summaryrefslogtreecommitdiff
path: root/internal/apimodule/account
diff options
context:
space:
mode:
Diffstat (limited to 'internal/apimodule/account')
-rw-r--r--internal/apimodule/account/account.go100
-rw-r--r--internal/apimodule/account/accountcreate.go155
-rw-r--r--internal/apimodule/account/accountcreate_test.go545
-rw-r--r--internal/apimodule/account/accountget.go57
-rw-r--r--internal/apimodule/account/accountupdate.go259
-rw-r--r--internal/apimodule/account/accountupdate_test.go298
-rw-r--r--internal/apimodule/account/accountverify.go50
-rw-r--r--internal/apimodule/account/accountverify_test.go19
8 files changed, 1483 insertions, 0 deletions
diff --git a/internal/apimodule/account/account.go b/internal/apimodule/account/account.go
new file mode 100644
index 000000000..2d9ddbb72
--- /dev/null
+++ b/internal/apimodule/account/account.go
@@ -0,0 +1,100 @@
+/*
+ GoToSocial
+ Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU Affero General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU Affero General Public License for more details.
+
+ You should have received a copy of the GNU Affero General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package account
+
+import (
+ "fmt"
+ "net/http"
+ "strings"
+
+ "github.com/gin-gonic/gin"
+ "github.com/sirupsen/logrus"
+ "github.com/superseriousbusiness/gotosocial/internal/apimodule"
+ "github.com/superseriousbusiness/gotosocial/internal/config"
+ "github.com/superseriousbusiness/gotosocial/internal/db"
+ "github.com/superseriousbusiness/gotosocial/internal/db/model"
+ "github.com/superseriousbusiness/gotosocial/internal/media"
+ "github.com/superseriousbusiness/gotosocial/internal/oauth"
+ "github.com/superseriousbusiness/gotosocial/internal/router"
+)
+
+const (
+ idKey = "id"
+ basePath = "/api/v1/accounts"
+ basePathWithID = basePath + "/:" + idKey
+ verifyPath = basePath + "/verify_credentials"
+ updateCredentialsPath = basePath + "/update_credentials"
+)
+
+type accountModule struct {
+ config *config.Config
+ db db.DB
+ oauthServer oauth.Server
+ mediaHandler media.MediaHandler
+ log *logrus.Logger
+}
+
+// New returns a new account module
+func New(config *config.Config, db db.DB, oauthServer oauth.Server, mediaHandler media.MediaHandler, log *logrus.Logger) apimodule.ClientAPIModule {
+ return &accountModule{
+ config: config,
+ db: db,
+ oauthServer: oauthServer,
+ mediaHandler: mediaHandler,
+ log: log,
+ }
+}
+
+// Route attaches all routes from this module to the given router
+func (m *accountModule) Route(r router.Router) error {
+ r.AttachHandler(http.MethodPost, basePath, m.accountCreatePOSTHandler)
+ r.AttachHandler(http.MethodGet, basePathWithID, m.muxHandler)
+ return nil
+}
+
+func (m *accountModule) CreateTables(db db.DB) error {
+ models := []interface{}{
+ &model.User{},
+ &model.Account{},
+ &model.Follow{},
+ &model.FollowRequest{},
+ &model.Status{},
+ &model.Application{},
+ &model.EmailDomainBlock{},
+ &model.MediaAttachment{},
+ }
+
+ for _, m := range models {
+ if err := db.CreateTable(m); err != nil {
+ return fmt.Errorf("error creating table: %s", err)
+ }
+ }
+ return nil
+}
+
+func (m *accountModule) muxHandler(c *gin.Context) {
+ ru := c.Request.RequestURI
+ if strings.HasPrefix(ru, verifyPath) {
+ m.accountVerifyGETHandler(c)
+ } else if strings.HasPrefix(ru, updateCredentialsPath) {
+ m.accountUpdateCredentialsPATCHHandler(c)
+ } else {
+ m.accountGETHandler(c)
+ }
+}
diff --git a/internal/apimodule/account/accountcreate.go b/internal/apimodule/account/accountcreate.go
new file mode 100644
index 000000000..58b98c0e4
--- /dev/null
+++ b/internal/apimodule/account/accountcreate.go
@@ -0,0 +1,155 @@
+/*
+ GoToSocial
+ Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU Affero General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU Affero General Public License for more details.
+
+ You should have received a copy of the GNU Affero General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package account
+
+import (
+ "errors"
+ "fmt"
+ "net"
+ "net/http"
+
+ "github.com/gin-gonic/gin"
+ "github.com/superseriousbusiness/gotosocial/internal/config"
+ "github.com/superseriousbusiness/gotosocial/internal/db"
+ "github.com/superseriousbusiness/gotosocial/internal/db/model"
+ "github.com/superseriousbusiness/gotosocial/internal/oauth"
+ "github.com/superseriousbusiness/gotosocial/internal/util"
+ "github.com/superseriousbusiness/gotosocial/pkg/mastotypes"
+ "github.com/superseriousbusiness/oauth2/v4"
+)
+
+// accountCreatePOSTHandler handles create account requests, validates them,
+// and puts them in the database if they're valid.
+// It should be served as a POST at /api/v1/accounts
+func (m *accountModule) accountCreatePOSTHandler(c *gin.Context) {
+ l := m.log.WithField("func", "accountCreatePOSTHandler")
+ authed, err := oauth.MustAuth(c, true, true, false, false)
+ if err != nil {
+ l.Debugf("couldn't auth: %s", err)
+ c.JSON(http.StatusForbidden, gin.H{"error": err.Error()})
+ return
+ }
+
+ l.Trace("parsing request form")
+ form := &mastotypes.AccountCreateRequest{}
+ if err := c.ShouldBind(form); err != nil || form == nil {
+ l.Debugf("could not parse form from request: %s", err)
+ c.JSON(http.StatusBadRequest, gin.H{"error": "missing one or more required form values"})
+ return
+ }
+
+ l.Tracef("validating form %+v", form)
+ if err := validateCreateAccount(form, m.config.AccountsConfig, m.db); err != nil {
+ l.Debugf("error validating form: %s", err)
+ c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+ return
+ }
+
+ clientIP := c.ClientIP()
+ l.Tracef("attempting to parse client ip address %s", clientIP)
+ signUpIP := net.ParseIP(clientIP)
+ if signUpIP == nil {
+ l.Debugf("error validating sign up ip address %s", clientIP)
+ c.JSON(http.StatusBadRequest, gin.H{"error": "ip address could not be parsed from request"})
+ return
+ }
+
+ ti, err := m.accountCreate(form, signUpIP, authed.Token, authed.Application)
+ if err != nil {
+ l.Errorf("internal server error while creating new account: %s", err)
+ c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+ return
+ }
+
+ c.JSON(http.StatusOK, ti)
+}
+
+// accountCreate does the dirty work of making an account and user in the database.
