From b985292b1807327c33457c5228bd59f5ac34f019 Mon Sep 17 00:00:00 2001
From: Nick Gerakines <ngerakines@users.noreply.github.com>
Date: Thu, 2 Jan 2020 15:33:39 -0500
Subject: [PATCH 1/9] First take at template updates. T712

---
 pages/login.tmpl        |  10 +++
 pages/signup-oauth.tmpl | 163 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 173 insertions(+)
 create mode 100644 pages/signup-oauth.tmpl

diff --git a/pages/login.tmpl b/pages/login.tmpl
index 1c8e862..6c1b3ed 100644
--- a/pages/login.tmpl
+++ b/pages/login.tmpl
@@ -19,6 +19,16 @@
 	</form>
 
 	{{if and (not .SingleUser) .OpenRegistration}}<p style="text-align:center;font-size:0.9em;margin:3em auto;max-width:26em;">{{if .Message}}{{.Message}}{{else}}<em>No account yet?</em> <a href="/">Sign up</a> to start a blog.{{end}}</p>{{end}}
+	{{ if .OauthSlack }}
+	<p style="text-align:center;font-size:0.9em;margin:3em auto;max-width:26em;">
+	    <a href="/oauth/slack">Sign-in with Slack.</a>
+	</p>
+	{{ end }}
+	{{ if .OauthWriteAs }}
+    <p style="text-align:center;font-size:0.9em;margin:3em auto;max-width:26em;">
+        <a href="/oauth/write.as">Sign-in with Write.As.</a>
+    </p>
+    {{ end }}
 
 <script type="text/javascript">
 function disableSubmit() {
diff --git a/pages/signup-oauth.tmpl b/pages/signup-oauth.tmpl
new file mode 100644
index 0000000..1ca1101
--- /dev/null
+++ b/pages/signup-oauth.tmpl
@@ -0,0 +1,163 @@
+{{define "head"}}
+<title>Sign up &mdash; {{.SiteName}}</title>
+
+<style type="text/css">
+h2 {
+	font-weight: normal;
+}
+#pricing.content-container div.form-container #payment-form {
+	display: block !important;
+}
+#pricing #signup-form table {
+	max-width: inherit !important;
+	width: 100%;
+}
+#pricing #payment-form table {
+	margin-top: 0 !important;
+	max-width: inherit !important;
+	width: 100%;
+}
+tr.subscription {
+	border-spacing: 0;
+}
+#pricing.content-container tr.subscription button {
+	margin-top: 0 !important;
+	margin-bottom: 0 !important;
+	width: 100%;
+}
+#pricing tr.subscription td {
+	padding: 0 0.5em;
+}
+#pricing table.billing > tbody > tr > td:first-child {
+	vertical-align: middle !important;
+}
+.billing-section {
+	display: none;
+}
+.billing-section.bill-me {
+	display: table-row;
+}
+#btn-create {
+	color: white !important;
+}
+#total-price {
+	padding-left: 0.5em;
+}
+#alias-site.demo {
+	color: #999;
+}
+#alias-site {
+	text-align: left;
+	margin: 0.5em 0;
+}
+form dd {
+	margin: 0;
+}
+</style>
+{{end}}
+{{define "content"}}
+<div id="pricing" class="content-container wide-form">
+
+<div class="row">
+	<div style="margin: 0 auto; max-width: 25em;">
+		<h1>Sign up</h1>
+
+		{{ if .Error }}
+			<p style="font-style: italic">{{.Error}}</p>
+		{{ else }}
+		{{if .Flashes}}<ul class="errors">
+			{{range .Flashes}}<li class="urgent">{{.}}</li>{{end}}
+		</ul>{{end}}
+
+		<div id="billing">
+			<form action="/auth/signup-oauth" method="POST" id="signup-form" onsubmit="return signup()">
+				<input type="hidden" name="provider" value="{{.Provider}}" />
+				<input type="hidden" name="access_token" value="{{.AccessToken}}" />
+				<dl class="billing">
+					<label>
+						<dt>Username</dt>
+						<dd>
+							<input type="text" id="alias" name="alias" style="width: 100%; box-sizing: border-box;" tabindex="1" autofocus />
+							{{if .Federation}}<p id="alias-site" class="demo">@<strong>your-username</strong>@{{.FriendlyHost}}</p>{{else}}<p id="alias-site" class="demo">{{.FriendlyHost}}/<strong>your-username</strong></p>{{end}}
+						</dd>
+					</label>
+					<label>
+						<dt>Email (optional)</dt>
+						<dd><input type="email" name="email" id="email" style="letter-spacing: 1px; width: 100%; box-sizing: border-box;" placeholder="me@example.com" tabindex="3" /></dd>
+					</label>
+					<dt>
+						<button id="btn-create" type="submit" style="margin-top: 0">Create blog</button>
+					</dt>
+				</dl>
+			</form>
+		</div>
+		{{ end }}
+	</div>
+</div>
+
+<script type="text/javascript" src="/js/h.js"></script>
+<script type="text/javascript">
+function signup() {
+	// Validate input
+	if (!aliasOK) {
+		var $a = $alias;
+		$a.el.className = 'error';
+		$a.el.focus();
+		$a.el.scrollIntoView();
+		return false;
+	}
+
+	var $btn = document.getElementById('btn-create');
+	$btn.disabled = true;
+	$btn.value = 'Creating...';
+	return true;
+}
+
+var $alias = H.getEl('alias');
+var $aliasSite = document.getElementById('alias-site');
+var aliasOK = true;
+var typingTimer;
+var doneTypingInterval = 750;
+var doneTyping = function() {
+	// Check on username
+	var alias = $alias.el.value;
+	if (alias != "") {
+		var params = {
+			username: alias
+		};
+		var http = new XMLHttpRequest();
+		http.open("POST", '/api/alias', true);
+
+		// Send the proper header information along with the request
+		http.setRequestHeader("Content-type", "application/json");
+
+		http.onreadystatechange = function() {
+			if (http.readyState == 4) {
+				data = JSON.parse(http.responseText);
+				if (http.status == 200) {
+					aliasOK = true;
+					$alias.removeClass('error');
+					$aliasSite.className = $aliasSite.className.replace(/(?:^|\s)demo(?!\S)/g, '');
+					$aliasSite.className = $aliasSite.className.replace(/(?:^|\s)error(?!\S)/g, '');
+					$aliasSite.innerHTML = '{{ if .Federation }}@<strong>' + data.data + '</strong>@{{.FriendlyHost}}{{ else }}{{.FriendlyHost}}/<strong>' + data.data + '</strong>/{{ end }}';
+				} else {
+					aliasOK = false;
+					$alias.setClass('error');
+					$aliasSite.className = 'error';
+					$aliasSite.textContent = data.error_msg;
+				}
+			}
+		}
+		http.send(JSON.stringify(params));
+	} else {
+		$aliasSite.className += ' demo';
+		$aliasSite.innerHTML = '{{ if .Federation }}@<strong>your-username</strong>@{{.FriendlyHost}}{{ else }}{{.FriendlyHost}}/<strong>your-username</strong>/{{ end }}';
+	}
+};
+$alias.on('keyup input', function() {
+	clearTimeout(typingTimer);
+	typingTimer = setTimeout(doneTyping, doneTypingInterval);
+});
+</script>
+
+{{end}}

From 6429d495a2e9f2c3cef69cdb421603be45c7c340 Mon Sep 17 00:00:00 2001
From: Nick Gerakines <ngerakines@users.noreply.github.com>
Date: Fri, 3 Jan 2020 13:50:21 -0500
Subject: [PATCH 2/9] Implemented /oauth/signup. T712

---
 account.go              |   4 +
 config/config.go        |   2 +
 oauth.go                |  56 ++++-------
 oauth_signup.go         | 209 ++++++++++++++++++++++++++++++++++++++++
 oauth_slack.go          |   4 +-
 pages/signup-oauth.tmpl | 185 ++++++-----------------------------
 6 files changed, 265 insertions(+), 195 deletions(-)
 create mode 100644 oauth_signup.go

diff --git a/account.go b/account.go
index 6fb8053..2dcfd27 100644
--- a/account.go
+++ b/account.go
@@ -306,12 +306,16 @@ func viewLogin(app *App, w http.ResponseWriter, r *http.Request) error {
 		Message       template.HTML
 		Flashes       []template.HTML
 		LoginUsername string
+		OauthSlack    bool
+		OauthWriteAs  bool
 	}{
 		pageForReq(app, r),
 		r.FormValue("to"),
 		template.HTML(""),
 		[]template.HTML{},
 		getTempInfo(app, "login-user", r, w),
+		app.Config().SlackOauth.ClientID != "",
+		app.Config().WriteAsOauth.ClientID != "",
 	}
 
 	if earlyError != "" {
diff --git a/config/config.go b/config/config.go
index 996c1df..6aee69b 100644
--- a/config/config.go
+++ b/config/config.go
@@ -42,6 +42,8 @@ type (
 		PagesParentDir     string `ini:"pages_parent_dir"`
 		KeysParentDir      string `ini:"keys_parent_dir"`
 
+		HashSeed string `ini:"hash_seed"`
+
 		Dev bool `ini:"-"`
 	}
 
diff --git a/oauth.go b/oauth.go
index 4758e0f..67c4ac8 100644
--- a/oauth.go
+++ b/oauth.go
@@ -7,8 +7,6 @@ import (
 	"github.com/gorilla/mux"
 	"github.com/gorilla/sessions"
 	"github.com/writeas/impart"
-	"github.com/writeas/nerds/store"
-	"github.com/writeas/web-core/auth"
 	"github.com/writeas/web-core/log"
 	"github.com/writeas/writefreely/config"
 	"io"
@@ -137,6 +135,7 @@ func configureOauthRoutes(parentHandler *Handler, r *mux.Router, app *App, oauth
 	}
 	r.HandleFunc("/oauth/"+oauthClient.GetProvider(), parentHandler.OAuth(handler.viewOauthInit)).Methods("GET")
 	r.HandleFunc("/oauth/callback", parentHandler.OAuth(handler.viewOauthCallback)).Methods("GET")
+	r.HandleFunc("/oauth/signup", parentHandler.OAuth(handler.viewOauthSignup)).Methods("POST")
 }
 
 func (h oauthHandler) viewOauthCallback(app *App, w http.ResponseWriter, r *http.Request) error {
@@ -171,52 +170,31 @@ func (h oauthHandler) viewOauthCallback(app *App, w http.ResponseWriter, r *http
 		return impart.HTTPError{http.StatusInternalServerError, err.Error()}
 	}
 
