oauth: allow client_credentials 2 legged oauth to suport ivory

davecheney · davecheney · commit 22e23a23296e · 2023-04-30T19:58:42.000+10:00
diff --git a/internal/httpx/params.go b/internal/httpx/params.go
@@ -3,9 +3,9 @@ package httpx
 import (
 	"errors"
 	"fmt"
+	"mime"
 	"net/http"
 	"net/url"
-	"strings"
 
 	"github.com/go-json-experiment/json"
 	"github.com/gorilla/schema"
@@ -25,7 +25,11 @@ func Params(r *http.Request, v interface{}) error {
 			return Error(http.StatusBadRequest, err)
 		}
 	case "POST", "PUT":
-		switch mediaType(r) {
+		mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
+		if err != nil {
+			return Error(http.StatusBadRequest, err)
+		}
+		switch mt {
 		case "application/json":
 			if err := json.UnmarshalFull(r.Body, v); err != nil {
 				return Error(http.StatusBadRequest, err)
@@ -61,8 +65,3 @@ func Params(r *http.Request, v interface{}) error {
 	}
 	return nil
 }
-
-// mediaType returns the media type of the request.
-func mediaType(req *http.Request) string {
-	return strings.Split(req.Header.Get("Content-Type"), ";")[0]
-}
diff --git a/models/token.go b/models/token.go
@@ -14,7 +14,7 @@ import (
 type Token struct {
 	AccessToken       string `gorm:"size:64;primaryKey;autoIncrement:false"`
 	CreatedAt         time.Time
-	AccountID         snowflake.ID
+	AccountID         *snowflake.ID
 	Account           *Account `gorm:"constraint:OnDelete:CASCADE;<-:false;"`
 	ApplicationID     snowflake.ID
 	Application       *Application `gorm:"constraint:OnDelete:CASCADE;<-:false;"`
diff --git a/oauth/oauth.go b/oauth/oauth.go
@@ -4,7 +4,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"log"
 
 	"net/http"
 
@@ -88,7 +87,7 @@ func AuthorizeCreate(env *activitypub.Env, w http.ResponseWriter, r *http.Reques
 
 	token := &models.Token{
 		AccessToken:       uuid.New().String(),
-		AccountID:         account.ID,
+		AccountID:         &account.ID,
 		ApplicationID:     app.ID,
 		TokenType:         models.TokenType("Bearer"),
 		Scope:             "read write follow push",
@@ -110,32 +109,59 @@ func TokenCreate(env *activitypub.Env, w http.ResponseWriter, r *http.Request) e
 		ClientID     string `json:"client_id" schema:"client_id,required"`
 		ClientSecret string `json:"client_secret" schema:"client_secret,required"`
 		GrantType    string `json:"grant_type" schema:"grant_type,required"`
-		Code         string `json:"code" schema:"code,required"`
+		Code         string `json:"code" schema:"code"`
 		RedirectURI  string `json:"redirect_uri" schema:"redirect_uri,required"`
-		Scope        string `json:"-" schema:"scope"` // ignored
+		Scope        string `json:"scope" schema:"scope"`
 	}
 	if err := httpx.Params(r, &params); err != nil {
 		return err
 	}
-	var token models.Token
-	if err := env.DB.Where("authorization_code = ?", params.Code).First(&token).Error; err != nil {
-		return httpx.Error(http.StatusUnauthorized, fmt.Errorf("token with code %s not found", params.Code))
-	}
+
 	var app models.Application
 	if err := env.DB.Where("client_id = ?", params.ClientID).First(&app).Error; err != nil {
 		return httpx.Error(http.StatusBadRequest, fmt.Errorf("failed to find application: %w", err))
 	}
+	if app.ClientSecret != params.ClientSecret {
+		return httpx.Error(http.StatusUnauthorized, fmt.Errorf("invalid client_secret"))
+	}
 
-	if token.ApplicationID != app.ID {
-		log.Println("client_id mismatch", token.ApplicationID, app.ID)
-		return httpx.Error(http.StatusUnauthorized, fmt.Errorf("client_id mismatch"))
+	switch params.GrantType {
+	case "authorization_code":
+		var token models.Token
+		if err := env.DB.Where("authorization_code = ?", params.Code).First(&token).Error; err != nil {
+			return httpx.Error(http.StatusUnauthorized, fmt.Errorf("token with code %s not found", params.Code))
+		}
+		if token.ApplicationID != app.ID {
+			return httpx.Error(http.StatusUnauthorized, fmt.Errorf("client_id mismatch"))
+		}
+		return to.JSON(w, map[string]any{
+			"access_token": token.AccessToken,
+			"token_type":   token.TokenType,
+			"scope":        token.Scope,
+			"created_at":   token.CreatedAt.Unix(),
+		})
+	case "refresh_token":
+		return httpx.Error(http.StatusNotImplemented, fmt.Errorf("refresh_token grant type not implemented"))
+	case "client_credentials":
+		token := &models.Token{
+			AccessToken:       uuid.New().String(),
+			ApplicationID:     app.ID,
+			TokenType:         models.TokenType("Bearer"),
+			Scope:             params.Scope,
+			AuthorizationCode: uuid.New().String(),
+		}
+		if err := env.DB.Create(token).Error; err != nil {
+			return err
+		}
+		return to.JSON(w, map[string]any{
+			"access_token": token.AccessToken,
+			"token_type":   token.TokenType,
+			"scope":        token.Scope,
+			"created_at":   token.CreatedAt.Unix(),
+		})
+	default:
+		return httpx.Error(http.StatusBadRequest, fmt.Errorf("invalid grant_type"))
 	}
-	return to.JSON(w, map[string]any{
-		"access_token": token.AccessToken,
-		"token_type":   token.TokenType,
-		"scope":        token.Scope,
-		"created_at":   token.CreatedAt.Unix(),
-	})
 }
 
 func TokenDestroy(env *activitypub.Env, w http.ResponseWriter, r *http.Request) error {
