Diffstat (limited to 'config/initializers')
-rw-r--r--config/initializers/30-redmine.rb78
-rw-r--r--config/initializers/doorkeeper.rb9
2 files changed, 84 insertions, 3 deletions
diff --git a/config/initializers/30-redmine.rb b/config/initializers/30-redmine.rb
index cf13cab20..d6477faca 100644
--- a/config/initializers/30-redmine.rb
+++ b/config/initializers/30-redmine.rb
@@ -4,14 +4,78 @@ require 'redmine/configuration'
require 'redmine/plugin_loader'
Rails.application.config.to_prepare do
- I18n.backend = Redmine::I18n::Backend.new
- # Forces I18n to load available locales from the backend
- I18n.config.available_locales = nil
+ I18n::Backend::Simple.include(I18n::Backend::Pluralization)
# Use Nokogiri as XML backend instead of Rexml
ActiveSupport::XmlMini.backend = 'Nokogiri'
Redmine::Preparation.prepare
+
+ Doorkeeper.configure do
+ orm :active_record
+
+ # Issue access tokens with refresh token
+ use_refresh_token
+
+ # Authorization Code expiration time (default: 10 minutes).
+ #
+ # authorization_code_expires_in 10.minutes
+
+ # Access token expiration time (default: 2 hours).
+ # If you want to disable expiration, set this to `nil`.
+ #
+ # access_token_expires_in 2.hours
+
+ # Hash access and refresh tokens before persisting them.
+ # https://doorkeeper.gitbook.io/guides/security/token-and-application-secrets
+ hash_token_secrets
+
+ # Hash application secrets before persisting them.
+ hash_application_secrets using: '::Doorkeeper::SecretStoring::BCrypt'
+
+ # limit supported flows to Auth code
+ grant_flows ['authorization_code']
+
+ realm Redmine::Info.app_name
+ base_controller 'ApplicationController'
+ default_scopes(*Redmine::AccessControl.public_permissions.map(&:name))
+ optional_scopes(*(Redmine::AccessControl.permissions.map(&:name) << :admin))
+
+ # Forbids creating/updating applications with arbitrary scopes that are
+ # not in configuration, i.e. +default_scopes+ or +optional_scopes+.
+ enforce_configured_scopes
+
+ allow_token_introspection false
+
+ # allow http loopback redirect URIs but require https for all others
+ force_ssl_in_redirect_uri { |uri| !%w[localhost 127.0.0.1 web localohst:8080].include?(uri.host) }
+
+ # Specify what redirect URI's you want to block during Application creation.
+ forbid_redirect_uri { |uri| %w[data vbscript javascript].include?(uri.scheme.to_s.downcase) }
+
+ resource_owner_authenticator do
+ if require_login
+ if Setting.rest_api_enabled?
+ User.current
+ else
+ deny_access
+ end
+ end
+ end
+
+ admin_authenticator do |_routes|
+ if !Setting.rest_api_enabled? || !User.current.admin?
+ deny_access
+ end
+ end
+ end
+
+ # Use Redmine standard layouts and helpers for Doorkeeper OAuth2 screens
+ Doorkeeper::ApplicationsController.layout "admin"
+ Doorkeeper::ApplicationsController.main_menu = false
+ Doorkeeper::AuthorizationsController.layout "base"
+ Doorkeeper::AuthorizedApplicationsController.layout "base"
+ Doorkeeper::AuthorizedApplicationsController.main_menu = false
end
# Load the secret token from the Redmine configuration file
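Review bot: The host allow-list in `force_ssl_in_redirect_uri` accepts more than the loopback addresses its comment promises, and one entry is dead. `uri.host` never includes a port, so `localohst:8080` (also misspelled) can never match, while `web` is an ordinary hostname (it looks like a development container name), so an application may register a plain-http redirect URI on any host called `web` and receive authorization codes unencrypted. I would restrict the list to real loopback names, `force_ssl_in_redirect_uri { |uri| !%w[localhost 127.0.0.1].include?(uri.host) }`, and add the IPv6 loopback through `uri.hostname` if it is needed.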
@@ -42,6 +106,14 @@ Rails.application.config.to_prepare do
paths = theme.asset_paths
Rails.application.config.assets.redmine_extension_paths << paths if paths.present?
end
+
+ Doorkeeper::ApplicationsController.class_eval do
+ require_sudo_mode :create, :show, :update, :destroy
+ end
+
+ Doorkeeper::AuthorizationsController.class_eval do
+ require_sudo_mode :create, :destroy
+ end
end
Rails.application.deprecators[:redmine] = ActiveSupport::Deprecation.new('7.0', 'Redmine')
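Review bot: The two `class_eval` blocks have no comment saying why these actions need sudo mode or where `require_sudo_mode` comes from on a Doorkeeper controller. It presumably works only because `base_controller 'ApplicationController'` is set in the Doorkeeper configuration of the other `to_prepare` block in this file, so changing that setting would make these calls fail at boot. A comment such as `# Doorkeeper controllers inherit from ApplicationController (base_controller), which provides require_sudo_mode` above the first block would record the dependency. The enclosing `to_prepare` block starts outside this hunk.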
diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb
new file mode 100644
index 000000000..40888ad8b
--- /dev/null
+++ b/config/initializers/doorkeeper.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+# rubocop:disable Lint/EmptyBlock
+Doorkeeper.configure do
+end
+
+Rails.application.config.to_prepare do
+end
+# rubocop:enable Lint/EmptyBlock
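Review bot: Nothing in this new file says why it exists: both blocks are empty and the only comment is the RuboCop suppression. Presumably the empty `Doorkeeper.configure` is a placeholder so the engine has a configuration during boot, with the real settings applied later from the `to_prepare` block in `30-redmine.rb`; if so, say that, e.g. `# Placeholder: Doorkeeper needs a configuration at boot; the real settings live in 30-redmine.rb`. Until that later block runs the library defaults apply, so it is worth confirming nothing reads the configuration in between. The empty `to_prepare` block appears to do nothing and could be dropped or explained.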