OAuth 2.0 Authorization Server [MOD-559] (#733)

* WIP end-of-day push

* Authorize endpoint, accept endpoints, DB stuff for oauth clients, their redirects, and client authorizations

* OAuth Client create route

* Get user clients

* Client delete

* Edit oauth client

* Include redirects in edit client route

* Database stuff for tokens

* Reorg oauth stuff out of auth/flows and into its own module

* Impl OAuth get access token endpoint

* Accept oauth access tokens as auth and update through AuthQueue

* User OAuth authorization management routes

* Forgot to actually add the routes lol

* Bit o cleanup

* Happy path test for OAuth and minor fixes for things it found

* Add dummy data oauth client (and detect/handle dummy data version changes)

* More tests

* Another test

* More tests and reject endpoint

* Test oauth client and authorization management routes

* cargo sqlx prepare

* dead code warning

* Auto clippy fixes

* Uri refactoring

* minor name improvement

* Don't compile-time check the test sqlx queries

* Trying to fix db concurrency problem to get tests to pass

* Try fix from test PR

* Fixes for updated sqlx

* Prevent restricted scopes from being requested or issued

* Get OAuth client(s)

* Remove joined oauth client info from authorization returns

* Add default conversion to OAuthError::error so we can use ?

* Rework routes

* Consolidate scopes into SESSION_ACCESS

* Cargo sqlx prepare

* Parse to OAuthClientId automatically through serde and actix

* Cargo clippy

* Remove validation requiring 1 redirect URI on oauth client creation

* Use serde(flatten) on OAuthClientCreationResult

tests/common/api_v3/mod.rs

@@ -0,0 +1,19 @@
+#![allow(dead_code)]
+
+use super::environment::LocalService;
+use actix_web::dev::ServiceResponse;
+use std::rc::Rc;
+
+pub mod oauth;
+pub mod oauth_clients;
+
+#[derive(Clone)]
+pub struct ApiV3 {
+    pub test_app: Rc<dyn LocalService>,
+}
+
+impl ApiV3 {
+    pub async fn call(&self, req: actix_http::Request) -> ServiceResponse {
+        self.test_app.call(req).await.unwrap()
+    }
+}

tests/common/api_v3/oauth.rs

@@ -0,0 +1,156 @@
+use std::collections::HashMap;
+
+use actix_http::StatusCode;
+use actix_web::{
+    dev::ServiceResponse,
+    test::{self, TestRequest},
+};
+use labrinth::auth::oauth::{
+    OAuthClientAccessRequest, RespondToOAuthClientScopes, TokenRequest, TokenResponse,
+};
+use reqwest::header::{AUTHORIZATION, LOCATION};
+
+use crate::common::asserts::assert_status;
+
+use super::ApiV3;
+
+impl ApiV3 {
+    pub async fn complete_full_authorize_flow(
+        &self,
+        client_id: &str,
+        client_secret: &str,
+        scope: Option<&str>,
+        redirect_uri: Option<&str>,
+        state: Option<&str>,
+        user_pat: &str,
+    ) -> String {
+        let auth_resp = self
+            .oauth_authorize(client_id, scope, redirect_uri, state, user_pat)
+            .await;
+        let flow_id = get_authorize_accept_flow_id(auth_resp).await;
+        let redirect_resp = self.oauth_accept(&flow_id, user_pat).await;
+        let auth_code = get_auth_code_from_redirect_params(&redirect_resp).await;
+        let token_resp = self
+            .oauth_token(auth_code, None, client_id.to_string(), client_secret)
+            .await;
+        get_access_token(token_resp).await
+    }
+
+    pub async fn oauth_authorize(
+        &self,
+        client_id: &str,
+        scope: Option<&str>,
+        redirect_uri: Option<&str>,
+        state: Option<&str>,
+        pat: &str,
+    ) -> ServiceResponse {
+        let uri = generate_authorize_uri(client_id, scope, redirect_uri, state);
+        let req = TestRequest::get()
+            .uri(&uri)
+            .append_header((AUTHORIZATION, pat))
+            .to_request();
+        self.call(req).await
+    }
+
+    pub async fn oauth_accept(&self, flow: &str, pat: &str) -> ServiceResponse {
+        self.call(
+            TestRequest::post()
+                .uri("/v3/auth/oauth/accept")
+                .append_header((AUTHORIZATION, pat))
+                .set_json(RespondToOAuthClientScopes {
+                    flow: flow.to_string(),
+                })
+                .to_request(),
+        )
+        .await
+    }
+
+    pub async fn oauth_reject(&self, flow: &str, pat: &str) -> ServiceResponse {
+        self.call(
+            TestRequest::post()
+                .uri("/v3/auth/oauth/reject")
+                .append_header((AUTHORIZATION, pat))
+                .set_json(RespondToOAuthClientScopes {
+                    flow: flow.to_string(),
+                })
+                .to_request(),
+        )
+        .await
+    }
+
+    pub async fn oauth_token(
+        &self,
+        auth_code: String,
+        original_redirect_uri: Option<String>,
+        client_id: String,
+        client_secret: &str,
+    ) -> ServiceResponse {
+        self.call(
+            TestRequest::post()
+                .uri("/v3/auth/oauth/token")
+                .append_header((AUTHORIZATION, client_secret))
+                .set_form(TokenRequest {
+                    grant_type: "authorization_code".to_string(),
+                    code: auth_code,
+                    redirect_uri: original_redirect_uri,
+                    client_id: serde_json::from_str(&format!("\"{}\"", client_id)).unwrap(),
+                })
+                .to_request(),
+        )
+        .await
+    }
+}
+
+pub fn generate_authorize_uri(
+    client_id: &str,
+    scope: Option<&str>,
+    redirect_uri: Option<&str>,
+    state: Option<&str>,
+) -> String {
+    format!(
+        "/v3/auth/oauth/authorize?client_id={}{}{}{}",
+        urlencoding::encode(client_id),
+        optional_query_param("redirect_uri", redirect_uri),
+        optional_query_param("scope", scope),
+        optional_query_param("state", state),
+    )
+    .to_string()
+}
+
+pub async fn get_authorize_accept_flow_id(response: ServiceResponse) -> String {
+    assert_status(&response, StatusCode::OK);
+    test::read_body_json::<OAuthClientAccessRequest, _>(response)
+        .await
+        .flow_id
+}
+
+pub async fn get_auth_code_from_redirect_params(response: &ServiceResponse) -> String {
+    assert_status(response, StatusCode::FOUND);
+    let query_params = get_redirect_location_query_params(response);
+    query_params.get("code").unwrap().to_string()
+}
+
+pub async fn get_access_token(response: ServiceResponse) -> String {
+    assert_status(&response, StatusCode::OK);
+    test::read_body_json::<TokenResponse, _>(response)
+        .await
+        .access_token
+}
+
+pub fn get_redirect_location_query_params(
+    response: &ServiceResponse,
+) -> actix_web::web::Query<HashMap<String, String>> {
+    let redirect_location = response.headers().get(LOCATION).unwrap().to_str().unwrap();
+    actix_web::web::Query::<HashMap<String, String>>::from_query(
+        redirect_location.split_once('?').unwrap().1,
+    )
+    .unwrap()
+}
+
+fn optional_query_param(key: &str, value: Option<&str>) -> String {
+    if let Some(val) = value {
+        format!("&{key}={}", urlencoding::encode(val))
+    } else {
+        "".to_string()
+    }
+}

