diff --git a/docs/api/authentication.md b/docs/api/authentication.md index b9fccf98b..2fb5bea5f 100644 --- a/docs/api/authentication.md +++ b/docs/api/authentication.md @@ -2,6 +2,9 @@ Using the client API requires authentication. This page documents the general flow for retrieving an authentication token with examples for doing this on the CLI using `curl`. +!!! tip + If you want to get an API access token via the settings panel instead, without having to use the command line, see the [Application documentation](https://docs.gotosocial.org/en/latest/user_guide/settings/#applications). + ## Create a new application We need to register a new application, which we can then use to request an OAuth token. This is done by making a `POST` request to the `/api/v1/apps` endpoint. Replace `your_app_name` in the command below with the name you want to use for your application: @@ -19,18 +22,15 @@ curl \ The string `urn:ietf:wg:oauth:2.0:oob` is an indication of what is known as out-of-band authentication - a technique used in multi-factor authentication to reduce the number of ways that a bad actor can intrude on the authentication process. In this instance, it allows us to view and manually copy the tokens created to use further in this process. -Note that `scopes` can be any space-separated combination of: - -- `read` -- `write` -- `admin` +!!! tip "Scopes" + It is always good practice to grant your application the lowest tier permissions it needs to do its job. e.g. If your application won't be making posts, use `scope=read` or even a subscope of that. + + In this spirit, "read" is used in the example above, which means that the application will be restricted to only being able to do "read" actions. + + For a list of available scopes, see [the swagger docs](https://docs.gotosocial.org/en/latest/api/swagger/). !!! warning - GoToSocial does not currently support scoped authorization tokens, so any token you obtain in this process will be able to perform all actions on your behalf, including admin actions if your account has admin permissions. Nevertheless, it is always good practice to grant your application the lowest tier permissions it needs to do its job. e.g. If your application won't be making posts, use scope=read. - - In this spirit, "read" is used in the example above, which means that in the future when scoped tokens are supported, the application will be restricted to only being able to do "read" actions. - - You can read more about additional planned OAuth security features [right here](https://github.com/superseriousbusiness/gotosocial/issues/2232). + GoToSocial did not support scoped authorization tokens before version 0.19.0, so if you are using a version of GoToSocial below that, then any token you obtain in this process will be able to perform all actions on your behalf, including admin actions if your account has admin permissions. A successful call returns a response with a `client_id` and `client_secret`, which we are going need to use in the rest of the process. It looks something like this: @@ -126,7 +126,6 @@ See this example: ```bash curl \ - -H 'Content-Type: application/json' \ -H 'Authorization: Bearer YOUR_ACCESS_TOKEN' \ 'https://example.org/api/v1/accounts/verify_credentials' ``` @@ -140,7 +139,6 @@ For example, you can issue another `GET` request to the API using the same acces ```bash curl \ - -H 'Content-Type: application/json' \ -H 'Authorization: Bearer YOUR_ACCESS_TOKEN' \ 'https://example.org/api/v1/notifications' ``` diff --git a/docs/api/swagger.yaml b/docs/api/swagger.yaml index 6d9ca2f95..ce415784a 100644 --- a/docs/api/swagger.yaml +++ b/docs/api/swagger.yaml @@ -828,6 +828,11 @@ definitions: description: Client secret associated with this application. type: string x-go-name: ClientSecret + created_at: + description: When the application was created. (ISO 8601 Datetime) + example: "2021-07-30T09:20:25+00:00" + type: string + x-go-name: CreatedAt id: description: The ID of the application. example: 01FBVD42CQ3ZEEVMW180SBX03B @@ -3649,6 +3654,54 @@ info: contact: email: admin@gotosocial.org name: GoToSocial Authors + description: |- + This document describes the GoToSocial HTTP API. + + For information on how to authenticate with the API using an OAuth access token, see the documentation here: https://docs.gotosocial.org/en/latest/api/authentication/. + + Available scopes are: + + admin: grants admin access to everything + admin:read: grants admin read access to everything + admin:read:accounts: grants admin read access to accounts + admin:read:domain_allows: grants admin read access to domain_allows + admin:read:domain_blocks: grants admin read access to domain_blocks + admin:read:reports: grants admin read access to reports + admin:write: grants admin write access to everything + admin:write:accounts: grants write read access to accounts + admin:write:domain_allows: grants admin write access to domain_allows + admin:write:domain_blocks: grants write read access to domain_blocks + admin:write:reports: grants admin write access to reports + profile: grants read access to verify_credentials + push: grants read/write access to push + read: grants read access to everything + read:accounts: grants read access to accounts + read:applications: grants read access to user-managed applications + read:blocks: grants read access to blocks + read:bookmarks: grants read access to bookmarks + read:favourites: grants read access to accounts + read:filters: grants read access to filters + read:follows: grants read access to follows + read:lists: grants read access to lists + read:mutes: grants read access to mutes + read:notifications: grants read access to notifications + read:search: grants read access to search + read:statuses: grants read access to statuses + write: grants write access to everything + write:accounts: grants write access to accounts + write:applications: grants write access to user-managed applications + write:blocks: grants write access to blocks + write:bookmarks: grants write access to bookmarks + write:conversations: grants write access to conversations + write:favourites: grants write access to favourites + write:filters: grants write access to filters + write:follows: grants write access to follows + write:lists: grants write access to lists + write:media: grants write access to media + write:mutes: grants write access to mutes + write:notifications: grants write access to notifications + write:reports: grants write access to reports + write:statuses: grants write access to statuses license: name: AGPL3 url: https://www.gnu.org/licenses/agpl-3.0.en.html @@ -7484,6 +7537,63 @@ paths: tags: - announcements /api/v1/apps: + get: + description: |- + The next and previous queries can be parsed from the returned Link header. + + Example: + + ``` + ; rel="next", ; rel="prev" + ```` + operationId: appsGet + parameters: + - description: Return only items *OLDER* than the given max item ID. The item with the specified ID will not be included in the response. + in: query + name: max_id + type: string + - description: Return only items *newer* than the given since item ID. The item with the specified ID will not be included in the response. + in: query + name: since_id + type: string + - description: Return only items *immediately newer* than the given since item ID. The item with the specified ID will not be included in the response. + in: query + name: min_id + type: string + - default: 20 + description: Number of items to return. + in: query + name: limit + type: integer + produces: + - application/json + responses: + "200": + description: "" + headers: + Link: + description: Links to the next and previous queries. + type: string + schema: + items: + $ref: '#/definitions/application' + type: array + "400": + description: bad request + "401": + description: unauthorized + "404": + description: not found + "406": + description: not acceptable + "500": + description: internal server error + security: + - OAuth2 Bearer: + - read:applications + summary: Get an array of applications that are managed by the requester. + tags: + - apps post: consumes: - application/json @@ -7493,8 +7603,10 @@ paths: The registered application can be used to obtain an application token. This can then be used to register a new account, or (through user auth) obtain an access token. - The parameters can also be given in the body of the request, as JSON, if the content-type is set to 'application/json'. - The parameters can also be given in the body of the request, as XML, if the content-type is set to 'application/xml'. + If the application was registered with a Bearer token passed in the Authorization header, the created application will be managed by the authenticated user (must have scope write:applications). + + Parameters can also be given in the body of the request, as JSON, if the content-type is set to 'application/json'. + Parameters can also be given in the body of the request, as XML, if the content-type is set to 'application/xml'. operationId: appCreate parameters: - description: The name of the application. @@ -7548,6 +7660,69 @@ paths: summary: Register a new application on this instance. tags: - apps + /api/v1/apps/{id}: + delete: + operationId: appDelete + parameters: + - description: The id of the application to delete. + in: path + name: id + required: true + type: string + produces: + - application/json + responses: + "200": + description: The deleted application. + schema: + $ref: '#/definitions/application' + "400": + description: bad request + "401": + description: unauthorized + "404": + description: not found + "406": + description: not acceptable + "500": + description: internal server error + security: + - OAuth2 Bearer: + - write:applications + summary: Delete a single application managed by the requester. + tags: + - apps + get: + operationId: appGet + parameters: + - description: The id of the requested application. + in: path + name: id + required: true + type: string + produces: + - application/json + responses: + "200": + description: The requested application. + schema: + $ref: '#/definitions/application' + "400": + description: bad request + "401": + description: unauthorized + "404": + description: not found + "406": + description: not acceptable + "500": + description: internal server error + security: + - OAuth2 Bearer: + - read:applications + summary: Get a single application managed by the requester. + tags: + - apps /api/v1/blocks: get: description: |- @@ -11705,15 +11880,15 @@ paths: ```` operationId: tokensInfoGet parameters: - - description: Return only items *OLDER* than the given max status ID. The item with the specified ID will not be included in the response. + - description: Return only items *OLDER* than the given max item ID. The item with the specified ID will not be included in the response. in: query name: max_id type: string - - description: Return only items *newer* than the given since status ID. The item with the specified ID will not be included in the response. + - description: Return only items *newer* than the given since item ID. The item with the specified ID will not be included in the response. in: query name: since_id type: string - - description: Return only items *immediately newer* than the given since status ID. The item with the specified ID will not be included in the response. + - description: Return only items *immediately newer* than the given since item ID. The item with the specified ID will not be included in the response. in: query name: min_id type: string @@ -12927,6 +13102,7 @@ securityDefinitions: push: grants read/write access to push read: grants read access to everything read:accounts: grants read access to accounts + read:applications: grants read access to user-managed applications read:blocks: grants read access to blocks read:bookmarks: grants read access to bookmarks read:favourites: grants read access to accounts @@ -12939,6 +13115,7 @@ securityDefinitions: read:statuses: grants read access to statuses write: grants write access to everything write:accounts: grants write access to accounts + write:applications: grants write access to user-managed applications write:blocks: grants write access to blocks write:bookmarks: grants write access to bookmarks write:conversations: grants write access to conversations diff --git a/docs/overrides/public/user-settings-applications-details.png b/docs/overrides/public/user-settings-applications-details.png new file mode 100644 index 000000000..a91433331 Binary files /dev/null and b/docs/overrides/public/user-settings-applications-details.png differ diff --git a/docs/overrides/public/user-settings-applications-new.png b/docs/overrides/public/user-settings-applications-new.png new file mode 100644 index 000000000..ff1b40f38 Binary files /dev/null and b/docs/overrides/public/user-settings-applications-new.png differ diff --git a/docs/swagger.go b/docs/swagger.go index ecd03e6b9..500abd7a2 100644 --- a/docs/swagger.go +++ b/docs/swagger.go @@ -17,6 +17,56 @@ // GoToSocial Swagger documentation. // +// This document describes the GoToSocial HTTP API. +// +// For information on how to authenticate with the API using an OAuth access token, see the documentation here: https://docs.gotosocial.org/en/latest/api/authentication/. +// +// Available scopes are: +// +// - admin: grants admin access to everything +// - admin:read: grants admin read access to everything +// - admin:read:accounts: grants admin read access to accounts +// - admin:read:domain_allows: grants admin read access to domain_allows +// - admin:read:domain_blocks: grants admin read access to domain_blocks +// - admin:read:reports: grants admin read access to reports +// - admin:write: grants admin write access to everything +// - admin:write:accounts: grants write read access to accounts +// - admin:write:domain_allows: grants admin write access to domain_allows +// - admin:write:domain_blocks: grants write read access to domain_blocks +// - admin:write:reports: grants admin write access to reports +// - profile: grants read access to verify_credentials +// - push: grants read/write access to push +// - read: grants read access to everything +// - read:accounts: grants read access to accounts +// - read:applications: grants read access to user-managed applications +// - read:blocks: grants read access to blocks +// - read:bookmarks: grants read access to bookmarks +// - read:favourites: grants read access to accounts +// - read:filters: grants read access to filters +// - read:follows: grants read access to follows +// - read:lists: grants read access to lists +// - read:mutes: grants read access to mutes +// - read:notifications: grants read access to notifications +// - read:search: grants read access to search +// - read:statuses: grants read access to statuses +// - write: grants write access to everything +// - write:accounts: grants write access to accounts +// - write:applications: grants write access to user-managed applications +// - write:blocks: grants write access to blocks +// - write:bookmarks: grants write access to bookmarks +// - write:conversations: grants write access to conversations +// - write:favourites: grants write access to favourites +// - write:filters: grants write access to filters +// - write:follows: grants write access to follows +// - write:lists: grants write access to lists +// - write:media: grants write access to media +// - write:mutes: grants write access to mutes +// - write:notifications: grants write access to