akkoma/lib/pleroma/web/oauth/oauth_controller.ex

# Pleroma: A lightweight social networking server
# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only

defmodule Pleroma.Web.OAuth.OAuthController do
  use Pleroma.Web, :controller

  alias Pleroma.Web.OAuth.Authorization
  alias Pleroma.Web.OAuth.Token
  alias Pleroma.Web.OAuth.App
  alias Pleroma.Repo
  alias Pleroma.User
  alias Comeonin.Pbkdf2

  import Pleroma.Web.ControllerHelper, only: [oauth_scopes: 2]

  plug(:fetch_session)
  plug(:fetch_flash)

  action_fallback(Pleroma.Web.OAuth.FallbackController)

  def authorize(conn, params) do
    app = Repo.get_by(App, client_id: params["client_id"])
    available_scopes = (app && app.scopes) || []
    scopes = oauth_scopes(params, nil) || available_scopes

    render(conn, "show.html", %{
      response_type: params["response_type"],
      client_id: params["client_id"],
      available_scopes: available_scopes,
      scopes: scopes,
      redirect_uri: params["redirect_uri"],
      state: params["state"]
    })
  end

  def create_authorization(conn, %{
        "authorization" =>
          %{
            "name" => name,
            "password" => password,
            "client_id" => client_id,
            "redirect_uri" => redirect_uri
          } = auth_params
      }) do
    with %User{} = user <- User.get_by_nickname_or_email(name),
         true <- Pbkdf2.checkpw(password, user.password_hash),
         %App{} = app <- Repo.get_by(App, client_id: client_id),
         true <- redirect_uri in String.split(app.redirect_uris),
         scopes <- oauth_scopes(auth_params, []),
         {:unsupported_scopes, []} <- {:unsupported_scopes, scopes -- app.scopes},
         # Note: `scope` param is intentionally not optional in this context
         {:missing_scopes, false} <- {:missing_scopes, scopes == []},
         {:auth_active, true} <- {:auth_active, User.auth_active?(user)},
         {:ok, auth} <- Authorization.create_authorization(app, user, scopes) do
      # Special case: Local MastodonFE.
      redirect_uri =
        if redirect_uri == "." do
          mastodon_api_url(conn, :login)
        else
          redirect_uri
        end

      cond do
        redirect_uri == "urn:ietf:wg:oauth:2.0:oob" ->
          render(conn, "results.html", %{
            auth: auth
          })

        true ->
          connector = if String.contains?(redirect_uri, "?"), do: "&", else: "?"
          url = "#{redirect_uri}#{connector}"
          url_params = %{:code => auth.token}

          url_params =
            if auth_params["state"] do
              Map.put(url_params, :state, auth_params["state"])
            else
              url_params
            end

          url = "#{url}#{Plug.Conn.Query.encode(url_params)}"

          redirect(conn, external: url)
      end
    else
      {scopes_issue, _} when scopes_issue in [:unsupported_scopes, :missing_scopes] ->
        conn
        |> put_flash(:error, "Permissions not specified.")
        |> put_status(:unauthorized)
        |> authorize(auth_params)

      {:auth_active, false} ->
        conn
        |> put_flash(:error, "Account confirmation pending.")
        |> put_status(:forbidden)
        |> authorize(auth_params)

      error ->
        error
    end
  end

  def token_exchange(conn, %{"grant_type" => "authorization_code"} = params) do
    with %App{} = app <- get_app_from_request(conn, params),
         fixed_token = fix_padding(params["code"]),
         %Authorization{} = auth <-
           Repo.get_by(Authorization, token: fixed_token, app_id: app.id),
         {:ok, token} <- Token.exchange_token(app, auth),
         {:ok, inserted_at} <- DateTime.from_naive(token.inserted_at, "Etc/UTC") do
      response = %{
        token_type: "Bearer",
        access_token: token.token,
        refresh_token: token.refresh_token,
        created_at: DateTime.to_unix(inserted_at),
        expires_in: 60 * 10,
        scope: Enum.join(token.scopes)
      }

      json(conn, response)
    else
      _error ->
        put_status(conn, 400)
        |> json(%{error: "Invalid credentials"})
    end
  end

