From 90facd359813197060f6c33f2389fce772550fc3 Mon Sep 17 00:00:00 2001
From: William Pitcock <nenolod@dereferenced.org>
Date: Tue, 12 Feb 2019 21:28:11 +0000
Subject: [PATCH 1/7] user view: add AP C2S oauth endpoints to local user
 profiles

---
 .../web/activity_pub/views/user_view.ex       | 26 ++++++++++++++-----
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/lib/pleroma/web/activity_pub/views/user_view.ex b/lib/pleroma/web/activity_pub/views/user_view.ex
index 15e6c1f68..0d880212e 100644
--- a/lib/pleroma/web/activity_pub/views/user_view.ex
+++ b/lib/pleroma/web/activity_pub/views/user_view.ex
@@ -15,6 +15,20 @@ defmodule Pleroma.Web.ActivityPub.UserView do
 
   import Ecto.Query
 
+  def render("endpoints.json", %{user: %{local: true} = _user}) do
+    %{
+      "oauthAuthorizationEndpoint" => "#{Pleroma.Web.Endpoint.url()}/oauth/authorize",
+      "oauthTokenEndpoint" => "#{Pleroma.Web.Endpoint.url()}/oauth/token"
+    }
+    |> Map.merge(render("endpoints.json", nil))
+  end
+
+  def render("endpoints.json", _) do
+    %{
+      "sharedInbox" => "#{Pleroma.Web.Endpoint.url()}/inbox"
+    }
+  end
+
   # the instance itself is not a Person, but instead an Application
   def render("user.json", %{user: %{nickname: nil} = user}) do
     {:ok, user} = WebFinger.ensure_keys_present(user)
@@ -22,6 +36,8 @@ def render("user.json", %{user: %{nickname: nil} = user}) do
     public_key = :public_key.pem_entry_encode(:SubjectPublicKeyInfo, public_key)
     public_key = :public_key.pem_encode([public_key])
 
+    endpoints = render("endpoints.json", %{user: user})
+
     %{
       "id" => user.ap_id,
       "type" => "Application",
@@ -37,9 +53,7 @@ def render("user.json", %{user: %{nickname: nil} = user}) do
         "owner" => user.ap_id,
         "publicKeyPem" => public_key
       },
-      "endpoints" => %{
-        "sharedInbox" => "#{Pleroma.Web.Endpoint.url()}/inbox"
-      }
+      "endpoints" => endpoints
     }
     |> Map.merge(Utils.make_json_ld_header())
   end
@@ -50,6 +64,8 @@ def render("user.json", %{user: user}) do
     public_key = :public_key.pem_entry_encode(:SubjectPublicKeyInfo, public_key)
     public_key = :public_key.pem_encode([public_key])
 
+    endpoints = render("endpoints.json", %{user: user})
+
     %{
       "id" => user.ap_id,
       "type" => "Person",
@@ -67,9 +83,7 @@ def render("user.json", %{user: user}) do
         "owner" => user.ap_id,
         "publicKeyPem" => public_key
       },
-      "endpoints" => %{
-        "sharedInbox" => "#{Pleroma.Web.Endpoint.url()}/inbox"
-      },
+      "endpoints" => endpoints,
       "icon" => %{
         "type" => "Image",
         "url" => User.avatar_url(user)

From dd989962e681a126ff086064d22cbcbd9bfaf7a2 Mon Sep 17 00:00:00 2001
From: William Pitcock <nenolod@dereferenced.org>
Date: Tue, 12 Feb 2019 21:37:37 +0000
Subject: [PATCH 2/7] litepub schema: add oauthRegistrationEndpoint [ci skip]

---
 priv/static/schemas/litepub-0.1.jsonld | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/priv/static/schemas/litepub-0.1.jsonld b/priv/static/schemas/litepub-0.1.jsonld
index 15645646a..f36b231c5 100644
--- a/priv/static/schemas/litepub-0.1.jsonld
+++ b/priv/static/schemas/litepub-0.1.jsonld
@@ -19,7 +19,11 @@
             "value": "schema:value",
             "sensitive": "as:sensitive",
             "litepub": "http://litepub.social/ns#",
-            "directMessage": "litepub:directMessage"
+            "directMessage": "litepub:directMessage",
+            "oauthRegistrationEndpoint": {
+                "@id": "litepub:oauthRegistrationEndpoint",
+                "@type": "@id"
+            }
         }
     ]
 }

From db8abd958dc2266262def048352466280c12d3a7 Mon Sep 17 00:00:00 2001
From: William Pitcock <nenolod@dereferenced.org>
Date: Tue, 12 Feb 2019 21:42:32 +0000
Subject: [PATCH 3/7] activitypub: user view: fix up endpoints rendering

