gotosocial/web/source/lib/oauth.js

/*
   GoToSocial
   Copyright (C) 2021-2022 GoToSocial Authors admin@gotosocial.org

   This program is free software: you can redistribute it and/or modify
   it under the terms of the GNU Affero General Public License as published by
   the Free Software Foundation, either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU Affero General Public License for more details.

   You should have received a copy of the GNU Affero General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

"use strict";

const Promise = require("bluebird");

function getCurrentUrl() {
	return window.location.origin + window.location.pathname; // strips ?query=string and #hash
}

module.exports = function oauthClient(config, initState) {
	/* config: 
		instance: instance domain (https://testingtesting123.xyz)
		client_name: "GoToSocial Admin Panel"
		scope: []
		website: 
	*/

	let state = initState;
	if (initState == undefined) {
		state = localStorage.getItem("oauth");
		if (state == undefined) {
			state = {
				config
			};
			storeState();
		} else {
			state = JSON.parse(state);
		}
	}

	function storeState() {
		localStorage.setItem("oauth", JSON.stringify(state));
	}

	/* register app
		/api/v1/apps
	*/
	function register() {
		if (state.client_id != undefined) {
			return true; // we already have a registration
		}
		let url = new URL(config.instance);
		url.pathname = "/api/v1/apps";

		return fetch(url.href, {
			method: "POST",
			headers: {
				'Content-Type': 'application/json'
			},
			body: JSON.stringify({
				client_name: config.client_name,
				redirect_uris: getCurrentUrl(),
				scopes: config.scope.join(" "),
				website: getCurrentUrl()
			})
		}).then((res) => {
			if (res.status != 200) {
				throw res;
			}
			return res.json();
		}).then((json) => {
			state.client_id = json.client_id;
			state.client_secret = json.client_secret;
			storeState();
		});
	}
	
	/* authorize:
		/oauth/authorize
			?client_id=CLIENT_ID
			&redirect_uri=window.location.href
			&response_type=code
			&scope=admin
	*/
	function authorize() {
		let url = new URL(config.instance);
		url.pathname = "/oauth/authorize";
		url.searchParams.set("client_id", state.client_id);
		url.searchParams.set("redirect_uri", getCurrentUrl());
		url.searchParams.set("response_type", "code");
		url.searchParams.set("scope", config.scope.join(" "));

		window.location.assign(url.href);
	}
	
	function callback() {
		if (state.access_token != undefined) {
			return; // we're already done :)
		}
		let params = (new URL(window.location)).searchParams;
	
		let token = params.get("code");
		if (token != null) {
			console.log("got token callback:", token);
		}

		return authorizeToken(token)
			.catch((e) => {
				console.log("Error processing oauth callback:", e);
				logout(); // just to be sure
			});
	}

	function authorizeToken(token) {
		let url = new URL(config.instance);
		url.pathname = "/oauth/token";
		return fetch(url.href, {
			method: "POST",
			headers: {
				"Content-Type": "application/json"
			},
			body: JSON.stringify({
				client_id: state.client_id,
				client_secret: state.client_secret,
				redirect_uri: getCurrentUrl(),
				grant_type: "authorization_code",
				code: token
			})
		}).then((res) => {
			if (res.status != 200) {
				throw res;
			}
			return res.json();
		}).then((json) => {
			state.access_token = json.access_token;
			storeState();
			window.location = getCurrentUrl(); // clear ?token=
		});
	}

	function isAuthorized() {
		return (state.access_token != undefined);
	}

	function apiRequest(path, method, data, type="json", accept="json") {
		if (!isAuthorized()) {
			throw new Error("Not Authenticated");
		}
		let url = new URL(config.instance);
		let [p, s] = path.split("?");
		url.pathname = p;
		if (s != undefined) {
			url.search = s;
		}
		let headers = {
			"Authorization": `Bearer ${state.access_token}`,
			"Accept": accept == "json" ? "application/json" : "*/*"
		};
		let body = data;
		if (type == "json" && body != undefined) {
			headers["Content-Type"] = "application/json";
			body = JSON.stringify(data);
		}
		return fetch(url.href, {
			method,
			headers,
			body
		}).then((res) => {
			return Promise.all([res.json(), res]);
		}).then(([json, res]) => {
			if (res.status != 200) {
				if (json.error) {
					throw new Error(json.error);
				} else {
					throw new Error(`${res.status}: ${res.statusText}`);
				}
			} else {
				return json;
			}
		});
	}

	function logout() {
		let url = new URL(config.instance);
		url.pathname = "/oauth/revoke";
		return fetch(url.href, {
			method: "POST",
			headers: {
				"Content-Type": "application/json"
			},
			body: JSON.stringify({
				client_id: state.client_id,
				client_secret: state.client_secret,
				token: state.access_token,
			})
		}).then((res) => {
			if (res.status != 200) {
				// GoToSocial doesn't actually implement this route yet,
				// so error is to be expected
				return;
			}
			return res.json();
		}).catch(() => {
			// see above
		}).then(() => {
			localStorage.removeItem("oauth");
			window.location = getCurrentUrl();
		});
	}

