From 170262915bd627dfd821488d3fbffb2444ad44bc Mon Sep 17 00:00:00 2001 From: Robert George Date: Sat, 11 Feb 2023 17:41:16 -0800 Subject: [PATCH 1/2] Added support for oauth 2 login and registration --- .env.example | 8 ++ bookwyrm/context_processors.py | 2 + bookwyrm/forms/landing.py | 14 ++++ bookwyrm/oauth.py | 38 ++++++++++ bookwyrm/settings.py | 11 +++ bookwyrm/templates/landing/login.html | 8 +- .../templates/landing/oauth_register.html | 75 +++++++++++++++++++ bookwyrm/templates/layout.html | 6 ++ bookwyrm/urls.py | 5 +- bookwyrm/views/__init__.py | 1 + bookwyrm/views/landing/register.py | 16 ++-- bookwyrm/views/oauth.py | 35 +++++++++ requirements.txt | 1 + 13 files changed, 213 insertions(+), 7 deletions(-) create mode 100644 bookwyrm/oauth.py create mode 100644 bookwyrm/templates/landing/oauth_register.html create mode 100644 bookwyrm/views/oauth.py diff --git a/.env.example b/.env.example index 4c1c2eefea..3983e23c7e 100644 --- a/.env.example +++ b/.env.example @@ -120,3 +120,11 @@ OTEL_SERVICE_NAME= # for your instance: # https://docs.djangoproject.com/en/3.2/ref/settings/#secure-proxy-ssl-header HTTP_X_FORWARDED_PROTO=false + +# Enable logging in and registration with OAuth 2 +OAUTH_ACTIVE=false +#OAUTH_NAME="OAuth Provider" # Displayed on Login Button as "Login with OAUTH_NAME" +#OAUTH_CLIENT_ID="" +#OAUTH_CLIENT_SECRET="" +#OAUTH_AUTHORIZE_URL="" # For mastodon use "https:///oauth/authorize" +#OAUTH_ACCESS_TOKEN_URL="" # For mastodon use "https:///oauth/token" diff --git a/bookwyrm/context_processors.py b/bookwyrm/context_processors.py index 0047bfce11..df0a1ce775 100644 --- a/bookwyrm/context_processors.py +++ b/bookwyrm/context_processors.py @@ -28,4 +28,6 @@ def site_settings(request): # pylint: disable=unused-argument "preview_images_enabled": settings.ENABLE_PREVIEW_IMAGES, "request_protocol": request_protocol, "js_cache": settings.JS_CACHE, + "oauth_active": settings.OAUTH_ACTIVE, + "oauth_name": settings.OAUTH_NAME, } diff --git a/bookwyrm/forms/landing.py b/bookwyrm/forms/landing.py index bd9884bc35..1b20146bfb 100644 --- a/bookwyrm/forms/landing.py +++ b/bookwyrm/forms/landing.py @@ -56,6 +56,20 @@ def clean(self): self.add_error("localname", _("User with this username already exists")) +class OAuthRegisterForm(CustomForm): + class Meta: + model = models.User + fields = ["localname", "email"] + help_texts = {f: None for f in fields} + + def clean(self): + """Check if the username is taken""" + cleaned_data = super().clean() + localname = cleaned_data.get("localname").strip() + if models.User.objects.filter(localname=localname).first(): + self.add_error("localname", _("User with this username already exists")) + + class InviteRequestForm(CustomForm): def clean(self): """make sure the email isn't in use by a registered user""" diff --git a/bookwyrm/oauth.py b/bookwyrm/oauth.py new file mode 100644 index 0000000000..f297877897 --- /dev/null +++ b/bookwyrm/oauth.py @@ -0,0 +1,38 @@ +""" responds to various requests to oauth """ +from django.contrib.auth import login +from django.core.exceptions import ObjectDoesNotExist +from django.dispatch import receiver +from django.urls import reverse +from django.shortcuts import render, redirect +from django.template.response import TemplateResponse +from authlib.integrations.django_client import OAuth, OAuthError + +from bookwyrm import models +from bookwyrm.settings import DOMAIN + +oauth = OAuth() +oauth.register('oauth') +oauth = oauth.oauth + +def auth(request): + try: + token = oauth.authorize_access_token(request) + except OAuthError: + data = {} + return TemplateResponse(request, "landing/login.html", data) + acct = oauth.get("https://raphus.social/api/v1/accounts/verify_credentials",token=token) + if (acct.status_code==200): + localname = dict(acct.json())['acct'] + username = "{}@{}".format(localname,DOMAIN) + try: + user = models.User.objects.get(username=username) + except ObjectDoesNotExist: + request.session['oauth-newuser'] = localname + request.session["oauth-newuser-pfp"] = dict(acct.json())['avatar'] + return redirect('oauth-register') + login(request,user) + return redirect('/') + +def request_login(request): + redirect_uri = request.build_absolute_uri(reverse('oauth')) + return oauth.authorize_redirect(request, redirect_uri, force_login=True ) diff --git a/bookwyrm/settings.py b/bookwyrm/settings.py index c66bd636b1..64cd9c7fd7 100644 --- a/bookwyrm/settings.py +++ b/bookwyrm/settings.py @@ -388,3 +388,14 @@ # Do not change this setting unless you already have an existing # user with the same username - in which case you should change it! INSTANCE_ACTOR_USERNAME = "bookwyrm.instance.actor" +OAUTH_ACTIVE = env("OAUTH_ACTIVE",False) +if OAUTH_ACTIVE: + OAUTH_NAME=env("OAUTH_NAME","OAuth2") + AUTHLIB_OAUTH_CLIENTS = { + 'oauth': { + 'client_id': env("OAUTH_CLIENT_ID"), + 'client_secret': env("OAUTH_CLIENT_SECRET"), + 'authorize_url': env("OAUTH_AUTHORIZE_URL"), + 'access_token_url': env("OAUTH_ACCESS_TOKEN_URL"), + } + } diff --git a/bookwyrm/templates/landing/login.html b/bookwyrm/templates/landing/login.html index 369a72bd28..ed20d06006 100644 --- a/bookwyrm/templates/landing/login.html +++ b/bookwyrm/templates/landing/login.html @@ -10,10 +10,15 @@

