From bfea4c5b7cf5aa1e1267f3e886fd41aa2fc8fce6 Mon Sep 17 00:00:00 2001
From: Vika
Date: Wed, 16 Apr 2025 02:26:38 +0300
Subject: indieauth: Grant `profile` scope to apps that didn't request any scopes

This should fix logging into legacy IndieAuth applications that don't request scopes.

Change-Id: I7063f825fdd26ecf57aef52bc172d5bf81d05ca2
---
 src/indieauth/mod.rs | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
(limited to 'src/indieauth/mod.rs')
diff --git a/src/indieauth/mod.rs b/src/indieauth/mod.rs
index 2f90a19..2e8a44b 100644
--- a/src/indieauth/mod.rs
+++ b/src/indieauth/mod.rs
@@ -158,7 +158,7 @@ pub async fn metadata(Host(host): Host) -> Metadata {
 async fn authorization_endpoint_get(
 Host(host): Host,
- Query(request): Query,
+ Query(mut request): Query,
 State(db): State,
 State(http): State,
 State(auth): State,
@@ -306,6 +306,18 @@ async fn authorization_endpoint_get(
 tracing::debug!("Application metadata: {:#?}", h_app);
+ // Sanity check: some older applications don't ask for scopes when they're supposed to.
+ //
+ // Give them the profile scope at least?
+ if request
+ .scope
+ .as_ref()
+ .map(|scope: &Scopes| scope.is_empty())
+ .unwrap_or(true)
+ {
+ request.scope.replace(Scopes::new(vec![Scope::Profile]));
+ }
+
 Html(
 kittybox_frontend_renderer::Template {
 title: "Confirm sign-in via IndieAuth",
--
cgit 1.4.1
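Review bot: Defaulting an absent or empty `scope` to `profile` inside `authorization_endpoint_get` hands the client more than it asked for, and the added block does it silently. IndieAuth treats a request without `scope` as identity-only: the server may return the profile URL but must not issue an access token, so the code-redemption and token paths (outside this hunk, not visible here) should be checked to confirm that a defaulted `profile` scope cannot turn a scope-less legacy login into a token grant or a release of profile data. Since the consent page is rendered after this point, it should presumably show that `profile` was added by the server rather than requested by the application. I would log the upgrade, e.g. `tracing::debug!("client requested no scopes; defaulting to profile");`, and write the assignment as `request.scope = Some(Scopes::new(vec![Scope::Profile]));`, since the value returned by `replace` is discarded. The function body starts and ends outside the hunk.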