git.squeep.com Git - akkoma/blob - lib/pleroma/web/o_auth/token.ex

   1 # Pleroma: A lightweight social networking server
   2 # Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
   3 # SPDX-License-Identifier: AGPL-3.0-only
   4
   5 defmodule Pleroma.Web.OAuth.Token do
   6   use Ecto.Schema
   7
   8   import Ecto.Changeset
   9
  10   alias Pleroma.Repo
  11   alias Pleroma.User
  12   alias Pleroma.Web.OAuth.App
  13   alias Pleroma.Web.OAuth.Authorization
  14   alias Pleroma.Web.OAuth.Token
  15   alias Pleroma.Web.OAuth.Token.Query
  16
  17   @type t :: %__MODULE__{}
  18
  19   schema "oauth_tokens" do
  20     field(:token, :string)
  21     field(:refresh_token, :string)
  22     field(:scopes, {:array, :string}, default: [])
  23     field(:valid_until, :naive_datetime_usec)
  24     belongs_to(:user, User, type: FlakeId.Ecto.CompatType)
  25     belongs_to(:app, App)
  26
  27     timestamps()
  28   end
  29
  30   def lifespan do
  31     Pleroma.Config.get!([:oauth2, :token_expires_in])
  32   end
  33
  34   @doc "Gets token by unique access token"
  35   @spec get_by_token(String.t()) :: {:ok, t()} | {:error, :not_found}
  36   def get_by_token(token) do
  37     token
  38     |> Query.get_by_token()
  39     |> Repo.find_resource()
  40   end
  41
  42   @doc "Gets token for app by access token"
  43   @spec get_by_token(App.t(), String.t()) :: {:ok, t()} | {:error, :not_found}
  44   def get_by_token(%App{id: app_id} = _app, token) do
  45     Query.get_by_app(app_id)
  46     |> Query.get_by_token(token)
  47     |> Repo.find_resource()
  48   end
  49
  50   @doc "Gets token for app by refresh token"
  51   @spec get_by_refresh_token(App.t(), String.t()) :: {:ok, t()} | {:error, :not_found}
  52   def get_by_refresh_token(%App{id: app_id} = _app, token) do
  53     Query.get_by_app(app_id)
  54     |> Query.get_by_refresh_token(token)
  55     |> Query.preload([:user])
  56     |> Repo.find_resource()
  57   end
  58
  59   @spec exchange_token(App.t(), Authorization.t()) :: {:ok, Token.t()} | {:error, Changeset.t()}
  60   def exchange_token(app, auth) do
  61     with {:ok, auth} <- Authorization.use_token(auth),
  62          true <- auth.app_id == app.id do
  63       user = if auth.user_id, do: User.get_cached_by_id(auth.user_id), else: %User{}
  64
  65       create(
  66         app,
  67         user,
  68         %{scopes: auth.scopes}
  69       )
  70     end
  71   end
  72
  73   def get_preeexisting_by_app_and_user(app, user) do
  74     Query.get_by_app(app.id)
  75     |> Query.get_by_user(user.id)
  76     |> Query.get_unexpired()
  77     |> Query.preload([:user])
  78     |> Query.sort_by_inserted_at()
  79     |> Query.limit(1)
  80     |> Repo.find_resource()
  81   end
  82
  83   defp put_token(changeset) do
  84     changeset
  85     |> change(%{token: Token.Utils.generate_token()})
  86     |> validate_required([:token])
  87     |> unique_constraint(:token)
  88   end
  89
  90   defp put_refresh_token(changeset, attrs) do
  91     refresh_token = Map.get(attrs, :refresh_token, Token.Utils.generate_token())
  92
  93     changeset
  94     |> change(%{refresh_token: refresh_token})
  95     |> validate_required([:refresh_token])
  96     |> unique_constraint(:refresh_token)
  97   end
  98
  99   def get_or_exchange_token(%Authorization{} = auth, %App{} = app, %User{} = user) do
 100     if auth.used do
 101       get_preeexisting_by_app_and_user(app, user)
 102     else
 103       exchange_token(app, auth)
 104     end
 105   end
 106
 107   defp put_valid_until(changeset, attrs) do
 108     valid_until =
 109       Map.get(attrs, :valid_until, NaiveDateTime.add(NaiveDateTime.utc_now(), lifespan()))
 110
 111     changeset
 112     |> change(%{valid_until: valid_until})
 113     |> validate_required([:valid_until])
 114   end
 115
 116   @spec create(App.t(), User.t(), map()) :: {:ok, Token} | {:error, Changeset.t()}
 117   def create(%App{} = app, %User{} = user, attrs \\ %{}) do
 118     with {:ok, token} <- do_create(app, user, attrs) do
 119       if Pleroma.Config.get([:oauth2, :clean_expired_tokens]) do
 120         Pleroma.Workers.PurgeExpiredToken.enqueue(%{
 121           token_id: token.id,
 122           valid_until: DateTime.from_naive!(token.valid_until, "Etc/UTC"),
 123           mod: __MODULE__
 124         })
 125       end
 126
 127       {:ok, token}
 128     end
 129   end
 130
 131   defp do_create(app, user, attrs) do
 132     %__MODULE__{user_id: user.id, app_id: app.id}
 133     |> cast(%{scopes: attrs[:scopes] || app.scopes}, [:scopes])
 134     |> validate_required([:scopes, :app_id])
 135     |> put_valid_until(attrs)
 136     |> put_token()
 137     |> put_refresh_token(attrs)
 138     |> Repo.insert()
 139   end
 140
 141   def delete_user_tokens(%User{id: user_id}) do
 142     Query.get_by_user(user_id)
 143     |> Repo.delete_all()
 144   end
 145
 146   def delete_user_token(%User{id: user_id}, token_id) do
 147     Query.get_by_user(user_id)
 148     |> Query.get_by_id(token_id)
 149     |> Repo.delete_all()
 150   end
 151
 152   def get_user_tokens(%User{id: user_id}) do
 153     Query.get_by_user(user_id)
 154     |> Query.preload([:app])
 155     |> Repo.all()
 156   end
 157
 158   def is_expired?(%__MODULE__{valid_until: valid_until}) do
 159     NaiveDateTime.diff(NaiveDateTime.utc_now(), valid_until) > 0
 160   end
 161
 162   def is_expired?(_), do: false
 163 end