mirror of
https://github.com/mastodon/mastodon.git
synced 2024-12-22 17:35:40 +01:00
Add userinfo oauth endpoint (#32548)
This commit is contained in:
parent
0a599d08d8
commit
e1b7382ea6
8 changed files with 112 additions and 12 deletions
11
app/controllers/oauth/userinfo_controller.rb
Normal file
11
app/controllers/oauth/userinfo_controller.rb
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
class Oauth::UserinfoController < Api::BaseController
|
||||||
|
before_action -> { doorkeeper_authorize! :profile }, only: [:show]
|
||||||
|
before_action :require_user!
|
||||||
|
|
||||||
|
def show
|
||||||
|
@account = current_account
|
||||||
|
render json: @account, serializer: OauthUserinfoSerializer
|
||||||
|
end
|
||||||
|
end
|
|
@ -26,6 +26,10 @@ class OauthMetadataPresenter < ActiveModelSerializers::Model
|
||||||
oauth_token_url
|
oauth_token_url
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def userinfo_endpoint
|
||||||
|
oauth_userinfo_url
|
||||||
|
end
|
||||||
|
|
||||||
# As the api_v1_apps route doesn't technically conform to the specification
|
# As the api_v1_apps route doesn't technically conform to the specification
|
||||||
# for OAuth 2.0 Dynamic Client Registration defined in RFC 7591 we use a
|
# for OAuth 2.0 Dynamic Client Registration defined in RFC 7591 we use a
|
||||||
# non-standard property for now to indicate the mastodon specific registration
|
# non-standard property for now to indicate the mastodon specific registration
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
class OauthMetadataSerializer < ActiveModel::Serializer
|
class OauthMetadataSerializer < ActiveModel::Serializer
|
||||||
attributes :issuer, :authorization_endpoint, :token_endpoint,
|
attributes :issuer, :authorization_endpoint, :token_endpoint,
|
||||||
:revocation_endpoint, :scopes_supported,
|
:revocation_endpoint, :userinfo_endpoint, :scopes_supported,
|
||||||
:response_types_supported, :response_modes_supported,
|
:response_types_supported, :response_modes_supported,
|
||||||
:grant_types_supported, :token_endpoint_auth_methods_supported,
|
:grant_types_supported, :token_endpoint_auth_methods_supported,
|
||||||
:code_challenge_methods_supported,
|
:code_challenge_methods_supported,
|
||||||
|
|
31
app/serializers/oauth_userinfo_serializer.rb
Normal file
31
app/serializers/oauth_userinfo_serializer.rb
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
class OauthUserinfoSerializer < ActiveModel::Serializer
|
||||||
|
include RoutingHelper
|
||||||
|
|
||||||
|
attributes :iss, :sub, :name, :preferred_username, :profile, :picture
|
||||||
|
|
||||||
|
def iss
|
||||||
|
root_url
|
||||||
|
end
|
||||||
|
|
||||||
|
def sub
|
||||||
|
ActivityPub::TagManager.instance.uri_for(object)
|
||||||
|
end
|
||||||
|
|
||||||
|
def name
|
||||||
|
object.display_name
|
||||||
|
end
|
||||||
|
|
||||||
|
def preferred_username
|
||||||
|
object.username
|
||||||
|
end
|
||||||
|
|
||||||
|
def profile
|
||||||
|
ActivityPub::TagManager.instance.url_for(object)
|
||||||
|
end
|
||||||
|
|
||||||
|
def picture
|
||||||
|
full_asset_url(object.avatar_original_url)
|
||||||
|
end
|
||||||
|
end
|
|
@ -23,6 +23,7 @@ Rails.application.config.middleware.insert_before 0, Rack::Cors do
|
||||||
methods: %i(post put delete get patch options)
|
methods: %i(post put delete get patch options)
|
||||||
resource '/oauth/token', methods: [:post]
|
resource '/oauth/token', methods: [:post]
|
||||||
resource '/oauth/revoke', methods: [:post]
|
resource '/oauth/revoke', methods: [:post]
|
||||||
|
resource '/oauth/userinfo', methods: [:get, :post]
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -64,6 +64,13 @@ Rails.application.routes.draw do
|
||||||
tokens: 'oauth/tokens'
|
tokens: 'oauth/tokens'
|
||||||
end
|
end
|
||||||
|
|
||||||
|
namespace :oauth do
|
||||||
|
# As this is borrowed from OpenID, the specification says we must also support
|
||||||
|
# POST for the userinfo endpoint:
|
||||||
|
# https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
|
||||||
|
match 'userinfo', via: [:get, :post], to: 'userinfo#show', defaults: { format: 'json' }
|
||||||
|
end
|
||||||
|
|
||||||
scope path: '.well-known' do
|
scope path: '.well-known' do
|
||||||
scope module: :well_known do
|
scope module: :well_known do
|
||||||
get 'oauth-authorization-server', to: 'oauth_metadata#show', as: :oauth_metadata, defaults: { format: 'json' }
|
get 'oauth-authorization-server', to: 'oauth_metadata#show', as: :oauth_metadata, defaults: { format: 'json' }
|
||||||
|
|
51
spec/requests/oauth/userinfo_spec.rb
Normal file
51
spec/requests/oauth/userinfo_spec.rb
Normal file
|
