OAuth2 authorize bot flow

assets/preload-plugins/oauth2.js

@@ -0,0 +1,9 @@
+// Fixes /oauth2 endpoints not requesting a CSS file
+
+if (location.pathname.startsWith("/oauth2/")) {
+	const link = document.createElement("link");
+	link.rel = "stylesheet"
+	link.type = "text/css"
+	link.href = "/assets/40532.f7b1e10347ef10e790ac.css"
+	document.head.appendChild(link)
+}

src/api/routes/oauth2/authorize.ts

@@ -0,0 +1,146 @@
+import { Router, Request, Response } from "express";
+import { route } from "@fosscord/api";
+import { ApiError, Application, ApplicationAuthorizeSchema, getPermission, DiscordApiErrors, Member, Permissions, User, getRights, Rights, MemberPrivateProjection } from "@fosscord/util";
+const router = Router();
+
+// TODO: scopes, other oauth types
+
+router.get("/", route({}), async (req: Request, res: Response) => {
+	const {
+		client_id,
+		scope,
+		response_type,
+		redirect_url,
+	} = req.query;
+
+	const app = await Application.findOne({
+		where: {
+			id: client_id as string,
+		},
+		relations: ["bot"],
+	});
+
+	// TODO: use DiscordApiErrors
+	// findOneOrFail throws code 404
+	if (!app) throw DiscordApiErrors.UNKNOWN_APPLICATION;
+	if (!app.bot) throw DiscordApiErrors.OAUTH2_APPLICATION_BOT_ABSENT;
+
+	const bot = app.bot;
+	delete app.bot;
+
+	const user = await User.findOneOrFail({
+		where: {
+			id: req.user_id,
+			bot: false,
+		},
+		select: ["id", "username", "avatar", "discriminator", "public_flags"]
+	});
+
+	const guilds = await Member.find({
+		where: {
+			user: {
+				id: req.user_id,
+			},
+		},
+		relations: ["guild", "roles"],
+		//@ts-ignore
+		select: ["guild.id", "guild.name", "guild.icon", "guild.mfa_level", "guild.owner_id", "roles.id"]
+	});
+
+	const guildsWithPermissions = guilds.map(x => {
+		const perms = x.guild.owner_id === user.id
+			? new Permissions(Permissions.FLAGS.ADMINISTRATOR)
+			: Permissions.finalPermission({
+				user: {
+					id: user.id,
+					roles: x.roles?.map(x => x.id) || [],
+				},
+				guild: {
+					roles: x?.roles || [],
+				}
+			});
+
+		return {
+			id: x.guild.id,
+			name: x.guild.name,
+			icon: x.guild.icon,
+			mfa_level: x.guild.mfa_level,
+			permissions: perms.bitfield.toString(),
+		};
+	});
+
+	return res.json({
+		guilds: guildsWithPermissions,
+		user: {
+			id: user.id,
+			username: user.username,
+			avatar: user.avatar,
+			avatar_decoration: null,	// TODO
+			discriminator: user.discriminator,
+			public_flags: user.public_flags,
+		},
+		application: {
+			id: app.id,
+			name: app.name,
+			icon: app.icon,
+			description: app.description,
+			summary: app.summary,
+			type: app.type,
+			hook: app.hook,
+			guild_id: null,	// TODO support guilds
+			bot_public: app.bot_public,
+			bot_require_code_grant: app.bot_require_code_grant,
+			verify_key: app.verify_key,
+			flags: app.flags,
+		},
+		bot: {
+			id: bot.id,
+			username: bot.username,
+			avatar: bot.avatar,
+			avatar_decoration: null,	// TODO
+			discriminator: bot.discriminator,
+			public_flags: bot.public_flags,
+			bot: true,
+			approximated_guild_count: 0,	// TODO
+		},
+		authorized: false,
+	});
+});
+
+router.post("/", route({ body: "ApplicationAuthorizeSchema" }), async (req: Request, res: Response) => {
+	const body = req.body as ApplicationAuthorizeSchema;
+	const {
+		client_id,
+		scope,
+		response_type,
+		redirect_url
+	} = req.query;
+
+	// TODO: captcha verification
+	// TODO: MFA verification
+
+	const perms = await getPermission(req.user_id, body.guild_id, undefined, { member_relations: ["user"] });
+	// getPermission cache won't exist if we're owner
+	if (Object.keys(perms.cache || {}).length > 0 && perms.cache.member!.user.bot) throw DiscordApiErrors.UNAUTHORIZED;
+	perms.hasThrow("MANAGE_GUILD");
+
+	const app = await Application.findOne({
+		where: {
+			id: client_id as string,
+		},
+		relations: ["bot"],
+	});
+
+	// TODO: use DiscordApiErrors
+	// findOneOrFail throws code 404
+	if (!app) throw new ApiError("Unknown Application", 10002, 404);
+	if (!app.bot) throw new ApiError("OAuth2 application does not have a bot", 50010, 400);
+
+	await Member.addToGuild(app.id, body.guild_id);
+
+	return res.json({
+		location: "/oauth2/authorized",	// redirect URL
+	});
+});
+
+export default router;

src/util/schemas/ApplicationAuthorizeSchema.ts

@@ -0,0 +1,7 @@
+export interface ApplicationAuthorizeSchema {
+	authorize: boolean;
+	guild_id: string;
+	permissions: string;
+	captcha_key?: string;
+	code?: string;	// 2fa code
+}

src/util/schemas/index.ts

@@ -58,4 +58,5 @@ export * from "./ChannelReorderSchema";
 export * from "./UserSettingsSchema";
 export * from "./BotModifySchema";
 export * from "./ApplicationModifySchema";
-export * from "./ApplicationCreateSchema";
+export * from "./ApplicationCreateSchema";
+export * from "./ApplicationAuthorizeSchema";