diff --git a/lemonauth/models.py b/lemonauth/models.py
index 1225811..2360431 100644
--- a/lemonauth/models.py
+++ b/lemonauth/models.py
@@ -3,13 +3,13 @@ from secrets import token_hex
 class IndieAuthCodeManager(models.Manager):
- def create_from_dict(self, d):
+ def create_from_qdict(self, d):
 code = self.create(
 me=d['me'],
 client_id=d['client_id'],
 redirect_uri=d['redirect_uri'],
 response_type=d.get('response_type', 'id'),
- scope=d.get('scope', ''),
+ scope=" ".join(d.getlist('scope')),
 )
 code.code = token_hex(32)
 return code
diff --git a/lemonauth/templates/lemonauth/indie.html b/lemonauth/templates/lemonauth/indie.html
index d6a769d..90d18af 100644
--- a/lemonauth/templates/lemonauth/indie.html
+++ b/lemonauth/templates/lemonauth/indie.html
@@ -22,6 +22,18 @@
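Review bot: `scope=" ".join(d.getlist('scope'))` stores the posted scope values verbatim, so an empty checkbox value or a value containing whitespace yields a stored scope string that no longer round-trips through the `split(' ')` used on the reading side. Normalising before joining, `scope=" ".join(s for s in d.getlist('scope') if s.strip())`, drops empties, and rejecting any single value that contains whitespace keeps the stored field parseable. The rename also makes the method QueryDict-only, since `getlist` is not available on a plain `dict` that the old name accepted; a one-line docstring such as `"""Create an IndieAuthCode from a QueryDict (request.POST); 'scope' may repeat."""` should say so.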

do you want to confirm your identity, {{ me }}, with this app?

+ {% if params.response_type == 'code' %} +

additionally, this app is requesting the following scopes - you can edit the scopes that will be granted to the app, if you wish

+
+ {% for scope in scopes %} + + {% endfor %} +
+ {% endif %}

you will be redirected to {{ params.redirect_uri }} after authorising this app

diff --git a/lemonauth/views/indie.py b/lemonauth/views/indie.py
index c76147d..30c26a3 100644
--- a/lemonauth/views/indie.py
+++ b/lemonauth/views/indie.py
@@ -62,6 +62,22 @@ class IndieView(TemplateView):
 content_type='text/plain',
 )
+ type = params['response_type']
+ if type not in ('id', 'code'):
+ return HttpResponseBadRequest(
+ 'unknown response_type: {0}'.format(type),
+ content_type='text/plain'
+ )
+
+ scopes = ()
+ if type == 'code':
+ if 'scope' not in params:
+ return HttpResponseBadRequest(
+ 'scopes required for code type',
+ content_type='text/plain',
+ )
+ scopes = params['scope'].split(' ')
+
 client = mf2py.Parser(url=params['client_id'], html_parser='html5lib')
 rels = (client.to_dict()['rel-urls']
 .get(params['redirect_uri'], {})
@@ -78,6 +94,7 @@ class IndieView(TemplateView):
 'me': me,
 'verified': verified,
 'params': params,
+ 'scopes': scopes,
 'title': 'indieauth',
 }
@@ -112,10 +129,9 @@ class IndieView(TemplateView):
 @login_required
 @require_POST
 def approve(request):
- post = request.POST.dict()
- code = IndieAuthCode.objects.create_from_dict(post)
+ code = IndieAuthCode.objects.create_from_qdict(request.POST)
 code.save()
 params = {'code': code.code, 'me': code.me}
- if 'state' in post:
- params['state'] = post['state']
+ if 'state' in request.POST:
+ params['state'] = request.POST['state']
 return redirect(code.redirect_uri + '?' + urlencode(params))
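Review bot: `scopes = params['scope'].split(' ')` keeps empty strings, so a request with `scope=` (or doubled spaces) passes the `'scope' not in params` check and reaches the template with a blank scope entry; splitting on any whitespace and rejecting an empty result covers both: `scopes = params['scope'].split()` followed by `if not scopes:` returning the same `HttpResponseBadRequest`. `params['response_type']` also raises a KeyError (a 500 rather than a 400) when the parameter is absent, unlike the manager's `d.get('response_type', 'id')` in models.py; if no earlier check outside this hunk makes it mandatory, `params.get('response_type', 'id')` would make the two agree. The local name `type` shadows the builtin; `response_type` would read better and avoid confusion in the error message line. The enclosing method starts and ends outside the hunk.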
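Review bot: The rewritten `approve` still takes `me`, `client_id` and `redirect_uri` straight from `request.POST`, and `create_from_qdict` persists them as posted, so the redirect_uri lookup against the client's rel-urls that the first hunk performs in the GET view is not repeated on the POST that actually issues the code. As far as the visible hunks show, nothing binds the posted values to the ones the user was shown on the confirmation page. Re-validating redirect_uri against the client's rel=redirect_uri here, or keeping the GET-validated parameters server-side (for example in the session) and ignoring the posted copies, would close that gap.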