def _banned(self, value):
if value and not self._banned:
self.state |= 1
# Invalidate all cookies by changing the password
# First back up the password so we can reverse this
self.backup_password = self.password
# New PW doesn't matter, they can't log in with it anyway.
# Even if their PW /was/ 'banned' for some reason, this
# will change the salt and thus invalidate the cookies
change_password(self, 'banned')
# deauthorize all access tokens
from r2.models.token import OAuth2AccessToken
from r2.models.token import OAuth2RefreshToken
OAuth2AccessToken.revoke_all_by_user(self)
OAuth2RefreshToken.revoke_all_by_user(self)
elif not value and self._banned:
self.state &= ~1
# Undo the password thing so they can log in
self.password = self.backup_password
# They're on their own for OAuth tokens, though.
self._commit()
def _banned(self, value):
if value and not self._banned:
self.state |= 1
# Invalidate all cookies by changing the password
# First back up the password so we can reverse this
self.backup_password = self.password
# New PW doesn't matter, they can't log in with it anyway.
# Even if their PW /was/ 'banned' for some reason, this
# will change the salt and thus invalidate the cookies
change_password(self, 'banned')
# deauthorize all access tokens
from r2.models.token import OAuth2AccessToken
from r2.models.token import OAuth2RefreshToken
OAuth2AccessToken.revoke_all_by_user(self)
OAuth2RefreshToken.revoke_all_by_user(self)
elif not value and self._banned:
self.state &= ~1
# Undo the password thing so they can log in
self.password = self.backup_password
# They're on their own for OAuth tokens, though.
self._commit()
def pre(self):
set_extension(request.environ, "json")
MinimalController.pre(self)
require_https()
try:
access_token = OAuth2AccessToken.get_token(
self._get_bearer_token())
require(access_token)
require(access_token.check_valid())
c.oauth2_access_token = access_token
account = Account._byID36(access_token.user_id, data=True)
require(account)
require(not account._deleted)
c.oauth_user = account
except RequirementException:
self._auth_error(401, "invalid_token")
handler = self._get_action_handler()
if handler:
oauth2_perms = getattr(handler, "oauth2_perms", None)
if oauth2_perms:
grant = OAuth2Scope(access_token.scope)
if grant.subreddit_only and c.site.name not in grant.subreddits:
self._auth_error(403, "insufficient_scope")
required_scopes = set(oauth2_perms['allowed_scopes'])
if not (grant.scopes >= required_scopes):
self._auth_error(403, "insufficient_scope")
else:
self._auth_error(400, "invalid_request")
def _access_token_code(self, code, redirect_uri):
if not code:
c.errors.add("NO_TEXT", field="code")
if c.errors:
return self.api_wrapper(self._check_for_errors())
access_token = None
refresh_token = None
auth_token = OAuth2AuthorizationCode.use_token(code,
c.oauth2_client._id,
redirect_uri)
if auth_token:
if auth_token.refreshable:
refresh_token = OAuth2RefreshToken._new(
auth_token.client_id, auth_token.user_id, auth_token.scope)
g.stats.simple_event(
'oauth2.access_token_code.refresh_token_create')
access_token = OAuth2AccessToken._new(
auth_token.client_id, auth_token.user_id, auth_token.scope,
refresh_token._id if refresh_token else "")
g.stats.simple_event(
'oauth2.access_token_code.access_token_create')
resp = self._make_token_dict(access_token, refresh_token)
return self.api_wrapper(resp)
def _access_token_extension_client_credentials(self, scope, device_id):
if ((errors.NO_TEXT, "device_id") in c.errors or
(errors.TOO_SHORT, "device_id") in c.errors or
(errors.TOO_LONG, "device_id") in c.errors):
return self.api_wrapper({
"error": "invalid_request",
"error_description": "bad device_id",
})
client = c.oauth2_client
if scope:
scope = OAuth2Scope(scope)
if not scope.is_valid():
c.errors.add(errors.INVALID_OPTION, "scope")
return self.api_wrapper({"error": "invalid_scope"})
else:
scope = OAuth2Scope(OAuth2Scope.FULL_ACCESS)
access_token = OAuth2AccessToken._new(
client._id,
"",
scope,
device_id=device_id,
)
resp = self._make_token_dict(access_token)
return self.api_wrapper(resp)
def _access_token_extension_client_credentials(self, scope, device_id):
if ((errors.NO_TEXT, "device_id") in c.errors
or (errors.TOO_SHORT, "device_id") in c.errors
or (errors.TOO_LONG, "device_id") in c.errors):
return self.api_wrapper({
"error": "invalid_request",
"error_description": "bad device_id",
})
client = c.oauth2_client
if scope:
scope = OAuth2Scope(scope)
if not scope.is_valid():
c.errors.add(errors.INVALID_OPTION, "scope")
return self.api_wrapper({"error": "invalid_scope"})
else:
scope = OAuth2Scope(OAuth2Scope.FULL_ACCESS)
access_token = OAuth2AccessToken._new(
client._id,
"",
scope,
device_id=device_id,
)
resp = self._make_token_dict(access_token)
return self.api_wrapper(resp)
