From 1017c71ba1d80a1690e357a938ad46f246a456ae Mon Sep 17 00:00:00 2001 From: Andrew Godwin Date: Sat, 10 Dec 2022 21:03:14 -0700 Subject: Working start of an OAuth flow --- activities/models/post_attachment.py | 2 +- api/__init__.py | 0 api/admin.py | 13 +++++ api/apps.py | 6 ++ api/migrations/0001_initial.py | 87 +++++++++++++++++++++++++++++ api/migrations/__init__.py | 0 api/models/__init__.py | 2 + api/models/application.py | 19 +++++++ api/models/token.py | 39 +++++++++++++ api/parser.py | 20 +++++++ api/views/__init__.py | 3 + api/views/apps.py | 37 ++++++++++++ api/views/base.py | 5 ++ api/views/instance.py | 56 +++++++++++++++++++ api/views/oauth.py | 105 +++++++++++++++++++++++++++++++++++ requirements.txt | 3 + takahe/settings.py | 9 ++- takahe/urls.py | 6 ++ templates/api/oauth_authorize.html | 39 +++++++++++++ templates/auth/login.html | 1 + 20 files changed, 449 insertions(+), 3 deletions(-) create mode 100644 api/__init__.py create mode 100644 api/admin.py create mode 100644 api/apps.py create mode 100644 api/migrations/0001_initial.py create mode 100644 api/migrations/__init__.py create mode 100644 api/models/__init__.py create mode 100644 api/models/application.py create mode 100644 api/models/token.py create mode 100644 api/parser.py create mode 100644 api/views/__init__.py create mode 100644 api/views/apps.py create mode 100644 api/views/base.py create mode 100644 api/views/instance.py create mode 100644 api/views/oauth.py create mode 100644 templates/api/oauth_authorize.html diff --git a/activities/models/post_attachment.py b/activities/models/post_attachment.py index 932ae65..120a1d1 100644 --- a/activities/models/post_attachment.py +++ b/activities/models/post_attachment.py @@ -95,5 +95,5 @@ class PostAttachment(StatorModel): "width": self.width, "height": self.height, "mediaType": self.mimetype, - "http://joinmastodon.org/ns#focalPoint": [0.5, 0.5], + "http://joinmastodon.org/ns#focalPoint": [0, 0], } diff --git a/api/__init__.py b/api/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/api/admin.py b/api/admin.py new file mode 100644 index 0000000..072abb0 --- /dev/null +++ b/api/admin.py @@ -0,0 +1,13 @@ +from django.contrib import admin + +from api.models import Application, Token + + +@admin.register(Application) +class ApplicationAdmin(admin.ModelAdmin): + list_display = ["id", "name", "website", "created"] + + +@admin.register(Token) +class TokenAdmin(admin.ModelAdmin): + list_display = ["id", "user", "application", "created"] diff --git a/api/apps.py b/api/apps.py new file mode 100644 index 0000000..878e7d5 --- /dev/null +++ b/api/apps.py @@ -0,0 +1,6 @@ +from django.apps import AppConfig + + +class ApiConfig(AppConfig): + default_auto_field = "django.db.models.BigAutoField" + name = "api" diff --git a/api/migrations/0001_initial.py b/api/migrations/0001_initial.py new file mode 100644 index 0000000..e9d37f3 --- /dev/null +++ b/api/migrations/0001_initial.py @@ -0,0 +1,87 @@ +# Generated by Django 4.1.3 on 2022-12-11 03:39 + +import django.db.models.deletion +from django.conf import settings +from django.db import migrations, models + + +class Migration(migrations.Migration): + + initial = True + + dependencies = [ + ("users", "0003_identity_followers_etc"), + migrations.swappable_dependency(settings.AUTH_USER_MODEL), + ] + + operations = [ + migrations.CreateModel( + name="Application", + fields=[ + ( + "id", + models.BigAutoField( + auto_created=True, + primary_key=True, + serialize=False, + verbose_name="ID", + ), + ), + ("client_id", models.CharField(max_length=500)), + ("client_secret", models.CharField(max_length=500)), + ("redirect_uris", models.TextField()), + ("scopes", models.TextField()), + ("name", models.CharField(max_length=500)), + ("website", models.CharField(blank=True, max_length=500, null=True)), + ("created", models.DateTimeField(auto_now_add=True)), + ("updated", models.DateTimeField(auto_now=True)), + ], + ), + migrations.CreateModel( + name="Token", + fields=[ + ( + "id", + models.BigAutoField( + auto_created=True, + primary_key=True, + serialize=False, + verbose_name="ID", + ), + ), + ("token", models.CharField(max_length=500)), + ("code", models.CharField(blank=True, max_length=100, null=True)), + ("scopes", models.JSONField()), + ("created", models.DateTimeField(auto_now_add=True)), + ("updated", models.DateTimeField(auto_now=True)), + ( + "application", + models.ForeignKey( + on_delete=django.db.models.deletion.CASCADE, + related_name="tokens", + to="api.application", + ), + ), + ( + "identity", + models.ForeignKey( + blank=True, + null=True, + on_delete=django.db.models.deletion.CASCADE, + related_name="tokens", + to="users.identity", + ), + ), + ( + "user", + models.ForeignKey( + blank=True, + null=True, + on_delete=django.db.models.deletion.CASCADE, + related_name="tokens", + to=settings.AUTH_USER_MODEL, + ), + ), + ], + ), + ] diff --git a/api/migrations/__init__.py b/api/migrations/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/api/models/__init__.py b/api/models/__init__.py new file mode 100644 index 0000000..663cd7e --- /dev/null +++ b/api/models/__init__.py @@ -0,0 +1,2 @@ +from .application import Application # noqa +from .token import Token # noqa diff --git a/api/models/application.py b/api/models/application.py new file mode 100644 index 0000000..89bea5f --- /dev/null +++ b/api/models/application.py @@ -0,0 +1,19 @@ +from django.db import models + + +class Application(models.Model): + """ + OAuth applications + """ + + client_id = models.CharField(max_length=500) + client_secret = models.CharField(max_length=500) + + redirect_uris = models.TextField() + scopes = models.TextField() + + name = models.CharField(max_length=500) + website = models.CharField(max_length=500, blank=True, null=True) + + created = models.DateTimeField(auto_now_add=True) + updated = models.DateTimeField(auto_now=True) diff --git a/api/models/token.py b/api/models/token.py new file mode 100644 index 0000000..dc57cec --- /dev/null +++ b/api/models/token.py @@ -0,0 +1,39 @@ +from django.db import models + + +class Token(models.Model): + """ + An (access) token to call the API with. + + Can be either tied to a user, or app-level only. + """ + + application = models.ForeignKey( + "api.Application", + on_delete=models.CASCADE, + related_name="tokens", + ) + + user = models.ForeignKey( + "users.User", + blank=True, + null=True, + on_delete=models.CASCADE, + related_name="tokens", + ) + + identity = models.ForeignKey( + "users.Identity", + blank=True, + null=True, + on_delete=models.CASCADE, + related_name="tokens", + ) + + token = models.CharField(max_length=500) + code = models.CharField(max_length=100, blank=True, null=True) + + scopes = models.JSONField() + + created = models.DateTimeField(auto_now_add=True) + updated = models.DateTimeField(auto_now=True) diff --git a/api/parser.py b/api/parser.py new file mode 100644 index 0000000..63e283f --- /dev/null +++ b/api/parser.py @@ -0,0 +1,20 @@ +import json + +from ninja.parser import Parser + + +class FormOrJsonParser(Parser): + """ + If there's form data in a request, makes it into a JSON dict. + This is needed as the Mastodon API allows form data OR json body as input. + """ + + def parse_body(self, request): + # Did they submit JSON? + if request.content_type == "application/json": + return json.loads(request.body) + # Fall back to form data + value = {} + for key, item in request.POST.items(): + value[key] = item + return value diff --git a/api/views/__init__.py b/api/views/__init__.py new file mode 100644 index 0000000..d661e7c --- /dev/null +++ b/api/views/__init__.py @@ -0,0 +1,3 @@ +from .apps import * # noqa +from .base import api # noqa +from .instance import * # noqa diff --git a/api/views/apps.py b/api/views/apps.py new file mode 100644 index 0000000..33ecf0f --- /dev/null +++ b/api/views/apps.py @@ -0,0 +1,37 @@ +import secrets + +from ninja import Field, Schema + +from ..models import Application +from .base import api + + +class CreateApplicationSchema(Schema): + client_name: str + redirect_uris: str + scopes: None | str = None + website: None | str = None + + +class ApplicationSchema(Schema): + id: str + name: str + website: str | None + client_id: str + client_secret: str + redirect_uri: str = Field(alias="redirect_uris") + + +@api.post("/v1/apps", response=ApplicationSchema) +def add_app(request, details: CreateApplicationSchema): + client_id = "tk-" + secrets.token_urlsafe(16) + client_secret = secrets.token_urlsafe(40) + application = Application.objects.create( + name=details.client_name, + website=details.website, + client_id=client_id, + client_secret=client_secret, + redirect_uris=details.redirect_uris, + scopes=details.scopes or "read", + ) + return