From 0aaaf8d6efe26314b386a7ac4e86022cac52a069 Mon Sep 17 00:00:00 2001 From: Michael Date: Fri, 14 May 2021 06:05:01 +0000 Subject: [PATCH] API: Support OAuth client credentials --- doc/API-Mastodon.md | 4 ++-- src/Module/OAuth/Token.php | 29 +++++++++++++++++------------ 2 files changed, 19 insertions(+), 14 deletions(-) diff --git a/doc/API-Mastodon.md b/doc/API-Mastodon.md index 09cf169e2b..a8566ce60a 100644 --- a/doc/API-Mastodon.md +++ b/doc/API-Mastodon.md @@ -18,11 +18,11 @@ Supported mobile apps: - twitlatte - AndStatus - Twidere +- Subway Tooter Unsupported mobile apps: -- [Subway Tooter](https://github.com/tateisu/SubwayTooter) Uses the wrong grant_type when requesting a token, possibly a problem in the server type detection of the app. See issue https://github.com/tateisu/SubwayTooter/issues/156 -- [Mammut](https://github.com/jamiesanson/Mammut) States that the instance doesn't exist. Most likely an issue in the vitality check of the app, see issue https://github.com/jamiesanson/Mammut/issues/19 +- [Mammut](https://github.com/jamiesanson/Mammut) There are problems with the token request, see issue https://github.com/jamiesanson/Mammut/issues/19 - [Fedilab](https://framagit.org/tom79/fedilab) Automatically uses the legacy API, see issue: https://framagit.org/tom79/fedilab/-/issues/520 ## Entities diff --git a/src/Module/OAuth/Token.php b/src/Module/OAuth/Token.php index 0a1a32b744..c7a8109698 100644 --- a/src/Module/OAuth/Token.php +++ b/src/Module/OAuth/Token.php @@ -50,12 +50,7 @@ class Token extends BaseApi } } - if ($grant_type != 'authorization_code') { - Logger::warning('Unsupported or missing grant type', ['request' => $_REQUEST]); - DI::mstdnError()->UnprocessableEntity(DI::l10n()->t('Unsupported or missing grant type')); - } - - if (empty($client_id) || empty($client_secret) || empty($redirect_uri)) { + if (empty($client_id) || empty($client_secret)) { Logger::warning('Incomplete request data', ['request' => $_REQUEST]); DI::mstdnError()->UnprocessableEntity(DI::l10n()->t('Incomplete request data')); } @@ -65,13 +60,23 @@ class Token extends BaseApi DI::mstdnError()->UnprocessableEntity(); } - // For security reasons only allow freshly created tokens - $condition = ["`application-id` = ? AND `code` = ? AND `created_at` > UTC_TIMESTAMP() - INTERVAL ? MINUTE", $application['id'], $code, 5]; + if ($grant_type == 'client_credentials') { + // the "client_credentials" are used as a token for the application itself. + // see https://aaronparecki.com/oauth-2-simplified/#client-credentials + $token = self::createTokenForUser($application, 0, ''); + } elseif ($grant_type == 'authorization_code') { + // For security reasons only allow freshly created tokens + $condition = ["`redirect_uri` = ? AND `id` = ? AND `code` = ? AND `created_at` > UTC_TIMESTAMP() - INTERVAL ? MINUTE", + $redirect_uri, $application['id'], $code, 5]; - $token = DBA::selectFirst('application-token', ['access_token', 'created_at'], $condition); - if (!DBA::isResult($token)) { - Logger::warning('Token not found or outdated', $condition); - DI::mstdnError()->Unauthorized(); + $token = DBA::selectFirst('application-view', ['access_token', 'created_at'], $condition); + if (!DBA::isResult($token)) { + Logger::warning('Token not found or outdated', $condition); + DI::mstdnError()->Unauthorized(); + } + } else { + Logger::warning('Unsupported or missing grant type', ['request' => $_REQUEST]); + DI::mstdnError()->UnprocessableEntity(DI::l10n()->t('Unsupported or missing grant type')); } $object = new \Friendica\Object\Api\Mastodon\Token($token['access_token'], 'Bearer', $application['scopes'], $token['created_at']);