+// It then returns a token to the caller, for use with the new account, as per the
+// spec here: https://docs.joinmastodon.org/methods/accounts/
+func (m *accountModule) accountCreate(form *mastotypes.AccountCreateRequest, signUpIP net.IP, token oauth2.TokenInfo, app *model.Application) (*mastotypes.Token, error) {
+ l := m.log.WithField("func", "accountCreate")
+
+ // don't store a reason if we don't require one
+ reason := form.Reason
+ if !m.config.AccountsConfig.ReasonRequired {
+ reason = ""
+ }
+
+ l.Trace("creating new username and account")
+ user, err := m.db.NewSignup(form.Username, reason, m.config.AccountsConfig.RequireApproval, form.Email, form.Password, signUpIP, form.Locale, app.ID)
+ if err != nil {
+ return nil, fmt.Errorf("error creating new signup in the database: %s", err)
+ }
+
+ l.Tracef("generating a token for user %s with account %s and application %s", user.ID, user.AccountID, app.ID)
+ accessToken, err := m.oauthServer.GenerateUserAccessToken(token, app.ClientSecret, user.ID)
+ if err != nil {
+ return nil, fmt.Errorf("error creating new access token for user %s: %s", user.ID, err)
+ }
+
+ return &mastotypes.Token{
+ AccessToken: accessToken.GetAccess(),
+ TokenType: "Bearer",
+ Scope: accessToken.GetScope(),
+ CreatedAt: accessToken.GetAccessCreateAt().Unix(),
+ }, nil
+}
+
+// validateCreateAccount checks through all the necessary prerequisites for creating a new account,
+// according to the provided account create request. If the account isn't eligible, an error will be returned.
+func validateCreateAccount(form *mastotypes.AccountCreateRequest, c *config.AccountsConfig, database db.DB) error {
+ if !c.OpenRegistration {
+ return errors.New("registration is not open for this server")
+ }
+
+ if err := util.ValidateUsername(form.Username); err != nil {
+ return err
+ }
+
+ if err := util.ValidateEmail(form.Email); err != nil {
+ return err
+ }
+
+ if err := util.ValidateNewPassword(form.Password); err != nil {
+ return err
+ }
+
+ if !form.Agreement {
+ return errors.New("agreement to terms and conditions not given")
+ }
+
+ if err := util.ValidateLanguage(form.Locale); err != nil {
+ return err
+ }
+
+ if err := util.ValidateSignUpReason(form.Reason, c.ReasonRequired); err != nil {
+ return err
+ }
+
+ if err := database.IsEmailAvailable(form.Email); err != nil {
+ return err
+ }
+
+ if err := database.IsUsernameAvailable(form.Username); err != nil {
+ return err
+ }
+
+ return nil
+}
diff --git a/internal/apimodule/account/accountcreate_test.go b/internal/apimodule/account/accountcreate_test.go
new file mode 100644
index 000000000..d14ae3852
--- /dev/null
+++ b/internal/apimodule/account/accountcreate_test.go
@@ -0,0 +1,545 @@
+/*
+ GoToSocial
+ Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU Affero General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU Affero General Public License for more details.
+
+ You should have received a copy of the GNU Affero General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package account
+
+import (
+ "bytes"
+ "context"
+ "encoding/json"
+ "fmt"
+ "io"
+ "io/ioutil"
+ "mime/multipart"
+ "net/http"
+ "net/http/httptest"
+ "net/url"
+ "os"
+ "testing"
+ "time"
+
+ "github.com/gin-gonic/gin"
+ "github.com/google/uuid"
+ "github.com/sirupsen/logrus"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/mock"
+ "github.com/stretchr/testify/suite"
+ "github.com/superseriousbusiness/gotosocial/internal/config"
+ "github.com/superseriousbusiness/gotosocial/internal/db"
+ "github.com/superseriousbusiness/gotosocial/internal/db/model"
+ "github.com/superseriousbusiness/gotosocial/internal/media"
+ "github.com/superseriousbusiness/gotosocial/internal/oauth"
+ "github.com/superseriousbusiness/gotosocial/internal/storage"
+ "github.com/superseriousbusiness/gotosocial/pkg/mastotypes"
+ "github.com/superseriousbusiness/oauth2/v4"
+ "github.com/superseriousbusiness/oauth2/v4/models"
+ oauthmodels "github.com/superseriousbusiness/oauth2/v4/models"
+ "golang.org/x/crypto/bcrypt"
+)
+
+type AccountCreateTestSuite struct {
+ suite.Suite
+ config *config.Config
+ log *logrus.Logger
+ testAccountLocal *model.Account
+ testApplication *model.Application
+ testToken oauth2.TokenInfo
+ mockOauthServer *oauth.MockServer
+ mockStorage *storage.MockStorage
+ mediaHandler media.MediaHandler
+ db db.DB
+ accountModule *accountModule
+ newUserFormHappyPath url.Values
+}
+
+/*
+ TEST INFRASTRUCTURE
+*/
+
+// SetupSuite sets some variables on the suite that we can use as consts (more or less) throughout
+func (suite *AccountCreateTestSuite) SetupSuite() {
+ // some of our subsequent entities need a log so create this here
+ log := logrus.New()
+ log.SetLevel(logrus.TraceLevel)
+ suite.log = log
+
+ suite.testAccountLocal = &model.Account{
+ ID: uuid.NewString(),
+ Username: "test_user",
+ }
+
+ // can use this test application throughout
+ suite.testApplication = &model.Application{
+ ID: "weeweeeeeeeeeeeeee",
+ Name: "a test application",
+ Website: "https://some-application-website.com",
+ RedirectURI: "http://localhost:8080",
+ ClientID: "a-known-client-id",
+ ClientSecret: "some-secret",
+ Scopes: "read",
+ VapidKey: "aaaaaa-aaaaaaaa-aaaaaaaaaaa",
+ }
+
+ // can use this test token throughout
+ suite.testToken = &oauthmodels.Token{
+ ClientID: "a-known-client-id",
+ RedirectURI: "http://localhost:8080",
+ Scope: "read",
+ Code: "123456789",
+ CodeCreateAt: time.Now(),
+ CodeExpiresIn: time.Duration(10 * time.Minute),
+ }
+
+ // Direct config to local postgres instance
+ c := config.Empty()
+ c.Protocol = "http"
+ c.Host = "localhost"
+ c.DBConfig = &config.DBConfig{
+ Type: "postgres",
+ Address: "localhost",
+ Port: 5432,
+ User: "postgres",
+ Password: "postgres",
+ Database: "postgres",
+ ApplicationName: "gotosocial",
+ }
+ c.MediaConfig = &config.MediaConfig{
+ MaxImageSize: 2 << 20,
+ }
+ c.StorageConfig = &config.StorageConfig{
+ Backend: "local",
+ BasePath: "/tmp",
+ ServeProtocol: "http",
+ ServeHost: "localhost",
+ ServeBasePath: "/fileserver/media",
+ }
+ suite.config = c
+
+ // use an actual database for this, because it's just easier than mocking one out
+ database, err := db.New(context.Background(), c, log)
+ if err != nil {
+ suite.FailNow(err.Error())
+ }
+ suite.db = database
+
+ // we need to mock the oauth server because account creation needs it to create a new token
+ suite.mockOauthServer = &oauth.MockServer{}
+ suite.mockOauthServer.On("GenerateUserAccessToken", suite.testToken, suite.testApplication.ClientSecret, mock.AnythingOfType("string")).Run(func(args mock.Arguments) {
+ l := suite.log.WithField("func", "GenerateUserAccessToken")
+ token := args.Get(0).(oauth2.TokenInfo)
+ l.Infof("received token %+v", token)
+ clientSecret := args.Get(1).(string)
+ l.Infof("received clientSecret %+v", clientSecret)
+ userID := args.Get(2).(string)
+ l.Infof("received userID %+v", userID)
+ }).Return(&models.Token{
+ Code: "we're authorized now!",
+ }, nil)
+
+ suite.mockStorage = &storage.MockStorage{}
+ // We don't need storage to do anything for these tests, so just simulate a success and do nothing -- we won't need to return anything from storage
+ suite.mockStorage.On("StoreFileAt", mock.AnythingOfType("string"), mock.AnythingOfType("[]uint8")).Return(nil)
+
+ // set a media handler because some handlers (eg update credentials) need to upload media (new header/avatar)
+ suite.mediaHandler = media.New(suite.config, suite.db, suite.mockStorage, log)
+
+ // and finally here's the thing we're actually testing!
