branch: elpa/mastodon commit c7bf5fec29cd0bc4fc6f5690a6d5b129b2341997 Author: marty hiatt <martianhia...@disroot.org> Commit: marty hiatt <martianhia...@disroot.org>
encrypt client secrets in plstore. remove mastodon-auth-encrypt-access-token. #669 --- lisp/mastodon-auth.el | 27 +++++++---------- lisp/mastodon-client.el | 77 +++++++++++++++++++++++++++---------------------- 2 files changed, 52 insertions(+), 52 deletions(-) diff --git a/lisp/mastodon-auth.el b/lisp/mastodon-auth.el index 3af992768a..3c8cff6e7c 100644 --- a/lisp/mastodon-auth.el +++ b/lisp/mastodon-auth.el @@ -47,6 +47,7 @@ (autoload 'mastodon-http--get-json "mastodon-http") (autoload 'mastodon-http--post "mastodon-http") (autoload 'mastodon-return-credential-account "mastodon") +(autoload 'mastodon-client--general-read "mastodon-client") (defvar mastodon-instance-url) (defvar mastodon-client-scopes) @@ -72,17 +73,6 @@ again, as auth-source.el only provides unreliable tools for updating entries." :type 'boolean) -;; FIXME: remove this! either we auth-source encrypt or plstore encrypt. -;; the only unencrypted shall be people who don't update. -;; but fetching from plstore is agnostic, so we don't need to sweat it. -(defcustom mastodon-auth-encrypt-access-token t - "Whether to encrypt the user's authentication token in the plstore. -If you set this to non-nil, you also likely need to set -`plstore-encrypt-to' to your GPG key ID for decryption. -If you change the value of this variable, call -`mastodon-forget-all-logins' and log in again." - :type 'boolean) - (defvar mastodon-auth-source-file nil "This variable is obsolete. This variable currently serves no purpose and will be removed in 
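Review bot: Deleting `mastodon-auth-encrypt-access-token` removes the only docstring that told users they likely need `plstore-encrypt-to` set to their GPG key and that switching encryption mode requires `mastodon-forget-all-logins` plus a fresh login; with plstore encryption now unconditional that guidance is needed more, not less. A plain removal also leaves `(setq mastodon-auth-encrypt-access-token nil)` in user init files silently doing nothing, so prefer `(make-obsolete-variable 'mastodon-auth-encrypt-access-token "secrets are now always encrypted in the plstore" "<next version>")` next to the other obsolete variable declarations. Users whose existing plstore entries were written with the old `nil` setting keep plaintext `:client_secret`/`:access_token` on disk until they log in again; that migration step and the `plstore-encrypt-to` requirement belong in the README or NEWS, for example in the docstring of `mastodon-auth-use-auth-source`.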
@@ -111,12 +101,15 @@ We apologize for the inconvenience. (defun mastodon-auth--get-browser-login-url () "Return properly formed browser login url." - (mastodon-http--concat-params-to-url - (concat mastodon-instance-url "/oauth/authorize/") - `(("response_type" . "code") - ("redirect_uri" . ,mastodon-client-redirect-uri) - ("scope" . ,mastodon-client-scopes) - ("client_id" . ,(plist-get (mastodon-client) :client_id))))) + (let ((client-id (plist-get (mastodon-client) :client_id))) + (if (not client-id) + (error "Failed to set up client id") + (mastodon-http--concat-params-to-url + (concat mastodon-instance-url "/oauth/authorize/") + `(("response_type" . "code") + ("redirect_uri" . ,mastodon-client-redirect-uri) + ("scope" . ,mastodon-client-scopes) + ("client_id" . ,client-id)))))) (defvar mastodon-auth--explanation (format diff --git a/lisp/mastodon-client.el b/lisp/mastodon-client.el index a19cd3a2f8..d6f1b6cde8 100644 --- a/lisp/mastodon-client.el +++ b/lisp/mastodon-client.el @@ -37,7 +37,6 @@ (defvar mastodon-instance-url) (defvar mastodon-active-user) (defvar mastodon-auth-use-auth-source) -(defvar mastodon-auth-encrypt-access-token) (autoload 'mastodon-http--api "mastodon-http") (autoload 'mastodon-http--post "mastodon-http") 
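Review bot: The new `(error "Failed to set up client id")` in `mastodon-auth--get-browser-login-url` tells the user nothing about why `:client_id` is missing; include the instance, e.g. `(error "Failed to set up client id for %s" mastodon-instance-url)`. Note that after this commit `mastodon-client--store` returns the plist with `:client_id`/`:client_secret` already removed by its `cl-remf` loop, so if `mastodon-client` hands that return value straight back on a first login (its body is not visible here) this error would fire on every fresh setup rather than only on a failed registration. As a matter of style the whole body need not sit inside `if`/`not`: `(unless client-id (error ...))` as a guard, or `(or client-id (error ...))` in the binding, and then the unconditional URL construction reads more directly.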
@@ -92,20 +91,28 @@ (defun mastodon-client--store () "Store client_id and client_secret in `mastodon-client--token-file'. - Make `mastodon-client--fetch' call to determine client values." - (let ((plstore (plstore-open (mastodon-client--token-file))) - (client (mastodon-client--fetch)) - ;; alexgriffith reported seeing ellipses in the saved output - ;; which indicate some output truncating. Nothing in `plstore-save' - ;; seems to ensure this cannot happen so let's do that ourselves: - (print-length nil) - (print-level nil)) + (let* ((plstore (plstore-open (mastodon-client--token-file))) + (client (mastodon-client--fetch)) + (secrets `( :client_id ,(plist-get client :client_id) + :client_secret ,(plist-get client :client_secret))) + (sans-secrets + (dolist (x '(:client_id :client_secret) client) + (cl-remf client x))) + ;; alexgriffith reported seeing ellipses in the saved output + ;; which indicate some output truncating. Nothing in + ;; `plstore-save' seems to ensure this cannot happen so let's do + ;; that ourselves: + (print-length nil) + (print-level nil)) (plstore-put plstore - (concat "mastodon-" mastodon-instance-url) client nil) + (concat "mastodon-" mastodon-instance-url) + sans-secrets secrets) (plstore-save plstore) (plstore-close plstore) - client)) + ;; FIXME: why did we not have to do this before? + ;; maybe we never ran into this bug? + (mastodon-client--remove-key-from-plstore client))) (defun mastodon-client--remove-key-from-plstore (plstore) "Remove KEY from PLSTORE." 
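Review bot: `cl-remf` edits the place it is given, so after the `dolist` the variable `client` is the same object as `sans-secrets` and `mastodon-client--store` no longer returns the fetched `:client_id`/`:client_secret` it used to return; any caller that relied on the old return value (the docstring still describes the function as storing the values the caller then uses) now gets a plist without credentials. Bind `(key (concat "mastodon-" mastodon-instance-url))`, pass it to `plstore-put`, and return `(cdr (plstore-get plstore key))` after saving, which yields the decrypted, merged plist and matches what `mastodon-client--store-access-token` already does. The final `(mastodon-client--remove-key-from-plstore client)` looks suspect as well: its docstring says it takes a plstore entry, yet it receives a bare plist here, and the two FIXME lines above it should be resolved rather than committed. Also consider whether `:client_id` needs to be in the secret plist at all, since `mastodon-auth--get-browser-login-url` sends it in the browser URL; encrypting it means a GPG decryption is required merely to build a login URL, while only `:client_secret` is actually sensitive.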
@@ -136,28 +143,29 @@ Return plist without the KEY." :client_secret ,(plist-get (mastodon-client) :client_secret))) (defun mastodon-client--store-access-token (token) - "Save TOKEN as :access_token in plstore of the current user. + "Save TOKEN as :access_token encrypted in the plstore. Return the plist after the operation. -If `mastodon-auth-encrypt-access-token', encrypt it in the plstore. If `mastodon-auth-use-auth-source', encrypt it in auth source file." (let* ((user-details (mastodon-client--make-user-details-plist)) (plstore (plstore-open (mastodon-client--token-file))) (username (mastodon-client--form-user-from-vars)) (key (concat "user-" username)) + (secrets `( :client_id ,(plist-get user-details :client_id) + :client_secret ,(plist-get user-details :client_secret))) + (sans-secrets + (dolist (x '(:client_id :client_secret) user-details) + (cl-remf user-details x))) (print-length nil) (print-level nil)) - (cond (mastodon-auth-use-auth-source - ;; auth-source: - (mastodon-auth-source-token - mastodon-instance-url username token :create) - (plstore-put plstore key user-details nil)) - ;; plstore encrypted: - (mastodon-auth-encrypt-access-token - (plstore-put plstore key user-details `(:access_token ,token))) - (t ;; plstore sans encryption: - ;; (kept only because changing from this disrupts users): - (plstore-put plstore key - (append user-details `(:access_token ,token)) nil))) + (if mastodon-auth-use-auth-source + ;; auth-source: + (progn + (mastodon-auth-source-token + mastodon-instance-url username token :create) + (plstore-put plstore key sans-secrets secrets)) + ;; plstore encrypted: + (plstore-put plstore key sans-secrets + (append secrets `(:access_token ,token)))) (plstore-save plstore) (plstore-close plstore) (cdr (plstore-get plstore key)))) 
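Review bot: The `secrets`/`sans-secrets` pair built in `mastodon-client--store-access-token` is the third copy of the same destructive `cl-remf` loop in this commit (also in `mastodon-client--store` and the active-user function), each with its own hard-coded key list, which is how the key spelling already diverges between them. Extract a small helper that partitions a plist by a list of keys and returns `(public . secrets)` without mutating its argument, and call it from all three places so the set of encrypted keys is defined once.

```elisp
(defun mastodon-client--split-secrets (plist keys)
  "Partition PLIST into a (PUBLIC . SECRETS) pair by KEYS.
Properties named in KEYS go to SECRETS; the rest stay in PUBLIC.
PLIST itself is not modified."
  (let ((public (copy-sequence plist))
        (secrets nil))
    (dolist (key keys)
      (setq secrets (plist-put secrets key (plist-get public key)))
      (cl-remf public key))
    (cons public secrets)))

;; in `mastodon-client--store-access-token', replacing the two bindings:
       (split (mastodon-client--split-secrets
               user-details '(:client_id :client_secret)))
       (sans-secrets (car split))
       (secrets (cdr split))
       ;; … unchanged: print-length, print-level, plstore-put branches …
```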
@@ -173,17 +181,15 @@ from the user's auth source file and add it to the active user entry." (if mastodon-auth-use-auth-source (mastodon-auth-source-token mastodon-instance-url handle) (plist-get user-details :access_token))) - (sans-token (if mastodon-auth-use-auth-source - user-details - ;; remove acces_token from user-details: - (cl-remf user-details :access_token) - user-details)) + (secrets `( :access-token ,token + :client_id ,(plist-get user-details :client_id) + :client_secret ,(plist-get user-details :client_secret))) + (sans-secrets + (dolist (x '(:client_id :client_secret :access_token) user-details) + (cl-remf user-details x))) (print-length nil) (print-level nil)) - (if (not mastodon-auth-encrypt-access-token) - (plstore-put plstore "active-user" user-details nil) - (plstore-put plstore "active-user" - sans-token `(:access_token ,token))) + (plstore-put plstore "active-user" sans-secrets secrets) (plstore-save plstore) (plstore-close plstore))) @@ -228,7 +234,8 @@ Details is a plist." (defun mastodon-client () "Return variable client secrets to use for `mastodon-instance-url'. -Read plist from `mastodon-client--token-file' if variable is nil. +Read plist from `mastodon-client--token-file' if +`mastodon-client--client-details-alist' is nil. Fetch and store plist if `mastodon-client--read' returns nil." (let ((client-details (cdr (assoc mastodon-instance-url
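Review bot: `:access-token` in the new `secrets` binding is a typo for `:access_token`; the removal list two lines below, `mastodon-client--store-access-token` and the `plist-get` that produces `token` all use the underscore form, so the active-user entry now stores the token under a key nothing reads and `:access_token` lookups on it return nil. Change the binding to `:access_token ,token`. Separately, when `mastodon-auth-use-auth-source` is set the token is read from auth-source and then written into the plstore's active-user secrets anyway, whereas `--store-access-token` keeps it out of the per-user entry in that mode; holding the same token in two stores partly defeats choosing auth-source and means `mastodon-forget-all-logins` must clear both, so consider omitting `:access_token` from `secrets` in that branch (the duplication appears to predate this commit in part). The enclosing defun's header lies outside this hunk.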