-	if localUserID == -1 {
-		// We don't have, nor do we want, the password from the origin, so we
-		//create a random string. If the user needs to set a password, they
-		//can do so through the settings page or through the password reset
-		//flow.
-		randPass := store.Generate62RandomString(14)
-		hashedPass, err := auth.HashPass([]byte(randPass))
-		if err != nil {
-			return impart.HTTPError{http.StatusInternalServerError, "unable to create password hash"}
-		}
-		newUser := &User{
-			Username:   tokenInfo.Username,
-			HashedPass: hashedPass,
-			HasPass:    true,
-			Email:      prepareUserEmail(tokenInfo.Email, h.EmailKey),
-			Created:    time.Now().Truncate(time.Second).UTC(),
-		}
-		displayName := tokenInfo.DisplayName
-		if len(displayName) == 0 {
-			displayName = tokenInfo.Username
-		}
-
-		err = h.DB.CreateUser(h.Config, newUser, displayName)
-		if err != nil {
-			return impart.HTTPError{http.StatusInternalServerError, err.Error()}
-		}
-
-		err = h.DB.RecordRemoteUserID(ctx, newUser.ID, tokenInfo.UserID, provider, clientID, tokenResponse.AccessToken)
+	if localUserID != -1 {
+		user, err := h.DB.GetUserByID(localUserID)
 		if err != nil {
+			log.Error("Unable to GetUserByID %d: %s", localUserID, err)
 			return impart.HTTPError{http.StatusInternalServerError, err.Error()}
 		}
-
-		if err := loginOrFail(h.Store, w, r, newUser); err != nil {
+		if err = loginOrFail(h.Store, w, r, user); err != nil {
+			log.Error("Unable to loginOrFail %d: %s", localUserID, err)
 			return impart.HTTPError{http.StatusInternalServerError, err.Error()}
 		}
 		return nil
 	}
 
-	user, err := h.DB.GetUserByID(localUserID)
-	if err != nil {
-		return impart.HTTPError{http.StatusInternalServerError, err.Error()}
+	tp := &oauthSignupPageParams{
+		AccessToken:     tokenResponse.AccessToken,
+		TokenUsername:   tokenInfo.Username,
+		TokenAlias:      tokenInfo.DisplayName,
+		TokenEmail:      tokenInfo.Email,
+		TokenRemoteUser: tokenInfo.UserID,
+		Provider:        provider,
+		ClientID:        clientID,
 	}
-	if err = loginOrFail(h.Store, w, r, user); err != nil {
-		return impart.HTTPError{http.StatusInternalServerError, err.Error()}
-	}
-	return nil
+	tp.TokenHash = tp.HashTokenParams(h.Config.Server.HashSeed)
+
+	return h.showOauthSignupPage(app, w, r, tp, nil)
 }
 
 func limitedJsonUnmarshal(body io.ReadCloser, n int, thing interface{}) error {
diff --git a/oauth_signup.go b/oauth_signup.go
new file mode 100644
index 0000000..53ad5c4
--- /dev/null
+++ b/oauth_signup.go
@@ -0,0 +1,209 @@
+package writefreely
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"github.com/writeas/impart"
+	"github.com/writeas/web-core/auth"
+	"github.com/writeas/web-core/log"
+	"github.com/writeas/writefreely/page"
+	"html/template"
+	"net/http"
+	"strings"
+	"time"
+)
+
+type viewOauthSignupVars struct {
+	page.StaticPage
+	To      string
+	Message template.HTML
+	Flashes []template.HTML
+
+	AccessToken     string
+	TokenUsername   string
+	TokenAlias      string
+	TokenEmail      string
+	TokenRemoteUser string
+	Provider        string
+	ClientID        string
+	TokenHash       string
+
+	Username string
+	Alias    string
+	Email    string
+}
+
+const (
+	oauthParamAccessToken       = "access_token"
+	oauthParamTokenUsername     = "token_username"
+	oauthParamTokenAlias        = "token_alias"
+	oauthParamTokenEmail        = "token_email"
+	oauthParamTokenRemoteUserID = "token_remote_user"
+	oauthParamClientID          = "client_id"
+	oauthParamProvider          = "provider"
+	oauthParamHash              = "signature"
+	oauthParamUsername          = "username"
+	oauthParamAlias             = "alias"
+	oauthParamEmail             = "email"
+	oauthParamPassword          = "password"
+)
+
+type oauthSignupPageParams struct {
+	AccessToken     string
+	TokenUsername   string
+	TokenAlias      string
+	TokenEmail      string
+	TokenRemoteUser string
+	ClientID        string
+	Provider        string
+	TokenHash       string
+}
+
+func (p oauthSignupPageParams) HashTokenParams(key string) string {
+	hasher := sha256.New()
+	hasher.Write([]byte(key))
+	hasher.Write([]byte(p.AccessToken))
+	hasher.Write([]byte(p.TokenUsername))
+	hasher.Write([]byte(p.TokenAlias))
+	hasher.Write([]byte(p.TokenEmail))
+	hasher.Write([]byte(p.TokenRemoteUser))
+	hasher.Write([]byte(p.ClientID))
+	hasher.Write([]byte(p.Provider))
+	return hex.EncodeToString(hasher.Sum(nil))
+}
+
+func (h oauthHandler) viewOauthSignup(app *App, w http.ResponseWriter, r *http.Request) error {
+	tp := &oauthSignupPageParams{
+		AccessToken:     r.FormValue(oauthParamAccessToken),
+		TokenUsername:   r.FormValue(oauthParamTokenUsername),
+		TokenAlias:      r.FormValue(oauthParamTokenAlias),
+		TokenEmail:      r.FormValue(oauthParamTokenEmail),
+		TokenRemoteUser: r.FormValue(oauthParamTokenRemoteUserID),
+		ClientID:        r.FormValue(oauthParamClientID),
+		Provider:        r.FormValue(oauthParamProvider),
+	}
+	if tp.HashTokenParams(h.Config.Server.HashSeed) != r.FormValue(oauthParamHash) {
+		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Request has been tampered with."}
+	}
+	tp.TokenHash = tp.HashTokenParams(h.Config.Server.HashSeed)
+	if err := h.validateOauthSignup(r); err != nil {
+		return h.showOauthSignupPage(app, w, r, tp, err)
+	}
+
+	hashedPass, err := auth.HashPass([]byte(r.FormValue(oauthParamPassword)))
+	if err != nil {
+		return h.showOauthSignupPage(app, w, r, tp, fmt.Errorf("unable to hash password"))
+	}
+	newUser := &User{
+		Username:   r.FormValue(oauthParamUsername),
+		HashedPass: hashedPass,
+		HasPass:    true,
+		Email:      prepareUserEmail(r.FormValue(oauthParamEmail), h.EmailKey),
+		Created:    time.Now().Truncate(time.Second).UTC(),
+	}
+	displayName := r.FormValue(oauthParamAlias)
+	if len(displayName) == 0 {
+		displayName = r.FormValue(oauthParamUsername)
+	}
+
+	err = h.DB.CreateUser(h.Config, newUser, displayName)
+	if err != nil {
+		return h.showOauthSignupPage(app, w, r, tp, err)
+	}
+
+	err = h.DB.RecordRemoteUserID(r.Context(), newUser.ID, r.FormValue(oauthParamTokenRemoteUserID), r.FormValue(oauthParamProvider), r.FormValue(oauthParamClientID), r.FormValue(oauthParamAccessToken))
+	if err != nil {
+		return h.showOauthSignupPage(app, w, r, tp, err)
+	}
+
+	if err := loginOrFail(h.Store, w, r, newUser); err != nil {
+		return h.showOauthSignupPage(app, w, r, tp, err)
+	}
+	return nil
+}
+
+func (h oauthHandler) validateOauthSignup(r *http.Request) error {
+	username := r.FormValue(oauthParamUsername)
+	if len(username) < 5 {
+		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Username is too short."}
+	}
+	if len(username) > 20 {
+		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Username is too long."}
+	}
+	alias := r.FormValue(oauthParamAlias)
+	if len(alias) < 5 {
+		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Alias is too short."}
+	}
+	if len(alias) > 20 {
+		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Alias is too long."}
+	}
+	password := r.FormValue("password")
+	if len(password) < 5 {
+		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Password is too short."}
+	}
+	email := r.FormValue(oauthParamEmail)
+	if len(email) > 0 {
+		parts := strings.Split(email, "@")
+		if len(parts) != 2 || (len(parts[0]) < 1 || len(parts[1]) < 1) {
+			return impart.HTTPError{Status: http.StatusBadRequest, Message: "Invalid email address"}
+		}
+	}
+	return nil
+}
+
+func (h oauthHandler) showOauthSignupPage(app *App, w http.ResponseWriter, r *http.Request, tp *oauthSignupPageParams, errMsg error) error {
+	username := tp.TokenUsername
+	alias := tp.TokenAlias
+	email := tp.TokenEmail
+
+	session, err := app.sessionStore.Get(r, cookieName)
+	if err != nil {
+		// Ignore this
+		log.Error("Unable to get session; ignoring: %v", err)
+	}
+
+	if tmpValue := r.FormValue(oauthParamUsername); len(tmpValue) > 0 {
+		username = tmpValue
+	}
+	if tmpValue := r.FormValue(oauthParamAlias); len(tmpValue) > 0 {
+		alias = tmpValue
+	}
+	if tmpValue := r.FormValue(oauthParamEmail); len(tmpValue) > 0 {
+		email = tmpValue
+	}
+
+	p := &viewOauthSignupVars{
+		StaticPage: pageForReq(app, r),
+		To:         r.FormValue("to"),
+		Flashes:    []template.HTML{},
+
+		AccessToken:     tp.AccessToken,
+		TokenUsername:   tp.TokenUsername,
+		TokenAlias:      tp.TokenAlias,
+		TokenEmail:      tp.TokenEmail,
+		TokenRemoteUser: tp.TokenRemoteUser,
+		Provider:        tp.Provider,
+		ClientID:        tp.ClientID,
+		TokenHash:       tp.TokenHash,
+
+		Username: username,
+		Alias:    alias,
+		Email:    email,
+	}
+
+	// Display any error messages
+	flashes, _ := getSessionFlashes(app, w, r, session)
+	for _, flash := range flashes {
+		p.Flashes = append(p.Flashes, template.HTML(flash))
+	}
+	if errMsg != nil {
+		p.Flashes = append(p.Flashes, template.HTML(errMsg.Error()))
+	}
+	err = pages["signup-oauth.tmpl"].ExecuteTemplate(w, "base", p)
+	if err != nil {
+		log.Error("Unable to render signup-oauth: %v", err)
+		return err
+	}
+	return nil
+}
diff --git a/oauth_slack.go b/oauth_slack.go
index 066aa18..5a6f4ed 100644
--- a/oauth_slack.go
+++ b/oauth_slack.go
@@ -3,6 +3,8 @@ package writefreely
 import (
 	"context"
 	"errors"
+	"fmt"
+	"github.com/writeas/nerds/store"
 	"github.com/writeas/slug"
 	"net/http"
 	"net/url"
@@ -151,7 +153,7 @@ func (c slackOauthClient) inspectOauthAccessToken(ctx context.Context, accessTok
 func (resp slackUserIdentityResponse) InspectResponse() *InspectResponse {
 	return &InspectResponse{
 		UserID:      resp.User.ID,
-		Username:    slug.Make(resp.User.Name),
+		Username:    fmt.Sprintf("%s-%s", slug.Make(resp.User.Name), store.Generate62RandomString(5)),
 		DisplayName: resp.User.Name,
 		Email:       resp.User.Email,
 	}
diff --git a/pages/signup-oauth.tmpl b/pages/signup-oauth.tmpl
index 1ca1101..35810bb 100644
--- a/pages/signup-oauth.tmpl
+++ b/pages/signup-oauth.tmpl
@@ -1,163 +1,38 @@
-{{define "head"}}
-<title>Sign up &mdash; {{.SiteName}}</title>
-
-<style type="text/css">
-h2 {
-	font-weight: normal;
-}
-#pricing.content-container div.form-container #payment-form {
-	display: block !important;
-}
-#pricing #signup-form table {
-	max-width: inherit !important;
-	width: 100%;
-}
-#pricing #payment-form table {
-	margin-top: 0 !important;
-	max-width: inherit !important;
-	width: 100%;
-}
-tr.subscription {
-	border-spacing: 0;
-}
-#pricing.content-container tr.subscription button {
-	margin-top: 0 !important;
-	margin-bottom: 0 !important;
-	width: 100%;
-}
-#pricing tr.subscription td {
-	padding: 0 0.5em;
-}
-#pricing table.billing > tbody > tr > td:first-child {
-	vertical-align: middle !important;
-}
-.billing-section {
-	display: none;
-}
-.billing-section.bill-me {
-	display: table-row;
-}
-#btn-create {
-	color: white !important;
-}
-#total-price {
-	padding-left: 0.5em;
-}
-#alias-site.demo {
-	color: #999;
-}
-#alias-site {
-	text-align: left;
-	margin: 0.5em 0;
-}
-form dd {
-	margin: 0;
-}
-</style>
+{{define "head"}}<title>Log in &mdash; {{.SiteName}}</title>
+<meta name="description" content="Log in to {{.SiteName}}.">
+<meta itemprop="description" content="Log in to {{.SiteName}}.">
+<style>input{margin-bottom:0.5em;}</style>
 {{end}}
 {{define "content"}}
-<div id="pricing" class="content-container wide-form">
-
-<div class="row">
-	<div style="margin: 0 auto; max-width: 25em;">
-		<h1>Sign up</h1>
-
-		{{ if .Error }}
-			<p style="font-style: italic">{{.Error}}</p>
-		{{ else }}
-		{{if .Flashes}}<ul class="errors">
-			{{range .Flashes}}<li class="urgent">{{.}}</li>{{end}}
-		</ul>{{end}}
+<div class="tight content-container">
+	<h1>Log in to {{.SiteName}}</h1>
+
+	{{if .Flashes}}<ul class="errors">
+		{{range .Flashes}}<li class="urgent">{{.}}</li>{{end}}
+	</ul>{{end}}
+
+	<form action="/oauth/signup" method="post" style="text-align: center;margin-top:1em;" onsubmit="disableSubmit()">
+	    <input type="hidden" name="access_token" value="{{ .AccessToken }}" />
+	    <input type="hidden" name="token_username" value="{{ .TokenUsername }}" />
+	    <input type="hidden" name="token_alias" value="{{ .TokenAlias }}" />
+	    <input type="hidden" name="token_email" value="{{ .TokenEmail }}" />
+	    <input type="hidden" name="token_remote_user" value="{{ .TokenRemoteUser }}" />
+	    <input type="hidden" name="provider" value="{{ .Provider }}" />
+	    <input type="hidden" name="client_id" value="{{ .ClientID }}" />
+	    <input type="hidden" name="signature" value="{{ .TokenHash }}" />
+
+		<input type="text" name="username" placeholder="Username" value="{{.Username}}" /><br />
+		<input type="text" name="alias" placeholder="Alias"{{ if .Alias }} value="{{.Alias}}"{{ end }} /><br />
+		<input type="text" name="email" placeholder="Email"{{ if .Email }} value="{{.Email}}"{{ end }} /><br />
+		<input type="password" name="password" placeholder="Password" /><br />
+		<input type="submit" id="btn-login" value="Login" />
+	</form>
 
