7 files changed, 861 insertions, 0 deletions
diff --git a/internal/oauth/clientstore.go b/internal/oauth/clientstore.go
new file mode 100644
index 000000000..e062383ce
--- /dev/null
+++ b/internal/oauth/clientstore.go
@@ -0,0 +1,72 @@
+/*
+   GoToSocial
+   Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
+
+   This program is free software: you can redistribute it and/or modify
+   it under the terms of the GNU Affero General Public License as published by
+   the Free Software Foundation, either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU Affero General Public License for more details.
+
+   You should have received a copy of the GNU Affero General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package oauth
+
+import (
+	"context"
+
+	"github.com/superseriousbusiness/gotosocial/internal/db"
+	"github.com/superseriousbusiness/oauth2/v4"
+	"github.com/superseriousbusiness/oauth2/v4/models"
+)
+
+type clientStore struct {
+	db db.DB
+}
+
+func newClientStore(db db.DB) oauth2.ClientStore {
+	pts := &clientStore{
+		db: db,
+	}
+	return pts
+}
+
+func (cs *clientStore) GetByID(ctx context.Context, clientID string) (oauth2.ClientInfo, error) {
+	poc := &Client{
+		ID: clientID,
+	}
+	if err := cs.db.GetByID(clientID, poc); err != nil {
+		return nil, err
+	}
+	return models.New(poc.ID, poc.Secret, poc.Domain, poc.UserID), nil
+}
+
+func (cs *clientStore) Set(ctx context.Context, id string, cli oauth2.ClientInfo) error {
+	poc := &Client{
+		ID:     cli.GetID(),
+		Secret: cli.GetSecret(),
+		Domain: cli.GetDomain(),
+		UserID: cli.GetUserID(),
+	}
+	return cs.db.UpdateByID(id, poc)
+}
+
+func (cs *clientStore) Delete(ctx context.Context, id string) error {
+	poc := &Client{
+		ID: id,
+	}
+	return cs.db.DeleteByID(id, poc)
+}
+
+type Client struct {
+	ID     string
+	Secret string
+	Domain string
+	UserID string
+}
diff --git a/internal/oauth/clientstore_test.go b/internal/oauth/clientstore_test.go
new file mode 100644
index 000000000..a7028228d
--- /dev/null
+++ b/internal/oauth/clientstore_test.go
@@ -0,0 +1,144 @@
+/*
+   GoToSocial
+   Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
+
+   This program is free software: you can redistribute it and/or modify
+   it under the terms of the GNU Affero General Public License as published by
+   the Free Software Foundation, either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU Affero General Public License for more details.
+
+   You should have received a copy of the GNU Affero General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+package oauth
+
+import (
+	"context"
+	"testing"
+
+	"github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/suite"
+	"github.com/superseriousbusiness/gotosocial/internal/config"
+	"github.com/superseriousbusiness/gotosocial/internal/db"
+	"github.com/superseriousbusiness/oauth2/v4/models"
+)
+
+type PgClientStoreTestSuite struct {
+	suite.Suite
+	db               db.DB
+	testClientID     string
+	testClientSecret string
+	testClientDomain string
+	testClientUserID string
+}
+
+const ()
+
+// SetupSuite sets some variables on the suite that we can use as consts (more or less) throughout
+func (suite *PgClientStoreTestSuite) SetupSuite() {
+	suite.testClientID = "test-client-id"
+	suite.testClientSecret = "test-client-secret"
+	suite.testClientDomain = "https://example.org"
+	suite.testClientUserID = "test-client-user-id"
+}
