Doorkeeper v5.1.0.rc2 Release Notes
Release Date: 2019-03-22
[#1208] Unify hashing implementation into secret storing strategies.
  [IMPORTANT]: If you have been using the master branch of doorkeeper with bcrypt in your Gemfile.lock,
  your application secrets have been hashed using BCrypt. To restore this behavior, use the initializer option
  `use_application_hashing using: 'Doorkeeper::SecretStoring::BCrypt'`.
[#1216] Add nil check to `expires_at` method.
[#1215] Fix deprecations for Rails 6.
[#1214] Scopes field accepts array.
[#1209] Fix tokens validation for Token Introspection request.
[#1202] Use correct HTTP status codes for error responses.
  [IMPORTANT]: this change might break your application if you were relying on the previous
  401 status codes: this is now a 400 by default, or a 401 for `invalid_client` and `invalid_token` errors.
[#1201] Fix custom TTL block `client` parameter to always be a `Doorkeeper::Application` instance.
  [IMPORTANT]: those who defined the `custom_access_token_expires_in` configuration option need to check
  their block implementation: if you are using `oauth_client.application` to get the `Doorkeeper::Application`
  instance, then you need to replace it with just `oauth_client`.
[#1200] Increase default Doorkeeper access token value complexity (`urlsafe_base64` instead of just `hex`),
  matching RFC6749/RFC6750.
  [IMPORTANT]: this change has possible side effects if you have custom database constraints for
  access token values, application secrets or refresh tokens, if you patched Doorkeeper models and introduced
  token value validations, or if you are using a database with a case-insensitive WHERE clause like MySQL
  (you can face some collisions). Before this change the access token value matched the `[a-f0-9]` regex, and now
  it matches `[a-zA-Z0-9\-_]`. If you have such restrictions and you don't use a custom token generator,
  please change the configuration option `default_generator_method` to `:hex`.
[#1195] Allow customizing the Token Introspection response (fixes #1194).
[#1189] Option to set `token_reuse_limit`.
[#1191] Try to load bcrypt for hashing of application secrets, but add fallback.
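
A pre-upgrade check for the #1200 change, as an added example that is not part of the release notes or of Doorkeeper's code: it tests whether an existing token validation regex still accepts the new `urlsafe_base64` alphabet and finds values that a case-insensitive comparison would treat as equal. The helper names, the 32-byte token size and the sample values are assumptions made for illustration.

```ruby
require 'securerandom'

# Token alphabets quoted in the #1200 note, anchored to the whole value.
HEX_FORMAT     = /\A[a-f0-9]+\z/        # default before the change
URLSAFE_FORMAT = /\A[a-zA-Z0-9\-_]+\z/  # default after the change

# Classify a stored token value by the narrowest alphabet it fits.
def token_format(value)
  return :hex if value.match?(HEX_FORMAT)
  return :urlsafe_base64 if value.match?(URLSAFE_FORMAT)
  :unknown
end

# True when a custom validation or constraint regex (hypothetical, supplied by
# the caller) still accepts freshly generated urlsafe_base64 tokens.
def constraint_accepts_new_tokens?(constraint, samples: 100, bytes: 32)
  Array.new(samples) { SecureRandom.urlsafe_base64(bytes) }
       .all? { |token| token.match?(constraint) }
end

# Groups of distinct values that a case-insensitive comparison (for example a
# MySQL *_ci collation in a WHERE clause) would treat as the same token.
def case_insensitive_collisions(values)
  values.uniq.group_by(&:downcase).values.select { |group| group.size > 1 }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, not real tokens.
  stored = %w[9f86d081884c7d65 Qx7-aB_3kZ qX7-Ab_3Kz]
  stored.each { |v| puts "#{v}: #{token_format(v)}" }
  puts "legacy hex constraint accepts new tokens: " \
       "#{constraint_accepts_new_tokens?(HEX_FORMAT)}"
  puts "case-insensitive collisions: #{case_insensitive_collisions(stored).inspect}"
end
```

If the legacy constraint rejects the new tokens, or lookups run under a case-insensitive collation, the release note's own remedy is to set `default_generator_method` to `:hex`.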