Compare commits

..

No commits in common. "44f8a72a76fd8f0f5634c667d6c6ebb34e965fe2" and "baa1176144b131feefbd998f2b5c4435b8662f71" have entirely different histories.

15 changed files with 230 additions and 70 deletions

View File

@ -38,4 +38,5 @@ post_formats=PlainText:text/plain,HTML:text/html,Markdown:text/markdown,BBCode:t
# single_instance=pl.mydomain.com
# Path to custom CSS. Value can be a file path relative to the static directory.
# or a URL starting with either "http://" or "https://".
# custom_css=custom.css

View File

@ -8,6 +8,7 @@ import (
"net/http"
"os"
"path/filepath"
"strings"
"bloat/config"
"bloat/renderer"
@ -46,8 +47,14 @@ func main() {
errExit(err)
}
customCSS := config.CustomCSS
if len(customCSS) > 0 && !strings.HasPrefix(customCSS, "http://") &&
!strings.HasPrefix(customCSS, "https://") {
customCSS = "/static/" + customCSS
}
s := service.NewService(config.ClientName, config.ClientScope,
config.ClientWebsite, config.CustomCSS, config.SingleInstance,
config.ClientWebsite, customCSS, config.SingleInstance,
config.PostFormats, renderer)
handler := service.NewHandler(s, *verbose, config.StaticDirectory)

View File

@ -92,3 +92,50 @@ func RegisterApp(ctx context.Context, appConfig *AppConfig) (*Application, error
return &app, nil
}
type AppAuth struct {
http.Client
}
// RegisterApp make auth application and return app token.
func AuthApp(ctx context.Context, appConfig *Application, instance string) (*string, error) {
var appAuth AppAuth
params := url.Values{}
params.Set("client_id", appConfig.ClientID)
params.Set("client_secret", appConfig.ClientSecret)
params.Set("redirect_uris", "urn:ietf:wg:oauth:2.0:oob")
params.Set("grant_type", "client_credentials")
params.Set("scope", "read write follow")
u, err := url.Parse("https://" + instance)
if err != nil {
return nil, err
}
u.Path = path.Join(u.Path, "/oauth/token")
req, err := http.NewRequest(http.MethodPost, u.String(), strings.NewReader(params.Encode()))
if err != nil {
return nil, err
}
req = req.WithContext(ctx)
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
resp, err := appAuth.Do(req)
if err != nil {
return nil, err
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
return nil, parseAPIError("bad request", resp)
}
var res struct {
AccessToken string `json:"access_token"`
}
err = json.NewDecoder(resp.Body).Decode(&res)
if err != nil {
return nil, err
}
return &res.AccessToken, nil
}

View File

@ -1,6 +1,7 @@
package model
type Session struct {
ID string `json:"id,omitempty"`
UserID string `json:"uid,omitempty"`
Instance string `json:"ins,omitempty"`
ClientID string `json:"cid,omitempty"`
@ -29,7 +30,6 @@ type Settings struct {
InstanceEmojiFilter string `json:"iemojfilter,omitempty"`
AddReactionsFilter string `json:"reactionfilter,omitempty"`
CSS string `json:"css,omitempty"`
CSSHash string `json:"cssh,omitempty"`
}
func NewSettings() *Settings {
@ -48,6 +48,5 @@ func NewSettings() *Settings {
InstanceEmojiFilter: "",
AddReactionsFilter: "",
CSS: "",
CSSHash: "",
}
}

View File

@ -34,8 +34,6 @@ func (c *client) setSession(sess *model.Session) error {
}
http.SetCookie(c.w, &http.Cookie{
Name: "session",
Path: "/",
HttpOnly: true,
Value: sb.String(),
Expires: time.Now().Add(365 * 24 * time.Hour),
})
@ -55,7 +53,6 @@ func (c *client) getSession() (sess *model.Session, err error) {
func (c *client) unsetSession() {
http.SetCookie(c.w, &http.Cookie{
Name: "session",
Path: "/",
Value: "",
Expires: time.Now(),
})