+ suite.accountModule = New(suite.config, suite.db, suite.mockOauthServer, suite.mediaHandler, suite.log).(*accountModule)
+}
+
+func (suite *AccountCreateTestSuite) TearDownSuite() {
+ if err := suite.db.Stop(context.Background()); err != nil {
+ logrus.Panicf("error closing db connection: %s", err)
+ }
+}
+
+// SetupTest creates a db connection and creates necessary tables before each test
+func (suite *AccountCreateTestSuite) SetupTest() {
+ // create all the tables we might need in thie suite
+ models := []interface{}{
+ &model.User{},
+ &model.Account{},
+ &model.Follow{},
+ &model.FollowRequest{},
+ &model.Status{},
+ &model.Application{},
+ &model.EmailDomainBlock{},
+ &model.MediaAttachment{},
+ }
+ for _, m := range models {
+ if err := suite.db.CreateTable(m); err != nil {
+ logrus.Panicf("db connection error: %s", err)
+ }
+ }
+
+ // form to submit for happy path account create requests -- this will be changed inside tests so it's better to set it before each test
+ suite.newUserFormHappyPath = url.Values{
+ "reason": []string{"a very good reason that's at least 40 characters i swear"},
+ "username": []string{"test_user"},
+ "email": []string{"user@example.org"},
+ "password": []string{"very-strong-password"},
+ "agreement": []string{"true"},
+ "locale": []string{"en"},
+ }
+
+ // same with accounts config
+ suite.config.AccountsConfig = &config.AccountsConfig{
+ OpenRegistration: true,
+ RequireApproval: true,
+ ReasonRequired: true,
+ }
+}
+
+// TearDownTest drops tables to make sure there's no data in the db
+func (suite *AccountCreateTestSuite) TearDownTest() {
+
+ // remove all the tables we might have used so it's clear for the next test
+ models := []interface{}{
+ &model.User{},
+ &model.Account{},
+ &model.Follow{},
+ &model.FollowRequest{},
+ &model.Status{},
+ &model.Application{},
+ &model.EmailDomainBlock{},
+ &model.MediaAttachment{},
+ }
+ for _, m := range models {
+ if err := suite.db.DropTable(m); err != nil {
+ logrus.Panicf("error dropping table: %s", err)
+ }
+ }
+}
+
+/*
+ ACTUAL TESTS
+*/
+
+/*
+ TESTING: AccountCreatePOSTHandler
+*/
+
+// TestAccountCreatePOSTHandlerSuccessful checks the happy path for an account creation request: all the fields provided are valid,
+// and at the end of it a new user and account should be added into the database.
+//
+// This is the handler served at /api/v1/accounts as POST
+func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerSuccessful() {
+
+ // setup
+ recorder := httptest.NewRecorder()
+ ctx, _ := gin.CreateTestContext(recorder)
+ ctx.Set(oauth.SessionAuthorizedApplication, suite.testApplication)
+ ctx.Set(oauth.SessionAuthorizedToken, suite.testToken)
+ ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", basePath), nil) // the endpoint we're hitting
+ ctx.Request.Form = suite.newUserFormHappyPath
+ suite.accountModule.accountCreatePOSTHandler(ctx)
+
+ // check response
+
+ // 1. we should have OK from our call to the function
+ suite.EqualValues(http.StatusOK, recorder.Code)
+
+ // 2. we should have a token in the result body
+ result := recorder.Result()
+ defer result.Body.Close()
+ b, err := ioutil.ReadAll(result.Body)
+ assert.NoError(suite.T(), err)
+ t := &mastotypes.Token{}
+ err = json.Unmarshal(b, t)
+ assert.NoError(suite.T(), err)
+ assert.Equal(suite.T(), "we're authorized now!", t.AccessToken)
+
+ // check new account
+
+ // 1. we should be able to get the new account from the db
+ acct := &model.Account{}
+ err = suite.db.GetWhere("username", "test_user", acct)
+ assert.NoError(suite.T(), err)
+ assert.NotNil(suite.T(), acct)
+ // 2. reason should be set
+ assert.Equal(suite.T(), suite.newUserFormHappyPath.Get("reason"), acct.Reason)
+ // 3. display name should be equal to username by default
+ assert.Equal(suite.T(), suite.newUserFormHappyPath.Get("username"), acct.DisplayName)
+ // 4. domain should be nil because this is a local account
+ assert.Nil(suite.T(), nil, acct.Domain)
+ // 5. id should be set and parseable as a uuid
+ assert.NotNil(suite.T(), acct.ID)
+ _, err = uuid.Parse(acct.ID)
+ assert.Nil(suite.T(), err)
+ // 6. private and public key should be set
+ assert.NotNil(suite.T(), acct.PrivateKey)
+ assert.NotNil(suite.T(), acct.PublicKey)
+
+ // check new user
+
+ // 1. we should be able to get the new user from the db
+ usr := &model.User{}
+ err = suite.db.GetWhere("unconfirmed_email", suite.newUserFormHappyPath.Get("email"), usr)
+ assert.Nil(suite.T(), err)
+ assert.NotNil(suite.T(), usr)
+
+ // 2. user should have account id set to account we got above
+ assert.Equal(suite.T(), acct.ID, usr.AccountID)
+
+ // 3. id should be set and parseable as a uuid
+ assert.NotNil(suite.T(), usr.ID)
+ _, err = uuid.Parse(usr.ID)
+ assert.Nil(suite.T(), err)
+
+ // 4. locale should be equal to what we requested
+ assert.Equal(suite.T(), suite.newUserFormHappyPath.Get("locale"), usr.Locale)
+
+ // 5. created by application id should be equal to the app id
+ assert.Equal(suite.T(), suite.testApplication.ID, usr.CreatedByApplicationID)
+
+ // 6. password should be matcheable to what we set above
+ err = bcrypt.CompareHashAndPassword([]byte(usr.EncryptedPassword), []byte(suite.newUserFormHappyPath.Get("password")))
+ assert.Nil(suite.T(), err)
+}
+
+// TestAccountCreatePOSTHandlerNoAuth makes sure that the handler fails when no authorization is provided:
+// only registered applications can create accounts, and we don't provide one here.
