Make auth tokens usable once and expire them.

lib/pleroma/web/oauth/authorization.ex

@@ -4,6 +4,8 @@ defmodule Pleroma.Web.OAuth.Authorization do
   alias Pleroma.{User, Repo}
   alias Pleroma.Web.OAuth.{Authorization, App}
 
+  import Ecto.{Changeset}
+
   schema "oauth_authorizations" do
     field :token, :string
     field :valid_until, :naive_datetime
@@ -27,4 +29,19 @@ def create_authorization(%App{} = app, %User{} = user) do
 
     Repo.insert(authorization)
   end
+
+  def use_changeset(%Authorization{} = auth, params) do
+    auth
+    |> cast(params, [:used])
+    |> validate_required([:used])
+  end
+
+  def use_token(%Authorization{used: false, valid_until: valid_until} = auth) do
+    if NaiveDateTime.diff(NaiveDateTime.utc_now, valid_until) < 0 do
+      Repo.update(use_changeset(auth, %{used: true}))
+    else
+      {:error, "token expired"}
+    end
+  end
+  def use_token(%Authorization{used: true}), do: {:error, "already used"}
 end

lib/pleroma/web/oauth/token.ex

@@ -2,7 +2,7 @@ defmodule Pleroma.Web.OAuth.Token do
   use Ecto.Schema
 
   alias Pleroma.{User, Repo}
-  alias Pleroma.Web.OAuth.{Token, App}
+  alias Pleroma.Web.OAuth.{Token, App, Authorization}
 
   schema "oauth_tokens" do
     field :token, :string
@@ -14,6 +14,13 @@ defmodule Pleroma.Web.OAuth.Token do
     timestamps()
   end
 
+  def exchange_token(app, auth) do
+    with {:ok, auth} <- Authorization.use_token(auth),
+         true <- auth.app_id == app.id do
+      create_token(app, Repo.get(User, auth.user_id))
+    end
+  end
+
   def create_token(%App{} = app, %User{} = user) do
     token = :crypto.strong_rand_bytes(32) |> Base.url_encode64
     refresh_token = :crypto.strong_rand_bytes(32) |> Base.url_encode64

test/web/oauth/authorization_test.exs

+defmodule Pleroma.Web.OAuth.AuthorizationTest do
+  use Pleroma.DataCase
+  alias Pleroma.Web.OAuth.{Authorization, App}
+  import Pleroma.Factory
+
+  test "create an authorization token for a valid app" do
+    {:ok, app} = Repo.insert(App.register_changeset(%App{}, %{client_name: "client", scopes: "scope", redirect_uris: "url"}))
+    user = insert(:user)
+
+    {:ok, auth} = Authorization.create_authorization(app, user)
+
+    assert auth.user_id == user.id
+    assert auth.app_id == app.id
+    assert String.length(auth.token) > 10
+    assert auth.used == false
+  end
+
+  test "use up a token" do
+    {:ok, app} = Repo.insert(App.register_changeset(%App{}, %{client_name: "client", scopes: "scope", redirect_uris: "url"}))
+    user = insert(:user)
+
+    {:ok, auth} = Authorization.create_authorization(app, user)
+
+    {:ok, auth} = Authorization.use_token(auth)
+
+    assert auth.used == true
+
+    assert {:error, "already used"} == Authorization.use_token(auth)
+
+    expired_auth = %Authorization{
+      user_id: user.id,
+      app_id: app.id,
+      valid_until: NaiveDateTime.add(NaiveDateTime.utc_now, -10),
+      token: "mytoken",
+      used: false
+    }
+
+    {:ok, expired_auth} = Repo.insert(expired_auth)
+
+    assert {:error, "token expired"} == Authorization.use_token(expired_auth)
+  end
+end

test/web/oauth/token_test.exs

+defmodule Pleroma.Web.OAuth.TokenTest do
+  use Pleroma.DataCase
+  alias Pleroma.Web.OAuth.{App, Token, Authorization}
+  alias Pleroma.Repo
+
+  import Pleroma.Factory
+
+  test "exchanges a auth token for an access token" do
+    {:ok, app} = Repo.insert(App.register_changeset(%App{}, %{client_name: "client", scopes: "scope", redirect_uris: "url"}))
+    user = insert(:user)
+
+    {:ok, auth} = Authorization.create_authorization(app, user)
+
+    {:ok, token} = Token.exchange_token(app, auth)
+
+    assert token.app_id == app.id
+    assert token.user_id == user.id
+    assert String.length(token.token) > 10
+    assert String.length(token.refresh_token) > 10
+
+    auth = Repo.get(Authorization, auth.id)
+    {:error, "already used"} = Token.exchange_token(app, auth)
+  end
+end