Merge pull request #10230 from annando/oauth-login
OAuth login prototype
This commit is contained in:
commit
e7884b1409
15 changed files with 287 additions and 16 deletions
17
database.sql
17
database.sql
|
@ -1,6 +1,6 @@
|
|||
-- ------------------------------------------
|
||||
-- Friendica 2021.06-dev (Siberian Iris)
|
||||
-- DB_UPDATE_VERSION 1415
|
||||
-- DB_UPDATE_VERSION 1416
|
||||
-- ------------------------------------------
|
||||
|
||||
|
||||
|
@ -379,6 +379,21 @@ CREATE TABLE IF NOT EXISTS `application` (
|
|||
UNIQUE INDEX `client_id` (`client_id`)
|
||||
) DEFAULT COLLATE utf8mb4_general_ci COMMENT='OAuth application';
|
||||
|
||||
--
|
||||
-- TABLE application-token
|
||||
--
|
||||
CREATE TABLE IF NOT EXISTS `application-token` (
|
||||
`application-id` int unsigned NOT NULL COMMENT '',
|
||||
`uid` mediumint unsigned NOT NULL COMMENT 'Owner User id',
|
||||
`code` varchar(64) NOT NULL COMMENT '',
|
||||
`access_token` varchar(64) NOT NULL COMMENT '',
|
||||
`created_at` datetime NOT NULL DEFAULT '0001-01-01 00:00:00' COMMENT 'creation time',
|
||||
PRIMARY KEY(`application-id`,`uid`),
|
||||
INDEX `uid_id` (`uid`,`application-id`),
|
||||
FOREIGN KEY (`application-id`) REFERENCES `application` (`id`) ON UPDATE RESTRICT ON DELETE CASCADE,
|
||||
FOREIGN KEY (`uid`) REFERENCES `user` (`uid`) ON UPDATE RESTRICT ON DELETE CASCADE
|
||||
) DEFAULT COLLATE utf8mb4_general_ci COMMENT='OAuth user token';
|
||||
|
||||
--
|
||||
-- TABLE attach
|
||||
--
|
||||
|
|
|
@ -181,7 +181,7 @@ function dfrn_confirm_post(App $a, $handsfree = null)
|
|||
* random key which is encrypted with their site public key.
|
||||
*/
|
||||
|
||||
$src_aes_key = openssl_random_pseudo_bytes(64);
|
||||
$src_aes_key = random_bytes(64);
|
||||
|
||||
$result = '';
|
||||
openssl_private_encrypt($dfrn_id, $result, $user['prvkey']);
|
||||
|
|
|
@ -59,7 +59,7 @@ class Attachment extends BaseFactory
|
|||
public function createFromUriId(int $uriId)
|
||||
{
|
||||
$attachments = [];
|
||||
foreach (Post\Media::getByURIId($uriId) as $attachment) {
|
||||
foreach (Post\Media::getByURIId($uriId, [Post\Media::AUDIO, Post\Media::VIDEO, Post\Media::IMAGE]) as $attachment) {
|
||||
|
||||
$filetype = !empty($attachment['mimetype']) ? strtolower(substr($attachment['mimetype'], 0, strpos($attachment['mimetype'], '/'))) : '';
|
||||
|
||||
|
|
|
@ -46,7 +46,7 @@ class Apps extends BaseApi
|
|||
DI::mstdnError()->RecordNotFound();
|
||||
}
|
||||
|
||||
$client_id = base64_encode(openssl_random_pseudo_bytes(32));
|
||||
$client_id = bin2hex(random_bytes(32));
|
||||
$client_secret = bin2hex(random_bytes(32));
|
||||
|
||||
$fields = ['client_id' => $client_id, 'client_secret' => $client_secret, 'name' => $name, 'redirect_uri' => $redirect];
|
||||
|
|
|
@ -24,8 +24,11 @@ namespace Friendica\Module;
|
|||
use Friendica\BaseModule;
|
||||
use Friendica\Core\Logger;
|
||||
use Friendica\Core\System;
|
||||
use Friendica\Database\Database;
|
||||
use Friendica\Database\DBA;
|
||||
use Friendica\DI;
|
||||
use Friendica\Network\HTTPException;
|
||||
use Friendica\Util\DateTimeFormat;
|
||||
|
||||
require_once __DIR__ . '/../../include/api.php';
|
||||
|
||||
|
@ -110,7 +113,7 @@ class BaseApi extends BaseModule
|
|||
public static function unsupported(string $method = 'all')
|
||||
{
|
||||
$path = DI::args()->getQueryString();
|
||||
Logger::info('Unimplemented API call', ['method' => $method, 'path' => $path, 'agent' => $_SERVER['HTTP_USER_AGENT'] ?? '']);
|
||||
