Some OAuth 2.0 clients will always send it. The RFC says it's optional,
so clients don't expect it to fail. Instead of forcing them to add
special handling for sr.ht, tolerate the parameter as long as it matches
the one configured in the registered OAuth client.

Same as [1] but for the token endpoint.

[1]: https://lists.sr.ht/~sircmpwn/sr.ht-dev/patches/35260
---

This is annoyingly more code than [1]. Alternatively, a less
intrusive solution could use _lookup_client() and check that
the URI matches on the Python side.
[message trimmed]

We need to hash the client secret before comparing it with the DB
field.

Fixes: 5f5d84c02a4c ("api/graph: verify client secret in issueOAuthGrant")
---

Sorry, this fixup got squashed into an unrelated commit during a
rebase...

 api/graph/model/oauthclient.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/api/graph/model/oauthclient.go b/api/graph/model/oauthclient.go
index e29d76d59037..4802f27010cd 100644
[message trimmed]

Nice! A few comments below.

On Wednesday, September 28th, 2022 at 19:23, delthas <delthas@dille.cc> wrote:

> diff --git a/irc.go b/irc.go
> index bb17d64..dd56f36 100644
> --- a/irc.go
> +++ b/irc.go
> @@ -459,10 +459,24 @@ func (cm *monitorCasemapMap) ForEach(f func(name string, online bool)) {
>  	}
>  }
>  
> -type casemapSet struct{ casemapMap }
> +type pushTargetCasemapMap struct{ casemapMap }

LGTM

A new GraphQL query is added, "myOauthGrant". Just like the "me"
query returns the current user, this query returns the current
OAuth grant, if any.

This is used by the Python frontend to implement OAuth 2.0 token
introspection, defined in RFC 7662.

Depends on [1].

[1]: https://lists.sr.ht/~sircmpwn/sr.ht-dev/patches/35536
---
 api/graph/schema.graphqls     |  3 ++
 api/graph/schema.resolvers.go | 32 +++++++++++++++++++++
 metasrht/blueprints/oauth2.py | 54 ++++++++++++++++++++++++++++++++++-
[message trimmed]

This executes a GraphQL operation with the specified OAuth 2.0
token used for authentication.

This will be useful to implement OAuth 2.0 token introspection.
---
 srht/graphql/client.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/srht/graphql/client.py b/srht/graphql/client.py
index 8b3d6b546978..18b4b015e86f 100644
--- a/srht/graphql/client.py
+++ b/srht/graphql/client.py
@@ -47,7 +47,7 @@ class GraphQLOperation:
         else:
[message trimmed]

---
 metasrht/blueprints/oauth2.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/metasrht/blueprints/oauth2.py b/metasrht/blueprints/oauth2.py
index d59dea06f0a9..e1e29f5c2765 100644
--- a/metasrht/blueprints/oauth2.py
+++ b/metasrht/blueprints/oauth2.py
@@ -501,7 +501,7 @@ def access_token_POST():
     auth = request.headers.get("Authorization")
     if auth and (client_id or client_secret):
         return access_token_error("invalid_client",
-                "Cannot supply both client_id & client_secret and Authorziation header",
+                "Cannot supply both client_id & client_secret and Authorization header",
[message trimmed]

This allows webapps to use OAuth 2.0. An example use-case is gamja.

Uses the new API introduced in [1].

[1]: https://lists.sr.ht/~sircmpwn/sr.ht-dev/patches/35272
---
 metasrht/blueprints/oauth2.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/metasrht/blueprints/oauth2.py b/metasrht/blueprints/oauth2.py
index 5efd3e832e8f..d59dea06f0a9 100644
--- a/metasrht/blueprints/oauth2.py
+++ b/metasrht/blueprints/oauth2.py
@@ -8,7 +8,7 @@ from flask import Blueprint, render_template, redirect, request, session
[message trimmed]

LGTM

For instance, failure to open the private PGP key would just fail
with an unhelpful "panic: open : no such file or directory" error.
---
 email/worker.go | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/email/worker.go b/email/worker.go
index b63b3a244f31..82da5b7148c0 100644
--- a/email/worker.go
+++ b/email/worker.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"errors"
[message trimmed]