Introduce application tokens

Signed-off-by: Thomas Citharel <tcit@tcit.fr>

lib/web/auth/context.ex

@@ -6,6 +6,8 @@ defmodule Mobilizon.Web.Auth.Context do
 
   import Plug.Conn
 
+  alias Mobilizon.Applications.Application, as: AuthApplication
+  alias Mobilizon.Applications.ApplicationToken
   alias Mobilizon.Users.User
 
   @spec init(Plug.opts()) :: Plug.opts()
@@ -28,18 +30,13 @@ defmodule Mobilizon.Web.Auth.Context do
 
     {conn, context} =
       case Guardian.Plug.current_resource(conn) do
-        %User{id: user_id, email: user_email} = user ->
-          if Application.get_env(:sentry, :dsn) != nil do
-            Sentry.Context.set_user_context(%{
-              id: user_id,
-              email: user_email,
-              ip_address: context.ip
-            })
-          end
+        %User{} = user ->
+          set_user_context({conn, context}, user)
 
-          context = Map.put(context, :current_user, user)
-          conn = assign(conn, :user_locale, user.locale)
-          {conn, context}
+        %ApplicationToken{user: %User{} = user} = app_token ->
+          conn
+          |> set_app_token_context(context, app_token)
+          |> set_user_context(user)
 
         nil ->
           {conn, context}
@@ -49,4 +46,35 @@ defmodule Mobilizon.Web.Auth.Context do
 
     put_private(conn, :absinthe, %{context: context})
   end
+
+  defp set_user_context({conn, context}, %User{id: user_id, email: user_email} = user) do
+    if Application.get_env(:sentry, :dsn) != nil do
+      Sentry.Context.set_user_context(%{
+        id: user_id,
+        email: user_email,
+        ip_address: context.ip
+      })
+    end
+
+    context = Map.put(context, :current_user, user)
+    conn = assign(conn, :user_locale, user.locale)
+    {conn, context}
+  end
+
+  defp set_app_token_context(
+         conn,
+         context,
+         %ApplicationToken{application: %AuthApplication{client_id: client_id} = app} = app_token
+       ) do
+    if Application.get_env(:sentry, :dsn) != nil do
+      Sentry.Context.set_user_context(%{
+        app_token_client_id: client_id
+      })
+    end
+
+    context =
+      context |> Map.put(:current_auth_app_token, app_token) |> Map.put(:current_auth_app, app)
+
+    {conn, context}
+  end
 end

lib/web/auth/guardian.ex

@@ -10,14 +10,19 @@ defmodule Mobilizon.Web.Auth.Guardian do
       user: [:base]
     }
 
-  alias Mobilizon.Users
+  alias Mobilizon.{Applications, Users}
+  alias Mobilizon.Applications.ApplicationToken
   alias Mobilizon.Users.User
 
   require Logger
 
   @spec subject_for_token(any(), any()) :: {:ok, String.t()} | {:error, :unknown_resource}
-  def subject_for_token(%User{} = user, _claims) do
-    {:ok, "User:" <> to_string(user.id)}
+  def subject_for_token(%User{id: user_id}, _claims) do
+    {:ok, "User:" <> to_string(user_id)}
+  end
+
+  def subject_for_token(%ApplicationToken{id: app_token_id}, _claims) do
+    {:ok, "AppToken:" <> to_string(app_token_id)}
   end
 
   def subject_for_token(_, _) do
@@ -42,6 +47,25 @@ defmodule Mobilizon.Web.Auth.Guardian do
     end
   end
 
+  def resource_from_claims(%{"sub" => "AppToken:" <> id_str}) do
+    Logger.debug(fn -> "Receiving claim for app token #{id_str}" end)
+
+    try do
+      case Integer.parse(id_str) do
+        {id, ""} ->
+          application_token = Applications.get_application_token!(id)
+          user = Users.get_user_with_actors!(application_token.user_id)
+          application = Applications.get_application!(application_token.application_id)
+          {:ok, application_token |> Map.put(:user, user) |> Map.put(:application, application)}
+
+        _ ->
+          {:error, :invalid_id}
+      end
+    rescue
+      Ecto.NoResultsError -> {:error, :no_result}
+    end
+  end
+
   def resource_from_claims(_) do
     {:error, :no_claims}
   end

lib/web/channels/graphql_socket.ex

@@ -4,19 +4,16 @@ defmodule Mobilizon.Web.GraphQLSocket do
   use Absinthe.Phoenix.Socket,
     schema: Mobilizon.GraphQL.Schema
 
+  alias Mobilizon.Applications.Application, as: AuthApplication
+  alias Mobilizon.Applications.ApplicationToken
   alias Mobilizon.Users.User
 
   @spec connect(map, Phoenix.Socket.t()) :: {:ok, Phoenix.Socket.t()} | :error
   def connect(%{"token" => token}, socket) do
     with {:ok, authed_socket} <-
            Guardian.Phoenix.Socket.authenticate(socket, Mobilizon.Web.Auth.Guardian, token),
-         %User{} = user <- Guardian.Phoenix.Socket.current_resource(authed_socket) do
-      authed_socket =
-        Absinthe.Phoenix.Socket.put_options(socket,
-          context: %{
-            current_user: user
-          }
-        )
+         resource <- Guardian.Phoenix.Socket.current_resource(authed_socket) do
+      set_context(authed_socket, resource)
 
       {:ok, authed_socket}
     else
@@ -29,4 +26,27 @@ defmodule Mobilizon.Web.GraphQLSocket do
 
