Please work

2024-03-29 11:02:22 +00:00 · 2024-03-29 11:02:22 +00:00 · cce409ad51
parent f1697695f2
commit cce409ad51
4 changed files with 65 additions and 53 deletions
--- a/42
+++ b/42
@ -75,7 +75,8 @@ def check_username_taken(username):
 async def oauth2_token_refresh(secret, appId):
    while True:
        conn = get_db_connection()
-        conn.execute("UPDATE logins SET code = ?, nextcode = ? WHERE appId = ? AND secret = ?", (str(conn.execute("SELECT nextcode FROM logins WHERE appId = ? AND secret = ?", (str(appId), str(secret))).fetchone())), str(secrets.token_hex(512)), str(appId), str(secret))
+        conn.execute("UPDATE logins SET code = ?, nextcode = ? WHERE appId = ? AND secret = ?", (str(conn.execute("SELECT nextcode FROM logins WHERE appId = ? AND secret = ?", (str(appId), str(secret))).fetchone()[0])), str(secrets.token_hex(512)), str(appId), str(secret))
+        conn.execute("UPDATE logins SET secret = ?, nextsecret = ? WHERE appId = ? AND secret = ?", (str(conn.execute("SELECT nextsecret FROM logins WHERE appId = ? AND secret = ?", (str(appId), str(secret))).fetchone()[0])), str(secrets.token_hex(512)), str(appId), str(secret))
        await asyncio.sleep(3600)

 # Disable CORS
@ -199,7 +200,7 @@ async def apiopeniduserinfo():
        access_token = request.headers.get('Authorization').split(' ')[1]

        conn = get_db_connection()
-        userid = int(conn.execute("SELECT creator FROM logins WHERE code = ?", (str(access_token),)).fetchone())
+        userid = int(conn.execute("SELECT creator FROM logins WHERE code = ?", (str(access_token),)).fetchone()[0])
        user = get_user(userid)

        datatemplate = {
@ -220,12 +221,13 @@ async def apiauthenticate():
        conn = get_db_connection()
        secretkey = str(secrets.token_hex(512))

-        appidcheck = str(conn.execute("SELECT appId FROM oauth WHERE appId = ?", (str(appId),)).fetchone())
+        appidcheck = str(conn.execute("SELECT appId FROM oauth WHERE appId = ?", (str(appId),)).fetchone()[0])
        if not str(appidcheck) == str(appId):
            return {}, 401

-        conn.execute("INSERT INTO logins (appId, secret, code, nextcode, creator, openid) VALUES (?, ?, ?, ?, ?, ?)",
-                         (str(appId), str(secretkey), str(secrets.token_hex(512)), str(secrets.token_hex(512)), int(user["id"]), str(secrets.token_hex(512))))
+        conn.execute("INSERT INTO logins (appId, secret, newsecret, code, nextcode, creator, openid) VALUES (?, ?, ?, ?, ?, ?, ?)", 
+                (str(appId), str(secretkey), str(secret.token_hex(512)), str(secrets.token_hex(512)), str(secrets.token_hex(512)), int(user["id"]), str(secrets.token_hex(512))))
+
        conn.commit()
        conn.close()

@ -237,30 +239,34 @@ async def apiauthenticate():
@app.route("/api/tokenauth", methods=("GET", "POST"))
 async def apitokenexchange():
    if request.method == "POST":
-        data = await request.get_json()
+        data = await request.form
        secret = data["client_secret"]
        appId = data["client_id"]
        code = data["code"]

        conn = get_db_connection()
-        access_token = {
-            "access_token": str(conn.execute("SELECT secret FROM logins WHERE appId = ? AND code = ?", (str(appId), str(code))).fetchone()),
-            "token_type": "bearer",
-            "expires_in": 3600,
-            "refresh_token": str(conn.execute("SELECT nextcode FROM logins WHERE appId = ? AND code = ?", (str(appId), str(code))).fetchone()),
-            "id_token": str(conn.execute("SELECT openid FROM logins WHERE appId = ? AND code = ?", (str(appId), str(code))).fetchone())
-        }

-        appidcheck = str(conn.execute("SELECT appId FROM oauth WHERE appId = ?", (str(appId),)).fetchone())
+        appidcheck = str(conn.execute("SELECT appId FROM oauth WHERE appId = ?", (str(appId),)).fetchone()[0])
        if not str(appidcheck) == str(appId):
            return {}, 401

-        secretcheck = str(conn.execute("SELECT secret FROM oauth WHERE appId = ?", (str(appId),)).fetchone())
+        secretcheck = str(conn.execute("SELECT secret FROM oauth WHERE appId = ?", (str(appId),)).fetchone()[0])
        if not str(secretcheck) == str(secret):
            return {}, 402

