diff options
| author | lambda <pleromagit@rogerbraun.net> | 2018-06-06 08:27:08 +0000 |
|---|---|---|
| committer | lambda <pleromagit@rogerbraun.net> | 2018-06-06 08:27:08 +0000 |
| commit | b5d8213e701a525903f4ac6b0654fdb1ed68b300 (patch) | |
| tree | 62bfc16fb03da04e24b228c9c7f97a85c19ffc4d /lib | |
| parent | f9719b064c46491589fe0428f6dc7c27680c0020 (diff) | |
| parent | 2cebaa7d3a6fcf0085888809c14c8b949b15257f (diff) | |
| download | pleroma-b5d8213e701a525903f4ac6b0654fdb1ed68b300.tar.gz | |
Merge branch 'fix/oauth-http-basic' into 'develop'
Make OAuth token endpoint work with HTTP Basic auth
See merge request pleroma/pleroma!191
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/pleroma/web/oauth/oauth_controller.ex | 46 |
1 files changed, 32 insertions, 14 deletions
diff --git a/lib/pleroma/web/oauth/oauth_controller.ex b/lib/pleroma/web/oauth/oauth_controller.ex index 11dc1806f..3dd87d0ab 100644 --- a/lib/pleroma/web/oauth/oauth_controller.ex +++ b/lib/pleroma/web/oauth/oauth_controller.ex @@ -56,12 +56,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do # TODO # - proper scope handling def token_exchange(conn, %{"grant_type" => "authorization_code"} = params) do - with %App{} = app <- - Repo.get_by( - App, - client_id: params["client_id"], - client_secret: params["client_secret"] - ), + with %App{} = app <- get_app_from_request(conn, params), fixed_token = fix_padding(params["code"]), %Authorization{} = auth <- Repo.get_by(Authorization, token: fixed_token, app_id: app.id), @@ -76,7 +71,9 @@ defmodule Pleroma.Web.OAuth.OAuthController do json(conn, response) else - _error -> json(conn, %{error: "Invalid credentials"}) + _error -> + put_status(conn, 400) + |> json(%{error: "Invalid credentials"}) end end @@ -86,12 +83,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do conn, %{"grant_type" => "password", "name" => name, "password" => password} = params ) do - with %App{} = app <- - Repo.get_by( - App, - client_id: params["client_id"], - client_secret: params["client_secret"] - ), + with %App{} = app <- get_app_from_request(conn, params), %User{} = user <- User.get_cached_by_nickname(name), true <- Pbkdf2.checkpw(password, user.password_hash), {:ok, auth} <- Authorization.create_authorization(app, user), @@ -106,7 +98,9 @@ defmodule Pleroma.Web.OAuth.OAuthController do json(conn, response) else - _error -> json(conn, %{error: "Invalid credentials"}) + _error -> + put_status(conn, 400) + |> json(%{error: "Invalid credentials"}) end end @@ -115,4 +109,28 @@ defmodule Pleroma.Web.OAuth.OAuthController do |> Base.url_decode64!(padding: false) |> Base.url_encode64() end + + defp get_app_from_request(conn, params) do + # Per RFC 6749, HTTP Basic is preferred to body params + {client_id, client_secret} = + with ["Basic " <> encoded] <- get_req_header(conn, "authorization"), + {:ok, decoded} <- Base.decode64(encoded), + [id, secret] <- + String.split(decoded, ":") + |> Enum.map(fn s -> URI.decode_www_form(s) end) do + {id, secret} + else + _ -> {params["client_id"], params["client_secret"]} + end + + if client_id && client_secret do + Repo.get_by( + App, + client_id: client_id, + client_secret: client_secret + ) + else + nil + end + end end |