mirror of
https://github.com/superseriousbusiness/gotosocial
synced 2025-06-05 21:59:39 +02:00
[feature] Enforce OAuth token scopes (#3835)
* move tokenauth to apiutil * enforce scopes * docs * update test models, remove deprecated "follow" * file header * tests * tweak scope matcher * simplify... * fix tests * log user out of settings panel in case of oauth error
This commit is contained in:
@ -27,7 +27,6 @@ import (
|
||||
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
|
||||
"github.com/superseriousbusiness/gotosocial/internal/config"
|
||||
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
|
||||
"github.com/superseriousbusiness/gotosocial/internal/oauth"
|
||||
)
|
||||
|
||||
// InstanceUpdatePATCHHandler swagger:operation PATCH /api/v1/instance instanceUpdate
|
||||
@ -107,7 +106,7 @@ import (
|
||||
//
|
||||
// security:
|
||||
// - OAuth2 Bearer:
|
||||
// - admin
|
||||
// - admin:write
|
||||
//
|
||||
// responses:
|
||||
// '200':
|
||||
@ -127,9 +126,12 @@ import (
|
||||
// '500':
|
||||
// description: internal server error
|
||||
func (m *Module) InstanceUpdatePATCHHandler(c *gin.Context) {
|
||||
authed, err := oauth.Authed(c, true, true, true, true)
|
||||
if err != nil {
|
||||
apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
|
||||
authed, errWithCode := apiutil.TokenAuth(c,
|
||||
true, true, true, true,
|
||||
apiutil.ScopeAdminWrite,
|
||||
)
|
||||
if errWithCode != nil {
|
||||
apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -544,7 +544,7 @@ func (suite *InstancePatchTestSuite) TestInstancePatch5() {
|
||||
b, err := io.ReadAll(result.Body)
|
||||
suite.NoError(err)
|
||||
|
||||
suite.Equal(`{"error":"Forbidden: user is not an admin so cannot update instance settings"}`, string(b))
|
||||
suite.Equal(`{"error":"Forbidden: token has insufficient scope permission"}`, string(b))
|
||||
}
|
||||
|
||||
func (suite *InstancePatchTestSuite) TestInstancePatch6() {
|
||||
|
@ -25,7 +25,6 @@ import (
|
||||
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
|
||||
"github.com/superseriousbusiness/gotosocial/internal/config"
|
||||
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
|
||||
"github.com/superseriousbusiness/gotosocial/internal/oauth"
|
||||
|
||||
"github.com/gin-gonic/gin"
|
||||
)
|
||||
@ -59,6 +58,9 @@ import (
|
||||
// required: false
|
||||
// default: "open"
|
||||
//
|
||||
// security:
|
||||
// - OAuth2 Bearer: []
|
||||
//
|
||||
// responses:
|
||||
// '200':
|
||||
// description: >-
|
||||
@ -99,9 +101,11 @@ import (
|
||||
// '500':
|
||||
// description: internal server error
|
||||
func (m *Module) InstancePeersGETHandler(c *gin.Context) {
|
||||
authed, err := oauth.Authed(c, false, false, false, false)
|
||||
if err != nil {
|
||||
apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
|
||||
authed, errWithCode := apiutil.TokenAuth(c,
|
||||
false, false, false, false,
|
||||
)
|
||||
if errWithCode != nil {
|
||||
apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
|
||||
return
|
||||
}
|
||||
|
||||
|
Reference in New Issue
Block a user