pleroma/lib/pleroma/web/plugs/o_auth_plug.ex

# Pleroma: A lightweight social networking server
# Copyright © 2017-2022 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only

defmodule Pleroma.Web.Plugs.OAuthPlug do
  @moduledoc "Performs OAuth authentication by token from params / headers / cookies."

  import Plug.Conn
  import Ecto.Query

  alias Pleroma.Helpers.AuthHelper
  alias Pleroma.Repo
  alias Pleroma.User
  alias Pleroma.Web.OAuth.App
  alias Pleroma.Web.OAuth.Token

  @realm_reg Regex.compile!("Bearer\:?\s+(.*)$", "i")

  def init(options), do: options

  def call(%{assigns: %{user: %User{}}} = conn, _), do: conn

  def call(conn, _) do
    with {:ok, token_str} <- fetch_token_str(conn) do
      with {:ok, user, user_token} <- fetch_user_and_token(token_str),
           false <- Token.is_expired?(user_token) do
        conn
        |> assign(:token, user_token)
        |> assign(:user, user)
      else
        _ ->
          with {:ok, app, app_token} <- fetch_app_and_token(token_str),
               false <- Token.is_expired?(app_token) do
            conn
            |> assign(:token, app_token)
            |> assign(:app, app)
          else
            _ -> conn
          end
      end
    else
      _ -> conn
    end
  end

  # Gets user by token
  #
  @spec fetch_user_and_token(String.t()) :: {:ok, User.t(), Token.t()} | nil
  defp fetch_user_and_token(token) do
    token_query =
      from(t in Token,
        where: t.token == ^token
      )

    with %Token{user_id: user_id} = token_record <- Repo.one(token_query),
         false <- is_nil(user_id),
         %User{} = user <- User.get_cached_by_id(user_id) do
      {:ok, user, token_record}
    else
      _ -> nil
    end
  end

  @spec fetch_app_and_token(String.t()) :: {:ok, App.t(), Token.t()} | nil
  defp fetch_app_and_token(token) do
    query =
      from(t in Token, where: t.token == ^token, join: app in assoc(t, :app), preload: [app: app])

    with %Token{app: app} = token_record <- Repo.one(query) do
      {:ok, app, token_record}
    end
  end

  # Gets token string from conn (in params / headers / session)
  #
  @spec fetch_token_str(Plug.Conn.t() | list(String.t())) :: :no_token_found | {:ok, String.t()}
  defp fetch_token_str(%Plug.Conn{params: %{"access_token" => access_token}} = _conn) do
    {:ok, access_token}
  end

  defp fetch_token_str(%Plug.Conn{} = conn) do
    headers = get_req_header(conn, "authorization")

    with {:ok, token} <- fetch_token_str(headers) do
      {:ok, token}
    else
      _ -> fetch_token_from_session(conn)
    end
  end

  defp fetch_token_str([token | tail]) do
    trimmed_token = String.trim(token)

    case Regex.run(@realm_reg, trimmed_token) do
      [_, match] -> {:ok, String.trim(match)}
      _ -> fetch_token_str(tail)
    end
  end

  defp fetch_token_str([]), do: :no_token_found

  @spec fetch_token_from_session(Plug.Conn.t()) :: :no_token_found | {:ok, String.t()}
  defp fetch_token_from_session(conn) do
    case AuthHelper.get_session_token(conn) do
      nil -> :no_token_found
      token -> {:ok, token}
    end
  end
end
add license boilerplate to pleroma core 2018-12-23 21:04:54 +01:00			`# Pleroma: A lightweight social networking server`
Copyright bump for 2022 2022-02-26 07:11:42 +01:00			`# Copyright © 2017-2022 Pleroma Authors <https://pleroma.social/>`
add license boilerplate to pleroma core 2018-12-23 21:04:54 +01:00			`# SPDX-License-Identifier: AGPL-3.0-only`