  def token_exchange(
        conn,
        %{"grant_type" => "password", "username" => name, "password" => password} = params
      ) do
    with %App{} = app <- get_app_from_request(conn, params),
         %User{} = user <- User.get_by_nickname_or_email(name),
         true <- Pbkdf2.checkpw(password, user.password_hash),
         {:auth_active, true} <- {:auth_active, User.auth_active?(user)},
         scopes <- oauth_scopes(params, app.scopes),
         [] <- scopes -- app.scopes,
         true <- Enum.any?(scopes),
         {:ok, auth} <- Authorization.create_authorization(app, user, scopes),
         {:ok, token} <- Token.exchange_token(app, auth) do
      response = %{
        token_type: "Bearer",
        access_token: token.token,
        refresh_token: token.refresh_token,
        expires_in: 60 * 10,
        scope: Enum.join(token.scopes, " ")
      }

      json(conn, response)
    else
      {:auth_active, false} ->
        conn
        |> put_status(:forbidden)
        |> json(%{error: "Account confirmation pending"})

      _error ->
        put_status(conn, 400)
        |> json(%{error: "Invalid credentials"})
    end
  end

  def token_exchange(
        conn,
        %{"grant_type" => "password", "name" => name, "password" => _password} = params
      ) do
    params =
      params
      |> Map.delete("name")
      |> Map.put("username", name)

    token_exchange(conn, params)
  end

  def token_revoke(conn, %{"token" => token} = params) do
    with %App{} = app <- get_app_from_request(conn, params),
         %Token{} = token <- Repo.get_by(Token, token: token, app_id: app.id),
         {:ok, %Token{}} <- Repo.delete(token) do
      json(conn, %{})
    else
      _error ->
        # RFC 7009: invalid tokens [in the request] do not cause an error response
        json(conn, %{})
    end
  end

  # XXX - for whatever reason our token arrives urlencoded, but Plug.Conn should be
  # decoding it.  Investigate sometime.
  defp fix_padding(token) do
    token
    |> URI.decode()
    |> Base.url_decode64!(padding: false)
    |> Base.url_encode64(padding: false)
  end

  defp get_app_from_request(conn, params) do
    # Per RFC 6749, HTTP Basic is preferred to body params
    {client_id, client_secret} =
      with ["Basic " <> encoded] <- get_req_header(conn, "authorization"),
           {:ok, decoded} <- Base.decode64(encoded),
           [id, secret] <-
             String.split(decoded, ":")
             |> Enum.map(fn s -> URI.decode_www_form(s) end) do
        {id, secret}
      else
        _ -> {params["client_id"], params["client_secret"]}
      end

    if client_id && client_secret do
      Repo.get_by(
        App,
        client_id: client_id,
        client_secret: client_secret
      )
    else
      nil
    end
  end
end
add license boilerplate to pleroma core 2018-12-23 20:04:54 +00:00			`# Pleroma: A lightweight social networking server`
update copyright years to 2019 2018-12-31 15:41:47 +00:00			`# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>`
add license boilerplate to pleroma core 2018-12-23 20:04:54 +00:00			`# SPDX-License-Identifier: AGPL-3.0-only`

Add very basic oauth and mastodon api support. 2017-09-06 17:06:25 +00:00			`defmodule Pleroma.Web.OAuth.OAuthController do`
			`use Pleroma.Web, :controller`

de-group alias/es 2019-02-09 15:16:26 +00:00			`alias Pleroma.Web.OAuth.Authorization`
			`alias Pleroma.Web.OAuth.Token`
			`alias Pleroma.Web.OAuth.App`
			`alias Pleroma.Repo`
			`alias Pleroma.User`
Add very basic oauth and mastodon api support. 2017-09-06 17:06:25 +00:00			`alias Comeonin.Pbkdf2`

[#468] Refactored OAuth scopes parsing / defaults handling. 2019-02-14 14:03:19 +00:00			`import Pleroma.Web.ControllerHelper, only: [oauth_scopes: 2]`

