Merge branch 'release/1.1.6' into 'stable'

[akkoma] / lib / pleroma / web / oauth / oauth_controller.ex

diff --git a/lib/pleroma/web/oauth/oauth_controller.ex b/lib/pleroma/web/oauth/oauth_controller.ex
index 3f8e3b0747c927d8510b638005bec0ed2535c373..63a6cc2863d1dbd646256db79da927b9dfc38b9d 100644 (file)
--- a/lib/pleroma/web/oauth/oauth_controller.ex
+++ b/lib/pleroma/web/oauth/oauth_controller.ex
@@ -35,7 +35,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
     authorize(conn, Map.merge(params, auth_attrs))
   end
 
-  def authorize(%Plug.Conn{assigns: %{token: %Token{}}} = conn, params) do
+  def authorize(%Plug.Conn{assigns: %{token: %Token{}}} = conn, %{"force_login" => _} = params) do
     if ControllerHelper.truthy_param?(params["force_login"]) do
       do_authorize(conn, params)
     else
@@ -43,6 +43,22 @@ defmodule Pleroma.Web.OAuth.OAuthController do
     end
   end
 
+  # Note: the token is set in oauth_plug, but the token and client do not always go together.
+  # For example, MastodonFE's token is set if user requests with another client,
+  # after user already authorized to MastodonFE.
+  # So we have to check client and token.
+  def authorize(
+        %Plug.Conn{assigns: %{token: %Token{} = token}} = conn,
+        %{"client_id" => client_id} = params
+      ) do
+    with %Token{} = t <- Repo.get_by(Token, token: token.token) |> Repo.preload(:app),
+         ^client_id <- t.app.client_id do
+      handle_existing_authorization(conn, params)
+    else
+      _ -> do_authorize(conn, params)
+    end
+  end
+
   def authorize(%Plug.Conn{} = conn, params), do: do_authorize(conn, params)
 
   defp do_authorize(%Plug.Conn{} = conn, params) do
@@ -90,7 +106,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
       redirect(conn, external: url)
     else
       conn
-      |> put_flash(:error, "Unlisted redirect_uri.")
+      |> put_flash(:error, dgettext("errors", "Unlisted redirect_uri."))
       |> redirect(external: redirect_uri(conn, redirect_uri))
     end
   end
@@ -128,7 +144,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
       redirect(conn, external: url)
     else
       conn
-      |> put_flash(:error, "Unlisted redirect_uri.")
+      |> put_flash(:error, dgettext("errors", "Unlisted redirect_uri."))
       |> redirect(external: redirect_uri(conn, redirect_uri))
     end
   end
@@ -142,7 +158,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
     # Per https://github.com/tootsuite/mastodon/blob/
     #   51e154f5e87968d6bb115e053689767ab33e80cd/app/controllers/api/base_controller.rb#L39
     conn
-    |> put_flash(:error, "This action is outside the authorized scopes")
+    |> put_flash(:error, dgettext("errors", "This action is outside the authorized scopes"))
     |> put_status(:unauthorized)
     |> authorize(params)
   end
@@ -155,7 +171,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
     # Per https://github.com/tootsuite/mastodon/blob/
     #   51e154f5e87968d6bb115e053689767ab33e80cd/app/controllers/api/base_controller.rb#L76
     conn
-    |> put_flash(:error, "Your login is missing a confirmed e-mail address")
+    |> put_flash(:error, dgettext("errors", "Your login is missing a confirmed e-mail address"))
     |> put_status(:forbidden)
     |> authorize(params)
   end
@@ -176,9 +192,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
 
       json(conn, Token.Response.build(user, token, response_attrs))
     else
-      _error ->
-        put_status(conn, 400)
-        |> json(%{error: "Invalid credentials"})
+      _error -> render_invalid_credentials_error(conn)
     end
   end
 
@@ -192,9 +206,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
 
       json(conn, Token.Response.build(user, token, response_attrs))
     else
-      _error ->
-        put_status(conn, 400)
-        |> json(%{error: "Invalid credentials"})
+      _error -> render_invalid_credentials_error(conn)
     end
   end
 
