[feature] Enforce OAuth token scopes (#3835)

* move tokenauth to apiutil

* enforce scopes

* docs

* update test models, remove deprecated "follow"

* file header

* tests

* tweak scope matcher

* simplify...

* fix tests

* log user out of settings panel in case of oauth error
tobi
2025-02-26 13:04:55 +01:00
committed by GitHub
parent f734a94c1c
commit eb720241da
213 changed files with 1762 additions and 1082 deletions


@ -32,32 +32,44 @@
// tokenUrl: https://example.org/oauth/token
// scopes:
// read: grants read access to everything
// read:accounts: grants read access to accounts
// read:blocks: grant read access to blocks
// read:custom_emojis: grant read access to custom_emojis
// read:favourites: grant read access to favourites
// read:filters: grant read access to filters
// read:follows: grant read access to follows
// read:lists: grant read access to lists
// read:media: grant read access to media
// read:mutes: grant read access to mutes
// read:search: grant read access to searches
// read:statuses: grants read access to statuses
// read:streaming: grants read access to streaming api
// read:user: grants read access to user-level info
// read:notifications: grants read access to notifications
// write: grants write access to everything
// push: grants read/write access to push
// profile: grants read access to verify_credentials
// read:accounts: grants read access to accounts
// write:accounts: grants write access to accounts
// read:blocks: grants read access to blocks
// write:blocks: grants write access to blocks
// read:bookmarks: grants read access to bookmarks
// write:bookmarks: grants write access to bookmarks
// write:conversations: grants write access to conversations
// read:favourites: grants read access to accounts
// write:favourites: grants write access to favourites
// read:filters: grants read access to filters
// write:filters: grants write access to filters
// read:follows: grants read access to follows
// write:follows: grants write access to follows
// read:lists: grants read access to lists
// write:lists: grants write access to lists
// write:media: grants write access to media
// read:mutes: grants read access to mutes
// write:mutes: grants write access to mutes
// read:notifications: grants read access to notifications
// write:notifications: grants write access to notifications
// write:reports: grants write access to reports
// read:search: grants read access to search
// read:statuses: grants read access to statuses
// write:statuses: grants write access to statuses
// write:user: grants write access to user-level info
// admin: grants admin access to everything
// admin:accounts: grants admin access to accounts
// admin:read: grants admin read access to everything
// admin:write: grants admin write access to everything
// admin:read:accounts: grants admin read access to accounts
// admin:write:accounts: grants write read access to accounts
// admin:read:reports: grants admin read access to reports
// admin:write:reports: grants admin write access to reports
// admin:read:domain_allows: grants admin read access to domain_allows
// admin:write:domain_allows: grants admin write access to domain_allows
// admin:read:domain_blocks: grants admin read access to domain_blocks
// admin:write:domain_blocks: grants write read access to domain_blocks
// OAuth2 Application:
// type: oauth2
// flow: application
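Review bot: three scope descriptions in the new `scopes:` list carry copy-paste errors that will propagate into whatever API documentation is generated from this comment block: `read:favourites: grants read access to accounts` should say `grants read access to favourites`, and both `admin:write:accounts: grants write read access to accounts` and `admin:write:domain_blocks: grants write read access to domain_blocks` should follow the wording of their siblings, `grants admin write access to ...`. Worth fixing in the same change, since the scope names themselves are what the new enforcement keys on and readers will use this list to pick which scope to request.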