View File

@ -1,8 +1,6 @@
package service
import (
"crypto/sha256"
"encoding/base64"
"errors"
"fmt"
"mime/multipart"
@ -938,6 +936,10 @@ func (s *service) NewSession(c *client, instance string) (rurl string, sess *mod
instanceURL = "https://" + instance
}
sid, err := util.NewSessionID()
if err != nil {
return
}
csrf, err := util.NewCSRFToken()
if err != nil {
return
@ -953,14 +955,28 @@ func (s *service) NewSession(c *client, instance string) (rurl string, sess *mod
if err != nil {
return
}
rurl = app.AuthURI
sess = &model.Session{
ID: sid,
Instance: instance,
ClientID: app.ClientID,
ClientSecret: app.ClientSecret,
CSRFToken: csrf,
Settings: *model.NewSettings(),
}
u, err := url.Parse("/oauth/authorize")
if err != nil {
return
}
q := make(url.Values)
q.Set("scope", "read write follow")
q.Set("client_id", app.ClientID)
q.Set("response_type", "code")
q.Set("redirect_uri", s.cwebsite+"/oauth_callback")
u.RawQuery = q.Encode()
rurl = instanceURL + u.String()
return
}
@ -982,6 +998,71 @@ func (s *service) Signin(c *client, code string) (err error) {
return c.setSession(c.s)
}
func (s *service) NewSessionRegister(c *client, instance string, reason string, username string, email string, password string, agreement bool, locale string, registerCredintals mastodon.RegisterCredintals) (rurl string, sess *model.Session, err error) {
var instanceURL string
if strings.HasPrefix(instance, "https://") {
instanceURL = instance
instance = strings.TrimPrefix(instance, "https://")
} else {
instanceURL = "https://" + instance
}
sid, err := util.NewSessionID()
if err != nil {
return
}
csrf, err := util.NewCSRFToken()
if err != nil {
return
}
app, err := mastodon.RegisterApp(c.ctx, &mastodon.AppConfig{
Server: instanceURL,
ClientName: s.cname,
Scopes: s.cscope,
Website: s.cwebsite,
RedirectURIs: s.cwebsite + "/oauth_callback",
})
if err != nil {
return
}
registerCredintals.App = app
bearer, err := mastodon.AuthApp(c.ctx, app, instance)
if err != nil {
return
}
token, err := mastodon.RegisterAccount(c.ctx, instance, reason, username, email, password, agreement, locale, registerCredintals, *bearer)
if err != nil {
return
}
sess = &model.Session{
ID: sid,
Instance: instance,
UserID: "1",
ClientID: app.ClientID,
ClientSecret: app.ClientSecret,
AccessToken: *token,
CSRFToken: csrf,
Settings: *model.NewSettings(),
}
u, err := url.Parse("/oauth/authorize")
if err != nil {
return
}
q := make(url.Values)
q.Set("scope", "read write follow")
q.Set("client_id", app.ClientID)
q.Set("response_type", "code")
q.Set("redirect_uri", s.cwebsite+"/oauth_callback")
u.RawQuery = q.Encode()
rurl = instanceURL + u.String()
return
}
func (s *service) Signout(c *client) (err error) {
return c.RevokeToken(c.ctx)
}
@ -1132,19 +1213,9 @@ func (s *service) SaveSettings(c *client, settings *model.Settings) (err error)
default:
return errInvalidArgument
}
if len(settings.CSS) > 0 {
if len(settings.CSS) > 1<<20 {
return errInvalidArgument
}
// For some reason, browsers convert CRLF to LF before calculating
// the hash of the inline resources.
settings.CSS = strings.Replace(settings.CSS, "\x0d\x0a", "\x0a", -1)
h := sha256.Sum256([]byte(settings.CSS))
settings.CSSHash = base64.StdEncoding.EncodeToString(h[:])
} else {
settings.CSSHash = ""
}
c.s.Settings = *settings
return c.setSession(c.s)
}

