feat(backend/oauth): allow CORS for token endpoint (#12814)

* feat(backend/oauth): allow CORS for token endpoint

* no need to explicitly set origin to `*`

* Update CHANGELOG.md

packages/backend/src/server/ServerService.ts

@@ -110,7 +110,8 @@ export class ServerService implements OnApplicationShutdown {
 		fastify.register(this.activityPubServerService.createServer);
 		fastify.register(this.nodeinfoServerService.createServer);
 		fastify.register(this.wellKnownServerService.createServer);
-		fastify.register(this.oauth2ProviderService.createServer);
+		fastify.register(this.oauth2ProviderService.createServer, { prefix: '/oauth' });
+		fastify.register(this.oauth2ProviderService.createTokenServer, { prefix: '/oauth/token' });
 
 		fastify.get<{ Params: { path: string }; Querystring: { static?: any; badge?: any; }; }>('/emoji/:path(.*)', async (request, reply) => {
 			const path = request.params.path;

packages/backend/src/server/WellKnownServerService.ts

@@ -16,6 +16,7 @@ import * as Acct from '@/misc/acct.js';
 import { UserEntityService } from '@/core/entities/UserEntityService.js';
 import { bindThis } from '@/decorators.js';
 import { NodeinfoServerService } from './NodeinfoServerService.js';
+import { OAuth2ProviderService } from './oauth/OAuth2ProviderService.js';
 import type { FindOptionsWhere } from 'typeorm';
 import type { FastifyInstance, FastifyPluginOptions } from 'fastify';
 
@@ -30,6 +31,7 @@ export class WellKnownServerService {
 
 		private nodeinfoServerService: NodeinfoServerService,
 		private userEntityService: UserEntityService,
+		private oauth2ProviderService: OAuth2ProviderService,
 	) {
 		//this.createServer = this.createServer.bind(this);
 	}
@@ -87,6 +89,10 @@ export class WellKnownServerService {
 			return { links: this.nodeinfoServerService.getLinks() };
 		});
 
+		fastify.get('/.well-known/oauth-authorization-server', async () => {
+			return this.oauth2ProviderService.generateRFC8414();
+		});
+
 		/* TODO
 fastify.get('/.well-known/change-password', async (request, reply) => {
 });

packages/backend/src/server/oauth/OAuth2ProviderService.ts

@@ -31,6 +31,22 @@ export class OAuth2ProviderService {
 		private config: Config,
 	) { }
 
+	// https://datatracker.ietf.org/doc/html/rfc8414.html
+	// https://indieauth.spec.indieweb.org/#indieauth-server-metadata
+	public generateRFC8414() {
+		return {
+			issuer: this.config.url,
+			authorization_endpoint: new URL('/oauth/authorize', this.config.url),
+			token_endpoint: new URL('/oauth/token', this.config.url),
+			scopes_supported: kinds,
+			response_types_supported: ['code'],
+			grant_types_supported: ['authorization_code'],
+			service_documentation: 'https://misskey-hub.net',
+			code_challenge_methods_supported: ['S256'],
+			authorization_response_iss_parameter_supported: true,
+		};
+	}
+
 	@bindThis
 	public async createServer(fastify: FastifyInstance): Promise<void> {
 		// https://datatracker.ietf.org/doc/html/rfc8414.html
@@ -151,4 +167,17 @@ export class OAuth2ProviderService {
 			}
 		});
 	}
+
+	@bindThis
+	public async createTokenServer(fastify: FastifyInstance): Promise<void> {
+		fastify.register(fastifyCors);
+		fastify.post('', async () => { });
+
+		await fastify.register(fastifyExpress);
+		// Clients may use JSON or urlencoded
+		fastify.use('', bodyParser.urlencoded({ extended: false }));
+		fastify.use('', bodyParser.json({ strict: true }));
+		fastify.use('', this.#server.token());
+		fastify.use('', this.#server.errorHandler());
+	}
 }