add /openid/request_token and /openid/userinfo routes

heavily changed and improved by me Co-authored-by: mikoto <avdb@keemail.me> Signed-off-by: strawberry <strawberry@puppygock.gay>
2024-07-02 21:51:11 -04:00 · 2024-07-02 21:51:11 -04:00 · 1a64e42cfe
commit 1a64e42cfe
parent 5edd391e83
11 changed files with 151 additions and 7 deletions
--- a/src/api/client/openid.rs
+++ b/src/api/client/openid.rs
@ -0,0 +1,41 @@
+use std::time::Duration;
+
+use conduit::utils;
+use ruma::{
+	api::client::{account, error::ErrorKind},
+	authentication::TokenType,
+};
+
+use super::TOKEN_LENGTH;
+use crate::{services, Error, Result, Ruma};
+
+/// # `POST /_matrix/client/v3/user/{userId}/openid/request_token`
+///
+/// Request an OpenID token to verify identity with third-party services.
+///
+/// - The token generated is only valid for the OpenID API
+pub(crate) async fn create_openid_token_route(
+	body: Ruma<account::request_openid_token::v3::Request>,
+) -> Result<account::request_openid_token::v3::Response> {
+	let sender_user = body.sender_user.as_ref().expect("user is authenticated");
+
+	if sender_user != &body.user_id {
+		return Err(Error::BadRequest(
+			ErrorKind::InvalidParam,
+			"Not allowed to request OpenID tokens on behalf of other users",
+		));
+	}
+
+	let access_token = utils::random_string(TOKEN_LENGTH);
+
+	let expires_in = services()
+		.users
+		.create_openid_token(&body.user_id, &access_token)?;
+
+	Ok(account::request_openid_token::v3::Response {
+		access_token,
+		token_type: TokenType::Bearer,
+		matrix_server_name: services().globals.config.server_name.clone(),
+		expires_in: Duration::from_secs(expires_in),
+	})
+}