changeset 5342:e28ba69b5307
mod_rest: Implement use of refresh tokens in rest.sh example
Because having access tokens expire daily was becoming annoying.
Now this is starting to be in dire need of refactoring.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Wed, 12 Apr 2023 11:24:50 +0200 |
parents | dcb93ffe64ae |
children | 5c1c70e52635 |
files | mod_rest/example/rest.sh |
diffstat | 1 files changed, 30 insertions(+), 11 deletions(-) [+] |
--- a/mod_rest/example/rest.sh Wed Apr 12 11:24:06 2023 +0200 +++ b/mod_rest/example/rest.sh Wed Apr 12 11:24:50 2023 +0200 @@ -66,6 +66,8 @@ OAUTH_META="$(http --check-status --json "https://$HOST/.well-known/oauth-authorization-server" Accept:application/json)" AUTHORIZATION_ENDPOINT="$(echo "$OAUTH_META" | jq -e -r '.authorization_endpoint')" + TOKEN_ENDPOINT="$(echo "$OAUTH_META" | jq -e -r '.token_endpoint')" + if [ -z "${OAUTH_CLIENT_INFO:-}" ]; then # Register a new OAuth client REGISTRATION_ENDPOINT="$(echo "$OAUTH_META" | jq -e -r '.registration_endpoint')" 
@@ -77,20 +79,37 @@ CLIENT_ID="$(echo "$OAUTH_CLIENT_INFO" | jq -e -r '.client_id')" CLIENT_SECRET="$(echo "$OAUTH_CLIENT_INFO" | jq -e -r '.client_secret')" - open "$AUTHORIZATION_ENDPOINT?response_type=code&client_id=$CLIENT_ID&scope=openid+prosody:user" - read -p "Paste authorization code: " -s -r AUTHORIZATION_CODE + if [ -n "${REFRESH_TOKEN:-}" ]; then + TOKEN_RESPONSE="$(http --check-status --form "$TOKEN_ENDPOINT" 'grant_type=refresh_token' "client_id=$CLIENT_ID" "client_secret=$CLIENT_SECRET" "refresh_token=$REFRESH_TOKEN")" + ACCESS_TOKEN="$(echo "$TOKEN_RESPONSE" | jq -r '.access_token')" + if [ "$ACCESS_TOKEN" == "null" ]; then + ACCESS_TOKEN="" + fi + fi + + if [ -z "${ACCESS_TOKEN:-}" ]; then + open "$AUTHORIZATION_ENDPOINT?response_type=code&client_id=$CLIENT_ID&scope=openid+prosody:user" + read -p "Paste authorization code: " -s -r AUTHORIZATION_CODE - TOKEN_ENDPOINT="$(echo "$OAUTH_META" | jq -e -r '.token_endpoint')" - TOKEN="$(http --check-status --form "$TOKEN_ENDPOINT" 'grant_type=authorization_code' "client_id=$CLIENT_ID" "client_secret=$CLIENT_SECRET" "code=$AUTHORIZATION_CODE" | jq -e -r '.access_token')" + TOKEN_RESPONSE="$(http --check-status --form "$TOKEN_ENDPOINT" 'grant_type=authorization_code' "client_id=$CLIENT_ID" "client_secret=$CLIENT_SECRET" "code=$AUTHORIZATION_CODE")" + ACCESS_TOKEN="$(echo "$TOKEN_RESPONSE" | jq -e -r '.access_token')" + REFRESH_TOKEN="$(echo "$TOKEN_RESPONSE" | jq -r '.refresh_token')" + + if [ "$REFRESH_TOKEN" != "null" ]; then + # FIXME Better type check would be nice, but nobody should ever have the + # string "null" as a legitimate refresh token... 
+ typeset -p REFRESH_TOKEN >> "${XDG_CACHE_HOME:-$HOME/.cache}/rest/$HOST" + fi + + if [ -n "${COLORTERM:-}" ]; then + echo -ne '\e[1K\e[G' + else + echo + fi + fi USERINFO_ENDPOINT="$(echo "$OAUTH_META" | jq -e -r '.userinfo_endpoint')" - - if [ -n "${COLORTERM:-}" ]; then - echo -ne '\e[1K\e[G' - else - echo - fi - http --check-status -b --session rest "$USERINFO_ENDPOINT" "Authorization:Bearer $TOKEN" Accept:application/json >&2 + http --check-status -b --session rest "$USERINFO_ENDPOINT" "Authorization:Bearer $ACCESS_TOKEN" Accept:application/json >&2 AUTH_METHOD="session-read-only" AUTH_ID="rest" fi
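Review bot: The new `typeset -p REFRESH_TOKEN >> "${XDG_CACHE_HOME:-$HOME/.cache}/rest/$HOST"` persists a long-lived bearer credential with whatever umask the shell inherited, so under the common 022 default a freshly created cache file is world-readable, and because it appends, every superseded refresh token stays on disk after a re-authorization. Create the file and its directory owner-only, e.g. `CACHE_FILE="${XDG_CACHE_HOME:-$HOME/.cache}/rest/$HOST"` and `(umask 077; mkdir -p "${CACHE_FILE%/*}"; typeset -p REFRESH_TOKEN >> "$CACHE_FILE")`, and strip earlier `REFRESH_TOKEN` declarations before appending rather than switching to `>` — the same file presumably also carries the client registration from the branch above, which I cannot see here. The refresh branch reads only `.access_token` from the refresh response, so a rotated `refresh_token` (servers may issue one per RFC 6749 §6) is never saved and the next run silently drops back to the browser flow. Since `http --check-status` exits non-zero on a 4xx and the `${VAR:-}` guards suggest the script runs under `set -eu` (the `set` line is outside this hunk), an expired or revoked refresh token presumably aborts at the `TOKEN_RESPONSE=` assignment instead of reaching the `if [ -z "${ACCESS_TOKEN:-}" ]` fallback that this change is built around; `|| true` on that assignment, or dropping `--check-status` there and testing `.error`, would make the fallback reachable. The outer `if` that the final `fi` closes begins before this hunk, and both `client_secret` and `refresh_token` are still passed to `http` as argv, where other local users can read them from the process list.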