Merge remote-tracking branch 'pleroma/develop' into cycles-plugs
[akkoma] / lib / pleroma / web / twitter_api / controllers / remote_follow_controller.ex
1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
4
5 defmodule Pleroma.Web.TwitterAPI.RemoteFollowController do
6 use Pleroma.Web, :controller
7
8 require Logger
9
10 alias Pleroma.Activity
11 alias Pleroma.MFA
12 alias Pleroma.Object.Fetcher
13 alias Pleroma.User
14 alias Pleroma.Web.Auth.Authenticator
15 alias Pleroma.Web.Auth.TOTPAuthenticator
16 alias Pleroma.Web.CommonAPI
17
18 @status_types ["Article", "Event", "Note", "Video", "Page", "Question"]
19
20 plug(Pleroma.Web.Plugs.FederatingPlug)
21
22 # Note: follower can submit the form (with password auth) not being signed in (having no token)
23 plug(
24 Pleroma.Web.Plugs.OAuthScopesPlug,
25 %{fallback: :proceed_unauthenticated, scopes: ["follow", "write:follows"]}
26 when action in [:do_follow]
27 )
28
29 # GET /ostatus_subscribe
30 #
31 def follow(%{assigns: %{user: user}} = conn, %{"acct" => acct}) do
32 case is_status?(acct) do
33 true -> follow_status(conn, user, acct)
34 _ -> follow_account(conn, user, acct)
35 end
36 end
37
38 defp follow_status(conn, _user, acct) do
39 with {:ok, object} <- Fetcher.fetch_object_from_id(acct),
40 %Activity{id: activity_id} <- Activity.get_create_by_object_ap_id(object.data["id"]) do
41 redirect(conn, to: Routes.o_status_path(conn, :notice, activity_id))
42 else
43 error ->
44 handle_follow_error(conn, error)
45 end
46 end
47
48 defp follow_account(conn, user, acct) do
49 with {:ok, followee} <- User.get_or_fetch(acct) do
50 render(conn, follow_template(user), %{error: false, followee: followee, acct: acct})
51 else
52 {:error, _reason} ->
53 render(conn, follow_template(user), %{error: :error})
54 end
55 end
56
57 defp follow_template(%User{} = _user), do: "follow.html"
58 defp follow_template(_), do: "follow_login.html"
59
60 defp is_status?(acct) do
61 case Fetcher.fetch_and_contain_remote_object_from_id(acct) do
62 {:ok, %{"type" => type}} when type in @status_types ->
63 true
64
65 _ ->
66 false
67 end
68 end
69
70 # POST /ostatus_subscribe
71 #
72 # adds a remote account in followers if user already is signed in.
73 #
74 def do_follow(%{assigns: %{user: %User{} = user}} = conn, %{"user" => %{"id" => id}}) do
75 with {:fetch_user, %User{} = followee} <- {:fetch_user, User.get_cached_by_id(id)},
76 {:ok, _, _, _} <- CommonAPI.follow(user, followee) do
77 redirect(conn, to: "/users/#{followee.id}")
78 else
79 error ->
80 handle_follow_error(conn, error)
81 end
82 end
83
84 # POST /ostatus_subscribe
85 #
86 # step 1.
87 # checks login\password and displays step 2 form of MFA if need.
88 #
89 def do_follow(conn, %{"authorization" => %{"name" => _, "password" => _, "id" => id}}) do
90 with {_, %User{} = followee} <- {:fetch_user, User.get_cached_by_id(id)},
91 {_, {:ok, user}, _} <- {:auth, Authenticator.get_user(conn), followee},
92 {_, _, _, false} <- {:mfa_required, followee, user, MFA.require?(user)},
93 {:ok, _, _, _} <- CommonAPI.follow(user, followee) do
94 redirect(conn, to: "/users/#{followee.id}")
95 else
96 error ->
97 handle_follow_error(conn, error)
98 end
99 end
100
101 # POST /ostatus_subscribe
102 #
103 # step 2
104 # checks TOTP code. otherwise displays form with errors
105 #
106 def do_follow(conn, %{"mfa" => %{"code" => code, "token" => token, "id" => id}}) do
107 with {_, %User{} = followee} <- {:fetch_user, User.get_cached_by_id(id)},
108 {_, _, {:ok, %{user: user}}} <- {:mfa_token, followee, MFA.Token.validate(token)},
109 {_, _, _, {:ok, _}} <-
110 {:verify_mfa_code, followee, token, TOTPAuthenticator.verify(code, user)},
111 {:ok, _, _, _} <- CommonAPI.follow(user, followee) do
112 redirect(conn, to: "/users/#{followee.id}")
113 else
114 error ->
115 handle_follow_error(conn, error)
116 end
117 end
118
119 def do_follow(%{assigns: %{user: nil}} = conn, _) do
120 Logger.debug("Insufficient permissions: follow | write:follows.")
121 render(conn, "followed.html", %{error: "Insufficient permissions: follow | write:follows."})
122 end
123
124 defp handle_follow_error(conn, {:mfa_token, followee, _} = _) do
125 render(conn, "follow_login.html", %{error: "Wrong username or password", followee: followee})
126 end
127
128 defp handle_follow_error(conn, {:verify_mfa_code, followee, token, _} = _) do
129 render(conn, "follow_mfa.html", %{
130 error: "Wrong authentication code",
131 followee: followee,
132 mfa_token: token
133 })
134 end
135
136 defp handle_follow_error(conn, {:mfa_required, followee, user, _} = _) do
137 {:ok, %{token: token}} = MFA.Token.create(user)
138 render(conn, "follow_mfa.html", %{followee: followee, mfa_token: token, error: false})
139 end
140
141 defp handle_follow_error(conn, {:auth, _, followee} = _) do
142 render(conn, "follow_login.html", %{error: "Wrong username or password", followee: followee})
143 end
144
145 defp handle_follow_error(conn, {:fetch_user, error} = _) do
146 Logger.debug("Remote follow failed with error #{inspect(error)}")
147 render(conn, "followed.html", %{error: "Could not find user"})
148 end
149
150 defp handle_follow_error(conn, {:error, "Could not follow user:" <> _} = _) do
151 render(conn, "followed.html", %{error: "Error following account"})
152 end
153
154 defp handle_follow_error(conn, error) do
155 Logger.debug("Remote follow failed with error #{inspect(error)}")
156 render(conn, "followed.html", %{error: "Something went wrong."})
157 end
158 end