summaryrefslogtreecommitdiff
path: root/internal/api/client/lists
diff options
context:
space:
mode:
authorLibravatar tobi <31960611+tsmethurst@users.noreply.github.com>2025-02-26 13:04:55 +0100
committerLibravatar GitHub <noreply@github.com>2025-02-26 13:04:55 +0100
commiteb720241da3d786c6ec79f2325277fa4af23846f (patch)
tree36e0e08699e55a56d247353d082cc0a2b8144999 /internal/api/client/lists
parent[chore]: Bump golang.org/x/crypto from 0.33.0 to 0.34.0 (#3824) (diff)
downloadgotosocial-eb720241da3d786c6ec79f2325277fa4af23846f.tar.xz
[feature] Enforce OAuth token scopes (#3835)
* move tokenauth to apiutil * enforce scopes * docs * update test models, remove deprecated "follow" * file header * tests * tweak scope matcher * simplify... * fix tests * log user out of settings panel in case of oauth error
Diffstat (limited to 'internal/api/client/lists')
-rw-r--r--internal/api/client/lists/listaccounts.go10
-rw-r--r--internal/api/client/lists/listaccountsadd.go10
-rw-r--r--internal/api/client/lists/listaccountsremove.go12
-rw-r--r--internal/api/client/lists/listcreate.go10
-rw-r--r--internal/api/client/lists/listdelete.go10
-rw-r--r--internal/api/client/lists/listget.go10
-rw-r--r--internal/api/client/lists/listsget.go10
-rw-r--r--internal/api/client/lists/listupdate.go12
8 files changed, 50 insertions, 34 deletions
diff --git a/internal/api/client/lists/listaccounts.go b/internal/api/client/lists/listaccounts.go
index d609251f7..4c6c00292 100644
--- a/internal/api/client/lists/listaccounts.go
+++ b/internal/api/client/lists/listaccounts.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/paging"
)
@@ -117,9 +116,12 @@ import (
// '500':
// description: internal server error
func (m *Module) ListAccountsGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/lists/listaccountsadd.go b/internal/api/client/lists/listaccountsadd.go
index 168c5e3fe..b27cd1e92 100644
--- a/internal/api/client/lists/listaccountsadd.go
+++ b/internal/api/client/lists/listaccountsadd.go
@@ -25,7 +25,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// ListAccountsPOSTHandler swagger:operation POST /api/v1/lists/{id}/accounts addListAccounts
@@ -82,9 +81,12 @@ import (
// '500':
// description: internal server error
func (m *Module) ListAccountsPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/lists/listaccountsremove.go b/internal/api/client/lists/listaccountsremove.go
index 96f8b809d..160552d62 100644
--- a/internal/api/client/lists/listaccountsremove.go
+++ b/internal/api/client/lists/listaccountsremove.go
@@ -25,7 +25,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// ListAccountsDELETEHandler swagger:operation DELETE /api/v1/lists/{id}/accounts removeListAccounts
@@ -82,9 +81,12 @@ import (
// '500':
// description: internal server error
func (m *Module) ListAccountsDELETEHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
@@ -108,7 +110,7 @@ func (m *Module) ListAccountsDELETEHandler(c *gin.Context) {
// parsing in order to be compatible with Mastodon's client API conventions.
oldMethod := c.Request.Method
c.Request.Method = "POST"
- err = c.ShouldBind(form)
+ err := c.ShouldBind(form)
c.Request.Method = oldMethod
if err != nil {
diff --git a/internal/api/client/lists/listcreate.go b/internal/api/client/lists/listcreate.go
index c8f547ccc..5d3daf2ed 100644
--- a/internal/api/client/lists/listcreate.go
+++ b/internal/api/client/lists/listcreate.go
@@ -26,7 +26,6 @@ import (
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/validate"
)
@@ -97,9 +96,12 @@ import (
// '500':
// description: internal server error
func (m *Module) ListCreatePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/lists/listdelete.go b/internal/api/client/lists/listdelete.go
index b03f21e5a..33c0add70 100644
--- a/internal/api/client/lists/listdelete.go
+++ b/internal/api/client/lists/listdelete.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// ListDELETEHandler swagger:operation DELETE /api/v1/lists/{id} listDelete
@@ -64,9 +63,12 @@ import (
// '500':
// description: internal server error
func (m *Module) ListDELETEHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/lists/listget.go b/internal/api/client/lists/listget.go
index 34b21d28b..008d516ba 100644
--- a/internal/api/client/lists/listget.go
+++ b/internal/api/client/lists/listget.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// ListGETHandler swagger:operation GET /api/v1/lists/{id} list
@@ -67,9 +66,12 @@ import (
// '500':
// description: internal server error
func (m *Module) ListGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/lists/listsget.go b/internal/api/client/lists/listsget.go
index 6bfc3c883..9a40702b8 100644
--- a/internal/api/client/lists/listsget.go
+++ b/internal/api/client/lists/listsget.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// ListsGETHandler swagger:operation GET /api/v1/lists lists
@@ -60,9 +59,12 @@ import (
// '500':
// description: internal server error
func (m *Module) ListsGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/lists/listupdate.go b/internal/api/client/lists/listupdate.go
index 38caa9621..388d878a9 100644
--- a/internal/api/client/lists/listupdate.go
+++ b/internal/api/client/lists/listupdate.go
@@ -27,7 +27,6 @@ import (
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/validate"
)
@@ -103,9 +102,12 @@ import (
// '500':
// description: internal server error
func (m *Module) ListUpdatePUTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
@@ -152,7 +154,7 @@ func (m *Module) ListUpdatePUTHandler(c *gin.Context) {
}
if form.Title == nil && repliesPolicy == nil && form.Exclusive == nil {
- err = errors.New("neither title nor replies_policy nor exclusive was set; nothing to update")
+ err := errors.New("neither title nor replies_policy nor exclusive was set; nothing to update")
apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1)
return
}
generated by cgit v1.2.3 (git 2.46.0) at 2025-12-02 09:04:10 +0000