From cce409ad51c498476f54f6bc05c2a6f880ddd776 Mon Sep 17 00:00:00 2001 From: arzumify Date: Fri, 29 Mar 2024 11:02:22 +0000 Subject: [PATCH] Please work --- main | 42 ++++++++++++++----------- schema.sql | 2 ++ templates/main.html | 72 +++++++++++++++++++++++-------------------- templates/openid.json | 2 +- 4 files changed, 65 insertions(+), 53 deletions(-) diff --git a/main b/main index 4ca554a..3fdd3ba 100644 --- a/main +++ b/main @@ -75,7 +75,8 @@ def check_username_taken(username): async def oauth2_token_refresh(secret, appId): while True: conn = get_db_connection() - conn.execute("UPDATE logins SET code = ?, nextcode = ? WHERE appId = ? AND secret = ?", (str(conn.execute("SELECT nextcode FROM logins WHERE appId = ? AND secret = ?", (str(appId), str(secret))).fetchone())), str(secrets.token_hex(512)), str(appId), str(secret)) + conn.execute("UPDATE logins SET code = ?, nextcode = ? WHERE appId = ? AND secret = ?", (str(conn.execute("SELECT nextcode FROM logins WHERE appId = ? AND secret = ?", (str(appId), str(secret))).fetchone()[0])), str(secrets.token_hex(512)), str(appId), str(secret)) + conn.execute("UPDATE logins SET secret = ?, nextsecret = ? WHERE appId = ? AND secret = ?", (str(conn.execute("SELECT nextsecret FROM logins WHERE appId = ? AND secret = ?", (str(appId), str(secret))).fetchone()[0])), str(secrets.token_hex(512)), str(appId), str(secret)) await asyncio.sleep(3600) # Disable CORS @@ -199,7 +200,7 @@ async def apiopeniduserinfo(): access_token = request.headers.get('Authorization').split(' ')[1] conn = get_db_connection() - userid = int(conn.execute("SELECT creator FROM logins WHERE code = ?", (str(access_token),)).fetchone()) + userid = int(conn.execute("SELECT creator FROM logins WHERE code = ?", (str(access_token),)).fetchone()[0]) user = get_user(userid) datatemplate = { 
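Review bot: Both UPDATE statements in oauth2_token_refresh pass their bind values as extra positional arguments instead of one parameter tuple — the `)` after `fetchone()[0]` closes the parameter group before `str(secrets.token_hex(512))`, so sqlite3's `execute` receives five arguments and raises TypeError on the first iteration; wrap the four values in a single tuple, e.g. `(str(nextrow[0]), str(secrets.token_hex(512)), str(appId), str(secret))`. Even with that fixed, the loop never calls `conn.commit()` or `conn.close()` (the commit added to apiauthenticate in this same patch suggests autocommit is not enabled), so the rotation is never persisted and a connection is leaked every hour. The second UPDATE writes a `nextsecret` column that does not appear in the visible part of schema.sql, which this patch extends with `refresh`/`nextrefresh` instead. An endless `while True` task per login is a fragile way to expire tokens; storing an issued-at timestamp on the row and comparing it at lookup time gives the same effect with no long-lived tasks.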
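Review bot: The `[0]` added to the creator lookup turns an unknown or revoked bearer token into a TypeError (`fetchone()` returns None) and therefore a 500, where a resource server should answer 401; guard the row first: `row = conn.execute("SELECT creator FROM logins WHERE code = ?", (str(access_token),)).fetchone()` / `if row is None: return {}, 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}`. The header parsing on the context line above (`.split(' ')[1]` on `headers.get('Authorization')`) raises on a missing or bare Authorization header and needs the same 401 path. Nothing here checks the token's age even though /api/tokenauth advertises `expires_in: 3600`, so an access token stays valid for as long as the row exists. The function continues past the end of the hunk.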
@@ -220,12 +221,13 @@ async def apiauthenticate(): conn = get_db_connection() secretkey = str(secrets.token_hex(512)) - appidcheck = str(conn.execute("SELECT appId FROM oauth WHERE appId = ?", (str(appId),)).fetchone()) + appidcheck = str(conn.execute("SELECT appId FROM oauth WHERE appId = ?", (str(appId),)).fetchone()[0]) if not str(appidcheck) == str(appId): return {}, 401 - conn.execute("INSERT INTO logins (appId, secret, code, nextcode, creator, openid) VALUES (?, ?, ?, ?, ?, ?)", - (str(appId), str(secretkey), str(secrets.token_hex(512)), str(secrets.token_hex(512)), int(user["id"]), str(secrets.token_hex(512)))) + conn.execute("INSERT INTO logins (appId, secret, newsecret, code, nextcode, creator, openid) VALUES (?, ?, ?, ?, ?, ?, ?)", + (str(appId), str(secretkey), str(secret.token_hex(512)), str(secrets.token_hex(512)), str(secrets.token_hex(512)), int(user["id"]), str(secrets.token_hex(512)))) + conn.commit() conn.close() 
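Review bot: The new INSERT cannot execute as written: `secret.token_hex(512)` drops the `s` from the `secrets` module (NameError, or AttributeError if `secret` is a local string), and the column list names `newsecret` while schema.sql in this patch adds `refresh` and `nextrefresh` as NOT NULL columns, so sqlite rejects the statement either for the unknown column or for the missing NOT NULL values. Pick one name for the rotating refresh-token pair and use it in the schema, this INSERT and the UPDATEs in oauth2_token_refresh and apitokenexchange. Separately, the `[0]` added to `appidcheck` makes an unregistered `client_id` raise TypeError instead of reaching the 401 below; `if conn.execute("SELECT 1 FROM oauth WHERE appId = ?", (str(appId),)).fetchone() is None: return {}, 401` expresses the check directly. The enclosing function starts before the hunk.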
@@ -237,30 +239,34 @@ async def apiauthenticate(): @app.route("/api/tokenauth", methods=("GET", "POST")) async def apitokenexchange(): if request.method == "POST": - data = await request.get_json() + data = await request.form secret = data["client_secret"] appId = data["client_id"] code = data["code"] conn = get_db_connection() - access_token = { - "access_token": str(conn.execute("SELECT secret FROM logins WHERE appId = ? AND code = ?", (str(appId), str(code))).fetchone()), - "token_type": "bearer", - "expires_in": 3600, - "refresh_token": str(conn.execute("SELECT nextcode FROM logins WHERE appId = ? AND code = ?", (str(appId), str(code))).fetchone()), - "id_token": str(conn.execute("SELECT openid FROM logins WHERE appId = ? AND code = ?", (str(appId), str(code))).fetchone()) - } - appidcheck = str(conn.execute("SELECT appId FROM oauth WHERE appId = ?", (str(appId),)).fetchone()) + appidcheck = str(conn.execute("SELECT appId FROM oauth WHERE appId = ?", (str(appId),)).fetchone()[0]) if not str(appidcheck) == str(appId): return {}, 401 - secretcheck = str(conn.execute("SELECT secret FROM oauth WHERE appId = ?", (str(appId),)).fetchone()) + secretcheck = str(conn.execute("SELECT secret FROM oauth WHERE appId = ?", (str(appId),)).fetchone()[0]) if not str(secretcheck) == str(secret): return {}, 402 + newkey = str(secrets.token_hex(512)) + conn.execute("UPDATE logins SET secret = ?, nextsecret = ? WHERE appId = ? AND secret = ?", (str(newkey), str(secrets.token_hex(512)), str(appId), str(secret))) + + access_token = { + "access_token": str(conn.execute("SELECT code FROM logins WHERE appId = ? AND secret = ?", (str(appId), str(code))).fetchone()[0]), + "token_type": "bearer", + "expires_in": 3600, + "refresh_token": newkey, + "id_token": str(conn.execute("SELECT openid FROM logins WHERE appId = ? AND secret = ?", (str(appId), str(code))).fetchone()[0]) + } + if secretkey: - asyncio.run(oauth2_token_refresh(str(conn.execute("SELECT secret FROM logins WHERE appId = ? 
AND code = ?", (str(appId), str(code))).fetchone()), appId)) + asyncio.run(oauth2_token_refresh(str(conn.execute("SELECT secret FROM logins WHERE appId = ? AND code = ?", (str(appId), str(code))).fetchone()[0]), appId)) return access_token, 200 else: return {}, 400 @@ -274,13 +280,13 @@ async def apicreateauth(): secret = str(secrets.token_hex(512)) conn = get_db_connection() while True: - if not secret == str(conn.execute("SELECT secret FROM oauth WHERE secret = ?", (str(secret),)).fetchone()): + if not secret == str(conn.execute("SELECT secret FROM oauth WHERE secret = ?", (str(secret),)).fetchone()[0]): break else: secret = str(secrets.token_hex(512)) continue - if appId == str(conn.execute("SELECT secret FROM oauth WHERE appId = ?", (str(appId),)).fetchone()): + if appId == str(conn.execute("SELECT secret FROM oauth WHERE appId = ?", (str(appId),)).fetchone()[0]): return 401 userCookie = get_session(secretKey) diff --git a/schema.sql b/schema.sql index fa0fbc6..96edd9c 100644 --- a/schema.sql +++ b/schema.sql @@ -29,6 +29,8 @@ CREATE TABLE logins ( secret TEXT NOT NULL, code TEXT NOT NULL, nextcode TEXT NOT NULL, + refresh TEXT NOT NULL, + nextrefresh TEXT NOT NULL, creator INTEGER NOT NULL, openid TEXT NOT NULL ); diff --git a/templates/main.html b/templates/main.html index e8441f1..cdf3166 100644 --- a/templates/main.html +++ b/templates/main.html @@ -9,47 +9,51 @@
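Review bot: `asyncio.run(oauth2_token_refresh(...))` on the new line cannot work inside a Quart handler: the handler already runs on the event loop, so `asyncio.run` raises RuntimeError ("cannot be called from a running event loop"), and `secretkey` on the guarding context line is a local of apiauthenticate rather than of this function (unless it is a module global I cannot see). Rather than spawning an endless per-login task, record an issued-at time on the row and check it when the token is looked up. The lookups above are also inconsistent with each other: the UPDATE binds the client's `client_secret` to `logins.secret`, which holds the per-login `secretkey` generated in apiauthenticate, so it matches no row, while the two SELECTs bind the authorization `code` to that same column (the pre-commit version matched `logins.code`), and `fetchone()[0]` on no match yields a 500 rather than `{"error": "invalid_grant"}, 400`. Nothing consumes or expires the authorization code, so a captured code can be exchanged repeatedly (RFC 6749 requires it to be single-use), and the UPDATE is neither committed nor the connection closed. A wrong `client_secret` should be answered with 401 `invalid_client`, not 402.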
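Review bot: Both `[0]` additions in apicreateauth crash on the common path: `fetchone()` returns None when the freshly generated secret is unused and when the `client_id` is new, so the uniqueness loop and the duplicate-appId check raise TypeError instead of breaking or continuing. Test for row presence instead — `if conn.execute("SELECT 1 FROM oauth WHERE secret = ?", (secret,)).fetchone() is None: break` — and the second check should compare against `appId`, not the `secret` column: `if conn.execute("SELECT 1 FROM oauth WHERE appId = ?", (str(appId),)).fetchone() is not None: return {}, 401` (the bare `return 401` is not a valid response). With a 1024-hex-character token the collision loop is effectively dead code; a UNIQUE constraint on `oauth.secret` would enforce the same guarantee. The function starts and ends outside the hunk.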
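Review bot: The two new NOT NULL columns `refresh` and `nextrefresh` are not the names the code in this patch writes: the INSERT in apiauthenticate supplies `newsecret`, and the UPDATEs in oauth2_token_refresh and apitokenexchange write `nextsecret`, so every insert fails either on the unknown column or on the missing NOT NULL values. Agree on one pair of names (keeping `refresh`/`nextrefresh` here and renaming in the three statements is the smallest change). Since this only edits CREATE TABLE, existing databases will not gain the columns without an `ALTER TABLE logins ADD COLUMN ...` migration. An `issued_at INTEGER NOT NULL` column would also let the endpoints enforce the `expires_in` of 3600 they advertise instead of relying on a background loop.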

Sending data...

diff --git a/templates/openid.json b/templates/openid.json
index 4565063..cee0452 100644
--- a/templates/openid.json
+++ b/templates/openid.json
@@ -1,7 +1,7 @@
 {
 "issuer": "https://auth.hectabit.org",
 "authorization_endpoint": "https://auth.hectabit.org/login",
-"token_endpoint": "https://auth.hectabit.org/authtoken",
+"token_endpoint": "https://auth.hectabit.org/api/tokenauth",
 "userinfo_endpoint": "https://auth.hectabit.org/userinfo",
 "response_types_supported": ["code"],
 "subject_types_supported": ["public"]
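Review bot: The token endpoint this now points at reads `client_secret` from the POST form (see /api/tokenauth in this patch), but the document does not advertise that; OIDC Discovery defaults `token_endpoint_auth_methods_supported` to `client_secret_basic`, so conforming clients will send an Authorization header the endpoint never reads. Add `"token_endpoint_auth_methods_supported": ["client_secret_post"],` or make the endpoint accept Basic as well. `userinfo_endpoint` is left at `/userinfo` while the other API routes live under `/api/`; I cannot see the route decorator for apiopeniduserinfo, so please confirm it matches. The `id_token` the token endpoint returns is a random hex string rather than a signed JWT, so relying parties validating per OIDC Core will reject it, and the document has no `jwks_uri` for the same reason.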