+ # TODO
+ # - investigate a way to verify the user wants to grant read/write/follow once scope handling is done
+ def token_exchange(
+ conn,
+ %{"grant_type" => "password", "username" => name, "password" => password} = params
+ ) do
+ with %App{} = app <- get_app_from_request(conn, params),
+ %User{} = user <- User.get_by_nickname_or_email(name),
+ true <- Pbkdf2.checkpw(password, user.password_hash),
+ {:ok, auth} <- Authorization.create_authorization(app, user),
+ {:ok, token} <- Token.exchange_token(app, auth) do
+ response = %{
+ token_type: "Bearer",
+ access_token: token.token,
+ refresh_token: token.refresh_token,
+ expires_in: 60 * 10,
+ scope: "read write follow"
+ }
+
+ json(conn, response)
+ else
+ _error ->
+ put_status(conn, 400)
+ |> json(%{error: "Invalid credentials"})
+ end
+ end
+
+ def token_exchange(
+ conn,
+ %{"grant_type" => "password", "name" => name, "password" => password} = params
+ ) do
+ params =
+ params
+ |> Map.delete("name")
+ |> Map.put("username", name)
+
+ token_exchange(conn, params)
+ end
+