From 0aaaf8d6efe26314b386a7ac4e86022cac52a069 Mon Sep 17 00:00:00 2001
From: Michael <heluecht@pirati.ca>
Date: Fri, 14 May 2021 06:05:01 +0000
Subject: [PATCH] API: Support OAuth client credentials

---
 doc/API-Mastodon.md        |  4 ++--
 src/Module/OAuth/Token.php | 29 +++++++++++++++++------------
 2 files changed, 19 insertions(+), 14 deletions(-)

diff --git a/doc/API-Mastodon.md b/doc/API-Mastodon.md
index 09cf169e2b..a8566ce60a 100644
--- a/doc/API-Mastodon.md
+++ b/doc/API-Mastodon.md
@@ -18,11 +18,11 @@ Supported mobile apps:
 - twitlatte
 - AndStatus
 - Twidere
+- Subway Tooter
 
 Unsupported mobile apps:
 
-- [Subway Tooter](https://github.com/tateisu/SubwayTooter) Uses the wrong grant_type when requesting a token, possibly a problem in the server type detection of the app. See issue https://github.com/tateisu/SubwayTooter/issues/156
-- [Mammut](https://github.com/jamiesanson/Mammut) States that the instance doesn't exist. Most likely an issue in the vitality check of the app, see issue https://github.com/jamiesanson/Mammut/issues/19
+- [Mammut](https://github.com/jamiesanson/Mammut) There are problems with the token request, see issue https://github.com/jamiesanson/Mammut/issues/19
 - [Fedilab](https://framagit.org/tom79/fedilab) Automatically uses the legacy API, see issue: https://framagit.org/tom79/fedilab/-/issues/520
 
 ## Entities
diff --git a/src/Module/OAuth/Token.php b/src/Module/OAuth/Token.php
index 0a1a32b744..c7a8109698 100644
--- a/src/Module/OAuth/Token.php
+++ b/src/Module/OAuth/Token.php
@@ -50,12 +50,7 @@ class Token extends BaseApi
 			}
 		}
 
-		if ($grant_type != 'authorization_code') {
-			Logger::warning('Unsupported or missing grant type', ['request' => $_REQUEST]);
-			DI::mstdnError()->UnprocessableEntity(DI::l10n()->t('Unsupported or missing grant type'));
-		}
-
-		if (empty($client_id) || empty($client_secret) || empty($redirect_uri)) {
+		if (empty($client_id) || empty($client_secret)) {
 			Logger::warning('Incomplete request data', ['request' => $_REQUEST]);
 			DI::mstdnError()->UnprocessableEntity(DI::l10n()->t('Incomplete request data'));
 		}
@@ -65,13 +60,23 @@ class Token extends BaseApi
 			DI::mstdnError()->UnprocessableEntity();
 		}
 
-		// For security reasons only allow freshly created tokens
-		$condition = ["`application-id` = ? AND `code` = ? AND `created_at` > UTC_TIMESTAMP() - INTERVAL ? MINUTE", $application['id'], $code, 5];
+		if ($grant_type == 'client_credentials') {
+			// the "client_credentials" are used as a token for the application itself.
+			// see https://aaronparecki.com/oauth-2-simplified/#client-credentials
+			$token = self::createTokenForUser($application, 0, '');
+		} elseif ($grant_type == 'authorization_code') {
+			// For security reasons only allow freshly created tokens
+			$condition = ["`redirect_uri` = ? AND `id` = ? AND `code` = ? AND `created_at` > UTC_TIMESTAMP() - INTERVAL ? MINUTE",
+				$redirect_uri, $application['id'], $code, 5];
 
-		$token = DBA::selectFirst('application-token', ['access_token', 'created_at'], $condition);
-		if (!DBA::isResult($token)) {
-			Logger::warning('Token not found or outdated', $condition);
-			DI::mstdnError()->Unauthorized();
+			$token = DBA::selectFirst('application-view', ['access_token', 'created_at'], $condition);
+			if (!DBA::isResult($token)) {
+				Logger::warning('Token not found or outdated', $condition);
+				DI::mstdnError()->Unauthorized();
+			}
+		} else {
+			Logger::warning('Unsupported or missing grant type', ['request' => $_REQUEST]);
+			DI::mstdnError()->UnprocessableEntity(DI::l10n()->t('Unsupported or missing grant type'));
 		}
 
 		$object = new \Friendica\Object\Api\Mastodon\Token($token['access_token'], 'Bearer', $application['scopes'], $token['created_at']);
-- 
2.39.5