Add oauth metadata endpoint

config/runtime.exs

@@ -24,13 +24,13 @@ if Teiserver.ConfigHelpers.get_env("PHX_SERVER", nil) do
   config :teiserver, TeiserverWeb.Endpoint, server: true
 end
 
+# used for mailing, checking origins, finding tls certs…
+domain_name = Teiserver.ConfigHelpers.get_env("TEI_DOMAIN_NAME", "beyondallreason.info")
+
 # Only do some runtime configuration in production since in dev and tests the
 # files are automatically recompiled on the fly and thus, config/{dev,test}.exs
 # are just fine
 if config_env() == :prod do
-  # used for mailing, checking origins, finding tls certs…
-  domain_name = Teiserver.ConfigHelpers.get_env("TEI_DOMAIN_NAME", "beyondallreason.info")
-
   certificates = [
     keyfile: Teiserver.ConfigHelpers.get_env("TEI_TLS_PRIVATE_KEY_PATH"),
     certfile: Teiserver.ConfigHelpers.get_env("TEI_TLS_CERT_PATH"),
@@ -190,3 +190,5 @@ if config_env() == :prod do
       bot_name: Teiserver.ConfigHelpers.get_env("TEI_DISCORD_BOT_NAME")
   end
 end
+
+config :teiserver, Teiserver.OAuth, issuer: "https://#{domain_name}"

lib/teiserver_web/controllers/o_auth/code_controller.ex

@@ -79,4 +79,8 @@ defmodule TeiserverWeb.OAuth.CodeController do
       _ -> conn |> put_status(400) |> render(:error, error_description: "invalid request")
     end
   end
+
+  def metadata(conn, _params) do
+    conn |> put_status(200) |> render(:metadata)
+  end
 end

lib/teiserver_web/router.ex

@@ -601,6 +601,12 @@ defmodule TeiserverWeb.Router do
     post("/token", CodeController, :token)
   end
 
+  scope "/", TeiserverWeb.OAuth do
+    pipe_through(:api)
+    # https://datatracker.ietf.org/doc/html/rfc8414
+    get("/.well-known/oauth-authorization-server", CodeController, :metadata)
+  end
+
   scope "/admin", TeiserverWeb.Admin do
     pipe_through([:live_browser, :protected])
 

lib/teiserver_web/views/api/o_auth/code_view.ex

@@ -1,4 +1,6 @@
 defmodule TeiserverWeb.OAuth.CodeView do
+  use TeiserverWeb, :view
+
   def token(%{token: token}) do
     expires_in = DateTime.diff(token.expires_at, DateTime.utc_now(), :second)
 
@@ -13,4 +15,21 @@ defmodule TeiserverWeb.OAuth.CodeView do
   def error(conn) do
     Map.take(conn, [:error_description]) |> Map.put("error", "invalid_request")
   end
+
+  def metadata(_) do
+    base = Application.fetch_env!(:teiserver, Teiserver.OAuth)[:issuer]
+
+    %{
+      issuer: base,
+      authorization_endpoint: base <> ~p"/oauth/authorize",
+      token_endpoint: base <> ~p"/oauth/token",
+      token_endpoint_auth_methods_supported: ["none", "client_secret_post"],
+      grant_types_supported: [
+        "authorization_code",
+        "refresh_token",
+        "client_credentials"
+      ],
+      code_challenge_methods_supported: ["S256"]
+    }
+  end
 end

test/teiserver_web/controllers/o_auth/code_controller_test.exs

@@ -150,6 +150,7 @@ defmodule TeiserverWeb.OAuth.CodeControllerTest do
         client_id: credential.client_id,
         client_secret: "definitely-not-the-correct-secret"
       }
+
       resp = post(conn, ~p"/oauth/token", data)
       json_resp = json_response(resp, 400)
     end
@@ -201,4 +202,25 @@ defmodule TeiserverWeb.OAuth.CodeControllerTest do
       assert %{"error" => "invalid_request"} = json_response(resp, 400)
     end
   end
+
+  describe "medatata endpoint" do
+    setup :setup_conn
+
+    test "can query oauth metadata", %{conn: conn} do
+      resp = json_response(get(conn, ~p"/.well-known/oauth-authorization-server"), 200)
+
+      assert resp == %{
+               "issuer" => "https://beyondallreason.info",
+               "authorization_endpoint" => "https://beyondallreason.info/oauth/authorize",
+               "token_endpoint" => "https://beyondallreason.info/oauth/token",
+               "token_endpoint_auth_methods_supported" => ["none", "client_secret_post"],
+               "grant_types_supported" => [
+                 "authorization_code",
+                 "refresh_token",
+                 "client_credentials"
+               ],
+               "code_challenge_methods_supported" => ["S256"]
+             }
+    end
+  end
 end