98 lines
3.0 KiB
Ruby
98 lines
3.0 KiB
Ruby
# auto_register: false
|
|
# frozen_string_literal: true
|
|
|
|
module Micropub
|
|
class Action < Adamantium::Action
|
|
include Deps["logger",
|
|
"settings",
|
|
not_found_view: "views.not_found",
|
|
error_view: "views.error",
|
|
sentry: "sentry.client"]
|
|
|
|
include Dry::Matcher.for(:handle, with: Dry::Matcher::ResultMatcher)
|
|
include Dry::Monads[:result]
|
|
|
|
handle_exception ROM::TupleCountMismatchError => :not_found
|
|
handle_exception StandardError => :handle_error
|
|
|
|
def authenticate!(req, res)
|
|
halt 400 if req.env["HTTP_AUTHORIZATION"] && req.params[:access_token]
|
|
|
|
if Hanami.env == :development || Hanami.env == :test
|
|
req.env[:scopes] = verify_token(nil)
|
|
return true
|
|
end
|
|
|
|
# Pull out and verify the authorization header or access_token
|
|
|
|
if req.env["HTTP_AUTHORIZATION"]
|
|
header = req.env["HTTP_AUTHORIZATION"].match(/^Bearer (.*)$/)
|
|
access_token = header[1] unless header.nil?
|
|
elsif req.params["access_token"]
|
|
access_token = req.params["access_token"]
|
|
else
|
|
logger.error "Received request without a token"
|
|
halt 401
|
|
end
|
|
|
|
req.env[:access_token] = access_token
|
|
|
|
# Verify the token and extract scopes
|
|
req.env[:scopes] = verify_token(access_token)
|
|
end
|
|
|
|
def not_found(_req, res, _exception)
|
|
res.status = 404
|
|
res.render not_found_view
|
|
end
|
|
|
|
def handle_error(req, res, exception)
|
|
raise exception if settings.raise_exceptions
|
|
|
|
sentry.capture_exception(exception)
|
|
|
|
res.status = 500
|
|
res.render error_view
|
|
res.headers["Cache-Control"] = "no-store, max-age=0"
|
|
end
|
|
|
|
def verify_scope(req:, scope:)
|
|
req.env[:scopes].include? scope
|
|
end
|
|
|
|
private
|
|
|
|
def verify_token(access_token)
|
|
return %i[create update delete undelete media] if settings.shortcut_key == access_token
|
|
return %i[create update delete undelete media] if Hanami.env == :development || Hanami.env == :test
|
|
|
|
# Verify with IndieAuth
|
|
resp = HTTParty.get(settings.micropub_token_endpoint, {
|
|
headers: {
|
|
"Accept" => "application/x-www-form-urlencoded",
|
|
"Authorization" => "Bearer #{access_token}"
|
|
}
|
|
})
|
|
indie_auth_decoded_response = URI.decode_www_form(resp.body).to_h.transform_keys(&:to_sym)
|
|
indie_auth_verified = (indie_auth_decoded_response.include? :scope) && (indie_auth_decoded_response.include? :me)
|
|
|
|
# Verify with micro.blog
|
|
micro_blog_verified = if settings.microblog_auth_endpoint
|
|
resp = HTTParty.post(settings.microblog_auth_endpoint, body: {
|
|
token: access_token
|
|
})
|
|
micropub_decoded_response = JSON.parse(resp.body).transform_keys(&:to_sym)
|
|
!micropub_decoded_response.include? :error
|
|
end
|
|
|
|
halt 401 unless indie_auth_verified || micro_blog_verified
|
|
|
|
if indie_auth_verified
|
|
indie_auth_decoded_response[:scope].gsub("post", "create").split.map(&:to_sym)
|
|
elsif micro_blog_verified
|
|
[:create, :update]
|
|
end
|
|
end
|
|
end
|
|
end
|