pleroma/lib/pleroma/web/oauth/oauth_controller.ex

# Pleroma: A lightweight social networking server
# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only

defmodule Pleroma.Web.OAuth.OAuthController do
  use Pleroma.Web, :controller

  alias Pleroma.Web.OAuth
  alias Pleroma.Web.OAuth.{Authorization, Token, App}
  alias Pleroma.{Repo, User}
  alias Comeonin.Pbkdf2

  plug(:fetch_session)
  plug(:fetch_flash)

  action_fallback(Pleroma.Web.OAuth.FallbackController)

  def authorize(conn, params) do
    render(conn, "show.html", %{
      response_type: params["response_type"],
      client_id: params["client_id"],
      scopes: scopes(params) || [],
      redirect_uri: params["redirect_uri"],
      state: params["state"]
    })
  end

  def create_authorization(conn, %{
        "authorization" =>
          %{
            "name" => name,
            "password" => password,
            "client_id" => client_id,
            "redirect_uri" => redirect_uri
          } = params
      }) do
    with %User{} = user <- User.get_by_nickname_or_email(name),
         true <- Pbkdf2.checkpw(password, user.password_hash),
         {:auth_active, true} <- {:auth_active, User.auth_active?(user)},
         %App{} = app <- Repo.get_by(App, client_id: client_id),
         true <- redirect_uri in String.split(app.redirect_uris),
         scopes <- scopes(params) || app.scopes,
         [] <- scopes -- app.scopes,
         true <- Enum.any?(scopes),
         {:ok, auth} <- Authorization.create_authorization(app, user, scopes) do
      # Special case: Local MastodonFE.
      redirect_uri =
        if redirect_uri == "." do
          mastodon_api_url(conn, :login)
        else
          redirect_uri
        end

      cond do
        redirect_uri == "urn:ietf:wg:oauth:2.0:oob" ->
          render(conn, "results.html", %{
            auth: auth
          })

        true ->
          connector = if String.contains?(redirect_uri, "?"), do: "&", else: "?"
          url = "#{redirect_uri}#{connector}"
          url_params = %{:code => auth.token}

          url_params =
            if params["state"] do
              Map.put(url_params, :state, params["state"])
            else
              url_params
            end

          url = "#{url}#{Plug.Conn.Query.encode(url_params)}"

          redirect(conn, external: url)
      end
    else
      {:auth_active, false} ->
        conn
        |> put_flash(:error, "Account confirmation pending")
        |> put_status(:forbidden)
        |> authorize(params)

      error ->
        error
    end
  end

  def token_exchange(conn, %{"grant_type" => "authorization_code"} = params) do
    with %App{} = app <- get_app_from_request(conn, params),
         fixed_token = fix_padding(params["code"]),
         %Authorization{} = auth <-
           Repo.get_by(Authorization, token: fixed_token, app_id: app.id),
         {:ok, token} <- Token.exchange_token(app, auth),
         {:ok, inserted_at} <- DateTime.from_naive(token.inserted_at, "Etc/UTC") do
      response = %{
        token_type: "Bearer",
        access_token: token.token,
        refresh_token: token.refresh_token,
        created_at: DateTime.to_unix(inserted_at),
        expires_in: 60 * 10,
        scope: Enum.join(token.scopes)
      }

      json(conn, response)
    else
      _error ->
        put_status(conn, 400)
        |> json(%{error: "Invalid credentials"})
    end
  end

  def token_exchange(
        conn,
        %{"grant_type" => "password", "username" => name, "password" => password} = params
      ) do
    with %App{} = app <- get_app_from_request(conn, params),
         %User{} = user <- User.get_by_nickname_or_email(name),
         true <- Pbkdf2.checkpw(password, user.password_hash),
         {:auth_active, true} <- {:auth_active, User.auth_active?(user)},
         scopes <- scopes(params) || app.scopes,
         {:ok, auth} <- Authorization.create_authorization(app, user, scopes),
         {:ok, token} <- Token.exchange_token(app, auth) do
      response = %{
        token_type: "Bearer",
        access_token: token.token,
        refresh_token: token.refresh_token,
        expires_in: 60 * 10,
        scope: Enum.join(token.scopes, " ")
      }

      json(conn, response)
    else
      {:auth_active, false} ->
        conn
        |> put_status(:forbidden)
        |> json(%{error: "Account confirmation pending"})

