diff options
Diffstat (limited to 'internal/api')
| -rw-r--r-- | internal/api/client/account/account.go | 12 | ||||
| -rw-r--r-- | internal/api/client/account/follow.go | 56 | ||||
| -rw-r--r-- | internal/api/client/account/following.go | 49 | ||||
| -rw-r--r-- | internal/api/client/account/relationships.go | 46 | ||||
| -rw-r--r-- | internal/api/client/account/unfollow.go | 53 | ||||
| -rw-r--r-- | internal/api/client/auth/authorize.go | 3 | ||||
| -rw-r--r-- | internal/api/client/auth/middleware.go | 3 | ||||
| -rw-r--r-- | internal/api/client/auth/signin.go | 3 | ||||
| -rw-r--r-- | internal/api/client/followrequest/accept.go | 5 | ||||
| -rw-r--r-- | internal/api/client/status/statuscreate_test.go | 3 | ||||
| -rw-r--r-- | internal/api/model/account.go | 51 | ||||
| -rw-r--r-- | internal/api/s2s/user/followers.go | 58 | ||||
| -rw-r--r-- | internal/api/s2s/user/statusget.go | 46 | ||||
| -rw-r--r-- | internal/api/s2s/user/user.go | 8 | ||||
| -rw-r--r-- | internal/api/security/security.go | 1 | ||||
| -rw-r--r-- | internal/api/security/useragentblock.go | 43 |
16 files changed, 414 insertions, 26 deletions
diff --git a/internal/api/client/account/account.go b/internal/api/client/account/account.go index 1e4b716f5..94f753825 100644 --- a/internal/api/client/account/account.go +++ b/internal/api/client/account/account.go @@ -57,6 +57,14 @@ const ( GetStatusesPath = BasePathWithID + "/statuses" // GetFollowersPath is for showing an account's followers GetFollowersPath = BasePathWithID + "/followers" + // GetFollowingPath is for showing account's that an account follows. + GetFollowingPath = BasePathWithID + "/following" + // GetRelationshipsPath is for showing an account's relationship with other accounts + GetRelationshipsPath = BasePath + "/relationships" + // FollowPath is for POSTing new follows to, and updating existing follows + PostFollowPath = BasePathWithID + "/follow" + // PostUnfollowPath is for POSTing an unfollow + PostUnfollowPath = BasePathWithID + "/unfollow" ) // Module implements the ClientAPIModule interface for account-related actions @@ -82,6 +90,10 @@ func (m *Module) Route(r router.Router) error { r.AttachHandler(http.MethodPatch, BasePathWithID, m.muxHandler) r.AttachHandler(http.MethodGet, GetStatusesPath, m.AccountStatusesGETHandler) r.AttachHandler(http.MethodGet, GetFollowersPath, m.AccountFollowersGETHandler) + r.AttachHandler(http.MethodGet, GetFollowingPath, m.AccountFollowingGETHandler) + r.AttachHandler(http.MethodGet, GetRelationshipsPath, m.AccountRelationshipsGETHandler) + r.AttachHandler(http.MethodPost, PostFollowPath, m.AccountFollowPOSTHandler) + r.AttachHandler(http.MethodPost, PostUnfollowPath, m.AccountUnfollowPOSTHandler) return nil } diff --git a/internal/api/client/account/follow.go b/internal/api/client/account/follow.go new file mode 100644 index 000000000..bee41c280 --- /dev/null +++ b/internal/api/client/account/follow.go @@ -0,0 +1,56 @@ +/* + GoToSocial + Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +package account + +import ( + "net/http" + + "github.com/gin-gonic/gin" + "github.com/superseriousbusiness/gotosocial/internal/api/model" + "github.com/superseriousbusiness/gotosocial/internal/oauth" +) + +// AccountFollowPOSTHandler is the endpoint for creating a new follow request to the target account +func (m *Module) AccountFollowPOSTHandler(c *gin.Context) { + authed, err := oauth.Authed(c, true, true, true, true) + if err != nil { + c.JSON(http.StatusUnauthorized, gin.H{"error": "unauthorized"}) + return + } + + targetAcctID := c.Param(IDKey) + if targetAcctID == "" { + c.JSON(http.StatusBadRequest, gin.H{"error": "no account id specified"}) + return + } + form := &model.AccountFollowRequest{} + if err := c.ShouldBind(form); err != nil { + c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) + return + } + form.TargetAccountID = targetAcctID + + relationship, errWithCode := m.processor.AccountFollowCreate(authed, form) + if errWithCode != nil { + c.JSON(errWithCode.Code(), gin.H{"error": errWithCode.Safe()}) + return + } + + c.JSON(http.StatusOK, relationship) +} diff --git a/internal/api/client/account/following.go b/internal/api/client/account/following.go new file mode 100644 index 000000000..2a1373e40 --- /dev/null +++ b/internal/api/client/account/following.go @@ -0,0 +1,49 @@ +/* + GoToSocial + Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +package account + +import ( + "net/http" + + "github.com/gin-gonic/gin" + "github.com/superseriousbusiness/gotosocial/internal/oauth" +) + +// AccountFollowersGETHandler serves the followers of the requested account, if they're visible to the requester. +func (m *Module) AccountFollowingGETHandler(c *gin.Context) { + authed, err := oauth.Authed(c, true, true, true, true) + if err != nil { + c.JSON(http.StatusUnauthorized, gin.H{"error": "unauthorized"}) + return + } + + targetAcctID := c.Param(IDKey) + if targetAcctID == "" { + c.JSON(http.StatusBadRequest, gin.H{"error": "no account id specified"}) + return + } + + following, errWithCode := m.processor.AccountFollowingGet(authed, targetAcctID) + if errWithCode != nil { + c.JSON(errWithCode.Code(), gin.H{"error": errWithCode.Safe()}) + return + } + + c.JSON(http.StatusOK, following) +} diff --git a/internal/api/client/account/relationships.go b/internal/api/client/account/relationships.go new file mode 100644 index 000000000..fd96867ac --- /dev/null +++ b/internal/api/client/account/relationships.go @@ -0,0 +1,46 @@ +package account + +import ( + "net/http" + + "github.com/gin-gonic/gin" + "github.com/superseriousbusiness/gotosocial/internal/api/model" + "github.com/superseriousbusiness/gotosocial/internal/oauth" +) + +// AccountRelationshipsGETHandler serves the relationship of the requesting account with one or more requested account IDs. +func (m *Module) AccountRelationshipsGETHandler(c *gin.Context) { + l := m.log.WithField("func", "AccountRelationshipsGETHandler") + + authed, err := oauth.Authed(c, true, true, true, true) + if err != nil { + l.Debugf("error authing: %s", err) + c.JSON(http.StatusUnauthorized, gin.H{"error": "unauthorized"}) + return + } + + targetAccountIDs := c.QueryArray("id[]") + if len(targetAccountIDs) == 0 { + // check fallback -- let's be generous and see if maybe it's just set as 'id'? + id := c.Query("id") + if id == "" { + l.Debug("no account id specified in query") + c.JSON(http.StatusBadRequest, gin.H{"error": "no account id specified"}) + return + } + targetAccountIDs = append(targetAccountIDs, id) + } + + relationships := []model.Relationship{} + + for _, targetAccountID := range targetAccountIDs { + r, errWithCode := m.processor.AccountRelationshipGet(authed, targetAccountID) + if err != nil { + c.JSON(errWithCode.Code(), gin.H{"error": errWithCode.Safe()}) + return + } + relationships = append(relationships, *r) + } + + c.JSON(http.StatusOK, relationships) +} diff --git a/internal/api/client/account/unfollow.go b/internal/api/client/account/unfollow.go new file mode 100644 index 000000000..69ed72b88 --- /dev/null +++ b/internal/api/client/account/unfollow.go @@ -0,0 +1,53 @@ +/* + GoToSocial + Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +package account + +import ( + "net/http" + + "github.com/gin-gonic/gin" + "github.com/superseriousbusiness/gotosocial/internal/oauth" +) + +// AccountUnfollowPOSTHandler is the endpoint for removing a follow and/or follow request to the target account +func (m *Module) AccountUnfollowPOSTHandler(c *gin.Context) { + l := m.log.WithField("func", "AccountUnfollowPOSTHandler") + authed, err := oauth.Authed(c, true, true, true, true) + if err != nil { + l.Debug(err) + c.JSON(http.StatusUnauthorized, gin.H{"error": "unauthorized"}) + return + } + + targetAcctID := c.Param(IDKey) + if targetAcctID == "" { + l.Debug(err) + c.JSON(http.StatusBadRequest, gin.H{"error": "no account id specified"}) + return + } + + relationship, errWithCode := m.processor.AccountFollowRemove(authed, targetAcctID) + if errWithCode != nil { + l.Debug(errWithCode.Error()) + c.JSON(errWithCode.Code(), gin.H{"error": errWithCode.Safe()}) + return + } + + c.JSON(http.StatusOK, relationship) +} diff --git a/internal/api/client/auth/authorize.go b/internal/api/client/auth/authorize.go index d5f8ee214..f473579db 100644 --- a/internal/api/client/auth/authorize.go +++ b/internal/api/client/auth/authorize.go @@ -28,6 +28,7 @@ import ( "github.com/gin-gonic/gin" "github.com/sirupsen/logrus" "github.com/superseriousbusiness/gotosocial/internal/api/model" + "github.com/superseriousbusiness/gotosocial/internal/db" "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" ) @@ -60,7 +61,7 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) { app := >smodel.Application{ ClientID: clientID, } - if err := m.db.GetWhere("client_id", app.ClientID, app); err != nil { + if err := m.db.GetWhere([]db.Where{{Key: "client_id", Value: app.ClientID}}, app); err != nil { c.JSON(http.StatusInternalServerError, gin.H{"error": fmt.Sprintf("no application found for client id %s", clientID)}) return } diff --git a/internal/api/client/auth/middleware.go b/internal/api/client/auth/middleware.go index 2a63cbdb6..dba8e5a1d 100644 --- a/internal/api/client/auth/middleware.go +++ b/internal/api/client/auth/middleware.go @@ -20,6 +20,7 @@ package auth import ( "github.com/gin-gonic/gin" + "github.com/superseriousbusiness/gotosocial/internal/db" "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" "github.com/superseriousbusiness/gotosocial/internal/oauth" ) @@ -68,7 +69,7 @@ func (m *Module) OauthTokenMiddleware(c *gin.Context) { if cid := ti.GetClientID(); cid != "" { l.Tracef("authenticated client %s with bearer token, scope is %s", cid, ti.GetScope()) app := >smodel.Application{} - if err := m.db.GetWhere("client_id", cid, app); err != nil { + if err := m.db.GetWhere([]db.Where{{Key: "client_id",Value: cid}}, app); err != nil { l.Tracef("no app found for client %s", cid) } c.Set(oauth.SessionAuthorizedApplication, app) diff --git a/internal/api/client/auth/signin.go b/internal/api/client/auth/signin.go index 79d9b300e..e9385e39a 100644 --- a/internal/api/client/auth/signin.go +++ b/internal/api/client/auth/signin.go @@ -24,6 +24,7 @@ import ( "github.com/gin-contrib/sessions" "github.com/gin-gonic/gin" + "github.com/superseriousbusiness/gotosocial/internal/db" "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" "golang.org/x/crypto/bcrypt" ) @@ -87,7 +88,7 @@ func (m *Module) ValidatePassword(email string, password string) (userid string, // first we select the user from the database based on email address, bail if no user found for that email gtsUser := >smodel.User{} - if err := m.db.GetWhere("email", email, gtsUser); err != nil { + if err := m.db.GetWhere([]db.Where{{Key: "email", Value: email}}, gtsUser); err != nil { l.Debugf("user %s was not retrievable from db during oauth authorization attempt: %s", email, err) return incorrectPassword() } diff --git a/internal/api/client/followrequest/accept.go b/internal/api/client/followrequest/accept.go index 45dc1a2af..bb2910c8f 100644 --- a/internal/api/client/followrequest/accept.go +++ b/internal/api/client/followrequest/accept.go @@ -48,10 +48,11 @@ func (m *Module) FollowRequestAcceptPOSTHandler(c *gin.Context) { return } - if errWithCode := m.processor.FollowRequestAccept(authed, originAccountID); errWithCode != nil { + r, errWithCode := m.processor.FollowRequestAccept(authed, originAccountID) + if errWithCode != nil { l.Debug(errWithCode.Error()) c.JSON(errWithCode.Code(), gin.H{"error": errWithCode.Safe()}) return } - c.Status(http.StatusOK) + c.JSON(http.StatusOK, r) } diff --git a/internal/api/client/status/statuscreate_test.go b/internal/api/client/status/statuscreate_test.go index fb9b48f8a..a78374fe8 100644 --- a/internal/api/client/status/statuscreate_test.go +++ b/internal/api/client/status/statuscreate_test.go @@ -32,6 +32,7 @@ import ( "github.com/stretchr/testify/suite" "github.com/superseriousbusiness/gotosocial/internal/api/client/status" "github.com/superseriousbusiness/gotosocial/internal/api/model" + "github.com/superseriousbusiness/gotosocial/internal/db" "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" "github.com/superseriousbusiness/gotosocial/internal/oauth" "github.com/superseriousbusiness/gotosocial/testrig" @@ -118,7 +119,7 @@ func (suite *StatusCreateTestSuite) TestPostNewStatus() { }, statusReply.Tags[0]) gtsTag := >smodel.Tag{} - err = suite.db.GetWhere("name", "helloworld", gtsTag) + err = suite.db.GetWhere([]db.Where{{Key: "name", Value: "helloworld"}}, gtsTag) assert.NoError(suite.T(), err) assert.Equal(suite.T(), statusReply.Account.ID, gtsTag.FirstSeenFromAccountID) } diff --git a/internal/api/model/account.go b/internal/api/model/account.go index efb69d6fd..ba5ac567a 100644 --- a/internal/api/model/account.go +++ b/internal/api/model/account.go @@ -77,18 +77,18 @@ type Account struct { // See https://docs.joinmastodon.org/methods/accounts/ type AccountCreateRequest struct { // Text that will be reviewed by moderators if registrations require manual approval. - Reason string `form:"reason"` + Reason string `form:"reason" json:"reason" xml:"reason"` // The desired username for the account - Username string `form:"username" binding:"required"` + Username string `form:"username" json:"username" xml:"username" binding:"required"` // The email address to be used for login - Email string `form:"email" binding:"required"` + Email string `form:"email" json:"email" xml:"email" binding:"required"` // The password to be used for login - Password string `form:"password" binding:"required"` + Password string `form:"password" json:"password" xml:"password" binding:"required"` // Whether the user agrees to the local rules, terms, and policies. // These should be presented to the user in order to allow them to consent before setting this parameter to TRUE. - Agreement bool `form:"agreement" binding:"required"` + Agreement bool `form:"agreement" json:"agreement" xml:"agreement" binding:"required"` // The language of the confirmation email that will be sent - Locale string `form:"locale" binding:"required"` + Locale string `form:"locale" json:"locale" xml:"locale" binding:"required"` // The IP of the sign up request, will not be parsed from the form but must be added manually IP net.IP `form:"-"` } @@ -97,40 +97,51 @@ type AccountCreateRequest struct { // See https://docs.joinmastodon.org/methods/accounts/ type UpdateCredentialsRequest struct { // Whether the account should be shown in the profile directory. - Discoverable *bool `form:"discoverable"` + Discoverable *bool `form:"discoverable" json:"discoverable" xml:"discoverable"` // Whether the account has a bot flag. - Bot *bool `form:"bot"` + Bot *bool `form:"bot" json:"bot" xml:"bot"` // The display name to use for the profile. - DisplayName *string `form:"display_name"` + DisplayName *string `form:"display_name" json:"display_name" xml:"display_name"` // The account bio. - Note *string `form:"note"` + Note *string `form:"note" json:"note" xml:"note"` // Avatar image encoded using multipart/form-data - Avatar *multipart.FileHeader `form:"avatar"` + Avatar *multipart.FileHeader `form:"avatar" json:"avatar" xml:"avatar"` // Header image encoded using multipart/form-data - Header *multipart.FileHeader `form:"header"` + Header *multipart.FileHeader `form:"header" json:"header" xml:"header"` // Whether manual approval of follow requests is required. - Locked *bool `form:"locked"` + Locked *bool `form:"locked" json:"locked" xml:"locked"` // New Source values for this account - Source *UpdateSource `form:"source"` + Source *UpdateSource `form:"source" json:"source" xml:"source"` // Profile metadata name and value - FieldsAttributes *[]UpdateField `form:"fields_attributes"` + FieldsAttributes *[]UpdateField `form:"fields_attributes" json:"fields_attributes" xml:"fields_attributes"` } // UpdateSource is to be used specifically in an UpdateCredentialsRequest. type UpdateSource struct { // Default post privacy for authored statuses. - Privacy *string `form:"privacy"` + Privacy *string `form:"privacy" json:"privacy" xml:"privacy"` // Whether to mark authored statuses as sensitive by default. - Sensitive *bool `form:"sensitive"` + Sensitive *bool `form:"sensitive" json:"sensitive" xml:"sensitive"` // Default language to use for authored statuses. (ISO 6391) - Language *string `form:"language"` + Language *string `form:"language" json:"language" xml:"language"` } // UpdateField is to be used specifically in an UpdateCredentialsRequest. // By default, max 4 fields and 255 characters per property/value. type UpdateField struct { // Name of the field - Name *string `form:"name"` + Name *string `form:"name" json:"name" xml:"name"` // Value of the field - Value *string `form:"value"` + Value *string `form:"value" json:"value" xml:"value"` +} + +// AccountFollowRequest is for parsing requests at /api/v1/accounts/:id/follow +type AccountFollowRequest struct { + // ID of the account to follow request + // This should be a URL parameter not a form field + TargetAccountID string `form:"-"` + // Show reblogs for this account? + Reblogs *bool `form:"reblogs" json:"reblogs" xml:"reblogs"` + // Notify when this account posts? + Notify *bool `form:"notify" json:"notify" xml:"notify"` } diff --git a/internal/api/s2s/user/followers.go b/internal/api/s2s/user/followers.go new file mode 100644 index 000000000..0b633619f --- /dev/null +++ b/internal/api/s2s/user/followers.go @@ -0,0 +1,58 @@ +/* + GoToSocial + Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +package user + +import ( + "net/http" + + "github.com/gin-gonic/gin" + "github.com/sirupsen/logrus" +) + +func (m *Module) FollowersGETHandler(c *gin.Context) { + l := m.log.WithFields(logrus.Fields{ + "func": "FollowersGETHandler", + "url": c.Request.RequestURI, + }) + + requestedUsername := c.Param(UsernameKey) + if requestedUsername == "" { + c.JSON(http.StatusBadRequest, gin.H{"error": "no username specified in request"}) + return + } + + // make sure this actually an AP request + format := c.NegotiateFormat(ActivityPubAcceptHeaders...) + if format == "" { + c.JSON(http.StatusNotAcceptable, gin.H{"error": "could not negotiate format with given Accept header(s)"}) + return + } + l.Tracef("negotiated format: %s", format) + + // make a copy of the context to pass along so we don't break anything + cp := c.Copy() + user, err := m.processor.GetFediFollowers(requestedUsername, cp.Request) // GetFediUser handles auth as well + if err != nil { + l.Info(err.Error()) + c.JSON(err.Code(), gin.H{"error": err.Safe()}) + return + } + + c.JSON(http.StatusOK, user) +} diff --git a/internal/api/s2s/user/statusget.go b/internal/api/s2s/user/statusget.go new file mode 100644 index 000000000..60efd484e --- /dev/null +++ b/internal/api/s2s/user/statusget.go @@ -0,0 +1,46 @@ +package user + +import ( + "net/http" + + "github.com/gin-gonic/gin" + "github.com/sirupsen/logrus" +) + +func (m *Module) StatusGETHandler(c *gin.Context) { + l := m.log.WithFields(logrus.Fields{ + "func": "StatusGETHandler", + "url": c.Request.RequestURI, + }) + + requestedUsername := c.Param(UsernameKey) + if requestedUsername == "" { + c.JSON(http.StatusBadRequest, gin.H{"error": "no username specified in request"}) + return + } + + requestedStatusID := c.Param(StatusIDKey) + if