Add the device user code form

Author: duzumaki

oauth2_provider/templates/oauth2_provider/device/user_code.html

@@ -0,0 +1,15 @@
+<!-- device_verification.html -->
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Device code</title>
+</head>
+<body>
+    <h1>Enter code displayed on device</h1>
+    <form method="post">
+        {% csrf_token %}
+        {{ form.as_p }}
+        <button type="submit">Verify</button>
+    </form>
+</body>
+</html>

oauth2_provider/urls.py

@@ -11,7 +11,8 @@
     path("token/", views.TokenView.as_view(), name="token"),
     path("revoke_token/", views.RevokeTokenView.as_view(), name="revoke-token"),
     path("introspect/", views.IntrospectTokenView.as_view(), name="introspect"),
-    path("device_authorization/", views.DeviceAuthorizationView.as_view(), name="device-authorization")
+    path("device-authorization/", views.DeviceAuthorizationView.as_view(), name="device-authorization"),
+    path("device/", views.device_user_code_view, name="device"),
 ]
 
 

oauth2_provider/views/device.py

@@ -1,13 +1,21 @@
 import json
 
-from django import http
+from django import forms, http
+from django.contrib.auth.decorators import login_required
+from django.shortcuts import render
+from django.urls import reverse
+from django.utils import timezone
 from django.utils.decorators import method_decorator
 from django.views.decorators.csrf import csrf_exempt
 from django.views.generic import View
 from oauthlib.oauth2 import DeviceApplicationServer
+from oauthlib.oauth2.rfc8628.errors import (
+    AccessDenied,
+    ExpiredTokenError,
+)
 
 from oauth2_provider.compat import login_not_required
-from oauth2_provider.models import DeviceCodeResponse, DeviceRequest, create_device
+from oauth2_provider.models import Device, DeviceCodeResponse, DeviceRequest, create_device, get_device_model
 from oauth2_provider.settings import oauth2_settings
 from oauth2_provider.views.mixins import OAuthLibMixin
 
@@ -31,3 +39,44 @@ def post(self, request, *args, **kwargs):
         create_device(device_request, device_response)
 
         return http.JsonResponse(data=response, status=status, headers=headers)
+
+
+class DeviceForm(forms.Form):
+    user_code = forms.CharField(required=True)
+
+
+# it's common to see in real world products
+# device flow's only asking the user to sign in after they input the
+# user code but since the user has to be signed in regardless to approve the
+# device login we're making the decision here to require being logged in
+# up front
+@login_required
+def device_user_code_view(request):
+    form = DeviceForm(request.POST)
+
+    if request.method != "POST":
+        return render(request, "oauth2_provider/device/user_code.html", {"form": form})
+
+    if not form.is_valid():
+        return render(request, "oauth2_provider/device/user_code.html", {"form": form})
+
+    user_code: str = form.cleaned_data["user_code"]
+    device: Device = get_device_model().objects.get(user_code=user_code)
+
+    if device is None:
+        form.add_error("user_code", "Incorrect user code")
+        return render(request, "oauth2_provider/device/user_code.html", {"form": form})
+
+    if timezone.now() > device.expires:
+        device.status = device.EXPIRED
+        device.save(update_fields=["status"])
+        raise ExpiredTokenError
+
+    # User of device has already made their decision for this device
+    if device.status in (device.DENIED, device.AUTHORIZED):
+        raise AccessDenied
+
+    # 308 to indicate we want to keep the redirect being a POST request
+    return http.HttpResponsePermanentRedirect(
+        reverse("oauth2_provider:device-confirm", kwargs={"device_code": device.device_code}), status=308
+    )

tests/app/idp/templates/device/user_code.html

@@ -0,0 +1,15 @@
+<!-- device_verification.html -->
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Device code</title>
+</head>
+<body>
+    <h1>Enter code displayed on device</h1>
+    <form method="post">
+        {% csrf_token %}
+        {{ form.as_p }}
+        <button type="submit">Verify</button>
+    </form>
+</body>
+</html>