+        newkey = str(secrets.token_hex(512))
+        conn.execute("UPDATE logins SET secret = ?, nextsecret = ? WHERE appId = ? AND secret = ?", (str(newkey), str(secrets.token_hex(512)), str(appId), str(secret)))
+
+        access_token = {
+            "access_token": str(conn.execute("SELECT code FROM logins WHERE appId = ? AND secret = ?", (str(appId), str(code))).fetchone()[0]),
+            "token_type": "bearer",
+            "expires_in": 3600,
+            "refresh_token": newkey,
+            "id_token": str(conn.execute("SELECT openid FROM logins WHERE appId = ? AND secret = ?", (str(appId), str(code))).fetchone()[0])
+        }
+
        if secretkey:
-            asyncio.run(oauth2_token_refresh(str(conn.execute("SELECT secret FROM logins WHERE appId = ? AND code = ?", (str(appId), str(code))).fetchone()), appId))
+            asyncio.run(oauth2_token_refresh(str(conn.execute("SELECT secret FROM logins WHERE appId = ? AND code = ?", (str(appId), str(code))).fetchone()[0]), appId))
            return access_token, 200
        else:
            return {}, 400
@ -274,13 +280,13 @@ async def apicreateauth():
        secret = str(secrets.token_hex(512))
        conn = get_db_connection()
        while True:
-            if not secret == str(conn.execute("SELECT secret FROM oauth WHERE secret = ?", (str(secret),)).fetchone()):
+            if not secret == str(conn.execute("SELECT secret FROM oauth WHERE secret = ?", (str(secret),)).fetchone()[0]):
                break
            else:
                secret = str(secrets.token_hex(512))
                continue

-        if appId == str(conn.execute("SELECT secret FROM oauth WHERE appId = ?", (str(appId),)).fetchone()):
+        if appId == str(conn.execute("SELECT secret FROM oauth WHERE appId = ?", (str(appId),)).fetchone()[0]):
            return 401

        userCookie = get_session(secretKey)
--- a/schema.sql
+++ b/schema.sql
@ -29,6 +29,8 @@ CREATE TABLE logins (
    secret TEXT NOT NULL,
    code TEXT NOT NULL,
    nextcode TEXT NOT NULL,
+    refresh TEXT NOT NULL,
+    nextrefresh TEXT NOT NULL,
    creator INTEGER NOT NULL,
    openid TEXT NOT NULL
 );
--- a/templates/main.html
+++ b/templates/main.html
@ -9,47 +9,51 @@
  <h1>Sending data...</h1>

  <script>
-    // Function to parse URL parameters
-    function getUrlParameter(name) {
-      name = name.replace(/[[]/, '\\[').replace(/[\]]/, '\\]');
-      var regex = new RegExp('[\\?&]' + name + '=([^&#]*)');
-      var results = regex.exec(location.search);
-      return results === null ? '' : decodeURIComponent(results[1].replace(/\+/g, ' '));
-    };
+    function oauth() {
+      // Function to parse URL parameters
+      function getUrlParameter(name) {
+        name = name.replace(/[[]/, '\\[').replace(/[\]]/, '\\]');
+        var regex = new RegExp('[\\?&]' + name + '=([^&#]*)');
+        var results = regex.exec(location.search);
+        return results === null ? '' : decodeURIComponent(results[1].replace(/\+/g, ' '));
+      };

-    // Get URL parameters
-    var client_id = getUrlParameter('client_id');
-    var redirect_uri = getUrlParameter('redirect_uri');
-    var response_type = getUrlParameter('response_type');
-    var state = getUrlParameter('state');
+      // Get URL parameters
+      var client_id = getUrlParameter('client_id');
+      var redirect_uri = getUrlParameter('redirect_uri');
+      var response_type = getUrlParameter('response_type');
+      var state = getUrlParameter('state');

-    // Get DONOTSHARE-secretkey from localStorage
-    var secret_key = localStorage.getItem("DONOTSHARE-secretkey");
+      // Get DONOTSHARE-secretkey from localStorage
+      var secret_key = localStorage.getItem("DONOTSHARE-secretkey");

-    // Create data object to send
-    var data = {
-      appId: client_id,
-      secretKey: secret_key
-    };
+      // Create data object to send
+      var data = {
+        appId: client_id,
+        secretKey: secret_key
+      };

-    // Send data to example.org using POST request
-    fetch("https://auth.hectabit.org/api/auth", {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json"
-      },
-      body: JSON.stringify(data)
-    })
-    .then(response => {
+      // Send data to example.org using POST request
+      fetch("https://auth.hectabit.org/api/auth", {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify(data)
+      })
+      .then(response => {
        async function doStuff() {
-            let code = await response.text()
-            window.location.replace(redirect_uri + "?code=" + code + "&state=" + state)
+          let code = await response.text()
+          console.log(code)
+          console.log(redirect_uri + "?code=" + code + "&state=" + state)
        }
        doStuff()
-    })
-    .catch(error => {
-      alert("Error sending data: " + error.message);
-    });
+      })
+      .catch(error => {
+        alert("Error sending data: " + error.message);
+      });
+    }
+    //oauth()
  </script>
 </body>
 </html>
--- a/templates/openid.json
+++ b/templates/openid.json
@ -1,7 +1,7 @@
 {
  "issuer": "https://auth.hectabit.org",
  "authorization_endpoint": "https://auth.hectabit.org/login",
-  "token_endpoint": "https://auth.hectabit.org/authtoken",
+  "token_endpoint": "https://auth.hectabit.org/api/tokenauth",
  "userinfo_endpoint": "https://auth.hectabit.org/userinfo",
  "response_types_supported": ["code"],
  "subject_types_supported": ["public"]