def GET_refresh_token(self, *args, **kwargs): # pylint: disable=unused-argument
"""Generate a refresh token given a username"""
username = request.GET['username']
try:
account = Account._by_name(username)
except NotFound:
account = register(username, uuid4().hex, '127.0.0.1')
# subscribe the user now because reddit does not have consistency across
# its APIs on what it considers the user to be subscribed to
if not account.has_subscribed:
Subreddit.subscribe_defaults(account)
account.has_subscribed = True
account._commit()
client_id = g.secrets['generate_refresh_token_client_id']
client = OAuth2Client.get_token(client_id)
scope = OAuth2Scope(OAuth2Scope.FULL_ACCESS)
user_id = account._id36
refresh_token = OAuth2RefreshToken._new(
client_id=client._id,
user_id=user_id,
scope=scope,
)
access_token = OAuth2AccessToken._new(
client_id=client._id,
user_id=user_id,
scope=scope,
device_id='device',
)
return json.dumps(OAuth2AccessController._make_new_token_response(access_token, refresh_token))
def _access_token_refresh(self, refresh_token):
access_token = None
if refresh_token:
if refresh_token.client_id == c.oauth2_client._id:
access_token = OAuth2AccessToken._new(
refresh_token.client_id, refresh_token.user_id,
refresh_token.scope,
refresh_token=refresh_token._id)
g.stats.simple_event(
'oauth2.access_token_refresh.access_token_create')
else:
g.stats.simple_event(
'oauth2.errors.OAUTH2_INVALID_REFRESH_TOKEN')
c.errors.add(errors.OAUTH2_INVALID_REFRESH_TOKEN)
else:
g.stats.simple_event('oauth2.errors.NO_TEXT')
c.errors.add("NO_TEXT", field="refresh_token")
if c.errors:
resp = self._check_for_errors()
response.status = 400
else:
g.stats.simple_event('oauth2.access_token_refresh.success')
resp = self._make_new_token_response(access_token)
return self.api_wrapper(resp)
def pre(self):
set_extension(request.environ, "json")
MinimalController.pre(self)
require_https()
try:
access_token = OAuth2AccessToken.get_token(self._get_bearer_token())
require(access_token)
require(access_token.check_valid())
c.oauth2_access_token = access_token
account = Account._byID36(access_token.user_id, data=True)
require(account)
require(not account._deleted)
c.oauth_user = account
except RequirementException:
self._auth_error(401, "invalid_token")
handler = self._get_action_handler()
if handler:
oauth2_perms = getattr(handler, "oauth2_perms", None)
if oauth2_perms:
grant = OAuth2Scope(access_token.scope)
if grant.subreddit_only and c.site.name not in grant.subreddits:
self._auth_error(403, "insufficient_scope")
required_scopes = set(oauth2_perms['allowed_scopes'])
if not (grant.scopes >= required_scopes):
self._auth_error(403, "insufficient_scope")
else:
self._auth_error(400, "invalid_request")
def _access_token_password(self, user, scope):
# username:password auth via OAuth is only allowed for
# private use scripts
client = c.oauth2_client
if client.app_type != "script":
g.stats.simple_event('oauth2.errors.PASSWORD_UNAUTHORIZED_CLIENT')
return self.api_wrapper({"error": "unauthorized_client",
"error_description": "Only script apps may use password auth"})
dev_ids = client._developer_ids
if not user or user._id not in dev_ids:
g.stats.simple_event('oauth2.errors.INVALID_GRANT')
return self.api_wrapper({"error": "invalid_grant"})
if c.errors:
return self.api_wrapper(self._check_for_errors())
if scope:
scope = OAuth2Scope(scope)
if not scope.is_valid():
g.stats.simple_event('oauth2.errors.PASSWORD_INVALID_SCOPE')
c.errors.add(errors.INVALID_OPTION, "scope")
return self.api_wrapper({"error": "invalid_scope"})
else:
scope = OAuth2Scope(OAuth2Scope.FULL_ACCESS)
device_id = get_device_id(client)
access_token = OAuth2AccessToken._new(
client_id=client._id,
user_id=user._id36,
scope=scope,
device_id=device_id,
)
g.stats.simple_event(
'oauth2.access_token_password.access_token_create')
resp = self._make_new_token_response(access_token)
return self.api_wrapper(resp)
def _access_token_code(self, code, redirect_uri):
if not code:
c.errors.add("NO_TEXT", field="code")
if c.errors:
return self.api_wrapper(self._check_for_errors())
access_token = None
refresh_token = None
auth_token = OAuth2AuthorizationCode.use_token(
code, c.oauth2_client._id, redirect_uri)
if auth_token:
if auth_token.refreshable:
refresh_token = OAuth2RefreshToken._new(
auth_token.client_id, auth_token.user_id,
auth_token.scope)
g.stats.simple_event(
'oauth2.access_token_code.refresh_token_create')
access_token = OAuth2AccessToken._new(
auth_token.client_id, auth_token.user_id,
auth_token.scope,
refresh_token._id if refresh_token else "")
g.stats.simple_event(
'oauth2.access_token_code.access_token_create')
resp = self._make_token_dict(access_token, refresh_token)
return self.api_wrapper(resp)
def POST_authorize(self, authorize, client, redirect_uri, scope, state,
duration, response_type):
"""Endpoint for OAuth2 authorization."""
