authorLibravatar tobi <31960611+tsmethurst@users.noreply.github.com>2025-02-26 13:04:55 +0100
committerLibravatar GitHub <noreply@github.com>2025-02-26 13:04:55 +0100
commiteb720241da3d786c6ec79f2325277fa4af23846f (patch)
tree36e0e08699e55a56d247353d082cc0a2b8144999 /internal/api
parent[chore]: Bump golang.org/x/crypto from 0.33.0 to 0.34.0 (#3824) (diff)
[feature] Enforce OAuth token scopes (#3835)
* move tokenauth to apiutil * enforce scopes * docs * update test models, remove deprecated "follow" * file header * tests * tweak scope matcher * simplify... * fix tests * log user out of settings panel in case of oauth error
Diffstat (limited to 'internal/api')
-rw-r--r--internal/api/client/accounts/accountalias.go10
-rw-r--r--internal/api/client/accounts/accountcreate.go10
-rw-r--r--internal/api/client/accounts/accountdelete.go12
-rw-r--r--internal/api/client/accounts/accountget.go10
-rw-r--r--internal/api/client/accounts/accountmove.go10
-rw-r--r--internal/api/client/accounts/accountupdate.go10
-rw-r--r--internal/api/client/accounts/accountverify.go11
-rw-r--r--internal/api/client/accounts/block.go10
-rw-r--r--internal/api/client/accounts/featuredtags.go10
-rw-r--r--internal/api/client/accounts/follow.go10
-rw-r--r--internal/api/client/accounts/followers.go10
-rw-r--r--internal/api/client/accounts/following.go10
-rw-r--r--internal/api/client/accounts/lists.go10
-rw-r--r--internal/api/client/accounts/lookup.go10
-rw-r--r--internal/api/client/accounts/mute.go10
-rw-r--r--internal/api/client/accounts/note.go10
-rw-r--r--internal/api/client/accounts/profile.go10
-rw-r--r--internal/api/client/accounts/relationships.go12
-rw-r--r--internal/api/client/accounts/search.go10
-rw-r--r--internal/api/client/accounts/statuses.go12
-rw-r--r--internal/api/client/accounts/themesget.go10
-rw-r--r--internal/api/client/accounts/unblock.go7
-rw-r--r--internal/api/client/accounts/unfollow.go10
-rw-r--r--internal/api/client/accounts/unmute.go10
-rw-r--r--internal/api/client/admin/accountaction.go12
-rw-r--r--internal/api/client/admin/accountapprove.go12
-rw-r--r--internal/api/client/admin/accountget.go12
-rw-r--r--internal/api/client/admin/accountreject.go12
-rw-r--r--internal/api/client/admin/accountsgetv1.go12
-rw-r--r--internal/api/client/admin/accountsgetv2.go12
-rw-r--r--internal/api/client/admin/debug_off.go4
-rw-r--r--internal/api/client/admin/debug_on.go19
-rw-r--r--internal/api/client/admin/domainallowcreate.go2
-rw-r--r--internal/api/client/admin/domainallowdelete.go2
-rw-r--r--internal/api/client/admin/domainallowget.go2
-rw-r--r--internal/api/client/admin/domainallowsget.go2
-rw-r--r--internal/api/client/admin/domainblockcreate.go2
-rw-r--r--internal/api/client/admin/domainblockdelete.go2
-rw-r--r--internal/api/client/admin/domainblockget.go2
-rw-r--r--internal/api/client/admin/domainblocksget.go2
-rw-r--r--internal/api/client/admin/domainkeysexpire.go12
-rw-r--r--internal/api/client/admin/domainpermission.go70
-rw-r--r--internal/api/client/admin/domainpermissiondraftaccept.go9
-rw-r--r--internal/api/client/admin/domainpermissiondraftcreate.go12
-rw-r--r--internal/api/client/admin/domainpermissiondraftget.go12
-rw-r--r--internal/api/client/admin/domainpermissiondraftremove.go12
-rw-r--r--internal/api/client/admin/domainpermissiondraftsget.go12
-rw-r--r--internal/api/client/admin/domainpermissionexcludecreate.go12
-rw-r--r--internal/api/client/admin/domainpermissionexcludeget.go12
-rw-r--r--internal/api/client/admin/domainpermissionexcluderemove.go12
-rw-r--r--internal/api/client/admin/domainpermissionexcludesget.go12
-rw-r--r--internal/api/client/admin/domainpermissionsubscriptioncreate.go12
-rw-r--r--internal/api/client/admin/domainpermissionsubscriptionget.go12
-rw-r--r--internal/api/client/admin/domainpermissionsubscriptionremove.go12
-rw-r--r--internal/api/client/admin/domainpermissionsubscriptionsget.go12
-rw-r--r--internal/api/client/admin/domainpermissionsubscriptionspreviewget.go12
-rw-r--r--internal/api/client/admin/domainpermissionsubscriptiontest.go12
-rw-r--r--internal/api/client/admin/domainpermissionsubscriptionupdate.go12
-rw-r--r--internal/api/client/admin/emailtest.go14
-rw-r--r--internal/api/client/admin/emojicategoriesget.go14
-rw-r--r--internal/api/client/admin/emojicreate.go12
-rw-r--r--internal/api/client/admin/emojidelete.go12
-rw-r--r--internal/api/client/admin/emojiget.go14
-rw-r--r--internal/api/client/admin/emojisget.go14
-rw-r--r--internal/api/client/admin/emojiupdate.go12
-rw-r--r--internal/api/client/admin/headerfilter.go33
-rw-r--r--internal/api/client/admin/headerfilter_create.go4
-rw-r--r--internal/api/client/admin/headerfilter_delete.go4
-rw-r--r--internal/api/client/admin/headerfilter_get.go4
-rw-r--r--internal/api/client/admin/mediacleanup.go12
-rw-r--r--internal/api/client/admin/mediarefetch.go12
-rw-r--r--internal/api/client/admin/reportget.go12
-rw-r--r--internal/api/client/admin/reportresolve.go12
-rw-r--r--internal/api/client/admin/reportsget.go12
-rw-r--r--internal/api/client/admin/reportsget_test.go2
-rw-r--r--internal/api/client/admin/rulecreate.go12
-rw-r--r--internal/api/client/admin/ruledelete.go12
-rw-r--r--internal/api/client/admin/ruleget.go12
-rw-r--r--internal/api/client/admin/rulesget.go12
-rw-r--r--internal/api/client/admin/ruleupdate.go12
-rw-r--r--internal/api/client/announcements/announcementsget.go12
-rw-r--r--internal/api/client/apps/appcreate.go9
-rw-r--r--internal/api/client/blocks/blocksget.go10
-rw-r--r--internal/api/client/bookmarks/bookmarksget.go10
-rw-r--r--internal/api/client/conversations/conversationdelete.go10
-rw-r--r--internal/api/client/conversations/conversationread.go10
-rw-r--r--internal/api/client/conversations/conversationsget.go10
-rw-r--r--internal/api/client/customemojis/customemojisget.go11
-rw-r--r--internal/api/client/exports/blocks.go10
-rw-r--r--internal/api/client/exports/followers.go12
-rw-r--r--internal/api/client/exports/following.go10
-rw-r--r--internal/api/client/exports/lists.go10
-rw-r--r--internal/api/client/exports/mutes.go10
-rw-r--r--internal/api/client/exports/stats.go12
-rw-r--r--internal/api/client/favourites/favouritesget.go10
-rw-r--r--internal/api/client/featuredtags/get.go10
-rw-r--r--internal/api/client/filters/v1/filterdelete.go10
-rw-r--r--internal/api/client/filters/v1/filterget.go10
-rw-r--r--internal/api/client/filters/v1/filterpost.go10
-rw-r--r--internal/api/client/filters/v1/filterput.go10
-rw-r--r--internal/api/client/filters/v1/filtersget.go10
-rw-r--r--internal/api/client/filters/v2/filterdelete.go10
-rw-r--r--internal/api/client/filters/v2/filterget.go10
-rw-r--r--internal/api/client/filters/v2/filterkeyworddelete.go10
-rw-r--r--internal/api/client/filters/v2/filterkeywordget.go10
-rw-r--r--internal/api/client/filters/v2/filterkeywordpost.go10
-rw-r--r--internal/api/client/filters/v2/filterkeywordput.go10
-rw-r--r--internal/api/client/filters/v2/filterkeywordsget.go10
-rw-r--r--internal/api/client/filters/v2/filterpost.go10
-rw-r--r--internal/api/client/filters/v2/filterput.go10
-rw-r--r--internal/api/client/filters/v2/filtersget.go10
-rw-r--r--internal/api/client/filters/v2/filterstatusdelete.go10
-rw-r--r--internal/api/client/filters/v2/filterstatusesget.go10
-rw-r--r--internal/api/client/filters/v2/filterstatusget.go10
-rw-r--r--internal/api/client/filters/v2/filterstatuspost.go10
-rw-r--r--internal/api/client/followedtags/get.go10
-rw-r--r--internal/api/client/followrequests/authorize.go10
-rw-r--r--internal/api/client/followrequests/get.go10
-rw-r--r--internal/api/client/followrequests/reject.go10
-rw-r--r--internal/api/client/import/import.go14
-rw-r--r--internal/api/client/instance/instancepatch.go12
-rw-r--r--internal/api/client/instance/instancepatch_test.go2
-rw-r--r--internal/api/client/instance/instancepeersget.go12
-rw-r--r--internal/api/client/interactionpolicies/getdefaults.go10
-rw-r--r--internal/api/client/interactionpolicies/updatedefaults.go10
-rw-r--r--internal/api/client/interactionrequests/authorize.go9
-rw-r--r--internal/api/client/interactionrequests/get.go10
-rw-r--r--internal/api/client/interactionrequests/getpage.go10
-rw-r--r--internal/api/client/interactionrequests/reject.go9
-rw-r--r--internal/api/client/lists/listaccounts.go10
-rw-r--r--internal/api/client/lists/listaccountsadd.go10
-rw-r--r--internal/api/client/lists/listaccountsremove.go12
-rw-r--r--internal/api/client/lists/listcreate.go10
-rw-r--r--internal/api/client/lists/listdelete.go10
-rw-r--r--internal/api/client/lists/listget.go10
-rw-r--r--internal/api/client/lists/listsget.go10
-rw-r--r--internal/api/client/lists/listupdate.go12
-rw-r--r--internal/api/client/markers/markersget.go10
-rw-r--r--internal/api/client/markers/markerspost.go10
-rw-r--r--internal/api/client/media/mediacreate.go10
-rw-r--r--internal/api/client/media/mediaget.go12
-rw-r--r--internal/api/client/media/mediaupdate.go10
-rw-r--r--internal/api/client/mutes/mutesget.go10
-rw-r--r--internal/api/client/notifications/notificationget.go10
-rw-r--r--internal/api/client/notifications/notificationsclear.go14
-rw-r--r--internal/api/client/notifications/notificationsget.go10
-rw-r--r--internal/api/client/polls/polls_get.go9
-rw-r--r--internal/api/client/polls/polls_vote.go9
-rw-r--r--internal/api/client/preferences/preferencesget.go10
-rw-r--r--internal/api/client/push/pushsubscriptiondelete.go11
-rw-r--r--internal/api/client/push/pushsubscriptiondelete_test.go2
-rw-r--r--internal/api/client/push/pushsubscriptionget.go11
-rw-r--r--internal/api/client/push/pushsubscriptionget_test.go2
-rw-r--r--internal/api/client/push/pushsubscriptionpost.go10
-rw-r--r--internal/api/client/push/pushsubscriptionpost_test.go12
-rw-r--r--internal/api/client/push/pushsubscriptionput.go10
-rw-r--r--internal/api/client/push/pushsubscriptionput_test.go2
-rw-r--r--internal/api/client/reports/reportcreate.go16
-rw-r--r--internal/api/client/reports/reportget.go12
-rw-r--r--internal/api/client/reports/reportsget.go12
-rw-r--r--internal/api/client/search/searchget.go10
-rw-r--r--internal/api/client/statuses/statusbookmark.go12
-rw-r--r--internal/api/client/statuses/statusboost.go10
-rw-r--r--internal/api/client/statuses/statusboostedby.go10
-rw-r--r--internal/api/client/statuses/statuscontext.go10
-rw-r--r--internal/api/client/statuses/statuscreate.go10
-rw-r--r--internal/api/client/statuses/statusdelete.go10
-rw-r--r--internal/api/client/statuses/statusedit.go10
-rw-r--r--internal/api/client/statuses/statusfave.go10
-rw-r--r--internal/api/client/statuses/statusfavedby.go10
-rw-r--r--internal/api/client/statuses/statusget.go10
-rw-r--r--internal/api/client/statuses/statushistory.go10
-rw-r--r--internal/api/client/statuses/statusmute.go10
-rw-r--r--internal/api/client/statuses/statuspin.go10
-rw-r--r--internal/api/client/statuses/statussource.go10
-rw-r--r--internal/api/client/statuses/statusunbookmark.go12
-rw-r--r--internal/api/client/statuses/statusunboost.go10
-rw-r--r--internal/api/client/statuses/statusunfave.go12
-rw-r--r--internal/api/client/statuses/statusunmute.go10
-rw-r--r--internal/api/client/statuses/statusunpin.go10
-rw-r--r--internal/api/client/streaming/stream.go6
-rw-r--r--internal/api/client/tags/follow.go11
-rw-r--r--internal/api/client/tags/get.go13
-rw-r--r--internal/api/client/tags/unfollow.go11
-rw-r--r--internal/api/client/timelines/home.go10
-rw-r--r--internal/api/client/timelines/list.go10
-rw-r--r--internal/api/client/timelines/public.go21
-rw-r--r--internal/api/client/timelines/tag.go10
-rw-r--r--internal/api/client/user/emailchange.go12
-rw-r--r--internal/api/client/user/passwordchange.go12
-rw-r--r--internal/api/client/user/userget.go12
-rw-r--r--internal/api/fileserver/servefile.go7
-rw-r--r--internal/api/util/auth.go152
-rw-r--r--internal/api/util/scopes.go103
-rw-r--r--internal/api/util/scopes_test.go101
195 files changed, 1565 insertions, 819 deletions
diff --git a/internal/api/client/accounts/accountalias.go b/internal/api/client/accounts/accountalias.go
index 3f869c0d6..e0b67694f 100644
--- a/internal/api/client/accounts/accountalias.go
+++ b/internal/api/client/accounts/accountalias.go
@@ -24,7 +24,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// AccountAliasPOSTHandler swagger:operation POST /api/v1/accounts/alias accountAlias
@@ -77,9 +76,12 @@ import (
// '500':
// description: internal server error
func (m *Module) AccountAliasPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
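Review bot: The four positional booleans in `apiutil.TokenAuth(c, true, true, true, true, ...)` do not say at the call site which requirement each one switches on, so a wrong flag on an authorization check is easy to miss in review. The same call shape repeats in every handler hunk of this diff, from accountcreate.go through search.go. Since TokenAuth's signature lives in internal/api/util/auth.go, outside this chunk, I would add a line above the arguments such as `// Flags follow TokenAuth's parameter order; see internal/api/util/auth.go.`, or better, name each flag in that comment once the order is confirmed. The handler body continues past the end of the hunk.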
diff --git a/internal/api/client/accounts/accountcreate.go b/internal/api/client/accounts/accountcreate.go
index 33d743791..71f343522 100644
--- a/internal/api/client/accounts/accountcreate.go
+++ b/internal/api/client/accounts/accountcreate.go
@@ -26,7 +26,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/validate"
)
@@ -74,9 +73,12 @@ import (
// '500':
// description: internal server error
func (m *Module) AccountCreatePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, false, false)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, false,
+ apiutil.ScopeWriteAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
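Review bot: The third boolean changes here from `false` in the removed `oauth.Authed(c, true, true, false, false)` to `true` in the new `apiutil.TokenAuth(c, true, true, true, false, ...)`, whereas the other handlers visible in this diff carry their flags over unchanged. If the flags keep the meaning they had in oauth.Authed (TokenAuth's signature is not in this chunk, so this is inferred), account creation now requires something of the token that it did not require before, and a client that registers accounts with a token lacking it would presumably be rejected. If the tightening is intended, state it in a comment on the call and in the commit description; if not, the line should read `true, true, false, false,`. A handler test using a token that satisfies only the first two requirements would pin the behaviour either way.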
diff --git a/internal/api/client/accounts/accountdelete.go b/internal/api/client/accounts/accountdelete.go
index 9a1ef7931..6438462c6 100644
--- a/internal/api/client/accounts/accountdelete.go
+++ b/internal/api/client/accounts/accountdelete.go
@@ -25,7 +25,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"golang.org/x/crypto/bcrypt"
)
@@ -66,9 +65,12 @@ import (
// '500':
// description: internal server error
func (m *Module) AccountDeletePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
@@ -80,7 +82,7 @@ func (m *Module) AccountDeletePOSTHandler(c *gin.Context) {
// Self account delete requires password to ensure it's for real.
if form.Password == "" {
- err = errors.New("no password provided in account delete request")
+ err := errors.New("no password provided in account delete request")
apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/accounts/accountget.go b/internal/api/client/accounts/accountget.go
index 4c1b66a20..cc6de3337 100644
--- a/internal/api/client/accounts/accountget.go
+++ b/internal/api/client/accounts/accountget.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// AccountGETHandler swagger:operation GET /api/v1/accounts/{id} accountGet
@@ -66,9 +65,12 @@ import (
// '500':
// description: internal server error
func (m *Module) AccountGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/accounts/accountmove.go b/internal/api/client/accounts/accountmove.go
index 3698c06a3..601dd7d54 100644
--- a/internal/api/client/accounts/accountmove.go
+++ b/internal/api/client/accounts/accountmove.go
@@ -24,7 +24,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// AccountMovePOSTHandler swagger:operation POST /api/v1/accounts/move accountMove
@@ -74,9 +73,12 @@ import (
// '500':
// description: internal server error
func (m *Module) AccountMovePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/accounts/accountupdate.go b/internal/api/client/accounts/accountupdate.go
index 5d3a3da5f..617031d79 100644
--- a/internal/api/client/accounts/accountupdate.go
+++ b/internal/api/client/accounts/accountupdate.go
@@ -30,7 +30,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// AccountUpdateCredentialsPATCHHandler swagger:operation PATCH /api/v1/accounts/update_credentials accountUpdate
@@ -236,9 +235,12 @@ import (
// '500':
// description: internal server error
func (m *Module) AccountUpdateCredentialsPATCHHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/accounts/accountverify.go b/internal/api/client/accounts/accountverify.go
index 1799089ab..f9dd5ae9c 100644
--- a/internal/api/client/accounts/accountverify.go
+++ b/internal/api/client/accounts/accountverify.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// AccountVerifyGETHandler swagger:operation GET /api/v1/accounts/verify_credentials accountVerify
@@ -56,9 +55,13 @@ import (
// '500':
// description: internal server error
func (m *Module) AccountVerifyGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeProfile,
+ apiutil.ScopeReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
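Review bot: This is the only call in the visible hunks that passes two scopes, `apiutil.ScopeProfile` and `apiutil.ScopeReadAccounts`, and nothing at the call site says whether the token must hold both or whether either one is enough. That distinction decides whether a token limited to the narrower scope can reach this endpoint, so it should not be left to the reader to look up in internal/api/util/auth.go (outside this chunk). I would add a comment above the scope arguments, for example `// Either scope is sufficient.`, or the opposite wording if TokenAuth requires all listed scopes. A test with a token holding only one of the two scopes would confirm the intended matching.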
diff --git a/internal/api/client/accounts/block.go b/internal/api/client/accounts/block.go
index 24ff099a7..09bf23a85 100644
--- a/internal/api/client/accounts/block.go
+++ b/internal/api/client/accounts/block.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// AccountBlockPOSTHandler swagger:operation POST /api/v1/accounts/{id}/block accountBlock
@@ -66,9 +65,12 @@ import (
// '500':
// description: internal server error
func (m *Module) AccountBlockPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteBlocks,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/accounts/featuredtags.go b/internal/api/client/accounts/featuredtags.go
index 312a92bcc..0cb3c7b98 100644
--- a/internal/api/client/accounts/featuredtags.go
+++ b/internal/api/client/accounts/featuredtags.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// AccountFeaturedTagsGETHandler swagger:operation GET /api/v1/accounts/{id}/featured_tags accountsFeaturedTags
@@ -68,9 +67,12 @@ import (
// '500':
// description: internal server error
func (m *Module) AccountFeaturedTagsGETHandler(c *gin.Context) {
- _, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ _, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/accounts/follow.go b/internal/api/client/accounts/follow.go
index 8a6e99744..d72032066 100644
--- a/internal/api/client/accounts/follow.go
+++ b/internal/api/client/accounts/follow.go
@@ -25,7 +25,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// AccountFollowPOSTHandler swagger:operation POST /api/v1/accounts/{id}/follow accountFollow
@@ -91,9 +90,12 @@ import (
// '500':
// description: internal server error
func (m *Module) AccountFollowPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFollows,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/accounts/followers.go b/internal/api/client/accounts/followers.go
index 332788c3a..d1fca7918 100644
--- a/internal/api/client/accounts/followers.go
+++ b/internal/api/client/accounts/followers.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/paging"
)
@@ -119,9 +118,12 @@ import (
// '500':
// description: internal server error
func (m *Module) AccountFollowersGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/accounts/following.go b/internal/api/client/accounts/following.go
index bdd9ff3de..b0d47667f 100644
--- a/internal/api/client/accounts/following.go
+++ b/internal/api/client/accounts/following.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/paging"
)
@@ -119,9 +118,12 @@ import (
// '500':
// description: internal server error
func (m *Module) AccountFollowingGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/accounts/lists.go b/internal/api/client/accounts/lists.go
index 7bd1227a8..f054b73bb 100644
--- a/internal/api/client/accounts/lists.go
+++ b/internal/api/client/accounts/lists.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// AccountListsGETHandler swagger:operation GET /api/v1/accounts/{id}/lists accountLists
@@ -69,9 +68,12 @@ import (
// '500':
// description: internal server error
func (m *Module) AccountListsGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/accounts/lookup.go b/internal/api/client/accounts/lookup.go
index d2a8e76be..88cf7fbe9 100644
--- a/internal/api/client/accounts/lookup.go
+++ b/internal/api/client/accounts/lookup.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// AccountLookupGETHandler swagger:operation GET /api/v1/accounts/lookup accountLookupGet
@@ -66,9 +65,12 @@ import (
// '500':
// description: internal server error
func (m *Module) AccountLookupGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/accounts/mute.go b/internal/api/client/accounts/mute.go
index c9a57a348..c5e5cc24b 100644
--- a/internal/api/client/accounts/mute.go
+++ b/internal/api/client/accounts/mute.go
@@ -25,7 +25,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/util"
)
@@ -86,9 +85,12 @@ import (
// '500':
// description: internal server error
func (m *Module) AccountMutePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteMutes,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/accounts/note.go b/internal/api/client/accounts/note.go
index bcfd232ae..bee99cf1e 100644
--- a/internal/api/client/accounts/note.go
+++ b/internal/api/client/accounts/note.go
@@ -24,7 +24,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// AccountNotePOSTHandler swagger:operation POST /api/v1/accounts/{id}/note accountNote
@@ -75,9 +74,12 @@ import (
// '500':
// description: internal server error
func (m *Module) AccountNotePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/accounts/profile.go b/internal/api/client/accounts/profile.go
index 8ff59a23b..16c312685 100644
--- a/internal/api/client/accounts/profile.go
+++ b/internal/api/client/accounts/profile.go
@@ -26,7 +26,6 @@ import (
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// AccountAvatarDELETEHandler swagger:operation DELETE /api/v1/profile/avatar accountAvatarDelete
@@ -102,9 +101,12 @@ func (m *Module) AccountHeaderDELETEHandler(c *gin.Context) {
// accountDeleteProfileAttachment checks that an authenticated account is present and allowed to alter itself,
// runs an attachment deletion processor method, and returns the updated account.
func (m *Module) accountDeleteProfileAttachment(c *gin.Context, processDelete func(context.Context, *gtsmodel.Account) (*apimodel.Account, gtserror.WithCode)) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/accounts/relationships.go b/internal/api/client/accounts/relationships.go
index 30d7dd666..7a5589832 100644
--- a/internal/api/client/accounts/relationships.go
+++ b/internal/api/client/accounts/relationships.go
@@ -25,7 +25,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// AccountRelationshipsGETHandler swagger:operation GET /api/v1/accounts/relationships accountRelationships
@@ -73,9 +72,12 @@ import (
// '500':
// description: internal server error
func (m *Module) AccountRelationshipsGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
@@ -89,7 +91,7 @@ func (m *Module) AccountRelationshipsGETHandler(c *gin.Context) {
// check fallback -- let's be generous and see if maybe it's just set as 'id'?
id := c.Query("id")
if id == "" {
- err = errors.New("no account id(s) specified in query")
+ err := errors.New("no account id(s) specified in query")
apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/accounts/search.go b/internal/api/client/accounts/search.go
index 13c135601..671afece2 100644
--- a/internal/api/client/accounts/search.go
+++ b/internal/api/client/accounts/search.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// AccountSearchGETHandler swagger:operation GET /api/v1/accounts/search accountSearchGet
@@ -107,9 +106,12 @@ import (
// '500':
// description: internal server error
func (m *Module) AccountSearchGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/accounts/statuses.go b/internal/api/client/accounts/statuses.go
index a72a464ed..c9f7977d8 100644
--- a/internal/api/client/accounts/statuses.go
+++ b/internal/api/client/accounts/statuses.go
@@ -26,7 +26,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// AccountStatusesGETHandler swagger:operation GET /api/v1/accounts/{id}/statuses accountStatuses
@@ -109,7 +108,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - read:accounts
+// - read:statuses
//
// responses:
// '200':
@@ -134,9 +133,12 @@ import (
// '500':
// description: internal server error
func (m *Module) AccountStatusesGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadStatuses,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/accounts/themesget.go b/internal/api/client/accounts/themesget.go
index 5a0cb6d94..6055a619f 100644
--- a/internal/api/client/accounts/themesget.go
+++ b/internal/api/client/accounts/themesget.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// AccountThemesGETHandler swagger:operation GET /api/v1/accounts/themes accountThemes
@@ -60,9 +59,12 @@ import (
// '500':
// description: internal server error
func (m *Module) AccountThemesGETHandler(c *gin.Context) {
- _, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ _, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/accounts/unblock.go b/internal/api/client/accounts/unblock.go
index e8144711e..615d62e60 100644
--- a/internal/api/client/accounts/unblock.go
+++ b/internal/api/client/accounts/unblock.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// AccountUnblockPOSTHandler swagger:operation POST /api/v1/accounts/{id}/unblock accountUnblock
@@ -67,9 +66,9 @@ import (
// '500':
// description: internal server error
func (m *Module) AccountUnblockPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c, true, true, true, true)
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
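Review bot: `AccountUnblockPOSTHandler` calls `apiutil.TokenAuth(c, true, true, true, true)` with no scope argument, so as far as this hunk shows any valid user token can unblock an account whatever scopes it was granted, while the neighbouring unfollow and unmute handlers pass `apiutil.ScopeWriteFollows` and `apiutil.ScopeWriteMutes`. The call should name the blocks write scope, presumably `apiutil.ScopeWriteBlocks` to match the block handler (not visible here, so confirm the constant). `DomainPermissionDraftAcceptPOSTHandler` in domainpermissiondraftaccept.go has the same gap: its swagger block now advertises `admin:write`, but the call passes no scope, where the sibling draft handlers pass `apiutil.ScopeAdminWrite`. Both omissions compile silently, which suggests the scope parameter is variadic; a test that calls each route with an out-of-scope token and expects a rejection would catch the next one. Both handler bodies continue outside their hunks.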
diff --git a/internal/api/client/accounts/unfollow.go b/internal/api/client/accounts/unfollow.go
index 9eb66aed3..1372a4ffc 100644
--- a/internal/api/client/accounts/unfollow.go
+++ b/internal/api/client/accounts/unfollow.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// AccountUnfollowPOSTHandler swagger:operation POST /api/v1/accounts/{id}/unfollow accountUnfollow
@@ -67,9 +66,12 @@ import (
// '500':
// description: internal server error
func (m *Module) AccountUnfollowPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFollows,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/accounts/unmute.go b/internal/api/client/accounts/unmute.go
index 665c3908e..0336e920f 100644
--- a/internal/api/client/accounts/unmute.go
+++ b/internal/api/client/accounts/unmute.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// AccountUnmutePOSTHandler swagger:operation POST /api/v1/accounts/{id}/unmute accountUnmute
@@ -69,9 +68,12 @@ import (
// '500':
// description: internal server error
func (m *Module) AccountUnmutePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteMutes,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/accountaction.go b/internal/api/client/admin/accountaction.go
index 64e6c39ca..74ff0851c 100644
--- a/internal/api/client/admin/accountaction.go
+++ b/internal/api/client/admin/accountaction.go
@@ -26,7 +26,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// AccountActionPOSTHandler swagger:operation POST /api/v1/admin/accounts/{id}/action adminAccountAction
@@ -64,7 +63,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write:accounts
//
// responses:
// '200':
@@ -87,9 +86,12 @@ import (
// '500':
// description: internal server error
func (m *Module) AccountActionPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWriteAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/accountapprove.go b/internal/api/client/admin/accountapprove.go
index 7aaa48509..96a495924 100644
--- a/internal/api/client/admin/accountapprove.go
+++ b/internal/api/client/admin/accountapprove.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// AccountApprovePOSTHandler swagger:operation POST /api/v1/admin/accounts/{id}/approve adminAccountApprove
@@ -48,7 +47,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write:accounts
//
// responses:
// '200':
@@ -68,9 +67,12 @@ import (
// '500':
// description: internal server error
func (m *Module) AccountApprovePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWriteAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/accountget.go b/internal/api/client/admin/accountget.go
index 3a656fecc..b73f58adb 100644
--- a/internal/api/client/admin/accountget.go
+++ b/internal/api/client/admin/accountget.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// AccountGETHandler swagger:operation GET /api/v1/admin/accounts/{id} adminAccountGet
@@ -48,7 +47,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:read:accounts
//
// responses:
// '200':
@@ -68,9 +67,12 @@ import (
// '500':
// description: internal server error
func (m *Module) AccountGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/accountreject.go b/internal/api/client/admin/accountreject.go
index a4653985d..fffdc5811 100644
--- a/internal/api/client/admin/accountreject.go
+++ b/internal/api/client/admin/accountreject.go
@@ -25,7 +25,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// AccountRejectPOSTHandler swagger:operation POST /api/v1/admin/accounts/{id}/reject adminAccountReject
@@ -70,7 +69,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write:accounts
//
// responses:
// '200':
@@ -90,9 +89,12 @@ import (
// '500':
// description: internal server error
func (m *Module) AccountRejectPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWriteAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/accountsgetv1.go b/internal/api/client/admin/accountsgetv1.go
index f333492de..7d542b97c 100644
--- a/internal/api/client/admin/accountsgetv1.go
+++ b/internal/api/client/admin/accountsgetv1.go
@@ -148,7 +148,7 @@
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:read:accounts
//
// responses:
// '200':
@@ -182,14 +182,16 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/paging"
)
func (m *Module) AccountsGETV1Handler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/accountsgetv2.go b/internal/api/client/admin/accountsgetv2.go
index 27024e7a2..8b6d4391d 100644
--- a/internal/api/client/admin/accountsgetv2.go
+++ b/internal/api/client/admin/accountsgetv2.go
@@ -121,7 +121,7 @@
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:read:accounts
//
// responses:
// '200':
@@ -155,14 +155,16 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/paging"
)
func (m *Module) AccountsGETV2Handler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/debug_off.go b/internal/api/client/admin/debug_off.go
index a43326f02..667cf1be9 100644
--- a/internal/api/client/admin/debug_off.go
+++ b/internal/api/client/admin/debug_off.go
@@ -55,7 +55,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write
//
// responses:
// '200':
@@ -89,7 +89,7 @@ func (m *Module) DebugAPUrlHandler(c *gin.Context) {}
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write
//
// responses:
// '200':
diff --git a/internal/api/client/admin/debug_on.go b/internal/api/client/admin/debug_on.go
index ea42206f8..eb38e95e5 100644
--- a/internal/api/client/admin/debug_on.go
+++ b/internal/api/client/admin/debug_on.go
@@ -27,13 +27,15 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
func (m *Module) DebugAPUrlHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
@@ -58,9 +60,12 @@ func (m *Module) DebugAPUrlHandler(c *gin.Context) {
}
func (m *Module) DebugClearCachesHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/domainallowcreate.go b/internal/api/client/admin/domainallowcreate.go
index e8700f673..3e2baa053 100644
--- a/internal/api/client/admin/domainallowcreate.go
+++ b/internal/api/client/admin/domainallowcreate.go
@@ -93,7 +93,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write:domain_allows
//
// responses:
// '200':
diff --git a/internal/api/client/admin/domainallowdelete.go b/internal/api/client/admin/domainallowdelete.go
index 6237e403f..20f97fe6d 100644
--- a/internal/api/client/admin/domainallowdelete.go
+++ b/internal/api/client/admin/domainallowdelete.go
@@ -43,7 +43,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write:domain_allows
//
// responses:
// '200':
diff --git a/internal/api/client/admin/domainallowget.go b/internal/api/client/admin/domainallowget.go
index aa21743fa..6ed845235 100644
--- a/internal/api/client/admin/domainallowget.go
+++ b/internal/api/client/admin/domainallowget.go
@@ -43,7 +43,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:read:domain_allows
//
// responses:
// '200':
diff --git a/internal/api/client/admin/domainallowsget.go b/internal/api/client/admin/domainallowsget.go
index 6391c7138..4790f1a2b 100644
--- a/internal/api/client/admin/domainallowsget.go
+++ b/internal/api/client/admin/domainallowsget.go
@@ -47,7 +47,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:read:domain_allows
//
// responses:
// '200':
diff --git a/internal/api/client/admin/domainblockcreate.go b/internal/api/client/admin/domainblockcreate.go
index 5234561cf..1e98c6f6f 100644
--- a/internal/api/client/admin/domainblockcreate.go
+++ b/internal/api/client/admin/domainblockcreate.go
@@ -93,7 +93,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write:domain_blocks
//
// responses:
// '200':
diff --git a/internal/api/client/admin/domainblockdelete.go b/internal/api/client/admin/domainblockdelete.go
index a6f6619cd..e9b207505 100644
--- a/internal/api/client/admin/domainblockdelete.go
+++ b/internal/api/client/admin/domainblockdelete.go
@@ -43,7 +43,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write:domain_blocks
//
// responses:
// '200':
diff --git a/internal/api/client/admin/domainblockget.go b/internal/api/client/admin/domainblockget.go
index 9e8d29905..1d73962fa 100644
--- a/internal/api/client/admin/domainblockget.go
+++ b/internal/api/client/admin/domainblockget.go
@@ -43,7 +43,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:read:domain_blocks
//
// responses:
// '200':
diff --git a/internal/api/client/admin/domainblocksget.go b/internal/api/client/admin/domainblocksget.go
index bdcc03469..383acbea5 100644
--- a/internal/api/client/admin/domainblocksget.go
+++ b/internal/api/client/admin/domainblocksget.go
@@ -47,7 +47,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:read:domain_blocks
//
// responses:
// '200':
diff --git a/internal/api/client/admin/domainkeysexpire.go b/internal/api/client/admin/domainkeysexpire.go
index 0926519f5..262d196b4 100644
--- a/internal/api/client/admin/domainkeysexpire.go
+++ b/internal/api/client/admin/domainkeysexpire.go
@@ -28,7 +28,6 @@ import (
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/config"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// DomainKeysExpirePOSTHandler swagger:operation POST /api/v1/admin/domain_keys_expire domainKeysExpire
@@ -68,7 +67,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write
//
// responses:
// '202':
@@ -95,9 +94,12 @@ import (
// '500':
// description: internal server error
func (m *Module) DomainKeysExpirePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/domainpermission.go b/internal/api/client/admin/domainpermission.go
index 5138be898..c64c90eb2 100644
--- a/internal/api/client/admin/domainpermission.go
+++ b/internal/api/client/admin/domainpermission.go
@@ -29,7 +29,6 @@ import (
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
type singleDomainPermCreate func(
@@ -63,9 +62,20 @@ func (m *Module) createDomainPermissions(
single singleDomainPermCreate,
multi multiDomainPermCreate,
) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ // Scope differs based on permType.
+ var requireScope apiutil.Scope
+ if permType == gtsmodel.DomainPermissionBlock {
+ requireScope = apiutil.ScopeAdminWriteDomainBlocks
+ } else {
+ requireScope = apiutil.ScopeAdminWriteDomainAllows
+ }
+
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ requireScope,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
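Review bot: The scope selection in `createDomainPermissions` treats every `permType` other than `gtsmodel.DomainPermissionBlock` as an allow, so an unset or future permission type would be authorised under the domain-allows scope instead of being refused. The same if/else is copied into `deleteDomainPermission`, `getDomainPermission` and `getDomainPermissions` in the following hunks, which makes it easy for one copy to drift between the read and write constants. I would move the mapping into one helper that matches both known types explicitly, and have each caller return an error before calling `apiutil.TokenAuth` when the type is not recognised. The function bodies continue outside the hunks.

```go
// domainPermScope maps a permission type to the admin scope a token
// needs to read or write it; ok is false for an unrecognised type.
func domainPermScope(permType gtsmodel.DomainPermissionType, write bool) (scope apiutil.Scope, ok bool) {
	switch permType {
	case gtsmodel.DomainPermissionBlock:
		if write {
			return apiutil.ScopeAdminWriteDomainBlocks, true
		}
		return apiutil.ScopeAdminReadDomainBlocks, true
	case gtsmodel.DomainPermissionAllow:
		if write {
			return apiutil.ScopeAdminWriteDomainAllows, true
		}
		return apiutil.ScopeAdminReadDomainAllows, true
	default:
		// Fail closed: no scope is acceptable for an unknown type.
		return scope, false
	}
}

	// In createDomainPermissions (write = true); the getters pass false.
	requireScope, ok := domainPermScope(permType, true)
	if !ok {
		err := errors.New("unrecognized domain permission type")
		apiutil.ErrorHandler(c, gtserror.NewErrorInternalError(err), m.processor.InstanceGetV1)
		return
	}
	// … unchanged: apiutil.TokenAuth call using requireScope …
```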
@@ -98,6 +108,7 @@ func (m *Module) createDomainPermissions(
return
}
+ var err error
if importing && form.Domains.Size == 0 {
err = errors.New("import was specified but list of domains is empty")
} else if !importing && form.Domain == "" {
@@ -171,9 +182,20 @@ func (m *Module) deleteDomainPermission(
c *gin.Context,
permType gtsmodel.DomainPermissionType, // block/allow
) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ // Scope differs based on permType.
+ var requireScope apiutil.Scope
+ if permType == gtsmodel.DomainPermissionBlock {
+ requireScope = apiutil.ScopeAdminWriteDomainBlocks
+ } else {
+ requireScope = apiutil.ScopeAdminWriteDomainAllows
+ }
+
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ requireScope,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
@@ -218,9 +240,20 @@ func (m *Module) getDomainPermission(
c *gin.Context,
permType gtsmodel.DomainPermissionType,
) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ // Scope differs based on permType.
+ var requireScope apiutil.Scope
+ if permType == gtsmodel.DomainPermissionBlock {
+ requireScope = apiutil.ScopeAdminReadDomainBlocks
+ } else {
+ requireScope = apiutil.ScopeAdminReadDomainAllows
+ }
+
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ requireScope,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
@@ -266,9 +299,20 @@ func (m *Module) getDomainPermissions(
c *gin.Context,
permType gtsmodel.DomainPermissionType,
) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ // Scope differs based on permType.
+ var requireScope apiutil.Scope
+ if permType == gtsmodel.DomainPermissionBlock {
+ requireScope = apiutil.ScopeAdminReadDomainBlocks
+ } else {
+ requireScope = apiutil.ScopeAdminReadDomainAllows
+ }
+
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ requireScope,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/domainpermissiondraftaccept.go b/internal/api/client/admin/domainpermissiondraftaccept.go
index 5e484cbf3..345b4d1c3 100644
--- a/internal/api/client/admin/domainpermissiondraftaccept.go
+++ b/internal/api/client/admin/domainpermissiondraftaccept.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// DomainPermissionDraftAcceptPOSTHandler swagger:operation POST /api/v1/admin/domain_permission_drafts/{id}/accept domainPermissionDraftAccept
@@ -61,7 +60,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write
//
// responses:
// '200':
@@ -81,9 +80,9 @@ import (
// '500':
// description: internal server error
func (m *Module) DomainPermissionDraftAcceptPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c, true, true, true, true)
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/domainpermissiondraftcreate.go b/internal/api/client/admin/domainpermissiondraftcreate.go
index ec94f947b..b8d3085e9 100644
--- a/internal/api/client/admin/domainpermissiondraftcreate.go
+++ b/internal/api/client/admin/domainpermissiondraftcreate.go
@@ -26,7 +26,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// DomainPermissionDraftsPOSTHandler swagger:operation POST /api/v1/admin/domain_permission_drafts domainPermissionDraftCreate
@@ -79,7 +78,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write
//
// responses:
// '200':
@@ -99,9 +98,12 @@ import (
// '500':
// description: internal server error
func (m *Module) DomainPermissionDraftsPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/domainpermissiondraftget.go b/internal/api/client/admin/domainpermissiondraftget.go
index aef3b094b..bff6254f7 100644
--- a/internal/api/client/admin/domainpermissiondraftget.go
+++ b/internal/api/client/admin/domainpermissiondraftget.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// DomainPermissionDraftGETHandler swagger:operation GET /api/v1/admin/domain_permission_drafts/{id} domainPermissionDraftGet
@@ -48,7 +47,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:read
//
// responses:
// '200':
@@ -66,9 +65,12 @@ import (
// '500':
// description: internal server error
func (m *Module) DomainPermissionDraftGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/domainpermissiondraftremove.go b/internal/api/client/admin/domainpermissiondraftremove.go
index 78169508c..6346331d1 100644
--- a/internal/api/client/admin/domainpermissiondraftremove.go
+++ b/internal/api/client/admin/domainpermissiondraftremove.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// DomainPermissionDraftRemovePOSTHandler swagger:operation POST /api/v1/admin/domain_permission_drafts/{id}/remove domainPermissionDraftRemove
@@ -61,7 +60,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write
//
// responses:
// '200':
@@ -81,9 +80,12 @@ import (
// '500':
// description: internal server error
func (m *Module) DomainPermissionDraftRemovePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/domainpermissiondraftsget.go b/internal/api/client/admin/domainpermissiondraftsget.go
index 21ce5dc43..fa5e1ce6a 100644
--- a/internal/api/client/admin/domainpermissiondraftsget.go
+++ b/internal/api/client/admin/domainpermissiondraftsget.go
@@ -26,7 +26,6 @@ import (
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/paging"
)
@@ -99,7 +98,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:read
//
// responses:
// '200':
@@ -125,9 +124,12 @@ import (
// '500':
// description: internal server error
func (m *Module) DomainPermissionDraftsGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/domainpermissionexcludecreate.go b/internal/api/client/admin/domainpermissionexcludecreate.go
index dd0b3b493..9559ab5b2 100644
--- a/internal/api/client/admin/domainpermissionexcludecreate.go
+++ b/internal/api/client/admin/domainpermissionexcludecreate.go
@@ -25,7 +25,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// DomainPermissionExcludesPOSTHandler swagger:operation POST /api/v1/admin/domain_permission_excludes domainPermissionExcludeCreate
@@ -62,7 +61,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write
//
// responses:
// '200':
@@ -82,9 +81,12 @@ import (
// '500':
// description: internal server error
func (m *Module) DomainPermissionExcludesPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
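Review bot: DomainPermissionExcludesPOSTHandler now rejects tokens without `admin:write`, but a scope only limits what a token may do; it does not establish that the account behind the token is an admin. The rest of the body is outside this hunk, so I cannot see whether a role check on `authed` follows. If it does, a short comment after the block such as `// scope checked above; admin role is verified separately below` would keep later edits from treating the two as interchangeable. The same applies to the other write handlers changed in this commit.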
diff --git a/internal/api/client/admin/domainpermissionexcludeget.go b/internal/api/client/admin/domainpermissionexcludeget.go
index ca110abd5..200f20021 100644
--- a/internal/api/client/admin/domainpermissionexcludeget.go
+++ b/internal/api/client/admin/domainpermissionexcludeget.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// DomainPermissionExcludeGETHandler swagger:operation GET /api/v1/admin/domain_permission_excludes/{id} domainPermissionExcludeGet
@@ -48,7 +47,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:read
//
// responses:
// '200':
@@ -66,9 +65,12 @@ import (
// '500':
// description: internal server error
func (m *Module) DomainPermissionExcludeGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/domainpermissionexcluderemove.go b/internal/api/client/admin/domainpermissionexcluderemove.go
index a167ae5a5..35a4bdd27 100644
--- a/internal/api/client/admin/domainpermissionexcluderemove.go
+++ b/internal/api/client/admin/domainpermissionexcluderemove.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// DomainPermissionExcludeDELETEHandler swagger:operation DELETE /api/v1/admin/domain_permission_excludes/{id} domainPermissionExcludeDelete
@@ -48,7 +47,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write
//
// responses:
// '200':
@@ -68,9 +67,12 @@ import (
// '500':
// description: internal server error
func (m *Module) DomainPermissionExcludeDELETEHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/domainpermissionexcludesget.go b/internal/api/client/admin/domainpermissionexcludesget.go
index 71eedec52..59384079c 100644
--- a/internal/api/client/admin/domainpermissionexcludesget.go
+++ b/internal/api/client/admin/domainpermissionexcludesget.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/paging"
)
@@ -87,7 +86,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:read
//
// responses:
// '200':
@@ -113,9 +112,12 @@ import (
// '500':
// description: internal server error
func (m *Module) DomainPermissionExcludesGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/domainpermissionsubscriptioncreate.go b/internal/api/client/admin/domainpermissionsubscriptioncreate.go
index dd0b43aca..b45ac8d72 100644
--- a/internal/api/client/admin/domainpermissionsubscriptioncreate.go
+++ b/internal/api/client/admin/domainpermissionsubscriptioncreate.go
@@ -27,7 +27,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/util"
)
@@ -125,7 +124,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write
//
// responses:
// '200':
@@ -145,9 +144,12 @@ import (
// '500':
// description: internal server error
func (m *Module) DomainPermissionSubscriptionPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/domainpermissionsubscriptionget.go b/internal/api/client/admin/domainpermissionsubscriptionget.go
index 841e37f24..59498beea 100644
--- a/internal/api/client/admin/domainpermissionsubscriptionget.go
+++ b/internal/api/client/admin/domainpermissionsubscriptionget.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// DomainPermissionSubscriptionGETHandler swagger:operation GET /api/v1/admin/domain_permission_subscriptions/{id} domainPermissionSubscriptionGet
@@ -48,7 +47,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:read
//
// responses:
// '200':
@@ -66,9 +65,12 @@ import (
// '500':
// description: internal server error
func (m *Module) DomainPermissionSubscriptionGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/domainpermissionsubscriptionremove.go b/internal/api/client/admin/domainpermissionsubscriptionremove.go
index 97f226a31..c659a7559 100644
--- a/internal/api/client/admin/domainpermissionsubscriptionremove.go
+++ b/internal/api/client/admin/domainpermissionsubscriptionremove.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/util"
)
@@ -68,7 +67,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write
//
// responses:
// '200':
@@ -88,9 +87,12 @@ import (
// '500':
// description: internal server error
func (m *Module) DomainPermissionSubscriptionRemovePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/domainpermissionsubscriptionsget.go b/internal/api/client/admin/domainpermissionsubscriptionsget.go
index 477013ec9..b3509a139 100644
--- a/internal/api/client/admin/domainpermissionsubscriptionsget.go
+++ b/internal/api/client/admin/domainpermissionsubscriptionsget.go
@@ -26,7 +26,6 @@ import (
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/paging"
)
@@ -89,7 +88,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:read
//
// responses:
// '200':
@@ -115,9 +114,12 @@ import (
// '500':
// description: internal server error
func (m *Module) DomainPermissionSubscriptionsGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/domainpermissionsubscriptionspreviewget.go b/internal/api/client/admin/domainpermissionsubscriptionspreviewget.go
index dc46c159b..d942e9612 100644
--- a/internal/api/client/admin/domainpermissionsubscriptionspreviewget.go
+++ b/internal/api/client/admin/domainpermissionsubscriptionspreviewget.go
@@ -26,7 +26,6 @@ import (
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// DomainPermissionSubscriptionsPreviewGETHandler swagger:operation GET /api/v1/admin/domain_permission_subscriptions/preview domainPermissionSubscriptionsPreviewGet
@@ -52,7 +51,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:read
//
// responses:
// '200':
@@ -74,9 +73,12 @@ import (
// '500':
// description: internal server error
func (m *Module) DomainPermissionSubscriptionsPreviewGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/domainpermissionsubscriptiontest.go b/internal/api/client/admin/domainpermissionsubscriptiontest.go
index 395a1a69c..573f1ca01 100644
--- a/internal/api/client/admin/domainpermissionsubscriptiontest.go
+++ b/internal/api/client/admin/domainpermissionsubscriptiontest.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// DomainPermissionSubscriptionTestPOSTHandler swagger:operation POST /api/v1/admin/domain_permission_subscriptions/{id}/test domainPermissionSubscriptionTest
@@ -52,7 +51,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write
//
// responses:
// '200':
@@ -76,9 +75,12 @@ import (
// '500':
// description: internal server error
func (m *Module) DomainPermissionSubscriptionTestPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/domainpermissionsubscriptionupdate.go b/internal/api/client/admin/domainpermissionsubscriptionupdate.go
index de73c4d3e..0f6309c19 100644
--- a/internal/api/client/admin/domainpermissionsubscriptionupdate.go
+++ b/internal/api/client/admin/domainpermissionsubscriptionupdate.go
@@ -28,7 +28,6 @@ import (
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/util"
)
@@ -121,7 +120,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write
//
// responses:
// '200':
@@ -141,9 +140,12 @@ import (
// '500':
// description: internal server error
func (m *Module) DomainPermissionSubscriptionPATCHHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/emailtest.go b/internal/api/client/admin/emailtest.go
index 9b214a926..37a5e31d3 100644
--- a/internal/api/client/admin/emailtest.go
+++ b/internal/api/client/admin/emailtest.go
@@ -26,7 +26,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// EmailTestPostHandler swagger:operation POST /api/v1/admin/email/test testEmailSend
@@ -63,7 +62,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write
//
// responses:
// '202':
@@ -87,9 +86,12 @@ import (
// '500':
// description: internal server error
func (m *Module) EmailTestPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
@@ -121,7 +123,7 @@ func (m *Module) EmailTestPOSTHandler(c *gin.Context) {
return
}
- errWithCode := m.processor.Admin().EmailTest(
+ errWithCode = m.processor.Admin().EmailTest(
c.Request.Context(),
authed.Account,
email.Address,
diff --git a/internal/api/client/admin/emojicategoriesget.go b/internal/api/client/admin/emojicategoriesget.go
index 51eb8fee4..e678cea86 100644
--- a/internal/api/client/admin/emojicategoriesget.go
+++ b/internal/api/client/admin/emojicategoriesget.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// EmojiCategoriesGETHandler swagger:operation GET /api/v1/admin/custom_emojis/categories emojiCategoriesGet
@@ -38,6 +37,10 @@ import (
// produces:
// - application/json
//
+// security:
+// - OAuth2 Bearer:
+// - admin:read
+//
// responses:
// '200':
// description: Array of existing emoji categories.
@@ -58,9 +61,12 @@ import (
// '500':
// description: internal server error
func (m *Module) EmojiCategoriesGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/emojicreate.go b/internal/api/client/admin/emojicreate.go
index 07fa4d4a8..445c56605 100644
--- a/internal/api/client/admin/emojicreate.go
+++ b/internal/api/client/admin/emojicreate.go
@@ -27,7 +27,6 @@ import (
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/config"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/validate"
)
@@ -76,7 +75,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write
//
// responses:
// '200':
@@ -98,9 +97,12 @@ import (
// '500':
// description: internal server error
func (m *Module) EmojiCreatePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/emojidelete.go b/internal/api/client/admin/emojidelete.go
index 9f9f9d286..05d94f25d 100644
--- a/internal/api/client/admin/emojidelete.go
+++ b/internal/api/client/admin/emojidelete.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// EmojiDELETEHandler swagger:operation DELETE /api/v1/admin/custom_emojis/{id} emojiDelete
@@ -54,7 +53,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write
//
// responses:
// '200':
@@ -74,9 +73,12 @@ import (
// '500':
// description: internal server error
func (m *Module) EmojiDELETEHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/emojiget.go b/internal/api/client/admin/emojiget.go
index 7ecbcfa19..41bea00f8 100644
--- a/internal/api/client/admin/emojiget.go
+++ b/internal/api/client/admin/emojiget.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// EmojiGETHandler swagger:operation GET /api/v1/admin/custom_emojis/{id} emojiGet
@@ -46,6 +45,10 @@ import (
// in: path
// required: true
//
+// security:
+// - OAuth2 Bearer:
+// - admin:read
+//
// responses:
// '200':
// description: A single emoji.
@@ -64,9 +67,12 @@ import (
// '500':
// description: internal server error
func (m *Module) EmojiGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/emojisget.go b/internal/api/client/admin/emojisget.go
index d50b553ac..c1d05af07 100644
--- a/internal/api/client/admin/emojisget.go
+++ b/internal/api/client/admin/emojisget.go
@@ -27,7 +27,6 @@ import (
"github.com/superseriousbusiness/gotosocial/internal/config"
"github.com/superseriousbusiness/gotosocial/internal/db"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// EmojisGETHandler swagger:operation GET /api/v1/admin/custom_emojis emojisGet
@@ -99,6 +98,10 @@ import (
// Emoji with the given `[shortcode]@[domain]` will not be included in the result set.
// in: query
//
+// security:
+// - OAuth2 Bearer:
+// - admin:read
+//
// responses:
// '200':
// headers:
@@ -123,9 +126,12 @@ import (
// '500':
// description: internal server error
func (m *Module) EmojisGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/emojiupdate.go b/internal/api/client/admin/emojiupdate.go
index b8ac101c0..07337eaa9 100644
--- a/internal/api/client/admin/emojiupdate.go
+++ b/internal/api/client/admin/emojiupdate.go
@@ -28,7 +28,6 @@ import (
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/config"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/validate"
)
@@ -105,7 +104,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write
//
// responses:
// '200':
@@ -125,9 +124,12 @@ import (
// '500':
// description: internal server error
func (m *Module) EmojiPATCHHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/headerfilter.go b/internal/api/client/admin/headerfilter.go
index d3dad5917..b101e98f6 100644
--- a/internal/api/client/admin/headerfilter.go
+++ b/internal/api/client/admin/headerfilter.go
@@ -27,14 +27,15 @@ import (
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// getHeaderFilter is a gin handler function that returns details of an HTTP header filter with provided ID, using given get function.
func (m *Module) getHeaderFilter(c *gin.Context, get func(context.Context, string) (*apimodel.HeaderFilter, gtserror.WithCode)) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- errWithCode := gtserror.NewErrorUnauthorized(err, err.Error())
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
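Review bot: The doc comment on getHeaderFilter does not say that the helper itself enforces `apiutil.ScopeAdminRead`, while the swagger `security:` blocks that advertise `admin:read` live in headerfilter_get.go, so the enforced and documented scopes can drift apart unnoticed. I would extend the comment with a sentence like `// Callers must present a token with the admin:read scope.`, and do the same for getHeaderFilters (`admin:read`) and for createHeaderFilter and deleteHeaderFilter (`admin:write`) in the later hunks of this file. The bodies of all four helpers continue outside their hunks.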
@@ -69,9 +70,11 @@ func (m *Module) getHeaderFilter(c *gin.Context, get func(context.Context, strin
// getHeaderFilters is a gin handler function that returns details of all HTTP header filters using given get function.
func (m *Module) getHeaderFilters(c *gin.Context, get func(context.Context) ([]*apimodel.HeaderFilter, gtserror.WithCode)) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- errWithCode := gtserror.NewErrorUnauthorized(err, err.Error())
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
@@ -100,9 +103,11 @@ func (m *Module) getHeaderFilters(c *gin.Context, get func(context.Context) ([]*
// createHeaderFilter is a gin handler function that creates a HTTP header filter entry using provided form data, passing to given create function.
func (m *Module) createHeaderFilter(c *gin.Context, create func(context.Context, *gtsmodel.Account, *apimodel.HeaderFilterRequest) (*apimodel.HeaderFilter, gtserror.WithCode)) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- errWithCode := gtserror.NewErrorUnauthorized(err, err.Error())
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
@@ -148,9 +153,11 @@ func (m *Module) createHeaderFilter(c *gin.Context, create func(context.Context,
// deleteHeaderFilter is a gin handler function that deletes an HTTP header filter with provided ID, using given delete function.
func (m *Module) deleteHeaderFilter(c *gin.Context, delete func(context.Context, string) gtserror.WithCode) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- errWithCode := gtserror.NewErrorUnauthorized(err, err.Error())
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/headerfilter_create.go b/internal/api/client/admin/headerfilter_create.go
index d74dc5e15..a5b5e5309 100644
--- a/internal/api/client/admin/headerfilter_create.go
+++ b/internal/api/client/admin/headerfilter_create.go
@@ -42,7 +42,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write
//
// responses:
// '200':
@@ -82,7 +82,7 @@ func (m *Module) HeaderFilterAllowPOST(c *gin.Context) {
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write
//
// responses:
// '200':
diff --git a/internal/api/client/admin/headerfilter_delete.go b/internal/api/client/admin/headerfilter_delete.go
index 58b1c585e..400c5c4e3 100644
--- a/internal/api/client/admin/headerfilter_delete.go
+++ b/internal/api/client/admin/headerfilter_delete.go
@@ -39,7 +39,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write
//
// responses:
// '202':
@@ -76,7 +76,7 @@ func (m *Module) HeaderFilterAllowDELETE(c *gin.Context) {
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write
//
// responses:
// '202':
diff --git a/internal/api/client/admin/headerfilter_get.go b/internal/api/client/admin/headerfilter_get.go
index 5bca6d18d..cd00fe24c 100644
--- a/internal/api/client/admin/headerfilter_get.go
+++ b/internal/api/client/admin/headerfilter_get.go
@@ -37,7 +37,7 @@ import "github.com/gin-gonic/gin"
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:read
//
// responses:
// '200':
@@ -76,7 +76,7 @@ func (m *Module) HeaderFilterAllowGET(c *gin.Context) {
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:read
//
// responses:
// '200':
diff --git a/internal/api/client/admin/mediacleanup.go b/internal/api/client/admin/mediacleanup.go
index 661a8ff15..2554f8508 100644
--- a/internal/api/client/admin/mediacleanup.go
+++ b/internal/api/client/admin/mediacleanup.go
@@ -26,7 +26,6 @@ import (
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/config"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// MediaCleanupPOSTHandler swagger:operation POST /api/v1/admin/media_cleanup mediaCleanup
@@ -49,7 +48,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write
//
// responses:
// '200':
@@ -69,9 +68,12 @@ import (
// '500':
// description: internal server error
func (m *Module) MediaCleanupPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/mediarefetch.go b/internal/api/client/admin/mediarefetch.go
index b2b0516ba..47301460f 100644
--- a/internal/api/client/admin/mediarefetch.go
+++ b/internal/api/client/admin/mediarefetch.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// MediaRefetchPOSTHandler swagger:operation POST /api/v1/admin/media_refetch mediaRefetch
@@ -42,7 +41,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write
//
// parameters:
// -
@@ -71,9 +70,12 @@ import (
// '500':
// description: internal server error
func (m *Module) MediaRefetchPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/reportget.go b/internal/api/client/admin/reportget.go
index f2acd214c..163043627 100644
--- a/internal/api/client/admin/reportget.go
+++ b/internal/api/client/admin/reportget.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// ReportGETHandler swagger:operation GET /api/v1/admin/reports/{id} adminReportGet
@@ -48,7 +47,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:read:reports
//
// responses:
// '200':
@@ -67,9 +66,12 @@ import (
// '500':
// description: internal server error
func (m *Module) ReportGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminReadReports,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
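Review bot: ReportGETHandler requires the granular `apiutil.ScopeAdminReadReports`, whereas the swagger block previously advertised plain `admin`, so clients holding broader tokens depend entirely on how the scope matcher treats parent scopes. The matcher is not visible in this hunk. A handler-level test would pin that behaviour: a token carrying `admin:read` should presumably be accepted here, and a token carrying only an unrelated scope should be rejected with the documented status. ReportResolvePOSTHandler and ReportsGETHandler use the same granular scopes and would benefit from the same cases. The handler body continues outside the hunk.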
diff --git a/internal/api/client/admin/reportresolve.go b/internal/api/client/admin/reportresolve.go
index f17ae24be..2b9be3721 100644
--- a/internal/api/client/admin/reportresolve.go
+++ b/internal/api/client/admin/reportresolve.go
@@ -25,7 +25,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// ReportResolvePOSTHandler swagger:operation POST /api/v1/admin/reports/{id}/resolve adminReportResolve
@@ -65,7 +64,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write:reports
//
// responses:
// '200':
@@ -84,9 +83,12 @@ import (
// '500':
// description: internal server error
func (m *Module) ReportResolvePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWriteReports,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/reportsget.go b/internal/api/client/admin/reportsget.go
index 893960e2a..64a144767 100644
--- a/internal/api/client/admin/reportsget.go
+++ b/internal/api/client/admin/reportsget.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/paging"
)
@@ -100,7 +99,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:read:reports
//
// responses:
// '200':
@@ -125,9 +124,12 @@ import (
// '500':
// description: internal server error
func (m *Module) ReportsGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminReadReports,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/reportsget_test.go b/internal/api/client/admin/reportsget_test.go
index 3af187ad2..8639e0c6e 100644
--- a/internal/api/client/admin/reportsget_test.go
+++ b/internal/api/client/admin/reportsget_test.go
@@ -1149,7 +1149,7 @@ func (suite *ReportsGetTestSuite) TestReportsGetNotAdmin() {
testToken := suite.testTokens["local_account_1"]
testUser := suite.testUsers["local_account_1"]
- reports, _, err := suite.getReports(testAccount, testToken, testUser, http.StatusForbidden, `{"error":"Forbidden: user 01F8MGVGPHQ2D3P3X0454H54Z5 not an admin"}`, nil, "", "", "", "", "", 20)
+ reports, _, err := suite.getReports(testAccount, testToken, testUser, http.StatusForbidden, `{"error":"Forbidden: token has insufficient scope permission"}`, nil, "", "", "", "", "", 20)
suite.NoError(err)
suite.Empty(reports)
}
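Review bot: With the expected body changed to `token has insufficient scope permission`, TestReportsGetNotAdmin now passes on the scope check and no longer exercises the admin-role check that produced the old `not an admin` message. The fixture token for local_account_1 presumably carries no admin scope, so the case of a non-admin user holding an admin-scoped token is not covered here. I would add a sibling case that gives a non-admin user a token with `admin:read:reports` and still expects `http.StatusForbidden`, and rename this one to say it tests the scope. Whether the role check still runs after TokenAuth in ReportsGETHandler cannot be confirmed from the hunks shown.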
diff --git a/internal/api/client/admin/rulecreate.go b/internal/api/client/admin/rulecreate.go
index 8728940c5..9e4be1da3 100644
--- a/internal/api/client/admin/rulecreate.go
+++ b/internal/api/client/admin/rulecreate.go
@@ -26,7 +26,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// RulePOSTHandler swagger:operation POST /api/v1/admin/instance/rules ruleCreate
@@ -45,7 +44,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write
//
// responses:
// '200':
@@ -65,9 +64,12 @@ import (
// '500':
// description: internal server error
func (m *Module) RulePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/ruledelete.go b/internal/api/client/admin/ruledelete.go
index 7e8fc0037..c2797aa8d 100644
--- a/internal/api/client/admin/ruledelete.go
+++ b/internal/api/client/admin/ruledelete.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// RuleDELETEHandler swagger:operation DELETE /api/v1/admin/instance/rules/{id} ruleDelete
@@ -52,7 +51,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write
//
// responses:
// '200':
@@ -72,9 +71,12 @@ import (
// '500':
// description: internal server error
func (m *Module) RuleDELETEHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/ruleget.go b/internal/api/client/admin/ruleget.go
index da76232eb..ce627a0d7 100644
--- a/internal/api/client/admin/ruleget.go
+++ b/internal/api/client/admin/ruleget.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// RuleGETHandler swagger:operation GET /api/v1/admin/instance/rules/{id} adminRuleGet
@@ -48,7 +47,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:read
//
// responses:
// '200':
@@ -67,9 +66,12 @@ import (
// '500':
// description: internal server error
func (m *Module) RuleGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/rulesget.go b/internal/api/client/admin/rulesget.go
index b22ab1a8a..bc4961c6a 100644
--- a/internal/api/client/admin/rulesget.go
+++ b/internal/api/client/admin/rulesget.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// RulesGETHandler swagger:operation GET /api/v1/admin/instance/rules adminsRuleGet
@@ -44,7 +43,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:read
//
// responses:
// '200':
@@ -64,9 +63,12 @@ import (
// '500':
// description: internal server error
func (m *Module) RulesGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/admin/ruleupdate.go b/internal/api/client/admin/ruleupdate.go
index d58c30d94..db8b610e0 100644
--- a/internal/api/client/admin/ruleupdate.go
+++ b/internal/api/client/admin/ruleupdate.go
@@ -25,7 +25,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// RulePATCHHandler swagger:operation PATCH /api/v1/admin/instance/rules/{id} ruleUpdate
@@ -44,7 +43,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write
//
// responses:
// '200':
@@ -64,9 +63,12 @@ import (
// '500':
// description: internal server error
func (m *Module) RulePATCHHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/announcements/announcementsget.go b/internal/api/client/announcements/announcementsget.go
index 04bd5f285..92353a4e7 100644
--- a/internal/api/client/announcements/announcementsget.go
+++ b/internal/api/client/announcements/announcementsget.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// AnnouncementsGETHandler swagger:operation GET /api/v1/announcements announcementsGet
@@ -40,8 +39,7 @@ import (
// - application/json
//
// security:
-// - OAuth2 Bearer:
-// - read:announcements
+// - OAuth2 Bearer: []
//
// responses:
// '200':
@@ -59,9 +57,11 @@ import (
// '500':
// description: internal server error
func (m *Module) AnnouncementsGETHandler(c *gin.Context) {
- _, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ _, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
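Review bot: The new `apiutil.TokenAuth` call in AnnouncementsGETHandler passes no scope after the four booleans, which at the call site looks the same as a forgotten scope argument. Together with the swagger change from `read:announcements` to `OAuth2 Bearer: []`, it appears to mean that any valid token is accepted whatever scopes it was granted. If that is intended, state it above the call: `// No scope required: any valid user token may read announcements.` The same applies to CustomEmojisGETHandler in customemojisget.go and to AppsPOSTHandler in appcreate.go, which also call TokenAuth without a scope. The handler body continues outside the hunk.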
diff --git a/internal/api/client/apps/appcreate.go b/internal/api/client/apps/appcreate.go
index 8aa87c3b3..6a8208a20 100644
--- a/internal/api/client/apps/appcreate.go
+++ b/internal/api/client/apps/appcreate.go
@@ -25,7 +25,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// these consts are used to ensure users can't spam huge entries into our database
@@ -74,9 +73,11 @@ const (
// '500':
// description: internal server error
func (m *Module) AppsPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, false, false, false, false)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ false, false, false, false,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/blocks/blocksget.go b/internal/api/client/blocks/blocksget.go
index fe5104c61..0d9a2234e 100644
--- a/internal/api/client/blocks/blocksget.go
+++ b/internal/api/client/blocks/blocksget.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/paging"
)
@@ -107,9 +106,12 @@ import (
// '500':
// description: internal server error
func (m *Module) BlocksGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadBlocks,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/bookmarks/bookmarksget.go b/internal/api/client/bookmarks/bookmarksget.go
index e6489c405..6fa87c688 100644
--- a/internal/api/client/bookmarks/bookmarksget.go
+++ b/internal/api/client/bookmarks/bookmarksget.go
@@ -25,7 +25,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
const (
@@ -93,9 +92,12 @@ const (
// '500':
// description: internal server error
func (m *Module) BookmarksGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadBookmarks,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/conversations/conversationdelete.go b/internal/api/client/conversations/conversationdelete.go
index 6f8f43a94..dabb2bfc8 100644
--- a/internal/api/client/conversations/conversationdelete.go
+++ b/internal/api/client/conversations/conversationdelete.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// ConversationDELETEHandler swagger:operation DELETE /api/v1/conversations/{id} conversationDelete
@@ -66,9 +65,12 @@ import (
// '500':
// description: internal server error
func (m *Module) ConversationDELETEHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteConversations,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/conversations/conversationread.go b/internal/api/client/conversations/conversationread.go
index 7f68a2a33..e168cca2e 100644
--- a/internal/api/client/conversations/conversationread.go
+++ b/internal/api/client/conversations/conversationread.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// ConversationReadPOSTHandler swagger:operation POST /api/v1/conversation/{id}/read conversationRead
@@ -68,9 +67,12 @@ import (
// '500':
// description: internal server error
func (m *Module) ConversationReadPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteConversations,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/conversations/conversationsget.go b/internal/api/client/conversations/conversationsget.go
index 663b9a707..8cd70cd00 100644
--- a/internal/api/client/conversations/conversationsget.go
+++ b/internal/api/client/conversations/conversationsget.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/paging"
)
@@ -107,9 +106,12 @@ import (
// '500':
// description: internal server error
func (m *Module) ConversationsGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadStatuses,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/customemojis/customemojisget.go b/internal/api/client/customemojis/customemojisget.go
index be595afd7..7c9b88b4c 100644
--- a/internal/api/client/customemojis/customemojisget.go
+++ b/internal/api/client/customemojis/customemojisget.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// CustomEmojisGETHandler swagger:operation GET /api/v1/custom_emojis customEmojisGet
@@ -38,8 +37,7 @@ import (
// - application/json
//
// security:
-// - OAuth2 Bearer:
-// - read:custom_emojis
+// - OAuth2 Bearer: []
//
// responses:
// '200':
@@ -55,8 +53,11 @@ import (
// '500':
// description: internal server error
func (m *Module) CustomEmojisGETHandler(c *gin.Context) {
- if _, err := oauth.Authed(c, true, true, true, true); err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ _, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/exports/blocks.go b/internal/api/client/exports/blocks.go
index c31e2b0b4..bc8c2a6b3 100644
--- a/internal/api/client/exports/blocks.go
+++ b/internal/api/client/exports/blocks.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// ExportBlocksGETHandler swagger:operation GET /api/v1/exports/blocks.csv exportBlocks
@@ -52,9 +51,12 @@ import (
// '500':
// description: internal server error
func (m *Module) ExportBlocksGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadBlocks,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/exports/followers.go b/internal/api/client/exports/followers.go
index ceef94659..ad6306de0 100644
--- a/internal/api/client/exports/followers.go
+++ b/internal/api/client/exports/followers.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// ExportFollowersGETHandler swagger:operation GET /api/v1/exports/followers.csv exportFollowers
@@ -39,7 +38,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - read:follows
+// - read:accounts
//
// responses:
// '200':
@@ -52,9 +51,12 @@ import (
// '500':
// description: internal server error
func (m *Module) ExportFollowersGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
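Review bot: ExportFollowersGETHandler now requires `apiutil.ScopeReadAccounts`, while the sibling ExportFollowingGETHandler in following.go requires `apiutil.ScopeReadFollows`, and the swagger line in this file was changed away from `read:follows`. Both endpoints export follow relationships, so as written a token granted only `read:accounts` can export the full followers list and one granted only `read:follows` cannot. If the split is deliberate, a comment above the call would keep it from being "corrected" later, e.g. `// read:accounts rather than read:follows is intentional: <reason>`. The handler body continues outside the hunk.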
diff --git a/internal/api/client/exports/following.go b/internal/api/client/exports/following.go
index e61cafc2a..b95492dfa 100644
--- a/internal/api/client/exports/following.go
+++ b/internal/api/client/exports/following.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// ExportFollowingGETHandler swagger:operation GET /api/v1/exports/following.csv exportFollowing
@@ -52,9 +51,12 @@ import (
// '500':
// description: internal server error
func (m *Module) ExportFollowingGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFollows,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/exports/lists.go b/internal/api/client/exports/lists.go
index 2debcc701..385df5501 100644
--- a/internal/api/client/exports/lists.go
+++ b/internal/api/client/exports/lists.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// ExportListsGETHandler swagger:operation GET /api/v1/exports/lists.csv exportLists
@@ -52,9 +51,12 @@ import (
// '500':
// description: internal server error
func (m *Module) ExportListsGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/exports/mutes.go b/internal/api/client/exports/mutes.go
index ab49b7719..6b9d699c9 100644
--- a/internal/api/client/exports/mutes.go
+++ b/internal/api/client/exports/mutes.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// ExportMutesGETHandler swagger:operation GET /api/v1/exports/mutes.csv exportMutes
@@ -52,9 +51,12 @@ import (
// '500':
// description: internal server error
func (m *Module) ExportMutesGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadMutes,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/exports/stats.go b/internal/api/client/exports/stats.go
index 9e3f1b600..783826bb3 100644
--- a/internal/api/client/exports/stats.go
+++ b/internal/api/client/exports/stats.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// ExportStatsGETHandler swagger:operation GET /api/v1/exports/stats exportStats
@@ -39,7 +38,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - read:account
+// - read:accounts
//
// responses:
// '200':
@@ -53,9 +52,12 @@ import (
// '500':
// description: internal server error
func (m *Module) ExportStatsGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/favourites/favouritesget.go b/internal/api/client/favourites/favouritesget.go
index 3ba2f9fcf..5396bc155 100644
--- a/internal/api/client/favourites/favouritesget.go
+++ b/internal/api/client/favourites/favouritesget.go
@@ -25,7 +25,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// FavouritesGETHandler swagger:operation GET /api/v1/favourites favouritesGet
@@ -93,9 +92,12 @@ import (
// '500':
// description: internal server error
func (m *Module) FavouritesGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFavourites,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/featuredtags/get.go b/internal/api/client/featuredtags/get.go
index de47f7ee2..cab6b19a3 100644
--- a/internal/api/client/featuredtags/get.go
+++ b/internal/api/client/featuredtags/get.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// FeaturedTagsGETHandler swagger:operation GET /api/v1/featured_tags getFeaturedTags
@@ -60,9 +59,12 @@ import (
// '500':
// description: internal server error
func (m *Module) FeaturedTagsGETHandler(c *gin.Context) {
- _, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ _, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/filters/v1/filterdelete.go b/internal/api/client/filters/v1/filterdelete.go
index 267dd16d0..e28221ca6 100644
--- a/internal/api/client/filters/v1/filterdelete.go
+++ b/internal/api/client/filters/v1/filterdelete.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// FilterDELETEHandler swagger:operation DELETE /api/v1/filters/{id} filterV1Delete
@@ -63,9 +62,12 @@ import (
// '500':
// description: internal server error
func (m *Module) FilterDELETEHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/filters/v1/filterget.go b/internal/api/client/filters/v1/filterget.go
index 35c44b60c..4af3dab16 100644
--- a/internal/api/client/filters/v1/filterget.go
+++ b/internal/api/client/filters/v1/filterget.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// FilterGETHandler swagger:operation GET /api/v1/filters/{id} filterV1Get
@@ -66,9 +65,12 @@ import (
// '500':
// description: internal server error
func (m *Module) FilterGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/filters/v1/filterpost.go b/internal/api/client/filters/v1/filterpost.go
index a58f2273d..fb53b8e9b 100644
--- a/internal/api/client/filters/v1/filterpost.go
+++ b/internal/api/client/filters/v1/filterpost.go
@@ -24,7 +24,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// FilterPOSTHandler swagger:operation POST /api/v1/filters filterV1Post
@@ -130,9 +129,12 @@ import (
// '500':
// description: internal server error
func (m *Module) FilterPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/filters/v1/filterput.go b/internal/api/client/filters/v1/filterput.go
index edaf8104d..051fa1f63 100644
--- a/internal/api/client/filters/v1/filterput.go
+++ b/internal/api/client/filters/v1/filterput.go
@@ -24,7 +24,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// FilterPUTHandler swagger:operation PUT /api/v1/filters/{id} filterV1Put
@@ -136,9 +135,12 @@ import (
// '500':
// description: internal server error
func (m *Module) FilterPUTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/filters/v1/filtersget.go b/internal/api/client/filters/v1/filtersget.go
index f1e07a2da..d65776331 100644
--- a/internal/api/client/filters/v1/filtersget.go
+++ b/internal/api/client/filters/v1/filtersget.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// FiltersGETHandler swagger:operation GET /api/v1/filters filtersV1Get
@@ -60,9 +59,12 @@ import (
// '500':
// description: internal server error
func (m *Module) FiltersGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/filters/v2/filterdelete.go b/internal/api/client/filters/v2/filterdelete.go
index 7292fd631..2fd411e98 100644
--- a/internal/api/client/filters/v2/filterdelete.go
+++ b/internal/api/client/filters/v2/filterdelete.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// FilterDELETEHandler swagger:operation DELETE /api/v2/filters/{id} filterV2Delete
@@ -63,9 +62,12 @@ import (
// '500':
// description: internal server error
func (m *Module) FilterDELETEHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/filters/v2/filterget.go b/internal/api/client/filters/v2/filterget.go
index a3481e0e0..eed65f39a 100644
--- a/internal/api/client/filters/v2/filterget.go
+++ b/internal/api/client/filters/v2/filterget.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// FilterGETHandler swagger:operation GET /api/v2/filters/{id} filterV2Get
@@ -66,9 +65,12 @@ import (
// '500':
// description: internal server error
func (m *Module) FilterGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/filters/v2/filterkeyworddelete.go b/internal/api/client/filters/v2/filterkeyworddelete.go
index e9ba2b4c5..4dc8b5973 100644
--- a/internal/api/client/filters/v2/filterkeyworddelete.go
+++ b/internal/api/client/filters/v2/filterkeyworddelete.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// FilterKeywordDELETEHandler swagger:operation DELETE /api/v2/filters/keywords/{id} filterKeywordDelete
@@ -63,9 +62,12 @@ import (
// '500':
// description: internal server error
func (m *Module) FilterKeywordDELETEHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/filters/v2/filterkeywordget.go b/internal/api/client/filters/v2/filterkeywordget.go
index 2df6fd10a..f298d1af0 100644
--- a/internal/api/client/filters/v2/filterkeywordget.go
+++ b/internal/api/client/filters/v2/filterkeywordget.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// FilterKeywordGETHandler swagger:operation GET /api/v2/filters/keywords/{id} filterKeywordGet
@@ -66,9 +65,12 @@ import (
// '500':
// description: internal server error
func (m *Module) FilterKeywordGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/filters/v2/filterkeywordpost.go b/internal/api/client/filters/v2/filterkeywordpost.go
index ba8f80135..f7ccc1a80 100644
--- a/internal/api/client/filters/v2/filterkeywordpost.go
+++ b/internal/api/client/filters/v2/filterkeywordpost.go
@@ -24,7 +24,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/util"
"github.com/superseriousbusiness/gotosocial/internal/validate"
)
@@ -100,9 +99,12 @@ import (
// '500':
// description: internal server error
func (m *Module) FilterKeywordPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/filters/v2/filterkeywordput.go b/internal/api/client/filters/v2/filterkeywordput.go
index 44667660f..5f9fa3c9e 100644
--- a/internal/api/client/filters/v2/filterkeywordput.go
+++ b/internal/api/client/filters/v2/filterkeywordput.go
@@ -24,7 +24,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// FilterKeywordPUTHandler swagger:operation PUT /api/v2/filters/keywords{id} filterKeywordPut
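Review bot: The swagger route on the last context line reads `PUT /api/v2/filters/keywords{id}`, with no slash before `{id}`, while the sibling keyword DELETE and GET handlers in this commit document `/api/v2/filters/keywords/{id}`. Since scope enforcement makes the generated API docs the place where clients look up which scope an operation needs, the documented path should match the real one: `// FilterKeywordPUTHandler swagger:operation PUT /api/v2/filters/keywords/{id} filterKeywordPut`. The registered route is not visible here, so confirm it against the module's route table first.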
@@ -97,9 +96,12 @@ import (
// '500':
// description: internal server error
func (m *Module) FilterKeywordPUTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/filters/v2/filterkeywordsget.go b/internal/api/client/filters/v2/filterkeywordsget.go
index 3414c5d8c..2fa3140a9 100644
--- a/internal/api/client/filters/v2/filterkeywordsget.go
+++ b/internal/api/client/filters/v2/filterkeywordsget.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// FilterKeywordsGETHandler swagger:operation GET /api/v2/filters/{id}/keywords filterKeywordsGet
@@ -68,9 +67,12 @@ import (
// '500':
// description: internal server error
func (m *Module) FilterKeywordsGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/filters/v2/filterpost.go b/internal/api/client/filters/v2/filterpost.go
index 5e87df617..b35938692 100644
--- a/internal/api/client/filters/v2/filterpost.go
+++ b/internal/api/client/filters/v2/filterpost.go
@@ -24,7 +24,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/util"
"github.com/superseriousbusiness/gotosocial/internal/validate"
)
@@ -150,9 +149,12 @@ import (
// '500':
// description: internal server error
func (m *Module) FilterPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/filters/v2/filterput.go b/internal/api/client/filters/v2/filterput.go
index 58d3f4a22..b4b14e6c3 100644
--- a/internal/api/client/filters/v2/filterput.go
+++ b/internal/api/client/filters/v2/filterput.go
@@ -25,7 +25,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/util"
"github.com/superseriousbusiness/gotosocial/internal/validate"
)
@@ -158,9 +157,12 @@ import (
// '500':
// description: internal server error
func (m *Module) FilterPUTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/filters/v2/filtersget.go b/internal/api/client/filters/v2/filtersget.go
index 511a62d36..f304ffea5 100644
--- a/internal/api/client/filters/v2/filtersget.go
+++ b/internal/api/client/filters/v2/filtersget.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// FiltersGETHandler swagger:operation GET /api/v2/filters filtersV2Get
@@ -60,9 +59,12 @@ import (
// '500':
// description: internal server error
func (m *Module) FiltersGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/filters/v2/filterstatusdelete.go b/internal/api/client/filters/v2/filterstatusdelete.go
index 5a03b9a7c..2adc48190 100644
--- a/internal/api/client/filters/v2/filterstatusdelete.go
+++ b/internal/api/client/filters/v2/filterstatusdelete.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// FilterStatusDELETEHandler swagger:operation DELETE /api/v2/filters/statuses/{id} filterStatusDelete
@@ -63,9 +62,12 @@ import (
// '500':
// description: internal server error
func (m *Module) FilterStatusDELETEHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/filters/v2/filterstatusesget.go b/internal/api/client/filters/v2/filterstatusesget.go
index 3b05ca73d..ae76e814f 100644
--- a/internal/api/client/filters/v2/filterstatusesget.go
+++ b/internal/api/client/filters/v2/filterstatusesget.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// FilterStatusesGETHandler swagger:operation GET /api/v2/filters/{id}/statuses filterStatusesGet
@@ -68,9 +67,12 @@ import (
// '500':
// description: internal server error
func (m *Module) FilterStatusesGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/filters/v2/filterstatusget.go b/internal/api/client/filters/v2/filterstatusget.go
index 9e62e4466..efe20f0c2 100644
--- a/internal/api/client/filters/v2/filterstatusget.go
+++ b/internal/api/client/filters/v2/filterstatusget.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// FilterStatusGETHandler swagger:operation GET /api/v2/filters/statuses/{id} filterStatusGet
@@ -66,9 +65,12 @@ import (
// '500':
// description: internal server error
func (m *Module) FilterStatusGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/filters/v2/filterstatuspost.go b/internal/api/client/filters/v2/filterstatuspost.go
index deef54a9c..c6921e584 100644
--- a/internal/api/client/filters/v2/filterstatuspost.go
+++ b/internal/api/client/filters/v2/filterstatuspost.go
@@ -24,7 +24,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/validate"
)
@@ -88,9 +87,12 @@ import (
// '500':
// description: internal server error
func (m *Module) FilterStatusPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/followedtags/get.go b/internal/api/client/followedtags/get.go
index 68e4ffb5f..f1fa45b07 100644
--- a/internal/api/client/followedtags/get.go
+++ b/internal/api/client/followedtags/get.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/paging"
)
@@ -100,9 +99,12 @@ import (
// '500':
// description: internal server error
func (m *Module) FollowedTagsGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFollows,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/followrequests/authorize.go b/internal/api/client/followrequests/authorize.go
index 6a6f0dc81..cc7b5598c 100644
--- a/internal/api/client/followrequests/authorize.go
+++ b/internal/api/client/followrequests/authorize.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// FollowRequestAuthorizePOSTHandler swagger:operation POST /api/v1/follow_requests/{account_id}/authorize authorizeFollowRequest
@@ -69,9 +68,12 @@ import (
// '500':
// description: internal server error
func (m *Module) FollowRequestAuthorizePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFollows,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/followrequests/get.go b/internal/api/client/followrequests/get.go
index 40cdceaea..4b7760a6d 100644
--- a/internal/api/client/followrequests/get.go
+++ b/internal/api/client/followrequests/get.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/paging"
)
@@ -108,9 +107,12 @@ import (
// '500':
// description: internal server error
func (m *Module) FollowRequestGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFollows,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/followrequests/reject.go b/internal/api/client/followrequests/reject.go
index a8189b78a..4207925db 100644
--- a/internal/api/client/followrequests/reject.go
+++ b/internal/api/client/followrequests/reject.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// FollowRequestRejectPOSTHandler swagger:operation POST /api/v1/follow_requests/{account_id}/reject rejectFollowRequest
@@ -67,9 +66,12 @@ import (
// '500':
// description: internal server error
func (m *Module) FollowRequestRejectPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFollows,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/import/import.go b/internal/api/client/import/import.go
index 6d85a6b23..c3908625b 100644
--- a/internal/api/client/import/import.go
+++ b/internal/api/client/import/import.go
@@ -28,7 +28,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/processing"
)
@@ -109,7 +108,7 @@ func (m *Module) Route(attachHandler func(method string, path string, f ...gin.H
//
// security:
// - OAuth2 Bearer:
-// - write:accounts
+// - write
//
// responses:
// '202':
@@ -123,9 +122,12 @@ func (m *Module) Route(attachHandler func(method string, path string, f ...gin.H
// '500':
// description: internal server error
func (m *Module) ImportPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
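Review bot: `apiutil.ScopeWrite` makes the import endpoint require the whole top-level `write` scope, where the swagger block previously listed `write:accounts`, so a client can no longer hold a narrowly scoped token for imports. Tokens granted only `write:accounts` will presumably be refused once this lands, though the scope matcher is not visible in this hunk. If the broad scope is deliberate, a comment above the call should say why, for example `// Import changes data covered by several write sub-scopes, so require top-level write.` The behaviour change also deserves a line in the API documentation for existing clients.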
@@ -179,7 +181,7 @@ func (m *Module) ImportPOSTHandler(c *gin.Context) {
overwrite := form.Mode == "overwrite"
// Trigger the import.
- errWithCode := m.processor.Account().ImportData(
+ errWithCode = m.processor.Account().ImportData(
c.Request.Context(),
authed.Account,
form.Data,
diff --git a/internal/api/client/instance/instancepatch.go b/internal/api/client/instance/instancepatch.go
index 5085399eb..67856100d 100644
--- a/internal/api/client/instance/instancepatch.go
+++ b/internal/api/client/instance/instancepatch.go
@@ -27,7 +27,6 @@ import (
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/config"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// InstanceUpdatePATCHHandler swagger:operation PATCH /api/v1/instance instanceUpdate
@@ -107,7 +106,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin
+// - admin:write
//
// responses:
// '200':
@@ -127,9 +126,12 @@ import (
// '500':
// description: internal server error
func (m *Module) InstanceUpdatePATCHHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/instance/instancepatch_test.go b/internal/api/client/instance/instancepatch_test.go
index 53df20b6b..a63ca9e11 100644
--- a/internal/api/client/instance/instancepatch_test.go
+++ b/internal/api/client/instance/instancepatch_test.go
@@ -544,7 +544,7 @@ func (suite *InstancePatchTestSuite) TestInstancePatch5() {
b, err := io.ReadAll(result.Body)
suite.NoError(err)
- suite.Equal(`{"error":"Forbidden: user is not an admin so cannot update instance settings"}`, string(b))
+ suite.Equal(`{"error":"Forbidden: token has insufficient scope permission"}`, string(b))
}
func (suite *InstancePatchTestSuite) TestInstancePatch6() {
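Review bot: With the expected body changed to `token has insufficient scope permission`, TestInstancePatch5 now stops at the scope check and no longer exercises the rejection of a non-admin user. A scope carried by a token and an admin role held by the user are separate controls. If the handler still checks the role after `TokenAuth` (not visible in this hunk), that branch has lost its only assertion here. Consider adding a second case in which a non-admin user presents a token that does carry `admin:write`, and asserting that the request is still refused with a Forbidden response.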
diff --git a/internal/api/client/instance/instancepeersget.go b/internal/api/client/instance/instancepeersget.go
index c278c0674..0b32a87e9 100644
--- a/internal/api/client/instance/instancepeersget.go
+++ b/internal/api/client/instance/instancepeersget.go
@@ -25,7 +25,6 @@ import (
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/config"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/gin-gonic/gin"
)
@@ -59,6 +58,9 @@ import (
// required: false
// default: "open"
//
+// security:
+// - OAuth2 Bearer: []
+//
// responses:
// '200':
// description: >-
@@ -99,9 +101,11 @@ import (
// '500':
// description: internal server error
func (m *Module) InstancePeersGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, false, false, false, false)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ false, false, false, false,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
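Review bot: `apiutil.TokenAuth(c, false, false, false, false)` is called with no scope argument, so when a token is supplied nothing limits which scopes it must carry. If the rest of the handler (outside this hunk) returns more to an authenticated caller than to an anonymous one, a token issued for an unrelated purpose would count as authenticated for this read. If that applies, require a read scope on the authenticated path. Otherwise record the intent next to the call, e.g. `// No scope required: endpoint may be public, any valid token counts as authenticated.`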
diff --git a/internal/api/client/interactionpolicies/getdefaults.go b/internal/api/client/interactionpolicies/getdefaults.go
index 4ad0071f4..870425e8d 100644
--- a/internal/api/client/interactionpolicies/getdefaults.go
+++ b/internal/api/client/interactionpolicies/getdefaults.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// PoliciesDefaultsGETHandler swagger:operation GET /api/v1/interaction_policies/defaults policiesDefaultsGet
@@ -53,9 +52,12 @@ import (
// '500':
// description: internal server error
func (m *Module) PoliciesDefaultsGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/interactionpolicies/updatedefaults.go b/internal/api/client/interactionpolicies/updatedefaults.go
index 39e95784f..8496b00aa 100644
--- a/internal/api/client/interactionpolicies/updatedefaults.go
+++ b/internal/api/client/interactionpolicies/updatedefaults.go
@@ -27,7 +27,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// PoliciesDefaultsPATCHHandler swagger:operation PATCH /api/v1/interaction_policies/defaults policiesDefaultsUpdate
@@ -211,9 +210,12 @@ import (
// '500':
// description: internal server error
func (m *Module) PoliciesDefaultsPATCHHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/interactionrequests/authorize.go b/internal/api/client/interactionrequests/authorize.go
index 1e5589f7e..8191923ba 100644
--- a/internal/api/client/interactionrequests/authorize.go
+++ b/internal/api/client/interactionrequests/authorize.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// InteractionRequestAuthorizePOSTHandler swagger:operation POST /api/v1/interaction_requests/{id}/authorize authorizeInteractionRequest
@@ -66,9 +65,11 @@ import (
// '500':
// description: internal server error
func (m *Module) InteractionRequestAuthorizePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- errWithCode := gtserror.NewErrorUnauthorized(err, err.Error())
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteStatuses,
+ )
+ if errWithCode != nil {
apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
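Review bot: Authorizing an interaction request requires `apiutil.ScopeWriteStatuses` here, as does the reject handler, while the two GET handlers for the same resource require `apiutil.ScopeReadNotifications`. Reading and acting on one resource therefore fall under different scope families, and a client that can list requests may be unable to answer them, which the call site does not explain. A comment above the call should state the reasoning, for instance `// Accepting or rejecting changes who may interact with a status, hence write:statuses.` if that is the intent. The swagger `security:` block for these operations lies outside the hunk and should list the same scope.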
diff --git a/internal/api/client/interactionrequests/get.go b/internal/api/client/interactionrequests/get.go
index a354a8623..d1d5f5eb4 100644
--- a/internal/api/client/interactionrequests/get.go
+++ b/internal/api/client/interactionrequests/get.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// InteractionRequestGETHandler swagger:operation GET /api/v1/interaction_requests/{id} getInteractionRequest
@@ -65,9 +64,12 @@ import (
// '500':
// description: internal server error
func (m *Module) InteractionRequestGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadNotifications,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/interactionrequests/getpage.go b/internal/api/client/interactionrequests/getpage.go
index 1978a055c..f3f1251cc 100644
--- a/internal/api/client/interactionrequests/getpage.go
+++ b/internal/api/client/interactionrequests/getpage.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/paging"
)
@@ -137,9 +136,12 @@ import (
// '500':
// description: internal server error
func (m *Module) InteractionRequestsGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadNotifications,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/interactionrequests/reject.go b/internal/api/client/interactionrequests/reject.go
index 33c426462..0102d872a 100644
--- a/internal/api/client/interactionrequests/reject.go
+++ b/internal/api/client/interactionrequests/reject.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// InteractionRequestRejectPOSTHandler swagger:operation POST /api/v1/interaction_requests/{id}/reject rejectInteractionRequest
@@ -66,9 +65,11 @@ import (
// '500':
// description: internal server error
func (m *Module) InteractionRequestRejectPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- errWithCode := gtserror.NewErrorUnauthorized(err, err.Error())
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteStatuses,
+ )
+ if errWithCode != nil {
apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
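Review bot: `apiutil.ScopeWriteStatuses` here sits oddly beside `apiutil.ScopeReadNotifications` in `InteractionRequestsGETHandler` of the same package. A client granted only notification scopes could list interaction requests but not reject them. If the split is intentional, a short comment above the scope argument would stop a later audit from reading it as a copy-paste slip, for example `// Rejecting changes a status interaction, so this takes write:statuses rather than a notifications scope.` The handler body continues outside the hunk, and the swagger `security` block for this operation is not visible here, so confirm it names the same scope.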
diff --git a/internal/api/client/lists/listaccounts.go b/internal/api/client/lists/listaccounts.go
index d609251f7..4c6c00292 100644
--- a/internal/api/client/lists/listaccounts.go
+++ b/internal/api/client/lists/listaccounts.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/paging"
)
@@ -117,9 +116,12 @@ import (
// '500':
// description: internal server error
func (m *Module) ListAccountsGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/lists/listaccountsadd.go b/internal/api/client/lists/listaccountsadd.go
index 168c5e3fe..b27cd1e92 100644
--- a/internal/api/client/lists/listaccountsadd.go
+++ b/internal/api/client/lists/listaccountsadd.go
@@ -25,7 +25,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// ListAccountsPOSTHandler swagger:operation POST /api/v1/lists/{id}/accounts addListAccounts
@@ -82,9 +81,12 @@ import (
// '500':
// description: internal server error
func (m *Module) ListAccountsPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/lists/listaccountsremove.go b/internal/api/client/lists/listaccountsremove.go
index 96f8b809d..160552d62 100644
--- a/internal/api/client/lists/listaccountsremove.go
+++ b/internal/api/client/lists/listaccountsremove.go
@@ -25,7 +25,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// ListAccountsDELETEHandler swagger:operation DELETE /api/v1/lists/{id}/accounts removeListAccounts
@@ -82,9 +81,12 @@ import (
// '500':
// description: internal server error
func (m *Module) ListAccountsDELETEHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
@@ -108,7 +110,7 @@ func (m *Module) ListAccountsDELETEHandler(c *gin.Context) {
// parsing in order to be compatible with Mastodon's client API conventions.
oldMethod := c.Request.Method
c.Request.Method = "POST"
- err = c.ShouldBind(form)
+ err := c.ShouldBind(form)
c.Request.Method = oldMethod
if err != nil {
diff --git a/internal/api/client/lists/listcreate.go b/internal/api/client/lists/listcreate.go
index c8f547ccc..5d3daf2ed 100644
--- a/internal/api/client/lists/listcreate.go
+++ b/internal/api/client/lists/listcreate.go
@@ -26,7 +26,6 @@ import (
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/validate"
)
@@ -97,9 +96,12 @@ import (
// '500':
// description: internal server error
func (m *Module) ListCreatePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/lists/listdelete.go b/internal/api/client/lists/listdelete.go
index b03f21e5a..33c0add70 100644
--- a/internal/api/client/lists/listdelete.go
+++ b/internal/api/client/lists/listdelete.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// ListDELETEHandler swagger:operation DELETE /api/v1/lists/{id} listDelete
@@ -64,9 +63,12 @@ import (
// '500':
// description: internal server error
func (m *Module) ListDELETEHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/lists/listget.go b/internal/api/client/lists/listget.go
index 34b21d28b..008d516ba 100644
--- a/internal/api/client/lists/listget.go
+++ b/internal/api/client/lists/listget.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// ListGETHandler swagger:operation GET /api/v1/lists/{id} list
@@ -67,9 +66,12 @@ import (
// '500':
// description: internal server error
func (m *Module) ListGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/lists/listsget.go b/internal/api/client/lists/listsget.go
index 6bfc3c883..9a40702b8 100644
--- a/internal/api/client/lists/listsget.go
+++ b/internal/api/client/lists/listsget.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// ListsGETHandler swagger:operation GET /api/v1/lists lists
@@ -60,9 +59,12 @@ import (
// '500':
// description: internal server error
func (m *Module) ListsGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/lists/listupdate.go b/internal/api/client/lists/listupdate.go
index 38caa9621..388d878a9 100644
--- a/internal/api/client/lists/listupdate.go
+++ b/internal/api/client/lists/listupdate.go
@@ -27,7 +27,6 @@ import (
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/validate"
)
@@ -103,9 +102,12 @@ import (
// '500':
// description: internal server error
func (m *Module) ListUpdatePUTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
@@ -152,7 +154,7 @@ func (m *Module) ListUpdatePUTHandler(c *gin.Context) {
}
if form.Title == nil && repliesPolicy == nil && form.Exclusive == nil {
- err = errors.New("neither title nor replies_policy nor exclusive was set; nothing to update")
+ err := errors.New("neither title nor replies_policy nor exclusive was set; nothing to update")
apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/markers/markersget.go b/internal/api/client/markers/markersget.go
index 9f4fc4270..f5b70ca68 100644
--- a/internal/api/client/markers/markersget.go
+++ b/internal/api/client/markers/markersget.go
@@ -24,7 +24,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/validate"
)
@@ -67,9 +66,12 @@ import (
// '500':
// description: internal server error
func (m *Module) MarkersGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadStatuses,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/markers/markerspost.go b/internal/api/client/markers/markerspost.go
index 8fe40c798..e2fffa265 100644
--- a/internal/api/client/markers/markerspost.go
+++ b/internal/api/client/markers/markerspost.go
@@ -25,7 +25,6 @@ import (
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// MarkersPOSTHandler swagger:operation POST /api/v1/markers markersPost
@@ -72,9 +71,12 @@ import (
// '500':
// description: internal server error
func (m *Module) MarkersPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteStatuses,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/media/mediacreate.go b/internal/api/client/media/mediacreate.go
index efe567f13..0f9de7b56 100644
--- a/internal/api/client/media/mediacreate.go
+++ b/internal/api/client/media/mediacreate.go
@@ -27,7 +27,6 @@ import (
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/config"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// MediaCreatePOSTHandler swagger:operation POST /api/{api_version}/media mediaCreate
@@ -102,9 +101,12 @@ func (m *Module) MediaCreatePOSTHandler(c *gin.Context) {
return
}
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteMedia,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/media/mediaget.go b/internal/api/client/media/mediaget.go
index 8456f85d8..8428e202f 100644
--- a/internal/api/client/media/mediaget.go
+++ b/internal/api/client/media/mediaget.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// MediaGETHandler swagger:operation GET /api/v1/media/{id} mediaGet
@@ -74,9 +73,14 @@ func (m *Module) MediaGETHandler(c *gin.Context) {
return
}
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ // This takes write even
+ // though it's a read.
+ apiutil.ScopeWriteMedia,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
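Review bot: The comment `// This takes write even though it's a read.` names the oddity but not the reason, so anyone auditing the endpoint-to-scope mapping will read the scope as a mistake. Presumably it mirrors the Mastodon client API, which documents `write:media` for fetching an attachment. If so, say that in the comment: `// Mastodon API compat: GET media requires write:media, not a read scope.` The swagger `security` block for this operation lies outside the hunk and should list the same scope.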
diff --git a/internal/api/client/media/mediaupdate.go b/internal/api/client/media/mediaupdate.go
index 0a9ce4eb8..b71b0c5f1 100644
--- a/internal/api/client/media/mediaupdate.go
+++ b/internal/api/client/media/mediaupdate.go
@@ -27,7 +27,6 @@ import (
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/config"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// MediaPUTHandler swagger:operation PUT /api/v1/media/{id} mediaUpdate
@@ -106,9 +105,12 @@ func (m *Module) MediaPUTHandler(c *gin.Context) {
return
}
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteMedia,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/mutes/mutesget.go b/internal/api/client/mutes/mutesget.go
index 7fcbc2b44..76c31ebc6 100644
--- a/internal/api/client/mutes/mutesget.go
+++ b/internal/api/client/mutes/mutesget.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/paging"
)
@@ -108,9 +107,12 @@ import (
// '500':
// description: internal server error
func (m *Module) MutesGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadMutes,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/notifications/notificationget.go b/internal/api/client/notifications/notificationget.go
index 66bdefb28..0c15cf937 100644
--- a/internal/api/client/notifications/notificationget.go
+++ b/internal/api/client/notifications/notificationget.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// NotificationGETHandler swagger:operation GET /api/v1/notification/{id} notification
@@ -67,9 +66,12 @@ import (
// '500':
// description: internal server error
func (m *Module) NotificationGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadNotifications,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/notifications/notificationsclear.go b/internal/api/client/notifications/notificationsclear.go
index 2d7da3c6b..3742f7eba 100644
--- a/internal/api/client/notifications/notificationsclear.go
+++ b/internal/api/client/notifications/notificationsclear.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// NotificationsClearPOSTHandler swagger:operation POST /api/v1/notifications/clear clearNotifications
@@ -41,7 +40,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - read:notifications
+// - write:notifications
//
// responses:
// '200':
@@ -58,9 +57,12 @@ import (
// '500':
// description: internal server error
func (m *Module) NotificationsClearPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteNotifications,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
@@ -69,7 +71,7 @@ func (m *Module) NotificationsClearPOSTHandler(c *gin.Context) {
return
}
- errWithCode := m.processor.Timeline().NotificationsClear(c.Request.Context(), authed)
+ errWithCode = m.processor.Timeline().NotificationsClear(c.Request.Context(), authed)
if errWithCode != nil {
apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
diff --git a/internal/api/client/notifications/notificationsget.go b/internal/api/client/notifications/notificationsget.go
index b530c515d..e02ca23d8 100644
--- a/internal/api/client/notifications/notificationsget.go
+++ b/internal/api/client/notifications/notificationsget.go
@@ -26,7 +26,6 @@ import (
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
"github.com/superseriousbusiness/gotosocial/internal/log"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/paging"
)
@@ -143,9 +142,12 @@ import (
// '500':
// description: internal server error
func (m *Module) NotificationsGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadNotifications,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/polls/polls_get.go b/internal/api/client/polls/polls_get.go
index fc89255e9..e432b1f8e 100644
--- a/internal/api/client/polls/polls_get.go
+++ b/internal/api/client/polls/polls_get.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// PollGETHandler swagger:operation GET /api/v1/polls/{id} poll
@@ -67,9 +66,11 @@ import (
// '500':
// description: internal server error
func (m *Module) PollGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- errWithCode := gtserror.NewErrorUnauthorized(err, err.Error())
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadStatuses,
+ )
+ if errWithCode != nil {
apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/polls/polls_vote.go b/internal/api/client/polls/polls_vote.go
index 192ecbc0f..0c857e2d8 100644
--- a/internal/api/client/polls/polls_vote.go
+++ b/internal/api/client/polls/polls_vote.go
@@ -26,7 +26,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// PollVotePOSTHandler swagger:operation POST /api/v1/polls/{id}/votes pollVote
@@ -80,9 +79,11 @@ import (
// '500':
// description: internal server error
func (m *Module) PollVotePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- errWithCode := gtserror.NewErrorUnauthorized(err, err.Error())
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteStatuses,
+ )
+ if errWithCode != nil {
apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/preferences/preferencesget.go b/internal/api/client/preferences/preferencesget.go
index 4a6cb4b55..20cfc7d36 100644
--- a/internal/api/client/preferences/preferencesget.go
+++ b/internal/api/client/preferences/preferencesget.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// PreferencesGETHandler swagger:operation GET /api/v1/preferences preferencesGet
@@ -71,9 +70,12 @@ import (
// '500':
// description: internal server error
func (m *Module) PreferencesGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, false, false, false, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
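Review bot: The four flags change from `false, false, false, true` to `true, true, true, true` in the same call that adds the scope, so this endpoint's authentication requirements tighten beyond scope enforcement without a comment saying so. The parameter names are not visible in this hunk, which is the general weakness of the bare booleans: a reader cannot tell which requirements were previously waived. If the tightening is intended, annotate the call, e.g. `true, true, true, true, // token, app, user, account all required (TODO confirm order)`. It should also be covered by a test showing that a request accepted under the old flags is now refused. The handler body continues outside the hunk.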
diff --git a/internal/api/client/push/pushsubscriptiondelete.go b/internal/api/client/push/pushsubscriptiondelete.go
index 2a5fd8e69..c82222248 100644
--- a/internal/api/client/push/pushsubscriptiondelete.go
+++ b/internal/api/client/push/pushsubscriptiondelete.go
@@ -22,8 +22,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
- "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// PushSubscriptionDELETEHandler swagger:operation DELETE /api/v1/push/subscription pushSubscriptionDelete
@@ -49,9 +47,12 @@ import (
// '500':
// description: internal server error
func (m *Module) PushSubscriptionDELETEHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopePush,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/push/pushsubscriptiondelete_test.go b/internal/api/client/push/pushsubscriptiondelete_test.go
index 3e81ce2a1..2548f2fb7 100644
--- a/internal/api/client/push/pushsubscriptiondelete_test.go
+++ b/internal/api/client/push/pushsubscriptiondelete_test.go
@@ -76,7 +76,7 @@ func (suite *PushTestSuite) TestDeleteSubscription() {
func (suite *PushTestSuite) TestDeleteMissingSubscription() {
accountFixtureName := "local_account_1"
// This token should not have a subscription.
- tokenFixtureName := "local_account_1_user_authorization_token"
+ tokenFixtureName := "local_account_1_push_only"
err := suite.deleteSubscription(accountFixtureName, tokenFixtureName, 200)
suite.NoError(err)
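Review bot: Switching the fixture to `local_account_1_push_only` shows that a token which, judging by its name, holds only the push scope is accepted, but none of the visible test hunks assert the opposite case: that a token without that scope is refused. The same applies to the fixture swaps in pushsubscriptionget_test.go, pushsubscriptionpost_test.go and pushsubscriptionput_test.go. Scope enforcement needs a negative case per handler, along the lines of `err := suite.deleteSubscription(accountFixtureName, "<fixture token lacking push scope>", 403)`. The expected status is an assumption and should match what `apiutil.TokenAuth` returns on a scope mismatch. Such a test may already exist elsewhere in the commit, outside this view.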
diff --git a/internal/api/client/push/pushsubscriptionget.go b/internal/api/client/push/pushsubscriptionget.go
index 10774b862..d48e43108 100644
--- a/internal/api/client/push/pushsubscriptionget.go
+++ b/internal/api/client/push/pushsubscriptionget.go
@@ -22,8 +22,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
- "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// PushSubscriptionGETHandler swagger:operation GET /api/v1/push/subscription pushSubscriptionGet
@@ -55,9 +53,12 @@ import (
// '500':
// description: internal server error
func (m *Module) PushSubscriptionGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopePush,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/push/pushsubscriptionget_test.go b/internal/api/client/push/pushsubscriptionget_test.go
index 23fb9e7f2..80f387195 100644
--- a/internal/api/client/push/pushsubscriptionget_test.go
+++ b/internal/api/client/push/pushsubscriptionget_test.go
@@ -95,7 +95,7 @@ func (suite *PushTestSuite) TestGetSubscription() {
func (suite *PushTestSuite) TestGetMissingSubscription() {
accountFixtureName := "local_account_1"
// This token should not have a subscription.
- tokenFixtureName := "local_account_1_user_authorization_token"
+ tokenFixtureName := "local_account_1_push_only"
_, err := suite.getSubscription(accountFixtureName, tokenFixtureName, 404)
suite.NoError(err)
diff --git a/internal/api/client/push/pushsubscriptionpost.go b/internal/api/client/push/pushsubscriptionpost.go
index cc1be185f..9893d7fe1 100644
--- a/internal/api/client/push/pushsubscriptionpost.go
+++ b/internal/api/client/push/pushsubscriptionpost.go
@@ -29,7 +29,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// PushSubscriptionPOSTHandler swagger:operation POST /api/v1/push/subscription pushSubscriptionPost
@@ -181,9 +180,12 @@ import (
// '500':
// description: internal server error
func (m *Module) PushSubscriptionPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopePush,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/push/pushsubscriptionpost_test.go b/internal/api/client/push/pushsubscriptionpost_test.go
index e7e8582df..251dde1f9 100644
--- a/internal/api/client/push/pushsubscriptionpost_test.go
+++ b/internal/api/client/push/pushsubscriptionpost_test.go
@@ -116,7 +116,7 @@ func (suite *PushTestSuite) postSubscription(
func (suite *PushTestSuite) TestPostSubscription() {
accountFixtureName := "local_account_1"
// This token should not have a subscription.
- tokenFixtureName := "local_account_1_user_authorization_token"
+ tokenFixtureName := "local_account_1_push_only"
endpoint := "https://example.test/push"
auth := "cgna/fzrYLDQyPf5hD7IsA=="
@@ -152,7 +152,7 @@ func (suite *PushTestSuite) TestPostSubscription() {
func (suite *PushTestSuite) TestPostSubscriptionMinimal() {
accountFixtureName := "local_account_1"
// This token should not have a subscription.
- tokenFixtureName := "local_account_1_user_authorization_token"
+ tokenFixtureName := "local_account_1_push_only"
endpoint := "https://example.test/push"
auth := "cgna/fzrYLDQyPf5hD7IsA=="
@@ -186,7 +186,7 @@ func (suite *PushTestSuite) TestPostSubscriptionMinimal() {
func (suite *PushTestSuite) TestPostInvalidSubscription() {
accountFixtureName := "local_account_1"
// This token should not have a subscription.
- tokenFixtureName := "local_account_1_user_authorization_token"
+ tokenFixtureName := "local_account_1_push_only"
// No endpoint.
auth := "cgna/fzrYLDQyPf5hD7IsA=="
@@ -212,7 +212,7 @@ func (suite *PushTestSuite) TestPostInvalidSubscription() {
func (suite *PushTestSuite) TestPostSubscriptionJSON() {
accountFixtureName := "local_account_1"
// This token should not have a subscription.
- tokenFixtureName := "local_account_1_user_authorization_token"
+ tokenFixtureName := "local_account_1_push_only"
requestJson := `{
"subscription": {
@@ -258,7 +258,7 @@ func (suite *PushTestSuite) TestPostSubscriptionJSON() {
func (suite *PushTestSuite) TestPostSubscriptionJSONMinimal() {
accountFixtureName := "local_account_1"
// This token should not have a subscription.
- tokenFixtureName := "local_account_1_user_authorization_token"
+ tokenFixtureName := "local_account_1_push_only"
requestJson := `{
"subscription": {
@@ -298,7 +298,7 @@ func (suite *PushTestSuite) TestPostSubscriptionJSONMinimal() {
func (suite *PushTestSuite) TestPostInvalidSubscriptionJSON() {
accountFixtureName := "local_account_1"
// This token should not have a subscription.
- tokenFixtureName := "local_account_1_user_authorization_token"
+ tokenFixtureName := "local_account_1_push_only"
// No endpoint.
requestJson := `{
diff --git a/internal/api/client/push/pushsubscriptionput.go b/internal/api/client/push/pushsubscriptionput.go
index 4d1c5765e..53e6a72e9 100644
--- a/internal/api/client/push/pushsubscriptionput.go
+++ b/internal/api/client/push/pushsubscriptionput.go
@@ -24,7 +24,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/util"
)
@@ -157,9 +156,12 @@ import (
// '500':
// description: internal server error
func (m *Module) PushSubscriptionPUTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopePush,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/push/pushsubscriptionput_test.go b/internal/api/client/push/pushsubscriptionput_test.go
index d9f0e395e..8b86add9e 100644
--- a/internal/api/client/push/pushsubscriptionput_test.go
+++ b/internal/api/client/push/pushsubscriptionput_test.go
@@ -170,7 +170,7 @@ func (suite *PushTestSuite) TestPutSubscriptionJSON() {
func (suite *PushTestSuite) TestPutMissingSubscription() {
accountFixtureName := "local_account_1"
// This token should not have a subscription.
- tokenFixtureName := "local_account_1_user_authorization_token"
+ tokenFixtureName := "local_account_1_push_only"
alertsMention := true
alertsStatus := false
diff --git a/internal/api/client/reports/reportcreate.go b/internal/api/client/reports/reportcreate.go
index a303cf20a..b9a4666ee 100644
--- a/internal/api/client/reports/reportcreate.go
+++ b/internal/api/client/reports/reportcreate.go
@@ -26,7 +26,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/regexes"
)
@@ -66,9 +65,12 @@ import (
// '500':
// description: internal server error
func (m *Module) ReportPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteReports,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
@@ -89,19 +91,19 @@ func (m *Module) ReportPOSTHandler(c *gin.Context) {
}
if form.AccountID == "" {
- err = errors.New("account_id must be set")
+ err := errors.New("account_id must be set")
apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1)
return
}
if !regexes.ULID.MatchString(form.AccountID) {
- err = errors.New("account_id was not valid")
+ err := errors.New("account_id was not valid")
apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1)
return
}
if length := len([]rune(form.Comment)); length > 1000 {
- err = fmt.Errorf("comment length must be no more than 1000 chars, provided comment was %d chars", length)
+ err := fmt.Errorf("comment length must be no more than 1000 chars, provided comment was %d chars", length)
apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/reports/reportget.go b/internal/api/client/reports/reportget.go
index c9ca0054f..1219e4a12 100644
--- a/internal/api/client/reports/reportget.go
+++ b/internal/api/client/reports/reportget.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// ReportGETHandler swagger:operation GET /api/v1/reports/{id} reportGet
@@ -47,7 +46,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - read:reports
+// - read:accounts
//
// responses:
// '200':
@@ -65,9 +64,12 @@ import (
// '500':
// description: internal server error
func (m *Module) ReportGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
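Review bot: `ReportGETHandler` now accepts any token carrying `read:accounts`, and the swagger block in this file drops the dedicated `read:reports` entry to match. An application granted only account-read access can therefore presumably also fetch the reports this user has filed. If that widening is intentional (for instance because `apiutil` defines no separate report-read scope, which is not visible here), a comment above the call would record the decision, e.g. `// Reports have no read scope of their own; read:accounts is required instead.` The same applies to `ReportsGETHandler` in reportsget.go. The handler body continues outside the hunk.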
diff --git a/internal/api/client/reports/reportsget.go b/internal/api/client/reports/reportsget.go
index 4c3d4e33a..65adf664f 100644
--- a/internal/api/client/reports/reportsget.go
+++ b/internal/api/client/reports/reportsget.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/paging"
)
@@ -94,7 +93,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - read:reports
+// - read:accounts
//
// responses:
// '200':
@@ -119,9 +118,12 @@ import (
// '500':
// description: internal server error
func (m *Module) ReportsGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/search/searchget.go b/internal/api/client/search/searchget.go
index 0f9595efc..05a64f244 100644
--- a/internal/api/client/search/searchget.go
+++ b/internal/api/client/search/searchget.go
@@ -24,7 +24,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// SearchGETHandler swagger:operation GET /api/{api_version}/search searchGet
@@ -178,9 +177,12 @@ func (m *Module) SearchGETHandler(c *gin.Context) {
return
}
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadSearch,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/statuses/statusbookmark.go b/internal/api/client/statuses/statusbookmark.go
index 9dbc0f56e..059ed7e57 100644
--- a/internal/api/client/statuses/statusbookmark.go
+++ b/internal/api/client/statuses/statusbookmark.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// StatusBookmarkPOSTHandler swagger:operation POST /api/v1/statuses/{id}/bookmark statusBookmark
@@ -48,7 +47,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - write:statuses
+// - write:bookmarks
//
// responses:
// '200':
@@ -69,9 +68,12 @@ import (
// '500':
// description: internal server error
func (m *Module) StatusBookmarkPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteBookmarks,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/statuses/statusboost.go b/internal/api/client/statuses/statusboost.go
index 035ee8747..fb4c5e5ee 100644
--- a/internal/api/client/statuses/statusboost.go
+++ b/internal/api/client/statuses/statusboost.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// StatusBoostPOSTHandler swagger:operation POST /api/v1/statuses/{id}/reblog statusReblog
@@ -72,9 +71,12 @@ import (
// '500':
// description: internal server error
func (m *Module) StatusBoostPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteStatuses,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/statuses/statusboostedby.go b/internal/api/client/statuses/statusboostedby.go
index 15e0e26a0..9ee82c709 100644
--- a/internal/api/client/statuses/statusboostedby.go
+++ b/internal/api/client/statuses/statusboostedby.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// StatusBoostedByGETHandler swagger:operation GET /api/v1/statuses/{id}/reblogged_by statusBoostedBy
@@ -65,9 +64,12 @@ import (
// '404':
// description: not found
func (m *Module) StatusBoostedByGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/statuses/statuscontext.go b/internal/api/client/statuses/statuscontext.go
index 0eea50819..cae48e938 100644
--- a/internal/api/client/statuses/statuscontext.go
+++ b/internal/api/client/statuses/statuscontext.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// StatusContextGETHandler swagger:operation GET /api/v1/statuses/{id}/context threadContext
@@ -71,9 +70,12 @@ import (
// '500':
// description: internal server error
func (m *Module) StatusContextGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadStatuses,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/statuses/statuscreate.go b/internal/api/client/statuses/statuscreate.go
index bfb1c486d..686e29ec4 100644
--- a/internal/api/client/statuses/statuscreate.go
+++ b/internal/api/client/statuses/statuscreate.go
@@ -28,7 +28,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/util"
)
@@ -262,9 +261,12 @@ import (
// '501':
// description: scheduled_at was set, but this feature is not yet implemented
func (m *Module) StatusCreatePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteStatuses,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/statuses/statusdelete.go b/internal/api/client/statuses/statusdelete.go
index fa62d6893..c5ff046f7 100644
--- a/internal/api/client/statuses/statusdelete.go
+++ b/internal/api/client/statuses/statusdelete.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// StatusDELETEHandler swagger:operation DELETE /api/v1/statuses/{id} statusDelete
@@ -71,9 +70,12 @@ import (
// '500':
// description: internal server error
func (m *Module) StatusDELETEHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteStatuses,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/statuses/statusedit.go b/internal/api/client/statuses/statusedit.go
index dfd7d651e..dbd2224f7 100644
--- a/internal/api/client/statuses/statusedit.go
+++ b/internal/api/client/statuses/statusedit.go
@@ -27,7 +27,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/util"
)
@@ -156,9 +155,12 @@ import (
// '500':
// description: internal server error
func (m *Module) StatusEditPUTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteStatuses,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/statuses/statusfave.go b/internal/api/client/statuses/statusfave.go
index 41d45c6b8..23ff2d7a1 100644
--- a/internal/api/client/statuses/statusfave.go
+++ b/internal/api/client/statuses/statusfave.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// StatusFavePOSTHandler swagger:operation POST /api/v1/statuses/{id}/favourite statusFave
@@ -68,9 +67,12 @@ import (
// '500':
// description: internal server error
func (m *Module) StatusFavePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteStatuses,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
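Review bot: `StatusFavePOSTHandler` requires `apiutil.ScopeWriteStatuses`, while `StatusUnfavePOSTHandler` in statusunfave.go requires `apiutil.ScopeWriteFavourites` and documents `write:favourites`. Assuming scopes are matched as named, a token limited to `write:favourites` could remove a favourite but not create one, and a `write:statuses` token the reverse. Unless the asymmetry is deliberate, the scope line here should read `apiutil.ScopeWriteFavourites,`. The `security:` block of this handler's swagger comment, which this diff does not touch, should then list `write:favourites` to match. The handler body continues outside the hunk.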
diff --git a/internal/api/client/statuses/statusfavedby.go b/internal/api/client/statuses/statusfavedby.go
index 7dca760cc..a4a0611ce 100644
--- a/internal/api/client/statuses/statusfavedby.go
+++ b/internal/api/client/statuses/statusfavedby.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// StatusFavedByGETHandler swagger:operation GET /api/v1/statuses/{id}/favourited_by statusFavedBy
@@ -69,9 +68,12 @@ import (
// '500':
// description: internal server error
func (m *Module) StatusFavedByGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/statuses/statusget.go b/internal/api/client/statuses/statusget.go
index 8c3edac81..f8fb2cb50 100644
--- a/internal/api/client/statuses/statusget.go
+++ b/internal/api/client/statuses/statusget.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// StatusGETHandler swagger:operation GET /api/v1/statuses/{id} statusGet
@@ -68,9 +67,12 @@ import (
// '500':
// description: internal server error
func (m *Module) StatusGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadStatuses,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/statuses/statushistory.go b/internal/api/client/statuses/statushistory.go
index ba1af58cf..dc5932ff7 100644
--- a/internal/api/client/statuses/statushistory.go
+++ b/internal/api/client/statuses/statushistory.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// StatusHistoryGETHandler swagger:operation GET /api/v1/statuses/{id}/history statusHistoryGet
@@ -70,9 +69,12 @@ import (
// '500':
// description: internal server error
func (m *Module) StatusHistoryGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadStatuses,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/statuses/statusmute.go b/internal/api/client/statuses/statusmute.go
index 58d14a8bf..42df112a3 100644
--- a/internal/api/client/statuses/statusmute.go
+++ b/internal/api/client/statuses/statusmute.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// StatusMutePOSTHandler swagger:operation POST /api/v1/statuses/{id}/mute statusMute
@@ -72,9 +71,12 @@ import (
// '500':
// description: internal server error
func (m *Module) StatusMutePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteMutes,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/statuses/statuspin.go b/internal/api/client/statuses/statuspin.go
index e5879f715..0c4c681a6 100644
--- a/internal/api/client/statuses/statuspin.go
+++ b/internal/api/client/statuses/statuspin.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// StatusPinPOSTHandler swagger:operation POST /api/v1/statuses/{id}/pin statusPin
@@ -74,9 +73,12 @@ import (
// '500':
// description: internal server error
func (m *Module) StatusPinPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/statuses/statussource.go b/internal/api/client/statuses/statussource.go
index c74d99bfc..fd15e8719 100644
--- a/internal/api/client/statuses/statussource.go
+++ b/internal/api/client/statuses/statussource.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// StatusSourceGETHandler swagger:operation GET /api/v1/statuses/{id}/source statusSourceGet
@@ -68,9 +67,12 @@ import (
// '500':
// description: internal server error
func (m *Module) StatusSourceGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadStatuses,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/statuses/statusunbookmark.go b/internal/api/client/statuses/statusunbookmark.go
index 7dbed9658..ca4e669a7 100644
--- a/internal/api/client/statuses/statusunbookmark.go
+++ b/internal/api/client/statuses/statusunbookmark.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// StatusUnbookmarkPOSTHandler swagger:operation POST /api/v1/statuses/{id}/unbookmark statusUnbookmark
@@ -48,7 +47,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - write:statuses
+// - write:bookmarks
//
// responses:
// '200':
@@ -69,9 +68,12 @@ import (
// '500':
// description: internal server error
func (m *Module) StatusUnbookmarkPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteBookmarks,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/statuses/statusunboost.go b/internal/api/client/statuses/statusunboost.go
index ae5c2f600..c7fd00ab7 100644
--- a/internal/api/client/statuses/statusunboost.go
+++ b/internal/api/client/statuses/statusunboost.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// StatusUnboostPOSTHandler swagger:operation POST /api/v1/statuses/{id}/unreblog statusUnreblog
@@ -69,9 +68,12 @@ import (
// '500':
// description: internal server error
func (m *Module) StatusUnboostPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteStatuses,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/statuses/statusunfave.go b/internal/api/client/statuses/statusunfave.go
index 6fb445143..d7dbe10ce 100644
--- a/internal/api/client/statuses/statusunfave.go
+++ b/internal/api/client/statuses/statusunfave.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// StatusUnfavePOSTHandler swagger:operation POST /api/v1/statuses/{id}/unfavourite statusUnfave
@@ -48,7 +47,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - write:statuses
+// - write:favourites
//
// responses:
// '200':
@@ -68,9 +67,12 @@ import (
// '500':
// description: internal server error
func (m *Module) StatusUnfavePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFavourites,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/statuses/statusunmute.go b/internal/api/client/statuses/statusunmute.go
index e657992ca..76018fd27 100644
--- a/internal/api/client/statuses/statusunmute.go
+++ b/internal/api/client/statuses/statusunmute.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// StatusUnmutePOSTHandler swagger:operation POST /api/v1/statuses/{id}/unmute statusUnmute
@@ -72,9 +71,12 @@ import (
// '500':
// description: internal server error
func (m *Module) StatusUnmutePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteMutes,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/statuses/statusunpin.go b/internal/api/client/statuses/statusunpin.go
index fbe85755f..32cb913e0 100644
--- a/internal/api/client/statuses/statusunpin.go
+++ b/internal/api/client/statuses/statusunpin.go
@@ -24,7 +24,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// StatusUnpinPOSTHandler swagger:operation POST /api/v1/statuses/{id}/unpin statusUnpin
@@ -69,9 +68,12 @@ import (
// '500':
// description: internal server error
func (m *Module) StatusUnpinPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/streaming/stream.go b/internal/api/client/streaming/stream.go
index 6c57cea03..e6d1b80f7 100644
--- a/internal/api/client/streaming/stream.go
+++ b/internal/api/client/streaming/stream.go
@@ -28,7 +28,6 @@ import (
"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
"github.com/superseriousbusiness/gotosocial/internal/id"
"github.com/superseriousbusiness/gotosocial/internal/log"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
streampkg "github.com/superseriousbusiness/gotosocial/internal/stream"
"github.com/gin-gonic/gin"
@@ -187,9 +186,8 @@ func (m *Module) StreamGETHandler(c *gin.Context) {
// No explicit token was provided:
// try regular oauth as a last resort.
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- errWithCode := gtserror.NewErrorUnauthorized(err, err.Error())
+ authed, errWithCode := apiutil.TokenAuth(c, true, true, true, true)
+ if errWithCode != nil {
apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
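Review bot: The fallback `apiutil.TokenAuth(c, true, true, true, true)` call passes no scope, unlike the other handlers converted in this commit, so on this path any token that authenticates appears to be enough to open a stream. Whether the explicit-token branch earlier in `StreamGETHandler` enforces a scope cannot be seen from this hunk. If streaming is meant to be scope-free, the existing comment should say so, e.g. `// try regular oauth as a last resort; no scope is required for streaming.` Otherwise, pass the scope that the requested stream type needs. `TagGETHandler` in tags/get.go also passes no scope, but documents that choice with `OAuth2 Bearer: []` in its swagger block.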
diff --git a/internal/api/client/tags/follow.go b/internal/api/client/tags/follow.go
index 2952996b1..07804013a 100644
--- a/internal/api/client/tags/follow.go
+++ b/internal/api/client/tags/follow.go
@@ -22,8 +22,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
- "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// FollowTagPOSTHandler swagger:operation POST /api/v1/tags/{tag_name}/follow followTag
@@ -65,9 +63,12 @@ import (
// '500':
// description: internal server error
func (m *Module) FollowTagPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFollows,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/tags/get.go b/internal/api/client/tags/get.go
index b61b7cc65..a6a433d7d 100644
--- a/internal/api/client/tags/get.go
+++ b/internal/api/client/tags/get.go
@@ -22,8 +22,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
- "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// TagGETHandler swagger:operation GET /api/v1/tags/{tag_name} getTag
@@ -40,8 +38,7 @@ import (
// - application/json
//
// security:
-// - OAuth2 Bearer:
-// - read:follows
+// - OAuth2 Bearer: []
//
// parameters:
// -
@@ -67,9 +64,11 @@ import (
// '500':
// description: internal server error
func (m *Module) TagGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/tags/unfollow.go b/internal/api/client/tags/unfollow.go
index 3166e08ed..49ebd463e 100644
--- a/internal/api/client/tags/unfollow.go
+++ b/internal/api/client/tags/unfollow.go
@@ -22,8 +22,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
- "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// UnfollowTagPOSTHandler swagger:operation POST /api/v1/tags/{tag_name}/unfollow unfollowTag
@@ -67,9 +65,12 @@ import (
// '500':
// description: internal server error
func (m *Module) UnfollowTagPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFollows,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/timelines/home.go b/internal/api/client/timelines/home.go
index 55928dd3a..8e957d498 100644
--- a/internal/api/client/timelines/home.go
+++ b/internal/api/client/timelines/home.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// HomeTimelineGETHandler swagger:operation GET /api/v1/timelines/home homeTimeline
@@ -107,9 +106,12 @@ import (
// '400':
// description: bad request
func (m *Module) HomeTimelineGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadStatuses,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/timelines/list.go b/internal/api/client/timelines/list.go
index 25695bf0e..b02489d6c 100644
--- a/internal/api/client/timelines/list.go
+++ b/internal/api/client/timelines/list.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// ListTimelineGETHandler swagger:operation GET /api/v1/timelines/list/{id} listTimeline
@@ -106,9 +105,12 @@ import (
// '400':
// description: bad request
func (m *Module) ListTimelineGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/timelines/public.go b/internal/api/client/timelines/public.go
index 49530216f..d6df36f09 100644
--- a/internal/api/client/timelines/public.go
+++ b/internal/api/client/timelines/public.go
@@ -24,7 +24,6 @@ import (
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/config"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// PublicTimelineGETHandler swagger:operation GET /api/v1/timelines/public publicTimeline
@@ -108,19 +107,25 @@ import (
// '400':
// description: bad request
func (m *Module) PublicTimelineGETHandler(c *gin.Context) {
- var authed *oauth.Auth
- var err error
-
+ var (
+ authed *apiutil.Auth
+ errWithCode gtserror.WithCode
+ )
if config.GetInstanceExposePublicTimeline() {
// If the public timeline is allowed to be exposed, still check if we
// can extract various authentication properties, but don't require them.
- authed, err = oauth.Authed(c, false, false, false, false)
+ authed, errWithCode = apiutil.TokenAuth(c,
+ false, false, false, false,
+ )
} else {
- authed, err = oauth.Authed(c, true, true, true, true)
+ authed, errWithCode = apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadStatuses,
+ )
}
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
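Review bot: In the branch where the public timeline is exposed, `apiutil.TokenAuth` is called with no required scope, so a request that does present a token is accepted whatever that token's scope is, while the other branch requires `apiutil.ScopeReadStatuses`. If the rest of the handler (outside this hunk) uses `authed.Account` to tailor the result, a token without a read scope would get an account-specific view. Consider returning the forbidden error when `authed.Token != nil` and the token does not permit `apiutil.ScopeReadStatuses`. Passing the scope to the all-false call would not be enough as TokenAuth is written in this commit, because its scope check calls `a.Token.GetScope()` without a nil check.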
diff --git a/internal/api/client/timelines/tag.go b/internal/api/client/timelines/tag.go
index 258184355..8c3a86f81 100644
--- a/internal/api/client/timelines/tag.go
+++ b/internal/api/client/timelines/tag.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// TagTimelineGETHandler swagger:operation GET /api/v1/timelines/tag/{tag_name} tagTimeline
@@ -108,9 +107,12 @@ import (
// '400':
// description: bad request
func (m *Module) TagTimelineGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadStatuses,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/user/emailchange.go b/internal/api/client/user/emailchange.go
index b2e25343f..09d5e8fde 100644
--- a/internal/api/client/user/emailchange.go
+++ b/internal/api/client/user/emailchange.go
@@ -25,7 +25,6 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// EmailChangePOSTHandler swagger:operation POST /api/v1/user/email_change userEmailChange
@@ -46,7 +45,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - write:user
+// - write:accounts
//
// responses:
// '202':
@@ -66,9 +65,12 @@ import (
// '500':
// description: internal error
func (m *Module) EmailChangePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/user/passwordchange.go b/internal/api/client/user/passwordchange.go
index df9f5b0c8..8b1c7e29a 100644
--- a/internal/api/client/user/passwordchange.go
+++ b/internal/api/client/user/passwordchange.go
@@ -26,7 +26,6 @@ import (
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/config"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
const OIDCPasswordHelp = "password change request cannot be processed by GoToSocial as this instance is running with OIDC enabled; you must change password using your OIDC provider"
@@ -52,7 +51,7 @@ const OIDCPasswordHelp = "password change request cannot be processed by GoToSoc
//
// security:
// - OAuth2 Bearer:
-// - write:user
+// - write:accounts
//
// responses:
// '200':
@@ -70,9 +69,12 @@ const OIDCPasswordHelp = "password change request cannot be processed by GoToSoc
// '500':
// description: internal error
func (m *Module) PasswordChangePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/client/user/userget.go b/internal/api/client/user/userget.go
index 147c1dbd5..c82a6d644 100644
--- a/internal/api/client/user/userget.go
+++ b/internal/api/client/user/userget.go
@@ -23,7 +23,6 @@ import (
"github.com/gin-gonic/gin"
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// UserGETHandler swagger:operation GET /api/v1/user getUser
@@ -39,7 +38,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - read:user
+// - read:accounts
//
// responses:
// '200':
@@ -57,9 +56,12 @@ import (
// '500':
// description: internal error
func (m *Module) UserGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
diff --git a/internal/api/fileserver/servefile.go b/internal/api/fileserver/servefile.go
index fc6ef0e7e..56285ea48 100644
--- a/internal/api/fileserver/servefile.go
+++ b/internal/api/fileserver/servefile.go
@@ -31,7 +31,6 @@ import (
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
"github.com/superseriousbusiness/gotosocial/internal/log"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
)
// ServeFile is for serving attachments, headers, and avatars to the requester from instance storage.
@@ -39,9 +38,9 @@ import (
// Note: to mitigate scraping attempts, no information should be given out on a bad request except "404 page not found".
// Don't give away account ids or media ids or anything like that; callers shouldn't be able to infer anything.
func (m *Module) ServeFile(c *gin.Context) {
- authed, err := oauth.Authed(c, false, false, false, false)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorNotFound(err), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c, false, false, false, false)
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
return
}
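Review bot: Passing `errWithCode` straight to the error handler changes what a failed auth lookup returns here. The old line wrapped every error in `gtserror.NewErrorNotFound`, whereas the errors TokenAuth returns are built with `gtserror.NewErrorUnauthorized` and carry text such as "could not parse token from session context". That conflicts with the comment above ServeFile, which says nothing except a 404 should be given out on a bad request. Keeping the wrap preserves the documented behaviour: `apiutil.ErrorHandler(c, gtserror.NewErrorNotFound(errWithCode), m.processor.InstanceGetV1)`. ServeFile's body continues outside the hunk.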
diff --git a/internal/api/util/auth.go b/internal/api/util/auth.go
new file mode 100644
index 000000000..5c6afb306
--- /dev/null
+++ b/internal/api/util/auth.go
@@ -0,0 +1,152 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+package util
+
+import (
+ "errors"
+ "slices"
+ "strings"
+
+ "github.com/gin-gonic/gin"
+ "github.com/superseriousbusiness/gotosocial/internal/gtserror"
+ "github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+ "github.com/superseriousbusiness/gotosocial/internal/oauth"
+ "github.com/superseriousbusiness/oauth2/v4"
+)
+
+// Auth wraps an authorized token, application, user, and account.
+// It is used in the functions GetAuthed and MustAuth.
+// Because the user might *not* be authed, any of the fields in this struct
+// might be nil, so make sure to check that when you're using this struct anywhere.
+type Auth struct {
+ Token oauth2.TokenInfo
+ Application *gtsmodel.Application
+ User *gtsmodel.User
+ Account *gtsmodel.Account
+}
+
+// TokenAuth is a convenience function for returning an TokenAuth struct from a gin context.
+// In essence, it tries to extract a token, application, user, and account from the context,
+// and then sets them on a struct for convenience.
+//
+// If any are not present in the context, they will be set to nil on the returned TokenAuth struct.
+//
+// If *ALL* are not present, then nil and an error will be returned.
+//
+// If something goes wrong during parsing, then nil and an error will be returned (consider this not authed).
+// TokenAuth is like GetAuthed, but will fail if one of the requirements is not met.
+func TokenAuth(
+ c *gin.Context,
+ requireToken bool,
+ requireApp bool,
+ requireUser bool,
+ requireAccount bool,
+ requireScope ...Scope,
+) (*Auth, gtserror.WithCode) {
+ var (
+ ctx = c.Copy()
+ a = &Auth{}
+ i interface{}
+ ok bool
+ )
+
+ i, ok = ctx.Get(oauth.SessionAuthorizedToken)
+ if ok {
+ parsed, ok := i.(oauth2.TokenInfo)
+ if !ok {
+ const errText = "could not parse token from session context"
+ return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText)
+ }
+ a.Token = parsed
+ }
+
+ i, ok = ctx.Get(oauth.SessionAuthorizedApplication)
+ if ok {
+ parsed, ok := i.(*gtsmodel.Application)
+ if !ok {
+ const errText = "could not parse application from session context"
+ return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText)
+ }
+ a.Application = parsed
+ }
+
+ i, ok = ctx.Get(oauth.SessionAuthorizedUser)
+ if ok {
+ parsed, ok := i.(*gtsmodel.User)
+ if !ok {
+ const errText = "could not parse user from session context"
+ return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText)
+ }
+ a.User = parsed
+ }
+
+ i, ok = ctx.Get(oauth.SessionAuthorizedAccount)
+ if ok {
+ parsed, ok := i.(*gtsmodel.Account)
+ if !ok {
+ const errText = "could not parse account from session context"
+ return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText)
+ }
+ a.Account = parsed
+ }
+
+ if requireToken && a.Token == nil {
+ const errText = "token not supplied"
+ return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText)
+ }
+
+ if requireApp && a.Application == nil {
+ const errText = "application not supplied"
+ return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText)
+ }
+
+ if requireUser && a.User == nil {
+ const errText = "user not supplied or not authorized"
+ return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText)
+ }
+
+ if requireAccount && a.Account == nil {
+ const errText = "account not supplied or not authorized"
+ return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText)
+ }
+
+ if len(requireScope) != 0 {
+ // We need to match one of the
+ // required scopes, check if we can.
+ hasScopes := strings.Split(a.Token.GetScope(), " ")
+ scopeOK := slices.ContainsFunc(
+ hasScopes,
+ func(hasScope string) bool {
+ for _, requiredScope := range requireScope {
+ if Scope(hasScope).Permits(requiredScope) {
+ // Got it.
+ return true
+ }
+ }
+ return false
+ },
+ )
+
+ if !scopeOK {
+ const errText = "token has insufficient scope permission"
+ return nil, gtserror.NewErrorForbidden(errors.New(errText), errText)
+ }
+ }
+
+ return a, nil
+}
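Review bot: The scope check at the end of TokenAuth calls `a.Token.GetScope()` without checking that a token was found, so a call that passes `requireToken` as false together with a required scope would panic on a request with no token instead of returning an error. No call site in this part of the diff does that, but the signature allows it; guard it before the split with `if a.Token == nil { const errText = "token not supplied"; return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText) }`. Using `strings.Fields(a.Token.GetScope())` instead of `strings.Split(..., " ")` would also avoid producing an empty scope entry from an empty or double-spaced scope string. The doc comments still mention GetAuthed, MustAuth and "an TokenAuth struct", none of which match the names defined in this file.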
diff --git a/internal/api/util/scopes.go b/internal/api/util/scopes.go
new file mode 100644
index 000000000..d02d3cc0d
--- /dev/null
+++ b/internal/api/util/scopes.go
@@ -0,0 +1,103 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+package util
+
+import (
+ "strings"
+)
+
+type Scope string
+
+const (
+ /* Sub-scopes / scope components */
+
+ scopeAccounts = "accounts"
+ scopeBlocks = "blocks"
+ scopeBookmarks = "bookmarks"
+ scopeConversations = "conversations"
+ scopeDomainAllows = "domain_allows"
+ scopeDomainBlocks = "domain_blocks"
+ scopeFavourites = "favourites"
+ scopeFilters = "filters"
+ scopeFollows = "follows"
+ scopeLists = "lists"
+ scopeMedia = "media"
+ scopeMutes = "mutes"
+ scopeNotifications = "notifications"
+ scopeReports = "reports"
+ scopeSearch = "search"
+ scopeStatuses = "statuses"
+
+ /* Top-level scopes */
+
+ ScopeProfile Scope = "profile"
+ ScopePush Scope = "push"
+ ScopeRead Scope = "read"
+ ScopeWrite Scope = "write"
+ ScopeAdmin Scope = "admin"
+ ScopeAdminRead Scope = ScopeAdmin + ":" + ScopeRead
+ ScopeAdminWrite Scope = ScopeAdmin + ":" + ScopeWrite
+
+ /* Granular scopes */
+
+ ScopeReadAccounts Scope = ScopeRead + ":" + scopeAccounts
+ ScopeWriteAccounts Scope = ScopeWrite + ":" + scopeAccounts
+ ScopeReadBlocks Scope = ScopeRead + ":" + scopeBlocks
+ ScopeWriteBlocks Scope = ScopeWrite + ":" + scopeBlocks
+ ScopeReadBookmarks Scope = ScopeRead + ":" + scopeBookmarks
+ ScopeWriteBookmarks Scope = ScopeWrite + ":" + scopeBookmarks
+ ScopeWriteConversations Scope = ScopeWrite + ":" + scopeConversations
+ ScopeReadFavourites Scope = ScopeRead + ":" + scopeFavourites
+ ScopeWriteFavourites Scope = ScopeWrite + ":" + scopeFavourites
+ ScopeReadFilters Scope = ScopeRead + ":" + scopeFilters
+ ScopeWriteFilters Scope = ScopeWrite + ":" + scopeFilters
+ ScopeReadFollows Scope = ScopeRead + ":" + scopeFollows
+ ScopeWriteFollows Scope = ScopeWrite + ":" + scopeFollows
+ ScopeReadLists Scope = ScopeRead + ":" + scopeLists
+ ScopeWriteLists Scope = ScopeWrite + ":" + scopeLists
+ ScopeWriteMedia Scope = ScopeWrite + ":" + scopeMedia
+ ScopeReadMutes Scope = ScopeRead + ":" + scopeMutes
+ ScopeWriteMutes Scope = ScopeWrite + ":" + scopeMutes
+ ScopeReadNotifications Scope = ScopeRead + ":" + scopeNotifications
+ ScopeWriteNotifications Scope = ScopeWrite + ":" + scopeNotifications
+ ScopeWriteReports Scope = ScopeWrite + ":" + scopeReports
+ ScopeReadSearch Scope = ScopeRead + ":" + scopeSearch
+ ScopeReadStatuses Scope = ScopeRead + ":" + scopeStatuses
+ ScopeWriteStatuses Scope = ScopeWrite + ":" + scopeStatuses
+ ScopeAdminReadAccounts Scope = ScopeAdminRead + ":" + scopeAccounts
+ ScopeAdminWriteAccounts Scope = ScopeAdminWrite + ":" + scopeAccounts
+ ScopeAdminReadReports Scope = ScopeAdminRead + ":" + scopeReports
+ ScopeAdminWriteReports Scope = ScopeAdminWrite + ":" + scopeReports
+ ScopeAdminReadDomainAllows Scope = ScopeAdminRead + ":" + scopeDomainAllows
+ ScopeAdminWriteDomainAllows Scope = ScopeAdminWrite + ":" + scopeDomainAllows
+ ScopeAdminReadDomainBlocks Scope = ScopeAdminRead + ":" + scopeDomainBlocks
+ ScopeAdminWriteDomainBlocks Scope = ScopeAdminWrite + ":" + scopeDomainBlocks
+)
+
+// Permits returns true if the
+// scope permits the wanted scope.
+func (has Scope) Permits(wanted Scope) bool {
+ if has == wanted {
+ // Exact match.
+ return true
+ }
+
+ // Check if we have a parent scope of what's wanted,
+ // eg., we have scope "admin", we want "admin:read".
+ return strings.HasPrefix(string(wanted), string(has))
+}
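Review bot: `Permits` falls back to a bare `strings.HasPrefix(string(wanted), string(has))`, which matches any leading substring rather than a whole scope component, so a held scope of `read:acc`, `r` or the empty string would permit `read:accounts`. TokenAuth builds the held scopes with `strings.Split(a.Token.GetScope(), " ")`, which yields one empty entry for an empty scope string. Whether that is reachable depends on how scopes are validated when a token is issued, which is outside this diff. Matching on the separator closes the gap: `if has == "" { return false }` followed by `return strings.HasPrefix(string(wanted), string(has)+":")`. `type Scope string` also has no doc comment; something like `// Scope is a single OAuth scope string, e.g. "read" or "write:accounts".` would do.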
diff --git a/internal/api/util/scopes_test.go b/internal/api/util/scopes_test.go
new file mode 100644
index 000000000..bd533585b
--- /dev/null
+++ b/internal/api/util/scopes_test.go
@@ -0,0 +1,101 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+package util_test
+
+import (
+ "testing"
+
+ "github.com/superseriousbusiness/gotosocial/internal/api/util"
+)
+
+func TestScopes(t *testing.T) {
+ for _, test := range []struct {
+ HasScope util.Scope
+ WantsScope util.Scope
+ Expect bool
+ }{
+ {
+ HasScope: util.ScopeRead,
+ WantsScope: util.ScopeRead,
+ Expect: true,
+ },
+ {
+ HasScope: util.ScopeRead,
+ WantsScope: util.ScopeWrite,
+ Expect: false,
+ },
+ {
+ HasScope: util.ScopeWrite,
+ WantsScope: util.ScopeWrite,
+ Expect: true,
+ },
+ {
+ HasScope: util.ScopeWrite,
+ WantsScope: util.ScopeRead,
+ Expect: false,
+ },
+ {
+ HasScope: util.ScopePush,
+ WantsScope: util.ScopePush,
+ Expect: true,
+ },
+ {
+ HasScope: util.ScopeAdmin,
+ WantsScope: util.ScopeAdmin,
+ Expect: true,
+ },
+ {
+ HasScope: util.ScopeProfile,
+ WantsScope: util.ScopeProfile,
+ Expect: true,
+ },
+ {
+ HasScope: util.ScopeReadAccounts,
+ WantsScope: util.ScopeWriteAccounts,
+ Expect: false,
+ },
+ {
+ HasScope: util.ScopeWriteAccounts,
+ WantsScope: util.ScopeWriteAccounts,
+ Expect: true,
+ },
+ {
+ HasScope: util.ScopeWrite,
+ WantsScope: util.ScopeWriteAccounts,
+ Expect: true,
+ },
+ {
+ HasScope: util.ScopeRead,
+ WantsScope: util.ScopeWriteAccounts,
+ Expect: false,
+ },
+ {
+ HasScope: util.ScopeWriteAccounts,
+ WantsScope: util.ScopeWrite,
+ Expect: false,
+ },
+ } {
+ res := test.HasScope.Permits(test.WantsScope)
+ if res != test.Expect {
+ t.Errorf(
+ "did not get expected result %v for input: has %s, wants %s",
+ test.Expect, test.HasScope, test.WantsScope,
+ )
+ }
+ }
+}
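Review bot: The table only pairs well-formed scopes, so nothing pins how `Permits` treats an empty or truncated held scope, which is where a prefix-based matcher is most likely to be too permissive. Add negative cases such as `{HasScope: util.Scope(""), WantsScope: util.ScopeRead, Expect: false}` and `{HasScope: util.Scope("read:acc"), WantsScope: util.ScopeReadAccounts, Expect: false}`. With the `strings.HasPrefix` fallback in scopes.go as committed, both are expected to fail until the matcher requires a `:` boundary. A nested admin case, `util.ScopeAdmin` permitting `util.ScopeAdminReadAccounts`, would also cover the three-level scopes.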