Logger::info('Unimplemented API call', ['method' => $method, 'path' => $path, 'agent' => $_SERVER['HTTP_USER_AGENT'] ?? '', 'request' => $_REQUEST ?? []]);
|
||||
$error = DI::l10n()->t('API endpoint %s %s is not implemented', strtoupper($method), $path);
|
||||
$error_description = DI::l10n()->t('The API endpoint is currently not implemented but might be in the future.');;
|
||||
$errorobj = new \Friendica\Object\Api\Mastodon\Error($error, $error_description);
|
||||
|
@ -135,6 +138,14 @@ class BaseApi extends BaseModule
|
|||
*/
|
||||
protected static function login()
|
||||
{
|
||||
$authorization = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
|
||||
$authorization = $_SERVER['AUTHORIZATION'] ?? $authorization;
|
||||
|
||||
if (self::checkBearer($authorization)) {
|
||||
self::$current_user_id = self::getUserByBearer($authorization);
|
||||
return (bool)self::$current_user_id;
|
||||
}
|
||||
|
||||
api_login(DI::app());
|
||||
|
||||
self::$current_user_id = api_user();
|
||||
|
@ -149,6 +160,14 @@ class BaseApi extends BaseModule
|
|||
*/
|
||||
protected static function getCurrentUserID()
|
||||
{
|
||||
$authorization = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
|
||||
$authorization = $_SERVER['AUTHORIZATION'] ?? $authorization;
|
||||
|
||||
if (self::checkBearer($authorization)) {
|
||||
self::$current_user_id = self::getUserByBearer($authorization);
|
||||
return (int)self::$current_user_id;
|
||||
}
|
||||
|
||||
if (is_null(self::$current_user_id)) {
|
||||
api_login(DI::app(), false);
|
||||
|
||||
|
@ -158,6 +177,55 @@ class BaseApi extends BaseModule
|
|||
return (int)self::$current_user_id;
|
||||
}
|
||||
|
||||
private static function checkBearer(string $authorization)
|
||||
{
|
||||
return (substr($authorization, 0, 7) == 'Bearer ');
|
||||
}
|
||||
|
||||
private static function getUserByBearer(string $authorization)
|
||||
{
|
||||
$bearer = trim(substr($authorization, 6));
|
||||
$condition = ['access_token' => $bearer];
|
||||
$token = DBA::selectFirst('application-token', ['uid'], $condition);
|
||||
if (!DBA::isResult($token)) {
|
||||
Logger::warning('Token not found', $condition);
|
||||
return 0;
|
||||
}
|
||||
Logger::info('Token found', $token);
|
||||
return $token['uid'];
|
||||
}
|
||||
|
||||
public static function getApplication()
|
||||
{
|
||||
$redirect_uri = !isset($_REQUEST['redirect_uri']) ? '' : $_REQUEST['redirect_uri'];
|
||||
$client_id = !isset($_REQUEST['client_id']) ? '' : $_REQUEST['client_id'];
|
||||
|
||||
if (empty($redirect_uri) || empty($client_id)) {
|
||||
Logger::warning('Incomplete request');
|
||||
return [];
|
||||
}
|
||||
|
||||
$condition = ['redirect_uri' => $redirect_uri, 'client_id' => $client_id];
|
||||
$application = DBA::selectFirst('application', [], $condition);
|
||||
if (!DBA::isResult($application)) {
|
||||
Logger::warning('Application not found', $condition);
|
||||
return [];
|
||||
}
|
||||
return $application;
|
||||
}
|
||||
|
||||
public static function getTokenForUser(array $application, int $uid)
|
||||
{
|
||||
$code = bin2hex(random_bytes(32));
|
||||
$access_token = bin2hex(random_bytes(32));
|
||||
|
||||
$fields = ['application-id' => $application['id'], 'uid' => $uid, 'code' => $code, 'access_token' => $access_token, 'created_at' => DateTimeFormat::utcNow(DateTimeFormat::MYSQL)];
|
||||
if (!DBA::insert('application-token', $fields, Database::INSERT_UPDATE)) {
|
||||
return [];
|
||||
}
|
||||
|
||||
return DBA::selectFirst('application-token', [], ['application-id' => $application['id'], 'uid' => $uid]);
|
||||
}
|
||||
/**
|
||||
* Get user info array.
