
mod_rest/example/rest.sh @ 5342:e28ba69b5307

mod_rest: Implement use of refresh tokens in rest.sh example Because having access tokens expire daily was becoming annoying. Now this is starting to be in dire need of refactoring.
author Kim Alvefur <zash@zash.se>
date Wed, 12 Apr 2023 11:24:50 +0200
parent 5330:071d05b13a06
child 5368:165ccec95585
64 source "${XDG_CACHE_HOME:-$HOME/.cache}/rest/$HOST" 64 source "${XDG_CACHE_HOME:-$HOME/.cache}/rest/$HOST"
65 fi 65 fi
66 66
67 OAUTH_META="$(http --check-status --json "https://$HOST/.well-known/oauth-authorization-server" Accept:application/json)" 67 OAUTH_META="$(http --check-status --json "https://$HOST/.well-known/oauth-authorization-server" Accept:application/json)"
68 AUTHORIZATION_ENDPOINT="$(echo "$OAUTH_META" | jq -e -r '.authorization_endpoint')" 68 AUTHORIZATION_ENDPOINT="$(echo "$OAUTH_META" | jq -e -r '.authorization_endpoint')"
69 TOKEN_ENDPOINT="$(echo "$OAUTH_META" | jq -e -r '.token_endpoint')"
70
69 if [ -z "${OAUTH_CLIENT_INFO:-}" ]; then 71 if [ -z "${OAUTH_CLIENT_INFO:-}" ]; then
70 # Register a new OAuth client 72 # Register a new OAuth client
71 REGISTRATION_ENDPOINT="$(echo "$OAUTH_META" | jq -e -r '.registration_endpoint')" 73 REGISTRATION_ENDPOINT="$(echo "$OAUTH_META" | jq -e -r '.registration_endpoint')"
72 OAUTH_CLIENT_INFO="$(http --check-status "$REGISTRATION_ENDPOINT" Content-Type:application/json Accept:application/json client_name=rest client_uri="https://modules.prosody.im/mod_rest" redirect_uris:='["urn:ietf:wg:oauth:2.0:oob"]')" 74 OAUTH_CLIENT_INFO="$(http --check-status "$REGISTRATION_ENDPOINT" Content-Type:application/json Accept:application/json client_name=rest client_uri="https://modules.prosody.im/mod_rest" redirect_uris:='["urn:ietf:wg:oauth:2.0:oob"]')"
73 mkdir -p "${XDG_CACHE_HOME:-$HOME/.cache}/rest/" 75 mkdir -p "${XDG_CACHE_HOME:-$HOME/.cache}/rest/"
75 fi 77 fi
76 78
77 CLIENT_ID="$(echo "$OAUTH_CLIENT_INFO" | jq -e -r '.client_id')" 79 CLIENT_ID="$(echo "$OAUTH_CLIENT_INFO" | jq -e -r '.client_id')"
78 CLIENT_SECRET="$(echo "$OAUTH_CLIENT_INFO" | jq -e -r '.client_secret')" 80 CLIENT_SECRET="$(echo "$OAUTH_CLIENT_INFO" | jq -e -r '.client_secret')"
79 81
80 open "$AUTHORIZATION_ENDPOINT?response_type=code&client_id=$CLIENT_ID&scope=openid+prosody:user" 82 if [ -n "${REFRESH_TOKEN:-}" ]; then
81 read -p "Paste authorization code: " -s -r AUTHORIZATION_CODE 83 TOKEN_RESPONSE="$(http --check-status --form "$TOKEN_ENDPOINT" 'grant_type=refresh_token' "client_id=$CLIENT_ID" "client_secret=$CLIENT_SECRET" "refresh_token=$REFRESH_TOKEN")"
84 ACCESS_TOKEN="$(echo "$TOKEN_RESPONSE" | jq -r '.access_token')"
85 if [ "$ACCESS_TOKEN" == "null" ]; then
86 ACCESS_TOKEN=""
87 fi
88 fi
82 89
83 TOKEN_ENDPOINT="$(echo "$OAUTH_META" | jq -e -r '.token_endpoint')" 90 if [ -z "${ACCESS_TOKEN:-}" ]; then
84 TOKEN="$(http --check-status --form "$TOKEN_ENDPOINT" 'grant_type=authorization_code' "client_id=$CLIENT_ID" "client_secret=$CLIENT_SECRET" "code=$AUTHORIZATION_CODE" | jq -e -r '.access_token')" 91 open "$AUTHORIZATION_ENDPOINT?response_type=code&client_id=$CLIENT_ID&scope=openid+prosody:user"
92 read -p "Paste authorization code: " -s -r AUTHORIZATION_CODE
93
94 TOKEN_RESPONSE="$(http --check-status --form "$TOKEN_ENDPOINT" 'grant_type=authorization_code' "client_id=$CLIENT_ID" "client_secret=$CLIENT_SECRET" "code=$AUTHORIZATION_CODE")"
95 ACCESS_TOKEN="$(echo "$TOKEN_RESPONSE" | jq -e -r '.access_token')"
96 REFRESH_TOKEN="$(echo "$TOKEN_RESPONSE" | jq -r '.refresh_token')"
97
98 if [ "$REFRESH_TOKEN" != "null" ]; then
99 # FIXME Better type check would be nice, but nobody should ever have the
100 # string "null" as a legitimate refresh token...
101 typeset -p REFRESH_TOKEN >> "${XDG_CACHE_HOME:-$HOME/.cache}/rest/$HOST"
102 fi
103
104 if [ -n "${COLORTERM:-}" ]; then
105 echo -ne '\e[1K\e[G'
106 else
107 echo
108 fi
109 fi
85 110
86 USERINFO_ENDPOINT="$(echo "$OAUTH_META" | jq -e -r '.userinfo_endpoint')" 111 USERINFO_ENDPOINT="$(echo "$OAUTH_META" | jq -e -r '.userinfo_endpoint')"
87 112 http --check-status -b --session rest "$USERINFO_ENDPOINT" "Authorization:Bearer $ACCESS_TOKEN" Accept:application/json >&2
88 if [ -n "${COLORTERM:-}" ]; then
89 echo -ne '\e[1K\e[G'
90 else
91 echo
92 fi
93 http --check-status -b --session rest "$USERINFO_ENDPOINT" "Authorization:Bearer $TOKEN" Accept:application/json >&2
94 AUTH_METHOD="session-read-only" 113 AUTH_METHOD="session-read-only"
95 AUTH_ID="rest" 114 AUTH_ID="rest"
96 fi 115 fi
97 116
98 if [[ $# == 0 ]]; then 117 if [[ $# == 0 ]]; then
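Review bot: The refresh token persisted by `typeset -p REFRESH_TOKEN >> "${XDG_CACHE_HOME:-$HOME/.cache}/rest/$HOST"` is a long-lived credential written with whatever the ambient umask allows, and the `mkdir -p` of the cache directory does not restrict it either; wrap the write as `( umask 077; typeset -p REFRESH_TOKEN >> "${XDG_CACHE_HOME:-$HOME/.cache}/rest/$HOST" )` or follow it with a `chmod 600` on that file. Because `>>` appends, each fresh authorization leaves another `declare` line in the file, so superseded tokens accumulate on disk even though `source` only keeps the last one; remove the stale `REFRESH_TOKEN` line before appending, or keep the two cached variables in separate files. In the refresh branch the `TOKEN_RESPONSE` is read only for `.access_token`; if the server rotates refresh tokens on use, the rotated `.refresh_token` is never saved and the cached one stops working after its first use, so that branch should persist `.refresh_token` the same way the authorization-code branch does. Note too that `http --check-status` exits non-zero when the refresh is rejected, so the `"null"` fallback on `ACCESS_TOKEN` only reaches the interactive flow if the script is not running under `set -e`, which is not visible in this excerpt.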