+- [#1293] Move ar specific redirect uri validator to ar orm directory.
 - [#1288] Allow to pass attributes to the `Doorkeeper::OAuth::PreAuthorization#as_json` method to customize
   the PreAuthorization response.
 - [#1286] Add ability to customize grant flows per application (OAuth client) (#1245 , #1207)

app/validators/redirect_uri_validator.rb

@@ -2,8 +2,6 @@
 
 require "active_support/lazy_load_hooks"
 
-require "doorkeeper/orm/active_record/stale_records_cleaner"
-
 module Doorkeeper
   module Orm
     # ActiveRecord ORM for Doorkeeper entity models.
@@ -17,6 +15,8 @@ module Orm
     module ActiveRecord
       def self.initialize_models!
         lazy_load do
+          require "doorkeeper/orm/active_record/stale_records_cleaner"
+          require "doorkeeper/orm/active_record/redirect_uri_validator"
           require "doorkeeper/orm/active_record/access_grant"
           require "doorkeeper/orm/active_record/access_token"
           require "doorkeeper/orm/active_record/application"

lib/doorkeeper/orm/active_record.rb

@@ -11,7 +11,7 @@ class Application < ActiveRecord::Base
 
     validates :name, :secret, :uid, presence: true
     validates :uid, uniqueness: { case_sensitive: true }
-    validates :redirect_uri, redirect_uri: true
+    validates :redirect_uri, "doorkeeper/redirect_uri": true
     validates :confidential, inclusion: { in: [true, false] }
 
     validate :scopes_match_configured, if: :enforce_scopes?

lib/doorkeeper/orm/active_record/application.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require "uri"
+
+module Doorkeeper
+  # ActiveModel validator for redirect URI validation in according
+  # to OAuth standards and Doorkeeper configuration.
+  class RedirectUriValidator < ActiveModel::EachValidator
+    def validate_each(record, attribute, value)
+      if value.blank?
+        return if Doorkeeper.configuration.allow_blank_redirect_uri?(record)
+
+        record.errors.add(attribute, :blank)
+      else
+        value.split.each do |val|
+          next if oob_redirect_uri?(val)
+
+          uri = ::URI.parse(val)
+          record.errors.add(attribute, :forbidden_uri) if forbidden_uri?(uri)
+          record.errors.add(attribute, :fragment_present) unless uri.fragment.nil?
+          record.errors.add(attribute, :unspecified_scheme) if unspecified_scheme?(uri)
+          record.errors.add(attribute, :relative_uri) if relative_uri?(uri)
+          record.errors.add(attribute, :secured_uri) if invalid_ssl_uri?(uri)
+        end
+      end
+    rescue URI::InvalidURIError
+      record.errors.add(attribute, :invalid_uri)
+    end
+
+    private
+
+    def oob_redirect_uri?(uri)
+      Doorkeeper::OAuth::NonStandard::IETF_WG_OAUTH2_OOB_METHODS.include?(uri)
+    end
+
+    def forbidden_uri?(uri)
+      Doorkeeper.configuration.forbid_redirect_uri.call(uri)
+    end
+
+    def unspecified_scheme?(uri)
+      return true if uri.opaque.present?
+
+      %w[localhost].include?(uri.try(:scheme))
+    end
+
+    def relative_uri?(uri)
+      uri.scheme.nil? && uri.host.nil?
+    end
+
+    def invalid_ssl_uri?(uri)
+      forces_ssl = Doorkeeper.configuration.force_ssl_in_redirect_uri
+      non_https = uri.try(:scheme) == "http"
+
+      if forces_ssl.respond_to?(:call)
+        forces_ssl.call(uri) && non_https
+      else
+        forces_ssl && non_https
+      end
+    end
+  end
+end

lib/doorkeeper/orm/active_record/redirect_uri_validator.rb

@@ -2,7 +2,7 @@
 
 require "spec_helper"
 
-describe RedirectUriValidator do
+describe Doorkeeper::RedirectUriValidator do
   subject do
     FactoryBot.create(:application)
   end