Make auth tokens usable once and expire them.
This commit is contained in:
parent
890503ca1e
commit
95cedd6000
4 changed files with 91 additions and 1 deletions
|
@ -4,6 +4,8 @@ defmodule Pleroma.Web.OAuth.Authorization do
|
|||
alias Pleroma.{User, Repo}
|
||||
alias Pleroma.Web.OAuth.{Authorization, App}
|
||||
|
||||
import Ecto.{Changeset}
|
||||
|
||||
schema "oauth_authorizations" do
|
||||
field :token, :string
|
||||
field :valid_until, :naive_datetime
|
||||
|
@ -27,4 +29,19 @@ defmodule Pleroma.Web.OAuth.Authorization do
|
|||
|
||||
Repo.insert(authorization)
|
||||
end
|
||||
|
||||
def use_changeset(%Authorization{} = auth, params) do
|
||||
auth
|
||||
|> cast(params, [:used])
|
||||
|> validate_required([:used])
|
||||
end
|
||||
|
||||
def use_token(%Authorization{used: false, valid_until: valid_until} = auth) do
|
||||
if NaiveDateTime.diff(NaiveDateTime.utc_now, valid_until) < 0 do
|
||||
Repo.update(use_changeset(auth, %{used: true}))
|
||||
else
|
||||
{:error, "token expired"}
|
||||
end
|
||||
end
|
||||
def use_token(%Authorization{used: true}), do: {:error, "already used"}
|
||||
end
|
||||
|
|
|
@ -2,7 +2,7 @@ defmodule Pleroma.Web.OAuth.Token do
|
|||
use Ecto.Schema
|
||||
|
||||
alias Pleroma.{User, Repo}
|
||||
alias Pleroma.Web.OAuth.{Token, App}
|
||||
alias Pleroma.Web.OAuth.{Token, App, Authorization}
|
||||
|
||||
schema "oauth_tokens" do
|
||||
field :token, :string
|
||||
|
@ -14,6 +14,13 @@ defmodule Pleroma.Web.OAuth.Token do
|
|||
timestamps()
|
||||
end
|
||||
|
||||
def exchange_token(app, auth) do
|
||||
with {:ok, auth} <- Authorization.use_token(auth),
|
||||
true <- auth.app_id == app.id do
|
||||
create_token(app, Repo.get(User, auth.user_id))
|
||||
end
|
||||
end
|
||||
|
||||
def create_token(%App{} = app, %User{} = user) do
|
||||
token = :crypto.strong_rand_bytes(32) |> Base.url_encode64
|
||||
refresh_token = :crypto.strong_rand_bytes(32) |> Base.url_encode64
|
||||
|
|
42
test/web/oauth/authorization_test.exs
Normal file
42
test/web/oauth/authorization_test.exs
Normal file
|
@ -0,0 +1,42 @@
|
|||
defmodule Pleroma.Web.OAuth.AuthorizationTest do
|
||||
use Pleroma.DataCase
|
||||
alias Pleroma.Web.OAuth.{Authorization, App}
|
||||
import Pleroma.Factory
|
||||
|
||||
test "create an authorization token for a valid app" do
|
||||
{:ok, app} = Repo.insert(App.register_changeset(%App{}, %{client_name: "client", scopes: "scope", redirect_uris: "url"}))
|
||||
user = insert(:user)
|
||||
|
||||
{:ok, auth} = Authorization.create_authorization(app, user)
|
||||
|
||||
assert auth.user_id == user.id
|
||||
assert auth.app_id == app.id
|
||||
assert String.length(auth.token) > 10
|
||||
assert auth.used == false
|
||||
end
|
||||
|
||||
test "use up a token" do
|
||||
{:ok, app} = Repo.insert(App.register_changeset(%App{}, %{client_name: "client", scopes: "scope", redirect_uris: "url"}))
|
||||
user = insert(:user)
|
||||
|
||||
{:ok, auth} = Authorization.create_authorization(app, user)
|
||||
|
||||
{:ok, auth} = Authorization.use_token(auth)
|
||||
|
||||
assert auth.used == true
|
||||
|
||||
assert {:error, "already used"} == Authorization.use_token(auth)
|
||||
|
||||
expired_auth = %Authorization{
|
||||
user_id: user.id,
|
||||
app_id: app.id,
|
||||
valid_until: NaiveDateTime.add(NaiveDateTime.utc_now, -10),
|
||||
token: "mytoken",
|
||||
used: false
|
||||
}
|
||||
|
||||
{:ok, expired_auth} = Repo.insert(expired_auth)
|
||||
|
||||
assert {:error, "token expired"} == Authorization.use_token(expired_auth)
|
||||
end
|
||||
end
|
24
test/web/oauth/token_test.exs
Normal file
24
test/web/oauth/token_test.exs
Normal file
|
@ -0,0 +1,24 @@
|
|||
defmodule Pleroma.Web.OAuth.TokenTest do
|
||||
use Pleroma.DataCase
|
||||
alias Pleroma.Web.OAuth.{App, Token, Authorization}
|
||||
alias Pleroma.Repo
|
||||
|
||||
import Pleroma.Factory
|
||||
|
||||
test "exchanges a auth token for an access token" do
|
||||
{:ok, app} = Repo.insert(App.register_changeset(%App{}, %{client_name: "client", scopes: "scope", redirect_uris: "url"}))
|
||||
user = insert(:user)
|
||||
|
||||
{:ok, auth} = Authorization.create_authorization(app, user)
|
||||
|
||||
{:ok, token} = Token.exchange_token(app, auth)
|
||||
|
||||
assert token.app_id == app.id
|
||||
assert token.user_id == user.id
|
||||
assert String.length(token.token) > 10
|
||||
assert String.length(token.refresh_token) > 10
|
||||
|
||||
auth = Repo.get(Authorization, auth.id)
|
||||
{:error, "already used"} = Token.exchange_token(app, auth)
|
||||
end
|
||||
end
|
Loading…
Reference in a new issue