Merge branch 'refactor/oauth_scopes' into 'develop'
Refactoring functions for dealing with oauth scopes. See merge request pleroma/pleroma!1125
This commit is contained in:
commit
aa8a6e7bec
|
@ -10,12 +10,6 @@ defmodule Pleroma.Web.ControllerHelper do
|
||||||
def truthy_param?(blank_value) when blank_value in [nil, ""], do: nil
|
def truthy_param?(blank_value) when blank_value in [nil, ""], do: nil
|
||||||
def truthy_param?(value), do: value not in @falsy_param_values
|
def truthy_param?(value), do: value not in @falsy_param_values
|
||||||
|
|
||||||
def oauth_scopes(params, default) do
|
|
||||||
# Note: `scopes` is used by Mastodon — supporting it but sticking to
|
|
||||||
# OAuth's standard `scope` wherever we control it
|
|
||||||
Pleroma.Web.OAuth.parse_scopes(params["scope"] || params["scopes"], default)
|
|
||||||
end
|
|
||||||
|
|
||||||
def json_response(conn, status, json) do
|
def json_response(conn, status, json) do
|
||||||
conn
|
conn
|
||||||
|> put_status(status)
|
|> put_status(status)
|
||||||
|
|
|
@ -37,6 +37,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
|
||||||
alias Pleroma.Web.MediaProxy
|
alias Pleroma.Web.MediaProxy
|
||||||
alias Pleroma.Web.OAuth.App
|
alias Pleroma.Web.OAuth.App
|
||||||
alias Pleroma.Web.OAuth.Authorization
|
alias Pleroma.Web.OAuth.Authorization
|
||||||
|
alias Pleroma.Web.OAuth.Scopes
|
||||||
alias Pleroma.Web.OAuth.Token
|
alias Pleroma.Web.OAuth.Token
|
||||||
|
|
||||||
alias Pleroma.Web.ControllerHelper
|
alias Pleroma.Web.ControllerHelper
|
||||||
|
@ -50,7 +51,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
|
||||||
action_fallback(:errors)
|
action_fallback(:errors)
|
||||||
|
|
||||||
def create_app(conn, params) do
|
def create_app(conn, params) do
|
||||||
scopes = ControllerHelper.oauth_scopes(params, ["read"])
|
scopes = Scopes.fetch_scopes(params, ["read"])
|
||||||
|
|
||||||
app_attrs =
|
app_attrs =
|
||||||
params
|
params
|
||||||
|
|
|
@ -3,18 +3,4 @@
|
||||||
# SPDX-License-Identifier: AGPL-3.0-only
|
# SPDX-License-Identifier: AGPL-3.0-only
|
||||||
|
|
||||||
defmodule Pleroma.Web.OAuth do
|
defmodule Pleroma.Web.OAuth do
|
||||||
def parse_scopes(scopes, _default) when is_list(scopes) do
|
|
||||||
Enum.filter(scopes, &(&1 not in [nil, ""]))
|
|
||||||
end
|
|
||||||
|
|
||||||
def parse_scopes(scopes, default) when is_binary(scopes) do
|
|
||||||
scopes
|
|
||||||
|> String.trim()
|
|
||||||
|> String.split(~r/[\s,]+/)
|
|
||||||
|> parse_scopes(default)
|
|
||||||
end
|
|
||||||
|
|
||||||
def parse_scopes(_, default) do
|
|
||||||
default
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
|
@ -15,8 +15,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
|
||||||
alias Pleroma.Web.OAuth.Token
|
alias Pleroma.Web.OAuth.Token
|
||||||
alias Pleroma.Web.OAuth.Token.Strategy.RefreshToken
|
alias Pleroma.Web.OAuth.Token.Strategy.RefreshToken
|
||||||
alias Pleroma.Web.OAuth.Token.Strategy.Revoke, as: RevokeToken
|
alias Pleroma.Web.OAuth.Token.Strategy.Revoke, as: RevokeToken
|
||||||
|
alias Pleroma.Web.OAuth.Scopes
|
||||||
import Pleroma.Web.ControllerHelper, only: [oauth_scopes: 2]
|
|
||||||
|
|
||||||
if Pleroma.Config.oauth_consumer_enabled?(), do: plug(Ueberauth)
|
if Pleroma.Config.oauth_consumer_enabled?(), do: plug(Ueberauth)
|
||||||
|
|
||||||
|
@ -57,7 +56,7 @@ def authorize(conn, params), do: do_authorize(conn, params)
|
||||||
defp do_authorize(conn, params) do
|
defp do_authorize(conn, params) do
|
||||||
app = Repo.get_by(App, client_id: params["client_id"])
|
app = Repo.get_by(App, client_id: params["client_id"])
