Fix oauth to respond with unhashed token on creation

2022-11-08 19:37:05 +00:00 · 2022-11-08 19:37:05 +00:00 · 515b502364
commit 515b502364
--- a/api/funkwhale_api/users/oauth/serializers.py
+++ b/api/funkwhale_api/users/oauth/serializers.py
@ -32,7 +32,7 @@ class CreateApplicationSerializer(serializers.ModelSerializer):
            "updated",
            "redirect_uris",
        ]
-        read_only_fields = ["client_id", "client_secret", "created", "updated"]
+        read_only_fields = ["client_id", "created", "updated"]

    def to_representation(self, obj):
        repr = super().to_representation(obj)
--- a/api/funkwhale_api/users/oauth/views.py
+++ b/api/funkwhale_api/users/oauth/views.py
@ -1,5 +1,6 @@
 import json
 import urllib.parse
+import secrets

 from django import http
 from django.utils import timezone
@ -49,6 +50,21 @@ class ApplicationViewSet(
        }
    }

+    def create(self, request, *args, **kwargs):
+        request_data = request.data.copy()
+        try:
+            secret = request_data["client_secret"]
+        except KeyError:
+            secret = secrets.token_hex(64)
+            request_data["client_secret"] = secret
+        serializer = self.get_serializer(data=request_data)
+        serializer.is_valid(raise_exception=True)
+        self.perform_create(serializer)
+        headers = self.get_success_headers(serializer.data)
+        data = serializer.data
+        data["client_secret"] = secret
+        return response.Response(data, status=201, headers=headers)
+
    def get_serializer_class(self):
        if self.request.method.lower() == "post":
            return serializers.CreateApplicationSerializer
--- a/api/tests/users/oauth/test_views.py
+++ b/api/tests/users/oauth/test_views.py
@ -19,6 +19,7 @@ def test_apps_post(api_client, db):
    assert response.status_code == 201

    app = models.Application.objects.get(name=data["name"])
+    setattr(app, "client_secret", response.data["client_secret"])

    assert app.client_type == models.Application.CLIENT_CONFIDENTIAL
    assert app.authorization_grant_type == models.Application.GRANT_AUTHORIZATION_CODE
@ -40,6 +41,7 @@ def test_apps_post_logged_in_user(logged_in_api_client, db):
    assert response.status_code == 201

    app = models.Application.objects.get(name=data["name"])
+    setattr(app, "client_secret", response.data["client_secret"])

    assert app.client_type == models.Application.CLIENT_CONFIDENTIAL
    assert app.authorization_grant_type == models.Application.GRANT_AUTHORIZATION_CODE