notifications +// - write:reports: grants write access to reports +// - write:statuses: grants write access to statuses +// +// --- +// // Schemes: https, http // BasePath: / // Version: REPLACE_ME @@ -31,45 +81,47 @@ // authorizationUrl: https://example.org/oauth/authorize // tokenUrl: https://example.org/oauth/token // scopes: -// read: grants read access to everything -// write: grants write access to everything -// push: grants read/write access to push -// profile: grants read access to verify_credentials -// read:accounts: grants read access to accounts -// write:accounts: grants write access to accounts -// read:blocks: grants read access to blocks -// write:blocks: grants write access to blocks -// read:bookmarks: grants read access to bookmarks -// write:bookmarks: grants write access to bookmarks -// write:conversations: grants write access to conversations -// read:favourites: grants read access to accounts -// write:favourites: grants write access to favourites -// read:filters: grants read access to filters -// write:filters: grants write access to filters -// read:follows: grants read access to follows -// write:follows: grants write access to follows -// read:lists: grants read access to lists -// write:lists: grants write access to lists -// write:media: grants write access to media -// read:mutes: grants read access to mutes -// write:mutes: grants write access to mutes -// read:notifications: grants read access to notifications -// write:notifications: grants write access to notifications -// write:reports: grants write access to reports -// read:search: grants read access to search -// read:statuses: grants read access to statuses -// write:statuses: grants write access to statuses // admin: grants admin access to everything // admin:read: grants admin read access to everything -// admin:write: grants admin write access to everything // admin:read:accounts: grants admin read access to accounts -// admin:write:accounts: grants write read access to accounts -// admin:read:reports: grants admin read access to reports -// admin:write:reports: grants admin write access to reports // admin:read:domain_allows: grants admin read access to domain_allows -// admin:write:domain_allows: grants admin write access to domain_allows // admin:read:domain_blocks: grants admin read access to domain_blocks +// admin:read:reports: grants admin read access to reports +// admin:write: grants admin write access to everything +// admin:write:accounts: grants write read access to accounts +// admin:write:domain_allows: grants admin write access to domain_allows // admin:write:domain_blocks: grants write read access to domain_blocks +// admin:write:reports: grants admin write access to reports +// profile: grants read access to verify_credentials +// push: grants read/write access to push +// read: grants read access to everything +// read:accounts: grants read access to accounts +// read:applications: grants read access to user-managed applications +// read:blocks: grants read access to blocks +// read:bookmarks: grants read access to bookmarks +// read:favourites: grants read access to accounts +// read:filters: grants read access to filters +// read:follows: grants read access to follows +// read:lists: grants read access to lists +// read:mutes: grants read access to mutes +// read:notifications: grants read access to notifications +// read:search: grants read access to search +// read:statuses: grants read access to statuses +// write: grants write access to everything +// write:accounts: grants write access to accounts +// write:applications: grants write access to user-managed applications +// write:blocks: grants write access to blocks +// write:bookmarks: grants write access to bookmarks +// write:conversations: grants write access to conversations +// write:favourites: grants write access to favourites +// write:filters: grants write access to filters +// write:follows: grants write access to follows +// write:lists: grants write access to lists +// write:media: grants write access to media +// write:mutes: grants write access to mutes +// write:notifications: grants write access to notifications +// write:reports: grants write access to reports +// write:statuses: grants write access to statuses // OAuth2 Application: // type: oauth2 // flow: application diff --git a/docs/user_guide/settings.md b/docs/user_guide/settings.md index 7e85e0ed8..590b04b42 100644 --- a/docs/user_guide/settings.md +++ b/docs/user_guide/settings.md @@ -287,3 +287,70 @@ Logging out of an application does not necessarily remove the token from the GoT !!! note Token "Last used" time is approximate and may be off by an hour in either direction. + +## Applications + +In the applications section, you can create a new managed OAuth client application, and search through applications that you've created. + +### What is an OAuth client application? + +A GoToSocial OAuth client application is equivalent to an OAuth 2.0 client as described in [the Auth0 roles docs](https://auth0.com/intro-to-iam/what-is-oauth-2#oauth20-roles). + +When you create an application, you can then, as the "Resource Owner" of your account, give the application access to your account via an access token, which the application can use to interact with the GoToSocial client API "as you", or "on your behalf". + +For example, when you log in to your GoToSocial account using Tusky, Tusky first registers itself with your instance as an OAuth client application, and then requests the instance to redirect you to a page where you can sign in with your GoToSocial email address and password in order to authorize Tusky to get an access code. Tusky then stores and uses that access code in all further requests, to do what you tell it to do: post statuses, read timelines, etc. + +The advantage of OAuth client applications is that they never store (or even see) your password: they only ever act as you using their access token, which can be invalidated so that the application cannot access your account anymore, without you having to change your password (see [Access Tokens](#access-tokens)). + +!!! note "Managed vs unmanaged applications" + A *managed* application is one that you created yourself via the settings panel, and have the ability to request tokens for, and delete. This differs somewhat from applications like Tusky, which are not considered to be *managed* applications, as they were not created by a user in the settings panel. + +### What is a redirect URI? + +Redirect URIs offer a security measure that prevents applications from being to redirect to malicious addresses after authorization. This is best explained in the OAuth 2.0 documentation, see: + +- [Redirect URIs](https://www.oauth.com/oauth2-servers/redirect-uris/) +- [Redirect URL Registration](https://www.oauth.com/oauth2-servers/redirect-uris/redirect-uri-registration/) + +Whatever service you are trying to create an application for will usually tell you what redirect URI(s) you need to enter when creating an application. + +### What is a scope? + +Scopes are a space-separated list of identifiers that can be specified when creating an application (or getting a token for that application) in order to prevent the application or its access token from accessing more data than it needs to do its job. + +For example, if you create an application with only scope `read`, then any tokens owned by that application will have only `read` access to your account: they will not be able to post, delete, or take other *write*-type actions as you. + +GoToSocial offers a range of scopes very similar to what the Mastodon API offers. You can see a list of scopes (and what they do) here: https://docs.gotosocial.org/en/latest/api/swagger/. + +Like Mastodon, GoToSocial allows you to specify scopes both when you create an application, *and* when you subsequently request a token. So you could create an application with scope `read write`, but request a token with only `read` scope, or with an even narrower scope like `read:accounts`. Any scopes specified when requesting a token must be covered by the scopes permitted to the application. For example, you cannot request a token with scope `write` if your application only has scope `read`. + +For more information on scopes in general, see the OAuth 2.0 docs: + +- [Scope](https://www.oauth.com/oauth2-servers/scope/) +- [Defining Scopes](https://www.oauth.com/oauth2-servers/scope/defining-scopes/) + +### Search Applications + +Using this section, you can see an overview of applications that you've created via the settings panel, and click on an application to go to the details view for that application. + +### New Application + +![The new application form.](../public/user-settings-applications-new.png) + +To create a new managed OAuth application, you must provide at least a name for your application. If you want, you can provide a website too. + +If you don't provide any scopes, then the application will have scope `read` by default. + +If you don't specify any redirect URIs, then the application will have the out-of-band redirect URI `urn:ietf:wg:oauth:2.0:oob` by default. + +If you want to be able to use the settings panel to easily get an access token for the application that you create, then you must include the given settings panel callback URL in your redirect URIs list. This will be in the form `https://[your_instance_host]/settings/user/applications/callback`. + +### Application Details + +![The details view for an application.](../public/user-settings-applications-details.png) + +On the details page for an application, you can view the application's client ID and client secret, which you can use in a command-line tool like `curl` to manually get an authorization code + access token for the application. + +If you included the settings panel callback URL in your redirect URIs list, you can also use this page to request an access token for your account. This will redirect you to the sign in page for your instance, where you must provide your credentials in order to authorize your application. You will then be redirected again to the settings panel callback URL, where you can receive your access token. + +You can also use this page to delete your application. When a managed application is deleted, all tokens that were created via that application will also be deleted, so ensure you only do this when your application is not being used. diff --git a/internal/api/client/apps/appcreate.go b/internal/api/client/apps/appcreate.go index 6a8208a20..062b2e13d 100644 --- a/internal/api/client/apps/appcreate.go +++ b/internal/api/client/apps/appcreate.go @@ -18,8 +18,11 @@ package apps import ( + "errors" "fmt" "net/http" + "slices" + "strings" "github.com/gin-gonic/gin" apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" @@ -40,8 +43,10 @@ const ( // The registered application can be used to obtain an application token. // This can then be used to register a new account, or (through user auth) obtain an access token. // -// The parameters can also be given in the body of the request, as JSON, if the content-type is set to 'application/json'. -// The parameters can also be given in the body of the request, as XML, if the content-type is set to 'application/xml'. +// If the application was registered with a Bearer token passed in the Authorization header, the created application will be managed by the authenticated user (must have scope write:applications). +// +// Parameters can also be given in the body of the request, as JSON, if the content-type is set to 'application/json'. +// Parameters can also be given in the body of the request, as XML, if the content-type is set to 'application/xml'. // // --- // tags: @@ -81,42 +86,66 @@ func (m *Module) AppsPOSTHandler(c *gin.Context) { return } + if authed.Token != nil { + // If a token has been passed, user + // needs write perm on applications. + if !slices.ContainsFunc( + strings.Split(authed.Token.GetScope(), " "), + func(hasScope string) bool { + return apiutil.Scope(hasScope).Permits(apiutil.ScopeWriteApplications) + }, + ) { + const errText = "token has insufficient scope permission" + errWithCode := gtserror.NewErrorForbidden(errors.New(errText), errText) + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) + return + } + } + + if authed.Account != nil && authed.Account.IsMoving() { + apiutil.ForbiddenAfterMove(c) + return + } + if _, err := apiutil.NegotiateAccept(c, apiutil.JSONAcceptHeaders...); err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorNotAcceptable(err, err.Error()), m.processor.InstanceGetV1) + errWithCode := gtserror.NewErrorNotAcceptable(err, err.Error()) + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } form := &apimodel.ApplicationCreateRequest{} if err := c.ShouldBind(form); err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1) + errWithCode := gtserror.NewErrorBadRequest(err, err.Error()) + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } - if len([]rune(form.ClientName)) > formFieldLen { - err := fmt.Errorf("client_name must be less than %d characters", formFieldLen) - apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1) + if l := len([]rune(form.ClientName)); l > formFieldLen { + m.fieldTooLong(c, "client_name", formFieldLen, l) return } - if len([]rune(form.RedirectURIs)) > formRedirectLen { - err := fmt.Errorf("redirect_uris must be less than %d characters", formRedirectLen) - apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1) + if l := len([]rune(form.RedirectURIs)); l > formRedirectLen { + m.fieldTooLong(c, "redirect_uris", formRedirectLen, l) return } - if len([]rune(form.Scopes)) > formFieldLen { - err := fmt.Errorf("scopes must be less than %d characters", formFieldLen) - apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1) + if l := len([]rune(form.Scopes)); l > formFieldLen { + m.fieldTooLong(c, "scopes", formFieldLen, l) return } - if len([]rune(form.Website)) > formFieldLen { - err := fmt.Errorf("website must be less than %d characters", formFieldLen) - apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1) + if l := len([]rune(form.Website)); l > formFieldLen { + m.fieldTooLong(c, "website", formFieldLen, l) return } - apiApp, errWithCode := m.processor.AppCreate(c.Request.Context(), authed, form) + var managedByUserID string + if authed.User != nil { + managedByUserID = authed.User.ID + } + + apiApp, errWithCode := m.processor.Application().Create(c.Request.Context(), managedByUserID, form) if errWithCode != nil { apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return @@ -124,3 +153,13 @@ func (m *Module) AppsPOSTHandler(c *gin.Context) { apiutil.JSON(c, http.StatusOK, apiApp) } + +func (m *Module) fieldTooLong(c *gin.Context, fieldName string, max int, actual int) { + errText := fmt.Sprintf( + "%s must be less than %d characters, provided %s was %d characters", + fieldName, max, fieldName, actual, + ) + + errWithCode := gtserror.NewErrorBadRequest(errors.New(errText), errText) + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) +} diff --git a/internal/api/client/apps/appdelete.go b/internal/api/client/apps/appdelete.go new file mode 100644 index 000000000..301579929 --- /dev/null +++ b/internal/api/client/apps/appdelete.go @@ -0,0 +1,98 @@ +// GoToSocial +// Copyright (C) GoToSocial Authors admin@gotosocial.org +// SPDX-License-Identifier: AGPL-3.0-or-later +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. +// +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see . + +package