   @spec id(any) :: nil
   def id(_socket), do: nil
+
+  @spec set_context(Phoenix.Socket.t(), User.t() | ApplicationToken.t()) :: Phoenix.Socket.t()
+  defp set_context(socket, %User{} = user) do
+    Absinthe.Phoenix.Socket.put_options(socket,
+      context: %{
+        current_user: user
+      }
+    )
+  end
+
+  defp set_context(
+         socket,
+         %ApplicationToken{user: %User{} = user, application: %AuthApplication{} = app} =
+           app_token
+       ) do
+    Absinthe.Phoenix.Socket.put_options(socket,
+      context: %{
+        current_auth_app_token: app_token,
+        current_auth_app: app,
+        current_user: user
+      }
+    )
+  end
 end

lib/web/controllers/application_controller.ex

@@ -0,0 +1,130 @@
+defmodule Mobilizon.Web.ApplicationController do
+  use Mobilizon.Web, :controller
+
+  alias Mobilizon.Applications.Application
+  alias Mobilizon.Service.Auth.Applications
+  plug(:put_layout, false)
+  import Mobilizon.Web.Gettext, only: [dgettext: 2]
+
+  @out_of_band_redirect_uri "urn:ietf:wg:oauth:2.0:oob"
+
+  @doc """
+  Create an application
+  """
+  @spec create_application(Plug.Conn.t(), map()) :: Plug.Conn.t()
+  def create_application(conn, %{"name" => name, "redirect_uris" => redirect_uris} = args) do
+    case Applications.create(
+           name,
+           redirect_uris,
+           Map.get(args, "scopes"),
+           Map.get(args, "website")
+         ) do
+      {:ok, %Application{} = app} ->
+        json(
+          conn,
+          Map.take(app, [:name, :website, :redirect_uris, :client_id, :client_secret, :scope])
+        )
+
+      {:error, _error} ->
+        send_resp(
+          conn,
+          500,
+          dgettext(
+            "errors",
+            "Impossible to create application."
+          )
+        )
+    end
+  end
+
+  def create_application(conn, _args) do
+    send_resp(
+      conn,
+      400,
+      dgettext(
+        "errors",
+        "Both name and redirect_uri parameters are required to create an application"
+      )
+    )
+  end
+
+  @doc """
+  Authorize
+  """
+  @spec authorize(Plug.Conn.t(), map()) :: Plug.Conn.t()
+  def authorize(
+        conn,
+        _args
+      ) do
+    conn = fetch_query_params(conn)
+
+    client_id = conn.query_params["client_id"]
+    redirect_uri = conn.query_params["redirect_uri"]
+    state = conn.query_params["state"]
+
+    if is_binary(client_id) and is_binary(redirect_uri) and is_binary(state) do
+      redirect(conn,
+        to:
+          Routes.page_path(conn, :authorize,
+            client_id: client_id,
+            redirect_uri: redirect_uri,
+            scope: conn.query_params["scope"],
+            state: state
+          )
+      )
+    else
+      send_resp(
+        conn,
+        400,
+        dgettext(
+          "errors",
+          "You need to specify client_id, redirect_uri and state to autorize an application"
+        )
+      )
+    end
+  end
+
+  @spec generate_access_token(Plug.Conn.t(), map()) :: Plug.Conn.t()
+  def generate_access_token(conn, %{
+        "client_id" => client_id,
+        "client_secret" => client_secret,
+        "code" => code,
+        "redirect_uri" => redirect_uri
+      }) do
+    case Applications.generate_access_token(client_id, client_secret, code, redirect_uri) do
+      {:ok, token} ->
+        if redirect_uri != @out_of_band_redirect_uri do
+          redirect(conn, external: generate_redirect_with_query_params(redirect_uri, token))
+        else
+          json(conn, token)
+        end
+
+      {:error, :application_not_found} ->
+        send_resp(conn, 400, dgettext("errors", "No application was found with this client_id"))
+
+      {:error, :redirect_uri_not_in_allowed} ->
+        send_resp(conn, 400, dgettext("errors", "This redirect URI is not allowed"))
+
+      {:error, :invalid_or_expired} ->
+        send_resp(conn, 400, dgettext("errors", "The provided code is invalid or expired"))
+
+      {:error, :invalid_client_id} ->
+        send_resp(
+          conn,
+          400,
+          dgettext("errors", "The provided client_id does not match the provided code")
+        )
+
+      {:error, :invalid_client_secret} ->
+        send_resp(conn, 400, dgettext("errors", "The provided client_secret is invalid"))
+
+      {:error, :user_not_found} ->
+        send_resp(conn, 400, dgettext("errors", "The user for this code was not found"))
+    end
+  end
+
+  @spec generate_redirect_with_query_params(String.t(), map()) :: String.t()
+  defp generate_redirect_with_query_params(redirect_uri, query_params) do
+    redirect_uri |> URI.parse() |> URI.merge("?" <> URI.encode_query(query_params)) |> to_string()
+  end
+end

lib/web/controllers/page_controller.ex

@@ -121,6 +121,9 @@ defmodule Mobilizon.Web.PageController do
     end
   end
 
+  @spec authorize(Plug.Conn.t(), any) :: Plug.Conn.t()
+  def authorize(conn, _params), do: render(conn, :index)
+
   @spec handle_collection_route(Plug.Conn.t(), collections()) :: Plug.Conn.t()
   defp handle_collection_route(conn, collection) do
     case get_format(conn) do

lib/web/router.ex

@@ -205,6 +205,11 @@ defmodule Mobilizon.Web.Router do
     # Also possible CSRF issue
     get("/auth/:provider/callback", AuthController, :callback)
     post("/auth/:provider/callback", AuthController, :callback)
+
+    post("/apps", ApplicationController, :create_application)
+    get("/oauth/authorize", ApplicationController, :authorize)
+    post("/oauth/token", ApplicationController, :generate_access_token)
+    get("/oauth/autorize_approve", PageController, :authorize)
   end
 
   scope "/proxy/", Mobilizon.Web do