Doorkeeper: Does not display application secret when using `hash_application_secrets` in Browser

Created on 21 Apr 2019  路  7Comments  路  Source: doorkeeper-gem/doorkeeper

Refs #1168

Steps to reproduce

I have provided a minimal sample application that displays the behavior at https://github.com/iv-mexx/doorkeeper-hash-client-secrets-repro

  • Activate hash_application_secrets
  • Visit /oauth/applications in Browser
  • Create new Application

Expected behavior

The Secret should be displayed at least once after creating an application.

Actual behavior

The Secret is never displayed and therefore can not be used.

I'm guessing thats because ApplicationsController#create redirects to the new application for html ( https://github.com/doorkeeper-gem/doorkeeper/blob/master/app/controllers/doorkeeper/applications_controller.rb#L37 ) but after the redirect, the @application instance is a new one which now does not have the transient @raw_secret anymore: https://github.com/oliverguenther/doorkeeper/blob/bb4265146d087a4e2716b80334f22bb462ee56d7/lib/doorkeeper/orm/active_record/application.rb#L50

System configuration

You can help us to understand your problem if you will share some very
useful information about your project environment (don't forget to
remove any confidential data if it exists).

Doorkeeper initializer:

Default, only with hash_application_secrets active and an admin_authenticator that allows everyone (for quick demonstration)

https://github.com/iv-mexx/doorkeeper-hash-client-secrets-repro/blob/master/config/initializers/doorkeeper.rb

Ruby version:

2.5.0

Gemfile.lock:

https://github.com/iv-mexx/doorkeeper-hash-client-secrets-repro/blob/master/Gemfile.lock

bug

All 7 comments

Thanks @iv-mexx for reporting, need to check it, but fast look says you are in the right direction.
I'll check it later (or you can produce a PR).

/cc @oliverguenther

I could take a look. How would you go about this?
Just showing the token in the Flash?
Or passing the Secret in the Redirect via URL Parameter?

I'm for flash, but thinking how it would work in API mode..

I have not yet tested this, but from the code I'm confident it already works correctly in API Mode because the JSON response renders the @application instance (with the transient @raw_secret) directly.

I'll take a look! 馃憤

Good point which I missed because we override the default layouts. We can redirect with the flash present, that would probably be easiest. Let me know if you need any help or want me to look into it.

Hi @iv-mexx . Any success with the issue? Maybe need some help?

Hey, thanks for asking. I did not have the time yet as I was busy integrating doorkeeper into my application first 馃槃

I wanted to do it this upcoming weekend

Was this page helpful?
0 / 5 - 0 ratings