if response_type == "token" and client.is_confidential():
# Prevent "confidential" clients from distributing tokens
# in a non-confidential manner
c.errors.add((errors.OAUTH2_INVALID_CLIENT, "client_id"))
if response_type == "token" and duration != "temporary":
# implicit grant -> No refresh tokens allowed
c.errors.add((errors.INVALID_OPTION, "duration"))
self._check_redirect_uri(client, redirect_uri)
if c.errors:
return self._error_response(state, redirect_uri,
as_fragment=(response_type == "token"))
if response_type == "code":
code = OAuth2AuthorizationCode._new(client._id, redirect_uri,
c.user._id36, scope,
duration == "permanent")
resp = {"code": code._id, "state": state}
final_redirect = _update_redirect_uri(redirect_uri, resp)
elif response_type == "token":
token = OAuth2AccessToken._new(client._id, c.user._id36, scope)
token_data = OAuth2AccessController._make_token_dict(token)
token_data["state"] = state
final_redirect = _update_redirect_uri(redirect_uri, token_data, as_fragment=True)
return self.redirect(final_redirect, code=302)
def _access_token_client_credentials(self, scope):
client = c.oauth2_client
if not client.is_confidential():
g.stats.simple_event(
'oauth2.errors.CLIENT_CREDENTIALS_UNAUTHORIZED_CLIENT')
return self.api_wrapper({"error": "unauthorized_client",
"error_description": "Only confidential clients may use client_credentials auth"})
if scope:
scope = OAuth2Scope(scope)
if not scope.is_valid():
g.stats.simple_event(
'oauth2.errors.CLIENT_CREDENTIALS_INVALID_SCOPE')
c.errors.add(errors.INVALID_OPTION, "scope")
return self.api_wrapper({"error": "invalid_scope"})
else:
scope = OAuth2Scope(OAuth2Scope.FULL_ACCESS)
device_id = get_device_id(client)
access_token = OAuth2AccessToken._new(
client_id=client._id,
user_id="",
scope=scope,
device_id=device_id,
)
g.stats.simple_event(
'oauth2.access_token_client_credentials.access_token_create')
resp = self._make_new_token_response(access_token)
return self.api_wrapper(resp)
def POST_authorize(self, authorize, client, redirect_uri, scope, state,
duration, response_type):
"""Endpoint for OAuth2 authorization."""
if response_type == "token" and client.is_confidential():
# Prevent "confidential" clients from distributing tokens
# in a non-confidential manner
c.errors.add((errors.OAUTH2_INVALID_CLIENT, "client_id"))
if response_type == "token" and duration != "temporary":
# implicit grant -> No refresh tokens allowed
c.errors.add((errors.INVALID_OPTION, "duration"))
self._check_redirect_uri(client, redirect_uri)
if c.errors:
return self._error_response(state,
redirect_uri,
as_fragment=(response_type == "token"))
if response_type == "code":
code = OAuth2AuthorizationCode._new(client._id, redirect_uri,
c.user._id36, scope,
duration == "permanent")
resp = {"code": code._id, "state": state}
final_redirect = _update_redirect_uri(redirect_uri, resp)
elif response_type == "token":
token = OAuth2AccessToken._new(client._id, c.user._id36, scope)
token_data = OAuth2AccessController._make_token_dict(token)
token_data["state"] = state
final_redirect = _update_redirect_uri(redirect_uri,
token_data,
as_fragment=True)
return self.redirect(final_redirect, code=302)
def _access_token_extension_client_credentials(self, scope, device_id):
if ((errors.NO_TEXT, "device_id") in c.errors or
(errors.TOO_SHORT, "device_id") in c.errors or
(errors.TOO_LONG, "device_id") in c.errors):
g.stats.simple_event('oauth2.errors.BAD_DEVICE_ID')
return self.api_wrapper({
"error": "invalid_request",
"error_description": "bad device_id",
})
client = c.oauth2_client
if scope:
scope = OAuth2Scope(scope)
if not scope.is_valid():
g.stats.simple_event(
'oauth2.errors.EXTENSION_CLIENT_CREDENTIALS_INVALID_SCOPE')
c.errors.add(errors.INVALID_OPTION, "scope")
return self.api_wrapper({"error": "invalid_scope"})
else:
scope = OAuth2Scope(OAuth2Scope.FULL_ACCESS)
access_token = OAuth2AccessToken._new(
client_id=client._id,
user_id="",
scope=scope,
device_id=device_id,
)
g.stats.simple_event(
'oauth2.access_token_extension_client_credentials.'
