gotosocial/internal/processing/stream/authorize.go

// GoToSocial
// Copyright (C) GoToSocial Authors admin@gotosocial.org
// SPDX-License-Identifier: AGPL-3.0-or-later
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program.  If not, see <http://www.gnu.org/licenses/>.

package stream

import (
	"context"
	"errors"
	"fmt"
	"slices"
	"strings"

	apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
	"github.com/superseriousbusiness/gotosocial/internal/db"
	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
)

// Authorize returns an oauth2 token info in response to an access token query from the streaming API
func (p *Processor) Authorize(ctx context.Context, accessToken string) (*gtsmodel.Account, gtserror.WithCode) {
	ti, err := p.oauthServer.LoadAccessToken(ctx, accessToken)
	if err != nil {
		err := fmt.Errorf("could not load access token: %s", err)
		return nil, gtserror.NewErrorUnauthorized(err)
	}

	uid := ti.GetUserID()
	if uid == "" {
		err := fmt.Errorf("no userid in token")
		return nil, gtserror.NewErrorUnauthorized(err)
	}

	user, err := p.state.DB.GetUserByID(ctx, uid)
	if err != nil {
		if err == db.ErrNoEntries {
			err := fmt.Errorf("no user found for validated uid %s", uid)
			return nil, gtserror.NewErrorUnauthorized(err)
		}
		return nil, gtserror.NewErrorInternalError(err)
	}

	acct, err := p.state.DB.GetAccountByID(ctx, user.AccountID)
	if err != nil {
		if err == db.ErrNoEntries {
			err := fmt.Errorf("no account found for validated uid %s", uid)
			return nil, gtserror.NewErrorUnauthorized(err)
		}
		return nil, gtserror.NewErrorInternalError(err)
	}

	// Ensure read scope.
	//
	// TODO: make this more granular
	// depending on stream type.
	hasScopes := strings.Split(ti.GetScope(), " ")
	scopeOK := slices.ContainsFunc(
		hasScopes,
		func(hasScope string) bool {
			return apiutil.Scope(hasScope).Permits(apiutil.ScopeRead)
		},
	)

	if !scopeOK {
		const errText = "token has insufficient scope permission"
		return nil, gtserror.NewErrorForbidden(errors.New(errText), errText)
	}

	return acct, nil
}
[chore] Improve copyright header handling (#1608) * [chore] Remove years from all license headers Years or year ranges aren't required in license headers. Many projects have removed them in recent years and it avoids a bit of yearly toil. In many cases our copyright claim was also a bit dodgy since we added the 2021-2023 header to files created after 2021 but you can't claim copyright into the past that way. * [chore] Add license header check This ensures a license header is always added to any new file. This avoids maintainers/reviewers needing to remember to check for and ask for it in case a contribution doesn't include it. * [chore] Add missing license headers * [chore] Further updates to license header * Use the more common // indentend comment format * Remove the hack we had for the linter now that we use the // format * Add SPDX license identifier 2023-03-12 15:00:57 +00:00			`// GoToSocial`
			`// Copyright (C) GoToSocial Authors admin@gotosocial.org`
			`// SPDX-License-Identifier: AGPL-3.0-or-later`
			`//`
			`// This program is free software: you can redistribute it and/or modify`
			`// it under the terms of the GNU Affero General Public License as published by`
			`// the Free Software Foundation, either version 3 of the License, or`
			`// (at your option) any later version.`
			`//`
			`// This program is distributed in the hope that it will be useful,`
			`// but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`// GNU Affero General Public License for more details.`
			`//`
			`// You should have received a copy of the GNU Affero General Public License`
			`// along with this program. If not, see <http://www.gnu.org/licenses/>.`
Refactor/tidy (#261) * tidy up streaming * cut down code duplication * test get followers/following * test streaming processor * fix some test models * add TimeMustParse * fix uri / url typo * make trace logging less verbose * make logging more consistent * disable quote on logging * remove context.Background * remove many extraneous mastodon references * regenerate swagger * don't log query on no rows result * log latency first for easier reading 2021-10-04 13:24:19 +00:00
[chore] Deinterface processor and subprocessors (#1501) * [chore] Deinterface processor and subprocessors * expose subprocessors via function calls * missing license header 2023-02-22 15:05:26 +00:00			`package stream`
Streaming (#49) Add new status and notification websocket streaming capabilities 2021-06-19 09:18:55 +00:00
			`import (`
			`"context"`
[feature] Enforce OAuth token scopes (#3835) * move tokenauth to apiutil * enforce scopes * docs * update test models, remove deprecated "follow" * file header * tests * tweak scope matcher * simplify... * fix tests * log user out of settings panel in case of oauth error 2025-02-26 12:04:55 +00:00			`"errors"`
Streaming (#49) Add new status and notification websocket streaming capabilities 2021-06-19 09:18:55 +00:00			`"fmt"`
[feature] Enforce OAuth token scopes (#3835) * move tokenauth to apiutil * enforce scopes * docs * update test models, remove deprecated "follow" * file header * tests * tweak scope matcher * simplify... * fix tests * log user out of settings panel in case of oauth error 2025-02-26 12:04:55 +00:00			`"slices"`
			`"strings"`
Streaming (#49) Add new status and notification websocket streaming capabilities 2021-06-19 09:18:55 +00:00
[feature] Enforce OAuth token scopes (#3835) * move tokenauth to apiutil * enforce scopes * docs * update test models, remove deprecated "follow" * file header * tests * tweak scope matcher * simplify... * fix tests * log user out of settings panel in case of oauth error 2025-02-26 12:04:55 +00:00			`apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"`
[feature] More consistent API error handling (#637) * update templates * start reworking api error handling * update template * return AP status at web endpoint if negotiated * start making api error handling much more consistent * update account endpoints to new error handling * use new api error handling in admin endpoints * go fmt ./... * use api error logic in app * use generic error handling in auth * don't export generic error handler * don't defer clearing session * user nicer error handling on oidc callback handler * tidy up the sign in handler * tidy up the token handler * use nicer error handling in blocksget * auth emojis endpoint * fix up remaining api endpoints * fix whoopsie during login flow * regenerate swagger docs * change http error logging to debug 2022-06-08 18:38:03 +00:00			`"github.com/superseriousbusiness/gotosocial/internal/db"`
			`"github.com/superseriousbusiness/gotosocial/internal/gtserror"`
Streaming (#49) Add new status and notification websocket streaming capabilities 2021-06-19 09:18:55 +00:00			`"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"`
			`)`

