Bump doorkeeper from 4.4.0 to 5.0.0

[dependabot-preview]

Bumps doorkeeper from 4.4.0 to 5.0.0.

Release notes

Sourced from doorkeeper's releases.

v5.0.0

• [Non-logged in volunteer see same subject 20 minutes after first seeing it #1127] Change the token_type initials of the Banner Token to uppercase to comply with the RFC6750 specification.

v5.0.0.rc2

• [New password error #1106] Restrict access to AdminController with 'Forbidden 403' if admin_authenticator is not
  configured by developers..
• [Retire via API call #1108] Simple formating of callback URLs when listing oauth applications
• [Allow the last tag to be deleted #1116] AccessGrants will now be revoked along with AccessTokens when
  hitting the AuthorizedApplicationController#destroy route.
• [Upload classification and subject dumps as gzip #1114] Make token info endpoint's attributes consistent with token creation
• [Trouble parsing the json from the annotations csv file - needing to know subject id ahead of time to access json string #1119] Fix token revocation for OAuth apps using "implicit" grant flow
• [Setup project preferences for all users that classified on snaphot supernova #1122] Fix AuthorizationsController#new error response to be in JSON format

v5.0.0.rc1

• [Legacy project activity counts should respect individual workflows #1103] Allow customizing use_refresh_token
• [update subscribe worker params #1089] Removed enable_pkce_without_secret configuration option
• [Use correct method to fuzzy search tags #1102] Expiration time based on scopes
• [API socket timeout #1099] All the configuration variables in Doorkeeper.configuration now
  always return a non-nil value (true or false)
• [API socket timeout #1099] ORM / Query optimization: Do not revoke the refresh token if it is not enabled
  in doorkeeper.rb
• [add beta users email communication migration #996] Expiration Time Base On Grant Type
• [Cassandra speed issues #997] Allow PKCE authorization_code flow as specified in RFC7636
• [Can't copy one workflow's subject_set into another workflow #907] Fix lookup for matching tokens in certain edge-cases
• [Add hrefs to all resource responses #992] Add API option to use Doorkeeper without management views for API only
  Rails applications (api_only)
• [A workflow data dump? #1045] Validate redirect_uri as the native URI when making authorization code requests
• [NULL zooniverse_id's #1048] Remove deprecated Doorkeeper#configured?, Doorkeeper#database_installed?, and
  Doorkeeper#installed? method
• [Clean up factory girl association build / create chains #1031] Allow public clients to authenticate without client_secret. Define an app as
  either public or private/confidential
• [Filter role controllers by user_id #1010] Add configuration to enforce configured scopes (default_scopes and
  optional_scopes) for applications
• [User avatars and profile headers can't be deleted #1060] Ensure that the native redirect_uri parameter matches with redirect_uri of the client
• [Including project links on project_preferences request results in a 500 #1064] Add :before_successful_authorization and :after_successful_authorization hooks
• [multiple users reporting duplicate images while signed in #1069] Upgrade Bootstrap to 4 for Admin
• [redirect only unless a required param is missing #1068] Add rake task to cleanup databases that can become large over time
• [Include subjects in the Kafka classification JSONs #1072] AuthorizationsController: Memoize strategy.authorize_response result to enable
  subclasses to use the response object.
• [Better user search using pg_search gem #1075] Call before_successful_authorization and after_successful_authorization hooks
  on create action as well as new
• [Project pages #1082] Fix #916: remember routes mapping and use it required places (fix error with
  customized Token Info route).
• [subjects seen more than once #1086, #1088] Fix bug with receiving default scopes in the token even if they are
  not present in the application scopes (use scopes intersection).
• [Better threshold defaults #1076] Add config to enforce content type to application/x-www-form-urlencoded
• Fix bug with force_ssl_in_redirect_uri when it breaks existing applications with an
  SSL redirect_uri.

v4.4.2

... (truncated)

Changelog

Sourced from doorkeeper's changelog.

5.0.0

• [Non-logged in volunteer see same subject 20 minutes after first seeing it #1127] Change the token_type initials of the Banner Token to uppercase to comply with the RFC6750 specification.