|
||||
*
|
||||
|
|
67
src/Module/OAuth/Authorize.php
Normal file
67
src/Module/OAuth/Authorize.php
Normal file
|
@ -0,0 +1,67 @@
|
|||
<?php
|
||||
/**
|
||||
* @copyright Copyright (C) 2010-2021, the Friendica project
|
||||
*
|
||||
* @license GNU AGPL version 3 or any later version
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as
|
||||
* published by the Free Software Foundation, either version 3 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
namespace Friendica\Module\OAuth;
|
||||
|
||||
use Friendica\Core\Logger;
|
||||
use Friendica\DI;
|
||||
use Friendica\Module\BaseApi;
|
||||
|
||||
/**
|
||||
* Dummy class for all currently unimplemented endpoints
|
||||
*/
|
||||
class Authorize extends BaseApi
|
||||
{
|
||||
/**
|
||||
* @param array $parameters
|
||||
* @throws \Friendica\Network\HTTPException\InternalServerErrorException
|
||||
*/
|
||||
public static function rawContent(array $parameters = [])
|
||||
{
|
||||
//return;
|
||||
|
||||
$response_type = !isset($_REQUEST['response_type']) ? '' : $_REQUEST['response_type'];
|
||||
if ($response_type != 'code') {
|
||||
Logger::warning('Wrong or missing response type', ['response_type' => $response_type]);
|
||||
DI::mstdnError()->RecordNotFound();
|
||||
}
|
||||
|
||||
$application = self::getApplication();
|
||||
if (empty($application)) {
|
||||
DI::mstdnError()->RecordNotFound();
|
||||
}
|
||||
|
||||
$uid = local_user();
|
||||
if (empty($uid)) {
|
||||
Logger::info('Redirect to login');
|
||||
DI::app()->redirect('login?return_path=/oauth/authorize');
|
||||
} else {
|
||||
Logger::info('Already logged in user', ['uid' => $uid]);
|
||||
}
|
||||
|
||||
$token = self::getTokenForUser($application, $uid);
|
||||
if (!$token) {
|
||||
DI::mstdnError()->RecordNotFound();
|
||||
}
|
||||
|
||||
DI::app()->redirect($application['redirect_uri'] . '?code=' . $token['code']);
|
||||
}
|
||||
}
|
35
src/Module/OAuth/Revoke.php
Normal file
35
src/Module/OAuth/Revoke.php
Normal file
|
@ -0,0 +1,35 @@
|
|||
<?php
|
||||
/**
|
||||
* @copyright Copyright (C) 2010-2021, the Friendica project
|
||||
*
|
||||
* @license GNU AGPL version 3 or any later version
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as
|
||||
* published by the Free Software Foundation, either version 3 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
namespace Friendica\Module\OAuth;
|
||||
|
||||
use Friendica\Module\BaseApi;
|
||||
|
||||
/**
|
||||
* Dummy class for all currently unimplemented endpoints
|
||||
*/
|
||||
class Revoke extends BaseApi
|
||||
{
|
||||
public static function post(array $parameters = [])
|
||||
{
|
||||
self::unsupported('post');
|
||||
}
|
||||
}
|
67
src/Module/OAuth/Token.php
Normal file
67
src/Module/OAuth/Token.php
Normal file
|
@ -0,0 +1,67 @@
|
|||
<?php
|
||||
/**
|
||||
* @copyright Copyright (C) 2010-2021, the Friendica project
|
||||
*
|
||||
* @license GNU AGPL version 3 or any later version
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as
|
||||
* published by the Free Software Foundation, either version 3 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