{% trans "Log in" %}

{% if login_form.non_field_errors %}

{{ login_form.non_field_errors }}

{% endif %} - + {% if show_confirmed_email %}

{% trans "Success! Email address confirmed." %}

{% endif %} + {% if oauth_active %} + + + + {% else %}
{% csrf_token %} {% if show_confirmed_email %}{% endif %} @@ -40,6 +45,7 @@

{% trans "Log in" %}

+ {% endif %} {% if site.allow_registration %} diff --git a/bookwyrm/templates/landing/oauth_register.html b/bookwyrm/templates/landing/oauth_register.html new file mode 100644 index 0000000000..215140baf2 --- /dev/null +++ b/bookwyrm/templates/landing/oauth_register.html @@ -0,0 +1,75 @@ +{% extends 'layout.html' %} +{% load i18n %} + +{% block title %}{% trans "Create an Account" %}{% endblock %} + +{% block content %} + +

{% trans "Create an Account" %}

+
+
+
+ {% if valid %} +
+
+{% csrf_token %} +
+ +
+ {{ username }} +
+

+ {% trans "Your username cannot be changed." %} +

+
+
+
+
+ +
+ + + {% include 'snippets/form_errors.html' with errors_list=register_form.email.errors id="desc_email_register" %} +
+
+ + + +
+
+ +
+
+
+
+ {% else %} +
+

