@rmdes/indiekit-endpoint-activitypub 3.5.2 → 3.5.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/mastodon/routes/oauth.js +72 -12
- package/package.json +1 -1
|
@@ -158,7 +158,7 @@ router.get("/.well-known/oauth-authorization-server", (req, res) => {
|
|
|
158
158
|
"write:statuses",
|
|
159
159
|
],
|
|
160
160
|
response_types_supported: ["code"],
|
|
161
|
-
grant_types_supported: ["authorization_code", "client_credentials"],
|
|
161
|
+
grant_types_supported: ["authorization_code", "client_credentials", "refresh_token"],
|
|
162
162
|
token_endpoint_auth_methods_supported: [
|
|
163
163
|
"client_secret_basic",
|
|
164
164
|
"client_secret_post",
|
|
@@ -174,7 +174,7 @@ router.get("/.well-known/oauth-authorization-server", (req, res) => {
|
|
|
174
174
|
|
|
175
175
|
router.get("/oauth/authorize", async (req, res, next) => {
|
|
176
176
|
try {
|
|
177
|
-
|
|
177
|
+
let {
|
|
178
178
|
client_id,
|
|
179
179
|
redirect_uri,
|
|
180
180
|
response_type,
|
|
@@ -184,6 +184,21 @@ router.get("/oauth/authorize", async (req, res, next) => {
|
|
|
184
184
|
force_login,
|
|
185
185
|
} = req.query;
|
|
186
186
|
|
|
187
|
+
// Restore OAuth params from session after login redirect.
|
|
188
|
+
// Indiekit's login flow doesn't re-encode the redirect param, so query
|
|
189
|
+
// params with & are stripped during the /session/login → /session/auth
|
|
190
|
+
// round-trip. We store them in the session before redirecting.
|
|
191
|
+
if (!response_type && req.session?.pendingOAuth) {
|
|
192
|
+
const p = req.session.pendingOAuth;
|
|
193
|
+
delete req.session.pendingOAuth;
|
|
194
|
+
client_id = p.client_id;
|
|
195
|
+
redirect_uri = p.redirect_uri;
|
|
196
|
+
response_type = p.response_type;
|
|
197
|
+
scope = p.scope;
|
|
198
|
+
code_challenge = p.code_challenge;
|
|
199
|
+
code_challenge_method = p.code_challenge_method;
|
|
200
|
+
}
|
|
201
|
+
|
|
187
202
|
if (response_type !== "code") {
|
|
188
203
|
return res.status(400).json({
|
|
189
204
|
error: "unsupported_response_type",
|
|
@@ -219,12 +234,14 @@ router.get("/oauth/authorize", async (req, res, next) => {
|
|
|
219
234
|
// Check if user is logged in via IndieAuth session
|
|
220
235
|
const session = req.session;
|
|
221
236
|
if (!session?.access_token && !force_login) {
|
|
222
|
-
//
|
|
223
|
-
//
|
|
224
|
-
|
|
225
|
-
|
|
226
|
-
|
|
227
|
-
|
|
237
|
+
// Store OAuth params in session — they won't survive Indiekit's
|
|
238
|
+
// login redirect chain due to a re-encoding bug in indieauth.js.
|
|
239
|
+
req.session.pendingOAuth = {
|
|
240
|
+
client_id, redirect_uri, response_type, scope,
|
|
241
|
+
code_challenge, code_challenge_method,
|
|
242
|
+
};
|
|
243
|
+
// Redirect to Indiekit's login page with a simple return path.
