From 95cedd60004893fd646735d17f7196297c38e22c Mon Sep 17 00:00:00 2001 From: Roger Braun Date: Sat, 9 Sep 2017 12:02:59 +0200 Subject: [PATCH] Make auth tokens usable once and expire them. --- lib/pleroma/web/oauth/authorization.ex | 17 +++++++++++ lib/pleroma/web/oauth/token.ex | 9 +++++- test/web/oauth/authorization_test.exs | 42 ++++++++++++++++++++++++++ test/web/oauth/token_test.exs | 24 +++++++++++++++ 4 files changed, 91 insertions(+), 1 deletion(-) create mode 100644 test/web/oauth/authorization_test.exs create mode 100644 test/web/oauth/token_test.exs diff --git a/lib/pleroma/web/oauth/authorization.ex b/lib/pleroma/web/oauth/authorization.ex index c47289455..1ba5be602 100644 --- a/lib/pleroma/web/oauth/authorization.ex +++ b/lib/pleroma/web/oauth/authorization.ex @@ -4,6 +4,8 @@ defmodule Pleroma.Web.OAuth.Authorization do alias Pleroma.{User, Repo} alias Pleroma.Web.OAuth.{Authorization, App} + import Ecto.{Changeset} + schema "oauth_authorizations" do field :token, :string field :valid_until, :naive_datetime @@ -27,4 +29,19 @@ defmodule Pleroma.Web.OAuth.Authorization do Repo.insert(authorization) end + + def use_changeset(%Authorization{} = auth, params) do + auth + |> cast(params, [:used]) + |> validate_required([:used]) + end + + def use_token(%Authorization{used: false, valid_until: valid_until} = auth) do + if NaiveDateTime.diff(NaiveDateTime.utc_now, valid_until) < 0 do + Repo.update(use_changeset(auth, %{used: true})) + else + {:error, "token expired"} + end + end + def use_token(%Authorization{used: true}), do: {:error, "already used"} end diff --git a/lib/pleroma/web/oauth/token.ex b/lib/pleroma/web/oauth/token.ex index da723d6d6..828a966fb 100644 --- a/lib/pleroma/web/oauth/token.ex +++ b/lib/pleroma/web/oauth/token.ex @@ -2,7 +2,7 @@ defmodule Pleroma.Web.OAuth.Token do use Ecto.Schema alias Pleroma.{User, Repo} - alias Pleroma.Web.OAuth.{Token, App} + alias Pleroma.Web.OAuth.{Token, App, Authorization} schema "oauth_tokens" do field :token, :string @@ -14,6 +14,13 @@ defmodule Pleroma.Web.OAuth.Token do timestamps() end + def exchange_token(app, auth) do + with {:ok, auth} <- Authorization.use_token(auth), + true <- auth.app_id == app.id do + create_token(app, Repo.get(User, auth.user_id)) + end + end + def create_token(%App{} = app, %User{} = user) do token = :crypto.strong_rand_bytes(32) |> Base.url_encode64 refresh_token = :crypto.strong_rand_bytes(32) |> Base.url_encode64 diff --git a/test/web/oauth/authorization_test.exs b/test/web/oauth/authorization_test.exs new file mode 100644 index 000000000..52441fa7d --- /dev/null +++ b/test/web/oauth/authorization_test.exs @@ -0,0 +1,42 @@ +defmodule Pleroma.Web.OAuth.AuthorizationTest do + use Pleroma.DataCase + alias Pleroma.Web.OAuth.{Authorization, App} + import Pleroma.Factory + + test "create an authorization token for a valid app" do + {:ok, app} = Repo.insert(App.register_changeset(%App{}, %{client_name: "client", scopes: "scope", redirect_uris: "url"})) + user = insert(:user) + + {:ok, auth} = Authorization.create_authorization(app, user) + + assert auth.user_id == user.id + assert auth.app_id == app.id + assert String.length(auth.token) > 10 + assert auth.used == false + end + + test "use up a token" do + {:ok, app} = Repo.insert(App.register_changeset(%App{}, %{client_name: "client", scopes: "scope", redirect_uris: "url"})) + user = insert(:user) + + {:ok, auth} = Authorization.create_authorization(app, user) + + {:ok, auth} = Authorization.use_token(auth) + + assert auth.used == true + + assert {:error, "already used"} == Authorization.use_token(auth) + + expired_auth = %Authorization{ + user_id: user.id, + app_id: app.id, + valid_until: NaiveDateTime.add(NaiveDateTime.utc_now, -10), + token: "mytoken", + used: false + } + + {:ok, expired_auth} = Repo.insert(expired_auth) + + assert {:error, "token expired"} == Authorization.use_token(expired_auth) + end +end diff --git a/test/web/oauth/token_test.exs b/test/web/oauth/token_test.exs new file mode 100644 index 000000000..3bd763989 --- /dev/null +++ b/test/web/oauth/token_test.exs @@ -0,0 +1,24 @@ +defmodule Pleroma.Web.OAuth.TokenTest do + use Pleroma.DataCase + alias Pleroma.Web.OAuth.{App, Token, Authorization} + alias Pleroma.Repo + + import Pleroma.Factory + + test "exchanges a auth token for an access token" do + {:ok, app} = Repo.insert(App.register_changeset(%App{}, %{client_name: "client", scopes: "scope", redirect_uris: "url"})) + user = insert(:user) + + {:ok, auth} = Authorization.create_authorization(app, user) + + {:ok, token} = Token.exchange_token(app, auth) + + assert token.app_id == app.id + assert token.user_id == user.id + assert String.length(token.token) > 10 + assert String.length(token.refresh_token) > 10 + + auth = Repo.get(Authorization, auth.id) + {:error, "already used"} = Token.exchange_token(app, auth) + end +end