Pleroma/lib/pleroma/web/twitter_api/controllers/remote_follow_controller.ex

# Pleroma: A lightweight social networking server
# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only

defmodule Pleroma.Web.TwitterAPI.RemoteFollowController do
  use Pleroma.Web, :controller

  require Logger

  alias Pleroma.Activity
  alias Pleroma.MFA
  alias Pleroma.Object.Fetcher
  alias Pleroma.Plugs.OAuthScopesPlug
  alias Pleroma.User
  alias Pleroma.Web.Auth.Authenticator
  alias Pleroma.Web.Auth.TOTPAuthenticator
  alias Pleroma.Web.CommonAPI

  @status_types ["Article", "Event", "Note", "Video", "Page", "Question"]

  plug(Pleroma.Web.FederatingPlug)

  # Note: follower can submit the form (with password auth) not being signed in (having no token)
  plug(
    OAuthScopesPlug,
    %{fallback: :proceed_unauthenticated, scopes: ["follow", "write:follows"]}
    when action in [:do_follow]
  )

  # GET /ostatus_subscribe
  #
  def follow(%{assigns: %{user: user}} = conn, %{"acct" => acct}) do
    case is_status?(acct) do
      true -> follow_status(conn, user, acct)
      _ -> follow_account(conn, user, acct)
    end
  end

  defp follow_status(conn, _user, acct) do
    with {:ok, object} <- Fetcher.fetch_object_from_id(acct),
         %Activity{id: activity_id} <- Activity.get_create_by_object_ap_id(object.data["id"]) do
      redirect(conn, to: o_status_path(conn, :notice, activity_id))
    else
      error ->
        handle_follow_error(conn, error)
    end
  end

  defp follow_account(conn, user, acct) do
    with {:ok, followee} <- User.get_or_fetch(acct) do
      render(conn, follow_template(user), %{error: false, followee: followee, acct: acct})
    else
      {:error, _reason} ->
        render(conn, follow_template(user), %{error: :error})
    end
  end

  defp follow_template(%User{} = _user), do: "follow.html"
  defp follow_template(_), do: "follow_login.html"

  defp is_status?(acct) do
    case Fetcher.fetch_and_contain_remote_object_from_id(acct) do
      {:ok, %{"type" => type}} when type in @status_types ->
        true

      _ ->
        false
    end
  end

  # POST  /ostatus_subscribe
  #
  # adds a remote account in followers if user already is signed in.
  #
  def do_follow(%{assigns: %{user: %User{} = user}} = conn, %{"user" => %{"id" => id}}) do
    with {:fetch_user, %User{} = followee} <- {:fetch_user, User.get_cached_by_id(id)},
         {:ok, _, _, _} <- CommonAPI.follow(user, followee) do
      redirect(conn, to: "/users/#{followee.id}")
    else
      error ->
        handle_follow_error(conn, error)
    end
  end

  # POST  /ostatus_subscribe
  #
  # step 1.
  # checks login\password and displays step 2 form of MFA if need.
  #
  def do_follow(conn, %{"authorization" => %{"name" => _, "password" => _, "id" => id}}) do
    with {_, %User{} = followee} <- {:fetch_user, User.get_cached_by_id(id)},
         {_, {:ok, user}, _} <- {:auth, Authenticator.get_user(conn), followee},
         {_, _, _, false} <- {:mfa_required, followee, user, MFA.require?(user)},
         {:ok, _, _, _} <- CommonAPI.follow(user, followee) do
      redirect(conn, to: "/users/#{followee.id}")
    else
      error ->
        handle_follow_error(conn, error)
    end
  end