+
+// SetupTest creates a postgres connection and creates the oauth_clients table before each test
+func (suite *PgClientStoreTestSuite) SetupTest() {
+	log := logrus.New()
+	log.SetLevel(logrus.TraceLevel)
+	c := config.Empty()
+	c.DBConfig = &config.DBConfig{
+		Type:            "postgres",
+		Address:         "localhost",
+		Port:            5432,
+		User:            "postgres",
+		Password:        "postgres",
+		Database:        "postgres",
+		ApplicationName: "gotosocial",
+	}
+	db, err := db.New(context.Background(), c, log)
+	if err != nil {
+		logrus.Panicf("error creating database connection: %s", err)
+	}
+
+	suite.db = db
+
+	models := []interface{}{
+		&Client{},
+	}
+
+	for _, m := range models {
+		if err := suite.db.CreateTable(m); err != nil {
+			logrus.Panicf("db connection error: %s", err)
+		}
+	}
+}
+
+// TearDownTest drops the oauth_clients table and closes the pg connection after each test
+func (suite *PgClientStoreTestSuite) TearDownTest() {
+	models := []interface{}{
+		&Client{},
+	}
+	for _, m := range models {
+		if err := suite.db.DropTable(m); err != nil {
+			logrus.Panicf("error dropping table: %s", err)
+		}
+	}
+	if err := suite.db.Stop(context.Background()); err != nil {
+		logrus.Panicf("error closing db connection: %s", err)
+	}
+	suite.db = nil
+}
+
+func (suite *PgClientStoreTestSuite) TestClientStoreSetAndGet() {
+	// set a new client in the store
+	cs := newClientStore(suite.db)
+	if err := cs.Set(context.Background(), suite.testClientID, models.New(suite.testClientID, suite.testClientSecret, suite.testClientDomain, suite.testClientUserID)); err != nil {
+		suite.FailNow(err.Error())
+	}
+
+	// fetch that client from the store
+	client, err := cs.GetByID(context.Background(), suite.testClientID)
+	if err != nil {
+		suite.FailNow(err.Error())
+	}
+
+	// check that the values are the same
+	suite.NotNil(client)
+	suite.EqualValues(models.New(suite.testClientID, suite.testClientSecret, suite.testClientDomain, suite.testClientUserID), client)
+}
+
+func (suite *PgClientStoreTestSuite) TestClientSetAndDelete() {
+	// set a new client in the store
+	cs := newClientStore(suite.db)
+	if err := cs.Set(context.Background(), suite.testClientID, models.New(suite.testClientID, suite.testClientSecret, suite.testClientDomain, suite.testClientUserID)); err != nil {
+		suite.FailNow(err.Error())
+	}
+
+	// fetch the client from the store
+	client, err := cs.GetByID(context.Background(), suite.testClientID)
+	if err != nil {
+		suite.FailNow(err.Error())
+	}
+
+	// check that the values are the same
+	suite.NotNil(client)
+	suite.EqualValues(models.New(suite.testClientID, suite.testClientSecret, suite.testClientDomain, suite.testClientUserID), client)
+	if err := cs.Delete(context.Background(), suite.testClientID); err != nil {
+		suite.FailNow(err.Error())
+	}
+
+	// try to get the deleted client; we should get an error
+	deletedClient, err := cs.GetByID(context.Background(), suite.testClientID)
+	suite.Assert().Nil(deletedClient)
+	suite.Assert().EqualValues(db.ErrNoEntries{}, err)
+}
+
+func TestPgClientStoreTestSuite(t *testing.T) {
+	suite.Run(t, new(PgClientStoreTestSuite))
+}
diff --git a/internal/oauth/mock_Server.go b/internal/oauth/mock_Server.go
new file mode 100644
index 000000000..a5c0d603e
--- /dev/null
+++ b/internal/oauth/mock_Server.go
@@ -0,0 +1,89 @@
+// Code generated by mockery v2.7.4. DO NOT EDIT.