+func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerNoAuth() {
+
+ // setup
+ recorder := httptest.NewRecorder()
+ ctx, _ := gin.CreateTestContext(recorder)
+ ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", basePath), nil) // the endpoint we're hitting
+ ctx.Request.Form = suite.newUserFormHappyPath
+ suite.accountModule.accountCreatePOSTHandler(ctx)
+
+ // check response
+
+ // 1. we should have forbidden from our call to the function because we didn't auth
+ suite.EqualValues(http.StatusForbidden, recorder.Code)
+
+ // 2. we should have an error message in the result body
+ result := recorder.Result()
+ defer result.Body.Close()
+ b, err := ioutil.ReadAll(result.Body)
+ assert.NoError(suite.T(), err)
+ assert.Equal(suite.T(), `{"error":"not authorized"}`, string(b))
+}
+
+// TestAccountCreatePOSTHandlerNoAuth makes sure that the handler fails when no form is provided at all.
+func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerNoForm() {
+
+ // setup
+ recorder := httptest.NewRecorder()
+ ctx, _ := gin.CreateTestContext(recorder)
+ ctx.Set(oauth.SessionAuthorizedApplication, suite.testApplication)
+ ctx.Set(oauth.SessionAuthorizedToken, suite.testToken)
+ ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", basePath), nil) // the endpoint we're hitting
+ suite.accountModule.accountCreatePOSTHandler(ctx)
+
+ // check response
+ suite.EqualValues(http.StatusBadRequest, recorder.Code)
+
+ // 2. we should have an error message in the result body
+ result := recorder.Result()
+ defer result.Body.Close()
+ b, err := ioutil.ReadAll(result.Body)
+ assert.NoError(suite.T(), err)
+ assert.Equal(suite.T(), `{"error":"missing one or more required form values"}`, string(b))
+}
+
+// TestAccountCreatePOSTHandlerWeakPassword makes sure that the handler fails when a weak password is provided
+func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerWeakPassword() {
+
+ // setup
+ recorder := httptest.NewRecorder()
+ ctx, _ := gin.CreateTestContext(recorder)
+ ctx.Set(oauth.SessionAuthorizedApplication, suite.testApplication)
+ ctx.Set(oauth.SessionAuthorizedToken, suite.testToken)
+ ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", basePath), nil) // the endpoint we're hitting
+ ctx.Request.Form = suite.newUserFormHappyPath
+ // set a weak password
+ ctx.Request.Form.Set("password", "weak")
+ suite.accountModule.accountCreatePOSTHandler(ctx)
+
+ // check response
+ suite.EqualValues(http.StatusBadRequest, recorder.Code)
+
+ // 2. we should have an error message in the result body
+ result := recorder.Result()
+ defer result.Body.Close()
+ b, err := ioutil.ReadAll(result.Body)
+ assert.NoError(suite.T(), err)
+ assert.Equal(suite.T(), `{"error":"insecure password, try including more special characters, using uppercase letters, using numbers or using a longer password"}`, string(b))
+}
+
+// TestAccountCreatePOSTHandlerWeirdLocale makes sure that the handler fails when a weird locale is provided
+func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerWeirdLocale() {
+
+ // setup
+ recorder := httptest.NewRecorder()
+ ctx, _ := gin.CreateTestContext(recorder)
+ ctx.Set(oauth.SessionAuthorizedApplication, suite.testApplication)
+ ctx.Set(oauth.SessionAuthorizedToken, suite.testToken)
+ ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", basePath), nil) // the endpoint we're hitting
+ ctx.Request.Form = suite.newUserFormHappyPath
+ // set an invalid locale
+ ctx.Request.Form.Set("locale", "neverneverland")
+ suite.accountModule.accountCreatePOSTHandler(ctx)
+
+ // check response
+ suite.EqualValues(http.StatusBadRequest, recorder.Code)
+
+ // 2. we should have an error message in the result body
+ result := recorder.Result()
+ defer result.Body.Close()
+ b, err := ioutil.ReadAll(result.Body)
+ assert.NoError(suite.T(), err)
+ assert.Equal(suite.T(), `{"error":"language: tag is not well-formed"}`, string(b))
+}
+
+// TestAccountCreatePOSTHandlerRegistrationsClosed makes sure that the handler fails when registrations are closed
+func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerRegistrationsClosed() {
+
+ // setup
+ recorder := httptest.NewRecorder()
+ ctx, _ := gin.CreateTestContext(recorder)
+ ctx.Set(oauth.SessionAuthorizedApplication, suite.testApplication)
+ ctx.Set(oauth.SessionAuthorizedToken, suite.testToken)
+ ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", basePath), nil) // the endpoint we're hitting
+ ctx.Request.Form = suite.newUserFormHappyPath
+
+ // close registrations
+ suite.config.AccountsConfig.OpenRegistration = false
+ suite.accountModule.accountCreatePOSTHandler(ctx)
+
+ // check response
+ suite.EqualValues(http.StatusBadRequest, recorder.Code)
+
+ // 2. we should have an error message in the result body
+ result := recorder.Result()
+ defer result.Body.Close()
+ b, err := ioutil.ReadAll(result.Body)
+ assert.NoError(suite.T(), err)
+ assert.Equal(suite.T(), `{"error":"registration is not open for this server"}`, string(b))
+}
+
+// TestAccountCreatePOSTHandlerReasonNotProvided makes sure that the handler fails when no reason is provided but one is required
+func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerReasonNotProvided() {
+
+ // setup
+ recorder := httptest.NewRecorder()
+ ctx, _ := gin.CreateTestContext(recorder)
+ ctx.Set(oauth.SessionAuthorizedApplication, suite.testApplication)
+ ctx.Set(oauth.SessionAuthorizedToken, suite.testToken)
+ ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", basePath), nil) // the endpoint we're hitting
+ ctx.Request.Form = suite.newUserFormHappyPath
+
+ // remove reason
+ ctx.Request.Form.Set("reason", "")
+
+ suite.accountModule.accountCreatePOSTHandler(ctx)
+
+ // check response
+ suite.EqualValues(http.StatusBadRequest, recorder.Code)
+
+ // 2. we should have an error message in the result body
+ result := recorder.Result()
+ defer result.Body.Close()
+ b, err := ioutil.ReadAll(result.Body)
+ assert.NoError(suite.T(), err)
+ assert.Equal(suite.T(), `{"error":"no reason provided"}`, string(b))
+}
+
