Fix oauth2 (for real) (#179)

[akkoma] / lib / pleroma / web / o_auth / o_auth_controller.ex

diff --git a/lib/pleroma/web/o_auth/o_auth_controller.ex b/lib/pleroma/web/o_auth/o_auth_controller.ex
index 43536f95d718380f09a109ad3dcf55ef88dbf28a..6a8006d31d44e3be878cb8b4c1a2ac1cf0433940 100644 (file)
--- a/lib/pleroma/web/o_auth/o_auth_controller.ex
+++ b/lib/pleroma/web/o_auth/o_auth_controller.ex
@@ -71,16 +71,27 @@ defmodule Pleroma.Web.OAuth.OAuthController do
 
   def authorize(%Plug.Conn{} = conn, params), do: do_authorize(conn, params)
 
+  defp maybe_remove_token(%Plug.Conn{assigns: %{token: %{app: id}}} = conn, %App{id: id}) do
+    conn
+  end
+
+  defp maybe_remove_token(conn, _app) do
+    conn
+    |> assign(:token, nil)
+  end
+
   defp do_authorize(%Plug.Conn{} = conn, params) do
     app = Repo.get_by(App, client_id: params["client_id"])
+    conn = maybe_remove_token(conn, app)
     available_scopes = (app && app.scopes) || []
     scopes = Scopes.fetch_scopes(params, available_scopes)
 
     # if we already have a token for this specific setup, we can use that
     with false <- Params.truthy_param?(params["force_login"]),
          %App{} <- app,
-         {:ok, _} <- Scopes.validate(scopes, app.scopes),
-         {:ok, %Token{} = token} <- Token.get_by_app(app) do
+         %{assigns: %{user: %Pleroma.User{} = user}} <- conn,
+         {:ok, %Token{} = token} <- Token.get_preexisting_by_app_and_user(app, user),
+         true <- scopes == token.scopes do
       token = Repo.preload(token, :app)
 
       conn