-		<div id="billing">
-			<form action="/auth/signup-oauth" method="POST" id="signup-form" onsubmit="return signup()">
-				<input type="hidden" name="provider" value="{{.Provider}}" />
-				<input type="hidden" name="access_token" value="{{.AccessToken}}" />
-				<dl class="billing">
-					<label>
-						<dt>Username</dt>
-						<dd>
-							<input type="text" id="alias" name="alias" style="width: 100%; box-sizing: border-box;" tabindex="1" autofocus />
-							{{if .Federation}}<p id="alias-site" class="demo">@<strong>your-username</strong>@{{.FriendlyHost}}</p>{{else}}<p id="alias-site" class="demo">{{.FriendlyHost}}/<strong>your-username</strong></p>{{end}}
-						</dd>
-					</label>
-					<label>
-						<dt>Email (optional)</dt>
-						<dd><input type="email" name="email" id="email" style="letter-spacing: 1px; width: 100%; box-sizing: border-box;" placeholder="me@example.com" tabindex="3" /></dd>
-					</label>
-					<dt>
-						<button id="btn-create" type="submit" style="margin-top: 0">Create blog</button>
-					</dt>
-				</dl>
-			</form>
-		</div>
-		{{ end }}
-	</div>
-</div>
-
-<script type="text/javascript" src="/js/h.js"></script>
 <script type="text/javascript">
-function signup() {
-	// Validate input
-	if (!aliasOK) {
-		var $a = $alias;
-		$a.el.className = 'error';
-		$a.el.focus();
-		$a.el.scrollIntoView();
-		return false;
-	}
-
-	var $btn = document.getElementById('btn-create');
+function disableSubmit() {
+	var $btn = document.getElementById("btn-login");
+	$btn.value = "Logging in...";
 	$btn.disabled = true;
-	$btn.value = 'Creating...';
-	return true;
 }
-
-var $alias = H.getEl('alias');
-var $aliasSite = document.getElementById('alias-site');
-var aliasOK = true;
-var typingTimer;
-var doneTypingInterval = 750;
-var doneTyping = function() {
-	// Check on username
-	var alias = $alias.el.value;
-	if (alias != "") {
-		var params = {
-			username: alias
-		};
-		var http = new XMLHttpRequest();
-		http.open("POST", '/api/alias', true);
-
-		// Send the proper header information along with the request
-		http.setRequestHeader("Content-type", "application/json");
-
-		http.onreadystatechange = function() {
-			if (http.readyState == 4) {
-				data = JSON.parse(http.responseText);
-				if (http.status == 200) {
-					aliasOK = true;
-					$alias.removeClass('error');
-					$aliasSite.className = $aliasSite.className.replace(/(?:^|\s)demo(?!\S)/g, '');
-					$aliasSite.className = $aliasSite.className.replace(/(?:^|\s)error(?!\S)/g, '');
-					$aliasSite.innerHTML = '{{ if .Federation }}@<strong>' + data.data + '</strong>@{{.FriendlyHost}}{{ else }}{{.FriendlyHost}}/<strong>' + data.data + '</strong>/{{ end }}';
-				} else {
-					aliasOK = false;
-					$alias.setClass('error');
-					$aliasSite.className = 'error';
-					$aliasSite.textContent = data.error_msg;
-				}
-			}
-		}
-		http.send(JSON.stringify(params));
-	} else {
-		$aliasSite.className += ' demo';
-		$aliasSite.innerHTML = '{{ if .Federation }}@<strong>your-username</strong>@{{.FriendlyHost}}{{ else }}{{.FriendlyHost}}/<strong>your-username</strong>/{{ end }}';
-	}
-};
-$alias.on('keyup input', function() {
-	clearTimeout(typingTimer);
-	typingTimer = setTimeout(doneTyping, doneTypingInterval);
-});
 </script>
-
 {{end}}

From 5249456ec6791f19ce117535f2d0117c4fb5ada4 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Sun, 5 Jan 2020 11:00:11 -0500
Subject: [PATCH 3/9] Add .btn.cta link styles

---
 less/core.less | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/less/core.less b/less/core.less
index 8844c84..3669d76 100644
--- a/less/core.less
+++ b/less/core.less
@@ -684,18 +684,19 @@ select.inputform, textarea.inputform {
 	border: 1px solid #999;
 }
 
-input, button, select.inputform, textarea.inputform {
+input, button, select.inputform, textarea.inputform, a.btn {
 	padding: 0.5em;
 	font-family: @serifFont;
 	font-size: 100%;
 	.rounded(.25em);
-	&[type=submit], &.submit {
+	&[type=submit], &.submit, &.cta {
 		border: 1px solid @primary;
 		background: @primary;
 		color: white;
 		.transition(0.2s);
 		&:hover {
 			background-color: lighten(@primary, 3%);
+			text-decoration: none;
 		}
 		&:disabled {
 			cursor: default;

From 77e012680853d023678e76fa784c061d852b531c Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Sun, 5 Jan 2020 11:00:58 -0500
Subject: [PATCH 4/9] Move and restyle OAuth login links

- Move them above local login form
- Restyle as side-by-side buttons

Ref T712
---
 pages/login.tmpl                     |  59 ++++++++++++++++++++++-----
 static/img/sign_in_with_slack.png    | Bin 0 -> 2604 bytes
 static/img/sign_in_with_slack@2x.png | Bin 0 -> 5120 bytes
 3 files changed, 48 insertions(+), 11 deletions(-)
 create mode 100644 static/img/sign_in_with_slack.png
 create mode 100644 static/img/sign_in_with_slack@2x.png

diff --git a/pages/login.tmpl b/pages/login.tmpl
index 6c1b3ed..345b171 100644
--- a/pages/login.tmpl
+++ b/pages/login.tmpl
@@ -1,7 +1,38 @@
 {{define "head"}}<title>Log in &mdash; {{.SiteName}}</title>
 <meta name="description" content="Log in to {{.SiteName}}.">
 <meta itemprop="description" content="Log in to {{.SiteName}}.">
-<style>input{margin-bottom:0.5em;}</style>
+<style>
+input{margin-bottom:0.5em;}
+.or {
+	text-align: center;
+	margin-bottom: 3.5em;
+}
+.or p {
+	display: inline-block;
+	background-color: white;
+	padding: 0 1em;
+}
+.or hr {
+	margin-top: -1.6em;
+	margin-bottom: 0;
+}
+hr.short {
+	max-width: 30rem;
+}
+.row.signinbtns {
+	justify-content: space-evenly;
+	font-size: 1em;
+	margin-top: 3em;
+	margin-bottom: 2em;
+}
+.loginbtn {
+	height: 40px;
+}
+#writeas-login {
+	box-sizing: border-box;
+	font-size: 17px;
+}
+</style>
 {{end}}
 {{define "content"}}
 <div class="tight content-container">
@@ -11,6 +42,22 @@
 		{{range .Flashes}}<li class="urgent">{{.}}</li>{{end}}
 	</ul>{{end}}
 