namespace Friendica\Module\OAuth;
|
||||
|
||||
use Friendica\Core\Logger;
|
||||
use Friendica\Core\System;
|
||||
use Friendica\Database\DBA;
|
||||
use Friendica\DI;
|
||||
use Friendica\Module\BaseApi;
|
||||
|
||||
/**
|
||||
* Dummy class for all currently unimplemented endpoints
|
||||
*/
|
||||
class Token extends BaseApi
|
||||
{
|
||||
public static function post(array $parameters = [])
|
||||
{
|
||||
$client_secret = !isset($_REQUEST['client_secret']) ? '' : $_REQUEST['client_secret'];
|
||||
$code = !isset($_REQUEST['code']) ? '' : $_REQUEST['code'];
|
||||
$grant_type = !isset($_REQUEST['grant_type']) ? '' : $_REQUEST['grant_type'];
|
||||
|
||||
if ($grant_type != 'authorization_code') {
|
||||
Logger::warning('Wrong or missing grant type', ['grant_type' => $grant_type]);
|
||||
DI::mstdnError()->RecordNotFound();
|
||||
}
|
||||
|
||||
$application = self::getApplication();
|
||||
if (empty($application)) {
|
||||
DI::mstdnError()->RecordNotFound();
|
||||
}
|
||||
|
||||
if ($application['client_secret'] != $client_secret) {
|
||||
Logger::warning('Wrong client secret', $client_secret);
|
||||
DI::mstdnError()->RecordNotFound();
|
||||
}
|
||||
|
||||
$condition = ['application-id' => $application['id'], 'code' => $code];
|
||||
|
||||
$token = DBA::selectFirst('application-token', ['access_token'], $condition);
|
||||
if (!DBA::isResult($token)) {
|
||||
Logger::warning('Token not found', $condition);
|
||||
DI::mstdnError()->RecordNotFound();
|
||||
}
|
||||
|
||||
// @todo Use entity class
|
||||
System::jsonExit(['access_token' => $token['access_token'], 'token_type' => 'Bearer', 'scope' => $application['scopes'], 'created_at' => $token['created_at']]);
|
||||
}
|
||||
}
|
|
@ -36,8 +36,12 @@ class Login extends BaseModule
|
|||
{
|
||||
public static function content(array $parameters = [])
|
||||
{
|
||||
$return_path = !isset($_REQUEST['return_path']) ? '' : $_REQUEST['return_path'];
|
||||
|
||||
if (local_user()) {
|
||||
DI::baseUrl()->redirect();
|
||||
DI::baseUrl()->redirect($return_path);
|
||||
} elseif (!empty($return_path)) {
|
||||
Session::set('return_path', $return_path);
|
||||
}
|
||||
|
||||
return self::form(Session::get('return_path'), intval(DI::config()->get('config', 'register_policy')) !== \Friendica\Module\Register::CLOSED);
|
||||
|
|
|
@ -126,7 +126,7 @@ class Status extends BaseDataTransferObject
|
|||
$this->muted = $userAttributes->muted;
|
||||
$this->bookmarked = $userAttributes->bookmarked;
|
||||
$this->pinned = $userAttributes->pinned;
|
||||
$this->content = BBCode::convert($item['raw-body'] ?? $item['body'], false);
|
||||
$this->content = BBCode::convert($item['raw-body'] ?? $item['body'], false, BBCode::API);
|
||||
$this->reblog = $reblog;
|
||||
$this->application = $application->toArray();
|
||||
$this->account = $account->toArray();
|
||||
|
@ -134,7 +134,7 @@ class Status extends BaseDataTransferObject
|
|||
$this->mentions = $mentions;
|
||||
$this->tags = $tags;
|
||||
$this->emojis = [];
