diff --git a/.env.example b/.env.example index 4c1c2eefea..3983e23c7e 100644 --- a/.env.example +++ b/.env.example @@ -120,3 +120,11 @@ OTEL_SERVICE_NAME= # for your instance: # https://docs.djangoproject.com/en/3.2/ref/settings/#secure-proxy-ssl-header HTTP_X_FORWARDED_PROTO=false + +# Enable logging in and registration with OAuth 2 +OAUTH_ACTIVE=false +#OAUTH_NAME="OAuth Provider" # Displayed on Login Button as "Login with OAUTH_NAME" +#OAUTH_CLIENT_ID="" +#OAUTH_CLIENT_SECRET="" +#OAUTH_AUTHORIZE_URL="" # For mastodon use "https:///oauth/authorize" +#OAUTH_ACCESS_TOKEN_URL="" # For mastodon use "https:///oauth/token" diff --git a/bookwyrm/context_processors.py b/bookwyrm/context_processors.py index 0047bfce11..df0a1ce775 100644 --- a/bookwyrm/context_processors.py +++ b/bookwyrm/context_processors.py @@ -28,4 +28,6 @@ def site_settings(request): # pylint: disable=unused-argument "preview_images_enabled": settings.ENABLE_PREVIEW_IMAGES, "request_protocol": request_protocol, "js_cache": settings.JS_CACHE, + "oauth_active": settings.OAUTH_ACTIVE, + "oauth_name": settings.OAUTH_NAME, } diff --git a/bookwyrm/forms/landing.py b/bookwyrm/forms/landing.py index bd9884bc35..1b20146bfb 100644 --- a/bookwyrm/forms/landing.py +++ b/bookwyrm/forms/landing.py @@ -56,6 +56,20 @@ def clean(self): self.add_error("localname", _("User with this username already exists")) +class OAuthRegisterForm(CustomForm): + class Meta: + model = models.User + fields = ["localname", "email"] + help_texts = {f: None for f in fields} + + def clean(self): + """Check if the username is taken""" + cleaned_data = super().clean() + localname = cleaned_data.get("localname").strip() + if models.User.objects.filter(localname=localname).first(): + self.add_error("localname", _("User with this username already exists")) + + class InviteRequestForm(CustomForm): def clean(self): """make sure the email isn't in use by a registered user""" diff --git a/bookwyrm/oauth.py b/bookwyrm/oauth.py new file mode 100644 index 0000000000..45cf253fe6 --- /dev/null +++ b/bookwyrm/oauth.py @@ -0,0 +1,42 @@ +""" responds to various requests to oauth """ +from django.contrib.auth import login +from django.core.exceptions import ObjectDoesNotExist +from django.dispatch import receiver +from django.urls import reverse +from django.shortcuts import render, redirect +from django.template.response import TemplateResponse +from authlib.integrations.django_client import OAuth, OAuthError + +from bookwyrm import models +from bookwyrm.settings import DOMAIN + +oauth = OAuth() +oauth.register("oauth") +oauth = oauth.oauth + + +def auth(request): + try: + token = oauth.authorize_access_token(request) + except OAuthError: + data = {} + return TemplateResponse(request, "landing/login.html", data) + acct = oauth.get( + "https://raphus.social/api/v1/accounts/verify_credentials", token=token + ) + if acct.status_code == 200: + localname = dict(acct.json())["acct"] + username = "{}@{}".format(localname, DOMAIN) + try: + user = models.User.objects.get(username=username) + except ObjectDoesNotExist: + request.session["oauth-newuser"] = localname + request.session["oauth-newuser-pfp"] = dict(acct.json())["avatar"] + return redirect("oauth-register") + login(request, user) + return redirect("/") + + +def request_login(request): + redirect_uri = request.build_absolute_uri(reverse("oauth")) + return oauth.authorize_redirect(request, redirect_uri, force_login=True) diff --git a/bookwyrm/settings.py b/bookwyrm/settings.py index c66bd636b1..e9e06b6c4c 100644 --- a/bookwyrm/settings.py +++ b/bookwyrm/settings.py @@ -388,3 +388,14 @@ # Do not change this setting unless you already have an existing # user with the same username - in which case you should change it! INSTANCE_ACTOR_USERNAME = "bookwyrm.instance.actor" +OAUTH_ACTIVE = env("OAUTH_ACTIVE", False) +if OAUTH_ACTIVE: + OAUTH_NAME = env("OAUTH_NAME", "OAuth2") + AUTHLIB_OAUTH_CLIENTS = { + "oauth": { + "client_id": env("OAUTH_CLIENT_ID"), + "client_secret": env("OAUTH_CLIENT_SECRET"), + "authorize_url": env("OAUTH_AUTHORIZE_URL"), + "access_token_url": env("OAUTH_ACCESS_TOKEN_URL"), + } + } diff --git a/bookwyrm/templates/landing/login.html b/bookwyrm/templates/landing/login.html index 369a72bd28..ed20d06006 100644 --- a/bookwyrm/templates/landing/login.html +++ b/bookwyrm/templates/landing/login.html @@ -10,10 +10,15 @@

{% trans "Log in" %}

{% if login_form.non_field_errors %}

{{ login_form.non_field_errors }}

{% endif %} - + {% if show_confirmed_email %}

{% trans "Success! Email address confirmed." %}

{% endif %} + {% if oauth_active %} + + + + {% else %}
{% csrf_token %} {% if show_confirmed_email %}{% endif %} @@ -40,6 +45,7 @@

