Don't allow users to set the client ID or client secret, and only display the client secret once

blag · blag · commit fd64f0ee0162 · 2024-09-24T02:23:24.000-07:00
diff --git a/oauth2_provider/templates/oauth2_provider/application_detail.html b/oauth2_provider/templates/oauth2_provider/application_detail.html
@@ -7,10 +7,20 @@ <h3 class="block-center-heading">{{ application.name }}</h3>
 
         <ul class="unstyled">
             <li>
-                <p><b>{% trans "Client id" %}</b></p>
+                <p><b>{% trans "Client ID" %}</b></p>
                 <p>{{ application.client_id }}</p>
             </li>
 
+            {% if client_secret %}
+            <li>
+                <p><b>{% trans "Client secret" %}</b></p>
+                <p>{{ client_secret }}</p>
+                {% if show_client_secret_once %}
+                <p class="error">{% translate "This will only be displayed once - copy it now!" %}</p>
+                {% endif %}
+            </li>
+            {% endif %}
+
             <li>
                 <p><b>{% trans "Hash client secret" %}</b></p>
                 <p>{{ application.hash_client_secret|yesno:_("yes,no") }}</p>
diff --git a/oauth2_provider/views/application.py b/oauth2_provider/views/application.py
@@ -22,7 +22,9 @@ class ApplicationRegistration(LoginRequiredMixin, CreateView):
     View used to register a new Application for the request.user
     """
 
+    context_object_name = "application"
     template_name = "oauth2_provider/application_registration_form.html"
+    success_template_name = "oauth2_provider/application_detail.html"
 
     def get_form_class(self):
         """
@@ -32,8 +34,6 @@ def get_form_class(self):
             get_application_model(),
             fields=(
                 "name",
-                "client_id",
-                "client_secret",
                 "hash_client_secret",
                 "client_type",
                 "authorization_grant_type",
@@ -46,7 +46,22 @@ def get_form_class(self):
 
     def form_valid(self, form):
         form.instance.user = self.request.user
-        return super().form_valid(form)
+        if not form.cleaned_data["hash_client_secret"]:
+            return super().form_valid(form)
+
+        client_secret = form.instance.client_secret
+        self.object = form.save()
+        return self.response_class(
+            request=self.request,
+            template=self.success_template_name,
+            context=self.get_context_data(
+                client_secret=client_secret,
+                show_client_secret_once=self.object.hash_client_secret,
+                **{self.context_object_name: self.object},
+            ),
+            using=self.template_engine,
+            content_type=self.content_type,
+        )
 
 
 class ApplicationDetail(ApplicationOwnerIsUserMixin, DetailView):
@@ -57,6 +72,12 @@ class ApplicationDetail(ApplicationOwnerIsUserMixin, DetailView):
     context_object_name = "application"
     template_name = "oauth2_provider/application_detail.html"
 
+    def get_context_data(self, **kwargs):
+        ctx = super().get_context_data(**kwargs)
+        if not ctx["application"].hash_client_secret:
+            ctx["client_secret"] = ctx["application"].client_secret
+        return ctx
+
 
 class ApplicationList(ApplicationOwnerIsUserMixin, ListView):
     """