      _error ->
        put_status(conn, 400)
        |> json(%{error: "Invalid credentials"})
    end
  end

  def token_exchange(
        conn,
        %{"grant_type" => "password", "name" => name, "password" => _password} = params
      ) do
    params =
      params
      |> Map.delete("name")
      |> Map.put("username", name)

    token_exchange(conn, params)
  end

  def token_revoke(conn, %{"token" => token} = params) do
    with %App{} = app <- get_app_from_request(conn, params),
         %Token{} = token <- Repo.get_by(Token, token: token, app_id: app.id),
         {:ok, %Token{}} <- Repo.delete(token) do
      json(conn, %{})
    else
      _error ->
        # RFC 7009: invalid tokens [in the request] do not cause an error response
        json(conn, %{})
    end
  end

  # XXX - for whatever reason our token arrives urlencoded, but Plug.Conn should be
  # decoding it.  Investigate sometime.
  defp fix_padding(token) do
    token
    |> URI.decode()
    |> Base.url_decode64!(padding: false)
    |> Base.url_encode64()
  end

  defp get_app_from_request(conn, params) do
    # Per RFC 6749, HTTP Basic is preferred to body params
    {client_id, client_secret} =
      with ["Basic " <> encoded] <- get_req_header(conn, "authorization"),
           {:ok, decoded} <- Base.decode64(encoded),
           [id, secret] <-
             String.split(decoded, ":")
             |> Enum.map(fn s -> URI.decode_www_form(s) end) do
        {id, secret}
      else
        _ -> {params["client_id"], params["client_secret"]}
      end

    if client_id && client_secret do
      Repo.get_by(
        App,
        client_id: client_id,
        client_secret: client_secret
      )
    else
      nil
    end
  end

  defp scopes(params),
    do: OAuth.parse_scopes(params["scopes"] || params["scope"])
end
add license boilerplate to pleroma core 2018-12-23 21:04:54 +01:00			`# Pleroma: A lightweight social networking server`
update copyright years to 2019 2018-12-31 16:41:47 +01:00			`# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>`
add license boilerplate to pleroma core 2018-12-23 21:04:54 +01:00			`# SPDX-License-Identifier: AGPL-3.0-only`

Add very basic oauth and mastodon api support. 2017-09-06 19:06:25 +02:00			`defmodule Pleroma.Web.OAuth.OAuthController do`
			`use Pleroma.Web, :controller`

[#468] User UI for OAuth permissions restriction. Standardized storage format for `scopes` fields, updated usages. 2019-02-13 22:29:29 +01:00			`alias Pleroma.Web.OAuth`
Slight cleanup. 2017-09-07 08:58:10 +02:00			`alias Pleroma.Web.OAuth.{Authorization, Token, App}`
			`alias Pleroma.{Repo, User}`
Add very basic oauth and mastodon api support. 2017-09-06 19:06:25 +02:00			`alias Comeonin.Pbkdf2`

Format the code. 2018-03-30 15:01:53 +02:00			`plug(:fetch_session)`
			`plug(:fetch_flash)`
Create action_fallback for username/password incorrect input 2018-02-08 17:57:30 +01:00
Format the code. 2018-03-30 15:01:53 +02:00			`action_fallback(Pleroma.Web.OAuth.FallbackController)`
Create action_fallback for username/password incorrect input 2018-02-08 17:57:30 +01:00
Add very basic oauth and mastodon api support. 2017-09-06 19:06:25 +02:00			`def authorize(conn, params) do`
Format the code. 2018-03-30 15:01:53 +02:00			`render(conn, "show.html", %{`
Add very basic oauth and mastodon api support. 2017-09-06 19:06:25 +02:00			`response_type: params["response_type"],`
			`client_id: params["client_id"],`
[#468] User UI for OAuth permissions restriction. Standardized storage format for `scopes` fields, updated usages. 2019-02-13 22:29:29 +01:00			`scopes: scopes(params) \|\| [],`
Preserve state in oauth 2017-09-14 09:29:51 +02:00			`redirect_uri: params["redirect_uri"],`
			`state: params["state"]`
Format the code. 2018-03-30 15:01:53 +02:00			`})`
Add very basic oauth and mastodon api support. 2017-09-06 19:06:25 +02:00			`end`

