summaryrefslogtreecommitdiff
path: root/lib/pleroma/web/twitter_api/controllers
diff options
context:
space:
mode:
Diffstat (limited to 'lib/pleroma/web/twitter_api/controllers')
-rw-r--r--lib/pleroma/web/twitter_api/controllers/remote_follow_controller.ex49
-rw-r--r--lib/pleroma/web/twitter_api/controllers/util_controller.ex94
2 files changed, 51 insertions, 92 deletions
diff --git a/lib/pleroma/web/twitter_api/controllers/remote_follow_controller.ex b/lib/pleroma/web/twitter_api/controllers/remote_follow_controller.ex
index fbf31c7eb..521dc9322 100644
--- a/lib/pleroma/web/twitter_api/controllers/remote_follow_controller.ex
+++ b/lib/pleroma/web/twitter_api/controllers/remote_follow_controller.ex
@@ -8,14 +8,18 @@ defmodule Pleroma.Web.TwitterAPI.RemoteFollowController do
require Logger
alias Pleroma.Activity
+ alias Pleroma.MFA
alias Pleroma.Object.Fetcher
alias Pleroma.Plugs.OAuthScopesPlug
alias Pleroma.User
alias Pleroma.Web.Auth.Authenticator
+ alias Pleroma.Web.Auth.TOTPAuthenticator
alias Pleroma.Web.CommonAPI
@status_types ["Article", "Event", "Note", "Video", "Page", "Question"]
+ plug(Pleroma.Web.FederatingPlug)
+
# Note: follower can submit the form (with password auth) not being signed in (having no token)
plug(
OAuthScopesPlug,
@@ -66,6 +70,8 @@ defmodule Pleroma.Web.TwitterAPI.RemoteFollowController do
# POST /ostatus_subscribe
#
+ # adds a remote account in followers if user already is signed in.
+ #
def do_follow(%{assigns: %{user: %User{} = user}} = conn, %{"user" => %{"id" => id}}) do
with {:fetch_user, %User{} = followee} <- {:fetch_user, User.get_cached_by_id(id)},
{:ok, _, _, _} <- CommonAPI.follow(user, followee) do
@@ -76,9 +82,33 @@ defmodule Pleroma.Web.TwitterAPI.RemoteFollowController do
end
end
+ # POST /ostatus_subscribe
+ #
+ # step 1.
+ # checks login\password and displays step 2 form of MFA if need.
+ #
def do_follow(conn, %{"authorization" => %{"name" => _, "password" => _, "id" => id}}) do
- with {:fetch_user, %User{} = followee} <- {:fetch_user, User.get_cached_by_id(id)},
+ with {_, %User{} = followee} <- {:fetch_user, User.get_cached_by_id(id)},
{_, {:ok, user}, _} <- {:auth, Authenticator.get_user(conn), followee},
+ {_, _, _, false} <- {:mfa_required, followee, user, MFA.require?(user)},
+ {:ok, _, _, _} <- CommonAPI.follow(user, followee) do
+ redirect(conn, to: "/users/#{followee.id}")
+ else
+ error ->
+ handle_follow_error(conn, error)
+ end
+ end
+
+ # POST /ostatus_subscribe
+ #
+ # step 2
+ # checks TOTP code. otherwise displays form with errors
+ #
+ def do_follow(conn, %{"mfa" => %{"code" => code, "token" => token, "id" => id}}) do
+ with {_, %User{} = followee} <- {:fetch_user, User.get_cached_by_id(id)},
+ {_, _, {:ok, %{user: user}}} <- {:mfa_token, followee, MFA.Token.validate(token)},
+ {_, _, _, {:ok, _}} <-
+ {:verify_mfa_code, followee, token, TOTPAuthenticator.verify(code, user)},
{:ok, _, _, _} <- CommonAPI.follow(user, followee) do
redirect(conn, to: "/users/#{followee.id}")
else
@@ -92,6 +122,23 @@ defmodule Pleroma.Web.TwitterAPI.RemoteFollowController do
render(conn, "followed.html", %{error: "Insufficient permissions: follow | write:follows."})
end
+ defp handle_follow_error(conn, {:mfa_token, followee, _} = _) do
+ render(conn, "follow_login.html", %{error: "Wrong username or password", followee: followee})
+ end
+
+ defp handle_follow_error(conn, {:verify_mfa_code, followee, token, _} = _) do
+ render(conn, "follow_mfa.html", %{
+ error: "Wrong authentication code",
+ followee: followee,
+ mfa_token: token
+ })
+ end
+
+ defp handle_follow_error(conn, {:mfa_required, followee, user, _} = _) do
+ {:ok, %{token: token}} = MFA.Token.create_token(user)
+ render(conn, "follow_mfa.html", %{followee: followee, mfa_token: token, error: false})
+ end
+
defp handle_follow_error(conn, {:auth, _, followee} = _) do
render(conn, "follow_login.html", %{error: "Wrong username or password", followee: followee})
end
diff --git a/lib/pleroma/web/twitter_api/controllers/util_controller.ex b/lib/pleroma/web/twitter_api/controllers/util_controller.ex
index 1873d78df..f02c4075c 100644
