Add artdag to OAuth clients + POST /auth/oauth/token endpoint

Standard HTTP token exchange for clients that don't share the coop DB. Returns user_id, username, display_name, grant_token in exchange for a valid authorization code. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-23 23:26:10 +00:00
parent 40b8aa3b0e
commit f5153b711c
1 changed files with 64 additions and 1 deletions
--- a/bp/auth/routes.py
+++ b/bp/auth/routes.py
@@ -43,7 +43,7 @@ from .services import (
 SESSION_USER_KEY = "uid"
 ACCOUNT_SESSION_KEY = "account_sid"
-ALLOWED_CLIENTS = {"blog", "market", "cart", "events", "federation"}
+ALLOWED_CLIENTS = {"blog", "market", "cart", "events", "federation", "artdag"}
 def register(url_prefix="/auth"):
@@ -121,6 +121,69 @@ def register(url_prefix="/auth"):
            f"&account_did={account_did}"
        )
    # --- OAuth2 token exchange (for external clients like artdag) -------------
    @auth_bp.post("/oauth/token")
    @auth_bp.post("/oauth/token/")
    async def oauth_token():
        """Exchange an authorization code for user info + grant token.
        Used by clients that don't share the coop database (e.g. artdag).
        Accepts JSON: {code, client_id, redirect_uri}
        Returns JSON: {user_id, username, display_name, grant_token}
        """
        data = await request.get_json()
        if not data:
            return jsonify({"error": "invalid_request"}), 400
        code = data.get("code", "")
        client_id = data.get("client_id", "")
        redirect_uri = data.get("redirect_uri", "")
        if client_id not in ALLOWED_CLIENTS:
            return jsonify({"error": "invalid_client"}), 400
        now = datetime.now(timezone.utc)
        async with get_session() as s:
            async with s.begin():
                result = await s.execute(
                    select(OAuthCode)
                    .where(OAuthCode.code == code)
                    .with_for_update()
                )
                oauth_code = result.scalar_one_or_none()
                if not oauth_code:
                    return jsonify({"error": "invalid_grant"}), 400
                if oauth_code.used_at is not None:
                    return jsonify({"error": "invalid_grant"}), 400
                if oauth_code.expires_at < now:
                    return jsonify({"error": "invalid_grant"}), 400
                if oauth_code.client_id != client_id:
                    return jsonify({"error": "invalid_grant"}), 400
                if oauth_code.redirect_uri != redirect_uri:
                    return jsonify({"error": "invalid_grant"}), 400
                oauth_code.used_at = now
                user_id = oauth_code.user_id
                grant_token = oauth_code.grant_token
                user = await s.get(User, user_id)
                if not user:
                    return jsonify({"error": "invalid_grant"}), 400
                return jsonify({
                    "user_id": user_id,
                    "username": user.email or "",
                    "display_name": user.name or "",
                    "grant_token": grant_token,
                })
    # --- Grant verification (internal endpoint) ------------------------------
    @auth_bp.get("/internal/verify-grant")