View File

@ -26,15 +26,6 @@ const (
CSRF
)
const csp = "default-src 'none';" +
" img-src *;" +
" media-src *;" +
" font-src *;" +
" child-src *;" +
" connect-src 'self';" +
" script-src 'self';" +
" style-src 'self'"
func NewHandler(s *service, verbose bool, staticDir string) http.Handler {
r := mux.NewRouter()
@ -67,14 +58,14 @@ func NewHandler(s *service, verbose bool, staticDir string) http.Handler {
}(time.Now())
}
h := c.w.Header()
var ct string
switch rt {
case HTML:
h.Set("Content-Type", "text/html; charset=utf-8")
h.Set("Content-Security-Policy", csp)
ct = "text/html; charset=utf-8"
case JSON:
h.Set("Content-Type", "application/json")
ct = "application/json"
}
c.w.Header().Add("Content-Type", ct)
err = c.authenticate(at, s.instance)
if err != nil {
@ -82,13 +73,6 @@ func NewHandler(s *service, verbose bool, staticDir string) http.Handler {
return
}
// Override the CSP header to allow custom CSS
if rt == HTML && len(c.s.Settings.CSS) > 0 &&
len(c.s.Settings.CSSHash) > 0 {
v := fmt.Sprintf("%s 'sha256-%s'", csp, c.s.Settings.CSSHash)
h.Set("Content-Security-Policy", v)
}
err = f(c)
if err != nil {
writeError(c, err, rt, req.Method == http.MethodGet)
@ -293,6 +277,32 @@ func NewHandler(s *service, verbose bool, staticDir string) http.Handler {
return nil
}, NOAUTH, HTML)
signup := handle(func(c *client) error {
instance := c.r.FormValue("instanceup")
reason := c.r.FormValue("reason")
username := c.r.FormValue("username")
email := c.r.FormValue("email")
password := c.r.FormValue("password")
agreement := c.r.FormValue("agreement") == "true"
locale := c.r.FormValue("locale")
url, sess, err := s.NewSessionRegister(c, instance, reason, username, email, password, agreement, locale, mastodon.RegisterCredintals{
Server: "https://"+instance,
Reason: reason,
Username: username,
Email: email,
Password: password,
Agreement: agreement,
Locale: locale,
})
if err != nil {
return err
}
c.setSession(sess)
url = "/confirmation"
c.redirect(url)
return nil
}, NOAUTH, HTML)
oauthCallback := handle(func(c *client) error {
q := c.r.URL.Query()
token := q.Get("code")
@ -830,6 +840,7 @@ func NewHandler(s *service, verbose bool, staticDir string) http.Handler {
r.HandleFunc("/profile/delavatar", profileDelAvatar).Methods(http.MethodPost)
r.HandleFunc("/profile/delbanner", profileDelBanner).Methods(http.MethodPost)
r.HandleFunc("/signin", signin).Methods(http.MethodPost)
r.HandleFunc("/signup", signup).Methods(http.MethodPost)
r.HandleFunc("/oauth_callback", oauthCallback).Methods(http.MethodGet)
r.HandleFunc("/post", post).Methods(http.MethodPost)
r.HandleFunc("/like/{id}", like).Methods(http.MethodPost)

View File

@ -326,7 +326,7 @@ document.addEventListener("DOMContentLoaded", function() {
links[j].target = "_blank";
}
var links = document.querySelectorAll(".status-media-container .img-link, .user-profile-img-container .img-link");
var links = document.querySelectorAll(".status-media-container .img-link");
for (var j = 0; j < links.length; j++) {
handleImgPreview(links[j]);
}

View File

@ -123,17 +123,8 @@ frame, body {
display: inline-block;
}
.pleroma-reactions #emoj {
display: inline-block;
}
.pleroma-reactions form {
display: block;
}
.scrollable-emoji {
max-height: 240px;
overflow: scroll;
display: inline-block;
}
.status-action a {
@ -642,7 +633,6 @@ kbd {
.profile-banner {
width: 100%;
max-height: 500px;
}
.block-label,

View File

@ -20,7 +20,7 @@
<title> {{if gt .Count 0}}({{.Count}}){{end}} {{.Title}} </title>
<link rel="stylesheet" href="/static/style.css">
{{if .CustomCSS}}
<link rel="stylesheet" href="/static/{{.CustomCSS}}">
<link rel="stylesheet" href="{{.CustomCSS}}">
{{end}}
{{if $.Ctx.FluorideMode}}
<script src="/static/fluoride.js"></script>

