lemoncurry/lemonauth/views/token.py

47 lines
1.5 KiB
Python

from django.views import View
from django.utils.decorators import method_decorator
from django.views.decorators.csrf import csrf_exempt
from .. import tokens
from ..models import IndieAuthCode
from lemoncurry import utils
@method_decorator(csrf_exempt, name='dispatch')
class TokenView(View):
def get(self, req):
token = tokens.auth(req)
res = {
'me': token.me,
'client_id': token.client_id,
'scope': token.scope,
}
return utils.choose_type(req, res)
def post(self, req):
post = req.POST
try:
code = IndieAuthCode.objects.get(pk=post.get('code'))
except IndieAuthCode.DoesNotExist:
return utils.forbid('invalid auth code')
code.delete()
if code.expired:
return utils.forbid('invalid auth code')
if code.response_type != 'code':
return utils.bad_req(
'this endpoint only supports response_type=code'
)
if 'client_id' in post and code.client_id != post['client_id']:
return utils.forbid('client id did not match')
if code.redirect_uri != post.get('redirect_uri'):
return utils.forbid('redirect uri did not match')
if 'me' in post and code.me != post['me']:
return utils.forbid('me did not match')
return utils.choose_type(req, {
'access_token': tokens.gen_token(code),
'me': code.me,
'scope': code.scope,
})