Half-implement an IndieAuth authorization endpoint - it accepts the right parameters, verifies your client_id, and displays a prompt, but you can't actually approve the auth yet

2017-10-26 11:35:57 +11:00 · 2017-10-26 11:35:57 +11:00 · 93be2f5a32
commit 93be2f5a32
parent d234fd942d
7 changed files with 145 additions and 1 deletions
--- a/lemonauth/views/init.py
+++ b/lemonauth/views/init.py
@ -1,2 +1,3 @@
 from .login import login
 from .logout import logout
+from .indie import IndieView
--- a/lemonauth/views/indie.py
+++ b/lemonauth/views/indie.py
@ -0,0 +1,53 @@
+import mf2py
+
+from django.contrib.auth.decorators import login_required
+from django.http import HttpResponseForbidden, HttpResponseBadRequest
+from django.shortcuts import render
+from django.utils.decorators import method_decorator
+from django.views.generic import TemplateView
+from lemoncurry import breadcrumbs
+
+breadcrumbs.add('lemonauth:indie', label='indieauth', parent='home:index')
+
+
+class IndieView(TemplateView):
+    template_name = 'lemonauth/indie.html'
+    required_params = ('me', 'client_id', 'redirect_uri')
+
+    @method_decorator(login_required)
+    def dispatch(self, *args, **kwargs):
+        return super(IndieView, self).dispatch(*args, **kwargs)
+
+    def get(self, request):
+        params = request.GET
+        for param in self.required_params:
+            if param not in params:
+                return HttpResponseBadRequest(
+                    'parameter {0} is required'.format(param),
+                    content_type='text/plain',
+                )
+
+        me = params['me']
+        user = '{0}://{1}{2}'.format(
+            request.scheme,
+            request.META['HTTP_HOST'],
+            request.user.url
+        )
+        if me != user:
+            return HttpResponseForbidden(
+                'you are logged in but not as {0}'.format(me),
+                content_type='text/plain',
+            )
+
+        client = mf2py.parse(url=params['client_id'])
+        rels = client['rel-urls'].get(params['redirect_uri'], {}).get('rels', ())
+        if 'redirect_uri' not in rels:
+            return HttpResponseBadRequest(
+                'your redirect_uri is not published on your client_id page',
+                content_type='text/plain'
+            )
+
+        return render(request, self.template_name, {
+            'params': params,
+            'title': 'indieauth',
+        })