+ else
+ {:auth_active, false} ->
+ conn
+ |> put_status(:forbidden)
+ |> json(%{error: "Account confirmation pending"})
+
+ _error ->
+ put_status(conn, 400)
+ |> json(%{error: "Invalid credentials"})
+ end
+ end
+
+ def token_exchange(
+ conn,
+ %{"grant_type" => "password", "name" => name, "password" => _password} = params
+ ) do
+ params =
+ params
+ |> Map.delete("name")
+ |> Map.put("username", name)
+
+ token_exchange(conn, params)
+ end
+
+ def token_revoke(conn, %{"token" => token} = params) do
+ with %App{} = app <- get_app_from_request(conn, params),
+ %Token{} = token <- Repo.get_by(Token, token: token, app_id: app.id),
+ {:ok, %Token{}} <- Repo.delete(token) do
+ json(conn, %{})
+ else
+ _error ->
+ # RFC 7009: invalid tokens [in the request] do not cause an error response
+ json(conn, %{})
+ end
+ end
+
+ # XXX - for whatever reason our token arrives urlencoded, but Plug.Conn should be
+ # decoding it. Investigate sometime.
+ defp fix_padding(token) do
+ token
+ |> URI.decode()
+ |> Base.url_decode64!(padding: false)
+ |> Base.url_encode64()
+ end
+
+ defp get_app_from_request(conn, params) do
+ # Per RFC 6749, HTTP Basic is preferred to body params
+ {client_id, client_secret} =
+ with ["Basic " <> encoded] <- get_req_header(conn, "authorization"),
+ {:ok, decoded} <- Base.decode64(encoded),
+ [id, secret] <-
+ String.split(decoded, ":")
+ |> Enum.map(fn s -> URI.decode_www_form(s) end) do
+ {id, secret}
+ else
+ _ -> {params["client_id"], params["client_secret"]}
+ end
+
+ if client_id && client_secret do
+ Repo.get_by(
+ App,
+ client_id: client_id,
+ client_secret: client_secret
+ )
+ else
+ nil