mod_rest/example/rest.sh @ 5342:e28ba69b5307
mod_rest: Implement use of refresh tokens in rest.sh example
Because having access tokens expire daily was becoming annoying.
Now this is starting to be in dire need of refactoring.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Wed, 12 Apr 2023 11:24:50 +0200 |
parent | 5330:071d05b13a06 |
child | 5368:165ccec95585 |
5341:dcb93ffe64ae | 5342:e28ba69b5307 |
---|---|
64 source "${XDG_CACHE_HOME:-$HOME/.cache}/rest/$HOST" | 64 source "${XDG_CACHE_HOME:-$HOME/.cache}/rest/$HOST" |
65 fi | 65 fi |
66 | 66 |
67 OAUTH_META="$(http --check-status --json "https://$HOST/.well-known/oauth-authorization-server" Accept:application/json)" | 67 OAUTH_META="$(http --check-status --json "https://$HOST/.well-known/oauth-authorization-server" Accept:application/json)" |
68 AUTHORIZATION_ENDPOINT="$(echo "$OAUTH_META" | jq -e -r '.authorization_endpoint')" | 68 AUTHORIZATION_ENDPOINT="$(echo "$OAUTH_META" | jq -e -r '.authorization_endpoint')" |
69 TOKEN_ENDPOINT="$(echo "$OAUTH_META" | jq -e -r '.token_endpoint')" | |
70 | |
69 if [ -z "${OAUTH_CLIENT_INFO:-}" ]; then | 71 if [ -z "${OAUTH_CLIENT_INFO:-}" ]; then |
70 # Register a new OAuth client | 72 # Register a new OAuth client |
71 REGISTRATION_ENDPOINT="$(echo "$OAUTH_META" | jq -e -r '.registration_endpoint')" | 73 REGISTRATION_ENDPOINT="$(echo "$OAUTH_META" | jq -e -r '.registration_endpoint')" |
72 OAUTH_CLIENT_INFO="$(http --check-status "$REGISTRATION_ENDPOINT" Content-Type:application/json Accept:application/json client_name=rest client_uri="https://modules.prosody.im/mod_rest" redirect_uris:='["urn:ietf:wg:oauth:2.0:oob"]')" | 74 OAUTH_CLIENT_INFO="$(http --check-status "$REGISTRATION_ENDPOINT" Content-Type:application/json Accept:application/json client_name=rest client_uri="https://modules.prosody.im/mod_rest" redirect_uris:='["urn:ietf:wg:oauth:2.0:oob"]')" |
73 mkdir -p "${XDG_CACHE_HOME:-$HOME/.cache}/rest/" | 75 mkdir -p "${XDG_CACHE_HOME:-$HOME/.cache}/rest/" |
75 fi | 77 fi |
76 | 78 |
77 CLIENT_ID="$(echo "$OAUTH_CLIENT_INFO" | jq -e -r '.client_id')" | 79 CLIENT_ID="$(echo "$OAUTH_CLIENT_INFO" | jq -e -r '.client_id')" |
78 CLIENT_SECRET="$(echo "$OAUTH_CLIENT_INFO" | jq -e -r '.client_secret')" | 80 CLIENT_SECRET="$(echo "$OAUTH_CLIENT_INFO" | jq -e -r '.client_secret')" |
79 | 81 |
80 open "$AUTHORIZATION_ENDPOINT?response_type=code&client_id=$CLIENT_ID&scope=openid+prosody:user" | 82 if [ -n "${REFRESH_TOKEN:-}" ]; then |
81 read -p "Paste authorization code: " -s -r AUTHORIZATION_CODE | 83 TOKEN_RESPONSE="$(http --check-status --form "$TOKEN_ENDPOINT" 'grant_type=refresh_token' "client_id=$CLIENT_ID" "client_secret=$CLIENT_SECRET" "refresh_token=$REFRESH_TOKEN")" |
84 ACCESS_TOKEN="$(echo "$TOKEN_RESPONSE" | jq -r '.access_token')" | |
85 if [ "$ACCESS_TOKEN" == "null" ]; then | |
86 ACCESS_TOKEN="" | |
87 fi | |
88 fi | |
82 | 89 |
83 TOKEN_ENDPOINT="$(echo "$OAUTH_META" | jq -e -r '.token_endpoint')" | 90 if [ -z "${ACCESS_TOKEN:-}" ]; then |
84 TOKEN="$(http --check-status --form "$TOKEN_ENDPOINT" 'grant_type=authorization_code' "client_id=$CLIENT_ID" "client_secret=$CLIENT_SECRET" "code=$AUTHORIZATION_CODE" | jq -e -r '.access_token')" | 91 open "$AUTHORIZATION_ENDPOINT?response_type=code&client_id=$CLIENT_ID&scope=openid+prosody:user" |
92 read -p "Paste authorization code: " -s -r AUTHORIZATION_CODE | |
93 | |
94 TOKEN_RESPONSE="$(http --check-status --form "$TOKEN_ENDPOINT" 'grant_type=authorization_code' "client_id=$CLIENT_ID" "client_secret=$CLIENT_SECRET" "code=$AUTHORIZATION_CODE")" | |
95 ACCESS_TOKEN="$(echo "$TOKEN_RESPONSE" | jq -e -r '.access_token')" | |
96 REFRESH_TOKEN="$(echo "$TOKEN_RESPONSE" | jq -r '.refresh_token')" | |
97 | |
98 if [ "$REFRESH_TOKEN" != "null" ]; then | |
99 # FIXME Better type check would be nice, but nobody should ever have the | |
100 # string "null" as a legitimate refresh token... | |
101 typeset -p REFRESH_TOKEN >> "${XDG_CACHE_HOME:-$HOME/.cache}/rest/$HOST" | |
102 fi | |
103 | |
104 if [ -n "${COLORTERM:-}" ]; then | |
105 echo -ne '\e[1K\e[G' | |
106 else | |
107 echo | |
108 fi | |
109 fi | |
85 | 110 |
86 USERINFO_ENDPOINT="$(echo "$OAUTH_META" | jq -e -r '.userinfo_endpoint')" | 111 USERINFO_ENDPOINT="$(echo "$OAUTH_META" | jq -e -r '.userinfo_endpoint')" |
87 | 112 http --check-status -b --session rest "$USERINFO_ENDPOINT" "Authorization:Bearer $ACCESS_TOKEN" Accept:application/json >&2 |
88 if [ -n "${COLORTERM:-}" ]; then | |
89 echo -ne '\e[1K\e[G' | |
90 else | |
91 echo | |
92 fi | |
93 http --check-status -b --session rest "$USERINFO_ENDPOINT" "Authorization:Bearer $TOKEN" Accept:application/json >&2 | |
94 AUTH_METHOD="session-read-only" | 113 AUTH_METHOD="session-read-only" |
95 AUTH_ID="rest" | 114 AUTH_ID="rest" |
96 fi | 115 fi |
97 | 116 |
98 if [[ $# == 0 ]]; then | 117 if [[ $# == 0 ]]; then |
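Review bot: The refresh token appended at new line 101 goes into the same cache file that is `source`d at line 64, and nothing in the visible lines restricts that file's mode, so under a common umask of 022 a long-lived credential (apparently stored alongside the client registration) would be readable by other local accounts. I would set `umask 077` before the `mkdir -p` and the write, and add `chmod 600 "${XDG_CACHE_HOME:-$HOME/.cache}/rest/$HOST"` for files that already exist; the line that first creates the file is not shown on this page, so confirm whether that is already handled there. Separately, the refresh branch at new lines 83–87 reads only `.access_token` from `TOKEN_RESPONSE`, so if the server issues a new refresh token on refresh the cached one is never updated. Persisting it there too, read with `jq -r '.refresh_token // empty'` rather than comparing against the string `"null"`, would cover that case and the FIXME at new line 99. The enclosing `if` that closes at new line 115 starts above the hunk.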