Commit graph

30 commits

Author SHA1 Message Date
ac22c826cb
Canonicalise the 'me' parameter better, so if I just enter the bare domain it'll work fine 2018-06-28 20:11:37 +10:00
35ced9a451
Whoops, only revoke the current user's Micropub tokens for a client, not every single token for that client 2018-06-28 08:38:55 +10:00
446029ce84
Add a page that lists all authorised Micropub clients and allows a client's access to be revoked easily 2018-06-25 22:31:42 +10:00
e4aa5c6e6e
Loosen the checks on IndieAuth parameters so that generic OAuth 2.0 clients like Paw.app can be used 2018-06-23 13:43:15 +10:00
741c2eb234
Switch from stateless JOSE tokens to stateful tokens in the DB, since they can then be much smaller and we're using a DB anyway 2018-06-12 14:57:53 +10:00
87f04ce988
Use a more helpful page title on IndieAuth authorisation pages 2017-12-18 10:53:17 +11:00
b89405ed88
Dramatically improved processing of Micropub tokens which supports both the Authorization header and the access_token field approaches 2017-12-18 09:51:06 +11:00
a7f6824334
Implement request caching in Redis so that we don't always have to fetch remote pages every time we want their mf2 items 2017-11-10 09:17:32 +11:00
179f5753ed
Implement a token endpoint - currently all tokens last forever and can't be revoked, but I can add revocation later without too much trouble 2017-11-03 17:18:00 +11:00
9add6be8e4
Remove the pointless verify_auth_code wrapper - it's easier to do the verification work in the view anyway 2017-11-03 16:40:09 +11:00
3d5b537369
Oops, forgot to put .objects after the model to get the actual manager 2017-11-03 16:19:26 +11:00
ab810a8f94
Simplify the auth code format a little: the 'me' value can be computed from the user ID and so is redundant 2017-11-03 16:14:30 +11:00
43a56e865e
Add the current user's ID to the auth code, will be handy when making a token since we need to know who the token's for 2017-11-03 15:51:27 +11:00
6f6bb4e534
Improve JWT security by specifying the algorithm used, and also use shorter key names to make the code a little shorter 2017-11-03 14:33:27 +11:00
6b1cd896ea
Handle IndieAuth redirect URIs that already have query parameters 2017-11-03 12:14:15 +11:00
b658bf5c79
Default to form encoding rather than JSON, since legacy clients that don't support JSON usually also don't ask for a certain format 2017-11-03 11:51:34 +11:00
92cd38cbb0
Make relative redirect URIs redirect to the right place, by urljoining them with the client ID 2017-11-03 11:28:26 +11:00
1c09be1b1c
Switch from database-persisted auth codes to stateless JSON Web Tokens :) 2017-11-02 16:36:16 +11:00
41d490ea80
Put the shortcuts for returning 40* responses into lemoncurry.utils 2017-11-02 16:16:04 +11:00
06278935b6
Add support for selecting scopes during IndieAuth's 'code' type 2017-11-01 13:27:55 +11:00
387e7d859c
Smarter handling of IndieAuth code verification, including verifying the response type is correct 2017-11-01 10:56:49 +11:00
bfa7f68edc
Make POST /indie/auth return a 403 if parameters are missing, rather than a 500 2017-10-30 08:27:19 +11:00
e5d3af1b51
Make redirect_uri verification optional because many IndieAuth clients don't implement it - show a stylish icon to convey whether the client was verified 2017-10-29 19:15:29 +11:00
acce72e90e
Implement the auth-code verification step, producing a complete IndieAuth implementation for 'id' type (nothing for 'code' type yet tho) 2017-10-29 17:07:36 +11:00
8b4a14ffa3
On approving an IndieAuth request, actually generate an auth code and redirect 2017-10-29 16:16:27 +11:00
221d548e4a
Give better 'me' normalisation to IndieAuth processing + Aadd a simple POST route for actually submitting the form 2017-10-29 14:39:30 +11:00
e2e21f4afa
Make sure IndieAuth is agnostic to whether the 'me' parameter has a trailing slash or not 2017-10-27 22:03:25 +11:00
5690e4bfab
Add some niiiice h-x-app rendering to the authorisation page, so you can get a pretty view of who's trying to auth 2017-10-27 21:32:14 +11:00
93be2f5a32
Half-implement an IndieAuth authorization endpoint - it accepts the right parameters, verifies your client_id, and displays a prompt, but you can't actually approve the auth yet 2017-10-26 11:35:57 +11:00
d234fd942d
Refactor the login views into their own modules, because I'm about to implement IndieAuth and it's gonna be kinda big 2017-10-26 11:21:56 +11:00