@ -0,0 +1,51 @@
|
||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
require 'rails_helper'
|
||||||
|
|
||||||
|
RSpec.describe 'Oauth Userinfo Endpoint' do
|
||||||
|
include RoutingHelper
|
||||||
|
|
||||||
|
let(:user) { Fabricate(:user) }
|
||||||
|
let(:account) { user.account }
|
||||||
|
let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) }
|
||||||
|
let(:scopes) { 'profile' }
|
||||||
|
let(:headers) { { 'Authorization' => "Bearer #{token.token}" } }
|
||||||
|
|
||||||
|
shared_examples 'returns successfully' do
|
||||||
|
it 'returns http success' do
|
||||||
|
subject
|
||||||
|
|
||||||
|
expect(response).to have_http_status(:success)
|
||||||
|
expect(response.content_type).to start_with('application/json')
|
||||||
|
expect(response.parsed_body).to include({
|
||||||
|
iss: root_url,
|
||||||
|
sub: account_url(account),
|
||||||
|
name: account.display_name,
|
||||||
|
preferred_username: account.username,
|
||||||
|
profile: short_account_url(account),
|
||||||
|
picture: full_asset_url(account.avatar_original_url),
|
||||||
|
})
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe 'GET /oauth/userinfo' do
|
||||||
|
subject do
|
||||||
|
get '/oauth/userinfo', headers: headers
|
||||||
|
end
|
||||||
|
|
||||||
|
it_behaves_like 'forbidden for wrong scope', 'read:accounts'
|
||||||
|
it_behaves_like 'returns successfully'
|
||||||
|
end
|
||||||
|
|
||||||
|
# As this is borrowed from OpenID, the specification says we must also support
|
||||||
|
# POST for the userinfo endpoint:
|
||||||
|
# https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
|
||||||
|
describe 'POST /oauth/userinfo' do
|
||||||
|
subject do
|
||||||
|
post '/oauth/userinfo', headers: headers
|
||||||
|
end
|
||||||
|
|
||||||
|
it_behaves_like 'forbidden for wrong scope', 'read:accounts'
|
||||||
|
it_behaves_like 'returns successfully'
|
||||||
|
end
|
||||||
|
end
|
|
@ -3,12 +3,6 @@
|
||||||
require 'rails_helper'
|
require 'rails_helper'
|
||||||
|
|
||||||
RSpec.describe 'The /.well-known/oauth-authorization-server request' do
|
RSpec.describe 'The /.well-known/oauth-authorization-server request' do
|
||||||
let(:protocol) { ENV.fetch('LOCAL_HTTPS', true) ? :https : :http }
|
|
||||||
|
|
||||||
before do
|
|
||||||
host! Rails.configuration.x.local_domain
|
|
||||||
end
|
|
||||||
|
|
||||||
it 'returns http success with valid JSON response' do
|
it 'returns http success with valid JSON response' do
|
||||||
get '/.well-known/oauth-authorization-server'
|
get '/.well-known/oauth-authorization-server'
|
||||||
|
|
||||||
|
@ -22,11 +16,12 @@ RSpec.describe 'The /.well-known/oauth-authorization-server request' do
|
||||||
grant_types_supported << 'refresh_token' if Doorkeeper.configuration.refresh_token_enabled?
|
grant_types_supported << 'refresh_token' if Doorkeeper.configuration.refresh_token_enabled?
|
||||||
|
|
||||||
expect(response.parsed_body).to include(
|
expect(response.parsed_body).to include(
|
||||||
issuer: root_url(protocol: protocol),
|
issuer: root_url,
|
||||||
service_documentation: 'https://docs.joinmastodon.org/',
|
service_documentation: 'https://docs.joinmastodon.org/',
|
||||||
authorization_endpoint: oauth_authorization_url(protocol: protocol),
|
authorization_endpoint: oauth_authorization_url,
|
||||||
token_endpoint: oauth_token_url(protocol: protocol),
|
token_endpoint: oauth_token_url,
|
||||||
revocation_endpoint: oauth_revoke_url(protocol: protocol),
|
userinfo_endpoint: oauth_userinfo_url,
|
||||||
|
revocation_endpoint: oauth_revoke_url,
|
||||||
scopes_supported: Doorkeeper.configuration.scopes.map(&:to_s),
|
scopes_supported: Doorkeeper.configuration.scopes.map(&:to_s),
|
||||||
response_types_supported: Doorkeeper.configuration.authorization_response_types,
|
response_types_supported: Doorkeeper.configuration.authorization_response_types,
|
||||||
response_modes_supported: Doorkeeper.configuration.authorization_response_flows.flat_map(&:response_mode_matches).uniq,
|
response_modes_supported: Doorkeeper.configuration.authorization_response_flows.flat_map(&:response_mode_matches).uniq,
|
||||||
|
@ -34,7 +29,7 @@ RSpec.describe 'The /.well-known/oauth-authorization-server request' do
|
||||||
grant_types_supported: grant_types_supported,
|
grant_types_supported: grant_types_supported,
|
||||||
code_challenge_methods_supported: ['S256'],
|
code_challenge_methods_supported: ['S256'],
|
||||||
# non-standard extension:
|
# non-standard extension:
|
||||||
app_registration_endpoint: api_v1_apps_url(protocol: protocol)
|
app_registration_endpoint: api_v1_apps_url
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in a new issue