@@ -214,18 +226,13 @@ defmodule Pleroma.Web.OAuth.OAuthController do
       {:auth_active, false} ->
         # Per https://github.com/tootsuite/mastodon/blob/
         #   51e154f5e87968d6bb115e053689767ab33e80cd/app/controllers/api/base_controller.rb#L76
-        conn
-        |> put_status(:forbidden)
-        |> json(%{error: "Your login is missing a confirmed e-mail address"})
+        render_error(conn, :forbidden, "Your login is missing a confirmed e-mail address")
 
       {:user_active, false} ->
-        conn
-        |> put_status(:forbidden)
-        |> json(%{error: "Your account is currently disabled"})
+        render_error(conn, :forbidden, "Your account is currently disabled")
 
       _error ->
-        put_status(conn, 400)
-        |> json(%{error: "Invalid credentials"})
+        render_invalid_credentials_error(conn)
     end
   end
 
@@ -247,9 +254,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
          {:ok, token} <- Token.exchange_token(app, auth) do
       json(conn, Token.Response.build_for_client_credentials(token))
     else
-      _error ->
-        put_status(conn, 400)
-        |> json(%{error: "Invalid credentials"})
+      _error -> render_invalid_credentials_error(conn)
     end
   end
 
@@ -271,9 +276,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
 
   # Response for bad request
   defp bad_request(%Plug.Conn{} = conn, _) do
-    conn
-    |> put_status(500)
-    |> json(%{error: "Bad request"})
+    render_error(conn, :internal_server_error, "Bad request")
   end
 
   @doc "Prepares OAuth request to provider for Ueberauth"
@@ -304,9 +307,11 @@ defmodule Pleroma.Web.OAuth.OAuthController do
   def request(%Plug.Conn{} = conn, params) do
     message =
       if params["provider"] do
-        "Unsupported OAuth provider: #{params["provider"]}."
+        dgettext("errors", "Unsupported OAuth provider: %{provider}.",
+          provider: params["provider"]
+        )
       else
-        "Bad OAuth request."
+        dgettext("errors", "Bad OAuth request.")
       end
 
     conn
@@ -320,7 +325,10 @@ defmodule Pleroma.Web.OAuth.OAuthController do
     message = Enum.join(messages, "; ")
 
     conn
-    |> put_flash(:error, "Failed to authenticate: #{message}.")
+    |> put_flash(
+      :error,
+      dgettext("errors", "Failed to authenticate: %{message}.", message: message)
+    )
     |> redirect(external: redirect_uri(conn, params["redirect_uri"]))
   end
 
@@ -350,7 +358,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
         Logger.debug(inspect(["OAUTH_ERROR", error, conn.assigns]))
 
         conn
-        |> put_flash(:error, "Failed to set up user account.")
+        |> put_flash(:error, dgettext("errors", "Failed to set up user account."))
         |> redirect(external: redirect_uri(conn, params["redirect_uri"]))
     end
   end
@@ -373,8 +381,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
   def register(%Plug.Conn{} = conn, %{"authorization" => _, "op" => "connect"} = params) do
     with registration_id when not is_nil(registration_id) <- get_session_registration_id(conn),
          %Registration{} = registration <- Repo.get(Registration, registration_id),
-         {_, {:ok, auth}} <-
-           {:create_authorization, do_create_authorization(conn, params)},
+         {_, {:ok, auth}} <- {:create_authorization, do_create_authorization(conn, params)},
          %User{} = user <- Repo.preload(auth, :user).user,
          {:ok, _updated_registration} <- Registration.bind_to_user(registration, user) do
       conn
@@ -468,4 +475,8 @@ defmodule Pleroma.Web.OAuth.OAuthController do
     |> String.split()
     |> Enum.at(0)
   end
+
+  defp render_invalid_credentials_error(conn) do
+    render_error(conn, :bad_request, "Invalid credentials")
+  end
 end