Make auth tokens usable once and expire them.

This commit is contained in:
Roger Braun 2017-09-09 12:02:59 +02:00
parent 890503ca1e
commit 95cedd6000
4 changed files with 91 additions and 1 deletions

View file

@ -4,6 +4,8 @@ defmodule Pleroma.Web.OAuth.Authorization do
alias Pleroma.{User, Repo}
alias Pleroma.Web.OAuth.{Authorization, App}
import Ecto.{Changeset}
schema "oauth_authorizations" do
field :token, :string
field :valid_until, :naive_datetime
@ -27,4 +29,19 @@ def create_authorization(%App{} = app, %User{} = user) do
Repo.insert(authorization)
end
def use_changeset(%Authorization{} = auth, params) do
auth
|> cast(params, [:used])
|> validate_required([:used])
end
def use_token(%Authorization{used: false, valid_until: valid_until} = auth) do
if NaiveDateTime.diff(NaiveDateTime.utc_now, valid_until) < 0 do
Repo.update(use_changeset(auth, %{used: true}))
else
{:error, "token expired"}
end
end
def use_token(%Authorization{used: true}), do: {:error, "already used"}
end

View file

@ -2,7 +2,7 @@ defmodule Pleroma.Web.OAuth.Token do
use Ecto.Schema
alias Pleroma.{User, Repo}
alias Pleroma.Web.OAuth.{Token, App}
alias Pleroma.Web.OAuth.{Token, App, Authorization}
schema "oauth_tokens" do
field :token, :string
@ -14,6 +14,13 @@ defmodule Pleroma.Web.OAuth.Token do
timestamps()
end
def exchange_token(app, auth) do
with {:ok, auth} <- Authorization.use_token(auth),
true <- auth.app_id == app.id do
create_token(app, Repo.get(User, auth.user_id))
end
end
def create_token(%App{} = app, %User{} = user) do
token = :crypto.strong_rand_bytes(32) |> Base.url_encode64
refresh_token = :crypto.strong_rand_bytes(32) |> Base.url_encode64

View file

@ -0,0 +1,42 @@
defmodule Pleroma.Web.OAuth.AuthorizationTest do
use Pleroma.DataCase
alias Pleroma.Web.OAuth.{Authorization, App}
import Pleroma.Factory
test "create an authorization token for a valid app" do
{:ok, app} = Repo.insert(App.register_changeset(%App{}, %{client_name: "client", scopes: "scope", redirect_uris: "url"}))
user = insert(:user)
{:ok, auth} = Authorization.create_authorization(app, user)
assert auth.user_id == user.id
assert auth.app_id == app.id
assert String.length(auth.token) > 10
assert auth.used == false
end
test "use up a token" do
{:ok, app} = Repo.insert(App.register_changeset(%App{}, %{client_name: "client", scopes: "scope", redirect_uris: "url"}))
user = insert(:user)
{:ok, auth} = Authorization.create_authorization(app, user)
{:ok, auth} = Authorization.use_token(auth)
assert auth.used == true
assert {:error, "already used"} == Authorization.use_token(auth)
expired_auth = %Authorization{
user_id: user.id,
app_id: app.id,
valid_until: NaiveDateTime.add(NaiveDateTime.utc_now, -10),
token: "mytoken",
used: false
}
{:ok, expired_auth} = Repo.insert(expired_auth)
assert {:error, "token expired"} == Authorization.use_token(expired_auth)
end
end

View file

@ -0,0 +1,24 @@
defmodule Pleroma.Web.OAuth.TokenTest do
use Pleroma.DataCase
alias Pleroma.Web.OAuth.{App, Token, Authorization}
alias Pleroma.Repo
import Pleroma.Factory
test "exchanges a auth token for an access token" do
{:ok, app} = Repo.insert(App.register_changeset(%App{}, %{client_name: "client", scopes: "scope", redirect_uris: "url"}))
user = insert(:user)
{:ok, auth} = Authorization.create_authorization(app, user)
{:ok, token} = Token.exchange_token(app, auth)
assert token.app_id == app.id
assert token.user_id == user.id
assert String.length(token.token) > 10
assert String.length(token.refresh_token) > 10
auth = Repo.get(Authorization, auth.id)
{:error, "already used"} = Token.exchange_token(app, auth)
end
end