OAuthPlug module name 2020-06-24 08:59:21 +02:00			`defmodule Pleroma.Web.Plugs.OAuthPlug do`
Session-based OAuth auth fixes (token expiration check), refactoring, tweaks. 2020-11-21 17:47:25 +01:00			`@moduledoc "Performs OAuth authentication by token from params / headers / cookies."`

Add very basic oauth and mastodon api support. 2017-09-06 19:06:25 +02:00			`import Plug.Conn`
fix/273 2018-12-05 15:29:49 +01:00			`import Ecto.Query`
Add very basic oauth and mastodon api support. 2017-09-06 19:06:25 +02:00
Session token setting on token exchange. Auth-related refactoring. 2020-11-25 19:47:23 +01:00			`alias Pleroma.Helpers.AuthHelper`
de-group alias/es 2019-02-09 16:16:26 +01:00			`alias Pleroma.Repo`
[Credo] fix Credo.Check.Readability.AliasOrder 2019-03-05 03:52:23 +01:00			`alias Pleroma.User`
differences_in_mastoapi_responses.md: fullname & bio are optionnal [ci skip] 2019-05-13 20:35:45 +02:00			`alias Pleroma.Web.OAuth.App`
de-group alias/es 2019-02-09 16:16:26 +01:00			`alias Pleroma.Web.OAuth.Token`
fix/273 2018-12-05 15:29:49 +01:00
			`@realm_reg Regex.compile!("Bearer\:?\s+(.*)$", "i")`

			`def init(options), do: options`
Add very basic oauth and mastodon api support. 2017-09-06 19:06:25 +02:00
			`def call(%{assigns: %{user: %User{}}} = conn, _), do: conn`
Format the code. 2018-03-30 15:01:53 +02:00
Fix all compilation warnings 2017-11-19 02:22:07 +01:00			`def call(conn, _) do`
Session-based OAuth auth fixes (token expiration check), refactoring, tweaks. 2020-11-21 17:47:25 +01:00			`with {:ok, token_str} <- fetch_token_str(conn) do`
			`with {:ok, user, user_token} <- fetch_user_and_token(token_str),`
			`false <- Token.is_expired?(user_token) do`
differences_in_mastoapi_responses.md: fullname & bio are optionnal [ci skip] 2019-05-13 20:35:45 +02:00			`conn`
Session-based OAuth auth fixes (token expiration check), refactoring, tweaks. 2020-11-21 17:47:25 +01:00			`\|> assign(:token, user_token)`
			`\|> assign(:user, user)`
			`else`
			`_ ->`
			`with {:ok, app, app_token} <- fetch_app_and_token(token_str),`
			`false <- Token.is_expired?(app_token) do`
			`conn`
			`\|> assign(:token, app_token)`
			`\|> assign(:app, app)`
			`else`
			`_ -> conn`
			`end`
			`end`
			`else`
			`_ -> conn`
Add very basic oauth and mastodon api support. 2017-09-06 19:06:25 +02:00			`end`
			`end`
fix/273 2018-12-05 15:29:49 +01:00
			`# Gets user by token`
			`#`
fix and improve web push; add configuration docs 2018-12-07 09:55:28 +01:00			`@spec fetch_user_and_token(String.t()) :: {:ok, User.t(), Token.t()} \| nil`
			`defp fetch_user_and_token(token) do`
OAuthPlug: use user cache instead of joining As this plug is called on every request, this should reduce load on the database by not requiring to select on the users table every single time, and to instead use the by-ID user cache whenever possible. 2022-08-23 17:15:06 +02:00			`token_query =`
Join on preloads to avoid N+1 queries 2019-01-26 15:55:53 +01:00			`from(t in Token,`
OAuthPlug: use user cache instead of joining As this plug is called on every request, this should reduce load on the database by not requiring to select on the users table every single time, and to instead use the by-ID user cache whenever possible. 2022-08-23 17:15:06 +02:00			`where: t.token == ^token`
Join on preloads to avoid N+1 queries 2019-01-26 15:55:53 +01:00			`)`
fix/273 2018-12-05 15:29:49 +01:00
OAuthPlug: use user cache instead of joining As this plug is called on every request, this should reduce load on the database by not requiring to select on the users table every single time, and to instead use the by-ID user cache whenever possible. 2022-08-23 17:15:06 +02:00			`with %Token{user_id: user_id} = token_record <- Repo.one(token_query),`
			`false <- is_nil(user_id),`
			`%User{} = user <- User.get_cached_by_id(user_id) do`
fix and improve web push; add configuration docs 2018-12-07 09:55:28 +01:00			`{:ok, user, token_record}`
OAuthPlug: use user cache instead of joining As this plug is called on every request, this should reduce load on the database by not requiring to select on the users table every single time, and to instead use the by-ID user cache whenever possible. 2022-08-23 17:15:06 +02:00			`else`
			`_ -> nil`
fix/273 2018-12-05 15:29:49 +01:00			`end`
			`end`

