pleroma-fe/src/services/new_api/oauth.js

import { reduce } from 'lodash'
import { StatusCodeError } from 'src/services/errors/errors.js'

const REDIRECT_URI = `${window.location.origin}/oauth-callback`

export const getJsonOrError = async (response) => {
  if (response.ok) {
    return response.json().catch((error) => {
      throw new StatusCodeError(response.status, error, {}, response)
    })
  } else {
    throw new StatusCodeError(
      response.status,
      await response.text(),
      {},
      response,
    )
  }
}

export const createApp = (instance) => {
  const url = `${instance}/api/v1/apps`
  const form = new window.FormData()

  form.append('client_name', 'PleromaFE')
  form.append('website', 'https://pleroma.social')
  form.append('redirect_uris', REDIRECT_URI)
  form.append('scopes', 'read write follow push admin')

  return window
    .fetch(url, {
      method: 'POST',
      body: form,
    })
    .then(getJsonOrError)
    .then((app) => ({
      clientId: app.client_id,
      clientSecret: app.client_secret,
    }))
}

export const verifyAppToken = ({ instance, appToken }) => {
  return window
    .fetch(`${instance}/api/v1/apps/verify_credentials`, {
      method: 'GET',
      headers: { Authorization: `Bearer ${appToken}` },
    })
    .then(getJsonOrError)
}

const login = ({ instance, clientId }) => {
  const data = {
    response_type: 'code',
    client_id: clientId,
    redirect_uri: REDIRECT_URI,
    scope: 'read write follow push admin',
  }

  const dataString = reduce(
    data,
    (acc, v, k) => {
      const encoded = `${k}=${encodeURIComponent(v)}`
      if (!acc) {
        return encoded
      } else {
        return `${acc}&${encoded}`
      }
    },
    false,
  )

  // Do the redirect...
  const url = `${instance}/oauth/authorize?${dataString}`

  window.location.href = url
}

const getTokenWithCredentials = ({
  clientId,
  clientSecret,
  instance,
  username,
  password,
}) => {
  const url = `${instance}/oauth/token`
  const form = new window.FormData()

  form.append('client_id', clientId)
  form.append('client_secret', clientSecret)
  form.append('grant_type', 'password')
  form.append('username', username)
  form.append('password', password)

  return window
    .fetch(url, {
      method: 'POST',
      body: form,
    })
    .then((data) => data.json())
}

const getToken = ({ clientId, clientSecret, instance, code }) => {
  const url = `${instance}/oauth/token`
  const form = new window.FormData()

  form.append('client_id', clientId)
  form.append('client_secret', clientSecret)
  form.append('grant_type', 'authorization_code')
  form.append('code', code)
  form.append('redirect_uri', `${window.location.origin}/oauth-callback`)

  return window
    .fetch(url, {
      method: 'POST',
      body: form,
    })
    .then((data) => data.json())
}

export const getClientToken = ({ clientId, clientSecret, instance }) => {
  const url = `${instance}/oauth/token`
  const form = new window.FormData()

  form.append('client_id', clientId)
  form.append('client_secret', clientSecret)
  form.append('grant_type', 'client_credentials')
  form.append('redirect_uri', `${window.location.origin}/oauth-callback`)

  return window
    .fetch(url, {
      method: 'POST',
      body: form,
    })
    .then(getJsonOrError)
}
const verifyOTPCode = ({ app, instance, mfaToken, code }) => {
  const url = `${instance}/oauth/mfa/challenge`
  const form = new window.FormData()

  form.append('client_id', app.client_id)
  form.append('client_secret', app.client_secret)
  form.append('mfa_token', mfaToken)
  form.append('code', code)
  form.append('challenge_type', 'totp')

  return window
    .fetch(url, {
      method: 'POST',
      body: form,
    })
    .then((data) => data.json())
}

const verifyRecoveryCode = ({ app, instance, mfaToken, code }) => {
  const url = `${instance}/oauth/mfa/challenge`
  const form = new window.FormData()