+	{{ if or .OauthSlack .OauthWriteAs }}
+		<div class="row content-container signinbtns">
+		{{ if .OauthSlack }}
+			<a class="loginbtn" href="/oauth/slack"><img alt="Sign in with Slack" height="40" width="172" src="/img/sign_in_with_slack.png" srcset="/img/sign_in_with_slack.png 1x, /img/sign_in_with_slack@2x.png 2x" /></a>
+		{{ end }}
+		{{ if .OauthWriteAs }}
+			<a class="btn cta loginbtn" id="writeas-login" href="/oauth/write.as">Sign in with <strong>Write.as</strong></a>
+		{{ end }}
+		</div>
+
+		<div class="or">
+			<p>or</p>
+			<hr class="short" />
+		</div>
+	{{ end }}
+
 	<form action="/auth/login" method="post" style="text-align: center;margin-top:1em;" onsubmit="disableSubmit()">
 		<input type="text" name="alias" placeholder="Username" value="{{.LoginUsername}}" {{if not .LoginUsername}}autofocus{{end}} /><br />
 		<input type="password" name="pass" placeholder="Password" {{if .LoginUsername}}autofocus{{end}} /><br />
@@ -19,16 +66,6 @@
 	</form>
 
 	{{if and (not .SingleUser) .OpenRegistration}}<p style="text-align:center;font-size:0.9em;margin:3em auto;max-width:26em;">{{if .Message}}{{.Message}}{{else}}<em>No account yet?</em> <a href="/">Sign up</a> to start a blog.{{end}}</p>{{end}}
-	{{ if .OauthSlack }}
-	<p style="text-align:center;font-size:0.9em;margin:3em auto;max-width:26em;">
-	    <a href="/oauth/slack">Sign-in with Slack.</a>
-	</p>
-	{{ end }}
-	{{ if .OauthWriteAs }}
-    <p style="text-align:center;font-size:0.9em;margin:3em auto;max-width:26em;">
-        <a href="/oauth/write.as">Sign-in with Write.As.</a>
-    </p>
-    {{ end }}
 
 <script type="text/javascript">
 function disableSubmit() {
diff --git a/static/img/sign_in_with_slack.png b/static/img/sign_in_with_slack.png
new file mode 100644
index 0000000000000000000000000000000000000000..66e4298e6c5e55d0c1bd16fb239f6a0e2088f958
GIT binary patch
literal 2604
zcmV+{3e)w8P)<h;3K|Lk000e1NJLTq00682001Zm1^@s6V-OJ*000T|Nkl<ZcmeF1
z)tB2?*2U}3_@2J!c^P<VhA=ZTGcz+YGbfE<W@ad62p40DnfBB#J=d$%vMa8nQ%=ul
zuXR$^m26AbKb^bJQT%?dCjmht`~yRR9|r`NJn|2cufho@VDK%AL7~HI!q3FpfBd7O
z{_ja($i0ZD*n*s#T$Pts$dMyo3I<^jCSemsYr+p${TN70O8F!yb>s*(VYDXRX4v6S
ztWQ{u97ROM6u_z<K7rKxDa(-~7==|o%<W&nvpRA-Ev))ck^L3q$PuhMz&dh(b>!%i
z1@>Ncg*pZ0tGR!^eoQWt(ZQGZ)!_O{wZ6Sxx6@<g$dS*1Evk|lJkHbS4{}`*Sx~9)
z+(iB3;yhP;d3A}3D$C@^kxzk*FR21jOPok6(~)?8K($14Ua}lH@+q)YlKO@gSb#m2
zTBgJCPi(+O<|fJKa^!f}yoze=Ni5Z(XT^m4b1NKR9r+$u<5^=0D-~T}kL1#78Px`C
zwW{^HFzdZM?TeQ$b@1SiTDNYajvhOq)U-4i?cB9TbLK8kadEN!Y*kiPYRS?Se6Q+5
zWo2bruwaR{Y}u~b#Qp&Thbk$_`(%)jk)gf&4lq|*w0N0LojT*1vpswEt9^&AnlopC
zK2%$`?%=buc=2-I082N(6j+{OR$Ni7z~+?~tK0o;rVy)B_u%5i%lhv7Ci?2@2Cit>
zsJTKy!&FsO<=Ph%6rw*{ujAug-<h4At&gpkm{`6`Uw_k3MMcFz&z?Qk<SEltSXd~d
zS+nPf<G7K%QA9+Pnl@|2do0nX??9pT8#asW(PJj)L$!RxYCel|_6e}Gu7L8L@i51;
zCD`%ore%zlm$w<Gag&y6*{Z#wqhrL6`1tV?&6~f-l^yQhy{{ujj;Xr3S|3BF&z#eh
zE7w$CI)415Zrr>jqo02{3;;Y+e{Wz14IVCz?>}IOE?vH&BS(*`XRm(x`R8B%`+#lk
z?;Wt$v&wZjHNpmLQgM#vhMlmCHN3G>-ssh<*W%*GjGgHDVjevaK(Txq1qKD{mtT(v
z*jP5-ym_Pi`~sDfl!#-=mg(skI&t!}&R@8wyu3Vl(zWY1bo=&QA&%qy1qB6sF7^Zf
zOg6OX{)30WXStdD{R4IX{zLs<ckbTPgNKiV`22hK9=J06q)F4n99+G2T@N2VR%vOe
z3)tt+U+D1@e;unikI2X<xf9?0?RSmE@tm(+Zh_^ynIG&2e{Gg4KR;hw`|jQQboT6d
zWoBl11eWVNeE6uYUcLVDf#spVyI}1ZQUgPkR9soEPWQIBz?>3tSm=+y@^HZ$0oeBq
znu;ZI<HjvYOic2aJ<O6x_GP<myUrFXv2@u=;eB~MaL_O{YTQD6F54YCb`wCm6ZWHh
zhb}_V|5>t!4jaX1yWZccSASLmd$w7=O6=zbLPbSIu5(IDOBVt<wpXlNBjDn7kDh&n
zIIll0<4H-$E@1gya}ET))SWta?!kU+fp+cQOJ=SW*h7bYve_`s$v_(w70vuw_BU_Q
zRxe+^vH{CYYitgyW4#nzJQSeMdMwo**Rsli)g_?4k{YS|nNMZ(IO_#=fj%t{7wWu3
znhZe<88U*b;uhE!FJAJRLP>}$%EXhUfWZLUrfnw$2ZxXuDL_p2@fz4JU3+3t$h4X=
zbp~T(Vz(KVeLHsS7P@}@CfA~GzHLO-Vu)p#V^}F{z_Mx#A2FISWoBloyu93E2{vus
z#&s(+G@Na~^i&5}z$QkG9!COj3oP?Hea39vxN(cjuNE!avY+3Ax<S4B3}9R1$4_QX
zxGrtowv+R>080{R*Zw!KH*eWie_evIkmoA+@w)O4T~*1w2pN^!3RThh$Eq$al}nYy
zDoehs(pQJ=@%o4=a>7+tVGXE0J9p`6?pBH{8?Xrpi55V}2xOJH^A-vjU?)tRVuNbK
zhRt3ByKvD`8J#<Skuka$ZasLDrmZx1$OxhN^A~f&v8_pyrwfgrFs0@kTdSg?!UilF
zF><U|9=3arKFkY{dn&xRImv_uT6`?uS*wS|J~7VzwQD!HY#I?88|Tr(cI?#6{5B*E
zuCIQ8&D(iium8WdE3zi-5Xv02$u*YJbUM%it8#C3Qr6jj)EXtv59)n|HDD4}tzPHW
z5-eV_oD8PXqsNnRfI)F_Pdx#Pr(}%Q)q4Sp=VWaE{zGyn+DM!aKDt@+Hh``D2M(!0
z!)D6P$>A>`3w;Q%efth#>|J26-^`)07&c(z;}bY1uHBNASFT!X=8IrHJp#*hQ84qG
z-=f}%uEc+humM|<kYO1kiq1V!S;`fFd}m}|X&^7fk7_G|-U7CMlUra}CTZ9F^wY1p
zaN&}2b904!1T4jpIbZ&gp^R@e;82)-Oki2!%}t9aA`NuRj|Es(1+$DZCjo&$nmB2y
z3)qyDRP$b}Ky6(DEQj&JtVHz#Z1T4gEnwzuIH9tz7dBwA3+3teyaG1odTV*3o40P0
zoy?t0l?jYY00!PIu-w_S!6<m}Rlojv6hM3hEQJ<@BcEdd5g$z9$2iu-6R<O8&M|#v
zD)%}A`}%dfDO|a3icdVe@v$}!Yitz}5)z6(#)`RsMc5j)yLInPmxUrtLxzsTKG=#b
zYy{hF+H~YM`uM;WUk_Ho-v<A-^tYU)s@y`4z@mb{DYe4-=HizsPrEH|6!-L*0n`LV
z3#}B7U4m)TXW`TEQ20mo0X=~G1XzS$<(Tc;cgbkurmc)=+O%0ho`B^hHP=qIqL8cu
zu&hu9dP~rgO-@d+0gDIj+iwutuDKgKZlVQPx&d9g^<vBf+gJ%3ut03A0oPnFMOSrU
zi7H;CFrz}X0gI}NlT?`#X^-4!sj^6Q5kF#BSh!A}JPjPS$B_X6fh?&^G<{blhKaNE
z02$-4Bt1-y<tdpF6UrDjhdZ%+n!YK$M~<bfV?=w3F_wA{;s@p!ONODROBGHA{GB+C
zj)Coo8`ox*_3(&DaU9v(=*g1+SI^g-SjsP5x<c!V4hi#RNesM~annw`eEF)5pE$+&
z(HY<Yjit!q82ZI@SLh^|8-=HJd={D6i0%#7dgsnP-~8tnkCq_wu?j=xiYSiTq3ZHH
z)u(vk1)QtbtQQl^Byp!>6P^O(rz=N30G8I3W%<v&(~TUd`VyId|HwgifTfI<*0^z#
z6doQSNB_&fhQItHu=Hu^v)VjsRpD#-Lcr_D0oHh0Q;3=1;Q|i@Yy}pc)sZ8g0&BVl
zw7lrk@^Hb3hXV9jX<d2S4fuC^cWeUy2*W^-{ig;O=_zCBUJ4U@%Ny{`8-xW2iw_7}
z6@!BqTvcupa+?)FV<3*k)d<^@jE7`=o~BU_80DB-H+$sF9>vLbXYK+(5H6|i9pnoD
O0000<MNUMnLSTXfbPdS>

