~sircmpwn/core.sr.ht

core.sr.ht/srht/oauth
Add "internal_anon" path for internal auth tokens

This allows us to use internal auth without actually impersonating a
specific account. This is only used for the account registration
endpoint on meta.sr.ht, which needs to work prior to the user having a
record in the database.

Anonymous authentication will be implemented separately.

Fix name of srht.oauth blueprint

The latest Flask release does not support dots in Blueprint names.

Don't trust user cookie for profile details

Fix various issues with OAuth

This was preventing user webhooks from being registered properly and
from taking effect.

Circumvent SQLAlchemy for internal auth

srht.oauth: use upsert for fetching user info

This fixes an ancient issue where, when several requests come in
quickly, one worker could insert the user details, then another worker
would trip over the constraint.

More refinements to internal auth

God I hate this shit

Don't abort startup if we can't reach meta

lookup_user: return none on 404 from meta.sr.ht

Internal auth: fix invalid auth for profile req

The AbstractOAuthService.lookup_user function is used to fetch users
either from the local database or from meta.sr.ht, and the
implementation creates an Internal auth token for the requested
username. If that user does not exist, this previously tripped an
assertion failure in this code. This case now raises a 404 error, and
the assertion is made more specific.

Improve logging on missing client assertion

Fix issues with internal auth for new users

Correctly bubble HTTP status in OAuthError

Before:
-- >8 --
nabijaczleweli@tarta:~$ curl -D/dev/stdout -H "Authorization: Bearer invalid-token" http://127.0.0.1:5001/api/repos/cabal/refs; echo
HTTP/1.1 200 OK
Server: gunicorn/19.9.0
Date: Mon, 17 Aug 2020 11:57:46 GMT
Connection: close
Content-Type: application/json
Content-Length: 58

{"errors": [{"reason": "Invalid or expired OAuth token"}]}
-- >8 --

After:
-- >8 --
nabijaczleweli@tarta:~$ curl -D/dev/stdout -H "Authorization: Bearer invalid-token" http://127.0.0.1:5001/api/repos/cabal/refs; echo
HTTP/1.1 400 BAD REQUEST
Server: gunicorn/19.9.0
Date: Mon, 17 Aug 2020 12:02:58 GMT
Connection: close
Content-Type: application/json
Content-Length: 58

{"errors": [{"reason": "Invalid or expired OAuth token"}]}
-- >8 --

Ref: ~sircmpwn/paste.sr.ht#18

Update internal auth for forwards compat with gql

OAuth: error on insufficient scopes

Support 'Bearer' auth scheme in addition to 'token'

  Authorization: Bearer <token here>

Described by RFC 6750 and registered with IANA.

This should make it easier to work with tooling and libraries that
support that.

Add unique constraint to username

Fix profile update webhook handler

Don't refresh user info from cookie

Otherwise changes which happen outside of the web interface (for
example, an account becoming delinquent) and communicated via webhooks
will be overridden by an outdated cookie.

Add srht.oauth.freshen_user