Allow Users to Register Client Credentials

.gitignore

@@ -1,3 +1,5 @@
+.env
+
 # IDE files
 .vscode/
 .idea/

backend/accounts/serializers.py

@@ -1,12 +1,37 @@
 from django.utils import timezone
 from django.utils.crypto import get_random_string
+from oauth2_provider.models import Application
 from rest_framework import serializers
 
 from accounts.mixins import ManyToManySaveMixin
 from accounts.models import Email, Major, PhoneNumber, School, Student, User
 from accounts.verification import sendEmailVerification, sendSMSVerification
 
 
+class ApplicationSerializer(serializers.ModelSerializer):
+    # Hardcode grant type (for now) so it's impossible for someone to create a copycat
+    # Penn Labs login flow to collect access tokens on behalf of unsuspecting users.
+    # We may want to relax this if we add more a explicit permission grant prompt
+    # to the authentication flow for non-Labs applications. For now we are just
+    # allowing application registration on behalf of a user's own resources,
+    # via the client credentials grant:
+    # https://oauth.net/2/grant-types/client-credentials/
+    authorization_grant_type = serializers.CharField(
+        default=Application.GRANT_CLIENT_CREDENTIALS
+    )
+    client_type = serializers.CharField(default=Application.CLIENT_CONFIDENTIAL)
+
+    class Meta:
+        model = Application
+        read_only = [
+            "client_id",
+            "client_secret",
+            "authorization_grant_type",
+            "client_type",
+        ]
+        fields = read_only + ["name", "redirect_uris"]
+
+
 class SchoolSerializer(serializers.ModelSerializer):
     class Meta:
         model = School

backend/accounts/urls.py

@@ -4,6 +4,7 @@
 from rest_framework import routers
 
 from accounts.views import (
+    ApplicationViewSet,
     DevLoginView,
     DevLogoutView,
     EmailViewSet,
@@ -22,6 +23,7 @@
 app_name = "accounts"
 
 router = routers.SimpleRouter()
+router.register("application", ApplicationViewSet, basename="application")
 router.register("me/phonenumber", PhoneNumberViewSet, basename="me-phonenumber")
 router.register("me/email", EmailViewSet, basename="me-email")
 router.register("majors", MajorViewSet, basename="majors")

backend/accounts/views.py

@@ -29,6 +29,7 @@
 
 from accounts.models import Major, School, User
 from accounts.serializers import (
+    ApplicationSerializer,
     EmailSerializer,
     MajorSerializer,
     PhoneNumberSerializer,
@@ -123,6 +124,24 @@ def get(self, request):
         return redirect("accounts:login")
 
 
+class ApplicationViewSet(viewsets.ModelViewSet):
+    """
+    A ViewSet for managing Applications, through which users can register
+    confidential client credentials to access API resources on their behalf
+    (e.g. for external developers writing automated scripts that access authenticated
+    Penn Labs routes, logged into their own Penn Labs account).
+    See ApplicationSerializer for an explanation of why we are not currently allowing
+    applications of other grant types (other than `client-credentials`).
+    """
+
+    serializer_class = ApplicationSerializer
+    lookup_field = "client_id"
+    permission_classes = [IsAuthenticated]
+
+    def get_queryset(self):
+        return self.request.user.oauth2_provider_application.all()
+
+
 @method_decorator(csrf_exempt, name="dispatch")
 class UUIDIntrospectTokenView(IntrospectTokenView):
     @staticmethod