logo

pleroma

My custom branche(s) on git.pleroma.social/pleroma/pleroma git clone https://hacktivis.me/git/pleroma.git
commit: 7bd0750787859cb30382d90162d70380441abc05
parent 427da7a99a30ebc7a7deb54e7704b5d8dffea199
Author: Mark Felder <feld@feld.me>
Date:   Wed,  4 Sep 2024 10:40:37 -0400

Ensure apps are assigned to users


Diffstat:


Mchangelog.d/oauth-app-spam.fix2+-


Mlib/pleroma/web/o_auth/app.ex10++++++++++


Mlib/pleroma/web/o_auth/o_auth_controller.ex2++


Apriv/repo/migrations/20240904142434_assign_app_user.exs21+++++++++++++++++++++


Mtest/pleroma/web/o_auth/o_auth_controller_test.exs8++++++++


5 files changed, 42 insertions(+), 1 deletion(-)

diff --git a/changelog.d/oauth-app-spam.fix b/changelog.d/oauth-app-spam.fix
@@ -1 +1 @@
-Add a rate limiter to the OAuth App creation endpoint
+Add a rate limiter to the OAuth App creation endpoint and ensure registered apps are assigned to users.
diff --git a/lib/pleroma/web/o_auth/app.ex b/lib/pleroma/web/o_auth/app.ex
@@ -8,6 +8,7 @@ defmodule Pleroma.Web.OAuth.App do
   import Ecto.Query
   alias Pleroma.Repo
   alias Pleroma.User
+  alias Pleroma.Web.OAuth.Token
 
   @type t :: %__MODULE__{}
 
@@ -155,4 +156,13 @@ defmodule Pleroma.Web.OAuth.App do
         Map.put(acc, key, error)
     end)
   end
+
+  @spec maybe_update_owner(Token.t()) :: :ok
+  def maybe_update_owner(%Token{app_id: app_id, user_id: user_id}) when not is_nil(user_id) do
+    __MODULE__.update(app_id, %{user_id: user_id})
+
+    :ok
+  end
+
+  def maybe_update_owner(_), do: :ok
 end
diff --git a/lib/pleroma/web/o_auth/o_auth_controller.ex b/lib/pleroma/web/o_auth/o_auth_controller.ex
@@ -318,6 +318,8 @@ defmodule Pleroma.Web.OAuth.OAuthController do
   def token_exchange(%Plug.Conn{} = conn, params), do: bad_request(conn, params)
 
   def after_token_exchange(%Plug.Conn{} = conn, %{token: token} = view_params) do
+    App.maybe_update_owner(token)
+
     conn
     |> AuthHelper.put_session_token(token.token)
     |> json(OAuthView.render("token.json", view_params))
diff --git a/priv/repo/migrations/20240904142434_assign_app_user.exs b/priv/repo/migrations/20240904142434_assign_app_user.exs
@@ -0,0 +1,21 @@
+defmodule Pleroma.Repo.Migrations.AssignAppUser do
+  use Ecto.Migration
+
+  alias Pleroma.Repo
+  alias Pleroma.Web.OAuth.App
+  alias Pleroma.Web.OAuth.Token
+
+  def up do
+    Repo.all(Token)
+    |> Enum.group_by(fn x -> Map.get(x, :app_id) end)
+    |> Enum.each(fn {_app_id, tokens} ->
+      token =
+        Enum.filter(tokens, fn x -> not is_nil(x.user_id) end)
+        |> List.first()
+
+      App.maybe_update_owner(token)
+    end)
+  end
+
+  def down, do: :ok
+end
diff --git a/test/pleroma/web/o_auth/o_auth_controller_test.exs b/test/pleroma/web/o_auth/o_auth_controller_test.exs
@@ -12,6 +12,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
   alias Pleroma.MFA.TOTP
   alias Pleroma.Repo
   alias Pleroma.User
+  alias Pleroma.Web.OAuth.App
   alias Pleroma.Web.OAuth.Authorization
   alias Pleroma.Web.OAuth.OAuthController
   alias Pleroma.Web.OAuth.Token
@@ -770,6 +771,9 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
 
       {:ok, auth} = Authorization.create_authorization(app, user, ["write"])
 
+      # Verify app has no associated user yet
+      assert %Pleroma.Web.OAuth.App{user_id: nil} = Repo.get_by(App, %{id: app.id})
+
       conn =
         build_conn()
         |> post("/oauth/token", %{
@@ -786,6 +790,10 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
       assert token
       assert token.scopes == auth.scopes
       assert user.ap_id == ap_id
+
+      # Verify app has an associated user now
+      user_id = user.id
+      assert %Pleroma.Web.OAuth.App{user_id: ^user_id} = Repo.get_by(App, %{id: app.id})
     end
 
     test "issues a token for `password` grant_type with valid credentials, with full permissions by default" do