git.squeep.com Git - akkoma/blob - lib/pleroma/web/oauth/oauth_controller.ex

   1 defmodule Pleroma.Web.OAuth.OAuthController do
   2   use Pleroma.Web, :controller
   3
   4   alias Pleroma.Web.OAuth.{Authorization, Token, App}
   5   alias Pleroma.{Repo, User}
   6   alias Comeonin.Pbkdf2
   7
   8   plug(:fetch_session)
   9   plug(:fetch_flash)
  10
  11   action_fallback(Pleroma.Web.OAuth.FallbackController)
  12
  13   def authorize(conn, params) do
  14     render(conn, "show.html", %{
  15       response_type: params["response_type"],
  16       client_id: params["client_id"],
  17       scope: params["scope"],
  18       redirect_uri: params["redirect_uri"],
  19       state: params["state"]
  20     })
  21   end
  22
  23   def create_authorization(conn, %{
  24         "authorization" =>
  25           %{
  26             "name" => name,
  27             "password" => password,
  28             "client_id" => client_id,
  29             "redirect_uri" => redirect_uri
  30           } = params
  31       }) do
  32     with %User{} = user <- User.get_by_nickname_or_email(name),
  33          true <- Pbkdf2.checkpw(password, user.password_hash),
  34          %App{} = app <- Repo.get_by(App, client_id: client_id),
  35          {:ok, auth} <- Authorization.create_authorization(app, user) do
  36       # Special case: Local MastodonFE.
  37       redirect_uri =
  38         if redirect_uri == "." do
  39           mastodon_api_url(conn, :login)
  40         else
  41           redirect_uri
  42         end
  43
  44       cond do
  45         redirect_uri == "urn:ietf:wg:oauth:2.0:oob" ->
  46           render(conn, "results.html", %{
  47             auth: auth
  48           })
  49
  50         true ->
  51           connector = if String.contains?(redirect_uri, "?"), do: "&", else: "?"
  52           url = "#{redirect_uri}#{connector}"
  53           url_params = %{:code => auth.token}
  54
  55           url_params =
  56             if params["state"] do
  57               Map.put(url_params, :state, params["state"])
  58             else
  59               url_params
  60             end
  61
  62           url = "#{url}#{Plug.Conn.Query.encode(url_params)}"
  63
  64           redirect(conn, external: url)
  65       end
  66     end
  67   end
  68
  69   # TODO
  70   # - proper scope handling
  71   def token_exchange(conn, %{"grant_type" => "authorization_code"} = params) do
  72     with %App{} = app <- get_app_from_request(conn, params),
  73          fixed_token = fix_padding(params["code"]),
  74          %Authorization{} = auth <-
  75            Repo.get_by(Authorization, token: fixed_token, app_id: app.id),
  76          {:ok, token} <- Token.exchange_token(app, auth),
  77          {:ok, inserted_at} <- DateTime.from_naive(token.inserted_at, "Etc/UTC") do
  78       response = %{
  79         token_type: "Bearer",
  80         access_token: token.token,
  81         refresh_token: token.refresh_token,
  82         created_at: DateTime.to_unix(inserted_at),
  83         expires_in: 60 * 10,
  84         scope: "read write follow"
  85       }
  86
  87       json(conn, response)
  88     else
  89       _error ->
  90         put_status(conn, 400)
  91         |> json(%{error: "Invalid credentials"})
  92     end
  93   end
  94
  95   # TODO
  96   # - investigate a way to verify the user wants to grant read/write/follow once scope handling is done
  97   def token_exchange(
  98         conn,
  99         %{"grant_type" => "password", "username" => name, "password" => password} = params
 100       ) do
 101     with %App{} = app <- get_app_from_request(conn, params),
 102          %User{} = user <- User.get_by_nickname_or_email(name),
 103          true <- Pbkdf2.checkpw(password, user.password_hash),
 104          {:ok, auth} <- Authorization.create_authorization(app, user),
 105          {:ok, token} <- Token.exchange_token(app, auth) do
 106       response = %{
 107         token_type: "Bearer",
 108         access_token: token.token,
 109         refresh_token: token.refresh_token,
 110         expires_in: 60 * 10,
 111         scope: "read write follow"
 112       }
 113
 114       json(conn, response)
 115     else
 116       _error ->
 117         put_status(conn, 400)
 118         |> json(%{error: "Invalid credentials"})
 119     end
 120   end
 121
 122   def token_exchange(
 123         conn,
 124         %{"grant_type" => "password", "name" => name, "password" => password} = params
 125       ) do
 126     params =
 127       params
 128       |> Map.delete("name")
 129       |> Map.put("username", name)
 130
 131     token_exchange(conn, params)
 132   end
 133
 134   def token_revoke(conn, %{"token" => token} = params) do
 135     with %App{} = app <- get_app_from_request(conn, params),
 136          %Token{} = token <- Repo.get_by(Token, token: token, app_id: app.id),
 137          {:ok, %Token{}} <- Repo.delete(token) do
 138       json(conn, %{})
 139     else
 140       _error ->
 141         # RFC 7009: invalid tokens [in the request] do not cause an error response
 142         json(conn, %{})
 143     end
 144   end
 145
 146   defp fix_padding(token) do
 147     token
 148     |> Base.url_decode64!(padding: false)
 149     |> Base.url_encode64()
 150   end
 151
 152   defp get_app_from_request(conn, params) do
 153     # Per RFC 6749, HTTP Basic is preferred to body params
 154     {client_id, client_secret} =
 155       with ["Basic " <> encoded] <- get_req_header(conn, "authorization"),
 156            {:ok, decoded} <- Base.decode64(encoded),
 157            [id, secret] <-
 158              String.split(decoded, ":")
 159              |> Enum.map(fn s -> URI.decode_www_form(s) end) do
 160         {id, secret}
 161       else
 162         _ -> {params["client_id"], params["client_secret"]}
 163       end
 164
 165     if client_id && client_secret do
 166       Repo.get_by(
 167         App,
 168         client_id: client_id,
 169         client_secret: client_secret
 170       )
 171     else
 172       nil
 173     end
 174   end
 175 end