Format the code. 2018-03-30 15:01:53 +02:00			`def create_authorization(conn, %{`
			`"authorization" =>`
			`%{`
			`"name" => name,`
			`"password" => password,`
			`"client_id" => client_id,`
			`"redirect_uri" => redirect_uri`
			`} = params`
			`}) do`
MastoAPI and OAuth: allow login with either email or username. 2018-04-18 12:13:57 +02:00			`with %User{} = user <- User.get_by_nickname_or_email(name),`
Add very basic oauth and mastodon api support. 2017-09-06 19:06:25 +02:00			`true <- Pbkdf2.checkpw(password, user.password_hash),`
[#114] Added email confirmation resend action. Added tests for registration, authentication, email confirmation, confirmation resending. Made admin methods create confirmed users. 2018-12-18 15:13:52 +01:00			`{:auth_active, true} <- {:auth_active, User.auth_active?(user)},`
Slight cleanup. 2017-09-07 08:58:10 +02:00			`%App{} = app <- Repo.get_by(App, client_id: client_id),`
OAuth2 security fixes: redirect URI validation, "Mastodon-Local" security breach fix. (`POST /api/v1/apps` could create "Mastodon-Local" app wth any redirect_uris, and if that happened before /web/login is accessed for the first time then Pleroma used this externally created record with arbitrary redirect_uris and client_secret known by creator). 2019-02-07 20:14:06 +01:00			`true <- redirect_uri in String.split(app.redirect_uris),`
[#468] User UI for OAuth permissions restriction. Standardized storage format for `scopes` fields, updated usages. 2019-02-13 22:29:29 +01:00			`scopes <- scopes(params) \|\| app.scopes,`
			`[] <- scopes -- app.scopes,`
			`true <- Enum.any?(scopes),`
			`{:ok, auth} <- Authorization.create_authorization(app, user, scopes) do`
Unify Mastodon Login with OAuth login. This removes duplication in the login code. 2018-11-06 15:19:11 +01:00			`# Special case: Local MastodonFE.`
			`redirect_uri =`
			`if redirect_uri == "." do`
			`mastodon_api_url(conn, :login)`
			`else`
			`redirect_uri`
			`end`

			`cond do`
			`redirect_uri == "urn:ietf:wg:oauth:2.0:oob" ->`
			`render(conn, "results.html", %{`
			`auth: auth`
			`})`

			`true ->`
			`connector = if String.contains?(redirect_uri, "?"), do: "&", else: "?"`
			`url = "#{redirect_uri}#{connector}"`
			`url_params = %{:code => auth.token}`

			`url_params =`
			`if params["state"] do`
			`Map.put(url_params, :state, params["state"])`
			`else`
			`url_params`
			`end`

			`url = "#{url}#{Plug.Conn.Query.encode(url_params)}"`

			`redirect(conn, external: url)`
Do oauth redirect. 2017-09-09 19:03:57 +02:00			`end`
[#114] Added email confirmation resend action. Added tests for registration, authentication, email confirmation, confirmation resending. Made admin methods create confirmed users. 2018-12-18 15:13:52 +01:00			`else`
			`{:auth_active, false} ->`
			`conn`
			`\|> put_flash(:error, "Account confirmation pending")`
			`\|> put_status(:forbidden)`
			`\|> authorize(params)`

			`error ->`
			`error`
Add very basic oauth and mastodon api support. 2017-09-06 19:06:25 +02:00			`end`
			`end`