'access_token_create')
resp = self._make_new_token_response(access_token)
return self.api_wrapper(resp)
def _access_token_password(self, user, scope):
# username:password auth via OAuth is only allowed for
# private use scripts
client = c.oauth2_client
if client.app_type != "script":
return self.api_wrapper({
"error":
"unauthorized_client",
"error_description":
"Only script apps may use password auth"
})
dev_ids = client._developer_ids
if not user or user._id not in dev_ids:
return self.api_wrapper({"error": "invalid_grant"})
if c.errors:
return self.api_wrapper(self._check_for_errors())
if scope:
scope = OAuth2Scope(scope)
if not scope.is_valid():
c.errors.add(errors.INVALID_OPTION, "scope")
return self.api_wrapper({"error": "invalid_scope"})
else:
scope = OAuth2Scope(OAuth2Scope.FULL_ACCESS)
access_token = OAuth2AccessToken._new(client._id, user._id36, scope)
resp = self._make_token_dict(access_token)
return self.api_wrapper(resp)
def _access_token_password(self, user, scope):
# username:password auth via OAuth is only allowed for
# private use scripts
client = c.oauth2_client
if client.app_type != "script":
return self.api_wrapper({"error": "unauthorized_client",
"error_description": "Only script apps may use password auth"})
dev_ids = client._developer_ids
if not user or user._id not in dev_ids:
return self.api_wrapper({"error": "invalid_grant"})
if c.errors:
return self.api_wrapper(self._check_for_errors())
if scope:
scope = OAuth2Scope(scope)
if not scope.is_valid():
c.errors.add(errors.INVALID_OPTION, "scope")
return self.api_wrapper({"error": "invalid_scope"})
else:
scope = OAuth2Scope(OAuth2Scope.FULL_ACCESS)
access_token = OAuth2AccessToken._new(
client._id,
user._id36,
scope
)
resp = self._make_token_dict(access_token)
return self.api_wrapper(resp)
def POST_authorize(self, authorize, client, redirect_uri, scope, state,
duration, response_type):
"""Endpoint for OAuth2 authorization."""
self._check_employee_grants(client, scope)
self._check_redirect_uri(client, redirect_uri)
self._check_response_type_and_scope(response_type, scope)
self._check_client_type_and_duration(response_type, client, duration)
if c.errors:
return self._error_response(state, redirect_uri,
as_fragment=(response_type == "token"))
if response_type == "code":
code = OAuth2AuthorizationCode._new(client._id, redirect_uri,
c.user._id36, scope,
duration == "permanent")
resp = {"code": code._id, "state": state}
final_redirect = _update_redirect_uri(redirect_uri, resp)
g.stats.simple_event('oauth2.POST_authorize.authorization_code_create')
elif response_type == "token":
token = OAuth2AccessToken._new(client._id, c.user._id36, scope)
token_data = OAuth2AccessController._make_token_dict(token)
token_data["state"] = state
final_redirect = _update_redirect_uri(redirect_uri, token_data, as_fragment=True)
g.stats.simple_event('oauth2.POST_authorize.access_token_create')
# If this is the first time the user is logging in with an official
# mobile app, gild them
if (g.live_config.get('mobile_gild_first_login') and
not c.user.has_used_mobile_app and
client._id in g.mobile_auth_gild_clients):
buyer = Account.system_user()
admintools.adjust_gold_expiration(
c.user, days=g.mobile_auth_gild_time)
create_gift_gold(
buyer._id, c.user._id, g.mobile_auth_gild_time,
datetime.now(g.tz), signed=True, note='first_mobile_auth')
subject = 'Let there be gold! Reddit just sent you Reddit gold!'
message = (
"Thank you for using the Reddit mobile app! As a thank you "
"for logging in during launch week, you've been gifted %s of "
"Reddit Gold.\n\n"
"Reddit Gold is Reddit's premium membership program, which "
"grants you: \n"
"An ads-free experience in Reddit's mobile apps, and\n"
"Extra site features on desktop\n\n"
"Discuss and get help on the features and perks at "
"r/goldbenefits."
