Make redirect_uri verification optional because many IndieAuth clients don't implement it - show a stylish icon to convey whether the client was verified

2017-10-29 19:15:29 +11:00 · 2017-10-29 19:15:29 +11:00 · e5d3af1b51
commit e5d3af1b51
parent 3c95eeeefb
8 changed files with 63 additions and 9 deletions
--- a/lemonauth/static/lemonauth/css/indie.styl
+++ b/lemonauth/static/lemonauth/css/indie.styl
@ -2,3 +2,14 @@
 	img
 		height 2em
 		margin-right .5em
+.tippy-tooltip
+	&.success-theme
+		color $base0B
+		background-color $base03
+	&.warning-theme
+		color $base0A
+		background-color $base03
+.verified-success
+	color $base0B
+.verified-warning
+	color $base0A
--- a/lemonauth/templates/lemonauth/indie.html
+++ b/lemonauth/templates/lemonauth/indie.html
@ -1,5 +1,5 @@
 {% extends 'lemoncurry/layout.html' %}
-{% load static %}
+{% load markdown static %}

 {% block styles %}
 <link rel="stylesheet" type="text/stylus" href="{% static 'lemonauth/css/indie.styl' %}" />
@ -13,6 +13,11 @@
 			sign in to
 			{% if app %}{{ app.name | first }}{% endif %}
 			{% if app %}({% endif %}<a class="u-url code{% if not app %} p-name{% endif %}" href="{{ params.client_id }}">{{ params.client_id }}</a>{% if app %}){% endif %}?
+			{% if verified %}
+			<i class="fa fa-check-circle verified-success" data-tooltip data-theme="success" data-html="#verified-success"></i>
+			{% else %}
+			<i class="fa fa-question-circle verified-warning" data-tooltip data-theme="warning" data-html="#verified-warning"></i>
+			{% endif %}
 		</h4>

 		<div class="card-body">
@ -35,4 +40,16 @@
 		<input name="response_type" type="hidden" value="{{ params.response_type }}" />
 	</form>
 </div>
+
+<div id="verified-success" hidden>
+	this client has been <strong>verified</strong> using <code>{{ '<link rel="redirect_uri">' | force_escape }}</code> - they are who they claim to be!
+</div>
+<div id="verified-warning" hidden>
+	this client could <strong>not</strong> be verified using <code>{{ '<link rel="redirect_uri">' | force_escape }}</code> - check the redirect uri carefully yourself!
+</div>
+{% endblock %}
+{% block foot %}
+<script type="text/javascript">
+	tippy('[data-tooltip]', {arrow: true});
+</script>
 {% endblock %}
--- a/lemonauth/views/indie.py
+++ b/lemonauth/views/indie.py
@ -58,18 +58,20 @@ class IndieView(TemplateView):
        rels = (client.to_dict()['rel-urls']
                .get(params['redirect_uri'], {})
                .get('rels', ()))
-        if 'redirect_uri' not in rels:
-            return HttpResponseBadRequest(
-                'your redirect_uri is not published on your client_id page',
-                content_type='text/plain'
-            )
+        verified = 'redirect_uri' in rels

        try:
            app = client.to_dict(filter_by_type='h-x-app')[0]['properties']
        except IndexError:
            app = None

-        return {'app': app, 'me': me, 'params': params, 'title': 'indieauth'}
+        return {
+            'app': app,
+            'me': me,
+            'verified': verified,
+            'params': params,
+            'title': 'indieauth',
+        }

    def post(self, request):
        post = request.POST.dict()