From eb720241da3d786c6ec79f2325277fa4af23846f Mon Sep 17 00:00:00 2001 
From: tobi <31960611+tsmethurst@users.noreply.github.com> Date: Wed, 26 Feb 2025 13:04:55 +0100 Subject: [PATCH] [feature] Enforce OAuth token scopes (#3835) * move tokenauth to apiutil * enforce scopes * docs * update test models, remove deprecated "follow" * file header * tests * tweak scope matcher * simplify... * fix tests * log user out of settings panel in case of oauth error --- docs/api/swagger.yaml | 192 ++++++++++-------- docs/swagger.go | 44 ++-- internal/api/client/accounts/accountalias.go | 10 +- internal/api/client/accounts/accountcreate.go | 10 +- internal/api/client/accounts/accountdelete.go | 12 +- internal/api/client/accounts/accountget.go | 10 +- internal/api/client/accounts/accountmove.go | 10 +- internal/api/client/accounts/accountupdate.go | 10 +- internal/api/client/accounts/accountverify.go | 11 +- internal/api/client/accounts/block.go | 10 +- internal/api/client/accounts/featuredtags.go | 10 +- internal/api/client/accounts/follow.go | 10 +- internal/api/client/accounts/followers.go | 10 +- internal/api/client/accounts/following.go | 10 +- internal/api/client/accounts/lists.go | 10 +- internal/api/client/accounts/lookup.go | 10 +- internal/api/client/accounts/mute.go | 10 +- internal/api/client/accounts/note.go | 10 +- internal/api/client/accounts/profile.go | 10 +- internal/api/client/accounts/relationships.go | 12 +- internal/api/client/accounts/search.go | 10 +- internal/api/client/accounts/statuses.go | 12 +- internal/api/client/accounts/themesget.go | 10 +- internal/api/client/accounts/unblock.go | 7 +- internal/api/client/accounts/unfollow.go | 10 +- internal/api/client/accounts/unmute.go | 10 +- internal/api/client/admin/accountaction.go | 12 +- internal/api/client/admin/accountapprove.go | 12 +- internal/api/client/admin/accountget.go | 12 +- internal/api/client/admin/accountreject.go | 12 +- internal/api/client/admin/accountsgetv1.go | 12 +- internal/api/client/admin/accountsgetv2.go | 12 +- internal/api/client/admin/debug_off.go | 
4 +- internal/api/client/admin/debug_on.go | 19 +- .../api/client/admin/domainallowcreate.go | 2 +- .../api/client/admin/domainallowdelete.go | 2 +- internal/api/client/admin/domainallowget.go | 2 +- internal/api/client/admin/domainallowsget.go | 2 +- .../api/client/admin/domainblockcreate.go | 2 +- .../api/client/admin/domainblockdelete.go | 2 +- internal/api/client/admin/domainblockget.go | 2 +- internal/api/client/admin/domainblocksget.go | 2 +- internal/api/client/admin/domainkeysexpire.go | 12 +- internal/api/client/admin/domainpermission.go | 70 +++++-- .../admin/domainpermissiondraftaccept.go | 9 +- .../admin/domainpermissiondraftcreate.go | 12 +- .../client/admin/domainpermissiondraftget.go | 12 +- .../admin/domainpermissiondraftremove.go | 12 +- .../client/admin/domainpermissiondraftsget.go | 12 +- .../admin/domainpermissionexcludecreate.go | 12 +- .../admin/domainpermissionexcludeget.go | 12 +- .../admin/domainpermissionexcluderemove.go | 12 +- .../admin/domainpermissionexcludesget.go | 12 +- .../domainpermissionsubscriptioncreate.go | 12 +- .../admin/domainpermissionsubscriptionget.go | 12 +- .../domainpermissionsubscriptionremove.go | 12 +- .../admin/domainpermissionsubscriptionsget.go | 12 +- ...domainpermissionsubscriptionspreviewget.go | 12 +- .../admin/domainpermissionsubscriptiontest.go | 12 +- .../domainpermissionsubscriptionupdate.go | 12 +- internal/api/client/admin/emailtest.go | 14 +- .../api/client/admin/emojicategoriesget.go | 14 +- internal/api/client/admin/emojicreate.go | 12 +- internal/api/client/admin/emojidelete.go | 12 +- internal/api/client/admin/emojiget.go | 14 +- internal/api/client/admin/emojisget.go | 14 +- internal/api/client/admin/emojiupdate.go | 12 +- internal/api/client/admin/headerfilter.go | 33 +-- .../api/client/admin/headerfilter_create.go | 4 +- .../api/client/admin/headerfilter_delete.go | 4 +- internal/api/client/admin/headerfilter_get.go | 4 +- internal/api/client/admin/mediacleanup.go | 12 +- 
internal/api/client/admin/mediarefetch.go | 12 +- internal/api/client/admin/reportget.go | 12 +- internal/api/client/admin/reportresolve.go | 12 +- internal/api/client/admin/reportsget.go | 12 +- internal/api/client/admin/reportsget_test.go | 2 +- internal/api/client/admin/rulecreate.go | 12 +- internal/api/client/admin/ruledelete.go | 12 +- internal/api/client/admin/ruleget.go | 12 +- internal/api/client/admin/rulesget.go | 12 +- internal/api/client/admin/ruleupdate.go | 12 +- .../client/announcements/announcementsget.go | 12 +- internal/api/client/apps/appcreate.go | 9 +- internal/api/client/blocks/blocksget.go | 10 +- internal/api/client/bookmarks/bookmarksget.go | 10 +- .../conversations/conversationdelete.go | 10 +- .../client/conversations/conversationread.go | 10 +- .../client/conversations/conversationsget.go | 10 +- .../client/customemojis/customemojisget.go | 11 +- internal/api/client/exports/blocks.go | 10 +- internal/api/client/exports/followers.go | 12 +- internal/api/client/exports/following.go | 10 +- internal/api/client/exports/lists.go | 10 +- internal/api/client/exports/mutes.go | 10 +- internal/api/client/exports/stats.go | 12 +- .../api/client/favourites/favouritesget.go | 10 +- internal/api/client/featuredtags/get.go | 10 +- .../api/client/filters/v1/filterdelete.go | 10 +- internal/api/client/filters/v1/filterget.go | 10 +- internal/api/client/filters/v1/filterpost.go | 10 +- internal/api/client/filters/v1/filterput.go | 10 +- internal/api/client/filters/v1/filtersget.go | 10 +- .../api/client/filters/v2/filterdelete.go | 10 +- internal/api/client/filters/v2/filterget.go | 10 +- .../client/filters/v2/filterkeyworddelete.go | 10 +- .../api/client/filters/v2/filterkeywordget.go | 10 +- .../client/filters/v2/filterkeywordpost.go | 10 +- .../api/client/filters/v2/filterkeywordput.go | 10 +- .../client/filters/v2/filterkeywordsget.go | 10 +- internal/api/client/filters/v2/filterpost.go | 10 +- internal/api/client/filters/v2/filterput.go | 10 +- 
internal/api/client/filters/v2/filtersget.go | 10 +- .../client/filters/v2/filterstatusdelete.go | 10 +- .../client/filters/v2/filterstatusesget.go | 10 +- .../api/client/filters/v2/filterstatusget.go | 10 +- .../api/client/filters/v2/filterstatuspost.go | 10 +- internal/api/client/followedtags/get.go | 10 +- .../api/client/followrequests/authorize.go | 10 +- internal/api/client/followrequests/get.go | 10 +- internal/api/client/followrequests/reject.go | 10 +- internal/api/client/import/import.go | 14 +- internal/api/client/instance/instancepatch.go | 12 +- .../api/client/instance/instancepatch_test.go | 2 +- .../api/client/instance/instancepeersget.go | 12 +- .../client/interactionpolicies/getdefaults.go | 10 +- .../interactionpolicies/updatedefaults.go | 10 +- .../client/interactionrequests/authorize.go | 9 +- .../api/client/interactionrequests/get.go | 10 +- .../api/client/interactionrequests/getpage.go | 10 +- .../api/client/interactionrequests/reject.go | 9 +- internal/api/client/lists/listaccounts.go | 10 +- internal/api/client/lists/listaccountsadd.go | 10 +- .../api/client/lists/listaccountsremove.go | 12 +- internal/api/client/lists/listcreate.go | 10 +- internal/api/client/lists/listdelete.go | 10 +- internal/api/client/lists/listget.go | 10 +- internal/api/client/lists/listsget.go | 10 +- internal/api/client/lists/listupdate.go | 12 +- internal/api/client/markers/markersget.go | 10 +- internal/api/client/markers/markerspost.go | 10 +- internal/api/client/media/mediacreate.go | 10 +- internal/api/client/media/mediaget.go | 12 +- internal/api/client/media/mediaupdate.go | 10 +- internal/api/client/mutes/mutesget.go | 10 +- .../client/notifications/notificationget.go | 10 +- .../notifications/notificationsclear.go | 14 +- .../client/notifications/notificationsget.go | 10 +- internal/api/client/polls/polls_get.go | 9 +- internal/api/client/polls/polls_vote.go | 9 +- .../api/client/preferences/preferencesget.go | 10 +- 
.../api/client/push/pushsubscriptiondelete.go | 11 +- .../push/pushsubscriptiondelete_test.go | 2 +- .../api/client/push/pushsubscriptionget.go | 11 +- .../client/push/pushsubscriptionget_test.go | 2 +- .../api/client/push/pushsubscriptionpost.go | 10 +- .../client/push/pushsubscriptionpost_test.go | 12 +- .../api/client/push/pushsubscriptionput.go | 10 +- .../client/push/pushsubscriptionput_test.go | 2 +- internal/api/client/reports/reportcreate.go | 16 +- internal/api/client/reports/reportget.go | 12 +- internal/api/client/reports/reportsget.go | 12 +- internal/api/client/search/searchget.go | 10 +- .../api/client/statuses/statusbookmark.go | 12 +- internal/api/client/statuses/statusboost.go | 10 +- .../api/client/statuses/statusboostedby.go | 10 +- internal/api/client/statuses/statuscontext.go | 10 +- internal/api/client/statuses/statuscreate.go | 10 +- internal/api/client/statuses/statusdelete.go | 10 +- internal/api/client/statuses/statusedit.go | 10 +- internal/api/client/statuses/statusfave.go | 10 +- internal/api/client/statuses/statusfavedby.go | 10 +- internal/api/client/statuses/statusget.go | 10 +- internal/api/client/statuses/statushistory.go | 10 +- internal/api/client/statuses/statusmute.go | 10 +- internal/api/client/statuses/statuspin.go | 10 +- internal/api/client/statuses/statussource.go | 10 +- .../api/client/statuses/statusunbookmark.go | 12 +- internal/api/client/statuses/statusunboost.go | 10 +- internal/api/client/statuses/statusunfave.go | 12 +- internal/api/client/statuses/statusunmute.go | 10 +- internal/api/client/statuses/statusunpin.go | 10 +- internal/api/client/streaming/stream.go | 6 +- internal/api/client/tags/follow.go | 11 +- internal/api/client/tags/get.go | 13 +- internal/api/client/tags/unfollow.go | 11 +- internal/api/client/timelines/home.go | 10 +- internal/api/client/timelines/list.go | 10 +- internal/api/client/timelines/public.go | 21 +- internal/api/client/timelines/tag.go | 10 +- internal/api/client/user/emailchange.go 
| 12 +- internal/api/client/user/passwordchange.go | 12 +- internal/api/client/user/userget.go | 12 +- internal/api/fileserver/servefile.go | 7 +- internal/api/util/auth.go | 152 ++++++++++++++ internal/api/util/scopes.go | 103 ++++++++++ internal/api/util/scopes_test.go | 101 +++++++++ internal/oauth/tokenstore_test.go | 20 -- internal/oauth/util.go | 107 ---------- internal/processing/account/move.go | 4 +- internal/processing/account/move_test.go | 7 +- internal/processing/app.go | 4 +- internal/processing/processor_test.go | 5 +- internal/processing/stream/authorize.go | 21 ++ internal/processing/timeline/faved.go | 4 +- internal/processing/timeline/home.go | 4 +- internal/processing/timeline/home_test.go | 4 +- internal/processing/timeline/list.go | 4 +- internal/processing/timeline/notification.go | 6 +- internal/processing/workers/workers_test.go | 6 +- testrig/testmodels.go | 16 +- .../components/authorization/index.tsx | 10 +- .../components/authorization/login.tsx | 2 +- 213 files changed, 1762 insertions(+), 1082 deletions(-) create mode 100644 internal/api/util/auth.go create mode 100644 internal/api/util/scopes.go create mode 100644 internal/api/util/scopes_test.go delete mode 100644 internal/oauth/tokenstore_test.go delete mode 100644 internal/oauth/util.go
diff --git a/docs/api/swagger.yaml b/docs/api/swagger.yaml
index 2e250060a..75fa2a777 100644
--- a/docs/api/swagger.yaml
+++ b/docs/api/swagger.yaml
@@ -4331,7 +4331,7 @@ paths:
 description: internal server error
 security:
 - OAuth2 Bearer:
- - read:accounts
+ - read:statuses
 summary: See statuses posted by the requested account.
 tags:
 - accounts
@@ -5004,7 +5004,7 @@ paths:
 description: internal server error
 security:
 - OAuth2 Bearer:
- - admin
+ - admin:read:accounts
 summary: View + page through known accounts according to given filters.
 tags:
 - admin
@@ -5038,7 +5038,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:read:accounts summary: View one account. tags: - admin @@ -5083,7 +5083,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write:accounts summary: Perform an admin action on an account. tags: - admin @@ -5117,7 +5117,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write:accounts summary: Approve pending account. tags: - admin @@ -5163,7 +5163,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write:accounts summary: Reject pending account. tags: - admin @@ -5241,6 +5241,9 @@ paths: description: not acceptable "500": description: internal server error + security: + - OAuth2 Bearer: + - admin:read summary: View local and remote emojis available to / known by this instance. tags: - admin @@ -5287,7 +5290,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write summary: Upload and create a new instance emoji. tags: - admin @@ -5327,7 +5330,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write summary: Delete a **local** emoji with the given ID from the instance. tags: - admin @@ -5358,6 +5361,9 @@ paths: description: not acceptable "500": description: internal server error + security: + - OAuth2 Bearer: + - admin:read summary: Get the admin view of a single emoji. tags: - admin @@ -5429,7 +5435,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write summary: Perform admin action on a local or remote emoji known to this instance. tags: - admin @@ -5457,6 +5463,9 @@ paths: description: not acceptable "500": description: internal server error + security: + - OAuth2 Bearer: + - admin:read summary: Get a list of existing emoji categories. tags: - admin 
@@ -5489,7 +5498,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write summary: Perform a GET to the specified ActivityPub URL and return detailed debugging information. tags: - debug @@ -5514,7 +5523,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write summary: Sweep/clear all in-memory caches. tags: - debug @@ -5549,7 +5558,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:read:domain_allows summary: View all domain allows currently in place. tags: - admin @@ -5612,7 +5621,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write:domain_allows summary: Create one or more domain allows, from a string or a file. tags: - admin @@ -5648,7 +5657,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write:domain_allows summary: Delete domain allow with the given ID. tags: - admin @@ -5681,7 +5690,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:read:domain_allows summary: View domain allow with the given ID. tags: - admin @@ -5716,7 +5725,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:read:domain_blocks summary: View all domain blocks currently in place. tags: - admin @@ -5779,7 +5788,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write:domain_blocks summary: Create one or more domain blocks, from a string or a file. tags: - admin @@ -5815,7 +5824,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write:domain_blocks summary: Delete domain block with the given ID. tags: - admin @@ -5848,7 +5857,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:read:domain_blocks summary: View domain block with the given ID. tags: - admin 
@@ -5900,7 +5909,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write summary: Force expiry of cached public keys for all accounts on the given domain stored in your database. tags: - admin @@ -5976,7 +5985,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:read summary: View domain permission drafts. tags: - admin @@ -6027,7 +6036,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write summary: Create a domain permission draft with the given parameters. tags: - admin @@ -6059,7 +6068,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:read summary: Get domain permission draft with the given ID. tags: - admin @@ -6101,7 +6110,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write summary: Accept a domain permission draft, turning it into an enforced domain permission. tags: - admin @@ -6143,7 +6152,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write summary: Remove a domain permission draft, optionally ignoring all future drafts targeting the given domain. tags: - admin @@ -6211,7 +6220,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:read summary: View domain permission excludes. tags: - admin @@ -6254,7 +6263,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write summary: Create a domain permission exclude with the given parameters. tags: - admin @@ -6288,7 +6297,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write summary: Remove a domain permission exclude. tags: - admin @@ -6319,7 +6328,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:read summary: Get domain permission exclude with the given ID. tags: - admin 
@@ -6387,7 +6396,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:read summary: View domain permission subscriptions. tags: - admin @@ -6462,7 +6471,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write summary: Create a domain permission subscription with the given parameters. tags: - admin @@ -6535,7 +6544,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write summary: Update a domain permission subscription with the given parameters. tags: - admin @@ -6567,7 +6576,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:read summary: Get domain permission subscription with the given ID. tags: - admin @@ -6611,7 +6620,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write summary: Remove a domain permission subscription. tags: - admin @@ -6651,7 +6660,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write summary: Test one domain permission subscription by making your instance fetch and parse it *without creating permissions*. tags: - admin @@ -6688,7 +6697,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:read summary: View all domain permission subscriptions of the given permission type, in priority order (highest to lowest). tags: - admin @@ -6733,7 +6742,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write summary: Send a generic test email to a specified email address. tags: - admin @@ -6802,7 +6811,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write summary: Create new "allow" HTTP request header filter. tags: - admin 
@@ -6830,7 +6839,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write summary: Delete the "allow" header filter with the given ID. tags: - admin @@ -6859,7 +6868,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:read summary: Get "allow" header filter with the given ID. tags: - admin @@ -6928,7 +6937,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write summary: Create new "block" HTTP request header filter. tags: - admin @@ -6956,7 +6965,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write summary: Delete the "block" header filter with the given ID. tags: - admin @@ -6985,7 +6994,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:read summary: Get "block" header filter with the given ID. tags: - admin @@ -7014,7 +7023,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:read summary: View instance rules, with IDs. tags: - admin @@ -7050,7 +7059,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write summary: Create a new instance rule. tags: - admin @@ -7086,7 +7095,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write summary: Delete an existing instance rule. tags: - admin @@ -7117,7 +7126,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:read summary: View instance rule with the given id. tags: - admin @@ -7159,7 +7168,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write summary: Update an existing instance rule. tags: - admin 
@@ -7199,7 +7208,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write summary: Clean up remote media older than the specified number of days. tags: - admin @@ -7233,7 +7242,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write summary: Refetch media specified in the database but missing from storage. tags: - admin @@ -7307,7 +7316,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:read:reports summary: View user moderation reports. tags: - admin @@ -7339,7 +7348,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:read:reports summary: View user moderation report with the given id. tags: - admin @@ -7381,7 +7390,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write:reports summary: Mark a report as resolved. tags: - admin @@ -7408,8 +7417,7 @@ paths: "500": description: internal server error security: - - OAuth2 Bearer: - - read:announcements + - OAuth2 Bearer: [] summary: Get an array of currently active announcements. tags: - announcements @@ -7723,8 +7731,7 @@ paths: "500": description: internal server error security: - - OAuth2 Bearer: - - read:custom_emojis + - OAuth2 Bearer: [] summary: Get an array of custom emojis available on the instance. tags: - custom_emojis @@ -7764,7 +7771,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - read:follows + - read:accounts summary: Export a CSV file of accounts that follow you. tags: - import-export @@ -7846,7 +7853,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - read:account + - read:accounts summary: Returns informational stats on the number of items that can be exported for requesting account. tags: - import-export 
@@ -8423,7 +8430,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - write:accounts + - write summary: Upload some CSV-formatted data to your account. tags: - import-export @@ -8517,7 +8524,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:write summary: Update your instance information and/or upload a new avatar/header for the instance. tags: - instance @@ -8569,6 +8576,8 @@ paths: description: not acceptable "500": description: internal server error + security: + - OAuth2 Bearer: [] tags: - instance /api/v1/instance/rules: @@ -9643,7 +9652,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - read:notifications + - write:notifications summary: Clear/delete all notifications for currently authorized user. tags: - notifications @@ -10158,7 +10167,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - read:reports + - read:accounts summary: See reports created by the requesting account. tags: - reports @@ -10270,7 +10279,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - read:reports + - read:accounts summary: Get one report with the given id. tags: - reports @@ -10677,7 +10686,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - write:statuses + - write:bookmarks summary: Bookmark status with the given ID. tags: - statuses @@ -11035,7 +11044,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - write:statuses + - write:bookmarks summary: Unbookmark status with the given ID. tags: - statuses @@ -11069,7 +11078,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - write:statuses + - write:favourites summary: Unstar/unlike/unfavourite the given status. tags: - statuses 
@@ -11313,8 +11322,7 @@ paths: "500": description: internal server error security: - - OAuth2 Bearer: - - read:follows + - OAuth2 Bearer: [] summary: Get details for a hashtag, including whether you currently follow it. tags: - tags @@ -11642,7 +11650,7 @@ paths: description: internal error security: - OAuth2 Bearer: - - read:user + - read:accounts summary: Get your own user model. tags: - user @@ -11687,7 +11695,7 @@ paths: description: internal error security: - OAuth2 Bearer: - - write:user + - write:accounts summary: Request changing the email address of authenticated user. tags: - user @@ -11736,7 +11744,7 @@ paths: description: internal error security: - OAuth2 Bearer: - - write:user + - write:accounts summary: Change the password of authenticated user. tags: - user @@ -11837,7 +11845,7 @@ paths: description: internal server error security: - OAuth2 Bearer: - - admin + - admin:read:accounts summary: View + page through known accounts according to given filters. tags: - admin 
@@ -12724,32 +12732,44 @@ securityDefinitions:
 flow: accessCode
 scopes:
 admin: grants admin access to everything
- admin:accounts: grants admin access to accounts
+ admin:read: grants admin read access to everything
+ admin:read:accounts: grants admin read access to accounts
+ admin:read:domain_allows: grants admin read access to domain_allows
+ admin:read:domain_blocks: grants admin read access to domain_blocks
+ admin:read:reports: grants admin read access to reports
+ admin:write: grants admin write access to everything
+ admin:write:accounts: grants write read access to accounts
+ admin:write:domain_allows: grants admin write access to domain_allows
+ admin:write:domain_blocks: grants write read access to domain_blocks
+ admin:write:reports: grants admin write access to reports
+ profile: grants read access to verify_credentials
+ push: grants read/write access to push
 read: grants read access to everything
 read:accounts: grants read access to accounts
- read:blocks: grant read access to blocks
- read:custom_emojis: grant read access to custom_emojis
- read:favourites: grant read access to favourites
- read:filters: grant read access to filters
- read:follows: grant read access to follows
- read:lists: grant read access to lists
- read:media: grant read access to media
- read:mutes: grant read access to mutes
+ read:blocks: grants read access to blocks
+ read:bookmarks: grants read access to bookmarks
+ read:favourites: grants read access to accounts
+ read:filters: grants read access to filters
+ read:follows: grants read access to follows
+ read:lists: grants read access to lists
+ read:mutes: grants read access to mutes
 read:notifications: grants read access to notifications
- read:search: grant read access to searches
+ read:search: grants read access to search
 read:statuses: grants read access to statuses
- read:streaming: grants read access to streaming api
- read:user: grants read access to user-level info
 write: grants write access to everything
write:accounts: grants write access to accounts
 write:blocks: grants write access to blocks
+ write:bookmarks: grants write access to bookmarks
+ write:conversations: grants write access to conversations
+ write:favourites: grants write access to favourites
 write:filters: grants write access to filters
 write:follows: grants write access to follows
 write:lists: grants write access to lists
 write:media: grants write access to media
 write:mutes: grants write access to mutes
+ write:notifications: grants write access to notifications
+ write:reports: grants write access to reports
 write:statuses: grants write access to statuses
- write:user: grants write access to user-level info
 tokenUrl: https://example.org/oauth/token
 type: oauth2
 swagger: "2.0"
diff --git a/docs/swagger.go b/docs/swagger.go
index 73c9a3d9a..ecd03e6b9 100644
--- a/docs/swagger.go
+++ b/docs/swagger.go
@@ -32,32 +32,44 @@
 // tokenUrl: https://example.org/oauth/token
 // scopes:
 // read: grants read access to everything
-// read:accounts: grants read access to accounts
-// read:blocks: grant read access to blocks
-// read:custom_emojis: grant read access to custom_emojis
-// read:favourites: grant read access to favourites
-// read:filters: grant read access to filters
-// read:follows: grant read access to follows
-// read:lists: grant read access to lists
-// read:media: grant read access to media
-// read:mutes: grant read access to mutes
-// read:search: grant read access to searches
-// read:statuses: grants read access to statuses
-// read:streaming: grants read access to streaming api
-// read:user: grants read access to user-level info
-// read:notifications: grants read access to notifications
 // write: grants write access to everything
+// push: grants read/write access to push
+// profile: grants read access to verify_credentials
+// read:accounts: grants read access to accounts
 // write:accounts: grants write access to accounts
+// read:blocks: grants read access to blocks
 // write:blocks: grants write access to blocks
+// read:bookmarks: grants read access to bookmarks
+// write:bookmarks: grants write access to bookmarks
+// write:conversations: grants write access to conversations
+// read:favourites: grants read access to accounts
+// write:favourites: grants write access to favourites
+// read:filters: grants read access to filters
 // write:filters: grants write access to filters
+// read:follows: grants read access to follows
 // write:follows: grants write access to follows
+// read:lists: grants read access to lists
 // write:lists: grants write access to lists
 // write:media: grants write access to media
+// read:mutes: grants read access to mutes
 // write:mutes: grants write access to mutes
+// read:notifications: grants read access to notifications
+// write:notifications: grants write access to notifications
+// write:reports: grants write 
access to reports
+// read:search: grants read access to search
+// read:statuses: grants read access to statuses
 // write:statuses: grants write access to statuses
-// write:user: grants write access to user-level info
 // admin: grants admin access to everything
-// admin:accounts: grants admin access to accounts
+// admin:read: grants admin read access to everything
+// admin:write: grants admin write access to everything
+// admin:read:accounts: grants admin read access to accounts
+// admin:write:accounts: grants write read access to accounts
+// admin:read:reports: grants admin read access to reports
+// admin:write:reports: grants admin write access to reports
+// admin:read:domain_allows: grants admin read access to domain_allows
+// admin:write:domain_allows: grants admin write access to domain_allows
+// admin:read:domain_blocks: grants admin read access to domain_blocks
+// admin:write:domain_blocks: grants write read access to domain_blocks
 // OAuth2 Application:
 // type: oauth2
 // flow: application
diff --git a/internal/api/client/accounts/accountalias.go b/internal/api/client/accounts/accountalias.go
index 3f869c0d6..e0b67694f 100644
--- a/internal/api/client/accounts/accountalias.go
+++ b/internal/api/client/accounts/accountalias.go
@@ -24,7 +24,6 @@ import (
 apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )

 // AccountAliasPOSTHandler swagger:operation POST /api/v1/accounts/alias accountAlias
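Review bot: Three of the new scope descriptions in the docs/swagger.go comment block misdescribe the permission: `admin:write:accounts: grants write read access to accounts` and `admin:write:domain_blocks: grants write read access to domain_blocks` should read `grants admin write access to …`, and `read:favourites: grants read access to accounts` should say `favourites`. These strings are what an operator or client developer reads to judge what a token is allowed to do, so a copy-paste slip here misstates the grant. The generated docs/api/swagger.yaml hunk earlier in this patch carries the same three lines, so the YAML should be regenerated once the source comment is fixed.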
@@ -77,9 +76,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountAliasPOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/accountcreate.go b/internal/api/client/accounts/accountcreate.go index 33d743791..71f343522 100644 --- a/internal/api/client/accounts/accountcreate.go +++ b/internal/api/client/accounts/accountcreate.go @@ -26,7 +26,6 @@ import ( apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" "github.com/superseriousbusiness/gotosocial/internal/validate" ) @@ -74,9 +73,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountCreatePOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, false, false) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, false, + apiutil.ScopeWriteAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/accountdelete.go b/internal/api/client/accounts/accountdelete.go index 9a1ef7931..6438462c6 100644 --- a/internal/api/client/accounts/accountdelete.go +++ b/internal/api/client/accounts/accountdelete.go 
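Review bot: In the accountcreate.go hunk the third boolean passed to TokenAuth is `true`, whereas the replaced `oauth.Authed(c, true, true, false, false)` had it `false`; every other handler on this page keeps its four flags unchanged, so this reads as an unintended edit rather than part of the scope work. If that position still means "require a user on the token", as the shape of the original call suggests, signup requests authenticated with an app-only client-credentials token would now be rejected before the scope check is even reached. Either restore `true, true, false, false,` or add a comment stating why a user is now required for account creation. The body of AccountCreatePOSTHandler continues outside the hunk.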
@@ -25,7 +25,6 @@ import ( apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" "golang.org/x/crypto/bcrypt" ) @@ -66,9 +65,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountDeletePOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } @@ -80,7 +82,7 @@ func (m *Module) AccountDeletePOSTHandler(c *gin.Context) { // Self account delete requires password to ensure it's for real. if form.Password == "" { - err = errors.New("no password provided in account delete request") + err := errors.New("no password provided in account delete request") apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/accountget.go b/internal/api/client/accounts/accountget.go index 4c1b66a20..cc6de3337 100644 --- a/internal/api/client/accounts/accountget.go +++ b/internal/api/client/accounts/accountget.go @@ -24,7 +24,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // AccountGETHandler swagger:operation GET /api/v1/accounts/{id} accountGet 
@@ -66,9 +65,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/accountmove.go b/internal/api/client/accounts/accountmove.go index 3698c06a3..601dd7d54 100644 --- a/internal/api/client/accounts/accountmove.go +++ b/internal/api/client/accounts/accountmove.go @@ -24,7 +24,6 @@ import ( apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // AccountMovePOSTHandler swagger:operation POST /api/v1/accounts/move accountMove @@ -74,9 +73,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountMovePOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/accountupdate.go b/internal/api/client/accounts/accountupdate.go index 5d3a3da5f..617031d79 100644 --- a/internal/api/client/accounts/accountupdate.go +++ b/internal/api/client/accounts/accountupdate.go 
@@ -30,7 +30,6 @@ import ( apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // AccountUpdateCredentialsPATCHHandler swagger:operation PATCH /api/v1/accounts/update_credentials accountUpdate @@ -236,9 +235,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountUpdateCredentialsPATCHHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/accountverify.go b/internal/api/client/accounts/accountverify.go index 1799089ab..f9dd5ae9c 100644 --- a/internal/api/client/accounts/accountverify.go +++ b/internal/api/client/accounts/accountverify.go @@ -23,7 +23,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // AccountVerifyGETHandler swagger:operation GET /api/v1/accounts/verify_credentials accountVerify 
@@ -56,9 +55,13 @@ import ( // '500': // description: internal server error func (m *Module) AccountVerifyGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeProfile, + apiutil.ScopeReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/block.go b/internal/api/client/accounts/block.go index 24ff099a7..09bf23a85 100644 --- a/internal/api/client/accounts/block.go +++ b/internal/api/client/accounts/block.go @@ -24,7 +24,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // AccountBlockPOSTHandler swagger:operation POST /api/v1/accounts/{id}/block accountBlock @@ -66,9 +65,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountBlockPOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteBlocks, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/featuredtags.go b/internal/api/client/accounts/featuredtags.go index 312a92bcc..0cb3c7b98 100644 --- a/internal/api/client/accounts/featuredtags.go +++ b/internal/api/client/accounts/featuredtags.go 
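Review bot: The accountverify.go hunk is the only call on this page that passes two scopes, `apiutil.ScopeProfile, apiutil.ScopeReadAccounts`, and nothing at the call site says whether the token needs either one or both of them. Presumably any one listed scope is sufficient, since `profile` is described on this page as the minimal scope for verify_credentials; a one-line comment above the call would make that explicit, e.g. `// Either 'profile' or 'read:accounts' is enough for this endpoint.` The handler body continues outside the hunk.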
@@ -23,7 +23,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // AccountFeaturedTagsGETHandler swagger:operation GET /api/v1/accounts/{id}/featured_tags accountsFeaturedTags @@ -68,9 +67,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountFeaturedTagsGETHandler(c *gin.Context) { - _, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + _, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/follow.go b/internal/api/client/accounts/follow.go index 8a6e99744..d72032066 100644 --- a/internal/api/client/accounts/follow.go +++ b/internal/api/client/accounts/follow.go @@ -25,7 +25,6 @@ import ( apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // AccountFollowPOSTHandler swagger:operation POST /api/v1/accounts/{id}/follow accountFollow 
@@ -91,9 +90,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountFollowPOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteFollows, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/followers.go b/internal/api/client/accounts/followers.go index 332788c3a..d1fca7918 100644 --- a/internal/api/client/accounts/followers.go +++ b/internal/api/client/accounts/followers.go @@ -24,7 +24,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" "github.com/superseriousbusiness/gotosocial/internal/paging" ) @@ -119,9 +118,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountFollowersGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/following.go b/internal/api/client/accounts/following.go index bdd9ff3de..b0d47667f 100644 --- a/internal/api/client/accounts/following.go +++ b/internal/api/client/accounts/following.go 
@@ -24,7 +24,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" "github.com/superseriousbusiness/gotosocial/internal/paging" ) @@ -119,9 +118,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountFollowingGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/lists.go b/internal/api/client/accounts/lists.go index 7bd1227a8..f054b73bb 100644 --- a/internal/api/client/accounts/lists.go +++ b/internal/api/client/accounts/lists.go @@ -24,7 +24,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // AccountListsGETHandler swagger:operation GET /api/v1/accounts/{id}/lists accountLists @@ -69,9 +68,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountListsGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadLists, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } 
diff --git a/internal/api/client/accounts/lookup.go b/internal/api/client/accounts/lookup.go index d2a8e76be..88cf7fbe9 100644 --- a/internal/api/client/accounts/lookup.go +++ b/internal/api/client/accounts/lookup.go @@ -23,7 +23,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // AccountLookupGETHandler swagger:operation GET /api/v1/accounts/lookup accountLookupGet @@ -66,9 +65,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountLookupGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/mute.go b/internal/api/client/accounts/mute.go index c9a57a348..c5e5cc24b 100644 --- a/internal/api/client/accounts/mute.go +++ b/internal/api/client/accounts/mute.go @@ -25,7 +25,6 @@ import ( apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" "github.com/superseriousbusiness/gotosocial/internal/util" ) 
@@ -86,9 +85,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountMutePOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteMutes, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/note.go b/internal/api/client/accounts/note.go index bcfd232ae..bee99cf1e 100644 --- a/internal/api/client/accounts/note.go +++ b/internal/api/client/accounts/note.go @@ -24,7 +24,6 @@ import ( apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // AccountNotePOSTHandler swagger:operation POST /api/v1/accounts/{id}/note accountNote @@ -75,9 +74,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountNotePOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/profile.go b/internal/api/client/accounts/profile.go index 8ff59a23b..16c312685 100644 --- a/internal/api/client/accounts/profile.go +++ b/internal/api/client/accounts/profile.go 
@@ -26,7 +26,6 @@ import ( apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // AccountAvatarDELETEHandler swagger:operation DELETE /api/v1/profile/avatar accountAvatarDelete @@ -102,9 +101,12 @@ func (m *Module) AccountHeaderDELETEHandler(c *gin.Context) { // accountDeleteProfileAttachment checks that an authenticated account is present and allowed to alter itself, // runs an attachment deletion processor method, and returns the updated account. func (m *Module) accountDeleteProfileAttachment(c *gin.Context, processDelete func(context.Context, *gtsmodel.Account) (*apimodel.Account, gtserror.WithCode)) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/relationships.go b/internal/api/client/accounts/relationships.go index 30d7dd666..7a5589832 100644 --- a/internal/api/client/accounts/relationships.go +++ b/internal/api/client/accounts/relationships.go @@ -25,7 +25,6 @@ import ( apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // AccountRelationshipsGETHandler swagger:operation GET /api/v1/accounts/relationships accountRelationships 
@@ -73,9 +72,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountRelationshipsGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } @@ -89,7 +91,7 @@ func (m *Module) AccountRelationshipsGETHandler(c *gin.Context) { // check fallback -- let's be generous and see if maybe it's just set as 'id'? id := c.Query("id") if id == "" { - err = errors.New("no account id(s) specified in query") + err := errors.New("no account id(s) specified in query") apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/search.go b/internal/api/client/accounts/search.go index 13c135601..671afece2 100644 --- a/internal/api/client/accounts/search.go +++ b/internal/api/client/accounts/search.go @@ -23,7 +23,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // AccountSearchGETHandler swagger:operation GET /api/v1/accounts/search accountSearchGet 
@@ -107,9 +106,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountSearchGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/statuses.go b/internal/api/client/accounts/statuses.go index a72a464ed..c9f7977d8 100644 --- a/internal/api/client/accounts/statuses.go +++ b/internal/api/client/accounts/statuses.go @@ -26,7 +26,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // AccountStatusesGETHandler swagger:operation GET /api/v1/accounts/{id}/statuses accountStatuses @@ -109,7 +108,7 @@ import ( // // security: // - OAuth2 Bearer: -// - read:accounts +// - read:statuses // // responses: // '200': @@ -134,9 +133,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountStatusesGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadStatuses, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/themesget.go b/internal/api/client/accounts/themesget.go index 5a0cb6d94..6055a619f 100644 --- a/internal/api/client/accounts/themesget.go +++ b/internal/api/client/accounts/themesget.go 
@@ -23,7 +23,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // AccountThemesGETHandler swagger:operation GET /api/v1/accounts/themes accountThemes @@ -60,9 +59,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountThemesGETHandler(c *gin.Context) { - _, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + _, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/unblock.go b/internal/api/client/accounts/unblock.go index e8144711e..615d62e60 100644 --- a/internal/api/client/accounts/unblock.go +++ b/internal/api/client/accounts/unblock.go @@ -24,7 +24,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // AccountUnblockPOSTHandler swagger:operation POST /api/v1/accounts/{id}/unblock accountUnblock @@ -67,9 +66,9 @@ import ( // '500': // description: internal server error func (m *Module) AccountUnblockPOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, true, true, true, true) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } 
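Review bot: The unblock.go hunk calls `apiutil.TokenAuth(c, true, true, true, true)` with no scope, while its counterpart in block.go requires `apiutil.ScopeWriteBlocks`; it is the only handler on this page that enforces no scope at all. If TokenAuth treats an empty scope list as "no scope required", as its variadic signature suggests, a token issued with only `read` could still remove a block, which is precisely the privilege boundary this commit sets out to enforce. Suggested change: `authed, errWithCode := apiutil.TokenAuth(c, true, true, true, true, apiutil.ScopeWriteBlocks)`, together with a test asserting that a read-only token is rejected by this endpoint. AccountUnblockPOSTHandler's body continues outside the hunk.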
diff --git a/internal/api/client/accounts/unfollow.go b/internal/api/client/accounts/unfollow.go index 9eb66aed3..1372a4ffc 100644 --- a/internal/api/client/accounts/unfollow.go +++ b/internal/api/client/accounts/unfollow.go @@ -24,7 +24,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // AccountUnfollowPOSTHandler swagger:operation POST /api/v1/accounts/{id}/unfollow accountUnfollow @@ -67,9 +66,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountUnfollowPOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteFollows, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/unmute.go b/internal/api/client/accounts/unmute.go index 665c3908e..0336e920f 100644 --- a/internal/api/client/accounts/unmute.go +++ b/internal/api/client/accounts/unmute.go @@ -24,7 +24,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // AccountUnmutePOSTHandler swagger:operation POST /api/v1/accounts/{id}/unmute accountUnmute 
@@ -69,9 +68,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountUnmutePOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteMutes, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/admin/accountaction.go b/internal/api/client/admin/accountaction.go index 64e6c39ca..74ff0851c 100644 --- a/internal/api/client/admin/accountaction.go +++ b/internal/api/client/admin/accountaction.go @@ -26,7 +26,6 @@ import ( apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // AccountActionPOSTHandler swagger:operation POST /api/v1/admin/accounts/{id}/action adminAccountAction @@ -64,7 +63,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:write:accounts // // responses: // '200': @@ -87,9 +86,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountActionPOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeAdminWriteAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/admin/accountapprove.go b/internal/api/client/admin/accountapprove.go index 7aaa48509..96a495924 100644 --- a/internal/api/client/admin/accountapprove.go 
+++ b/internal/api/client/admin/accountapprove.go @@ -24,7 +24,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // AccountApprovePOSTHandler swagger:operation POST /api/v1/admin/accounts/{id}/approve adminAccountApprove @@ -48,7 +47,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:write:accounts // // responses: // '200': @@ -68,9 +67,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountApprovePOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeAdminWriteAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/admin/accountget.go b/internal/api/client/admin/accountget.go index 3a656fecc..b73f58adb 100644 --- a/internal/api/client/admin/accountget.go +++ b/internal/api/client/admin/accountget.go @@ -24,7 +24,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // AccountGETHandler swagger:operation GET /api/v1/admin/accounts/{id} adminAccountGet @@ -48,7 +47,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:read:accounts // // responses: // '200': 
@@ -68,9 +67,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeAdminReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/admin/accountreject.go b/internal/api/client/admin/accountreject.go index a4653985d..fffdc5811 100644 --- a/internal/api/client/admin/accountreject.go +++ b/internal/api/client/admin/accountreject.go @@ -25,7 +25,6 @@ import ( apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // AccountRejectPOSTHandler swagger:operation POST /api/v1/admin/accounts/{id}/reject adminAccountReject @@ -70,7 +69,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:write:accounts // // responses: // '200': @@ -90,9 +89,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountRejectPOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeAdminWriteAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/admin/accountsgetv1.go b/internal/api/client/admin/accountsgetv1.go index f333492de..7d542b97c 100644 --- a/internal/api/client/admin/accountsgetv1.go 
+++ b/internal/api/client/admin/accountsgetv1.go @@ -148,7 +148,7 @@ // // security: // - OAuth2 Bearer: -// - admin +// - admin:read:accounts // // responses: // '200': @@ -182,14 +182,16 @@ import ( apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" "github.com/superseriousbusiness/gotosocial/internal/paging" ) func (m *Module) AccountsGETV1Handler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeAdminReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/admin/accountsgetv2.go b/internal/api/client/admin/accountsgetv2.go index 27024e7a2..8b6d4391d 100644 --- a/internal/api/client/admin/accountsgetv2.go +++ b/internal/api/client/admin/accountsgetv2.go @@ -121,7 +121,7 @@ // // security: // - OAuth2 Bearer: -// - admin +// - admin:read:accounts // // responses: // '200': 
@@ -155,14 +155,16 @@ import ( apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" "github.com/superseriousbusiness/gotosocial/internal/paging" ) func (m *Module) AccountsGETV2Handler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeAdminReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/admin/debug_off.go b/internal/api/client/admin/debug_off.go index a43326f02..667cf1be9 100644 --- a/internal/api/client/admin/debug_off.go +++ b/internal/api/client/admin/debug_off.go @@ -55,7 +55,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:write // // responses: // '200': @@ -89,7 +89,7 @@ func (m *Module) DebugAPUrlHandler(c *gin.Context) {} // // security: // - OAuth2 Bearer: -// - admin +// - admin:write // // responses: // '200': diff --git a/internal/api/client/admin/debug_on.go b/internal/api/client/admin/debug_on.go index ea42206f8..eb38e95e5 100644 --- a/internal/api/client/admin/debug_on.go +++ b/internal/api/client/admin/debug_on.go 
@@ -27,13 +27,15 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) func (m *Module) DebugAPUrlHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeAdminWrite, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } @@ -58,9 +60,12 @@ func (m *Module) DebugAPUrlHandler(c *gin.Context) { } func (m *Module) DebugClearCachesHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeAdminWrite, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/admin/domainallowcreate.go b/internal/api/client/admin/domainallowcreate.go index e8700f673..3e2baa053 100644 --- a/internal/api/client/admin/domainallowcreate.go +++ b/internal/api/client/admin/domainallowcreate.go @@ -93,7 +93,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:write:domain_allows // // responses: // '200': diff --git a/internal/api/client/admin/domainallowdelete.go b/internal/api/client/admin/domainallowdelete.go index 6237e403f..20f97fe6d 100644 --- a/internal/api/client/admin/domainallowdelete.go +++ b/internal/api/client/admin/domainallowdelete.go @@ -43,7 +43,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:write:domain_allows // // responses: // '200': 
diff --git a/internal/api/client/admin/domainallowget.go b/internal/api/client/admin/domainallowget.go index aa21743fa..6ed845235 100644 --- a/internal/api/client/admin/domainallowget.go +++ b/internal/api/client/admin/domainallowget.go @@ -43,7 +43,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:read:domain_allows // // responses: // '200': diff --git a/internal/api/client/admin/domainallowsget.go b/internal/api/client/admin/domainallowsget.go index 6391c7138..4790f1a2b 100644 --- a/internal/api/client/admin/domainallowsget.go +++ b/internal/api/client/admin/domainallowsget.go @@ -47,7 +47,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:read:domain_allows // // responses: // '200': diff --git a/internal/api/client/admin/domainblockcreate.go b/internal/api/client/admin/domainblockcreate.go index 5234561cf..1e98c6f6f 100644 --- a/internal/api/client/admin/domainblockcreate.go +++ b/internal/api/client/admin/domainblockcreate.go @@ -93,7 +93,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:write:domain_blocks // // responses: // '200': diff --git a/internal/api/client/admin/domainblockdelete.go b/internal/api/client/admin/domainblockdelete.go index a6f6619cd..e9b207505 100644 --- a/internal/api/client/admin/domainblockdelete.go +++ b/internal/api/client/admin/domainblockdelete.go @@ -43,7 +43,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:write:domain_blocks // // responses: // '200': diff --git a/internal/api/client/admin/domainblockget.go b/internal/api/client/admin/domainblockget.go index 9e8d29905..1d73962fa 100644 --- a/internal/api/client/admin/domainblockget.go +++ b/internal/api/client/admin/domainblockget.go @@ -43,7 +43,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:read:domain_blocks // // responses: // '200': 
diff --git a/internal/api/client/admin/domainblocksget.go b/internal/api/client/admin/domainblocksget.go index bdcc03469..383acbea5 100644 --- a/internal/api/client/admin/domainblocksget.go +++ b/internal/api/client/admin/domainblocksget.go @@ -47,7 +47,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:read:domain_blocks // // responses: // '200': diff --git a/internal/api/client/admin/domainkeysexpire.go b/internal/api/client/admin/domainkeysexpire.go index 0926519f5..262d196b4 100644 --- a/internal/api/client/admin/domainkeysexpire.go +++ b/internal/api/client/admin/domainkeysexpire.go @@ -28,7 +28,6 @@ import ( apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/config" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // DomainKeysExpirePOSTHandler swagger:operation POST /api/v1/admin/domain_keys_expire domainKeysExpire @@ -68,7 +67,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:write // // responses: // '202': @@ -95,9 +94,12 @@ import ( // '500': // description: internal server error func (m *Module) DomainKeysExpirePOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeAdminWrite, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/admin/domainpermission.go b/internal/api/client/admin/domainpermission.go index 5138be898..c64c90eb2 100644 --- a/internal/api/client/admin/domainpermission.go +++ b/internal/api/client/admin/domainpermission.go 
@@ -29,7 +29,6 @@ import (
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
 "github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 type singleDomainPermCreate func(
@@ -63,9 +62,20 @@ func (m *Module) createDomainPermissions(
 single singleDomainPermCreate,
 multi multiDomainPermCreate,
 ) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ // Scope differs based on permType.
+ var requireScope apiutil.Scope
+ if permType == gtsmodel.DomainPermissionBlock {
+ requireScope = apiutil.ScopeAdminWriteDomainBlocks
+ } else {
+ requireScope = apiutil.ScopeAdminWriteDomainAllows
+ }
+
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ requireScope,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
@@ -98,6 +108,7 @@ func (m *Module) createDomainPermissions(
 return
 }
+ var err error
 if importing && form.Domains.Size == 0 {
 err = errors.New("import was specified but list of domains is empty")
 } else if !importing && form.Domain == "" {
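Review bot: The scope-selection block added at the top of createDomainPermissions is repeated almost verbatim in deleteDomainPermission, getDomainPermission and getDomainPermissions (the hunks on the following two lines), differing only in read versus write. The `else` branch also maps every permType other than DomainPermissionBlock to the allows scope, so an unexpected value would be checked against the allows scope rather than being rejected; that is probably harmless if the type is two-valued, but a helper with a `switch` makes the mapping explicit and collapses the four call sites to one argument, e.g. `authed, errWithCode := apiutil.TokenAuth(c, true, true, true, true, domainPermScope(permType, true))` with `false` for the two getters. The enclosing functions start before each hunk, so only the auth preamble is shown here.
```go
// domainPermScope returns the admin scope a caller must hold to
// read (write == false) or write (write == true) domain permissions
// of the given type. Non-block types map to the allows scopes,
// matching the if/else this replaces.
func domainPermScope(permType gtsmodel.DomainPermissionType, write bool) apiutil.Scope {
	isBlock := permType == gtsmodel.DomainPermissionBlock
	switch {
	case isBlock && write:
		return apiutil.ScopeAdminWriteDomainBlocks
	case isBlock:
		return apiutil.ScopeAdminReadDomainBlocks
	case write:
		return apiutil.ScopeAdminWriteDomainAllows
	default:
		return apiutil.ScopeAdminReadDomainAllows
	}
}

// … unchanged: createDomainPermissions signature …
	authed, errWithCode := apiutil.TokenAuth(c,
		true, true, true, true,
		domainPermScope(permType, true),
	)
	// … unchanged: error handling and form parsing …
```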
@@ -171,9 +182,20 @@ func (m *Module) deleteDomainPermission( c *gin.Context, permType gtsmodel.DomainPermissionType, // block/allow ) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + // Scope differs based on permType. + var requireScope apiutil.Scope + if permType == gtsmodel.DomainPermissionBlock { + requireScope = apiutil.ScopeAdminWriteDomainBlocks + } else { + requireScope = apiutil.ScopeAdminWriteDomainAllows + } + + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + requireScope, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } @@ -218,9 +240,20 @@ func (m *Module) getDomainPermission( c *gin.Context, permType gtsmodel.DomainPermissionType, ) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + // Scope differs based on permType. + var requireScope apiutil.Scope + if permType == gtsmodel.DomainPermissionBlock { + requireScope = apiutil.ScopeAdminReadDomainBlocks + } else { + requireScope = apiutil.ScopeAdminReadDomainAllows + } + + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + requireScope, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } 
@@ -266,9 +299,20 @@ func (m *Module) getDomainPermissions( c *gin.Context, permType gtsmodel.DomainPermissionType, ) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + // Scope differs based on permType. + var requireScope apiutil.Scope + if permType == gtsmodel.DomainPermissionBlock { + requireScope = apiutil.ScopeAdminReadDomainBlocks + } else { + requireScope = apiutil.ScopeAdminReadDomainAllows + } + + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + requireScope, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/admin/domainpermissiondraftaccept.go b/internal/api/client/admin/domainpermissiondraftaccept.go index 5e484cbf3..345b4d1c3 100644 --- a/internal/api/client/admin/domainpermissiondraftaccept.go +++ b/internal/api/client/admin/domainpermissiondraftaccept.go @@ -24,7 +24,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // DomainPermissionDraftAcceptPOSTHandler swagger:operation POST /api/v1/admin/domain_permission_drafts/{id}/accept domainPermissionDraftAccept @@ -61,7 +60,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:write // // responses: // '200': 
@@ -81,9 +80,9 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) DomainPermissionDraftAcceptPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c, true, true, true, true)
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/domainpermissiondraftcreate.go b/internal/api/client/admin/domainpermissiondraftcreate.go
index ec94f947b..b8d3085e9 100644
--- a/internal/api/client/admin/domainpermissiondraftcreate.go
+++ b/internal/api/client/admin/domainpermissiondraftcreate.go
@@ -26,7 +26,6 @@ import (
 apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 // DomainPermissionDraftsPOSTHandler swagger:operation POST /api/v1/admin/domain_permission_drafts domainPermissionDraftCreate
@@ -79,7 +78,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
@@ -99,9 +98,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) DomainPermissionDraftsPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
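Review bot: DomainPermissionDraftAcceptPOSTHandler is the one admin handler in this commit whose TokenAuth call passes no required scope, while the security block for this operation (the earlier hunk of the same file) now declares `admin:write` and the sibling DomainPermissionDraftsPOSTHandler in this same line passes `apiutil.ScopeAdminWrite`. Because the call compiles both with and without a scope argument, the scope parameter is presumably variadic, and an empty scope list presumably means no scope check at all — in which case a token that belongs to an admin user but was issued without `admin:write` could still accept a draft, which is a state-changing admin action. Documentation and enforcement should agree: `authed, errWithCode := apiutil.TokenAuth(c, true, true, true, true, apiutil.ScopeAdminWrite)`. If TokenAuth instead rejects an empty scope list, the handler would fail for every caller, so the line needs attention either way. The handler body continues past the hunk.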
diff --git a/internal/api/client/admin/domainpermissiondraftget.go b/internal/api/client/admin/domainpermissiondraftget.go index aef3b094b..bff6254f7 100644 --- a/internal/api/client/admin/domainpermissiondraftget.go +++ b/internal/api/client/admin/domainpermissiondraftget.go @@ -24,7 +24,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // DomainPermissionDraftGETHandler swagger:operation GET /api/v1/admin/domain_permission_drafts/{id} domainPermissionDraftGet @@ -48,7 +47,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:read // // responses: // '200': @@ -66,9 +65,12 @@ import ( // '500': // description: internal server error func (m *Module) DomainPermissionDraftGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeAdminRead, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/admin/domainpermissiondraftremove.go b/internal/api/client/admin/domainpermissiondraftremove.go index 78169508c..6346331d1 100644 --- a/internal/api/client/admin/domainpermissiondraftremove.go +++ b/internal/api/client/admin/domainpermissiondraftremove.go @@ -24,7 +24,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // DomainPermissionDraftRemovePOSTHandler swagger:operation POST /api/v1/admin/domain_permission_drafts/{id}/remove domainPermissionDraftRemove 
@@ -61,7 +60,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:write // // responses: // '200': @@ -81,9 +80,12 @@ import ( // '500': // description: internal server error func (m *Module) DomainPermissionDraftRemovePOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeAdminWrite, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/admin/domainpermissiondraftsget.go b/internal/api/client/admin/domainpermissiondraftsget.go index 21ce5dc43..fa5e1ce6a 100644 --- a/internal/api/client/admin/domainpermissiondraftsget.go +++ b/internal/api/client/admin/domainpermissiondraftsget.go @@ -26,7 +26,6 @@ import ( apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" - "github.com/superseriousbusiness/gotosocial/internal/oauth" "github.com/superseriousbusiness/gotosocial/internal/paging" ) @@ -99,7 +98,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:read // // responses: // '200': @@ -125,9 +124,12 @@ import ( // '500': // description: internal server error func (m *Module) DomainPermissionDraftsGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeAdminRead, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } 
diff --git a/internal/api/client/admin/domainpermissionexcludecreate.go b/internal/api/client/admin/domainpermissionexcludecreate.go index dd0b3b493..9559ab5b2 100644 --- a/internal/api/client/admin/domainpermissionexcludecreate.go +++ b/internal/api/client/admin/domainpermissionexcludecreate.go @@ -25,7 +25,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // DomainPermissionExcludesPOSTHandler swagger:operation POST /api/v1/admin/domain_permission_excludes domainPermissionExcludeCreate @@ -62,7 +61,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:write // // responses: // '200': @@ -82,9 +81,12 @@ import ( // '500': // description: internal server error func (m *Module) DomainPermissionExcludesPOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeAdminWrite, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/admin/domainpermissionexcludeget.go b/internal/api/client/admin/domainpermissionexcludeget.go index ca110abd5..200f20021 100644 --- a/internal/api/client/admin/domainpermissionexcludeget.go +++ b/internal/api/client/admin/domainpermissionexcludeget.go @@ -24,7 +24,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // DomainPermissionExcludeGETHandler swagger:operation GET /api/v1/admin/domain_permission_excludes/{id} domainPermissionExcludeGet 
@@ -48,7 +47,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:read // // responses: // '200': @@ -66,9 +65,12 @@ import ( // '500': // description: internal server error func (m *Module) DomainPermissionExcludeGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeAdminRead, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/admin/domainpermissionexcluderemove.go b/internal/api/client/admin/domainpermissionexcluderemove.go index a167ae5a5..35a4bdd27 100644 --- a/internal/api/client/admin/domainpermissionexcluderemove.go +++ b/internal/api/client/admin/domainpermissionexcluderemove.go @@ -24,7 +24,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // DomainPermissionExcludeDELETEHandler swagger:operation DELETE /api/v1/admin/domain_permission_excludes/{id} domainPermissionExcludeDelete @@ -48,7 +47,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:write // // responses: // '200': @@ -68,9 +67,12 @@ import ( // '500': // description: internal server error func (m *Module) DomainPermissionExcludeDELETEHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeAdminWrite, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } 
diff --git a/internal/api/client/admin/domainpermissionexcludesget.go b/internal/api/client/admin/domainpermissionexcludesget.go index 71eedec52..59384079c 100644 --- a/internal/api/client/admin/domainpermissionexcludesget.go +++ b/internal/api/client/admin/domainpermissionexcludesget.go @@ -24,7 +24,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" "github.com/superseriousbusiness/gotosocial/internal/paging" ) @@ -87,7 +86,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:read // // responses: // '200': @@ -113,9 +112,12 @@ import ( // '500': // description: internal server error func (m *Module) DomainPermissionExcludesGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeAdminRead, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/admin/domainpermissionsubscriptioncreate.go b/internal/api/client/admin/domainpermissionsubscriptioncreate.go index dd0b43aca..b45ac8d72 100644 --- a/internal/api/client/admin/domainpermissionsubscriptioncreate.go +++ b/internal/api/client/admin/domainpermissionsubscriptioncreate.go @@ -27,7 +27,6 @@ import ( apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" "github.com/superseriousbusiness/gotosocial/internal/util" ) 
@@ -125,7 +124,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:write // // responses: // '200': @@ -145,9 +144,12 @@ import ( // '500': // description: internal server error func (m *Module) DomainPermissionSubscriptionPOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeAdminWrite, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/admin/domainpermissionsubscriptionget.go b/internal/api/client/admin/domainpermissionsubscriptionget.go index 841e37f24..59498beea 100644 --- a/internal/api/client/admin/domainpermissionsubscriptionget.go +++ b/internal/api/client/admin/domainpermissionsubscriptionget.go @@ -24,7 +24,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // DomainPermissionSubscriptionGETHandler swagger:operation GET /api/v1/admin/domain_permission_subscriptions/{id} domainPermissionSubscriptionGet @@ -48,7 +47,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:read // // responses: // '200': 
@@ -66,9 +65,12 @@ import ( // '500': // description: internal server error func (m *Module) DomainPermissionSubscriptionGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeAdminRead, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/admin/domainpermissionsubscriptionremove.go b/internal/api/client/admin/domainpermissionsubscriptionremove.go index 97f226a31..c659a7559 100644 --- a/internal/api/client/admin/domainpermissionsubscriptionremove.go +++ b/internal/api/client/admin/domainpermissionsubscriptionremove.go @@ -24,7 +24,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" "github.com/superseriousbusiness/gotosocial/internal/util" ) @@ -68,7 +67,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:write // // responses: // '200': @@ -88,9 +87,12 @@ import ( // '500': // description: internal server error func (m *Module) DomainPermissionSubscriptionRemovePOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeAdminWrite, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/admin/domainpermissionsubscriptionsget.go b/internal/api/client/admin/domainpermissionsubscriptionsget.go index 477013ec9..b3509a139 100644 
--- a/internal/api/client/admin/domainpermissionsubscriptionsget.go +++ b/internal/api/client/admin/domainpermissionsubscriptionsget.go @@ -26,7 +26,6 @@ import ( apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" - "github.com/superseriousbusiness/gotosocial/internal/oauth" "github.com/superseriousbusiness/gotosocial/internal/paging" ) @@ -89,7 +88,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:read // // responses: // '200': @@ -115,9 +114,12 @@ import ( // '500': // description: internal server error func (m *Module) DomainPermissionSubscriptionsGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeAdminRead, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/admin/domainpermissionsubscriptionspreviewget.go b/internal/api/client/admin/domainpermissionsubscriptionspreviewget.go index dc46c159b..d942e9612 100644 --- a/internal/api/client/admin/domainpermissionsubscriptionspreviewget.go +++ b/internal/api/client/admin/domainpermissionsubscriptionspreviewget.go @@ -26,7 +26,6 @@ import ( apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // DomainPermissionSubscriptionsPreviewGETHandler swagger:operation GET /api/v1/admin/domain_permission_subscriptions/preview domainPermissionSubscriptionsPreviewGet 
@@ -52,7 +51,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:read // // responses: // '200': @@ -74,9 +73,12 @@ import ( // '500': // description: internal server error func (m *Module) DomainPermissionSubscriptionsPreviewGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeAdminRead, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/admin/domainpermissionsubscriptiontest.go b/internal/api/client/admin/domainpermissionsubscriptiontest.go index 395a1a69c..573f1ca01 100644 --- a/internal/api/client/admin/domainpermissionsubscriptiontest.go +++ b/internal/api/client/admin/domainpermissionsubscriptiontest.go @@ -24,7 +24,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // DomainPermissionSubscriptionTestPOSTHandler swagger:operation POST /api/v1/admin/domain_permission_subscriptions/{id}/test domainPermissionSubscriptionTest @@ -52,7 +51,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:write // // responses: // '200': 
@@ -76,9 +75,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) DomainPermissionSubscriptionTestPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/admin/domainpermissionsubscriptionupdate.go b/internal/api/client/admin/domainpermissionsubscriptionupdate.go
index de73c4d3e..0f6309c19 100644
--- a/internal/api/client/admin/domainpermissionsubscriptionupdate.go
+++ b/internal/api/client/admin/domainpermissionsubscriptionupdate.go
@@ -28,7 +28,6 @@ import (
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
 "github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 "github.com/superseriousbusiness/gotosocial/internal/util"
 )
 
@@ -121,7 +120,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
@@ -141,9 +140,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) DomainPermissionSubscriptionPATCHHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/admin/emailtest.go b/internal/api/client/admin/emailtest.go
index 9b214a926..37a5e31d3 100644
--- a/internal/api/client/admin/emailtest.go
+++ b/internal/api/client/admin/emailtest.go
@@ -26,7 +26,6 @@ import (
 apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // EmailTestPostHandler swagger:operation POST /api/v1/admin/email/test testEmailSend
@@ -63,7 +62,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '202':
@@ -87,9 +86,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) EmailTestPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
@@ -121,7 +123,7 @@ func (m *Module) EmailTestPOSTHandler(c *gin.Context) {
 return
 }
 
- errWithCode := m.processor.Admin().EmailTest(
+ errWithCode = m.processor.Admin().EmailTest(
 c.Request.Context(),
 authed.Account,
 email.Address,
diff --git a/internal/api/client/admin/emojicategoriesget.go b/internal/api/client/admin/emojicategoriesget.go
index 51eb8fee4..e678cea86 100644
--- a/internal/api/client/admin/emojicategoriesget.go
+++ b/internal/api/client/admin/emojicategoriesget.go
@@ -24,7 +24,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // EmojiCategoriesGETHandler swagger:operation GET /api/v1/admin/custom_emojis/categories emojiCategoriesGet
@@ -38,6 +37,10 @@ import (
 // produces:
 // - application/json
 //
+// security:
+// - OAuth2 Bearer:
+// - admin:read
+//
 // responses:
 // '200':
 // description: Array of existing emoji categories.
@@ -58,9 +61,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) EmojiCategoriesGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/admin/emojicreate.go b/internal/api/client/admin/emojicreate.go
index 07fa4d4a8..445c56605 100644
--- a/internal/api/client/admin/emojicreate.go
+++ b/internal/api/client/admin/emojicreate.go
@@ -27,7 +27,6 @@ import (
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/config"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 "github.com/superseriousbusiness/gotosocial/internal/validate"
 )
 
@@ -76,7 +75,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
@@ -98,9 +97,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) EmojiCreatePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/admin/emojidelete.go b/internal/api/client/admin/emojidelete.go
index 9f9f9d286..05d94f25d 100644
--- a/internal/api/client/admin/emojidelete.go
+++ b/internal/api/client/admin/emojidelete.go
@@ -24,7 +24,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // EmojiDELETEHandler swagger:operation DELETE /api/v1/admin/custom_emojis/{id} emojiDelete
@@ -54,7 +53,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
@@ -74,9 +73,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) EmojiDELETEHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/admin/emojiget.go b/internal/api/client/admin/emojiget.go
index 7ecbcfa19..41bea00f8 100644
--- a/internal/api/client/admin/emojiget.go
+++ b/internal/api/client/admin/emojiget.go
@@ -24,7 +24,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // EmojiGETHandler swagger:operation GET /api/v1/admin/custom_emojis/{id} emojiGet
@@ -46,6 +45,10 @@ import (
 // in: path
 // required: true
 //
+// security:
+// - OAuth2 Bearer:
+// - admin:read
+//
 // responses:
 // '200':
 // description: A single emoji.
@@ -64,9 +67,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) EmojiGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/admin/emojisget.go b/internal/api/client/admin/emojisget.go
index d50b553ac..c1d05af07 100644
--- a/internal/api/client/admin/emojisget.go
+++ b/internal/api/client/admin/emojisget.go
@@ -27,7 +27,6 @@ import (
 "github.com/superseriousbusiness/gotosocial/internal/config"
 "github.com/superseriousbusiness/gotosocial/internal/db"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // EmojisGETHandler swagger:operation GET /api/v1/admin/custom_emojis emojisGet
@@ -99,6 +98,10 @@ import (
 // Emoji with the given `[shortcode]@[domain]` will not be included in the result set.
 // in: query
 //
+// security:
+// - OAuth2 Bearer:
+// - admin:read
+//
 // responses:
 // '200':
 // headers:
@@ -123,9 +126,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) EmojisGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/admin/emojiupdate.go b/internal/api/client/admin/emojiupdate.go
index b8ac101c0..07337eaa9 100644
--- a/internal/api/client/admin/emojiupdate.go
+++ b/internal/api/client/admin/emojiupdate.go
@@ -28,7 +28,6 @@ import (
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/config"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 "github.com/superseriousbusiness/gotosocial/internal/validate"
 )
 
@@ -105,7 +104,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
@@ -125,9 +124,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) EmojiPATCHHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/admin/headerfilter.go b/internal/api/client/admin/headerfilter.go
index d3dad5917..b101e98f6 100644
--- a/internal/api/client/admin/headerfilter.go
+++ b/internal/api/client/admin/headerfilter.go
@@ -27,14 +27,15 @@ import (
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
 "github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // getHeaderFilter is a gin handler function that returns details of an HTTP header filter with provided ID, using given get function.
 func (m *Module) getHeaderFilter(c *gin.Context, get func(context.Context, string) (*apimodel.HeaderFilter, gtserror.WithCode)) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- errWithCode := gtserror.NewErrorUnauthorized(err, err.Error())
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
 apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
@@ -69,9 +70,11 @@ func (m *Module) getHeaderFilter(c *gin.Context, get func(context.Context, strin
 
 // getHeaderFilters is a gin handler function that returns details of all HTTP header filters using given get function.
 func (m *Module) getHeaderFilters(c *gin.Context, get func(context.Context) ([]*apimodel.HeaderFilter, gtserror.WithCode)) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- errWithCode := gtserror.NewErrorUnauthorized(err, err.Error())
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
 apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
@@ -100,9 +103,11 @@ func (m *Module) getHeaderFilters(c *gin.Context, get func(context.Context) ([]*
 
 // createHeaderFilter is a gin handler function that creates a HTTP header filter entry using provided form data, passing to given create function.
 func (m *Module) createHeaderFilter(c *gin.Context, create func(context.Context, *gtsmodel.Account, *apimodel.HeaderFilterRequest) (*apimodel.HeaderFilter, gtserror.WithCode)) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- errWithCode := gtserror.NewErrorUnauthorized(err, err.Error())
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
 apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
@@ -148,9 +153,11 @@ func (m *Module) createHeaderFilter(c *gin.Context, create func(context.Context,
 
 // deleteHeaderFilter is a gin handler function that deletes an HTTP header filter with provided ID, using given delete function.
 func (m *Module) deleteHeaderFilter(c *gin.Context, delete func(context.Context, string) gtserror.WithCode) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- errWithCode := gtserror.NewErrorUnauthorized(err, err.Error())
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
 apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/headerfilter_create.go b/internal/api/client/admin/headerfilter_create.go
index d74dc5e15..a5b5e5309 100644
--- a/internal/api/client/admin/headerfilter_create.go
+++ b/internal/api/client/admin/headerfilter_create.go
@@ -42,7 +42,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
@@ -82,7 +82,7 @@ func (m *Module) HeaderFilterAllowPOST(c *gin.Context) {
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
diff --git a/internal/api/client/admin/headerfilter_delete.go b/internal/api/client/admin/headerfilter_delete.go
index 58b1c585e..400c5c4e3 100644
--- a/internal/api/client/admin/headerfilter_delete.go
+++ b/internal/api/client/admin/headerfilter_delete.go
@@ -39,7 +39,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '202':
@@ -76,7 +76,7 @@ func (m *Module) HeaderFilterAllowDELETE(c *gin.Context) {
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '202':
diff --git a/internal/api/client/admin/headerfilter_get.go b/internal/api/client/admin/headerfilter_get.go
index 5bca6d18d..cd00fe24c 100644
--- a/internal/api/client/admin/headerfilter_get.go
+++ b/internal/api/client/admin/headerfilter_get.go
@@ -37,7 +37,7 @@ import "github.com/gin-gonic/gin"
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:read
 //
 // responses:
 // '200':
@@ -76,7 +76,7 @@ func (m *Module) HeaderFilterAllowGET(c *gin.Context) {
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:read
 //
 // responses:
 // '200':
diff --git a/internal/api/client/admin/mediacleanup.go b/internal/api/client/admin/mediacleanup.go
index 661a8ff15..2554f8508 100644
--- a/internal/api/client/admin/mediacleanup.go
+++ b/internal/api/client/admin/mediacleanup.go
@@ -26,7 +26,6 @@ import (
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/config"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // MediaCleanupPOSTHandler swagger:operation POST /api/v1/admin/media_cleanup mediaCleanup
@@ -49,7 +48,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
@@ -69,9 +68,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) MediaCleanupPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/admin/mediarefetch.go b/internal/api/client/admin/mediarefetch.go
index b2b0516ba..47301460f 100644
--- a/internal/api/client/admin/mediarefetch.go
+++ b/internal/api/client/admin/mediarefetch.go
@@ -24,7 +24,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // MediaRefetchPOSTHandler swagger:operation POST /api/v1/admin/media_refetch mediaRefetch
@@ -42,7 +41,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // parameters:
 // -
@@ -71,9 +70,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) MediaRefetchPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/admin/reportget.go b/internal/api/client/admin/reportget.go
index f2acd214c..163043627 100644
--- a/internal/api/client/admin/reportget.go
+++ b/internal/api/client/admin/reportget.go
@@ -24,7 +24,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // ReportGETHandler swagger:operation GET /api/v1/admin/reports/{id} adminReportGet
@@ -48,7 +47,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:read:reports
 //
 // responses:
 // '200':
@@ -67,9 +66,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ReportGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminReadReports,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/admin/reportresolve.go b/internal/api/client/admin/reportresolve.go
index f17ae24be..2b9be3721 100644
--- a/internal/api/client/admin/reportresolve.go
+++ b/internal/api/client/admin/reportresolve.go
@@ -25,7 +25,6 @@ import (
 apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // ReportResolvePOSTHandler swagger:operation POST /api/v1/admin/reports/{id}/resolve adminReportResolve
@@ -65,7 +64,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write:reports
 //
 // responses:
 // '200':
@@ -84,9 +83,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ReportResolvePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWriteReports,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/admin/reportsget.go b/internal/api/client/admin/reportsget.go
index 893960e2a..64a144767 100644
--- a/internal/api/client/admin/reportsget.go
+++ b/internal/api/client/admin/reportsget.go
@@ -24,7 +24,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 "github.com/superseriousbusiness/gotosocial/internal/paging"
 )
 
@@ -100,7 +99,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:read:reports
 //
 // responses:
 // '200':
@@ -125,9 +124,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ReportsGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminReadReports,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/admin/reportsget_test.go b/internal/api/client/admin/reportsget_test.go
index 3af187ad2..8639e0c6e 100644
--- a/internal/api/client/admin/reportsget_test.go
+++ b/internal/api/client/admin/reportsget_test.go
@@ -1149,7 +1149,7 @@ func (suite *ReportsGetTestSuite) TestReportsGetNotAdmin() {
 testToken := suite.testTokens["local_account_1"]
 testUser := suite.testUsers["local_account_1"]
 
- reports, _, err := suite.getReports(testAccount, testToken, testUser, http.StatusForbidden, `{"error":"Forbidden: user 01F8MGVGPHQ2D3P3X0454H54Z5 not an admin"}`, nil, "", "", "", "", "", 20)
+ reports, _, err := suite.getReports(testAccount, testToken, testUser, http.StatusForbidden, `{"error":"Forbidden: token has insufficient scope permission"}`, nil, "", "", "", "", "", 20)
 suite.NoError(err)
 suite.Empty(reports)
 }
diff --git a/internal/api/client/admin/rulecreate.go b/internal/api/client/admin/rulecreate.go
index 8728940c5..9e4be1da3 100644
--- a/internal/api/client/admin/rulecreate.go
+++ b/internal/api/client/admin/rulecreate.go
@@ -26,7 +26,6 @@ import (
 apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // RulePOSTHandler swagger:operation POST /api/v1/admin/instance/rules ruleCreate
@@ -45,7 +44,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
@@ -65,9 +64,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) RulePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/admin/ruledelete.go b/internal/api/client/admin/ruledelete.go
index 7e8fc0037..c2797aa8d 100644
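Review bot: TestReportsGetNotAdmin now only proves that local_account_1's token is refused for lacking scope; with the expected body changed to `token has insufficient scope permission`, the `not an admin` refusal the old assertion covered is no longer exercised by anything in this hunk. Presumably that role check still runs (inside TokenAuth or later in ReportsGETHandler, both outside this hunk), but the case that would demonstrate it is a non-admin user holding a token that does carry `admin:read:reports`, and no such case is added. A second call such as `suite.getReports(testAccount, adminScopedNonAdminToken, testUser, http.StatusForbidden, <not-an-admin body>, nil, "", "", "", "", "", 20)` (token fixture to be added) would pin both layers, so that a future refactor cannot drop the role check while this test stays green. If TokenAuth does not already do so, the scope-miss 403 is also the place to emit `WWW-Authenticate: Bearer error="insufficient_scope"` (RFC 6750 §3.1) so clients can distinguish the two refusals without parsing the error string.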
--- a/internal/api/client/admin/ruledelete.go
+++ b/internal/api/client/admin/ruledelete.go
@@ -24,7 +24,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // RuleDELETEHandler swagger:operation DELETE /api/v1/admin/instance/rules/{id} ruleDelete
@@ -52,7 +51,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
@@ -72,9 +71,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) RuleDELETEHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/admin/ruleget.go b/internal/api/client/admin/ruleget.go
index da76232eb..ce627a0d7 100644
--- a/internal/api/client/admin/ruleget.go
+++ b/internal/api/client/admin/ruleget.go
@@ -24,7 +24,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // RuleGETHandler swagger:operation GET /api/v1/admin/instance/rules/{id} adminRuleGet
@@ -48,7 +47,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:read
 //
 // responses:
 // '200':
@@ -67,9 +66,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) RuleGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/admin/rulesget.go b/internal/api/client/admin/rulesget.go
index b22ab1a8a..bc4961c6a 100644
--- a/internal/api/client/admin/rulesget.go
+++ b/internal/api/client/admin/rulesget.go
@@ -24,7 +24,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // RulesGETHandler swagger:operation GET /api/v1/admin/instance/rules adminsRuleGet
@@ -44,7 +43,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:read
 //
 // responses:
 // '200':
@@ -64,9 +63,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) RulesGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/admin/ruleupdate.go b/internal/api/client/admin/ruleupdate.go
index d58c30d94..db8b610e0 100644
--- a/internal/api/client/admin/ruleupdate.go
+++ b/internal/api/client/admin/ruleupdate.go
@@ -25,7 +25,6 @@ import (
 apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // RulePATCHHandler swagger:operation PATCH /api/v1/admin/instance/rules/{id} ruleUpdate
@@ -44,7 +43,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
@@ -64,9 +63,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) RulePATCHHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/announcements/announcementsget.go b/internal/api/client/announcements/announcementsget.go
index 04bd5f285..92353a4e7 100644
--- a/internal/api/client/announcements/announcementsget.go
+++ b/internal/api/client/announcements/announcementsget.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // AnnouncementsGETHandler swagger:operation GET /api/v1/announcements announcementsGet
@@ -40,8 +39,7 @@ import (
 // - application/json
 //
 // security:
-// - OAuth2 Bearer:
-// - read:announcements
+// - OAuth2 Bearer: []
 //
 // responses:
 // '200':
@@ -59,9 +57,11 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) AnnouncementsGETHandler(c *gin.Context) {
- _, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ _, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/apps/appcreate.go b/internal/api/client/apps/appcreate.go
index 8aa87c3b3..6a8208a20 100644
--- a/internal/api/client/apps/appcreate.go
+++ b/internal/api/client/apps/appcreate.go
@@ -25,7 +25,6 @@ import (
 apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // these consts are used to ensure users can't spam huge entries into our database
@@ -74,9 +73,11 @@ const (
 // '500':
 // description: internal server error
 func (m *Module) AppsPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, false, false, false, false)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ false, false, false, false,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/blocks/blocksget.go b/internal/api/client/blocks/blocksget.go
index fe5104c61..0d9a2234e 100644
--- a/internal/api/client/blocks/blocksget.go
+++ b/internal/api/client/blocks/blocksget.go
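Review bot: AnnouncementsGETHandler now calls apiutil.TokenAuth with no scope argument, while the swagger block on the preceding line replaces `read:announcements` with `OAuth2 Bearer: []`, so any token that passes the four boolean checks can read announcements whatever scopes it was granted. That is a deliberate loosening relative to the scope the documentation used to name, and nothing in the hunk records why; a one-line comment above the call such as `// No scope required: any authenticated token may read announcements.` would keep the next reader from "fixing" it by adding one. If enforcing a read scope was the intent instead, the call is simply missing its last argument. The handler body continues past the end of the hunk.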
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 "github.com/superseriousbusiness/gotosocial/internal/paging"
 )
 
@@ -107,9 +106,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) BlocksGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadBlocks,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/bookmarks/bookmarksget.go b/internal/api/client/bookmarks/bookmarksget.go
index e6489c405..6fa87c688 100644
--- a/internal/api/client/bookmarks/bookmarksget.go
+++ b/internal/api/client/bookmarks/bookmarksget.go
@@ -25,7 +25,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 const (
@@ -93,9 +92,12 @@ const (
 // '500':
 // description: internal server error
 func (m *Module) BookmarksGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadBookmarks,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/conversations/conversationdelete.go b/internal/api/client/conversations/conversationdelete.go
index 6f8f43a94..dabb2bfc8 100644
--- a/internal/api/client/conversations/conversationdelete.go
+++ b/internal/api/client/conversations/conversationdelete.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // ConversationDELETEHandler swagger:operation DELETE /api/v1/conversations/{id} conversationDelete
@@ -66,9 +65,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ConversationDELETEHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteConversations,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/conversations/conversationread.go b/internal/api/client/conversations/conversationread.go
index 7f68a2a33..e168cca2e 100644
--- a/internal/api/client/conversations/conversationread.go
+++ b/internal/api/client/conversations/conversationread.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // ConversationReadPOSTHandler swagger:operation POST /api/v1/conversation/{id}/read conversationRead
@@ -68,9 +67,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ConversationReadPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteConversations,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/conversations/conversationsget.go b/internal/api/client/conversations/conversationsget.go
index 663b9a707..8cd70cd00 100644
--- a/internal/api/client/conversations/conversationsget.go
+++ b/internal/api/client/conversations/conversationsget.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 "github.com/superseriousbusiness/gotosocial/internal/paging"
 )
 
@@ -107,9 +106,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ConversationsGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadStatuses,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/customemojis/customemojisget.go b/internal/api/client/customemojis/customemojisget.go
index be595afd7..7c9b88b4c 100644
--- a/internal/api/client/customemojis/customemojisget.go
+++ b/internal/api/client/customemojis/customemojisget.go
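Review bot: ConversationsGETHandler gates the conversation list on `apiutil.ScopeReadStatuses`, while the two sibling handlers in this patch (ConversationDELETEHandler and ConversationReadPOSTHandler) use the conversation-specific `apiutil.ScopeWriteConversations`; a reader will expect a matching read:conversations scope here and may treat the statuses scope as a copy-paste slip. This presumably mirrors the upstream Mastodon mapping, where listing conversations is covered by read:statuses and there is no read:conversations scope, but the reason belongs at the call site. Suggest a comment on the scope line, e.g. `apiutil.ScopeReadStatuses, // no read:conversations scope exists; listing conversations falls under read:statuses`. The handler body continues past the end of this hunk.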
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // CustomEmojisGETHandler swagger:operation GET /api/v1/custom_emojis customEmojisGet
@@ -38,8 +37,7 @@ import (
 // - application/json
 //
 // security:
-// - OAuth2 Bearer:
-// - read:custom_emojis
+// - OAuth2 Bearer: []
 //
 // responses:
 // '200':
@@ -55,8 +53,11 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) CustomEmojisGETHandler(c *gin.Context) {
- if _, err := oauth.Authed(c, true, true, true, true); err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ _, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/exports/blocks.go b/internal/api/client/exports/blocks.go
index c31e2b0b4..bc8c2a6b3 100644
--- a/internal/api/client/exports/blocks.go
+++ b/internal/api/client/exports/blocks.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // ExportBlocksGETHandler swagger:operation GET /api/v1/exports/blocks.csv exportBlocks
@@ -52,9 +51,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ExportBlocksGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadBlocks,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/exports/followers.go b/internal/api/client/exports/followers.go
index ceef94659..ad6306de0 100644
--- a/internal/api/client/exports/followers.go
+++ b/internal/api/client/exports/followers.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // ExportFollowersGETHandler swagger:operation GET /api/v1/exports/followers.csv exportFollowers
@@ -39,7 +38,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - read:follows
+// - read:accounts
 //
 // responses:
 // '200':
@@ -52,9 +51,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ExportFollowersGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/exports/following.go b/internal/api/client/exports/following.go
index e61cafc2a..b95492dfa 100644
--- a/internal/api/client/exports/following.go
+++ b/internal/api/client/exports/following.go
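Review bot: ExportFollowersGETHandler now requires `apiutil.ScopeReadAccounts` (and the swagger annotation in the hunk above was changed from read:follows to read:accounts to match), while ExportFollowingGETHandler in the next file of this patch requires `apiutil.ScopeReadFollows`; the two CSV exports cover the same relationship class, so a token granted only read:follows can export who the user follows but not who follows them, and a read:accounts-only token gets the opposite. If that split is intentional (e.g. to match upstream scope semantics for the followers list) it should be stated at the call site, e.g. `apiutil.ScopeReadAccounts, // followers list is account data, not follow data; see ExportFollowingGETHandler`; otherwise the two handlers should share one scope. The swagger annotation for the following export is not in this hunk, so I cannot confirm it agrees with the code. The handler body continues past the end of this hunk.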
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // ExportFollowingGETHandler swagger:operation GET /api/v1/exports/following.csv exportFollowing
@@ -52,9 +51,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ExportFollowingGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFollows,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/exports/lists.go b/internal/api/client/exports/lists.go
index 2debcc701..385df5501 100644
--- a/internal/api/client/exports/lists.go
+++ b/internal/api/client/exports/lists.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // ExportListsGETHandler swagger:operation GET /api/v1/exports/lists.csv exportLists
@@ -52,9 +51,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ExportListsGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/exports/mutes.go b/internal/api/client/exports/mutes.go
index ab49b7719..6b9d699c9 100644
--- a/internal/api/client/exports/mutes.go
+++ b/internal/api/client/exports/mutes.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // ExportMutesGETHandler swagger:operation GET /api/v1/exports/mutes.csv exportMutes
@@ -52,9 +51,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ExportMutesGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadMutes,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/exports/stats.go b/internal/api/client/exports/stats.go
index 9e3f1b600..783826bb3 100644
--- a/internal/api/client/exports/stats.go
+++ b/internal/api/client/exports/stats.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // ExportStatsGETHandler swagger:operation GET /api/v1/exports/stats exportStats
@@ -39,7 +38,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - read:account
+// - read:accounts
 //
 // responses:
 // '200':
@@ -53,9 +52,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ExportStatsGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/favourites/favouritesget.go b/internal/api/client/favourites/favouritesget.go
index 3ba2f9fcf..5396bc155 100644
--- a/internal/api/client/favourites/favouritesget.go
+++ b/internal/api/client/favourites/favouritesget.go
@@ -25,7 +25,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // FavouritesGETHandler swagger:operation GET /api/v1/favourites favouritesGet
@@ -93,9 +92,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FavouritesGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFavourites,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/featuredtags/get.go b/internal/api/client/featuredtags/get.go
index de47f7ee2..cab6b19a3 100644
--- a/internal/api/client/featuredtags/get.go
+++ b/internal/api/client/featuredtags/get.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // FeaturedTagsGETHandler swagger:operation GET /api/v1/featured_tags getFeaturedTags
@@ -60,9 +59,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FeaturedTagsGETHandler(c *gin.Context) {
- _, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ _, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/filters/v1/filterdelete.go b/internal/api/client/filters/v1/filterdelete.go
index 267dd16d0..e28221ca6 100644
--- a/internal/api/client/filters/v1/filterdelete.go
+++ b/internal/api/client/filters/v1/filterdelete.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // FilterDELETEHandler swagger:operation DELETE /api/v1/filters/{id} filterV1Delete
@@ -63,9 +62,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterDELETEHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/filters/v1/filterget.go b/internal/api/client/filters/v1/filterget.go
index 35c44b60c..4af3dab16 100644
--- a/internal/api/client/filters/v1/filterget.go
+++ b/internal/api/client/filters/v1/filterget.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // FilterGETHandler swagger:operation GET /api/v1/filters/{id} filterV1Get
@@ -66,9 +65,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/filters/v1/filterpost.go b/internal/api/client/filters/v1/filterpost.go
index a58f2273d..fb53b8e9b 100644
--- a/internal/api/client/filters/v1/filterpost.go
+++ b/internal/api/client/filters/v1/filterpost.go
@@ -24,7 +24,6 @@ import (
 apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // FilterPOSTHandler swagger:operation POST /api/v1/filters filterV1Post
@@ -130,9 +129,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/filters/v1/filterput.go b/internal/api/client/filters/v1/filterput.go
index edaf8104d..051fa1f63 100644
--- a/internal/api/client/filters/v1/filterput.go
+++ b/internal/api/client/filters/v1/filterput.go
@@ -24,7 +24,6 @@ import (
 apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // FilterPUTHandler swagger:operation PUT /api/v1/filters/{id} filterV1Put
@@ -136,9 +135,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterPUTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/filters/v1/filtersget.go b/internal/api/client/filters/v1/filtersget.go
index f1e07a2da..d65776331 100644
--- a/internal/api/client/filters/v1/filtersget.go
+++ b/internal/api/client/filters/v1/filtersget.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // FiltersGETHandler swagger:operation GET /api/v1/filters filtersV1Get
@@ -60,9 +59,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FiltersGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/filters/v2/filterdelete.go b/internal/api/client/filters/v2/filterdelete.go
index 7292fd631..2fd411e98 100644
--- a/internal/api/client/filters/v2/filterdelete.go
+++ b/internal/api/client/filters/v2/filterdelete.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // FilterDELETEHandler swagger:operation DELETE /api/v2/filters/{id} filterV2Delete
@@ -63,9 +62,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterDELETEHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/filters/v2/filterget.go b/internal/api/client/filters/v2/filterget.go
index a3481e0e0..eed65f39a 100644
--- a/internal/api/client/filters/v2/filterget.go
+++ b/internal/api/client/filters/v2/filterget.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // FilterGETHandler swagger:operation GET /api/v2/filters/{id} filterV2Get
@@ -66,9 +65,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/filters/v2/filterkeyworddelete.go b/internal/api/client/filters/v2/filterkeyworddelete.go
index e9ba2b4c5..4dc8b5973 100644
--- a/internal/api/client/filters/v2/filterkeyworddelete.go
+++ b/internal/api/client/filters/v2/filterkeyworddelete.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // FilterKeywordDELETEHandler swagger:operation DELETE /api/v2/filters/keywords/{id} filterKeywordDelete
@@ -63,9 +62,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterKeywordDELETEHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/filters/v2/filterkeywordget.go b/internal/api/client/filters/v2/filterkeywordget.go
index 2df6fd10a..f298d1af0 100644
--- a/internal/api/client/filters/v2/filterkeywordget.go
+++ b/internal/api/client/filters/v2/filterkeywordget.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // FilterKeywordGETHandler swagger:operation GET /api/v2/filters/keywords/{id} filterKeywordGet
@@ -66,9 +65,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterKeywordGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/filters/v2/filterkeywordpost.go b/internal/api/client/filters/v2/filterkeywordpost.go
index ba8f80135..f7ccc1a80 100644
--- a/internal/api/client/filters/v2/filterkeywordpost.go
+++ b/internal/api/client/filters/v2/filterkeywordpost.go
@@ -24,7 +24,6 @@ import (
 apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 "github.com/superseriousbusiness/gotosocial/internal/util"
 "github.com/superseriousbusiness/gotosocial/internal/validate"
 )
@@ -100,9 +99,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterKeywordPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/filters/v2/filterkeywordput.go b/internal/api/client/filters/v2/filterkeywordput.go
index 44667660f..5f9fa3c9e 100644
--- a/internal/api/client/filters/v2/filterkeywordput.go
+++ b/internal/api/client/filters/v2/filterkeywordput.go
@@ -24,7 +24,6 @@ import (
 apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // FilterKeywordPUTHandler swagger:operation PUT /api/v2/filters/keywords{id} filterKeywordPut
@@ -97,9 +96,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterKeywordPUTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/filters/v2/filterkeywordsget.go b/internal/api/client/filters/v2/filterkeywordsget.go
index 3414c5d8c..2fa3140a9 100644
--- a/internal/api/client/filters/v2/filterkeywordsget.go
+++ b/internal/api/client/filters/v2/filterkeywordsget.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // FilterKeywordsGETHandler swagger:operation GET /api/v2/filters/{id}/keywords filterKeywordsGet
@@ -68,9 +67,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterKeywordsGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/filters/v2/filterpost.go b/internal/api/client/filters/v2/filterpost.go
index 5e87df617..b35938692 100644
--- a/internal/api/client/filters/v2/filterpost.go
+++ b/internal/api/client/filters/v2/filterpost.go
@@ -24,7 +24,6 @@ import (
 apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 "github.com/superseriousbusiness/gotosocial/internal/util"
 "github.com/superseriousbusiness/gotosocial/internal/validate"
 )
@@ -150,9 +149,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/filters/v2/filterput.go b/internal/api/client/filters/v2/filterput.go
index 58d3f4a22..b4b14e6c3 100644
--- a/internal/api/client/filters/v2/filterput.go
+++ b/internal/api/client/filters/v2/filterput.go
@@ -25,7 +25,6 @@ import (
 apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 "github.com/superseriousbusiness/gotosocial/internal/util"
 "github.com/superseriousbusiness/gotosocial/internal/validate"
 )
@@ -158,9 +157,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterPUTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/filters/v2/filtersget.go b/internal/api/client/filters/v2/filtersget.go
index 511a62d36..f304ffea5 100644
--- a/internal/api/client/filters/v2/filtersget.go
+++ b/internal/api/client/filters/v2/filtersget.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // FiltersGETHandler swagger:operation GET /api/v2/filters filtersV2Get
@@ -60,9 +59,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FiltersGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/filters/v2/filterstatusdelete.go b/internal/api/client/filters/v2/filterstatusdelete.go
index 5a03b9a7c..2adc48190 100644
--- a/internal/api/client/filters/v2/filterstatusdelete.go
+++ b/internal/api/client/filters/v2/filterstatusdelete.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 // FilterStatusDELETEHandler swagger:operation DELETE /api/v2/filters/statuses/{id} filterStatusDelete
@@ -63,9 +62,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterStatusDELETEHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/filters/v2/filterstatusesget.go b/internal/api/client/filters/v2/filterstatusesget.go
index 3b05ca73d..ae76e814f 100644
--- a/internal/api/client/filters/v2/filterstatusesget.go
+++ b/internal/api/client/filters/v2/filterstatusesget.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 // FilterStatusesGETHandler swagger:operation GET /api/v2/filters/{id}/statuses filterStatusesGet
@@ -68,9 +67,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterStatusesGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/filters/v2/filterstatusget.go b/internal/api/client/filters/v2/filterstatusget.go
index 9e62e4466..efe20f0c2 100644
--- a/internal/api/client/filters/v2/filterstatusget.go
+++ b/internal/api/client/filters/v2/filterstatusget.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 // FilterStatusGETHandler swagger:operation GET /api/v2/filters/statuses/{id} filterStatusGet
@@ -66,9 +65,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterStatusGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/filters/v2/filterstatuspost.go b/internal/api/client/filters/v2/filterstatuspost.go
index deef54a9c..c6921e584 100644
--- a/internal/api/client/filters/v2/filterstatuspost.go
+++ b/internal/api/client/filters/v2/filterstatuspost.go
@@ -24,7 +24,6 @@ import (
 apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 "github.com/superseriousbusiness/gotosocial/internal/validate"
 )
@@ -88,9 +87,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterStatusPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/followedtags/get.go b/internal/api/client/followedtags/get.go
index 68e4ffb5f..f1fa45b07 100644
--- a/internal/api/client/followedtags/get.go
+++ b/internal/api/client/followedtags/get.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 "github.com/superseriousbusiness/gotosocial/internal/paging"
 )
@@ -100,9 +99,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FollowedTagsGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFollows,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/followrequests/authorize.go b/internal/api/client/followrequests/authorize.go
index 6a6f0dc81..cc7b5598c 100644
--- a/internal/api/client/followrequests/authorize.go
+++ b/internal/api/client/followrequests/authorize.go
@@ -24,7 +24,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 // FollowRequestAuthorizePOSTHandler swagger:operation POST /api/v1/follow_requests/{account_id}/authorize authorizeFollowRequest
@@ -69,9 +68,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FollowRequestAuthorizePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFollows,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/followrequests/get.go b/internal/api/client/followrequests/get.go
index 40cdceaea..4b7760a6d 100644
--- a/internal/api/client/followrequests/get.go
+++ b/internal/api/client/followrequests/get.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 "github.com/superseriousbusiness/gotosocial/internal/paging"
 )
@@ -108,9 +107,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FollowRequestGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFollows,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/followrequests/reject.go b/internal/api/client/followrequests/reject.go
index a8189b78a..4207925db 100644
--- a/internal/api/client/followrequests/reject.go
+++ b/internal/api/client/followrequests/reject.go
@@ -24,7 +24,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 // FollowRequestRejectPOSTHandler swagger:operation POST /api/v1/follow_requests/{account_id}/reject rejectFollowRequest
@@ -67,9 +66,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FollowRequestRejectPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFollows,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/import/import.go b/internal/api/client/import/import.go
index 6d85a6b23..c3908625b 100644
--- a/internal/api/client/import/import.go
+++ b/internal/api/client/import/import.go
@@ -28,7 +28,6 @@ import (
 apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 "github.com/superseriousbusiness/gotosocial/internal/processing"
 )
@@ -109,7 +108,7 @@ func (m *Module) Route(attachHandler func(method string, path string, f ...gin.H
 //
 // security:
 // - OAuth2 Bearer:
-// - write:accounts
+// - write
 //
 // responses:
 // '202':
@@ -123,9 +122,12 @@ func (m *Module) Route(attachHandler func(method string, path string, f ...gin.H
 // '500':
 // description: internal server error
 func (m *Module) ImportPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
@@ -179,7 +181,7 @@ func (m *Module) ImportPOSTHandler(c *gin.Context) {
 overwrite := form.Mode == "overwrite"
 // Trigger the import.
- errWithCode := m.processor.Account().ImportData(
+ errWithCode = m.processor.Account().ImportData(
 c.Request.Context(),
 authed.Account,
 form.Data,
diff --git a/internal/api/client/instance/instancepatch.go b/internal/api/client/instance/instancepatch.go
index 5085399eb..67856100d 100644
--- a/internal/api/client/instance/instancepatch.go
+++ b/internal/api/client/instance/instancepatch.go
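Review bot: ImportPOSTHandler now gates on the parent `apiutil.ScopeWrite` scope, and the swagger block is changed from `write:accounts` to `write`, so a token that was granted only `write:accounts` will start receiving a 403 from this endpoint once scopes are enforced; the commit message lists "enforce scopes" but does not call out this widening as a client-facing change. If the broad scope is deliberate, presumably because a single import can write several resource types, say so next to the argument, e.g. `// Imports can touch several resource types, so require the parent write scope rather than write:accounts.`, so the next maintainer does not narrow it back. Operators may also want to mention the change in release notes so clients can re-request scopes. The rest of ImportPOSTHandler lies outside the hunk.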
@@ -27,7 +27,6 @@ import (
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/config"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 // InstanceUpdatePATCHHandler swagger:operation PATCH /api/v1/instance instanceUpdate
@@ -107,7 +106,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
@@ -127,9 +126,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) InstanceUpdatePATCHHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/instance/instancepatch_test.go b/internal/api/client/instance/instancepatch_test.go
index 53df20b6b..a63ca9e11 100644
--- a/internal/api/client/instance/instancepatch_test.go
+++ b/internal/api/client/instance/instancepatch_test.go
@@ -544,7 +544,7 @@ func (suite *InstancePatchTestSuite) TestInstancePatch5() {
 b, err := io.ReadAll(result.Body)
 suite.NoError(err)
- suite.Equal(`{"error":"Forbidden: user is not an admin so cannot update instance settings"}`, string(b))
+ suite.Equal(`{"error":"Forbidden: token has insufficient scope permission"}`, string(b))
 }
 func (suite *InstancePatchTestSuite) TestInstancePatch6() {
diff --git a/internal/api/client/instance/instancepeersget.go b/internal/api/client/instance/instancepeersget.go
index c278c0674..0b32a87e9 100644
--- a/internal/api/client/instance/instancepeersget.go
+++ b/internal/api/client/instance/instancepeersget.go
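Review bot: In instancepatch_test.go, TestInstancePatch5 now expects `Forbidden: token has insufficient scope permission`, which means the non-admin request in that test is being stopped by the new scope check in InstanceUpdatePATCHHandler before the older "user is not an admin" check is reached; that older check is therefore no longer exercised by this test. Whether TokenAuth ties `apiutil.ScopeAdminWrite` to the user's admin flag, or the processor still rejects a non-admin account independently, is not visible in this diff, so the scope check should not be the only barrier. Suggest keeping a second case that issues an `admin:write`-scoped token to a non-admin user and still asserts a 403, so the admin check is covered rather than assumed. The body of TestInstancePatch5 starts outside the hunk.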
@@ -25,7 +25,6 @@ import (
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/config"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 "github.com/gin-gonic/gin"
 )
@@ -59,6 +58,9 @@ import (
 // required: false
 // default: "open"
 //
+// security:
+// - OAuth2 Bearer: []
+//
 // responses:
 // '200':
 // description: >-
@@ -99,9 +101,11 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) InstancePeersGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, false, false, false, false)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ false, false, false, false,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/interactionpolicies/getdefaults.go b/internal/api/client/interactionpolicies/getdefaults.go
index 4ad0071f4..870425e8d 100644
--- a/internal/api/client/interactionpolicies/getdefaults.go
+++ b/internal/api/client/interactionpolicies/getdefaults.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 // PoliciesDefaultsGETHandler swagger:operation GET /api/v1/interaction_policies/defaults policiesDefaultsGet
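Review bot: InstancePeersGETHandler is the one handler in this batch that calls TokenAuth with every requirement set to false and no scope argument, and the swagger block now advertises `OAuth2 Bearer: []`; nothing on the new side says what `authed` holds when no token is sent, and the remainder of the handler (outside the hunk) presumably branches on it. A one-line comment above the call would stop a reader from assuming the missing scope is an oversight, e.g. `// Token optional: no account, user or scope is required; authed may carry no account.`, with the last clause confirmed against TokenAuth. If TokenAuth treats an empty scope list as "no scope check", it is worth stating that there too, since every other call site in this commit passes at least one scope.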
@@ -53,9 +52,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) PoliciesDefaultsGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/interactionpolicies/updatedefaults.go b/internal/api/client/interactionpolicies/updatedefaults.go
index 39e95784f..8496b00aa 100644
--- a/internal/api/client/interactionpolicies/updatedefaults.go
+++ b/internal/api/client/interactionpolicies/updatedefaults.go
@@ -27,7 +27,6 @@ import (
 apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 // PoliciesDefaultsPATCHHandler swagger:operation PATCH /api/v1/interaction_policies/defaults policiesDefaultsUpdate
@@ -211,9 +210,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) PoliciesDefaultsPATCHHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/interactionrequests/authorize.go b/internal/api/client/interactionrequests/authorize.go
index 1e5589f7e..8191923ba 100644
--- a/internal/api/client/interactionrequests/authorize.go
+++ b/internal/api/client/interactionrequests/authorize.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 // InteractionRequestAuthorizePOSTHandler swagger:operation POST /api/v1/interaction_requests/{id}/authorize authorizeInteractionRequest
@@ -66,9 +65,11 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) InteractionRequestAuthorizePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- errWithCode := gtserror.NewErrorUnauthorized(err, err.Error())
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteStatuses,
+ )
+ if errWithCode != nil {
 apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/interactionrequests/get.go b/internal/api/client/interactionrequests/get.go
index a354a8623..d1d5f5eb4 100644
--- a/internal/api/client/interactionrequests/get.go
+++ b/internal/api/client/interactionrequests/get.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 // InteractionRequestGETHandler swagger:operation GET /api/v1/interaction_requests/{id} getInteractionRequest
@@ -65,9 +64,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) InteractionRequestGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadNotifications,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/interactionrequests/getpage.go b/internal/api/client/interactionrequests/getpage.go
index 1978a055c..f3f1251cc 100644
--- a/internal/api/client/interactionrequests/getpage.go
+++ b/internal/api/client/interactionrequests/getpage.go
@@ -24,7 +24,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 "github.com/superseriousbusiness/gotosocial/internal/paging"
 )
@@ -137,9 +136,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) InteractionRequestsGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadNotifications,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/interactionrequests/reject.go b/internal/api/client/interactionrequests/reject.go
index 33c426462..0102d872a 100644
--- a/internal/api/client/interactionrequests/reject.go
+++ b/internal/api/client/interactionrequests/reject.go
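Review bot: InteractionRequestGETHandler and InteractionRequestsGETHandler (getpage.go, same line) require `apiutil.ScopeReadNotifications`, while the authorize and reject handlers for the same resource (authorize.go on the preceding line, reject.go on the next) require `apiutil.ScopeWriteStatuses`; the read and write sides of one API are thus keyed to two different scope families. A client granted only the notifications scopes can list interaction requests but not act on them, and one granted only the statuses scopes can act on a request whose ID it cannot list. If the split is intentional, a comment beside each scope argument explaining the mapping, e.g. `// Listing pending requests is treated as reading notifications; acting on one is a status write.`, plus matching swagger security blocks, would keep the pairing from being "corrected" in either direction later.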
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 // InteractionRequestRejectPOSTHandler swagger:operation POST /api/v1/interaction_requests/{id}/reject rejectInteractionRequest
@@ -66,9 +65,11 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) InteractionRequestRejectPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- errWithCode := gtserror.NewErrorUnauthorized(err, err.Error())
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteStatuses,
+ )
+ if errWithCode != nil {
 apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/lists/listaccounts.go b/internal/api/client/lists/listaccounts.go
index d609251f7..4c6c00292 100644
--- a/internal/api/client/lists/listaccounts.go
+++ b/internal/api/client/lists/listaccounts.go
@@ -24,7 +24,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 "github.com/superseriousbusiness/gotosocial/internal/paging"
 )
@@ -117,9 +116,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ListAccountsGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/lists/listaccountsadd.go b/internal/api/client/lists/listaccountsadd.go
index 168c5e3fe..b27cd1e92 100644
--- a/internal/api/client/lists/listaccountsadd.go
+++ b/internal/api/client/lists/listaccountsadd.go
@@ -25,7 +25,6 @@ import (
 apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 // ListAccountsPOSTHandler swagger:operation POST /api/v1/lists/{id}/accounts addListAccounts
@@ -82,9 +81,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ListAccountsPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/lists/listaccountsremove.go b/internal/api/client/lists/listaccountsremove.go
index 96f8b809d..160552d62 100644
--- a/internal/api/client/lists/listaccountsremove.go
+++ b/internal/api/client/lists/listaccountsremove.go
@@ -25,7 +25,6 @@ import (
 apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 // ListAccountsDELETEHandler swagger:operation DELETE /api/v1/lists/{id}/accounts removeListAccounts
@@ -82,9 +81,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ListAccountsDELETEHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
@@ -108,7 +110,7 @@ func (m *Module) ListAccountsDELETEHandler(c *gin.Context) {
 // parsing in order to be compatible with Mastodon's client API conventions.
 oldMethod := c.Request.Method
 c.Request.Method = "POST"
- err = c.ShouldBind(form)
+ err := c.ShouldBind(form)
 c.Request.Method = oldMethod
 if err != nil {
diff --git a/internal/api/client/lists/listcreate.go b/internal/api/client/lists/listcreate.go
index c8f547ccc..5d3daf2ed 100644
--- a/internal/api/client/lists/listcreate.go
+++ b/internal/api/client/lists/listcreate.go
@@ -26,7 +26,6 @@ import (
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
 "github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 "github.com/superseriousbusiness/gotosocial/internal/validate"
 )
@@ -97,9 +96,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ListCreatePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/lists/listdelete.go b/internal/api/client/lists/listdelete.go
index b03f21e5a..33c0add70 100644
--- a/internal/api/client/lists/listdelete.go
+++ b/internal/api/client/lists/listdelete.go
@@ -24,7 +24,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 // ListDELETEHandler swagger:operation DELETE /api/v1/lists/{id} listDelete
@@ -64,9 +63,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ListDELETEHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/lists/listget.go b/internal/api/client/lists/listget.go
index 34b21d28b..008d516ba 100644
--- a/internal/api/client/lists/listget.go
+++ b/internal/api/client/lists/listget.go
@@ -24,7 +24,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 // ListGETHandler swagger:operation GET /api/v1/lists/{id} list
@@ -67,9 +66,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ListGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/lists/listsget.go b/internal/api/client/lists/listsget.go
index 6bfc3c883..9a40702b8 100644
--- a/internal/api/client/lists/listsget.go
+++ b/internal/api/client/lists/listsget.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 // ListsGETHandler swagger:operation GET /api/v1/lists lists
@@ -60,9 +59,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ListsGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/lists/listupdate.go b/internal/api/client/lists/listupdate.go
index 38caa9621..388d878a9 100644
--- a/internal/api/client/lists/listupdate.go
+++ b/internal/api/client/lists/listupdate.go
@@ -27,7 +27,6 @@ import (
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
 "github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 "github.com/superseriousbusiness/gotosocial/internal/validate"
 )
@@ -103,9 +102,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ListUpdatePUTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
@@ -152,7 +154,7 @@ func (m *Module) ListUpdatePUTHandler(c *gin.Context) {
 }
 if form.Title == nil && repliesPolicy == nil && form.Exclusive == nil {
- err = errors.New("neither title nor replies_policy nor exclusive was set; nothing to update")
+ err := errors.New("neither title nor replies_policy nor exclusive was set; nothing to update")
 apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/markers/markersget.go b/internal/api/client/markers/markersget.go
index 9f4fc4270..f5b70ca68 100644
--- a/internal/api/client/markers/markersget.go
+++ b/internal/api/client/markers/markersget.go
@@ -24,7 +24,6 @@ import (
 apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 "github.com/superseriousbusiness/gotosocial/internal/validate"
 )
@@ -67,9 +66,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) MarkersGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadStatuses,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/markers/markerspost.go b/internal/api/client/markers/markerspost.go
index 8fe40c798..e2fffa265 100644
--- a/internal/api/client/markers/markerspost.go
+++ b/internal/api/client/markers/markerspost.go
@@ -25,7 +25,6 @@ import (
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
 "github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 // MarkersPOSTHandler swagger:operation POST /api/v1/markers markersPost
@@ -72,9 +71,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) MarkersPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteStatuses,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/media/mediacreate.go b/internal/api/client/media/mediacreate.go
index efe567f13..0f9de7b56 100644
--- a/internal/api/client/media/mediacreate.go
+++ b/internal/api/client/media/mediacreate.go
@@ -27,7 +27,6 @@ import (
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/config"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // MediaCreatePOSTHandler swagger:operation POST /api/{api_version}/media mediaCreate
@@ -102,9 +101,12 @@ func (m *Module) MediaCreatePOSTHandler(c *gin.Context) {
 return
 }
 
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteMedia,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/media/mediaget.go b/internal/api/client/media/mediaget.go
index 8456f85d8..8428e202f 100644
--- a/internal/api/client/media/mediaget.go
+++ b/internal/api/client/media/mediaget.go
@@ -24,7 +24,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // MediaGETHandler swagger:operation GET /api/v1/media/{id} mediaGet
@@ -74,9 +73,14 @@ func (m *Module) MediaGETHandler(c *gin.Context) {
 return
 }
 
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ // This takes write even
+ // though it's a read.
+ apiutil.ScopeWriteMedia,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
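Review bot: The comment `// This takes write even // though it's a read.` on the ScopeWriteMedia argument in MediaGETHandler records the oddity but not the reason, so the next reader will be tempted to "fix" it to a read scope and silently break clients. Presumably this mirrors the upstream Mastodon API, which documents GET /api/v1/media/:id under write:media; if so, say it, e.g. `// Mirrors the Mastodon API, which gates GET /api/v1/media/:id behind write:media rather than a read scope; check client compatibility before changing.` The body of MediaGETHandler continues outside the hunk.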
diff --git a/internal/api/client/media/mediaupdate.go b/internal/api/client/media/mediaupdate.go
index 0a9ce4eb8..b71b0c5f1 100644
--- a/internal/api/client/media/mediaupdate.go
+++ b/internal/api/client/media/mediaupdate.go
@@ -27,7 +27,6 @@ import (
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/config"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // MediaPUTHandler swagger:operation PUT /api/v1/media/{id} mediaUpdate
@@ -106,9 +105,12 @@ func (m *Module) MediaPUTHandler(c *gin.Context) {
 return
 }
 
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteMedia,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/mutes/mutesget.go b/internal/api/client/mutes/mutesget.go
index 7fcbc2b44..76c31ebc6 100644
--- a/internal/api/client/mutes/mutesget.go
+++ b/internal/api/client/mutes/mutesget.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 "github.com/superseriousbusiness/gotosocial/internal/paging"
 )
 
@@ -108,9 +107,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) MutesGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadMutes,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/notifications/notificationget.go b/internal/api/client/notifications/notificationget.go
index 66bdefb28..0c15cf937 100644
--- a/internal/api/client/notifications/notificationget.go
+++ b/internal/api/client/notifications/notificationget.go
@@ -24,7 +24,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // NotificationGETHandler swagger:operation GET /api/v1/notification/{id} notification
@@ -67,9 +66,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) NotificationGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadNotifications,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/notifications/notificationsclear.go b/internal/api/client/notifications/notificationsclear.go
index 2d7da3c6b..3742f7eba 100644
--- a/internal/api/client/notifications/notificationsclear.go
+++ b/internal/api/client/notifications/notificationsclear.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // NotificationsClearPOSTHandler swagger:operation POST /api/v1/notifications/clear clearNotifications
@@ -41,7 +40,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - read:notifications
+// - write:notifications
 //
 // responses:
 // '200':
@@ -58,9 +57,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) NotificationsClearPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteNotifications,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
@@ -69,7 +71,7 @@ func (m *Module) NotificationsClearPOSTHandler(c *gin.Context) {
 return
 }
 
- errWithCode := m.processor.Timeline().NotificationsClear(c.Request.Context(), authed)
+ errWithCode = m.processor.Timeline().NotificationsClear(c.Request.Context(), authed)
 if errWithCode != nil {
 apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
diff --git a/internal/api/client/notifications/notificationsget.go b/internal/api/client/notifications/notificationsget.go
index b530c515d..e02ca23d8 100644
--- a/internal/api/client/notifications/notificationsget.go
+++ b/internal/api/client/notifications/notificationsget.go
@@ -26,7 +26,6 @@ import (
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
 "github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
 "github.com/superseriousbusiness/gotosocial/internal/log"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 "github.com/superseriousbusiness/gotosocial/internal/paging"
 )
 
@@ -143,9 +142,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) NotificationsGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadNotifications,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/polls/polls_get.go b/internal/api/client/polls/polls_get.go
index fc89255e9..e432b1f8e 100644
--- a/internal/api/client/polls/polls_get.go
+++ b/internal/api/client/polls/polls_get.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // PollGETHandler swagger:operation GET /api/v1/polls/{id} poll
@@ -67,9 +66,11 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) PollGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- errWithCode := gtserror.NewErrorUnauthorized(err, err.Error())
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadStatuses,
+ )
+ if errWithCode != nil {
 apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/polls/polls_vote.go b/internal/api/client/polls/polls_vote.go
index 192ecbc0f..0c857e2d8 100644
--- a/internal/api/client/polls/polls_vote.go
+++ b/internal/api/client/polls/polls_vote.go
@@ -26,7 +26,6 @@ import (
 apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // PollVotePOSTHandler swagger:operation POST /api/v1/polls/{id}/votes pollVote
@@ -80,9 +79,11 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) PollVotePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- errWithCode := gtserror.NewErrorUnauthorized(err, err.Error())
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteStatuses,
+ )
+ if errWithCode != nil {
 apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/preferences/preferencesget.go b/internal/api/client/preferences/preferencesget.go
index 4a6cb4b55..20cfc7d36 100644
--- a/internal/api/client/preferences/preferencesget.go
+++ b/internal/api/client/preferences/preferencesget.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // PreferencesGETHandler swagger:operation GET /api/v1/preferences preferencesGet
@@ -71,9 +70,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) PreferencesGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, false, false, false, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/push/pushsubscriptiondelete.go b/internal/api/client/push/pushsubscriptiondelete.go
index 2a5fd8e69..c82222248 100644
--- a/internal/api/client/push/pushsubscriptiondelete.go
+++ b/internal/api/client/push/pushsubscriptiondelete.go
@@ -22,8 +22,6 @@ import (
 
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
- "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // PushSubscriptionDELETEHandler swagger:operation DELETE /api/v1/push/subscription pushSubscriptionDelete
@@ -49,9 +47,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) PushSubscriptionDELETEHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopePush,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/push/pushsubscriptiondelete_test.go b/internal/api/client/push/pushsubscriptiondelete_test.go
index 3e81ce2a1..2548f2fb7 100644
--- a/internal/api/client/push/pushsubscriptiondelete_test.go
+++ b/internal/api/client/push/pushsubscriptiondelete_test.go
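Review bot: PreferencesGETHandler changes more than its scope: the removed call was `oauth.Authed(c, false, false, false, true)` and the replacement passes `true, true, true, true`, so the handler now additionally enforces the three checks it previously skipped before the account requirement. That is very likely the right tightening, since read:accounts only makes sense on a user token, but it is a behaviour change beyond scope enforcement that nothing on the page calls out; confirm it is intended, and if so note it in the commit description alongside the other scope changes. The body of PreferencesGETHandler continues outside the hunk.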
@@ -76,7 +76,7 @@ func (suite *PushTestSuite) TestDeleteSubscription() {
 func (suite *PushTestSuite) TestDeleteMissingSubscription() {
 accountFixtureName := "local_account_1"
 // This token should not have a subscription.
- tokenFixtureName := "local_account_1_user_authorization_token"
+ tokenFixtureName := "local_account_1_push_only"
 
 err := suite.deleteSubscription(accountFixtureName, tokenFixtureName, 200)
 suite.NoError(err)
diff --git a/internal/api/client/push/pushsubscriptionget.go b/internal/api/client/push/pushsubscriptionget.go
index 10774b862..d48e43108 100644
--- a/internal/api/client/push/pushsubscriptionget.go
+++ b/internal/api/client/push/pushsubscriptionget.go
@@ -22,8 +22,6 @@ import (
 
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
- "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // PushSubscriptionGETHandler swagger:operation GET /api/v1/push/subscription pushSubscriptionGet
@@ -55,9 +53,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) PushSubscriptionGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopePush,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/push/pushsubscriptionget_test.go b/internal/api/client/push/pushsubscriptionget_test.go
index 23fb9e7f2..80f387195 100644
--- a/internal/api/client/push/pushsubscriptionget_test.go
+++ b/internal/api/client/push/pushsubscriptionget_test.go
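Review bot: The push test hunks here and in pushsubscriptionget_test.go, pushsubscriptionpost_test.go and pushsubscriptionput_test.go only swap the fixture to the push-scoped `local_account_1_push_only` token, so every push test still exercises the accept path; nothing visible asserts that a token lacking the push scope is refused, which is the property this commit introduces. One negative case per handler would pin it, e.g. beside TestDeleteMissingSubscription: `err := suite.deleteSubscription(accountFixtureName, "<fixture without push scope>", <status TokenAuth returns on scope mismatch>)` followed by `suite.NoError(err)`. If the old `local_account_1_user_authorization_token` fixture no longer carries push, which the swap suggests, it is the natural candidate; such tests may already exist elsewhere in the patch, in which case ignore this.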
@@ -95,7 +95,7 @@ func (suite *PushTestSuite) TestGetSubscription() {
 func (suite *PushTestSuite) TestGetMissingSubscription() {
 accountFixtureName := "local_account_1"
 // This token should not have a subscription.
- tokenFixtureName := "local_account_1_user_authorization_token"
+ tokenFixtureName := "local_account_1_push_only"
 
 _, err := suite.getSubscription(accountFixtureName, tokenFixtureName, 404)
 suite.NoError(err)
diff --git a/internal/api/client/push/pushsubscriptionpost.go b/internal/api/client/push/pushsubscriptionpost.go
index cc1be185f..9893d7fe1 100644
--- a/internal/api/client/push/pushsubscriptionpost.go
+++ b/internal/api/client/push/pushsubscriptionpost.go
@@ -29,7 +29,6 @@ import (
 apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // PushSubscriptionPOSTHandler swagger:operation POST /api/v1/push/subscription pushSubscriptionPost
@@ -181,9 +180,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) PushSubscriptionPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopePush,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/push/pushsubscriptionpost_test.go b/internal/api/client/push/pushsubscriptionpost_test.go
index e7e8582df..251dde1f9 100644
--- a/internal/api/client/push/pushsubscriptionpost_test.go
+++ b/internal/api/client/push/pushsubscriptionpost_test.go
@@ -116,7 +116,7 @@ func (suite *PushTestSuite) postSubscription(
 func (suite *PushTestSuite) TestPostSubscription() {
 accountFixtureName := "local_account_1"
 // This token should not have a subscription.
- tokenFixtureName := "local_account_1_user_authorization_token"
+ tokenFixtureName := "local_account_1_push_only"
 
 endpoint := "https://example.test/push"
 auth := "cgna/fzrYLDQyPf5hD7IsA=="
@@ -152,7 +152,7 @@ func (suite *PushTestSuite) TestPostSubscription() {
 func (suite *PushTestSuite) TestPostSubscriptionMinimal() {
 accountFixtureName := "local_account_1"
 // This token should not have a subscription.
- tokenFixtureName := "local_account_1_user_authorization_token"
+ tokenFixtureName := "local_account_1_push_only"
 
 endpoint := "https://example.test/push"
 auth := "cgna/fzrYLDQyPf5hD7IsA=="
@@ -186,7 +186,7 @@ func (suite *PushTestSuite) TestPostSubscriptionMinimal() {
 func (suite *PushTestSuite) TestPostInvalidSubscription() {
 accountFixtureName := "local_account_1"
 // This token should not have a subscription.
- tokenFixtureName := "local_account_1_user_authorization_token"
+ tokenFixtureName := "local_account_1_push_only"
 
 // No endpoint.
 auth := "cgna/fzrYLDQyPf5hD7IsA=="
@@ -212,7 +212,7 @@ func (suite *PushTestSuite) TestPostInvalidSubscription() {
 func (suite *PushTestSuite) TestPostSubscriptionJSON() {
 accountFixtureName := "local_account_1"
 // This token should not have a subscription.
- tokenFixtureName := "local_account_1_user_authorization_token"
+ tokenFixtureName := "local_account_1_push_only"
 
 requestJson := `{
 "subscription": {
@@ -258,7 +258,7 @@ func (suite *PushTestSuite) TestPostSubscriptionJSON() {
 func (suite *PushTestSuite) TestPostSubscriptionJSONMinimal() {
 accountFixtureName := "local_account_1"
 // This token should not have a subscription.
- tokenFixtureName := "local_account_1_user_authorization_token"
+ tokenFixtureName := "local_account_1_push_only"
 
 requestJson := `{
 "subscription": {
@@ -298,7 +298,7 @@ func (suite *PushTestSuite) TestPostSubscriptionJSONMinimal() {
 func (suite *PushTestSuite) TestPostInvalidSubscriptionJSON() {
 accountFixtureName := "local_account_1"
 // This token should not have a subscription.
- tokenFixtureName := "local_account_1_user_authorization_token"
+ tokenFixtureName := "local_account_1_push_only"
 
 // No endpoint.
 requestJson := `{
diff --git a/internal/api/client/push/pushsubscriptionput.go b/internal/api/client/push/pushsubscriptionput.go
index 4d1c5765e..53e6a72e9 100644
--- a/internal/api/client/push/pushsubscriptionput.go
+++ b/internal/api/client/push/pushsubscriptionput.go
@@ -24,7 +24,6 @@ import (
 apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 "github.com/superseriousbusiness/gotosocial/internal/util"
 )
 
@@ -157,9 +156,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) PushSubscriptionPUTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopePush,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/push/pushsubscriptionput_test.go b/internal/api/client/push/pushsubscriptionput_test.go
index d9f0e395e..8b86add9e 100644
--- a/internal/api/client/push/pushsubscriptionput_test.go
+++ b/internal/api/client/push/pushsubscriptionput_test.go
@@ -170,7 +170,7 @@ func (suite *PushTestSuite) TestPutSubscriptionJSON() {
 func (suite *PushTestSuite) TestPutMissingSubscription() {
 accountFixtureName := "local_account_1"
 // This token should not have a subscription.
- tokenFixtureName := "local_account_1_user_authorization_token"
+ tokenFixtureName := "local_account_1_push_only"
 
 alertsMention := true
 alertsStatus := false
diff --git a/internal/api/client/reports/reportcreate.go b/internal/api/client/reports/reportcreate.go
index a303cf20a..b9a4666ee 100644
--- a/internal/api/client/reports/reportcreate.go
+++ b/internal/api/client/reports/reportcreate.go
@@ -26,7 +26,6 @@ import (
 apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 "github.com/superseriousbusiness/gotosocial/internal/regexes"
 )
 
@@ -66,9 +65,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ReportPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteReports,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
@@ -89,19 +91,19 @@ func (m *Module) ReportPOSTHandler(c *gin.Context) {
 }
 
 if form.AccountID == "" {
- err = errors.New("account_id must be set")
+ err := errors.New("account_id must be set")
 apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1)
 return
 }
 
 if !regexes.ULID.MatchString(form.AccountID) {
- err = errors.New("account_id was not valid")
+ err := errors.New("account_id was not valid")
 apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1)
 return
 }
 
 if length := len([]rune(form.Comment)); length > 1000 {
- err = fmt.Errorf("comment length must be no more than 1000 chars, provided comment was %d chars", length)
+ err := fmt.Errorf("comment length must be no more than 1000 chars, provided comment was %d chars", length)
 apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/reports/reportget.go b/internal/api/client/reports/reportget.go
index c9ca0054f..1219e4a12 100644
--- a/internal/api/client/reports/reportget.go
+++ b/internal/api/client/reports/reportget.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // ReportGETHandler swagger:operation GET /api/v1/reports/{id} reportGet
@@ -47,7 +46,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - read:reports
+// - read:accounts
 //
 // responses:
 // '200':
@@ -65,9 +64,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ReportGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/reports/reportsget.go b/internal/api/client/reports/reportsget.go
index 4c3d4e33a..65adf664f 100644
--- a/internal/api/client/reports/reportsget.go
+++ b/internal/api/client/reports/reportsget.go
@@ -23,7 +23,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 "github.com/superseriousbusiness/gotosocial/internal/paging"
 )
 
@@ -94,7 +93,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - read:reports
+// - read:accounts
 //
 // responses:
 // '200':
@@ -119,9 +118,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ReportsGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/search/searchget.go b/internal/api/client/search/searchget.go
index 0f9595efc..05a64f244 100644
--- a/internal/api/client/search/searchget.go
+++ b/internal/api/client/search/searchget.go
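Review bot: ReportGETHandler, and ReportsGETHandler in the `@@ -119,9 +118,12 @@` hunk of reportsget.go, gate a user's own filed reports behind `apiutil.ScopeReadAccounts`, replacing the `read:reports` scope the swagger blocks previously advertised. A report carries the reported account and status IDs plus the reporter's comment, which is more sensitive than the profile data read:accounts usually covers, so a client that was granted read:accounts for profile display can now list them as well. If read:reports is simply not a scope apiutil defines, which the doc change suggests, a comment on the scope argument should record that, e.g. `// No read:reports scope exists; read:accounts is the closest available fit.`, so the broad scope is not mistaken for an oversight later. Both handler bodies continue outside their hunks.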
@@ -24,7 +24,6 @@ import (
 apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // SearchGETHandler swagger:operation GET /api/{api_version}/search searchGet
@@ -178,9 +177,12 @@ func (m *Module) SearchGETHandler(c *gin.Context) {
 return
 }
 
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadSearch,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/statuses/statusbookmark.go b/internal/api/client/statuses/statusbookmark.go
index 9dbc0f56e..059ed7e57 100644
--- a/internal/api/client/statuses/statusbookmark.go
+++ b/internal/api/client/statuses/statusbookmark.go
@@ -24,7 +24,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // StatusBookmarkPOSTHandler swagger:operation POST /api/v1/statuses/{id}/bookmark statusBookmark
@@ -48,7 +47,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - write:statuses
+// - write:bookmarks
 //
 // responses:
 // '200':
@@ -69,9 +68,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) StatusBookmarkPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteBookmarks,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/statuses/statusboost.go b/internal/api/client/statuses/statusboost.go
index 035ee8747..fb4c5e5ee 100644
--- a/internal/api/client/statuses/statusboost.go
+++ b/internal/api/client/statuses/statusboost.go
@@ -24,7 +24,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // StatusBoostPOSTHandler swagger:operation POST /api/v1/statuses/{id}/reblog statusReblog
@@ -72,9 +71,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) StatusBoostPOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteStatuses,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/statuses/statusboostedby.go b/internal/api/client/statuses/statusboostedby.go
index 15e0e26a0..9ee82c709 100644
--- a/internal/api/client/statuses/statusboostedby.go
+++ b/internal/api/client/statuses/statusboostedby.go
@@ -24,7 +24,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // StatusBoostedByGETHandler swagger:operation GET /api/v1/statuses/{id}/reblogged_by statusBoostedBy
@@ -65,9 +64,12 @@ import (
 // '404':
 // description: not found
 func (m *Module) StatusBoostedByGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/statuses/statuscontext.go b/internal/api/client/statuses/statuscontext.go
index 0eea50819..cae48e938 100644
--- a/internal/api/client/statuses/statuscontext.go
+++ b/internal/api/client/statuses/statuscontext.go
@@ -24,7 +24,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // StatusContextGETHandler swagger:operation GET /api/v1/statuses/{id}/context threadContext
@@ -71,9 +70,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) StatusContextGETHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadStatuses,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
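Review bot: StatusBoostedByGETHandler requires `apiutil.ScopeReadAccounts`, as does StatusFavedByGETHandler in the `@@ -69,9 +68,12 @@` hunk of statusfavedby.go, while the neighbouring status-read endpoints on this page (statuscontext, polls_get, markersget) use ScopeReadStatuses. If the aim is Mastodon API parity, Mastodon documents reblogged_by and favourited_by under read:statuses as far as I recall, so a client holding only read:statuses would be refused on these two routes after this change. Confirm the intended scope and make sure the swagger `security:` block for both operations, which these hunks do not touch, says the same thing as the code. Both handler bodies continue outside their hunks.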
diff --git a/internal/api/client/statuses/statuscreate.go b/internal/api/client/statuses/statuscreate.go
index bfb1c486d..686e29ec4 100644
--- a/internal/api/client/statuses/statuscreate.go
+++ b/internal/api/client/statuses/statuscreate.go
@@ -28,7 +28,6 @@ import (
 apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 "github.com/superseriousbusiness/gotosocial/internal/util"
 )
 
@@ -262,9 +261,12 @@ import (
 // '501':
 // description: scheduled_at was set, but this feature is not yet implemented
 func (m *Module) StatusCreatePOSTHandler(c *gin.Context) {
- authed, err := oauth.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteStatuses,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
 
diff --git a/internal/api/client/statuses/statusdelete.go b/internal/api/client/statuses/statusdelete.go
index fa62d6893..c5ff046f7 100644
--- a/internal/api/client/statuses/statusdelete.go
+++ b/internal/api/client/statuses/statusdelete.go
@@ -24,7 +24,6 @@ import (
 "github.com/gin-gonic/gin"
 apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 "github.com/superseriousbusiness/gotosocial/internal/gtserror"
- "github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 // StatusDELETEHandler swagger:operation DELETE /api/v1/statuses/{id} statusDelete
@@ -71,9 +70,12 @@ import ( // '500': // description: internal server error func (m *Module) StatusDELETEHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteStatuses, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/statuses/statusedit.go b/internal/api/client/statuses/statusedit.go index dfd7d651e..dbd2224f7 100644 --- a/internal/api/client/statuses/statusedit.go +++ b/internal/api/client/statuses/statusedit.go @@ -27,7 +27,6 @@ import ( apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" "github.com/superseriousbusiness/gotosocial/internal/util" ) @@ -156,9 +155,12 @@ import ( // '500': // description: internal server error func (m *Module) StatusEditPUTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteStatuses, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/statuses/statusfave.go b/internal/api/client/statuses/statusfave.go index 41d45c6b8..23ff2d7a1 100644 --- a/internal/api/client/statuses/statusfave.go +++ b/internal/api/client/statuses/statusfave.go 
@@ -24,7 +24,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // StatusFavePOSTHandler swagger:operation POST /api/v1/statuses/{id}/favourite statusFave @@ -68,9 +67,12 @@ import ( // '500': // description: internal server error func (m *Module) StatusFavePOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteStatuses, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/statuses/statusfavedby.go b/internal/api/client/statuses/statusfavedby.go index 7dca760cc..a4a0611ce 100644 --- a/internal/api/client/statuses/statusfavedby.go +++ b/internal/api/client/statuses/statusfavedby.go @@ -24,7 +24,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // StatusFavedByGETHandler swagger:operation GET /api/v1/statuses/{id}/favourited_by statusFavedBy @@ -69,9 +68,12 @@ import ( // '500': // description: internal server error func (m *Module) StatusFavedByGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } 
diff --git a/internal/api/client/statuses/statusget.go b/internal/api/client/statuses/statusget.go index 8c3edac81..f8fb2cb50 100644 --- a/internal/api/client/statuses/statusget.go +++ b/internal/api/client/statuses/statusget.go @@ -24,7 +24,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // StatusGETHandler swagger:operation GET /api/v1/statuses/{id} statusGet @@ -68,9 +67,12 @@ import ( // '500': // description: internal server error func (m *Module) StatusGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadStatuses, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/statuses/statushistory.go b/internal/api/client/statuses/statushistory.go index ba1af58cf..dc5932ff7 100644 --- a/internal/api/client/statuses/statushistory.go +++ b/internal/api/client/statuses/statushistory.go @@ -23,7 +23,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // StatusHistoryGETHandler swagger:operation GET /api/v1/statuses/{id}/history statusHistoryGet 
@@ -70,9 +69,12 @@ import ( // '500': // description: internal server error func (m *Module) StatusHistoryGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadStatuses, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/statuses/statusmute.go b/internal/api/client/statuses/statusmute.go index 58d14a8bf..42df112a3 100644 --- a/internal/api/client/statuses/statusmute.go +++ b/internal/api/client/statuses/statusmute.go @@ -23,7 +23,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // StatusMutePOSTHandler swagger:operation POST /api/v1/statuses/{id}/mute statusMute @@ -72,9 +71,12 @@ import ( // '500': // description: internal server error func (m *Module) StatusMutePOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteMutes, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/statuses/statuspin.go b/internal/api/client/statuses/statuspin.go index e5879f715..0c4c681a6 100644 --- a/internal/api/client/statuses/statuspin.go +++ b/internal/api/client/statuses/statuspin.go 
@@ -24,7 +24,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // StatusPinPOSTHandler swagger:operation POST /api/v1/statuses/{id}/pin statusPin @@ -74,9 +73,12 @@ import ( // '500': // description: internal server error func (m *Module) StatusPinPOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/statuses/statussource.go b/internal/api/client/statuses/statussource.go index c74d99bfc..fd15e8719 100644 --- a/internal/api/client/statuses/statussource.go +++ b/internal/api/client/statuses/statussource.go @@ -23,7 +23,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // StatusSourceGETHandler swagger:operation GET /api/v1/statuses/{id}/source statusSourceGet @@ -68,9 +67,12 @@ import ( // '500': // description: internal server error func (m *Module) StatusSourceGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadStatuses, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } 
diff --git a/internal/api/client/statuses/statusunbookmark.go b/internal/api/client/statuses/statusunbookmark.go index 7dbed9658..ca4e669a7 100644 --- a/internal/api/client/statuses/statusunbookmark.go +++ b/internal/api/client/statuses/statusunbookmark.go @@ -24,7 +24,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // StatusUnbookmarkPOSTHandler swagger:operation POST /api/v1/statuses/{id}/unbookmark statusUnbookmark @@ -48,7 +47,7 @@ import ( // // security: // - OAuth2 Bearer: -// - write:statuses +// - write:bookmarks // // responses: // '200': @@ -69,9 +68,12 @@ import ( // '500': // description: internal server error func (m *Module) StatusUnbookmarkPOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteBookmarks, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/statuses/statusunboost.go b/internal/api/client/statuses/statusunboost.go index ae5c2f600..c7fd00ab7 100644 --- a/internal/api/client/statuses/statusunboost.go +++ b/internal/api/client/statuses/statusunboost.go @@ -24,7 +24,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // StatusUnboostPOSTHandler swagger:operation POST /api/v1/statuses/{id}/unreblog statusUnreblog 
@@ -69,9 +68,12 @@ import ( // '500': // description: internal server error func (m *Module) StatusUnboostPOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteStatuses, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/statuses/statusunfave.go b/internal/api/client/statuses/statusunfave.go index 6fb445143..d7dbe10ce 100644 --- a/internal/api/client/statuses/statusunfave.go +++ b/internal/api/client/statuses/statusunfave.go @@ -24,7 +24,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // StatusUnfavePOSTHandler swagger:operation POST /api/v1/statuses/{id}/unfavourite statusUnfave @@ -48,7 +47,7 @@ import ( // // security: // - OAuth2 Bearer: -// - write:statuses +// - write:favourites // // responses: // '200': @@ -68,9 +67,12 @@ import ( // '500': // description: internal server error func (m *Module) StatusUnfavePOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteFavourites, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/statuses/statusunmute.go b/internal/api/client/statuses/statusunmute.go index e657992ca..76018fd27 100644 --- a/internal/api/client/statuses/statusunmute.go 
+++ b/internal/api/client/statuses/statusunmute.go @@ -23,7 +23,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // StatusUnmutePOSTHandler swagger:operation POST /api/v1/statuses/{id}/unmute statusUnmute @@ -72,9 +71,12 @@ import ( // '500': // description: internal server error func (m *Module) StatusUnmutePOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteMutes, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/statuses/statusunpin.go b/internal/api/client/statuses/statusunpin.go index fbe85755f..32cb913e0 100644 --- a/internal/api/client/statuses/statusunpin.go +++ b/internal/api/client/statuses/statusunpin.go @@ -24,7 +24,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // StatusUnpinPOSTHandler swagger:operation POST /api/v1/statuses/{id}/unpin statusUnpin 
@@ -69,9 +68,12 @@ import ( // '500': // description: internal server error func (m *Module) StatusUnpinPOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/streaming/stream.go b/internal/api/client/streaming/stream.go index 6c57cea03..e6d1b80f7 100644 --- a/internal/api/client/streaming/stream.go +++ b/internal/api/client/streaming/stream.go @@ -28,7 +28,6 @@ import ( "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" "github.com/superseriousbusiness/gotosocial/internal/id" "github.com/superseriousbusiness/gotosocial/internal/log" - "github.com/superseriousbusiness/gotosocial/internal/oauth" streampkg "github.com/superseriousbusiness/gotosocial/internal/stream" "github.com/gin-gonic/gin" @@ -187,9 +186,8 @@ func (m *Module) StreamGETHandler(c *gin.Context) { // No explicit token was provided: // try regular oauth as a last resort. - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - errWithCode := gtserror.NewErrorUnauthorized(err, err.Error()) + authed, errWithCode := apiutil.TokenAuth(c, true, true, true, true) + if errWithCode != nil { apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/tags/follow.go b/internal/api/client/tags/follow.go index 2952996b1..07804013a 100644 --- a/internal/api/client/tags/follow.go +++ b/internal/api/client/tags/follow.go 
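Review bot: The fallback path now calls `apiutil.TokenAuth(c, true, true, true, true)` with no scope, so any token that carries a user and account — including one issued with only write scopes — is accepted for the streaming endpoint, while the timeline handlers in this same patch gate the equivalent content behind `apiutil.ScopeReadStatuses`. If the scope check is intentionally deferred to where the individual stream types are selected, a comment here saying so would stop the next reader from assuming it is an oversight; otherwise passing the read scope(s) the streamed timelines require would make the two paths consistent. StreamGETHandler starts outside the hunk, so the explicit-token path preceding this fallback is not visible here.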
@@ -22,8 +22,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" - "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // FollowTagPOSTHandler swagger:operation POST /api/v1/tags/{tag_name}/follow followTag @@ -65,9 +63,12 @@ import ( // '500': // description: internal server error func (m *Module) FollowTagPOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteFollows, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/tags/get.go b/internal/api/client/tags/get.go index b61b7cc65..a6a433d7d 100644 --- a/internal/api/client/tags/get.go +++ b/internal/api/client/tags/get.go @@ -22,8 +22,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" - "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // TagGETHandler swagger:operation GET /api/v1/tags/{tag_name} getTag @@ -40,8 +38,7 @@ import ( // - application/json // // security: -// - OAuth2 Bearer: -// - read:follows +// - OAuth2 Bearer: [] // // parameters: // - 
@@ -67,9 +64,11 @@ import ( // '500': // description: internal server error func (m *Module) TagGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/tags/unfollow.go b/internal/api/client/tags/unfollow.go index 3166e08ed..49ebd463e 100644 --- a/internal/api/client/tags/unfollow.go +++ b/internal/api/client/tags/unfollow.go @@ -22,8 +22,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" - "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // UnfollowTagPOSTHandler swagger:operation POST /api/v1/tags/{tag_name}/unfollow unfollowTag @@ -67,9 +65,12 @@ import ( // '500': // description: internal server error func (m *Module) UnfollowTagPOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteFollows, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/timelines/home.go b/internal/api/client/timelines/home.go index 55928dd3a..8e957d498 100644 --- a/internal/api/client/timelines/home.go +++ b/internal/api/client/timelines/home.go 
@@ -23,7 +23,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // HomeTimelineGETHandler swagger:operation GET /api/v1/timelines/home homeTimeline @@ -107,9 +106,12 @@ import ( // '400': // description: bad request func (m *Module) HomeTimelineGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadStatuses, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/timelines/list.go b/internal/api/client/timelines/list.go index 25695bf0e..b02489d6c 100644 --- a/internal/api/client/timelines/list.go +++ b/internal/api/client/timelines/list.go @@ -23,7 +23,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // ListTimelineGETHandler swagger:operation GET /api/v1/timelines/list/{id} listTimeline @@ -106,9 +105,12 @@ import ( // '400': // description: bad request func (m *Module) ListTimelineGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadLists, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } 
diff --git a/internal/api/client/timelines/public.go b/internal/api/client/timelines/public.go index 49530216f..d6df36f09 100644 --- a/internal/api/client/timelines/public.go +++ b/internal/api/client/timelines/public.go @@ -24,7 +24,6 @@ import ( apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/config" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // PublicTimelineGETHandler swagger:operation GET /api/v1/timelines/public publicTimeline @@ -108,19 +107,25 @@ import ( // '400': // description: bad request func (m *Module) PublicTimelineGETHandler(c *gin.Context) { - var authed *oauth.Auth - var err error - + var ( + authed *apiutil.Auth + errWithCode gtserror.WithCode + ) if config.GetInstanceExposePublicTimeline() { // If the public timeline is allowed to be exposed, still check if we // can extract various authentication properties, but don't require them. - authed, err = oauth.Authed(c, false, false, false, false) + authed, errWithCode = apiutil.TokenAuth(c, + false, false, false, false, + ) } else { - authed, err = oauth.Authed(c, true, true, true, true) + authed, errWithCode = apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadStatuses, + ) } - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/timelines/tag.go b/internal/api/client/timelines/tag.go index 258184355..8c3a86f81 100644 --- a/internal/api/client/timelines/tag.go +++ b/internal/api/client/timelines/tag.go 
@@ -23,7 +23,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // TagTimelineGETHandler swagger:operation GET /api/v1/timelines/tag/{tag_name} tagTimeline @@ -108,9 +107,12 @@ import ( // '400': // description: bad request func (m *Module) TagTimelineGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadStatuses, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/user/emailchange.go b/internal/api/client/user/emailchange.go index b2e25343f..09d5e8fde 100644 --- a/internal/api/client/user/emailchange.go +++ b/internal/api/client/user/emailchange.go @@ -25,7 +25,6 @@ import ( apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // EmailChangePOSTHandler swagger:operation POST /api/v1/user/email_change userEmailChange @@ -46,7 +45,7 @@ import ( // // security: // - OAuth2 Bearer: -// - write:user +// - write:accounts // // responses: // '202': 
@@ -66,9 +65,12 @@ import ( // '500': // description: internal error func (m *Module) EmailChangePOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/user/passwordchange.go b/internal/api/client/user/passwordchange.go index df9f5b0c8..8b1c7e29a 100644 --- a/internal/api/client/user/passwordchange.go +++ b/internal/api/client/user/passwordchange.go @@ -26,7 +26,6 @@ import ( apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/config" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) const OIDCPasswordHelp = "password change request cannot be processed by GoToSocial as this instance is running with OIDC enabled; you must change password using your OIDC provider" @@ -52,7 +51,7 @@ const OIDCPasswordHelp = "password change request cannot be processed by GoToSoc // // security: // - OAuth2 Bearer: -// - write:user +// - write:accounts // // responses: // '200': @@ -70,9 +69,12 @@ const OIDCPasswordHelp = "password change request cannot be processed by GoToSoc // '500': // description: internal error func (m *Module) PasswordChangePOSTHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } 
diff --git a/internal/api/client/user/userget.go b/internal/api/client/user/userget.go index 147c1dbd5..c82a6d644 100644 --- a/internal/api/client/user/userget.go +++ b/internal/api/client/user/userget.go @@ -23,7 +23,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // UserGETHandler swagger:operation GET /api/v1/user getUser @@ -39,7 +38,7 @@ import ( // // security: // - OAuth2 Bearer: -// - read:user +// - read:accounts // // responses: // '200': @@ -57,9 +56,12 @@ import ( // '500': // description: internal error func (m *Module) UserGETHandler(c *gin.Context) { - authed, err := oauth.Authed(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/fileserver/servefile.go b/internal/api/fileserver/servefile.go index fc6ef0e7e..56285ea48 100644 --- a/internal/api/fileserver/servefile.go +++ b/internal/api/fileserver/servefile.go @@ -31,7 +31,6 @@ import ( apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" "github.com/superseriousbusiness/gotosocial/internal/log" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // ServeFile is for serving attachments, headers, and avatars to the requester from instance storage. 
@@ -39,9 +38,9 @@ import (
 // Note: to mitigate scraping attempts, no information should be given out on a bad request except "404 page not found".
 // Don't give away account ids or media ids or anything like that; callers shouldn't be able to infer anything.
 func (m *Module) ServeFile(c *gin.Context) {
-	authed, err := oauth.Authed(c, false, false, false, false)
-	if err != nil {
-		apiutil.ErrorHandler(c, gtserror.NewErrorNotFound(err), m.processor.InstanceGetV1)
+	authed, errWithCode := apiutil.TokenAuth(c, false, false, false, false)
+	if errWithCode != nil {
+		apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 		return
 	}
diff --git a/internal/api/util/auth.go b/internal/api/util/auth.go
new file mode 100644
index 000000000..5c6afb306
--- /dev/null
+++ b/internal/api/util/auth.go
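Review bot: The `errWithCode` from `apiutil.TokenAuth` is now handed straight to `ErrorHandler`, so a failure in this path produces a 401 with a descriptive message, whereas the removed code mapped every auth failure to `NewErrorNotFound` precisely to honour the comment two lines above about returning nothing but 404 to scrapers. With all four require flags false the only failing branches are TokenAuth's type-assertion errors, so this is unlikely to fire, but the invariant the comment documents no longer holds. Either wrap as before, `apiutil.ErrorHandler(c, gtserror.NewErrorNotFound(errWithCode), m.processor.InstanceGetV1)`, or update the comment to say which responses may now leak. ServeFile's body continues outside the hunk.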
@@ -0,0 +1,152 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see .
+
+package util
+
+import (
+	"errors"
+	"slices"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
+	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+	"github.com/superseriousbusiness/gotosocial/internal/oauth"
+	"github.com/superseriousbusiness/oauth2/v4"
+)
+
+// Auth wraps an authorized token, application, user, and account.
+// It is used in the functions GetAuthed and MustAuth.
+// Because the user might *not* be authed, any of the fields in this struct
+// might be nil, so make sure to check that when you're using this struct anywhere.
+type Auth struct {
+	Token oauth2.TokenInfo
+	Application *gtsmodel.Application
+	User *gtsmodel.User
+	Account *gtsmodel.Account
+}
+
+// TokenAuth is a convenience function for returning an TokenAuth struct from a gin context.
+// In essence, it tries to extract a token, application, user, and account from the context,
+// and then sets them on a struct for convenience.
+//
+// If any are not present in the context, they will be set to nil on the returned TokenAuth struct.
+//
+// If *ALL* are not present, then nil and an error will be returned.
+//
+// If something goes wrong during parsing, then nil and an error will be returned (consider this not authed).
+// TokenAuth is like GetAuthed, but will fail if one of the requirements is not met.
+func TokenAuth(
+	c *gin.Context,
+	requireToken bool,
+	requireApp bool,
+	requireUser bool,
+	requireAccount bool,
+	requireScope ...Scope,
+) (*Auth, gtserror.WithCode) {
+	var (
+		ctx = c.Copy()
+		a = &Auth{}
+		i interface{}
+		ok bool
+	)
+
+	i, ok = ctx.Get(oauth.SessionAuthorizedToken)
+	if ok {
+		parsed, ok := i.(oauth2.TokenInfo)
+		if !ok {
+			const errText = "could not parse token from session context"
+			return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText)
+		}
+		a.Token = parsed
+	}
+
+	i, ok = ctx.Get(oauth.SessionAuthorizedApplication)
+	if ok {
+		parsed, ok := i.(*gtsmodel.Application)
+		if !ok {
+			const errText = "could not parse application from session context"
+			return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText)
+		}
+		a.Application = parsed
+	}
+
+	i, ok = ctx.Get(oauth.SessionAuthorizedUser)
+	if ok {
+		parsed, ok := i.(*gtsmodel.User)
+		if !ok {
+			const errText = "could not parse user from session context"
+			return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText)
+		}
+		a.User = parsed
+	}
+
+	i, ok = ctx.Get(oauth.SessionAuthorizedAccount)
+	if ok {
+		parsed, ok := i.(*gtsmodel.Account)
+		if !ok {
+			const errText = "could not parse account from session context"
+			return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText)
+		}
+		a.Account = parsed
+	}
+
+	if requireToken && a.Token == nil {
+		const errText = "token not supplied"
+		return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText)
+	}
+
+	if requireApp && a.Application == nil {
+		const errText = "application not supplied"
+		return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText)
+	}
+
+	if requireUser && a.User == nil {
+		const errText = "user not supplied or not authorized"
+		return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText)
+	}
+
+	if requireAccount && a.Account == nil {
+		const errText = "account not supplied or not authorized"
+		return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText)
+	}
+
+	if len(requireScope) != 0 {
+		// We need to match one of the
+		// required scopes, check if we can.
+		hasScopes := strings.Split(a.Token.GetScope(), " ")
+		scopeOK := slices.ContainsFunc(
+			hasScopes,
+			func(hasScope string) bool {
+				for _, requiredScope := range requireScope {
+					if Scope(hasScope).Permits(requiredScope) {
+						// Got it.
+						return true
+					}
+				}
+				return false
+			},
+		)
+
+		if !scopeOK {
+			const errText = "token has insufficient scope permission"
+			return nil, gtserror.NewErrorForbidden(errors.New(errText), errText)
+		}
+	}
+
+	return a, nil
+}
diff --git a/internal/api/util/scopes.go b/internal/api/util/scopes.go
new file mode 100644
index 000000000..d02d3cc0d
--- /dev/null
+++ b/internal/api/util/scopes.go
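Review bot: `a.Token.GetScope()` in the scope block is only safe when `requireToken` was true; a caller that passes `requireScope` together with `requireToken == false` reaches a method call on a nil interface and panics instead of getting a 401/403. Every call site in this patch happens to pass `true` alongside scopes, but the function should enforce its own precondition, e.g. before the split: `if len(requireScope) != 0 && a.Token == nil { const errText = "token not supplied"; return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText) }`. `strings.Split` on an empty scope string also yields a single empty element that is then passed to `Permits`; `strings.Fields` would drop it and tolerate repeated spaces. The doc comments still reference `GetAuthed` and `MustAuth`, which do not exist in this file, and say "an TokenAuth struct" where the type is `Auth`.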
@@ -0,0 +1,103 @@ +// GoToSocial +// Copyright (C) GoToSocial Authors admin@gotosocial.org +// SPDX-License-Identifier: AGPL-3.0-or-later +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. +// +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see . + +package util + +import ( + "strings" +) + +type Scope string + +const ( + /* Sub-scopes / scope components */ + + scopeAccounts = "accounts" + scopeBlocks = "blocks" + scopeBookmarks = "bookmarks" + scopeConversations = "conversations" + scopeDomainAllows = "domain_allows" + scopeDomainBlocks = "domain_blocks" + scopeFavourites = "favourites" + scopeFilters = "filters" + scopeFollows = "follows" + scopeLists = "lists" + scopeMedia = "media" + scopeMutes = "mutes" + scopeNotifications = "notifications" + scopeReports = "reports" + scopeSearch = "search" + scopeStatuses = "statuses" + + /* Top-level scopes */ + + ScopeProfile Scope = "profile" + ScopePush Scope = "push" + ScopeRead Scope = "read" + ScopeWrite Scope = "write" + ScopeAdmin Scope = "admin" + ScopeAdminRead Scope = ScopeAdmin + ":" + ScopeRead + ScopeAdminWrite Scope = ScopeAdmin + ":" + ScopeWrite + + /* Granular scopes */ + + ScopeReadAccounts Scope = ScopeRead + ":" + scopeAccounts + ScopeWriteAccounts Scope = ScopeWrite + ":" + scopeAccounts + ScopeReadBlocks Scope = ScopeRead + ":" + scopeBlocks + ScopeWriteBlocks Scope = ScopeWrite + ":" + scopeBlocks + ScopeReadBookmarks Scope = ScopeRead + ":" + scopeBookmarks + 
ScopeWriteBookmarks Scope = ScopeWrite + ":" + scopeBookmarks + ScopeWriteConversations Scope = ScopeWrite + ":" + scopeConversations + ScopeReadFavourites Scope = ScopeRead + ":" + scopeFavourites + ScopeWriteFavourites Scope = ScopeWrite + ":" + scopeFavourites + ScopeReadFilters Scope = ScopeRead + ":" + scopeFilters + ScopeWriteFilters Scope = ScopeWrite + ":" + scopeFilters + ScopeReadFollows Scope = ScopeRead + ":" + scopeFollows + ScopeWriteFollows Scope = ScopeWrite + ":" + scopeFollows + ScopeReadLists Scope = ScopeRead + ":" + scopeLists + ScopeWriteLists Scope = ScopeWrite + ":" + scopeLists + ScopeWriteMedia Scope = ScopeWrite + ":" + scopeMedia + ScopeReadMutes Scope = ScopeRead + ":" + scopeMutes + ScopeWriteMutes Scope = ScopeWrite + ":" + scopeMutes + ScopeReadNotifications Scope = ScopeRead + ":" + scopeNotifications + ScopeWriteNotifications Scope = ScopeWrite + ":" + scopeNotifications + ScopeWriteReports Scope = ScopeWrite + ":" + scopeReports + ScopeReadSearch Scope = ScopeRead + ":" + scopeSearch + ScopeReadStatuses Scope = ScopeRead + ":" + scopeStatuses + ScopeWriteStatuses Scope = ScopeWrite + ":" + scopeStatuses + ScopeAdminReadAccounts Scope = ScopeAdminRead + ":" + scopeAccounts + ScopeAdminWriteAccounts Scope = ScopeAdminWrite + ":" + scopeAccounts + ScopeAdminReadReports Scope = ScopeAdminRead + ":" + scopeReports + ScopeAdminWriteReports Scope = ScopeAdminWrite + ":" + scopeReports + ScopeAdminReadDomainAllows Scope = ScopeAdminRead + ":" + scopeDomainAllows + ScopeAdminWriteDomainAllows Scope = ScopeAdminWrite + ":" + scopeDomainAllows + ScopeAdminReadDomainBlocks Scope = ScopeAdminRead + ":" + scopeDomainBlocks + ScopeAdminWriteDomainBlocks Scope = ScopeAdminWrite + ":" + scopeDomainBlocks +) + +// Permits returns true if the +// scope permits the wanted scope. +func (has Scope) Permits(wanted Scope) bool { + if has == wanted { + // Exact match. 
+ return true
+ }
+
+ // Check if we have a parent scope of what's wanted,
+ // eg., we have scope "admin", we want "admin:read".
+ return strings.HasPrefix(string(wanted), string(has))
+}
diff --git a/internal/api/util/scopes_test.go b/internal/api/util/scopes_test.go
new file mode 100644
index 000000000..bd533585b
--- /dev/null
+++ b/internal/api/util/scopes_test.go
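Review bot: The fallback in `Permits` at the end of the hunk is a bare prefix test, so an empty `has` scope permits every wanted scope (`strings.HasPrefix(x, "")` is always true) and a scope such as `read` would also permit any future scope that merely starts with `read`. Both callers in this commit build `has` with `strings.Split(scope, " ")`, so an empty or double-spaced token scope string yields exactly that empty element and would pass every scope check. Reject the empty case and require the `:` boundary: add `if has == "" { return false }` before the exact-match check, and replace the last line with `return strings.HasPrefix(string(wanted), string(has)+":")`. Every granular constant above is built with `":"`, so the existing tests keep passing.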
@@ -0,0 +1,101 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see .
+
+package util_test
+
+import (
+ "testing"
+
+ "github.com/superseriousbusiness/gotosocial/internal/api/util"
+)
+
+func TestScopes(t *testing.T) {
+ for _, test := range []struct {
+ HasScope util.Scope
+ WantsScope util.Scope
+ Expect bool
+ }{
+ {
+ HasScope: util.ScopeRead,
+ WantsScope: util.ScopeRead,
+ Expect: true,
+ },
+ {
+ HasScope: util.ScopeRead,
+ WantsScope: util.ScopeWrite,
+ Expect: false,
+ },
+ {
+ HasScope: util.ScopeWrite,
+ WantsScope: util.ScopeWrite,
+ Expect: true,
+ },
+ {
+ HasScope: util.ScopeWrite,
+ WantsScope: util.ScopeRead,
+ Expect: false,
+ },
+ {
+ HasScope: util.ScopePush,
+ WantsScope: util.ScopePush,
+ Expect: true,
+ },
+ {
+ HasScope: util.ScopeAdmin,
+ WantsScope: util.ScopeAdmin,
+ Expect: true,
+ },
+ {
+ HasScope: util.ScopeProfile,
+ WantsScope: util.ScopeProfile,
+ Expect: true,
+ },
+ {
+ HasScope: util.ScopeReadAccounts,
+ WantsScope: util.ScopeWriteAccounts,
+ Expect: false,
+ },
+ {
+ HasScope: util.ScopeWriteAccounts,
+ WantsScope: util.ScopeWriteAccounts,
+ Expect: true,
+ },
+ {
+ HasScope: util.ScopeWrite,
+ WantsScope: util.ScopeWriteAccounts,
+ Expect: true,
+ },
+ {
+ HasScope: util.ScopeRead,
+ WantsScope: util.ScopeWriteAccounts,
+ Expect: false,
+ },
+ {
+ HasScope: util.ScopeWriteAccounts,
+ WantsScope: util.ScopeWrite,
+ Expect: false,
+ },
+ } {
+ res := test.HasScope.Permits(test.WantsScope)
+ if res != test.Expect {
+ t.Errorf(
+ "did not get expected result %v for input: has %s, wants %s",
+ test.Expect, test.HasScope, test.WantsScope,
+ )
+ }
+ }
+}
diff --git a/internal/oauth/tokenstore_test.go b/internal/oauth/tokenstore_test.go
deleted file mode 100644
index 2b76024f7..000000000
--- a/internal/oauth/tokenstore_test.go
+++ /dev/null
@@ -1,20 +0,0 @@
-// GoToSocial
-// Copyright (C) GoToSocial Authors admin@gotosocial.org
-// SPDX-License-Identifier: AGPL-3.0-or-later
-//
-// This program is free software: you can redistribute it and/or modify
-// it under the terms of the GNU Affero General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-// GNU Affero General Public License for more details.
-//
-// You should have received a copy of the GNU Affero General Public License
-// along with this program. If not, see .
-
-package oauth_test
-
-// TODO: write tests
diff --git a/internal/oauth/util.go b/internal/oauth/util.go
deleted file mode 100644
index e7b2d1292..000000000
--- a/internal/oauth/util.go
+++ /dev/null
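Review bot: The `TestScopes` table exercises exact matches and one parent-to-child case, but nothing that pins the boundary behaviour of `Permits`, which is what the prefix fallback makes security-relevant. Add a case for an empty held scope, `{HasScope: util.Scope(""), WantsScope: util.ScopeAdmin, Expect: false}`, and one for a two-level parent, `{HasScope: util.ScopeAdminRead, WantsScope: util.ScopeAdminReadAccounts, Expect: true}`; with `Permits` as written in this commit the first of these fails, because an empty string is a prefix of everything, which is the point of adding it. A case such as `{HasScope: util.ScopeRead, WantsScope: util.Scope("readonly"), Expect: false}` would likewise document that a parent scope only extends across a `:` separator.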
@@ -1,107 +0,0 @@ -// GoToSocial -// Copyright (C) GoToSocial Authors admin@gotosocial.org -// SPDX-License-Identifier: AGPL-3.0-or-later -// -// This program is free software: you can redistribute it and/or modify -// it under the terms of the GNU Affero General Public License as published by -// the Free Software Foundation, either version 3 of the License, or -// (at your option) any later version. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU Affero General Public License for more details. -// -// You should have received a copy of the GNU Affero General Public License -// along with this program. If not, see . - -package oauth - -import ( - "github.com/gin-gonic/gin" - "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" - "github.com/superseriousbusiness/oauth2/v4" - "github.com/superseriousbusiness/oauth2/v4/errors" -) - -// Auth wraps an authorized token, application, user, and account. -// It is used in the functions GetAuthed and MustAuth. -// Because the user might *not* be authed, any of the fields in this struct -// might be nil, so make sure to check that when you're using this struct anywhere. -type Auth struct { - Token oauth2.TokenInfo - Application *gtsmodel.Application - User *gtsmodel.User - Account *gtsmodel.Account -} - -// Authed is a convenience function for returning an Authed struct from a gin context. -// In essence, it tries to extract a token, application, user, and account from the context, -// and then sets them on a struct for convenience. -// -// If any are not present in the context, they will be set to nil on the returned Authed struct. -// -// If *ALL* are not present, then nil and an error will be returned. -// -// If something goes wrong during parsing, then nil and an error will be returned (consider this not authed). 
-// Authed is like GetAuthed, but will fail if one of the requirements is not met. -func Authed(c *gin.Context, requireToken bool, requireApp bool, requireUser bool, requireAccount bool) (*Auth, error) { - ctx := c.Copy() - a := &Auth{} - var i interface{} - var ok bool - - i, ok = ctx.Get(SessionAuthorizedToken) - if ok { - parsed, ok := i.(oauth2.TokenInfo) - if !ok { - return nil, errors.New("could not parse token from session context") - } - a.Token = parsed - } - - i, ok = ctx.Get(SessionAuthorizedApplication) - if ok { - parsed, ok := i.(*gtsmodel.Application) - if !ok { - return nil, errors.New("could not parse application from session context") - } - a.Application = parsed - } - - i, ok = ctx.Get(SessionAuthorizedUser) - if ok { - parsed, ok := i.(*gtsmodel.User) - if !ok { - return nil, errors.New("could not parse user from session context") - } - a.User = parsed - } - - i, ok = ctx.Get(SessionAuthorizedAccount) - if ok { - parsed, ok := i.(*gtsmodel.Account) - if !ok { - return nil, errors.New("could not parse account from session context") - } - a.Account = parsed - } - - if requireToken && a.Token == nil { - return nil, errors.New("token not supplied") - } - - if requireApp && a.Application == nil { - return nil, errors.New("application not supplied") - } - - if requireUser && a.User == nil { - return nil, errors.New("user not supplied or not authorized") - } - - if requireAccount && a.Account == nil { - return nil, errors.New("account not supplied or not authorized") - } - - return a, nil -} diff --git a/internal/processing/account/move.go b/internal/processing/account/move.go index 44f8da268..1c5209e70 100644 --- a/internal/processing/account/move.go +++ b/internal/processing/account/move.go 
@@ -27,6 +27,7 @@ import ( "github.com/superseriousbusiness/gotosocial/internal/ap" apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" + apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/db" "github.com/superseriousbusiness/gotosocial/internal/federation/dereferencing" "github.com/superseriousbusiness/gotosocial/internal/gtscontext" @@ -34,14 +35,13 @@ import ( "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" "github.com/superseriousbusiness/gotosocial/internal/id" "github.com/superseriousbusiness/gotosocial/internal/messages" - "github.com/superseriousbusiness/gotosocial/internal/oauth" "github.com/superseriousbusiness/gotosocial/internal/uris" "golang.org/x/crypto/bcrypt" ) func (p *Processor) MoveSelf( ctx context.Context, - authed *oauth.Auth, + authed *apiutil.Auth, form *apimodel.AccountMoveRequest, ) gtserror.WithCode { // Ensure valid MovedToURI. diff --git a/internal/processing/account/move_test.go b/internal/processing/account/move_test.go index 9d06829ca..76cbe1512 100644 --- a/internal/processing/account/move_test.go +++ b/internal/processing/account/move_test.go @@ -24,6 +24,7 @@ import ( "github.com/stretchr/testify/suite" apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" + apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" "github.com/superseriousbusiness/gotosocial/internal/oauth" ) @@ -56,7 +57,7 @@ func (suite *MoveTestSuite) TestMoveAccountOK() { // Trigger move from zork to admin. if err := suite.accountProcessor.MoveSelf( ctx, - &oauth.Auth{ + &apiutil.Auth{ Token: oauth.DBTokenToToken(suite.testTokens["local_account_1"]), Application: suite.testApplications["local_account_1"], User: suite.testUsers["local_account_1"], 
@@ -120,7 +121,7 @@ func (suite *MoveTestSuite) TestMoveAccountNotAliased() { // not aliased back to zork. err := suite.accountProcessor.MoveSelf( ctx, - &oauth.Auth{ + &apiutil.Auth{ Token: oauth.DBTokenToToken(suite.testTokens["local_account_1"]), Application: suite.testApplications["local_account_1"], User: suite.testUsers["local_account_1"], @@ -150,7 +151,7 @@ func (suite *MoveTestSuite) TestMoveAccountBadPassword() { // not aliased back to zork. err := suite.accountProcessor.MoveSelf( ctx, - &oauth.Auth{ + &apiutil.Auth{ Token: oauth.DBTokenToToken(suite.testTokens["local_account_1"]), Application: suite.testApplications["local_account_1"], User: suite.testUsers["local_account_1"], diff --git a/internal/processing/app.go b/internal/processing/app.go index d492b3bc4..2a43c5212 100644 --- a/internal/processing/app.go +++ b/internal/processing/app.go @@ -22,13 +22,13 @@ import ( "github.com/google/uuid" apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" + apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" "github.com/superseriousbusiness/gotosocial/internal/id" - "github.com/superseriousbusiness/gotosocial/internal/oauth" ) -func (p *Processor) AppCreate(ctx context.Context, authed *oauth.Auth, form *apimodel.ApplicationCreateRequest) (*apimodel.Application, gtserror.WithCode) { +func (p *Processor) AppCreate(ctx context.Context, authed *apiutil.Auth, form *apimodel.ApplicationCreateRequest) (*apimodel.Application, gtserror.WithCode) { // set default 'read' for scopes if it's not set var scopes string if form.Scopes == "" { diff --git a/internal/processing/processor_test.go b/internal/processing/processor_test.go index 84ab9ef48..9cf6cbd60 100644 --- a/internal/processing/processor_test.go +++ b/internal/processing/processor_test.go 
@@ -22,6 +22,7 @@ import ( "github.com/stretchr/testify/suite" "github.com/superseriousbusiness/gotosocial/internal/admin" + apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/cleaner" "github.com/superseriousbusiness/gotosocial/internal/db" "github.com/superseriousbusiness/gotosocial/internal/email" @@ -66,7 +67,7 @@ type ProcessingStandardTestSuite struct { testStatuses map[string]*gtsmodel.Status testTags map[string]*gtsmodel.Tag testMentions map[string]*gtsmodel.Mention - testAutheds map[string]*oauth.Auth + testAutheds map[string]*apiutil.Auth testBlocks map[string]*gtsmodel.Block testActivities map[string]testrig.ActivityWithSignature testLists map[string]*gtsmodel.List @@ -85,7 +86,7 @@ func (suite *ProcessingStandardTestSuite) SetupSuite() { suite.testStatuses = testrig.NewTestStatuses() suite.testTags = testrig.NewTestTags() suite.testMentions = testrig.NewTestMentions() - suite.testAutheds = map[string]*oauth.Auth{ + suite.testAutheds = map[string]*apiutil.Auth{ "local_account_1": { Application: suite.testApplications["local_account_1"], User: suite.testUsers["local_account_1"], diff --git a/internal/processing/stream/authorize.go b/internal/processing/stream/authorize.go index 0baea29f1..cedd21e0b 100644 --- a/internal/processing/stream/authorize.go +++ b/internal/processing/stream/authorize.go @@ -19,8 +19,12 @@ package stream import ( "context" + "errors" "fmt" + "slices" + "strings" + apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/db" "github.com/superseriousbusiness/gotosocial/internal/gtserror" "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" 
@@ -58,5 +62,22 @@ func (p *Processor) Authorize(ctx context.Context, accessToken string) (*gtsmode return nil, gtserror.NewErrorInternalError(err) } + // Ensure read scope. + // + // TODO: make this more granular + // depending on stream type. + hasScopes := strings.Split(ti.GetScope(), " ") + scopeOK := slices.ContainsFunc( + hasScopes, + func(hasScope string) bool { + return apiutil.Scope(hasScope).Permits(apiutil.ScopeRead) + }, + ) + + if !scopeOK { + const errText = "token has insufficient scope permission" + return nil, gtserror.NewErrorForbidden(errors.New(errText), errText) + } + return acct, nil } diff --git a/internal/processing/timeline/faved.go b/internal/processing/timeline/faved.go index bb7f03fff..6e915f4ef 100644 --- a/internal/processing/timeline/faved.go +++ b/internal/processing/timeline/faved.go @@ -23,15 +23,15 @@ import ( "fmt" apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" + apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/db" statusfilter "github.com/superseriousbusiness/gotosocial/internal/filter/status" "github.com/superseriousbusiness/gotosocial/internal/gtserror" "github.com/superseriousbusiness/gotosocial/internal/log" - "github.com/superseriousbusiness/gotosocial/internal/oauth" "github.com/superseriousbusiness/gotosocial/internal/util" ) -func (p *Processor) FavedTimelineGet(ctx context.Context, authed *oauth.Auth, maxID string, minID string, limit int) (*apimodel.PageableResponse, gtserror.WithCode) { +func (p *Processor) FavedTimelineGet(ctx context.Context, authed *apiutil.Auth, maxID string, minID string, limit int) (*apimodel.PageableResponse, gtserror.WithCode) { statuses, nextMaxID, prevMinID, err := p.state.DB.GetFavedTimeline(ctx, authed.Account.ID, maxID, minID, limit) if err != nil && !errors.Is(err, db.ErrNoEntries) { err = fmt.Errorf("FavedTimelineGet: db error getting statuses: %w", err) 
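Review bot: `hasScopes := strings.Split(ti.GetScope(), " ")` in the new block keeps empty elements, so a token whose scope string is empty, or contains a double or trailing space, contributes a `""` entry that `apiutil.Scope("").Permits(...)` then matches by prefix; `strings.Fields(ti.GetScope())` drops those entries and is the safer split here. This loop is also a copy of the matcher in `TokenAuth`, so a shared helper on `apiutil` (say `ScopesPermit(scopes string, wanted ...Scope) bool`) would keep the two checks from drifting. The body of `Authorize` begins outside the hunk.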
diff --git a/internal/processing/timeline/home.go b/internal/processing/timeline/home.go index 215000933..38cf38405 100644 --- a/internal/processing/timeline/home.go +++ b/internal/processing/timeline/home.go @@ -22,6 +22,7 @@ import ( "errors" apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" + apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/db" statusfilter "github.com/superseriousbusiness/gotosocial/internal/filter/status" "github.com/superseriousbusiness/gotosocial/internal/filter/usermute" @@ -29,7 +30,6 @@ import ( "github.com/superseriousbusiness/gotosocial/internal/gtscontext" "github.com/superseriousbusiness/gotosocial/internal/gtserror" "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" - "github.com/superseriousbusiness/gotosocial/internal/oauth" "github.com/superseriousbusiness/gotosocial/internal/state" "github.com/superseriousbusiness/gotosocial/internal/timeline" "github.com/superseriousbusiness/gotosocial/internal/typeutils" @@ -118,7 +118,7 @@ func HomeTimelineStatusPrepare(state *state.State, converter *typeutils.Converte } } -func (p *Processor) HomeTimelineGet(ctx context.Context, authed *oauth.Auth, maxID string, sinceID string, minID string, limit int, local bool) (*apimodel.PageableResponse, gtserror.WithCode) { +func (p *Processor) HomeTimelineGet(ctx context.Context, authed *apiutil.Auth, maxID string, sinceID string, minID string, limit int, local bool) (*apimodel.PageableResponse, gtserror.WithCode) { statuses, err := p.state.Timelines.Home.GetTimeline(ctx, authed.Account.ID, maxID, sinceID, minID, limit, local) if err != nil && !errors.Is(err, db.ErrNoEntries) { err = gtserror.Newf("error getting statuses: %w", err) diff --git a/internal/processing/timeline/home_test.go b/internal/processing/timeline/home_test.go index c73c209a3..ea56418f6 100644 --- a/internal/processing/timeline/home_test.go 
+++ b/internal/processing/timeline/home_test.go @@ -23,10 +23,10 @@ import ( "github.com/stretchr/testify/suite" apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" + apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/filter/visibility" "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" "github.com/superseriousbusiness/gotosocial/internal/id" - "github.com/superseriousbusiness/gotosocial/internal/oauth" tlprocessor "github.com/superseriousbusiness/gotosocial/internal/processing/timeline" "github.com/superseriousbusiness/gotosocial/internal/timeline" "github.com/superseriousbusiness/gotosocial/internal/typeutils" @@ -64,7 +64,7 @@ func (suite *HomeTestSuite) TestHomeTimelineGetHideFiltered() { var ( ctx = context.Background() requester = suite.testAccounts["local_account_1"] - authed = &oauth.Auth{Account: requester} + authed = &apiutil.Auth{Account: requester} maxID = "" sinceID = "" minID = "01F8MHAAY43M6RJ473VQFCVH36" // 1 before filteredStatus diff --git a/internal/processing/timeline/list.go b/internal/processing/timeline/list.go index a7f5e9d71..147f87ab4 100644 --- a/internal/processing/timeline/list.go +++ b/internal/processing/timeline/list.go @@ -22,6 +22,7 @@ import ( "errors" apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" + apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/db" statusfilter "github.com/superseriousbusiness/gotosocial/internal/filter/status" "github.com/superseriousbusiness/gotosocial/internal/filter/usermute" 
@@ -29,7 +30,6 @@ import ( "github.com/superseriousbusiness/gotosocial/internal/gtscontext" "github.com/superseriousbusiness/gotosocial/internal/gtserror" "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" - "github.com/superseriousbusiness/gotosocial/internal/oauth" "github.com/superseriousbusiness/gotosocial/internal/state" "github.com/superseriousbusiness/gotosocial/internal/timeline" "github.com/superseriousbusiness/gotosocial/internal/typeutils" @@ -130,7 +130,7 @@ func ListTimelineStatusPrepare(state *state.State, converter *typeutils.Converte } } -func (p *Processor) ListTimelineGet(ctx context.Context, authed *oauth.Auth, listID string, maxID string, sinceID string, minID string, limit int) (*apimodel.PageableResponse, gtserror.WithCode) { +func (p *Processor) ListTimelineGet(ctx context.Context, authed *apiutil.Auth, listID string, maxID string, sinceID string, minID string, limit int) (*apimodel.PageableResponse, gtserror.WithCode) { // Ensure list exists + is owned by this account. list, err := p.state.DB.GetListByID(ctx, listID) if err != nil { diff --git a/internal/processing/timeline/notification.go b/internal/processing/timeline/notification.go index 09636e7eb..04a898198 100644 --- a/internal/processing/timeline/notification.go +++ b/internal/processing/timeline/notification.go @@ -24,6 +24,7 @@ import ( "net/url" apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" + apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/db" "github.com/superseriousbusiness/gotosocial/internal/filter/status" "github.com/superseriousbusiness/gotosocial/internal/filter/usermute" 
@@ -31,14 +32,13 @@ import ( "github.com/superseriousbusiness/gotosocial/internal/gtserror" "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" "github.com/superseriousbusiness/gotosocial/internal/log" - "github.com/superseriousbusiness/gotosocial/internal/oauth" "github.com/superseriousbusiness/gotosocial/internal/paging" "github.com/superseriousbusiness/gotosocial/internal/util" ) func (p *Processor) NotificationsGet( ctx context.Context, - authed *oauth.Auth, + authed *apiutil.Auth, page *paging.Page, types []gtsmodel.NotificationType, excludeTypes []gtsmodel.NotificationType, @@ -164,7 +164,7 @@ func (p *Processor) NotificationGet(ctx context.Context, account *gtsmodel.Accou return apiNotif, nil } -func (p *Processor) NotificationsClear(ctx context.Context, authed *oauth.Auth) gtserror.WithCode { +func (p *Processor) NotificationsClear(ctx context.Context, authed *apiutil.Auth) gtserror.WithCode { // Delete all notifications of all types that target the authorized account. if err := p.state.DB.DeleteNotifications(ctx, nil, authed.Account.ID, ""); err != nil && !errors.Is(err, db.ErrNoEntries) { return gtserror.NewErrorInternalError(err) diff --git a/internal/processing/workers/workers_test.go b/internal/processing/workers/workers_test.go index ffd40d8fb..b7ec54c1e 100644 --- a/internal/processing/workers/workers_test.go +++ b/internal/processing/workers/workers_test.go @@ -21,8 +21,8 @@ import ( "context" "github.com/stretchr/testify/suite" + apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" - "github.com/superseriousbusiness/gotosocial/internal/oauth" "github.com/superseriousbusiness/gotosocial/internal/processing" "github.com/superseriousbusiness/gotosocial/internal/stream" "github.com/superseriousbusiness/gotosocial/testrig" 
@@ -48,7 +48,7 @@ type WorkersTestSuite struct { testStatuses map[string]*gtsmodel.Status testTags map[string]*gtsmodel.Tag testMentions map[string]*gtsmodel.Mention - testAutheds map[string]*oauth.Auth + testAutheds map[string]*apiutil.Auth testBlocks map[string]*gtsmodel.Block testActivities map[string]testrig.ActivityWithSignature testLists map[string]*gtsmodel.List @@ -66,7 +66,7 @@ func (suite *WorkersTestSuite) SetupSuite() { suite.testStatuses = testrig.NewTestStatuses() suite.testTags = testrig.NewTestTags() suite.testMentions = testrig.NewTestMentions() - suite.testAutheds = map[string]*oauth.Auth{ + suite.testAutheds = map[string]*apiutil.Auth{ "local_account_1": { Application: suite.testApplications["local_account_1"], User: suite.testUsers["local_account_1"], diff --git a/testrig/testmodels.go b/testrig/testmodels.go index 806e64891..15b28b8c9 100644 --- a/testrig/testmodels.go +++ b/testrig/testmodels.go @@ -51,11 +51,21 @@ func NewTestTokens() map[string]*gtsmodel.Token { ClientID: "01F8MGV8AC3NGSJW0FE8W1BV70", UserID: "01F8MGVGPHQ2D3P3X0454H54Z5", RedirectURI: "http://localhost:8080", - Scope: "read write follow push", + Scope: "read write push", Access: "NZAZOTC0OWITMDU0NC0ZODG4LWE4NJITMWUXM2M4MTRHZDEX", AccessCreateAt: TimeMustParse("2022-06-10T15:22:08Z"), AccessExpiresAt: TimeMustParse("2050-01-01T15:22:08Z"), }, + "local_account_1_push_only": { + ID: "01JN0X2D9GJTZQ5KYPYFWN16QW", + ClientID: "01F8MGV8AC3NGSJW0FE8W1BV70", + UserID: "01F8MGVGPHQ2D3P3X0454H54Z5", + RedirectURI: "http://localhost:8080", + Scope: "push", + Access: "01JN0X49RYKMP6G9X0HJAP317101JN0X49RYKMP6G9X0HJAP", + AccessCreateAt: TimeMustParse("2022-06-10T15:22:08Z"), + AccessExpiresAt: TimeMustParse("2050-01-01T15:22:08Z"), + }, "local_account_1_client_application_token": { ID: "01P9SVWS9J3SPHZQ3KCMBEN70N", ClientID: "01F8MGV8AC3NGSJW0FE8W1BV70", 
@@ -78,7 +88,7 @@ func NewTestTokens() map[string]*gtsmodel.Token { ClientID: "01F8MGW47HN8ZXNHNZ7E47CDMQ", UserID: "01F8MH1VYJAE00TVVGMM5JNJ8X", RedirectURI: "http://localhost:8080", - Scope: "read write follow push", + Scope: "read write push", Access: "PIPINALKNNNFNF98717NAMNAMNFKIJKJ881818KJKJAKJJJA", AccessCreateAt: TimeMustParse("2022-06-10T15:22:08Z"), AccessExpiresAt: TimeMustParse("2050-01-01T15:22:08Z"), @@ -88,7 +98,7 @@ func NewTestTokens() map[string]*gtsmodel.Token { ClientID: "01F8MGWSJCND9BWBD4WGJXBM93", UserID: "01F8MGWYWKVKS3VS8DV1AMYPGE", RedirectURI: "http://localhost:8080", - Scope: "read write follow push admin", + Scope: "read write push admin", Access: "AININALKNENFNF98717NAMG4LWE4NJITMWUXM2M4MTRHZDEX", AccessCreateAt: TimeMustParse("2022-06-10T15:22:08Z"), AccessExpiresAt: TimeMustParse("2050-01-01T15:22:08Z"), diff --git a/web/source/settings/components/authorization/index.tsx b/web/source/settings/components/authorization/index.tsx index e8f4d6673..7c6373399 100644 --- a/web/source/settings/components/authorization/index.tsx +++ b/web/source/settings/components/authorization/index.tsx @@ -58,13 +58,9 @@ export function Authorization({ App }) { ); } else if (error !== undefined) { - if ("status" in error && error.status === 401) { - // 401 unauthorized was received. - // That means the token or app we - // were using is no longer valid, - // so just log the user out. - logoutQuery(NoArg); - } + // Something went wrong, + // log the user out. + logoutQuery(NoArg); content = (
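Review bot: The replacement branch in `Authorization` now calls `logoutQuery(NoArg)` for every error, where the removed code only did so on a 401; a transient network failure or a 5xx while the settings panel loads will therefore discard the user's session rather than just show the error. The commit message describes the intent as logging out on an OAuth error, which after this change also includes the 403 that `TokenAuth` returns for insufficient scope, so narrow the condition to the auth statuses instead of dropping it: `if ("status" in error && (error.status === 401 || error.status === 403)) {` around the `logoutQuery(NoArg);` call, keeping the error content rendering below for every other failure. The surrounding component continues outside the hunk.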
diff --git a/web/source/settings/components/authorization/login.tsx b/web/source/settings/components/authorization/login.tsx index 870e9c343..28ed7953c 100644 --- a/web/source/settings/components/authorization/login.tsx +++ b/web/source/settings/components/authorization/login.tsx @@ -31,7 +31,7 @@ export default function Login({ }) { instance: useTextInput("instance", { defaultValue: window.location.origin }), - scopes: useValue("scopes", "user admin"), + scopes: useValue("scopes", "read write admin"), }; const [formSubmit, result] = useFormSubmit(form, useAuthorizeFlowMutation(), {