Changelog History
v5.2.2 Changes
November 10, 2019

v5.2.1 Changes
September 17, 2019

v5.2.0 Changes
September 16, 2019

v5.2.0.rc3 Changes
August 28, 2019
- [#1298] Slice strong params so it doesn't error with Rails forms.
- [#1300] Limiting access to attributes of pre_authorization.
- [#1296] Adding client_id to strong parameters.
- [#1293] Move ar specific redirect uri validator to ar orm directory.
- [#1288] Allow to pass attributes to the `Doorkeeper::OAuth::PreAuthorization#as_json` method to customize the PreAuthorization response.
- [#1286] Add ability to customize grant flows per application (OAuth client) (#1245, #1207).
- [#1283] Allow to customize base class for `Doorkeeper::ApplicationMetalController` (new configuration option called `base_metal_controller`) (fix #1273).
- [#1277] Prevent requested scope from being empty on authorization request, handle and add description for invalid request.

v5.2.0.rc2 Changes
June 17, 2019
- [#1270] Find matching tokens in batches for reuse_access_token option (fix #1193).
- [#1271] Reintroduce existing token revocation for client credentials.
- [#1269] Update initializer template documentation.
- [#1266] Use strong parameters within pre-authorization.
- [#1264] Add :before_successful_authorization and :after_successful_authorization hooks in TokensController.
- [#1263] Respond properly when introspection fails and fix configuration's user guide.

v5.2.0.rc1 Changes
May 23, 2019
- [#1260], [#1262] Improve Token Introspection configuration option (access to tokens, client).
- [#1257] Add constraint configuration when using client authentication on introspection endpoint.
- [#1252] Returning `unauthorized` when the revocation of the token should not be performed due to wrong permissions.
- [#1249] Specify case sensitive uniqueness to remove Rails 6 deprecation message.
- [#1248] Display the Application Secret in HTML after creating a new application even when `hash_application_secrets` is used.
- [#1248] Return the unhashed Application Secret in the JSON response after creating new application even when `hash_application_secrets` is used.
- [#1238] Better support for native app with support for custom scheme and localhost redirection.

v5.1.2 Changes
May 07, 2020
- [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.

v5.1.1 Changes
May 02, 2020
- [#1371] Backport: Add `#as_json` method and attributes serialization restriction for Application model.
  Fixes information disclosure vulnerability (CVE-2020-10187).

v5.1.0 Changes
April 17, 2019
See Upgrade guides for migration to a new version.
- [#1243] Add nil check operator in token checking at token introspection.
- [#1241] Explaining foreign key options for resource owner in a single place.
- [#1237] Allow to set blank redirect URI if Doorkeeper configured to use redirect URI-less grant flows.
- [#1234] Fix `StaleRecordsCleaner` to properly work with big amount of records.
- [#1228] Allow to explicitly set non-expiring tokens in `custom_access_token_expires_in` configuration option using `Float::INFINITY` return value.
- [#1224] Do not try to store token if not found by fallback hashing strategy.
- [#1223] Update Hound/Rubocop rules, correct Doorkeeper codebase to follow style-guides.
- [#1220] Drop Rails 4.2 & Ruby < 2.4 support.

v5.1.0.rc2 Changes
March 22, 2019
- [#1208] Unify hashing implementation into secret storing strategies.
  [IMPORTANT]: If you have been using the master branch of doorkeeper with bcrypt in your Gemfile.lock, your application secrets have been hashed using BCrypt. To restore this behavior, use the initializer option `use_application_hashing using: 'Doorkeeper::SecretStoring::BCrypt'`.
- [#1216] Add nil check to `expires_at` method.
- [#1215] Fix deprecates for Rails 6.
- [#1214] Scopes field accepts array.
- [#1209] Fix tokens validation for Token Introspection request.
- [#1202] Use correct HTTP status codes for error responses.
  [IMPORTANT]: this change might break your application if you were relying on the previous 401 status codes, this is now a 400 by default, or a 401 for `invalid_client` and `invalid_token` errors.
- [#1201] Fix custom TTL block `client` parameter to always be a `Doorkeeper::Application` instance.
  [IMPORTANT]: those who defined `custom_access_token_expires_in` configuration option need to check their block implementation: if you are using `oauth_client.application` to get `Doorkeeper::Application` instance, then you need to replace it with just `oauth_client`.
- [#1200] Increase default Doorkeeper access token value complexity (`urlsafe_base64` instead of just `hex`) matching RFC6749/RFC6750.
  [IMPORTANT]: this change has possible side-effects in case you have custom database constraints for access token value, application secrets, refresh tokens or you patched Doorkeeper models and introduced token value validations, or you are using database with case-insensitive WHERE clause like MySQL (you can face some collisions). Before this change access token value matched `[a-f0-9]` regex, and now it matches `[a-zA-Z0-9\-_]`. In case you have such restrictions and you don't use custom token generator please change configuration option `default_generator_method` to `:hex`.
- [#1195] Allow to customize Token Introspection response (fixes #1194).
- [#1189] Option to set `token_reuse_limit`.
- [#1191] Try to load bcrypt for hashing of application secrets, but add fallback.
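
A pre-upgrade check for the side-effects listed in the [#1200] note, added here as an illustration and not taken from Doorkeeper's code base. The helper names and sample tokens are constructed, and a case-insensitive collation is modelled with Ruby's own case folding rather than a real database.

```ruby
require "securerandom"

# Token alphabets quoted in the #1200 note, anchored to match whole values.
HEX_FORMAT     = /\A[a-f0-9]+\z/
URLSAFE_FORMAT = /\A[a-zA-Z0-9\-_]+\z/

# Tokens that a validation or CHECK constraint written for the old
# hex-only format would reject after the upgrade (hypothetical helper).
def rejected_by_hex_constraint(tokens)
  tokens.reject { |t| t.match?(HEX_FORMAT) }
end

# Groups of distinct tokens that compare equal once case is ignored,
# which is how a case-insensitive collation sees them (assumption:
# String#downcase stands in for the database collation).
def case_insensitive_collisions(tokens)
  tokens.uniq.group_by(&:downcase).values.select { |group| group.size > 1 }
end

# Every stored token a case-insensitive WHERE clause would return for the
# presented value (in-memory stand-in for the query, hypothetical helper).
def ci_lookup(stored, presented)
  stored.select { |t| t.casecmp?(presented) }
end

# Constructed sample values, not real tokens.
SAMPLE_TOKENS = [
  "9f2c4a7be01d", # old hex style
  "Qm3xA_t-Zk9P", # new urlsafe_base64 style
  "qm3xa_t-zk9p"  # differs from the previous value only by case
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "rejected by hex-only constraint: #{rejected_by_hex_constraint(SAMPLE_TOKENS).inspect}"
  puts "case-insensitive collisions:     #{case_insensitive_collisions(SAMPLE_TOKENS).inspect}"
  puts "rows matched for one token:      #{ci_lookup(SAMPLE_TOKENS, 'Qm3xA_t-Zk9P').size}"
  # Freshly generated values in both styles, checked against the quoted alphabets.
  puts "hex sample ok:     #{SecureRandom.hex(32).match?(HEX_FORMAT)}"
  puts "urlsafe sample ok: #{SecureRandom.urlsafe_base64(32).match?(URLSAFE_FORMAT)}"
end
```

A lookup that returns more than one row for a single presented token is the collision case the note warns about; a binary or case-sensitive collation on the token columns, or `default_generator_method` set to `:hex`, avoids it.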