+
+package oauth
+
+import (
+	http "net/http"
+
+	mock "github.com/stretchr/testify/mock"
+	oauth2 "github.com/superseriousbusiness/oauth2/v4"
+)
+
+// MockServer is an autogenerated mock type for the Server type
+type MockServer struct {
+	mock.Mock
+}
+
+// GenerateUserAccessToken provides a mock function with given fields: ti, clientSecret, userID
+func (_m *MockServer) GenerateUserAccessToken(ti oauth2.TokenInfo, clientSecret string, userID string) (oauth2.TokenInfo, error) {
+	ret := _m.Called(ti, clientSecret, userID)
+
+	var r0 oauth2.TokenInfo
+	if rf, ok := ret.Get(0).(func(oauth2.TokenInfo, string, string) oauth2.TokenInfo); ok {
+		r0 = rf(ti, clientSecret, userID)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(oauth2.TokenInfo)
+		}
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(oauth2.TokenInfo, string, string) error); ok {
+		r1 = rf(ti, clientSecret, userID)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// HandleAuthorizeRequest provides a mock function with given fields: w, r
+func (_m *MockServer) HandleAuthorizeRequest(w http.ResponseWriter, r *http.Request) error {
+	ret := _m.Called(w, r)
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(http.ResponseWriter, *http.Request) error); ok {
+		r0 = rf(w, r)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// HandleTokenRequest provides a mock function with given fields: w, r
+func (_m *MockServer) HandleTokenRequest(w http.ResponseWriter, r *http.Request) error {
+	ret := _m.Called(w, r)
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(http.ResponseWriter, *http.Request) error); ok {
+		r0 = rf(w, r)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// ValidationBearerToken provides a mock function with given fields: r
+func (_m *MockServer) ValidationBearerToken(r *http.Request) (oauth2.TokenInfo, error) {
+	ret := _m.Called(r)
+
+	var r0 oauth2.TokenInfo
+	if rf, ok := ret.Get(0).(func(*http.Request) oauth2.TokenInfo); ok {
+		r0 = rf(r)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(oauth2.TokenInfo)
+		}
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(*http.Request) error); ok {
+		r1 = rf(r)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
diff --git a/internal/oauth/oauth_test.go b/internal/oauth/oauth_test.go
new file mode 100644
index 000000000..594b9b5a9
--- /dev/null
+++ b/internal/oauth/oauth_test.go
@@ -0,0 +1,21 @@
+/*
+   GoToSocial
+   Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
+
+   This program is free software: you can redistribute it and/or modify
+   it under the terms of the GNU Affero General Public License as published by
+   the Free Software Foundation, either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU Affero General Public License for more details.
+
+   You should have received a copy of the GNU Affero General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package oauth
+
+// TODO: write tests
diff --git a/internal/oauth/server.go b/internal/oauth/server.go
new file mode 100644
index 000000000..8bac8fc2f
--- /dev/null
+++ b/internal/oauth/server.go
@@ -0,0 +1,254 @@
+/*
+   GoToSocial
+   Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
+
+   This program is free software: you can redistribute it and/or modify
+   it under the terms of the GNU Affero General Public License as published by
+   the Free Software Foundation, either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU Affero General Public License for more details.
+
+   You should have received a copy of the GNU Affero General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package oauth
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/sirupsen/logrus"
+	"github.com/superseriousbusiness/gotosocial/internal/db"
+	"github.com/superseriousbusiness/gotosocial/internal/db/model"
+	"github.com/superseriousbusiness/oauth2/v4"
+	"github.com/superseriousbusiness/oauth2/v4/errors"
+	"github.com/superseriousbusiness/oauth2/v4/manage"
+	"github.com/superseriousbusiness/oauth2/v4/server"
+)
+
+const (
+	SessionAuthorizedToken = "authorized_token"
+	// SessionAuthorizedUser is the key set in the gin context for the id of
+	// a User who has successfully passed Bearer token authorization.
+	// The interface returned from grabbing this key should be parsed as a *gtsmodel.User
+	SessionAuthorizedUser = "authorized_user"
+	// SessionAuthorizedAccount is the key set in the gin context for the Account
+	// of a User who has successfully passed Bearer token authorization.
