Merge branch 'eyre-sec-fixes' into sec-com-twitter

2-layer domain change required to write a proper driver

arvo/eyre.hoon

@@ -745,9 +745,9 @@
         =+  usr=(slav %ta p.tee)
         =+  ((hard {pul/purl ^}) q.q.cay)
         ?.  ?=($& -.r.p.pul)
-          ~&  [%auth-lost usr p.r.p.pul]
+          ~&  [%auth-lost usr (head:earn p.pul)]
           (eyre-them tee q.cay)
-        (get-req:(dom-vi usr p.r.p.pul) q.tee q.cay)
+        (get-req:(dom-vi usr (scag 2 p.r.p.pul)) q.tee q.cay)
       ::
 ::           {$hi ^}
 ::         ?:  ?=($| -.q.sih)

gen/gmail/list.hoon

@@ -1,5 +1,5 @@
 ::
-::::  /hoon/ticket/gen
+::::  /hoon/list/gmail/gen
   ::
 /?    310
 ::

gen/hood/init-oauth2/google.hoon

@@ -0,0 +1,28 @@
+::
+::::  /hoon/google/init-oauth2/hood/gen
+  ::
+/?  314
+/-  sole
+::
+::::
+  !:
+[sole .]
+:-  %ask
+|=  $:  {now/@da eny/@uvI bec/beak}
+        {arg/$@($~ {jon/json $~})}
+        $~
+    ==
+^-  (sole-result {$write-sec-atom p/host q/@})
+%+  sole-yo  leaf+"Accepting credentials for https://*.googleapis.com"
+=+  hot=[%& /com/googleapis]
+=-  ?~  arg  -
+    (fun.q.q jon.arg)
+%+  sole-lo
+  [%& %oauth-json "json credentials: "]
+%+  sole-go  apex:poja
+|=  jon/json
+=+  ~|  bad-json+jon
+    =-  `{cid/@t cis/@t}`(need (rep jon))
+    rep=(ot web+(ot 'client_id'^so 'client_secret'^so ~) ~):jo
+%+  sole-so  %write-sec-atom    :: XX typed pair
+[hot (role cid cis ~)]