{% trans "Permission Denied" %}

+

{% trans "Sorry!" %}

+
+ {% endif %} +
+
+
+
+ {% include 'snippets/about.html' %} +
+
+
+ +{% endblock %} diff --git a/bookwyrm/templates/layout.html b/bookwyrm/templates/layout.html index c3408f44e1..78c53b9ce7 100644 --- a/bookwyrm/templates/layout.html +++ b/bookwyrm/templates/layout.html @@ -115,6 +115,12 @@ + {% elif oauth_active %} +
+ + + +
{% else %}
{% if request.path != '/login' and request.path != '/login/' %} diff --git a/bookwyrm/urls.py b/bookwyrm/urls.py index 3fbf7dda1b..16e0d58fb8 100644 --- a/bookwyrm/urls.py +++ b/bookwyrm/urls.py @@ -4,7 +4,7 @@ from django.urls import path, re_path from django.views.generic.base import TemplateView -from bookwyrm import settings, views +from bookwyrm import settings, views, oauth from bookwyrm.utils import regex USER_PATH = rf"^user/(?P{regex.USERNAME})" @@ -81,6 +81,9 @@ re_path( r"^password-reset/(?P[A-Za-z0-9]+)/?$", views.PasswordReset.as_view() ), + re_path(r"^oauth$",oauth.auth,name="oauth"), + re_path(r"^oauth/login$",oauth.request_login, name="oauth-login"), + re_path(r"^oauth/register$", views.OAuthRegister.as_view(), name="oauth-register"), # admin re_path( r"^settings/dashboard/?$", views.Dashboard.as_view(), name="settings-dashboard" diff --git a/bookwyrm/views/__init__.py b/bookwyrm/views/__init__.py index 8081130997..8c6c44ab26 100644 --- a/bookwyrm/views/__init__.py +++ b/bookwyrm/views/__init__.py @@ -164,3 +164,4 @@ summary_add_key, summary_revoke_key, ) +from .oauth import OAuthRegister diff --git a/bookwyrm/views/landing/register.py b/bookwyrm/views/landing/register.py index 2e1a1d3213..dfb982a24f 100644 --- a/bookwyrm/views/landing/register.py +++ b/bookwyrm/views/landing/register.py @@ -29,7 +29,7 @@ def post(self, request): if settings.install_mode: raise PermissionDenied() - if not settings.allow_registration: + if not settings.allow_registration and 'oauth-newuser' not in request.session: invite_code = request.POST.get("invite_code") if not invite_code: @@ -40,8 +40,14 @@ def post(self, request): raise PermissionDenied() else: invite = None - - form = forms.RegisterForm(request.POST) + + if 'oauth-newuser' in request.session: + newuser = request.POST.get("localname") + if newuser != request.session["oauth-newuser"]: + raise PremissionDenied() + form = forms.OAuthRegisterForm(request.POST) + else: + form = forms.RegisterForm(request.POST) if not form.is_valid(): data = { "login_form": forms.LoginForm(), @@ -55,7 +61,7 @@ def post(self, request): localname = form.data["localname"].strip() email = form.data["email"] - password = form.data["password"] + password = None if 'oauth-newuser' in request.session else form.data["password"] try: preferred_timezone = pytz.timezone(form.data.get("preferred_timezone")) except pytz.exceptions.UnknownTimeZoneError: @@ -86,7 +92,7 @@ def post(self, request): if settings.require_confirm_email: emailing.email_confirmation_email(user) return redirect("confirm-email") - + login(request, user) return redirect("get-started-profile") diff --git a/bookwyrm/views/oauth.py b/bookwyrm/views/oauth.py new file mode 100644 index 0000000000..8ad1e51228 --- /dev/null +++ b/bookwyrm/views/oauth.py @@ -0,0 +1,35 @@ +""" invites when registration is closed """ +from functools import reduce +import operator +from urllib.parse import urlencode + +from django.contrib.auth.decorators import login_required, permission_required +from django.core.paginator