[feature] Enforce OAuth token scopes (#3835)

* move tokenauth to apiutil

* enforce scopes

* docs

* update test models, remove deprecated "follow"

* file header

* tests

* tweak scope matcher

* simplify...

* fix tests

* log user out of settings panel in case of oauth error

1 files changed, 0 insertions, 107 deletions

diff --git a/internal/oauth/util.go b/internal/oauth/util.go
deleted file mode 100644
index e7b2d1292..000000000
--- a/internal/oauth/util.go
+++ /dev/null
@@ -1,107 +0,0 @@
-// GoToSocial
-// Copyright (C) GoToSocial Authors admin@gotosocial.org
-// SPDX-License-Identifier: AGPL-3.0-or-later
-//
-// This program is free software: you can redistribute it and/or modify
-// it under the terms of the GNU Affero General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU Affero General Public License for more details.
-//
-// You should have received a copy of the GNU Affero General Public License
-// along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-package oauth
-
-import (
-	"github.com/gin-gonic/gin"
-	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
-	"github.com/superseriousbusiness/oauth2/v4"
-	"github.com/superseriousbusiness/oauth2/v4/errors"
-)
-
-// Auth wraps an authorized token, application, user, and account.
-// It is used in the functions GetAuthed and MustAuth.
-// Because the user might *not* be authed, any of the fields in this struct
-// might be nil, so make sure to check that when you're using this struct anywhere.
-type Auth struct {
-	Token       oauth2.TokenInfo
-	Application *gtsmodel.Application
-	User        *gtsmodel.User
-	Account     *gtsmodel.Account
-}
-
-// Authed is a convenience function for returning an Authed struct from a gin context.
-// In essence, it tries to extract a token, application, user, and account from the context,
-// and then sets them on a struct for convenience.
-//
-// If any are not present in the context, they will be set to nil on the returned Authed struct.
-//
-// If *ALL* are not present, then nil and an error will be returned.
-//
-// If something goes wrong during parsing, then nil and an error will be returned (consider this not authed).
-// Authed is like GetAuthed, but will fail if one of the requirements is not met.
-func Authed(c *gin.Context, requireToken bool, requireApp bool, requireUser bool, requireAccount bool) (*Auth, error) {
-	ctx := c.Copy()
-	a := &Auth{}
-	var i interface{}
-	var ok bool
-
-	i, ok = ctx.Get(SessionAuthorizedToken)
-	if ok {
-		parsed, ok := i.(oauth2.TokenInfo)
-		if !ok {
-			return nil, errors.New("could not parse token from session context")
-		}
-		a.Token = parsed
-	}
-
-	i, ok = ctx.Get(SessionAuthorizedApplication)
-	if ok {
-		parsed, ok := i.(*gtsmodel.Application)
-		if !ok {
-			return nil, errors.New("could not parse application from session context")
-		}
-		a.Application = parsed
-	}
-
-	i, ok = ctx.Get(SessionAuthorizedUser)
-	if ok {
-		parsed, ok := i.(*gtsmodel.User)
-		if !ok {
-			return nil, errors.New("could not parse user from session context")
-		}
-		a.User = parsed
-	}
-
-	i, ok = ctx.Get(SessionAuthorizedAccount)
-	if ok {
-		parsed, ok := i.(*gtsmodel.Account)
-		if !ok {
-			return nil, errors.New("could not parse account from session context")
-		}
-		a.Account = parsed
-	}
-
-	if requireToken && a.Token == nil {
-		return nil, errors.New("token not supplied")
-	}
-
-	if requireApp && a.Application == nil {
-		return nil, errors.New("application not supplied")
-	}
-
-	if requireUser && a.User == nil {
-		return nil, errors.New("user not supplied or not authorized")
-	}
-
-	if requireAccount && a.Account == nil {
-		return nil, errors.New("account not supplied or not authorized")
-	}
-
-	return a, nil
-}