  form.append('client_id', app.client_id)
  form.append('client_secret', app.client_secret)
  form.append('mfa_token', mfaToken)
  form.append('code', code)
  form.append('challenge_type', 'recovery')

  return window
    .fetch(url, {
      method: 'POST',
      body: form,
    })
    .then((data) => data.json())
}

const revokeToken = ({ app, instance, token }) => {
  const url = `${instance}/oauth/revoke`
  const form = new window.FormData()

  form.append('client_id', app.clientId)
  form.append('client_secret', app.clientSecret)
  form.append('token', token)

  return window
    .fetch(url, {
      method: 'POST',
      body: form,
    })
    .then((data) => data.json())
}

const oauth = {
  login,
  getToken,
  getTokenWithCredentials,
  verifyOTPCode,
  verifyRecoveryCode,
  revokeToken,
}

export default oauth
Proper clientId/secret/token caching, MastoAPI registration 2019-05-22 19:13:41 +03:00			`import { reduce } from 'lodash'`
Create an app only when needed 2025-03-09 15:06:19 -04:00			`import { StatusCodeError } from 'src/services/errors/errors.js'`
Proper clientId/secret/token caching, MastoAPI registration 2019-05-22 19:13:41 +03:00
			const REDIRECT_URI = `${window.location.origin}/oauth-callback`

Create an app only when needed 2025-03-09 15:06:19 -04:00			`export const getJsonOrError = async (response) => {`
			`if (response.ok) {`
biome format --write 2026-01-06 16:22:52 +02:00			`return response.json().catch((error) => {`
			`throw new StatusCodeError(response.status, error, {}, response)`
			`})`
Create an app only when needed 2025-03-09 15:06:19 -04:00			`} else {`
biome format --write 2026-01-06 16:22:52 +02:00			`throw new StatusCodeError(`
			`response.status,`
			`await response.text(),`
			`{},`
			`response,`
			`)`
Proper clientId/secret/token caching, MastoAPI registration 2019-05-22 19:13:41 +03:00			`}`
Create an app only when needed 2025-03-09 15:06:19 -04:00			`}`
Move login to oauth. 2018-10-26 15:16:23 +02:00
Create an app only when needed 2025-03-09 15:06:19 -04:00			`export const createApp = (instance) => {`
Move login to oauth. 2018-10-26 15:16:23 +02:00			const url = `${instance}/api/v1/apps`
			`const form = new window.FormData()`

Simplify the OAuth client_name Every time PleromaFE is used to login it will need to do the OAuth dance and request an app key. If the client name is not stable it will pollute the server's database with entries. This also happens on every unauthenticated page load at the moment until #1339 is resolved 2024-08-04 15:17:48 -04:00			`form.append('client_name', 'PleromaFE')`
			`form.append('website', 'https://pleroma.social')`
Proper clientId/secret/token caching, MastoAPI registration 2019-05-22 19:13:41 +03:00			`form.append('redirect_uris', REDIRECT_URI)`
Revert "Merge branch 'revert-96cab6d8' into 'develop'" This reverts merge request !1032 2019-12-12 14:43:48 +00:00			`form.append('scopes', 'read write follow push admin')`
Move login to oauth. 2018-10-26 15:16:23 +02:00
biome format --write 2026-01-06 16:22:52 +02:00			`return window`
			`.fetch(url, {`
			`method: 'POST',`
			`body: form,`
			`})`
Create an app only when needed 2025-03-09 15:06:19 -04:00			`.then(getJsonOrError)`
biome format --write 2026-01-06 16:22:52 +02:00			`.then((app) => ({`
			`clientId: app.client_id,`
			`clientSecret: app.client_secret,`
			`}))`
Create an app only when needed 2025-03-09 15:06:19 -04:00			`}`

			`export const verifyAppToken = ({ instance, appToken }) => {`
biome format --write 2026-01-06 16:22:52 +02:00			`return window`
			.fetch(`${instance}/api/v1/apps/verify_credentials`, {
			`method: 'GET',`
			headers: { Authorization: `Bearer ${appToken}` },
			`})`
Create an app only when needed 2025-03-09 15:06:19 -04:00			`.then(getJsonOrError)`
Move login to oauth. 2018-10-26 15:16:23 +02:00			`}`

