Ensure apps are assigned to users

2024-11-13 12:31:13 +00:00 · 2024-09-04 10:40:37 -04:00 · 2024-09-04 10:40:37 -04:00 · 7bd0750787
commit 7bd0750787
parent 427da7a99a
5 changed files with 42 additions and 1 deletions
--- a/changelog.d/oauth-app-spam.fix
+++ b/changelog.d/oauth-app-spam.fix
@ -1 +1 @@
-Add a rate limiter to the OAuth App creation endpoint
+Add a rate limiter to the OAuth App creation endpoint and ensure registered apps are assigned to users.
--- a/lib/pleroma/web/o_auth/app.ex
+++ b/lib/pleroma/web/o_auth/app.ex
@ -8,6 +8,7 @@ defmodule Pleroma.Web.OAuth.App do
  import Ecto.Query
  alias Pleroma.Repo
  alias Pleroma.User
+  alias Pleroma.Web.OAuth.Token

  @type t :: %__MODULE__{}

@ -155,4 +156,13 @@ defmodule Pleroma.Web.OAuth.App do
        Map.put(acc, key, error)
    end)
  end
+
+  @spec maybe_update_owner(Token.t()) :: :ok
+  def maybe_update_owner(%Token{app_id: app_id, user_id: user_id}) when not is_nil(user_id) do
+    __MODULE__.update(app_id, %{user_id: user_id})
+
+    :ok
+  end
+
+  def maybe_update_owner(_), do: :ok
 end
--- a/lib/pleroma/web/o_auth/o_auth_controller.ex
+++ b/lib/pleroma/web/o_auth/o_auth_controller.ex
@ -318,6 +318,8 @@ defmodule Pleroma.Web.OAuth.OAuthController do
  def token_exchange(%Plug.Conn{} = conn, params), do: bad_request(conn, params)

  def after_token_exchange(%Plug.Conn{} = conn, %{token: token} = view_params) do
+    App.maybe_update_owner(token)
+
    conn
    |> AuthHelper.put_session_token(token.token)
    |> json(OAuthView.render("token.json", view_params))
--- a/priv/repo/migrations/20240904142434_assign_app_user.exs
+++ b/priv/repo/migrations/20240904142434_assign_app_user.exs
@ -0,0 +1,21 @@
+defmodule Pleroma.Repo.Migrations.AssignAppUser do
+  use Ecto.Migration
+
+  alias Pleroma.Repo
+  alias Pleroma.Web.OAuth.App
+  alias Pleroma.Web.OAuth.Token
+
+  def up do
+    Repo.all(Token)
+    |> Enum.group_by(fn x -> Map.get(x, :app_id) end)
+    |> Enum.each(fn {_app_id, tokens} ->
+      token =
+        Enum.filter(tokens, fn x -> not is_nil(x.user_id) end)
+        |> List.first()
+
+      App.maybe_update_owner(token)
+    end)
+  end
+
+  def down, do: :ok
+end
--- a/test/pleroma/web/o_auth/o_auth_controller_test.exs
+++ b/test/pleroma/web/o_auth/o_auth_controller_test.exs
@ -12,6 +12,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
  alias Pleroma.MFA.TOTP
  alias Pleroma.Repo
  alias Pleroma.User
+  alias Pleroma.Web.OAuth.App
  alias Pleroma.Web.OAuth.Authorization
  alias Pleroma.Web.OAuth.OAuthController
  alias Pleroma.Web.OAuth.Token
@ -770,6 +771,9 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do

      {:ok, auth} = Authorization.create_authorization(app, user, ["write"])

+      # Verify app has no associated user yet
+      assert %Pleroma.Web.OAuth.App{user_id: nil} = Repo.get_by(App, %{id: app.id})
+
      conn =
        build_conn()
        |> post("/oauth/token", %{
@ -786,6 +790,10 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
      assert token
      assert token.scopes == auth.scopes
      assert user.ap_id == ap_id
+
+      # Verify app has an associated user now
+      user_id = user.id
+      assert %Pleroma.Web.OAuth.App{user_id: ^user_id} = Repo.get_by(App, %{id: app.id})
    end

    test "issues a token for `password` grant_type with valid credentials, with full permissions by default" do