differences_in_mastoapi_responses.md: fullname & bio are optionnal [ci skip] 2019-05-13 20:35:45 +02:00			`@spec fetch_app_and_token(String.t()) :: {:ok, App.t(), Token.t()} \| nil`
			`defp fetch_app_and_token(token) do`
			`query =`
			`from(t in Token, where: t.token == ^token, join: app in assoc(t, :app), preload: [app: app])`

			`with %Token{app: app} = token_record <- Repo.one(query) do`
			`{:ok, app, token_record}`
			`end`
			`end`

Session-based OAuth auth fixes (token expiration check), refactoring, tweaks. 2020-11-21 17:47:25 +01:00			`# Gets token string from conn (in params / headers / session)`
fix/273 2018-12-05 15:29:49 +01:00			`#`
Session-based OAuth auth fixes (token expiration check), refactoring, tweaks. 2020-11-21 17:47:25 +01:00			`@spec fetch_token_str(Plug.Conn.t() \| list(String.t())) :: :no_token_found \| {:ok, String.t()}`
			`defp fetch_token_str(%Plug.Conn{params: %{"access_token" => access_token}} = _conn) do`
			`{:ok, access_token}`
fix/273 2018-12-05 15:29:49 +01:00			`end`

fix and improve web push; add configuration docs 2018-12-07 09:55:28 +01:00			`defp fetch_token_str(%Plug.Conn{} = conn) do`
fix/273 2018-12-05 15:29:49 +01:00			`headers = get_req_header(conn, "authorization")`

Session-based OAuth auth fixes (token expiration check), refactoring, tweaks. 2020-11-21 17:47:25 +01:00			`with {:ok, token} <- fetch_token_str(headers) do`
			`{:ok, token}`
			`else`
			`_ -> fetch_token_from_session(conn)`
			`end`
fix/273 2018-12-05 15:29:49 +01:00			`end`

fix and improve web push; add configuration docs 2018-12-07 09:55:28 +01:00			`defp fetch_token_str([token \| tail]) do`
fix/273 2018-12-05 15:29:49 +01:00			`trimmed_token = String.trim(token)`

			`case Regex.run(@realm_reg, trimmed_token) do`
			`[_, match] -> {:ok, String.trim(match)}`
fix and improve web push; add configuration docs 2018-12-07 09:55:28 +01:00			`_ -> fetch_token_str(tail)`
fix/273 2018-12-05 15:29:49 +01:00			`end`
			`end`
Session-based OAuth auth fixes (token expiration check), refactoring, tweaks. 2020-11-21 17:47:25 +01:00
			`defp fetch_token_str([]), do: :no_token_found`

			`@spec fetch_token_from_session(Plug.Conn.t()) :: :no_token_found \| {:ok, String.t()}`
			`defp fetch_token_from_session(conn) do`
Session token setting on token exchange. Auth-related refactoring. 2020-11-25 19:47:23 +01:00			`case AuthHelper.get_session_token(conn) do`
Session-based OAuth auth fixes (token expiration check), refactoring, tweaks. 2020-11-21 17:47:25 +01:00			`nil -> :no_token_found`
			`token -> {:ok, token}`
			`end`
			`end`
Add very basic oauth and mastodon api support. 2017-09-06 19:06:25 +02:00			`end`