Bump doorkeeper from 5.2.3 to 5.4.0 #1

Open

dependabot[bot] wants to merge 1 commit into master
@dependabot dependabot bot commented on behalf of github May 14, 2020

Bumps doorkeeper from 5.2.3 to 5.4.0.

Release notes

Sourced from doorkeeper's releases.

v5.4.0

  • #1404 Make Doorkeeper::Application#read_attribute_for_serialization public.

v5.2.6

No release notes provided.

v5.3.3

No release notes provided.

v5.3.2

  • #1371 Backport: Add #as_json method and attributes serialization restriction for Application model. Fixes information disclosure vulnerability (CVE-2020-10187).

v5.2.5

  • #1371 Backport: Add #as_json method and attributes serialization restriction for Application model. Fixes information disclosure vulnerability (CVE-2020-10187).

v5.4.0.rc2

  • #1371 Add #as_json method and attributes serialization restriction for Application model. Fixes information disclosure vulnerability (CVE-2020-10187).

    [IMPORTANT] You need to re-implement the #as_json method for the Doorkeeper Application model if you previously used #to_json serialization with custom options or attributes or rely on the JSON response from /oauth/applications.json or /oauth/authorized_applications.json. This change is a breaking change which restricts serialized attributes to a very small set of columns.

  • #1395 Fix NameError: uninitialized constant Doorkeeper::AccessToken for Rake tasks.

  • #1397 Add as: :doorkeeper_application on Doorkeeper application form in order to support custom configured application model.

  • #1400 Correctly yield the application instance to allow_grant_flow_for_client? config option (fixes #1398).

  • #1402 Handle trying authorization with client credentials.

v5.4.0.rc1

  • #1366 Set expiry of the token generated using refresh_token to that of the original token (fixes #1364).

  • #1354 Add authorize_resource_owner_for_client option to authorize the calling user to access an application.

  • #1355 Allow enabling a polymorphic Resource Owner association for Access Token & Grant models (use_polymorphic_resource_owner configuration option).

    [IMPORTANT] Review your custom patches or extensions for Doorkeeper internals if you have any, since Doorkeeper now passes the Resource Owner instance to every object and not just its ID. See PR description for details.

  • #1356 Remove duplicated scopes from Access Tokens and Grants on attribute assignment.

  • #1357 Fix Doorkeeper::OAuth::PreAuthorization#as_json method causing Stack level too deep error with AMS (fixes #1312).

  • #1358 Deprecate active_record_options configuration option.

  • #1359 Refactor Doorkeeper configuration options DSL to make it easy to reuse it in external extensions.

  • #1360 Increase matching_token_for lookup size to 10 000 and make it configurable.

... (truncated)
Changelog

Sourced from doorkeeper's changelog.

5.4.0

  • #1404 Make Doorkeeper::Application#read_attribute_for_serialization public.

5.4.0.rc2

  • #1371 Add #as_json method and attributes serialization restriction for Application model. Fixes information disclosure vulnerability (CVE-2020-10187).

    [IMPORTANT] You need to re-implement the #as_json method for the Doorkeeper Application model if you previously used #to_json serialization with custom options or attributes or rely on the JSON response from /oauth/applications.json or /oauth/authorized_applications.json. This change is a breaking change which restricts serialized attributes to a very small set of columns.

  • #1395 Fix NameError: uninitialized constant Doorkeeper::AccessToken for Rake tasks.

  • #1397 Add as: :doorkeeper_application on Doorkeeper application form in order to support custom configured application model.

  • #1400 Correctly yield the application instance to allow_grant_flow_for_client? config option (fixes #1398).

  • #1402 Handle trying authorization with client credentials.

5.4.0.rc1

  • #1366 Set expiry of the token generated using refresh_token to that of the original token (fixes #1364).

  • #1354 Add authorize_resource_owner_for_client option to authorize the calling user to access an application.

  • #1355 Allow enabling a polymorphic Resource Owner association for Access Token & Grant models (use_polymorphic_resource_owner configuration option).

    [IMPORTANT] Review your custom patches or extensions for Doorkeeper internals if you have any, since Doorkeeper now passes the Resource Owner instance to every object and not just its ID. See PR description for details.

  • #1356 Remove duplicated scopes from Access Tokens and Grants on attribute assignment.

  • #1357 Fix Doorkeeper::OAuth::PreAuthorization#as_json method causing Stack level too deep error with AMS (fixes #1312).

  • #1358 Deprecate active_record_options configuration option.

  • #1359 Refactor Doorkeeper configuration options DSL to make it easy to reuse it in external extensions.

  • #1360 Increase matching_token_for lookup size to 10 000 and make it configurable.

  • #1371 Fix controllers to use valid classes in case Doorkeeper has custom models configured.

  • #1370 Fix revocation response for invalid token and unauthorized requests to conform with RFC 7009 (fixes #1362).

    [IMPORTANT] Now, fully in accordance with RFC 7009, nobody can make a revocation request without client_id (for public clients) and client_secret (for private clients). Please update your apps to include that info in the revocation request payload.

  • #1373 Make Doorkeeper routes mapper reusable in extensions.

  • #1374 Revoke and issue client credentials token in a transaction with a row lock.

  • #1384 Add context object with auth/pre_auth and issued_token for authorization hooks.

  • #1387 Add AccessToken#create_for and use in RefreshTokenRequest.

  • #1392 Fix enable_polymorphic_resource_owner migration template to have proper index name.

... (truncated)
Commits
  • f0bd292 Release 5.4.0 🎉
  • 034d87e Code refactoring
  • f47f07c [ci skip] Benchmark stub
  • 384e7b0 Merge pull request #1405 from doorkeeper-gem/dependabot/bundler/danger-tw-8.0
  • 7e3cab7 [ci skip] Update CHANGELOG.md
  • 7e39c20 Merge pull request #1404 from irphilli/master
  • b5a0c16 Update danger requirement from ~> 7.0 to ~> 8.0
  • e98454c Make Doorkeeper::Application#read_attribute_for_serialization public.
  • e244864 Use defined ORM in config blocks in specs
  • b275c6a Update spec to consider all Rails versions
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.
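The [IMPORTANT] note on #1371 above says the 5.4.0 upgrade restricts Doorkeeper::Application serialization to a small allowlist of columns and that any custom #as_json must be revisited. The Ruby script below is an added example, not Doorkeeper's own code and not the change from PR #1371: on a stand-in application class with the usual column names it shows the unrestricted serialization that hands the client secret to anyone who can read /oauth/applications.json, next to an allowlist-based as_json in which a caller's only: option can narrow but never widen the set, plus a leak check a test suite can run over an index payload. The class name OAuthApplication, the current_owner_id option and all sample records are constructed for this example.

```ruby
require "json"

# Stand-in for an OAuth application record with the column set a Doorkeeper-style
# schema normally has. Constructed for this example; it is not Doorkeeper's model.
class OAuthApplication
  COLUMNS = %i[id name uid secret redirect_uri scopes confidential owner_id created_at].freeze
  SENSITIVE = %w[secret].freeze

  attr_reader(*COLUMNS)

  def initialize(attrs)
    COLUMNS.each { |col| instance_variable_set("@#{col}", attrs.fetch(col)) }
  end

  # Every column as a Hash, which is what a default ActiveModel-style to_json emits.
  # Returning this to any caller of an index endpoint is the information
  # disclosure CVE-2020-10187 describes.
  def as_json_unrestricted(_options = {})
    COLUMNS.to_h { |col| [col.to_s, public_send(col)] }
  end

  # Attributes safe to show to anyone allowed to list applications. The client
  # identifier is public for non-confidential clients only; the secret never is.
  def serializable_attributes
    attrs = %w[id name created_at]
    attrs << "uid" unless confidential
    attrs
  end

  # Restricted serialization. The owning account still sees everything (its own
  # settings page needs the credentials; current_owner_id is an option name
  # assumed for this example). Everyone else gets the allowlist, and a caller's
  # `only:` may narrow it but never widen it, so `only: [:secret]` yields nothing.
  def as_json(options = {})
    owner_opt = options[:current_owner_id]
    return as_json_unrestricted if owner_opt && owner_opt == owner_id

    allowed = serializable_attributes
    requested = Array(options[:only]).map(&:to_s)
    keys = requested.empty? ? allowed : (allowed & requested)
    keys.to_h { |key| [key, public_send(key)] }
  end

  def to_json(options = {})
    JSON.generate(as_json(options))
  end

  # What an index endpoint such as /oauth/applications.json would render.
  def self.index_payload(apps, options = {})
    apps.map { |app| app.as_json(options) }
  end

  # Defensive check for a serialized payload (Hash, Array or JSON string):
  # true if a sensitive column name appears as a key anywhere in it.
  def self.leaks_sensitive?(payload)
    payload = JSON.parse(payload) if payload.is_a?(String)
    walk_for_sensitive(payload)
  end

  def self.walk_for_sensitive(node)
    case node
    when Hash  then node.any? { |k, v| SENSITIVE.include?(k.to_s) || walk_for_sensitive(v) }
    when Array then node.any? { |v| walk_for_sensitive(v) }
    else false
    end
  end
end

# Constructed sample data (not real credentials): one confidential and one public client.
def sample_applications
  [
    OAuthApplication.new(id: 1, name: "Billing dashboard", uid: "billing-uid", secret: "billing-secret",
                         redirect_uri: "https://billing.example/callback", scopes: "read write",
                         confidential: true, owner_id: 42, created_at: "2020-05-14T00:00:00Z"),
    OAuthApplication.new(id: 2, name: "Mobile app", uid: "mobile-uid", secret: "mobile-secret",
                         redirect_uri: "com.example.mobile://oauth", scopes: "read",
                         confidential: false, owner_id: 7, created_at: "2020-05-14T00:00:00Z"),
  ]
end

if __FILE__ == $PROGRAM_NAME
  apps = sample_applications
  puts "before fix: #{JSON.generate(apps.map(&:as_json_unrestricted))}"
  puts "after fix:  #{JSON.generate(OAuthApplication.index_payload(apps))}"
  puts "as owner:   #{apps.first.to_json(current_owner_id: 42)}"
end
```

The intersection `allowed & requested` is the important detail: an override that merged caller options into the allowlist would reopen the leak through a crafted `only:`. Wiring `leaks_sensitive?` into a request spec for the JSON endpoints is a cheap regression guard after the upgrade.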

@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label May 14, 2020
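The changelog entry for #1370 says that, following RFC 7009, a revocation request now has to carry the client's credentials. As an added example (not Doorkeeper's code; the endpoint URL, client registry and credentials are constructed placeholders), the Ruby below builds such a request with the standard library's Net::HTTP for both a confidential client (HTTP Basic, RFC 6749 section 2.3.1) and a public client (client_id in the form body), and shows the matching server-side identification step that refuses a request whose client cannot be identified before any token is looked up.

```ruby
require "net/http"
require "uri"

# Placeholder endpoint (constructed for this example; not a real server).
REVOCATION_ENDPOINT = URI("https://auth.example/oauth/revoke")

# Constructed client registry (not real credentials).
CLIENTS = {
  "web-app"    => { secret: "s3cret-web", confidential: true },
  "mobile-app" => { secret: nil,          confidential: false },
}.freeze

# Client side. RFC 7009 section 2.1: POST the token (plus an optional
# token_type_hint) as form data and authenticate the client as in RFC 6749
# section 2.3. Confidential clients send client_id:client_secret via HTTP Basic;
# public clients, which have no secret, identify themselves with client_id in the body.
def build_revocation_request(token:, client_id:, client_secret: nil,
                             token_type_hint: "access_token", endpoint: REVOCATION_ENDPOINT)
  req = Net::HTTP::Post.new(endpoint)
  form = { "token" => token, "token_type_hint" => token_type_hint }
  if client_secret
    req.basic_auth(client_id, client_secret)
  else
    form["client_id"] = client_id
  end
  req.set_form_data(form) # also sets Content-Type: application/x-www-form-urlencoded
  req
end

# Server side. Identify the caller before touching any token: returns the
# client_id when the credentials check out, nil when the request must be refused.
# A confidential client is accepted only with its secret; a public client only by
# a registered client_id. Production code should compare the secret in constant
# time rather than with ==.
def authenticate_revocation_client(req, clients = CLIENTS)
  auth = req["authorization"]
  if auth && auth.start_with?("Basic ")
    id, secret = auth.sub("Basic ", "").unpack1("m0").split(":", 2)
    client = clients[id]
    return id if client && client[:confidential] && client[:secret] == secret
    return nil
  end
  id = URI.decode_www_form(req.body.to_s).to_h["client_id"]
  client = clients[id]
  client && !client[:confidential] ? id : nil
end

if __FILE__ == $PROGRAM_NAME
  [
    build_revocation_request(token: "tok-abc", client_id: "web-app", client_secret: "s3cret-web"),
    build_revocation_request(token: "tok-xyz", client_id: "mobile-app"),
    build_revocation_request(token: "tok-abc", client_id: "web-app"), # confidential client, no secret
  ].each do |req|
    puts "#{req.method} #{req.path} auth=#{req['authorization'].inspect} body=#{req.body.inspect}"
    puts "  -> client: #{authenticate_revocation_client(req).inspect}"
  end
end
```

The third request in the usage block is the case the changelog warns about: a confidential client that used to revoke with just the token now gets refused until it sends its secret, so client code calling /oauth/revoke needs updating alongside the gem bump.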