Issue with defining application_class in Doorkeeper config causing NoMethodError

Question

Issue with defining application_class in Doorkeeper config causing NoMethodError

giovannelli opened this issue a year ago · 0 comments

Issue

When defining the application_class in the Doorkeeper configuration, an error is encountered:

NoMethodError:
        undefined method `application' for #<Doorkeeper::Application id:...

The issue arises in the AuthorizationCodeRequest during the execution of the before_successful_response method.

def before_successful_response
  grant.transaction do
    grant.lock!
    raise Errors::InvalidGrantReuse if grant.revoked?

    grant.revoke

    find_or_create_access_token(
      grant.application,
      resource_owner,
      grant.scopes,
      custom_token_attributes_with_data,
      server,
    )
  end

  super
end

The problem appears to stem from the following code block in the base_request:

application = client.is_a?(Doorkeeper.config.application_model) ? client : client&.application

In certain cases, such as the one presented, this check fails to work as intended because the client instance is of type Doorkeeper::Application. This is due to the behavior of grant.application returning a Doorkeeper::Application instance instead of Doorkeeper.config.application_class.to_s, despite the AccessGrant relationship being correctly defined as shown below:

belongs_to :application, class_name: Doorkeeper.config.application_class.to_s,
                         optional: true,
                         inverse_of: :access_grants

To address this issue, a potential solution is to modify the AuthorizationCodeRequest.before_successful_response method as follows:

def before_successful_response
  grant.transaction do
    grant.lock!
    raise Errors::InvalidGrantReuse if grant.revoked?

    grant.revoke

    find_or_create_access_token(
      client,
      resource_owner,
      grant.scopes,
      custom_token_attributes_with_data,
      server,
    )
  end

  super
end

By passing client directly, similar to how it's done for other types of requests, the issue might be resolved.

Please share your thoughts on whether the proposed solution appears reasonable or if there are any crucial aspects that I may have overlooked.

System configuration

Doorkeeper Version: latest
Ruby Version: 3.2.2
Rails Version: 7.0.7.2

Doorkeeper initializer:

# config/initializers/doorkeeper.rb
Doorkeeper.configure do
    orm :active_record

    custom_access_token_expires_in { |context| context.client.expires_in }

    application_class "Application"
    access_token_class "AccessToken"
    access_token_generator "TokenEncoder"
    api_only
    base_controller "ActionController::API"
    allow_token_introspection do |token, authorized_client, authorized_token|
      [token&.application&.id, authorized_token&.application&.id].include?(authorized_client.id)
    end

    reuse_access_token
    use_refresh_token
    access_token_methods :from_bearer_authorization
    grant_flows %w[authorization_code password client_credentials].freeze
    realm REALM
  end