tykayn
/
mastodon
mirror of https://framagit.org/tykayn/mastodon.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Add REST API for creating an account 

The method is available to apps with a token obtained via the client
credentials grant. It creates a user and account records, as well as
an access token for the app that initiated the request. The user is
unconfirmed, and an e-mail is sent as usual.

The method returns the access token, which the app should save for
later. The REST API is not available to users with unconfirmed
accounts, so the app must be smart to wait for the user to click a
link in their e-mail inbox.

The method is rate-limited by IP to 5 requests per 30 minutes.
This commit is contained in:
Eugen Rochko 2018-12-19 06:50:16 +01:00
parent 102e4cfa32
commit 05ef749a0f
6 changed files with 88 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/controllers/api/base_controller.rb
View File

@ -68,7 +68,7 @@ class Api::BaseController < ApplicationController
end
def require_user!
if current_user && !current_user.disabled?
if current_user && !current_user.disabled? && current_user.confirmed?
set_user_activity
elsif current_user
render json: { error: 'Your login is currently disabled' }, status: 403

21
app/controllers/api/v1/accounts_controller.rb
View File

@ -1,13 +1,14 @@
# frozen_string_literal: true
class Api::V1::AccountsController < Api::BaseController
before_action -> { authorize_if_got_token! :read, :'read:accounts' }, except: [:follow, :unfollow, :block, :unblock, :mute, :unmute]
before_action -> { authorize_if_got_token! :read, :'read:accounts' }, except: [:create, :follow, :unfollow, :block, :unblock, :mute, :unmute]
before_action -> { doorkeeper_authorize! :follow, :'write:follows' }, only: [:follow, :unfollow]
before_action -> { doorkeeper_authorize! :follow, :'write:mutes' }, only: [:mute, :unmute]
before_action -> { doorkeeper_authorize! :follow, :'write:blocks' }, only: [:block, :unblock]
before_action -> { doorkeeper_authorize! }, only: [:create]
before_action :require_user!, except: [:show]
before_action :set_account
before_action :require_user!, except: [:show, :create]
before_action :set_account, except: [:create]
before_action :check_account_suspension, only: [:show]
respond_to :json
@ -16,6 +17,16 @@ class Api::V1::AccountsController < Api::BaseController
render json: @account, serializer: REST::AccountSerializer
end
def create
token = AppSignUpService.new.call(doorkeeper_token.application, account_params)
response = Doorkeeper::OAuth::TokenResponse.new(token)
headers.merge!(response.headers)
self.response_body = Oj.dump(response.body)
self.status = response.status
end
def follow
FollowService.new.call(current_user.account, @account, reblogs: truthy_param?(:reblogs))
@ -62,4 +73,8 @@ class Api::V1::AccountsController < Api::BaseController
def check_account_suspension
gone if @account.suspended?
end
def account_params
params.permit(:username, :email, :password)
end
end

23
app/services/app_sign_up_service.rb Normal file
View File

@ -0,0 +1,23 @@
# frozen_string_literal: true
class AppSignUpService < BaseService
def call(app, params)
return unless allowed_registrations?
user_params = params.slice(:email, :password)
account_params = params.slice(:username)
user = User.create!(user_params.merge(password_confirmation: user_params[:password], account_attributes: account_params))
Doorkeeper::AccessToken.create!(application: app,
resource_owner_id: user.id,
scopes: app.scopes,
expires_in: Doorkeeper.configuration.access_token_expires_in,
use_refresh_token: Doorkeeper.configuration.refresh_token_enabled?)
end
private
def allowed_registrations?
Setting.open_registrations && !Rails.configuration.x.single_user_mode
end
end

4
config/initializers/rack_attack.rb
View File

@ -57,6 +57,10 @@ class Rack::Attack
req.authenticated_user_id if req.post? && req.path.start_with?('/api/v1/media')
end
throttle('throttle_api_sign_up', limit: 5, period: 30.minutes) do |req|
req.ip if req.post? && req.path == '/api/v1/accounts'
end
throttle('protected_paths', limit: 25, period: 5.minutes) do |req|
req.ip if req.post? && req.path =~ PROTECTED_PATHS_REGEX
end

2
config/routes.rb
View File

@ -328,7 +328,7 @@ Rails.application.routes.draw do
resources :relationships, only: :index
end
resources :accounts, only: [:show] do
resources :accounts, only: [:create, :show] do
resources :statuses, only: :index, controller: 'accounts/statuses'
resources :followers, only: :index, controller: 'accounts/follower_accounts'
resources :following, only: :index, controller: 'accounts/following_accounts'

41
spec/services/app_sign_up_service_spec.rb Normal file
View File

@ -0,0 +1,41 @@
require 'rails_helper'
RSpec.describe AppSignUpService, type: :service do
let(:app) { Fabricate(:application, scopes: 'read write') }
let(:good_params) { { username: 'alice', password: '12345678', email: 'good@email.com' } }
subject { described_class.new }
describe '#call' do
it 'returns nil when registrations are closed' do
Setting.open_registrations = false
expect(subject.call(app, good_params)).to be_nil
end
it 'raises an error when params are missing' do
expect { subject.call(app, {}) }.to raise_error ActiveRecord::RecordInvalid
end
it 'creates an unconfirmed user with access token' do
access_token = subject.call(app, good_params)
expect(access_token).to_not be_nil
user = User.find_by(id: access_token.resource_owner_id)
expect(user).to_not be_nil
expect(user.confirmed?).to be false
end
it 'creates access token with the app\'s scopes' do
access_token = subject.call(app, good_params)
expect(access_token).to_not be_nil
expect(access_token.scopes.to_s).to eq 'read write'
end
it 'creates an account' do
access_token = subject.call(app, good_params)
expect(access_token).to_not be_nil
user = User.find_by(id: access_token.resource_owner_id)
expect(user).to_not be_nil
expect(user.account).to_not be_nil
end
end
end