I am overriding Doorkeeper's AuthorizationsController, since the docs suggested inheriting from AuthorizationsController. The code below shows my latest override attempt.
I currently have:

```ruby
class AuthorizationsController < Doorkeeper::AuthorizationsController
  def new
    application = Application.find(authorization.authorize.pre_auth.client.id) # authorize also issues the grant/token
    resource_owner = User.find(current_resource_owner)

    if application.users.exclude?(resource_owner) && application.owner != resource_owner
      render :error
    elsif pre_auth.authorizable?
      if skip_authorization? || matching_token?
        auth = authorization.authorize
        redirect_to auth.redirect_uri
      else
        render :new
      end
    else
      render :error
    end
  end
end
```

Basically, I add an extra `if` statement around Doorkeeper's `new` authorization action. I added lines 3-7, and this currently works fine: it gives me `:error` if the condition on line 6 is true.

My question

I still see the access token in the browser URL and in the server log. As a user, I could still use this access token to retrieve some data, with Postman for example, even though I got an error when logging in. Why is this, and how can I prevent it?

If you look at the introduction to OAuth 2 written by DigitalOcean, my `if` statement is still executed in step 3, "User-agent receives access token with redirect URI", because I see the access token together with the redirect URI in my browser URL. And after step 3 it gives me `:error`.
UPDATE
The whole process of creating an access token has already completed before my override at the start of AuthorizationsController runs. I added a simple before_action that prints to the server log, but before that prints, Doorkeeper::AccessToken Load (0.9ms) SELECT 'oauth_access_tokens'.* FROM 'oauth_access_tokens' WHERE 'oauth_access_tokens'.'token' = 'x' LIMIT 1 already happens.
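Added example (the editor's, not code from the question or from Doorkeeper). It reproduces the ordering problem in the custom `new` action outside Rails: `FakePreAuth` and `FakeAuthorization` are constructed stand-ins for Doorkeeper's `pre_auth` and `authorization` helpers, and `FakeAuthorization#authorize` records a token every time it is called, because in Doorkeeper it is `TokenRequest#authorize` / `CodeRequest#authorize` that issues the token or grant. `new_action_original` keeps the question's ordering, where `authorization.authorize.pre_auth.client.id` runs before the membership check; `new_action_fixed` reads the client from `pre_auth.client` instead, so nothing is issued on the error path. `Client`, `User`, `Application`, `Response` and `Context` are small structs made up for the example, and the scenario data in `run` is constructed.

```ruby
# Constructed stand-ins for the Rails/Doorkeeper objects the action reads.
Client      = Struct.new(:id)
User        = Struct.new(:id)
Application = Struct.new(:id, :owner, :users)
Response    = Struct.new(:pre_auth, :redirect_uri)

# Stand-in for Doorkeeper's pre_auth helper: exposes the client and
# whether the request is authorizable.
class FakePreAuth
  attr_reader :client

  def initialize(client, authorizable: true)
    @client = client
    @authorizable = authorizable
  end

  def authorizable?
    @authorizable
  end
end

# Stand-in for Doorkeeper's authorization helper. As with Doorkeeper's
# TokenRequest#authorize / CodeRequest#authorize, calling #authorize is the
# step that issues the token (or grant); here every call is recorded.
class FakeAuthorization
  attr_reader :issued_tokens

  def initialize(pre_auth)
    @pre_auth = pre_auth
    @issued_tokens = []
  end

  def authorize
    token = "tok-#{@issued_tokens.size + 1}"
    @issued_tokens << token
    Response.new(@pre_auth, "https://client.example/cb#access_token=#{token}")
  end
end

# Everything the action needs: applications by id, the two Doorkeeper
# helpers, the logged-in resource owner and the skip_authorization? flag.
Context = Struct.new(:apps, :pre_auth, :authorization, :resource_owner, :skip_authorization)

# The membership rule from the question as a pure predicate.
def resource_owner_allowed?(application, resource_owner)
  application.owner == resource_owner || application.users.include?(resource_owner)
end

# Ordering from the question: the client is looked up through
# authorization.authorize, so a token is issued before the check runs and
# it survives even though :error is rendered afterwards.
def new_action_original(ctx)
  application = ctx.apps.fetch(ctx.authorization.authorize.pre_auth.client.id)
  return :error unless resource_owner_allowed?(application, ctx.resource_owner)
  return :error unless ctx.pre_auth.authorizable?
  return :new unless ctx.skip_authorization

  [:redirect, ctx.authorization.authorize.redirect_uri]
end

# Fixed ordering: read the client from pre_auth (no side effect) and only
# call authorize on the branch that actually redirects with a token.
def new_action_fixed(ctx)
  application = ctx.apps.fetch(ctx.pre_auth.client.id)
  return :error unless resource_owner_allowed?(application, ctx.resource_owner)
  return :error unless ctx.pre_auth.authorizable?
  return :new unless ctx.skip_authorization

  [:redirect, ctx.authorization.authorize.redirect_uri]
end

# Runs one action against a constructed scenario: app 10 is owned by alice
# and has no other users; bob is an outsider. Returns the action's result
# and how many tokens were issued along the way.
def run(action, as_owner:, skip_authorization: false)
  alice = User.new(1)
  bob   = User.new(2)
  app   = Application.new(10, alice, [])
  pre_auth      = FakePreAuth.new(Client.new(10))
  authorization = FakeAuthorization.new(pre_auth)
  ctx = Context.new({ 10 => app }, pre_auth, authorization,
                    as_owner ? alice : bob, skip_authorization)
  result = send(action, ctx)
  { result: result, tokens_issued: authorization.issued_tokens.size }
end

if __FILE__ == $PROGRAM_NAME
  p run(:new_action_original, as_owner: false) # outsider: :error, but 1 token issued
  p run(:new_action_fixed, as_owner: false)    # outsider: :error, 0 tokens issued
end
```

In the real controller the equivalent change is to take the client from `pre_auth.client` (Doorkeeper's `PreAuthorization` exposes it) and call `authorization.authorize` only on the redirect branch. A token that already sits in `oauth_access_tokens` stays valid no matter which view is rendered afterwards, which is why it still works from Postman; if such tokens have been issued they need to be revoked separately.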