[feature] Enforce OAuth token scopes (#3835)

* move tokenauth to apiutil

* enforce scopes

* docs

* update test models, remove deprecated "follow"

* file header

* tests

* tweak scope matcher

* simplify...

* fix tests

* log user out of settings panel in case of oauth error

2 files changed, 4 insertions, 8 deletions

diff --git a/web/source/settings/components/authorization/index.tsx b/web/source/settings/components/authorization/index.tsx
index e8f4d6673..7c6373399 100644
--- a/web/source/settings/components/authorization/index.tsx
+++ b/web/source/settings/components/authorization/index.tsx
@@ -58,13 +58,9 @@ export function Authorization({ App }) {
 			</div>
 		);
 	} else if (error !== undefined) {
-		if ("status" in error && error.status === 401) {
-			// 401 unauthorized was received.
-			// That means the token or app we
-			// were using is no longer valid,
-			// so just log the user out.
-			logoutQuery(NoArg);
-		}
+		// Something went wrong,
+		// log the user out.
+		logoutQuery(NoArg);
 
 		content = (
 			<div>
diff --git a/web/source/settings/components/authorization/login.tsx b/web/source/settings/components/authorization/login.tsx
index 870e9c343..28ed7953c 100644
--- a/web/source/settings/components/authorization/login.tsx
+++ b/web/source/settings/components/authorization/login.tsx
@@ -31,7 +31,7 @@ export default function Login({ }) {
 		instance: useTextInput("instance", {
 			defaultValue: window.location.origin
 		}),
-		scopes: useValue("scopes", "user admin"),
+		scopes: useValue("scopes", "read write admin"),
 	};
 
 	const [formSubmit, result] = useFormSubmit(form, useAuthorizeFlowMutation(), {