Doorkeeper v5.1.0.rc2 Release Notes

Release Date: 2019-03-22

    [#1208] Unify hashing implementation into secret storing strategies

    [IMPORTANT]: If you have been using the master branch of doorkeeper with bcrypt in your Gemfile.lock,
    your application secrets have been hashed using BCrypt. To restore this behavior, use the initializer option
    use_application_hashing using: 'Doorkeeper::SecretStoring::BCrypt'.

    [#1216] Add nil check to expires_at method.

    [#1215] Fix deprecations for Rails 6.

    [#1214] Scopes field accepts array.

    [#1209] Fix tokens validation for Token Introspection request.

    [#1202] Use correct HTTP status codes for error responses.

    [IMPORTANT]: this change might break your application if you were relying on the previous
    401 status codes: error responses are now 400 by default, or 401 for invalid_client and invalid_token errors.

    [#1201] Fix custom TTL block client parameter to always be a Doorkeeper::Application instance.

    [IMPORTANT]: those who defined the custom_access_token_expires_in configuration option need to check
    their block implementation: if you are using oauth_client.application to get the Doorkeeper::Application
    instance, then you need to replace it with just oauth_client.

    [#1200] Increase default Doorkeeper access token value complexity (urlsafe_base64 instead of just hex)
    matching RFC6749/RFC6750.

    [IMPORTANT]: this change has possible side-effects in case you have custom database constraints for
    access token value, application secrets or refresh tokens, you patched Doorkeeper models and introduced
    token value validations, or you are using a database with a case-insensitive WHERE clause like MySQL
    (you can face some collisions). Before this change the access token value matched the [a-f0-9] regex, and now
    it matches [a-zA-Z0-9\-_]. In case you have such restrictions and you don't use a custom token generator,
    please change the configuration option default_generator_method to :hex.

    [#1195] Allow customizing the Token Introspection response (fixes #1194).

    [#1189] Option to set token_reuse_limit.

    [#1191] Try to load bcrypt for hashing of application secrets, but add a fallback.
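    The following added example, which is not Doorkeeper's own code, illustrates the two items on secret
    storing (#1208 and #1191): a secret is transformed by a storing strategy before it is written, the
    bcrypt strategy is used only when the gem loads and a SHA-256 strategy stands in otherwise, and a
    helper guesses which strategy wrote an existing stored value, which is the question the #1208 note
    raises for applications whose secrets were already bcrypt-hashed. The PlainStore, Sha256Store and
    BcryptStore module names and their store/matches? interface are assumptions made for the illustration;
    Doorkeeper's own strategy classes have their own API.

```ruby
require 'digest'
require 'securerandom'

# Mirror #1191: load bcrypt if the application bundles it, otherwise remember
# that the fallback must be used. Nothing below touches BCrypt unless it loaded.
BCRYPT_AVAILABLE =
  begin
    require 'bcrypt'
    true
  rescue LoadError
    false
  end

# Illustrative strategy: store the secret as-is (assumed interface, not Doorkeeper's).
module PlainStore
  def self.store(secret)
    secret
  end

  def self.matches?(presented, stored)
    presented == stored
  end
end

# Illustrative strategy: store a SHA-256 hex digest, compare in constant time.
module Sha256Store
  def self.store(secret)
    Digest::SHA256.hexdigest(secret)
  end

  def self.matches?(presented, stored)
    digest = Digest::SHA256.hexdigest(presented)
    return false unless digest.bytesize == stored.bytesize
    digest.bytes.zip(stored.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

# Illustrative strategy: store a bcrypt hash (only usable when the gem loaded).
module BcryptStore
  def self.store(secret)
    BCrypt::Password.create(secret).to_s
  end

  def self.matches?(presented, stored)
    BCrypt::Password.new(stored) == presented
  end
end

# Prefer bcrypt, fall back to SHA-256 when it is not available.
def hashing_strategy
  BCRYPT_AVAILABLE ? BcryptStore : Sha256Store
end

# Guess which strategy wrote an existing stored value, so an upgrade can be
# configured with the strategy that matches the data already in the table.
def strategy_for_stored(stored)
  return BcryptStore if stored.start_with?('$2a$', '$2b$', '$2y$')
  return Sha256Store if stored.match?(/\A[a-f0-9]{64}\z/)
  PlainStore
end

# Register an application: the plaintext secret is shown once to the owner,
# only the transformed value is persisted.
def register_application(strategy)
  secret = SecureRandom.urlsafe_base64(32)
  record = { secret: strategy.store(secret) }
  [secret, record]
end

def authenticate(strategy, record, presented_secret)
  strategy.matches?(presented_secret, record[:secret])
end

if __FILE__ == $PROGRAM_NAME
  strategy = hashing_strategy
  plaintext, record = register_application(strategy)
  puts "strategy: #{strategy}, stored: #{record[:secret]}"
  puts "correct secret accepted: #{authenticate(strategy, record, plaintext)}"
  puts "wrong secret accepted:   #{authenticate(strategy, record, plaintext + 'x')}"
end
```

    The point of strategy_for_stored is the migration case from the #1208 note: if the stored values
    already look like bcrypt hashes, verifying them with the plain strategy will fail for every client,
    so the configured strategy has to match what is in the database.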