) % g.mobile_auth_gild_message
message += '\n\n' + strings.gold_benefits_msg
send_system_message(c.user, subject, message, add_to_sent=False)
c.user.has_used_mobile_app = True
c.user._commit()
return self.redirect(final_redirect, code=302)
def _get_bearer_token(self):
auth = request.headers.get("Authorization")
try:
auth_scheme, bearer_token = require_split(auth, 2)
require(auth_scheme.lower() == "bearer")
return OAuth2AccessToken.get_token(bearer_token)
except RequirementException:
self._auth_error(400, "invalid_request")
def POST_authorize(self, authorize, client, redirect_uri, scope, state,
duration, response_type):
"""Endpoint for OAuth2 authorization."""
self._check_employee_grants(client, scope)
if response_type == "token" and client.is_confidential():
# Prevent "confidential" clients from distributing tokens
# in a non-confidential manner
c.errors.add((errors.OAUTH2_INVALID_CLIENT, "client_id"))
if response_type == "token" and duration != "temporary":
# implicit grant -> No refresh tokens allowed
c.errors.add((errors.INVALID_OPTION, "duration"))
self._check_redirect_uri(client, redirect_uri)
if c.errors:
return self._error_response(state, redirect_uri,
as_fragment=(response_type == "token"))
if response_type == "code":
code = OAuth2AuthorizationCode._new(client._id, redirect_uri,
c.user._id36, scope,
duration == "permanent")
resp = {"code": code._id, "state": state}
final_redirect = _update_redirect_uri(redirect_uri, resp)
elif response_type == "token":
token = OAuth2AccessToken._new(client._id, c.user._id36, scope)
token_data = OAuth2AccessController._make_token_dict(token)
token_data["state"] = state
final_redirect = _update_redirect_uri(redirect_uri, token_data, as_fragment=True)
# If this is the first time the user is logging in with an official
# mobile app, gild them
if (g.live_config.get('mobile_gild_first_login') and
not c.user.has_used_mobile_app and
client._id in g.mobile_auth_gild_clients):
buyer = Account.system_user()
admintools.adjust_gold_expiration(
c.user, days=g.mobile_auth_gild_time)
create_gift_gold(
buyer._id, c.user._id, g.mobile_auth_gild_time,
datetime.now(g.tz), signed=True, note='first_mobile_auth')
subject = 'Let there be gold! %s just sent you reddit gold!' % (
buyer.name)
message = "Thank you for using the reddit mobile app! For your "\
"participation, you've been gifted %s of reddit gold." % (
g.mobile_auth_gild_message)
message += '\n\n' + strings.gold_benefits_msg
send_system_message(c.user, subject, message, add_to_sent=False)
c.user.has_used_mobile_app = True
c.user._commit()
return self.redirect(final_redirect, code=302)
def _access_token_refresh(self, refresh_token):
resp = {}
access_token = None
if refresh_token:
access_token = OAuth2AccessToken._new(
refresh_token.client_id, refresh_token.user_id, refresh_token.scope, refresh_token=refresh_token._id
)
else:
c.errors.add("NO_TEXT", field="refresh_token")
if c.errors:
resp = self._check_for_errors()
else:
resp = self._make_token_dict(access_token)
return self.api_wrapper(resp)
def _access_token_refresh(self, refresh_token):
resp = {}
access_token = None
if refresh_token:
access_token = OAuth2AccessToken._new(
refresh_token.client_id, refresh_token.user_id,
refresh_token.scope,
refresh_token=refresh_token._id)
else:
c.errors.add("NO_TEXT", field="refresh_token")
if c.errors:
resp = self._check_for_errors()
else:
resp = self._make_token_dict(access_token)
return self.api_wrapper(resp)
def _access_token_refresh(self, refresh_token):
access_token = None
if refresh_token:
if refresh_token.client_id == c.oauth2_client._id:
access_token = OAuth2AccessToken._new(
refresh_token.client_id, refresh_token.user_id,
refresh_token.scope,
refresh_token=refresh_token._id)
else:
c.errors.add(errors.OAUTH2_INVALID_REFRESH_TOKEN)
else:
c.errors.add("NO_TEXT", field="refresh_token")
if c.errors:
resp = self._check_for_errors()
response.status = 400
else:
resp = self._make_token_dict(access_token)
return self.api_wrapper(resp)
def _access_token_refresh(self, refresh_token):
