tranquil.farm / tranquil-pds
Our Personal Data Server from scratch! tranquil.farm
oauth atproto pds rust postgresql objectstorage fun
fork atom

fix: trusted device save

lewis.moe 104f3056 61a60a31

+78 -25
unified split
+76 -24
crates/tranquil-pds/src/oauth/endpoints/authorize.rs
··· 964 964 let has_totp = crate::api::server::has_totp_enabled(&state, &did).await; 965 965 let select_early_device_typed = device_id.clone(); 966 966 if has_totp { 967 - if state 968 - .oauth_repo 969 - .set_authorization_did(&select_request_id, &did, Some(&select_early_device_typed)) 970 - .await 971 - .is_err() 972 - { 973 - return json_error( 974 - StatusCode::INTERNAL_SERVER_ERROR, 975 - "server_error", 976 - "An error occurred. Please try again.", 977 - ); 967 + let device_is_trusted = 968 + crate::api::server::is_device_trusted(state.oauth_repo.as_ref(), &device_id, &did) 969 + .await; 970 + if !device_is_trusted { 971 + if state 972 + .oauth_repo 973 + .set_authorization_did( 974 + &select_request_id, 975 + &did, 976 + Some(&select_early_device_typed), 977 + ) 978 + .await 979 + .is_err() 980 + { 981 + return json_error( 982 + StatusCode::INTERNAL_SERVER_ERROR, 983 + "server_error", 984 + "An error occurred. Please try again.", 985 + ); 986 + } 987 + return Json(serde_json::json!({ 988 + "needs_totp": true 989 + })) 990 + .into_response(); 978 991 } 979 - return Json(serde_json::json!({ 980 - "needs_totp": true 981 - })) 982 - .into_response(); 992 + let _ = crate::api::server::extend_device_trust(state.oauth_repo.as_ref(), &device_id) 993 + .await; 983 994 } 984 995 if user.two_factor_enabled { 985 996 let _ = state ··· 1912 1923 "Invalid verification code. Please try again.", 1913 1924 ); 1914 1925 } 1915 - let device_id = extract_device_cookie(&headers); 1916 - if form.trust_device 1917 - && let Some(ref dev_id) = device_id 1918 - { 1919 - let _ = crate::api::server::trust_device(state.oauth_repo.as_ref(), dev_id).await; 1926 + let mut device_id = extract_device_cookie(&headers); 1927 + let mut new_cookie: Option<String> = None; 1928 + if form.trust_device { 1929 + let trust_device_id = match &device_id { 1930 + Some(existing_id) => existing_id.clone(), 1931 + None => { 1932 + let new_id = DeviceId::generate(); 1933 + let new_device_id_typed = DeviceIdType::new(new_id.0.clone()); 1934 + let device_data = DeviceData { 1935 + session_id: SessionId::generate(), 1936 + user_agent: extract_user_agent(&headers), 1937 + ip_address: extract_client_ip(&headers, None), 1938 + last_seen_at: Utc::now(), 1939 + }; 1940 + if state 1941 + .oauth_repo 1942 + .create_device(&new_device_id_typed, &device_data) 1943 + .await 1944 + .is_ok() 1945 + { 1946 + new_cookie = Some(make_device_cookie(&new_device_id_typed)); 1947 + device_id = Some(new_device_id_typed.clone()); 1948 + } 1949 + new_device_id_typed 1950 + } 1951 + }; 1952 + let _ = state 1953 + .oauth_repo 1954 + .upsert_account_device(&did, &trust_device_id) 1955 + .await; 1956 + let _ = crate::api::server::trust_device(state.oauth_repo.as_ref(), &trust_device_id) 1957 + .await; 1920 1958 } 1921 1959 let requested_scope_str = request_data 1922 1960 .parameters ··· 1941 1979 "/app/oauth/consent?request_uri={}", 1942 1980 url_encode(&form.request_uri) 1943 1981 ); 1982 + if let Some(cookie) = new_cookie { 1983 + return ( 1984 + StatusCode::OK, 1985 + [(SET_COOKIE, cookie)], 1986 + Json(serde_json::json!({"redirect_uri": consent_url})), 1987 + ) 1988 + .into_response(); 1989 + } 1944 1990 return Json(serde_json::json!({"redirect_uri": consent_url})).into_response(); 1945 1991 } 1946 1992 let code = Code::generate(); ··· 1969 2015 request_data.parameters.state.as_deref(), 1970 2016 request_data.parameters.response_mode.map(|m| m.as_str()), 1971 2017 ); 1972 - Json(serde_json::json!({ 1973 - "redirect_uri": redirect_url 1974 - })) 1975 - .into_response() 2018 + if let Some(cookie) = new_cookie { 2019 + ( 2020 + StatusCode::OK, 2021 + [(SET_COOKIE, cookie)], 2022 + Json(serde_json::json!({"redirect_uri": redirect_url})), 2023 + ) 2024 + .into_response() 2025 + } else { 2026 + Json(serde_json::json!({"redirect_uri": redirect_url})).into_response() 2027 + } 1976 2028 } 1977 2029 1978 2030 #[derive(Debug, Deserialize)]
+2 -1
frontend/src/routes/OAuthLogin.svelte
··· 1 1 <script lang="ts"> 2 2 import { navigate, routes, getFullUrl } from '../lib/router.svelte' 3 3 import { _ } from '../lib/i18n' 4 - import { startOAuthLogin } from '../lib/oauth' 4 + import { startOAuthLogin, ensureRequestUri } from '../lib/oauth' 5 5 import { 6 6 prepareRequestOptions, 7 7 serializeAssertionResponse, ··· 57 57 }) 58 58 59 59 $effect(() => { 60 + ensureRequestUri('').catch(() => {}) 60 61 fetchAuthRequestInfo() 61 62 fetchSsoProviders() 62 63 })