Can't authorize from 3rd party application
Description
I'm a developer of Whalebird, which is a Mastodon/Pleroma client.
I cannot authorize from Whalebird under certain conditions.
How to reproduce
- First, log in to my Pleroma server using MastodonFE on Firefox
- Launch Whalebird and try to log in to my Pleroma server
- Open Firefox to get my authorization code; the URL is /oauth/authorize?redirect_uri=...
- But the access token is invalid, so I can't log in to my Pleroma server
I've investigated further, and I can authorize with the following flow:
- First, log out of my Pleroma server on Firefox.
- Launch Whalebird and try to log in to my Pleroma server
- Open Firefox to get my authorization code; the URL is /oauth/authorize?redirect_uri=...
- But I have not logged in yet, so the login page is shown
- I type my name and password and I can log in; then the access token is shown
- The access token is valid, so I can log in to my Pleroma
So I can log in from a 3rd party application after I log in to MastodonFE on Firefox.
Reason?
I think that the endpoint /oauth/authorize returns MastodonFE's access token if the user is already logged in.
The endpoint GET /oauth/authorize has the oauth plug enabled:
https://git.pleroma.social/pleroma/pleroma/blob/develop/lib/pleroma/web/router.ex#L244-245
This plug fills the token parameter from the session token, so the token is set if there is a session token for MastodonFE:
https://git.pleroma.social/pleroma/pleroma/blob/release/1.1.3/lib/pleroma/plugs/oauth_plug.ex#L38-60
The controller returns the existing token if a token is provided:
https://git.pleroma.social/pleroma/pleroma/blob/develop/lib/pleroma/web/oauth/oauth_controller.ex#L39-45
Finally, this endpoint returns MastodonFE's access token.
Is this the expected behavior?
Why is the oauth plug enabled on /oauth/authorize?
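The two flows the report describes, replayed as an added example. This is not Pleroma's code (Pleroma is Elixir; this is a stand-alone Python model): a session plug pre-fills a token, and the authorize handler hands that token back without checking which OAuth app the request's client_id names, so a second client receives a token bound to the first app and cannot use it. The app names, the token format, the `verify` check and the `authorize_checked` variant are all assumptions made for illustration, not Pleroma's actual implementation or fix.

```python
# Added example, not Pleroma's code: an in-memory model of the behaviour the
# report describes. The session plug pre-fills a token, and the authorize
# handler returns that token without checking which OAuth app asked for it.
# App names, token formats and the "checked" variant are assumptions made for
# illustration, not Pleroma's actual implementation.
from dataclasses import dataclass, field
import secrets


@dataclass(frozen=True)
class App:
    client_id: str
    name: str


@dataclass(frozen=True)
class Token:
    value: str
    user: str
    app: App  # the OAuth app this token was issued to


@dataclass
class Server:
    apps: dict = field(default_factory=dict)    # client_id -> App
    tokens: dict = field(default_factory=dict)  # token value -> Token

    def register_app(self, name):
        app = App(client_id=secrets.token_hex(8), name=name)
        self.apps[app.client_id] = app
        return app

    def issue_token(self, user, app):
        tok = Token(secrets.token_urlsafe(16), user, app)
        self.tokens[tok.value] = tok
        return tok

    def verify(self, token_value, client_id):
        """API-side check: the token must exist and belong to the calling app."""
        tok = self.tokens.get(token_value)
        return tok is not None and tok.app.client_id == client_id

    def authorize_naive(self, session_token, client_id, login):
        """Behaviour described in the report: if the session plug supplied a
        token, hand it back regardless of the client_id in the request."""
        if session_token is not None:
            return session_token
        user = login()  # no session: show the login form, user enters credentials
        return self.issue_token(user, self.apps[client_id])

    def authorize_checked(self, session_token, client_id, login):
        """Assumed fix: only short-circuit when the session token already
        belongs to the requesting app; otherwise issue one for that app."""
        if session_token is not None and session_token.app.client_id == client_id:
            return session_token
        user = session_token.user if session_token is not None else login()
        return self.issue_token(user, self.apps[client_id])


def no_login():
    raise AssertionError("login form was shown although a session exists")


def reproduce():
    """Replay both flows from the report; returns the checks a client would make."""
    srv = Server()
    fe = srv.register_app("MastodonFE")
    whalebird = srv.register_app("Whalebird")

    # Flow 1: already logged in to MastodonFE in the browser (constructed session).
    fe_session = srv.issue_token("alice", fe)
    naive = srv.authorize_naive(fe_session, whalebird.client_id, login=no_login)
    checked = srv.authorize_checked(fe_session, whalebird.client_id, login=no_login)

    # Flow 2: logged out first, so the login page is shown and a fresh token is issued.
    fresh = srv.authorize_naive(None, whalebird.client_id, login=lambda: "alice")

    return {
        "naive_returns_fe_token": naive is fe_session,
        "naive_valid_for_whalebird": srv.verify(naive.value, whalebird.client_id),
        "checked_valid_for_whalebird": srv.verify(checked.value, whalebird.client_id),
        "logged_out_valid_for_whalebird": srv.verify(fresh.value, whalebird.client_id),
    }


if __name__ == "__main__":
    for name, result in reproduce().items():
        print(f"{name}: {result}")
```

Running `reproduce()` shows the naive handler returning the MastodonFE session token to Whalebird, which then fails the app-binding check, while the checked variant and the logged-out flow both yield a token usable by Whalebird. The design point is that a session-derived token short-circuit on the authorize endpoint is only safe when the token's owning app is compared against the client_id of the request.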