From 027adbc9e5c60cd43b8857eb7a3124e6df1310c2 Mon Sep 17 00:00:00 2001
From: Ivan Tashkinov <ivantashkinov@gmail.com>
Date: Thu, 14 Feb 2019 17:03:19 +0300
Subject: [PATCH] [#468] Refactored OAuth scopes parsing / defaults handling.

---
 lib/pleroma/web/controller_helper.ex          |  4 ++++
 .../mastodon_api/mastodon_api_controller.ex   | 11 ++++++---
 lib/pleroma/web/oauth.ex                      | 23 +++++++++----------
 lib/pleroma/web/oauth/oauth_controller.ex     | 12 ++++------
 4 files changed, 28 insertions(+), 22 deletions(-)

diff --git a/lib/pleroma/web/controller_helper.ex b/lib/pleroma/web/controller_helper.ex
index 14e3d19fd..a32195b49 100644
--- a/lib/pleroma/web/controller_helper.ex
+++ b/lib/pleroma/web/controller_helper.ex
@@ -5,6 +5,10 @@
 defmodule Pleroma.Web.ControllerHelper do
   use Pleroma.Web, :controller
 
+  def oauth_scopes(params, default) do
+    Pleroma.Web.OAuth.parse_scopes(params["scopes"] || params["scope"], default)
+  end
+
   def json_response(conn, status, json) do
     conn
     |> put_status(status)
diff --git a/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex b/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex
index 59f472e91..a1e9472b2 100644
--- a/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex
+++ b/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex
@@ -19,11 +19,12 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
   alias Pleroma.Web.ActivityPub.ActivityPub
   alias Pleroma.Web.ActivityPub.Utils
   alias Pleroma.Web.CommonAPI
-  alias Pleroma.Web.OAuth
   alias Pleroma.Web.OAuth.{Authorization, Token, App}
   alias Pleroma.Web.MediaProxy
 
+  import Pleroma.Web.ControllerHelper, only: [oauth_scopes: 2]
   import Ecto.Query
+
   require Logger
 
   @httpoison Application.get_env(:pleroma, :httpoison)
@@ -32,8 +33,12 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
   action_fallback(:errors)
 
   def create_app(conn, params) do
-    scopes = OAuth.parse_scopes(params["scope"] || params["scopes"])
-    app_attrs = params |> Map.drop(["scope", "scopes"]) |> Map.put("scopes", scopes)
+    scopes = oauth_scopes(params, [])
+
+    app_attrs =
+      params
+      |> Map.drop(["scope", "scopes"])
+      |> Map.put("scopes", scopes)
 
     with cs <- App.register_changeset(%App{}, app_attrs),
          false <- cs.changes[:client_name] == @local_mastodon_name,
diff --git a/lib/pleroma/web/oauth.ex b/lib/pleroma/web/oauth.ex
index 761b80fde..8c78d1100 100644
--- a/lib/pleroma/web/oauth.ex
+++ b/lib/pleroma/web/oauth.ex
@@ -3,22 +3,21 @@
 # SPDX-License-Identifier: AGPL-3.0-only
 
 defmodule Pleroma.Web.OAuth do
-  def parse_scopes(nil) do
-    nil
+  def parse_scopes(scopes, default) when is_list(scopes) do
+    scopes = Enum.filter(scopes, &(&1 not in [nil, ""]))
+
+    if Enum.any?(scopes),
+      do: scopes,
+      else: default
   end
 
-  def parse_scopes(scopes) when is_list(scopes) do
+  def parse_scopes(scopes, default) when is_binary(scopes) do
     scopes
+    |> String.split(~r/[\s,]+/)
+    |> parse_scopes(default)
   end
 
-  def parse_scopes(scopes) do
-    scopes =
-      scopes
-      |> to_string()
-      |> String.trim()
-
-    if scopes == "",
-      do: [],
-      else: String.split(scopes, [" ", ","])
+  def parse_scopes(_, default) do
+    default
   end
 end
diff --git a/lib/pleroma/web/oauth/oauth_controller.ex b/lib/pleroma/web/oauth/oauth_controller.ex
index f00d5293d..3e905c7c7 100644
--- a/lib/pleroma/web/oauth/oauth_controller.ex
+++ b/lib/pleroma/web/oauth/oauth_controller.ex
@@ -5,11 +5,12 @@
 defmodule Pleroma.Web.OAuth.OAuthController do
   use Pleroma.Web, :controller
 
-  alias Pleroma.Web.OAuth
   alias Pleroma.Web.OAuth.{Authorization, Token, App}
   alias Pleroma.{Repo, User}
   alias Comeonin.Pbkdf2
 
+  import Pleroma.Web.ControllerHelper, only: [oauth_scopes: 2]
+
   plug(:fetch_session)
   plug(:fetch_flash)
 
@@ -19,7 +20,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
     render(conn, "show.html", %{
       response_type: params["response_type"],
       client_id: params["client_id"],
-      scopes: scopes(params) || [],
+      scopes: oauth_scopes(params, []),
       redirect_uri: params["redirect_uri"],
       state: params["state"]
     })
@@ -39,7 +40,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
          {:auth_active, true} <- {:auth_active, User.auth_active?(user)},
          %App{} = app <- Repo.get_by(App, client_id: client_id),
          true <- redirect_uri in String.split(app.redirect_uris),
-         scopes <- scopes(params) || app.scopes,
+         scopes <- oauth_scopes(params, app.scopes),
          [] <- scopes -- app.scopes,
          true <- Enum.any?(scopes),
          {:ok, auth} <- Authorization.create_authorization(app, user, scopes) do
@@ -117,7 +118,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
          %User{} = user <- User.get_by_nickname_or_email(name),
          true <- Pbkdf2.checkpw(password, user.password_hash),
          {:auth_active, true} <- {:auth_active, User.auth_active?(user)},
-         scopes <- scopes(params) || app.scopes,
+         scopes <- oauth_scopes(params, app.scopes),
          {:ok, auth} <- Authorization.create_authorization(app, user, scopes),
          {:ok, token} <- Token.exchange_token(app, auth) do
       response = %{
@@ -197,7 +198,4 @@ defmodule Pleroma.Web.OAuth.OAuthController do
       nil
     end
   end
-
-  defp scopes(params),
-    do: OAuth.parse_scopes(params["scopes"] || params["scope"])
 end