// Copyright © 2020 Metabolist. All rights reserved. import Foundation import Combine struct AuthenticationService { private let environment: AppEnvironment private let networkClient: MastodonClient private let webAuthSessionContextProvider = WebAuthSessionContextProvider() init(environment: AppEnvironment) { self.environment = environment self.networkClient = MastodonClient(configuration: environment.URLSessionConfiguration) } } extension AuthenticationService { func authenticate(instanceURL: URL) -> AnyPublisher { let identityID = UUID() let redirectURL: URL do { redirectURL = try identityID.uuidString.url(scheme: MastodonAPI.OAuth.callbackURLScheme) } catch { return Fail(error: error).eraseToAnyPublisher() } return authorizeApp( identityID: identityID, instanceURL: instanceURL, redirectURL: redirectURL, keychainService: environment.keychainService) .authenticationURL(instanceURL: instanceURL, redirectURL: redirectURL) .authenticate( webAuthSessionType: environment.webAuthSessionType, contextProvider: webAuthSessionContextProvider, callbackURLScheme: MastodonAPI.OAuth.callbackURLScheme) .extractCode() .requestAccessToken( networkClient: networkClient, identityID: identityID, instanceURL: instanceURL, redirectURL: redirectURL) .createIdentity(id: identityID, instanceURL: instanceURL, environment: environment) } } private extension AuthenticationService { func authorizeApp( identityID: UUID, instanceURL: URL, redirectURL: URL, keychainService: KeychainServiceType) -> AnyPublisher { let endpoint = AppAuthorizationEndpoint.apps( clientName: MastodonAPI.OAuth.clientName, redirectURI: redirectURL.absoluteString, scopes: MastodonAPI.OAuth.scopes, website: nil) let target = MastodonTarget(baseURL: instanceURL, endpoint: endpoint, accessToken: nil) return networkClient.request(target) .tryMap { let secretsService = SecretsService(identityID: identityID, keychainService: keychainService) try secretsService.set($0.clientId, forItem: .clientID) try secretsService.set($0.clientSecret, forItem: .clientSecret) return $0 } .eraseToAnyPublisher() } } private extension Publisher where Output == AppAuthorization { func authenticationURL(instanceURL: URL, redirectURL: URL) -> AnyPublisher<(AppAuthorization, URL), Error> { tryMap { appAuthorization in guard var authorizationURLComponents = URLComponents(url: instanceURL, resolvingAgainstBaseURL: true) else { throw URLError(.badURL) } authorizationURLComponents.path = "/oauth/authorize" authorizationURLComponents.queryItems = [ "client_id": appAuthorization.clientId, "scope": MastodonAPI.OAuth.scopes, "response_type": "code", "redirect_uri": redirectURL.absoluteString ].map { URLQueryItem(name: $0, value: $1) } guard let authorizationURL = authorizationURLComponents.url else { throw URLError(.badURL) } return (appAuthorization, authorizationURL) } .mapError { $0 as Error } .eraseToAnyPublisher() } } private extension Publisher where Output == (AppAuthorization, URL), Failure == Error { func authenticate( webAuthSessionType: WebAuthSessionType.Type, contextProvider: WebAuthSessionContextProvider, callbackURLScheme: String) -> AnyPublisher<(AppAuthorization, URL), Error> { flatMap { appAuthorization, url in webAuthSessionType.publisher( url: url, callbackURLScheme: callbackURLScheme, presentationContextProvider: contextProvider) .tryCatch { error -> AnyPublisher in if (error as? WebAuthSessionError)?.code == .canceledLogin { return Just(nil).setFailureType(to: Error.self).eraseToAnyPublisher() } throw error } .compactMap { $0 } .map { (appAuthorization, $0) } } .eraseToAnyPublisher() } } private extension Publisher where Output == (AppAuthorization, URL) { func extractCode() -> AnyPublisher<(AppAuthorization, String), Error> { tryMap { appAuthorization, url -> (AppAuthorization, String) in guard let queryItems = URLComponents(url: url, resolvingAgainstBaseURL: true)?.queryItems, let code = queryItems.first(where: { $0.name == MastodonAPI.OAuth.codeCallbackQueryItemName })?.value else { throw MastodonAPI.OAuthError.codeNotFound } return (appAuthorization, code) } .eraseToAnyPublisher() } } private extension Publisher where Output == (AppAuthorization, String), Failure == Error { func requestAccessToken( networkClient: HTTPClient, identityID: UUID, instanceURL: URL, redirectURL: URL) -> AnyPublisher { flatMap { appAuthorization, code -> AnyPublisher in let endpoint = AccessTokenEndpoint.oauthToken( clientID: appAuthorization.clientId, clientSecret: appAuthorization.clientSecret, code: code, grantType: MastodonAPI.OAuth.grantType, scopes: MastodonAPI.OAuth.scopes, redirectURI: redirectURL.absoluteString) let target = MastodonTarget(baseURL: instanceURL, endpoint: endpoint, accessToken: nil) return networkClient.request(target) } .eraseToAnyPublisher() } } private extension Publisher where Output == AccessToken { func createIdentity(id: UUID, instanceURL: URL, environment: AppEnvironment) -> AnyPublisher { tryMap { accessToken -> (UUID, URL) in let secretsService = SecretsService(identityID: id, keychainService: environment.keychainService) try secretsService.set(accessToken.accessToken, forItem: .accessToken) return (id, instanceURL) } .flatMap(environment.identityDatabase.createIdentity) .map { id } .eraseToAnyPublisher() } }