diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f7b3857
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+config.ini
+config.ini.example
+database.db
diff --git a/main b/main
index 1d5390b..4aaaeff 100644
--- a/main
+++ b/main
@@ -72,6 +72,12 @@ def check_username_taken(username):
return None
return post["id"]
+async def oauth2_token_refresh(secret, appId):
+ while True:
+ conn = get_db_connection()
+ conn.execute("UPDATE logins SET code = ?, nextcode = ? WHERE appId = ? AND secret = ?", (str(conn.execute("SELECT nextcode FROM logins WHERE appId = ? AND secret = ?", (str(appId), str(secret))).fetchone())), str(secrets.token_hex(512)), str(appId), str(secret))
+ await asyncio.sleep(3600)
+
# Disable CORS
@app.after_request
async def add_cors_headers(response):
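Review bot: The parameter list of the UPDATE on L20 closes after its first element — `(str(conn.execute(...).fetchone()))` is a parenthesised string, not a one-tuple — so the three remaining values become extra positional arguments to conn.execute and the call raises TypeError before any row is touched. str(fetchone()) also stores the printed row tuple (or "None") as the new code rather than the nextcode column value, and the connection opened on L19 is never committed or closed, so every hourly iteration leaks one handle. The loop has no exit once the login row is gone; returning when the SELECT finds nothing bounds it. A rewrite of the loop body is below (indexing `row[0]` assumes get_db_connection's row factory is tuple-like, which the diff does not show).
```python
async def oauth2_token_refresh(secret, appId):
    while True:
        conn = get_db_connection()
        row = conn.execute("SELECT nextcode FROM logins WHERE appId = ? AND secret = ?", (str(appId), str(secret))).fetchone()
        if row is None:
            conn.close()
            return  # login row gone: stop rotating
        conn.execute("UPDATE logins SET code = ?, nextcode = ? WHERE appId = ? AND secret = ?",
                     (str(row[0]), str(secrets.token_hex(512)), str(appId), str(secret)))
        conn.commit()
        conn.close()
        await asyncio.sleep(3600)
```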
@@ -193,32 +199,79 @@ async def apiauthenticate():
data = await request.get_json()
secretKey = data["secretKey"]
appId = data["appId"]
+ state = data["state"]
userCookie = get_session(secretKey)
user = get_user(userCookie["id"])
conn = get_db_connection()
- secretkey = {
- "key": str(conn.execute("SELECT secret FROM userdata WHERE appId = ? AND creator = ? LIMIT 1", (str(appId),int(user["id"]))))
- }
+ secretkey = str(secrets.token_hex(512))
+
+ clientidcheck = str(conn.execute("SELECT appId FROM oauth WHERE appId = ?", (str(appId)))).fetchone()
+ if not str(clientidcheck) == str(appId):
+ return {}, 401
+
+ conn.execute("INSERT INTO logins (appId, authed, secret, code, nextcode, creator) VALUES (?, ?, ?, ?, ?, ?)",
+ (str(appId), int(int(time.time()) + 3600), int(0), str(secretkey), str(secrets.token_hex(512)), str(secrets.token_hex(512)), int(user["id"])))
+ conn.commit()
+ conn.close()
if secretkey:
return secretkey, 200
else:
return {}, 400
+@app.route("/api/tokenauth", methods=("GET", "POST"))
+async def apitokenexchange():
+ if request.method == "POST":
+ data = await request.get_json()
+ secret = data["client_secret"]
+ appId = data["client_id"]
+ code = data["code"]
+
+ conn = get_db_connection()
+ access_token = {
+ "access_token": str(conn.execute("SELECT secret FROM logins WHERE appId = ? AND code = ?", (str(appId), str(code))).fetchone()),
+ "token_type": "bearer",
+ "expires_in": 3600,
+ "refresh_token": str(conn.execute("SELECT nextcode FROM logins WHERE appId = ? AND code = ?", (str(appId), str(code))).fetchone())
+ }
+
+ clientidcheck = str(conn.execute("SELECT appId FROM oauth WHERE appId = ?", (str(appId)))).fetchone()
+ if not str(clientidcheck) == str(appId):
+ return {}, 401
+
+ secretcheck = str(conn.execute("SELECT secret FROM oauth WHERE appId = ?", (str(appId)))).fetchone()
+ if not str(secretcheck) == str(secret):
+ return {}, 402
+
+ if secretkey:
+ asyncio.run(oauth2_token_refresh(str(conn.execute("SELECT secret FROM logins WHERE appId = ? AND code = ?", (str(appId), str(code))).fetchone()), appId))
+ return access_token, 200
+ else:
+ return {}, 400
+
@app.route("/api/newauth", methods=("GET", "POST"))
async def apicreateauth():
if request.method == "POST":
data = await request.get_json()
appId = data["appId"]
secretKey = data["secretKey"]
- secret = secrets.token_hex(512)
+ secret = str(secrets.token_hex(512))
+ while True:
+ if not secret == str(conn.execute("SELECT secret FROM oauth WHERE secret = ?", (str(secret)))).fetchone():
+ break
+ else:
+ secret = str(secrets.token_hex(512))
+ continue
+
+ if clientId == str(conn.execute("SELECT secret FROM oauth WHERE clientId = ?", (str(clientId)))).fetchone():
+ return 401
userCookie = get_session(secretKey)
user = get_user(userCookie["id"])
conn = get_db_connection()
- conn.execute("INSERT INTO userdata (appId, creator, secret) VALUES (?, ?, ?)",
+ conn.execute("INSERT INTO keys (appId, creator, secret) VALUES (?, ?, ?)",
(str(appId),int(user["id"]),str(secret)))
conn.commit()
conn.close()
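Review bot: The client-id lookup on L39 calls .fetchone() on str(cursor), which raises AttributeError, and its parameter `(str(appId))` is a bare string rather than the one-tuple `(str(appId),)`; the same pattern recurs at L67, L71, L90 and L96, and str(row) on L61 and L64 puts the printed tuple (or "None") into the token response instead of the column value. The INSERT on L43-L44 names six columns but binds seven values (token_hex is generated twice after `secretkey`), which sqlite3 rejects; whether `authed` is meant to hold the expiry timestamp or the 0 flag is not clear from the diff, and the table names used here (`logins`, `oauth`, `keys`) should be checked against schema.sql, which in this commit only adds `logins`. In apitokenexchange, `secretkey` on L75 is never assigned in that function, the exchange never checks the stored expiry before returning a token, and asyncio.run() on L76 raises RuntimeError inside the already-running event loop — and would otherwise start an unbounded hourly task per exchange; rotating the code inside the exchange handler (or asyncio.create_task with a stored handle) avoids both. In apicreateauth, `conn` is used on L90 before it is opened on L100, `clientId` on L96 is undefined, and `return 401` on L97 returns a bare int rather than a (body, status) pair; L73's 402 is Payment Required, where a token endpoint conventionally answers 401. The lookup and insert in apiauthenticate would read as below (its `def` line is in the hunk header, outside the hunk).
```python
    conn = get_db_connection()
    row = conn.execute("SELECT appId FROM oauth WHERE appId = ?", (str(appId),)).fetchone()
    if row is None:
        conn.close()
        return {}, 401
    secretkey = str(secrets.token_hex(512))
    # six placeholders, six values; which of expiry/0 belongs in `authed` must be decided by the author
    conn.execute("INSERT INTO logins (appId, authed, secret, code, nextcode, creator) VALUES (?, ?, ?, ?, ?, ?)",
                 (str(appId), int(time.time()) + 3600, str(secretkey), str(secrets.token_hex(512)), str(secrets.token_hex(512)), int(user["id"])))
    # … unchanged: commit, close, response …
```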
diff --git a/schema.sql b/schema.sql
index 7bc759b..326d512 100644
--- a/schema.sql
+++ b/schema.sql
@@ -21,3 +21,12 @@ CREATE TABLE sessions (
id INTEGER NOT NULL,
device TEXT NOT NULL DEFAULT "?"
);
+
+CREATE TABLE logins (
+ appId TEXT NOT NULL,
+ authed INTEGER NOT NULL,
+ secret TEXT NOT NULL,
+ code TEXT NOT NULL,
+ nextcode TEXT NOT NULL,
+ creator INTEGER NOT NULL
+)
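Review bot: The new `logins` table on L115-L122 has no index or uniqueness constraint on the columns main filters by — (appId, secret) in the refresh UPDATE and (appId, code) in the token exchange — so each lookup is a full scan and nothing prevents two rows sharing a code; `CREATE INDEX logins_app_code ON logins (appId, code);` (UNIQUE if codes are meant to be single-use) would cover the exchange path. The statement also lacks the terminating semicolon the earlier statements use, and main additionally queries `oauth` and inserts into `keys`, neither of which is created in this file as far as the diff shows. A one-line comment naming what `authed` stores (an expiry timestamp or a flag) would help, since main writes a value computed from time.time() + 3600 into it.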
diff --git a/static/js/login.js b/static/js/login.js
index 9b24b3d..11a1e5f 100644
--- a/static/js/login.js
+++ b/static/js/login.js
@@ -1,10 +1,10 @@
if (localStorage.getItem("DONOTSHARE-secretkey") !== null) {
- window.location.replace("../app")
+ window.location.replace("/app" + window.location.search)
document.body.innerHTML = "Redirecting..."
throw new Error();
}
if (localStorage.getItem("DONOTSHARE-password") !== null) {
- window.location.replace("../app")
+ window.location.replace("/app" + window.location.search)
document.body.innerHTML = "Redirecting..."
throw new Error();
}
@@ -139,7 +139,7 @@ signupButton.addEventListener("click", (event) => {
localStorage.setItem("DONOTSHARE-secretkey", responseData["key"])
localStorage.setItem("DONOTSHARE-password", await hashwasm.sha512(password))
- window.location.href = "../app"
+ window.location.href = "/app" + window.location.search
}
else if (response.status == 401) {
console.log("Trying oldhash")
@@ -163,7 +163,7 @@ signupButton.addEventListener("click", (event) => {
localStorage.setItem("DONOTSHARE-secretkey", responseData["key"])
localStorage.setItem("DONOTSHARE-password", await hashwasm.sha512(password))
- window.location.href = "../app/"
+ window.location.href = "/app" + window.location.search
}
else if (response.status == 401) {
statusBox.innerText = "Wrong username or password..."
@@ -197,3 +197,19 @@ backButton.addEventListener("click", (event) => {
});
showInput(0)
+
+document.getElementById("signuprdirButton").addEventListener("click", function(event) {
+ event.preventDefault();
+
+ var queryString = window.location.search;
+ var newURL = "/signup" + queryString;
+ window.location.href = newURL;
+});
+
+document.getElementById("privacyButton").addEventListener("click", function(event) {
+ event.preventDefault();
+
+ var queryString = window.location.search;
+ var newURL = "/privacy" + queryString;
+ window.location.href = newURL;
+});
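Review bot: The two handlers added on L160-L174 repeat the same three lines that build `"/path" + window.location.search` and assign it to location.href, and the same pair is added again in signup.js at L205-L219; a small helper such as `const goWithQuery = (path) => { window.location.href = path + window.location.search; };` keeps all four handlers to one line each. document.getElementById returns null when the button is absent from the page, so the `.addEventListener` call throws and stops the rest of the script; whether both buttons exist in every template that loads login.js is not visible in the diff.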
diff --git a/static/js/signup.js b/static/js/signup.js
index 6f3368c..86057ae 100644
--- a/static/js/signup.js
+++ b/static/js/signup.js
@@ -1,10 +1,10 @@
if (localStorage.getItem("DONOTSHARE-secretkey") !== null) {
- window.location.replace("../app")
+ window.location.replace("/app" + window.location.search)
document.body.innerHTML = "Redirecting..."
throw new Error();
}
if (localStorage.getItem("DONOTSHARE-password") !== null) {
- window.location.replace("../app")
+ window.location.replace("/app" + window.location.search)
document.body.innerHTML = "Redirecting..."
throw new Error();
}
@@ -91,7 +91,7 @@ signupButton.addEventListener("click", (event) => {
localStorage.setItem("DONOTSHARE-secretkey", responseData["key"])
localStorage.setItem("DONOTSHARE-password", await hashwasm.sha512(password))
- window.location.href = "../app"
+ window.location.href = "/app" + window.location.search
}
else if (response.status == 409) {
statusBox.innerText = "Username already taken!"
@@ -107,3 +107,19 @@ signupButton.addEventListener("click", (event) => {
}
doStuff()
});
+
+document.getElementById("loginButton").addEventListener("click", function(event) {
+ event.preventDefault();
+
+ var queryString = window.location.search;
+ var newURL = "/login" + queryString;
+ window.location.href = newURL;
+});
+
+document.getElementById("privacyButton").addEventListener("click", function(event) {
+ event.preventDefault();
+
+ var queryString = window.location.search;
+ var newURL = "/privacy" + queryString;
+ window.location.href = newURL;
+});
diff --git a/templates/login.html b/templates/login.html
index 13d8c5b..c38918a 100644
--- a/templates/login.html
+++ b/templates/login.html
@@ -33,9 +33,9 @@
-
Don't have an account? If so, Create one here!
+Don't have an account? If so, Create one here!
Your homeserver is loading...
Already have an account? If so, Login instead!
+Already have an account? If so, Login instead!
Please note that it's impossible to reset your password, do not forget it!
Your homeserver is loading...