Module: Doorkeeper::OAuth::Helpers::URIChecker

Defined in:

lib/doorkeeper/oauth/helpers/uri_checker.rb

Class Method Summary

• .as_uri(url) ⇒ Object
• .hypertext_scheme?(uri) ⇒ Boolean
• .iff_host?(uri) ⇒ Boolean
• .loopback_uri?(uri) ⇒ Boolean
• .matches?(url, client_url) ⇒ Boolean
• .oob_uri?(uri) ⇒ Boolean
• .query_matches?(query, client_query) ⇒ Boolean
• .valid?(url) ⇒ Boolean
• .valid_for_authorization?(url, client_url) ⇒ Boolean
• .valid_scheme?(uri) ⇒ Boolean

Class Method Details

.as_uri(url) ⇒ Object

# File 'lib/doorkeeper/oauth/helpers/uri_checker.rb', line 51

def self.as_uri(url)
  URI.parse(url)
end

.hypertext_scheme?(uri) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/doorkeeper/oauth/helpers/uri_checker.rb', line 69

def self.hypertext_scheme?(uri)
  %w[http https].include?(uri.scheme)
end

.iff_host?(uri) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/doorkeeper/oauth/helpers/uri_checker.rb', line 73

def self.iff_host?(uri)
  !(hypertext_scheme?(uri) && uri.host.blank?)
end

.loopback_uri?(uri) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/doorkeeper/oauth/helpers/uri_checker.rb', line 41

def self.loopback_uri?(uri)
  IPAddr.new(uri.host).loopback?
rescue IPAddr::Error, IPAddr::InvalidAddressError
  false
end

.matches?(url, client_url) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/doorkeeper/oauth/helpers/uri_checker.rb', line 18

def self.matches?(url, client_url)
  url = as_uri(url)
  client_url = as_uri(client_url)

  unless client_url.query.nil?
    return false unless query_matches?(url.query, client_url.query)

    # Clear out queries so rest of URI can be tested. This allows query
    # params to be in the request but order not mattering.
    client_url.query = nil
  end

  # RFC8252, Paragraph 7.3
  # @see https://datatracker.ietf.org/doc/html/rfc8252#section-7.3
  if loopback_uri?(url) && loopback_uri?(client_url)
    url.port = nil
    client_url.port = nil
  end

  url.query = nil
  url == client_url
end

.oob_uri?(uri) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/doorkeeper/oauth/helpers/uri_checker.rb', line 77

def self.oob_uri?(uri)
  NonStandard::IETF_WG_OAUTH2_OOB_METHODS.include?(uri)
end

.query_matches?(query, client_query) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/doorkeeper/oauth/helpers/uri_checker.rb', line 55

def self.query_matches?(query, client_query)
  return true if client_query.blank? && query.blank?
  return false if client_query.nil? || query.nil?

  # Will return true independent of query order
  client_query.split("&").sort == query.split("&").sort
end

.valid?(url) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/doorkeeper/oauth/helpers/uri_checker.rb', line 9

def self.valid?(url)
  return true if oob_uri?(url)

  uri = as_uri(url)
  valid_scheme?(uri) && iff_host?(uri) && uri.fragment.nil? && uri.opaque.nil?
rescue URI::InvalidURIError
  false
end

.valid_for_authorization?(url, client_url) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/doorkeeper/oauth/helpers/uri_checker.rb', line 47

def self.valid_for_authorization?(url, client_url)
  valid?(url) && client_url.split.any? { |other_url| matches?(url, other_url) }
end

.valid_scheme?(uri) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/doorkeeper/oauth/helpers/uri_checker.rb', line 63

def self.valid_scheme?(uri)
  return false if uri.scheme.blank?

  %w[localhost].exclude?(uri.scheme)
end