tmp

2023-03-25 17:34:36 +01:00
parent f5a6509663
commit a55d3f7382
7 changed files with 149 additions and 40 deletions
--- a/packages/backend/package.json
+++ b/packages/backend/package.json
@@ -61,6 +61,7 @@
 		"@fastify/accepts": "4.2.0",
 		"@fastify/cookie": "8.3.0",
 		"@fastify/cors": "8.3.0",
+		"@fastify/express": "^2.3.0",
 		"@fastify/http-proxy": "9.2.1",
 		"@fastify/multipart": "7.7.0",
 		"@fastify/static": "6.10.2",
@@ -78,6 +79,7 @@
 		"autwh": "0.1.0",
 		"bcryptjs": "2.4.3",
 		"blurhash": "2.0.5",
+		"body-parser": "^1.20.2",
 		"bullmq": "4.1.0",
 		"cacheable-lookup": "7.0.0",
 		"cbor": "9.0.0",
@@ -170,6 +172,7 @@
 		"@types/accepts": "1.3.5",
 		"@types/archiver": "5.3.2",
 		"@types/bcryptjs": "2.4.2",
+		"@types/body-parser": "^1.19.2",
 		"@types/cbor": "6.0.0",
 		"@types/color-convert": "2.0.0",
 		"@types/content-disposition": "0.5.5",
--- a/packages/backend/src/server/oauth/OAuth2ProviderService.ts
+++ b/packages/backend/src/server/oauth/OAuth2ProviderService.ts
@@ -5,7 +5,7 @@ import fastifyMiddie, { IncomingMessageExtended } from '@fastify/middie';
 import { JSDOM } from 'jsdom';
 import parseLinkHeader from 'parse-link-header';
 import ipaddr from 'ipaddr.js';
-import oauth2orize from 'oauth2orize';
+import oauth2orize, { OAuth2 } from 'oauth2orize';
 import { bindThis } from '@/decorators.js';
 import { DI } from '@/di-symbols.js';
 import type { Config } from '@/config.js';
@@ -23,6 +23,9 @@ import fastifyView from '@fastify/view';
 import pug from 'pug';
 import { fileURLToPath } from 'node:url';
 import { MetaService } from '@/core/MetaService.js';
+import fastifyFormbody from '@fastify/formbody';
+import bodyParser from 'body-parser';
+import fastifyExpress from '@fastify/express';

 // https://indieauth.spec.indieweb.org/#client-identifier
 function validateClientId(raw: string): URL {
@@ -58,16 +61,11 @@ function validateClientId(raw: string): URL {
 		throw new Error('client_id must not contain a username or a password');
 	}

-	// MUST NOT contain a port
-	if (url.port) {
-		throw new Error('client_id must not contain a port');
-	}
+	// (MAY contain a port)

 	// host names MUST be domain names or a loopback interface and MUST NOT be
 	// IPv4 or IPv6 addresses except for IPv4 127.0.0.1 or IPv6 [::1].
-	// (But in https://indieauth.spec.indieweb.org/#redirect-url we need to only
-	// fetch non-loopback URLs, so exclude them here.)
-	if (!url.hostname.match(/\.\w+$/)) {
+	if (!url.hostname.match(/\.\w+$/) && !['localhost', '127.0.0.1', '[::1]'].includes(url.hostname)) {
 		throw new Error('client_id must have a domain name as a host name');
 	}

@@ -351,6 +349,9 @@ export class OAuth2ProviderService {
 		// this feature for some time, given that this is security related.
 		fastify.get<{ Querystring: { code_challenge?: string, code_challenge_method?: string } }>('/oauth/authorize', async (request, reply) => {
 			console.log('HIT /oauth/authorize', request.query);
+			const oauth2 = (request.raw as any).oauth2 as (OAuth2 | undefined);
+			console.log(oauth2);
+
 			if (typeof request.query.code_challenge !== 'string') {
 				throw new Error('`code_challenge` parameter is required');
 			}
@@ -358,17 +359,11 @@ export class OAuth2ProviderService {
 				throw new Error('`code_challenge_method` parameter must be set as S256');
 			}

-			const meta = await this.metaService.fetch();
-			return await reply.view('base', {
-				img: meta.bannerUrl,
-				title: meta.name ?? 'Misskey',
-				instanceName: meta.name ?? 'Misskey',
-				url: this.config.url,
-				desc: meta.description,
-				icon: meta.iconUrl,
-				themeColor: meta.themeColor,
+			return await reply.view('oauth', {
+				transactionId: oauth2?.transactionID,
 			});
 		});
+		fastify.post('/oauth/decision', async (request, reply) => { });
 		fastify.post('/oauth/token', async () => { });
 		// fastify.get('/oauth/interaction/:uid', async () => { });
 		// fastify.get('/oauth/interaction/:uid/login', async () => { });
@@ -382,7 +377,7 @@ export class OAuth2ProviderService {
 			},
 		});

-		await fastify.register(fastifyMiddie);
+		await fastify.register(fastifyExpress);
 		fastify.use(expressSession({ secret: 'keyboard cat', resave: false, saveUninitialized: false }) as any);
 		fastify.use('/oauth/authorize', this.#server.authorization((clientId, redirectUri, done) => {
 			(async (): Promise<OmitFirstElement<Parameters<typeof done>>> => {
@@ -392,13 +387,8 @@ export class OAuth2ProviderService {
 				const clientUrl = validateClientId(clientId);
 				const redirectUrl = new URL(redirectUri);