+	// The interface returned from grabbing this key should be parsed as a *gtsmodel.Account
+	SessionAuthorizedAccount = "authorized_account"
+	// SessionAuthorizedAccount is the key set in the gin context for the Application
+	// of a Client who has successfully passed Bearer token authorization.
+	// The interface returned from grabbing this key should be parsed as a *gtsmodel.Application
+	SessionAuthorizedApplication = "authorized_app"
+)
+
+// Server wraps some oauth2 server functions in an interface, exposing only what is needed
+type Server interface {
+	HandleTokenRequest(w http.ResponseWriter, r *http.Request) error
+	HandleAuthorizeRequest(w http.ResponseWriter, r *http.Request) error
+	ValidationBearerToken(r *http.Request) (oauth2.TokenInfo, error)
+	GenerateUserAccessToken(ti oauth2.TokenInfo, clientSecret string, userID string) (accessToken oauth2.TokenInfo, err error)
+}
+
+// s fulfils the Server interface using the underlying oauth2 server
+type s struct {
+	server *server.Server
+	log    *logrus.Logger
+}
+
+type Authed struct {
+	Token       oauth2.TokenInfo
+	Application *model.Application
+	User        *model.User
+	Account     *model.Account
+}
+
+// GetAuthed is a convenience function for returning an Authed struct from a gin context.
+// In essence, it tries to extract a token, application, user, and account from the context,
+// and then sets them on a struct for convenience.
+//
+// If any are not present in the context, they will be set to nil on the returned Authed struct.
+//
+// If *ALL* are not present, then nil and an error will be returned.
+//
+// If something goes wrong during parsing, then nil and an error will be returned (consider this not authed).
+func GetAuthed(c *gin.Context) (*Authed, error) {
+	ctx := c.Copy()
+	a := &Authed{}
+	var i interface{}
+	var ok bool
+
+	i, ok = ctx.Get(SessionAuthorizedToken)
+	if ok {
+		parsed, ok := i.(oauth2.TokenInfo)
+		if !ok {
+			return nil, errors.New("could not parse token from session context")
+		}
+		a.Token = parsed
+	}
+
+	i, ok = ctx.Get(SessionAuthorizedApplication)
+	if ok {
+		parsed, ok := i.(*model.Application)
+		if !ok {
+			return nil, errors.New("could not parse application from session context")
+		}
+		a.Application = parsed
+	}
+
+	i, ok = ctx.Get(SessionAuthorizedUser)
+	if ok {
+		parsed, ok := i.(*model.User)
+		if !ok {
+			return nil, errors.New("could not parse user from session context")
+		}
+		a.User = parsed
+	}
+
+	i, ok = ctx.Get(SessionAuthorizedAccount)
+	if ok {
+		parsed, ok := i.(*model.Account)
+		if !ok {
+			return nil, errors.New("could not parse account from session context")
+		}
+		a.Account = parsed
+	}
+
+	if a.Token == nil && a.Application == nil && a.User == nil && a.Account == nil {
+		return nil, errors.New("not authorized")
+	}
+
+	return a, nil
+}
+
+// MustAuth is like GetAuthed, but will fail if one of the requirements is not met.
+func MustAuth(c *gin.Context, requireToken bool, requireApp bool, requireUser bool, requireAccount bool) (*Authed, error) {
+	a, err := GetAuthed(c)
+	if err != nil {
+		return nil, err
+	}
+	if requireToken && a.Token == nil {
+		return nil, errors.New("token not supplied")
+	}
+	if requireApp && a.Application == nil {
+		return nil, errors.New("application not supplied")
+	}
+	if requireUser && a.User == nil {
+		return nil, errors.New("user not supplied")
+	}
+	if requireAccount && a.Account == nil {
+		return nil, errors.New("account not supplied")
+	}
+	return a, nil
+}
+
+// HandleTokenRequest wraps the oauth2 library's HandleTokenRequest function
+func (s *s) HandleTokenRequest(w http.ResponseWriter, r *http.Request) error {
+	return s.server.HandleTokenRequest(w, r)
+}
+
+// HandleAuthorizeRequest wraps the oauth2 library's HandleAuthorizeRequest function
+func (s *s) HandleAuthorizeRequest(w http.ResponseWriter, r *http.Request) error {
+	return s.server.HandleAuthorizeRequest(w, r)
+}
+
+// ValidationBearerToken wraps the oauth2 library's ValidationBearerToken function
+func (s *s) ValidationBearerToken(r *http.Request) (oauth2.TokenInfo, error) {
+	return s.server.ValidationBearerToken(r)
+}
+
+// GenerateUserAccessToken shortcuts the normal oauth flow to create an user-level
+// bearer token *without* requiring that user to log in. This is useful when we
+// need to create a token for new users who haven't validated their email or logged in yet.