Format the code. 2018-03-30 13:01:53 +00:00			`plug(:fetch_session)`
			`plug(:fetch_flash)`
Create action_fallback for username/password incorrect input 2018-02-08 16:57:30 +00:00
Format the code. 2018-03-30 13:01:53 +00:00			`action_fallback(Pleroma.Web.OAuth.FallbackController)`
Create action_fallback for username/password incorrect input 2018-02-08 16:57:30 +00:00
Add very basic oauth and mastodon api support. 2017-09-06 17:06:25 +00:00			`def authorize(conn, params) do`
[#468] Refactored OAuth scopes' defaults & missing selection handling. 2019-02-17 10:49:14 +00:00			`app = Repo.get_by(App, client_id: params["client_id"])`
			`available_scopes = (app && app.scopes) \|\| []`
			`scopes = oauth_scopes(params, nil) \|\| available_scopes`
[#468] Defined OAuth restrictions for all applicable routes. Improved missing "scopes" param handling. Allowed "any of" / "all of" mode specification in OAuthScopesPlug. Fixed auth UI / behavior when user selects no permissions at /oauth/authorize. 2019-02-15 16:54:37 +00:00
Format the code. 2018-03-30 13:01:53 +00:00			`render(conn, "show.html", %{`
Add very basic oauth and mastodon api support. 2017-09-06 17:06:25 +00:00			`response_type: params["response_type"],`
			`client_id: params["client_id"],`
[#468] Refactored OAuth scopes' defaults & missing selection handling. 2019-02-17 10:49:14 +00:00			`available_scopes: available_scopes,`
			`scopes: scopes,`
Preserve state in oauth 2017-09-14 07:29:51 +00:00			`redirect_uri: params["redirect_uri"],`
			`state: params["state"]`
Format the code. 2018-03-30 13:01:53 +00:00			`})`
Add very basic oauth and mastodon api support. 2017-09-06 17:06:25 +00:00			`end`

Format the code. 2018-03-30 13:01:53 +00:00			`def create_authorization(conn, %{`
			`"authorization" =>`
			`%{`
			`"name" => name,`
			`"password" => password,`
			`"client_id" => client_id,`
			`"redirect_uri" => redirect_uri`
[#468] Defined OAuth restrictions for all applicable routes. Improved missing "scopes" param handling. Allowed "any of" / "all of" mode specification in OAuthScopesPlug. Fixed auth UI / behavior when user selects no permissions at /oauth/authorize. 2019-02-15 16:54:37 +00:00			`} = auth_params`
Format the code. 2018-03-30 13:01:53 +00:00			`}) do`
MastoAPI and OAuth: allow login with either email or username. 2018-04-18 10:13:57 +00:00			`with %User{} = user <- User.get_by_nickname_or_email(name),`
Add very basic oauth and mastodon api support. 2017-09-06 17:06:25 +00:00			`true <- Pbkdf2.checkpw(password, user.password_hash),`
Slight cleanup. 2017-09-07 06:58:10 +00:00			`%App{} = app <- Repo.get_by(App, client_id: client_id),`
OAuth2 security fixes: redirect URI validation, "Mastodon-Local" security breach fix. (`POST /api/v1/apps` could create "Mastodon-Local" app wth any redirect_uris, and if that happened before /web/login is accessed for the first time then Pleroma used this externally created record with arbitrary redirect_uris and client_secret known by creator). 2019-02-07 19:14:06 +00:00			`true <- redirect_uri in String.split(app.redirect_uris),`
[#468] Defined OAuth restrictions for all applicable routes. Improved missing "scopes" param handling. Allowed "any of" / "all of" mode specification in OAuthScopesPlug. Fixed auth UI / behavior when user selects no permissions at /oauth/authorize. 2019-02-15 16:54:37 +00:00			`scopes <- oauth_scopes(auth_params, []),`
[#468] Refactored OAuth scopes' defaults & missing selection handling. 2019-02-17 10:49:14 +00:00			`{:unsupported_scopes, []} <- {:unsupported_scopes, scopes -- app.scopes},`
			# Note: `scope` param is intentionally not optional in this context
			`{:missing_scopes, false} <- {:missing_scopes, scopes == []},`
			`{:auth_active, true} <- {:auth_active, User.auth_active?(user)},`
[#468] User UI for OAuth permissions restriction. Standardized storage format for `scopes` fields, updated usages. 2019-02-13 21:29:29 +00:00			`{:ok, auth} <- Authorization.create_authorization(app, user, scopes) do`
Unify Mastodon Login with OAuth login. This removes duplication in the login code. 2018-11-06 14:19:11 +00:00			`# Special case: Local MastodonFE.`
			`redirect_uri =`
			`if redirect_uri == "." do`
			`mastodon_api_url(conn, :login)`
			`else`
			`redirect_uri`
			`end`