apps + +import ( + "net/http" + + "github.com/gin-gonic/gin" + apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" + "github.com/superseriousbusiness/gotosocial/internal/gtserror" +) + +// AppDELETEHandler swagger:operation DELETE /api/v1/apps/{id} appDelete +// +// Delete a single application managed by the requester. +// +// --- +// tags: +// - apps +// +// produces: +// - application/json +// +// parameters: +// - +// name: id +// type: string +// description: The id of the application to delete. +// in: path +// required: true +// +// security: +// - OAuth2 Bearer: +// - write:applications +// +// responses: +// '200': +// description: The deleted application. +// schema: +// "$ref": "#/definitions/application" +// '400': +// description: bad request +// '401': +// description: unauthorized +// '404': +// description: not found +// '406': +// description: not acceptable +// '500': +// description: internal server error +func (m *Module) AppDELETEHandler(c *gin.Context) { + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteApplications, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) + return + } + + if _, err := apiutil.NegotiateAccept(c, apiutil.JSONAcceptHeaders...); err != nil { + apiutil.ErrorHandler(c, gtserror.NewErrorNotAcceptable(err, err.Error()), m.processor.InstanceGetV1) + return + } + + appID, errWithCode := apiutil.ParseID(c.Param(apiutil.IDKey)) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) + return + } + + app, errWithCode := m.processor.Application().Delete( + c.Request.Context(), + authed.User.ID, + appID, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) + return + } + + apiutil.JSON(c, http.StatusOK, app) +} diff --git a/internal/api/client/apps/appget.go b/internal/api/client/apps/appget.go new file mode 100644 index 000000000..f9d5050b4 --- /dev/null +++ b/internal/api/client/apps/appget.go @@ -0,0 +1,98 @@ +// GoToSocial +// Copyright (C) GoToSocial Authors admin@gotosocial.org +// SPDX-License-Identifier: AGPL-3.0-or-later +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. +// +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see . + +package apps + +import ( + "net/http" + + "github.com/gin-gonic/gin" + apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" + "github.com/superseriousbusiness/gotosocial/internal/gtserror" +) + +// AppGETHandler swagger:operation GET /api/v1/apps/{id} appGet +// +// Get a single application managed by the requester. +// +// --- +// tags: +// - apps +// +// produces: +// - application/json +// +// parameters: +// - +// name: id +// type: string +// description: The id of the requested application. +// in: path +// required: true +// +// security: +// - OAuth2 Bearer: +// - read:applications +// +// responses: +// '200': +// description: The requested application. +// schema: +// "$ref": "#/definitions/application" +// '400': +// description: bad request +// '401': +// description: unauthorized +// '404': +// description: not found +// '406': +// description: not acceptable +// '500': +// description: internal server error +func (m *Module) AppGETHandler(c *gin.Context) { + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadApplications, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) + return + } + + if _, err := apiutil.NegotiateAccept(c, apiutil.JSONAcceptHeaders...); err != nil { + apiutil.ErrorHandler(c, gtserror.NewErrorNotAcceptable(err, err.Error()), m.processor.InstanceGetV1) + return + } + + appID, errWithCode := apiutil.ParseID(c.Param(apiutil.IDKey)) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) + return + } + + app, errWithCode := m.processor.Application().Get( + c.Request.Context(), + authed.User.ID, + appID, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) + return + } + + apiutil.JSON(c, http.StatusOK, app) +} diff --git a/internal/api/client/apps/apps.go b/internal/api/client/apps/apps.go index 679b985b8..2071c08bd 100644 --- a/internal/api/client/apps/apps.go +++ b/internal/api/client/apps/apps.go @@ -21,11 +21,14 @@ import ( "net/http" "github.com/gin-gonic/gin" + apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/processing" ) -// BasePath is the base path for this api module, excluding the api prefix -const BasePath = "/v1/apps" +const ( + BasePath = "/v1/apps" + BasePathWithID = BasePath + "/:" + apiutil.IDKey +) type Module struct { processor *processing.Processor @@ -39,4 +42,7 @@ func New(processor *processing.Processor) *Module { func (m *Module) Route(attachHandler func(method string, path string, f ...gin.HandlerFunc) gin.IRoutes) { attachHandler(http.MethodPost, BasePath, m.AppsPOSTHandler) + attachHandler(http.MethodGet, BasePath, m.AppsGETHandler) + attachHandler(http.MethodGet, BasePathWithID, m.AppGETHandler) + attachHandler(http.MethodDelete, BasePathWithID, m.AppDELETEHandler) } diff --git a/internal/api/client/apps/appsget.go b/internal/api/client/apps/appsget.go new file mode 100644 index 000000000..6bbd4c752 --- /dev/null +++ b/internal/api/client/apps/appsget.go @@ -0,0 +1,146 @@ +// GoToSocial +// Copyright (C) GoToSocial Authors admin@gotosocial.org +// SPDX-License-Identifier: AGPL-3.0-or-later +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. +// +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see . + +package apps + +import ( + "net/http" + + "github.com/gin-gonic/gin" + apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" + "github.com/superseriousbusiness/gotosocial/internal/gtserror" + "github.com/superseriousbusiness/gotosocial/internal/paging" +) + +// AppsGETHandler swagger:operation GET /api/v1/apps appsGet +// +// Get an array of applications that are managed by the requester. +// +// The next and previous queries can be parsed from the returned Link header. +// +// Example: +// +// ``` +// ; rel="next", ; rel="prev" +// ```` +// +// --- +// tags: +// - apps +// +// produces: +// - application/json +// +// parameters: +// - +// name: max_id +// type: string +// description: >- +// Return only items *OLDER* than the given max item ID. +// The item with the specified ID will not be included in the response. +// in: query +// required: false +// - +// name: since_id +// type: string +// description: >- +// Return only items *newer* than the given since item ID. +// The item with the specified ID will not be included in the response. +// in: query +// - +// name: min_id +// type: string +// description: >- +// Return only items *immediately newer* than the given since item ID. +// The item with the specified ID will not be included in the response. +// in: query +// required: false +// - +// name: limit +// type: integer +// description: Number of items to return. +// default: 20 +// in: query +// required: false +// max: 80 +// min: 0 +// +// security: +// - OAuth2 Bearer: +// - read:applications +// +// responses: +// '200': +// headers: +// Link: +// type: string +// description: Links to the next and previous queries. +// schema: +// type: array +// items: +// "$ref": "#/definitions/application" +// '400': +// description: bad request +// '401': +// description: unauthorized +// '404': +// description: not found +// '406': +// description: not acceptable +// '500': +// description: internal server error +func (m *Module) AppsGETHandler(c *gin.Context) { + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadApplications, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) + return + } + + if _, err := apiutil.NegotiateAccept(c, apiutil.JSONAcceptHeaders...); err != nil { + apiutil.ErrorHandler(c, gtserror.NewErrorNotAcceptable(err, err.Error()), m.processor.InstanceGetV1) + return + } + + page, errWithCode := paging.ParseIDPage(c, + 0, // min limit + 80, // max limit + 20, // default limit + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) + return + } + + resp, errWithCode := m.processor.Application().GetPage( + c.Request.Context(), + authed.User.ID, + page, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) + return + } + + if resp.LinkHeader != "" { + c.Header("Link", resp.LinkHeader) + } + + apiutil.JSON(c, http.StatusOK, resp.Items) +} diff --git a/internal/api/client/tokens/tokensget.go b/internal/api/client/tokens/tokensget.go index 2ffc2afb9..15fc5511f 100644 --- a/internal/api/client/tokens/tokensget.go +++ b/internal/api/client/tokens/tokensget.go @@ -52,7 +52,7 @@ import ( // name: max_id // type: string // description: >- -// Return only items *OLDER* than the given max status ID. +// Return only items *OLDER* than the given max item ID. // The item with the specified ID will not be included in the response. // in: query // required: false @@ -60,14 +60,14 @@ import ( // name: since_id // type: string // description: >- -// Return only items *newer* than the given since status ID. +// Return only items *newer* than the given since item ID. // The item with the specified ID will not be included in the response. // in: query // - // name: min_id // type: string // description: >- -// Return only items *immediately newer* than the given since status ID. +// Return only items *immediately newer* than the given since item ID. // The item with the specified ID will not be included in the response. // in: query // required: false diff --git a/internal/api/model/application.go b/internal/api/model/application.go index 720674ad5..3f974683f 100644 --- a/internal/api/model/application.go +++ b/internal/api/model/application.go @@ -24,6 +24,9 @@ type Application struct { // The ID of the application. // example: 01FBVD42CQ3ZEEVMW180SBX03B ID string `json:"id,omitempty"` + // When the application was created. (ISO 8601 Datetime) + // example: 2021-07-30T09:20:25+00:00 + CreatedAt string `json:"created_at,omitempty"` // The name of the application. // example: Tusky Name string `json:"name"` diff --git a/internal/api/util/scopes.go b/internal/api/util/scopes.go index 8161de500..594a46ecd 100644 --- a/internal/api/util/scopes.go +++ b/internal/api/util/scopes.go @@ -27,6 +27,7 @@ const ( /* Sub-scopes / scope components */ scopeAccounts = "accounts" + scopeApplications = "applications" scopeBlocks = "blocks" scopeBookmarks = "bookmarks" scopeConversations = "conversations" @@ -57,6 +58,8 @@ const ( ScopeReadAccounts Scope = ScopeRead + ":" + scopeAccounts ScopeWriteAccounts Scope = ScopeWrite + ":" + scopeAccounts + ScopeReadApplications Scope = ScopeRead + ":" + scopeApplications + ScopeWriteApplications Scope = ScopeWrite + ":" + scopeApplications ScopeReadBlocks Scope = ScopeRead + ":" + scopeBlocks ScopeWriteBlocks Scope = ScopeWrite + ":" + scopeBlocks ScopeReadBookmarks Scope = ScopeRead + ":" + scopeBookmarks diff --git a/internal/db/application.go b/internal/db/application.go index a3061f028..76948b0fd 100644 --- a/internal/db/application.go +++ b/internal/db/application.go @@ -31,11 +31,14 @@ type Application interface { // GetApplicationByClientID fetches the application from the database with corresponding client_id value. GetApplicationByClientID(ctx context.Context, clientID string) (*gtsmodel.Application, error) + // GetApplicationsManagedByUserID fetches a page of applications managed by the given userID. + GetApplicationsManagedByUserID(ctx context.Context, userID string, page *paging.Page) ([]*gtsmodel.Application, error) + // PutApplication places the new application in the database, erroring on non-unique ID or client_id. PutApplication(ctx context.Context, app *gtsmodel.Application) error - // DeleteApplicationByClientID deletes the application with corresponding client_id value from the database. - DeleteApplicationByClientID(ctx context.Context, clientID string) error + // DeleteApplicationByID deletes the application with corresponding id from the database. + DeleteApplicationByID(ctx context.Context, id string) error // GetAllTokens fetches all client oauth tokens from database. GetAllTokens(ctx context.Context) ([]*gtsmodel.Token, error) @@ -72,4 +75,8 @@ type Application interface { // DeleteTokenByRefresh deletes client oauth token from database with refresh code. DeleteTokenByRefresh(ctx context.Context, refresh string) error + + // DeleteTokensByClientID deletes all tokens + // with the given clientID from the database. + DeleteTokensByClientID(ctx context.Context, clientID string) error } diff --git a/internal/db/bundb/admin.go b/internal/db/bundb/admin.go index a311d2fc5..02f10f44f 100644 --- a/internal/db/bundb/admin.go +++ b/internal/db/bundb/admin.go @@ -194,6 +194,17 @@ func (a *adminDB) NewSignup(ctx context.Context, newSignup gtsmodel.NewSignup) ( return nil, err } + // If no app ID was set, + // use the instance app ID. + if newSignup.AppID == "" { + instanceApp, err := a.state.DB.GetInstanceApplication(ctx) + if err != nil { + err := gtserror.Newf("db error getting instance app: %w", err) + return nil, err + } + newSignup.AppID = instanceApp.ID + } + user = >smodel.User{ ID: newUserID, AccountID: account.ID, diff --git a/internal/db/bundb/application.go b/internal/db/bundb/application.go index c21221c9f..1a600d620 100644 --- a/internal/db/bundb/application.go +++ b/internal/db/bundb/application.go @@ -56,6 +56,73 @@ func (a *applicationDB) GetApplicationByClientID(ctx context.Context, clientID s ) } +func (a *applicationDB) GetApplicationsManagedByUserID( + ctx context.Context, + userID string, + page *paging.Page, +) ([]*gtsmodel.Application, error) { + var ( + // Get paging params. + minID = page.GetMin() + maxID = page.GetMax() + limit = page.GetLimit() + order = page.GetOrder() + + // Make educated guess for slice size. + appIDs = make([]string, 0, limit) + ) + + // Ensure user ID. + if userID == "" { + return nil, gtserror.New("userID not set") + } + + q := a.db. + NewSelect(). + TableExpr("? AS ?", bun.Ident("applications"), bun.Ident("application")). + Column("application.id"). + Where("? = ?", bun.Ident("application.managed_by_user_id"), userID) + + if maxID != "" { + // Return only apps LOWER (ie., older) than maxID. + q = q.Where("? < ?", bun.Ident("application.id"), maxID) + } + + if minID != "" { + // Return only apps HIGHER (ie., newer) than minID. + q = q.Where("? > ?", bun.Ident("application.id"), minID) + } + + if limit > 0 { + q = q.Limit(limit) + } + + if order == paging.OrderAscending { + // Page up. + q = q.Order("application.id ASC") + } else { + // Page down. + q = q.Order("application.id DESC") + } + + if err := q.Scan(ctx, &appIDs); err != nil { + return nil, err + } + + if len(appIDs) == 0 { + return nil, nil + } + + // If we're paging up, we still want apps + // to be sorted by ID desc (ie., newest to + // oldest), so reverse ids slice. + if order == paging.OrderAscending { + slices.Reverse(appIDs) + } + + return a.getApplicationsByIDs(ctx, appIDs) +} + func (a *applicationDB) getApplication(ctx context.Context, lookup string, dbQuery func(*gtsmodel.Application) error, keyParts ...any) (*gtsmodel.Application, error) { return a.state.Caches.DB.Application.LoadOne(lookup, func() (*gtsmodel.Application, error) { var app gtsmodel.Application @@ -69,6 +136,37 @@ func (a *applicationDB) getApplication(ctx context.Context, lookup string, dbQue }, keyParts...) } +func (a *applicationDB) getApplicationsByIDs(ctx context.Context, ids []string) ([]*gtsmodel.Application, error) { + apps, err := a.state.Caches.DB.Application.LoadIDs("ID", + ids, + func(uncached []string) ([]*gtsmodel.Application, error) { + // Preallocate expected length of uncached apps. + apps := make([]*gtsmodel.Application, 0, len(uncached)) + + // Perform database query scanning + // the remaining (uncached) app