Remove a couple of the riskier Doorkeeper grant flows (#1772)

* Remove a couple of the riskier Doorkeeper grant flows

Fixes #820

* update tests to not rely on the password grant flow

* linter

config/initializers/doorkeeper.rb

@@ -368,7 +368,7 @@
   # The user doesn't have control over the authorization process, so clients
   # aren't limited by scope, and could potentially have the same capabilities
   # as the user themselves. See the second link above for countermeasures.
-  grant_flows %w[authorization_code password implicit client_credentials]
+  grant_flows %w[authorization_code client_credentials]
 
   # Allows to customize OAuth grant flows that +each+ application support.
   # You can configure a custom block (or use a class respond to `#call`) that must

test/controllers/api/test.rb

@@ -1,28 +1,22 @@
 class Api::Test < ActionDispatch::IntegrationTest
   def access_token
-    params = {
-      client_id: @platform_application.uid,
-      client_secret: @platform_application.secret,
-      grant_type: "password",
-      scope: "read write delete"
-    }
-
-    post "/oauth/token", params: params
-    assert_response :success
-    response.parsed_body["access_token"]
+    access_token = Doorkeeper::AccessToken.create!(
+      resource_owner_id: @user.id,
+      token: SecureRandom.hex,
+      application: @platform_application,
+      scopes: "read write delete"
+    )
+    access_token.token
   end
 
   def another_access_token
-    params = {
-      client_id: @another_platform_application.uid,
-      client_secret: @another_platform_application.secret,
-      grant_type: "password",
-      scope: "read write delete"
-    }
-
-    post "/oauth/token", params: params
-    assert_response :success
-    response.parsed_body["access_token"]
+    access_token = Doorkeeper::AccessToken.create!(
+      resource_owner_id: @another_user.id,
+      token: SecureRandom.hex,
+      application: @another_platform_application,
+      scopes: "read write delete"
+    )
+    access_token.token
   end
 
   setup do