From d5847e2d2b68a1eb41d43be170cd4ddff9003cff Mon Sep 17 00:00:00 2001 From: tobi <31960611+tsmethurst@users.noreply.github.com> Date: Mon, 17 Mar 2025 15:06:17 +0100 Subject: [feature] Application creation + management via API + settings panel (#3906) * [feature] Application creation + management via API + settings panel * fix docs links * add errnorows test * use known application as shorter * add comment about side effects --- internal/api/client/apps/appcreate.go | 73 +++++++++++++++++++++++++++-------- 1 file changed, 56 insertions(+), 17 deletions(-) (limited to 'internal/api/client/apps/appcreate.go') diff --git a/internal/api/client/apps/appcreate.go b/internal/api/client/apps/appcreate.go index 6a8208a20..062b2e13d 100644 --- a/internal/api/client/apps/appcreate.go +++ b/internal/api/client/apps/appcreate.go @@ -18,8 +18,11 @@ package apps import ( + "errors" "fmt" "net/http" + "slices" + "strings" "github.com/gin-gonic/gin" apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" @@ -40,8 +43,10 @@ const ( // The registered application can be used to obtain an application token. // This can then be used to register a new account, or (through user auth) obtain an access token. // -// The parameters can also be given in the body of the request, as JSON, if the content-type is set to 'application/json'. -// The parameters can also be given in the body of the request, as XML, if the content-type is set to 'application/xml'. +// If the application was registered with a Bearer token passed in the Authorization header, the created application will be managed by the authenticated user (must have scope write:applications). +// +// Parameters can also be given in the body of the request, as JSON, if the content-type is set to 'application/json'. +// Parameters can also be given in the body of the request, as XML, if the content-type is set to 'application/xml'. // // --- // tags: @@ -81,42 +86,66 @@ func (m *Module) AppsPOSTHandler(c *gin.Context) { return } + if authed.Token != nil { + // If a token has been passed, user + // needs write perm on applications. + if !slices.ContainsFunc( + strings.Split(authed.Token.GetScope(), " "), + func(hasScope string) bool { + return apiutil.Scope(hasScope).Permits(apiutil.ScopeWriteApplications) + }, + ) { + const errText = "token has insufficient scope permission" + errWithCode := gtserror.NewErrorForbidden(errors.New(errText), errText) + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) + return + } + } + + if authed.Account != nil && authed.Account.IsMoving() { + apiutil.ForbiddenAfterMove(c) + return + } + if _, err := apiutil.NegotiateAccept(c, apiutil.JSONAcceptHeaders...); err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorNotAcceptable(err, err.Error()), m.processor.InstanceGetV1) + errWithCode := gtserror.NewErrorNotAcceptable(err, err.Error()) + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } form := &apimodel.ApplicationCreateRequest{} if err := c.ShouldBind(form); err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1) + errWithCode := gtserror.NewErrorBadRequest(err, err.Error()) + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } - if len([]rune(form.ClientName)) > formFieldLen { - err := fmt.Errorf("client_name must be less than %d characters", formFieldLen) - apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1) + if l := len([]rune(form.ClientName)); l > formFieldLen { + m.fieldTooLong(c, "client_name", formFieldLen, l) return } - if len([]rune(form.RedirectURIs)) > formRedirectLen { - err := fmt.Errorf("redirect_uris must be less than %d characters", formRedirectLen) - apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1) + if l := len([]rune(form.RedirectURIs)); l > formRedirectLen { + m.fieldTooLong(c, "redirect_uris", formRedirectLen, l) return } - if len([]rune(form.Scopes)) > formFieldLen { - err := fmt.Errorf("scopes must be less than %d characters", formFieldLen) - apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1) + if l := len([]rune(form.Scopes)); l > formFieldLen { + m.fieldTooLong(c, "scopes", formFieldLen, l) return } - if len([]rune(form.Website)) > formFieldLen { - err := fmt.Errorf("website must be less than %d characters", formFieldLen) - apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1) + if l := len([]rune(form.Website)); l > formFieldLen { + m.fieldTooLong(c, "website", formFieldLen, l) return } - apiApp, errWithCode := m.processor.AppCreate(c.Request.Context(), authed, form) + var managedByUserID string + if authed.User != nil { + managedByUserID = authed.User.ID + } + + apiApp, errWithCode := m.processor.Application().Create(c.Request.Context(), managedByUserID, form) if errWithCode != nil { apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return @@ -124,3 +153,13 @@ func (m *Module) AppsPOSTHandler(c *gin.Context) { apiutil.JSON(c, http.StatusOK, apiApp) } + +func (m *Module) fieldTooLong(c *gin.Context, fieldName string, max int, actual int) { + errText := fmt.Sprintf( + "%s must be less than %d characters, provided %s was %d characters", + fieldName, max, fieldName, actual, + ) + + errWithCode := gtserror.NewErrorBadRequest(errors.New(errText), errText) + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) +} -- cgit v1.2.3