{% trans "Log in" %}

+ {% endif %} {% if site.allow_registration %} diff --git a/bookwyrm/templates/landing/oauth_register.html b/bookwyrm/templates/landing/oauth_register.html new file mode 100644 index 0000000000..215140baf2 --- /dev/null +++ b/bookwyrm/templates/landing/oauth_register.html @@ -0,0 +1,75 @@ +{% extends 'layout.html' %} +{% load i18n %} + +{% block title %}{% trans "Create an Account" %}{% endblock %} + +{% block content %} + +

{% trans "Create an Account" %}

+
+
+
+ {% if valid %} +
+
+{% csrf_token %} +
+ +
+ {{ username }} +
+

+ {% trans "Your username cannot be changed." %} +

+
+
+
+
+ +
+ + + {% include 'snippets/form_errors.html' with errors_list=register_form.email.errors id="desc_email_register" %} +
+
+ + + +
+
+ +
+
+
+
+ {% else %} +
+

{% trans "Permission Denied" %}

+

{% trans "Sorry!" %}

+
+ {% endif %} +
+
+
+
+ {% include 'snippets/about.html' %} +
+
+
+ +{% endblock %} diff --git a/bookwyrm/templates/layout.html b/bookwyrm/templates/layout.html index c3408f44e1..78c53b9ce7 100644 --- a/bookwyrm/templates/layout.html +++ b/bookwyrm/templates/layout.html @@ -115,6 +115,12 @@ + {% elif oauth_active %} +
+ + + +
{% else %}
{% if request.path != '/login' and request.path != '/login/' %} diff --git a/bookwyrm/urls.py b/bookwyrm/urls.py index 3fbf7dda1b..25fe01c569 100644 --- a/bookwyrm/urls.py +++ b/bookwyrm/urls.py @@ -4,7 +4,7 @@ from django.urls import path, re_path from django.views.generic.base import TemplateView -from bookwyrm import settings, views +from bookwyrm import settings, views, oauth from bookwyrm.utils import regex USER_PATH = rf"^user/(?P{regex.USERNAME})" @@ -81,6 +81,9 @@ re_path( r"^password-reset/(?P[A-Za-z0-9]+)/?$", views.PasswordReset.as_view() ), + re_path(r"^oauth$", oauth.auth, name="oauth"), + re_path(r"^oauth/login$", oauth.request_login, name="oauth-login"), + re_path(r"^oauth/register$", views.OAuthRegister.as_view(), name="oauth-register"), # admin re_path( r"^settings/dashboard/?$", views.Dashboard.as_view(), name="settings-dashboard" diff --git a/bookwyrm/views/__init__.py b/bookwyrm/views/__init__.py index 8081130997..8c6c44ab26 100644 --- a/bookwyrm/views/__init__.py +++ b/bookwyrm/views/__init__.py @@ -164,3 +164,4 @@ summary_add_key, summary_revoke_key, ) +from .oauth import OAuthRegister diff --git a/bookwyrm/views/landing/register.py b/bookwyrm/views/landing/register.py index 2e1a1d3213..af6f249215 100644 --- a/bookwyrm/views/landing/register.py +++ b/bookwyrm/views/landing/register.py @@ -29,7 +29,7 @@ def post(self, request): if settings.install_mode: raise PermissionDenied() - if not settings.allow_registration: + if not settings.allow_registration and "oauth-newuser" not in request.session: invite_code = request.POST.get("invite_code") if not invite_code: @@ -41,7 +41,13 @@ def post(self, request): else: invite = None - form = forms.RegisterForm(request.POST) + if "oauth-newuser" in request.session: + newuser = request.POST.get("localname") + if newuser != request.session["oauth-newuser"]: + raise PremissionDenied() + form = forms.OAuthRegisterForm(request.POST) + else: + form = forms.RegisterForm(request.POST) if not form.is_valid(): data = { "login_form": forms.LoginForm(), @@ -55,7 +61,7 @@ def post(self, request): localname = form.data["localname"].strip() email = form.data["email"] - password = form.data["password"] + password = None if "oauth-newuser" in request.session else form.data["password"] try: preferred_timezone = pytz.timezone(form.data.get("preferred_timezone")) except pytz.exceptions.UnknownTimeZoneError: diff --git a/bookwyrm/views/oauth.py b/bookwyrm/views/oauth.py new file mode 100644 index 0000000000..47505aa5ac --- /dev/null +++ b/bookwyrm/views/oauth.py @@ -0,0 +1,35 @@ +""" invites when registration is closed """ +from functools import reduce +import operator +from urllib.parse import urlencode + +from django.contrib.auth.decorators import login_required, permission_required +from django.core.paginator import Paginator +from django.db.models import Q +from django.http import HttpResponseBadRequest +from django.shortcuts import get_object_or_404, redirect +from django.template.response import TemplateResponse +from django.urls import reverse +from django.utils.decorators import method_decorator +from django.views import View +from django.views.decorators.http import require_POST + +from bookwyrm import emailing, forms, models +from bookwyrm.settings import PAGE_LENGTH + + +# pylint: disable= no-self-use +class OAuthRegister(View): + """use an invite to register""" + + def get(self, request): + if request.user.is_authenticated or "oauth-newuser" not in request.session: + return redirect("/") + data = { + "register_form": forms.RegisterForm(), + "username": request.session["oauth-newuser"], + "valid": True, + } + return TemplateResponse(request, "landing/oauth_register.html", data) + + # post handling is in views.register.Register diff --git a/requirements.txt b/requirements.txt index 0f287e9700..d4d438abf3 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,5 @@ aiohttp==3.8.3 +oauthlib==3.2.2 bleach==5.0.1 celery==5.2.7 colorthief==0.2.1