From 5ea3d5d14372bccf6f571a6e6d41451a2a3e7a07 Mon Sep 17 00:00:00 2001
From: Andrew Godwin <andrew@aeracode.org>
Date: Mon, 6 Mar 2023 15:48:43 -0700
Subject: [PATCH] Implement a client_credentials process for read

---
 api/middleware.py  | 18 +++++++++++-------
 api/views/oauth.py | 14 +++++++++-----
 2 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/api/middleware.py b/api/middleware.py
index ae3c44a..cea8238 100644
--- a/api/middleware.py
+++ b/api/middleware.py
@@ -17,13 +17,17 @@ class ApiTokenMiddleware:
         request.token = None
         if auth_header and auth_header.startswith("Bearer "):
             token_value = auth_header[7:]
-            try:
-                token = Token.objects.get(token=token_value, revoked=None)
-            except Token.DoesNotExist:
-                return HttpResponse("Invalid Bearer token", status=400)
-            request.user = token.user
-            request.identity = token.identity
-            request.token = token
+            if token_value == "__app__":
+                # Special client app token value
+                pass
+            else:
+                try:
+                    token = Token.objects.get(token=token_value, revoked=None)
+                except Token.DoesNotExist:
+                    return HttpResponse("Invalid Bearer token", status=400)
+                request.user = token.user
+                request.identity = token.identity
+                request.token = token
             request.session = None
         response = self.get_response(request)
         return response
diff --git a/api/views/oauth.py b/api/views/oauth.py
index 161e18a..4d3b213 100644
--- a/api/views/oauth.py
+++ b/api/views/oauth.py
@@ -1,6 +1,7 @@
 import base64
 import json
 import secrets
+import time
 from urllib.parse import urlparse, urlunparse
 
 from django.contrib.auth.mixins import LoginRequiredMixin
@@ -169,13 +170,16 @@ class TokenView(View):
             return JsonResponse({"error": "invalid_grant_type"}, status=400)
 
         if grant_type == "client_credentials":
-            # TODO: Implement client credentials flow
+            # We don't support individual client credential tokens, but instead
+            # just have a fixed one (since anyone can register an app at any
+            # time anyway)
             return JsonResponse(
                 {
-                    "error": "invalid_grant_type",
-                    "error_description": "client credential flow not implemented",
-                },
-                status=400,
+                    "access_token": "__app__",
+                    "token_type": "Bearer",
+                    "scope": "read",
+                    "created_at": int(time.time()),
+                }
             )
         elif grant_type == "authorization_code":
             code = post_data.get("code")