  # POST  /ostatus_subscribe
  #
  # step 2
  # checks TOTP code. otherwise displays form with errors
  #
  def do_follow(conn, %{"mfa" => %{"code" => code, "token" => token, "id" => id}}) do
    with {_, %User{} = followee} <- {:fetch_user, User.get_cached_by_id(id)},
         {_, _, {:ok, %{user: user}}} <- {:mfa_token, followee, MFA.Token.validate(token)},
         {_, _, _, {:ok, _}} <-
           {:verify_mfa_code, followee, token, TOTPAuthenticator.verify(code, user)},
         {:ok, _, _, _} <- CommonAPI.follow(user, followee) do
      redirect(conn, to: "/users/#{followee.id}")
    else
      error ->
        handle_follow_error(conn, error)
    end
  end

  def do_follow(%{assigns: %{user: nil}} = conn, _) do
    Logger.debug("Insufficient permissions: follow | write:follows.")
    render(conn, "followed.html", %{error: "Insufficient permissions: follow | write:follows."})
  end

  defp handle_follow_error(conn, {:mfa_token, followee, _} = _) do
    render(conn, "follow_login.html", %{error: "Wrong username or password", followee: followee})
  end

  defp handle_follow_error(conn, {:verify_mfa_code, followee, token, _} = _) do
    render(conn, "follow_mfa.html", %{
      error: "Wrong authentication code",
      followee: followee,
      mfa_token: token
    })
  end

  defp handle_follow_error(conn, {:mfa_required, followee, user, _} = _) do
    {:ok, %{token: token}} = MFA.Token.create_token(user)
    render(conn, "follow_mfa.html", %{followee: followee, mfa_token: token, error: false})
  end

  defp handle_follow_error(conn, {:auth, _, followee} = _) do
    render(conn, "follow_login.html", %{error: "Wrong username or password", followee: followee})
  end

  defp handle_follow_error(conn, {:fetch_user, error} = _) do
    Logger.debug("Remote follow failed with error #{inspect(error)}")
    render(conn, "followed.html", %{error: "Could not find user"})
  end

  defp handle_follow_error(conn, {:error, "Could not follow user:" <> _} = _) do
    render(conn, "followed.html", %{error: "Error following account"})
  end

  defp handle_follow_error(conn, error) do
    Logger.debug("Remote follow failed with error #{inspect(error)}")
    render(conn, "followed.html", %{error: "Something went wrong."})
  end
end
moved remote follow in separate controller 2019-12-20 14:34:14 +01:00			`# Pleroma: A lightweight social networking server`
remote_follow_controller.ex: Redirect to the user page on success Closes: https://git.pleroma.social/pleroma/pleroma/issues/1245 2020-01-21 16:16:59 +01:00			`# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>`
moved remote follow in separate controller 2019-12-20 14:34:14 +01:00			`# SPDX-License-Identifier: AGPL-3.0-only`

			`defmodule Pleroma.Web.TwitterAPI.RemoteFollowController do`
			`use Pleroma.Web, :controller`

			`require Logger`

			`alias Pleroma.Activity`
Pleroma.Web.TwitterAPI.TwoFactorAuthenticationController -> Pleroma.Web.PleromaAPI.TwoFactorAuthenticationController 2020-05-07 10:14:54 +02:00			`alias Pleroma.MFA`
moved remote follow in separate controller 2019-12-20 14:34:14 +01:00			`alias Pleroma.Object.Fetcher`
			`alias Pleroma.Plugs.OAuthScopesPlug`
			`alias Pleroma.User`
			`alias Pleroma.Web.Auth.Authenticator`
Pleroma.Web.TwitterAPI.TwoFactorAuthenticationController -> Pleroma.Web.PleromaAPI.TwoFactorAuthenticationController 2020-05-07 10:14:54 +02:00			`alias Pleroma.Web.Auth.TOTPAuthenticator`
moved remote follow in separate controller 2019-12-20 14:34:14 +01:00			`alias Pleroma.Web.CommonAPI`

