Conditional OAuth scopes

2021-08-22 19:13:09 -05:00 · 2021-08-22 19:13:09 -05:00 · 39c95f7a00
commit 39c95f7a00
--- a/app/soapbox/actions/auth.js
+++ b/app/soapbox/actions/auth.js
@ -17,6 +17,7 @@ import { getLoggedInAccount, parseBaseURL } from 'soapbox/utils/auth';
 import { createApp } from 'soapbox/actions/apps';
 import { obtainOAuthToken, revokeOAuthToken } from 'soapbox/actions/oauth';
 import sourceCode from 'soapbox/utils/code';
+import { getFeatures } from 'soapbox/utils/features';

 export const SWITCH_ACCOUNT = 'SWITCH_ACCOUNT';

@ -36,6 +37,12 @@ export const messages = defineMessages({

 const noOp = () => () => new Promise(f => f());

+const getScopes = state => {
+  const instance = state.get('instance');
+  const { scopes } = getFeatures(instance);
+  return scopes;
+};
+
 function createAppAndToken() {
  return (dispatch, getState) => {
    return dispatch(createAuthApp()).then(() => {
@ -49,7 +56,7 @@ function createAuthApp() {
    const params = {
      client_name:   sourceCode.displayName,
      redirect_uris: 'urn:ietf:wg:oauth:2.0:oob',
-      scopes:        'read write follow push admin',
+      scopes:        getScopes(getState()),
      website:       sourceCode.homepage,
    };

@ -68,6 +75,7 @@ function createAppToken() {
      client_secret: app.get('client_secret'),
      redirect_uri:  'urn:ietf:wg:oauth:2.0:oob',
      grant_type:    'client_credentials',
+      scope:         getScopes(getState()),
    };

    return dispatch(obtainOAuthToken(params)).then(token => {
@ -87,6 +95,7 @@ function createUserToken(username, password) {
      grant_type:    'password',
      username:      username,
      password:      password,
+      scope:         getScopes(getState()),
    };

    return dispatch(obtainOAuthToken(params))
@ -107,6 +116,7 @@ export function refreshUserToken() {
      refresh_token: refreshToken,
      redirect_uri:  'urn:ietf:wg:oauth:2.0:oob',
      grant_type:    'refresh_token',
+      scope:         getScopes(getState()),
    };

    return dispatch(obtainOAuthToken(params))
--- a/app/soapbox/actions/external_auth.js
+++ b/app/soapbox/actions/external_auth.js
@ -6,39 +6,51 @@
 * @see module:soapbox/actions/oauth
 */

+import { baseClient } from '../api';
 import { createApp } from 'soapbox/actions/apps';
 import { obtainOAuthToken } from 'soapbox/actions/oauth';
 import { authLoggedIn, verifyCredentials } from 'soapbox/actions/auth';
 import { parseBaseURL } from 'soapbox/utils/auth';
+import { getFeatures } from 'soapbox/utils/features';
 import sourceCode from 'soapbox/utils/code';
+import { fromJS } from 'immutable';

-const scope = 'read write follow push';
+const fetchExternalInstance = baseURL => {
+  return baseClient(null, baseURL)
+    .get('/api/v1/instance')
+    .then(({ data: instance }) => fromJS(instance));
+};

 export function createAppAndRedirect(host) {
  return (dispatch, getState) => {
    const baseURL = parseBaseURL(host) || parseBaseURL(`https://${host}`);

-    const params = {
-      client_name:   sourceCode.displayName,
-      redirect_uris: `${window.location.origin}/auth/external`,
-      website:       sourceCode.homepage,
-      scopes:        scope,
-    };
+    return fetchExternalInstance(baseURL).then(instance => {
+      const { scopes } = getFeatures(instance);

-    return dispatch(createApp(params, baseURL)).then(app => {
-      const { client_id, redirect_uri } = app;
+      const params = {
+        client_name:   sourceCode.displayName,
+        redirect_uris: `${window.location.origin}/auth/external`,
+        website:       sourceCode.homepage,
+        scopes,
+      };

-      const query = new URLSearchParams({
-        client_id,
-        redirect_uri,
-        response_type: 'code',
-        scope,
+      return dispatch(createApp(params, baseURL)).then(app => {
+        const { client_id, redirect_uri } = app;
+
+        const query = new URLSearchParams({
+          client_id,
+          redirect_uri,
+          response_type: 'code',
+          scope: scopes,
+        });
+
+        localStorage.setItem('soapbox:external:app', JSON.stringify(app));
+        localStorage.setItem('soapbox:external:baseurl', baseURL);
+        localStorage.setItem('soapbox:external:scopes', scopes);
+
+        window.location.href = `${baseURL}/oauth/authorize?${query.toString()}`;
      });
-
-      localStorage.setItem('soapbox:external:app', JSON.stringify(app));
-      localStorage.setItem('soapbox:external:baseurl', baseURL);
-
-      window.location.href = `${baseURL}/oauth/authorize?${query.toString()}`;
    });
  };
 }
@ -47,6 +59,7 @@ export function loginWithCode(code) {
  return (dispatch, getState) => {
    const { client_id, client_secret, redirect_uri } = JSON.parse(localStorage.getItem('soapbox:external:app'));
    const baseURL = localStorage.getItem('soapbox:external:baseurl');
+    const scope   = localStorage.getItem('soapbox:external:scopes');

    const params = {
      client_id,
--- a/app/soapbox/utils/features.js
+++ b/app/soapbox/utils/features.js
@ -17,6 +17,7 @@ export const getFeatures = createSelector([
    importMutes: v.software === 'Pleroma' && gte(v.version, '2.2.0'),
    emailList: f.includes('email_list'),
    chats: v.software === 'Pleroma' && gte(v.version, '2.1.0'),
+    scopes: v.software === 'Pleroma' ? 'read write follow push admin' : 'read write follow push',
  };
 });