import Paginator +from django.db.models import Q +from django.http import HttpResponseBadRequest +from django.shortcuts import get_object_or_404, redirect +from django.template.response import TemplateResponse +from django.urls import reverse +from django.utils.decorators import method_decorator +from django.views import View +from django.views.decorators.http import require_POST + +from bookwyrm import emailing, forms, models +from bookwyrm.settings import PAGE_LENGTH + + +# pylint: disable= no-self-use +class OAuthRegister(View): + """use an invite to register""" + + def get(self, request): + if request.user.is_authenticated or 'oauth-newuser' not in request.session: + return redirect("/") + data = { + "register_form": forms.RegisterForm(), + "username": request.session['oauth-newuser'], + "valid": True, + } + return TemplateResponse(request, "landing/oauth_register.html", data) + + # post handling is in views.register.Register diff --git a/requirements.txt b/requirements.txt index 0f287e9700..d4d438abf3 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,5 @@ aiohttp==3.8.3 +oauthlib==3.2.2 bleach==5.0.1 celery==5.2.7 colorthief==0.2.1 From b6fc7ef39cd71db47a2f2bb764eeff146fc928ab Mon Sep 17 00:00:00 2001 From: Robert George Date: Sat, 11 Feb 2023 17:48:34 -0800 Subject: [PATCH 2/2] Forgot to run lint --- bookwyrm/oauth.py | 28 ++++++++++++++++------------ bookwyrm/settings.py | 14 +++++++------- bookwyrm/urls.py | 4 ++-- bookwyrm/views/landing/register.py | 10 +++++----- bookwyrm/views/oauth.py | 4 ++-- 5 files changed, 32 insertions(+), 28 deletions(-) diff --git a/bookwyrm/oauth.py b/bookwyrm/oauth.py index f297877897..45cf253fe6 100644 --- a/bookwyrm/oauth.py +++ b/bookwyrm/oauth.py @@ -11,28 +11,32 @@ from bookwyrm.settings import DOMAIN oauth = OAuth() -oauth.register('oauth') +oauth.register("oauth") oauth = oauth.oauth + def auth(request): try: token = oauth.authorize_access_token(request) except OAuthError: data = {} return TemplateResponse(request, "landing/login.html", data) - acct = oauth.get("https://raphus.social/api/v1/accounts/verify_credentials",token=token) - if (acct.status_code==200): - localname = dict(acct.json())['acct'] - username = "{}@{}".format(localname,DOMAIN) + acct = oauth.get( + "https://raphus.social/api/v1/accounts/verify_credentials", token=token + ) + if acct.status_code == 200: + localname = dict(acct.json())["acct"] + username = "{}@{}".format(localname, DOMAIN) try: user = models.User.objects.get(username=username) except ObjectDoesNotExist: - request.session['oauth-newuser'] = localname - request.session["oauth-newuser-pfp"] = dict(acct.json())['avatar'] - return redirect('oauth-register') - login(request,user) - return redirect('/') + request.session["oauth-newuser"] = localname + request.session["oauth-newuser-pfp"] = dict(acct.json())["avatar"] + return redirect("oauth-register") + login(request, user) + return redirect("/") + def request_login(request): - redirect_uri = request.build_absolute_uri(reverse('oauth')) - return oauth.authorize_redirect(request, redirect_uri, force_login=True ) + redirect_uri = request.build_absolute_uri(reverse("oauth")) + return oauth.authorize_redirect(request, redirect_uri, force_login=True) diff --git a/bookwyrm/settings.py b/bookwyrm/settings.py index 64cd9c7fd7..e9e06b6c4c 100644 --- a/bookwyrm/settings.py +++ b/bookwyrm/settings.py @@ -388,14 +388,14 @@ # Do not change this setting