literal 0
HcmV?d00001

diff --git a/static/img/sign_in_with_slack@2x.png b/static/img/sign_in_with_slack@2x.png
new file mode 100644
index 0000000000000000000000000000000000000000..14a674ae1f0340cc739451794b182e78d4f1ed02
GIT binary patch
literal 5120
zcmV+b6#wgqP)<h;3K|Lk000e1NJLTq00CG4002-31^@s6Tu5!1000xmNkl<ZcmeF&
z1FS4(9ES0UZ5FZBMzw9*He=OpgW9%jyItejHrAZQ+xh4A+k0%E=a;<4#*@kHtT&KQ
zI=y>18ox0VO?(rIBo_Z0O%(r)#Kjn6vvJlyYoRsK+Gvdo=JmHeUzkWFb`3tzOTh<h
z_V<YxV~klN6E9jbgLysI>jj}`@)UQZ8jdB}OO~zBw(S{JYc;i6EzMQ{U=6euS`)2}
z)<}0`8|>s@Uf1n>#uiK59E$FE2YcsQt**WS0IZSLN^7RI(;6DgbL%`|^|d#!ZP>V3
zLjwS?X1acMJ(9Ht?wo7UDok7fU__C1=Vc4l)Xq6rJ4x$K3ycf^z@09zrUu(_DVE(5
zW+!Vo=L!I$Iw$LH_-a~P?W%zrIC=$uu|0~lwt9BKtUY6w9gGeDz*=fewYGY8uLOI>
zuI(Bf0D!gBnrdzJ+|>i4zY_rfz*_3=eBjv=HUPlba9t&^06<^?fWQL4NDx>60D%Pn
z0=wOB>%L_boslT&$Z%da%rEJWOhf(ob@M`96@FC*{`i1S{QWWAIrmd-s}}_T1h$K%
z<(7_$6twr>xn6r}byYn*w)h9_@y+eMcF<1`YDr;}0D!;-TEQ+%6?=u%ZJ&SgishSf
zBHLGJ&u{PO6<4>j{(4$1wfXG=Ah3%|t$yR`W~UAuI~CAhT-_GtH}cyBKw!V#;tv|w
zi_=9p=luQbpn?5tU4q{(00NuLHwO*u*~y}uQ~r2j(7?X8I?Qhu0D-NxWH)dTSO5fe
zJp8oHC$Inr?0ES*+t4ZT0)YiUV8_d*dRx(4v)kqtn*<gBfgNwtHL&G!Sql~}(xy$D
zHJE0zsV~0xN-w_nik2-~uIXm$)~$N=wKw$6yYH)1Dru%!yLO#kdihm-^zo;v*XtUo
zdGqG${`(*9Y{7zs8gH3QM$uSY_V@Mk&%esP2K#&K%a$!$bmdjob=&8kf2ql~e8q}h
zU)RsS{5tyr+xq`H*Dp8w`fy`?$op=qua%Y7m<G1e^cByn(wFN~cAe~m+!-O8&FO&$
zAJJ*2pRN7&KcurGk2+3QU46aYc;hYkzOSC{xZ|GA+a7fA5n338dAi8w^E%<g(>h=O
zg%@7tzQ-A1{rU|$;>hDV-`@>4-l~!M{`()h{ayU{)6e>ky|emq9M{(PUvlrk$HV7o
zm}i=qnVFfHnVFfHnVFfnJ5xQy%=^smL0O8*E<0|gAeC>e-C!$;ZAqWDHaQX~EG(35
z+ja!|#gy-Vs3eTJ$B&<gj(6|g6=}P4*$OFbuqc?<wRP+Eibb%bzp4x^uhQdwhQ#F*
zelo!x4&0Nkk4-c)z9O1d%ZmC-rRsEkvC^<nGr4l*n)b@yZ298L??T$loH<9z3rx~L
zZr!>g(Sr5sHx{|SckkX?YJX_BO#IZ;)KVkZxVVqfwrxkg-%&pQ;#-+FZy~QcDa!;K
zBUlQzn4wo*rP0ka$u0CwuxCF$v1>=|f`}A|dH(!`eDm#3bi6C+)w`eQs8qQ|$oaMF
zHb{BFwd*&EOj@?o(Sk#Vj)dGF{hXGTCML#?n;2~K^5v^iAy_omE?s)?-L3^Pj%l!E
zoM1_9g&h5oweNF06KtiE(~E6O>aE{s)v8@c=Z_jaPO!hGrlz6oFp)431PSQTqsOA-
z-1!UgOQmYU`M&)IDm!1f!K_(x1uY!%*|cd()V<7Z<jAo?zhNpkc<8WLp?QlorB1M$
zw`{ZBHDUAZ-Dd#i0sR~cWQ<_TI>AzM&`*Nx`!K^3!3MID9otgs&`;pR(mTFizd>S$
zvuDrS8t0kF<=H`$m6auVd3h48z-ejY9OAyQotHYncIn#FB%%;=6kv?4Sh-qi)vhm7
zrp_o2HrN=!QqR>-f^B;zT@;#KT;fQY``_Oda5>?HV_WLU`iWDg&V+RQjvc!shKhwJ
zPoC2ErAn}v2XLn9-`}!TJ8^^$1e=_kEZCsEf(42N%my)nrC7F~1UvObmMBcPzt530
zU!?yg;Bx$P$F>yh_7f*ho(}2w$y26FxWMDf_DxAbLV~R$t^a_*(ztO8VXKE0f<5=Z
zfkX26$<q*F&@20}`d-=ry!;H%PMy08p62=un##~&BLxlH3x<yv9sG^yGiHm9bLTDy
z$1#0ezkX8yrjzB%S4rzO9i(!Vn$oO!YZ)_Uf?!q&2W!@@5B~0i36mu=GgGW^?AQtE
z(W4I$0L9w3=Py{KzK?clXA#mjglj3>zyCm3PzMYg5;6wx&`+B-GbpcKy|yJ-`U11c
z;330_K9R;vTFA&zW98<p+Y%1Yu5~RMp>H|vH^CAugL91MS*2>tVB4R6sU|&p^=15t
z6V6|_D5J-Wr|*N;U8hb%o~7*Ex!V)LZvVY6nlx?6yih`)mVbghotWnvxqfjmMV@68
zh{DsfIQj3P(YA!y>FR0$ZVC2OoWCJZuV23j>G-d|`7vxQcIvd5A>Z-gL%`G!3_Gv0
zs6l%3=B<$9ckbSUplv@lYxX<|7y2Y?)w;dtz_YH-RjXb{Zrr#jRjbyr{B0&0*X<Vj
z_8$oOJh7fus9vK^h!ZY8KEY8-+Q0vxBCe3*{re9V1tznbzPNn(swKfP`I|OtW%-#e
zzxrO*t=lN!z^Y$yV$tV*5G;!g$^b-awln(C))vnqNGPMzGwas9mjr(O)iuEq>r3D2
zZR*u;jAk4aVOqS2fMVI7Os>1)a>c~<x7RF5w)WY%5|@?YhF~e$&6^P-;smKtvu=?A
z(4b*cv>?dxlL(dxj;5fWCmd|xprLj|MN|S>lO@42_|1Qta_RCFe+kz8@3TN@_wT$l
zg^1K=hYcSk2GBA&=SajWR;<>^jrd+if<>eCPOwVsp9PLXb|5Z+Gp^Y1z$HtT^L?HP
zmhtR%f#(^b$(nP8U5nfAz<KISu-L~l(SFV6N#93Tq5*FrAfkYJt_^Ow7i_LmUSuiF
z)e>m3<L~d2<`<VrkL&AY)r)hITaYh0?j*g%DHbBslO=M1HzPy}Y<G$qC}f_XZ4n(1
zF2NF0s-Ii6YAusq4=C5q^MCa_mIRC74B<HKm~ay(O$|BUv18YW5iG*ikYoz(gRL;;
zgAg;z<Z0p-`r?DR!NkHvON;zI+fWnSv#vb>CxYeqqai^AS{pL7IIe{6uqD_*gNFsP
ztN44!&=DLr77h0qXWxGJvm<eFua_=e4x3<ckg*F<=P+kL+FO1nyYAh4D-F`}IRbWe
z=J&I^z+8kG2a`|TdW|^Fj*ao@ieMQp=6Sv=mMR-X*t>VX%J{JrY@K)R+zpFh*(R#v
zOdd1R02`j3;6PwJup?MP$j~HA`<=e+`|kT+B1W(*5GL3P>TTK(o9PlvZvC?=JIUO}
zW3#4z)crAeHR8}UVHPQ8f;DWnUYuO><}VTxBq?w$`j`m^2M->0MY0I?;c#uRZ{ED6
z4+$+46WCw*j6RN7gp`(P#(T3M5`|+rye?k6%yV#MgJpMMoWtJE??xHH#=u}<(wJL!
zbL#>LxFT3Hwvla+6<TWcS=tvzu<JK$vUODH?Wivh34*oKoPcJFgzUYB$+3;KB#a(C
z`|1S1uER1C1T74Yc;pDyIf|fTr*8Uq;TpnDeCgA7fR-U>FN_zT!nClv+Gf33?WEXU
zcn#BHo?W<bNw=>fnCp~{J^BbX`@(&R@4rL>Rfo#^@B4*F&JDw}n3E?di}uOKHq#_f
zd!!@|UnRMZ-iRIYQ=dxu-3gL%wwWZItm#^k&oq?uTO%be{z{1kr!%0~I<iWeg9EL~
zCBb4#)z9(0W{41zP~V<<B3Qh_dOLo%#0b`~XF?3&0K1+}qzV+DQOBA5n>TM&|JP$c
ziTp4#n@Wvf&Ds<Q+MgG&GvK~4qu7wG(&jxAED;5_Z{HyT#Wa;5$_|S2(mcml@IbKk
zf>SFH2t;Qsf~1KX<@Fz$%B%lxVkueY?ukNvAVEI-IG{+I*MDsxX&X)yCGOYTC1Kxx
zC4SF8JWImfe@e!KSyIwq%d=p?VskK{CAlJ4Q=?(~M|;SE0j<YA_U_%Etx<&|ShlSC
z^HGG+xl8xpaV8$mRsFwat@@%+r*0#|b{7o<YgRmqXHl^vChXzi5G-SN(c-0qL7DCC
z2-b>xsT}7g!D0eJ!H7PB%{+2VBT8q2jcYc^wjCs^X|iapid=n>++R;gDL^9-V~grc
zuoQ%G^jLT3*hS^YS2%)&(9G;5A`JK*J>cF<X~oNpV@UffVRz9-unv(1r2o1hSQc-z
zeSOE|mS7hzS!SMt480O8<}zYvG3l7mJNPA{i(um#k9SS5c~9Rvw#8hakbZZ(Z{&)k
zTxc()0qUjd1A(A>w*-q8JZbW@ptA-$6Phb_O9Ir-oH-{76_H>8VMyxpXjjCss{a#$
zr9jPHb(}ugwQEm^R~$qg!8%k2qaJ|^f`wcy9Jfsvzu3NI#>_dk1bgJ@G4mWrI-i^>
zyKvzW^BiSCql;kQ{=L03!JfY_Absa~$F_l5BSj(QTytLuHu2Dx;xh=IcXSGk8$U@O
z1b9hZ5v&=8!X$M-g(O(r3`59}9`2;aeo|;h9mj+~2AKLkT2?tGSQc%f4hZeSx#Z*!
zRYJ_KBf(-~aSDYxedeq!!D0?D&T*fgOt3r~ZTu-Eg!vdf1pEH$K8~cB|2|$o>gpqo
zZE=bzq+aRaE5RlmuO@zi_&sI&W94K!Z-T850rY0*jT?eB3yBcJNf^tE7ca4^F~DL3
zYa|rlSp4bdszD9QfU+I(Tyc!3&q2PP2-ei1?%us$;si^)ZH=1s^n?u-51dc*CEB97
z$Rq56oTCV|ajuK$P+GluogKmQ9I<tq5j8{tm~(~nZ$jmq2-YrC55W`?H3UoKK(U1R
z?(?1kybx^GvsJzlED;5MR#-B_L<rHMG#v4(Y{$qeXCRsOSC<59rh3|Wg0V-D<_hsv
zNP-25V07WWOiZ6Xt4KTQ001upYX;C0@&;KQIdY7wxCj%haZm1r=S&2EGr?-($c(8b
z5eChb<Pm!ttbIZbF~3xxn=^Mle{)TSZP=M$Q9=yzMo40b4uUQCm@IGq(ZSw4aPpRC
zf|Y_?Nj_QIC-cBpQkWg@Bf(}eD8d@l6lMlt5G+|>ZXF9~(r5)0l3=G9&k?c8!@qj<
z8t2TnNO&b!oMoJ|OIya_7HNWo%#B*F&N6rI0@sNKBxA5Ea6{S#!P>-II|~}P8-fLp
zvDv0Y%eI6}Mn{-d?!!0oq0-<GqI~<$j*_wOk^rv+3ktI0B=u6KPa@ak)Ac1k^+`nD
ze?%1@CoPi@61Fn54~JkGAdn)&sj^hCF+yaR8q5-PNTbHhD<r`h#7SBw&)bqT4YJ@l
zc_vsu0TUa-VS$V^!KzeQv`Uo;W+znH!s!%lsw|)3ery+Zw)L~;%rBN;8P9~(nF@pX
zU8-uCTY{yZ^#~Cq%+2V@<SHnX+<UJiefwF-zWh)MGqVMFCRhXcX)h$_-G0e_xyik}
z*(LcY54kvrB#6BvBZyU(w->NwApjnY6;k6}Np|4PokNF?3`$~BlGVgz(Aib=G7G{`
z5>SOOY2R&Mk`N6*Zx@b}fO}S-Gt)mIRQ-ENjIaXsJJp8Li5>tMLQXii_#ShMXqHi=
z9fBFhR@33Qe*MMexbOPCA4zl|pPqbwB0ru!eWury(7($vZ5j~cthZxqg#*SKW(y)r
zSnx1^@G2P=atMd9VFk)$>c5L%do{DfC@sm@#+FT5GfqC0^2%a>sfy3?Y$1Is;Pj%7
z0d*({xk4!*`;2G=uER{vHLnXlgb8fI#QO5PN^lTEzEPVh>z!a@;4K0AwvR#V;@wfa
ze#UuF#SlXbF@nuYx+8hNU6!E4UzUQ*fK&jWY3SQM;yG>872CG!^uPA*0#~Xa2%~Us
z16d34gc$4t+YqdPIPNZ^{W4M9-QA(NC!~;Z!`_@PsV5^5<j<YD-PQ5B@vZ<R8L-R~
z=)2tN(Ax6h{;9Iu@e!(f2Mad}xNFR61$wgdvwnV_7Q@se8L(0B@9Zzj7(FeHb|E~+
zn)AucDM@o-z&_cxrj$=_%5uk%7<}}P^SI(}E9+lr=F{|-G*<>J_3?4LESjFBJCY38
zSKE(|3|QvL2Ijer3fT8Iclx(0$$({@?5Kcc>uq3b>!^TbovTWbwBP~DW`x-B)vp-Z
z&B+LXlL#1=J#2>-n+PPyfc>_ucHry+PDbd$NdyCD3$XoFk__0c0Wq`!7<I@zS%!AM
zIoKW?%J+^kESq_*j2xtO5QAGJ$$*t416Gn`z)F$<D@g{dB*}pN=SVVOoB1U_%zj>t
zB#A5~Q_0p;Yvl9%@|Gi}B}p?OOUYESHPxDV55GKm{G>>dW<!>esbp)aHJ3K>%Y{o<
ziX>?^WGR_Swx(LAv%31_Q@xeHynFY)NRp;QhLWXZD%ncFrn8N_)vMU~kmS`XnOap!
ze91YljMW5p?%pqwq{)z-v3h_^ttutHP}PI$YR&wGGGrxbvT%+3BulGG6kmQ+D{tWi
z(JrtjD@lWqk<k_)JIT<hQWRf)DbhFE1vG1UGs_NG+vR2iNsEjOBn!zzvXP98wm_}9
zw7#nJbMd9Sq9?nJJ7K)JZ&{XQS)a(t=(%<mUj`P-4C>AHCKk-HD<Q6I7qKkMvdBQP
ikW3^S$;hhGp!y0prNEzRPc1C~0000<MNUMnLSTXd)e)Nj

