From ab810a8f9466d88c8d3bcbae330ac8fb8761c5cc Mon Sep 17 00:00:00 2001 From: Danielle McLean Date: Fri, 3 Nov 2017 16:14:30 +1100 Subject: [PATCH] Simplify the auth code format a little: the 'me' value can be computed from the user ID and so is redundant --- lemonauth/tokens.py | 19 ++++++------------- lemonauth/views/indie.py | 14 ++++++++++++-- 2 files changed, 18 insertions(+), 15 deletions(-) diff --git a/lemonauth/tokens.py b/lemonauth/tokens.py index 8645912..f69bb9c 100644 --- a/lemonauth/tokens.py +++ b/lemonauth/tokens.py @@ -13,25 +13,18 @@ def decode(token): def gen_auth_code(req): - post = req.POST - params = {'me': post['me']} - if 'state' in post: - params['state'] = post['state'] - code = { - 'me': post['me'], 'uid': req.user.id, - 'cid': post['client_id'], - 'uri': post['redirect_uri'], - 'typ': post.get('response_type', 'id'), + 'cid': req.POST['client_id'], + 'uri': req.POST['redirect_uri'], + 'typ': req.POST.get('response_type', 'id'), 'iat': datetime.utcnow(), 'exp': datetime.utcnow() + timedelta(seconds=30), } - if 'scope' in post: - code['sco'] = ' '.join(post.getlist('scope')) + if 'scope' in req.POST: + code['sco'] = ' '.join(req.POST.getlist('scope')) - params['code'] = encode(code) - return (post['redirect_uri'], params) + return encode(code) def verify_auth_code(c): diff --git a/lemonauth/views/indie.py b/lemonauth/views/indie.py index 8dab3ce..2b34880 100644 --- a/lemonauth/views/indie.py +++ b/lemonauth/views/indie.py @@ -1,6 +1,7 @@ import mf2py from annoying.decorators import render_to +from django.contrib.auth import get_user_model from django.contrib.auth.decorators import login_required from django.http import JsonResponse from django.shortcuts import redirect @@ -106,8 +107,10 @@ class IndieView(TemplateView): if code['uri'] != post.get('redirect_uri'): return utils.forbid('redirect uri did not match') + user = get_user_model().get(pk=code['uid']) + me = urljoin(utils.origin(request), user.url) # If we got here, it's valid! Yay! - return utils.choose_type(request, {'me': code['me']}, { + return utils.choose_type(request, {'me': me}, { 'application/x-www-form-urlencoded': utils.form_encoded_response, 'application/json': JsonResponse, }) @@ -116,6 +119,13 @@ class IndieView(TemplateView): @login_required @require_POST def approve(request): - uri, params = tokens.gen_auth_code(request) + params = { + 'me': urljoin(utils.origin(request), request.user.url), + 'code': tokens.gen_auth_code(request), + } + if 'state' in request.POST: + params['state'] = request.POST['state'] + + uri = request.POST['redirect_uri'] sep = '&' if '?' in uri else '?' return redirect(uri + sep + urlencode(params))