Support multiple redirect_uris when creating OAuth 2.0 Applications (#29192)

2024-05-17 15:46:12 +02:00
parent 12472e7f40
commit 2da2a1dae9
7 changed files with 201 additions and 25 deletions
--- a/app/controllers/api/v1/apps/credentials_controller.rb
+++ b/app/controllers/api/v1/apps/credentials_controller.rb
@@ -4,6 +4,6 @@ class Api::V1::Apps::CredentialsController < Api::BaseController
  def show
    return doorkeeper_render_error unless valid_doorkeeper_token?

-    render json: doorkeeper_token.application, serializer: REST::ApplicationSerializer, fields: %i(name website vapid_key client_id scopes)
+    render json: doorkeeper_token.application, serializer: REST::ApplicationSerializer
  end
 end
--- a/app/controllers/api/v1/apps_controller.rb
+++ b/app/controllers/api/v1/apps_controller.rb
@@ -5,7 +5,7 @@ class Api::V1::AppsController < Api::BaseController

  def create
    @app = Doorkeeper::Application.create!(application_options)
-    render json: @app, serializer: REST::ApplicationSerializer
+    render json: @app, serializer: REST::CredentialApplicationSerializer
  end

  private
@@ -24,6 +24,6 @@ class Api::V1::AppsController < Api::BaseController
  end

  def app_params
-    params.permit(:client_name, :redirect_uris, :scopes, :website)
+    params.permit(:client_name, :scopes, :website, :redirect_uris, redirect_uris: [])
  end
 end
--- a/app/lib/application_extension.rb
+++ b/app/lib/application_extension.rb
@@ -23,6 +23,12 @@ module ApplicationExtension
    redirect_uri.lines.first.strip
  end

+  def redirect_uris
+    # Doorkeeper stores the redirect_uri value as a newline delimeted list in
+    # the database:
+    redirect_uri.split
+  end
+
  def push_to_streaming_api
    # TODO: #28793 Combine into a single topic
    payload = Oj.dump(event: :kill)
--- a/app/serializers/rest/application_serializer.rb
+++ b/app/serializers/rest/application_serializer.rb
@@ -1,24 +1,18 @@
 # frozen_string_literal: true

 class REST::ApplicationSerializer < ActiveModel::Serializer
-  attributes :id, :name, :website, :scopes, :redirect_uri,
-             :client_id, :client_secret
+  attributes :id, :name, :website, :scopes, :redirect_uris

  # NOTE: Deprecated in 4.3.0, needs to be removed in 5.0.0
  attribute :vapid_key

+  # We should consider this property deprecated for 4.3.0
+  attribute :redirect_uri
+
  def id
    object.id.to_s
  end

-  def client_id
-    object.uid
-  end
-
-  def client_secret
-    object.secret
-  end
-
  def website
    object.website.presence
  end
--- a/app/serializers/rest/credential_application_serializer.rb
+++ b/app/serializers/rest/credential_application_serializer.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+class REST::CredentialApplicationSerializer < REST::ApplicationSerializer
+  attributes :client_id, :client_secret
+
+  def client_id
+    object.uid
+  end
+
+  def client_secret
+    object.secret
+  end
+end