access_token = None
if refresh_token:
if refresh_token.client_id == c.oauth2_client._id:
access_token = OAuth2AccessToken._new(
refresh_token.client_id, refresh_token.user_id,
refresh_token.scope,
refresh_token=refresh_token._id)
else:
c.errors.add(errors.OAUTH2_INVALID_REFRESH_TOKEN)
else:
c.errors.add("NO_TEXT", field="refresh_token")
if c.errors:
resp = self._check_for_errors()
response.status = 400
else:
resp = self._make_token_dict(access_token)
return self.api_wrapper(resp)
def _access_token_client_credentials(self, scope):
client = c.oauth2_client
if not client.is_confidential():
return self.api_wrapper({"error": "unauthorized_client",
"error_description": "Only confidential clients may use client_credentials auth"})
if scope:
scope = OAuth2Scope(scope)
if not scope.is_valid():
c.errors.add(errors.INVALID_OPTION, "scope")
return self.api_wrapper({"error": "invalid_scope"})
else:
scope = OAuth2Scope(OAuth2Scope.FULL_ACCESS)
access_token = OAuth2AccessToken._new(
client._id,
"",
scope,
)
resp = self._make_token_dict(access_token)
return self.api_wrapper(resp)
def _access_token_client_credentials(self, scope):
client = c.oauth2_client
if not client.is_confidential():
return self.api_wrapper({"error": "unauthorized_client",
"error_description": "Only confidential clients may use client_credentials auth"})
if scope:
scope = OAuth2Scope(scope)
if not scope.is_valid():
c.errors.add(errors.INVALID_OPTION, "scope")
return self.api_wrapper({"error": "invalid_scope"})
else:
scope = OAuth2Scope(OAuth2Scope.FULL_ACCESS)
access_token = OAuth2AccessToken._new(
client._id,
"",
scope,
)
resp = self._make_token_dict(access_token)
return self.api_wrapper(resp)
def POST_access_token(self, grant_type, code, redirect_uri):
"""
Exchange an [OAuth 2.0](http://oauth.net/2/) authorization code
(from [/api/v1/authorize](#api_method_authorize)) for an access token.
On success, returns a URL-encoded dictionary containing
**access_token**, **token_type**, **expires_in**, and **scope**.
If there is a problem, an **error** parameter will be returned
instead.
Must be called using SSL, and must contain a HTTP `Authorization:`
header which contains the application's client identifier as the
username and client secret as the password. (The client id and secret
are visible on the [app preferences page](/prefs/apps).)
Per the OAuth specification, **grant_type** must
be ``authorization_code`` and **redirect_uri** must exactly match the
value that was used in the call to
[/api/v1/authorize](#api_method_authorize).
"""
resp = {}
if not c.errors:
auth_token = OAuth2AuthorizationCode.use_token(code, c.oauth2_client._id, redirect_uri)
if auth_token:
access_token = OAuth2AccessToken._new(auth_token.user_id, auth_token.scope)
resp["access_token"] = access_token._id
resp["token_type"] = access_token.token_type
resp["expires_in"] = access_token._ttl
resp["scope"] = auth_token.scope
else:
resp["error"] = "invalid_grant"
else:
if (errors.INVALID_OPTION, "grant_type") in c.errors:
resp["error"] = "unsupported_grant_type"
elif (errors.INVALID_OPTION, "scope") in c.errors:
resp["error"] = "invalid_scope"
else:
resp["error"] = "invalid_request"
return self.api_wrapper(resp)
def POST_access_token(self, grant_type, code, redirect_uri):
"""
Exchange an [OAuth 2.0](http://oauth.net/2/) authorization code
(from [/api/v1/authorize](#api_method_authorize)) for an access token.
On success, returns a URL-encoded dictionary containing
**access_token**, **token_type**, **expires_in**, and **scope**.
If there is a problem, an **error** parameter will be returned
instead.
Must be called using SSL, and must contain a HTTP `Authorization:`
header which contains the application's client identifier as the
username and client secret as the password. (The client id and secret
are visible on the [app preferences page](/prefs/apps).)
Per the OAuth specification, **grant_type** must
be ``authorization_code`` and **redirect_uri** must exactly match the
value that was used in the call to
[/api/v1/authorize](#api_method_authorize).
