X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;ds=sidebyside;f=lib%2Fpleroma%2Fweb%2Fo_auth%2Fo_auth_controller.ex;h=277df1c46683932b08b9669cfe97f7b34a6642a4;hb=28ab09d37755aa4e3f886f4d7748beaed4ad22e3;hp=6e3c7e1a1c75c71372cc85e25e2ba7a5f9c1679f;hpb=6cd0586ef9f1991655c7736479a9a1fb39f4098c;p=akkoma
diff --git a/lib/pleroma/web/o_auth/o_auth_controller.ex b/lib/pleroma/web/o_auth/o_auth_controller.ex
index 6e3c7e1a1..277df1c46 100644
--- a/lib/pleroma/web/o_auth/o_auth_controller.ex
+++ b/lib/pleroma/web/o_auth/o_auth_controller.ex
@@ -1,5 +1,5 @@
# Pleroma: A lightweight social networking server
-# Copyright © 2017-2020 Pleroma Authors
+# Copyright © 2017-2021 Pleroma Authors
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Web.OAuth.OAuthController do
@@ -12,8 +12,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
alias Pleroma.Registration
alias Pleroma.Repo
alias Pleroma.User
- alias Pleroma.Web.Auth.Authenticator
- alias Pleroma.Web.ControllerHelper
+ alias Pleroma.Web.Auth.WrapperAuthenticator, as: Authenticator
alias Pleroma.Web.OAuth.App
alias Pleroma.Web.OAuth.Authorization
alias Pleroma.Web.OAuth.MFAController
@@ -24,6 +23,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
alias Pleroma.Web.OAuth.Token.Strategy.RefreshToken
alias Pleroma.Web.OAuth.Token.Strategy.Revoke, as: RevokeToken
alias Pleroma.Web.Plugs.RateLimiter
+ alias Pleroma.Web.Utils.Params
require Logger
@@ -32,10 +32,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
plug(:fetch_session)
plug(:fetch_flash)
- plug(:skip_plug, [
- Pleroma.Web.Plugs.OAuthScopesPlug,
- Pleroma.Web.Plugs.EnsurePublicOrAuthenticatedPlug
- ])
+ plug(:skip_auth)
plug(RateLimiter, [name: :authentication] when action == :create_authorization)
@@ -50,7 +47,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
end
def authorize(%Plug.Conn{assigns: %{token: %Token{}}} = conn, %{"force_login" => _} = params) do
- if ControllerHelper.truthy_param?(params["force_login"]) do
+ if Params.truthy_param?(params["force_login"]) do
do_authorize(conn, params)
else
handle_existing_authorization(conn, params)
@@ -62,18 +59,39 @@ defmodule Pleroma.Web.OAuth.OAuthController do
# after user already authorized to MastodonFE.
# So we have to check client and token.
def authorize(
- %Plug.Conn{assigns: %{token: %Token{} = token}} = conn,
+ %Plug.Conn{assigns: %{token: %Token{} = token, user: %User{} = user}} = conn,
%{"client_id" => client_id} = params
) do
with %Token{} = t <- Repo.get_by(Token, token: token.token) |> Repo.preload(:app),
^client_id <- t.app.client_id do
handle_existing_authorization(conn, params)
+ else
+ _ ->
+ maybe_reuse_token(conn, params, user.id)
+ end
+ end
+
+ def authorize(%Plug.Conn{} = conn, params) do
+ # if we have a user in the session, attempt to authenticate as them
+ # otherwise show the login form
+ maybe_reuse_token(conn, params, AuthHelper.get_session_user(conn))
+ end
+
+ defp maybe_reuse_token(conn, params, user_id) when is_binary(user_id) do
+ with %User{} = user <- User.get_cached_by_id(user_id),
+ %App{} = app <- Repo.get_by(App, client_id: params["client_id"]),
+ {:ok, %Token{} = token} <- Token.get_preeexisting_by_app_and_user(app, user),
+ {:ok, %Authorization{} = auth} <-
+ Authorization.get_preeexisting_by_app_and_user(app, user) do
+ conn
+ |> assign(:token, token)
+ |> after_create_authorization(auth, %{"authorization" => params})
else
_ -> do_authorize(conn, params)
end
end
- def authorize(%Plug.Conn{} = conn, params), do: do_authorize(conn, params)
+ defp maybe_reuse_token(conn, params, _user), do: do_authorize(conn, params)
defp do_authorize(%Plug.Conn{} = conn, params) do
app = Repo.get_by(App, client_id: params["client_id"])
@@ -104,7 +122,8 @@ defmodule Pleroma.Web.OAuth.OAuthController do
scopes: scopes,
redirect_uri: params["redirect_uri"],
state: params["state"],
- params: params
+ params: params,
+ view_module: OAuthView
})
end
@@ -150,7 +169,9 @@ defmodule Pleroma.Web.OAuth.OAuthController do
def create_authorization(%Plug.Conn{} = conn, %{"authorization" => _} = params, opts) do
with {:ok, auth, user} <- do_create_authorization(conn, params, opts[:user]),
{:mfa_required, _, _, false} <- {:mfa_required, user, auth, MFA.require?(user)} do
- after_create_authorization(conn, auth, params)
+ conn
+ |> AuthHelper.put_session_user(user.id)