+// TestAccountCreatePOSTHandlerReasonNotProvided makes sure that the handler fails when a crappy reason is presented but a good one is required
+func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerInsufficientReason() {
+
+ // setup
+ recorder := httptest.NewRecorder()
+ ctx, _ := gin.CreateTestContext(recorder)
+ ctx.Set(oauth.SessionAuthorizedApplication, suite.testApplication)
+ ctx.Set(oauth.SessionAuthorizedToken, suite.testToken)
+ ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", basePath), nil) // the endpoint we're hitting
+ ctx.Request.Form = suite.newUserFormHappyPath
+
+ // remove reason
+ ctx.Request.Form.Set("reason", "just cuz")
+
+ suite.accountModule.accountCreatePOSTHandler(ctx)
+
+ // check response
+ suite.EqualValues(http.StatusBadRequest, recorder.Code)
+
+ // 2. we should have an error message in the result body
+ result := recorder.Result()
+ defer result.Body.Close()
+ b, err := ioutil.ReadAll(result.Body)
+ assert.NoError(suite.T(), err)
+ assert.Equal(suite.T(), `{"error":"reason should be at least 40 chars but 'just cuz' was 8"}`, string(b))
+}
+
+/*
+ TESTING: AccountUpdateCredentialsPATCHHandler
+*/
+
+func (suite *AccountCreateTestSuite) TestAccountUpdateCredentialsPATCHHandler() {
+
+ // put test local account in db
+ err := suite.db.Put(suite.testAccountLocal)
+ assert.NoError(suite.T(), err)
+
+ // attach avatar to request
+ aviFile, err := os.Open("../../media/test/test-jpeg.jpg")
+ assert.NoError(suite.T(), err)
+ body := &bytes.Buffer{}
+ writer := multipart.NewWriter(body)
+
+ part, err := writer.CreateFormFile("avatar", "test-jpeg.jpg")
+ assert.NoError(suite.T(), err)
+
+ _, err = io.Copy(part, aviFile)
+ assert.NoError(suite.T(), err)
+
+ err = aviFile.Close()
+ assert.NoError(suite.T(), err)
+
+ err = writer.Close()
+ assert.NoError(suite.T(), err)
+
+ // setup
+ recorder := httptest.NewRecorder()
+ ctx, _ := gin.CreateTestContext(recorder)
+ ctx.Set(oauth.SessionAuthorizedAccount, suite.testAccountLocal)
+ ctx.Set(oauth.SessionAuthorizedToken, suite.testToken)
+ ctx.Request = httptest.NewRequest(http.MethodPatch, fmt.Sprintf("http://localhost:8080/%s", updateCredentialsPath), body) // the endpoint we're hitting
+ ctx.Request.Header.Set("Content-Type", writer.FormDataContentType())
+ suite.accountModule.accountUpdateCredentialsPATCHHandler(ctx)
+
+ // check response
+
+ // 1. we should have OK because our request was valid
+ suite.EqualValues(http.StatusOK, recorder.Code)
+
+ // 2. we should have an error message in the result body
+ result := recorder.Result()
+ defer result.Body.Close()
+ // TODO: implement proper checks here
+ //
+ // b, err := ioutil.ReadAll(result.Body)
+ // assert.NoError(suite.T(), err)
+ // assert.Equal(suite.T(), `{"error":"not authorized"}`, string(b))
+}
+
+func TestAccountCreateTestSuite(t *testing.T) {
+ suite.Run(t, new(AccountCreateTestSuite))
+}
diff --git a/internal/apimodule/account/accountget.go b/internal/apimodule/account/accountget.go
new file mode 100644
index 000000000..5ee93386d
--- /dev/null
+++ b/internal/apimodule/account/accountget.go
@@ -0,0 +1,57 @@
+/*
+ GoToSocial
+ Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU Affero General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU Affero General Public License for more details.
+
+ You should have received a copy of the GNU Affero General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package account
+
+import (
+ "net/http"
+
+ "github.com/gin-gonic/gin"
+ "github.com/superseriousbusiness/gotosocial/internal/db"
+ "github.com/superseriousbusiness/gotosocial/internal/db/model"
+)
+
+// accountGetHandler serves the account information held by the server in response to a GET
+// request. It should be served as a GET at /api/v1/accounts/:id.
+//
+// See: https://docs.joinmastodon.org/methods/accounts/
+func (m *accountModule) accountGETHandler(c *gin.Context) {
+ targetAcctID := c.Param(idKey)
+ if targetAcctID == "" {
+ c.JSON(http.StatusBadRequest, gin.H{"error": "no account id specified"})
+ return
+ }
+
+ targetAccount := &model.Account{}
+ if err := m.db.GetByID(targetAcctID, targetAccount); err != nil {
+ if _, ok := err.(db.ErrNoEntries); ok {
+ c.JSON(http.StatusNotFound, gin.H{"error": "Record not found"})
+ return
+ }
+ c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+ return
+ }
+
+ acctInfo, err := m.db.AccountToMastoPublic(targetAccount)
+ if err != nil {
+ c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+ return
+ }
+
+ c.JSON(http.StatusOK, acctInfo)
+}
diff --git a/internal/apimodule/account/accountupdate.go b/internal/apimodule/account/accountupdate.go
new file mode 100644
index 000000000..6686d3a50
--- /dev/null
+++ b/internal/apimodule/account/accountupdate.go
@@ -0,0 +1,259 @@
+/*
+ GoToSocial
+ Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU Affero General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU Affero General Public License for more details.
+
+ You should have received a copy of the GNU Affero General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package account
+
+import (
+ "bytes"
+ "errors"
+ "fmt"
+ "io"
+ "mime/multipart"
+ "net/http"
+
+ "github.com/gin-gonic/gin"
+ "github.com/superseriousbusiness/gotosocial/internal/db/model"
+ "github.com/superseriousbusiness/gotosocial/internal/oauth"
+ "github.com/superseriousbusiness/gotosocial/internal/util"
+ "github.com/superseriousbusiness/gotosocial/pkg/mastotypes"
+)
+
+// accountUpdateCredentialsPATCHHandler allows a user to modify their account/profile settings.
+// It should be served as a PATCH at /api/v1/accounts/update_credentials
+//
+// TODO: this can be optimized massively by building up a picture of what we want the new account
+// details to be, and then inserting it all in the database at once. As it is, we do queries one-by-one
+// which is not gonna make the database very happy when lots of requests are going through.
+// This way it would also be safer because the update won't happen until *all* the fields are validated.
+// Otherwise we risk doing a partial update and that's gonna cause probllleeemmmsss.
