From 6ca42512e98296ac3464a85721be4cf9cb6c89fc Mon Sep 17 00:00:00 2001
From: Michael <heluecht@pirati.ca>
Date: Wed, 12 May 2021 06:50:27 +0000
Subject: [PATCH] OAuth connections now have to be ackknowledged

---
 src/Module/BaseApi.php           | 11 +++++++
 src/Module/OAuth/Acknowledge.php | 55 ++++++++++++++++++++++++++++++++
 src/Module/OAuth/Authorize.php   | 15 ++++++---
 static/routes.config.php         | 11 +++++--
 4 files changed, 85 insertions(+), 7 deletions(-)
 create mode 100644 src/Module/OAuth/Acknowledge.php

diff --git a/src/Module/BaseApi.php b/src/Module/BaseApi.php
index a0139c637e..d2240fcd68 100644
--- a/src/Module/BaseApi.php
+++ b/src/Module/BaseApi.php
@@ -218,7 +218,17 @@ class BaseApi extends BaseModule
 		return $application;
 	}
 
+	public static function existsTokenForUser(array $application, int $uid)
+	{
+		return DBA::exists('application-token', ['application-id' => $application['id'], 'uid' => $uid]);
+	}
+
 	public static function getTokenForUser(array $application, int $uid)
+	{
+		return DBA::selectFirst('application-token', [], ['application-id' => $application['id'], 'uid' => $uid]);
+	}
+
+	public static function createTokenForUser(array $application, int $uid)
 	{
 		$code         = bin2hex(random_bytes(32));
 		$access_token = bin2hex(random_bytes(32));
@@ -230,6 +240,7 @@ class BaseApi extends BaseModule
 
 		return DBA::selectFirst('application-token', [], ['application-id' => $application['id'], 'uid' => $uid]);
 	}
+
 	/**
 	 * Get user info array.
 	 *
diff --git a/src/Module/OAuth/Acknowledge.php b/src/Module/OAuth/Acknowledge.php
new file mode 100644
index 0000000000..617ab6c539
--- /dev/null
+++ b/src/Module/OAuth/Acknowledge.php
@@ -0,0 +1,55 @@
+<?php
+/**
+ * @copyright Copyright (C) 2010-2021, the Friendica project
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace Friendica\Module\OAuth;
+
+use Friendica\Core\Logger;
+use Friendica\Core\Renderer;
+use Friendica\DI;
+use Friendica\Module\BaseApi;
+
+/**
+ * Dummy class for all currently unimplemented endpoints
+ */
+class Acknowledge extends BaseApi
+{
+	public static function post(array $parameters = [])
+	{
+		DI::session()->set('oauth_acknowledge', true);
+		DI::app()->redirect(DI::session()->get('return_path'));
+	}
+
+	public static function content(array $parameters = [])
+	{
+		DI::session()->set('return_path', $_REQUEST['return_path'] ?? '');
+
+		$tpl = Renderer::getMarkupTemplate('oauth_authorize.tpl');
+		$o = Renderer::replaceMacros($tpl, [
+			'$title' => DI::l10n()->t('Authorize application connection'),
+			'$app' => ['name' => $_REQUEST['application'] ?? ''],
+			'$authorize' => DI::l10n()->t('Do you want to authorize this application to access your posts and contacts, and/or create new posts for you?'),
+			'$yes' => DI::l10n()->t('Yes'),
+			'$no' => DI::l10n()->t('No'),
+		]);
+
+		return $o;
+	}
+}
diff --git a/src/Module/OAuth/Authorize.php b/src/Module/OAuth/Authorize.php
index 8afc7d48a8..4c2d9c0275 100644
--- a/src/Module/OAuth/Authorize.php
+++ b/src/Module/OAuth/Authorize.php
@@ -47,17 +47,24 @@ class Authorize extends BaseApi
 			DI::mstdnError()->RecordNotFound();
 		}
 
+		$request = $_REQUEST;
+		unset($request['pagename']);
+		$redirect = urlencode('oauth/authorize?' . http_build_query($request));
+
 		$uid = local_user();
 		if (empty($uid)) {
 			Logger::info('Redirect to login');
-			$request = $_REQUEST;
-			unset($request['pagename']);
-			DI::app()->redirect('login?return_path=' . urlencode('/oauth/authorize?' . http_build_query($request)));
+			DI::app()->redirect('login?return_path=' . $redirect);
 		} else {
 			Logger::info('Already logged in user', ['uid' => $uid]);
 		}
 
-		$token = self::getTokenForUser($application, $uid);
+		if (!self::existsTokenForUser($application, $uid) && !DI::session()->get('oauth_acknowledge')) {
+			Logger::info('Redirect to acknowledge');
+			DI::app()->redirect('oauth/acknowledge?return_path=' . $redirect);
+		}
+
+		$token = self::createTokenForUser($application, $uid);
 		if (!$token) {
 			DI::mstdnError()->RecordNotFound();
 		}
diff --git a/static/routes.config.php b/static/routes.config.php
index f666feeff5..9d8e1fda42 100644
--- a/static/routes.config.php
+++ b/static/routes.config.php
@@ -331,9 +331,14 @@ return [
 		'/mark/all' => [Module\Notifications\Notification::class, [R::GET]],
 		'/{id:\d+}' => [Module\Notifications\Notification::class, [R::GET, R::POST]],
 	],
-	'/oauth/authorize'             => [Module\OAuth\Authorize::class, [R::GET]],
-	'/oauth/revoke'                => [Module\OAuth\Revoke::class, [R::POST]],
-	'/oauth/token'                 => [Module\OAuth\Token::class, [R::POST]],
+
+	'/oauth' => [
+		'/acknowledge' => [Module\OAuth\Acknowledge::class, [R::GET, R::POST]],
+		'/authorize'   => [Module\OAuth\Authorize::class,   [R::GET]],
+		'/revoke'      => [Module\OAuth\Revoke::class,      [R::POST]],
+		'/token'       => [Module\OAuth\Token::class,       [R::POST]],
+	],
+
 	'/objects/{guid}[/{activity}]' => [Module\Objects::class, [R::GET]],
 
 	'/oembed'         => [