[feature] Refactor tokens, allow multiple app redirect_uris (#3849)

* [feature] Refactor tokens, allow multiple app redirect_uris

* move + tweak handlers a bit

* return error for unset oauth2.ClientStore funcs

* wrap UpdateToken with cache

* panic handling

* cheeky little time optimization

* unlock on error

internal/gtsmodel/application.go

@@ -17,18 +17,39 @@
 
 package gtsmodel
 
-import "time"
+import "strings"
 
-// Application represents an application that can perform actions on behalf of a user.
-// It is used to authorize tokens etc, and is associated with an oauth client id in the database.
+// Application represents an application that
+// can perform actions on behalf of a user.
+//
+// It is equivalent to an OAuth client.
 type Application struct {
-	ID           string    `bun:"type:CHAR(26),pk,nullzero,notnull,unique"`                    // id of this item in the database
-	CreatedAt    time.Time `bun:"type:timestamptz,nullzero,notnull,default:current_timestamp"` // when was item created
-	UpdatedAt    time.Time `bun:"type:timestamptz,nullzero,notnull,default:current_timestamp"` // when was item last updated
-	Name         string    `bun:",notnull"`                                                    // name of the application given when it was created (eg., 'tusky')
-	Website      string    `bun:",nullzero"`                                                   // website for the application given when it was created (eg., 'https://tusky.app')
-	RedirectURI  string    `bun:",nullzero,notnull"`                                           // redirect uri requested by the application for oauth2 flow
-	ClientID     string    `bun:"type:CHAR(26),nullzero,notnull"`                              // id of the associated oauth client entity in the db
-	ClientSecret string    `bun:",nullzero,notnull"`                                           // secret of the associated oauth client entity in the db
-	Scopes       string    `bun:",notnull"`                                                    // scopes requested when this app was created
+	ID              string   `bun:"type:CHAR(26),pk,nullzero,notnull,unique"` // id of this item in the database
+	Name            string   `bun:",notnull"`                                 // name of the application given when it was created (eg., 'tusky')
+	Website         string   `bun:",nullzero"`                                // website for the application given when it was created (eg., 'https://tusky.app')
+	RedirectURIs    []string `bun:"redirect_uris,array"`                      // redirect uris requested by the application for oauth2 flow
+	ClientID        string   `bun:"type:CHAR(26),nullzero,notnull"`           // id of the associated oauth client entity in the db
+	ClientSecret    string   `bun:",nullzero,notnull"`                        // secret of the associated oauth client entity in the db
+	Scopes          string   `bun:",notnull"`                                 // scopes requested when this app was created
+	ManagedByUserID string   `bun:"type:CHAR(26),nullzero"`                   // id of the user that manages this application, if it was created through the settings panel
+}
+
+// Implements oauth2.ClientInfo.
+func (a *Application) GetID() string {
+	return a.ClientID
+}
+
+// Implements oauth2.ClientInfo.
+func (a *Application) GetSecret() string {
+	return a.ClientSecret
+}
+
+// Implements oauth2.ClientInfo.
+func (a *Application) GetDomain() string {
+	return strings.Join(a.RedirectURIs, "\n")
+}
+
+// Implements oauth2.ClientInfo.
+func (a *Application) GetUserID() string {
+	return a.ManagedByUserID
 }

internal/gtsmodel/client.go

@@ -1,30 +0,0 @@
-// GoToSocial
-// Copyright (C) GoToSocial Authors admin@gotosocial.org
-// SPDX-License-Identifier: AGPL-3.0-or-later
-//
-// This program is free software: you can redistribute it and/or modify
-// it under the terms of the GNU Affero General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU Affero General Public License for more details.
-//
-// You should have received a copy of the GNU Affero General Public License
-// along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-package gtsmodel
-
-import "time"
-
-// Client is a wrapper for OAuth client details.
-type Client struct {
-	ID        string    `bun:"type:CHAR(26),pk,nullzero,notnull,unique"`                    // id of this item in the database
-	CreatedAt time.Time `bun:"type:timestamptz,nullzero,notnull,default:current_timestamp"` // when was item created
-	UpdatedAt time.Time `bun:"type:timestamptz,nullzero,notnull,default:current_timestamp"` // when was item last updated
-	Secret    string    `bun:",nullzero,notnull"`                                           // secret generated when client was created
-	Domain    string    `bun:",nullzero,notnull"`                                           // domain requested for client
-	UserID    string    `bun:"type:CHAR(26),nullzero"`                                      // id of the user that this client acts on behalf of
-}