---
 lib/pleroma/web/activity_pub/views/user_view.ex | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/pleroma/web/activity_pub/views/user_view.ex b/lib/pleroma/web/activity_pub/views/user_view.ex
index 0d880212e..44beee728 100644
--- a/lib/pleroma/web/activity_pub/views/user_view.ex
+++ b/lib/pleroma/web/activity_pub/views/user_view.ex
@@ -15,12 +15,12 @@ defmodule Pleroma.Web.ActivityPub.UserView do
 
   import Ecto.Query
 
-  def render("endpoints.json", %{user: %{local: true} = _user}) do
+  def render("endpoints.json", %{user: %User{local: true} = _user}) do
     %{
       "oauthAuthorizationEndpoint" => "#{Pleroma.Web.Endpoint.url()}/oauth/authorize",
       "oauthTokenEndpoint" => "#{Pleroma.Web.Endpoint.url()}/oauth/token"
     }
-    |> Map.merge(render("endpoints.json", nil))
+    |> Map.merge(render("endpoints.json", %{user: nil}))
   end
 
   def render("endpoints.json", _) do

From 29e946ace43f5dd3342e2bd3699004e9c56e711d Mon Sep 17 00:00:00 2001
From: William Pitcock <nenolod@dereferenced.org>
Date: Tue, 12 Feb 2019 21:49:48 +0000
Subject: [PATCH 4/7] activitypub: user view: add oauthRegistrationEndpoint to
 user profiles

---
 lib/pleroma/web/activity_pub/views/user_view.ex | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/pleroma/web/activity_pub/views/user_view.ex b/lib/pleroma/web/activity_pub/views/user_view.ex
index 44beee728..af75546dd 100644
--- a/lib/pleroma/web/activity_pub/views/user_view.ex
+++ b/lib/pleroma/web/activity_pub/views/user_view.ex
@@ -18,6 +18,7 @@ defmodule Pleroma.Web.ActivityPub.UserView do
   def render("endpoints.json", %{user: %User{local: true} = _user}) do
     %{
       "oauthAuthorizationEndpoint" => "#{Pleroma.Web.Endpoint.url()}/oauth/authorize",
+      "oauthRegistrationEndpoint" => "#{Pleroma.Web.Endpoint.url()}/api/v1/apps",
       "oauthTokenEndpoint" => "#{Pleroma.Web.Endpoint.url()}/oauth/token"
     }
     |> Map.merge(render("endpoints.json", %{user: nil}))

From 9bd6ed975ec57f46ff6796fadb8822faec262bbc Mon Sep 17 00:00:00 2001
From: William Pitcock <nenolod@dereferenced.org>
Date: Wed, 13 Feb 2019 19:20:41 +0000
Subject: [PATCH 5/7] activitypub: user view: use route helpers instead of
 hardcoded URIs

---
 .../web/activity_pub/views/user_view.ex        | 18 ++++++++----------
 lib/pleroma/web/router.ex                      |  2 +-
 2 files changed, 9 insertions(+), 11 deletions(-)

diff --git a/lib/pleroma/web/activity_pub/views/user_view.ex b/lib/pleroma/web/activity_pub/views/user_view.ex
index af75546dd..035463de2 100644
--- a/lib/pleroma/web/activity_pub/views/user_view.ex
+++ b/lib/pleroma/web/activity_pub/views/user_view.ex
@@ -12,23 +12,21 @@ defmodule Pleroma.Web.ActivityPub.UserView do
   alias Pleroma.Web.ActivityPub.ActivityPub
   alias Pleroma.Web.ActivityPub.Transmogrifier
   alias Pleroma.Web.ActivityPub.Utils
+  alias Pleroma.Web.Router.Helpers
+  alias Pleroma.Web.Endpoint
 
   import Ecto.Query
 
-  def render("endpoints.json", %{user: %User{local: true} = _user}) do
+  def render("endpoints.json", %{user: %User{nickname: _nickname, local: true} = _user}) do
     %{
-      "oauthAuthorizationEndpoint" => "#{Pleroma.Web.Endpoint.url()}/oauth/authorize",
-      "oauthRegistrationEndpoint" => "#{Pleroma.Web.Endpoint.url()}/api/v1/apps",
-      "oauthTokenEndpoint" => "#{Pleroma.Web.Endpoint.url()}/oauth/token"
+      "oauthAuthorizationEndpoint" => Helpers.o_auth_url(Endpoint, :authorize),
+      "oauthRegistrationEndpoint" => Helpers.mastodon_api_url(Endpoint, :create_app),
+      "oauthTokenEndpoint" => Helpers.o_auth_url(Endpoint, :token_exchange),
+      "sharedInbox" => Helpers.activity_pub_url(Endpoint, :inbox)
     }
-    |> Map.merge(render("endpoints.json", %{user: nil}))
   end
 
-  def render("endpoints.json", _) do
-    %{
-      "sharedInbox" => "#{Pleroma.Web.Endpoint.url()}/inbox"
-    }
-  end
+  def render("endpoints.json", _), do: %{}
 
