[feature] Enforce OAuth token scopes (#3835)

* move tokenauth to apiutil * enforce scopes * docs * update test models, remove deprecated "follow" * file header * tests * tweak scope matcher * simplify... * fix tests * log user out of settings panel in case of oauth error
2025-06-05 21:59:39 +02:00 · 2025-02-26 13:04:55 +01:00
parent f734a94c1c
commit eb720241da
213 changed files with 1762 additions and 1082 deletions
--- a/internal/api/client/lists/listupdate.go
+++ b/internal/api/client/lists/listupdate.go
@@ -27,7 +27,6 @@ import (
 	apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
 	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
-	"github.com/superseriousbusiness/gotosocial/internal/oauth"
 	"github.com/superseriousbusiness/gotosocial/internal/validate"
 )

@@ -103,9 +102,12 @@ import (
 //		'500':
 //			description: internal server error
 func (m *Module) ListUpdatePUTHandler(c *gin.Context) {
-	authed, err := oauth.Authed(c, true, true, true, true)
-	if err != nil {
-		apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+	authed, errWithCode := apiutil.TokenAuth(c,
+		true, true, true, true,
+		apiutil.ScopeWriteLists,
+	)
+	if errWithCode != nil {
+		apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 		return
 	}

@@ -152,7 +154,7 @@ func (m *Module) ListUpdatePUTHandler(c *gin.Context) {
 	}

 	if form.Title == nil && repliesPolicy == nil && form.Exclusive == nil {
-		err = errors.New("neither title nor replies_policy nor exclusive was set; nothing to update")
+		err := errors.New("neither title nor replies_policy nor exclusive was set; nothing to update")
 		apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1)
 		return
 	}