Ensure apps are assigned to users

This commit is contained in:
Mark Felder 2024-09-04 10:40:37 -04:00
parent 427da7a99a
commit 7bd0750787
5 changed files with 42 additions and 1 deletions

View file

@ -1 +1 @@
Add a rate limiter to the OAuth App creation endpoint Add a rate limiter to the OAuth App creation endpoint and ensure registered apps are assigned to users.

View file

@ -8,6 +8,7 @@ defmodule Pleroma.Web.OAuth.App do
import Ecto.Query import Ecto.Query
alias Pleroma.Repo alias Pleroma.Repo
alias Pleroma.User alias Pleroma.User
alias Pleroma.Web.OAuth.Token
@type t :: %__MODULE__{} @type t :: %__MODULE__{}
@ -155,4 +156,13 @@ def errors(changeset) do
Map.put(acc, key, error) Map.put(acc, key, error)
end) end)
end end
@spec maybe_update_owner(Token.t()) :: :ok
def maybe_update_owner(%Token{app_id: app_id, user_id: user_id}) when not is_nil(user_id) do
__MODULE__.update(app_id, %{user_id: user_id})
:ok
end
def maybe_update_owner(_), do: :ok
end end

View file

@ -318,6 +318,8 @@ def token_exchange(%Plug.Conn{} = conn, %{"grant_type" => "client_credentials"}
def token_exchange(%Plug.Conn{} = conn, params), do: bad_request(conn, params) def token_exchange(%Plug.Conn{} = conn, params), do: bad_request(conn, params)
def after_token_exchange(%Plug.Conn{} = conn, %{token: token} = view_params) do def after_token_exchange(%Plug.Conn{} = conn, %{token: token} = view_params) do
App.maybe_update_owner(token)
conn conn
|> AuthHelper.put_session_token(token.token) |> AuthHelper.put_session_token(token.token)
|> json(OAuthView.render("token.json", view_params)) |> json(OAuthView.render("token.json", view_params))

View file

@ -0,0 +1,21 @@
defmodule Pleroma.Repo.Migrations.AssignAppUser do
use Ecto.Migration
alias Pleroma.Repo
alias Pleroma.Web.OAuth.App
alias Pleroma.Web.OAuth.Token
def up do
Repo.all(Token)
|> Enum.group_by(fn x -> Map.get(x, :app_id) end)
|> Enum.each(fn {_app_id, tokens} ->
token =
Enum.filter(tokens, fn x -> not is_nil(x.user_id) end)
|> List.first()
App.maybe_update_owner(token)
end)
end
def down, do: :ok
end

View file

@ -12,6 +12,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
alias Pleroma.MFA.TOTP alias Pleroma.MFA.TOTP
alias Pleroma.Repo alias Pleroma.Repo
alias Pleroma.User alias Pleroma.User
alias Pleroma.Web.OAuth.App
alias Pleroma.Web.OAuth.Authorization alias Pleroma.Web.OAuth.Authorization
alias Pleroma.Web.OAuth.OAuthController alias Pleroma.Web.OAuth.OAuthController
alias Pleroma.Web.OAuth.Token alias Pleroma.Web.OAuth.Token
@ -770,6 +771,9 @@ test "issues a token for an all-body request" do
{:ok, auth} = Authorization.create_authorization(app, user, ["write"]) {:ok, auth} = Authorization.create_authorization(app, user, ["write"])
# Verify app has no associated user yet
assert %Pleroma.Web.OAuth.App{user_id: nil} = Repo.get_by(App, %{id: app.id})
conn = conn =
build_conn() build_conn()
|> post("/oauth/token", %{ |> post("/oauth/token", %{
@ -786,6 +790,10 @@ test "issues a token for an all-body request" do
assert token assert token
assert token.scopes == auth.scopes assert token.scopes == auth.scopes
assert user.ap_id == ap_id assert user.ap_id == ap_id
# Verify app has an associated user now
user_id = user.id
assert %Pleroma.Web.OAuth.App{user_id: ^user_id} = Repo.get_by(App, %{id: app.id})
end end
test "issues a token for `password` grant_type with valid credentials, with full permissions by default" do test "issues a token for `password` grant_type with valid credentials, with full permissions by default" do