From eb720241da3d786c6ec79f2325277fa4af23846f Mon Sep 17 00:00:00 2001 From: tobi <31960611+tsmethurst@users.noreply.github.com> Date: Wed, 26 Feb 2025 13:04:55 +0100 Subject: [feature] Enforce OAuth token scopes (#3835) * move tokenauth to apiutil * enforce scopes * docs * update test models, remove deprecated "follow" * file header * tests * tweak scope matcher * simplify... * fix tests * log user out of settings panel in case of oauth error --- internal/api/client/exports/blocks.go | 10 ++++++---- internal/api/client/exports/followers.go | 12 +++++++----- internal/api/client/exports/following.go | 10 ++++++---- internal/api/client/exports/lists.go | 10 ++++++---- internal/api/client/exports/mutes.go | 10 ++++++---- internal/api/client/exports/stats.go | 12 +++++++----- 6 files changed, 38 insertions(+), 26 deletions(-) (limited to 'internal/api/client/exports') diff --git a/internal/api/client/exports/blocks.go b/internal/api/client/exports/blocks.go index c31e2b0b4..bc8c2a6b3 100644 --- a/internal/api/client/exports/blocks.go +++ b/internal/api/client/exports/blocks.go @@ -23,7 +23,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // ExportBlocksGETHandler swagger:operation GET /api/v1/exports/blocks.csv exportBlocks @@ -52,9 +51,12 @@ import ( // '500': // description: internal server error func (m *Module) ExportBlocksGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadBlocks, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/exports/followers.go b/internal/api/client/exports/followers.go index ceef94659..ad6306de0 100644 --- a/internal/api/client/exports/followers.go +++ b/internal/api/client/exports/followers.go @@ -23,7 +23,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // ExportFollowersGETHandler swagger:operation GET /api/v1/exports/followers.csv exportFollowers @@ -39,7 +38,7 @@ import ( // // security: // - OAuth2 Bearer: -// - read:follows +// - read:accounts // // responses: // '200': @@ -52,9 +51,12 @@ import ( // '500': // description: internal server error func (m *Module) ExportFollowersGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/exports/following.go b/internal/api/client/exports/following.go index e61cafc2a..b95492dfa 100644 --- a/internal/api/client/exports/following.go +++ b/internal/api/client/exports/following.go @@ -23,7 +23,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // ExportFollowingGETHandler swagger:operation GET /api/v1/exports/following.csv exportFollowing @@ -52,9 +51,12 @@ import ( // '500': // description: internal server error func (m *Module) ExportFollowingGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadFollows, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/exports/lists.go b/internal/api/client/exports/lists.go index 2debcc701..385df5501 100644 --- a/internal/api/client/exports/lists.go +++ b/internal/api/client/exports/lists.go @@ -23,7 +23,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // ExportListsGETHandler swagger:operation GET /api/v1/exports/lists.csv exportLists @@ -52,9 +51,12 @@ import ( // '500': // description: internal server error func (m *Module) ExportListsGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadLists, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/exports/mutes.go b/internal/api/client/exports/mutes.go index ab49b7719..6b9d699c9 100644 --- a/internal/api/client/exports/mutes.go +++ b/internal/api/client/exports/mutes.go @@ -23,7 +23,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // ExportMutesGETHandler swagger:operation GET /api/v1/exports/mutes.csv exportMutes @@ -52,9 +51,12 @@ import ( // '500': // description: internal server error func (m *Module) ExportMutesGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadMutes, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/exports/stats.go b/internal/api/client/exports/stats.go index 9e3f1b600..783826bb3 100644 --- a/internal/api/client/exports/stats.go +++ b/internal/api/client/exports/stats.go @@ -23,7 +23,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // ExportStatsGETHandler swagger:operation GET /api/v1/exports/stats exportStats @@ -39,7 +38,7 @@ import ( // // security: // - OAuth2 Bearer: -// - read:account +// - read:accounts // // responses: // '200': @@ -53,9 +52,12 @@ import ( // '500': // description: internal server error func (m *Module) ExportStatsGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } -- cgit v1.2.3