5.0.0.rc2

• [New password error #1106] Restrict access to AdminController with 'Forbidden 403' if admin_authenticator is not
  configured by developers..
• [Retire via API call #1108] Simple formating of callback URLs when listing oauth applications
• [Allow the last tag to be deleted #1116] AccessGrants will now be revoked along with AccessTokens when
  hitting the AuthorizedApplicationController#destroy route.
• [Upload classification and subject dumps as gzip #1114] Make token info endpoint's attributes consistent with token creation
• [Trouble parsing the json from the annotations csv file - needing to know subject id ahead of time to access json string #1119] Fix token revocation for OAuth apps using "implicit" grant flow
• [Setup project preferences for all users that classified on snaphot supernova #1122] Fix AuthorizationsController#new error response to be in JSON format

5.0.0.rc1

• [Legacy project activity counts should respect individual workflows #1103] Allow customizing use_refresh_token
• [update subscribe worker params #1089] Removed enable_pkce_without_secret configuration option
• [Use correct method to fuzzy search tags #1102] Expiration time based on scopes
• [API socket timeout #1099] All the configuration variables in Doorkeeper.configuration now
  always return a non-nil value (true or false)
• [API socket timeout #1099] ORM / Query optimization: Do not revoke the refresh token if it is not enabled
  in doorkeeper.rb
• [add beta users email communication migration #996] Expiration Time Base On Grant Type
• [Cassandra speed issues #997] Allow PKCE authorization_code flow as specified in RFC7636
• [Can't copy one workflow's subject_set into another workflow #907] Fix lookup for matching tokens in certain edge-cases
• [Add hrefs to all resource responses #992] Add API option to use Doorkeeper without management views for API only
  Rails applications (api_only)
• [A workflow data dump? #1045] Validate redirect_uri as the native URI when making authorization code requests
• [NULL zooniverse_id's #1048] Remove deprecated Doorkeeper#configured?, Doorkeeper#database_installed?, and
  Doorkeeper#installed? method
• [Clean up factory girl association build / create chains #1031] Allow public clients to authenticate without client_secret. Define an app as
  either public or private/confidential
• [Filter role controllers by user_id #1010] Add configuration to enforce configured scopes (default_scopes and
  optional_scopes) for applications
• [User avatars and profile headers can't be deleted #1060] Ensure that the native redirect_uri parameter matches with redirect_uri of the client
• [Including project links on project_preferences request results in a 500 #1064] Add :before_successful_authorization and :after_successful_authorization hooks
• [multiple users reporting duplicate images while signed in #1069] Upgrade Bootstrap to 4 for Admin
• [redirect only unless a required param is missing #1068] Add rake task to cleanup databases that can become large over time
• [Include subjects in the Kafka classification JSONs #1072] AuthorizationsController: Memoize strategy.authorize_response result to enable
  subclasses to use the response object.
• [Better user search using pg_search gem #1075] Call before_successful_authorization and after_successful_authorization hooks
  on create action as well as new
• [Project pages #1082] Fix #916: remember routes mapping and use it required places (fix error with
  customized Token Info route).
• [subjects seen more than once #1086, #1088] Fix bug with receiving default scopes in the token even if they are
  not present in the application scopes (use scopes intersection).
• [Better threshold defaults #1076] Add config to enforce content type to application/x-www-form-urlencoded
• Fix bug with force_ssl_in_redirect_uri when it breaks existing applications with an

... (truncated)

Upgrade guide

Sourced from doorkeeper's upgrade guide.

See Upgrade Guides
in the project Wiki.

Commits

• 4c94445 Prepare 5.0.0 release
• bd631bc [ci skip] Merge NEWS.md
• 7044d1f Merge pull request #1131 from salbertson/patch-1
• 001fb02 Add a "Reviewed by Hound" badge
• 3471a94 [ci skip] Update NEWS.md with 4.4.1 release
• c5d27ea Merge pull request #1127 from sequoia-china/fixed/rfc_6750_token_type
• 9a42b98 Change the token_type initials of the Banner Token to uppercase.
• 4094aaa Merge pull request #1123 from arsduo/patch-1
• 6c82384 Add note about Rails CSRF protections
• 178e86c [ci skip] Release 5.0.0.rc2
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

[dependabot-preview]

Superseded by #2989.