From 5282b5cabb7c72326c0cf6c81f880c1238aca97c Mon Sep 17 00:00:00 2001
From: Bastard Operator
Date: Thu, 25 Nov 2021 20:49:55 +0100
Subject: [PATCH] Tigthen permissions + implement mocks for OAuth testing

* We are testing the OAuth final step
---
 .gitignore | 1 +
 public/api/signup/mastodon/get_client.php | 2 +-
 src/action/oauth/mastodon.php | 28 ++++++++++++++++++++++-
 src/base.methods.php | 9 ++++++++
 4 files changed, 38 insertions(+), 2 deletions(-)

diff --git a/.gitignore b/.gitignore
index 522fc4d..4a9937a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 .*.swp
+*.mock
 config/config.php
diff --git a/public/api/signup/mastodon/get_client.php b/public/api/signup/mastodon/get_client.php
index 2a4d7e3..7813cf2 100644
--- a/public/api/signup/mastodon/get_client.php
+++ b/public/api/signup/mastodon/get_client.php
@@ -10,7 +10,7 @@ if ($instance === false) {
 $app_name = conf('app_name', 'RealFan');
 $site_name = conf('site_name', HOST_DEV);
 $redirect_uris = conf('site_name', HOST_DEV).'/signup/mastodon:oauth';
-$scopes = 'read write';
+$scopes = 'read:accounts write';
 # create the Authorization App
 $ch = curl_init($instance.'/api/v1/apps');
diff --git a/src/action/oauth/mastodon.php b/src/action/oauth/mastodon.php
index 9eb2594..899dc3c 100644
--- a/src/action/oauth/mastodon.php
+++ b/src/action/oauth/mastodon.php
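Review bot: `write` on the changed `$scopes` line in get_client.php is still the broadest write grant, so only the read half of the request was narrowed. If the application needs one specific kind of write access, request that granular scope instead, for example `$scopes = 'read:accounts write:statuses';` (which write access is really needed is not visible on this page). The later authorize request, which this hunk does not show, presumably has to ask for the same scopes, so both places should read the string from one shared value.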
@@ -1,11 +1,37 @@ instance.'/oauth/token');
+curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
+curl_setopt($ch, CURLOPT_POSTFIELDS, [
+ 'client_id' => $payload->result->client_id,
+ 'client_secret' => $payload->result->client_secret,
+ 'redirect_uri' => $payload->result->redirect_uri.'?id='.$ID,
+ 'grant_type' => 'authorization_code',
+ 'code' => $code
+]);
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+$auth = curl_exec($ch);
+curl_close($ch);
+
+$auth = @json_decode($output);
+}
+
+# TODO: remove mock when done
+$payload = json_decode(file_get_contents('/src/mock-payload.mock'));
+$auth = json_decode(file_get_contents('/src/mock-auth.mock'));
+
+$output = mastodon_get($payload->instance,
+ '/api/v1/accounts/verify_credentials', $auth->access_token);
+
+var_dump($output);
+echo '

';
 var_dump($payload);
-var_dump($code);
 die;
diff --git a/src/base.methods.php b/src/base.methods.php
index 918be55..34528d1 100644
--- a/src/base.methods.php
+++ b/src/base.methods.php
@@ -70,3 +70,12 @@ function resolve_instance($txt) {
 return 'https://'.$name;
 }
+function mastodon_get($instance, $path, $token) {
+ $ch = curl_init($instance.$path);
+ curl_setopt($ch, CURLOPT_HTTPHEADER, ['Authorization: Bearer '.$token]);
+ curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+ $output = curl_exec($ch);
+ curl_close($ch);
+ return @json_decode($output);
+}
+
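Review bot: In src/action/oauth/mastodon.php the token response is read into `$auth` by `curl_exec`, but the next statement decodes `$output`, which no visible line has assigned at that point, so `$auth` becomes null as soon as the mock override is removed; it should read `$auth = json_decode($auth);` followed by a check that `access_token` is present. The mock block then replaces `$payload` and `$auth` unconditionally from `/src/*.mock`, and the page prints `$output` and `$payload` with `var_dump`; `$payload->result` carries `client_secret`, so the callback response exposes the app secret and the account data to whoever loads it. Both the mock override and the dumps should sit behind a development-only switch or be removed before this is deployed. The start of this hunk is missing from the page, so the block closed by `}` and any earlier validation of `$code` could not be reviewed.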
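Review bot: `mastodon_get` in src/base.methods.php sends the bearer token to whatever `$instance.$path` resolves to and gives the caller no way to tell a failed request from an empty answer, because a false return from `curl_exec` and any non-200 response both fall through to `@json_decode`. The instance name appears to come from user input by way of `resolve_instance`, so the request should be restricted to HTTPS, given timeouts, and have its status checked before decoding. Returning null on failure keeps the current contract for callers; the timeout values below are examples.

```php
function mastodon_get($instance, $path, $token) {
    // … unchanged: curl_init, Authorization header, CURLOPT_RETURNTRANSFER …
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    $output = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($output === false || $status !== 200) {
        return null;
    }
    return json_decode($output);
}
```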