diff options
Diffstat (limited to 'internal/processing/stream')
| -rw-r--r-- | internal/processing/stream/authorize.go | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/internal/processing/stream/authorize.go b/internal/processing/stream/authorize.go index 0baea29f1..cedd21e0b 100644 --- a/internal/processing/stream/authorize.go +++ b/internal/processing/stream/authorize.go @@ -19,8 +19,12 @@ package stream import ( "context" + "errors" "fmt" + "slices" + "strings" + apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/db" "github.com/superseriousbusiness/gotosocial/internal/gtserror" "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" @@ -58,5 +62,22 @@ func (p *Processor) Authorize(ctx context.Context, accessToken string) (*gtsmode return nil, gtserror.NewErrorInternalError(err) } + // Ensure read scope. + // + // TODO: make this more granular + // depending on stream type. + hasScopes := strings.Split(ti.GetScope(), " ") + scopeOK := slices.ContainsFunc( + hasScopes, + func(hasScope string) bool { + return apiutil.Scope(hasScope).Permits(apiutil.ScopeRead) + }, + ) + + if !scopeOK { + const errText = "token has insufficient scope permission" + return nil, gtserror.NewErrorForbidden(errors.New(errText), errText) + } + return acct, nil } |