--- a/lib/pleroma/web/twitter_api/controllers/util_controller.ex
+++ b/lib/pleroma/web/twitter_api/controllers/util_controller.ex
@@ -13,23 +13,17 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do
alias Pleroma.Notification
alias Pleroma.Plugs.OAuthScopesPlug
alias Pleroma.User
- alias Pleroma.Web
alias Pleroma.Web.CommonAPI
alias Pleroma.Web.WebFinger
+ plug(Pleroma.Web.FederatingPlug when action == :remote_subscribe)
+
plug(
OAuthScopesPlug,
%{scopes: ["follow", "write:follows"]}
when action == :follow_import
)
- # Note: follower can submit the form (with password auth) not being signed in (having no token)
- plug(
- OAuthScopesPlug,
- %{fallback: :proceed_unauthenticated, scopes: ["follow", "write:follows"]}
- when action == :do_remote_follow
- )
-
plug(OAuthScopesPlug, %{scopes: ["follow", "write:blocks"]} when action == :blocks_import)
plug(
@@ -46,12 +40,6 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do
plug(OAuthScopesPlug, %{scopes: ["write:notifications"]} when action == :notifications_read)
- plug(Pleroma.Plugs.SetFormatPlug when action in [:config, :version])
-
- def help_test(conn, _params) do
- json(conn, "ok")
- end
-
def remote_subscribe(conn, %{"nickname" => nick, "profile" => _}) do
with %User{} = user <- User.get_cached_by_nickname(nick),
avatar = User.avatar_url(user) do
@@ -93,90 +81,14 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do
end
end
- def config(%{assigns: %{format: "xml"}} = conn, _params) do
- instance = Pleroma.Config.get(:instance)
-
- response = """
- <config>
- <site>
- <name>#{Keyword.get(instance, :name)}</name>
- <site>#{Web.base_url()}</site>
- <textlimit>#{Keyword.get(instance, :limit)}</textlimit>
- <closed>#{!Keyword.get(instance, :registrations_open)}</closed>
- </site>
- </config>
- """
-
- conn
- |> put_resp_content_type("application/xml")
- |> send_resp(200, response)
- end
-
- def config(conn, _params) do
- instance = Pleroma.Config.get(:instance)
-
- vapid_public_key = Keyword.get(Pleroma.Web.Push.vapid_config(), :public_key)
-
- uploadlimit = %{
- uploadlimit: to_string(Keyword.get(instance, :upload_limit)),
- avatarlimit: to_string(Keyword.get(instance, :avatar_upload_limit)),
- backgroundlimit: to_string(Keyword.get(instance, :background_upload_limit)),
- bannerlimit: to_string(Keyword.get(instance, :banner_upload_limit))
- }
-
- data = %{
- name: Keyword.get(instance, :name),
- description: Keyword.get(instance, :description),
- server: Web.base_url(),
- textlimit: to_string(Keyword.get(instance, :limit)),
- uploadlimit: uploadlimit,
- closed: bool_to_val(Keyword.get(instance, :registrations_open), "0", "1"),
- private: bool_to_val(Keyword.get(instance, :public, true), "0", "1"),
- vapidPublicKey: vapid_public_key,
- accountActivationRequired:
- bool_to_val(Keyword.get(instance, :account_activation_required, false)),
- invitesEnabled: bool_to_val(Keyword.get(instance, :invites_enabled, false)),
- safeDMMentionsEnabled: bool_to_val(Pleroma.Config.get([:instance, :safe_dm_mentions]))
- }
-
- managed_config = Keyword.get(instance, :managed_config)
-
- data =
- if managed_config do
- pleroma_fe = Pleroma.Config.get([:frontend_configurations, :pleroma_fe])
- Map.put(data, "pleromafe", pleroma_fe)
- else
- data
- end
-
- json(conn, %{site: data})
- end
-
- defp bool_to_val(true), do: "1"
- defp bool_to_val(_), do: "0"
- defp bool_to_val(true, val, _), do: val
- defp bool_to_val(_, _, val), do: val
-
def frontend_configurations(conn, _params) do
config =
- Pleroma.Config.get(:frontend_configurations, %{})
+ Config.get(:frontend_configurations, %{})
|> Enum.into(%{})
json(conn, config)
end
- def version(%{assigns: %{format: "xml"}} = conn, _params) do
- version = Pleroma.Application.named_version()
-
- conn
- |> put_resp_content_type("application/xml")
- |> send_resp(200, "<version>#{version}</version>")
- end
-
- def version(conn, _params) do
- json(conn, Pleroma.Application.named_version())
- end
-
def emoji(conn, _params) do
emoji =
Enum.reduce(Emoji.get_all(), %{}, fn {code, %Emoji{file: file, tags: tags}}, acc ->
generated by cgit v1.2.3 (git 2.44.0) at 2024-05-05 03:24:12 +0000