			`@status_types ["Article", "Event", "Note", "Video", "Page", "Question"]`

[#1560] Restricted AP- & OStatus-related routes for non-federating instances. 2020-02-22 17:48:41 +01:00			`plug(Pleroma.Web.FederatingPlug)`

added code of mr#2067 2019-12-25 13:12:43 +01:00			`# Note: follower can submit the form (with password auth) not being signed in (having no token)`
			`plug(`
			`OAuthScopesPlug,`
			`%{fallback: :proceed_unauthenticated, scopes: ["follow", "write:follows"]}`
			`when action in [:do_follow]`
			`)`
moved remote follow in separate controller 2019-12-20 14:34:14 +01:00
			`# GET /ostatus_subscribe`
			`#`
			`def follow(%{assigns: %{user: user}} = conn, %{"acct" => acct}) do`
			`case is_status?(acct) do`
			`true -> follow_status(conn, user, acct)`
			`_ -> follow_account(conn, user, acct)`
			`end`
			`end`

			`defp follow_status(conn, _user, acct) do`
			`with {:ok, object} <- Fetcher.fetch_object_from_id(acct),`
			`%Activity{id: activity_id} <- Activity.get_create_by_object_ap_id(object.data["id"]) do`
Apply suggestion to lib/pleroma/web/twitter_api/controllers/remote_follow_controller.ex 2019-12-22 18:58:45 +01:00			`redirect(conn, to: o_status_path(conn, :notice, activity_id))`
moved remote follow in separate controller 2019-12-20 14:34:14 +01:00			`else`
			`error ->`
			`handle_follow_error(conn, error)`
			`end`
			`end`

			`defp follow_account(conn, user, acct) do`
			`with {:ok, followee} <- User.get_or_fetch(acct) do`
			`render(conn, follow_template(user), %{error: false, followee: followee, acct: acct})`
			`else`
			`{:error, _reason} ->`
			`render(conn, follow_template(user), %{error: :error})`
			`end`
			`end`

			`defp follow_template(%User{} = _user), do: "follow.html"`
			`defp follow_template(_), do: "follow_login.html"`

			`defp is_status?(acct) do`
			`case Fetcher.fetch_and_contain_remote_object_from_id(acct) do`
			`{:ok, %{"type" => type}} when type in @status_types ->`
			`true`

			`_ ->`
			`false`
			`end`
			`end`

			`# POST /ostatus_subscribe`
			`#`
Pleroma.Web.TwitterAPI.TwoFactorAuthenticationController -> Pleroma.Web.PleromaAPI.TwoFactorAuthenticationController 2020-05-07 10:14:54 +02:00			`# adds a remote account in followers if user already is signed in.`
			`#`
added code of mr#2067 2019-12-25 13:12:43 +01:00			`def do_follow(%{assigns: %{user: %User{} = user}} = conn, %{"user" => %{"id" => id}}) do`
moved remote follow in separate controller 2019-12-20 14:34:14 +01:00			`with {:fetch_user, %User{} = followee} <- {:fetch_user, User.get_cached_by_id(id)},`
			`{:ok, _, _, _} <- CommonAPI.follow(user, followee) do`
remote_follow_controller.ex: Redirect to the user page on success Closes: https://git.pleroma.social/pleroma/pleroma/issues/1245 2020-01-21 16:16:59 +01:00			`redirect(conn, to: "/users/#{followee.id}")`
moved remote follow in separate controller 2019-12-20 14:34:14 +01:00			`else`
			`error ->`
			`handle_follow_error(conn, error)`
			`end`
			`end`

Pleroma.Web.TwitterAPI.TwoFactorAuthenticationController -> Pleroma.Web.PleromaAPI.TwoFactorAuthenticationController 2020-05-07 10:14:54 +02:00			`# POST /ostatus_subscribe`
			`#`
			`# step 1.`
			`# checks login\password and displays step 2 form of MFA if need.`
			`#`
added code of mr#2067 2019-12-25 13:12:43 +01:00			`def do_follow(conn, %{"authorization" => %{"name" => _, "password" => _, "id" => id}}) do`
Pleroma.Web.TwitterAPI.TwoFactorAuthenticationController -> Pleroma.Web.PleromaAPI.TwoFactorAuthenticationController 2020-05-07 10:14:54 +02:00			`with {_, %User{} = followee} <- {:fetch_user, User.get_cached_by_id(id)},`
added code of mr#2067 2019-12-25 13:12:43 +01:00			`{_, {:ok, user}, _} <- {:auth, Authenticator.get_user(conn), followee},`
Pleroma.Web.TwitterAPI.TwoFactorAuthenticationController -> Pleroma.Web.PleromaAPI.TwoFactorAuthenticationController 2020-05-07 10:14:54 +02:00			`{_, _, _, false} <- {:mfa_required, followee, user, MFA.require?(user)},`
			`{:ok, _, _, _} <- CommonAPI.follow(user, followee) do`
			`redirect(conn, to: "/users/#{followee.id}")`
			`else`
			`error ->`
			`handle_follow_error(conn, error)`
			`end`
			`end`

