[feature] Refactor tokens, allow multiple app redirect_uris (#3849)

* [feature] Refactor tokens, allow multiple app redirect_uris * move + tweak handlers a bit * return error for unset oauth2.ClientStore funcs * wrap UpdateToken with cache * panic handling * cheeky little time optimization * unlock on error
2025-11-01 05:42:25 -05:00 · 2025-03-03 16:03:36 +01:00 · 2025-03-03 16:03:36 +01:00 · 1b37944f8b
commit 1b37944f8b
parent c80810eae8
77 changed files with 963 additions and 594 deletions
--- a/internal/processing/app.go
+++ b/internal/processing/app.go
@ -19,6 +19,9 @@ package processing

 import (
 	"context"
+	"fmt"
+	"net/url"
+	"strings"

 	"github.com/google/uuid"
 	apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
@ -26,10 +29,12 @@ import (
 	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
 	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
 	"github.com/superseriousbusiness/gotosocial/internal/id"
+	"github.com/superseriousbusiness/gotosocial/internal/oauth"
 )

 func (p *Processor) AppCreate(ctx context.Context, authed *apiutil.Auth, form *apimodel.ApplicationCreateRequest) (*apimodel.Application, gtserror.WithCode) {
-	// set default 'read' for scopes if it's not set
+	// Set default 'read' for
+	// scopes if it's not set.
 	var scopes string
 	if form.Scopes == "" {
 		scopes = "read"
@ -37,48 +42,47 @@ func (p *Processor) AppCreate(ctx context.Context, authed *apiutil.Auth, form *a
 		scopes = form.Scopes
 	}

-	// generate new IDs for this application and its associated client
+	// Normalize + parse requested redirect URIs.
+	form.RedirectURIs = strings.TrimSpace(form.RedirectURIs)
+	var redirectURIs []string
+	if form.RedirectURIs != "" {
+		// Redirect URIs can be just one value, or can be passed
+		// as a newline-separated list of strings. Ensure each URI
+		// is parseable + normalize it by reconstructing from *url.URL.
+		for _, redirectStr := range strings.Split(form.RedirectURIs, "\n") {
+			redirectURI, err := url.Parse(redirectStr)
+			if err != nil {
+				errText := fmt.Sprintf("error parsing redirect URI: %v", err)
+				return nil, gtserror.NewErrorBadRequest(err, errText)
+			}
+			redirectURIs = append(redirectURIs, redirectURI.String())
+		}
+	} else {
+		// No redirect URI(s) provided, just set default oob.
+		redirectURIs = append(redirectURIs, oauth.OOBURI)
+	}
+
+	// Generate random client ID.
 	clientID, err := id.NewRandomULID()
 	if err != nil {
 		return nil, gtserror.NewErrorInternalError(err)
 	}
-	clientSecret := uuid.NewString()

-	appID, err := id.NewRandomULID()
-	if err != nil {
-		return nil, gtserror.NewErrorInternalError(err)
-	}
-
-	// generate the application to put in the database
+	// Generate + store app
+	// to put in the database.
 	app := &gtsmodel.Application{
-		ID:           appID,
+		ID:           id.NewULID(),
 		Name:         form.ClientName,
 		Website:      form.Website,
-		RedirectURI:  form.RedirectURIs,
+		RedirectURIs: redirectURIs,
 		ClientID:     clientID,
-		ClientSecret: clientSecret,
+		ClientSecret: uuid.NewString(),
 		Scopes:       scopes,
 	}
-
-	// chuck it in the db
 	if err := p.state.DB.PutApplication(ctx, app); err != nil {
 		return nil, gtserror.NewErrorInternalError(err)
 	}

-	// now we need to model an oauth client from the application that the oauth library can use
-	oc := &gtsmodel.Client{
-		ID:     clientID,
-		Secret: clientSecret,
-		Domain: form.RedirectURIs,
-		// This client isn't yet associated with a specific user,  it's just an app client right now
-		UserID: "",
-	}
-
-	// chuck it in the db
-	if err := p.state.DB.PutClient(ctx, oc); err != nil {
-		return nil, gtserror.NewErrorInternalError(err)
-	}
-
 	apiApp, err := p.converter.AppToAPIAppSensitive(ctx, app)
 	if err != nil {
 		return nil, gtserror.NewErrorInternalError(err)