From eb720241da3d786c6ec79f2325277fa4af23846f Mon Sep 17 00:00:00 2001 From: tobi <31960611+tsmethurst@users.noreply.github.com> Date: Wed, 26 Feb 2025 13:04:55 +0100 Subject: [feature] Enforce OAuth token scopes (#3835) * move tokenauth to apiutil * enforce scopes * docs * update test models, remove deprecated "follow" * file header * tests * tweak scope matcher * simplify... * fix tests * log user out of settings panel in case of oauth error --- internal/api/client/timelines/home.go | 10 ++++++---- internal/api/client/timelines/list.go | 10 ++++++---- internal/api/client/timelines/public.go | 21 +++++++++++++-------- internal/api/client/timelines/tag.go | 10 ++++++---- 4 files changed, 31 insertions(+), 20 deletions(-) (limited to 'internal/api/client/timelines') diff --git a/internal/api/client/timelines/home.go b/internal/api/client/timelines/home.go index 55928dd3a..8e957d498 100644 --- a/internal/api/client/timelines/home.go +++ b/internal/api/client/timelines/home.go @@ -23,7 +23,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // HomeTimelineGETHandler swagger:operation GET /api/v1/timelines/home homeTimeline @@ -107,9 +106,12 @@ import ( // '400': // description: bad request func (m *Module) HomeTimelineGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadStatuses, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/timelines/list.go b/internal/api/client/timelines/list.go index 25695bf0e..b02489d6c 100644 --- a/internal/api/client/timelines/list.go +++ b/internal/api/client/timelines/list.go @@ -23,7 +23,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // ListTimelineGETHandler swagger:operation GET /api/v1/timelines/list/{id} listTimeline @@ -106,9 +105,12 @@ import ( // '400': // description: bad request func (m *Module) ListTimelineGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadLists, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/timelines/public.go b/internal/api/client/timelines/public.go index 49530216f..d6df36f09 100644 --- a/internal/api/client/timelines/public.go +++ b/internal/api/client/timelines/public.go @@ -24,7 +24,6 @@ import ( apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/config" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // PublicTimelineGETHandler swagger:operation GET /api/v1/timelines/public publicTimeline @@ -108,19 +107,25 @@ import ( // '400': // description: bad request func (m *Module) PublicTimelineGETHandler(c *gin.Context) { - var authed *oauth.Auth - var err error - + var ( + authed *apiutil.Auth + errWithCode gtserror.WithCode + ) if config.GetInstanceExposePublicTimeline() { // If the public timeline is allowed to be exposed, still check if we // can extract various authentication properties, but don't require them. - authed, err = oauth.Authed(c, false, false, false, false) + authed, errWithCode = apiutil.TokenAuth(c, + false, false, false, false, + ) } else { - authed, err = oauth.Authed(c, true, true, true, true) + authed, errWithCode = apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadStatuses, + ) } - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/timelines/tag.go b/internal/api/client/timelines/tag.go index 258184355..8c3a86f81 100644 --- a/internal/api/client/timelines/tag.go +++ b/internal/api/client/timelines/tag.go @@ -23,7 +23,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // TagTimelineGETHandler swagger:operation GET /api/v1/timelines/tag/{tag_name} tagTimeline @@ -108,9 +107,12 @@ import ( // '400': // description: bad request func (m *Module) TagTimelineGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadStatuses, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } -- cgit v1.2.3