-				if (process.env.NODE_ENV !== 'test') {
-					const lookup = await dns.lookup(clientUrl.hostname);
-					if (ipaddr.parse(lookup.address).range() === 'loopback') {
-						throw new Error('client_id unexpectedly resolves to loopback IP.');
-					}
-				}
-
+				// https://indieauth.spec.indieweb.org/#authorization-request
+				// Allow same-origin redirection
 				if (redirectUrl.protocol !== clientUrl.protocol || redirectUrl.host !== clientUrl.host) {
 					// TODO: allow more redirect_uri by Client Information Discovery
 					throw new Error('cross-origin redirect_uri is not supported yet.');
@@ -407,6 +397,13 @@ export class OAuth2ProviderService {
 				return [clientId, redirectUri];
 			})().then(args => done(null, ...args), err => done(err));
 		}));
+		// for (const middleware of this.#server.decision()) {
+
+		fastify.use('/oauth/decision', bodyParser.urlencoded({
+			extend: false,
+		}));
+		fastify.use('/oauth/decision', this.#server.decision());
+		// }

 		// fastify.use('/oauth', this.#provider.callback());
 	}
--- a/packages/backend/src/server/web/views/oauth.pug
+++ b/packages/backend/src/server/web/views/oauth.pug
@@ -0,0 +1,10 @@
+extends ./base
+
+block meta
+	//- Should be removed by the page when it loads, so that it won't leak when
+	//- user navigates away via the navigation bar
+	//- XXX: Remove navigation bar in auth page?
+	meta(name='misskey:oauth:transaction-id' content=transactionId)
+	meta(name='misskey:oauth:client-id' content=clientId)
+	meta(name='misskey:oauth:scope' content=scope)
+	meta(name='misskey:oauth:redirection-uri' content=redirectionUri)
--- a/packages/frontend/src/components/MkButton.vue
+++ b/packages/frontend/src/components/MkButton.vue
@@ -4,6 +4,7 @@
 	ref="el" class="_button"
 	:class="[$style.root, { [$style.inline]: inline, [$style.primary]: primary, [$style.gradate]: gradate, [$style.danger]: danger, [$style.rounded]: rounded, [$style.full]: full, [$style.small]: small, [$style.large]: large, [$style.transparent]: transparent, [$style.asLike]: asLike }]"
 	:type="type"
+	:name="name"
 	@click="emit('click', $event)"
 	@mousedown="onMousedown"
 >
@@ -44,6 +45,7 @@ const props = defineProps<{
 	large?: boolean;
 	transparent?: boolean;
 	asLike?: boolean;
+	name?: string;
 }>();

 const emit = defineEmits<{
--- a/packages/frontend/src/pages/oauth.vue
+++ b/packages/frontend/src/pages/oauth.vue
@@ -0,0 +1,71 @@
+<template>
+<MkStickyContainer>
+	<template #header><MkPageHeader :actions="headerActions" :tabs="headerTabs"/></template>
+	<MkSpacer :content-max="800">
+		<div v-if="$i">
+			<div v-if="_permissions.length > 0">
+				<p v-if="name">{{ $t('_auth.permission', { name }) }}</p>
+				<p v-else>{{ i18n.ts._auth.permissionAsk }}</p>
+				<ul>
+					<li v-for="p in _permissions" :key="p">{{ $t(`_permissions.${p}`) }}</li>
+				</ul>
+			</div>
+			<div v-if="name">{{ $t('_auth.shareAccess', { name }) }}</div>
+			<div v-else>{{ i18n.ts._auth.shareAccessAsk }}</div>
+			<form :class="$style.buttons" action="/oauth/decision" accept-charset="utf-8" method="post">
+				<input name="transaction_id" type="hidden" :value="transactionIdMeta?.content"/>
+				<MkButton inline name="cancel">{{ i18n.ts.cancel }}</MkButton>
+				<MkButton inline primary>{{ i18n.ts.accept }}</MkButton>
+			</form>
+		</div>
+		<div v-else>
+			<p :class="$style.loginMessage">{{ i18n.ts._auth.pleaseLogin }}</p>
+			<MkSignin @login="onLogin"/>
+		</div>
+	</MkSpacer>
+</MkStickyContainer>
+</template>
+
+<script lang="ts" setup>
+import { } from 'vue';
+import MkSignin from '@/components/MkSignin.vue';
+import MkButton from '@/components/MkButton.vue';
+import { $i, login } from '@/account';
+import { i18n } from '@/i18n';
+import { definePageMetadata } from '@/scripts/page-metadata';
+
+const transactionIdMeta = document.querySelector<HTMLMetaElement>('meta[name="misskey:oauth:transaction-id"]');
+if (transactionIdMeta) {
+	transactionIdMeta.remove();
+}
+
+const name = document.querySelector<HTMLMetaElement>('meta[name="misskey:oauth:client-id"]')?.content;
+const _permissions = document.querySelector<HTMLMetaElement>('meta[name="misskey:oauth:scope"]')?.content.split(' ') ?? [];
+
+function onLogin(res): void {
+	login(res.i);
+}
+
+const headerActions = $computed(() => []);
+
+const headerTabs = $computed(() => []);
+
+definePageMetadata({
+	title: 'OAuth',
+	icon: 'ti ti-apps',
+});
+</script>
+
+<style lang="scss" module>
+.buttons {
+	margin-top: 16px;
+	display: flex;
+	gap: 8px;
+	flex-wrap: wrap;
+}
+
+.loginMessage {
+	text-align: center;
+	margin: 8px 0 24px;
+}
+</style>
--- a/packages/frontend/src/router.ts
+++ b/packages/frontend/src/router.ts
@@ -254,6 +254,9 @@ export const routes = [{
 		icon: 'icon',
 		permission: 'permission',
 	},
+}, {
+	path: '/oauth/authorize',
+	component: page(() => import('./pages/oauth.vue')),
 }, {
 	path: '/tags/:tag',
 	component: page(() => import('./pages/tag.vue')),