Add support for selecting scopes during IndieAuth's 'code' type

5 years ago · 06278935b6
3 changed files with 34 additions and 6 deletions
--- a/lemonauth/models.py
+++ b/lemonauth/models.py
@ -3,13 +3,13 @@ from secrets import token_hex


 class IndieAuthCodeManager(models.Manager):
-    def create_from_dict(self, d):
+    def create_from_qdict(self, d):
        code = self.create(
            me=d['me'],
            client_id=d['client_id'],
            redirect_uri=d['redirect_uri'],
            response_type=d.get('response_type', 'id'),
-            scope=d.get('scope', ''),
+            scope=" ".join(d.getlist('scope')),
        )
        code.code = token_hex(32)
        return code
--- a/lemonauth/templates/lemonauth/indie.html
+++ b/lemonauth/templates/lemonauth/indie.html
@ -22,6 +22,18 @@

 		<div class="card-body">
 			<p class="card-text">do you want to confirm your identity, <a class="code" href="{{ me }}">{{ me }}</a>, with this app?</p>
+			{% if params.response_type == 'code' %}
+			<p class="card-text">additionally, this app is requesting the following <i>scopes</i> - you can edit the scopes that will be granted to the app, if you wish</p>
+			<div class="custom-controls-stacked card-text">
+			{% for scope in scopes %}
+				<label class="custom-control custom-checkbox">
+					<input name="scope" type="checkbox" class="custom-control-input" checked value="{{ scope }}" />
+					<span class="custom-control-indicator"></span>
+					<span class="custom-control-description">{{ scope }}</span>
+				</label>
+			{% endfor %}
+			</div>
+			{% endif %}
 			<p class="card-text"><small>you will be redirected to <a class="code" href="{{ params.redirect_uri }}">{{ params.redirect_uri }}</a> after authorising this app</small></p>
 		</div>

--- a/lemonauth/views/indie.py
+++ b/lemonauth/views/indie.py
@ -62,6 +62,22 @@ class IndieView(TemplateView):
                content_type='text/plain',
            )

+        type = params['response_type']
+        if type not in ('id', 'code'):
+            return HttpResponseBadRequest(
+                'unknown response_type: {0}'.format(type),
+                content_type='text/plain'
+            )
+
+        scopes = ()
+        if type == 'code':
+            if 'scope' not in params:
+                return HttpResponseBadRequest(
+                    'scopes required for code type',
+                    content_type='text/plain',
+                )
+            scopes = params['scope'].split(' ')
+
        client = mf2py.Parser(url=params['client_id'], html_parser='html5lib')
        rels = (client.to_dict()['rel-urls']
                .get(params['redirect_uri'], {})
@ -78,6 +94,7 @@ class IndieView(TemplateView):
            'me': me,
            'verified': verified,
            'params': params,
+            'scopes': scopes,
            'title': 'indieauth',
        }

@ -112,10 +129,9 @@ class IndieView(TemplateView):
@login_required
@require_POST
 def approve(request):
-    post = request.POST.dict()
-    code = IndieAuthCode.objects.create_from_dict(post)
+    code = IndieAuthCode.objects.create_from_qdict(request.POST)
    code.save()
    params = {'code': code.code, 'me': code.me}
-    if 'state' in post:
-        params['state'] = post['state']
+    if 'state' in request.POST:
+        params['state'] = request.POST['state']
    return redirect(code.redirect_uri + '?' + urlencode(params))