1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
5 defmodule Pleroma.Web.OAuth.OAuthController do
6 use Pleroma.Web, :controller
8 alias Pleroma.Web.OAuth.Authorization
9 alias Pleroma.Web.OAuth.Token
10 alias Pleroma.Web.OAuth.App
18 action_fallback(Pleroma.Web.OAuth.FallbackController)
20 def authorize(conn, params) do
21 render(conn, "show.html", %{
22 response_type: params["response_type"],
23 client_id: params["client_id"],
24 scope: params["scope"],
25 redirect_uri: params["redirect_uri"],
26 state: params["state"]
30 def create_authorization(conn, %{
34 "password" => password,
35 "client_id" => client_id,
36 "redirect_uri" => redirect_uri
39 with %User{} = user <- User.get_by_nickname_or_email(name),
40 true <- Pbkdf2.checkpw(password, user.password_hash),
41 {:auth_active, true} <- {:auth_active, User.auth_active?(user)},
42 %App{} = app <- Repo.get_by(App, client_id: client_id),
43 true <- redirect_uri in String.split(app.redirect_uris),
44 {:ok, auth} <- Authorization.create_authorization(app, user) do
45 # Special case: Local MastodonFE.
47 if redirect_uri == "." do
48 mastodon_api_url(conn, :login)
54 redirect_uri == "urn:ietf:wg:oauth:2.0:oob" ->
55 render(conn, "results.html", %{
60 connector = if String.contains?(redirect_uri, "?"), do: "&", else: "?"
61 url = "#{redirect_uri}#{connector}"
62 url_params = %{:code => auth.token}
66 Map.put(url_params, :state, params["state"])
71 url = "#{url}#{Plug.Conn.Query.encode(url_params)}"
73 redirect(conn, external: url)
76 {:auth_active, false} ->
78 |> put_flash(:error, "Account confirmation pending")
79 |> put_status(:forbidden)
88 # - proper scope handling
89 def token_exchange(conn, %{"grant_type" => "authorization_code"} = params) do
90 with %App{} = app <- get_app_from_request(conn, params),
91 fixed_token = fix_padding(params["code"]),
92 %Authorization{} = auth <-
93 Repo.get_by(Authorization, token: fixed_token, app_id: app.id),
94 {:ok, token} <- Token.exchange_token(app, auth),
95 {:ok, inserted_at} <- DateTime.from_naive(token.inserted_at, "Etc/UTC") do
98 access_token: token.token,
99 refresh_token: token.refresh_token,
100 created_at: DateTime.to_unix(inserted_at),
102 scope: "read write follow"
108 put_status(conn, 400)
109 |> json(%{error: "Invalid credentials"})
114 # - investigate a way to verify the user wants to grant read/write/follow once scope handling is done
117 %{"grant_type" => "password", "username" => name, "password" => password} = params
119 with %App{} = app <- get_app_from_request(conn, params),
120 %User{} = user <- User.get_by_nickname_or_email(name),
121 true <- Pbkdf2.checkpw(password, user.password_hash),
122 {:auth_active, true} <- {:auth_active, User.auth_active?(user)},
123 {:ok, auth} <- Authorization.create_authorization(app, user),
124 {:ok, token} <- Token.exchange_token(app, auth) do
126 token_type: "Bearer",
127 access_token: token.token,
128 refresh_token: token.refresh_token,
130 scope: "read write follow"
135 {:auth_active, false} ->
137 |> put_status(:forbidden)
138 |> json(%{error: "Account confirmation pending"})
141 put_status(conn, 400)
142 |> json(%{error: "Invalid credentials"})
148 %{"grant_type" => "password", "name" => name, "password" => _password} = params
152 |> Map.delete("name")
153 |> Map.put("username", name)
155 token_exchange(conn, params)
158 def token_revoke(conn, %{"token" => token} = params) do
159 with %App{} = app <- get_app_from_request(conn, params),
160 %Token{} = token <- Repo.get_by(Token, token: token, app_id: app.id),
161 {:ok, %Token{}} <- Repo.delete(token) do
165 # RFC 7009: invalid tokens [in the request] do not cause an error response
170 # XXX - for whatever reason our token arrives urlencoded, but Plug.Conn should be
171 # decoding it. Investigate sometime.
172 defp fix_padding(token) do
175 |> Base.url_decode64!(padding: false)
176 |> Base.url_encode64()
179 defp get_app_from_request(conn, params) do
180 # Per RFC 6749, HTTP Basic is preferred to body params
181 {client_id, client_secret} =
182 with ["Basic " <> encoded] <- get_req_header(conn, "authorization"),
183 {:ok, decoded} <- Base.decode64(encoded),
185 String.split(decoded, ":")
186 |> Enum.map(fn s -> URI.decode_www_form(s) end) do
189 _ -> {params["client_id"], params["client_secret"]}
192 if client_id && client_secret do
195 client_id: client_id,
196 client_secret: client_secret