prosody-modules: mod_rest/example/rest.sh comparison

comparison mod_rest/example/rest.sh @ 5342:e28ba69b5307

mod_rest: Implement use of refresh tokens in rest.sh example Because having access tokens expire daily was becoming annoying. Now this is starting to be in dire need of refactoring.

author	Kim Alvefur <zash@zash.se>
date	Wed, 12 Apr 2023 11:24:50 +0200
parents	071d05b13a06
children	165ccec95585

comparison

equal deleted inserted replaced

-:dcb93ffe64ae
+:e28ba69b5307
 		source "${XDG_CACHE_HOME:-$HOME/.cache}/rest/$HOST"
 	fi
 	OAUTH_META="$(http --check-status --json "https://$HOST/.well-known/oauth-authorization-server" Accept:application/json)"
 	AUTHORIZATION_ENDPOINT="$(echo "$OAUTH_META" | jq -e -r '.authorization_endpoint')"
+	TOKEN_ENDPOINT="$(echo "$OAUTH_META" | jq -e -r '.token_endpoint')"
 	if [ -z "${OAUTH_CLIENT_INFO:-}" ]; then
 		# Register a new OAuth client
 		REGISTRATION_ENDPOINT="$(echo "$OAUTH_META" | jq -e -r '.registration_endpoint')"
 		OAUTH_CLIENT_INFO="$(http --check-status "$REGISTRATION_ENDPOINT" Content-Type:application/json Accept:application/json client_name=rest client_uri="https://modules.prosody.im/mod_rest" redirect_uris:='["urn:ietf:wg:oauth:2.0:oob"]')"
 		mkdir -p "${XDG_CACHE_HOME:-$HOME/.cache}/rest/"
 	fi
 	CLIENT_ID="$(echo "$OAUTH_CLIENT_INFO" | jq -e -r '.client_id')"
 	CLIENT_SECRET="$(echo "$OAUTH_CLIENT_INFO" | jq -e -r '.client_secret')"
-	open "$AUTHORIZATION_ENDPOINT?response_type=code&client_id=$CLIENT_ID&scope=openid+prosody:user"
+	if [ -n "${REFRESH_TOKEN:-}" ]; then
-	read -p "Paste authorization code: " -s -r AUTHORIZATION_CODE
+		TOKEN_RESPONSE="$(http --check-status --form "$TOKEN_ENDPOINT" 'grant_type=refresh_token' "client_id=$CLIENT_ID" "client_secret=$CLIENT_SECRET" "refresh_token=$REFRESH_TOKEN")"
+		ACCESS_TOKEN="$(echo "$TOKEN_RESPONSE" | jq -r '.access_token')"
+		if [ "$ACCESS_TOKEN" == "null" ]; then
+			ACCESS_TOKEN=""
+		fi
+	fi
-	TOKEN_ENDPOINT="$(echo "$OAUTH_META" | jq -e -r '.token_endpoint')"
+	if [ -z "${ACCESS_TOKEN:-}" ]; then
-	TOKEN="$(http --check-status --form "$TOKEN_ENDPOINT" 'grant_type=authorization_code' "client_id=$CLIENT_ID" "client_secret=$CLIENT_SECRET" "code=$AUTHORIZATION_CODE" | jq -e -r '.access_token')"
+		open "$AUTHORIZATION_ENDPOINT?response_type=code&client_id=$CLIENT_ID&scope=openid+prosody:user"
+		read -p "Paste authorization code: " -s -r AUTHORIZATION_CODE
+		TOKEN_RESPONSE="$(http --check-status --form "$TOKEN_ENDPOINT" 'grant_type=authorization_code' "client_id=$CLIENT_ID" "client_secret=$CLIENT_SECRET" "code=$AUTHORIZATION_CODE")"
+		ACCESS_TOKEN="$(echo "$TOKEN_RESPONSE" | jq -e -r '.access_token')"
+		REFRESH_TOKEN="$(echo "$TOKEN_RESPONSE" | jq -r '.refresh_token')"
+		if [ "$REFRESH_TOKEN" != "null" ]; then
+			# FIXME Better type check would be nice, but nobody should ever have the
+			# string "null" as a legitimate refresh token...
+			typeset -p REFRESH_TOKEN >> "${XDG_CACHE_HOME:-$HOME/.cache}/rest/$HOST"
+		fi
+		if [ -n "${COLORTERM:-}" ]; then
+			echo -ne '\e[1K\e[G'
+		else
+			echo
+		fi
+	fi
 	USERINFO_ENDPOINT="$(echo "$OAUTH_META" | jq -e -r '.userinfo_endpoint')"
+	http --check-status -b --session rest "$USERINFO_ENDPOINT" "Authorization:Bearer $ACCESS_TOKEN" Accept:application/json >&2
-	if [ -n "${COLORTERM:-}" ]; then
-		echo -ne '\e[1K\e[G'
-	else
-		echo
-	fi
-	http --check-status -b --session rest "$USERINFO_ENDPOINT" "Authorization:Bearer $TOKEN" Accept:application/json >&2
 	AUTH_METHOD="session-read-only"
 	AUTH_ID="rest"
 fi
 if [[ $# == 0 ]]; then

Mercurial > prosody-modules

comparison mod_rest/example/rest.sh @ 5342:e28ba69b5307