view app/main/oauth2/validate.lua @ 1622:72442abafb3c
Allow delegations when initiative right is given
| author | bsw | 
|---|---|
| date | Sat Feb 06 23:30:20 2021 +0100 (2021-02-06) | 
| parents | 020fd82c6cb4 | 
| children | 
     1 if not request.is_post() then
     2   return execute.view { module = "index", view = "405" }
     3 end
     5 slot.set_layout(nil, "application/json")
     7 local function error_result(error_code, description)
     8   local r = json.object()
     9   r.error = error_code
    10   r.error_description = description
    11   slot.put_into("data", json.export(r))
    12   request.set_status("400 Bad Request")
    13 end
    15 local access_token, access_token_err = util.get_access_token()
    17 if access_token_err then
    18   if access_token_err == "header_and_param" then
    19     return error_result("invalid_request", "Access token passed both via header and param")
    20   end
    21   error("Error in util.get_access_token")
    22 end
    24 if not access_token then
    25   return error_result("invalid_token", "No access token supplied")  
    26 end
    28 local token = Token:by_token_type_and_token("access", access_token)
    30 if not token then
    31   return error_result("invalid_token", "Access token invalid")  
    32 end
    34 local scopes = {}
    35 for scope in string.gmatch(token.scope, "[^ ]+") do
    36   local match = string.match(scope, "(.+)_detached$")
    37   scopes[match or scope] = true
    38 end
    39 local scope_list = {}
    40 for scope in pairs(scopes) do
    41   scope_list[#scope_list+1] = scope
    42 end
    43 table.sort(scope_list)
    44 local scope = table.concat(scope_list, " ")
    46 local r = json.object()
    47 r.scope = scope
    49 local expiry = db:query({ "SELECT FLOOR(EXTRACT(EPOCH FROM ? - now())) AS access_time_left", token.expiry }, "object")
    50 r.expires_in = expiry.access_time_left
    52 r.member_id = token.member_id
    53 if token.member.role then
    54   r.member_is_role = true
    55 end
    56 if token.session then
    57   r.real_member_id = token.session.real_member_id
    58 end
    60 if scopes.identification or scopes.authentication then
    61   if param.get("include_member", atom.boolean) then
    62     local member = token.member
    63     r.member = json.object{
    64       id = member.id,
    65       name = member.name,
    66     }
    67     if token.session and token.session.real_member then
    68       r.real_member = json.object{
    69         id = token.session.real_member.id,
    70         name = token.session.real_member.name,
    71       }
    72     end
    73     if scopes.identification then
    74       r.member.identification = member.identification
    75       if token.session and token.session.real_member then
    76         r.real_member.identification = token.session.real_member.identification
    77       end
    78     end
    79     if param.get("include_member_notify_email", atom.boolean) then
    80       r.member.notify_email = member.notify_email
    81     end
    82     if param.get("include_roles", atom.boolean) then
    83       for i, unit in ipairs(member.units) do
    84         if unit.attr.role then
    85           r.roles = json.object()
    86           if not unit.attr.only_visible_for_role 
    87             or member:has_role(unit.attr.only_visible_for_role)
    88           then
    89             r.roles[unit.attr.role] = true
    90           end
    91         end
    92       end
    93     end
    94   end
    95 end
    97 r.logged_in = token.session_id and true or false
    98 slot.put_into("data", json.export(r))