+func (m *accountModule) accountUpdateCredentialsPATCHHandler(c *gin.Context) {
+ l := m.log.WithField("func", "accountUpdateCredentialsPATCHHandler")
+ authed, err := oauth.MustAuth(c, true, false, false, true)
+ if err != nil {
+ l.Debugf("couldn't auth: %s", err)
+ c.JSON(http.StatusForbidden, gin.H{"error": err.Error()})
+ return
+ }
+ l.Tracef("retrieved account %+v", authed.Account.ID)
+
+ l.Trace("parsing request form")
+ form := &mastotypes.UpdateCredentialsRequest{}
+ if err := c.ShouldBind(form); err != nil || form == nil {
+ l.Debugf("could not parse form from request: %s", err)
+ c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+ return
+ }
+
+ // if everything on the form is nil, then nothing has been set and we shouldn't continue
+ if form.Discoverable == nil && form.Bot == nil && form.DisplayName == nil && form.Note == nil && form.Avatar == nil && form.Header == nil && form.Locked == nil && form.Source == nil && form.FieldsAttributes == nil {
+ l.Debugf("could not parse form from request")
+ c.JSON(http.StatusBadRequest, gin.H{"error": "empty form submitted"})
+ return
+ }
+
+ if form.Discoverable != nil {
+ if err := m.db.UpdateOneByID(authed.Account.ID, "discoverable", *form.Discoverable, &model.Account{}); err != nil {
+ l.Debugf("error updating discoverable: %s", err)
+ c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+ return
+ }
+ }
+
+ if form.Bot != nil {
+ if err := m.db.UpdateOneByID(authed.Account.ID, "bot", *form.Bot, &model.Account{}); err != nil {
+ l.Debugf("error updating bot: %s", err)
+ c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+ return
+ }
+ }
+
+ if form.DisplayName != nil {
+ if err := util.ValidateDisplayName(*form.DisplayName); err != nil {
+ c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+ return
+ }
+ if err := m.db.UpdateOneByID(authed.Account.ID, "display_name", *form.DisplayName, &model.Account{}); err != nil {
+ c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+ return
+ }
+ }
+
+ if form.Note != nil {
+ if err := util.ValidateNote(*form.Note); err != nil {
+ c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+ return
+ }
+ if err := m.db.UpdateOneByID(authed.Account.ID, "note", *form.Note, &model.Account{}); err != nil {
+ l.Debugf("error updating note: %s", err)
+ c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+ return
+ }
+ }
+
+ if form.Avatar != nil && form.Avatar.Size != 0 {
+ avatarInfo, err := m.UpdateAccountAvatar(form.Avatar, authed.Account.ID)
+ if err != nil {
+ l.Debugf("could not update avatar for account %s: %s", authed.Account.ID, err)
+ c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+ return
+ }
+ l.Tracef("new avatar info for account %s is %+v", authed.Account.ID, avatarInfo)
+ }
+
+ if form.Header != nil && form.Header.Size != 0 {
+ headerInfo, err := m.UpdateAccountHeader(form.Header, authed.Account.ID)
+ if err != nil {
+ l.Debugf("could not update header for account %s: %s", authed.Account.ID, err)
+ c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+ return
+ }
+ l.Tracef("new header info for account %s is %+v", authed.Account.ID, headerInfo)
+ }
+
+ if form.Locked != nil {
+ if err := m.db.UpdateOneByID(authed.Account.ID, "locked", *form.Locked, &model.Account{}); err != nil {
+ c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+ return
+ }
+ }
+
+ if form.Source != nil {
+ if form.Source.Language != nil {
+ if err := util.ValidateLanguage(*form.Source.Language); err != nil {
+ c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+ return
+ }
+ if err := m.db.UpdateOneByID(authed.Account.ID, "language", *form.Source.Language, &model.Account{}); err != nil {
+ c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+ return
+ }
+ }
+
+ if form.Source.Sensitive != nil {
+ if err := m.db.UpdateOneByID(authed.Account.ID, "locked", *form.Locked, &model.Account{}); err != nil {
+ c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+ return
+ }
+ }
+
+ if form.Source.Privacy != nil {
+ if err := util.ValidatePrivacy(*form.Source.Privacy); err != nil {
+ c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+ return
+ }
+ if err := m.db.UpdateOneByID(authed.Account.ID, "privacy", *form.Source.Privacy, &model.Account{}); err != nil {
+ c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+ return
+ }
+ }
+ }
+
+ // if form.FieldsAttributes != nil {
+ // // TODO: parse fields attributes nicely and update
+ // }
+
+ // fetch the account with all updated values set
+ updatedAccount := &model.Account{}
+ if err := m.db.GetByID(authed.Account.ID, updatedAccount); err != nil {
+ l.Debugf("could not fetch updated account %s: %s", authed.Account.ID, err)
+ c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+ return
+ }
+
+ acctSensitive, err := m.db.AccountToMastoSensitive(updatedAccount)
+ if err != nil {
+ l.Tracef("could not convert account into mastosensitive account: %s", err)
+ c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+ return
+ }
+
+ l.Tracef("conversion successful, returning OK and mastosensitive account %+v", acctSensitive)
+ c.JSON(http.StatusOK, acctSensitive)
+}
+
+/*
+ HELPER FUNCTIONS
+*/
+
+// TODO: try to combine the below two functions because this is a lot of code repetition.
+
+// UpdateAccountAvatar does the dirty work of checking the avatar part of an account update form,
+// parsing and checking the image, and doing the necessary updates in the database for this to become
+// the account's new avatar image.
+func (m *accountModule) UpdateAccountAvatar(avatar *multipart.FileHeader, accountID string) (*model.MediaAttachment, error) {
+ var err error
+ if int(avatar.Size) > m.config.MediaConfig.MaxImageSize {
+ err = fmt.Errorf("avatar with size %d exceeded max image size of %d bytes", avatar.Size, m.config.MediaConfig.MaxImageSize)
+ return nil, err
+ }
+ f, err := avatar.Open()
+ if err != nil {
+ return nil, fmt.Errorf("could not read provided avatar: %s", err)
+ }
+
+ // extract the bytes
+ buf := new(bytes.Buffer)
+ size, err := io.Copy(buf, f)
+ if err != nil {
+ return nil, fmt.Errorf("could not read provided avatar: %s", err)
+ }
+ if size == 0 {
+ return nil, errors.New("could not read provided avatar: size 0 bytes")
+ }
+
+ // do the setting
+ avatarInfo, err := m.mediaHandler.SetHeaderOrAvatarForAccountID(buf.Bytes(), accountID, "avatar")
+ if err != nil {
+ return nil, fmt.Errorf("error processing avatar: %s", err)
+ }
+
+ return avatarInfo, f.Close()
+}
+
+// UpdateAccountHeader does the dirty work of checking the header part of an account update form,
+// parsing and checking the image, and doing the necessary updates in the database for this to become
+// the account's new header image.
