[feature] Enforce OAuth token scopes (#3835)

* move tokenauth to apiutil * enforce scopes * docs * update test models, remove deprecated "follow" * file header * tests * tweak scope matcher * simplify... * fix tests * log user out of settings panel in case of oauth error
2025-06-05 21:59:39 +02:00 · 2025-02-26 13:04:55 +01:00
parent f734a94c1c
commit eb720241da
213 changed files with 1762 additions and 1082 deletions
--- a/docs/swagger.go
+++ b/docs/swagger.go
@@ -32,32 +32,44 @@
 //	    tokenUrl: https://example.org/oauth/token
 //	    scopes:
 //	      read: grants read access to everything
-//	      read:accounts: grants read access to accounts
-//	      read:blocks: grant read access to blocks
-//	      read:custom_emojis: grant read access to custom_emojis
-//	      read:favourites: grant read access to favourites
-//	      read:filters: grant read access to filters
-//	      read:follows: grant read access to follows
-//	      read:lists: grant read access to lists
-//	      read:media: grant read access to media
-//	      read:mutes: grant read access to mutes
-//	      read:search: grant read access to searches
-//	      read:statuses: grants read access to statuses
-//	      read:streaming: grants read access to streaming api
-//	      read:user: grants read access to user-level info
-//	      read:notifications: grants read access to notifications
 //	      write: grants write access to everything
+//	      push: grants read/write access to push
+//	      profile: grants read access to verify_credentials
+//	      read:accounts: grants read access to accounts
 //	      write:accounts: grants write access to accounts
+//	      read:blocks: grants read access to blocks
 //	      write:blocks: grants write access to blocks
+//	      read:bookmarks: grants read access to bookmarks
+//	      write:bookmarks: grants write access to bookmarks
+//	      write:conversations: grants write access to conversations
+//	      read:favourites: grants read access to accounts
+//	      write:favourites: grants write access to favourites
+//	      read:filters: grants read access to filters
 //	      write:filters: grants write access to filters
+//	      read:follows: grants read access to follows
 //	      write:follows: grants write access to follows
+//	      read:lists: grants read access to lists
 //	      write:lists: grants write access to lists
 //	      write:media: grants write access to media
+//	      read:mutes: grants read access to mutes
 //	      write:mutes: grants write access to mutes
+//	      read:notifications: grants read access to notifications
+//	      write:notifications: grants write access to notifications
+//	      write:reports: grants write access to reports
+//	      read:search: grants read access to search
+//	      read:statuses: grants read access to statuses
 //	      write:statuses: grants write access to statuses
-//	      write:user: grants write access to user-level info
 //	      admin: grants admin access to everything
-//	      admin:accounts: grants admin access to accounts
+//	      admin:read: grants admin read access to everything
+//	      admin:write: grants admin write access to everything
+//	      admin:read:accounts: grants admin read access to accounts
+//	      admin:write:accounts: grants write read access to accounts
+//	      admin:read:reports: grants admin read access to reports
+//	      admin:write:reports: grants admin write access to reports
+//	      admin:read:domain_allows: grants admin read access to domain_allows
+//	      admin:write:domain_allows: grants admin write access to domain_allows
+//	      admin:read:domain_blocks: grants admin read access to domain_blocks
+//	      admin:write:domain_blocks: grants write read access to domain_blocks
 //	  OAuth2 Application:
 //	    type: oauth2
 //	    flow: application