BenLubar/lemoncurry
1
0
Fork 0
forked from 00dani/lemoncurry
Code Issues Pull requests Releases Wiki Activity

Simplify the auth code format a little: the 'me' value can be computed from the user ID and so is redundant

Browse source
This commit is contained in:
Danielle McLean 2017-11-03 16:14:30 +11:00
parent 43a56e865e
commit ab810a8f94
Signed by untrusted user: 00dani
GPG key ID: 5A5D2D1AFF12EEC5
2 changed files with 18 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
lemonauth/tokens.py
View file

@ -13,25 +13,18 @@ def decode(token):
def gen_auth_code(req): def gen_auth_code(req):
post = req.POST
params = {'me': post['me']}
if 'state' in post:
params['state'] = post['state']
code = { code = {
'me': post['me'],
'uid': req.user.id, 'uid': req.user.id,
'cid': post['client_id'], 'cid': req.POST['client_id'],
'uri': post['redirect_uri'], 'uri': req.POST['redirect_uri'],
'typ': post.get('response_type', 'id'), 'typ': req.POST.get('response_type', 'id'),
'iat': datetime.utcnow(), 'iat': datetime.utcnow(),
'exp': datetime.utcnow() + timedelta(seconds=30), 'exp': datetime.utcnow() + timedelta(seconds=30),
} }
if 'scope' in post: if 'scope' in req.POST:
code['sco'] = ' '.join(post.getlist('scope')) code['sco'] = ' '.join(req.POST.getlist('scope'))
params['code'] = encode(code) return encode(code)
return (post['redirect_uri'], params)
def verify_auth_code(c): def verify_auth_code(c):

14
lemonauth/views/indie.py
View file

@ -1,6 +1,7 @@
import mf2py import mf2py
from annoying.decorators import render_to from annoying.decorators import render_to
from django.contrib.auth import get_user_model
from django.contrib.auth.decorators import login_required from django.contrib.auth.decorators import login_required
from django.http import JsonResponse from django.http import JsonResponse
from django.shortcuts import redirect from django.shortcuts import redirect
@ -106,8 +107,10 @@ class IndieView(TemplateView):
if code['uri'] != post.get('redirect_uri'): if code['uri'] != post.get('redirect_uri'):
return utils.forbid('redirect uri did not match') return utils.forbid('redirect uri did not match')
user = get_user_model().get(pk=code['uid'])
me = urljoin(utils.origin(request), user.url)
# If we got here, it's valid! Yay! # If we got here, it's valid! Yay!
return utils.choose_type(request, {'me': code['me']}, { return utils.choose_type(request, {'me': me}, {
'application/x-www-form-urlencoded': utils.form_encoded_response, 'application/x-www-form-urlencoded': utils.form_encoded_response,
'application/json': JsonResponse, 'application/json': JsonResponse,
}) })
@ -116,6 +119,13 @@ class IndieView(TemplateView):
@login_required @login_required
@require_POST @require_POST
def approve(request): def approve(request):
uri, params = tokens.gen_auth_code(request) params = {
'me': urljoin(utils.origin(request), request.user.url),
'code': tokens.gen_auth_code(request),
}
if 'state' in request.POST:
params['state'] = request.POST['state']
uri = request.POST['redirect_uri']
sep = '&' if '?' in uri else '?' sep = '&' if '?' in uri else '?'
return redirect(uri + sep + urlencode(params)) return redirect(uri + sep + urlencode(params))