Half-implement an IndieAuth authorization endpoint - it accepts the right parameters, verifies your client_id, and displays a prompt, but you can't actually approve the auth yet

2017-10-26 11:35:57 +11:00 · 2017-10-26 11:35:57 +11:00 · 93be2f5a32
commit 93be2f5a32
parent d234fd942d
7 changed files with 145 additions and 1 deletions
--- a/lemonauth/templates/lemonauth/indie.html
+++ b/lemonauth/templates/lemonauth/indie.html
@ -0,0 +1,24 @@
+{% extends 'lemoncurry/layout.html' %}
+{% block main %}
+<div class="container">
+	<form class="card" method="post" action="{% url 'lemonauth:indie' %}">
+		<h4 class="card-header">
+			<a href="{{ params.client_id }}">{{ params.client_id }}</a>
+		</h4>
+
+		<div class="card-body">
+			<p class="card-text">do you want to confirm your identity, <a href="{{ params.me }}">{{ params.me }}</a>, with this app?</p>
+		</div>
+
+		<div class="card-footer">
+			<p class="card-text">you can't actually auth yet but this button is how you will do it</p>
+			<button class="btn btn-success" type="button">
+				<i class="fa fa-check"></i>
+				approve
+			</button>
+		</div>
+
+		{% csrf_token %}
+	</form>
+</div>
+{% endblock %}
--- a/lemonauth/urls.py
+++ b/lemonauth/urls.py
@ -5,4 +5,5 @@ app_name = 'lemonauth'
 urlpatterns = [
    url('^login$', views.login, name='login'),
    url('^logout$', views.logout, name='logout'),
+    url('^indie$', views.IndieView.as_view(), name='indie'),
 ]
--- a/lemonauth/views/init.py
+++ b/lemonauth/views/init.py
@ -1,2 +1,3 @@
 from .login import login
 from .logout import logout
+from .indie import IndieView
--- a/lemonauth/views/indie.py
+++ b/lemonauth/views/indie.py
@ -0,0 +1,53 @@
+import mf2py
+
+from django.contrib.auth.decorators import login_required
+from django.http import HttpResponseForbidden, HttpResponseBadRequest
+from django.shortcuts import render
+from django.utils.decorators import method_decorator
+from django.views.generic import TemplateView
+from lemoncurry import breadcrumbs
+
+breadcrumbs.add('lemonauth:indie', label='indieauth', parent='home:index')
+
+
+class IndieView(TemplateView):
+    template_name = 'lemonauth/indie.html'
+    required_params = ('me', 'client_id', 'redirect_uri')
+
+    @method_decorator(login_required)
+    def dispatch(self, *args, **kwargs):
+        return super(IndieView, self).dispatch(*args, **kwargs)
+
+    def get(self, request):
+        params = request.GET
+        for param in self.required_params:
+            if param not in params:
+                return HttpResponseBadRequest(
+                    'parameter {0} is required'.format(param),
+                    content_type='text/plain',
+                )
+
+        me = params['me']
+        user = '{0}://{1}{2}'.format(
+            request.scheme,
+            request.META['HTTP_HOST'],
+            request.user.url
+        )
+        if me != user:
+            return HttpResponseForbidden(
+                'you are logged in but not as {0}'.format(me),
+                content_type='text/plain',
+            )
+
+        client = mf2py.parse(url=params['client_id'])
+        rels = client['rel-urls'].get(params['redirect_uri'], {}).get('rels', ())
+        if 'redirect_uri' not in rels:
+            return HttpResponseBadRequest(
+                'your redirect_uri is not published on your client_id page',
+                content_type='text/plain'
+            )
+
+        return render(request, self.template_name, {
+            'params': params,
+            'title': 'indieauth',
+        })