			`cond do`
			`redirect_uri == "urn:ietf:wg:oauth:2.0:oob" ->`
			`render(conn, "results.html", %{`
			`auth: auth`
			`})`

			`true ->`
			`connector = if String.contains?(redirect_uri, "?"), do: "&", else: "?"`
			`url = "#{redirect_uri}#{connector}"`
			`url_params = %{:code => auth.token}`

			`url_params =`
[#468] Defined OAuth restrictions for all applicable routes. Improved missing "scopes" param handling. Allowed "any of" / "all of" mode specification in OAuthScopesPlug. Fixed auth UI / behavior when user selects no permissions at /oauth/authorize. 2019-02-15 16:54:37 +00:00			`if auth_params["state"] do`
			`Map.put(url_params, :state, auth_params["state"])`
Unify Mastodon Login with OAuth login. This removes duplication in the login code. 2018-11-06 14:19:11 +00:00			`else`
			`url_params`
			`end`

			`url = "#{url}#{Plug.Conn.Query.encode(url_params)}"`

			`redirect(conn, external: url)`
Do oauth redirect. 2017-09-09 17:03:57 +00:00			`end`
[#114] Added email confirmation resend action. Added tests for registration, authentication, email confirmation, confirmation resending. Made admin methods create confirmed users. 2018-12-18 14:13:52 +00:00			`else`
[#468] Refactored OAuth scopes' defaults & missing selection handling. 2019-02-17 10:49:14 +00:00			`{scopes_issue, _} when scopes_issue in [:unsupported_scopes, :missing_scopes] ->`
[#468] Defined OAuth restrictions for all applicable routes. Improved missing "scopes" param handling. Allowed "any of" / "all of" mode specification in OAuthScopesPlug. Fixed auth UI / behavior when user selects no permissions at /oauth/authorize. 2019-02-15 16:54:37 +00:00			`conn`
[#468] Refactored OAuth scopes' defaults & missing selection handling. 2019-02-17 10:49:14 +00:00			`\|> put_flash(:error, "Permissions not specified.")`
[#468] Defined OAuth restrictions for all applicable routes. Improved missing "scopes" param handling. Allowed "any of" / "all of" mode specification in OAuthScopesPlug. Fixed auth UI / behavior when user selects no permissions at /oauth/authorize. 2019-02-15 16:54:37 +00:00			`\|> put_status(:unauthorized)`
[#468] Refactored OAuth scopes' defaults & missing selection handling. 2019-02-17 10:49:14 +00:00			`\|> authorize(auth_params)`

			`{:auth_active, false} ->`
			`conn`
			`\|> put_flash(:error, "Account confirmation pending.")`
			`\|> put_status(:forbidden)`
			`\|> authorize(auth_params)`

			`error ->`
			`error`
Add very basic oauth and mastodon api support. 2017-09-06 17:06:25 +00:00			`end`
			`end`