application diff --git a/api/views/base.py b/api/views/base.py new file mode 100644 index 0000000..e9a087d --- /dev/null +++ b/api/views/base.py @@ -0,0 +1,5 @@ +from ninja import NinjaAPI + +from api.parser import FormOrJsonParser + +api = NinjaAPI(parser=FormOrJsonParser()) diff --git a/api/views/instance.py b/api/views/instance.py new file mode 100644 index 0000000..5923d30 --- /dev/null +++ b/api/views/instance.py @@ -0,0 +1,56 @@ +from django.conf import settings + +from activities.models import Post +from core.models import Config +from takahe import __version__ +from users.models import Domain, Identity + +from .base import api + + +@api.get("/v1/instance") +@api.get("/v1/instance/") +def instance_info(request): + return { + "uri": request.headers.get("host", settings.SETUP.MAIN_DOMAIN), + "title": Config.system.site_name, + "short_description": "", + "description": "", + "email": "", + "version": __version__, + "urls": {}, + "stats": { + "user_count": Identity.objects.filter(local=True).count(), + "status_count": Post.objects.filter(local=True).count(), + "domain_count": Domain.objects.count(), + }, + "thumbnail": Config.system.site_banner, + "languages": ["en"], + "registrations": ( + Config.system.signup_allowed and not Config.system.signup_invite_only + ), + "approval_required": False, + "invites_enabled": False, + "configuration": { + "accounts": {}, + "statuses": { + "max_characters": Config.system.post_length, + "max_media_attachments": 4, + "characters_reserved_per_url": 23, + }, + "media_attachments": { + "supported_mime_types": [ + "image/apng", + "image/avif", + "image/gif", + "image/jpeg", + "image/png", + "image/webp", + ], + "image_size_limit": (1024**2) * 10, + "image_matrix_limit": 2000 * 2000, + }, + }, + "contact_account": None, + "rules": [], + } diff --git a/api/views/oauth.py b/api/views/oauth.py new file mode 100644 index 0000000..6be2778 --- /dev/null +++ b/api/views/oauth.py @@ -0,0 +1,105 @@ +import secrets +from urllib.parse import urlparse + +from django.contrib.auth.mixins import LoginRequiredMixin +from django.http import HttpResponseRedirect, JsonResponse +from django.utils.decorators import method_decorator +from django.views.decorators.csrf import csrf_exempt +from django.views.generic import TemplateView, View + +from api.models import Application, Token + + +class OauthRedirect(HttpResponseRedirect): + def __init__(self, redirect_uri, key, value): + self.allowed_schemes = [urlparse(redirect_uri).scheme] + super().__init__(redirect_uri + f"?{key}={value}") + + +class AuthorizationView(LoginRequiredMixin, TemplateView): + """ + Asks the user to authorize access. + + Could maybe be a FormView, but things are weird enough we just handle the + POST manually. + """ + + template_name = "api/oauth_authorize.html" + + def get_context_data(self): + redirect_uri = self.request.GET["redirect_uri"] + scope = self.request.GET.get("scope", "read") + try: + application = Application.objects.get( + client_id=self.request.GET["client_id"] + ) + except (Application.DoesNotExist, KeyError): + return OauthRedirect(redirect_uri, "error", "invalid_application") + return { + "application": application, + "redirect_uri": redirect_uri, + "scope": scope, + "identities": self.request.user.identities.all(), + } + + def post(self, request): + # Grab the application and other details again + redirect_uri = self.request.POST["redirect_uri"] + scope = self.request.POST["scope"] + application = Application.objects.get(client_id=self.request.POST["client_id"]) + # Get the identity + identity = self.request.user.identities.get(pk=self.request.POST["identity"]) + # Make a token + token = Token.objects.create( + application=application, + user=self.request.user, + identity=identity, + token=secrets.token_urlsafe(32), + code=secrets.token_urlsafe(16), + scopes=scope.split(), + ) + # Redirect with the token's code + return OauthRedirect(redirect_uri, "code", token.code) + + +@method_decorator(csrf_exempt, name="dispatch") +class TokenView(View): + def post(self, request): + grant_type = request.POST["grant_type"] + scopes = set(self.request.POST.get("scope", "read").split()) + try: + application = Application.objects.get( + client_id=self.request.POST["client_id"] + ) + except (Application.DoesNotExist, KeyError): + return JsonResponse({"error": "invalid_client_id"}, status=400) + # TODO: Implement client credentials flow + if grant_type == "client_credentials": + return JsonResponse({"error": "invalid_grant_type"}, status=400) + elif grant_type == "authorization_code": + code = request.POST["code"] + # Retrieve the token by code + # TODO: Check code expiry based on created date + try: + token = Token.objects.get(code=code, application=application) + except Token.DoesNotExist: + return JsonResponse({"error": "invalid_code"}, status=400) + # Verify the scopes match the token + if scopes != set(token.scopes): + return JsonResponse({"error": "invalid_scope"}, status=400) + # Update the token to remove its code + token.code = None + token.save() + # Return them the token + return JsonResponse( + { + "access_token": token.token, + "token_type": "Bearer", + "scope": " ".join(token.scopes), + "created_at": int(token.created.timestamp()), + } + ) + + +class RevokeTokenView(View): + pass diff --git a/requirements.txt b/requirements.txt index 8132acb..d24b45d 100644 --- a/requirements.txt +++ b/requirements.txt @@ -3,7 +3,10 @@ blurhash-python~=1.1.3 cryptography~=38.0 dj_database_url~=1.0.0 django-cache-url~=3.4.2 +django-cors-headers~=3.13.0 django-htmx~=1.13.0 +django-ninja~=0.19.1 +django-oauth-toolkit~=2.2.0 django-storages[google,boto3]~=1.13.1 django~=4.1 email-validator~=1.3.0 diff --git a/takahe/settings.py b/takahe/settings.py index 64a523a..e2e9b43 100644 --- a/takahe/settings.py +++ b/takahe/settings.py @@ -169,16 +169,19 @@ INSTALLED_APPS = [ "django.contrib.messages", "django.contrib.staticfiles", "django_htmx", + "corsheaders", "core", "activities", - "users", - "stator", + "api", "mediaproxy", + "stator", + "users", ] MIDDLEWARE = [ "core.middleware.SentryTaggingMiddleware", "django.middleware.security.SecurityMiddleware", + "corsheaders.middleware.CorsMiddleware", "whitenoise.middleware.WhiteNoiseMiddleware", "django.contrib.sessions.middleware.SessionMiddleware", "django.middleware.common.CommonMiddleware", @@ -278,6 +281,7 @@ AUTO_ADMIN_EMAIL = SETUP.AUTO_ADMIN_EMAIL STATOR_TOKEN = SETUP.STATOR_TOKEN +CORS_ORIGIN_ALLOW_ALL = True # Temporary CORS_ORIGIN_WHITELIST = SETUP.CORS_HOSTS CORS_ALLOW_CREDENTIALS = True CORS_PREFLIGHT_MAX_AGE = 604800 @@ -288,6 +292,7 @@ MEDIA_URL = SETUP.MEDIA_URL MEDIA_ROOT = SETUP.MEDIA_ROOT MAIN_DOMAIN = SETUP.MAIN_DOMAIN + if SETUP.USE_PROXY_HEADERS: SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https") diff --git a/takahe/urls.py b/takahe/urls.py index 762e091..57af7a7 100644 --- a/takahe/urls.py +++ b/takahe/urls.py @@ -4,6 +4,7 @@ from django.urls import path, re_path from django.views.static import serve from activities.views import compose, explore, follows, posts, search, timelines +from api.views import api, oauth from core import views as core from mediaproxy import views as mediaproxy from stator import views as stator @@ -201,6 +202,11 @@ urlpatterns = [ path("actor/", activitypub.SystemActorView.as_view()), path("actor/inbox/", activitypub.Inbox.as_view()), path("inbox/", activitypub.Inbox.as_view(), name="shared_inbox"), + # API/Oauth + path("api/", api.urls), + path("oauth/authorize", oauth.AuthorizationView.as_view()), + path("oauth/token", oauth.TokenView.as_view()), + path("oauth/revoke_token", oauth.RevokeTokenView.as_view()), # Stator path(".stator/", stator.RequestRunner.as_view()), # Django admin diff --git a/templates/api/oauth_authorize.html b/templates/api/oauth_authorize.html new file mode 100644 index 0000000..41aac0d --- /dev/null +++ b/templates/api/oauth_authorize.html @@ -0,0 +1,39 @@ +{% extends "base.html" %} + +{% block title %}Authorize {{ application.name }}{% endblock %} + +{% block content %} + {% if not identities %} +

+ You cannot give access to {{ application.name }} as you + have no identities yet. Log in via the website and create + at least one identity, then retry this process. +

+ {% else %} +
+ {% csrf_token %} +
+ Authorize +
+
+ + +
+
+

Do you want to give {{ application.name }} access to this identity?

+

It will have permission to: {{ scope }}

+ + + +
+
+ Deny + +
+
+ {% endif %} +{% endblock %} diff --git a/templates/auth/login.html b/templates/auth/login.html index 80b003b..96c0e98 100644 --- a/templates/auth/login.html +++ b/templates/auth/login.html @@ -11,6 +11,7 @@ {% include "forms/_field.html" %} {% endfor %} +
Forgot Password -- cgit v1.2.3