View File

@ -3,26 +3,24 @@
<div class="page-title"> Reactions </div>
{{$st_id := .ID}}
<div class="page-title"> Add reaction </div>
<div class="scrollable-emoji">
<div class="scrollable-emoji" style="overflow-y: scroll; height:200px;">
<div class="pleroma-reactions">
<form action="/react-with/{{$st_id}}" method="post" target="_self" title="Custom akkoma reactions (ex. :blobemoji:)">
<input type="hidden" name="csrf_token" value="{{$.Ctx.CSRFToken}}">
<input type="hidden" name="referrer" value="{{$.Ctx.Referrer}}">
<input type="text" placeholder=":blobfoxexample: or 🤗" id="akkoma-reaction" cols=30 name="akkoma-reaction" autofocus autocomplete="on">
<input type="submit" value="Send custom reaction" class="pleroma-emoji">
<a href="/emojis">emoji list</a>
</form>
{{$emoji_filter := $.Ctx.AddReactionsFilter}}
{{range $shortcode, $code := .ReactionEmojis}}
{{if Allowed_emoji_page $shortcode $emoji_filter}}
<form action="/react-with/{{$st_id}}?emoji={{$code}}" method="post" target="_self" >
<form action="/react-with/{{$st_id}}?emoji={{$code}}" method="post" target="_self" title="{{$shortcode}}">
<input type="hidden" name="csrf_token" value="{{$.Ctx.CSRFToken}}">
<input type="hidden" name="referrer" value="{{$.Ctx.Referrer}}">
<input type="submit" value="{{$code}}" class="pleroma-emoji">
{{$shortcode}}
</form>
{{end}}
{{end}}
<form action="/react-with/{{$st_id}}" method="post" target="_self" title="Custom akkoma reactions (ex. :blobemoji:)">
<input type="hidden" name="csrf_token" value="{{$.Ctx.CSRFToken}}">
<input type="hidden" name="referrer" value="{{$.Ctx.Referrer}}">
<input type="text" label="ex. :pleromaemoji:" id="akkoma-reaction" cols=30 name="akkoma-reaction">
<input type="submit" value="Send custom reaction" class="pleroma-emoji">
</form>
</div>
</div>

View File

@ -13,12 +13,47 @@
<button type="submit"> Signin </button>
</form>
<details>
<summary>Sign up</summary>
<p>
<form class="signup-form" action="/signup" method="post">
Enter the domain name of your instance to continue
<br/>
<input type="text" name="instanceup" placeholder="example.com" required>
<br/>
Enter the reason why you want register
<br/>
<textarea type="text" name="reason" cols="80" rows="3" required></textarea>
<br/>
The desired username for the account
<br/>
<input type="text" name="username" placeholder="exampleusernick" required>
<br/>
The email address to be used for login
<br/>
<input type="text" name="email" placeholder="example@example.com" required>
<br/>
The password to be used for login (Please use strong password!)
<br/>
<input type="password" name="password" required>
<br/>
You agrees to the terms, conditions, and policies of the instance
<br/>
<input type="checkbox" value="true" name="agreement" required>
<input type="hidden" name="locale" value="en">
<br/>
<button type="submit"> Signup </button>
</form>
</p>
</details>
<p>
See
<a href="https://git.freesoftwareextremist.com/bloat" target="_blank">git.freesoftwareextremist.com/bloat</a>
for more details.
<br/>
<a href="https://git.phreedom.club/localhost_frssoft/bloat/src/branch/localhost_custom" target="_blank">localhost_custom fork branch</a>
<a href="https://gitea.phreedom.club/localhost_frssoft/bloat/src/branch/bloat-gts" target="_blank">bloat-gts fork branch</a>
</P>
{{template "footer.tmpl"}}

View File

@ -121,7 +121,7 @@
<div class="pleroma-reactions">
{{range .Pleroma.Reactions}}
{{$react := "react"}} {{if .Me}} {{$react = "unreact"}} {{end}}
<form id="emoj" action="/{{$react}}-with/{{$st_id}}?emoji={{.Name}}" method="post" target="_self">
<form action="/{{$react}}-with/{{$st_id}}?emoji={{.Name}}" method="post" target="_self">
<input type="hidden" name="csrf_token" value="{{$.Ctx.CSRFToken}}">
<input type="hidden" name="referrer" value="{{$.Ctx.Referrer}}">
{{if .Url}}

View File

@ -135,7 +135,7 @@
<summary>Banner</summary>
<div class="user-profile-img-container">
<a class="img-link" href="{{.User.Header}}" target="_blank">
<img class="profile-banner" src="{{.User.Header}}" alt="profile-header" loading="lazy" />
<img class="profile-banner" src="{{.User.Header}}" alt="profile-header" height="500" loading="lazy" />
</a>
</div>
</details>

View File

@ -16,6 +16,10 @@ func NewRandID(n int) (string, error) {
return enc.EncodeToString(data), nil
}
func NewSessionID() (string, error) {
return NewRandID(24)
}
func NewCSRFToken() (string, error) {
return NewRandID(24)
}