[feature] Enforce OAuth token scopes (#3835)

* move tokenauth to apiutil * enforce scopes * docs * update test models, remove deprecated "follow" * file header * tests * tweak scope matcher * simplify... * fix tests * log user out of settings panel in case of oauth error
2025-06-05 21:59:39 +02:00 · 2025-02-26 13:04:55 +01:00
parent f734a94c1c
commit eb720241da
213 changed files with 1762 additions and 1082 deletions
--- a/internal/processing/stream/authorize.go
+++ b/internal/processing/stream/authorize.go
@ -19,8 +19,12 @@ package stream

 import (
 	"context"
+	"errors"
 	"fmt"
+	"slices"
+	"strings"

+	apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 	"github.com/superseriousbusiness/gotosocial/internal/db"
 	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
 	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
@ -58,5 +62,22 @@ func (p *Processor) Authorize(ctx context.Context, accessToken string) (*gtsmode
 		return nil, gtserror.NewErrorInternalError(err)
 	}

+	// Ensure read scope.
+	//
+	// TODO: make this more granular
+	// depending on stream type.
+	hasScopes := strings.Split(ti.GetScope(), " ")
+	scopeOK := slices.ContainsFunc(
+		hasScopes,
+		func(hasScope string) bool {
+			return apiutil.Scope(hasScope).Permits(apiutil.ScopeRead)
+		},
+	)
+
+	if !scopeOK {
+		const errText = "token has insufficient scope permission"
+		return nil, gtserror.NewErrorForbidden(errors.New(errText), errText)
+	}
+
 	return acct, nil
 }