	return {
		register, authorize, callback, isAuthorized, apiRequest, logout
	};
};
[frontend] Restructure Frontend Sources (#634) * 🐸restructure frontend stuff, include admin and future user panel in main repo, properly deduplicate bundles for css+js across uses * rename bundled to dist, caught by gitignore * re-include status.css for profile template * default to localhost * serve frontend panels * add todo message for abstraction * refactor oauth registration flow * oauth restructure * update footer template * change panel routes * remove superfluous css imports * write bundle to disk from test server, use forked budo-express * wrap all page content in container for robustness with addons etc injection other elements in body * update documentation, goreleaser, Dockerfile * update template meta tags * add AGPL-3.0+ license header everywhere * only attach update listener on EventEmitter * cleaner config for various frontend bundles * fix bundler script paths * Merge commit 'd191931932b9293ce1be44ed08a1e69b9fcc1e25' * fix up dockerfile, goreleaser * go mod tidy * add uglifyify * move status hide/show js to frontend bundle * fix stylesheet color( func regressions * update contributing docs for new build path * update goreleaser + docker building * resolve dependency paths properly * update package name * use api errorhandler Co-authored-by: tsmethurst <tobi.smethurst@protonmail.com> 2022-06-09 12:51:19 +02:00			`/*`
			`GoToSocial`
			`Copyright (C) 2021-2022 GoToSocial Authors admin@gotosocial.org`

			`This program is free software: you can redistribute it and/or modify`
			`it under the terms of the GNU Affero General Public License as published by`
			`the Free Software Foundation, either version 3 of the License, or`
			`(at your option) any later version.`

			`This program is distributed in the hope that it will be useful,`
			`but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`GNU Affero General Public License for more details.`

			`You should have received a copy of the GNU Affero General Public License`
			`along with this program. If not, see <http://www.gnu.org/licenses/>.`
			`*/`

			`"use strict";`

			`const Promise = require("bluebird");`

			`function getCurrentUrl() {`
			`return window.location.origin + window.location.pathname; // strips ?query=string and #hash`
			`}`

			`module.exports = function oauthClient(config, initState) {`
			`/* config:`
			`instance: instance domain (https://testingtesting123.xyz)`
			`client_name: "GoToSocial Admin Panel"`
			`scope: []`
			`website:`
			`*/`

			`let state = initState;`
			`if (initState == undefined) {`
			`state = localStorage.getItem("oauth");`
			`if (state == undefined) {`
			`state = {`
			`config`
			`};`
			`storeState();`
			`} else {`
			`state = JSON.parse(state);`
			`}`
			`}`

			`function storeState() {`
			`localStorage.setItem("oauth", JSON.stringify(state));`
			`}`

			`/* register app`
			`/api/v1/apps`
			`*/`
			`function register() {`
			`if (state.client_id != undefined) {`
			`return true; // we already have a registration`
			`}`
			`let url = new URL(config.instance);`
			`url.pathname = "/api/v1/apps";`

			`return fetch(url.href, {`
			`method: "POST",`
			`headers: {`
			`'Content-Type': 'application/json'`
			`},`
			`body: JSON.stringify({`
			`client_name: config.client_name,`
			`redirect_uris: getCurrentUrl(),`
			`scopes: config.scope.join(" "),`
			`website: getCurrentUrl()`
			`})`
			`}).then((res) => {`
			`if (res.status != 200) {`
			`throw res;`
			`}`
			`return res.json();`
			`}).then((json) => {`
			`state.client_id = json.client_id;`
			`state.client_secret = json.client_secret;`
			`storeState();`
			`});`
			`}`

			`/* authorize:`
			`/oauth/authorize`
			`?client_id=CLIENT_ID`
			`&redirect_uri=window.location.href`
			`&response_type=code`
			`&scope=admin`
			`*/`
			`function authorize() {`
			`let url = new URL(config.instance);`
			`url.pathname = "/oauth/authorize";`
			`url.searchParams.set("client_id", state.client_id);`
			`url.searchParams.set("redirect_uri", getCurrentUrl());`
			`url.searchParams.set("response_type", "code");`
			`url.searchParams.set("scope", config.scope.join(" "));`

			`window.location.assign(url.href);`
			`}`

			`function callback() {`
			`if (state.access_token != undefined) {`
			`return; // we're already done :)`
			`}`
			`let params = (new URL(window.location)).searchParams;`

			`let token = params.get("code");`
			`if (token != null) {`
			`console.log("got token callback:", token);`
			`}`

			`return authorizeToken(token)`
			`.catch((e) => {`
			`console.log("Error processing oauth callback:", e);`
			`logout(); // just to be sure`
			`});`
			`}`

