Diffstat (limited to 'app/controllers/application_controller.rb')
-rw-r--r--app/controllers/application_controller.rb22
1 files changed, 15 insertions, 7 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 111c85bc5..a01d5c75f 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -131,6 +131,14 @@ class ApplicationController < ActionController::Base
if (key = api_key_from_request)
# Use API key
user = User.find_by_api_key(key)
+ elsif access_token = Doorkeeper.authenticate(request)
+ # Oauth
+ if access_token.accessible?
+ user = User.active.find_by_id(access_token.resource_owner_id)
+ user.oauth_scope = access_token.scopes.all.map(&:to_sym)
+ else
+ doorkeeper_render_error
+ end
elsif /\ABasic /i.match?(request.authorization.to_s)
# HTTP Basic, either username/password or API key/random
authenticate_with_http_basic do |username, password|
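Review bot: `User.active.find_by_id(access_token.resource_owner_id)` returns nil when the token's owner is not active or no longer exists, and the next added line then calls `oauth_scope=` on nil, so a still-valid token for such an account raises instead of failing authentication cleanly. Guard the assignment, for example `user&.oauth_scope = access_token.scopes.all.map(&:to_sym)`. In the `else` branch `doorkeeper_render_error` renders a response while the method carries on with `user` unset; whether a caller then tries to render again cannot be seen here, because the enclosing method starts and ends outside the hunk. The `# Oauth` comment could also state that an API key in the request takes precedence over a bearer token, since that ordering decides which credential is honoured.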
@@ -482,15 +490,17 @@ class ApplicationController < ActionController::Base
end
helper_method :back_url
- def redirect_back_or_default(default, options={})
+ def redirect_back_or_default(default, options = {})
+ referer = options.delete(:referer)
+
if back_url = validate_back_url(params[:back_url].to_s)
redirect_to(back_url)
return
- elsif options[:referer]
+ elsif referer
redirect_to_referer_or default
return
end
- redirect_to default
+ redirect_to default, options
false
end
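Review bot: `options.delete(:referer)` mutates the hash the caller passed in, so a caller that reuses its options hash silently loses `:referer` after the first call; read it without mutating, e.g. `referer = options[:referer]` followed by `redirect_to default, options.except(:referer)`. The remaining options reach `redirect_to` only on the fall-through path, while the `back_url` and referer branches still ignore them, which deserves a one-line comment or the same forwarding. Because everything left in `options` is now handed to `redirect_to`, a short doc comment saying that callers must pass only fixed keys (never values taken from `params`) would make the contract explicit.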
@@ -509,11 +519,9 @@ class ApplicationController < ActionController::Base
if uri.send(component).present? && uri.send(component) != request.send(component)
return false
end
-
- uri.send(:"#{component}=", nil)
end
- # Always ignore basic user:password in the URL
- uri.userinfo = nil
+ # Remove unnecessary components to convert the URL into a relative URL
+ uri.omit!(:scheme, :authority)
rescue Addressable::URI::InvalidURIError
return false
end
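Review bot: The new comment on `uri.omit!(:scheme, :authority)` no longer says that credentials embedded in the URL are discarded, which the removed `uri.userinfo = nil` line and its comment made explicit. Since `:authority` covers userinfo, host and port, say so, e.g. `# Drop scheme and authority (userinfo, host, port) so only a relative URL remains`. Once the authority is gone, a path that begins with `//` would read as a scheme-relative URL; this presumably ends in the `rescue Addressable::URI::InvalidURIError` branch or in a later check, but the rest of the method is outside the hunk, so a regression test asserting that such a `back_url` is still rejected would pin the behaviour this validation exists for.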