diff --git a/lemonauth/views/indie.py b/lemonauth/views/indie.py
index 30c26a3..bdeacd0 100644
--- a/lemonauth/views/indie.py
+++ b/lemonauth/views/indie.py
@@ -2,7 +2,6 @@ import mf2py
 from annoying.decorators import render_to
 from django.contrib.auth.decorators import login_required
-from django.http import HttpResponseForbidden, HttpResponseBadRequest
 from django.http import JsonResponse
 from django.shortcuts import redirect
 from django.utils.decorators import method_decorator
@@ -17,14 +16,6 @@ from ..models import IndieAuthCode
 breadcrumbs.add('lemonauth:indie', label='indieauth', parent='home:index')
-def bad_req(message):
- return HttpResponseBadRequest(message, content_type='text/plain')
-
-
-def forbid(message):
- return HttpResponseForbidden(message, content_type='text/plain')
-
-
 def canonical(url):
 (scheme, loc, path, params, q, fragment) = urlparse(url)
 if not path:
@@ -49,32 +40,28 @@ class IndieView(TemplateView):
 for param in self.required_params:
 if param not in params:
- return HttpResponseBadRequest(
- 'parameter {0} is required'.format(param),
- content_type='text/plain',
+ return utils.bad_req(
+ 'parameter {0} is required'.format(param)
 )
 me = canonical(params['me'])
 user = urljoin(utils.origin(request), request.user.url)
 if user != me:
- return HttpResponseForbidden(
- 'you are logged in but not as {0}'.format(me),
- content_type='text/plain',
+ return utils.forbid(
+ 'you are logged in but not as {0}'.format(me)
 )
 type = params['response_type']
 if type not in ('id', 'code'):
- return HttpResponseBadRequest(
- 'unknown response_type: {0}'.format(type),
- content_type='text/plain'
+ return utils.bad_req(
+ 'unknown response_type: {0}'.format(type)
 )
 scopes = ()
 if type == 'code':
 if 'scope' not in params:
- return HttpResponseBadRequest(
- 'scopes required for code type',
- content_type='text/plain',
+ return utils.bad_req(
+ 'scopes required for code type'
 )
 scopes = params['scope'].split(' ')
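Review bot: The response bodies built in the last hunk of this file still interpolate request parameters verbatim (`me` in 'you are logged in but not as {0}' and `response_type` in 'unknown response_type: {0}'), and after this change the text/plain content type that keeps them inert is no longer visible at the call sites. The safety of these four returns now rests entirely on utils.bad_req and utils.forbid, so it is worth pinning that with a test asserting the responses' Content-Type. It is also worth confirming that `SECURE_CONTENT_TYPE_NOSNIFF = True` is in effect, so a browser does not sniff an echoed value as HTML. The enclosing method starts and ends outside the hunk.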
@@ -103,7 +90,7 @@ class IndieView(TemplateView):
 try:
 code = IndieAuthCode.objects.get(code=post.get('code'))
 except IndieAuthCode.DoesNotExist:
- return forbid('invalid auth code')
+ return utils.forbid('invalid auth code')
 # We always delete the code immediately to ensure it's only single-use.
 # If you pass the right code but the wrong other info, bad luck, you
@@ -113,11 +100,13 @@ class IndieView(TemplateView):
 # After deleting the code from the DB, we verify the other parameters
 # of the request.
 if code.response_type != 'id':
- return bad_req('this endpoint only supports response_type=id')
+ return utils.bad_req(
+ 'this endpoint only supports response_type=id'
+ )
 if post.get('client_id') != code.client_id:
- return forbid('client id did not match')
+ return utils.forbid('client id did not match')
 if post.get('redirect_uri') != code.redirect_uri:
- return forbid('redirect uri did not match')
+ return utils.forbid('redirect uri did not match')
 # If we got here, it's valid! Yay!
 return utils.choose_type(request, {'me': code.me}, {
diff --git a/lemoncurry/utils.py b/lemoncurry/utils.py
index 6ce735a..db222d8 100644
--- a/lemoncurry/utils.py
+++ b/lemoncurry/utils.py
@@ -2,6 +2,7 @@ import json
 from accept_types import get_best_match
 from django.conf import settings
 from django.http import HttpResponse
+from django.http import HttpResponseForbidden, HttpResponseBadRequest
 from os.path import join
 from shorturls import default_converter as converter
 from shorturls.templatetags.shorturl import ShortURL
@@ -48,3 +49,11 @@ def shortlink(obj):
 if hasattr(settings, 'SHORT_BASE_URL') and settings.SHORT_BASE_URL:
 return urljoin(settings.SHORT_BASE_URL, prefix + tinyid)
 return '/' + prefix + tinyid
+
+
+def bad_req(message):
+ return HttpResponseBadRequest(message, content_type='text/plain')
+
+
+def forbid(message):
+ return HttpResponseForbidden(message, content_type='text/plain')
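Review bot: The single-use guarantee described in the comment rests on a fetch followed by a separate delete, and the lookup `IndieAuthCode.objects.get(code=post.get('code'))` takes no lock, so two concurrent POSTs carrying the same code could both pass it before either removes the row. The delete itself sits between this hunk and the next and is not visible here, so this is inferred from the comment rather than read from the code. Consider running the fetch and the delete inside `transaction.atomic()` and fetching with `IndieAuthCode.objects.select_for_update().get(code=post.get('code'))`, so that a second request blocks and then gets DoesNotExist on databases that support row locks. The method starts before this hunk and continues past it.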
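Review bot: `bad_req` and `forbid` are added to lemoncurry/utils.py without docstrings, so the reason for `content_type='text/plain'` is not recorded anywhere. It matters because callers in lemonauth/views/indie.py format request parameters into `message`. Now that the helpers are shared, a later edit that drops or changes the content type would turn those echoed values into markup in every caller at once. A one-line docstring on each would cover it, e.g. `"""Return a 400 response sent as text/plain; message may contain request data and must not be rendered as HTML."""`, with the equivalent wording for the 403 helper.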