oauth: get token support code in URL

2023-02-15 18:31:20 +00:00 · 2023-02-15 18:31:20 +00:00 · 22745197e2
commit 22745197e2
--- a/backend/test/mastodon/oauth.spec.ts
+++ b/backend/test/mastodon/oauth.spec.ts
@ -240,5 +240,25 @@ describe('Mastodon APIs', () => {
 			assert.equal(res.status, 200)
 			assertCORS(res)
 		})
+
+		test('token handles code in URL', async () => {
+			const db = await makeDB()
+			const client = await createTestClient(db, 'https://localhost')
+
+			const code = client.id + '.a'
+
+			const req = new Request('https://example.com/oauth/token?code=' + code, {
+				method: 'POST',
+				headers: {
+					'content-type': 'application/json',
+				},
+				body: '',
+			})
+			const res = await oauth_token.handleRequest(db, req)
+			assert.equal(res.status, 200)
+
+			const data = await res.json<any>()
+			assert.equal(data.access_token, code)
+		})
 	})
 })
--- a/functions/oauth/token.ts
+++ b/functions/oauth/token.ts
@ -24,12 +24,23 @@ export async function handleRequest(db: D1Database, request: Request): Promise<R
 		return new Response('', { headers })
 	}

-	const data = await readBody<Body>(request)
-	if (!data.code) {
+	let data: Body = { code: null }
+	try {
+		data = await readBody<Body>(request)
+	} catch (err: any) {
+        // ignore error
+    }
+
+	let code = data.code
+	if (!code) {
+		const url = new URL(request.url)
+		code = url.searchParams.get('code')
+	}
+	if (!code) {
 		return errors.notAuthorized('missing authorization')
 	}

-	const parts = data.code.split('.')
+	const parts = code.split('.')
 	const clientId = parts[0]

 	const client = await getClientById(db, clientId)
@ -38,7 +49,7 @@ export async function handleRequest(db: D1Database, request: Request): Promise<R
 	}

 	const res = {
-		access_token: data.code,
+		access_token: code,
 		token_type: 'Bearer',
 		scope: client.scopes,
 		created_at: (Date.now() / 1000) | 0,