add: developer panel

2025-06-14 20:26:54 -04:00 · 2025-06-14 20:26:54 -04:00 · 39574df691
commit 39574df691
parent ebded00fd3
44 changed files with 982 additions and 84 deletions
--- a/crates/app/src/routes/api/v1/apps.rs
+++ b/crates/app/src/routes/api/v1/apps.rs
@ -1,11 +1,20 @@
 use crate::{
    get_user_from_token,
-    routes::api::v1::{UpdateAppHomepage, UpdateAppQuotaStatus, UpdateAppRedirect, UpdateAppTitle},
+    routes::api::v1::{
+        CreateGrant, UpdateAppHomepage, UpdateAppQuotaStatus, UpdateAppRedirect, UpdateAppScopes,
+        UpdateAppTitle,
+    },
    State,
 };
 use axum::{Extension, Json, extract::Path, response::IntoResponse};
 use axum_extra::extract::CookieJar;
-use tetratto_core::model::{apps::ThirdPartyApp, permissions::FinePermission, ApiReturn, Error};
+use tetratto_core::model::{
+    apps::ThirdPartyApp,
+    oauth::{AuthGrant, PkceChallengeMethod},
+    permissions::FinePermission,
+    ApiReturn, Error,
+};
+use tetratto_shared::{hash::random_id, unix_epoch_timestamp};
 use super::CreateApp;

 pub async fn create_request(
@ -129,6 +138,28 @@ pub async fn update_quota_status_request(
    }
 }

+pub async fn update_scopes_request(
+    jar: CookieJar,
+    Extension(data): Extension<State>,
+    Path(id): Path<usize>,
+    Json(req): Json<UpdateAppScopes>,
+) -> impl IntoResponse {
+    let data = &(data.read().await).0;
+    let user = match get_user_from_token!(jar, data) {
+        Some(ua) => ua,
+        None => return Json(Error::NotAllowed.into()),
+    };
+
+    match data.update_app_scopes(id, &user, req.scopes).await {
+        Ok(_) => Json(ApiReturn {
+            ok: true,
+            message: "App updated".to_string(),
+            payload: (),
+        }),
+        Err(e) => Json(e.into()),
+    }
+}
+
 pub async fn delete_request(
    jar: CookieJar,
    Extension(data): Extension<State>,
@ -149,3 +180,50 @@ pub async fn delete_request(
        Err(e) => Json(e.into()),
    }
 }
+
+pub async fn grant_request(
+    jar: CookieJar,
+    Extension(data): Extension<State>,
+    Path(id): Path<usize>,
+    Json(req): Json<CreateGrant>,
+) -> impl IntoResponse {
+    let data = &(data.read().await).0;
+    let mut user = match get_user_from_token!(jar, data) {
+        Some(ua) => ua,
+        None => return Json(Error::NotAllowed.into()),
+    };
+
+    let app = match data.get_app_by_id(id).await {
+        Ok(a) => a,
+        Err(e) => return Json(e.into()),
+    };
+
+    if user.get_grant_by_app_id(id).is_some() {
+        return Json(Error::MiscError("This app already has a grant".to_string()).into());
+    }
+
+    let grant = AuthGrant {
+        app: app.id,
+        challenge: req.challenge,
+        method: PkceChallengeMethod::S256,
+        token: random_id(),
+        last_updated: unix_epoch_timestamp(),
+        scopes: app.scopes.clone(),
+    };
+
+    user.grants.push(grant.clone());
+    match data.update_user_grants(user.id, user.grants).await {
+        Ok(_) => {
+            if let Err(e) = data.incr_app_grants(id).await {
+                return Json(e.into());
+            }
+
+            Json(ApiReturn {
+                ok: true,
+                message: "User updated".to_string(),
+                payload: Some(grant.token),
+            })
+        }
+        Err(e) => Json(e.into()),
+    }
+}
--- a/crates/app/src/routes/api/v1/auth/profile.rs
+++ b/crates/app/src/routes/api/v1/auth/profile.rs
@ -3,8 +3,8 @@ use crate::{
    get_user_from_token,
    model::{ApiReturn, Error},
    routes::api::v1::{
-        AppendAssociations, DeleteUser, DisableTotp, UpdateUserIsVerified, UpdateUserPassword,
-        UpdateUserRole, UpdateUserUsername,
+        AppendAssociations, DeleteUser, DisableTotp, RefreshGrantToken, UpdateUserIsVerified,
+        UpdateUserPassword, UpdateUserRole, UpdateUserUsername,
    },
    State,
 };
@ -31,7 +31,10 @@ use tetratto_core::{