requestedStatusID == "" { + c.JSON(http.StatusBadRequest, gin.H{"error": "no status id specified in request"}) + return + } + + // make sure this actually an AP request + format := c.NegotiateFormat(ActivityPubAcceptHeaders...) + if format == "" { + c.JSON(http.StatusNotAcceptable, gin.H{"error": "could not negotiate format with given Accept header(s)"}) + return + } + l.Tracef("negotiated format: %s", format) + + // make a copy of the context to pass along so we don't break anything + cp := c.Copy() + status, err := m.processor.GetFediStatus(requestedUsername, requestedStatusID, cp.Request) // handles auth as well + if err != nil { + l.Info(err.Error()) + c.JSON(err.Code(), gin.H{"error": err.Safe()}) + return + } + + c.JSON(http.StatusOK, status) +} diff --git a/internal/api/s2s/user/user.go b/internal/api/s2s/user/user.go index a6116247d..d866e47e1 100644 --- a/internal/api/s2s/user/user.go +++ b/internal/api/s2s/user/user.go @@ -32,6 +32,8 @@ import ( const ( // UsernameKey is for account usernames. UsernameKey = "username" + // StatusIDKey is for status IDs + StatusIDKey = "status" // UsersBasePath is the base path for serving information about Users eg https://example.org/users UsersBasePath = "/" + util.UsersPath // UsersBasePathWithUsername is just the users base path with the Username key in it. @@ -40,6 +42,10 @@ const ( UsersBasePathWithUsername = UsersBasePath + "/:" + UsernameKey // UsersInboxPath is for serving POST requests to a user's inbox with the given username key. UsersInboxPath = UsersBasePathWithUsername + "/" + util.InboxPath + // UsersFollowersPath is for serving GET request's to a user's followers list, with the given username key. + UsersFollowersPath = UsersBasePathWithUsername + "/" + util.FollowersPath + // UsersStatusPath is for serving GET requests to a particular status by a user, with the given username key and status ID + UsersStatusPath = UsersBasePathWithUsername + "/" + util.StatusesPath + "/:" + StatusIDKey ) // ActivityPubAcceptHeaders represents the Accept headers mentioned here: @@ -69,5 +75,7 @@ func New(config *config.Config, processor message.Processor, log *logrus.Logger) func (m *Module) Route(s router.Router) error { s.AttachHandler(http.MethodGet, UsersBasePathWithUsername, m.UsersGETHandler) s.AttachHandler(http.MethodPost, UsersInboxPath, m.InboxPOSTHandler) + s.AttachHandler(http.MethodGet, UsersFollowersPath, m.FollowersGETHandler) + s.AttachHandler(http.MethodGet, UsersStatusPath, m.StatusGETHandler) return nil } diff --git a/internal/api/security/security.go b/internal/api/security/security.go index eaae8471e..523b5dd55 100644 --- a/internal/api/security/security.go +++ b/internal/api/security/security.go @@ -43,5 +43,6 @@ func New(config *config.Config, log *logrus.Logger) api.ClientModule { func (m *Module) Route(s router.Router) error { s.AttachMiddleware(m.FlocBlock) s.AttachMiddleware(m.ExtraHeaders) + s.AttachMiddleware(m.UserAgentBlock) return nil } diff --git a/internal/api/security/useragentblock.go b/internal/api/security/useragentblock.go new file mode 100644 index 000000000..f7d3a4ffc --- /dev/null +++ b/internal/api/security/useragentblock.go @@ -0,0 +1,43 @@ +/* + GoToSocial + Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +package security + +import ( + "net/http" + "strings" + + "github.com/gin-gonic/gin" +) + +// UserAgentBlock is a middleware that prevents google chrome cohort tracking by +// writing the Permissions-Policy header after all other parts of the request have been completed. +// See: https://plausible.io/blog/google-floc +func (m *Module) UserAgentBlock(c *gin.Context) { + + ua := c.Request.UserAgent() + if ua == "" { + c.AbortWithStatus(http.StatusTeapot) + return + } + + if strings.Contains(strings.ToLower(c.Request.UserAgent()), strings.ToLower("friendica")) { + c.AbortWithStatus(http.StatusTeapot) + return + } +} |