			`# POST /ostatus_subscribe`
			`#`
			`# step 2`
			`# checks TOTP code. otherwise displays form with errors`
			`#`
			`def do_follow(conn, %{"mfa" => %{"code" => code, "token" => token, "id" => id}}) do`
			`with {_, %User{} = followee} <- {:fetch_user, User.get_cached_by_id(id)},`
			`{_, _, {:ok, %{user: user}}} <- {:mfa_token, followee, MFA.Token.validate(token)},`
			`{_, _, _, {:ok, _}} <-`
			`{:verify_mfa_code, followee, token, TOTPAuthenticator.verify(code, user)},`
moved remote follow in separate controller 2019-12-20 14:34:14 +01:00			`{:ok, _, _, _} <- CommonAPI.follow(user, followee) do`
remote_follow_controller.ex: Redirect to the user page on success Closes: https://git.pleroma.social/pleroma/pleroma/issues/1245 2020-01-21 16:16:59 +01:00			`redirect(conn, to: "/users/#{followee.id}")`
moved remote follow in separate controller 2019-12-20 14:34:14 +01:00			`else`
			`error ->`
			`handle_follow_error(conn, error)`
			`end`
			`end`

added code of mr#2067 2019-12-25 13:12:43 +01:00			`def do_follow(%{assigns: %{user: nil}} = conn, _) do`
			`Logger.debug("Insufficient permissions: follow \| write:follows.")`
			`render(conn, "followed.html", %{error: "Insufficient permissions: follow \| write:follows."})`
			`end`

Pleroma.Web.TwitterAPI.TwoFactorAuthenticationController -> Pleroma.Web.PleromaAPI.TwoFactorAuthenticationController 2020-05-07 10:14:54 +02:00			`defp handle_follow_error(conn, {:mfa_token, followee, _} = _) do`
			`render(conn, "follow_login.html", %{error: "Wrong username or password", followee: followee})`
			`end`

			`defp handle_follow_error(conn, {:verify_mfa_code, followee, token, _} = _) do`
			`render(conn, "follow_mfa.html", %{`
			`error: "Wrong authentication code",`
			`followee: followee,`
			`mfa_token: token`
			`})`
			`end`

			`defp handle_follow_error(conn, {:mfa_required, followee, user, _} = _) do`
			`{:ok, %{token: token}} = MFA.Token.create_token(user)`
			`render(conn, "follow_mfa.html", %{followee: followee, mfa_token: token, error: false})`
			`end`

moved remote follow in separate controller 2019-12-20 14:34:14 +01:00			`defp handle_follow_error(conn, {:auth, _, followee} = _) do`
			`render(conn, "follow_login.html", %{error: "Wrong username or password", followee: followee})`
			`end`

			`defp handle_follow_error(conn, {:fetch_user, error} = _) do`
			`Logger.debug("Remote follow failed with error #{inspect(error)}")`
			`render(conn, "followed.html", %{error: "Could not find user"})`
			`end`

			`defp handle_follow_error(conn, {:error, "Could not follow user:" <> _} = _) do`
			`render(conn, "followed.html", %{error: "Error following account"})`
			`end`

			`defp handle_follow_error(conn, error) do`
			`Logger.debug("Remote follow failed with error #{inspect(error)}")`
			`render(conn, "followed.html", %{error: "Something went wrong."})`
			`end`
			`end`