literal 0
HcmV?d00001


From 28cf4dd5f57472a2376877276e138422d7329bbd Mon Sep 17 00:00:00 2001
From: Nick Gerakines <ngerakines@users.noreply.github.com>
Date: Tue, 7 Jan 2020 15:22:25 -0500
Subject: [PATCH 5/9] Added state location register hook. T712.

---
 config/config.go | 18 +++++----
 oauth.go         | 97 ++++++++++++++++++++++++++++++++++++++----------
 oauth_slack.go   |  4 ++
 oauth_writeas.go |  4 ++
 4 files changed, 96 insertions(+), 27 deletions(-)

diff --git a/config/config.go b/config/config.go
index 6aee69b..56f83a5 100644
--- a/config/config.go
+++ b/config/config.go
@@ -59,17 +59,19 @@ type (
 	}
 
 	WriteAsOauthCfg struct {
-		ClientID        string `ini:"client_id"`
-		ClientSecret    string `ini:"client_secret"`
-		AuthLocation    string `ini:"auth_location"`
-		TokenLocation   string `ini:"token_location"`
-		InspectLocation string `ini:"inspect_location"`
+		ClientID              string `ini:"client_id"`
+		ClientSecret          string `ini:"client_secret"`
+		AuthLocation          string `ini:"auth_location"`
+		TokenLocation         string `ini:"token_location"`
+		InspectLocation       string `ini:"inspect_location"`
+		StateRegisterLocation string `ini:"state_register_location"`
 	}
 
 	SlackOauthCfg struct {
-		ClientID     string `ini:"client_id"`
-		ClientSecret string `ini:"client_secret"`
-		TeamID       string `ini:"team_id"`
+		ClientID              string `ini:"client_id"`
+		ClientSecret          string `ini:"client_secret"`
+		TeamID                string `ini:"team_id"`
+		StateRegisterLocation string `ini:"state_register_location"`
 	}
 
 	// AppCfg holds values that affect how the application functions
diff --git a/oauth.go b/oauth.go
index 67c4ac8..363999a 100644
--- a/oauth.go
+++ b/oauth.go
@@ -3,6 +3,7 @@ package writefreely
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"github.com/gorilla/mux"
 	"github.com/gorilla/sessions"
@@ -12,6 +13,8 @@ import (
 	"io"
 	"io/ioutil"
 	"net/http"
+	"net/url"
+	"strings"
 	"time"
 )
 
@@ -71,17 +74,25 @@ type HttpClient interface {
 type oauthClient interface {
 	GetProvider() string
 	GetClientID() string
+	GetCallbackLocation() string
 	buildLoginURL(state string) (string, error)
 	exchangeOauthCode(ctx context.Context, code string) (*TokenResponse, error)
 	inspectOauthAccessToken(ctx context.Context, accessToken string) (*InspectResponse, error)
 }
 
+type oauthStateRegisterer struct {
+	location         string
+	callbackLocation string
+	httpClient       HttpClient
+}
+
 type oauthHandler struct {
-	Config      *config.Config
-	DB          OAuthDatastore
-	Store       sessions.Store
-	EmailKey    []byte
-	oauthClient oauthClient
+	Config               *config.Config
+	DB                   OAuthDatastore
+	Store                sessions.Store
+	EmailKey             []byte
+	oauthClient          oauthClient
+	oauthStateRegisterer *oauthStateRegisterer
 }
 
 func (h oauthHandler) viewOauthInit(app *App, w http.ResponseWriter, r *http.Request) error {
@@ -90,6 +101,13 @@ func (h oauthHandler) viewOauthInit(app *App, w http.ResponseWriter, r *http.Req
 	if err != nil {
 		return impart.HTTPError{http.StatusInternalServerError, "could not prepare oauth redirect url"}
 	}
+
+	if h.oauthStateRegisterer != nil {
+		if err := h.oauthStateRegisterer.register(ctx, state); err != nil {
+			return impart.HTTPError{http.StatusInternalServerError, "could not register state location"}
+		}
+	}
+
 	location, err := h.oauthClient.buildLoginURL(state)
 	if err != nil {
 		return impart.HTTPError{http.StatusInternalServerError, "could not prepare oauth redirect url"}
@@ -99,19 +117,36 @@ func (h oauthHandler) viewOauthInit(app *App, w http.ResponseWriter, r *http.Req
 
 func configureSlackOauth(parentHandler *Handler, r *mux.Router, app *App) {
 	if app.Config().SlackOauth.ClientID != "" {
+		var stateRegisterClient *oauthStateRegisterer = nil
+		if app.Config().SlackOauth.StateRegisterLocation != "" {
+			stateRegisterClient = &oauthStateRegisterer{
+				location:         app.Config().SlackOauth.StateRegisterLocation,
+				callbackLocation: app.Config().App.Host + "/oauth/callback",
+				httpClient:       config.DefaultHTTPClient(),
+			}
+		}
 		oauthClient := slackOauthClient{
-			ClientID:         app.Config().SlackOauth.ClientID,
-			ClientSecret:     app.Config().SlackOauth.ClientSecret,
-			TeamID:           app.Config().SlackOauth.TeamID,
-			CallbackLocation: app.Config().App.Host + "/oauth/callback",
-			HttpClient:       config.DefaultHTTPClient(),
+			ClientID:     app.Config().SlackOauth.ClientID,
+			ClientSecret: app.Config().SlackOauth.ClientSecret,
+			TeamID:       app.Config().SlackOauth.TeamID,
+			HttpClient:   config.DefaultHTTPClient(),
+			//CallbackLocation: app.Config().App.Host + "/oauth/callback",
+			CallbackLocation: "http://localhost:5000/callback",
 		}
-		configureOauthRoutes(parentHandler, r, app, oauthClient)
+		configureOauthRoutes(parentHandler, r, app, oauthClient, stateRegisterClient)
 	}
 }
 
 func configureWriteAsOauth(parentHandler *Handler, r *mux.Router, app *App) {
 	if app.Config().WriteAsOauth.ClientID != "" {
+		var stateRegisterClient *oauthStateRegisterer = nil
+		if app.Config().WriteAsOauth.StateRegisterLocation != "" {
+			stateRegisterClient = &oauthStateRegisterer{
+				location:         app.Config().WriteAsOauth.StateRegisterLocation,
+				callbackLocation: app.Config().App.Host + "/oauth/callback",
+				httpClient:       config.DefaultHTTPClient(),
+			}
+		}
 		oauthClient := writeAsOauthClient{
 			ClientID:         app.Config().WriteAsOauth.ClientID,
 			ClientSecret:     app.Config().WriteAsOauth.ClientSecret,
@@ -119,19 +154,20 @@ func configureWriteAsOauth(parentHandler *Handler, r *mux.Router, app *App) {
 			InspectLocation:  config.OrDefaultString(app.Config().WriteAsOauth.InspectLocation, writeAsIdentityLocation),
 			AuthLocation:     config.OrDefaultString(app.Config().WriteAsOauth.AuthLocation, writeAsAuthLocation),
 			HttpClient:       config.DefaultHTTPClient(),
-			CallbackLocation: app.Config().App.Host + "/oauth/callback",
+			CallbackLocation: "http://localhost:5000/callback",
 		}
-		configureOauthRoutes(parentHandler, r, app, oauthClient)
+		configureOauthRoutes(parentHandler, r, app, oauthClient, stateRegisterClient)
 	}
 }
 
