Merge #39

39: small improvements r=Emilgardis a=Emilgardis

- expose oauth2 and RedirectUrl
- minor changes to get_user_token, making it more accessible.

This could be considered weaker security wise. But I don't see the point personally. This makes the interface easier to use, as we only compare these fields, not consume like with client secrets etc

Co-authored-by: Emil Gardström <[email protected]>

Author: bors[bot]

src/lib.rs

@@ -34,7 +34,9 @@ pub mod tokens;
 #[doc(hidden)]
 pub use oauth2;
 #[doc(no_inline)]
-pub use oauth2::{AccessToken, ClientId, ClientSecret, RedirectUrl, RefreshToken};
+pub use oauth2::{
+    AccessToken, AuthorizationCode, ClientId, ClientSecret, CsrfToken, RedirectUrl, RefreshToken,
+};
 
 use id::{TwitchClient, TwitchTokenErrorResponse};
 use oauth2::{url::Url, AuthUrl, HttpRequest, HttpResponse, TokenResponse};

src/tokens/user_token.rs

@@ -192,16 +192,17 @@ impl UserTokenBuilder {
     pub async fn get_user_token<RE, C, F>(
         self,
         http_client: C,
-        state: Option<&str>,
-        code: oauth2::AuthorizationCode,
+        state: &str,
+        // TODO: Should be either str or AuthorizationCode
+        code: &str,
     ) -> Result<UserToken, UserTokenExchangeError<RE>>
     where
         RE: std::error::Error + Send + Sync + 'static,
         C: Copy + FnOnce(HttpRequest) -> F,
         F: Future<Output = Result<HttpResponse, RE>>,
     {
         if let Some(csrf) = self.csrf {
-            if state.is_none() || csrf.secret() != state.expect("should not fail") {
+            if csrf.secret() != state {
                 return Err(UserTokenExchangeError::StateMismatch);
             }
         } else {
@@ -214,7 +215,7 @@ impl UserTokenBuilder {
         let mut params = HashMap::new();
         params.insert("client_id", self.client_id.as_str());
         params.insert("client_secret", self.client_secret.secret().as_str());
-        params.insert("code", code.secret().as_str());
+        params.insert("code", code);
         params.insert("grant_type", "authorization_code");
         params.insert("redirect_uri", self.redirect_url.as_str());
         let req = HttpRequest {
@@ -278,17 +279,13 @@ mod tests {
         let mut t = UserTokenBuilder::new(
             ClientId::new("clientid".to_string()),
             ClientSecret::new("secret".to_string()),
-            oauth2::RedirectUrl::new(r#"https://localhost"#.to_string()).unwrap(),
+            crate::RedirectUrl::new(r#"https://localhost"#.to_string()).unwrap(),
         )
         .unwrap()
         .force_verify(true);
         t.csrf = Some(oauth2::CsrfToken::new("random".to_string()));
         let token = t
-            .get_user_token(
-                crate::client::surf_http_client,
-                Some("random"),
-                oauth2::AuthorizationCode::new("authcode".to_string()),
-            )
+            .get_user_token(crate::client::surf_http_client, "random", "authcode")
             .await
             .unwrap();
         println!("token: {:?} - {}", token, token.access_token.secret());