 #[cfg(feature = "redis")]
 use tetratto_core::cache::redis::Commands;
-use tetratto_shared::hash;
+use tetratto_shared::{
+    hash::{self, random_id},
+    unix_epoch_timestamp,
+};

 pub async fn redirect_from_id(
    Extension(data): Extension<State>,
@ -717,3 +720,104 @@ pub async fn get_user_gpa_request(
        payload: Some(gpa),
    });
 }
+
+/// Remove a grant token.
+pub async fn remove_grant_request(
+    jar: CookieJar,
+    Path((user_id, app_id)): Path<(usize, usize)>,
+    Extension(data): Extension<State>,
+) -> impl IntoResponse {
+    let data = &(data.read().await).0;
+    let mut user = match get_user_from_token!(jar, data) {
+        Some(ua) => ua,
+        None => return Json(Error::NotAllowed.into()),
+    };
+
+    if user_id != user.id && !user.permissions.check(FinePermission::MANAGE_USERS) {
+        return Json(Error::NotAllowed.into());
+    }
+
+    if user.get_grant_by_app_id(app_id).is_none() {
+        return Json(Error::GeneralNotFound("grant".to_string()).into());
+    }
+
+    // remove grant
+    user.grants
+        .remove(user.grants.iter().position(|x| x.app == app_id).unwrap());
+
+    if let Err(e) = data.decr_app_grants(app_id).await {
+        return Json(e.into());
+    }
+
+    // update grants
+    match data.update_user_grants(user_id, user.grants).await {
+        Ok(_) => Json(ApiReturn {
+            ok: true,
+            message: "User updated".to_string(),
+            payload: (),
+        }),
+        Err(e) => Json(e.into()),
+    }
+}
+
+/// Refresh a grant token.
+pub async fn refresh_grant_request(
+    jar: CookieJar,
+    Path((user_id, app_id)): Path<(usize, usize)>,
+    Extension(data): Extension<State>,
+    Json(req): Json<RefreshGrantToken>,
+) -> impl IntoResponse {
+    let data = &(data.read().await).0;
+    let mut user = if let Some(token) = jar.get("Atto-Grant") {
+        match data
+            .get_user_by_grant_token(&token.to_string().replace("Atto-Grant=", ""), false)
+            .await
+        {
+            Ok((grant, ua)) => {
+                if grant.check_verifier(&req.verifier).is_err() {
+                    return Json(Error::NotAllowed.into());
+                }
+
+                if ua.permissions.check_banned() {
+                    tetratto_core::model::auth::User::banned()
+                } else {
+                    ua
+                }
+            }
+            Err(_) => return Json(Error::NotAllowed.into()),
+        }
+    } else {
+        return Json(Error::NotAllowed.into());
+    };
+
+    if user_id != user.id && !user.permissions.check(FinePermission::MANAGE_USERS) {
+        return Json(Error::NotAllowed.into());
+    }
+
+    let mut grant = match user.get_grant_by_app_id(app_id) {
+        Some(g) => g.to_owned(),
+        None => return Json(Error::GeneralNotFound("grant".to_string()).into()),
+    };
+
+    // remove grant
+    user.grants
+        .remove(user.grants.iter().position(|x| x.app == app_id).unwrap());
+
+    // refresh token
+    let token = random_id();
+    grant.token = token.clone();
+    grant.last_updated = unix_epoch_timestamp();
+
+    // add grant
+    user.grants.push(grant);
+
+    // update grants
+    match data.update_user_grants(user_id, user.grants).await {
+        Ok(_) => Json(ApiReturn {
+            ok: true,
+            message: "User updated".to_string(),
+            payload: Some(token),
+        }),
+        Err(e) => Json(e.into()),
+    }
+}
--- a/crates/app/src/routes/api/v1/mod.rs
+++ b/crates/app/src/routes/api/v1/mod.rs
@ -24,6 +24,7 @@ use tetratto_core::model::{
        PollOption, PostContext,
    },
    communities_permissions::CommunityPermission,
+    oauth::AppScope,
    permissions::FinePermission,
    reactions::AssetType,
    stacks::{StackMode, StackPrivacy, StackSort},
@ -348,6 +349,14 @@ pub fn routes() -> Router {
            "/auth/user/{id}/followers",
            get(auth::social::followers_request),
        )
+        .route(
+            "/auth/user/{id}/grants/{app}",
+            delete(auth::profile::remove_grant_request),
+        )
+        .route(
+            "/auth/user/{id}/grants/{app}/refresh",
+            post(auth::profile::refresh_grant_request),
+        )
        // apps
        .route("/apps", post(apps::create_request))
        .route("/apps/{id}/title", post(apps::update_title_request))
@ -357,7 +366,9 @@ pub fn routes() -> Router {
            "/apps/{id}/quota_status",
            post(apps::update_quota_status_request),
        )
+        .route("/apps/{id}/scopes", post(apps::update_scopes_request))
        .route("/apps/{id}", delete(apps::delete_request))
+        .route("/apps/{id}/grant", post(apps::grant_request))
        // warnings
        .route("/warnings/{id}", get(auth::user_warnings::get_request))
        .route("/warnings/{id}", post(auth::user_warnings::create_request))
@ -816,3 +827,18 @@ pub struct UpdateAppRedirect {
 pub struct UpdateAppQuotaStatus {
    pub quota_status: AppQuota,
 }
+
+#[derive(Deserialize)]
+pub struct UpdateAppScopes {
+    pub scopes: Vec<AppScope>,
+}
+
+#[derive(Deserialize)]
+pub struct CreateGrant {
+    pub challenge: String,
+}
+
+#[derive(Deserialize)]
+pub struct RefreshGrantToken {
+    pub verifier: String,
+}