			`def token_exchange(conn, %{"grant_type" => "authorization_code"} = params) do`
Make OAuth token endpoint work with HTTP Basic auth client_id/client_secret can now be supplied in an Authorization header 2018-06-01 16:01:56 +00:00			`with %App{} = app <- get_app_from_request(conn, params),`
Fix tootdon logins. 2017-11-06 19:51:31 +00:00			`fixed_token = fix_padding(params["code"]),`
Formatting fixes. 2018-04-21 07:43:53 +00:00			`%Authorization{} = auth <-`
			`Repo.get_by(Authorization, token: fixed_token, app_id: app.id),`
OAuth: Set `created_at` in token exchange response (for compatibility with Mastodon) 2018-08-28 23:07:17 +00:00			`{:ok, token} <- Token.exchange_token(app, auth),`
			`{:ok, inserted_at} <- DateTime.from_naive(token.inserted_at, "Etc/UTC") do`
Add very basic oauth and mastodon api support. 2017-09-06 17:06:25 +00:00			`response = %{`
			`token_type: "Bearer",`
			`access_token: token.token,`
			`refresh_token: token.refresh_token,`
OAuth: Set `created_at` in token exchange response (for compatibility with Mastodon) 2018-08-28 23:07:17 +00:00			`created_at: DateTime.to_unix(inserted_at),`
Add very basic oauth and mastodon api support. 2017-09-06 17:06:25 +00:00			`expires_in: 60 * 10,`
[#468] User UI for OAuth permissions restriction. Standardized storage format for `scopes` fields, updated usages. 2019-02-13 21:29:29 +00:00			`scope: Enum.join(token.scopes)`
Add very basic oauth and mastodon api support. 2017-09-06 17:06:25 +00:00			`}`
Format the code. 2018-03-30 13:01:53 +00:00
Add very basic oauth and mastodon api support. 2017-09-06 17:06:25 +00:00			`json(conn, response)`
Fix tootdon logins. 2017-11-06 19:51:31 +00:00			`else`
Make token exchange return errors with 400 as status code 2018-06-06 01:14:50 +00:00			`_error ->`
			`put_status(conn, 400)`
			`\|> json(%{error: "Invalid credentials"})`
Add very basic oauth and mastodon api support. 2017-09-06 17:06:25 +00:00			`end`
			`end`
Fix tootdon logins. 2017-11-06 19:51:31 +00:00
Format the code. 2018-03-30 13:01:53 +00:00			`def token_exchange(`
			`conn,`
oauth: support either name or username parameter with grant_type=password closes #180 2018-06-14 01:45:10 +00:00			`%{"grant_type" => "password", "username" => name, "password" => password} = params`
Format the code. 2018-03-30 13:01:53 +00:00			`) do`
Make OAuth token endpoint work with HTTP Basic auth client_id/client_secret can now be supplied in an Authorization header 2018-06-01 16:01:56 +00:00			`with %App{} = app <- get_app_from_request(conn, params),`
oauth: fix password-based login when username is email address closes #199 2018-06-14 02:29:52 +00:00			`%User{} = user <- User.get_by_nickname_or_email(name),`
oauth: implement grant_type=password for single-page apps 2018-03-23 20:50:34 +00:00			`true <- Pbkdf2.checkpw(password, user.password_hash),`
[#114] Added email confirmation resend action. Added tests for registration, authentication, email confirmation, confirmation resending. Made admin methods create confirmed users. 2018-12-18 14:13:52 +00:00			`{:auth_active, true} <- {:auth_active, User.auth_active?(user)},`
[#468] Refactored OAuth scopes parsing / defaults handling. 2019-02-14 14:03:19 +00:00			`scopes <- oauth_scopes(params, app.scopes),`
[#468] Defined OAuth restrictions for all applicable routes. Improved missing "scopes" param handling. Allowed "any of" / "all of" mode specification in OAuthScopesPlug. Fixed auth UI / behavior when user selects no permissions at /oauth/authorize. 2019-02-15 16:54:37 +00:00			`[] <- scopes -- app.scopes,`
			`true <- Enum.any?(scopes),`
[#468] User UI for OAuth permissions restriction. Standardized storage format for `scopes` fields, updated usages. 2019-02-13 21:29:29 +00:00			`{:ok, auth} <- Authorization.create_authorization(app, user, scopes),`
oauth: implement grant_type=password for single-page apps 2018-03-23 20:50:34 +00:00			`{:ok, token} <- Token.exchange_token(app, auth) do`
			`response = %{`
			`token_type: "Bearer",`
			`access_token: token.token,`
			`refresh_token: token.refresh_token,`
			`expires_in: 60 * 10,`
[#468] User UI for OAuth permissions restriction. Standardized storage format for `scopes` fields, updated usages. 2019-02-13 21:29:29 +00:00			`scope: Enum.join(token.scopes, " ")`
oauth: implement grant_type=password for single-page apps 2018-03-23 20:50:34 +00:00			`}`
Format the code. 2018-03-30 13:01:53 +00:00
oauth: implement grant_type=password for single-page apps 2018-03-23 20:50:34 +00:00			`json(conn, response)`
			`else`
[#114] Added email confirmation resend action. Added tests for registration, authentication, email confirmation, confirmation resending. Made admin methods create confirmed users. 2018-12-18 14:13:52 +00:00			`{:auth_active, false} ->`
			`conn`
			`\|> put_status(:forbidden)`
			`\|> json(%{error: "Account confirmation pending"})`