   # the instance itself is not a Person, but instead an Application
   def render("user.json", %{user: %{nickname: nil} = user}) do
diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex
index 5b5627ce8..d66a1c2a1 100644
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@@ -468,8 +468,8 @@ defmodule Pleroma.Web.Router do
 
   scope "/", Pleroma.Web.ActivityPub do
     pipe_through(:activitypub)
-    post("/users/:nickname/inbox", ActivityPubController, :inbox)
     post("/inbox", ActivityPubController, :inbox)
+    post("/users/:nickname/inbox", ActivityPubController, :inbox)
   end
 
   scope "/.well-known", Pleroma.Web do

From d54c483964692e1ca6b813d6b35a0635d3c0abf9 Mon Sep 17 00:00:00 2001
From: William Pitcock <nenolod@dereferenced.org>
Date: Wed, 13 Feb 2019 19:48:24 +0000
Subject: [PATCH 6/7] tests: add tests for endpoints

---
 .../web/activity_pub/views/user_view_test.exs | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/test/web/activity_pub/views/user_view_test.exs b/test/web/activity_pub/views/user_view_test.exs
index 7fc870e96..95d736c50 100644
--- a/test/web/activity_pub/views/user_view_test.exs
+++ b/test/web/activity_pub/views/user_view_test.exs
@@ -15,4 +15,32 @@ test "Renders a user, including the public key" do
 
     assert String.contains?(result["publicKey"]["publicKeyPem"], "BEGIN PUBLIC KEY")
   end
+
+  describe "endpoints" do
+    test "local users have a usable endpoints structure" do
+      user = insert(:user)
+      {:ok, user} = Pleroma.Web.WebFinger.ensure_keys_present(user)
+
+      result = UserView.render("user.json", %{user: user})
+
+      assert result["id"] == user.ap_id
+
+      %{
+        "sharedInbox" => _,
+        "oauthAuthorizationEndpoint" => _,
+        "oauthRegistrationEndpoint" => _,
+        "oauthTokenEndpoint" => _
+      } = result["endpoints"]
+    end
+
+    test "remote users have an empty endpoints structure" do
+      user = insert(:user, local: false)
+      {:ok, user} = Pleroma.Web.WebFinger.ensure_keys_present(user)
+
+      result = UserView.render("user.json", %{user: user})
+
+      assert result["id"] == user.ap_id
+      assert result["endpoints"] == %{}
+    end
+  end
 end

From 64620d8980e3e93791d3f880296be2060ffc4d39 Mon Sep 17 00:00:00 2001
From: William Pitcock <nenolod@dereferenced.org>
Date: Thu, 14 Feb 2019 02:41:21 +0000
Subject: [PATCH 7/7] activitypub: user view: do not expose oAuth endpoints for
 instance users

---
 lib/pleroma/web/activity_pub/views/user_view.ex |  6 +++++-
 test/web/activity_pub/views/user_view_test.exs  | 11 +++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/lib/pleroma/web/activity_pub/views/user_view.ex b/lib/pleroma/web/activity_pub/views/user_view.ex
index 035463de2..b363a3dc4 100644
--- a/lib/pleroma/web/activity_pub/views/user_view.ex
+++ b/lib/pleroma/web/activity_pub/views/user_view.ex
@@ -17,7 +17,11 @@ defmodule Pleroma.Web.ActivityPub.UserView do
 
   import Ecto.Query
 
-  def render("endpoints.json", %{user: %User{nickname: _nickname, local: true} = _user}) do
+  def render("endpoints.json", %{user: %User{nickname: nil, local: true} = _user}) do
+    %{"sharedInbox" => Helpers.activity_pub_url(Endpoint, :inbox)}
+  end
+
+  def render("endpoints.json", %{user: %User{local: true} = _user}) do
     %{
       "oauthAuthorizationEndpoint" => Helpers.o_auth_url(Endpoint, :authorize),
       "oauthRegistrationEndpoint" => Helpers.mastodon_api_url(Endpoint, :create_app),
diff --git a/test/web/activity_pub/views/user_view_test.exs b/test/web/activity_pub/views/user_view_test.exs
index 95d736c50..0bc1d4728 100644
--- a/test/web/activity_pub/views/user_view_test.exs
+++ b/test/web/activity_pub/views/user_view_test.exs
@@ -42,5 +42,16 @@ test "remote users have an empty endpoints structure" do
       assert result["id"] == user.ap_id
       assert result["endpoints"] == %{}
     end
+
+    test "instance users do not expose oAuth endpoints" do
+      user = insert(:user, nickname: nil, local: true)
+      {:ok, user} = Pleroma.Web.WebFinger.ensure_keys_present(user)
+
+      result = UserView.render("user.json", %{user: user})
+
+      refute result["endpoints"]["oauthAuthorizationEndpoint"]
+      refute result["endpoints"]["oauthRegistrationEndpoint"]
+      refute result["endpoints"]["oauthTokenEndpoint"]
+    end
   end
 end