[chore] Deinterface processor and subprocessors (#1501) * [chore] Deinterface processor and subprocessors * expose subprocessors via function calls * missing license header 2023-02-22 15:05:26 +00:00			`// Authorize returns an oauth2 token info in response to an access token query from the streaming API`
			`func (p Processor) Authorize(ctx context.Context, accessToken string) (gtsmodel.Account, gtserror.WithCode) {`
Refactor/tidy (#261) * tidy up streaming * cut down code duplication * test get followers/following * test streaming processor * fix some test models * add TimeMustParse * fix uri / url typo * make trace logging less verbose * make logging more consistent * disable quote on logging * remove context.Background * remove many extraneous mastodon references * regenerate swagger * don't log query on no rows result * log latency first for easier reading 2021-10-04 13:24:19 +00:00			`ti, err := p.oauthServer.LoadAccessToken(ctx, accessToken)`
Streaming (#49) Add new status and notification websocket streaming capabilities 2021-06-19 09:18:55 +00:00			`if err != nil {`
[feature] More consistent API error handling (#637) * update templates * start reworking api error handling * update template * return AP status at web endpoint if negotiated * start making api error handling much more consistent * update account endpoints to new error handling * use new api error handling in admin endpoints * go fmt ./... * use api error logic in app * use generic error handling in auth * don't export generic error handler * don't defer clearing session * user nicer error handling on oidc callback handler * tidy up the sign in handler * tidy up the token handler * use nicer error handling in blocksget * auth emojis endpoint * fix up remaining api endpoints * fix whoopsie during login flow * regenerate swagger docs * change http error logging to debug 2022-06-08 18:38:03 +00:00			`err := fmt.Errorf("could not load access token: %s", err)`
			`return nil, gtserror.NewErrorUnauthorized(err)`
Streaming (#49) Add new status and notification websocket streaming capabilities 2021-06-19 09:18:55 +00:00			`}`

			`uid := ti.GetUserID()`
			`if uid == "" {`
[feature] More consistent API error handling (#637) * update templates * start reworking api error handling * update template * return AP status at web endpoint if negotiated * start making api error handling much more consistent * update account endpoints to new error handling * use new api error handling in admin endpoints * go fmt ./... * use api error logic in app * use generic error handling in auth * don't export generic error handler * don't defer clearing session * user nicer error handling on oidc callback handler * tidy up the sign in handler * tidy up the token handler * use nicer error handling in blocksget * auth emojis endpoint * fix up remaining api endpoints * fix whoopsie during login flow * regenerate swagger docs * change http error logging to debug 2022-06-08 18:38:03 +00:00			`err := fmt.Errorf("no userid in token")`
			`return nil, gtserror.NewErrorUnauthorized(err)`
Streaming (#49) Add new status and notification websocket streaming capabilities 2021-06-19 09:18:55 +00:00			`}`