+//
+// The ti parameter refers to an existing Application token that was used to make the upstream
+// request. This token needs to be validated and exist in database in order to create a new token.
+func (s *s) GenerateUserAccessToken(ti oauth2.TokenInfo, clientSecret string, userID string) (oauth2.TokenInfo, error) {
+
+	authToken, err := s.server.Manager.GenerateAuthToken(context.Background(), oauth2.Code, &oauth2.TokenGenerateRequest{
+		ClientID:     ti.GetClientID(),
+		ClientSecret: clientSecret,
+		UserID:       userID,
+		RedirectURI:  ti.GetRedirectURI(),
+		Scope:        ti.GetScope(),
+	})
+	if err != nil {
+		return nil, fmt.Errorf("error generating auth token: %s", err)
+	}
+	if authToken == nil {
+		return nil, errors.New("generated auth token was empty")
+	}
+	s.log.Tracef("obtained auth token: %+v", authToken)
+
+	accessToken, err := s.server.Manager.GenerateAccessToken(context.Background(), oauth2.AuthorizationCode, &oauth2.TokenGenerateRequest{
+		ClientID:     authToken.GetClientID(),
+		ClientSecret: clientSecret,
+		RedirectURI:  authToken.GetRedirectURI(),
+		Scope:        authToken.GetScope(),
+		Code:         authToken.GetCode(),
+	})
+
+	if err != nil {
+		return nil, fmt.Errorf("error generating user-level access token: %s", err)
+	}
+	if accessToken == nil {
+		return nil, errors.New("generated user-level access token was empty")
+	}
+	s.log.Tracef("obtained user-level access token: %+v", accessToken)
+	return accessToken, nil
+}
+
+func New(database db.DB, log *logrus.Logger) Server {
+	ts := newTokenStore(context.Background(), database, log)
+	cs := newClientStore(database)
+
+	manager := manage.NewDefaultManager()
+	manager.MapTokenStorage(ts)
+	manager.MapClientStorage(cs)
+	manager.SetAuthorizeCodeTokenCfg(manage.DefaultAuthorizeCodeTokenCfg)
+	sc := &server.Config{
+		TokenType: "Bearer",
+		// Must follow the spec.
+		AllowGetAccessRequest: false,
+		// Support only the non-implicit flow.
