From 515b502364c1280b080c062cac63ad0002176cee Mon Sep 17 00:00:00 2001
From: Georg Krause
Date: Tue, 8 Nov 2022 19:37:05 +0000
Subject: [PATCH] Fix oauth to respond with unhashed token on creation

---
 api/funkwhale_api/users/oauth/serializers.py | 2 +-
 api/funkwhale_api/users/oauth/views.py | 16 ++++++++++++++++
 api/tests/users/oauth/test_views.py | 2 ++
 3 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/api/funkwhale_api/users/oauth/serializers.py b/api/funkwhale_api/users/oauth/serializers.py
index b95d57624..4e0c3c0c9 100644
--- a/api/funkwhale_api/users/oauth/serializers.py
+++ b/api/funkwhale_api/users/oauth/serializers.py
@@ -32,7 +32,7 @@ class CreateApplicationSerializer(serializers.ModelSerializer):
             "updated",
             "redirect_uris",
         ]
-        read_only_fields = ["client_id", "client_secret", "created", "updated"]
+        read_only_fields = ["client_id", "created", "updated"]
 
     def to_representation(self, obj):
         repr = super().to_representation(obj)
diff --git a/api/funkwhale_api/users/oauth/views.py b/api/funkwhale_api/users/oauth/views.py
index f64566d32..7be56c82c 100644
--- a/api/funkwhale_api/users/oauth/views.py
+++ b/api/funkwhale_api/users/oauth/views.py
@@ -1,5 +1,6 @@
 import json
 import urllib.parse
+import secrets
 
 from django import http
 from django.utils import timezone
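Review bot: Removing `client_secret` from `read_only_fields` makes the field writable on POST, so the API now persists whatever secret the caller sends, subject only to the model field's own validation; a short or predictable secret would then be the only thing protecting that confidential client at the token endpoint. If the change exists only so the view can persist the value it generates, the field can stay read-only and the view can pass the value at save time with `serializer.save(client_secret=secret)`, which DRF merges into validated_data regardless of read_only. If caller-chosen secrets are intentional, add a serializer validator enforcing a minimum length and document the choice in the Meta class. The Meta class begins before this hunk.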
@@ -49,6 +50,21 @@ class ApplicationViewSet(
         }
     }
 
+    def create(self, request, *args, **kwargs):
+        request_data = request.data.copy()
+        try:
+            secret = request_data["client_secret"]
+        except KeyError:
+            secret = secrets.token_hex(64)
+        request_data["client_secret"] = secret
+        serializer = self.get_serializer(data=request_data)
+        serializer.is_valid(raise_exception=True)
+        self.perform_create(serializer)
+        headers = self.get_success_headers(serializer.data)
+        data = serializer.data
+        data["client_secret"] = secret
+        return response.Response(data, status=201, headers=headers)
+
     def get_serializer_class(self):
         if self.request.method.lower() == "post":
             return serializers.CreateApplicationSerializer
diff --git a/api/tests/users/oauth/test_views.py b/api/tests/users/oauth/test_views.py
index 50b563156..99f6ef8fa 100644
--- a/api/tests/users/oauth/test_views.py
+++ b/api/tests/users/oauth/test_views.py
@@ -19,6 +19,7 @@ def test_apps_post(api_client, db):
     assert response.status_code == 201
 
     app = models.Application.objects.get(name=data["name"])
+    setattr(app, "client_secret", response.data["client_secret"])
     assert app.client_type == models.Application.CLIENT_CONFIDENTIAL
     assert app.authorization_grant_type == models.Application.GRANT_AUTHORIZATION_CODE
 
@@ -40,6 +41,7 @@ def test_apps_post_logged_in_user(logged_in_api_client, db):
     assert response.status_code == 201
 
     app = models.Application.objects.get(name=data["name"])
+    setattr(app, "client_secret", response.data["client_secret"])
     assert app.client_type == models.Application.CLIENT_CONFIDENTIAL
     assert app.authorization_grant_type == models.Application.GRANT_AUTHORIZATION_CODE
 
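Review bot: `create` honours a caller-supplied `client_secret` (the `try`/`except KeyError` only generates one when the key is absent), so any value, including an empty or trivially guessable string, is accepted as the credential of a confidential client. Generating unconditionally and injecting the value at save time keeps the secret out of the request body altogether: `secret = secrets.token_hex(64)`, `serializer = self.get_serializer(data=request.data)` and `serializer.save(client_secret=secret)` in place of the `copy()`, the try/except and the `perform_create` call; this assumes `perform_create` is not overridden with extra behaviour elsewhere in the class, which is outside the hunk. The closing `data["client_secret"] = secret` is the line that puts the plaintext into the 201 body and deserves a why-comment such as `# stored value is hashed on save (per commit message); this response is the only time the plaintext is returned`, with the hashing behaviour confirmed against the model, which is not visible here.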
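Review bot: `setattr(app, "client_secret", response.data["client_secret"])` overwrites the freshly loaded instance's stored secret with the plaintext from the response before any assertion runs, so a later comparison of `app.client_secret` with the response (if one follows outside this hunk) can no longer fail and the test stops checking what was actually persisted; the same line appears in the `@@ -40,6 +41,7 @@` hunk of `test_apps_post_logged_in_user`. If the stored value is a hash produced by Django's password hasher, assert that relationship instead, e.g. `assert check_password(response.data["client_secret"], app.client_secret)` with `check_password` from `django.contrib.auth.hashers`; if it is stored in clear, drop the `setattr` and compare the two values directly. Plain attribute assignment, `app.client_secret = response.data["client_secret"]`, also reads better than `setattr` with a constant name. Both test functions start and end outside their hunks.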