[feature] Enforce OAuth token scopes (#3835)

* move tokenauth to apiutil

* enforce scopes

* docs

* update test models, remove deprecated "follow"

* file header

* tests

* tweak scope matcher

* simplify...

* fix tests

* log user out of settings panel in case of oauth error

1 files changed, 8 insertions, 6 deletions

diff --git a/internal/api/client/import/import.go b/internal/api/client/import/import.go
index 6d85a6b23..c3908625b 100644
--- a/internal/api/client/import/import.go
+++ b/internal/api/client/import/import.go
@@ -28,7 +28,6 @@ import (
 	apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 	apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
-	"github.com/superseriousbusiness/gotosocial/internal/oauth"
 	"github.com/superseriousbusiness/gotosocial/internal/processing"
 )
 
@@ -109,7 +108,7 @@ func (m *Module) Route(attachHandler func(method string, path string, f ...gin.H
 //
 //	security:
 //	- OAuth2 Bearer:
-//		- write:accounts
+//		- write
 //
 //	responses:
 //		'202':
@@ -123,9 +122,12 @@ func (m *Module) Route(attachHandler func(method string, path string, f ...gin.H
 //		'500':
 //			description: internal server error
 func (m *Module) ImportPOSTHandler(c *gin.Context) {
-	authed, err := oauth.Authed(c, true, true, true, true)
-	if err != nil {
-		apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+	authed, errWithCode := apiutil.TokenAuth(c,
+		true, true, true, true,
+		apiutil.ScopeWrite,
+	)
+	if errWithCode != nil {
+		apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 		return
 	}
 
@@ -179,7 +181,7 @@ func (m *Module) ImportPOSTHandler(c *gin.Context) {
 	overwrite := form.Mode == "overwrite"
 
 	// Trigger the import.
-	errWithCode := m.processor.Account().ImportData(
+	errWithCode = m.processor.Account().ImportData(
 		c.Request.Context(),
 		authed.Account,
 		form.Data,