IDs. + if err := a.db.NewSelect(). + Model(&apps). + Where("? IN (?)", bun.Ident("id"), bun.In(uncached)). + Scan(ctx); err != nil { + return nil, err + } + + return apps, nil + }, + ) + if err != nil { + return nil, err + } + + // Reorder the apps by their + // IDs to ensure in correct order. + getID := func(t *gtsmodel.Application) string { return t.ID } + xslices.OrderBy(apps, ids, getID) + + return apps, nil +} + func (a *applicationDB) PutApplication(ctx context.Context, app *gtsmodel.Application) error { return a.state.Caches.DB.Application.Store(app, func() error { _, err := a.db.NewInsert().Model(app).Exec(ctx) @@ -76,27 +174,25 @@ func (a *applicationDB) PutApplication(ctx context.Context, app *gtsmodel.Applic }) } -func (a *applicationDB) DeleteApplicationByClientID(ctx context.Context, clientID string) error { - // Attempt to delete application. - if _, err := a.db.NewDelete(). +// DeleteApplicationByID deletes application with the given ID. +// +// The function does not delete tokens owned by the application +// or update statuses/accounts that used the application, since +// the latter can be extremely expensive given the size of the +// statuses table. +// +// Callers to this function should ensure that they do side +// effects themselves (if required) before or after calling. +func (a *applicationDB) DeleteApplicationByID(ctx context.Context, id string) error { + _, err := a.db.NewDelete(). Table("applications"). - Where("? = ?", bun.Ident("client_id"), clientID). - Exec(ctx); err != nil { + Where("? = ?", bun.Ident("id"), id). + Exec(ctx) + if err != nil { return err } - // NOTE about further side effects: - // - // We don't need to handle updating any statuses or users - // (both of which may contain refs to applications), as - // DeleteApplication__() is only ever called during an - // account deletion, which handles deletion of the user - // and all their statuses already. - // - - // Clear application from the cache. - a.state.Caches.DB.Application.Invalidate("ClientID", clientID) - + a.state.Caches.DB.Application.Invalidate("ID", id) return nil } @@ -363,3 +459,27 @@ func (a *applicationDB) DeleteTokenByRefresh(ctx context.Context, refresh string a.state.Caches.DB.Token.Invalidate("Refresh", refresh) return nil } + +func (a *applicationDB) DeleteTokensByClientID(ctx context.Context, clientID string) error { + // Delete tokens owned by + // clientID and gather token IDs. + var tokenIDs []string + if _, err := a.db. + NewDelete(). + Table("tokens"). + Where("? = ?", bun.Ident("client_id"), clientID). + Returning("id"). + Exec(ctx, &tokenIDs); err != nil { + return err + } + + if len(tokenIDs) == 0 { + // Nothing was deleted, + // nothing to invalidate. + return nil + } + + // Invalidate all deleted tokens. + a.state.Caches.DB.Token.InvalidateIDs("ID", tokenIDs) + return nil +} diff --git a/internal/db/bundb/application_test.go b/internal/db/bundb/application_test.go index b6b19319c..540c632b5 100644 --- a/internal/db/bundb/application_test.go +++ b/internal/db/bundb/application_test.go @@ -92,7 +92,7 @@ func (suite *ApplicationTestSuite) TestDeleteApplicationBy() { for _, app := range suite.testApplications { for lookup, dbfunc := range map[string]func() error{ "client_id": func() error { - return suite.db.DeleteApplicationByClientID(ctx, app.ClientID) + return suite.db.DeleteApplicationByID(ctx, app.ID) }, } { // Clear database caches. @@ -124,6 +124,36 @@ func (suite *ApplicationTestSuite) TestGetAllTokens() { suite.NotEmpty(tokens) } +func (suite *ApplicationTestSuite) TestDeleteTokensByClientID() { + ctx := context.Background() + + // Delete tokens by each app. + for _, app := range suite.testApplications { + if err := suite.state.DB.DeleteTokensByClientID(ctx, app.ClientID); err != nil { + suite.FailNow(err.Error()) + } + } + + // Ensure all tokens deleted. + for _, token := range suite.testTokens { + _, err := suite.db.GetTokenByID(ctx, token.ID) + if !errors.Is(err, db.ErrNoEntries) { + suite.FailNow("", "token %s not deleted", token.ID) + } + } +} + +func (suite *ApplicationTestSuite) TestDeleteTokensByUnknownClientID() { + // Should not return ErrNoRows even though + // the client with given ID doesn't exist. + if err := suite.state.DB.DeleteTokensByClientID( + context.Background(), + "01JPJ4NCGH6GHY7ZVYBHNP55XS", + ); err != nil { + suite.FailNow(err.Error()) + } +} + func TestApplicationTestSuite(t *testing.T) { suite.Run(t, new(ApplicationTestSuite)) } diff --git a/internal/db/bundb/migrations/20250310144102_application_management.go b/internal/db/bundb/migrations/20250310144102_application_management.go new file mode 100644 index 000000000..46ff9926b --- /dev/null +++ b/internal/db/bundb/migrations/20250310144102_application_management.go @@ -0,0 +1,105 @@ +// GoToSocial +// Copyright (C) GoToSocial Authors admin@gotosocial.org +// SPDX-License-Identifier: AGPL-3.0-or-later +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. +// +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see . + +package migrations + +import ( + "context" + + "github.com/superseriousbusiness/gotosocial/internal/config" + "github.com/uptrace/bun" +) + +func init() { + up := func(ctx context.Context, db *bun.DB) error { + return db.RunInTx(ctx, nil, func(ctx context.Context, tx bun.Tx) error { + // Add client_id index to token table, + // needed for invalidation if/when the + // token's app is deleted. + if _, err := tx. + NewCreateIndex(). + Table("tokens"). + Index("tokens_client_id_idx"). + Column("client_id"). + IfNotExists(). + Exec(ctx); err != nil { + return err + } + + // Update users to set all "created_by_application_id" + // values to the instance application, to correct some + // past issues where this wasn't set. Skip this if there's + // no users though, as in that case we probably don't even + // have an instance application yet. + usersLen, err := tx. + NewSelect(). + Table("users"). + Count(ctx) + if err != nil { + return err + } + + if usersLen == 0 { + // Nothing to do. + return nil + } + + // Get Instance account ID. + var instanceAcctID string + if err := tx. + NewSelect(). + Table("accounts"). + Column("id"). + Where("? = ?", bun.Ident("username"), config.GetHost()). + Where("? IS NULL", bun.Ident("domain")). + Scan(ctx, &instanceAcctID); err != nil { + return err + } + + // Get the instance app ID. + var instanceAppID string + if err := tx. + NewSelect(). + Table("applications"). + Column("id"). + Where("? = ?", bun.Ident("client_id"), instanceAcctID). + Scan(ctx, &instanceAppID); err != nil { + return err + } + + // Set instance app + // ID on all users. + if _, err := tx. + NewUpdate(). + Table("users"). + Set("? = ?", bun.Ident("created_by_application_id"), instanceAppID). + Exec(ctx); err != nil { + return err + } + + return nil + }) + } + + down := func(ctx context.Context, db *bun.DB) error { + return nil + } + + if err := Migrations.Register(up, down); err != nil { + panic(err) + } +} diff --git a/internal/db/bundb/status.go b/internal/db/bundb/status.go index fea5594dd..8383a9c01 100644 --- a/internal/db/bundb/status.go +++ b/internal/db/bundb/status.go @@ -299,11 +299,12 @@ func (s *statusDB) PopulateStatus(ctx context.Context, status *gtsmodel.Status) if status.CreatedWithApplicationID != "" && status.CreatedWithApplication == nil { // Populate the status' expected CreatedWithApplication (not always set). + // Don't error on ErrNoEntries, as the application may have been cleaned up. status.CreatedWithApplication, err = s.state.DB.GetApplicationByID( gtscontext.SetBarebones(ctx), status.CreatedWithApplicationID, ) - if err != nil { + if err != nil && !errors.Is(err, db.ErrNoEntries) { errs.Appendf("error populating status application: %w", err) } } diff --git a/internal/gtsmodel/token.go b/internal/gtsmodel/token.go index 6fe944290..46d30ba7d 100644 --- a/internal/gtsmodel/token.go +++ b/internal/gtsmodel/token.go @@ -27,7 +27,7 @@ type Token struct { ClientID string `bun:"type:CHAR(26),nullzero,notnull"` // ID of the client who owns this token UserID string `bun:"type:CHAR(26),nullzero"` // ID of the user who owns this token RedirectURI string `bun:",nullzero,notnull"` // Oauth redirect URI for this token - Scope string `bun:",nullzero,notnull,default:'read'"` // Oauth scope // Oauth scope + Scope string `bun:",nullzero,notnull,default:'read'"` // Oauth scope Code string `bun:",pk,nullzero,notnull,default:''"` // Code, if present CodeChallenge string `bun:",nullzero"` // Code challenge, if code present CodeChallengeMethod string `bun:",nullzero"` // Code challenge method, if code present diff --git a/internal/processing/account/delete.go b/internal/processing/account/delete.go index 0064d7eb4..ab64c3270 100644 --- a/internal/processing/account/delete.go +++ b/internal/processing/account/delete.go @@ -107,19 +107,33 @@ func (p *Processor) deleteUserAndTokensForAccount(ctx context.Context, account * return gtserror.Newf("db error getting user: %w", err) } - tokens := []*gtsmodel.Token{} - if err := p.state.DB.GetWhere(ctx, []db.Where{{Key: "user_id", Value: user.ID}}, &tokens); err != nil { + // Get all applications owned by user. + apps, err := p.state.DB.GetApplicationsManagedByUserID(ctx, user.ID, nil) + if err != nil { + return gtserror.Newf("db error getting apps: %w", err) + } + + // Delete each app and any tokens it had created + // (not necessarily owned by deleted account). + for _, a := range apps { + if err := p.state.DB.DeleteApplicationByID(ctx, a.ID); err != nil { + return gtserror.Newf("db error deleting app: %w", err) + } + + if err := p.state.DB.DeleteTokensByClientID(ctx, a.ClientID); err != nil { + return gtserror.Newf("db error deleting tokens for app: %w", err) + } + } + + // Get any remaining access tokens owned by user. + tokens, err := p.state.DB.GetAccessTokens(ctx, user.ID, nil) + if err != nil { return gtserror.Newf("db error getting tokens: %w", err) } + // Delete each token. for _, t := range tokens { - // Delete any OAuth applications associated with this token. - if err := p.state.DB.DeleteApplicationByClientID(ctx, t.ClientID); err != nil { - return gtserror.Newf("db error deleting application: %w", err) - } - - // Delete the token itself. - if err := p.state.DB.DeleteByID(ctx, t.ID, t); err != nil { + if err := p.state.DB.DeleteTokenByID(ctx, t.ID); err != nil { return gtserror.Newf("db error deleting token: %w", err) } } diff --git a/internal/processing/application/application.go b/internal/processing/application/application.go new file mode 100644 index 000000000..4ad35749e --- /dev/null +++ b/internal/processing/application/application.go @@ -0,0 +1,38 @@ +// GoToSocial +// Copyright (C) GoToSocial Authors admin@gotosocial.org +// SPDX-License-Identifier: AGPL-3.0-or-later +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. +// +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see . + +package application + +import ( + "github.com/superseriousbusiness/gotosocial/internal/state" + "github.com/superseriousbusiness/gotosocial/internal/typeutils" +) + +type Processor struct { + state *state.State + converter *typeutils.Converter +} + +func New( + state *state.State, + converter *typeutils.Converter, +) Processor { + return Processor{ + state: state, + converter: converter, + } +} diff --git a/internal/processing/app.go b/internal/processing/application/create.go similarity index 68% rename from internal/processing/app.go rename to internal/processing/application/create.go index c9bd4eb68..d1340a39f 100644 --- a/internal/processing/app.go +++ b/internal/processing/application/create.go @@ -15,24 +15,28 @@ // You should have received a copy of the GNU Affero General Public License // along with this program. If not, see . -package processing +package application import ( "context" + "errors" "fmt" "net/url" "strings" "github.com/google/uuid" apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" - apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" "github.com/superseriousbusiness/gotosocial/internal/id" "github.com/superseriousbusiness/gotosocial/internal/oauth" ) -func (p *Processor) AppCreate(ctx context.Context, authed *apiutil.Auth, form *apimodel.ApplicationCreateRequest) (*apimodel.Application, gtserror.WithCode) { +func (p *Processor) Create( + ctx context.Context, + managedByUserID string, + form *apimodel.ApplicationCreateRequest, +) (*apimodel.Application, gtserror.WithCode) { // Set default 'read' for // scopes if it's not set. var scopes string @@ -49,13 +53,32 @@ func (p *Processor) AppCreate(ctx context.Context, authed *apiutil.Auth, form *a // Redirect URIs can be just one value, or can be passed // as a newline-separated list of strings. Ensure each URI // is parseable + normalize it by reconstructing from *url.URL. - for _, redirectStr := range strings.Split(form.RedirectURIs, "\n") { + // Also ensure we don't add multiple copies of the same URI. + redirectStrs := strings.Split(form.RedirectURIs, "\n") + added := make(map[string]struct{}, len(redirectStrs)) + + for _, redirectStr := range redirectStrs { + redirectStr = strings.TrimSpace(redirectStr) + if redirectStr == "" { + continue + } + redirectURI, err := url.Parse(redirectStr) if err != nil { errText := fmt.Sprintf("error parsing redirect URI: %v", err) return nil, gtserror.NewErrorBadRequest(err, errText) } - redirectURIs = append(redirectURIs, redirectURI.String()) + + redirectURIStr := redirectURI.String() + if _, alreadyAdded := added[redirectURIStr]; !alreadyAdded { + redirectURIs = append(redirectURIs, redirectURIStr) + added[redirectURIStr] = struct{}{} + } + } + + if len(redirectURIs) == 0 { + errText := "no redirect URIs left after trimming space" + return nil, gtserror.NewErrorBadRequest(errors.New(errText), errText) } } else { // No redirect URI(s) provided, just set default oob. @@ -71,13 +94,14 @@ func (p *Processor) AppCreate(ctx context.Context, authed *apiutil.Auth, form *a // Generate + store app // to put in the database. app := >smodel.Application{ - ID: id.NewULID(), - Name: form.ClientName, - Website: form.Website, - RedirectURIs: redirectURIs, - ClientID: clientID, - ClientSecret: uuid.NewString(), - Scopes: scopes, + ID: id.NewULID(), + Name: form.ClientName, + Website: form.Website, + RedirectURIs: redirectURIs, + ClientID: clientID, + ClientSecret: uuid.NewString(), + Scopes: scopes, + ManagedByUserID: managedByUserID, } if err := p.state.DB.PutApplication(ctx, app); err != nil { return nil, gtserror.NewErrorInternalError(err) diff --git a/internal/processing/application/delete.go b/internal/processing/application/delete.go new file mode 100644 index 000000000..02f5e4bfa --- /dev/null +++ b/internal/processing/application/delete.go @@ -0,0 +1,70 @@ +// GoToSocial +// Copyright (C) GoToSocial Authors admin@gotosocial.org +// SPDX-License-Identifier: AGPL-3.0-or-later +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. +// +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see . + +package application + +import ( + "context" + "errors" + + apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" + "github.com/superseriousbusiness/gotosocial/internal/db" + "github.com/superseriousbusiness/gotosocial/internal/gtserror" +) + +func (p *Processor) Delete( + ctx context.Context, + userID string, + appID string, +) (*apimodel.Application, gtserror.WithCode) { + app, err := p.state.DB.GetApplicationByID(ctx, appID) + if err != nil && !errors.Is(err, db.ErrNoEntries) { + err := gtserror.Newf("db error getting app %s: %w", appID, err) + return