-func configureOauthRoutes(parentHandler *Handler, r *mux.Router, app *App, oauthClient oauthClient) {
+func configureOauthRoutes(parentHandler *Handler, r *mux.Router, app *App, oauthClient oauthClient, stateRegisterClient *oauthStateRegisterer) {
 	handler := &oauthHandler{
-		Config:      app.Config(),
-		DB:          app.DB(),
-		Store:       app.SessionStore(),
-		oauthClient: oauthClient,
-		EmailKey:    app.keys.EmailKey,
+		Config:               app.Config(),
+		DB:                   app.DB(),
+		Store:                app.SessionStore(),
+		oauthClient:          oauthClient,
+		EmailKey:             app.keys.EmailKey,
+		oauthStateRegisterer: stateRegisterClient,
 	}
 	r.HandleFunc("/oauth/"+oauthClient.GetProvider(), parentHandler.OAuth(handler.viewOauthInit)).Methods("GET")
 	r.HandleFunc("/oauth/callback", parentHandler.OAuth(handler.viewOauthCallback)).Methods("GET")
@@ -197,6 +233,29 @@ func (h oauthHandler) viewOauthCallback(app *App, w http.ResponseWriter, r *http
 	return h.showOauthSignupPage(app, w, r, tp, nil)
 }
 
+func (r *oauthStateRegisterer) register(ctx context.Context, state string) error {
+	form := url.Values{}
+	form.Add("state", state)
+	form.Add("location", r.callbackLocation)
+	req, err := http.NewRequestWithContext(ctx, "POST", r.location, strings.NewReader(form.Encode()))
+	if err != nil {
+		return err
+	}
+	req.Header.Set("User-Agent", "writefreely")
+	req.Header.Set("Accept", "application/json")
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+	resp, err := r.httpClient.Do(req)
+	if err != nil {
+		return err
+	}
+	if resp.StatusCode != http.StatusCreated {
+		return errors.New("register state and location")
+	}
+
+	return nil
+}
+
 func limitedJsonUnmarshal(body io.ReadCloser, n int, thing interface{}) error {
 	lr := io.LimitReader(body, int64(n+1))
 	data, err := ioutil.ReadAll(lr)
diff --git a/oauth_slack.go b/oauth_slack.go
index 5a6f4ed..8cf4992 100644
--- a/oauth_slack.go
+++ b/oauth_slack.go
@@ -62,6 +62,10 @@ func (c slackOauthClient) GetClientID() string {
 	return c.ClientID
 }
 
+func (c slackOauthClient) GetCallbackLocation() string {
+	return c.CallbackLocation
+}
+
 func (c slackOauthClient) buildLoginURL(state string) (string, error) {
 	u, err := url.Parse(slackAuthLocation)
 	if err != nil {
diff --git a/oauth_writeas.go b/oauth_writeas.go
index eb12f64..6251a16 100644
--- a/oauth_writeas.go
+++ b/oauth_writeas.go
@@ -34,6 +34,10 @@ func (c writeAsOauthClient) GetClientID() string {
 	return c.ClientID
 }
 
+func (c writeAsOauthClient) GetCallbackLocation() string {
+	return c.CallbackLocation
+}
+
 func (c writeAsOauthClient) buildLoginURL(state string) (string, error) {
 	u, err := url.Parse(c.AuthLocation)
 	if err != nil {

From d66091a356fa1a1b22a83cd227cc7093b3de59db Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Tue, 7 Jan 2020 16:27:25 -0500
Subject: [PATCH 6/9] Bump Travis build to Go 1.13

---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.travis.yml b/.travis.yml
index 1e58d6b..fddc71c 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,7 +1,7 @@
 language: go
 
 go:
-  - "1.11.x"
+  - "1.13.x"
 
 env:
   - GO111MODULE=on

From 5e765652719d7bbdaa5ff96a678fcf2bc1328708 Mon Sep 17 00:00:00 2001
From: Nick Gerakines <ngerakines@users.noreply.github.com>
Date: Tue, 7 Jan 2020 21:47:23 -0500
Subject: [PATCH 7/9] Code cleanup per PR feedback. T712

---
 config/config.go | 22 +++++++------
 oauth.go         | 81 +++++++++++++++++++++++++-----------------------
 2 files changed, 55 insertions(+), 48 deletions(-)

diff --git a/config/config.go b/config/config.go
index 56f83a5..2616e9e 100644
--- a/config/config.go
+++ b/config/config.go
@@ -59,19 +59,21 @@ type (
 	}
 
 	WriteAsOauthCfg struct {
-		ClientID              string `ini:"client_id"`
-		ClientSecret          string `ini:"client_secret"`
-		AuthLocation          string `ini:"auth_location"`
-		TokenLocation         string `ini:"token_location"`
-		InspectLocation       string `ini:"inspect_location"`
-		StateRegisterLocation string `ini:"state_register_location"`
+		ClientID         string `ini:"client_id"`
+		ClientSecret     string `ini:"client_secret"`
+		AuthLocation     string `ini:"auth_location"`
+		TokenLocation    string `ini:"token_location"`
+		InspectLocation  string `ini:"inspect_location"`
+		CallbackProxy    string `ini:"callback_proxy"`
+		CallbackProxyAPI string `ini:"callback_proxy_api"`
 	}
 
 	SlackOauthCfg struct {
-		ClientID              string `ini:"client_id"`
-		ClientSecret          string `ini:"client_secret"`
-		TeamID                string `ini:"team_id"`
-		StateRegisterLocation string `ini:"state_register_location"`
+		ClientID         string `ini:"client_id"`
+		ClientSecret     string `ini:"client_secret"`
+		TeamID           string `ini:"team_id"`
+		CallbackProxy    string `ini:"callback_proxy"`
+		CallbackProxyAPI string `ini:"callback_proxy_api"`
 	}
 
 	// AppCfg holds values that affect how the application functions
diff --git a/oauth.go b/oauth.go
index 363999a..eb47c91 100644
--- a/oauth.go
+++ b/oauth.go
@@ -3,7 +3,6 @@ package writefreely
 import (
 	"context"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"github.com/gorilla/mux"
 	"github.com/gorilla/sessions"
@@ -80,19 +79,19 @@ type oauthClient interface {
 	inspectOauthAccessToken(ctx context.Context, accessToken string) (*InspectResponse, error)
 }
 
-type oauthStateRegisterer struct {
-	location         string
+type callbackProxyClient struct {
+	server           string
 	callbackLocation string
 	httpClient       HttpClient
 }
 
 type oauthHandler struct {
-	Config               *config.Config
-	DB                   OAuthDatastore
-	Store                sessions.Store
-	EmailKey             []byte
-	oauthClient          oauthClient
-	oauthStateRegisterer *oauthStateRegisterer
+	Config        *config.Config
+	DB            OAuthDatastore
+	Store         sessions.Store
+	EmailKey      []byte
+	oauthClient   oauthClient
+	callbackProxy *callbackProxyClient
 }
 
 func (h oauthHandler) viewOauthInit(app *App, w http.ResponseWriter, r *http.Request) error {
@@ -102,9 +101,9 @@ func (h oauthHandler) viewOauthInit(app *App, w http.ResponseWriter, r *http.Req
 		return impart.HTTPError{http.StatusInternalServerError, "could not prepare oauth redirect url"}
 	}
 
-	if h.oauthStateRegisterer != nil {
-		if err := h.oauthStateRegisterer.register(ctx, state); err != nil {
-			return impart.HTTPError{http.StatusInternalServerError, "could not register state location"}
+	if h.callbackProxy != nil {
+		if err := h.callbackProxy.register(ctx, state); err != nil {
+			return impart.HTTPError{http.StatusInternalServerError, "could not register state server"}
 		}
 	}
 
@@ -117,21 +116,23 @@ func (h oauthHandler) viewOauthInit(app *App, w http.ResponseWriter, r *http.Req
 
 func configureSlackOauth(parentHandler *Handler, r *mux.Router, app *App) {
 	if app.Config().SlackOauth.ClientID != "" {
-		var stateRegisterClient *oauthStateRegisterer = nil
-		if app.Config().SlackOauth.StateRegisterLocation != "" {
-			stateRegisterClient = &oauthStateRegisterer{
-				location:         app.Config().SlackOauth.StateRegisterLocation,
+		callbackLocation := app.Config().App.Host + "/oauth/callback"
+
+		var stateRegisterClient *callbackProxyClient = nil
+		if app.Config().SlackOauth.CallbackProxyAPI != "" {
+			stateRegisterClient = &callbackProxyClient{
+				server:           app.Config().SlackOauth.CallbackProxyAPI,
 				callbackLocation: app.Config().App.Host + "/oauth/callback",
 				httpClient:       config.DefaultHTTPClient(),
 			}
+			callbackLocation = app.Config().SlackOauth.CallbackProxy
 		}
 		oauthClient := slackOauthClient{
-			ClientID:     app.Config().SlackOauth.ClientID,
-			ClientSecret: app.Config().SlackOauth.ClientSecret,
-			TeamID:       app.Config().SlackOauth.TeamID,
-			HttpClient:   config.DefaultHTTPClient(),
-			//CallbackLocation: app.Config().App.Host + "/oauth/callback",
-			CallbackLocation: "http://localhost:5000/callback",
+			ClientID:         app.Config().SlackOauth.ClientID,
+			ClientSecret:     app.Config().SlackOauth.ClientSecret,
+			TeamID:           app.Config().SlackOauth.TeamID,
+			HttpClient:       config.DefaultHTTPClient(),
+			CallbackLocation: callbackLocation,
 		}
 		configureOauthRoutes(parentHandler, r, app, oauthClient, stateRegisterClient)
 	}
@@ -139,14 +140,18 @@ func configureSlackOauth(parentHandler *Handler, r *mux.Router, app *App) {
 
 func configureWriteAsOauth(parentHandler *Handler, r *mux.Router, app *App) {
 	if app.Config().WriteAsOauth.ClientID != "" {
-		var stateRegisterClient *oauthStateRegisterer = nil
-		if app.Config().WriteAsOauth.StateRegisterLocation != "" {
-			stateRegisterClient = &oauthStateRegisterer{
-				location:         app.Config().WriteAsOauth.StateRegisterLocation,
+		callbackLocation := app.Config().App.Host + "/oauth/callback"
+
+		var callbackProxy *callbackProxyClient = nil
+		if app.Config().WriteAsOauth.CallbackProxy != "" {
+			callbackProxy = &callbackProxyClient{
+				server:           app.Config().WriteAsOauth.CallbackProxyAPI,
 				callbackLocation: app.Config().App.Host + "/oauth/callback",
 				httpClient:       config.DefaultHTTPClient(),
 			}
+			callbackLocation = app.Config().SlackOauth.CallbackProxy
 		}
+
 		oauthClient := writeAsOauthClient{
 			ClientID:         app.Config().WriteAsOauth.ClientID,
 			ClientSecret:     app.Config().WriteAsOauth.ClientSecret,
@@ -154,20 +159,20 @@ func configureWriteAsOauth(parentHandler *Handler, r *mux.Router, app *App) {
 			InspectLocation:  config.OrDefaultString(app.Config().WriteAsOauth.InspectLocation, writeAsIdentityLocation),
 			AuthLocation:     config.OrDefaultString(app.Config().WriteAsOauth.AuthLocation, writeAsAuthLocation),
 			HttpClient:       config.DefaultHTTPClient(),
-			CallbackLocation: "http://localhost:5000/callback",
+			CallbackLocation: callbackLocation,
 		}
-		configureOauthRoutes(parentHandler, r, app, oauthClient, stateRegisterClient)
+		configureOauthRoutes(parentHandler, r, app, oauthClient, callbackProxy)
 	}
 }
 
