Give better 'me' normalisation to IndieAuth processing + Aadd a simple POST route for actually submitting the form

This commit is contained in:
Danielle McLean 2017-10-29 14:39:30 +11:00
parent 6bdcce1844
commit 221d548e4a
Signed by: 00dani
GPG key ID: 5A5D2D1AFF12EEC5
4 changed files with 38 additions and 21 deletions

View file

@ -7,7 +7,7 @@
{% block main %} {% block main %}
<div class="container"> <div class="container">
<form class="card" method="post" action="{% url 'lemonauth:indie' %}"> <form class="card" method="post" action="{% url 'lemonauth:indie_approve' %}">
<h4 class="card-header h-x-app"> <h4 class="card-header h-x-app">
{% if app %}<img class="u-logo p-name" src="{{ app.logo | first }}" alt="{{ app.name | first }}" />{% endif %} {% if app %}<img class="u-logo p-name" src="{{ app.logo | first }}" alt="{{ app.name | first }}" />{% endif %}
sign in to sign in to
@ -16,7 +16,7 @@
</h4> </h4>
<div class="card-body"> <div class="card-body">
<p class="card-text">do you want to confirm your identity, <a class="code" href="{{ params.me }}">{{ params.me }}</a>, with this app?</p> <p class="card-text">do you want to confirm your identity, <a class="code" href="{{ me }}">{{ me }}</a>, with this app?</p>
<p class="card-text"><small>you will be redirected to <a class="code" href="{{ params.redirect_uri }}">{{ params.redirect_uri }}</a> after authorising this app</small></p> <p class="card-text"><small>you will be redirected to <a class="code" href="{{ params.redirect_uri }}">{{ params.redirect_uri }}</a> after authorising this app</small></p>
</div> </div>
@ -28,9 +28,11 @@
</div> </div>
{% csrf_token %} {% csrf_token %}
{% if params.state %} <input name="me" type="hidden" value="{{ me }}" />
<input name="state" type="hidden" value="{{ params.state }}" /> <input name="client_id" type="hidden" value="{{ params.client_id }}" />
{% endif %} <input name="redirect_uri" type="hidden" value="{{ params.redirect_uri }}" />
{% if params.state %}<input name="state" type="hidden" value="{{ params.state }}" />{% endif %}
<input name="response_type" type="hidden" value="{{ params.response_type }}" />
</form> </form>
</div> </div>
{% endblock %} {% endblock %}

View file

@ -6,4 +6,5 @@ urlpatterns = [
url('^login$', views.login, name='login'), url('^login$', views.login, name='login'),
url('^logout$', views.logout, name='logout'), url('^logout$', views.logout, name='logout'),
url('^indie$', views.IndieView.as_view(), name='indie'), url('^indie$', views.IndieView.as_view(), name='indie'),
url('^indie/approve$', views.indie_approve, name='indie_approve'),
] ]

View file

@ -1,3 +1,3 @@
from .login import login from .login import login
from .logout import logout from .logout import logout
from .indie import IndieView from .indie import IndieView, approve as indie_approve

View file

@ -1,23 +1,39 @@
import mf2py import mf2py
from annoying.decorators import render_to
from django.contrib.auth.decorators import login_required from django.contrib.auth.decorators import login_required
from django.http import HttpResponseForbidden, HttpResponseBadRequest from django.http import HttpResponseForbidden, HttpResponseBadRequest
from django.shortcuts import render from django.http import JsonResponse
from django.utils.decorators import method_decorator from django.utils.decorators import method_decorator
from django.views.generic import TemplateView from django.views.generic import TemplateView
from django.views.decorators.http import require_POST
from lemoncurry import breadcrumbs, utils from lemoncurry import breadcrumbs, utils
from urllib.parse import urljoin from urllib.parse import urljoin, urlunparse, urlparse
breadcrumbs.add('lemonauth:indie', label='indieauth', parent='home:index') breadcrumbs.add('lemonauth:indie', label='indieauth', parent='home:index')
def canonical(url):
(scheme, loc, path, params, q, fragment) = urlparse(url)
if not path:
path = '/'
if not loc:
loc, path = path, ''
if not scheme:
scheme = 'https'
return urlunparse((scheme, loc, path, params, q, fragment))
class IndieView(TemplateView): class IndieView(TemplateView):
template_name = 'lemonauth/indie.html' template_name = 'lemonauth/indie.html'
required_params = ('me', 'client_id', 'redirect_uri') required_params = ('me', 'client_id', 'redirect_uri')
@method_decorator(login_required) @method_decorator(login_required)
@method_decorator(render_to(template_name))
def get(self, request): def get(self, request):
params = request.GET params = request.GET.dict()
params.setdefault('response_type', 'id')
for param in self.required_params: for param in self.required_params:
if param not in params: if param not in params:
return HttpResponseBadRequest( return HttpResponseBadRequest(
@ -25,13 +41,9 @@ class IndieView(TemplateView):
content_type='text/plain', content_type='text/plain',
) )
me = params['me'] me = canonical(params['me'])
if me[-1] == '/': user = urljoin(utils.origin(request), request.user.url)
me = me[:-1] if user != me:
origin = utils.origin(request)
user = urljoin(origin, request.user.url)
if user not in (me, me + '/'):
return HttpResponseForbidden( return HttpResponseForbidden(
'you are logged in but not as {0}'.format(me), 'you are logged in but not as {0}'.format(me),
content_type='text/plain', content_type='text/plain',
@ -52,8 +64,10 @@ class IndieView(TemplateView):
except IndexError: except IndexError:
app = None app = None
return render(request, self.template_name, { return {'app': app, 'me': me, 'params': params, 'title': 'indieauth'}
'app': app,
'params': params,
'title': 'indieauth', @login_required
}) @require_POST
def approve(request):
return JsonResponse(request.POST)