			`function authorizeToken(token) {`
			`let url = new URL(config.instance);`
			`url.pathname = "/oauth/token";`
			`return fetch(url.href, {`
			`method: "POST",`
			`headers: {`
			`"Content-Type": "application/json"`
			`},`
			`body: JSON.stringify({`
			`client_id: state.client_id,`
			`client_secret: state.client_secret,`
			`redirect_uri: getCurrentUrl(),`
			`grant_type: "authorization_code",`
			`code: token`
			`})`
			`}).then((res) => {`
			`if (res.status != 200) {`
			`throw res;`
			`}`
			`return res.json();`
			`}).then((json) => {`
			`state.access_token = json.access_token;`
			`storeState();`
			`window.location = getCurrentUrl(); // clear ?token=`
			`});`
			`}`

			`function isAuthorized() {`
			`return (state.access_token != undefined);`
			`}`

[frontend] add Accept header to oauthed api requests (#657) 2022-06-20 10:44:01 +02:00			`function apiRequest(path, method, data, type="json", accept="json") {`
[frontend] Restructure Frontend Sources (#634) * 🐸restructure frontend stuff, include admin and future user panel in main repo, properly deduplicate bundles for css+js across uses * rename bundled to dist, caught by gitignore * re-include status.css for profile template * default to localhost * serve frontend panels * add todo message for abstraction * refactor oauth registration flow * oauth restructure * update footer template * change panel routes * remove superfluous css imports * write bundle to disk from test server, use forked budo-express * wrap all page content in container for robustness with addons etc injection other elements in body * update documentation, goreleaser, Dockerfile * update template meta tags * add AGPL-3.0+ license header everywhere * only attach update listener on EventEmitter * cleaner config for various frontend bundles * fix bundler script paths * Merge commit 'd191931932b9293ce1be44ed08a1e69b9fcc1e25' * fix up dockerfile, goreleaser * go mod tidy * add uglifyify * move status hide/show js to frontend bundle * fix stylesheet color( func regressions * update contributing docs for new build path * update goreleaser + docker building * resolve dependency paths properly * update package name * use api errorhandler Co-authored-by: tsmethurst <tobi.smethurst@protonmail.com> 2022-06-09 12:51:19 +02:00			`if (!isAuthorized()) {`
			`throw new Error("Not Authenticated");`
			`}`
			`let url = new URL(config.instance);`
			`let [p, s] = path.split("?");`
			`url.pathname = p;`
			`if (s != undefined) {`
			`url.search = s;`
			`}`
			`let headers = {`
[frontend] add Accept header to oauthed api requests (#657) 2022-06-20 10:44:01 +02:00			"Authorization": `Bearer ${state.access_token}`,
			`"Accept": accept == "json" ? "application/json" : "/"`
[frontend] Restructure Frontend Sources (#634) * 🐸restructure frontend stuff, include admin and future user panel in main repo, properly deduplicate bundles for css+js across uses * rename bundled to dist, caught by gitignore * re-include status.css for profile template * default to localhost * serve frontend panels * add todo message for abstraction * refactor oauth registration flow * oauth restructure * update footer template * change panel routes * remove superfluous css imports * write bundle to disk from test server, use forked budo-express * wrap all page content in container for robustness with addons etc injection other elements in body * update documentation, goreleaser, Dockerfile * update template meta tags * add AGPL-3.0+ license header everywhere * only attach update listener on EventEmitter * cleaner config for various frontend bundles * fix bundler script paths * Merge commit 'd191931932b9293ce1be44ed08a1e69b9fcc1e25' * fix up dockerfile, goreleaser * go mod tidy * add uglifyify * move status hide/show js to frontend bundle * fix stylesheet color( func regressions * update contributing docs for new build path * update goreleaser + docker building * resolve dependency paths properly * update package name * use api errorhandler Co-authored-by: tsmethurst <tobi.smethurst@protonmail.com> 2022-06-09 12:51:19 +02:00			`};`
			`let body = data;`
			`if (type == "json" && body != undefined) {`
			`headers["Content-Type"] = "application/json";`
			`body = JSON.stringify(data);`
			`}`
			`return fetch(url.href, {`
			`method,`
			`headers,`
			`body`
			`}).then((res) => {`
			`return Promise.all([res.json(), res]);`
			`}).then(([json, res]) => {`
			`if (res.status != 200) {`
			`if (json.error) {`
			`throw new Error(json.error);`
			`} else {`
			throw new Error(`${res.status}: ${res.statusText}`);
			`}`
			`} else {`
			`return json;`
			`}`
			`});`
			`}`

			`function logout() {`
			`let url = new URL(config.instance);`
			`url.pathname = "/oauth/revoke";`
			`return fetch(url.href, {`
			`method: "POST",`
			`headers: {`
			`"Content-Type": "application/json"`
			`},`
			`body: JSON.stringify({`
			`client_id: state.client_id,`
			`client_secret: state.client_secret,`
			`token: state.access_token,`
			`})`
			`}).then((res) => {`
			`if (res.status != 200) {`
			`// GoToSocial doesn't actually implement this route yet,`
			`// so error is to be expected`
			`return;`
			`}`
			`return res.json();`
			`}).catch(() => {`
			`// see above`
			`}).then(() => {`
			`localStorage.removeItem("oauth");`
			`window.location = getCurrentUrl();`
			`});`
			`}`

			`return {`
			`register, authorize, callback, isAuthorized, apiRequest, logout`
			`};`
			`};`