M database.go → database.go

@@ -1212,6 +1212,7 @@ var stmtSaveMastoApp *sql.Stmt
 var stmtCheckClientId *sql.Stmt
 var stmtCheckClient *sql.Stmt
 var stmtSaveMastoAppToken *sql.Stmt
+var stmtSaveMastoAccessToken *sql.Stmt
 var stmtGetMastoApp *sqlx.Stmt
 
 func preparetodie(db *sql.DB, s string) *sql.Stmt {
@@ -1317,6 +1318,7 @@ stmtSaveMastoApp = preparetodie(db, "insert into masto (clientname, redirecturis, scopes, clientid, clientsecret, vapidkey, authtoken) values (?, ?, ?, ?, ?, ?, ?)")
 	stmtSaveMastoAppToken = preparetodie(db, "update masto set authtoken = ?")
 	stmtCheckClientId = preparetodie(db, "select clientid from masto where clientid = ?")
 	stmtCheckClient = preparetodie(db, "select clientid, clientsecret from masto where clientid = ? and clientsecret = ?")
+	stmtSaveMastoAccessToken = preparetodie(db, "insert into mastokens (clientid, accesstoken) values (?, ?)")
 }
 
 func prepareStatementsx(dbx *sqlx.DB) {

M masto.go → masto.go

@@ -5,6 +5,7 @@ "database/sql"
 	"fmt"
 	"log"
 	"net/http"
+	"time"
 
 	"humungus.tedunangst.com/r/webs/junk"
 	"humungus.tedunangst.com/r/webs/login"
@@ -97,16 +98,16 @@ }
 
 // https://docs.joinmastodon.org/methods/oauth/#token
 func oauthtoken(rw http.ResponseWriter, r *http.Request) {
-	// grantType := r.FormValue("grant_type")
-	// code := r.FormValue("code")
+	grantType := r.FormValue("grant_type")
+	code := r.FormValue("code")
 	clientID := r.FormValue("client_id")
 	clientSecret := r.FormValue("client_secret")
-	// redirectURI := r.FormValue("redirect_uri")
-	// gotScopes := r.FormValue("scopes")
+	redirectURI := r.FormValue("redirect_uri")
+	gotScopes := r.FormValue("scopes")
 
 	if !checkClient(clientID, clientSecret) {
 		elog.Println("oauth: no such client:", clientID)
-		rw.WriteHeader(http.StatusUnauthorized)
+		rw.WriteHeader(http.StatusBadRequest)
 		return
 	}
 
@@ -114,12 +115,43 @@ app := MastoApp{}
 	row := stmtGetMastoApp.QueryRowx(clientID)
 	err := row.StructScan(&app)
 	if err == sql.ErrNoRows {
-		elog.Printf("oauth: invalid client: %s", clientID)
-		rw.WriteHeader(http.StatusUnauthorized)
+		elog.Printf("oauth: invalid client: %s\n", clientID)
+		rw.WriteHeader(http.StatusBadRequest)
 		return
 	}
 
-	fmt.Printf("%#v", app)
+	if app.Scopes != gotScopes {
+		elog.Println("oauth: bad scopes")
+		rw.WriteHeader(http.StatusBadRequest)
+	}
+
+	if app.RedirectURI != redirectURI {
+		elog.Println("oauth: incorrect redirect URI")
+		rw.WriteHeader(http.StatusBadRequest)
+	}
+
+	if grantType == "authorization_code" {
+		// idk if this is ok? should code be reset?
+		if app.AuthToken == code {
+			accessToken := tokengen()
+			_, err := stmtSaveMastoAccessToken.Exec(app.ClientID, accessToken)
+			if err != nil {
+				elog.Println("oauth: failed to save masto access token", err)
+				rw.WriteHeader(http.StatusInternalServerError)
+				return
+			}
+			j := junk.New()
+			j["access_token"] = accessToken
+			j["token_type"] = "Bearer"
+			j["scope"] = app.Scopes
+			j["created_at"] = time.Now().UTC().Unix()
+			goodjunk(rw, j)
+		}
+	} else {
+		// gaslight the client
+		elog.Println("oauth: bad grant_type: must be authorization_code")
+		rw.WriteHeader(http.StatusBadRequest)
+	}
 }
 
 // https://docs.joinmastodon.org/methods/instance/#v2

M schema.sql → schema.sql

@@ -11,6 +11,7 @@ create table honkmeta (honkid integer, genus text, json text);
 create table hfcs (hfcsid integer primary key, userid integer, json text);
 create table tracks (xid text, fetches text);
 create table masto (clientname text, redirecturis text, scopes text, clientid text, clientsecret text, vapidkey text, authtoken text);
+create table mastokens (clientid text, accesstoken text)
 
 create index idx_honksxid on honks(xid);
 create index idx_honksconvoy on honks(convoy);