From 1326ab66a141e73f1ef7d9d39bb86596f56179e0 Mon Sep 17 00:00:00 2001
From: enahum
Date: Tue, 30 Aug 2016 21:15:40 -0300
Subject: PLT-3984 Add the ability to regenerate OAuth Client Secret (#3899)

---
 api/oauth.go | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 51 insertions(+), 1 deletion(-)

(limited to 'api/oauth.go')

diff --git a/api/oauth.go b/api/oauth.go
index d3495895f..7942b0e0c 100644
--- a/api/oauth.go
+++ b/api/oauth.go
@@ -32,7 +32,8 @@ func InitOAuth() {
 	BaseRoutes.OAuth.Handle("/allow", ApiUserRequired(allowOAuth)).Methods("GET")
 	BaseRoutes.OAuth.Handle("/authorized", ApiUserRequired(getAuthorizedApps)).Methods("GET")
 	BaseRoutes.OAuth.Handle("/delete", ApiUserRequired(deleteOAuthApp)).Methods("POST")
-	BaseRoutes.OAuth.Handle("/{id:[A-Za-z0-9]+}/deauthorize", AppHandlerIndependent(deauthorizeOAuthApp)).Methods("POST")
+	BaseRoutes.OAuth.Handle("/{id:[A-Za-z0-9]+}/deauthorize", ApiUserRequired(deauthorizeOAuthApp)).Methods("POST")
+	BaseRoutes.OAuth.Handle("/{id:[A-Za-z0-9]+}/regen_secret", ApiUserRequired(regenerateOAuthSecret)).Methods("POST")
 	BaseRoutes.OAuth.Handle("/{service:[A-Za-z0-9]+}/complete", AppHandlerIndependent(completeOAuth)).Methods("GET")
 	BaseRoutes.OAuth.Handle("/{service:[A-Za-z0-9]+}/login", AppHandlerIndependent(loginWithOAuth)).Methods("GET")
 	BaseRoutes.OAuth.Handle("/{service:[A-Za-z0-9]+}/signup", AppHandlerIndependent(signupWithOAuth)).Methods("GET")
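Review bot: The removed/added pair for the `/deauthorize` route swaps its wrapper from `AppHandlerIndependent` to `ApiUserRequired`, which is a change to an existing endpoint's authentication requirement that the commit subject (regenerating the client secret) does not mention. That tightening looks correct, but it deserves its own sentence in the commit message so it is not lost when the history is read later. Since `deauthorizeOAuthApp` now only runs with an authenticated session, any session-presence handling inside its body (outside this hunk) is presumably redundant and worth a look. The enclosing `InitOAuth` continues outside the hunk.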
@@ -957,6 +958,55 @@ func deauthorizeOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
 	ReturnStatusOK(w)
 }
 
+func regenerateOAuthSecret(c *Context, w http.ResponseWriter, r *http.Request) {
+	if !utils.Cfg.ServiceSettings.EnableOAuthServiceProvider {
+		c.Err = model.NewLocAppError("registerOAuthApp", "api.oauth.register_oauth_app.turn_off.app_error", nil, "")
+		c.Err.StatusCode = http.StatusNotImplemented
+		return
+	}
+
+	isSystemAdmin := c.IsSystemAdmin()
+
+	if *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations {
+		if !isSystemAdmin {
+			c.Err = model.NewLocAppError("registerOAuthApp", "api.command.admin_only.app_error", nil, "")
+			c.Err.StatusCode = http.StatusForbidden
+			return
+		}
+	}
+
+	params := mux.Vars(r)
+	id := params["id"]
+
+	if len(id) == 0 {
+		c.SetInvalidParam("regenerateOAuthSecret", "id")
+		return
+	}
+
+	var app *model.OAuthApp
+	if result := <-Srv.Store.OAuth().GetApp(id); result.Err != nil {
+		c.Err = model.NewLocAppError("regenerateOAuthSecret", "api.oauth.allow_oauth.database.app_error", nil, "")
+		return
+	} else {
+		app = result.Data.(*model.OAuthApp)
+
+		//validate that is a System Admin or the same user that registered the app
+		if !isSystemAdmin && app.CreatorId != c.Session.UserId {
+			c.Err = model.NewLocAppError("regenerateOAuthSecret", "api.oauth.regenerate_secret.app_error", nil, "")
+			return
+		}
+
+		app.ClientSecret = model.NewId()
+		if update := <-Srv.Store.OAuth().UpdateApp(app); update.Err != nil {
+			c.Err = update.Err
+			return
+		}
+
+		w.Write([]byte(app.ToJson()))
+		return
+	}
+}
+
 func newSession(appName string, user *model.User) (*model.Session, *model.AppError) {
 	// set new token an session
 	session := &model.Session{UserId: user.Id, Roles: user.Roles, IsOAuth: true}
-- 
cgit v1.2.3-1-g7c22
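Review bot: The ownership check in `regenerateOAuthSecret` (the `!isSystemAdmin && app.CreatorId != c.Session.UserId` branch) sets `c.Err` without a status code, whereas the admin-only branch a few lines above returns `http.StatusForbidden`, so a non-owner presumably gets whatever default the Context applies instead of a 403; add `c.Err.StatusCode = http.StatusForbidden` after the `NewLocAppError` call there. The first two errors in the function also carry the location string `"registerOAuthApp"` and the store failure reuses `"api.oauth.allow_oauth.database.app_error"`, which look like copy-paste leftovers and will mislead anyone triaging logs for this endpoint — use `"regenerateOAuthSecret"` and a key specific to this handler. Rotating a client secret is a security-sensitive action, so if the Context offers the audit-log call other handlers in this package use, a success entry after `UpdateApp` would make the rotation traceable. The `else` after the terminating `if` on the `GetApp` result is unnecessary; returning early and dedenting the rest keeps the happy path left-aligned.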