nil, gtserror.NewErrorInternalError(err) + } + + if app == nil { + err := gtserror.Newf("app %s not found in the db", appID) + return nil, gtserror.NewErrorNotFound(err) + } + + if app.ManagedByUserID != userID { + err := gtserror.Newf("app %s not managed by user %s", appID, userID) + return nil, gtserror.NewErrorNotFound(err) + } + + // Convert app before deletion. + apiApp, err := p.converter.AppToAPIAppSensitive(ctx, app) + if err != nil { + err := gtserror.Newf("error converting app to api app: %w", err) + return nil, gtserror.NewErrorInternalError(err) + } + + // Delete app itself. + if err := p.state.DB.DeleteApplicationByID(ctx, appID); err != nil { + err := gtserror.Newf("db error deleting app %s: %w", appID, err) + return nil, gtserror.NewErrorInternalError(err) + } + + // Delete all tokens owned by app. + if err := p.state.DB.DeleteTokensByClientID(ctx, app.ClientID); err != nil { + err := gtserror.Newf("db error deleting tokens for app %s: %w", appID, err) + return nil, gtserror.NewErrorInternalError(err) + } + + return apiApp, nil +} diff --git a/internal/processing/application/get.go b/internal/processing/application/get.go new file mode 100644 index 000000000..0a3eb8e04 --- /dev/null +++ b/internal/processing/application/get.go @@ -0,0 +1,104 @@ +// GoToSocial +// Copyright (C) GoToSocial Authors admin@gotosocial.org +// SPDX-License-Identifier: AGPL-3.0-or-later +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. +// +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see . + +package application + +import ( + "context" + "errors" + + apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" + "github.com/superseriousbusiness/gotosocial/internal/db" + "github.com/superseriousbusiness/gotosocial/internal/gtserror" + "github.com/superseriousbusiness/gotosocial/internal/log" + "github.com/superseriousbusiness/gotosocial/internal/paging" +) + +func (p *Processor) Get( + ctx context.Context, + userID string, + appID string, +) (*apimodel.Application, gtserror.WithCode) { + app, err := p.state.DB.GetApplicationByID(ctx, appID) + if err != nil && !errors.Is(err, db.ErrNoEntries) { + err := gtserror.Newf("db error getting app %s: %w", appID, err) + return nil, gtserror.NewErrorInternalError(err) + } + + if app == nil { + err := gtserror.Newf("app %s not found in the db", appID) + return nil, gtserror.NewErrorNotFound(err) + } + + if app.ManagedByUserID != userID { + err := gtserror.Newf("app %s not managed by user %s", appID, userID) + return nil, gtserror.NewErrorNotFound(err) + } + + apiApp, err := p.converter.AppToAPIAppSensitive(ctx, app) + if err != nil { + err := gtserror.Newf("error converting app to api app: %w", err) + return nil, gtserror.NewErrorInternalError(err) + } + + return apiApp, nil +} + +func (p *Processor) GetPage( + ctx context.Context, + userID string, + page *paging.Page, +) (*apimodel.PageableResponse, gtserror.WithCode) { + apps, err := p.state.DB.GetApplicationsManagedByUserID(ctx, userID, page) + if err != nil && !errors.Is(err, db.ErrNoEntries) { + err := gtserror.Newf("db error getting apps: %w", err) + return nil, gtserror.NewErrorInternalError(err) + } + + count := len(apps) + if count == 0 { + return paging.EmptyResponse(), nil + } + + var ( + // Get the lowest and highest + // ID values, used for paging. + lo = apps[count-1].ID + hi = apps[0].ID + + // Best-guess items length. + items = make([]interface{}, 0, count) + ) + + for _, app := range apps { + apiApp, err := p.converter.AppToAPIAppSensitive(ctx, app) + if err != nil { + log.Errorf(ctx, "error converting app to api app: %v", err) + continue + } + + // Append req to return items. + items = append(items, apiApp) + } + + return paging.PackageResponse(paging.ResponseParams{ + Items: items, + Path: "/api/v1/apps", + Next: page.Next(lo, hi), + Prev: page.Prev(lo, hi), + }), nil +} diff --git a/internal/processing/processor.go b/internal/processing/processor.go index 0bba23089..0324f49cf 100644 --- a/internal/processing/processor.go +++ b/internal/processing/processor.go @@ -29,6 +29,7 @@ import ( "github.com/superseriousbusiness/gotosocial/internal/processing/account" "github.com/superseriousbusiness/gotosocial/internal/processing/admin" "github.com/superseriousbusiness/gotosocial/internal/processing/advancedmigrations" + "github.com/superseriousbusiness/gotosocial/internal/processing/application" "github.com/superseriousbusiness/gotosocial/internal/processing/common" "github.com/superseriousbusiness/gotosocial/internal/processing/conversations" "github.com/superseriousbusiness/gotosocial/internal/processing/fedi" @@ -81,6 +82,7 @@ type Processor struct { account account.Processor admin admin.Processor advancedmigrations advancedmigrations.Processor + application application.Processor conversations conversations.Processor fedi fedi.Processor filtersv1 filtersv1.Processor @@ -113,6 +115,10 @@ func (p *Processor) AdvancedMigrations() *advancedmigrations.Processor { return &p.advancedmigrations } +func (p *Processor) Application() *application.Processor { + return &p.application +} + func (p *Processor) Conversations() *conversations.Processor { return &p.conversations } @@ -221,6 +227,7 @@ func NewProcessor( // processors + pin them to this struct. processor.account = account.New(&common, state, converter, mediaManager, federator, visFilter, parseMentionFunc) processor.admin = admin.New(&common, state, cleaner, subscriptions, federator, converter, mediaManager, federator.TransportController(), emailSender) + processor.application = application.New(state, converter) processor.conversations = conversations.New(state, converter, visFilter) processor.fedi = fedi.New(state, &common, converter, federator, visFilter) processor.filtersv1 = filtersv1.New(state, converter, &processor.stream) diff --git a/internal/typeutils/internaltofrontend.go b/internal/typeutils/internaltofrontend.go index 537eeb6db..b0e137f75 100644 --- a/internal/typeutils/internaltofrontend.go +++ b/internal/typeutils/internaltofrontend.go @@ -623,8 +623,14 @@ func (c *Converter) AppToAPIAppSensitive(ctx context.Context, a *gtsmodel.Applic return nil, gtserror.Newf("error getting VAPID public key: %w", err) } + createdAt, err := id.TimeFromULID(a.ID) + if err != nil { + return nil, gtserror.Newf("error converting id to time: %w", err) + } + return &apimodel.Application{ ID: a.ID, + CreatedAt: util.FormatISO8601(createdAt), Name: a.Name, Website: a.Website, RedirectURI: strings.Join(a.RedirectURIs, "\n"), @@ -1412,14 +1418,28 @@ func (c *Converter) baseStatusToFrontend( apiStatus.InReplyToAccountID = util.PtrIf(s.InReplyToAccountID) apiStatus.Language = util.PtrIf(s.Language) - if app := s.CreatedWithApplication; app != nil { - apiStatus.Application, err = c.AppToAPIAppPublic(ctx, app) + switch { + case s.CreatedWithApplication != nil: + // App exists for this status and is set. + apiStatus.Application, err = c.AppToAPIAppPublic(ctx, s.CreatedWithApplication) if err != nil { return nil, gtserror.Newf( "error converting application %s: %w", s.CreatedWithApplicationID, err, ) } + + case s.CreatedWithApplicationID != "": + // App existed for this status but not + // anymore, it's probably been cleaned up. + // Set a dummy application. + apiStatus.Application = &apimodel.Application{ + Name: "unknown application", + } + + default: + // No app stored for this (probably remote) + // status, so nothing to do (app is optional). } if s.Poll != nil { diff --git a/internal/typeutils/internaltofrontend_test.go b/internal/typeutils/internaltofrontend_test.go index 0b2c6ddfa..c94d4481a 100644 --- a/internal/typeutils/internaltofrontend_test.go +++ b/internal/typeutils/internaltofrontend_test.go @@ -753,6 +753,156 @@ func (suite *InternalToFrontendTestSuite) TestStatusToFrontendHTMLContentWarning }`, string(b)) } +func (suite *InternalToFrontendTestSuite) TestStatusToFrontendApplicationDeleted() { + ctx := context.Background() + testStatus := suite.testStatuses["admin_account_status_1"] + + // Delete the application this status was created with. + if err := suite.state.DB.DeleteApplicationByID(ctx, testStatus.CreatedWithApplicationID); err != nil { + suite.FailNow(err.Error()) + } + + requestingAccount := suite.testAccounts["local_account_1"] + apiStatus, err := suite.typeconverter.StatusToAPIStatus(ctx, testStatus, requestingAccount, statusfilter.FilterContextNone, nil, nil) + suite.NoError(err) + + b, err := json.MarshalIndent(apiStatus, "", " ") + suite.NoError(err) + + suite.Equal(`{ + "id": "01F8MH75CBF9JFX4ZAD54N0W0R", + "created_at": "2021-10-20T11:36:45.000Z", + "edited_at": null, + "in_reply_to_id": null, + "in_reply_to_account_id": null, + "sensitive": false, + "spoiler_text": "", + "visibility": "public", + "language": "en", + "uri": "http://localhost:8080/users/admin/statuses/01F8MH75CBF9JFX4ZAD54N0W0R", + "url": "http://localhost:8080/@admin/statuses/01F8MH75CBF9JFX4ZAD54N0W0R", + "replies_count": 1, + "reblogs_count": 0, + "favourites_count": 1, + "favourited": true, + "reblogged": false, + "muted": false, + "bookmarked": true, + "pinned": false, + "content": "\u003cp\u003ehello world! \u003ca href=\"http://localhost:8080/tags/welcome\" class=\"mention hashtag\" rel=\"tag nofollow noreferrer noopener\" target=\"_blank\"\u003e#\u003cspan\u003ewelcome\u003c/span\u003e\u003c/a\u003e ! first post on the instance :rainbow: !\u003c/p\u003e", + "reblog": null, + "application": { + "name": "unknown application" + }, + "account": { + "id": "01F8MH17FWEB39HZJ76B6VXSKF", + "username": "admin", + "acct": "admin", + "display_name": "", + "locked": false, + "discoverable": true, + "bot": false, + "created_at": "2022-05-17T13:10:59.000Z", + "note": "", + "url": "http://localhost:8080/@admin", + "avatar": "", + "avatar_static": "", + "header": "http://localhost:8080/assets/default_header.webp", + "header_static": "http://localhost:8080/assets/default_header.webp", + "header_description": "Flat gray background (default header).", + "followers_count": 1, + "following_count": 1, + "statuses_count": 4, + "last_status_at": "2021-10-20", + "emojis": [], + "fields": [], + "enable_rss": true, + "roles": [ + { + "id": "admin", + "name": "admin", + "color": "" + } + ], + "group": false + }, + "media_attachments": [ + { + "id": "01F8MH6NEM8D7527KZAECTCR76", + "type": "image", + "url": "http://localhost:8080/fileserver/01F8MH17FWEB39HZJ76B6VXSKF/attachment/original/01F8MH6NEM8D7527KZAECTCR76.jpg", + "text_url": "http://localhost:8080/fileserver/01F8MH17FWEB39HZJ76B6VXSKF/attachment/original/01F8MH6NEM8D7527KZAECTCR76.jpg", + "preview_url": "http://localhost:8080/fileserver/01F8MH17FWEB39HZJ76B6VXSKF/attachment/small/01F8MH6NEM8D7527KZAECTCR76.webp", + "remote_url": null, + "preview_remote_url": null, + "meta": { + "original": { + "width": 1200, + "height": 630, + "size": "1200x630", + "aspect": 1.9047619 + }, + "small": { + "width": 512, + "height": 268, + "size": "512x268", + "aspect": 1.9104477 + }, + "focus": { + "x": 0, + "y": 0 + } + }, + "description": "Black and white image of some 50's style text saying: Welcome On Board", + "blurhash": "LIIE|gRj00WB-;j[t7j[4nWBj[Rj" + } + ], + "mentions": [], + "tags": [ + { + "name": "welcome", + "url": "http://localhost:8080/tags/welcome" + } + ], + "emojis": [ + { + "shortcode": "rainbow", + "url": "http://localhost:8080/fileserver/01AY6P665V14JJR0AFVRT7311Y/emoji/original/01F8MH9H8E4VG3KDYJR9EGPXCQ.png", + "static_url": "http://localhost:8080/fileserver/01AY6P665V14JJR0AFVRT7311Y/emoji/static/01F8MH9H8E4VG3KDYJR9EGPXCQ.png", + "visible_in_picker": true, + "category": "reactions" + } + ], + "card": null, + "poll": null, + "text": "hello world! #welcome ! first post on the instance :rainbow: !", + "content_type": "text/plain", + "interaction_policy": { + "can_favourite": { + "always": [ + "public", + "me" + ], + "with_approval": [] + }, + "can_reply": { + "always": [ + "public", + "me" + ], + "with_approval": [] + }, + "can_reblog": { + "always": [ + "public", + "me" + ], + "with_approval": [] + } + } +}`, string(b)) +} + // Modify a fixture status into a status that should be filtered, // and then filter it, returning the API status or any error from converting it. func (suite *InternalToFrontendTestSuite) filteredStatusToFrontend(action gtsmodel.FilterAction, boost bool) (*apimodel.Status, error) { diff --git a/web/source/settings/components/authorization/index.tsx b/web/source/settings/components/authorization/index.tsx index 7c6373399..3eeeb393a 100644 --- a/web/source/settings/components/authorization/index.tsx +++ b/web/source/settings/components/authorization/index.tsx @@ -17,7 +17,7 @@ along with this program. If not, see . */ -import { useLogoutMutation, useVerifyCredentialsQuery } from "../../lib/query/oauth"; +import { useLogoutMutation, useVerifyCredentialsQuery } from "../../lib/query/login"; import { store } from "../../redux/store"; import React, { ReactNode } from "react"; @@ -27,8 +27,8 @@ import { Error } from "../error"; import { NoArg } from "../../lib/types/query"; export function Authorization({ App }) { - const { loginState, expectingRedirect } = store.getState().oauth; - const skip = (loginState == "none" || loginState == "logout" || expectingRedirect); + const { current: loginState, expectingRedirect } = store.getState().login; + const skip = (loginState == "none" || loginState == "loggedout" || expectingRedirect); const [ logoutQuery ] = useLogoutMutation(); const { @@ -46,9 +46,9 @@ export function Authorization({ App }) { showLogin = false; let loadingInfo = ""; - if (loginState == "callback") { + if (loginState == "awaitingcallback") { loadingInfo = "Processing OAUTH callback."; - } else if (loginState == "login") { + } else if (loginState == "loggedin") { loadingInfo = "Verifying stored login."; } @@ -70,7 +70,7 @@ export function Authorization({ App }) { ); } - if (loginState == "login" && isSuccess) { + if (loginState == "loggedin" && isSuccess) { return ; } else { return ( diff --git a/web/source/settings/components/authorization/login.tsx b/web/source/settings/components/authorization/login.tsx index 28ed7953c..c54125972 100644 --- a/web/source/settings/components/authorization/login.tsx +++ b/web/source/settings/components/authorization/login.tsx @@ -19,7 +19,7 @@ import React from "react"; -import { useAuthorizeFlowMutation } from "../../lib/query/oauth"; +import { useAuthorizeFlowMutation } from "../../lib/query/login"; import { useTextInput, useValue } from "../../lib/form"; import useFormSubmit from "../../lib/form/submit"; import MutationButton from "../form/mutation-button"; diff --git a/web/source/settings/components/highlightedcode.tsx b/web/source/settings/components/highlightedcode.tsx new file mode 100644 index 000000000..eccecd709 --- /dev/null +++ b/web/source/settings/components/highlightedcode.tsx @@ -0,0 +1,44 @@ +/* + GoToSocial + Copyright (C) GoToSocial Authors admin@gotosocial.org + SPDX-License-Identifier: AGPL-3.0-or-later + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . +*/ + +import React, { useEffect, useRef } from "react"; + +// Used for syntax highlighting of json result. +import Prism from "../../frontend/prism"; + +export function HighlightedCode({ code, lang }: { code: string, lang: string }) { + const ref = useRef(null); + useEffect(() => { + if (ref.current) { + Prism.highlightElement(ref.current); + } + }, []); + + // Prism takes control of the `pre` so wrap + // the whole thing in a div that we control. + return ( +
+ 
+				
+					{code}
+				
+
+
