From c3c395c6593e2e9bf1d288e343d889a3cdd35c15 Mon Sep 17 00:00:00 2001
From: Jonny Barnes
Date: Sat, 24 Sep 2022 19:05:45 +0100
Subject: [PATCH] Rework indieauth checking in token endpoint
We know the me value, it is our app
---
.../Controllers/TokenEndpointController.php | 20 +-------
config/app.php | 11 ++++
resources/views/master.blade.php | 2 +-
tests/Feature/TokenEndpointTest.php | 50 ++-----------------
4 files changed, 19 insertions(+), 64 deletions(-)
diff --git a/app/Http/Controllers/TokenEndpointController.php b/app/Http/Controllers/TokenEndpointController.php
index c23590a5..f0c9ea13 100644
--- a/app/Http/Controllers/TokenEndpointController.php
+++ b/app/Http/Controllers/TokenEndpointController.php
@@ -53,24 +53,9 @@ class TokenEndpointController extends Controller
*/
public function create(Request $request): JsonResponse
{
- if (empty($request->input('me'))) {
- return response()->json([
- 'error' => 'Missing {me} param from input',
- ], 400);
- }
-
- $authorizationEndpoint = $this->client::discoverAuthorizationEndpoint(normalize_url($request->input('me')));
-
- if (empty($authorizationEndpoint)) {
- return response()->json([
- 'error' => sprintf('Could not discover the authorization endpoint for %s', $request->input('me')),
- ], 400);
- }
-
$auth = $this->verifyIndieAuthCode(
- $authorizationEndpoint,
+ config('app.authorization_endpoint'),
$request->input('code'),
- $request->input('me'),
$request->input('redirect_uri'),
$request->input('client_id'),
);
@@ -100,7 +85,6 @@ class TokenEndpointController extends Controller
protected function verifyIndieAuthCode(
string $authorizationEndpoint,
string $code,
- string $me,
string $redirectUri,
string $clientId
): ?array {
@@ -111,7 +95,7 @@ class TokenEndpointController extends Controller
],
'form_params' => [
'code' => $code,
- 'me' => $me,
+ 'me' => config('app.url'),
'redirect_uri' => $redirectUri,
'client_id' => $clientId,
],
diff --git a/config/app.php b/config/app.php
index 2cd9d08a..2b9aaf01 100644
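Review bot: With the `me` guard removed, `create()` hands `$request->input('code')`, `$request->input('redirect_uri')` and `$request->input('client_id')` to parameters declared `string` without checking they were sent; a request that omits any of them passes `null`, which PHP does not coerce for a non-nullable userland parameter, so the endpoint now fails with a TypeError (a 500) where the deleted check answered 400. Keep a boundary check in the style of the one removed, before the `verifyIndieAuthCode` call: `if (empty($request->input('code')) || empty($request->input('redirect_uri')) || empty($request->input('client_id'))) {` / `return response()->json(['error' => 'Missing required parameter'], 400);` / `}`. The body of `create()` continues past this hunk, so the handling of `$auth` could not be reviewed here.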
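Review bot: Posting `config('app.url')` as `me` only tells the authorization endpoint which identity this token endpoint expects; whether a code that was issued to some other user of the same endpoint is refused when the posted `me` does not match is that endpoint's behaviour, not this code's, so the `me` it returns still has to be compared with our own URL before a token is minted. That comparison is not in this hunk, and the rest of `verifyIndieAuthCode` and its caller lie outside it; if it is absent where `$auth` is consumed, add `if (normalize_url($auth['me'] ?? '') !== normalize_url(config('app.url'))) {` / `return response()->json(['error' => 'Code was not issued for this site'], 400);` / `}`. Because the endpoint now comes from configuration instead of being discovered from our own homepage, it is also worth refusing to send the code anywhere but over TLS, e.g. `if (! str_starts_with($authorizationEndpoint, 'https://')) { return null; }` at the top of the method (PHP 8 helper; the method's opening lines are outside this hunk).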
--- a/config/app.php
+++ b/config/app.php
@@ -78,6 +78,17 @@ return [
'shorturl' => env('APP_SHORTURL', 'shorturl.local'),
+ /*
+ |--------------------------------------------------------------------------
+ | Authorization endpoint
+ |--------------------------------------------------------------------------
+ |
+ | The authorization endpoint for the application, used primarily for Micropub
+ |
+ */
+
+ 'authorization_endpoint' => env('AUTHORIZATION_ENDPOINT', 'https://indieauth.com/auth'),
+
/*
|--------------------------------------------------------------------------
| Application Display Name
diff --git a/resources/views/master.blade.php b/resources/views/master.blade.php
index 79bfc4b9..9abb1c3c 100644
--- a/resources/views/master.blade.php
+++ b/resources/views/master.blade.php
@@ -18,7 +18,7 @@
-
+
diff --git a/tests/Feature/TokenEndpointTest.php b/tests/Feature/TokenEndpointTest.php
index 6a973473..37e4dbcd 100644
--- a/tests/Feature/TokenEndpointTest.php
+++ b/tests/Feature/TokenEndpointTest.php
@@ -5,12 +5,10 @@ declare(strict_types=1);
namespace Tests\Feature;
use Exception;
-use GuzzleHttp\Client as GuzzleClient;
+use GuzzleHttp\Client;
use GuzzleHttp\Handler\MockHandler;
use GuzzleHttp\HandlerStack;
-use IndieAuth\Client as IndieAuthClient;
use JsonException;
-use Mockery;
use Tests\TestCase;
class TokenEndpointTest extends TestCase
@@ -23,11 +21,6 @@ class TokenEndpointTest extends TestCase
*/
public function tokenEndpointIssuesToken(): void
{
- $mockIndieAuthClient = Mockery::mock(IndieAuthClient::class);
- $mockIndieAuthClient->shouldReceive('discoverAuthorizationEndpoint')
- ->with(normalize_url(config('app.url')))
- ->once()
- ->andReturn('https://indieauth.com/auth');
$mockHandler = new MockHandler([
new \GuzzleHttp\Psr7\Response(200, [], json_encode([
'me' => config('app.url'),
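Review bot: The new config comment says what `authorization_endpoint` is used for but not that it is security-critical: the token endpoint forwards authorization codes to this URL and trusts its answer, so whoever controls it can obtain API tokens for this site, and the shipped default is a third-party service rather than something the operator chose. Extend the comment block with `| The token endpoint trusts this endpoint's verdict on authorization codes; whoever controls it can obtain API tokens for this site. Set AUTHORIZATION_ENDPOINT explicitly (https only) rather than relying on the default.` A deployment checklist or `.env.example` entry for `AUTHORIZATION_ENDPOINT` would make the same point where operators actually look, but that is outside this patch.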
@@ -35,9 +28,8 @@ class TokenEndpointTest extends TestCase
], JSON_THROW_ON_ERROR)),
]);
$handlerStack = HandlerStack::create($mockHandler);
- $mockGuzzleClient = new GuzzleClient(['handler' => $handlerStack]);
- $this->app->instance(IndieAuthClient::class, $mockIndieAuthClient);
- $this->app->instance(GuzzleClient::class, $mockGuzzleClient);
+ $mockGuzzleClient = new Client(['handler' => $handlerStack]);
+ $this->app->instance(Client::class, $mockGuzzleClient);
$response = $this->post('/api/token', [
'me' => config('app.url'),
'code' => 'abc123',
@@ -59,20 +51,14 @@ class TokenEndpointTest extends TestCase
*/
public function tokenEndpointReturnsErrorWhenAuthEndpointLacksMeData(): void
{
- $mockIndieAuthClient = Mockery::mock(IndieAuthClient::class);
- $mockIndieAuthClient->shouldReceive('discoverAuthorizationEndpoint')
- ->with(normalize_url(config('app.url')))
- ->once()
- ->andReturn('https://indieauth.com/auth');
$mockHandler = new MockHandler([
new \GuzzleHttp\Psr7\Response(400, [], json_encode([
'error' => 'error_message',
], JSON_THROW_ON_ERROR)),
]);
$handlerStack = HandlerStack::create($mockHandler);
- $mockGuzzleClient = new GuzzleClient(['handler' => $handlerStack]);
- $this->app->instance(IndieAuthClient::class, $mockIndieAuthClient);
- $this->app->instance(GuzzleClient::class, $mockGuzzleClient);
+ $mockGuzzleClient = new Client(['handler' => $handlerStack]);
+ $this->app->instance(Client::class, $mockGuzzleClient);
$response = $this->post('/api/token', [
'me' => config('app.url'),
'code' => 'abc123',
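Review bot: After this change the suite covers a 200 whose `me` is our own URL and a 400 from the endpoint, but nothing asserts that a 200 whose `me` names a different site is refused — and since the endpoint no longer takes anything from the request's `me`, that comparison is the only thing stopping a code issued to another user of the shared default endpoint from minting a token here. The removed `tokenEndpointReturnsErrorWhenNoAuthEndpointFound` was the only other negative case, so add one along the lines below, mirroring whatever extra keys the 200 fixture in `tokenEndpointIssuesToken` carries (they sit between the hunks and are not visible here). If the controller does not yet make that comparison, this test documents the gap rather than passing.
```php
    /**
     * @test
     *
     * @throws Exception
     */
    public function tokenEndpointRejectsCodeVerifiedForAnotherUser(): void
    {
        $mockHandler = new MockHandler([
            new \GuzzleHttp\Psr7\Response(200, [], json_encode([
                'me' => 'https://someone-else.example/',
            ], JSON_THROW_ON_ERROR)),
        ]);
        $handlerStack = HandlerStack::create($mockHandler);
        $this->app->instance(Client::class, new Client(['handler' => $handlerStack]));
        $response = $this->post('/api/token', [
            'me' => config('app.url'),
            'code' => 'abc123',
            'redirect_uri' => config('app.url') . '/indieauth-callback',
            'client_id' => config('app.url') . '/micropub-client',
            'state' => random_int(1000, 10000),
        ]);
        $response->assertStatus(400);
    }
```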
@@ -85,30 +71,4 @@ class TokenEndpointTest extends TestCase
'error' => 'There was an error verifying the IndieAuth code',
]);
}
-
- /**
- * @test
- *
- * @throws Exception
- */
- public function tokenEndpointReturnsErrorWhenNoAuthEndpointFound(): void
- {
- $mockIndieAuthClient = Mockery::mock(IndieAuthClient::class);
- $mockIndieAuthClient->shouldReceive('discoverAuthorizationEndpoint')
- ->with(normalize_url(config('app.url')))
- ->once()
- ->andReturn(null);
- $this->app->instance(IndieAuthClient::class, $mockIndieAuthClient);
- $response = $this->post('/api/token', [
- 'me' => config('app.url'),
- 'code' => 'abc123',
- 'redirect_uri' => config('app.url') . '/indieauth-callback',
- 'client_id' => config('app.url') . '/micropub-client',
- 'state' => random_int(1000, 10000),
- ]);
- $response->assertStatus(400);
- $response->assertJson([
- 'error' => 'Could not discover the authorization endpoint for ' . config('app.url'),
- ]);
- }
}