+ |> after_create_authorization(auth, params)
else
error ->
handle_create_authorization_error(conn, error, params)
@@ -163,7 +184,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
# Enforcing the view to reuse the template when calling from other controllers
conn
|> put_view(OAuthView)
- |> render("oob_authorization_created.html", %{auth: auth})
+ |> render("oob_authorization_created.html", %{auth: auth, view_module: OAuthView})
end
def after_create_authorization(%Plug.Conn{} = conn, %Authorization{} = auth, %{
@@ -190,11 +211,11 @@ defmodule Pleroma.Web.OAuth.OAuthController do
{:error, scopes_issue},
%{"authorization" => _} = params
)
- when scopes_issue in [:unsupported_scopes, :missing_scopes] do
+ when scopes_issue in [:unsupported_scopes, :missing_scopes, :user_is_not_an_admin] do
# Per https://github.com/tootsuite/mastodon/blob/
# 51e154f5e87968d6bb115e053689767ab33e80cd/app/controllers/api/base_controller.rb#L39
conn
- |> put_flash(:error, dgettext("errors", "This action is outside the authorized scopes"))
+ |> put_flash(:error, dgettext("errors", "This action is outside of authorized scopes"))
|> put_status(:unauthorized)
|> authorize(params)
end
@@ -271,7 +292,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
fixed_token = Token.Utils.fix_padding(params["code"]),
{:ok, auth} <- Authorization.get_by_token(app, fixed_token),
%User{} = user <- User.get_cached_by_id(auth.user_id),
- {:ok, token} <- Token.exchange_token(app, auth) do
+ {:ok, token} <- Token.get_or_exchange_token(auth, app, user) do
after_token_exchange(conn, %{user: user, token: token})
else
error ->
@@ -323,6 +344,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
def after_token_exchange(%Plug.Conn{} = conn, %{token: token} = view_params) do
conn
|> AuthHelper.put_session_token(token.token)
+ |> AuthHelper.put_session_user(token.user_id)
|> json(OAuthView.render("token.json", view_params))
end
@@ -427,7 +449,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
|> Map.put("state", state)
# Handing the request to Ueberauth
- redirect(conn, to: o_auth_path(conn, :request, provider, params))
+ redirect(conn, to: Routes.o_auth_path(conn, :request, provider, params))
end
def request(%Plug.Conn{} = conn, params) do
@@ -536,10 +558,9 @@ defmodule Pleroma.Web.OAuth.OAuthController do
else
{:error, changeset} ->
message =
- Enum.map(changeset.errors, fn {field, {error, _}} ->
+ Enum.map_join(changeset.errors, "; ", fn {field, {error, _}} ->
"#{field} #{error}"
end)
- |> Enum.join("; ")
message =
String.replace(
@@ -584,7 +605,8 @@ defmodule Pleroma.Web.OAuth.OAuthController do
defp do_create_authorization(%User{} = user, %App{} = app, requested_scopes)
when is_list(requested_scopes) do
with {:account_status, :active} <- {:account_status, User.account_status(user)},
- {:ok, scopes} <- validate_scopes(app, requested_scopes),
+ requested_scopes <- Scopes.filter_admin_scopes(requested_scopes, user),
+ {:ok, scopes} <- validate_scopes(user, app, requested_scopes),
{:ok, auth} <- Authorization.create_authorization(app, user, scopes) do
{:ok, auth}
end
@@ -601,7 +623,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
end
# Special case: Local MastodonFE
- defp redirect_uri(%Plug.Conn{} = conn, "."), do: auth_url(conn, :login)
+ defp redirect_uri(%Plug.Conn{} = conn, "."), do: Routes.auth_url(conn, :login)
defp redirect_uri(%Plug.Conn{}, redirect_uri), do: redirect_uri
@@ -616,15 +638,16 @@ defmodule Pleroma.Web.OAuth.OAuthController do
end
end
- @spec validate_scopes(App.t(), map() | list()) ::
+ @spec validate_scopes(User.t(), App.t(), map() | list()) ::
{:ok, list()} | {:error, :missing_scopes | :unsupported_scopes}
- defp validate_scopes(%App{} = app, params) when is_map(params) do
+ defp validate_scopes(%User{} = user, %App{} = app, params) when is_map(params) do
requested_scopes = Scopes.fetch_scopes(params, app.scopes)
- validate_scopes(app, requested_scopes)
+ validate_scopes(user, app, requested_scopes)
end
- defp validate_scopes(%App{} = app, requested_scopes) when is_list(requested_scopes) do
- Scopes.validate(requested_scopes, app.scopes)
+ defp validate_scopes(%User{} = user, %App{} = app, requested_scopes)
+ when is_list(requested_scopes) do
+ Scopes.validate(requested_scopes, app.scopes, user)
end
def default_redirect_uri(%App{} = app) do