Let the OAuth form remember you, fixes #1909

2020-07-19 19:37:54 -05:00 · 2020-07-19 19:37:54 -05:00 · d11c0ede3a
commit d11c0ede3a
parent 9f48dfb705
5 changed files with 110 additions and 27 deletions
--- a/lib/pleroma/web/oauth/oauth_controller.ex
+++ b/lib/pleroma/web/oauth/oauth_controller.ex
@ -76,8 +76,17 @@ defmodule Pleroma.Web.OAuth.OAuthController do
    available_scopes = (app && app.scopes) || []
    scopes = Scopes.fetch_scopes(params, available_scopes)

+    user =
+      with %{assigns: %{user: %User{} = user}} <- conn do
+        user
+      else
+        _ -> nil
+      end
+
    # Note: `params` might differ from `conn.params`; use `@params` not `@conn.params` in template
    render(conn, Authenticator.auth_template(), %{
+      app: app && Map.delete(app, :client_secret),
+      user: user,
      response_type: params["response_type"],
      client_id: params["client_id"],
      available_scopes: available_scopes,
@ -121,11 +130,13 @@ defmodule Pleroma.Web.OAuth.OAuthController do
    end
  end

-  def create_authorization(
-        %Plug.Conn{} = conn,
-        %{"authorization" => _} = params,
-        opts \\ []
-      ) do
+  def create_authorization(_, _, opts \\ [])
+
+  def create_authorization(%Plug.Conn{assigns: %{user: %User{} = user}} = conn, params, []) do
+    create_authorization(conn, params, user: user)
+  end
+
+  def create_authorization(%Plug.Conn{} = conn, %{"authorization" => _} = params, opts) do
    with {:ok, auth, user} <- do_create_authorization(conn, params, opts[:user]),
         {:mfa_required, _, _, false} <- {:mfa_required, user, auth, MFA.require?(user)} do
      after_create_authorization(conn, auth, params)
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@ -278,9 +278,9 @@ defmodule Pleroma.Web.Router do
    scope [] do
      pipe_through([:oauth, :after_auth])
      get("/authorize", OAuthController, :authorize)
+      post("/authorize", OAuthController, :create_authorization)
    end

-    post("/authorize", OAuthController, :create_authorization)
    post("/token", OAuthController, :token_exchange)
    post("/revoke", OAuthController, :token_revoke)
    get("/registration_details", OAuthController, :registration_details)
--- a/lib/pleroma/web/templates/o_auth/o_auth/show.html.eex
+++ b/lib/pleroma/web/templates/o_auth/o_auth/show.html.eex
@ -5,32 +5,51 @@
 <p class="alert alert-danger" role="alert"><%= get_flash(@conn, :error) %></p>
 <% end %>

-<h2>OAuth Authorization</h2>
 <%= form_for @conn, o_auth_path(@conn, :authorize), [as: "authorization"], fn f -> %>

-<%= if @params["registration"] in ["true", true] do %>
-  <h3>This is the first time you visit! Please enter your Pleroma handle.</h3>
-  <p>Choose carefully! You won't be able to change this later. You will be able to change your display name, though.</p>
-  <div class="input">
-    <%= label f, :nickname, "Pleroma Handle" %>
-    <%= text_input f, :nickname, placeholder: "lain" %>
+<%= if @user do %>
+  <div class="account-header">
+    <div class="avatar">
+      <img src="<%= Pleroma.User.avatar_url(@user) %>">
+    </div>
+    <div class="name">
+      Signed in as:
+      <div class="username">@<%= @user.nickname %></div>
+    </div>
  </div>
-  <%= hidden_input f, :name, value: @params["name"] %>
-  <%= hidden_input f, :password, value: @params["password"] %>
-  <br>
-<% else %>
-  <div class="input">
-    <%= label f, :name, "Username" %>
-    <%= text_input f, :name %>
-  </div>
-  <div class="input">
-    <%= label f, :password, "Password" %>
-    <%= password_input f, :password %>
-  </div>
-  <%= submit "Log In" %>
+<% end %>
+
+<%= if @app do %>
+  <p>Application <strong><%= @app.client_name %></strong> is requesting access to your account.</p>
  <%= render @view_module, "_scopes.html", Map.merge(assigns, %{form: f}) %>
 <% end %>

+<%= if @user do %>
+  <%= submit "Authorize" %>
+<% else %>
+  <%= if @params["registration"] in ["true", true] do %>
+    <h3>This is the first time you visit! Please enter your Pleroma handle.</h3>
+    <p>Choose carefully! You won't be able to change this later. You will be able to change your display name, though.</p>
+    <div class="input">
+      <%= label f, :nickname, "Pleroma Handle" %>
+      <%= text_input f, :nickname, placeholder: "lain" %>
+    </div>
+    <%= hidden_input f, :name, value: @params["name"] %>
+    <%= hidden_input f, :password, value: @params["password"] %>
+    <br>
+  <% else %>
+    <div class="input">
+      <%= label f, :name, "Username" %>
+      <%= text_input f, :name %>
+    </div>
+    <div class="input">
+      <%= label f, :password, "Password" %>
+      <%= password_input f, :password %>
+    </div>
+    <%= submit "Log In" %>
+  <% end %>
+<% end %>
+
 <%= hidden_input f, :client_id, value: @client_id %>
 <%= hidden_input f, :response_type, value: @response_type %>
 <%= hidden_input f, :redirect_uri, value: @redirect_uri %>
@ -40,4 +59,3 @@
 <%= if Pleroma.Config.oauth_consumer_enabled?() do %>
  <%= render @view_module, Pleroma.Web.Auth.Authenticator.oauth_consumer_template(), assigns %>
 <% end %>
-
--- a/priv/static/instance/static.css
+++ b/priv/static/instance/static.css
@ -175,6 +175,23 @@ button:hover {
  font-size: 16px;
 }

+.account-header {
+  display: flex;
+  margin: 20px 0;
+  text-align: left;
+}
+
+.account-header .avatar {
+  display: flex;
+  max-width: 60px;
+  margin-right: 10px;
+}
+
+.account-header .avatar img {
+  width: 100%;
+  border-radius: 4px;
+}
+
@media all and (max-width: 440px) {
  .container {
    margin-top: 0
--- a/test/web/oauth/oauth_controller_test.exs
+++ b/test/web/oauth/oauth_controller_test.exs
@ -606,6 +606,43 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
      end
    end

+    test "authorize from cookie" do
+      app_scopes = ["read", "write"]
+      app = insert(:oauth_app)
+      redirect_uri = OAuthController.default_redirect_uri(app)
+      user = insert(:user)
+
+      conn =
+        build_conn()
+        |> Plug.Session.call(Plug.Session.init(@session_opts))
+        |> fetch_session()
+        |> put_session(:user_id, user.id)
+        |> post(
+          "/oauth/authorize",
+          %{
+            "authorization" => %{
+              "name" => user.nickname,
+              "client_id" => app.client_id,
+              "redirect_uri" => redirect_uri,
+              "scope" => app_scopes,
+              "state" => "statepassed"
+            }
+          }
+        )
+
+      assert Enum.count(Repo.all(Pleroma.Web.OAuth.Authorization)) == 1
+
+      target = redirected_to(conn)
+      assert target =~ redirect_uri
+
+      query = URI.parse(target).query |> URI.query_decoder() |> Map.new()
+
+      assert %{"state" => "statepassed", "code" => code} = query
+      auth = Repo.get_by(Authorization, token: code)
+      assert auth
+      assert auth.scopes == app_scopes
+    end
+
    test "redirect to on two-factor auth page" do
      otp_secret = TOTP.generate_secret()