unless you already have an existing # user with the same username - in which case you should change it! INSTANCE_ACTOR_USERNAME = "bookwyrm.instance.actor" -OAUTH_ACTIVE = env("OAUTH_ACTIVE",False) +OAUTH_ACTIVE = env("OAUTH_ACTIVE", False) if OAUTH_ACTIVE: - OAUTH_NAME=env("OAUTH_NAME","OAuth2") + OAUTH_NAME = env("OAUTH_NAME", "OAuth2") AUTHLIB_OAUTH_CLIENTS = { - 'oauth': { - 'client_id': env("OAUTH_CLIENT_ID"), - 'client_secret': env("OAUTH_CLIENT_SECRET"), - 'authorize_url': env("OAUTH_AUTHORIZE_URL"), - 'access_token_url': env("OAUTH_ACCESS_TOKEN_URL"), + "oauth": { + "client_id": env("OAUTH_CLIENT_ID"), + "client_secret": env("OAUTH_CLIENT_SECRET"), + "authorize_url": env("OAUTH_AUTHORIZE_URL"), + "access_token_url": env("OAUTH_ACCESS_TOKEN_URL"), } } diff --git a/bookwyrm/urls.py b/bookwyrm/urls.py index 16e0d58fb8..25fe01c569 100644 --- a/bookwyrm/urls.py +++ b/bookwyrm/urls.py @@ -81,8 +81,8 @@ re_path( r"^password-reset/(?P[A-Za-z0-9]+)/?$", views.PasswordReset.as_view() ), - re_path(r"^oauth$",oauth.auth,name="oauth"), - re_path(r"^oauth/login$",oauth.request_login, name="oauth-login"), + re_path(r"^oauth$", oauth.auth, name="oauth"), + re_path(r"^oauth/login$", oauth.request_login, name="oauth-login"), re_path(r"^oauth/register$", views.OAuthRegister.as_view(), name="oauth-register"), # admin re_path( diff --git a/bookwyrm/views/landing/register.py b/bookwyrm/views/landing/register.py index dfb982a24f..af6f249215 100644 --- a/bookwyrm/views/landing/register.py +++ b/bookwyrm/views/landing/register.py @@ -29,7 +29,7 @@ def post(self, request): if settings.install_mode: raise PermissionDenied() - if not settings.allow_registration and 'oauth-newuser' not in request.session: + if not settings.allow_registration and "oauth-newuser" not in request.session: invite_code = request.POST.get("invite_code") if not invite_code: @@ -40,8 +40,8 @@ def post(self, request): raise PermissionDenied() else: invite = None - - if 'oauth-newuser' in request.session: + + if "oauth-newuser" in request.session: newuser = request.POST.get("localname") if newuser != request.session["oauth-newuser"]: raise PremissionDenied() @@ -61,7 +61,7 @@ def post(self, request): localname = form.data["localname"].strip() email = form.data["email"] - password = None if 'oauth-newuser' in request.session else form.data["password"] + password = None if "oauth-newuser" in request.session else form.data["password"] try: preferred_timezone = pytz.timezone(form.data.get("preferred_timezone")) except pytz.exceptions.UnknownTimeZoneError: @@ -92,7 +92,7 @@ def post(self, request): if settings.require_confirm_email: emailing.email_confirmation_email(user) return redirect("confirm-email") - + login(request, user) return redirect("get-started-profile") diff --git a/bookwyrm/views/oauth.py b/bookwyrm/views/oauth.py index 8ad1e51228..47505aa5ac 100644 --- a/bookwyrm/views/oauth.py +++ b/bookwyrm/views/oauth.py @@ -23,11 +23,11 @@ class OAuthRegister(View): """use an invite to register""" def get(self, request): - if request.user.is_authenticated or 'oauth-newuser' not in request.session: + if request.user.is_authenticated or "oauth-newuser" not in request.session: return redirect("/") data = { "register_form": forms.RegisterForm(), - "username": request.session['oauth-newuser'], + "username": request.session["oauth-newuser"], "valid": True, } return TemplateResponse(request, "landing/oauth_register.html", data)