+		AllowedResponseTypes: []oauth2.ResponseType{oauth2.Code},
+		// Allow:
+		// - Authorization Code (for first & third parties)
+		// - Client Credentials (for applications)
+		AllowedGrantTypes: []oauth2.GrantType{
+			oauth2.AuthorizationCode,
+			oauth2.ClientCredentials,
+		},
+		AllowedCodeChallengeMethods: []oauth2.CodeChallengeMethod{oauth2.CodeChallengePlain},
+	}
+
+	srv := server.NewServer(sc, manager)
+	srv.SetInternalErrorHandler(func(err error) *errors.Response {
+		log.Errorf("internal oauth error: %s", err)
+		return nil
+	})
+
+	srv.SetResponseErrorHandler(func(re *errors.Response) {
+		log.Errorf("internal response error: %s", re.Error)
+	})
+
+	srv.SetUserAuthorizationHandler(func(w http.ResponseWriter, r *http.Request) (string, error) {
+		userID := r.FormValue("userid")
+		if userID == "" {
+			return "", errors.New("userid was empty")
+		}
+		return userID, nil
+	})
+	srv.SetClientInfoHandler(server.ClientFormHandler)
+	return &s{
+		server: srv,
+		log:    log,
+	}
+}
diff --git a/internal/oauth/tokenstore.go b/internal/oauth/tokenstore.go
new file mode 100644
index 000000000..c4c9ff1d5
--- /dev/null
+++ b/internal/oauth/tokenstore.go
@@ -0,0 +1,260 @@
+/*
+   GoToSocial
+   Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
+
+   This program is free software: you can redistribute it and/or modify
+   it under the terms of the GNU Affero General Public License as published by
+   the Free Software Foundation, either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU Affero General Public License for more details.
+
+   You should have received a copy of the GNU Affero General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package oauth
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/sirupsen/logrus"
+	"github.com/superseriousbusiness/gotosocial/internal/db"
+	"github.com/superseriousbusiness/oauth2/v4"
+	"github.com/superseriousbusiness/oauth2/v4/models"
+)
+
+// tokenStore is an implementation of oauth2.TokenStore, which uses our db interface as a storage backend.
+type tokenStore struct {
+	oauth2.TokenStore
+	db  db.DB
+	log *logrus.Logger
+}
+
+// newTokenStore returns a token store that satisfies the oauth2.TokenStore interface.
+//
+// In order to allow tokens to 'expire', it will also set off a goroutine that iterates through
+// the tokens in the DB once per minute and deletes any that have expired.
+func newTokenStore(ctx context.Context, db db.DB, log *logrus.Logger) oauth2.TokenStore {
+	pts := &tokenStore{
+		db:  db,
+		log: log,
+	}
+
+	// set the token store to clean out expired tokens once per minute, or return if we're done
+	go func(ctx context.Context, pts *tokenStore, log *logrus.Logger) {
+	cleanloop:
+		for {
+			select {
+			case <-ctx.Done():
+				log.Info("breaking cleanloop")
+				break cleanloop
+			case <-time.After(1 * time.Minute):
+				log.Debug("sweeping out old oauth entries broom broom")
+				if err := pts.sweep(); err != nil {
+					log.Errorf("error while sweeping oauth entries: %s", err)
+				}
+			}
+		}
+	}(ctx, pts, log)
+	return pts
+}
+
+// sweep clears out old tokens that have expired; it should be run on a loop about once per minute or so.
+func (pts *tokenStore) sweep() error {
+	// select *all* tokens from the db
+	// todo: if this becomes expensive (ie., there are fucking LOADS of tokens) then figure out a better way.
+	tokens := new([]*Token)
+	if err := pts.db.GetAll(tokens); err != nil {
+		return err
+	}
+
+	// iterate through and remove expired tokens
+	now := time.Now()
+	for _, pgt := range *tokens {
+		// The zero value of a time.Time is 00:00 january 1 1970, which will always be before now. So:
+		// we only want to check if a token expired before now if the expiry time is *not zero*;
+		// ie., if it's been explicity set.
+		if !pgt.CodeExpiresAt.IsZero() && pgt.CodeExpiresAt.Before(now) || !pgt.RefreshExpiresAt.IsZero() && pgt.RefreshExpiresAt.Before(now) || !pgt.AccessExpiresAt.IsZero() && pgt.AccessExpiresAt.Before(now) {
+			if err := pts.db.DeleteByID(pgt.ID, &pgt); err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
+// Create creates and store the new token information.