Make token exchange return errors with 400 as status code 2018-06-06 01:14:50 +00:00			`_error ->`
			`put_status(conn, 400)`
			`\|> json(%{error: "Invalid credentials"})`
oauth: implement grant_type=password for single-page apps 2018-03-23 20:50:34 +00:00			`end`
			`end`

oauth: support either name or username parameter with grant_type=password closes #180 2018-06-14 01:45:10 +00:00			`def token_exchange(`
			`conn,`
fix compile warnings 2018-12-09 09:12:48 +00:00			`%{"grant_type" => "password", "name" => name, "password" => _password} = params`
oauth: support either name or username parameter with grant_type=password closes #180 2018-06-14 01:45:10 +00:00			`) do`
			`params =`
			`params`
			`\|> Map.delete("name")`
			`\|> Map.put("username", name)`

			`token_exchange(conn, params)`
			`end`

OAuth: Support /revoke endpoint for revoking tokens (for compatibility with Mastodon) 2018-08-28 23:25:40 +00:00			`def token_revoke(conn, %{"token" => token} = params) do`
			`with %App{} = app <- get_app_from_request(conn, params),`
			`%Token{} = token <- Repo.get_by(Token, token: token, app_id: app.id),`
			`{:ok, %Token{}} <- Repo.delete(token) do`
			`json(conn, %{})`
			`else`
			`_error ->`
			`# RFC 7009: invalid tokens [in the request] do not cause an error response`
			`json(conn, %{})`
			`end`
			`end`

oauth: fix token decode regression 2018-11-11 05:11:27 +00:00			`# XXX - for whatever reason our token arrives urlencoded, but Plug.Conn should be`
			`# decoding it. Investigate sometime.`
Fix tootdon logins. 2017-11-06 19:51:31 +00:00			`defp fix_padding(token) do`
			`token`
oauth: fix token decode regression 2018-11-11 05:11:27 +00:00			`\|> URI.decode()`
Fix tootdon logins. 2017-11-06 19:51:31 +00:00			`\|> Base.url_decode64!(padding: false)`
oauth: never use base64 padding when returning tokens to applications The normal Base64 alphabet uses the equals sign (=) as a padding character. Since Base64 strings are self-synchronizing, padding characters are unnecessary, so don't generate them in the first place. 2019-02-14 01:05:25 +00:00			`\|> Base.url_encode64(padding: false)`
Fix tootdon logins. 2017-11-06 19:51:31 +00:00			`end`
Make OAuth token endpoint work with HTTP Basic auth client_id/client_secret can now be supplied in an Authorization header 2018-06-01 16:01:56 +00:00
			`defp get_app_from_request(conn, params) do`
			`# Per RFC 6749, HTTP Basic is preferred to body params`
			`{client_id, client_secret} =`
			`with ["Basic " <> encoded] <- get_req_header(conn, "authorization"),`
			`{:ok, decoded} <- Base.decode64(encoded),`
			`[id, secret] <-`
			`String.split(decoded, ":")`
			`\|> Enum.map(fn s -> URI.decode_www_form(s) end) do`
			`{id, secret}`
			`else`
			`_ -> {params["client_id"], params["client_secret"]}`
			`end`

			`if client_id && client_secret do`
			`Repo.get_by(`
			`App,`
			`client_id: client_id,`
			`client_secret: client_secret`
			`)`
			`else`
			`nil`
			`end`
			`end`
Add very basic oauth and mastodon api support. 2017-09-06 17:06:25 +00:00			`end`