Simplify the auth code format a little: the 'me' value can be computed from the user ID and so is redundant

2017-11-03 16:14:30 +11:00 · 2017-11-03 16:14:30 +11:00 · ab810a8f94
parent 43a56e865e
commit ab810a8f94
2 changed files with 18 additions and 15 deletions
--- a/lemonauth/tokens.py
+++ b/lemonauth/tokens.py
@ -13,25 +13,18 @@ def decode(token):


 def gen_auth_code(req):
-    post = req.POST
-    params = {'me': post['me']}
-    if 'state' in post:
-        params['state'] = post['state']
-
    code = {
-        'me': post['me'],
        'uid': req.user.id,
-        'cid': post['client_id'],
-        'uri': post['redirect_uri'],
-        'typ': post.get('response_type', 'id'),
+        'cid': req.POST['client_id'],
+        'uri': req.POST['redirect_uri'],
+        'typ': req.POST.get('response_type', 'id'),
        'iat': datetime.utcnow(),
        'exp': datetime.utcnow() + timedelta(seconds=30),
    }
-    if 'scope' in post:
-        code['sco'] = ' '.join(post.getlist('scope'))
+    if 'scope' in req.POST:
+        code['sco'] = ' '.join(req.POST.getlist('scope'))

-    params['code'] = encode(code)
-    return (post['redirect_uri'], params)
+    return encode(code)


 def verify_auth_code(c):
--- a/lemonauth/views/indie.py
+++ b/lemonauth/views/indie.py
@ -1,6 +1,7 @@
 import mf2py

 from annoying.decorators import render_to
+from django.contrib.auth import get_user_model
 from django.contrib.auth.decorators import login_required
 from django.http import JsonResponse
 from django.shortcuts import redirect
@ -106,8 +107,10 @@ class IndieView(TemplateView):
        if code['uri'] != post.get('redirect_uri'):
            return utils.forbid('redirect uri did not match')

+        user = get_user_model().get(pk=code['uid'])
+        me = urljoin(utils.origin(request), user.url)
        # If we got here, it's valid! Yay!
-        return utils.choose_type(request, {'me': code['me']}, {
+        return utils.choose_type(request, {'me': me}, {
            'application/x-www-form-urlencoded': utils.form_encoded_response,
            'application/json': JsonResponse,
        })
@ -116,6 +119,13 @@ class IndieView(TemplateView):
@login_required
@require_POST
 def approve(request):
-    uri, params = tokens.gen_auth_code(request)
+    params = {
+        'me': urljoin(utils.origin(request), request.user.url),
+        'code': tokens.gen_auth_code(request),
+    }
+    if 'state' in request.POST:
+        params['state'] = request.POST['state']
+
+    uri = request.POST['redirect_uri']
    sep = '&' if '?' in uri else '?'
    return redirect(uri + sep + urlencode(params))