+// For the original implementation, see https://github.com/superseriousbusiness/oauth2/blob/master/store/token.go#L34
+func (pts *tokenStore) Create(ctx context.Context, info oauth2.TokenInfo) error {
+	t, ok := info.(*models.Token)
+	if !ok {
+		return errors.New("info param was not a models.Token")
+	}
+	if err := pts.db.Put(oauthTokenToPGToken(t)); err != nil {
+		return fmt.Errorf("error in tokenstore create: %s", err)
+	}
+	return nil
+}
+
+// RemoveByCode deletes a token from the DB based on the Code field
+func (pts *tokenStore) RemoveByCode(ctx context.Context, code string) error {
+	return pts.db.DeleteWhere("code", code, &Token{})
+}
+
+// RemoveByAccess deletes a token from the DB based on the Access field
+func (pts *tokenStore) RemoveByAccess(ctx context.Context, access string) error {
+	return pts.db.DeleteWhere("access", access, &Token{})
+}
+
+// RemoveByRefresh deletes a token from the DB based on the Refresh field
+func (pts *tokenStore) RemoveByRefresh(ctx context.Context, refresh string) error {
+	return pts.db.DeleteWhere("refresh", refresh, &Token{})
+}
+
+// GetByCode selects a token from the DB based on the Code field
+func (pts *tokenStore) GetByCode(ctx context.Context, code string) (oauth2.TokenInfo, error) {
+	if code == "" {
+		return nil, nil
+	}
+	pgt := &Token{
+		Code: code,
+	}
+	if err := pts.db.GetWhere("code", code, pgt); err != nil {
+		return nil, err
+	}
+	return pgTokenToOauthToken(pgt), nil
+}
+
+// GetByAccess selects a token from the DB based on the Access field
+func (pts *tokenStore) GetByAccess(ctx context.Context, access string) (oauth2.TokenInfo, error) {
+	if access == "" {
+		return nil, nil
+	}
+	pgt := &Token{
+		Access: access,
+	}
+	if err := pts.db.GetWhere("access", access, pgt); err != nil {
+		return nil, err
+	}
+	return pgTokenToOauthToken(pgt), nil
+}
+
+// GetByRefresh selects a token from the DB based on the Refresh field
+func (pts *tokenStore) GetByRefresh(ctx context.Context, refresh string) (oauth2.TokenInfo, error) {
+	if refresh == "" {
+		return nil, nil
+	}
+	pgt := &Token{
+		Refresh: refresh,
+	}
+	if err := pts.db.GetWhere("refresh", refresh, pgt); err != nil {
+		return nil, err
+	}
+	return pgTokenToOauthToken(pgt), nil
+}
+
+/*
+	The following models are basically helpers for the postgres token store implementation, they should only be used internally.
+*/
+
+// Token is a translation of the gotosocial token with the ExpiresIn fields replaced with ExpiresAt.
+//
+// Explanation for this: gotosocial assumes an in-memory or file database of some kind, where a time-to-live parameter (TTL) can be defined,
+// and tokens with expired TTLs are automatically removed. Since Postgres doesn't have that feature, it's easier to set an expiry time and
+// then periodically sweep out tokens when that time has passed.
+//
+// Note that this struct does *not* satisfy the token interface shown here: https://github.com/superseriousbusiness/oauth2/blob/master/model.go#L22
+// and implemented here: https://github.com/superseriousbusiness/oauth2/blob/master/models/token.go.
+// As such, manual translation is always required between Token and the gotosocial *model.Token. The helper functions oauthTokenToPGToken
+// and pgTokenToOauthToken can be used for that.
