From d2978597053e3526e85506184a51b9af4ca08fe1 Mon Sep 17 00:00:00 2001
From: Matt Baer
Date: Thu, 16 Jan 2020 12:18:21 -0500
Subject: [PATCH 01/11] Reserve the username "oauth"
---
 author/author.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/author/author.go b/author/author.go
index bf3bfe1..e2e9508 100644
--- a/author/author.go
+++ b/author/author.go
@@ -65,6 +65,7 @@ var reservedUsernames = map[string]bool{
 "metadata": true,
 "new": true,
 "news": true,
+ "oauth": true,
 "post": true,
 "posts": true,
 "privacy": true,
From f2f779e4a2d2d64594f87f93d21313fa6d9b9d0d Mon Sep 17 00:00:00 2001
From: Matt Baer
Date: Thu, 16 Jan 2020 12:24:10 -0500
Subject: [PATCH 02/11] Generate non-colliding usernames in all lowercase All usernames should be lowercase, so this generates any username suffix (in cases of collision) with only lowercase letters. It also removes vowels to prevent bad 5-letter words from forming. Ref T712
---
 oauth_slack.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/oauth_slack.go b/oauth_slack.go
index 8cf4992..f700c2c 100644
--- a/oauth_slack.go
+++ b/oauth_slack.go
@@ -157,7 +157,7 @@ func (c slackOauthClient) inspectOauthAccessToken(ctx context.Context, accessTok
 func (resp slackUserIdentityResponse) InspectResponse() *InspectResponse {
 return &InspectResponse{
 UserID: resp.User.ID,
- Username: fmt.Sprintf("%s-%s", slug.Make(resp.User.Name), store.Generate62RandomString(5)),
+ Username: fmt.Sprintf("%s-%s", slug.Make(resp.User.Name), store.GenerateRandomString("0123456789bcdfghjklmnpqrstvwxyz", 5)),
 DisplayName: resp.User.Name,
 Email: resp.User.Email,
 }
From 33a6129d1e4e548c87097306c5929858c04962ec Mon Sep 17 00:00:00 2001
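Review bot: In PATCH 02/11 (oauth_slack.go, `InspectResponse`), the suffix alphabet is an unexplained string literal inside the `fmt.Sprintf` call, so a later reader cannot tell that the missing vowels are deliberate. I would lift it into a named constant with a comment, e.g. `const usernameSuffixChars = "0123456789bcdfghjklmnpqrstvwxyz" // lowercase, no vowels, so a suffix cannot spell a word`. Five characters from this 31-character set give about 28.6 million suffixes, so the suffix only makes a collision unlikely; the account-creation path still has to enforce uniqueness and the reserved-name list, which is not visible in this hunk. If `slug.Make` can return an empty string for a name with no usable characters, the generated username would start with `-`, which may deserve a guard.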
From: Matt Baer Date: Thu, 16 Jan 2020 13:13:33 -0500 Subject: [PATCH 03/11] Add async username check on OAuth signup form This checks the user's inputted username as they type it, and prevents form submission if the name is taken. Ref T712 --- pages/signup-oauth.tmpl | 66 +++++++++++++++++++++++++++++++++++++++-- 1 file changed, 64 insertions(+), 2 deletions(-) diff --git a/pages/signup-oauth.tmpl b/pages/signup-oauth.tmpl index 34081cf..3fd4255 100644 --- a/pages/signup-oauth.tmpl +++ b/pages/signup-oauth.tmpl @@ -65,7 +65,7 @@ form dd { {{end}}
-
+ @@ -85,7 +85,7 @@ form dd { @@ -108,11 +108,73 @@ form dd {
+ {{end}}
From 4d5c89e7efec6fad7b3fae7f36f92f0c58a9b30a Mon Sep 17 00:00:00 2001
From: Matt Baer
Date: Thu, 16 Jan 2020 13:37:44 -0500
Subject: [PATCH 04/11] Fix false login state on OAuth signup page Having a `Username` field populated in the page data tells the base template to display navigation that only a logged in user should see. So this renames the field to `LoginUsername`, similar to our login.tmpl page. Ref T712
---
 oauth_signup.go | 12 ++++++------
 pages/signup-oauth.tmpl | 2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/oauth_signup.go b/oauth_signup.go
index cf90af6..96b9936 100644
--- a/oauth_signup.go
+++ b/oauth_signup.go
@@ -29,9 +29,9 @@ type viewOauthSignupVars struct {
 ClientID string
 TokenHash string
- Username string
- Alias string
- Email string
+ LoginUsername string
+ Alias string
+ Email string
 }
 const (
@@ -184,9 +184,9 @@ func (h oauthHandler) showOauthSignupPage(app *App, w http.ResponseWriter, r *ht
 ClientID: tp.ClientID,
 TokenHash: tp.TokenHash,
- Username: username,
- Alias: alias,
- Email: email,
+ LoginUsername: username,
+ Alias: collTitle,
+ Email: email,
 }
 // Display any error messages
diff --git a/pages/signup-oauth.tmpl b/pages/signup-oauth.tmpl
index 3fd4255..40cc2e6 100644
--- a/pages/signup-oauth.tmpl
+++ b/pages/signup-oauth.tmpl
@@ -85,7 +85,7 @@ form dd {
From 6842ab2e3be7ffae9ce46a0613714a95cc1dd135 Mon Sep 17 00:00:00 2001
From: Matt Baer
Date: Thu, 16 Jan 2020 13:50:37 -0500
Subject: [PATCH 05/11] Rename collTitle from alias "alias" is the name of a different collection field, so this renames the variable internally to make things clearer.
---
 oauth_signup.go | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/oauth_signup.go b/oauth_signup.go
index 96b9936..58071c6 100644
--- a/oauth_signup.go
+++ b/oauth_signup.go
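Review bot: The renamed field in `viewOauthSignupVars` (PATCH 04/11, first hunk of oauth_signup.go) carries no comment, although the commit message explains that a populated `Username` makes the base template render logged-in navigation. A comment on the field would stop someone renaming it back: `// LoginUsername pre-fills the signup form; it must not be called Username, which the base template reads as a logged-in user.` Inferring login state from whether a page-data field happens to be set is fragile, so an explicit flag for the base template may be worth considering separately.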
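Review bot: In PATCH 04/11, the `showOauthSignupPage` hunk of oauth_signup.go sets `Alias: collTitle`, but within this series the local is only renamed from `alias` to `collTitle` in PATCH 05/11, so this commit on its own appears to reference an undefined name and would not build. Keeping `Alias: alias,` here and moving that one-line change into PATCH 05/11 keeps every commit in the series compilable for bisecting. The function body starts and ends outside the hunk, so a declaration elsewhere cannot be fully ruled out from this view.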
@@ -22,7 +22,7 @@ type viewOauthSignupVars struct {
 AccessToken string
 TokenUsername string
- TokenAlias string
+ TokenAlias string // TODO: rename this to match the data it represents: the collection title
 TokenEmail string
 TokenRemoteUser string
 Provider string
@@ -30,7 +30,7 @@ type viewOauthSignupVars struct {
 TokenHash string
 LoginUsername string
- Alias string
+ Alias string // TODO: rename this to match the data it represents: the collection title
 Email string
 }
@@ -52,7 +52,7 @@ const (
 type oauthSignupPageParams struct {
 AccessToken string
 TokenUsername string
- TokenAlias string
+ TokenAlias string // TODO: rename this to match the data it represents: the collection title
 TokenEmail string
 TokenRemoteUser string
 ClientID string
@@ -131,8 +131,8 @@ func (h oauthHandler) validateOauthSignup(r *http.Request) error {
 if len(username) > 100 {
 return impart.HTTPError{Status: http.StatusBadRequest, Message: "Username is too long."}
 }
- alias := r.FormValue(oauthParamAlias)
- if len(alias) == 0 {
+ collTitle := r.FormValue(oauthParamAlias)
+ if len(collTitle) == 0 {
 return impart.HTTPError{Status: http.StatusBadRequest, Message: "Alias is too short."}
 }
 password := r.FormValue("password")
@@ -151,7 +151,7 @@ func (h oauthHandler) validateOauthSignup(r *http.Request) error {
 func (h oauthHandler) showOauthSignupPage(app *App, w http.ResponseWriter, r *http.Request, tp *oauthSignupPageParams, errMsg error) error {
 username := tp.TokenUsername
- alias := tp.TokenAlias
+ collTitle := tp.TokenAlias
 email := tp.TokenEmail
 session, err := app.sessionStore.Get(r, cookieName)
@@ -164,7 +164,7 @@ func (h oauthHandler) showOauthSignupPage(app *App, w http.ResponseWriter, r *ht
 username = tmpValue
 }
 if tmpValue := r.FormValue(oauthParamAlias); len(tmpValue) > 0 {
- alias = tmpValue
+ collTitle = tmpValue
 }
 if tmpValue := r.FormValue(oauthParamEmail); len(tmpValue) > 0 {
 email = tmpValue
From 130c9eb7475d93ab7d3a4a016c26d09ce3a8464c Mon Sep 17 00:00:00 2001
From: Matt Baer
Date: Thu, 16 Jan 2020 13:58:14 -0500
Subject: [PATCH 06/11] Change Blog Title to Display Name in OAuth signup Ref T712
---
 oauth_signup.go | 2 +-
 pages/signup-oauth.tmpl | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/oauth_signup.go b/oauth_signup.go
index 58071c6..5b960ca 100644
--- a/oauth_signup.go
+++ b/oauth_signup.go
@@ -133,7 +133,7 @@ func (h oauthHandler) validateOauthSignup(r *http.Request) error {
 }
 collTitle := r.FormValue(oauthParamAlias)
 if len(collTitle) == 0 {
- return impart.HTTPError{Status: http.StatusBadRequest, Message: "Alias is too short."}
+ return impart.HTTPError{Status: http.StatusBadRequest, Message: "Display name is too short."}
 }
 password := r.FormValue("password")
 if len(password) == 0 {
diff --git a/pages/signup-oauth.tmpl b/pages/signup-oauth.tmpl
index 40cc2e6..21e8ed5 100644
--- a/pages/signup-oauth.tmpl
+++ b/pages/signup-oauth.tmpl
@@ -77,9 +77,9 @@ form dd {
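Review bot: In PATCH 06/11, `validateOauthSignup` still accepts any non-empty display name: `len(collTitle) == 0` lets a whitespace-only value through and sets no upper bound, whereas the context in PATCH 05/11 shows the username rejected above 100 bytes. Trimming before the check and adding a cap would close that, e.g. `collTitle := strings.TrimSpace(r.FormValue(oauthParamAlias))` followed by a length limit; the limit should match whatever the stored collection title allows, which is not visible here. The trailing context shows the password is likewise only rejected when empty, and whether a minimum length is enforced later in the function is outside the hunk.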
-
From dcdd4dd1ef19170e22f47ebef4be30a698fcd7eb Mon Sep 17 00:00:00 2001 From: Matt Baer Date: Thu, 16 Jan 2020 14:39:18 -0500 Subject: [PATCH 10/11] Add and update copyright notices --- author/author.go | 2 +- oauth_signup.go | 10 ++++++++++ oauth_slack.go | 10 ++++++++++ 3 files changed, 21 insertions(+), 1 deletion(-) diff --git a/author/author.go b/author/author.go index e2e9508..0114905 100644 --- a/author/author.go +++ b/author/author.go @@ -1,5 +1,5 @@ /* - * Copyright © 2018 A Bunch Tell LLC. + * Copyright © 2018-2020 A Bunch Tell LLC. * * This file is part of WriteFreely. * diff --git a/oauth_signup.go b/oauth_signup.go index 10d2306..220afbd 100644 --- a/oauth_signup.go +++ b/oauth_signup.go @@ -1,3 +1,13 @@ +/* + * Copyright © 2020 A Bunch Tell LLC. + * + * This file is part of WriteFreely. + * + * WriteFreely is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License, included + * in the LICENSE file in this source code package. + */ + package writefreely import ( diff --git a/oauth_slack.go b/oauth_slack.go index f700c2c..1db3613 100644 --- a/oauth_slack.go +++ b/oauth_slack.go @@ -1,3 +1,13 @@ +/* + * Copyright © 2020 A Bunch Tell LLC. + * + * This file is part of WriteFreely. + * + * WriteFreely is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License, included + * in the LICENSE file in this source code package. + */ + package writefreely import ( From c1ec6b26051ee76f63d12f9581218fe479bf8f64 Mon Sep 17 00:00:00 2001 From: Matt Baer Date: Thu, 16 Jan 2020 14:43:32 -0500 Subject: [PATCH 11/11] Fix copyright years in oauth_slack.go --- oauth_slack.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/oauth_slack.go b/oauth_slack.go index 1db3613..35db156 100644 --- a/oauth_slack.go +++ b/oauth_slack.go 
@@ -1,5 +1,5 @@
 /*
- * Copyright © 2020 A Bunch Tell LLC.
+ * Copyright © 2019-2020 A Bunch Tell LLC.
 *
 * This file is part of WriteFreely.
 *