Merge 56f313ebf1 into 65093c619f

2024-04-26 18:07:05 +00:00 · 2024-04-26 18:07:05 +00:00 · 11113a6883
parent 65093c619f 56f313ebf1
commit 11113a6883
5 changed files with 122 additions and 0 deletions
--- a/app/controllers/well_known/oauth_metadata_controller.rb
+++ b/app/controllers/well_known/oauth_metadata_controller.rb
@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module WellKnown
+  class OauthMetadataController < ActionController::Base # rubocop:disable Rails/ApplicationController
+    include CacheConcern
+
+    # Prevent `active_model_serializer`'s `ActionController::Serialization` from calling `current_user`
+    # and thus re-issuing session cookies
+    serialization_scope nil
+
+    def show
+      expires_in 3.days, public: true
+      render_with_cache json: ::OauthMetadataPresenter.new, serializer: ::OauthMetadataSerializer, content_type: 'application/json'
+    end
+  end
+end
--- a/app/presenters/oauth_metadata_presenter.rb
+++ b/app/presenters/oauth_metadata_presenter.rb
@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+class OauthMetadataPresenter < ActiveModelSerializers::Model
+  include RoutingHelper
+
+  attributes :issuer, :authorization_endpoint, :token_endpoint,
+             :registration_endpoint, :revocation_endpoint, :scopes_supported,
+             :response_types_supported, :response_modes_supported,
+             :grant_types_supported, :token_endpoint_auth_methods_supported
+
+  def issuer
+    root_url
+  end
+
+  def authorization_endpoint
+    oauth_authorization_url
+  end
+
+  def token_endpoint
+    oauth_token_url
+  end
+
+  # NOTE: the api_v1_apps route doesn't technically conform to the
+  # specification for OAuth 2.0 Dynamic Client Registration defined in
+  # https://datatracker.ietf.org/doc/html/rfc7591
+  # But for Mastodon, this is the API Endpoint that you would want for this property
+  def registration_endpoint
+    api_v1_apps_url
+  end
+
+  def revocation_endpoint
+    oauth_revoke_url
+  end
+
+  def scopes_supported
+    doorkeeper.scopes
+  end
+
+  def response_types_supported
+    doorkeeper.authorization_response_types
+  end
+
+  def response_modes_supported
+    doorkeeper.authorization_response_flows.flat_map(&:response_mode_matches).uniq
+  end
+
+  def grant_types_supported
+    grant_types_supported = doorkeeper.grant_flows.dup
+    grant_types_supported << 'refresh_token' if doorkeeper.refresh_token_enabled?
+    grant_types_supported
+  end
+
+  def token_endpoint_auth_methods_supported
+    %w(client_secret_basic client_secret_post)
+  end
+
+  private
+
+  def doorkeeper
+    @doorkeeper ||= Doorkeeper.configuration
+  end
+end
--- a/app/serializers/oauth_metadata_serializer.rb
+++ b/app/serializers/oauth_metadata_serializer.rb
@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class OauthMetadataSerializer < ActiveModel::Serializer
+  attributes :issuer, :authorization_endpoint, :token_endpoint,
+             :registration_endpoint, :revocation_endpoint, :scopes_supported,
+             :response_types_supported, :response_modes_supported,
+             :grant_types_supported, :token_endpoint_auth_methods_supported
+end
--- a/config/routes.rb
+++ b/config/routes.rb
@ -62,6 +62,7 @@ Rails.application.routes.draw do
                tokens: 'oauth/tokens'
  end

+  get '.well-known/oauth-authorization-server', to: 'well_known/oauth_metadata#show', as: :oauth_metadata, defaults: { format: 'json' }
  get '.well-known/host-meta', to: 'well_known/host_meta#show', as: :host_meta, defaults: { format: 'xml' }
  get '.well-known/nodeinfo', to: 'well_known/node_info#index', as: :nodeinfo, defaults: { format: 'json' }
  get '.well-known/webfinger', to: 'well_known/webfinger#show', as: :webfinger
--- a/spec/requests/well_known/oauth_metadata_spec.rb
+++ b/spec/requests/well_known/oauth_metadata_spec.rb
@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe 'The /.well-known/oauth-authorization-server request' do
+  let(:protocol) { ENV.fetch('LOCAL_HTTPS', true) ? :https : :http }
+
+  before do
+    host! ENV.fetch('LOCAL_DOMAIN')
+  end
+
+  it 'returns http success with valid JSON response' do
+    get '/.well-known/oauth-authorization-server'
+
+    expect(response)
+      .to have_http_status(200)
+      .and have_attributes(
+        media_type: 'application/json'
+      )
+
+    grant_types_supported = Doorkeeper.configuration.grant_flows.dup
+    grant_types_supported << 'refresh_token' if Doorkeeper.configuration.refresh_token_enabled?
+
+    expect(body_as_json).to include(
+      issuer: root_url(protocol: protocol),
+      authorization_endpoint: oauth_authorization_url(protocol: protocol),
+      token_endpoint: oauth_token_url(protocol: protocol),
+      registration_endpoint: api_v1_apps_url(protocol: protocol),
+      revocation_endpoint: oauth_revoke_url(protocol: protocol),
+      scopes_supported: Doorkeeper.configuration.scopes.map(&:to_s),
+      response_types_supported: Doorkeeper.configuration.authorization_response_types,
+      grant_types_supported: grant_types_supported
+    )
+  end
+end