From 21ccedab9c4fe6195a24b5ec07f052567f5f6df5 Mon Sep 17 00:00:00 2001 From: yystopf Date: Fri, 17 Jun 2022 18:33:37 +0800 Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8D:=20doorkeeper=20=E6=97=A0?= =?UTF-8?q?=E6=B3=95=E7=94=9F=E6=88=90jwt=20token?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Gemfile.lock | 7 + config/initializers/doorkeeper.rb | 11 +- config/locales/doorkeeper.zh-CN.yml | 177 +++++++++--------- ...oauth_access_tokens_token_column_length.rb | 5 + 4 files changed, 112 insertions(+), 88 deletions(-) create mode 100644 db/migrate/20220617103002_change_oauth_access_tokens_token_column_length.rb diff --git a/Gemfile.lock b/Gemfile.lock index b1dc2cca7..99f40ad94 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -106,6 +106,10 @@ GEM activerecord (>= 3.1.0, < 7) diff-lcs (1.3) diffy (3.3.0) + doorkeeper (5.5.4) + railties (>= 5) + doorkeeper-jwt (0.4.1) + jwt (>= 2.1) e2mmap (0.1.0) elasticsearch (7.5.0) elasticsearch-api (= 7.5.0) @@ -450,6 +454,8 @@ DEPENDENCIES chromedriver-helper deep_cloneable (~> 3.0.0) diffy + doorkeeper + doorkeeper-jwt enumerize faraday (~> 0.15.4) font-awesome-sass (= 4.7.0) @@ -458,6 +464,7 @@ DEPENDENCIES harmonious_dictionary (~> 0.0.1) jbuilder (~> 2.5) jquery-rails + jwt kaminari (~> 1.1, >= 1.1.1) letter_avatar listen (>= 3.0.5, < 3.2) diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb index 196e25037..4f9db8cdf 100644 --- a/config/initializers/doorkeeper.rb +++ b/config/initializers/doorkeeper.rb 
@@ -7,7 +7,7 @@ Doorkeeper.configure do # This block will be called to check whether the resource owner is authenticated or not. resource_owner_authenticator do - raise "Please configure doorkeeper resource_owner_authenticator block located in #{__FILE__}" + # raise "Please configure doorkeeper resource_owner_authenticator block located in #{__FILE__}" # Put your resource owner authentication logic here. # Example implementation: User.find_by(id: session[:www_user_id]) || redirect_to(new_user_session_url) @@ -228,7 +228,7 @@ Doorkeeper.configure do # `grant_type` - the grant type of the request (see Doorkeeper::OAuth) # `scopes` - the requested scopes (see Doorkeeper::OAuth::Scopes) # - # use_refresh_token + use_refresh_token # Provide support for an owner to be assigned to each registered application (disabled by default) # Optional parameter confirmation: true (default: false) if you want to enforce ownership of @@ -304,7 +304,7 @@ Doorkeeper.configure do # # You can completely disable this feature with: # - # allow_blank_redirect_uri false + allow_blank_redirect_uri true # # Or you can define your custom check: # @@ -444,6 +444,9 @@ Doorkeeper.configure do # skip_authorization do |resource_owner, client| # client.superapp? or resource_owner.admin? # end + skip_authorization do + true + end # Configure custom constraints for the Token Introspection request. # By default this configuration option allows to introspect a token by another @@ -540,7 +543,7 @@ Doorkeeper::JWT.configure do # Set the encryption secret. This would be shared with any other applications # that should be able to read the payload of the token. Defaults to "secret". - secret_key ENV['JWT_SECRET'] + secret_key ENV['JWT_SECRET'] || "forgeplus" # If you want to use RS* encoding specify the path to the RSA key to use for # signing. If you specify a `secret_key_path` it will be used instead of 
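Review bot: Commenting out the `raise` in `resource_owner_authenticator` leaves a block whose only remaining statements are comments, so it evaluates to nil on every request: no resource owner is ever authenticated and nothing redirects an anonymous user to log in. Silencing the guard is not the same as configuring the authenticator; the guard existed precisely to stop Doorkeeper from running in this state, and with the consent step also being auto-approved in this file, grants could be issued with no confirmed user behind them. Replace the commented line with the project's real session lookup in the shape of the example that follows it, e.g. `User.find_by(id: session[:user_id]) || redirect_to(login_url)`, or keep the `raise` until that exists. The block's closing `end` is not visible in this hunk.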
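Review bot: `allow_blank_redirect_uri true` unconditionally permits clients registered with no redirect URI, while the template text in this same hunk presents `false` as the way to "completely disable this feature" and, as I recall, Doorkeeper's default only allows blank URIs when the redirect-based flows (authorization_code/implicit) are not enabled. A client with no redirect URI is only meaningful for grant types that never redirect (client credentials, password); whether the authorization endpoint reliably rejects such a client for the code flow should be confirmed in the Doorkeeper version pinned here rather than assumed. If the intent is to support first-party password/client-credentials apps, scope the exception to them with the block form, e.g. `allow_blank_redirect_uri { |grant_flows, _client| grant_flows.exclude?('authorization_code') && grant_flows.exclude?('implicit') }`, and otherwise leave the default in place.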
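Review bot: `skip_authorization do true end` auto-approves every authorization request for every registered client, so a logged-in user never sees the consent screen and any application that can register itself, or any registered client whose secret leaks, obtains a grant for that user's account with whatever scopes it asks for. The commented template directly above shows the intended shape, which is to skip consent only for clients you control: `skip_authorization { |resource_owner, client| client.application.owner == resource_owner || client.application.trusted? }`, where `trusted?` stands for whatever first-party marker the applications table actually has (confirm the column; none is visible here). If the only goal is the password or client-credentials grant, those flows never reach this hook and the override is unnecessary.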
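Review bot: `secret_key ENV['JWT_SECRET'] || "forgeplus"` bakes a fallback HMAC signing secret into the repository, so in any deployment where `JWT_SECRET` is unset every issued token is signed with a string anyone who can read this file also knows, and such a person can mint access tokens for arbitrary resource owners. A missing secret should stop the application at boot rather than silently downgrade: `secret_key ENV.fetch('JWT_SECRET')` (or a value from `Rails.application.credentials`), with a dedicated low-value secret set only in development and test environment files if one is needed there. The comments right below this line also describe `secret_key_path` with an RSA key, which avoids sharing a symmetric secret with every party that must verify tokens.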
diff --git a/config/locales/doorkeeper.zh-CN.yml b/config/locales/doorkeeper.zh-CN.yml index 3a00820a3..f05f65a5c 100644 --- a/config/locales/doorkeeper.zh-CN.yml +++ b/config/locales/doorkeeper.zh-CN.yml 
@@ -2,125 +2,134 @@ zh-CN: activerecord: attributes: doorkeeper/application: - name: '名称' - redirect_uri: '登录回调地址' - scopes: '权限范围' + name: 应用名称 + redirect_uri: 重定向 URI errors: models: doorkeeper/application: attributes: redirect_uri: - fragment_present: '不能包含片段(#)' - invalid_uri: '必须是有效的 URL 格式' - relative_uri: '必须是绝对的 URL 地址' - secured_uri: '必须是 HTTPS/SSL 的 URL 地址' - + fragment_present: 不能包含网址片段(#) + invalid_uri: 必须是有效的 URI 格式 + unspecified_scheme: must specify a scheme. + relative_uri: 必须是绝对的 URI 地址 + secured_uri: 必须是 HTTPS/SSL 的 URI 地址 + forbidden_uri: 被服务器禁止。 + scopes: + not_match_configured: 不匹配服务器上的配置。 doorkeeper: applications: confirmations: - destroy: '确定要删除应用吗?' + destroy: 确定要删除应用吗? buttons: - edit: '编辑' - destroy: '删除' - submit: '提交' - cancel: '取消' - authorize: '授权' + edit: 编辑 + destroy: 删除 + submit: 提交 + cancel: 取消 + authorize: 授权 form: - error: '抱歉! 提交信息的时候遇到了下面的错误' + error: 抱歉! 提交信息的时候遇到了下面的错误 help: - redirect_uri: '每行只能有一个 URL' - native_redirect_uri: '使用 %{native_redirect_uri} 作为本地测试' - scopes: '用空格隔开权限范围,留空则使用默认设置' + confidential: 应用程序的client secret可以保密,但原生移动应用和单页应用将无法保护client secret。 + redirect_uri: 每行只能有一个 URI + blank_redirect_uri: Leave it blank if you configured your provider to use Client Credentials, Resource Owner Password Credentials or any other grant type that doesn't require redirect URI. + scopes: 用空格分割权限范围,留空则使用默认设置 edit: - title: '修改应用' + title: 修改应用 index: - title: '你的应用' - new: '创建新应用' - name: '名称' - callback_url: '登录回调地址' + title: 你的应用 + new: 创建新应用 + name: 名称 + callback_url: 回调 URL + confidential: Confidential? 
+ actions: 动作 + confidentiality: + 'yes': 是 + 'no': 沒有 new: - title: '创建新应用' + title: 创建新应用 show: - title: '应用:%{name}' - application_id: '应用 ID' - secret: '私钥' - scopes: '权限范围' - callback_urls: '登录回调地址' - confidential: 'Confidential' - actions: '操作' - + title: 应用:%{name} + application_id: 应用 UID + secret: 应用密钥 + secret_hashed: Secret hashed + scopes: 权限范围 + confidential: Confidential + callback_urls: 回调 URL + actions: 操作 + not_defined: Not defined authorizations: buttons: - authorize: '授权' - deny: '拒绝' + authorize: 同意授权 + deny: 拒绝授权 error: - title: '存在错误' + title: 发生错误 new: - title: '需要你授权' - prompt: '授权 %{client_name} 使用你的帐号?' - able_to: '此应用将会' + title: 需要授权 + prompt: 授权 %{client_name} 使用你的帐户? + able_to: 此应用将能够 show: - title: '授权码' - + title: 授权代码 + form_post: + title: Submit this form authorized_applications: confirmations: - revoke: '确定要注销此应用的认证信息吗?' + revoke: 确定要撤销对此应用的授权吗? buttons: - revoke: '注销' + revoke: 撤销授权 index: - title: '你授权的应用列表' - application: '应用' - created_at: '授权时间' - date_format: '%Y-%m-%d %H:%M:%S' - + title: 已授权的应用 + application: 应用 + created_at: 授权时间 + date_format: "%Y-%m-%d %H:%M:%S" + pre_authorization: + status: 预授权 errors: messages: - # Common error messages - invalid_request: '这个请求缺少必要的参数,或者参数值、格式不正确' - invalid_redirect_uri: '无效的登录回调地址' - unauthorized_client: '未授权的应用,请求无法执行' - access_denied: '用户或服务器拒绝了请求' - invalid_scope: '请求范围无效、未知或格式不正确' - server_error: '服务器异常,无法处理请求' - temporarily_unavailable: '服务器维护中或负载过高,暂时无法处理请求' - - #configuration error messages - credential_flow_not_configured: 'Resource Owner Password Credentials flow failed,原因是 Doorkeeper.configure.resource_owner_from_credentials 尚未设置。' - resource_owner_authenticator_not_configured: 'Resource Owner find failed,原因是 Doorkeeper.configure.resource_owner_authenticator 尚未设置。' - - # Access grant errors - unsupported_response_type: '服务器不支持这种响应类型' - - # Access token errors - invalid_client: '由于未知、不支持或没有客户端,认证失败' - invalid_grant: '授权方式无效,或者登录回调地址无效、过期或已被撤销' - unsupported_grant_type: 
'服务器不支持此类型的授权方式' - - # Password Access token errors - invalid_resource_owner: '资源所有者认证无效或没有所有者' - + invalid_request: + unknown: 请求缺少必要的参数,或者参数值、格式不正确。 + missing_param: 'Missing required parameter: %{value}.' + request_not_authorized: Request need to be authorized. Required parameter for authorizing request is missing or invalid. + invalid_redirect_uri: 无效的登录回调地址。 + unauthorized_client: 未授权的应用,请求无法执行。 + access_denied: 资源所有者或服务器拒绝了请求。 + invalid_scope: 请求的权限范围无效、未知或格式不正确。 + invalid_code_challenge_method: The code challenge method must be plain or S256. + server_error: 服务器异常,无法处理请求。 + temporarily_unavailable: 服务器维护中或负载过高,暂时无法处理请求。 + credential_flow_not_configured: 由于 Doorkeeper.configure.resource_owner_from_credentials 尚未配置,应用验证授权流程失败。 + resource_owner_authenticator_not_configured: 由于 Doorkeeper.configure.resource_owner_authenticator 尚未配置,查找资源所有者失败。 + admin_authenticator_not_configured: 由于 Doorkeeper.configure.admin_authenticator 尚未配置,禁止访问管理员面板。 + unsupported_response_type: 服务器不支持这种响应类型。 + unsupported_response_mode: The authorization server does not support this response mode. + invalid_client: 由于应用信息未知、未提交认证信息或使用了不支持的认证方式,认证失败。 + invalid_grant: 授权方式无效、过期或已被撤销、与授权请求中的回调地址不一致,或使用了其他应用的回调地址。 + unsupported_grant_type: 服务器不支持此类型的授权方式。 invalid_token: - revoked: "访问令牌已被吊销" - expired: "访问令牌已过期" - unknown: "访问令牌无效" - + revoked: 访问令牌已被吊销 + expired: 访问令牌已过期 + unknown: 访问令牌无效 + revoke: + unauthorized: You are not authorized to revoke this token + forbidden_token: + missing_scope: Access to this resource requires scope "%{oauth_scopes}". 
flash: applications: create: - notice: '应用创建成功' + notice: 应用创建成功。 destroy: - notice: '应用删除成功' + notice: 应用删除成功。 update: - notice: '应用修改成功' + notice: 应用修改成功。 authorized_applications: destroy: - notice: '已成功注销了应用的认证信息' - + notice: 已成功撤销对此应用的授权。 layouts: admin: + title: Doorkeeper nav: - oauth2_provider: 'OAuth2 提供商' - applications: '应用' - home: '首页' + oauth2_provider: OAuth2 提供商 + applications: 应用 + home: 首页 application: - title: 'OAuth 认证' + title: 需要 OAuth 认证 \ No newline at end of file diff --git a/db/migrate/20220617103002_change_oauth_access_tokens_token_column_length.rb b/db/migrate/20220617103002_change_oauth_access_tokens_token_column_length.rb new file mode 100644 index 000000000..9c78ac285 --- /dev/null +++ b/db/migrate/20220617103002_change_oauth_access_tokens_token_column_length.rb @@ -0,0 +1,5 @@ +class ChangeOauthAccessTokensTokenColumnLength < ActiveRecord::Migration[5.2] + def change + change_column :oauth_access_tokens, :token, :string, limit: 500 + end +end
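Review bot: `change_column` inside `def change` is not reversible; ActiveRecord raises `IrreversibleMigration` on rollback because it cannot know the previous limit, so this migration leaves the schema stuck if the doorkeeper change has to be backed out. Use explicit `up`/`down` (the pre-existing limit is not visible in this diff; 255 is the Rails string default and should be confirmed against `db/schema.rb`). Separately, 500 characters is an arbitrary ceiling for a JWT, whose length grows with the claims and scopes encoded in it, and on MySQL the unique index Doorkeeper puts on `token` has an index-key byte limit that a 500-char utf8mb4 column can exceed depending on row format, so the chosen size is worth confirming on the target database.
```ruby
class ChangeOauthAccessTokensTokenColumnLength < ActiveRecord::Migration[5.2]
  # JWT access tokens are longer than the default string column allows.
  def up
    change_column :oauth_access_tokens, :token, :string, limit: 500
  end

  # Restore the previous limit (confirm against db/schema.rb before relying on it).
  def down
    change_column :oauth_access_tokens, :token, :string, limit: 255
  end
end
```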