|
|
244
|
+
return res.redirect("/session/login?redirect=/oauth/authorize");
|
|
228
245
|
}
|
|
229
246
|
|
|
230
247
|
// Render simple authorization page
|
|
@@ -406,10 +423,49 @@ router.post("/oauth/token", async (req, res, next) => {
|
|
|
406
423
|
});
|
|
407
424
|
}
|
|
408
425
|
|
|
426
|
+
// ─── Refresh token grant ──────────────────────────────────────────
|
|
427
|
+
if (grant_type === "refresh_token") {
|
|
428
|
+
const { refresh_token } = req.body;
|
|
429
|
+
if (!refresh_token) {
|
|
430
|
+
return res.status(400).json({
|
|
431
|
+
error: "invalid_request",
|
|
432
|
+
error_description: "Missing refresh_token",
|
|
433
|
+
});
|
|
434
|
+
}
|
|
435
|
+
|
|
436
|
+
const existing = await collections.ap_oauth_tokens.findOne({
|
|
437
|
+
refreshToken: refresh_token,
|
|
438
|
+
revokedAt: null,
|
|
439
|
+
});
|
|
440
|
+
|
|
441
|
+
if (!existing) {
|
|
442
|
+
return res.status(400).json({
|
|
443
|
+
error: "invalid_grant",
|
|
444
|
+
error_description: "Refresh token is invalid or revoked",
|
|
445
|
+
});
|
|
446
|
+
}
|
|
447
|
+
|
|
448
|
+
// Rotate: new access token + new refresh token
|
|
449
|
+
const newAccessToken = randomHex(64);
|
|
450
|
+
const newRefreshToken = randomHex(64);
|
|
451
|
+
await collections.ap_oauth_tokens.updateOne(
|
|
452
|
+
{ _id: existing._id },
|
|
453
|
+
{ $set: { accessToken: newAccessToken, refreshToken: newRefreshToken } },
|
|
454
|
+
);
|
|
455
|
+
|
|
456
|
+
return res.json({
|
|
457
|
+
access_token: newAccessToken,
|
|
458
|
+
token_type: "Bearer",
|
|
459
|
+
scope: existing.scopes.join(" "),
|
|
460
|
+
created_at: Math.floor(existing.createdAt.getTime() / 1000),
|
|
461
|
+
refresh_token: newRefreshToken,
|
|
462
|
+
});
|
|
463
|
+
}
|
|
464
|
+
|
|
409
465
|
if (grant_type !== "authorization_code") {
|
|
410
466
|
return res.status(400).json({
|
|
411
467
|
error: "unsupported_grant_type",
|
|
412
|
-
error_description: "Only authorization_code and
|
|
468
|
+
error_description: "Only authorization_code, client_credentials, and refresh_token are supported",
|
|
413
469
|
});
|
|
414
470
|
}
|
|
415
471
|
|
|
@@ -470,11 +526,13 @@ router.post("/oauth/token", async (req, res, next) => {
|
|
|
470
526
|
}
|
|
471
527
|
}
|
|
472
528
|
|
|
473
|
-
// Generate access token
|
|
529
|
+
// Generate access token and refresh token.
|
|
530
|
+
// Clear expiresAt — it was set for the auth code, not the access token.
|
|
474
531
|
const accessToken = randomHex(64);
|
|
532
|
+
const refreshToken = randomHex(64);
|
|
475
533
|
await collections.ap_oauth_tokens.updateOne(
|
|
476
534
|
{ _id: grant._id },
|
|
477
|
-
{ $set: { accessToken } },
|
|
535
|
+
{ $set: { accessToken, refreshToken, expiresAt: null } },
|
|
478
536
|
);
|
|
479
537
|
|
|
480
538
|
res.json({
|
|
@@ -482,6 +540,7 @@ router.post("/oauth/token", async (req, res, next) => {
|
|
|
482
540
|
token_type: "Bearer",
|
|
483
541
|
scope: grant.scopes.join(" "),
|
|
484
542
|
created_at: Math.floor(grant.createdAt.getTime() / 1000),
|
|
543
|
+
refresh_token: refreshToken,
|
|
485
544
|
});
|
|
486
545
|
} catch (error) {
|
|
487
546
|
next(error);
|
|
@@ -502,8 +561,9 @@ router.post("/oauth/revoke", async (req, res, next) => {
|
|
|
502
561
|
}
|
|
503
562
|
|
|
504
563
|
const collections = req.app.locals.mastodonCollections;
|
|
564
|
+
// Match by access token or refresh token
|
|
505
565
|
await collections.ap_oauth_tokens.updateOne(
|
|
506
|
-
{ accessToken: token },
|
|
566
|
+
{ $or: [{ accessToken: token }, { refreshToken: token }] },
|
|
507
567
|
{ $set: { revokedAt: new Date() } },
|
|
508
568
|
);
|
|
509
569
|
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@rmdes/indiekit-endpoint-activitypub",
|
|
3
|
-
"version": "3.5.
|
|
3
|
+
"version": "3.5.4",
|
|
4
4
|
"description": "ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"indiekit",
|