mirror of
https://git.pleroma.social/pleroma/pleroma.git
synced 2024-12-24 00:50:29 +00:00
Make auth tokens usable once and expire them.
This commit is contained in:
parent
890503ca1e
commit
95cedd6000
4 changed files with 91 additions and 1 deletions
|
@ -4,6 +4,8 @@ defmodule Pleroma.Web.OAuth.Authorization do
|
||||||
alias Pleroma.{User, Repo}
|
alias Pleroma.{User, Repo}
|
||||||
alias Pleroma.Web.OAuth.{Authorization, App}
|
alias Pleroma.Web.OAuth.{Authorization, App}
|
||||||
|
|
||||||
|
import Ecto.{Changeset}
|
||||||
|
|
||||||
schema "oauth_authorizations" do
|
schema "oauth_authorizations" do
|
||||||
field :token, :string
|
field :token, :string
|
||||||
field :valid_until, :naive_datetime
|
field :valid_until, :naive_datetime
|
||||||
|
@ -27,4 +29,19 @@ defmodule Pleroma.Web.OAuth.Authorization do
|
||||||
|
|
||||||
Repo.insert(authorization)
|
Repo.insert(authorization)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def use_changeset(%Authorization{} = auth, params) do
|
||||||
|
auth
|
||||||
|
|> cast(params, [:used])
|
||||||
|
|> validate_required([:used])
|
||||||
|
end
|
||||||
|
|
||||||
|
def use_token(%Authorization{used: false, valid_until: valid_until} = auth) do
|
||||||
|
if NaiveDateTime.diff(NaiveDateTime.utc_now, valid_until) < 0 do
|
||||||
|
Repo.update(use_changeset(auth, %{used: true}))
|
||||||
|
else
|
||||||
|
{:error, "token expired"}
|
||||||
|
end
|
||||||
|
end
|
||||||
|
def use_token(%Authorization{used: true}), do: {:error, "already used"}
|
||||||
end
|
end
|
||||||
|
|
|
@ -2,7 +2,7 @@ defmodule Pleroma.Web.OAuth.Token do
|
||||||
use Ecto.Schema
|
use Ecto.Schema
|
||||||
|
|
||||||
alias Pleroma.{User, Repo}
|
alias Pleroma.{User, Repo}
|
||||||
alias Pleroma.Web.OAuth.{Token, App}
|
alias Pleroma.Web.OAuth.{Token, App, Authorization}
|
||||||
|
|
||||||
schema "oauth_tokens" do
|
schema "oauth_tokens" do
|
||||||
field :token, :string
|
field :token, :string
|
||||||
|
@ -14,6 +14,13 @@ defmodule Pleroma.Web.OAuth.Token do
|
||||||
timestamps()
|
timestamps()
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def exchange_token(app, auth) do
|
||||||
|
with {:ok, auth} <- Authorization.use_token(auth),
|
||||||
|
true <- auth.app_id == app.id do
|
||||||
|
create_token(app, Repo.get(User, auth.user_id))
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
def create_token(%App{} = app, %User{} = user) do
|
def create_token(%App{} = app, %User{} = user) do
|
||||||
token = :crypto.strong_rand_bytes(32) |> Base.url_encode64
|
token = :crypto.strong_rand_bytes(32) |> Base.url_encode64
|
||||||
refresh_token = :crypto.strong_rand_bytes(32) |> Base.url_encode64
|
refresh_token = :crypto.strong_rand_bytes(32) |> Base.url_encode64
|
||||||
|
|
42
test/web/oauth/authorization_test.exs
Normal file
42
test/web/oauth/authorization_test.exs
Normal file
|
@ -0,0 +1,42 @@
|
||||||
|
defmodule Pleroma.Web.OAuth.AuthorizationTest do
|
||||||
|
use Pleroma.DataCase
|
||||||
|
alias Pleroma.Web.OAuth.{Authorization, App}
|
||||||
|
import Pleroma.Factory
|
||||||
|
|
||||||
|
test "create an authorization token for a valid app" do
|
||||||
|
{:ok, app} = Repo.insert(App.register_changeset(%App{}, %{client_name: "client", scopes: "scope", redirect_uris: "url"}))
|
||||||
|
user = insert(:user)
|
||||||
|
|
||||||
|
{:ok, auth} = Authorization.create_authorization(app, user)
|
||||||
|
|
||||||
|
assert auth.user_id == user.id
|
||||||
|
assert auth.app_id == app.id
|
||||||
|
assert String.length(auth.token) > 10
|
||||||
|
assert auth.used == false
|
||||||
|
end
|
||||||
|
|
||||||
|
test "use up a token" do
|
||||||
|
{:ok, app} = Repo.insert(App.register_changeset(%App{}, %{client_name: "client", scopes: "scope", redirect_uris: "url"}))
|
||||||
|
user = insert(:user)
|
||||||
|
|
||||||
|
{:ok, auth} = Authorization.create_authorization(app, user)
|
||||||
|
|
||||||
|
{:ok, auth} = Authorization.use_token(auth)
|
||||||
|
|
||||||
|
assert auth.used == true
|
||||||
|
|
||||||
|
assert {:error, "already used"} == Authorization.use_token(auth)
|
||||||
|
|
||||||
|
expired_auth = %Authorization{
|
||||||
|
user_id: user.id,
|
||||||
|
app_id: app.id,
|
||||||
|
valid_until: NaiveDateTime.add(NaiveDateTime.utc_now, -10),
|
||||||
|
token: "mytoken",
|
||||||
|
used: false
|
||||||
|
}
|
||||||
|
|
||||||
|
{:ok, expired_auth} = Repo.insert(expired_auth)
|
||||||
|
|
||||||
|
assert {:error, "token expired"} == Authorization.use_token(expired_auth)
|
||||||
|
end
|
||||||
|
end
|
24
test/web/oauth/token_test.exs
Normal file
24
test/web/oauth/token_test.exs
Normal file
|
@ -0,0 +1,24 @@
|
||||||
|
defmodule Pleroma.Web.OAuth.TokenTest do
|
||||||
|
use Pleroma.DataCase
|
||||||
|
alias Pleroma.Web.OAuth.{App, Token, Authorization}
|
||||||
|
alias Pleroma.Repo
|
||||||
|
|
||||||
|
import Pleroma.Factory
|
||||||
|
|
||||||
|
test "exchanges a auth token for an access token" do
|
||||||
|
{:ok, app} = Repo.insert(App.register_changeset(%App{}, %{client_name: "client", scopes: "scope", redirect_uris: "url"}))
|
||||||
|
user = insert(:user)
|
||||||
|
|
||||||
|
{:ok, auth} = Authorization.create_authorization(app, user)
|
||||||
|
|
||||||
|
{:ok, token} = Token.exchange_token(app, auth)
|
||||||
|
|
||||||
|
assert token.app_id == app.id
|
||||||
|
assert token.user_id == user.id
|
||||||
|
assert String.length(token.token) > 10
|
||||||
|
assert String.length(token.refresh_token) > 10
|
||||||
|
|
||||||
|
auth = Repo.get(Authorization, auth.id)
|
||||||
|
{:error, "already used"} = Token.exchange_token(app, auth)
|
||||||
|
end
|
||||||
|
end
|
Loading…
Reference in a new issue