Implement a client_credentials process for read

api/middleware.py

@@ -17,13 +17,17 @@ class ApiTokenMiddleware:
         request.token = None
         if auth_header and auth_header.startswith("Bearer "):
             token_value = auth_header[7:]
-            try:
-                token = Token.objects.get(token=token_value, revoked=None)
-            except Token.DoesNotExist:
-                return HttpResponse("Invalid Bearer token", status=400)
-            request.user = token.user
-            request.identity = token.identity
-            request.token = token
+            if token_value == "__app__":
+                # Special client app token value
+                pass
+            else:
+                try:
+                    token = Token.objects.get(token=token_value, revoked=None)
+                except Token.DoesNotExist:
+                    return HttpResponse("Invalid Bearer token", status=400)
+                request.user = token.user
+                request.identity = token.identity
+                request.token = token
             request.session = None
         response = self.get_response(request)
         return response

api/views/oauth.py

@@ -1,6 +1,7 @@
 import base64
 import json
 import secrets
+import time
 from urllib.parse import urlparse, urlunparse
 
 from django.contrib.auth.mixins import LoginRequiredMixin
@@ -169,13 +170,16 @@ class TokenView(View):
             return JsonResponse({"error": "invalid_grant_type"}, status=400)
 
         if grant_type == "client_credentials":
-            # TODO: Implement client credentials flow
+            # We don't support individual client credential tokens, but instead
+            # just have a fixed one (since anyone can register an app at any
+            # time anyway)
             return JsonResponse(
                 {
-                    "error": "invalid_grant_type",
-                    "error_description": "client credential flow not implemented",
-                },
-                status=400,
+                    "access_token": "__app__",
+                    "token_type": "Bearer",
+                    "scope": "read",
+                    "created_at": int(time.time()),
+                }
             )
         elif grant_type == "authorization_code":
             code = post_data.get("code")