+func (m *accountModule) UpdateAccountHeader(header *multipart.FileHeader, accountID string) (*model.MediaAttachment, error) {
+ var err error
+ if int(header.Size) > m.config.MediaConfig.MaxImageSize {
+ err = fmt.Errorf("header with size %d exceeded max image size of %d bytes", header.Size, m.config.MediaConfig.MaxImageSize)
+ return nil, err
+ }
+ f, err := header.Open()
+ if err != nil {
+ return nil, fmt.Errorf("could not read provided header: %s", err)
+ }
+
+ // extract the bytes
+ buf := new(bytes.Buffer)
+ size, err := io.Copy(buf, f)
+ if err != nil {
+ return nil, fmt.Errorf("could not read provided header: %s", err)
+ }
+ if size == 0 {
+ return nil, errors.New("could not read provided header: size 0 bytes")
+ }
+
+ // do the setting
+ headerInfo, err := m.mediaHandler.SetHeaderOrAvatarForAccountID(buf.Bytes(), accountID, "header")
+ if err != nil {
+ return nil, fmt.Errorf("error processing header: %s", err)
+ }
+
+ return headerInfo, f.Close()
+}
diff --git a/internal/apimodule/account/accountupdate_test.go b/internal/apimodule/account/accountupdate_test.go
new file mode 100644
index 000000000..651b4d29d
--- /dev/null
+++ b/internal/apimodule/account/accountupdate_test.go
@@ -0,0 +1,298 @@
+/*
+ GoToSocial
+ Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU Affero General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU Affero General Public License for more details.
+
+ You should have received a copy of the GNU Affero General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package account
+
+import (
+ "bytes"
+ "context"
+ "fmt"
+ "io"
+ "mime/multipart"
+ "net/http"
+ "net/http/httptest"
+ "net/url"
+ "os"
+ "testing"
+ "time"
+
+ "github.com/gin-gonic/gin"
+ "github.com/google/uuid"
+ "github.com/sirupsen/logrus"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/mock"
+ "github.com/stretchr/testify/suite"
+ "github.com/superseriousbusiness/gotosocial/internal/config"
+ "github.com/superseriousbusiness/gotosocial/internal/db"
+ "github.com/superseriousbusiness/gotosocial/internal/db/model"
+ "github.com/superseriousbusiness/gotosocial/internal/media"
+ "github.com/superseriousbusiness/gotosocial/internal/oauth"
+ "github.com/superseriousbusiness/gotosocial/internal/storage"
+ "github.com/superseriousbusiness/oauth2/v4"
+ "github.com/superseriousbusiness/oauth2/v4/models"
+ oauthmodels "github.com/superseriousbusiness/oauth2/v4/models"
+)
+
+type AccountUpdateTestSuite struct {
+ suite.Suite
+ config *config.Config
+ log *logrus.Logger
+ testAccountLocal *model.Account
+ testApplication *model.Application
+ testToken oauth2.TokenInfo
+ mockOauthServer *oauth.MockServer
+ mockStorage *storage.MockStorage
+ mediaHandler media.MediaHandler
+ db db.DB
+ accountModule *accountModule
+ newUserFormHappyPath url.Values
+}
+
+/*
+ TEST INFRASTRUCTURE
+*/
+
+// SetupSuite sets some variables on the suite that we can use as consts (more or less) throughout
+func (suite *AccountUpdateTestSuite) SetupSuite() {
+ // some of our subsequent entities need a log so create this here
+ log := logrus.New()
+ log.SetLevel(logrus.TraceLevel)
+ suite.log = log
+
+ suite.testAccountLocal = &model.Account{
+ ID: uuid.NewString(),
+ Username: "test_user",
+ }
+
+ // can use this test application throughout
+ suite.testApplication = &model.Application{
+ ID: "weeweeeeeeeeeeeeee",
+ Name: "a test application",
+ Website: "https://some-application-website.com",
+ RedirectURI: "http://localhost:8080",
+ ClientID: "a-known-client-id",
+ ClientSecret: "some-secret",
+ Scopes: "read",
+ VapidKey: "aaaaaa-aaaaaaaa-aaaaaaaaaaa",
+ }
+
+ // can use this test token throughout
+ suite.testToken = &oauthmodels.Token{
+ ClientID: "a-known-client-id",
+ RedirectURI: "http://localhost:8080",
+ Scope: "read",
+ Code: "123456789",
+ CodeCreateAt: time.Now(),
+ CodeExpiresIn: time.Duration(10 * time.Minute),
+ }
+
+ // Direct config to local postgres instance
+ c := config.Empty()
+ c.Protocol = "http"
+ c.Host = "localhost"
+ c.DBConfig = &config.DBConfig{
+ Type: "postgres",
+ Address: "localhost",
+ Port: 5432,
+ User: "postgres",
+ Password: "postgres",
+ Database: "postgres",
+ ApplicationName: "gotosocial",
+ }
+ c.MediaConfig = &config.MediaConfig{
+ MaxImageSize: 2 << 20,
+ }
+ c.StorageConfig = &config.StorageConfig{
+ Backend: "local",
+ BasePath: "/tmp",
+ ServeProtocol: "http",
+ ServeHost: "localhost",
+ ServeBasePath: "/fileserver/media",
+ }
+ suite.config = c
+
+ // use an actual database for this, because it's just easier than mocking one out
+ database, err := db.New(context.Background(), c, log)
+ if err != nil {
+ suite.FailNow(err.Error())
+ }
+ suite.db = database
+
+ // we need to mock the oauth server because account creation needs it to create a new token
+ suite.mockOauthServer = &oauth.MockServer{}
+ suite.mockOauthServer.On("GenerateUserAccessToken", suite.testToken, suite.testApplication.ClientSecret, mock.AnythingOfType("string")).Run(func(args mock.Arguments) {
+ l := suite.log.WithField("func", "GenerateUserAccessToken")
+ token := args.Get(0).(oauth2.TokenInfo)
+ l.Infof("received token %+v", token)
+ clientSecret := args.Get(1).(string)
+ l.Infof("received clientSecret %+v", clientSecret)
+ userID := args.Get(2).(string)
+ l.Infof("received userID %+v", userID)
+ }).Return(&models.Token{
+ Code: "we're authorized now!",
+ }, nil)
+
+ suite.mockStorage = &storage.MockStorage{}
+ // We don't need storage to do anything for these tests, so just simulate a success and do nothing -- we won't need to return anything from storage
+ suite.mockStorage.On("StoreFileAt", mock.AnythingOfType("string"), mock.AnythingOfType("[]uint8")).Return(nil)
+
+ // set a media handler because some handlers (eg update credentials) need to upload media (new header/avatar)
+ suite.mediaHandler = media.New(suite.config, suite.db, suite.mockStorage, log)
+
+ // and finally here's the thing we're actually testing!