"""
resp = {}
if not c.errors:
auth_token = OAuth2AuthorizationCode.use_token(code, c.oauth2_client._id, redirect_uri)
if auth_token:
access_token = OAuth2AccessToken._new(auth_token.client_id, auth_token.user_id, auth_token.scope)
resp["access_token"] = access_token._id
resp["token_type"] = access_token.token_type
resp["expires_in"] = access_token._ttl
resp["scope"] = auth_token.scope
else:
resp["error"] = "invalid_grant"
else:
if (errors.INVALID_OPTION, "grant_type") in c.errors:
resp["error"] = "unsupported_grant_type"
elif (errors.INVALID_OPTION, "scope") in c.errors:
resp["error"] = "invalid_scope"
else:
resp["error"] = "invalid_request"
return self.api_wrapper(resp)
def _access_token_code(self, code, redirect_uri):
if not code:
c.errors.add("NO_TEXT", field="code")
if c.errors:
return self.api_wrapper(self._check_for_errors())
access_token = None
refresh_token = None
client = c.oauth2_client
auth_token = OAuth2AuthorizationCode.use_token(code, client._id,
redirect_uri)
if auth_token:
if auth_token.refreshable:
refresh_token = OAuth2RefreshToken._new(
client_id=auth_token.client_id,
user_id=auth_token.user_id,
scope=auth_token.scope,
)
g.stats.simple_event(
'oauth2.access_token_code.refresh_token_create')
device_id = get_device_id(client)
access_token = OAuth2AccessToken._new(
client_id=auth_token.client_id,
user_id=auth_token.user_id,
scope=auth_token.scope,
refresh_token=refresh_token._id if refresh_token else "",
device_id=device_id,
)
g.stats.simple_event(
'oauth2.access_token_code.access_token_create')
resp = self._make_new_token_response(access_token, refresh_token)
return self.api_wrapper(resp)
def _access_token_code(self, code, redirect_uri):
if not code:
c.errors.add("NO_TEXT", field="code")
if c.errors:
return self.api_wrapper(self._check_for_errors())
access_token = None
refresh_token = None
client = c.oauth2_client
auth_token = OAuth2AuthorizationCode.use_token(code, client._id, redirect_uri)
if auth_token:
if auth_token.refreshable:
refresh_token = OAuth2RefreshToken._new(
client_id=auth_token.client_id,
user_id=auth_token.user_id,
scope=auth_token.scope,
)
g.stats.simple_event(
'oauth2.access_token_code.refresh_token_create')
device_id = get_device_id(client)
access_token = OAuth2AccessToken._new(
client_id=auth_token.client_id,
user_id=auth_token.user_id,
scope=auth_token.scope,
refresh_token=refresh_token._id if refresh_token else "",
device_id=device_id,
)
g.stats.simple_event(
'oauth2.access_token_code.access_token_create')
resp = self._make_new_token_response(access_token, refresh_token)
return self.api_wrapper(resp)
def POST_access_token(self, grant_type, code, refresh_token, redirect_uri):
"""
Exchange an [OAuth 2.0](http://oauth.net/2/) authorization code
or refresh token (from [/api/v1/authorize](#api_method_authorize)) for
an access token.
On success, returns a URL-encoded dictionary containing
**access_token**, **token_type**, **expires_in**, and **scope**.
If an authorization code for a permanent grant was given, a
**refresh_token** will be included. If there is a problem, an **error**
parameter will be returned instead.
Must be called using SSL, and must contain a HTTP `Authorization:`
header which contains the application's client identifier as the
username and client secret as the password. (The client id and secret
are visible on the [app preferences page](/prefs/apps).)
Per the OAuth specification, **grant_type** must
be ``authorization_code`` for the initial access token or
``refresh_token`` for renewing the access token. In either case,
**redirect_uri** must exactly match the value that was used in the call
to [/api/v1/authorize](#api_method_authorize) that created this grant.
"""
resp = {}
if not (code or refresh_token):
c.errors.add("NO_TEXT", field=("code", "refresh_token"))
if not c.errors:
access_token = None
if grant_type == "authorization_code":
auth_token = OAuth2AuthorizationCode.use_token(
code, c.oauth2_client._id, redirect_uri)
if auth_token:
if auth_token.refreshable:
refresh_token = OAuth2RefreshToken._new(
auth_token.client_id, auth_token.user_id,
auth_token.scope)
access_token = OAuth2AccessToken._new(
auth_token.client_id, auth_token.user_id,
auth_token.scope,
refresh_token._id if refresh_token else None)
elif grant_type == "refresh_token" and refresh_token:
access_token = OAuth2AccessToken._new(
refresh_token.client_id, refresh_token.user_id,
refresh_token.scope,
refresh_token=refresh_token._id)
if access_token:
resp["access_token"] = access_token._id
resp["token_type"] = access_token.token_type
resp["expires_in"] = int(access_token._ttl) if access_token._ttl else None
resp["scope"] = access_token.scope
if refresh_token:
resp["refresh_token"] = refresh_token._id
else:
resp["error"] = "invalid_grant"
else:
if (errors.INVALID_OPTION, "grant_type") in c.errors:
resp["error"] = "unsupported_grant_type"
elif (errors.INVALID_OPTION, "scope") in c.errors:
resp["error"] = "invalid_scope"
else:
resp["error"] = "invalid_request"
return self.api_wrapper(resp)
def POST_authorize(self, authorize, client, redirect_uri, scope, state,
duration, response_type):
"""Endpoint for OAuth2 authorization."""
