Add Accept header negotiation to relevant API endpoints (#337)

* start centralizing negotiation logic for API

* swagger document nodeinfo endpoint

* go fmt

* document negotiate function

* use content negotiation

* tidy up negotiation logic

* negotiate content throughout client api

* swagger

* remove attachment on Content

* add accept header to test requests
tobi
2021-12-11 17:50:00 +01:00
committed by GitHub
parent 0884f89431
commit e2daf0f012
78 changed files with 752 additions and 72 deletions


@@ -23,6 +23,7 @@ import (
"github.com/gin-gonic/gin"
"github.com/sirupsen/logrus"
"github.com/superseriousbusiness/gotosocial/internal/api"
"github.com/superseriousbusiness/gotosocial/internal/oauth"
)
@@ -74,13 +75,18 @@ func (m *Module) StatusBoostPOSTHandler(c *gin.Context) {
})
l.Debugf("entering function")
authed, err := oauth.Authed(c, true, false, true, true) // we don't really need an app here but we want everything else
authed, err := oauth.Authed(c, true, true, true, true)
if err != nil {
l.Debug("not authed so can't boost status")
c.JSON(http.StatusUnauthorized, gin.H{"error": "not authorized"})
return
}
if _, err := api.NegotiateAccept(c, api.JSONAcceptHeaders...); err != nil {
c.JSON(http.StatusNotAcceptable, gin.H{"error": err.Error()})
return
}
targetStatusID := c.Param(IDKey)
if targetStatusID == "" {
c.JSON(http.StatusBadRequest, gin.H{"error": "no status id provided"})
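Review bot: The second of the two printed `oauth.Authed` lines, which appears to be the new side, turns the second argument from false to true, so (going by the removed comment "we don't really need an app here") boosting now also requires an application on the token; this is an access-control change that the commit message does not mention. The same flip is visible in the delete, fave, unboost and unfave handlers further down. If it is intended, say so in the commit description and keep a comment on the call such as `// require token, app, user and account`; if it is a side effect of tidying, restore `oauth.Authed(c, true, false, true, true)`. The handler body starts and ends outside the hunk.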


@@ -51,6 +51,7 @@ func (suite *StatusBoostTestSuite) TestPostBoost() {
ctx.Set(oauth.SessionAuthorizedUser, suite.testUsers["local_account_1"])
ctx.Set(oauth.SessionAuthorizedAccount, suite.testAccounts["local_account_1"])
ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080%s", strings.Replace(status.ReblogPath, ":id", targetStatus.ID, 1)), nil) // the endpoint we're hitting
ctx.Request.Header.Set("accept", "application/json")
// normally the router would populate these params from the path values,
// but because we're calling the function directly, we need to set them manually.
@@ -117,6 +118,7 @@ func (suite *StatusBoostTestSuite) TestPostUnboostable() {
ctx.Set(oauth.SessionAuthorizedUser, suite.testUsers["local_account_1"])
ctx.Set(oauth.SessionAuthorizedAccount, suite.testAccounts["local_account_1"])
ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080%s", strings.Replace(status.ReblogPath, ":id", targetStatus.ID, 1)), nil) // the endpoint we're hitting
ctx.Request.Header.Set("accept", "application/json")
// normally the router would populate these params from the path values,
// but because we're calling the function directly, we need to set them manually.
@@ -155,6 +157,7 @@ func (suite *StatusBoostTestSuite) TestPostNotVisible() {
ctx.Set(oauth.SessionAuthorizedUser, suite.testUsers["local_account_2"])
ctx.Set(oauth.SessionAuthorizedAccount, suite.testAccounts["local_account_2"])
ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080%s", strings.Replace(status.ReblogPath, ":id", targetStatus.ID, 1)), nil) // the endpoint we're hitting
ctx.Request.Header.Set("accept", "application/json")
// normally the router would populate these params from the path values,
// but because we're calling the function directly, we need to set them manually.
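Review bot: The three boost tests only gain `ctx.Request.Header.Set("accept", "application/json")`, so the rejection branch added to the handler is never exercised. A case that sets an unsupported value (for example `text/html`), asserts a 406 response and checks that no boost was created would pin the new behaviour; the same gap applies to the create, fave, faved-by and unfave test sections below. One case with no Accept header at all is also worth having, since the hunks do not show whether NegotiateAccept treats that as a match or a rejection. The test function bodies continue outside the hunks.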


@@ -23,6 +23,7 @@ import (
"github.com/gin-gonic/gin"
"github.com/sirupsen/logrus"
"github.com/superseriousbusiness/gotosocial/internal/api"
"github.com/superseriousbusiness/gotosocial/internal/oauth"
)
@@ -80,6 +81,11 @@ func (m *Module) StatusContextGETHandler(c *gin.Context) {
return
}
if _, err := api.NegotiateAccept(c, api.JSONAcceptHeaders...); err != nil {
c.JSON(http.StatusNotAcceptable, gin.H{"error": err.Error()})
return
}
targetStatusID := c.Param(IDKey)
if targetStatusID == "" {
c.JSON(http.StatusBadRequest, gin.H{"error": "no status id provided"})
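Review bot: The 406 branch added here sends `err.Error()` from `api.NegotiateAccept` straight to the client; that function's body is not on this page, so if its message includes the request's Accept value, client-supplied text ends up in the response body. A fixed message such as `gin.H{"error": "not acceptable"}`, with the detail logged server-side, avoids that. The same four-line block is pasted into every handler in this commit, so a shared helper or gin middleware would keep a future endpoint from forgetting it. The handler body starts and ends outside the hunk.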


@@ -27,6 +27,7 @@ import (
"github.com/spf13/viper"
"github.com/gin-gonic/gin"
"github.com/superseriousbusiness/gotosocial/internal/api"
"github.com/superseriousbusiness/gotosocial/internal/api/model"
"github.com/superseriousbusiness/gotosocial/internal/config"
"github.com/superseriousbusiness/gotosocial/internal/oauth"
@@ -71,13 +72,18 @@ import (
// description: internal error
func (m *Module) StatusCreatePOSTHandler(c *gin.Context) {
l := logrus.WithField("func", "statusCreatePOSTHandler")
authed, err := oauth.Authed(c, true, true, true, true) // posting a status is serious business so we want *everything*
authed, err := oauth.Authed(c, true, true, true, true)
if err != nil {
l.Debugf("couldn't auth: %s", err)
c.JSON(http.StatusForbidden, gin.H{"error": err.Error()})
return
}
if _, err := api.NegotiateAccept(c, api.JSONAcceptHeaders...); err != nil {
c.JSON(http.StatusNotAcceptable, gin.H{"error": err.Error()})
return
}
// First check this user/account is permitted to post new statuses.
// There's no point continuing otherwise.
if authed.User.Disabled || !authed.User.Approved || !authed.Account.SuspendedAt.IsZero() {
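Review bot: With the trailing comment dropped from the `oauth.Authed(c, true, true, true, true)` call, nothing at the call site says what the four booleans require. Going by the old comments on the sibling handlers the order looks like token, app, user, account, so a short comment such as `// require token, app, user and account before creating a status` would keep the intent readable; confirm the order against `oauth.Authed` first. The visible tail of the swagger block above the function ends at `description: internal error`; if a 406 response is not listed further up, it should be added now that the handler can return one.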


@@ -65,6 +65,7 @@ func (suite *StatusCreateTestSuite) TestPostNewStatus() {
ctx.Set(oauth.SessionAuthorizedUser, suite.testUsers["local_account_1"])
ctx.Set(oauth.SessionAuthorizedAccount, suite.testAccounts["local_account_1"])
ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", status.BasePath), nil) // the endpoint we're hitting
ctx.Request.Header.Set("accept", "application/json")
ctx.Request.Form = url.Values{
"status": {"this is a brand new status! #helloworld"},
"spoiler_text": {"hello hello"},
@@ -119,6 +120,7 @@ func (suite *StatusCreateTestSuite) TestPostAnotherNewStatus() {
ctx.Set(oauth.SessionAuthorizedUser, suite.testUsers["local_account_1"])
ctx.Set(oauth.SessionAuthorizedAccount, suite.testAccounts["local_account_1"])
ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", status.BasePath), nil) // the endpoint we're hitting
ctx.Request.Header.Set("accept", "application/json")
ctx.Request.Form = url.Values{
"status": {statusWithLinksAndTags},
}
@@ -154,6 +156,7 @@ func (suite *StatusCreateTestSuite) TestPostNewStatusWithEmoji() {
ctx.Set(oauth.SessionAuthorizedUser, suite.testUsers["local_account_1"])
ctx.Set(oauth.SessionAuthorizedAccount, suite.testAccounts["local_account_1"])
ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", status.BasePath), nil) // the endpoint we're hitting
ctx.Request.Header.Set("accept", "application/json")
ctx.Request.Form = url.Values{
"status": {"here is a rainbow emoji a few times! :rainbow: :rainbow: :rainbow: \n here's an emoji that isn't in the db: :test_emoji: "},
}
@@ -195,6 +198,7 @@ func (suite *StatusCreateTestSuite) TestReplyToNonexistentStatus() {
ctx.Set(oauth.SessionAuthorizedUser, suite.testUsers["local_account_1"])
ctx.Set(oauth.SessionAuthorizedAccount, suite.testAccounts["local_account_1"])
ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", status.BasePath), nil) // the endpoint we're hitting
ctx.Request.Header.Set("accept", "application/json")
ctx.Request.Form = url.Values{
"status": {"this is a reply to a status that doesn't exist"},
"spoiler_text": {"don't open cuz it won't work"},
@@ -226,6 +230,7 @@ func (suite *StatusCreateTestSuite) TestReplyToLocalStatus() {
ctx.Set(oauth.SessionAuthorizedUser, suite.testUsers["local_account_1"])
ctx.Set(oauth.SessionAuthorizedAccount, suite.testAccounts["local_account_1"])
ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", status.BasePath), nil) // the endpoint we're hitting
ctx.Request.Header.Set("accept", "application/json")
ctx.Request.Form = url.Values{
"status": {fmt.Sprintf("hello @%s this reply should work!", testrig.NewTestAccounts()["local_account_2"].Username)},
"in_reply_to_id": {testrig.NewTestStatuses()["local_account_2_status_1"].ID},
@@ -268,6 +273,7 @@ func (suite *StatusCreateTestSuite) TestAttachNewMediaSuccess() {
ctx.Set(oauth.SessionAuthorizedUser, suite.testUsers["local_account_1"])
ctx.Set(oauth.SessionAuthorizedAccount, suite.testAccounts["local_account_1"])
ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", status.BasePath), nil) // the endpoint we're hitting
ctx.Request.Header.Set("accept", "application/json")
ctx.Request.Form = url.Values{
"status": {"here's an image attachment"},
"media_ids": {attachment.ID},


@@ -23,6 +23,7 @@ import (
"github.com/gin-gonic/gin"
"github.com/sirupsen/logrus"
"github.com/superseriousbusiness/gotosocial/internal/api"
"github.com/superseriousbusiness/gotosocial/internal/oauth"
)
@@ -73,13 +74,18 @@ func (m *Module) StatusDELETEHandler(c *gin.Context) {
})
l.Debugf("entering function")
authed, err := oauth.Authed(c, true, false, true, true) // we don't really need an app here but we want everything else
authed, err := oauth.Authed(c, true, true, true, true)
if err != nil {
l.Debug("not authed so can't delete status")
c.JSON(http.StatusUnauthorized, gin.H{"error": "not authorized"})
return
}
if _, err := api.NegotiateAccept(c, api.JSONAcceptHeaders...); err != nil {
c.JSON(http.StatusNotAcceptable, gin.H{"error": err.Error()})
return
}
targetStatusID := c.Param(IDKey)
if targetStatusID == "" {
c.JSON(http.StatusBadRequest, gin.H{"error": "no status id provided"})


@@ -23,6 +23,7 @@ import (
"github.com/gin-gonic/gin"
"github.com/sirupsen/logrus"
"github.com/superseriousbusiness/gotosocial/internal/api"
"github.com/superseriousbusiness/gotosocial/internal/oauth"
)
@@ -70,13 +71,18 @@ func (m *Module) StatusFavePOSTHandler(c *gin.Context) {
})
l.Debugf("entering function")
authed, err := oauth.Authed(c, true, false, true, true) // we don't really need an app here but we want everything else
authed, err := oauth.Authed(c, true, true, true, true)
if err != nil {
l.Debug("not authed so can't fave status")
c.JSON(http.StatusUnauthorized, gin.H{"error": "not authorized"})
return
}
if _, err := api.NegotiateAccept(c, api.JSONAcceptHeaders...); err != nil {
c.JSON(http.StatusNotAcceptable, gin.H{"error": err.Error()})
return
}
targetStatusID := c.Param(IDKey)
if targetStatusID == "" {
c.JSON(http.StatusBadRequest, gin.H{"error": "no status id provided"})


@@ -55,6 +55,7 @@ func (suite *StatusFaveTestSuite) TestPostFave() {
ctx.Set(oauth.SessionAuthorizedUser, suite.testUsers["local_account_1"])
ctx.Set(oauth.SessionAuthorizedAccount, suite.testAccounts["local_account_1"])
ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080%s", strings.Replace(status.FavouritePath, ":id", targetStatus.ID, 1)), nil) // the endpoint we're hitting
ctx.Request.Header.Set("accept", "application/json")
// normally the router would populate these params from the path values,
// but because we're calling the function directly, we need to set them manually.
@@ -103,6 +104,7 @@ func (suite *StatusFaveTestSuite) TestPostUnfaveable() {
ctx.Set(oauth.SessionAuthorizedUser, suite.testUsers["local_account_1"])
ctx.Set(oauth.SessionAuthorizedAccount, suite.testAccounts["local_account_1"])
ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080%s", strings.Replace(status.FavouritePath, ":id", targetStatus.ID, 1)), nil) // the endpoint we're hitting
ctx.Request.Header.Set("accept", "application/json")
// normally the router would populate these params from the path values,
// but because we're calling the function directly, we need to set them manually.


@@ -23,6 +23,7 @@ import (
"github.com/gin-gonic/gin"
"github.com/sirupsen/logrus"
"github.com/superseriousbusiness/gotosocial/internal/api"
"github.com/superseriousbusiness/gotosocial/internal/oauth"
)
@@ -71,13 +72,18 @@ func (m *Module) StatusFavedByGETHandler(c *gin.Context) {
})
l.Debugf("entering function")
authed, err := oauth.Authed(c, false, false, false, false) // we don't really need an app here but we want everything else
authed, err := oauth.Authed(c, true, true, true, true) // we don't really need an app here but we want everything else
if err != nil {
l.Errorf("error authing status faved by request: %s", err)
c.JSON(http.StatusBadRequest, gin.H{"error": "not authed"})
return
}
if _, err := api.NegotiateAccept(c, api.JSONAcceptHeaders...); err != nil {
c.JSON(http.StatusNotAcceptable, gin.H{"error": err.Error()})
return
}
targetStatusID := c.Param(IDKey)
if targetStatusID == "" {
c.JSON(http.StatusBadRequest, gin.H{"error": "no status id provided"})
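Review bot: The `oauth.Authed` call in StatusFavedByGETHandler goes from four `false` arguments to four `true` (taking the second printed line as the new side), yet it keeps the comment "we don't really need an app here but we want everything else", which now contradicts the code. A listing that apparently accepted unauthenticated requests now requires full authentication, which deserves a line in the commit description. The failure branch below still logs at error level and answers `http.StatusBadRequest` with "not authed"; now that credentials are mandatory, `http.StatusUnauthorized` with `l.Debug`, as in the sibling handlers, would be consistent. Proposed comment for the call: `// require token, app, user and account to list who faved a status`.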


@@ -53,6 +53,7 @@ func (suite *StatusFavedByTestSuite) TestGetFavedBy() {
ctx.Set(oauth.SessionAuthorizedUser, suite.testUsers["local_account_2"])
ctx.Set(oauth.SessionAuthorizedAccount, suite.testAccounts["local_account_2"])
ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080%s", strings.Replace(status.FavouritedPath, ":id", targetStatus.ID, 1)), nil) // the endpoint we're hitting
ctx.Request.Header.Set("accept", "application/json")
// normally the router would populate these params from the path values,
// but because we're calling the function directly, we need to set them manually.


@@ -23,6 +23,7 @@ import (
"github.com/gin-gonic/gin"
"github.com/sirupsen/logrus"
"github.com/superseriousbusiness/gotosocial/internal/api"
"github.com/superseriousbusiness/gotosocial/internal/oauth"
)
@@ -70,13 +71,18 @@ func (m *Module) StatusGETHandler(c *gin.Context) {
})
l.Debugf("entering function")
authed, err := oauth.Authed(c, false, false, false, false) // we don't really need an app here but we want everything else
authed, err := oauth.Authed(c, false, false, false, false)
if err != nil {
l.Errorf("error authing status faved by request: %s", err)
c.JSON(http.StatusBadRequest, gin.H{"error": "not authed"})
return
}
if _, err := api.NegotiateAccept(c, api.JSONAcceptHeaders...); err != nil {
c.JSON(http.StatusNotAcceptable, gin.H{"error": err.Error()})
return
}
targetStatusID := c.Param(IDKey)
if targetStatusID == "" {
c.JSON(http.StatusBadRequest, gin.H{"error": "no status id provided"})


@@ -23,6 +23,7 @@ import (
"github.com/gin-gonic/gin"
"github.com/sirupsen/logrus"
"github.com/superseriousbusiness/gotosocial/internal/api"
"github.com/superseriousbusiness/gotosocial/internal/oauth"
)
@@ -71,13 +72,18 @@ func (m *Module) StatusUnboostPOSTHandler(c *gin.Context) {
})
l.Debugf("entering function")
authed, err := oauth.Authed(c, true, false, true, true) // we don't really need an app here but we want everything else
authed, err := oauth.Authed(c, true, true, true, true)
if err != nil {
l.Debug("not authed so can't unboost status")
c.JSON(http.StatusUnauthorized, gin.H{"error": "not authorized"})
return
}
if _, err := api.NegotiateAccept(c, api.JSONAcceptHeaders...); err != nil {
c.JSON(http.StatusNotAcceptable, gin.H{"error": err.Error()})
return
}
targetStatusID := c.Param(IDKey)
if targetStatusID == "" {
c.JSON(http.StatusBadRequest, gin.H{"error": "no status id provided"})


@@ -23,6 +23,7 @@ import (
"github.com/gin-gonic/gin"
"github.com/sirupsen/logrus"
"github.com/superseriousbusiness/gotosocial/internal/api"
"github.com/superseriousbusiness/gotosocial/internal/oauth"
)
@@ -70,13 +71,18 @@ func (m *Module) StatusUnfavePOSTHandler(c *gin.Context) {
})
l.Debugf("entering function")
authed, err := oauth.Authed(c, true, false, true, true) // we don't really need an app here but we want everything else
authed, err := oauth.Authed(c, true, true, true, true)
if err != nil {
l.Debug("not authed so can't unfave status")
c.JSON(http.StatusUnauthorized, gin.H{"error": "not authorized"})
return
}
if _, err := api.NegotiateAccept(c, api.JSONAcceptHeaders...); err != nil {
c.JSON(http.StatusNotAcceptable, gin.H{"error": err.Error()})
return
}
targetStatusID := c.Param(IDKey)
if targetStatusID == "" {
c.JSON(http.StatusBadRequest, gin.H{"error": "no status id provided"})


@@ -56,6 +56,7 @@ func (suite *StatusUnfaveTestSuite) TestPostUnfave() {
ctx.Set(oauth.SessionAuthorizedUser, suite.testUsers["local_account_1"])
ctx.Set(oauth.SessionAuthorizedAccount, suite.testAccounts["local_account_1"])
ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080%s", strings.Replace(status.UnfavouritePath, ":id", targetStatus.ID, 1)), nil) // the endpoint we're hitting
ctx.Request.Header.Set("accept", "application/json")
// normally the router would populate these params from the path values,
// but because we're calling the function directly, we need to set them manually.
@@ -105,6 +106,7 @@ func (suite *StatusUnfaveTestSuite) TestPostAlreadyNotFaved() {
ctx.Set(oauth.SessionAuthorizedUser, suite.testUsers["local_account_1"])
ctx.Set(oauth.SessionAuthorizedAccount, suite.testAccounts["local_account_1"])
ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080%s", strings.Replace(status.UnfavouritePath, ":id", targetStatus.ID, 1)), nil) // the endpoint we're hitting
ctx.Request.Header.Set("accept", "application/json")
// normally the router would populate these params from the path values,
// but because we're calling the function directly, we need to set them manually.