[chore] move client/federator workerpools to Workers{} (#1575) * replace concurrency worker pools with base models in State.Workers, update code and tests accordingly * improve code comment * change back testrig default log level * un-comment-out TestAnnounceTwice() and fix --------- Signed-off-by: kim <grufwub@gmail.com> Reviewed-by: tobi 2023-03-01 18:26:53 +00:00			`user, err := p.state.DB.GetUserByID(ctx, uid)`
[performance] add user cache and database (#879) * go fmt * add + use user cache and database * fix import * update tests * remove unused relation 2022-10-03 08:46:11 +00:00			`if err != nil {`
[feature] More consistent API error handling (#637) * update templates * start reworking api error handling * update template * return AP status at web endpoint if negotiated * start making api error handling much more consistent * update account endpoints to new error handling * use new api error handling in admin endpoints * go fmt ./... * use api error logic in app * use generic error handling in auth * don't export generic error handler * don't defer clearing session * user nicer error handling on oidc callback handler * tidy up the sign in handler * tidy up the token handler * use nicer error handling in blocksget * auth emojis endpoint * fix up remaining api endpoints * fix whoopsie during login flow * regenerate swagger docs * change http error logging to debug 2022-06-08 18:38:03 +00:00			`if err == db.ErrNoEntries {`
			`err := fmt.Errorf("no user found for validated uid %s", uid)`
			`return nil, gtserror.NewErrorUnauthorized(err)`
			`}`
			`return nil, gtserror.NewErrorInternalError(err)`
Streaming (#49) Add new status and notification websocket streaming capabilities 2021-06-19 09:18:55 +00:00			`}`

[chore] move client/federator workerpools to Workers{} (#1575) * replace concurrency worker pools with base models in State.Workers, update code and tests accordingly * improve code comment * change back testrig default log level * un-comment-out TestAnnounceTwice() and fix --------- Signed-off-by: kim <grufwub@gmail.com> Reviewed-by: tobi 2023-03-01 18:26:53 +00:00			`acct, err := p.state.DB.GetAccountByID(ctx, user.AccountID)`
[feature] More consistent API error handling (#637) * update templates * start reworking api error handling * update template * return AP status at web endpoint if negotiated * start making api error handling much more consistent * update account endpoints to new error handling * use new api error handling in admin endpoints * go fmt ./... * use api error logic in app * use generic error handling in auth * don't export generic error handler * don't defer clearing session * user nicer error handling on oidc callback handler * tidy up the sign in handler * tidy up the token handler * use nicer error handling in blocksget * auth emojis endpoint * fix up remaining api endpoints * fix whoopsie during login flow * regenerate swagger docs * change http error logging to debug 2022-06-08 18:38:03 +00:00			`if err != nil {`
			`if err == db.ErrNoEntries {`
			`err := fmt.Errorf("no account found for validated uid %s", uid)`
			`return nil, gtserror.NewErrorUnauthorized(err)`
			`}`
			`return nil, gtserror.NewErrorInternalError(err)`
Streaming (#49) Add new status and notification websocket streaming capabilities 2021-06-19 09:18:55 +00:00			`}`

[feature] Enforce OAuth token scopes (#3835) * move tokenauth to apiutil * enforce scopes * docs * update test models, remove deprecated "follow" * file header * tests * tweak scope matcher * simplify... * fix tests * log user out of settings panel in case of oauth error 2025-02-26 12:04:55 +00:00			`// Ensure read scope.`
			`//`
			`// TODO: make this more granular`
			`// depending on stream type.`
			`hasScopes := strings.Split(ti.GetScope(), " ")`
			`scopeOK := slices.ContainsFunc(`
			`hasScopes,`
			`func(hasScope string) bool {`
			`return apiutil.Scope(hasScope).Permits(apiutil.ScopeRead)`
			`},`
			`)`

			`if !scopeOK {`
			`const errText = "token has insufficient scope permission"`
			`return nil, gtserror.NewErrorForbidden(errors.New(errText), errText)`
			`}`

Streaming (#49) Add new status and notification websocket streaming capabilities 2021-06-19 09:18:55 +00:00			`return acct, nil`
			`}`