|
||||||
available_scopes = (app && app.scopes) || []
|
available_scopes = (app && app.scopes) || []
|
||||||
scopes = oauth_scopes(params, nil) || available_scopes
|
scopes = Scopes.fetch_scopes(params, available_scopes)
|
||||||
|
|
||||||
# Note: `params` might differ from `conn.params`; use `@params` not `@conn.params` in template
|
# Note: `params` might differ from `conn.params`; use `@params` not `@conn.params` in template
|
||||||
render(conn, Authenticator.auth_template(), %{
|
render(conn, Authenticator.auth_template(), %{
|
||||||
|
@ -113,7 +112,7 @@ def after_create_authorization(conn, auth, %{
|
||||||
|
|
||||||
defp handle_create_authorization_error(
|
defp handle_create_authorization_error(
|
||||||
conn,
|
conn,
|
||||||
{scopes_issue, _},
|
{:error, scopes_issue},
|
||||||
%{"authorization" => _} = params
|
%{"authorization" => _} = params
|
||||||
)
|
)
|
||||||
when scopes_issue in [:unsupported_scopes, :missing_scopes] do
|
when scopes_issue in [:unsupported_scopes, :missing_scopes] do
|
||||||
|
@ -184,9 +183,7 @@ def token_exchange(
|
||||||
%App{} = app <- get_app_from_request(conn, params),
|
%App{} = app <- get_app_from_request(conn, params),
|
||||||
{:auth_active, true} <- {:auth_active, User.auth_active?(user)},
|
{:auth_active, true} <- {:auth_active, User.auth_active?(user)},
|
||||||
{:user_active, true} <- {:user_active, !user.info.deactivated},
|
{:user_active, true} <- {:user_active, !user.info.deactivated},
|
||||||
scopes <- oauth_scopes(params, app.scopes),
|
{:ok, scopes} <- validate_scopes(app, params),
|
||||||
[] <- scopes -- app.scopes,
|
|
||||||
true <- Enum.any?(scopes),
|
|
||||||
{:ok, auth} <- Authorization.create_authorization(app, user, scopes),
|
{:ok, auth} <- Authorization.create_authorization(app, user, scopes),
|
||||||
{:ok, token} <- Token.exchange_token(app, auth) do
|
{:ok, token} <- Token.exchange_token(app, auth) do
|
||||||
json(conn, response_token(user, token))
|
json(conn, response_token(user, token))
|
||||||
|
@ -247,8 +244,9 @@ defp bad_request(conn, _) do
|
||||||
@doc "Prepares OAuth request to provider for Ueberauth"
|
@doc "Prepares OAuth request to provider for Ueberauth"
|
||||||
def prepare_request(conn, %{"provider" => provider, "authorization" => auth_attrs}) do
|
def prepare_request(conn, %{"provider" => provider, "authorization" => auth_attrs}) do
|
||||||
scope =
|
scope =
|
||||||
oauth_scopes(auth_attrs, [])
|
auth_attrs
|
||||||
|> Enum.join(" ")
|
|> Scopes.fetch_scopes([])
|
||||||
|
|> Scopes.to_string()
|
||||||
|
|
||||||
state =
|
state =
|
||||||
auth_attrs
|
auth_attrs
|
||||||
|
@ -326,7 +324,7 @@ def registration_details(conn, %{"authorization" => auth_attrs}) do
|
||||||
client_id: auth_attrs["client_id"],
|
client_id: auth_attrs["client_id"],
|
||||||
redirect_uri: auth_attrs["redirect_uri"],
|
redirect_uri: auth_attrs["redirect_uri"],
|
||||||
state: auth_attrs["state"],
|
state: auth_attrs["state"],
|
||||||
scopes: oauth_scopes(auth_attrs, []),
|
scopes: Scopes.fetch_scopes(auth_attrs, []),
|
||||||
nickname: auth_attrs["nickname"],
|
nickname: auth_attrs["nickname"],
|
||||||
email: auth_attrs["email"]
|
email: auth_attrs["email"]
|
||||||
})
|
})
|
||||||
|
@ -401,10 +399,7 @@ defp do_create_authorization(
|
||||||
{:get_user, (user && {:ok, user}) || Authenticator.get_user(conn)},
|
{:get_user, (user && {:ok, user}) || Authenticator.get_user(conn)},
|
||||||
%App{} = app <- Repo.get_by(App, client_id: client_id),
|
%App{} = app <- Repo.get_by(App, client_id: client_id),
|
