from django.views import View from django.utils.decorators import method_decorator from django.views.decorators.csrf import csrf_exempt from .. import tokens from ..models import IndieAuthCode from lemoncurry import utils @method_decorator(csrf_exempt, name="dispatch") class TokenView(View): def get(self, req): token = tokens.auth(req) res = { "me": token.me, "client_id": token.client_id, "scope": token.scope, } return utils.choose_type(req, res) def post(self, req): post = req.POST try: code = IndieAuthCode.objects.get(pk=post.get("code")) except IndieAuthCode.DoesNotExist: return utils.forbid("invalid auth code") code.delete() if code.expired: return utils.forbid("invalid auth code") if code.response_type != "code": return utils.bad_req("this endpoint only supports response_type=code") if "client_id" in post and code.client_id != post["client_id"]: return utils.forbid("client id did not match") if code.redirect_uri != post.get("redirect_uri"): return utils.forbid("redirect uri did not match") if "me" in post and code.me != post["me"]: return utils.forbid("me did not match") return utils.choose_type( req, { "access_token": tokens.gen_token(code), "me": code.me, "scope": code.scope, }, )