+type Token struct {
+	ID                  string `pg:"type:uuid,default:gen_random_uuid(),pk,notnull"`
+	ClientID            string
+	UserID              string
+	RedirectURI         string
+	Scope               string
+	Code                string `pg:"default:'',pk"`
+	CodeChallenge       string
+	CodeChallengeMethod string
+	CodeCreateAt        time.Time `pg:"type:timestamp"`
+	CodeExpiresAt       time.Time `pg:"type:timestamp"`
+	Access              string    `pg:"default:'',pk"`
+	AccessCreateAt      time.Time `pg:"type:timestamp"`
+	AccessExpiresAt     time.Time `pg:"type:timestamp"`
+	Refresh             string    `pg:"default:'',pk"`
+	RefreshCreateAt     time.Time `pg:"type:timestamp"`
+	RefreshExpiresAt    time.Time `pg:"type:timestamp"`
+}
+
+// oauthTokenToPGToken is a lil util function that takes a gotosocial token and gives back a token for inserting into postgres
+func oauthTokenToPGToken(tkn *models.Token) *Token {
+	now := time.Now()
+
+	// For the following, we want to make sure we're not adding a time.Now() to an *empty* ExpiresIn, otherwise that's
+	// going to cause all sorts of interesting problems. So check first to make sure that the ExpiresIn is not equal
+	// to the zero value of a time.Duration, which is 0s. If it *is* empty/nil, just leave the ExpiresAt at nil as well.
+
+	var cea time.Time
+	if tkn.CodeExpiresIn != 0*time.Second {
+		cea = now.Add(tkn.CodeExpiresIn)
+	}
+
+	var aea time.Time
+	if tkn.AccessExpiresIn != 0*time.Second {
+		aea = now.Add(tkn.AccessExpiresIn)
+	}
+
+	var rea time.Time
+	if tkn.RefreshExpiresIn != 0*time.Second {
+		rea = now.Add(tkn.RefreshExpiresIn)
+	}
+
+	return &Token{
+		ClientID:            tkn.ClientID,
+		UserID:              tkn.UserID,
+		RedirectURI:         tkn.RedirectURI,
+		Scope:               tkn.Scope,
+		Code:                tkn.Code,
+		CodeChallenge:       tkn.CodeChallenge,
+		CodeChallengeMethod: tkn.CodeChallengeMethod,
+		CodeCreateAt:        tkn.CodeCreateAt,
+		CodeExpiresAt:       cea,
+		Access:              tkn.Access,
+		AccessCreateAt:      tkn.AccessCreateAt,
+		AccessExpiresAt:     aea,
+		Refresh:             tkn.Refresh,
+		RefreshCreateAt:     tkn.RefreshCreateAt,
+		RefreshExpiresAt:    rea,
+	}
+}
+
+// pgTokenToOauthToken is a lil util function that takes a postgres token and gives back a gotosocial token
+func pgTokenToOauthToken(pgt *Token) *models.Token {
+	now := time.Now()
+
+	return &models.Token{
+		ClientID:            pgt.ClientID,
+		UserID:              pgt.UserID,
+		RedirectURI:         pgt.RedirectURI,
+		Scope:               pgt.Scope,
+		Code:                pgt.Code,
+		CodeChallenge:       pgt.CodeChallenge,
+		CodeChallengeMethod: pgt.CodeChallengeMethod,
+		CodeCreateAt:        pgt.CodeCreateAt,
+		CodeExpiresIn:       pgt.CodeExpiresAt.Sub(now),
+		Access:              pgt.Access,
+		AccessCreateAt:      pgt.AccessCreateAt,
+		AccessExpiresIn:     pgt.AccessExpiresAt.Sub(now),
+		Refresh:             pgt.Refresh,
+		RefreshCreateAt:     pgt.RefreshCreateAt,
+		RefreshExpiresIn:    pgt.RefreshExpiresAt.Sub(now),
+	}
+}
diff --git a/internal/oauth/tokenstore_test.go b/internal/oauth/tokenstore_test.go
new file mode 100644
index 000000000..594b9b5a9
--- /dev/null
+++ b/internal/oauth/tokenstore_test.go
@@ -0,0 +1,21 @@
+/*
+   GoToSocial
+   Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
+
+   This program is free software: you can redistribute it and/or modify
+   it under the terms of the GNU Affero General Public License as published by
+   the Free Software Foundation, either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU Affero General Public License for more details.
+
+   You should have received a copy of the GNU Affero General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package oauth
+
+// TODO: write tests