author | Egor Kislitsyn <egor@kislitsyn.com> | 2019-05-15 14:31:24 +0700 |
---|---|---|
committer | Egor Kislitsyn <egor@kislitsyn.com> | 2019-05-15 14:31:24 +0700 |
commit | a7a8f3bc2c3bb748f060812751a88873401354dd (patch) | |
tree | 44ec21d281a4dcbf2edfd716dcc4a5d0d9871beb /lib/pleroma/web/oauth/token/utils.ex | |
parent | fc9b4410c4182747fbcbc2cbe2b94090c887b96f (diff) | |
parent | c133c32ef07077daaf581a4f890939b38c1d7feb (diff) | |
Merge remote-tracking branch 'pleroma/develop' into feature/addressable-lists
Diffstat (limited to 'lib/pleroma/web/oauth/token/utils.ex')
-rw-r--r-- | lib/pleroma/web/oauth/token/utils.ex | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/lib/pleroma/web/oauth/token/utils.ex b/lib/pleroma/web/oauth/token/utils.ex
index a81560a1c..7a4fddafd 100644
--- a/lib/pleroma/web/oauth/token/utils.ex
+++ b/lib/pleroma/web/oauth/token/utils.ex
@@ -3,6 +3,44 @@ defmodule Pleroma.Web.OAuth.Token.Utils do
 Auxiliary functions for dealing with tokens.
 """
 
+ alias Pleroma.Repo
+ alias Pleroma.Web.OAuth.App
+
+ @doc "Fetch app by client credentials from request"
+ @spec fetch_app(Plug.Conn.t()) :: {:ok, App.t()} | {:error, :not_found}
+ def fetch_app(conn) do
+ res =
+ conn
+ |> fetch_client_credentials()
+ |> fetch_client
+
+ case res do
+ %App{} = app -> {:ok, app}
+ _ -> {:error, :not_found}
+ end
+ end
+
+ defp fetch_client({id, secret}) when is_binary(id) and is_binary(secret) do
+ Repo.get_by(App, client_id: id, client_secret: secret)
+ end
+
+ defp fetch_client({_id, _secret}), do: nil
+
+ defp fetch_client_credentials(conn) do
+ # Per RFC 6749, HTTP Basic is preferred to body params
+ with ["Basic " <> encoded] <- Plug.Conn.get_req_header(conn, "authorization"),
+ {:ok, decoded} <- Base.decode64(encoded),
+ [id, secret] <-
+ Enum.map(
+ String.split(decoded, ":"),
+ fn s -> URI.decode_www_form(s) end
+ ) do
+ {id, secret}
+ else
+ _ -> {conn.params["client_id"], conn.params["client_secret"]}
+ end
+ end
+
 @doc "convert token inserted_at to unix timestamp"
 def format_created_at(%{inserted_at: inserted_at} = _token) do
 inserted_at |
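Review bot: `fetch_client_credentials/1` runs `URI.decode_www_form/1` on bytes taken straight from the `Authorization` header, and that function raises `ArgumentError` on malformed percent-encoding. An unauthenticated request with a bad Basic value therefore raises instead of reaching the `else` fallback or `{:error, :not_found}`. The split should also use `parts: 2`, so that a secret containing an unencoded colon is not silently diverted to the body-param fallback. Separately, `fetch_client/1` matches the secret inside the `Repo.get_by` query, which as far as this hunk shows is not a constant-time comparison. Looking the app up by `client_id` alone and then checking the secret with `Plug.Crypto.secure_compare/2` (if the project's Plug version provides it) is the safer shape, sketched below.

```elixir
defp fetch_client({id, secret}) when is_binary(id) and is_binary(secret) do
  # Look the app up by id only, then compare the secret in constant time.
  with %App{client_secret: stored} = app when is_binary(stored) <-
         Repo.get_by(App, client_id: id),
       true <- Plug.Crypto.secure_compare(stored, secret) do
    app
  else
    _ -> nil
  end
end

# … unchanged: fetch_client/1 fallback clause …

defp fetch_client_credentials(conn) do
  # … unchanged: header match and Base.decode64 …
       [id, secret] <- String.split(decoded, ":", parts: 2),
       {:ok, id} <- decode_form(id),
       {:ok, secret} <- decode_form(secret) do
  # … unchanged: result tuple and body-param fallback …

# Malformed percent-encoding becomes a non-match instead of an exception.
defp decode_form(value) do
  {:ok, URI.decode_www_form(value)}
rescue
  ArgumentError -> {:error, :malformed}
end
```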