1 files changed, 53 insertions, 16 deletions
diff --git a/internal/api/client/auth/token.go b/internal/api/client/auth/token.go
index 34fb62940..fbbd08404 100644
--- a/internal/api/client/auth/token.go
+++ b/internal/api/client/auth/token.go
@@ -19,20 +19,22 @@
 package auth
 
 import (
+	"net/http"
 	"net/url"
 
 	"github.com/superseriousbusiness/gotosocial/internal/api"
 	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
+	"github.com/superseriousbusiness/gotosocial/internal/oauth"
 
 	"github.com/gin-gonic/gin"
 )
 
-type tokenBody struct {
-	ClientID     *string `form:"client_id" json:"client_id" xml:"client_id"`
-	ClientSecret *string `form:"client_secret" json:"client_secret" xml:"client_secret"`
-	Code         *string `form:"code" json:"code" xml:"code"`
+type tokenRequestForm struct {
 	GrantType    *string `form:"grant_type" json:"grant_type" xml:"grant_type"`
+	Code         *string `form:"code" json:"code" xml:"code"`
 	RedirectURI  *string `form:"redirect_uri" json:"redirect_uri" xml:"redirect_uri"`
+	ClientID     *string `form:"client_id" json:"client_id" xml:"client_id"`
+	ClientSecret *string `form:"client_secret" json:"client_secret" xml:"client_secret"`
 	Scope        *string `form:"scope" json:"scope" xml:"scope"`
 }
 
@@ -44,35 +46,70 @@ func (m *Module) TokenPOSTHandler(c *gin.Context) {
 		return
 	}
 
-	form := &tokenBody{}
+	help := []string{}
+
+	form := &tokenRequestForm{}
 	if err := c.ShouldBind(form); err != nil {
-		api.ErrorHandler(c, gtserror.NewErrorBadRequest(err, helpfulAdvice), m.processor.InstanceGet)
+		api.OAuthErrorHandler(c, gtserror.NewErrorBadRequest(oauth.InvalidRequest(), err.Error()))
 		return
 	}
 
 	c.Request.Form = url.Values{}
+
+	var grantType string
+	if form.GrantType != nil {
+		grantType = *form.GrantType
+		c.Request.Form.Set("grant_type", grantType)
+	} else {
+		help = append(help, "grant_type was not set in the token request form, but must be set to authorization_code or client_credentials")
+	}
+
 	if form.ClientID != nil {
 		c.Request.Form.Set("client_id", *form.ClientID)
+	} else {
+		help = append(help, "client_id was not set in the token request form")
 	}
+
 	if form.ClientSecret != nil {
 		c.Request.Form.Set("client_secret", *form.ClientSecret)
+	} else {
+		help = append(help, "client_secret was not set in the token request form")
 	}
-	if form.Code != nil {
-		c.Request.Form.Set("code", *form.Code)
-	}
-	if form.GrantType != nil {
-		c.Request.Form.Set("grant_type", *form.GrantType)
-	}
+
 	if form.RedirectURI != nil {
 		c.Request.Form.Set("redirect_uri", *form.RedirectURI)
+	} else {
+		help = append(help, "redirect_uri was not set in the token request form")
+	}
+
+	var code string
+	if form.Code != nil {
+		if grantType != "authorization_code" {
+			help = append(help, "a code was provided in the token request form, but grant_type was not set to authorization_code")
+		} else {
+			code = *form.Code
+			c.Request.Form.Set("code", code)
+		}
+	} else if grantType == "authorization_code" {
+		help = append(help, "code was not set in the token request form, but must be set since grant_type is authorization_code")
 	}
+
 	if form.Scope != nil {
 		c.Request.Form.Set("scope", *form.Scope)
 	}
 
-	// pass the writer and request into the oauth server handler, which will
-	// take care of writing the oauth token into the response etc
-	if err := m.server.HandleTokenRequest(c.Writer, c.Request); err != nil {
-		api.ErrorHandler(c, gtserror.NewErrorInternalError(err, helpfulAdvice), m.processor.InstanceGet)
+	if len(help) != 0 {
+		api.OAuthErrorHandler(c, gtserror.NewErrorBadRequest(oauth.InvalidRequest(), help...))
+		return
+	}
+
+	token, errWithCode := m.processor.OAuthHandleTokenRequest(c.Request)
+	if errWithCode != nil {
+		api.OAuthErrorHandler(c, errWithCode)
+		return
 	}
+
+	c.Header("Cache-Control", "no-store")
+	c.Header("Pragma", "no-cache")
+	c.JSON(http.StatusOK, token)
 }