			`def token_exchange(conn, %{"grant_type" => "authorization_code"} = params) do`
Make OAuth token endpoint work with HTTP Basic auth client_id/client_secret can now be supplied in an Authorization header 2018-06-01 18:01:56 +02:00			`with %App{} = app <- get_app_from_request(conn, params),`
Fix tootdon logins. 2017-11-06 20:51:31 +01:00			`fixed_token = fix_padding(params["code"]),`
Formatting fixes. 2018-04-21 09:43:53 +02:00			`%Authorization{} = auth <-`
			`Repo.get_by(Authorization, token: fixed_token, app_id: app.id),`
OAuth: Set `created_at` in token exchange response (for compatibility with Mastodon) 2018-08-29 01:07:17 +02:00			`{:ok, token} <- Token.exchange_token(app, auth),`
			`{:ok, inserted_at} <- DateTime.from_naive(token.inserted_at, "Etc/UTC") do`
Add very basic oauth and mastodon api support. 2017-09-06 19:06:25 +02:00			`response = %{`
			`token_type: "Bearer",`
			`access_token: token.token,`
			`refresh_token: token.refresh_token,`
OAuth: Set `created_at` in token exchange response (for compatibility with Mastodon) 2018-08-29 01:07:17 +02:00			`created_at: DateTime.to_unix(inserted_at),`
Add very basic oauth and mastodon api support. 2017-09-06 19:06:25 +02:00			`expires_in: 60 * 10,`
[#468] User UI for OAuth permissions restriction. Standardized storage format for `scopes` fields, updated usages. 2019-02-13 22:29:29 +01:00			`scope: Enum.join(token.scopes)`
Add very basic oauth and mastodon api support. 2017-09-06 19:06:25 +02:00			`}`
Format the code. 2018-03-30 15:01:53 +02:00
Add very basic oauth and mastodon api support. 2017-09-06 19:06:25 +02:00			`json(conn, response)`
Fix tootdon logins. 2017-11-06 20:51:31 +01:00			`else`
Make token exchange return errors with 400 as status code 2018-06-06 03:14:50 +02:00			`_error ->`
			`put_status(conn, 400)`
			`\|> json(%{error: "Invalid credentials"})`
Add very basic oauth and mastodon api support. 2017-09-06 19:06:25 +02:00			`end`
			`end`
Fix tootdon logins. 2017-11-06 20:51:31 +01:00
Format the code. 2018-03-30 15:01:53 +02:00			`def token_exchange(`
			`conn,`
oauth: support either name or username parameter with grant_type=password closes #180 2018-06-14 03:45:10 +02:00			`%{"grant_type" => "password", "username" => name, "password" => password} = params`
Format the code. 2018-03-30 15:01:53 +02:00			`) do`
Make OAuth token endpoint work with HTTP Basic auth client_id/client_secret can now be supplied in an Authorization header 2018-06-01 18:01:56 +02:00			`with %App{} = app <- get_app_from_request(conn, params),`
oauth: fix password-based login when username is email address closes #199 2018-06-14 04:29:52 +02:00			`%User{} = user <- User.get_by_nickname_or_email(name),`
oauth: implement grant_type=password for single-page apps 2018-03-23 21:50:34 +01:00			`true <- Pbkdf2.checkpw(password, user.password_hash),`
[#114] Added email confirmation resend action. Added tests for registration, authentication, email confirmation, confirmation resending. Made admin methods create confirmed users. 2018-12-18 15:13:52 +01:00			`{:auth_active, true} <- {:auth_active, User.auth_active?(user)},`
[#468] User UI for OAuth permissions restriction. Standardized storage format for `scopes` fields, updated usages. 2019-02-13 22:29:29 +01:00			`scopes <- scopes(params) \|\| app.scopes,`
			`{:ok, auth} <- Authorization.create_authorization(app, user, scopes),`
oauth: implement grant_type=password for single-page apps 2018-03-23 21:50:34 +01:00			`{:ok, token} <- Token.exchange_token(app, auth) do`
			`response = %{`
			`token_type: "Bearer",`
			`access_token: token.token,`
			`refresh_token: token.refresh_token,`
			`expires_in: 60 * 10,`
[#468] User UI for OAuth permissions restriction. Standardized storage format for `scopes` fields, updated usages. 2019-02-13 22:29:29 +01:00			`scope: Enum.join(token.scopes, " ")`
oauth: implement grant_type=password for single-page apps 2018-03-23 21:50:34 +01:00			`}`
Format the code. 2018-03-30 15:01:53 +02:00
oauth: implement grant_type=password for single-page apps 2018-03-23 21:50:34 +01:00			`json(conn, response)`
			`else`
[#114] Added email confirmation resend action. Added tests for registration, authentication, email confirmation, confirmation resending. Made admin methods create confirmed users. 2018-12-18 15:13:52 +01:00			`{:auth_active, false} ->`
			`conn`
			`\|> put_status(:forbidden)`
			`\|> json(%{error: "Account confirmation pending"})`

