Add the current user's ID to the auth code, will be handy when making a token since we need to know who the token's for

lemonauth/tokens.py

@@ -12,14 +12,16 @@ def decode(token):
     return jwt.decode(token, settings.SECRET_KEY, algorithms=('HS256',))
 
 
-def gen_auth_code(post):
+def gen_auth_code(req):
+    post = req.POST
     params = {'me': post['me']}
     if 'state' in post:
         params['state'] = post['state']
 
     code = {
         'me': post['me'],
-        'id': post['client_id'],
+        'uid': req.user.id,
+        'cid': post['client_id'],
         'uri': post['redirect_uri'],
         'typ': post.get('response_type', 'id'),
         'iat': datetime.utcnow(),
@@ -29,7 +31,7 @@ def gen_auth_code(post):
         code['sco'] = ' '.join(post.getlist('scope'))
 
     params['code'] = encode(code)
-    return params
+    return (post['redirect_uri'], params)
 
 
 def verify_auth_code(c):

lemonauth/views/indie.py

@@ -101,7 +101,7 @@ class IndieView(TemplateView):
             return utils.bad_req(
                 'this endpoint only supports response_type=id'
             )
-        if code['id'] != post.get('client_id'):
+        if code['cid'] != post.get('client_id'):
             return utils.forbid('client id did not match')
         if code['uri'] != post.get('redirect_uri'):
             return utils.forbid('redirect uri did not match')
@@ -116,9 +116,6 @@ class IndieView(TemplateView):
 @login_required
 @require_POST
 def approve(request):
-    post = request.POST
+    uri, params = tokens.gen_auth_code(request)
-    params = tokens.gen_auth_code(post)
-
-    uri = post['redirect_uri']
     sep = '&' if '?' in uri else '?'
     return redirect(uri + sep + urlencode(params))