lemoncurry/lemonauth/views/token.py

from django.contrib.auth import get_user_model
from django.views import View
from django.utils.decorators import method_decorator
from django.views.decorators.csrf import csrf_exempt
from urllib.parse import urljoin

from .. import tokens
from lemoncurry import utils


@method_decorator(csrf_exempt, name='dispatch')
class TokenView(View):
    def get(self, req):
        token = tokens.auth(req)
        if hasattr(token, 'content'):
            return token
        res = {
            'me': token.me,
            'client_id': token.client,
            'scope': token.scope,
        }
        return utils.choose_type(req, res)

    def post(self, req):
        post = req.POST
        try:
            code = tokens.decode(post.get('code'))
        except Exception:
            return utils.forbid('invalid auth code')

        if code['typ'] != 'code':
            return utils.bad_req(
                'this endpoint only supports response_type=code'
            )
        if code['cid'] != post.get('client_id'):
            return utils.forbid('client id did not match')
        if code['uri'] != post.get('redirect_uri'):
            return utils.forbid('redirect uri did not match')

        user = get_user_model().objects.get(pk=code['uid'])
        me = urljoin(utils.origin(req), user.url)
        if me != post.get('me'):
            return utils.forbid('me did not match')

        return utils.choose_type(req, {
            'access_token': tokens.gen_token(code),
            'me': me,
            'scope': code['sco'],
        })
Implement a token endpoint - currently all tokens last forever and can't be revoked, but I can add revocation later without too much trouble 2017-11-03 02:18:00 -04:00			`from django.contrib.auth import get_user_model`
			`from django.views import View`
			`from django.utils.decorators import method_decorator`
			`from django.views.decorators.csrf import csrf_exempt`
			`from urllib.parse import urljoin`

			`from .. import tokens`
			`from lemoncurry import utils`


			`@method_decorator(csrf_exempt, name='dispatch')`
			`class TokenView(View):`
			`def get(self, req):`
Dramatically improved processing of Micropub tokens which supports both the Authorization header and the access_token field approaches 2017-12-17 17:51:06 -05:00			`token = tokens.auth(req)`
			`if hasattr(token, 'content'):`
			`return token`
Implement a token endpoint - currently all tokens last forever and can't be revoked, but I can add revocation later without too much trouble 2017-11-03 02:18:00 -04:00			`res = {`
Dramatically improved processing of Micropub tokens which supports both the Authorization header and the access_token field approaches 2017-12-17 17:51:06 -05:00			`'me': token.me,`
			`'client_id': token.client,`
			`'scope': token.scope,`
Implement a token endpoint - currently all tokens last forever and can't be revoked, but I can add revocation later without too much trouble 2017-11-03 02:18:00 -04:00			`}`
			`return utils.choose_type(req, res)`

			`def post(self, req):`
			`post = req.POST`
			`try:`
			`code = tokens.decode(post.get('code'))`
			`except Exception:`
			`return utils.forbid('invalid auth code')`

			`if code['typ'] != 'code':`
			`return utils.bad_req(`
			`'this endpoint only supports response_type=code'`
			`)`
			`if code['cid'] != post.get('client_id'):`
			`return utils.forbid('client id did not match')`
			`if code['uri'] != post.get('redirect_uri'):`
			`return utils.forbid('redirect uri did not match')`

			`user = get_user_model().objects.get(pk=code['uid'])`
			`me = urljoin(utils.origin(req), user.url)`
			`if me != post.get('me'):`
			`return utils.forbid('me did not match')`

			`return utils.choose_type(req, {`
			`'access_token': tokens.gen_token(code),`
			`'me': me,`
			`'scope': code['sco'],`
			`})`