tests/common/api_v3/oauth_clients.rs

@@ -0,0 +1,107 @@
+use actix_http::StatusCode;
+use actix_web::{
+    dev::ServiceResponse,
+    test::{self, TestRequest},
+};
+use labrinth::{
+    models::{
+        oauth_clients::{OAuthClient, OAuthClientAuthorization},
+        pats::Scopes,
+    },
+    routes::v3::oauth_clients::OAuthClientEdit,
+};
+use reqwest::header::AUTHORIZATION;
+use serde_json::json;
+
+use crate::common::asserts::assert_status;
+
+use super::ApiV3;
+
+impl ApiV3 {
+    pub async fn add_oauth_client(
+        &self,
+        name: String,
+        max_scopes: Scopes,
+        redirect_uris: Vec<String>,
+        pat: &str,
+    ) -> ServiceResponse {
+        let max_scopes = max_scopes.bits();
+        let req = TestRequest::post()
+            .uri("/v3/oauth/app")
+            .append_header((AUTHORIZATION, pat))
+            .set_json(json!({
+                "name": name,
+                "max_scopes": max_scopes,
+                "redirect_uris": redirect_uris
+            }))
+            .to_request();
+
+        self.call(req).await
+    }
+
+    pub async fn get_user_oauth_clients(&self, user_id: &str, pat: &str) -> Vec<OAuthClient> {
+        let req = TestRequest::get()
+            .uri(&format!("/v3/user/{}/oauth_apps", user_id))
+            .append_header((AUTHORIZATION, pat))
+            .to_request();
+        let resp = self.call(req).await;
+        assert_status(&resp, StatusCode::OK);
+
+        test::read_body_json(resp).await
+    }
+
+    pub async fn get_oauth_client(&self, client_id: String, pat: &str) -> ServiceResponse {
+        let req = TestRequest::get()
+            .uri(&format!("/v3/oauth/app/{}", client_id))
+            .append_header((AUTHORIZATION, pat))
+            .to_request();
+
+        self.call(req).await
+    }
+
+    pub async fn edit_oauth_client(
+        &self,
+        client_id: &str,
+        edit: OAuthClientEdit,
+        pat: &str,
+    ) -> ServiceResponse {
+        let req = TestRequest::patch()
+            .uri(&format!("/v3/oauth/app/{}", urlencoding::encode(client_id)))
+            .set_json(edit)
+            .append_header((AUTHORIZATION, pat))
+            .to_request();
+
+        self.call(req).await
+    }
+
+    pub async fn delete_oauth_client(&self, client_id: &str, pat: &str) -> ServiceResponse {
+        let req = TestRequest::delete()
+            .uri(&format!("/v3/oauth/app/{}", client_id))
+            .append_header((AUTHORIZATION, pat))
+            .to_request();
+
+        self.call(req).await
+    }
+
+    pub async fn revoke_oauth_authorization(&self, client_id: &str, pat: &str) -> ServiceResponse {
+        let req = TestRequest::delete()
+            .uri(&format!(
+                "/v3/oauth/authorizations?client_id={}",
+                urlencoding::encode(client_id)
+            ))
+            .append_header((AUTHORIZATION, pat))
+            .to_request();
+        self.call(req).await
+    }
+
+    pub async fn get_user_oauth_authorizations(&self, pat: &str) -> Vec<OAuthClientAuthorization> {
+        let req = TestRequest::get()
+            .uri("/v3/oauth/authorizations")
+            .append_header((AUTHORIZATION, pat))
+            .to_request();
+        let resp = self.call(req).await;
+        assert_status(&resp, StatusCode::OK);
+
+        test::read_body_json(resp).await
+    }
+}