self._check_employee_grants(client, scope)
self._check_redirect_uri(client, redirect_uri)
self._check_response_type_and_scope(response_type, scope)
self._check_client_type_and_duration(response_type, client, duration)
if c.errors:
return self._error_response(state, redirect_uri,
as_fragment=(response_type == "token"))
if response_type == "code":
code = OAuth2AuthorizationCode._new(client._id, redirect_uri,
c.user._id36, scope,
duration == "permanent")
resp = {"code": code._id, "state": state}
final_redirect = _update_redirect_uri(redirect_uri, resp)
g.stats.simple_event('oauth2.POST_authorize.authorization_code_create')
elif response_type == "token":
device_id = get_device_id(client)
token = OAuth2AccessToken._new(
client_id=client._id,
user_id=c.user._id36,
scope=scope,
device_id=device_id,
)
resp = OAuth2AccessController._make_new_token_response(token)
resp["state"] = state
final_redirect = _update_redirect_uri(redirect_uri, resp, as_fragment=True)
g.stats.simple_event('oauth2.POST_authorize.access_token_create')
# If this is the first time the user is logging in with an official
# mobile app, gild them
if (g.live_config.get('mobile_gild_first_login') and
not c.user.has_used_mobile_app and
client._id in g.mobile_auth_gild_clients):
buyer = Account.system_user()
admintools.adjust_gold_expiration(
c.user, days=g.mobile_auth_gild_time)
create_gift_gold(
buyer._id, c.user._id, g.mobile_auth_gild_time,
datetime.now(g.tz), signed=True, note='first_mobile_auth')
subject = 'Let there be gold! Reddit just sent you Reddit gold!'
message = (
"Thank you for using the Reddit mobile app! As a thank you "
"for logging in during launch week, you've been gifted %s of "
"Reddit Gold.\n\n"
"Reddit Gold is Reddit's premium membership program, which "
"grants you: \n"
"An ads-free experience in Reddit's mobile apps, and\n"
"Extra site features on desktop\n\n"
"Discuss and get help on the features and perks at "
"r/goldbenefits."
) % g.mobile_auth_gild_message
message += '\n\n' + strings.gold_benefits_msg
send_system_message(c.user, subject, message, add_to_sent=False)
c.user.has_used_mobile_app = True
c.user._commit()
return self.redirect(final_redirect, code=302)
def POST_access_token(self, grant_type, code, refresh_token, redirect_uri):
"""
Exchange an [OAuth 2.0](http://oauth.net/2/) authorization code
or refresh token (from [/api/v1/authorize](#api_method_authorize)) for
an access token.
On success, returns a URL-encoded dictionary containing
**access_token**, **token_type**, **expires_in**, and **scope**.
If an authorization code for a permanent grant was given, a
**refresh_token** will be included. If there is a problem, an **error**
parameter will be returned instead.
Must be called using SSL, and must contain a HTTP `Authorization:`
header which contains the application's client identifier as the
username and client secret as the password. (The client id and secret
are visible on the [app preferences page](/prefs/apps).)
Per the OAuth specification, **grant_type** must
be ``authorization_code`` for the initial access token or
``refresh_token`` for renewing the access token. In either case,
**redirect_uri** must exactly match the value that was used in the call
to [/api/v1/authorize](#api_method_authorize) that created this grant.
"""
resp = {}
if not (code or refresh_token):
c.errors.add("NO_TEXT", field=("code", "refresh_token"))
if not c.errors:
access_token = None
if grant_type == "authorization_code":
auth_token = OAuth2AuthorizationCode.use_token(
code, c.oauth2_client._id, redirect_uri)
if auth_token:
if auth_token.refreshable:
refresh_token = OAuth2RefreshToken._new(
auth_token.client_id, auth_token.user_id,
auth_token.scope)
access_token = OAuth2AccessToken._new(
auth_token.client_id, auth_token.user_id,
auth_token.scope,
refresh_token._id if refresh_token else None)
elif grant_type == "refresh_token" and refresh_token:
access_token = OAuth2AccessToken._new(
refresh_token.client_id,
refresh_token.user_id,
refresh_token.scope,
refresh_token=refresh_token._id)
if access_token:
resp["access_token"] = access_token._id
resp["token_type"] = access_token.token_type
resp["expires_in"] = int(
access_token._ttl) if access_token._ttl else None
resp["scope"] = access_token.scope
if refresh_token:
resp["refresh_token"] = refresh_token._id
else:
resp["error"] = "invalid_grant"
else:
if (errors.INVALID_OPTION, "grant_type") in c.errors:
resp["error"] = "unsupported_grant_type"
elif (errors.INVALID_OPTION, "scope") in c.errors:
resp["error"] = "invalid_scope"
else:
resp["error"] = "invalid_request"
return self.api_wrapper(resp)