authorLibravatar tobi <31960611+tsmethurst@users.noreply.github.com>2025-02-26 13:04:55 +0100
committerLibravatar GitHub <noreply@github.com>2025-02-26 13:04:55 +0100
commiteb720241da3d786c6ec79f2325277fa4af23846f (patch)
tree36e0e08699e55a56d247353d082cc0a2b8144999 /internal/processing/stream/authorize.go
parent[chore]: Bump golang.org/x/crypto from 0.33.0 to 0.34.0 (#3824) (diff)
[feature] Enforce OAuth token scopes (#3835)
* move tokenauth to apiutil * enforce scopes * docs * update test models, remove deprecated "follow" * file header * tests * tweak scope matcher * simplify... * fix tests * log user out of settings panel in case of oauth error
Diffstat (limited to 'internal/processing/stream/authorize.go')
-rw-r--r--internal/processing/stream/authorize.go21
1 files changed, 21 insertions, 0 deletions
diff --git a/internal/processing/stream/authorize.go b/internal/processing/stream/authorize.go
index 0baea29f1..cedd21e0b 100644
--- a/internal/processing/stream/authorize.go
+++ b/internal/processing/stream/authorize.go
@@ -19,8 +19,12 @@ package stream
import (
"context"
+ "errors"
"fmt"
+ "slices"
+ "strings"
+ apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/db"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
@@ -58,5 +62,22 @@ func (p *Processor) Authorize(ctx context.Context, accessToken string) (*gtsmode
return nil, gtserror.NewErrorInternalError(err)
}
+ // Ensure read scope.
+ //
+ // TODO: make this more granular
+ // depending on stream type.
+ hasScopes := strings.Split(ti.GetScope(), " ")
+ scopeOK := slices.ContainsFunc(
+ hasScopes,
+ func(hasScope string) bool {
+ return apiutil.Scope(hasScope).Permits(apiutil.ScopeRead)
+ },
+ )
+
+ if !scopeOK {
+ const errText = "token has insufficient scope permission"
+ return nil, gtserror.NewErrorForbidden(errors.New(errText), errText)
+ }
+
return acct, nil
}
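Review bot: Splitting the token's scope string with `strings.Split(ti.GetScope(), " ")` yields empty-string entries whenever the stored scope has doubled spaces, a leading/trailing space or tab separators, and each of those then goes through `apiutil.Scope("").Permits(...)`; `hasScopes := strings.Fields(ti.GetScope())` tolerates any whitespace and never produces empty entries. The check itself only passes when some granted scope permits the broad `ScopeRead`, so, if `Permits` is a superset test as its use here suggests, a token carrying only narrower read scopes would be refused for every stream type rather than limited to the matching ones; the TODO above the check acknowledges this, and it is worth stating the consequence in the comment, e.g. `// Currently requires a scope that covers "read" in full; tokens with only granular read:* scopes are rejected.` Since the check runs after the account has been looked up, an insufficiently scoped token still costs the earlier database work; placing it before those lookups would be cheaper, though that part of Authorize starts outside this hunk.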