lib/oauth2.hoon

@@ -1,3 +1,6 @@
+::
+::::  /hoon/oauth2/lib
+  ::
 |%
 ++  fass                                                ::  rewrite quay
   |=  a/quay
@@ -18,14 +21,42 @@
   ?~  b  ''
   (rap 3 |-([i.b ?~(t.b ~ [a $(b t.b)])]))
 ::
+++  mean-wall  !.
+  |=  {a/term b/tape}  ^+  !!
+  =-  (mean (flop `tang`[>a< -]))
+  (turn (lore (crip b)) |=(c/cord leaf+(trip c)))
+::
 ++  dbg-post  `purl`[`hart`[| `6.000 [%& /localhost]] `pork``/testing `quay`/]
-++  endpoint  |=({dom/(list cord) a/path} [[& ~ &+dom] [~ a] ~])
 ++  bad-response  |=(a/@u ?:(=(2 (div a 100)) | ~&(bad-httr+a &)))
 ++  grab-json
   |*  {a/httr b/fist:jo}
   ~|  bad-json+r.a
   ~|  (poja q:(need r.a))
   (need (;~(biff poja b) q:(need r.a)))
+::
+++  parse-url
+  |=  a/$@(cord:purl purl)  ^-  purl
+  ?^  a  a
+  ~|  bad-url+a
+  (rash a auri:epur)
+::
+++  interpolate-url
+  |=  {a/$@(cord purl) b/(unit hart) c/(list (pair term knot))}
+  ^-  purl
+  ?@  a  $(a (parse-url a))  :: deal with cord
+  %_  a
+    p    ?^(b u.b p.a)
+    q.q  (interpolate-path q.q.a c)
+  ==
+::
+++  interpolate-path    ::  [/a/:b/c [%b 'foo']~] -> /a/foo/c
+  |=  {a/path b/(list (pair term knot))}  ^-  path
+  ?~  a  ?~(b ~ ~|(unused-values+b !!))
+  =+  (rush i.a ;~(pfix col sym))
+  ?~  -  [i.a $(a t.a)]  ::  not interpolable
+  ?~  b  ~|(no-value+u !!)
+  ?.  =(u p.i.b)  ~|(mismatch+[u p.i.b] !!)
+  [q.i.b $(a t.a, b t.b)]
 --
 ::
 ::::
@@ -35,40 +66,52 @@
 ++  refresh  {tok/token needed/@da pending/_`?`|}
 ++  keys  cord:{cid/@t cis/@t}
 ++  core-move  |*(a/* $^({sec-move _a} sec-move)) ::here's a change
-++  decode-keys                       :: XX from bale w/ typed %jael
-  |=  key/keys
-  ?~  key  ~|(%oauth-no-keys ~_(leaf+"Run |init-oauth2" !!))
-  ~|  %oauth-bad-keys
-  ((hard {cid/@t cis/@t $~}) (lore key))
 --
 ::
 ::::
   ::
-|=  {dialog/{p/host q/path r/quay} code-exchange/path}
+|=  {dialog/$@(cord:purl purl) code-exchange/$@(cord:purl purl)}
-=+  state-usr=|
+=+  :+  state-usr=|
+      dialog-url=(parse-url dialog)
+    exchange-url=(parse-url code-exchange)
 |_  {(bale keys) scope/(list cord)}
-++  client-id      cid:(decode-keys key)
+++  client-id      cid:decode-keys
-++  client-secret  cis:(decode-keys key)
+++  client-secret  cis:decode-keys
+++  decode-keys                       :: XX from bale w/ typed %jael
+  ^-  {cid/@t cis/@t $~}
+  ?.  =(~ `@`key)
+    ~|  %oauth-bad-keys
+    ((hard {cid/@t cis/@t $~}) (lore key))
+  %+  mean-wall  %oauth-no-keys
+  """
+  Run |init-oauth2
+  If necessary, obtain client keys configured for a redirect_uri of
+    {(trip redirect-uri)}
+  """
 ::
-++  urb-hart  [| `8.443 [%& /localhost]]  :: XX get from eyre
+++  our-host  .^(hart %e /(scot %p our)/host/fake)
-++  toke-url  (endpoint dom code-exchange)
 ++  auth-url
-  ~&  [%oauth-warning "Make sure this urbit".
+  ~&  [%oauth-warning "Make sure this urbit ".
-                      "is running on {(earn urb-hart `~ ~)}"]
+                      "is running on {(earn our-host `~ ~)}"]
   ^-  purl
-  :+  [& ~ p.dialog]  [~ q.dialog]
+  %_    dialog-url
-  %-  fass  
+      r
-  %+  welp  r.dialog
+    %+  welp  r.dialog-url
-  :~  state+?.(state-usr '' (pack usr /''))
+    %-  fass  
-      client-id+client-id
+    :~  state+?.(state-usr '' (pack usr /''))
-      redirect-uri+redirect-uri
+        client-id+client-id
-      scope+(join ' ' scope)
+        redirect-uri+redirect-uri
+        scope+(join ' ' scope)
+    ==
   ==
 ::
-++  redirect-uri  
+++  redirect-uri
   %-    crip    %-  earn
-  =+  usr-knot=?:(state-usr '_state' (scot %ta usr))
+  %^  interpolate-url  'https://our-host/~/ac/:domain/:user/in'
-  `purl`[`hart`urb-hart `pork``/~/ac/(join '.' (flop dom))/[usr-knot]/in `quay`~]
+    `our-host
+  :~  domain+(join '.' (flop dom))
+      user+?:(state-usr '_state' (scot %ta usr))
+  ==
 ::
 ++  out-filtered
   |=  {tok/token aut/$-(hiss hiss)}
@@ -90,7 +133,7 @@
 ::
 ++  toke-req
   |=  {grant-type/cord quy/quay}  ^-  {$send hiss}
-  :+  %send  toke-url
+  :+  %send  exchange-url
   :+  %post  (malt ~[content-type+~['application/x-www-form-urlencoded']])
   =-  `(tact +:(tail:earn -))
   %-  fass
@@ -119,7 +162,9 @@
   |*  {done/* parse/(pole {knot fist}:jo)}
   |=  handle/$-(_?~(parse ~ (need *(ot:jo parse))) (core-move done))
   |=  a/httr  ^-  (core-move done)
-  ?:  (bad-response p.a)  [%redo ~]  ::  handle 4xx?
+  ?:  (bad-response p.a)
+    [%give a]
+    :: [%redo ~]  ::  handle 4xx?
   (handle (grab-json a (ot:jo parse)))
 ::
 ++  res-give  |=(a/httr [%give a])
@@ -156,4 +201,3 @@
     [[%redo ~] (handle-access axs.tok)]
   --
 --
-                                                                

sec/com/facebook.hoon

@@ -0,0 +1,26 @@
+::  Test url +https://graph.facebook.com/v2.5/me
+::
+::::  /hoon/facebook/com/sec
+  ::
+/+    oauth2
+::
+::::
+  ::
+=+  ^=  aut
+    %+   oauth2
+      dialog='https://www.facebook.com/dialog/oauth?response_type=code'
+    exchange='https://graph.facebook.com/v2.3/oauth/access_token'
+|_  {bal/(bale keys.aut) access-token/token.aut}
+++  auth  ~(. aut bal /'user_about_me'/'user_posts')
+++  out  (out-quay:auth key='access_token' value=access-token)
+++  in   in-code:auth
+++  bak
+  %-  (bak-parse:auth . access-token.aut expires-in.aut ~)
+  |=  {access-token/@t expires-in/@u}
+  ?:  (lth expires-in ^~((div ~d7 ~s1)))  ::  short-lived token
+    %^  toke-req:auth  grant-type='fb_exchange_token'
+      [key='fb_exchange_token' value=access-token]
+    ~
+  [[%redo ~] ..bak(access-token access-token)]
+::++  wyp  ~
+--

