From eb720241da3d786c6ec79f2325277fa4af23846f Mon Sep 17 00:00:00 2001 From: tobi <31960611+tsmethurst@users.noreply.github.com> Date: Wed, 26 Feb 2025 13:04:55 +0100 Subject: [feature] Enforce OAuth token scopes (#3835) * move tokenauth to apiutil * enforce scopes * docs * update test models, remove deprecated "follow" * file header * tests * tweak scope matcher * simplify... * fix tests * log user out of settings panel in case of oauth error --- internal/api/client/accounts/accountdelete.go | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) (limited to 'internal/api/client/accounts/accountdelete.go') diff --git a/internal/api/client/accounts/accountdelete.go b/internal/api/client/accounts/accountdelete.go index 9a1ef7931..6438462c6 100644 --- a/internal/api/client/accounts/accountdelete.go +++ b/internal/api/client/accounts/accountdelete.go @@ -25,7 +25,6 @@ import ( apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" "golang.org/x/crypto/bcrypt" ) @@ -66,9 +65,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountDeletePOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } @@ -80,7 +82,7 @@ func (m *Module) AccountDeletePOSTHandler(c *gin.Context) { // Self account delete requires password to ensure it's for real. if form.Password == "" { - err = errors.New("no password provided in account delete request") + err := errors.New("no password provided in account delete request") apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1) return } -- cgit v1.2.3