Proper clientId/secret/token caching, MastoAPI registration 2019-05-22 19:13:41 +03:00			`const login = ({ instance, clientId }) => {`
			`const data = {`
			`response_type: 'code',`
			`client_id: clientId,`
			`redirect_uri: REDIRECT_URI,`
biome format --write 2026-01-06 16:22:52 +02:00			`scope: 'read write follow push admin',`
Proper clientId/secret/token caching, MastoAPI registration 2019-05-22 19:13:41 +03:00			`}`
Move login to oauth. 2018-10-26 15:16:23 +02:00
biome format --write 2026-01-06 16:22:52 +02:00			`const dataString = reduce(`
			`data,`
			`(acc, v, k) => {`
			const encoded = `${k}=${encodeURIComponent(v)}`
			`if (!acc) {`
			`return encoded`
			`} else {`
			return `${acc}&${encoded}`
			`}`
			`},`
			`false,`
			`)`
Move login to oauth. 2018-10-26 15:16:23 +02:00
Proper clientId/secret/token caching, MastoAPI registration 2019-05-22 19:13:41 +03:00			`// Do the redirect...`
			const url = `${instance}/oauth/authorize?${dataString}`

			`window.location.href = url`
Move login to oauth. 2018-10-26 15:16:23 +02:00			`}`

biome format --write 2026-01-06 16:22:52 +02:00			`const getTokenWithCredentials = ({`
			`clientId,`
			`clientSecret,`
			`instance,`
			`username,`
			`password,`
			`}) => {`
Re-activate registration, use oauth password flow to fetch token. 2018-11-06 21:48:05 +01:00			const url = `${instance}/oauth/token`
			`const form = new window.FormData()`

Proper clientId/secret/token caching, MastoAPI registration 2019-05-22 19:13:41 +03:00			`form.append('client_id', clientId)`
			`form.append('client_secret', clientSecret)`
Re-activate registration, use oauth password flow to fetch token. 2018-11-06 21:48:05 +01:00			`form.append('grant_type', 'password')`
			`form.append('username', username)`
			`form.append('password', password)`

biome format --write 2026-01-06 16:22:52 +02:00			`return window`
			`.fetch(url, {`
			`method: 'POST',`
			`body: form,`
			`})`
			`.then((data) => data.json())`
Re-activate registration, use oauth password flow to fetch token. 2018-11-06 21:48:05 +01:00			`}`

Proper clientId/secret/token caching, MastoAPI registration 2019-05-22 19:13:41 +03:00			`const getToken = ({ clientId, clientSecret, instance, code }) => {`
Move login to oauth. 2018-10-26 15:16:23 +02:00			const url = `${instance}/oauth/token`
			`const form = new window.FormData()`

Proper clientId/secret/token caching, MastoAPI registration 2019-05-22 19:13:41 +03:00			`form.append('client_id', clientId)`
			`form.append('client_secret', clientSecret)`
Move login to oauth. 2018-10-26 15:16:23 +02:00			`form.append('grant_type', 'authorization_code')`
			`form.append('code', code)`
Restore old routes, enable user route as fallback. 2018-12-25 18:43:52 +01:00			form.append('redirect_uri', `${window.location.origin}/oauth-callback`)
Move login to oauth. 2018-10-26 15:16:23 +02:00
biome format --write 2026-01-06 16:22:52 +02:00			`return window`
			`.fetch(url, {`
			`method: 'POST',`
			`body: form,`
			`})`
Proper clientId/secret/token caching, MastoAPI registration 2019-05-22 19:13:41 +03:00			`.then((data) => data.json())`
			`}`

			`export const getClientToken = ({ clientId, clientSecret, instance }) => {`
			const url = `${instance}/oauth/token`
			`const form = new window.FormData()`