-func configureOauthRoutes(parentHandler *Handler, r *mux.Router, app *App, oauthClient oauthClient, stateRegisterClient *oauthStateRegisterer) {
+func configureOauthRoutes(parentHandler *Handler, r *mux.Router, app *App, oauthClient oauthClient, callbackProxy *callbackProxyClient) {
 	handler := &oauthHandler{
-		Config:               app.Config(),
-		DB:                   app.DB(),
-		Store:                app.SessionStore(),
-		oauthClient:          oauthClient,
-		EmailKey:             app.keys.EmailKey,
-		oauthStateRegisterer: stateRegisterClient,
+		Config:        app.Config(),
+		DB:            app.DB(),
+		Store:         app.SessionStore(),
+		oauthClient:   oauthClient,
+		EmailKey:      app.keys.EmailKey,
+		callbackProxy: callbackProxy,
 	}
 	r.HandleFunc("/oauth/"+oauthClient.GetProvider(), parentHandler.OAuth(handler.viewOauthInit)).Methods("GET")
 	r.HandleFunc("/oauth/callback", parentHandler.OAuth(handler.viewOauthCallback)).Methods("GET")
@@ -233,11 +238,11 @@ func (h oauthHandler) viewOauthCallback(app *App, w http.ResponseWriter, r *http
 	return h.showOauthSignupPage(app, w, r, tp, nil)
 }
 
-func (r *oauthStateRegisterer) register(ctx context.Context, state string) error {
+func (r *callbackProxyClient) register(ctx context.Context, state string) error {
 	form := url.Values{}
 	form.Add("state", state)
 	form.Add("location", r.callbackLocation)
-	req, err := http.NewRequestWithContext(ctx, "POST", r.location, strings.NewReader(form.Encode()))
+	req, err := http.NewRequestWithContext(ctx, "POST", r.server, strings.NewReader(form.Encode()))
 	if err != nil {
 		return err
 	}
@@ -250,7 +255,7 @@ func (r *oauthStateRegisterer) register(ctx context.Context, state string) error
 		return err
 	}
 	if resp.StatusCode != http.StatusCreated {
-		return errors.New("register state and location")
+		return fmt.Errorf("unable register state location: %d", resp.StatusCode)
 	}
 
 	return nil

From 6d79ed3cfdf3e2fcc80ed4938c68a5b04d85dcb0 Mon Sep 17 00:00:00 2001
From: Nick Gerakines <ngerakines@users.noreply.github.com>
Date: Tue, 7 Jan 2020 21:52:51 -0500
Subject: [PATCH 8/9] Updating oauth form validation per PR feedback. T712

---
 oauth_signup.go | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/oauth_signup.go b/oauth_signup.go
index 53ad5c4..cf90af6 100644
--- a/oauth_signup.go
+++ b/oauth_signup.go
@@ -125,21 +125,18 @@ func (h oauthHandler) viewOauthSignup(app *App, w http.ResponseWriter, r *http.R
 
 func (h oauthHandler) validateOauthSignup(r *http.Request) error {
 	username := r.FormValue(oauthParamUsername)
-	if len(username) < 5 {
+	if len(username) < h.Config.App.MinUsernameLen {
 		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Username is too short."}
 	}
-	if len(username) > 20 {
+	if len(username) > 100 {
 		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Username is too long."}
 	}
 	alias := r.FormValue(oauthParamAlias)
-	if len(alias) < 5 {
+	if len(alias) == 0 {
 		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Alias is too short."}
 	}
-	if len(alias) > 20 {
-		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Alias is too long."}
-	}
 	password := r.FormValue("password")
-	if len(password) < 5 {
+	if len(password) == 0 {
 		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Password is too short."}
 	}
 	email := r.FormValue(oauthParamEmail)

From 8ddfce4f199a85aee3a205a91f7f229967132dee Mon Sep 17 00:00:00 2001
From: Nick Gerakines <ngerakines@users.noreply.github.com>
Date: Tue, 7 Jan 2020 22:13:29 -0500
Subject: [PATCH 9/9] oauth signup page changes per PR feedback. T712

---
 pages/signup-oauth.tmpl | 112 ++++++++++++++++++++++++++++++++++------
 1 file changed, 96 insertions(+), 16 deletions(-)

diff --git a/pages/signup-oauth.tmpl b/pages/signup-oauth.tmpl
index 35810bb..34081cf 100644
--- a/pages/signup-oauth.tmpl
+++ b/pages/signup-oauth.tmpl
@@ -2,31 +2,111 @@
 <meta name="description" content="Log in to {{.SiteName}}.">
 <meta itemprop="description" content="Log in to {{.SiteName}}.">
 <style>input{margin-bottom:0.5em;}</style>
+<style type="text/css">
+h2 {
+	font-weight: normal;
+}
+#pricing.content-container div.form-container #payment-form {
+	display: block !important;
+}
+#pricing #signup-form table {
+	max-width: inherit !important;
+	width: 100%;
+}
+#pricing #payment-form table {
+	margin-top: 0 !important;
+	max-width: inherit !important;
+	width: 100%;
+}
+tr.subscription {
+	border-spacing: 0;
+}
+#pricing.content-container tr.subscription button {
+	margin-top: 0 !important;
+	margin-bottom: 0 !important;
+	width: 100%;
+}
+#pricing tr.subscription td {
+	padding: 0 0.5em;
+}
+#pricing table.billing > tbody > tr > td:first-child {
+	vertical-align: middle !important;
+}
+.billing-section {
+	display: none;
+}
+.billing-section.bill-me {
+	display: table-row;
+}
+#btn-create {
+	color: white !important;
+}
+#total-price {
+	padding-left: 0.5em;
+}
+#alias-site.demo {
+	color: #999;
+}
+#alias-site {
+	text-align: left;
+	margin: 0.5em 0;
+}
+form dd {
+	margin: 0;
+}
+</style>
 {{end}}
 {{define "content"}}
-<div class="tight content-container">
+<div id="pricing" class="tight content-container">
 	<h1>Log in to {{.SiteName}}</h1>
 
 	{{if .Flashes}}<ul class="errors">
 		{{range .Flashes}}<li class="urgent">{{.}}</li>{{end}}
 	</ul>{{end}}
 
-	<form action="/oauth/signup" method="post" style="text-align: center;margin-top:1em;" onsubmit="disableSubmit()">
-	    <input type="hidden" name="access_token" value="{{ .AccessToken }}" />
-	    <input type="hidden" name="token_username" value="{{ .TokenUsername }}" />
-	    <input type="hidden" name="token_alias" value="{{ .TokenAlias }}" />
-	    <input type="hidden" name="token_email" value="{{ .TokenEmail }}" />
-	    <input type="hidden" name="token_remote_user" value="{{ .TokenRemoteUser }}" />
-	    <input type="hidden" name="provider" value="{{ .Provider }}" />
-	    <input type="hidden" name="client_id" value="{{ .ClientID }}" />
-	    <input type="hidden" name="signature" value="{{ .TokenHash }}" />
+    <div id="billing">
+	    <form action="/oauth/signup" method="post" style="text-align: center;margin-top:1em;" onsubmit="disableSubmit()">
+	        <input type="hidden" name="access_token" value="{{ .AccessToken }}" />
+	        <input type="hidden" name="token_username" value="{{ .TokenUsername }}" />
+	        <input type="hidden" name="token_alias" value="{{ .TokenAlias }}" />
+	        <input type="hidden" name="token_email" value="{{ .TokenEmail }}" />
+	        <input type="hidden" name="token_remote_user" value="{{ .TokenRemoteUser }}" />
+	        <input type="hidden" name="provider" value="{{ .Provider }}" />
+	        <input type="hidden" name="client_id" value="{{ .ClientID }}" />
+	        <input type="hidden" name="signature" value="{{ .TokenHash }}" />
 
-		<input type="text" name="username" placeholder="Username" value="{{.Username}}" /><br />
-		<input type="text" name="alias" placeholder="Alias"{{ if .Alias }} value="{{.Alias}}"{{ end }} /><br />
-		<input type="text" name="email" placeholder="Email"{{ if .Email }} value="{{.Email}}"{{ end }} /><br />
-		<input type="password" name="password" placeholder="Password" /><br />
-		<input type="submit" id="btn-login" value="Login" />
-	</form>
+            <dl class="billing">
+                <label>
+                    <dt>Blog Title</dt>
+                    <dd>
+                        <input type="text" style="width: 100%; box-sizing: border-box;" name="alias" placeholder="Alias"{{ if .Alias }} value="{{.Alias}}"{{ end }} />
+                    </dd>
+                </label>
+                <label>
+                    <dt>Username</dt>
+					<dd>
+		<input type="text" name="username" style="width: 100%; box-sizing: border-box;" placeholder="Username" value="{{.Username}}" /><br />
+		{{if .Federation}}<p id="alias-site" class="demo">@<strong>your-username</strong>@{{.FriendlyHost}}</p>{{else}}<p id="alias-site" class="demo">{{.FriendlyHost}}/<strong>your-username</strong></p>{{end}}
+                    </dd>
+                </label>
+                <label>
+                    <dt>Email</dt>
+                    <dd>
+<input type="text" name="email" style="width: 100%; box-sizing: border-box;" placeholder="Email"{{ if .Email }} value="{{.Email}}"{{ end }} />
+                    </dd>
+                </label>
+                <label>
+                    <dt>Password</dt>
+                    <dd>
+<input type="password" name="password" style="width: 100%; box-sizing: border-box;" placeholder="Password" /><br />
+                    </dd>
+                </label>
+                <dt>
+                    <input type="submit" id="btn-login" value="Login" />
+                </dt>
+            </dl>
+        </form>
+    </div>
 
 <script type="text/javascript">
 function disableSubmit() {