lemoncurry/lemonauth/views/token.py

48 lines
1.5 KiB
Python

from django.views import View
from django.utils.decorators import method_decorator
from django.views.decorators.csrf import csrf_exempt
from .. import tokens
from ..models import IndieAuthCode
from lemoncurry import utils
@method_decorator(csrf_exempt, name="dispatch")
class TokenView(View):
def get(self, req):
token = tokens.auth(req)
res = {
"me": token.me,
"client_id": token.client_id,
"scope": token.scope,
}
return utils.choose_type(req, res)
def post(self, req):
post = req.POST
try:
code = IndieAuthCode.objects.get(pk=post.get("code"))
except IndieAuthCode.DoesNotExist:
return utils.forbid("invalid auth code")
code.delete()
if code.expired:
return utils.forbid("invalid auth code")
if code.response_type != "code":
return utils.bad_req("this endpoint only supports response_type=code")
if "client_id" in post and code.client_id != post["client_id"]:
return utils.forbid("client id did not match")
if code.redirect_uri != post.get("redirect_uri"):
return utils.forbid("redirect uri did not match")
if "me" in post and code.me != post["me"]:
return utils.forbid("me did not match")
return utils.choose_type(
req,
{
"access_token": tokens.gen_token(code),
"me": code.me,
"scope": code.scope,
},
)