||||||
true <- redirect_uri in String.split(app.redirect_uris),
|
true <- redirect_uri in String.split(app.redirect_uris),
|
||||||
scopes <- oauth_scopes(auth_attrs, []),
|
{:ok, scopes} <- validate_scopes(app, auth_attrs),
|
||||||
{:unsupported_scopes, []} <- {:unsupported_scopes, scopes -- app.scopes},
|
|
||||||
# Note: `scope` param is intentionally not optional in this context
|
|
||||||
{:missing_scopes, false} <- {:missing_scopes, scopes == []},
|
|
||||||
{:auth_active, true} <- {:auth_active, User.auth_active?(user)} do
|
{:auth_active, true} <- {:auth_active, User.auth_active?(user)} do
|
||||||
Authorization.create_authorization(app, user, scopes)
|
Authorization.create_authorization(app, user, scopes)
|
||||||
end
|
end
|
||||||
|
@ -458,4 +453,12 @@ defp response_token(%User{} = user, token, opts \\ %{}) do
|
||||||
}
|
}
|
||||||
|> Map.merge(opts)
|
|> Map.merge(opts)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@spec validate_scopes(App.t(), map()) ::
|
||||||
|
{:ok, list()} | {:error, :missing_scopes | :unsupported_scopes}
|
||||||
|
defp validate_scopes(app, params) do
|
||||||
|
params
|
||||||
|
|> Scopes.fetch_scopes(app.scopes)
|
||||||
|
|> Scopes.validates(app.scopes)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -0,0 +1,67 @@
|
||||||
|
# Pleroma: A lightweight social networking server
|
||||||
|
# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
|
||||||
|
# SPDX-License-Identifier: AGPL-3.0-only
|
||||||
|
|
||||||
|
defmodule Pleroma.Web.OAuth.Scopes do
|
||||||
|
@moduledoc """
|
||||||
|
Functions for dealing with scopes.
|
||||||
|
"""
|
||||||
|
|
||||||
|
@doc """
|
||||||
|
Fetch scopes from requiest params.
|
||||||
|
|
||||||
|
Note: `scopes` is used by Mastodon — supporting it but sticking to
|
||||||
|
OAuth's standard `scope` wherever we control it
|
||||||
|
"""
|
||||||
|
@spec fetch_scopes(map(), list()) :: list()
|
||||||
|
def fetch_scopes(params, default) do
|
||||||
|
parse_scopes(params["scope"] || params["scopes"], default)
|
||||||
|
end
|
||||||
|
|
||||||
|
def parse_scopes(scopes, _default) when is_list(scopes) do
|
||||||
|
Enum.filter(scopes, &(&1 not in [nil, ""]))
|
||||||
|
end
|
||||||
|
|
||||||
|
def parse_scopes(scopes, default) when is_binary(scopes) do
|
||||||
|
scopes
|
||||||
|
|> to_list
|
||||||
|
|> parse_scopes(default)
|
||||||
|
end
|
||||||
|
|
||||||
|
def parse_scopes(_, default) do
|
||||||
|
default
|
||||||
|
end
|
||||||
|
|
||||||
|
@doc """
|
||||||
|
Convert scopes string to list
|
||||||
|
"""
|
||||||
|
@spec to_list(binary()) :: [binary()]
|
||||||
|
def to_list(nil), do: []
|
||||||
|
|
||||||
|
def to_list(str) do
|
||||||
|
str
|
||||||
|
|> String.trim()
|
||||||
|
|> String.split(~r/[\s,]+/)
|
||||||
|
end
|
||||||
|
|
||||||
|
@doc """
|
||||||
|
Convert scopes list to string
|
||||||
|
"""
|
||||||
|
@spec to_string(list()) :: binary()
|
||||||
|
def to_string(scopes), do: Enum.join(scopes, " ")
|
||||||
|
|
||||||
|
@doc """
|
||||||
|
Validates scopes.
|
||||||
|
"""
|
||||||
|
@spec validates(list() | nil, list()) ::
|
||||||
|
{:ok, list()} | {:error, :missing_scopes | :unsupported_scopes}
|
||||||
|
def validates([], _app_scopes), do: {:error, :missing_scopes}
|
||||||
|
def validates(nil, _app_scopes), do: {:error, :missing_scopes}
|
||||||
|
|
||||||
|
def validates(scopes, app_scopes) do
|
||||||
|
case scopes -- app_scopes do
|
||||||
|
[] -> {:ok, scopes}
|
||||||
|
_ -> {:error, :unsupported_scopes}
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
Loading…
Reference in New Issue