+ ); +} diff --git a/web/source/settings/components/status.tsx b/web/source/settings/components/status.tsx index ec7af3ad3..701a9f8b7 100644 --- a/web/source/settings/components/status.tsx +++ b/web/source/settings/components/status.tsx @@ -18,7 +18,7 @@ */ import React from "react"; -import { useVerifyCredentialsQuery } from "../lib/query/oauth"; +import { useVerifyCredentialsQuery } from "../lib/query/login"; import { MediaAttachment, Status as StatusType } from "../lib/types/status"; import sanitize from "sanitize-html"; diff --git a/web/source/settings/components/user-logout-card.tsx b/web/source/settings/components/user-logout-card.tsx index f9acc9698..e15a1ee6a 100644 --- a/web/source/settings/components/user-logout-card.tsx +++ b/web/source/settings/components/user-logout-card.tsx @@ -20,7 +20,7 @@ import React from "react"; import Loading from "./loading"; import { Error as ErrorC } from "./error"; -import { useVerifyCredentialsQuery, useLogoutMutation } from "../lib/query/oauth"; +import { useVerifyCredentialsQuery, useLogoutMutation } from "../lib/query/login"; import { useInstanceV1Query } from "../lib/query/gts-api"; export default function UserLogoutCard() { diff --git a/web/source/settings/index.tsx b/web/source/settings/index.tsx index 5317658d2..c9ed5c30b 100644 --- a/web/source/settings/index.tsx +++ b/web/source/settings/index.tsx @@ -66,7 +66,7 @@ export function App({ account }: AppProps) { Ensure user ends up somewhere if they just open /settings. */} - + diff --git a/web/source/settings/lib/query/admin/custom-emoji/index.ts b/web/source/settings/lib/query/admin/custom-emoji/index.ts index 56684f03b..c5dd0a814 100644 --- a/web/source/settings/lib/query/admin/custom-emoji/index.ts +++ b/web/source/settings/lib/query/admin/custom-emoji/index.ts @@ -141,7 +141,7 @@ const extended = gtsApi.injectEndpoints({ searchItemForEmoji: build.mutation({ async queryFn(url, api, _extraOpts, fetchWithBQ) { const state = api.getState() as RootState; - const oauthState = state.oauth; + const loginState = state.login; // First search for given url. const searchRes = await fetchWithBQ({ @@ -161,8 +161,8 @@ const extended = gtsApi.injectEndpoints({ // Ensure emojis domain is not OUR domain. If it // is, we already have the emojis by definition. - if (oauthState.instanceUrl !== undefined) { - if (domain == new URL(oauthState.instanceUrl).host) { + if (loginState.instanceUrl !== undefined) { + if (domain == new URL(loginState.instanceUrl).host) { throw "LOCAL_INSTANCE"; } } diff --git a/web/source/settings/lib/query/admin/domain-permissions/export.ts b/web/source/settings/lib/query/admin/domain-permissions/export.ts index 868e3f7a4..f258991c6 100644 --- a/web/source/settings/lib/query/admin/domain-permissions/export.ts +++ b/web/source/settings/lib/query/admin/domain-permissions/export.ts @@ -116,7 +116,7 @@ const extended = gtsApi.injectEndpoints({ // Parse filename to something like: // `example.org-blocklist-2023-10-09.json`. const state = api.getState() as RootState; - const instanceUrl = state.oauth.instanceUrl?? "unknown"; + const instanceUrl = state.login.instanceUrl?? "unknown"; const domain = new URL(instanceUrl).host; const date = new Date(); const filename = [ diff --git a/web/source/settings/lib/query/gts-api.ts b/web/source/settings/lib/query/gts-api.ts index 401423766..540191132 100644 --- a/web/source/settings/lib/query/gts-api.ts +++ b/web/source/settings/lib/query/gts-api.ts @@ -77,7 +77,7 @@ const gtsBaseQuery: BaseQueryFn< // Retrieve state at the moment // this function was called. const state = api.getState() as RootState; - const { instanceUrl, token } = state.oauth; + const { instanceUrl, token } = state.login; // Derive baseUrl dynamically. let baseUrl: string | undefined; @@ -160,6 +160,7 @@ export const gtsApi = createApi({ reducerPath: "api", baseQuery: gtsBaseQuery, tagTypes: [ + "Application", "Auth", "Emoji", "Report", diff --git a/web/source/settings/lib/query/oauth/index.ts b/web/source/settings/lib/query/login/index.ts similarity index 87% rename from web/source/settings/lib/query/oauth/index.ts rename to web/source/settings/lib/query/login/index.ts index e151b0aee..e3b3b94a1 100644 --- a/web/source/settings/lib/query/oauth/index.ts +++ b/web/source/settings/lib/query/login/index.ts @@ -24,17 +24,10 @@ import { setToken as oauthSetToken, remove as oauthRemove, authorize as oauthAuthorize, -} from "../../../redux/oauth"; +} from "../../../redux/login"; import { RootState } from '../../../redux/store'; import { Account } from '../../types/account'; - -export interface OauthTokenRequestBody { - client_id: string; - client_secret: string; - redirect_uri: string; - grant_type: string; - code: string; -} +import { OAuthAccessTokenRequestBody } from '../../types/oauth'; function getSettingsURL() { /* @@ -45,7 +38,7 @@ function getSettingsURL() { Also drops anything past /settings/, because authorization urls that are too long get rejected by GTS. */ - let [pre, _past] = window.location.pathname.split("/settings"); + const [pre, _past] = window.location.pathname.split("/settings"); return `${window.location.origin}${pre}/settings`; } @@ -64,12 +57,12 @@ const extended = gtsApi.injectEndpoints({ error == undefined ? ["Auth"] : [], async queryFn(_arg, api, _extraOpts, fetchWithBQ) { const state = api.getState() as RootState; - const oauthState = state.oauth; + const loginState = state.login; // If we're not in the middle of an auth/callback, // we may already have an auth token, so just // return a standard verify_credentials query. - if (oauthState.loginState != 'callback') { + if (loginState.current != 'awaitingcallback') { return fetchWithBQ({ url: `/api/v1/accounts/verify_credentials` }); @@ -77,8 +70,8 @@ const extended = gtsApi.injectEndpoints({ // We're in the middle of an auth/callback flow. // Try to retrieve callback code from URL query. - let urlParams = new URLSearchParams(window.location.search); - let code = urlParams.get("code"); + const urlParams = new URLSearchParams(window.location.search); + const code = urlParams.get("code"); if (code == undefined) { return { error: { @@ -91,7 +84,7 @@ const extended = gtsApi.injectEndpoints({ // Retrieve app with which the // callback code was generated. - let app = oauthState.app; + const app = loginState.app; if (app == undefined || app.client_id == undefined) { return { error: { @@ -104,7 +97,7 @@ const extended = gtsApi.injectEndpoints({ // Use the provided code and app // secret to request an auth token. - const tokenReqBody: OauthTokenRequestBody = { + const tokenReqBody: OAuthAccessTokenRequestBody = { client_id: app.client_id, client_secret: app.client_secret, redirect_uri: SETTINGS_URL, @@ -139,7 +132,7 @@ const extended = gtsApi.injectEndpoints({ authorizeFlow: build.mutation({ async queryFn(formData, api, _extraOpts, fetchWithBQ) { const state = api.getState() as RootState; - const oauthState = state.oauth; + const loginState = state.login; let instanceUrl: string; if (!formData.instance.startsWith("http")) { @@ -147,8 +140,8 @@ const extended = gtsApi.injectEndpoints({ } instanceUrl = new URL(formData.instance).origin; - if (oauthState?.instanceUrl == instanceUrl && oauthState.app) { - return { data: oauthState.app }; + if (loginState?.instanceUrl == instanceUrl && loginState.app) { + return { data: loginState.app }; } const appResult = await fetchWithBQ({ @@ -166,24 +159,24 @@ const extended = gtsApi.injectEndpoints({ return { error: appResult.error as FetchBaseQueryError }; } - let app = appResult.data as any; + const app = appResult.data as any; app.scopes = formData.scopes; api.dispatch(oauthAuthorize({ instanceUrl: instanceUrl, app: app, - loginState: "callback", + current: "awaitingcallback", expectingRedirect: true })); - let url = new URL(instanceUrl); + const url = new URL(instanceUrl); url.pathname = "/oauth/authorize"; url.searchParams.set("client_id", app.client_id); url.searchParams.set("redirect_uri", SETTINGS_URL); url.searchParams.set("response_type", "code"); url.searchParams.set("scope", app.scopes); - let redirectURL = url.toString(); + const redirectURL = url.toString(); window.location.assign(redirectURL); return { data: null }; }, diff --git a/web/source/settings/lib/query/user/applications.ts b/web/source/settings/lib/query/user/applications.ts new file mode 100644 index 000000000..9d271a1e1 --- /dev/null +++ b/web/source/settings/lib/query/user/applications.ts @@ -0,0 +1,146 @@ +/* + GoToSocial + Copyright (C) GoToSocial Authors admin@gotosocial.org + SPDX-License-Identifier: AGPL-3.0-or-later + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . +*/ + +import { RootState } from "../../../redux/store"; +import { + SearchAppParams, + SearchAppResp, + App, + AppCreateParams, +} from "../../types/application"; +import { OAuthAccessToken, OAuthAccessTokenRequestBody } from "../../types/oauth"; +import { gtsApi } from "../gts-api"; +import parse from "parse-link-header"; + +const extended = gtsApi.injectEndpoints({ + endpoints: (build) => ({ + searchApp: build.query({ + query: (form) => { + const params = new(URLSearchParams); + Object.entries(form).forEach(([k, v]) => { + if (v !== undefined) { + params.append(k, v); + } + }); + + let query = ""; + if (params.size !== 0) { + query = `?${params.toString()}`; + } + + return { + url: `/api/v1/apps${query}` + }; + }, + // Headers required for paging. + transformResponse: (apiResp: App[], meta) => { + const apps = apiResp; + const linksStr = meta?.response?.headers.get("Link"); + const links = parse(linksStr); + return { apps, links }; + }, + providesTags: [{ type: "Application", id: "TRANSFORMED" }] + }), + + getApp: build.query({ + query: (id) => ({ + method: "GET", + url: `/api/v1/apps/${id}`, + }), + providesTags: (_result, _error, id) => [ + { type: 'Application', id } + ], + }), + + createApp: build.mutation({ + query: (formData) => ({ + method: "POST", + url: `/api/v1/apps`, + asForm: true, + body: formData, + discardEmpty: true + }), + invalidatesTags: [{ type: "Application", id: "TRANSFORMED" }], + }), + + deleteApp: build.mutation({ + query: (id) => ({ + method: "DELETE", + url: `/api/v1/apps/${id}` + }), + invalidatesTags: (_result, _error, id) => [ + { type: 'Application', id }, + { type: "Application", id: "TRANSFORMED" }, + { type: "TokenInfo", id: "TRANSFORMED" }, + ], + }), + + getOOBAuthCode: build.mutation({ + async queryFn({ app, scope, redirectURI }, api, _extraOpts, _fetchWithBQ) { + // Fetch the instance URL string from + // oauth state, eg., https://example.org. + const state = api.getState() as RootState; + if (!state.login.instanceUrl) { + return { + error: { + status: 'CUSTOM_ERROR', + error: "oauthState.instanceUrl undefined", + } + }; + } + const instanceUrl = state.login.instanceUrl; + + // Parse instance URL + set params on it. + const url = new URL(instanceUrl); + url.pathname = "/oauth/authorize"; + url.searchParams.set("client_id", app.client_id); + url.searchParams.set("redirect_uri", redirectURI); + url.searchParams.set("response_type", "code"); + url.searchParams.set("scope", scope); + + // Set the app ID in state so we know which + // app to get out of our store after redirect. + url.searchParams.set("state", app.id); + + // Whisk the user away to the authorize page. + window.location.assign(url.toString()); + return { data: null }; + } + }), + + getAccessTokenForApp: build.mutation({ + query: (formData) => ({ + method: "POST", + url: `/oauth/token`, + asForm: true, + body: formData, + discardEmpty: true + }), + }), + }) +}); + +export const { + useLazySearchAppQuery, + useCreateAppMutation, + useGetAppQuery, + useGetOOBAuthCodeMutation, + useGetAccessTokenForAppMutation, + useDeleteAppMutation, +} = extended; diff --git a/web/source/settings/lib/types/application.ts b/web/source/settings/lib/types/application.ts new file mode 100644 index 000000000..125e82c95 --- /dev/null +++ b/web/source/settings/lib/types/application.ts @@ -0,0 +1,71 @@ +/* + GoToSocial + Copyright (C) GoToSocial Authors admin@gotosocial.org + SPDX-License-Identifier: AGPL-3.0-or-later + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . +*/ + +import { Links } from "parse-link-header"; + +export interface App { + id: string; + created_at: string; + name: string; + website?: string; + redirect_uris: string[]; + redirect_uri: string; + client_id: string; + client_secret: string; + vapid_key: string; + scopes: string[]; +} + +/** + * Parameters for GET to /api/v1/apps. + */ +export interface SearchAppParams { + /** + * If set, show only items older (ie., lower) than the given ID. + * Item with the given ID will not be included in response. + */ + max_id?: string; + /** + * If set, show only items newer (ie., higher) than the given ID. + * Item with the given ID will not be included in response. + */ + since_id?: string; + /** + * If set, show only items *immediately newer* than the given ID. + * Item with the given ID will not be included in response. + */ + min_id?: string; + /** + * If set, limit returned items to this number. + * Else, fall back to GtS API defaults. + */ + limit?: number; +} + +export interface SearchAppResp { + apps: App[]; + links: Links | null; +} + +export interface AppCreateParams { + client_name: string; + redirect_uris: string; + scopes: string; + website: string; +} diff --git a/web/source/settings/lib/types/oauth.ts b/web/source/settings/lib/types/oauth.ts new file mode 100644 index 000000000..b077ed356 --- /dev/null +++ b/web/source/settings/lib/types/oauth.ts @@ -0,0 +1,49 @@ +/* + GoToSocial + Copyright (C) GoToSocial Authors admin@gotosocial.org + SPDX-License-Identifier: AGPL-3.0-or-later + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . +*/ + +/** + * OAuthToken represents a response + * to an OAuth token request. + */ +export interface OAuthAccessToken { + /** + * Most likely to be 'Bearer' + * but may be something else. + */ + token_type: string; + /** + * The actual token. Can be passed in to + * authenticate further requests using the + * Authorization header and the token type. + */ + access_token: string; +} + +export interface OAuthApp { + client_id: string; + client_secret: string; +} + +export interface OAuthAccessTokenRequestBody { + client_id: string; + client_secret: string; + redirect_uri: string; + grant_type: string; + code: string; +} diff --git a/web/source/settings/lib/types/scopes.ts b/web/source/settings/lib/types/scopes.ts new file mode 100644 index 000000000..2bf5c21b4 --- /dev/null +++ b/web/source/settings/lib/types/scopes.ts @@ -0,0 +1,139 @@ +/* + GoToSocial + Copyright (C) GoToSocial Authors admin@gotosocial.org + SPDX-License-Identifier: AGPL-3.0-or-later + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . +*/ + +/* Sub-scopes / scope components */ + +const scopeAccounts = "accounts"; +const scopeApplications = "applications"; +const scopeBlocks = "blocks"; +const scopeBookmarks = "bookmarks"; +const scopeConversations = "conversations"; +const scopeDomainAllows = "domain_allows"; +const scopeDomainBlocks = "domain_blocks"; +const scopeFavourites = "favourites"; +const scopeFilters = "filters"; +const scopeFollows = "follows"; +const scopeLists = "lists"; +const scopeMedia = "media"; +const scopeMutes = "mutes"; +const scopeNotifications = "notifications"; +const scopeReports = "reports"; +const scopeSearch = "search"; +const scopeStatuses = "statuses"; + +/* Top-level scopes */ + +export const ScopeProfile = "profile"; +export const ScopePush = "push"; +export const ScopeRead = "read"; +export const ScopeWrite = "write"; +export const ScopeAdmin = "admin"; +export const