Simplify the auth code format a little: the 'me' value can be computed from the user ID and so is redundant

2017-11-03 16:14:30 +11:00 · 2017-11-03 16:14:30 +11:00 · ab810a8f94
commit ab810a8f94
parent 43a56e865e
2 changed files with 18 additions and 15 deletions
--- a/lemonauth/views/indie.py
+++ b/lemonauth/views/indie.py
@ -1,6 +1,7 @@
 import mf2py

 from annoying.decorators import render_to
+from django.contrib.auth import get_user_model
 from django.contrib.auth.decorators import login_required
 from django.http import JsonResponse
 from django.shortcuts import redirect
@ -106,8 +107,10 @@ class IndieView(TemplateView):
        if code['uri'] != post.get('redirect_uri'):
            return utils.forbid('redirect uri did not match')

+        user = get_user_model().get(pk=code['uid'])
+        me = urljoin(utils.origin(request), user.url)
        # If we got here, it's valid! Yay!
-        return utils.choose_type(request, {'me': code['me']}, {
+        return utils.choose_type(request, {'me': me}, {
            'application/x-www-form-urlencoded': utils.form_encoded_response,
            'application/json': JsonResponse,
        })
@ -116,6 +119,13 @@ class IndieView(TemplateView):
@login_required
@require_POST
 def approve(request):
-    uri, params = tokens.gen_auth_code(request)
+    params = {
+        'me': urljoin(utils.origin(request), request.user.url),
+        'code': tokens.gen_auth_code(request),
+    }
+    if 'state' in request.POST:
+        params['state'] = request.POST['state']
+
+    uri = request.POST['redirect_uri']
    sep = '&' if '?' in uri else '?'
    return redirect(uri + sep + urlencode(params))