+ suite.accountModule = New(suite.config, suite.db, suite.mockOauthServer, suite.mediaHandler, suite.log).(*accountModule)
+}
+
+func (suite *AccountUpdateTestSuite) TearDownSuite() {
+ if err := suite.db.Stop(context.Background()); err != nil {
+ logrus.Panicf("error closing db connection: %s", err)
+ }
+}
+
+// SetupTest creates a db connection and creates necessary tables before each test
+func (suite *AccountUpdateTestSuite) SetupTest() {
+ // create all the tables we might need in thie suite
+ models := []interface{}{
+ &model.User{},
+ &model.Account{},
+ &model.Follow{},
+ &model.FollowRequest{},
+ &model.Status{},
+ &model.Application{},
+ &model.EmailDomainBlock{},
+ &model.MediaAttachment{},
+ }
+ for _, m := range models {
+ if err := suite.db.CreateTable(m); err != nil {
+ logrus.Panicf("db connection error: %s", err)
+ }
+ }
+
+ // form to submit for happy path account create requests -- this will be changed inside tests so it's better to set it before each test
+ suite.newUserFormHappyPath = url.Values{
+ "reason": []string{"a very good reason that's at least 40 characters i swear"},
+ "username": []string{"test_user"},
+ "email": []string{"user@example.org"},
+ "password": []string{"very-strong-password"},
+ "agreement": []string{"true"},
+ "locale": []string{"en"},
+ }
+
+ // same with accounts config
+ suite.config.AccountsConfig = &config.AccountsConfig{
+ OpenRegistration: true,
+ RequireApproval: true,
+ ReasonRequired: true,
+ }
+}
+
+// TearDownTest drops tables to make sure there's no data in the db
+func (suite *AccountUpdateTestSuite) TearDownTest() {
+
+ // remove all the tables we might have used so it's clear for the next test
+ models := []interface{}{
+ &model.User{},
+ &model.Account{},
+ &model.Follow{},
+ &model.FollowRequest{},
+ &model.Status{},
+ &model.Application{},
+ &model.EmailDomainBlock{},
+ &model.MediaAttachment{},
+ }
+ for _, m := range models {
+ if err := suite.db.DropTable(m); err != nil {
+ logrus.Panicf("error dropping table: %s", err)
+ }
+ }
+}
+
+/*
+ ACTUAL TESTS
+*/
+
+/*
+ TESTING: AccountUpdateCredentialsPATCHHandler
+*/
+
+func (suite *AccountUpdateTestSuite) TestAccountUpdateCredentialsPATCHHandler() {
+
+ // put test local account in db
+ err := suite.db.Put(suite.testAccountLocal)
+ assert.NoError(suite.T(), err)
+
+ // attach avatar to request form
+ avatarFile, err := os.Open("../../media/test/test-jpeg.jpg")
+ assert.NoError(suite.T(), err)
+ body := &bytes.Buffer{}
+ writer := multipart.NewWriter(body)
+
+ avatarPart, err := writer.CreateFormFile("avatar", "test-jpeg.jpg")
+ assert.NoError(suite.T(), err)
+
+ _, err = io.Copy(avatarPart, avatarFile)
+ assert.NoError(suite.T(), err)
+
+ err = avatarFile.Close()
+ assert.NoError(suite.T(), err)
+
+ // set display name to a new value
+ displayNamePart, err := writer.CreateFormField("display_name")
+ assert.NoError(suite.T(), err)
+
+ _, err = io.Copy(displayNamePart, bytes.NewBufferString("test_user_wohoah"))
+ assert.NoError(suite.T(), err)
+
+ // set locked to true
+ lockedPart, err := writer.CreateFormField("locked")
+ assert.NoError(suite.T(), err)
+
+ _, err = io.Copy(lockedPart, bytes.NewBufferString("true"))
+ assert.NoError(suite.T(), err)
+
+ // close the request writer, the form is now prepared
+ err = writer.Close()
+ assert.NoError(suite.T(), err)
+
+ // setup
+ recorder := httptest.NewRecorder()
+ ctx, _ := gin.CreateTestContext(recorder)
+ ctx.Set(oauth.SessionAuthorizedAccount, suite.testAccountLocal)
+ ctx.Set(oauth.SessionAuthorizedToken, suite.testToken)
+ ctx.Request = httptest.NewRequest(http.MethodPatch, fmt.Sprintf("http://localhost:8080/%s", updateCredentialsPath), body) // the endpoint we're hitting
+ ctx.Request.Header.Set("Content-Type", writer.FormDataContentType())
+ suite.accountModule.accountUpdateCredentialsPATCHHandler(ctx)
+
+ // check response
+
+ // 1. we should have OK because our request was valid
+ suite.EqualValues(http.StatusOK, recorder.Code)
+
+ // 2. we should have an error message in the result body
+ result := recorder.Result()
+ defer result.Body.Close()
+ // TODO: implement proper checks here
+ //
+ // b, err := ioutil.ReadAll(result.Body)
+ // assert.NoError(suite.T(), err)
+ // assert.Equal(suite.T(), `{"error":"not authorized"}`, string(b))
+}
+
+func TestAccountUpdateTestSuite(t *testing.T) {
+ suite.Run(t, new(AccountUpdateTestSuite))
+}
diff --git a/internal/apimodule/account/accountverify.go b/internal/apimodule/account/accountverify.go
new file mode 100644
index 000000000..fe8d24b22
--- /dev/null
+++ b/internal/apimodule/account/accountverify.go
@@ -0,0 +1,50 @@
+/*
+ GoToSocial
+ Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU Affero General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU Affero General Public License for more details.
+
+ You should have received a copy of the GNU Affero General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package account
+
+import (
+ "net/http"
+
+ "github.com/gin-gonic/gin"
+ "github.com/superseriousbusiness/gotosocial/internal/oauth"
+)
+
+// accountVerifyGETHandler serves a user's account details to them IF they reached this
+// handler while in possession of a valid token, according to the oauth middleware.
+// It should be served as a GET at /api/v1/accounts/verify_credentials
+func (m *accountModule) accountVerifyGETHandler(c *gin.Context) {
+ l := m.log.WithField("func", "accountVerifyGETHandler")
+ authed, err := oauth.MustAuth(c, true, false, false, true)
+ if err != nil {
+ l.Debugf("couldn't auth: %s", err)
+ c.JSON(http.StatusForbidden, gin.H{"error": err.Error()})
+ return
+ }
+
+ l.Tracef("retrieved account %+v, converting to mastosensitive...", authed.Account.ID)
+ acctSensitive, err := m.db.AccountToMastoSensitive(authed.Account)
+ if err != nil {
+ l.Tracef("could not convert account into mastosensitive account: %s", err)
+ c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+ return
+ }
+
+ l.Tracef("conversion successful, returning OK and mastosensitive account %+v", acctSensitive)
+ c.JSON(http.StatusOK, acctSensitive)
+}
diff --git a/internal/apimodule/account/accountverify_test.go b/internal/apimodule/account/accountverify_test.go
new file mode 100644
index 000000000..223a0c145
--- /dev/null
+++ b/internal/apimodule/account/accountverify_test.go
@@ -0,0 +1,19 @@
+/*
+ GoToSocial
+ Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU Affero General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU Affero General Public License for more details.
+
+ You should have received a copy of the GNU Affero General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package account
generated by cgit v1.2.3 (git 2.46.0) at 2025-07-24 09:19:52 +0000