ScopeAdminRead = ScopeAdmin + ":" + ScopeRead; +export const ScopeAdminWrite = ScopeAdmin + ":" + ScopeWrite; + +/* Granular scopes */ + +export const ScopeReadAccounts = ScopeRead + ":" + scopeAccounts; +export const ScopeWriteAccounts = ScopeWrite + ":" + scopeAccounts; +export const ScopeReadApplications = ScopeRead + ":" + scopeApplications; +export const ScopeWriteApplications = ScopeWrite + ":" + scopeApplications; +export const ScopeReadBlocks = ScopeRead + ":" + scopeBlocks; +export const ScopeWriteBlocks = ScopeWrite + ":" + scopeBlocks; +export const ScopeReadBookmarks = ScopeRead + ":" + scopeBookmarks; +export const ScopeWriteBookmarks = ScopeWrite + ":" + scopeBookmarks; +export const ScopeWriteConversations = ScopeWrite + ":" + scopeConversations; +export const ScopeReadFavourites = ScopeRead + ":" + scopeFavourites; +export const ScopeWriteFavourites = ScopeWrite + ":" + scopeFavourites; +export const ScopeReadFilters = ScopeRead + ":" + scopeFilters; +export const ScopeWriteFilters = ScopeWrite + ":" + scopeFilters; +export const ScopeReadFollows = ScopeRead + ":" + scopeFollows; +export const ScopeWriteFollows = ScopeWrite + ":" + scopeFollows; +export const ScopeReadLists = ScopeRead + ":" + scopeLists; +export const ScopeWriteLists = ScopeWrite + ":" + scopeLists; +export const ScopeWriteMedia = ScopeWrite + ":" + scopeMedia; +export const ScopeReadMutes = ScopeRead + ":" + scopeMutes; +export const ScopeWriteMutes = ScopeWrite + ":" + scopeMutes; +export const ScopeReadNotifications = ScopeRead + ":" + scopeNotifications; +export const ScopeWriteNotifications = ScopeWrite + ":" + scopeNotifications; +export const ScopeWriteReports = ScopeWrite + ":" + scopeReports; +export const ScopeReadSearch = ScopeRead + ":" + scopeSearch; +export const ScopeReadStatuses = ScopeRead + ":" + scopeStatuses; +export const ScopeWriteStatuses = ScopeWrite + ":" + scopeStatuses; +export const ScopeAdminReadAccounts = ScopeAdminRead + ":" + scopeAccounts; +export const ScopeAdminWriteAccounts = ScopeAdminWrite + ":" + scopeAccounts; +export const ScopeAdminReadReports = ScopeAdminRead + ":" + scopeReports; +export const ScopeAdminWriteReports = ScopeAdminWrite + ":" + scopeReports; +export const ScopeAdminReadDomainAllows = ScopeAdminRead + ":" + scopeDomainAllows; +export const ScopeAdminWriteDomainAllows = ScopeAdminWrite + ":" + scopeDomainAllows; +export const ScopeAdminReadDomainBlocks = ScopeAdminRead + ":" + scopeDomainBlocks; +export const ScopeAdminWriteDomainBlocks = ScopeAdminWrite + ":" + scopeDomainBlocks; + +export const ValidScopes = [ + ScopeProfile, + ScopePush, + ScopeRead, + ScopeWrite, + ScopeAdmin, + ScopeAdminRead, + ScopeAdminWrite, + ScopeReadAccounts, + ScopeWriteAccounts, + ScopeReadApplications, + ScopeWriteApplications, + ScopeReadBlocks, + ScopeWriteBlocks, + ScopeReadBookmarks, + ScopeWriteBookmarks, + ScopeWriteConversations, + ScopeReadFavourites, + ScopeWriteFavourites, + ScopeReadFilters, + ScopeWriteFilters, + ScopeReadFollows, + ScopeWriteFollows, + ScopeReadLists, + ScopeWriteLists, + ScopeWriteMedia, + ScopeReadMutes, + ScopeWriteMutes, + ScopeReadNotifications, + ScopeWriteNotifications, + ScopeWriteReports, + ScopeReadSearch, + ScopeReadStatuses, + ScopeWriteStatuses, + ScopeAdminReadAccounts, + ScopeAdminWriteAccounts, + ScopeAdminReadReports, + ScopeAdminWriteReports, + ScopeAdminReadDomainAllows, + ScopeAdminWriteDomainAllows, + ScopeAdminReadDomainBlocks, + ScopeAdminWriteDomainBlocks, +]; + +export const ValidTopLevelScopes = [ + ScopeProfile, + ScopePush, + ScopeRead, + ScopeWrite, + ScopeAdmin, + ScopeAdminRead, + ScopeAdminWrite, +]; diff --git a/web/source/settings/lib/util/formvalidators.ts b/web/source/settings/lib/util/formvalidators.ts index 358db616c..4e0e4a6a8 100644 --- a/web/source/settings/lib/util/formvalidators.ts +++ b/web/source/settings/lib/util/formvalidators.ts @@ -18,6 +18,8 @@ */ import isValidDomain from "is-valid-domain"; +import { useCallback } from "react"; +import { ValidScopes, ValidTopLevelScopes } from "../types/scopes"; /** * Validate the "domain" field of a form. @@ -29,6 +31,11 @@ export function formDomainValidator(domain: string): string { return ""; } + // Allow localhost for testing. + if (domain === "localhost") { + return ""; + } + if (domain[domain.length-1] === ".") { return "invalid domain"; } @@ -63,5 +70,67 @@ export function urlValidator(urlStr: string): string { return `invalid protocol, must be http or https`; } - return formDomainValidator(url.host); + return formDomainValidator(url.hostname); } + +export function useScopesValidator(): (_scopes: string[]) => string { + return useCallback((scopes) => { + return scopes. + map((scope) => validateScope(scope)). + flatMap((msg) => msg || []). + join(", "); + }, []); +} + +export function useScopeValidator(): (_scope: string) => string { + return useCallback((scope) => validateScope(scope), []); +} + +const validateScope = (scope: string) => { + if (!ValidScopes.includes(scope)) { + return scope + " is not a recognized scope"; + } + return ""; +}; + +export function useScopesPermittedBy(): (_hasScopes: string[], _wantScopes: string[]) => string { + return useCallback((hasScopes, wantsScopes) => { + return wantsScopes. + map((wanted) => scopePermittedByScopes(hasScopes, wanted)). + flatMap((msg) => msg || []). + join(", "); + }, []); +} + +const scopePermittedByScopes = (hasScopes: string[], wanted: string) => { + if (hasScopes.some((hasScope) => scopePermittedByScope(hasScope, wanted) === "")) { + return ""; + } + return `scopes [${hasScopes}] do not permit ${wanted}`; +}; + +const scopePermittedByScope = (has: string, wanted: string) => { + if (has === wanted) { + // Exact match on either a + // top-level or granular scope. + return ""; + } + + // Ensure we have a + // known top-level scope. + switch (true) { + case (ValidTopLevelScopes.includes(has)): + // Check if top-level includes wanted, + // eg., have "admin", want "admin:read". + if (wanted.startsWith(has + ":")) { + return ""; + } else { + return `scope ${has} does not permit ${wanted}`; + } + + default: + // Unknown top-level scope, + // can't permit anything. + return `unrecognized scope ${has}`; + } +}; diff --git a/web/source/settings/lib/util/index.ts b/web/source/settings/lib/util/index.ts index 4c8a90626..8bcf5ab5d 100644 --- a/web/source/settings/lib/util/index.ts +++ b/web/source/settings/lib/util/index.ts @@ -30,7 +30,7 @@ export function UseOurInstanceAccount(account: AdminAccount): boolean { // Pull our own URL out of storage so we can // tell if account is our instance account. const ourDomain = useMemo(() => { - const instanceUrlStr = store.getState().oauth.instanceUrl; + const instanceUrlStr = store.getState().login.instanceUrl; if (!instanceUrlStr) { return ""; } diff --git a/web/source/settings/redux/oauth.ts b/web/source/settings/redux/login.ts similarity index 59% rename from web/source/settings/redux/oauth.ts rename to web/source/settings/redux/login.ts index 1d6bf9bb1..2ba06dfff 100644 --- a/web/source/settings/redux/oauth.ts +++ b/web/source/settings/redux/login.ts @@ -18,33 +18,11 @@ */ import { PayloadAction, createSlice } from "@reduxjs/toolkit"; +import { OAuthApp, OAuthAccessToken } from "../lib/types/oauth"; -/** - * OAuthToken represents a response - * to an OAuth token request. - */ -export interface OAuthToken { - /** - * Most likely to be 'Bearer' - * but may be something else. - */ - token_type: string; - /** - * The actual token. Can be passed in to - * authenticate further requests using the - * Authorization header and the token type. - */ - access_token: string; -} - -export interface OAuthApp { - client_id: string; - client_secret: string; -} - -export interface OAuthState { +export interface LoginState { instanceUrl?: string; - loginState: "none" | "callback" | "login" | "logout"; + current: "none" | "awaitingcallback" | "loggedin" | "loggedout"; expectingRedirect: boolean; /** * Token stored in easy-to-use format. @@ -55,29 +33,31 @@ export interface OAuthState { app?: OAuthApp; } -const initialState: OAuthState = { - loginState: 'none', +const initialState: LoginState = { + current: 'none', expectingRedirect: false, }; -export const oauthSlice = createSlice({ - name: "oauth", +export const loginSlice = createSlice({ + name: "login", initialState: initialState, reducers: { - authorize: (_state, action: PayloadAction) => { + authorize: (_state, action: PayloadAction) => { // Overrides state with payload. return action.payload; }, - setToken: (state, action: PayloadAction) => { - // Mark us as logged in by storing token. + setToken: (state, action: PayloadAction) => { + // Mark us as logged + // in by storing token. state.token = `${action.payload.token_type} ${action.payload.access_token}`; - state.loginState = "login"; + state.current = "loggedin"; }, remove: (state) => { - // Mark us as logged out by clearing auth. + // Mark us as logged + // out by clearing auth. delete state.token; delete state.app; - state.loginState = "logout"; + state.current = "loggedout"; } } }); @@ -86,4 +66,4 @@ export const { authorize, setToken, remove, -} = oauthSlice.actions; +} = loginSlice.actions; diff --git a/web/source/settings/redux/store.ts b/web/source/settings/redux/store.ts index 0c1285187..076f5f88d 100644 --- a/web/source/settings/redux/store.ts +++ b/web/source/settings/redux/store.ts @@ -30,19 +30,19 @@ import { REGISTER, } from "redux-persist"; -import { oauthSlice } from "./oauth"; +import { loginSlice } from "./login"; import { gtsApi } from "../lib/query/gts-api"; const combinedReducers = combineReducers({ [gtsApi.reducerPath]: gtsApi.reducer, - oauth: oauthSlice.reducer, + login: loginSlice.reducer, }); const persistedReducer = persistReducer({ key: "gotosocial-settings", storage: require("redux-persist/lib/storage").default, stateReconciler: require("redux-persist/lib/stateReconciler/autoMergeLevel1").default, - whitelist: ["oauth"], + whitelist: ["login"], migrate: async (state) => { if (state == undefined) { return state; @@ -51,8 +51,8 @@ const persistedReducer = persistReducer({ // This is a cheeky workaround for // redux-persist being a stickler. let anyState = state as any; - if (anyState?.oauth != undefined) { - anyState.oauth.expectingRedirect = false; + if (anyState?.login != undefined) { + anyState.login.expectingRedirect = false; } return anyState; diff --git a/web/source/settings/style.css b/web/source/settings/style.css index 5a85f370e..fc146cdd7 100644 --- a/web/source/settings/style.css +++ b/web/source/settings/style.css @@ -1495,6 +1495,62 @@ button.tab-button { } } +.access-token-receive-form { + > .access-token-frame { + background-color: $gray2; + width: 100%; + padding: 0.25rem; + border-radius: $br-inner; + white-space: pre; + overflow-x: auto; + -webkit-overflow-scrolling: touch; + font-family: monospace; + font-size: large; + } + + .closed { + text-align: center; + } +} + +.applications-view { + .application { + .info-list { + border: none; + width: 100%; + + .info-list-entry { + background: none; + padding: 0; + } + + > .info-list-entry > .monospace { + font-size: large; + } + } + } +} + +.application-details { + .info-list { + margin-top: 1rem; + + > .info-list-entry .monospace { + font-size: large; + } + + > .info-list-entry > dd > button { + font-size: medium; + padding-top: 0; + padding-bottom: 0; + } + } +} + +.application-new > .form-section-docs > p > .monospace { + font-size: large; +} + .instance-rules { list-style-position: inside; margin: 0; diff --git a/web/source/settings/views/admin/debug/apurl/index.tsx b/web/source/settings/views/admin/debug/apurl/index.tsx index b66794132..9ad88aa03 100644 --- a/web/source/settings/views/admin/debug/apurl/index.tsx +++ b/web/source/settings/views/admin/debug/apurl/index.tsx @@ -17,16 +17,14 @@ along with this program. If not, see . */ -import React, { useEffect, useRef } from "react"; +import React from "react"; import { useTextInput } from "../../../../lib/form"; import { useLazyApURLQuery } from "../../../../lib/query/admin/debug"; import { TextInput } from "../../../../components/form/inputs"; import MutationButton from "../../../../components/form/mutation-button"; import { ApURLResponse } from "../../../../lib/types/debug"; import Loading from "../../../../components/loading"; - -// Used for syntax highlighting of json result. -import Prism from "../../../../../frontend/prism"; +import { HighlightedCode } from "../../../../components/highlightedcode"; export default function ApURL() { const urlField = useTextInput("url"); @@ -102,26 +100,5 @@ function ApURLResult({ }; const jsonStr = JSON.stringify(jsonObj, null, 2); - return ; -} - -function Highlighted({ jsonStr }: { jsonStr: string }) { - const ref = useRef(null); - useEffect(() => { - if (ref.current) { - Prism.highlightElement(ref.current); - } - }, []); - - // Prism takes control of the `pre` so wrap - // the whole thing in a div that we control. - return ( -
- 
-				
-					{jsonStr}
-				
-
-
- ); + return ; } diff --git a/web/source/settings/views/user/applications/callback.tsx b/web/source/settings/views/user/applications/callback.tsx new file mode 100644 index 000000000..f1634cc6f --- /dev/null +++ b/web/source/settings/views/user/applications/callback.tsx @@ -0,0 +1,121 @@ +/* + GoToSocial + Copyright (C) GoToSocial Authors admin@gotosocial.org + SPDX-License-Identifier: AGPL-3.0-or-later + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . +*/ + +import React from "react"; +import { useSearch } from "wouter"; +import { Error as ErrorCmp } from "../../../components/error"; +import { useGetAccessTokenForAppMutation, useGetAppQuery } from "../../../lib/query/user/applications"; +import { useCallbackURL } from "./common"; +import useFormSubmit from "../../../lib/form/submit"; +import { useValue } from "../../../lib/form"; +import MutationButton from "../../../components/form/mutation-button"; +import FormWithData from "../../../lib/form/form-with-data"; +import { App } from "../../../lib/types/application"; +import { OAuthAccessToken } from "../../../lib/types/oauth"; + +export function AppTokenCallback({}) { + // Read the callback authorization + // information from the search params. + const search = useSearch(); + const urlQueryParams = new URLSearchParams(search); + const code = urlQueryParams.get("code"); + const appId = urlQueryParams.get("state"); + const error = urlQueryParams.get("error"); + const errorDescription = urlQueryParams.get("error_description"); + + if (error) { + let errString = error; + if (errorDescription) { + errString += ": " + errorDescription; + } + if (error === "invalid_scope") { + errString += ". You probably requested a token (sub-)scope that wasn't contained in the scopes of your application."; + } + const err = Error(errString); + return ; + } + + if (!code || !appId) { + const err = Error("code or app id not defined"); + return ; + } + + return( + <> + + + ); +} + + +function AccessForAppForm({ data: app, code }: { data: App, code: string }) { + const redirectURI = useCallbackURL(); + + // Prepare to call /oauth/token to + // exchange code for access token. + const form = { + client_id: useValue("client_id", app.client_id), + client_secret: useValue("client_secret", app.client_secret), + redirect_uri: useValue("redirect_uri", redirectURI), + code: useValue("code", code), + grant_type: useValue("grant_type", "authorization_code"), + + }; + const [ submit, result ] = useFormSubmit(form, useGetAccessTokenForAppMutation()); + + return ( +
+
+