sec/com/facebook/graph.hoon

@@ -1,18 +0,0 @@
-/+    oauth2
-::
-::::
-  ::
-=+  [`/com/facebook/www /dialog/oauth response-type/%code ~]
-=+  aut=(oauth2 - /'v2.3'/oauth/'access_token')
-|_  [bal=(bale keys.aut) access-token=token.aut]
-++  auth  ~(. aut bal /'user_about_me'/'user_posts')
-++  out  (out-quay:auth 'access_token'^access-token)
-++  in   in-code:auth
-++  bak
-  %-  (bak-parse:auth . access-token.aut expires-in.aut ~)
-  |=  [access-token=@t expires-in=@u]
-  ?:  (lth expires-in ^~((div ~d7 ~s1)))  ::  short-lived token
-    (toke-req:auth 'fb_exchange_token' fb-exchange-token/access-token ~)
-  [[%redo ~] ..bak(access-token access-token)]
-::++  wyp  ~
---

sec/com/github.hoon

@@ -1,3 +1,7 @@
+::  Test url +https://api.github.com/user
+::
+::::  /hoon/github/com/sec
+  ::
 /+    basic-auth
 !:
 |_  {bal/(bale keys:basic-auth) $~}

sec/com/googleapis.hoon

@@ -1,3 +1,7 @@
+::  Test url +https://www.googleapis.com/oauth2/v1/userinfo
+::
+::::  /hoon/googleapis/com/sec
+  ::
 /+    oauth2
 ::
 ::::
@@ -16,11 +20,16 @@
   =+  lon=(fall (slaw %t usr) usr)
   =<  .(state-usr &)
   %-  oauth2
-  =-  [[&+/com/google/accounts /o/oauth2/v2/auth -] /oauth2/v4/token]
+  :_  exchange='https://www.googleapis.com/oauth2/v4/token'
-  :~  login-hint+?~(lon '' (crip (rash lon suffix-email)))
+  ^=  dialog
-      access-type+%offline
+  %*  .  (need (epur 'https://accounts.google.com/o/oauth2/v2/auth'))
-      response-type+%code
+      r
-      prompt+%consent
+    %-  fass:oauth2
+    :~  login-hint+?~(lon '' (crip (rash lon suffix-email)))
+        access-type+%offline
+        response-type+%code
+        prompt+%consent
+    ==
   ==
 --
 !:
@@ -28,10 +37,12 @@
   ::
 |_  {bal/(bale keys:oauth2) user-state}
 ++  auth-re  ~(. (re:auth .) ref |=(a/_ref +>(ref a)))
-++  auth  ~(. (auth-usr usr.bal) bal (scopes 'userinfo.email' 'plus.me' ~))
+++  auth  ~(. (auth-usr usr.bal) bal scopes)
 ++  scopes
-  =+  scope=|=(b/@ta (endpoint:oauth2 dom.bal /auth/[b]))
+  :~  'https://mail.google.com'
-  |=(a/(list @ta) ['https://mail.google.com' (turn a |=(b/@ta (crip (earn (scope b)))))])
+      'https://www.googleapis.com/auth/plus.me'
+      'https://www.googleapis.com/auth/userinfo.email'
+  ==
 ::
 ++  out  (out-fix-expired:auth-re (out-math:auth ber))
 ++  res  |=(a/httr ((res-handle-refreshed:auth-re save-access res-give:auth) a))
@@ -43,5 +54,4 @@
   (in-code:auth a)
 ++  bak  |=(a/httr ((bak-save-tokens:auth-re save-access) a))
 ++  upd  *user-state
-::
 --

sec/com/slack.hoon

@@ -1,11 +1,18 @@
+::  Test url +https://slack.com/api/auth.test
+::
+::::  /hoon/slack/com/sec
+  ::
 /+    oauth2
 ::
 ::::
   ::
-=+  aut=(oauth2 [`/com/slack /oauth/authorize ~] /api/'oauth.access')
+=+  ^=  aut
-|_  [(bale keys:oauth2) tok=token.aut]
+    %+  oauth2
+      'https://slack.com/oauth/authorize'
+    'https://slack.com/api/oauth.access'
+|_  {(bale keys:oauth2) tok/token.aut}
 ++  aut  ~(. ^aut +<- /client/admin)
 ++  out  (out-quay:aut 'token'^tok)
 ++  in   in-code:aut
-++  bak  (bak-save-access:aut . |=(tok=token:aut +>(tok tok)))
+++  bak  (bak-save-access:aut . |=(tok/token:aut +>(tok tok)))
 --

web/listen.hoon

@@ -1,5 +1,5 @@
 ::
-::::  /hoon/talk/web
+::::  /hoon/listen/web
   ::
 /?    310
 ;div.mini-module