|
||||
$this->card = $card->toArray();
|
||||
//$this->card = $card;
|
||||
$this->poll = null;
|
||||
}
|
||||
|
||||
|
|
|
@ -1272,7 +1272,7 @@ class DFRN
|
|||
|
||||
switch ($rino_remote_version) {
|
||||
case 1:
|
||||
$key = openssl_random_pseudo_bytes(16);
|
||||
$key = random_bytes(16);
|
||||
$data = self::aesEncrypt($postvars['data'], $key);
|
||||
break;
|
||||
|
||||
|
|
|
@ -2870,9 +2870,9 @@ class Diaspora
|
|||
return false;
|
||||
}
|
||||
|
||||
$aes_key = openssl_random_pseudo_bytes(32);
|
||||
$aes_key = random_bytes(32);
|
||||
$b_aes_key = base64_encode($aes_key);
|
||||
$iv = openssl_random_pseudo_bytes(16);
|
||||
$iv = random_bytes(16);
|
||||
$b_iv = base64_encode($iv);
|
||||
|
||||
$ciphertext = self::aesEncrypt($aes_key, $iv, $msg);
|
||||
|
|
|
@ -39,6 +39,7 @@ use Friendica\Util\Network;
|
|||
use Friendica\Util\Strings;
|
||||
use LightOpenID;
|
||||
use Friendica\Core\L10n;
|
||||
use Friendica\Core\Logger;
|
||||
use Psr\Log\LoggerInterface;
|
||||
|
||||
/**
|
||||
|
|
|
@ -55,7 +55,7 @@
|
|||
use Friendica\Database\DBA;
|
||||
|
||||
if (!defined('DB_UPDATE_VERSION')) {
|
||||
define('DB_UPDATE_VERSION', 1415);
|
||||
define('DB_UPDATE_VERSION', 1416);
|
||||
}
|
||||
|
||||
return [
|
||||
|
@ -442,6 +442,20 @@ return [
|
|||
"client_id" => ["UNIQUE", "client_id"]
|
||||
]
|
||||
],
|
||||
"application-token" => [
|
||||
"comment" => "OAuth user token",
|
||||
"fields" => [
|
||||
"application-id" => ["type" => "int unsigned", "not null" => "1", "primary" => "1", "foreign" => ["application" => "id"], "comment" => ""],
|
||||
"uid" => ["type" => "mediumint unsigned", "not null" => "1", "primary" => "1", "foreign" => ["user" => "uid"], "comment" => "Owner User id"],
|
||||
"code" => ["type" => "varchar(64)", "not null" => "1", "comment" => ""],
|
||||
"access_token" => ["type" => "varchar(64)", "not null" => "1", "comment" => ""],
|
||||
"created_at" => ["type" => "datetime", "not null" => "1", "default" => DBA::NULL_DATETIME, "comment" => "creation time"],
|
||||
],
|
||||
"indexes" => [
|
||||
"PRIMARY" => ["application-id", "uid"],
|
||||
"uid_id" => ["uid", "application-id"],
|
||||
]
|
||||
],
|
||||
"attach" => [
|
||||
"comment" => "file attachments",
|
||||
"fields" => [
|
||||
|
|
|
@ -331,9 +331,9 @@ return [
|
|||
'/mark/all' => [Module\Notifications\Notification::class, [R::GET]],
|
||||
'/{id:\d+}' => [Module\Notifications\Notification::class, [R::GET, R::POST]],
|
||||
],
|
||||
'/oauth/authorize' => [Module\Api\Mastodon\Unimplemented::class, [R::GET]],
|
||||
'/oauth/revoke' => [Module\Api\Mastodon\Unimplemented::class, [R::POST]],
|
||||
'/oauth/token' => [Module\Api\Mastodon\Unimplemented::class, [R::POST]],
|
||||
'/oauth/authorize' => [Module\OAuth\Authorize::class, [R::GET]],
|
||||
'/oauth/revoke' => [Module\OAuth\Revoke::class, [R::POST]],
|
||||
'/oauth/token' => [Module\OAuth\Token::class, [R::POST]],
|
||||
'/objects/{guid}[/{activity}]' => [Module\Objects::class, [R::GET]],
|
||||
|
||||
'/oembed' => [
|
||||
|
|
Loading…
Reference in a new issue