Receive Access Token

+

+ To receive your user-level access token for application{app.name}, click on the button below. +
Your access token will be shown once and only once. +
Your access token provides access to your account; store it as carefully as you would store a password! +

+ + Learn more about how to use your access token (opens in a new tab) + +
+ + { result.data + ?
{(result.data as OAuthAccessToken).access_token}
+ :
+ } + + + + ); +} diff --git a/web/source/settings/views/user/applications/common.tsx b/web/source/settings/views/user/applications/common.tsx new file mode 100644 index 000000000..44f5570cb --- /dev/null +++ b/web/source/settings/views/user/applications/common.tsx @@ -0,0 +1,85 @@ +/* + GoToSocial + Copyright (C) GoToSocial Authors admin@gotosocial.org + SPDX-License-Identifier: AGPL-3.0-or-later + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . +*/ + +import React, { useMemo } from "react"; +import { App } from "../../../lib/types/application"; +import { useStore } from "react-redux"; +import { RootState } from "../../../redux/store"; + +export const useAppWebsite = (app: App) => { + return useMemo(() => { + if (!app.website) { + return ""; + } + + try { + // Try to parse nicely and return link. + const websiteURL = new URL(app.website); + const websiteURLStr = websiteURL.toString(); + return ( + {websiteURLStr} + ); + } catch { + // Fall back to returning string. + return app.website; + } + }, [app.website]); +}; + +export const useCreated = (app: App) => { + return useMemo(() => { + const createdAt = new Date(app.created_at); + return ; + }, [app.created_at]); +}; + +export const useRedirectURIs= (app: App) => { + return useMemo(() => { + const length = app.redirect_uris.length; + if (length === 1) { + return app.redirect_uris[0]; + } + + return app.redirect_uris.map((redirectURI, i) => { + return i === 0 ? <>{redirectURI} : <>
{redirectURI}; + }); + + }, [app.redirect_uris]); +}; + +export const useCallbackURL = () => { + const state = useStore().getState() as RootState; + const instanceUrl = state.login.instanceUrl; + if (instanceUrl === undefined) { + throw "instanceUrl undefined"; + } + + return useMemo(() => { + const url = new URL(instanceUrl); + if (url === null) { + throw "redirectURI null"; + } + url.pathname = "/settings/user/applications/callback"; + return url.toString(); + }, [instanceUrl]); +}; diff --git a/web/source/settings/views/user/applications/detail.tsx b/web/source/settings/views/user/applications/detail.tsx new file mode 100644 index 000000000..5beeb0cce --- /dev/null +++ b/web/source/settings/views/user/applications/detail.tsx @@ -0,0 +1,226 @@ +/* + GoToSocial + Copyright (C) GoToSocial Authors admin@gotosocial.org + SPDX-License-Identifier: AGPL-3.0-or-later + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . +*/ + +import React, { useState } from "react"; +import { useLocation, useParams } from "wouter"; +import FormWithData from "../../../lib/form/form-with-data"; +import BackButton from "../../../components/back-button"; +import { useBaseUrl } from "../../../lib/navigation/util"; +import { useDeleteAppMutation, useGetAppQuery, useGetOOBAuthCodeMutation } from "../../../lib/query/user/applications"; +import { App } from "../../../lib/types/application"; +import { useAppWebsite, useCallbackURL, useCreated, useRedirectURIs } from "./common"; +import MutationButton from "../../../components/form/mutation-button"; +import { useTextInput } from "../../../lib/form"; +import { TextInput } from "../../../components/form/inputs"; +import { useScopesPermittedBy, useScopesValidator } from "../../../lib/util/formvalidators"; + +export default function AppDetail({ }) { + const params: { appId: string } = useParams(); + const baseUrl = useBaseUrl(); + const backLocation: String = history.state?.backLocation ?? `~${baseUrl}`; + + return ( +
+

Application Details

+ +
+ ); +} + +function AppDetailForm({ data: app, backLocation }: { data: App, backLocation: string }) { + return ( + <> + + + + + ); +} + +function AppBasicInfo({ app }: { app: App }) { + const appWebsite = useAppWebsite(app); + const created = useCreated(app); + const redirectURIs = useRedirectURIs(app); + const [ showClient, setShowClient ] = useState(false); + const [ showSecret, setShowSecret ] = useState(false); + + return ( +
+
+
Name:
+
{app.name}
+
+ + { appWebsite && +
+
Website:
+
{appWebsite}
+
+ } + +
+
Created:
+
{created}
+
+ +
+
Scopes:
+
{app.scopes.join(" ")}
+
+ +
+
Redirect URI(s):
+
{redirectURIs}
+
+ +
+
Vapid key:
+
{app.vapid_key}
+
+ +
+
Client ID:
+ { showClient + ?
{app.client_id}
+ :
+ } +
+ +
+
Client secret:
+ { showSecret + ?
{app.client_secret}
+ :
+ } +
+
+ ); +} + +function AccessTokenForm({ app }: { app: App }) { + const [ getOOBAuthCode, result ] = useGetOOBAuthCodeMutation(); + const permittedScopes = useScopesPermittedBy(); + const validateScopes = useScopesValidator(); + const scope = useTextInput("scope", { + defaultValue: app.scopes.join(" "), + validator: (wantsScopesStr: string) => { + if (wantsScopesStr === "") { + return ""; + } + + // Check requested scopes are valid scopes. + const wantsScopes = wantsScopesStr.split(" "); + const invalidScopesMsg = validateScopes(wantsScopes); + if (invalidScopesMsg !== "") { + return invalidScopesMsg; + } + + // Check requested scopes are permitted by the app. + return permittedScopes(app.scopes, wantsScopes); + } + }); + + const callbackURL = useCallbackURL(); + const disabled = !app.redirect_uris.includes(callbackURL); + return ( +
{ + e.preventDefault(); + getOOBAuthCode({ + app, + scope: scope.value ?? "", + redirectURI: callbackURL, + }); + }} + > +
+

Request An API Access Token

+

+ If your application redirect URIs includes the settings panel callback URL, + you can use this section to request an access token that you can use to make API calls. +
The token scopes specified below must be equal to, or a subset of, the scopes + you provided when you created the application. +
After clicking "Request access token", you will be redirected to the sign in + page for your instance, where you must provide your credentials in order to authorize + your application to act on your behalf. You will then be redirected again to a page + where you can view your new access token. +

+ + Learn more about the OAuth authentication flow (opens in a new tab) + +
+ + + + + + ); +} + +function DeleteAppForm({ app, backLocation }: { app: App, backLocation: string }) { + const [ _location, setLocation ] = useLocation(); + const [ deleteApp, result ] = useDeleteAppMutation(); + + return ( +
+
+

Delete Application

+

+ You can use this button to delete the application. +
Any tokens created by the application will also be deleted. +

+
+ { + e.preventDefault(); + deleteApp(app.id); + setLocation(backLocation); + }} + disabled={false} + showError={false} + result={result} + /> + + ); +} diff --git a/web/source/settings/views/user/applications/index.tsx b/web/source/settings/views/user/applications/index.tsx new file mode 100644 index 000000000..0a86adf16 --- /dev/null +++ b/web/source/settings/views/user/applications/index.tsx @@ -0,0 +1,44 @@ +/* + GoToSocial + Copyright (C) GoToSocial Authors admin@gotosocial.org + SPDX-License-Identifier: AGPL-3.0-or-later + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . +*/ + +import React from "react"; +import AppsSearchForm from "./search"; + +export default function Applications() { + return ( +
+
+

Applications

+

+ On this page you can search through applications you've created. + To manage an application, click on it to go to the detailed view. +

+ + Learn more about managing your applications (opens in a new tab) + +
+ +
+ ); +} diff --git a/web/source/settings/views/user/applications/new.tsx b/web/source/settings/views/user/applications/new.tsx new file mode 100644 index 000000000..fc5e5cc42 --- /dev/null +++ b/web/source/settings/views/user/applications/new.tsx @@ -0,0 +1,150 @@ +/* + GoToSocial + Copyright (C) GoToSocial Authors admin@gotosocial.org + SPDX-License-Identifier: AGPL-3.0-or-later + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . +*/ + +import React from "react"; +import useFormSubmit from "../../../lib/form/submit"; +import { useTextInput } from "../../../lib/form"; +import MutationButton from "../../../components/form/mutation-button"; +import { TextArea, TextInput } from "../../../components/form/inputs"; +import { useLocation } from "wouter"; +import { useCreateAppMutation } from "../../../lib/query/user/applications"; +import { urlValidator, useScopesValidator } from "../../../lib/util/formvalidators"; +import { useCallbackURL } from "./common"; +import { HighlightedCode } from "../../../components/highlightedcode"; + +export default function NewApp() { + const [ _location, setLocation ] = useLocation(); + const callbackURL = useCallbackURL(); + const scopesValidator = useScopesValidator(); + + const form = { + name: useTextInput("client_name"), + redirect_uris: useTextInput("redirect_uris", { + validator: (redirectURIs: string) => { + if (redirectURIs === "") { + return ""; + } + + const invalids = redirectURIs. + split("\n"). + map(redirectURI => redirectURI === "urn:ietf:wg:oauth:2.0:oob" ? "" : urlValidator(redirectURI)). + flatMap((invalid) => invalid || []); + + return invalids.join(", "); + } + }), + scopes: useTextInput("scopes", { + validator: (scopesStr: string) => { + if (scopesStr === "") { + return ""; + } + return scopesValidator(scopesStr.split(" ")); + } + }), + website: useTextInput("website", { + validator: urlValidator, + }), + }; + + const [formSubmit, result] = useFormSubmit( + form, + useCreateAppMutation(), + { + changedOnly: false, + onFinish: (res) => { + if (res.data) { + // Creation successful, + // redirect to apps overview. + setLocation(`/search`); + } + }, + }); + + return ( +
+
+

New Application

+

+ On this page you can create a new managed OAuth client application, with the specified redirect URIs and scopes. +
If not specified, redirect URIs defaults to urn:ietf:wg:oauth:2.0:oob, and scopes defaults to read. +
If you want to obtain an access token for your application here in the settings panel, include this settings panel callback URL in your redirect URIs: + +

+ + Learn more about application redirect URIs and scopes (opens in a new tab) + +
+ + + + + +