u
Anirudh Oppiliappan x@icyphox.sh
Sun, 21 Jan 2024 15:38:42 +0200
2 files changed,
30 insertions(+),
6 deletions(-)
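--- a/database.go
+++ b/database.go
@@ -1170,6 +1170,22 @@
 row.Scan(&count)
 return count
 }
+func checkClientID(clientID string) bool {
+ err := stmtCheckClientId.QueryRow(clientID).Scan()
+ if err == sql.ErrNoRows {
+ return false
+ }
+ return true
+}
+
+func checkClient(clientID, clientSecret string) bool {
+ err := stmtCheckClientId.QueryRow(clientID, clientSecret).Scan()
+ if err == sql.ErrNoRows {
+ return false
+ }
+ return true
+}
+
 var stmtHonkers, stmtDubbers, stmtNamedDubbers, stmtSaveHonker, stmtUpdateFlavor, stmtUpdateHonker *sql.Stmt
 var stmtDeleteHonker *sql.Stmt
 var stmtAnyXonk, stmtOneXonk, stmtPublicHonks, stmtUserHonks, stmtHonksByCombo, stmtHonksByConvoy *sql.Stmt
@@ -1194,6 +1210,7 @@
 var stmtGetActiveUserCount *sql.Stmt
 var stmtGetLocalHonkCount *sql.Stmt
 var stmtSaveMastoApp *sql.Stmt
 var stmtCheckClientId *sql.Stmt
+var stmtCheckClient *sql.Stmt
 var stmtSaveMastoAppToken *sql.Stmt
 var stmtGetMastoApp *sqlx.Stmt
@@ -1299,6 +1316,7 @@
 stmtSaveMastoApp = preparetodie(db, "insert into masto (clientname, redirecturis, scopes, clientid, clientsecret, vapidkey, authtoken) values (?, ?, ?, ?, ?, ?, ?)")
 stmtSaveMastoAppToken = preparetodie(db, "update masto set authtoken = ?")
 stmtCheckClientId = preparetodie(db, "select clientid from masto where clientid = ?")
+ stmtCheckClient = preparetodie(db, "select clientid, clientsecret from masto where clientid = ? and clientsecret = ?")
 }
 func prepareStatementsx(dbx *sqlx.DB) {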
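Review bot: checkClient in the first hunk runs stmtCheckClientId, the one-placeholder statement, with two arguments, so database/sql rejects the call with an argument-count error rather than sql.ErrNoRows and the helper returns true for every clientID/clientSecret pair — the stmtCheckClient prepared in the third hunk is never used, so the secret is not verified at all. Both helpers also fail open: any error other than sql.ErrNoRows counts as "found", and Scan() with no destination arguments returns a column-count error whenever a row exists, which is the only reason checkClientID appears to work. Bind the matching statement, scan into real destinations, and treat every error as "no match" while logging the unexpected ones; checkClientID needs the same shape with stmtCheckClientId and a single argument.
```go
func checkClient(clientID, clientSecret string) bool {
	var id, secret string
	err := stmtCheckClient.QueryRow(clientID, clientSecret).Scan(&id, &secret)
	if err != nil {
		// fail closed: a lookup error must never authenticate the client
		if err != sql.ErrNoRows {
			elog.Println("oauth: client check failed:", err)
		}
		return false
	}
	return true
}
```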
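--- a/masto.go
+++ b/masto.go
@@ -71,8 +71,7 @@
 func oauthorize(rw http.ResponseWriter, r *http.Request) {
 clientID := r.FormValue("client_id")
 redirectURI := r.FormValue("redirect_uri")
- err := stmtCheckClientId.QueryRow(clientID).Scan()
- if err == sql.ErrNoRows {
+ if !checkClientID(clientID) {
 elog.Println("oauth: no such client:", clientID)
 rw.WriteHeader(http.StatusUnauthorized)
 return
@@ -81,7 +80,7 @@
 var nrw NotResponseWriter
 login.LoginFunc(&nrw, r)
- _, err = stmtSaveMastoAppToken.Exec(nrw.auth)
+ _, err := stmtSaveMastoAppToken.Exec(nrw.auth)
 if err != nil {
 elog.Println("oauth: failed to save masto app token", err)
 rw.WriteHeader(http.StatusInternalServerError)
@@ -101,14 +100,21 @@
 func oauthtoken(rw http.ResponseWriter, r *http.Request) {
 // grantType := r.FormValue("grant_type")
 // code := r.FormValue("code")
 clientID := r.FormValue("client_id")
- // clientSecret := r.FormValue("client_Secret")
+ clientSecret := r.FormValue("client_Secret")
 // redirectURI := r.FormValue("redirect_uri")
 // gotScopes := r.FormValue("scopes")
+ if !checkClient(clientID, clientSecret) {
+ elog.Println("oauth: no such client:", clientID)
+ rw.WriteHeader(http.StatusUnauthorized)
+ return
+ }
+
 app := MastoApp{}
- err := stmtGetMastoApp.Get(&app, clientID)
+ row := stmtGetMastoApp.QueryRowx(clientID)
+ err := row.StructScan(&app)
 if err == sql.ErrNoRows {
- elog.Println("oauth: no such client:", clientID)
+ elog.Println("oauth: invalid client", clientID)
 rw.WriteHeader(http.StatusUnauthorized)
 return
 }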
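Review bot: The form key `client_Secret` on the uncommented line in the oauthtoken hunk does not match the `client_secret` parameter that OAuth 2.0 (RFC 6749) and Mastodon-style clients send, so clientSecret is empty for every real request and checkClient is only ever asked about an empty secret; the line should read `clientSecret := r.FormValue("client_secret")`. This is masked today because checkClient, as committed in database.go, answers true on the argument-count error it gets from stmtCheckClientId, so token requests succeed regardless. grant_type, code and redirect_uri remain commented out in the same hunk, so the token endpoint still does not tie the issued token to an authorization code or redirect URI; the rest of oauthtoken is outside the hunk, so some of that may be handled further down. The StructScan branch only recognises sql.ErrNoRows, so any other error leaves app zero-valued and continues — an `if err != nil` check that returns 500 for the non-ErrNoRows case would be safer.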