lib/doorkeeper/oauth/password_access_token_request.rb


# frozen_string_literal: true

module Doorkeeper
  module OAuth
    class PasswordAccessTokenRequest < BaseRequest
      include OAuth::Helpers

      validate :client, error: Errors::InvalidClient
      validate :client_supports_grant_flow, error: Errors::UnauthorizedClient
      validate :resource_owner, error: Errors::InvalidGrant
      validate :scopes, error: Errors::InvalidScope

      attr_reader :client, :credentials, :resource_owner, :parameters, :access_token

      def initialize(server, client, credentials, resource_owner, parameters = {})
        @server          = server
        @resource_owner  = resource_owner
        @client          = client
        @credentials     = credentials
        @parameters      = parameters
        @original_scopes = parameters[:scope]
        @grant_type      = Doorkeeper::OAuth::PASSWORD
      end

      private

      def before_successful_response
        find_or_create_access_token(client, resource_owner, scopes, {}, server)
        super
      end

      def validate_scopes
        return true if scopes.blank?

        ScopeChecker.valid?(
          scope_str: scopes.to_s,
          server_scopes: server.scopes,
          app_scopes: client.try(:scopes),
          grant_type: grant_type,
        )
      end

      def validate_resource_owner
        resource_owner.present?
      end

      # Section 4.3.2. Access Token Request for Resource Owner Password Credentials Grant:
      #
      #   If the client type is confidential or the client was issued client credentials (or assigned
      #   other authentication requirements), the client MUST authenticate with the authorization
      #   server as described in Section 3.2.1.
      #
      #   The authorization server MUST:
      #
      #    o  require client authentication for confidential clients or for any  client that was
      #       issued client credentials (or with other authentication requirements)
      #
      #    o  authenticate the client if client authentication is included,
      #
      #   @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3
      #
      def validate_client
        if Doorkeeper.config.skip_client_authentication_for_password_grant
          client.present? || (!parameters[:client_id] && credentials.blank?)
        else
          client.present?
        end
      end

      def validate_client_supports_grant_flow
        Doorkeeper.config.allow_grant_flow_for_client?(grant_type, client&.application)
      end
    end
  end
end