			`form.append('client_id', clientId)`
			`form.append('client_secret', clientSecret)`
			`form.append('grant_type', 'client_credentials')`
			form.append('redirect_uri', `${window.location.origin}/oauth-callback`)

biome format --write 2026-01-06 16:22:52 +02:00			`return window`
			`.fetch(url, {`
			`method: 'POST',`
			`body: form,`
			`})`
			`.then(getJsonOrError)`
Move login to oauth. 2018-10-26 15:16:23 +02:00			`}`
npm eslint --fix . 2019-07-05 10:02:14 +03:00			`const verifyOTPCode = ({ app, instance, mfaToken, code }) => {`
Revert "add TOTP/Recovery Form for mobile version" This reverts commit a3811f944819430c278b6da6b08dc322a9b9ff65. 2019-06-12 20:16:55 +00:00			const url = `${instance}/oauth/mfa/challenge`
			`const form = new window.FormData()`

			`form.append('client_id', app.client_id)`
			`form.append('client_secret', app.client_secret)`
			`form.append('mfa_token', mfaToken)`
			`form.append('code', code)`
			`form.append('challenge_type', 'totp')`

biome format --write 2026-01-06 16:22:52 +02:00			`return window`
			`.fetch(url, {`
			`method: 'POST',`
			`body: form,`
			`})`
			`.then((data) => data.json())`
Revert "add TOTP/Recovery Form for mobile version" This reverts commit a3811f944819430c278b6da6b08dc322a9b9ff65. 2019-06-12 20:16:55 +00:00			`}`

npm eslint --fix . 2019-07-05 10:02:14 +03:00			`const verifyRecoveryCode = ({ app, instance, mfaToken, code }) => {`
Revert "add TOTP/Recovery Form for mobile version" This reverts commit a3811f944819430c278b6da6b08dc322a9b9ff65. 2019-06-12 20:16:55 +00:00			const url = `${instance}/oauth/mfa/challenge`
			`const form = new window.FormData()`

			`form.append('client_id', app.client_id)`
			`form.append('client_secret', app.client_secret)`
			`form.append('mfa_token', mfaToken)`
			`form.append('code', code)`
			`form.append('challenge_type', 'recovery')`

biome format --write 2026-01-06 16:22:52 +02:00			`return window`
			`.fetch(url, {`
			`method: 'POST',`
			`body: form,`
			`})`
			`.then((data) => data.json())`
Revert "add TOTP/Recovery Form for mobile version" This reverts commit a3811f944819430c278b6da6b08dc322a9b9ff65. 2019-06-12 20:16:55 +00:00			`}`
Move login to oauth. 2018-10-26 15:16:23 +02:00
Revoke oAuth token 2019-07-02 15:33:40 +07:00			`const revokeToken = ({ app, instance, token }) => {`
			const url = `${instance}/oauth/revoke`
			`const form = new window.FormData()`

			`form.append('client_id', app.clientId)`
			`form.append('client_secret', app.clientSecret)`
			`form.append('token', token)`

biome format --write 2026-01-06 16:22:52 +02:00			`return window`
			`.fetch(url, {`
			`method: 'POST',`
			`body: form,`
			`})`
			`.then((data) => data.json())`
Revoke oAuth token 2019-07-02 15:33:40 +07:00			`}`

Move login to oauth. 2018-10-26 15:16:23 +02:00			`const oauth = {`
			`login,`
Re-activate registration, use oauth password flow to fetch token. 2018-11-06 21:48:05 +01:00			`getToken,`
			`getTokenWithCredentials,`
Revert "add TOTP/Recovery Form for mobile version" This reverts commit a3811f944819430c278b6da6b08dc322a9b9ff65. 2019-06-12 20:16:55 +00:00			`verifyOTPCode,`
Revoke oAuth token 2019-07-02 15:33:40 +07:00			`verifyRecoveryCode,`
biome format --write 2026-01-06 16:22:52 +02:00			`revokeToken,`
Move login to oauth. 2018-10-26 15:16:23 +02:00			`}`

			`export default oauth`