internal/gtsmodel/token.go

@@ -22,22 +22,21 @@ import "time"
 // Token is a translation of the gotosocial token
 // with the ExpiresIn fields replaced with ExpiresAt.
 type Token struct {
-	ID                  string    `bun:"type:CHAR(26),pk,nullzero,notnull,unique"`                    // id of this item in the database
-	CreatedAt           time.Time `bun:"type:timestamptz,nullzero,notnull,default:current_timestamp"` // when was item created
-	UpdatedAt           time.Time `bun:"type:timestamptz,nullzero,notnull,default:current_timestamp"` // when was item last updated
-	ClientID            string    `bun:"type:CHAR(26),nullzero,notnull"`                              // ID of the client who owns this token
-	UserID              string    `bun:"type:CHAR(26),nullzero"`                                      // ID of the user who owns this token
-	RedirectURI         string    `bun:",nullzero,notnull"`                                           // Oauth redirect URI for this token
-	Scope               string    `bun:",notnull"`                                                    // Oauth scope
-	Code                string    `bun:",pk,nullzero,notnull,default:''"`                             // Code, if present
-	CodeChallenge       string    `bun:",nullzero"`                                                   // Code challenge, if code present
-	CodeChallengeMethod string    `bun:",nullzero"`                                                   // Code challenge method, if code present
-	CodeCreateAt        time.Time `bun:"type:timestamptz,nullzero"`                                   // Code created time, if code present
-	CodeExpiresAt       time.Time `bun:"type:timestamptz,nullzero"`                                   // Code expires at -- null means the code never expires
-	Access              string    `bun:",pk,nullzero,notnull,default:''"`                             // User level access token, if present
-	AccessCreateAt      time.Time `bun:"type:timestamptz,nullzero"`                                   // User level access token created time, if access present
-	AccessExpiresAt     time.Time `bun:"type:timestamptz,nullzero"`                                   // User level access token expires at -- null means the token never expires
-	Refresh             string    `bun:",pk,nullzero,notnull,default:''"`                             // Refresh token, if present
-	RefreshCreateAt     time.Time `bun:"type:timestamptz,nullzero"`                                   // Refresh created at, if refresh present
-	RefreshExpiresAt    time.Time `bun:"type:timestamptz,nullzero"`                                   // Refresh expires at -- null means the refresh token never expires
+	ID                  string    `bun:"type:CHAR(26),pk,nullzero,notnull,unique"` // id of this item in the database
+	LastUsed            time.Time `bun:"type:timestamptz,nullzero"`                // approximate time when this token was last used
+	ClientID            string    `bun:"type:CHAR(26),nullzero,notnull"`           // ID of the client who owns this token
+	UserID              string    `bun:"type:CHAR(26),nullzero"`                   // ID of the user who owns this token
+	RedirectURI         string    `bun:",nullzero,notnull"`                        // Oauth redirect URI for this token
+	Scope               string    `bun:",nullzero,notnull,default:'read'"`         // Oauth scope                                // Oauth scope
+	Code                string    `bun:",pk,nullzero,notnull,default:''"`          // Code, if present
+	CodeChallenge       string    `bun:",nullzero"`                                // Code challenge, if code present
+	CodeChallengeMethod string    `bun:",nullzero"`                                // Code challenge method, if code present
+	CodeCreateAt        time.Time `bun:"type:timestamptz,nullzero"`                // Code created time, if code present
+	CodeExpiresAt       time.Time `bun:"type:timestamptz,nullzero"`                // Code expires at -- null means the code never expires
+	Access              string    `bun:",pk,nullzero,notnull,default:''"`          // User level access token, if present
+	AccessCreateAt      time.Time `bun:"type:timestamptz,nullzero"`                // User level access token created time, if access present
+	AccessExpiresAt     time.Time `bun:"type:timestamptz,nullzero"`                // User level access token expires at -- null means the token never expires
+	Refresh             string    `bun:",pk,nullzero,notnull,default:''"`          // Refresh token, if present
+	RefreshCreateAt     time.Time `bun:"type:timestamptz,nullzero"`                // Refresh created at, if refresh present
+	RefreshExpiresAt    time.Time `bun:"type:timestamptz,nullzero"`                // Refresh expires at -- null means the refresh token never expires
 }