Make token exchange return errors with 400 as status code 2018-06-06 03:14:50 +02:00			`_error ->`
			`put_status(conn, 400)`
			`\|> json(%{error: "Invalid credentials"})`
oauth: implement grant_type=password for single-page apps 2018-03-23 21:50:34 +01:00			`end`
			`end`

oauth: support either name or username parameter with grant_type=password closes #180 2018-06-14 03:45:10 +02:00			`def token_exchange(`
			`conn,`
fix compile warnings 2018-12-09 10:12:48 +01:00			`%{"grant_type" => "password", "name" => name, "password" => _password} = params`
oauth: support either name or username parameter with grant_type=password closes #180 2018-06-14 03:45:10 +02:00			`) do`
			`params =`
			`params`
			`\|> Map.delete("name")`
			`\|> Map.put("username", name)`

			`token_exchange(conn, params)`
			`end`

OAuth: Support /revoke endpoint for revoking tokens (for compatibility with Mastodon) 2018-08-29 01:25:40 +02:00			`def token_revoke(conn, %{"token" => token} = params) do`
			`with %App{} = app <- get_app_from_request(conn, params),`
			`%Token{} = token <- Repo.get_by(Token, token: token, app_id: app.id),`
			`{:ok, %Token{}} <- Repo.delete(token) do`
			`json(conn, %{})`
			`else`
			`_error ->`
			`# RFC 7009: invalid tokens [in the request] do not cause an error response`
			`json(conn, %{})`
			`end`
			`end`

oauth: fix token decode regression 2018-11-11 06:11:27 +01:00			`# XXX - for whatever reason our token arrives urlencoded, but Plug.Conn should be`
			`# decoding it. Investigate sometime.`
Fix tootdon logins. 2017-11-06 20:51:31 +01:00			`defp fix_padding(token) do`
			`token`
oauth: fix token decode regression 2018-11-11 06:11:27 +01:00			`\|> URI.decode()`
Fix tootdon logins. 2017-11-06 20:51:31 +01:00			`\|> Base.url_decode64!(padding: false)`
Format the code. 2018-03-30 15:01:53 +02:00			`\|> Base.url_encode64()`
Fix tootdon logins. 2017-11-06 20:51:31 +01:00			`end`
Make OAuth token endpoint work with HTTP Basic auth client_id/client_secret can now be supplied in an Authorization header 2018-06-01 18:01:56 +02:00
			`defp get_app_from_request(conn, params) do`
			`# Per RFC 6749, HTTP Basic is preferred to body params`
			`{client_id, client_secret} =`
			`with ["Basic " <> encoded] <- get_req_header(conn, "authorization"),`
			`{:ok, decoded} <- Base.decode64(encoded),`
			`[id, secret] <-`
			`String.split(decoded, ":")`
			`\|> Enum.map(fn s -> URI.decode_www_form(s) end) do`
			`{id, secret}`
			`else`
			`_ -> {params["client_id"], params["client_secret"]}`
			`end`

			`if client_id && client_secret do`
			`Repo.get_by(`
			`App,`
			`client_id: client_id,`
			`client_secret: client_secret`
			`)`
			`else`
			`nil`
			`end`
			`end`
[#468] User UI for OAuth permissions restriction. Standardized storage format for `scopes` fields, updated usages. 2019-02-13 22:29:29 +01:00
			`defp scopes(params),`
			`do: OAuth.parse_scopes(params["scopes"] \|\| params["scope"])`
Add very basic oauth and mastodon api support. 2017-09-06 19:06:25 +02:00			`end`