From 21d9edac54c8227563caeff66d29f7821149b9ce Mon Sep 17 00:00:00 2001 
From: tobi Date: Tue, 25 Feb 2025 14:21:44 +0100 Subject: [PATCH] enforce scopes --- internal/api/client/accounts/accountalias.go | 9 +- internal/api/client/accounts/accountcreate.go | 9 +- internal/api/client/accounts/accountdelete.go | 11 +- internal/api/client/accounts/accountget.go | 9 +- internal/api/client/accounts/accountmove.go | 9 +- internal/api/client/accounts/accountupdate.go | 9 +- internal/api/client/accounts/accountverify.go | 10 +- internal/api/client/accounts/block.go | 9 +- internal/api/client/accounts/featuredtags.go | 9 +- internal/api/client/accounts/follow.go | 9 +- internal/api/client/accounts/followers.go | 9 +- internal/api/client/accounts/following.go | 9 +- internal/api/client/accounts/lists.go | 9 +- internal/api/client/accounts/lookup.go | 9 +- internal/api/client/accounts/mute.go | 9 +- internal/api/client/accounts/note.go | 9 +- internal/api/client/accounts/profile.go | 9 +- internal/api/client/accounts/relationships.go | 11 +- internal/api/client/accounts/search.go | 9 +- internal/api/client/accounts/statuses.go | 11 +- internal/api/client/accounts/themesget.go | 9 +- internal/api/client/accounts/unblock.go | 6 +- internal/api/client/accounts/unfollow.go | 9 +- internal/api/client/accounts/unmute.go | 9 +- internal/api/client/admin/accountaction.go | 11 +- internal/api/client/admin/accountapprove.go | 11 +- internal/api/client/admin/accountget.go | 11 +- internal/api/client/admin/accountreject.go | 11 +- internal/api/client/admin/accountsgetv1.go | 11 +- internal/api/client/admin/accountsgetv2.go | 11 +- internal/api/client/admin/debug_off.go | 4 +- internal/api/client/admin/debug_on.go | 18 ++- .../api/client/admin/domainallowcreate.go | 2 +- .../api/client/admin/domainallowdelete.go | 2 +- internal/api/client/admin/domainallowget.go | 2 +- internal/api/client/admin/domainallowsget.go | 2 +- .../api/client/admin/domainblockcreate.go | 2 +- .../api/client/admin/domainblockdelete.go | 2 +- internal/api/client/admin/domainblockget.go | 
2 +- internal/api/client/admin/domainblocksget.go | 2 +- internal/api/client/admin/domainkeysexpire.go | 11 +- internal/api/client/admin/domainpermission.go | 69 +++++++++-- .../admin/domainpermissiondraftaccept.go | 8 +- .../admin/domainpermissiondraftcreate.go | 11 +- .../client/admin/domainpermissiondraftget.go | 11 +- .../admin/domainpermissiondraftremove.go | 11 +- .../client/admin/domainpermissiondraftsget.go | 11 +- .../admin/domainpermissionexcludecreate.go | 11 +- .../admin/domainpermissionexcludeget.go | 11 +- .../admin/domainpermissionexcluderemove.go | 11 +- .../admin/domainpermissionexcludesget.go | 11 +- .../domainpermissionsubscriptioncreate.go | 11 +- .../admin/domainpermissionsubscriptionget.go | 11 +- .../domainpermissionsubscriptionremove.go | 11 +- .../admin/domainpermissionsubscriptionsget.go | 11 +- ...domainpermissionsubscriptionspreviewget.go | 11 +- .../admin/domainpermissionsubscriptiontest.go | 11 +- .../domainpermissionsubscriptionupdate.go | 11 +- internal/api/client/admin/emailtest.go | 13 ++- .../api/client/admin/emojicategoriesget.go | 13 ++- internal/api/client/admin/emojicreate.go | 11 +- internal/api/client/admin/emojidelete.go | 11 +- internal/api/client/admin/emojiget.go | 13 ++- internal/api/client/admin/emojisget.go | 13 ++- internal/api/client/admin/emojiupdate.go | 11 +- internal/api/client/admin/headerfilter.go | 32 ++++-- .../api/client/admin/headerfilter_create.go | 4 +- .../api/client/admin/headerfilter_delete.go | 4 +- internal/api/client/admin/headerfilter_get.go | 4 +- internal/api/client/admin/mediacleanup.go | 11 +- internal/api/client/admin/mediarefetch.go | 11 +- internal/api/client/admin/reportget.go | 11 +- internal/api/client/admin/reportresolve.go | 11 +- internal/api/client/admin/reportsget.go | 11 +- internal/api/client/admin/rulecreate.go | 11 +- internal/api/client/admin/ruledelete.go | 11 +- internal/api/client/admin/ruleget.go | 11 +- internal/api/client/admin/rulesget.go | 11 +- 
internal/api/client/admin/ruleupdate.go | 11 +- .../client/announcements/announcementsget.go | 11 +- internal/api/client/apps/appcreate.go | 8 +- internal/api/client/blocks/blocksget.go | 9 +- internal/api/client/bookmarks/bookmarksget.go | 9 +- .../conversations/conversationdelete.go | 9 +- .../client/conversations/conversationread.go | 9 +- .../client/conversations/conversationsget.go | 9 +- .../client/customemojis/customemojisget.go | 10 +- internal/api/client/exports/blocks.go | 9 +- internal/api/client/exports/followers.go | 11 +- internal/api/client/exports/following.go | 9 +- internal/api/client/exports/lists.go | 9 +- internal/api/client/exports/mutes.go | 9 +- internal/api/client/exports/stats.go | 11 +- .../api/client/favourites/favouritesget.go | 9 +- internal/api/client/featuredtags/get.go | 9 +- .../api/client/filters/v1/filterdelete.go | 9 +- internal/api/client/filters/v1/filterget.go | 9 +- internal/api/client/filters/v1/filterpost.go | 9 +- internal/api/client/filters/v1/filterput.go | 9 +- internal/api/client/filters/v1/filtersget.go | 9 +- .../api/client/filters/v2/filterdelete.go | 9 +- internal/api/client/filters/v2/filterget.go | 9 +- .../client/filters/v2/filterkeyworddelete.go | 9 +- .../api/client/filters/v2/filterkeywordget.go | 9 +- .../client/filters/v2/filterkeywordpost.go | 9 +- .../api/client/filters/v2/filterkeywordput.go | 9 +- .../client/filters/v2/filterkeywordsget.go | 9 +- internal/api/client/filters/v2/filterpost.go | 9 +- internal/api/client/filters/v2/filterput.go | 9 +- internal/api/client/filters/v2/filtersget.go | 9 +- .../client/filters/v2/filterstatusdelete.go | 9 +- .../client/filters/v2/filterstatusesget.go | 9 +- .../api/client/filters/v2/filterstatusget.go | 9 +- .../api/client/filters/v2/filterstatuspost.go | 9 +- internal/api/client/followedtags/get.go | 9 +- .../api/client/followrequests/authorize.go | 9 +- internal/api/client/followrequests/get.go | 9 +- internal/api/client/followrequests/reject.go | 9 +- 
internal/api/client/import/import.go | 13 ++- internal/api/client/instance/instancepatch.go | 11 +- .../api/client/instance/instancepeersget.go | 11 +- .../client/interactionpolicies/getdefaults.go | 9 +- .../interactionpolicies/updatedefaults.go | 9 +- .../client/interactionrequests/authorize.go | 8 +- .../api/client/interactionrequests/get.go | 9 +- .../api/client/interactionrequests/getpage.go | 9 +- .../api/client/interactionrequests/reject.go | 8 +- internal/api/client/lists/listaccounts.go | 9 +- internal/api/client/lists/listaccountsadd.go | 9 +- .../api/client/lists/listaccountsremove.go | 11 +- internal/api/client/lists/listcreate.go | 9 +- internal/api/client/lists/listdelete.go | 9 +- internal/api/client/lists/listget.go | 9 +- internal/api/client/lists/listsget.go | 9 +- internal/api/client/lists/listupdate.go | 11 +- internal/api/client/markers/markersget.go | 9 +- internal/api/client/markers/markerspost.go | 9 +- internal/api/client/media/mediacreate.go | 9 +- internal/api/client/media/mediaget.go | 11 +- internal/api/client/media/mediaupdate.go | 9 +- internal/api/client/mutes/mutesget.go | 9 +- .../client/notifications/notificationget.go | 9 +- .../notifications/notificationsclear.go | 13 ++- .../client/notifications/notificationsget.go | 9 +- internal/api/client/polls/polls_get.go | 8 +- internal/api/client/polls/polls_vote.go | 8 +- .../api/client/preferences/preferencesget.go | 9 +- .../api/client/push/pushsubscriptiondelete.go | 10 +- .../api/client/push/pushsubscriptionget.go | 10 +- .../api/client/push/pushsubscriptionpost.go | 9 +- .../api/client/push/pushsubscriptionput.go | 9 +- internal/api/client/reports/reportcreate.go | 15 ++- internal/api/client/reports/reportget.go | 11 +- internal/api/client/reports/reportsget.go | 11 +- internal/api/client/search/searchget.go | 9 +- .../api/client/statuses/statusbookmark.go | 11 +- internal/api/client/statuses/statusboost.go | 9 +- .../api/client/statuses/statusboostedby.go | 9 +- 
internal/api/client/statuses/statuscontext.go | 9 +- internal/api/client/statuses/statuscreate.go | 9 +- internal/api/client/statuses/statusdelete.go | 9 +- internal/api/client/statuses/statusedit.go | 9 +- internal/api/client/statuses/statusfave.go | 9 +- internal/api/client/statuses/statusfavedby.go | 9 +- internal/api/client/statuses/statusget.go | 9 +- internal/api/client/statuses/statushistory.go | 9 +- internal/api/client/statuses/statusmute.go | 9 +- internal/api/client/statuses/statuspin.go | 9 +- internal/api/client/statuses/statussource.go | 9 +- .../api/client/statuses/statusunbookmark.go | 11 +- internal/api/client/statuses/statusunboost.go | 9 +- internal/api/client/statuses/statusunfave.go | 11 +- internal/api/client/statuses/statusunmute.go | 9 +- internal/api/client/statuses/statusunpin.go | 9 +- internal/api/client/streaming/stream.go | 5 +- internal/api/client/tags/follow.go | 10 +- internal/api/client/tags/get.go | 12 +- internal/api/client/tags/unfollow.go | 10 +- internal/api/client/timelines/home.go | 9 +- internal/api/client/timelines/list.go | 9 +- internal/api/client/timelines/public.go | 20 ++-- internal/api/client/timelines/tag.go | 9 +- internal/api/client/user/emailchange.go | 11 +- internal/api/client/user/passwordchange.go | 11 +- internal/api/client/user/userget.go | 11 +- internal/api/fileserver/servefile.go | 6 +- internal/api/util/{authtoken.go => auth.go} | 63 ++++++++--- internal/api/util/scopes.go | 107 ++++++++++++++++++ internal/api/util/scopes_test.go | 96 ++++++++++++++++ internal/processing/stream/authorize.go | 21 ++++ .../components/authorization/login.tsx | 2 +- 191 files changed, 1473 insertions(+), 648 deletions(-) rename internal/api/util/{authtoken.go => auth.go} (53%) create mode 100644 internal/api/util/scopes.go create mode 100644 internal/api/util/scopes_test.go diff --git a/internal/api/client/accounts/accountalias.go b/internal/api/client/accounts/accountalias.go index 5d63f42d5..e0b67694f 100644 
--- a/internal/api/client/accounts/accountalias.go +++ b/internal/api/client/accounts/accountalias.go @@ -76,9 +76,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountAliasPOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/accountcreate.go b/internal/api/client/accounts/accountcreate.go index 642963dc5..71f343522 100644 --- a/internal/api/client/accounts/accountcreate.go +++ b/internal/api/client/accounts/accountcreate.go @@ -73,9 +73,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountCreatePOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, false, false) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, false, + apiutil.ScopeWriteAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/accountdelete.go b/internal/api/client/accounts/accountdelete.go index 5a2fb8daf..6438462c6 100644 --- a/internal/api/client/accounts/accountdelete.go +++ b/internal/api/client/accounts/accountdelete.go 
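Review bot: In the accountcreate.go hunk the third TokenAuth flag changes from false to true (`true, true, true, false,` replaces `true, true, false, false`), which is the only flag change anywhere in this patch and is not covered by the "enforce scopes" subject. If the parameter order survives the rename to auth.go unchanged, this now requires a user on the token for account creation, an endpoint normally reached with an app-only token before any user exists, so registration would fail closed rather than merely gain a scope check. Confirm the flip is intentional; otherwise keep `true, true, false, false,` and add only `apiutil.ScopeWriteAccounts`. The rest of AccountCreatePOSTHandler lies outside the hunk.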
@@ -65,9 +65,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountDeletePOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } @@ -79,7 +82,7 @@ func (m *Module) AccountDeletePOSTHandler(c *gin.Context) { // Self account delete requires password to ensure it's for real. if form.Password == "" { - err = errors.New("no password provided in account delete request") + err := errors.New("no password provided in account delete request") apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/accountget.go b/internal/api/client/accounts/accountget.go index c3e6c841e..cc6de3337 100644 --- a/internal/api/client/accounts/accountget.go +++ b/internal/api/client/accounts/accountget.go @@ -65,9 +65,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountGETHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/accountmove.go b/internal/api/client/accounts/accountmove.go index e2026f28d..601dd7d54 100644 --- a/internal/api/client/accounts/accountmove.go +++ b/internal/api/client/accounts/accountmove.go 
@@ -73,9 +73,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountMovePOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/accountupdate.go b/internal/api/client/accounts/accountupdate.go index d8a6f3ae4..617031d79 100644 --- a/internal/api/client/accounts/accountupdate.go +++ b/internal/api/client/accounts/accountupdate.go @@ -235,9 +235,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountUpdateCredentialsPATCHHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/accountverify.go b/internal/api/client/accounts/accountverify.go index f8b06b09a..f9dd5ae9c 100644 --- a/internal/api/client/accounts/accountverify.go +++ b/internal/api/client/accounts/accountverify.go 
@@ -55,9 +55,13 @@ import ( // '500': // description: internal server error func (m *Module) AccountVerifyGETHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeProfile, + apiutil.ScopeReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/block.go b/internal/api/client/accounts/block.go index 4159799a4..09bf23a85 100644 --- a/internal/api/client/accounts/block.go +++ b/internal/api/client/accounts/block.go @@ -65,9 +65,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountBlockPOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteBlocks, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/featuredtags.go b/internal/api/client/accounts/featuredtags.go index ee3a46556..0cb3c7b98 100644 --- a/internal/api/client/accounts/featuredtags.go +++ b/internal/api/client/accounts/featuredtags.go 
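Review bot: AccountVerifyGETHandler is the one call in this patch that passes two scopes, and nothing in the hunk shows whether TokenAuth treats the variadic list as "any of these" or "all of these"; for verify_credentials the intent is presumably that either profile or read:accounts suffices. A one-line comment above the call, `// Either the profile or the read:accounts scope is sufficient here.`, would make that readable without opening auth.go, but confirm it against the implementation in internal/api/util/auth.go, which is outside this chunk.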
@@ -67,9 +67,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountFeaturedTagsGETHandler(c *gin.Context) { - _, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + _, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/follow.go b/internal/api/client/accounts/follow.go index 0b807cdc4..d72032066 100644 --- a/internal/api/client/accounts/follow.go +++ b/internal/api/client/accounts/follow.go @@ -90,9 +90,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountFollowPOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteFollows, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/followers.go b/internal/api/client/accounts/followers.go index f352ea1da..d1fca7918 100644 --- a/internal/api/client/accounts/followers.go +++ b/internal/api/client/accounts/followers.go 
@@ -118,9 +118,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountFollowersGETHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/following.go b/internal/api/client/accounts/following.go index dc437a4a9..b0d47667f 100644 --- a/internal/api/client/accounts/following.go +++ b/internal/api/client/accounts/following.go @@ -118,9 +118,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountFollowingGETHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/lists.go b/internal/api/client/accounts/lists.go index 392406a8c..f054b73bb 100644 --- a/internal/api/client/accounts/lists.go +++ b/internal/api/client/accounts/lists.go 
@@ -68,9 +68,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountListsGETHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadLists, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/lookup.go b/internal/api/client/accounts/lookup.go index 09db4d1c0..88cf7fbe9 100644 --- a/internal/api/client/accounts/lookup.go +++ b/internal/api/client/accounts/lookup.go @@ -65,9 +65,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountLookupGETHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/mute.go b/internal/api/client/accounts/mute.go index 71e17903a..c5e5cc24b 100644 --- a/internal/api/client/accounts/mute.go +++ b/internal/api/client/accounts/mute.go @@ -85,9 +85,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountMutePOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteMutes, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } 
diff --git a/internal/api/client/accounts/note.go b/internal/api/client/accounts/note.go index e3e90e3b5..bee99cf1e 100644 --- a/internal/api/client/accounts/note.go +++ b/internal/api/client/accounts/note.go @@ -74,9 +74,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountNotePOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/profile.go b/internal/api/client/accounts/profile.go index 5a5cc33c0..16c312685 100644 --- a/internal/api/client/accounts/profile.go +++ b/internal/api/client/accounts/profile.go @@ -101,9 +101,12 @@ func (m *Module) AccountHeaderDELETEHandler(c *gin.Context) { // accountDeleteProfileAttachment checks that an authenticated account is present and allowed to alter itself, // runs an attachment deletion processor method, and returns the updated account. func (m *Module) accountDeleteProfileAttachment(c *gin.Context, processDelete func(context.Context, *gtsmodel.Account) (*apimodel.Account, gtserror.WithCode)) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/relationships.go b/internal/api/client/accounts/relationships.go index f18026ab4..7a5589832 100644 --- a/internal/api/client/accounts/relationships.go 
+++ b/internal/api/client/accounts/relationships.go @@ -72,9 +72,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountRelationshipsGETHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } @@ -88,7 +91,7 @@ func (m *Module) AccountRelationshipsGETHandler(c *gin.Context) { // check fallback -- let's be generous and see if maybe it's just set as 'id'? id := c.Query("id") if id == "" { - err = errors.New("no account id(s) specified in query") + err := errors.New("no account id(s) specified in query") apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/search.go b/internal/api/client/accounts/search.go index e42a9a9a7..671afece2 100644 --- a/internal/api/client/accounts/search.go +++ b/internal/api/client/accounts/search.go @@ -106,9 +106,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountSearchGETHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/statuses.go b/internal/api/client/accounts/statuses.go index db0b22d29..c9f7977d8 100644 --- a/internal/api/client/accounts/statuses.go +++ b/internal/api/client/accounts/statuses.go 
@@ -108,7 +108,7 @@ import ( // // security: // - OAuth2 Bearer: -// - read:accounts +// - read:statuses // // responses: // '200': @@ -133,9 +133,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountStatusesGETHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadStatuses, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/themesget.go b/internal/api/client/accounts/themesget.go index 8dba73b4d..6055a619f 100644 --- a/internal/api/client/accounts/themesget.go +++ b/internal/api/client/accounts/themesget.go @@ -59,9 +59,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountThemesGETHandler(c *gin.Context) { - _, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + _, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/unblock.go b/internal/api/client/accounts/unblock.go index 0e4f4febf..615d62e60 100644 --- a/internal/api/client/accounts/unblock.go +++ b/internal/api/client/accounts/unblock.go 
@@ -66,9 +66,9 @@ import ( // '500': // description: internal server error func (m *Module) AccountUnblockPOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, true, true, true, true) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/unfollow.go b/internal/api/client/accounts/unfollow.go index ee1f57d3d..1372a4ffc 100644 --- a/internal/api/client/accounts/unfollow.go +++ b/internal/api/client/accounts/unfollow.go @@ -66,9 +66,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountUnfollowPOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteFollows, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/accounts/unmute.go b/internal/api/client/accounts/unmute.go index bf666d181..0336e920f 100644 --- a/internal/api/client/accounts/unmute.go +++ b/internal/api/client/accounts/unmute.go @@ -68,9 +68,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountUnmutePOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteMutes, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } 
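Review bot: AccountUnblockPOSTHandler in unblock.go is the only accounts handler in this patch whose new TokenAuth call carries no scope, while AccountBlockPOSTHandler in block.go now requires apiutil.ScopeWriteBlocks; if TokenAuth skips the scope check when none is given, a token limited to read scopes can presumably still remove a block after this commit. Change the call to `authed, errWithCode := apiutil.TokenAuth(c, true, true, true, true, apiutil.ScopeWriteBlocks)` so block and unblock are gated alike. The diffstat's 6-line change for unblock.go against 9 for its siblings is consistent with the scope argument having been dropped here.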
diff --git a/internal/api/client/admin/accountaction.go b/internal/api/client/admin/accountaction.go index 371357abe..74ff0851c 100644 --- a/internal/api/client/admin/accountaction.go +++ b/internal/api/client/admin/accountaction.go @@ -63,7 +63,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:write:accounts // // responses: // '200': @@ -86,9 +86,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountActionPOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeAdminWriteAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/admin/accountapprove.go b/internal/api/client/admin/accountapprove.go index fdc5d3866..96a495924 100644 --- a/internal/api/client/admin/accountapprove.go +++ b/internal/api/client/admin/accountapprove.go @@ -47,7 +47,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:write:accounts // // responses: // '200': @@ -67,9 +67,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountApprovePOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeAdminWriteAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/admin/accountget.go b/internal/api/client/admin/accountget.go index 848e60e1f..b73f58adb 100644 --- a/internal/api/client/admin/accountget.go 
+++ b/internal/api/client/admin/accountget.go @@ -47,7 +47,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:read:accounts // // responses: // '200': @@ -67,9 +67,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountGETHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeAdminReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/admin/accountreject.go b/internal/api/client/admin/accountreject.go index 9a160e89b..fffdc5811 100644 --- a/internal/api/client/admin/accountreject.go +++ b/internal/api/client/admin/accountreject.go @@ -69,7 +69,7 @@ import ( // // security: // - OAuth2 Bearer: -// - admin +// - admin:write:accounts // // responses: // '200': @@ -89,9 +89,12 @@ import ( // '500': // description: internal server error func (m *Module) AccountRejectPOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeAdminWriteAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/admin/accountsgetv1.go b/internal/api/client/admin/accountsgetv1.go index f932cda1e..7d542b97c 100644 --- a/internal/api/client/admin/accountsgetv1.go +++ b/internal/api/client/admin/accountsgetv1.go @@ -148,7 +148,7 @@ // // security: // - OAuth2 Bearer: -// - admin +// - admin:read:accounts // // responses: // '200': 
@@ -186,9 +186,12 @@ import (
 )
 func (m *Module) AccountsGETV1Handler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/accountsgetv2.go b/internal/api/client/admin/accountsgetv2.go
index 2e9787116..8b6d4391d 100644
--- a/internal/api/client/admin/accountsgetv2.go
+++ b/internal/api/client/admin/accountsgetv2.go
@@ -121,7 +121,7 @@
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:read:accounts
 //
 // responses:
 // '200':
@@ -159,9 +159,12 @@ import (
 )
 func (m *Module) AccountsGETV2Handler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/debug_off.go b/internal/api/client/admin/debug_off.go
index a43326f02..667cf1be9 100644
--- a/internal/api/client/admin/debug_off.go
+++ b/internal/api/client/admin/debug_off.go
@@ -55,7 +55,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
@@ -89,7 +89,7 @@ func (m *Module) DebugAPUrlHandler(c *gin.Context) {}
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
diff --git a/internal/api/client/admin/debug_on.go b/internal/api/client/admin/debug_on.go
index 5fb8fdd1d..eb38e95e5 100644
--- a/internal/api/client/admin/debug_on.go
+++ b/internal/api/client/admin/debug_on.go
@@ -30,9 +30,12 @@ import (
 )
 func (m *Module) DebugAPUrlHandler(c *gin.Context) {
- authed, err := apiutil.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
@@ -57,9 +60,12 @@ func (m *Module) DebugAPUrlHandler(c *gin.Context) {
 }
 func (m *Module) DebugClearCachesHandler(c *gin.Context) {
- authed, err := apiutil.Authed(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/domainallowcreate.go b/internal/api/client/admin/domainallowcreate.go
index e8700f673..3e2baa053 100644
--- a/internal/api/client/admin/domainallowcreate.go
+++ b/internal/api/client/admin/domainallowcreate.go
@@ -93,7 +93,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write:domain_allows
 //
 // responses:
 // '200':
diff --git a/internal/api/client/admin/domainallowdelete.go b/internal/api/client/admin/domainallowdelete.go
index 6237e403f..20f97fe6d 100644
--- a/internal/api/client/admin/domainallowdelete.go
+++ b/internal/api/client/admin/domainallowdelete.go
@@ -43,7 +43,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write:domain_allows
 //
 // responses:
 // '200':
diff --git a/internal/api/client/admin/domainallowget.go b/internal/api/client/admin/domainallowget.go
index aa21743fa..6ed845235 100644
--- a/internal/api/client/admin/domainallowget.go
+++ b/internal/api/client/admin/domainallowget.go
@@ -43,7 +43,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:read:domain_allows
 //
 // responses:
 // '200':
diff --git a/internal/api/client/admin/domainallowsget.go b/internal/api/client/admin/domainallowsget.go
index 6391c7138..4790f1a2b 100644
--- a/internal/api/client/admin/domainallowsget.go
+++ b/internal/api/client/admin/domainallowsget.go
@@ -47,7 +47,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:read:domain_allows
 //
 // responses:
 // '200':
diff --git a/internal/api/client/admin/domainblockcreate.go b/internal/api/client/admin/domainblockcreate.go
index 5234561cf..1e98c6f6f 100644
--- a/internal/api/client/admin/domainblockcreate.go
+++ b/internal/api/client/admin/domainblockcreate.go
@@ -93,7 +93,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write:domain_blocks
 //
 // responses:
 // '200':
diff --git a/internal/api/client/admin/domainblockdelete.go b/internal/api/client/admin/domainblockdelete.go
index a6f6619cd..e9b207505 100644
--- a/internal/api/client/admin/domainblockdelete.go
+++ b/internal/api/client/admin/domainblockdelete.go
@@ -43,7 +43,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write:domain_blocks
 //
 // responses:
 // '200':
diff --git a/internal/api/client/admin/domainblockget.go b/internal/api/client/admin/domainblockget.go
index 9e8d29905..1d73962fa 100644
--- a/internal/api/client/admin/domainblockget.go
+++ b/internal/api/client/admin/domainblockget.go
@@ -43,7 +43,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:read:domain_blocks
 //
 // responses:
 // '200':
diff --git a/internal/api/client/admin/domainblocksget.go b/internal/api/client/admin/domainblocksget.go
index bdcc03469..383acbea5 100644
--- a/internal/api/client/admin/domainblocksget.go
+++ b/internal/api/client/admin/domainblocksget.go
@@ -47,7 +47,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:read:domain_blocks
 //
 // responses:
 // '200':
diff --git a/internal/api/client/admin/domainkeysexpire.go b/internal/api/client/admin/domainkeysexpire.go
index 6bf891b2c..262d196b4 100644
--- a/internal/api/client/admin/domainkeysexpire.go
+++ b/internal/api/client/admin/domainkeysexpire.go
@@ -67,7 +67,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '202':
@@ -94,9 +94,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) DomainKeysExpirePOSTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/domainpermission.go b/internal/api/client/admin/domainpermission.go
index ad353b28c..c64c90eb2 100644
--- a/internal/api/client/admin/domainpermission.go
+++ b/internal/api/client/admin/domainpermission.go
@@ -62,9 +62,20 @@ func (m *Module) createDomainPermissions(
 single singleDomainPermCreate,
 multi multiDomainPermCreate,
 ) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ // Scope differs based on permType.
+ var requireScope apiutil.Scope
+ if permType == gtsmodel.DomainPermissionBlock {
+ requireScope = apiutil.ScopeAdminWriteDomainBlocks
+ } else {
+ requireScope = apiutil.ScopeAdminWriteDomainAllows
+ }
+
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ requireScope,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
@@ -97,6 +108,7 @@ func (m *Module) createDomainPermissions(
 return
 }
+ var err error
 if importing && form.Domains.Size == 0 {
 err = errors.New("import was specified but list of domains is empty")
 } else if !importing && form.Domain == "" {
@@ -170,9 +182,20 @@ func (m *Module) deleteDomainPermission(
 c *gin.Context,
 permType gtsmodel.DomainPermissionType, // block/allow
 ) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ // Scope differs based on permType.
+ var requireScope apiutil.Scope
+ if permType == gtsmodel.DomainPermissionBlock {
+ requireScope = apiutil.ScopeAdminWriteDomainBlocks
+ } else {
+ requireScope = apiutil.ScopeAdminWriteDomainAllows
+ }
+
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ requireScope,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
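Review bot: The scope selection added to `createDomainPermissions` resolves to `apiutil.ScopeAdminWriteDomainAllows` for every `permType` that is not `gtsmodel.DomainPermissionBlock`, so an unexpected or zero-valued permission type is authorized against the allow-list scope instead of being refused; the same `else` fallback is repeated in `deleteDomainPermission` in this hunk and in `getDomainPermission`/`getDomainPermissions` in the following hunks. If the callers only ever pass the two known constants this is a hardening point rather than a live bug, but I can't confirm that from the hunk, and an authorization decision should fail closed on anything it does not recognize. Replacing the `if`/`else` with a `switch` that has explicit cases for block and allow and a `default` that returns an internal error through `apiutil.ErrorHandler` (sketched below for the create path, with `errors` already imported in this file) does that; since the same block appears four times, a small helper that maps `(permType, read/write)` to a scope and an error would keep the four handlers consistent. The enclosing functions continue outside the hunks.
```go
) {
	// Scope differs based on permType; anything other than the two
	// known permission types is refused rather than defaulted to a scope.
	var requireScope apiutil.Scope
	switch permType {
	case gtsmodel.DomainPermissionBlock:
		requireScope = apiutil.ScopeAdminWriteDomainBlocks
	case gtsmodel.DomainPermissionAllow:
		requireScope = apiutil.ScopeAdminWriteDomainAllows
	default:
		err := errors.New("unrecognized domain permission type")
		apiutil.ErrorHandler(c, gtserror.NewErrorInternalError(err), m.processor.InstanceGetV1)
		return
	}
	// … unchanged: TokenAuth call with requireScope and the rest of the handler …
```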
@@ -217,9 +240,20 @@ func (m *Module) getDomainPermission(
 c *gin.Context,
 permType gtsmodel.DomainPermissionType,
 ) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ // Scope differs based on permType.
+ var requireScope apiutil.Scope
+ if permType == gtsmodel.DomainPermissionBlock {
+ requireScope = apiutil.ScopeAdminReadDomainBlocks
+ } else {
+ requireScope = apiutil.ScopeAdminReadDomainAllows
+ }
+
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ requireScope,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
@@ -265,9 +299,20 @@ func (m *Module) getDomainPermissions(
 c *gin.Context,
 permType gtsmodel.DomainPermissionType,
 ) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ // Scope differs based on permType.
+ var requireScope apiutil.Scope
+ if permType == gtsmodel.DomainPermissionBlock {
+ requireScope = apiutil.ScopeAdminReadDomainBlocks
+ } else {
+ requireScope = apiutil.ScopeAdminReadDomainAllows
+ }
+
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ requireScope,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/domainpermissiondraftaccept.go b/internal/api/client/admin/domainpermissiondraftaccept.go
index ef54b52cd..345b4d1c3 100644
--- a/internal/api/client/admin/domainpermissiondraftaccept.go
+++ b/internal/api/client/admin/domainpermissiondraftaccept.go
@@ -60,7 +60,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
@@ -80,9 +80,9 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) DomainPermissionDraftAcceptPOSTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c, true, true, true, true)
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/domainpermissiondraftcreate.go b/internal/api/client/admin/domainpermissiondraftcreate.go
index 3a781a131..b8d3085e9 100644
--- a/internal/api/client/admin/domainpermissiondraftcreate.go
+++ b/internal/api/client/admin/domainpermissiondraftcreate.go
@@ -78,7 +78,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
@@ -98,9 +98,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) DomainPermissionDraftsPOSTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/domainpermissiondraftget.go b/internal/api/client/admin/domainpermissiondraftget.go
index 2bdc30d09..bff6254f7 100644
--- a/internal/api/client/admin/domainpermissiondraftget.go
+++ b/internal/api/client/admin/domainpermissiondraftget.go
@@ -47,7 +47,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:read
 //
 // responses:
 // '200':
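Review bot: `DomainPermissionDraftAcceptPOSTHandler` is the only handler in this commit whose new `TokenAuth` call passes no scope (`authed, errWithCode := apiutil.TokenAuth(c, true, true, true, true)`; the `-80,9 +80,9` header confirms no scope lines were added), while the swagger block for the same file in the previous hunk now advertises `admin:write`. If an empty scope list means "no scope check", which the single-scope calls everywhere else suggest but I cannot confirm from here, any admin token is accepted regardless of its granted scopes for an operation that turns a draft into a live domain block or allow, and the documented contract does not match what is enforced. The call should read `apiutil.TokenAuth(c, true, true, true, true, apiutil.ScopeAdminWrite)` to match `DomainPermissionDraftsPOSTHandler` and `DomainPermissionDraftRemovePOSTHandler` in the following hunks. The handler body continues outside the hunk.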
@@ -65,9 +65,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) DomainPermissionDraftGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/domainpermissiondraftremove.go b/internal/api/client/admin/domainpermissiondraftremove.go
index ba7e14547..6346331d1 100644
--- a/internal/api/client/admin/domainpermissiondraftremove.go
+++ b/internal/api/client/admin/domainpermissiondraftremove.go
@@ -60,7 +60,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
@@ -80,9 +80,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) DomainPermissionDraftRemovePOSTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/domainpermissiondraftsget.go b/internal/api/client/admin/domainpermissiondraftsget.go
index 14efac098..fa5e1ce6a 100644
--- a/internal/api/client/admin/domainpermissiondraftsget.go
+++ b/internal/api/client/admin/domainpermissiondraftsget.go
@@ -98,7 +98,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:read
 //
 // responses:
 // '200':
@@ -124,9 +124,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) DomainPermissionDraftsGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/domainpermissionexcludecreate.go b/internal/api/client/admin/domainpermissionexcludecreate.go
index a9e409efc..9559ab5b2 100644
--- a/internal/api/client/admin/domainpermissionexcludecreate.go
+++ b/internal/api/client/admin/domainpermissionexcludecreate.go
@@ -61,7 +61,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
@@ -81,9 +81,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) DomainPermissionExcludesPOSTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/domainpermissionexcludeget.go b/internal/api/client/admin/domainpermissionexcludeget.go
index fc9b04168..200f20021 100644
--- a/internal/api/client/admin/domainpermissionexcludeget.go
+++ b/internal/api/client/admin/domainpermissionexcludeget.go
@@ -47,7 +47,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:read
 //
 // responses:
 // '200':
@@ -65,9 +65,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) DomainPermissionExcludeGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/domainpermissionexcluderemove.go b/internal/api/client/admin/domainpermissionexcluderemove.go
index 6d0d8567a..35a4bdd27 100644
--- a/internal/api/client/admin/domainpermissionexcluderemove.go
+++ b/internal/api/client/admin/domainpermissionexcluderemove.go
@@ -47,7 +47,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
@@ -67,9 +67,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) DomainPermissionExcludeDELETEHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/domainpermissionexcludesget.go b/internal/api/client/admin/domainpermissionexcludesget.go
index 4f3a6eedb..59384079c 100644
--- a/internal/api/client/admin/domainpermissionexcludesget.go
+++ b/internal/api/client/admin/domainpermissionexcludesget.go
@@ -86,7 +86,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:read
 //
 // responses:
 // '200':
@@ -112,9 +112,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) DomainPermissionExcludesGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/domainpermissionsubscriptioncreate.go b/internal/api/client/admin/domainpermissionsubscriptioncreate.go
index 7645c10fd..b45ac8d72 100644
--- a/internal/api/client/admin/domainpermissionsubscriptioncreate.go
+++ b/internal/api/client/admin/domainpermissionsubscriptioncreate.go
@@ -124,7 +124,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
@@ -144,9 +144,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) DomainPermissionSubscriptionPOSTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/domainpermissionsubscriptionget.go b/internal/api/client/admin/domainpermissionsubscriptionget.go
index 6d83ebcc7..59498beea 100644
--- a/internal/api/client/admin/domainpermissionsubscriptionget.go
+++ b/internal/api/client/admin/domainpermissionsubscriptionget.go
@@ -47,7 +47,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:read
 //
 // responses:
 // '200':
@@ -65,9 +65,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) DomainPermissionSubscriptionGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/domainpermissionsubscriptionremove.go b/internal/api/client/admin/domainpermissionsubscriptionremove.go
index 113de70ff..c659a7559 100644
--- a/internal/api/client/admin/domainpermissionsubscriptionremove.go
+++ b/internal/api/client/admin/domainpermissionsubscriptionremove.go
@@ -67,7 +67,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
@@ -87,9 +87,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) DomainPermissionSubscriptionRemovePOSTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/domainpermissionsubscriptionsget.go b/internal/api/client/admin/domainpermissionsubscriptionsget.go
index b4b94c0a7..b3509a139 100644
--- a/internal/api/client/admin/domainpermissionsubscriptionsget.go
+++ b/internal/api/client/admin/domainpermissionsubscriptionsget.go
@@ -88,7 +88,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:read
 //
 // responses:
 // '200':
@@ -114,9 +114,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) DomainPermissionSubscriptionsGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/domainpermissionsubscriptionspreviewget.go b/internal/api/client/admin/domainpermissionsubscriptionspreviewget.go
index 89c73dea2..d942e9612 100644
--- a/internal/api/client/admin/domainpermissionsubscriptionspreviewget.go
+++ b/internal/api/client/admin/domainpermissionsubscriptionspreviewget.go
@@ -51,7 +51,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:read
 //
 // responses:
 // '200':
@@ -73,9 +73,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) DomainPermissionSubscriptionsPreviewGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/domainpermissionsubscriptiontest.go b/internal/api/client/admin/domainpermissionsubscriptiontest.go
index 894510608..573f1ca01 100644
--- a/internal/api/client/admin/domainpermissionsubscriptiontest.go
+++ b/internal/api/client/admin/domainpermissionsubscriptiontest.go
@@ -51,7 +51,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
@@ -75,9 +75,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) DomainPermissionSubscriptionTestPOSTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/domainpermissionsubscriptionupdate.go b/internal/api/client/admin/domainpermissionsubscriptionupdate.go
index 6c2236a1a..0f6309c19 100644
--- a/internal/api/client/admin/domainpermissionsubscriptionupdate.go
+++ b/internal/api/client/admin/domainpermissionsubscriptionupdate.go
@@ -120,7 +120,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
@@ -140,9 +140,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) DomainPermissionSubscriptionPATCHHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/emailtest.go b/internal/api/client/admin/emailtest.go
index 9ed4298a7..37a5e31d3 100644
--- a/internal/api/client/admin/emailtest.go
+++ b/internal/api/client/admin/emailtest.go
@@ -62,7 +62,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '202':
@@ -86,9 +86,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) EmailTestPOSTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
@@ -120,7 +123,7 @@ func (m *Module) EmailTestPOSTHandler(c *gin.Context) {
 return
 }
- errWithCode := m.processor.Admin().EmailTest(
+ errWithCode = m.processor.Admin().EmailTest(
 c.Request.Context(),
 authed.Account,
 email.Address,
diff --git a/internal/api/client/admin/emojicategoriesget.go b/internal/api/client/admin/emojicategoriesget.go
index 6a8496bf0..e678cea86 100644
--- a/internal/api/client/admin/emojicategoriesget.go
+++ b/internal/api/client/admin/emojicategoriesget.go
@@ -37,6 +37,10 @@ import (
 // produces:
 // - application/json
 //
+// security:
+// - OAuth2 Bearer:
+// - admin:read
+//
 // responses:
 // '200':
 // description: Array of existing emoji categories.
@@ -57,9 +61,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) EmojiCategoriesGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/emojicreate.go b/internal/api/client/admin/emojicreate.go
index c27d75dab..445c56605 100644
--- a/internal/api/client/admin/emojicreate.go
+++ b/internal/api/client/admin/emojicreate.go
@@ -75,7 +75,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
@@ -97,9 +97,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) EmojiCreatePOSTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/emojidelete.go b/internal/api/client/admin/emojidelete.go
index 30fc3f420..05d94f25d 100644
--- a/internal/api/client/admin/emojidelete.go
+++ b/internal/api/client/admin/emojidelete.go
@@ -53,7 +53,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
@@ -73,9 +73,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) EmojiDELETEHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/emojiget.go b/internal/api/client/admin/emojiget.go
index d1f2afff9..41bea00f8 100644
--- a/internal/api/client/admin/emojiget.go
+++ b/internal/api/client/admin/emojiget.go
@@ -45,6 +45,10 @@ import (
 // in: path
 // required: true
 //
+// security:
+// - OAuth2 Bearer:
+// - admin:read
+//
 // responses:
 // '200':
 // description: A single emoji.
@@ -63,9 +67,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) EmojiGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/emojisget.go b/internal/api/client/admin/emojisget.go
index c4c3dfa73..c1d05af07 100644
--- a/internal/api/client/admin/emojisget.go
+++ b/internal/api/client/admin/emojisget.go
@@ -98,6 +98,10 @@ import (
 // Emoji with the given `[shortcode]@[domain]` will not be included in the result set.
 // in: query
 //
+// security:
+// - OAuth2 Bearer:
+// - admin:read
+//
 // responses:
 // '200':
 // headers:
@@ -122,9 +126,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) EmojisGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/emojiupdate.go b/internal/api/client/admin/emojiupdate.go
index 0918407cf..07337eaa9 100644
--- a/internal/api/client/admin/emojiupdate.go
+++ b/internal/api/client/admin/emojiupdate.go
@@ -104,7 +104,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
@@ -124,9 +124,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) EmojiPATCHHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/headerfilter.go b/internal/api/client/admin/headerfilter.go
index e2c218b69..b101e98f6 100644
--- a/internal/api/client/admin/headerfilter.go
+++ b/internal/api/client/admin/headerfilter.go
@@ -31,9 +31,11 @@ import (
 // getHeaderFilter is a gin handler function that returns details of an HTTP header filter with provided ID, using given get function.
 func (m *Module) getHeaderFilter(c *gin.Context, get func(context.Context, string) (*apimodel.HeaderFilter, gtserror.WithCode)) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- errWithCode := gtserror.NewErrorUnauthorized(err, err.Error())
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
 apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
@@ -68,9 +70,11 @@ func (m *Module) getHeaderFilter(c *gin.Context, get func(context.Context, strin
 // getHeaderFilters is a gin handler function that returns details of all HTTP header filters using given get function.
 func (m *Module) getHeaderFilters(c *gin.Context, get func(context.Context) ([]*apimodel.HeaderFilter, gtserror.WithCode)) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- errWithCode := gtserror.NewErrorUnauthorized(err, err.Error())
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
 apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
@@ -99,9 +103,11 @@ func (m *Module) getHeaderFilters(c *gin.Context, get func(context.Context) ([]*
 // createHeaderFilter is a gin handler function that creates a HTTP header filter entry using provided form data, passing to given create function.
 func (m *Module) createHeaderFilter(c *gin.Context, create func(context.Context, *gtsmodel.Account, *apimodel.HeaderFilterRequest) (*apimodel.HeaderFilter, gtserror.WithCode)) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- errWithCode := gtserror.NewErrorUnauthorized(err, err.Error())
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
 apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
@@ -147,9 +153,11 @@ func (m *Module) createHeaderFilter(c *gin.Context, create func(context.Context,
 // deleteHeaderFilter is a gin handler function that deletes an HTTP header filter with provided ID, using given delete function.
 func (m *Module) deleteHeaderFilter(c *gin.Context, delete func(context.Context, string) gtserror.WithCode) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- errWithCode := gtserror.NewErrorUnauthorized(err, err.Error())
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
 apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/headerfilter_create.go b/internal/api/client/admin/headerfilter_create.go
index d74dc5e15..a5b5e5309 100644
--- a/internal/api/client/admin/headerfilter_create.go
+++ b/internal/api/client/admin/headerfilter_create.go
@@ -42,7 +42,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
@@ -82,7 +82,7 @@ func (m *Module) HeaderFilterAllowPOST(c *gin.Context) {
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
diff --git a/internal/api/client/admin/headerfilter_delete.go b/internal/api/client/admin/headerfilter_delete.go
index 58b1c585e..400c5c4e3 100644
--- a/internal/api/client/admin/headerfilter_delete.go
+++ b/internal/api/client/admin/headerfilter_delete.go
@@ -39,7 +39,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '202':
@@ -76,7 +76,7 @@ func (m *Module) HeaderFilterAllowDELETE(c *gin.Context) {
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '202':
diff --git a/internal/api/client/admin/headerfilter_get.go b/internal/api/client/admin/headerfilter_get.go
index 5bca6d18d..cd00fe24c 100644
--- a/internal/api/client/admin/headerfilter_get.go
+++ b/internal/api/client/admin/headerfilter_get.go
@@ -37,7 +37,7 @@ import "github.com/gin-gonic/gin"
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:read
 //
 // responses:
 // '200':
@@ -76,7 +76,7 @@ func (m *Module) HeaderFilterAllowGET(c *gin.Context) {
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:read
 //
 // responses:
 // '200':
diff --git a/internal/api/client/admin/mediacleanup.go b/internal/api/client/admin/mediacleanup.go
index 2af86c289..2554f8508 100644
--- a/internal/api/client/admin/mediacleanup.go
+++ b/internal/api/client/admin/mediacleanup.go
@@ -48,7 +48,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
@@ -68,9 +68,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) MediaCleanupPOSTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/mediarefetch.go b/internal/api/client/admin/mediarefetch.go
index 5913071af..47301460f 100644
--- a/internal/api/client/admin/mediarefetch.go
+++ b/internal/api/client/admin/mediarefetch.go
@@ -41,7 +41,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // parameters:
 // -
@@ -70,9 +70,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) MediaRefetchPOSTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/reportget.go b/internal/api/client/admin/reportget.go
index 536619604..163043627 100644
--- a/internal/api/client/admin/reportget.go
+++ b/internal/api/client/admin/reportget.go
@@ -47,7 +47,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:read:reports
 //
 // responses:
 // '200':
@@ -66,9 +66,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ReportGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminReadReports,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/reportresolve.go b/internal/api/client/admin/reportresolve.go
index c4fd1aea4..2b9be3721 100644
--- a/internal/api/client/admin/reportresolve.go
+++ b/internal/api/client/admin/reportresolve.go
@@ -64,7 +64,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write:reports
 //
 // responses:
 // '200':
@@ -83,9 +83,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ReportResolvePOSTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWriteReports,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/reportsget.go b/internal/api/client/admin/reportsget.go
index 80fb54b67..64a144767 100644
--- a/internal/api/client/admin/reportsget.go
+++ b/internal/api/client/admin/reportsget.go
@@ -99,7 +99,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:read:reports
 //
 // responses:
 // '200':
@@ -124,9 +124,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ReportsGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminReadReports,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/rulecreate.go b/internal/api/client/admin/rulecreate.go
index 725a654b5..9e4be1da3 100644
--- a/internal/api/client/admin/rulecreate.go
+++ b/internal/api/client/admin/rulecreate.go
@@ -44,7 +44,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
@@ -64,9 +64,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) RulePOSTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/ruledelete.go b/internal/api/client/admin/ruledelete.go
index 248f4c544..c2797aa8d 100644
--- a/internal/api/client/admin/ruledelete.go
+++ b/internal/api/client/admin/ruledelete.go
@@ -51,7 +51,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
@@ -71,9 +71,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) RuleDELETEHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/ruleget.go b/internal/api/client/admin/ruleget.go
index 36cf553b9..ce627a0d7 100644
--- a/internal/api/client/admin/ruleget.go
+++ b/internal/api/client/admin/ruleget.go
@@ -47,7 +47,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:read
 //
 // responses:
 // '200':
@@ -66,9 +66,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) RuleGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/rulesget.go b/internal/api/client/admin/rulesget.go
index d1b319542..bc4961c6a 100644
--- a/internal/api/client/admin/rulesget.go
+++ b/internal/api/client/admin/rulesget.go
@@ -43,7 +43,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:read
 //
 // responses:
 // '200':
@@ -63,9 +63,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) RulesGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminRead,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/admin/ruleupdate.go b/internal/api/client/admin/ruleupdate.go
index 962c92e03..db8b610e0 100644
--- a/internal/api/client/admin/ruleupdate.go
+++ b/internal/api/client/admin/ruleupdate.go
@@ -43,7 +43,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
@@ -63,9 +63,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) RulePATCHHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/announcements/announcementsget.go b/internal/api/client/announcements/announcementsget.go
index f8960479f..92353a4e7 100644
--- a/internal/api/client/announcements/announcementsget.go
+++ b/internal/api/client/announcements/announcementsget.go
@@ -39,8 +39,7 @@ import (
 // - application/json
 //
 // security:
-// - OAuth2 Bearer:
-// - read:announcements
+// - OAuth2 Bearer: []
 //
 // responses:
 // '200':
@@ -58,9 +57,11 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) AnnouncementsGETHandler(c *gin.Context) {
- _, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ _, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/apps/appcreate.go b/internal/api/client/apps/appcreate.go
index 7d1e7ff0b..6a8208a20 100644
--- a/internal/api/client/apps/appcreate.go
+++ b/internal/api/client/apps/appcreate.go
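Review bot: AnnouncementsGETHandler is the one place in this patch where a scope requirement is removed rather than tightened: the swagger block goes from `read:announcements` to `OAuth2 Bearer: []` and the TokenAuth call now passes no scope, so any user token (still required by the four `true` flags) can list announcements, and nothing in the hunk records why. A one-line comment above the call, `// No scope required: any authenticated user may read announcements.`, would keep a future reader from "restoring" the scope by analogy with the other handlers. The same unexplained loosening appears in CustomEmojisGETHandler (customemojisget.go, where `read:custom_emojis` is dropped). AnnouncementsGETHandler's body continues outside the hunk.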
@@ -73,9 +73,11 @@ const (
 // '500':
 // description: internal server error
 func (m *Module) AppsPOSTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, false, false, false, false)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ false, false, false, false,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/blocks/blocksget.go b/internal/api/client/blocks/blocksget.go
index 8b24b4e5c..0d9a2234e 100644
--- a/internal/api/client/blocks/blocksget.go
+++ b/internal/api/client/blocks/blocksget.go
@@ -106,9 +106,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) BlocksGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadBlocks,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/bookmarks/bookmarksget.go b/internal/api/client/bookmarks/bookmarksget.go
index e797a464d..6fa87c688 100644
--- a/internal/api/client/bookmarks/bookmarksget.go
+++ b/internal/api/client/bookmarks/bookmarksget.go
@@ -92,9 +92,12 @@ const (
 // '500':
 // description: internal server error
 func (m *Module) BookmarksGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadBookmarks,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/conversations/conversationdelete.go b/internal/api/client/conversations/conversationdelete.go
index 7784143b2..dabb2bfc8 100644
--- a/internal/api/client/conversations/conversationdelete.go
+++ b/internal/api/client/conversations/conversationdelete.go
@@ -65,9 +65,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ConversationDELETEHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteConversations,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/conversations/conversationread.go b/internal/api/client/conversations/conversationread.go
index fdb56dd51..e168cca2e 100644
--- a/internal/api/client/conversations/conversationread.go
+++ b/internal/api/client/conversations/conversationread.go
@@ -67,9 +67,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ConversationReadPOSTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteConversations,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/conversations/conversationsget.go b/internal/api/client/conversations/conversationsget.go
index 7e8eaac1d..8cd70cd00 100644
--- a/internal/api/client/conversations/conversationsget.go
+++ b/internal/api/client/conversations/conversationsget.go
@@ -106,9 +106,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ConversationsGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadStatuses,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/customemojis/customemojisget.go b/internal/api/client/customemojis/customemojisget.go
index 3ef7ab727..7c9b88b4c 100644
--- a/internal/api/client/customemojis/customemojisget.go
+++ b/internal/api/client/customemojis/customemojisget.go
@@ -37,8 +37,7 @@ import (
 // - application/json
 //
 // security:
-// - OAuth2 Bearer:
-// - read:custom_emojis
+// - OAuth2 Bearer: []
 //
 // responses:
 // '200':
@@ -54,8 +53,11 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) CustomEmojisGETHandler(c *gin.Context) {
- if _, err := apiutil.TokenAuth(c, true, true, true, true); err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ _, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/exports/blocks.go b/internal/api/client/exports/blocks.go
index e10311483..bc8c2a6b3 100644
--- a/internal/api/client/exports/blocks.go
+++ b/internal/api/client/exports/blocks.go
@@ -51,9 +51,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ExportBlocksGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadBlocks,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/exports/followers.go b/internal/api/client/exports/followers.go
index 8931ac9ba..ad6306de0 100644
--- a/internal/api/client/exports/followers.go
+++ b/internal/api/client/exports/followers.go
@@ -38,7 +38,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - read:follows
+// - read:accounts
 //
 // responses:
 // '200':
@@ -51,9 +51,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ExportFollowersGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/exports/following.go b/internal/api/client/exports/following.go
index 44954bacb..b95492dfa 100644
--- a/internal/api/client/exports/following.go
+++ b/internal/api/client/exports/following.go
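Review bot: ExportFollowersGETHandler is now gated on `apiutil.ScopeReadAccounts` (with the swagger `security:` block moved from `read:follows` to `read:accounts`), while ExportFollowingGETHandler in following.go, the next hunk in this patch, is gated on `apiutil.ScopeReadFollows`; two exports of the same relationship data requiring different scopes looks accidental rather than designed. If the split is intentional, a one-line comment above each call stating the reason would settle it; otherwise the two handlers should agree on one scope. Note also that following.go gets no swagger hunk here, so its documented scope (not visible in this patch) is presumably still `read:follows` and should be confirmed to match what the code now enforces. ExportFollowersGETHandler's body continues outside the hunk.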
@@ -51,9 +51,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ExportFollowingGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFollows,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/exports/lists.go b/internal/api/client/exports/lists.go
index ecf9edd2d..385df5501 100644
--- a/internal/api/client/exports/lists.go
+++ b/internal/api/client/exports/lists.go
@@ -51,9 +51,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ExportListsGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/exports/mutes.go b/internal/api/client/exports/mutes.go
index fe2d5dfe0..6b9d699c9 100644
--- a/internal/api/client/exports/mutes.go
+++ b/internal/api/client/exports/mutes.go
@@ -51,9 +51,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ExportMutesGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadMutes,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/exports/stats.go b/internal/api/client/exports/stats.go
index 7cc132cd6..783826bb3 100644
--- a/internal/api/client/exports/stats.go
+++ b/internal/api/client/exports/stats.go
@@ -38,7 +38,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - read:account
+// - read:accounts
 //
 // responses:
 // '200':
@@ -52,9 +52,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ExportStatsGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/favourites/favouritesget.go b/internal/api/client/favourites/favouritesget.go
index a631e3037..5396bc155 100644
--- a/internal/api/client/favourites/favouritesget.go
+++ b/internal/api/client/favourites/favouritesget.go
@@ -92,9 +92,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FavouritesGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFavourites,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/featuredtags/get.go b/internal/api/client/featuredtags/get.go
index 62fa66882..cab6b19a3 100644
--- a/internal/api/client/featuredtags/get.go
+++ b/internal/api/client/featuredtags/get.go
@@ -59,9 +59,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FeaturedTagsGETHandler(c *gin.Context) {
- _, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ _, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/filters/v1/filterdelete.go b/internal/api/client/filters/v1/filterdelete.go
index 1d6ac3565..e28221ca6 100644
--- a/internal/api/client/filters/v1/filterdelete.go
+++ b/internal/api/client/filters/v1/filterdelete.go
@@ -62,9 +62,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterDELETEHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/filters/v1/filterget.go b/internal/api/client/filters/v1/filterget.go
index 2ada39243..4af3dab16 100644
--- a/internal/api/client/filters/v1/filterget.go
+++ b/internal/api/client/filters/v1/filterget.go
@@ -65,9 +65,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/filters/v1/filterpost.go b/internal/api/client/filters/v1/filterpost.go
index 98ae6d796..fb53b8e9b 100644
--- a/internal/api/client/filters/v1/filterpost.go
+++ b/internal/api/client/filters/v1/filterpost.go
@@ -129,9 +129,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterPOSTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/filters/v1/filterput.go b/internal/api/client/filters/v1/filterput.go
index c2e27664f..051fa1f63 100644
--- a/internal/api/client/filters/v1/filterput.go
+++ b/internal/api/client/filters/v1/filterput.go
@@ -135,9 +135,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterPUTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/filters/v1/filtersget.go b/internal/api/client/filters/v1/filtersget.go
index 53205aa7a..d65776331 100644
--- a/internal/api/client/filters/v1/filtersget.go
+++ b/internal/api/client/filters/v1/filtersget.go
@@ -59,9 +59,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FiltersGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/filters/v2/filterdelete.go b/internal/api/client/filters/v2/filterdelete.go
index 965a26cd5..2fd411e98 100644
--- a/internal/api/client/filters/v2/filterdelete.go
+++ b/internal/api/client/filters/v2/filterdelete.go
@@ -62,9 +62,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterDELETEHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/filters/v2/filterget.go b/internal/api/client/filters/v2/filterget.go
index cfe1e87e9..eed65f39a 100644
--- a/internal/api/client/filters/v2/filterget.go
+++ b/internal/api/client/filters/v2/filterget.go
@@ -65,9 +65,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/filters/v2/filterkeyworddelete.go b/internal/api/client/filters/v2/filterkeyworddelete.go
index 137c60b21..4dc8b5973 100644
--- a/internal/api/client/filters/v2/filterkeyworddelete.go
+++ b/internal/api/client/filters/v2/filterkeyworddelete.go
@@ -62,9 +62,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterKeywordDELETEHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/filters/v2/filterkeywordget.go b/internal/api/client/filters/v2/filterkeywordget.go
index ff25afb72..f298d1af0 100644
--- a/internal/api/client/filters/v2/filterkeywordget.go
+++ b/internal/api/client/filters/v2/filterkeywordget.go
@@ -65,9 +65,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterKeywordGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/filters/v2/filterkeywordpost.go b/internal/api/client/filters/v2/filterkeywordpost.go
index 4ae757de2..f7ccc1a80 100644
--- a/internal/api/client/filters/v2/filterkeywordpost.go
+++ b/internal/api/client/filters/v2/filterkeywordpost.go
@@ -99,9 +99,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterKeywordPOSTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/filters/v2/filterkeywordput.go b/internal/api/client/filters/v2/filterkeywordput.go
index 26b8f8a14..5f9fa3c9e 100644
--- a/internal/api/client/filters/v2/filterkeywordput.go
+++ b/internal/api/client/filters/v2/filterkeywordput.go
@@ -96,9 +96,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterKeywordPUTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/filters/v2/filterkeywordsget.go b/internal/api/client/filters/v2/filterkeywordsget.go
index af7cddee0..2fa3140a9 100644
--- a/internal/api/client/filters/v2/filterkeywordsget.go
+++ b/internal/api/client/filters/v2/filterkeywordsget.go
@@ -67,9 +67,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterKeywordsGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/filters/v2/filterpost.go b/internal/api/client/filters/v2/filterpost.go
index 295607c12..b35938692 100644
--- a/internal/api/client/filters/v2/filterpost.go
+++ b/internal/api/client/filters/v2/filterpost.go
@@ -149,9 +149,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterPOSTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/filters/v2/filterput.go b/internal/api/client/filters/v2/filterput.go
index 61de9bbfd..b4b14e6c3 100644
--- a/internal/api/client/filters/v2/filterput.go
+++ b/internal/api/client/filters/v2/filterput.go
@@ -157,9 +157,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterPUTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/filters/v2/filtersget.go b/internal/api/client/filters/v2/filtersget.go
index c0b360cab..f304ffea5 100644
--- a/internal/api/client/filters/v2/filtersget.go
+++ b/internal/api/client/filters/v2/filtersget.go
@@ -59,9 +59,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FiltersGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/filters/v2/filterstatusdelete.go b/internal/api/client/filters/v2/filterstatusdelete.go
index a62eaea81..2adc48190 100644
--- a/internal/api/client/filters/v2/filterstatusdelete.go
+++ b/internal/api/client/filters/v2/filterstatusdelete.go
@@ -62,9 +62,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterStatusDELETEHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/filters/v2/filterstatusesget.go b/internal/api/client/filters/v2/filterstatusesget.go
index 2001ade62..ae76e814f 100644
--- a/internal/api/client/filters/v2/filterstatusesget.go
+++ b/internal/api/client/filters/v2/filterstatusesget.go
@@ -67,9 +67,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterStatusesGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/filters/v2/filterstatusget.go b/internal/api/client/filters/v2/filterstatusget.go
index 681be0080..efe20f0c2 100644
--- a/internal/api/client/filters/v2/filterstatusget.go
+++ b/internal/api/client/filters/v2/filterstatusget.go
@@ -65,9 +65,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterStatusGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/filters/v2/filterstatuspost.go b/internal/api/client/filters/v2/filterstatuspost.go
index 2281bd996..c6921e584 100644
--- a/internal/api/client/filters/v2/filterstatuspost.go
+++ b/internal/api/client/filters/v2/filterstatuspost.go
@@ -87,9 +87,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FilterStatusPOSTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFilters,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/followedtags/get.go b/internal/api/client/followedtags/get.go
index 0496cd41b..f1fa45b07 100644
--- a/internal/api/client/followedtags/get.go
+++ b/internal/api/client/followedtags/get.go
@@ -99,9 +99,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FollowedTagsGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFollows,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/followrequests/authorize.go b/internal/api/client/followrequests/authorize.go
index 2fd1322ce..cc7b5598c 100644
--- a/internal/api/client/followrequests/authorize.go
+++ b/internal/api/client/followrequests/authorize.go
@@ -68,9 +68,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FollowRequestAuthorizePOSTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFollows,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/followrequests/get.go b/internal/api/client/followrequests/get.go
index 7959e2366..4b7760a6d 100644
--- a/internal/api/client/followrequests/get.go
+++ b/internal/api/client/followrequests/get.go
@@ -107,9 +107,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FollowRequestGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadFollows,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/followrequests/reject.go b/internal/api/client/followrequests/reject.go
index 5127b87fe..4207925db 100644
--- a/internal/api/client/followrequests/reject.go
+++ b/internal/api/client/followrequests/reject.go
@@ -66,9 +66,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) FollowRequestRejectPOSTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteFollows,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/import/import.go b/internal/api/client/import/import.go
index e0763815a..c3908625b 100644
--- a/internal/api/client/import/import.go
+++ b/internal/api/client/import/import.go
@@ -108,7 +108,7 @@ func (m *Module) Route(attachHandler func(method string, path string, f ...gin.H
 //
 // security:
 // - OAuth2 Bearer:
-// - write:accounts
+// - write
 //
 // responses:
 // '202':
@@ -122,9 +122,12 @@ func (m *Module) Route(attachHandler func(method string, path string, f ...gin.H
 // '500':
 // description: internal server error
 func (m *Module) ImportPOSTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
@@ -178,7 +181,7 @@ func (m *Module) ImportPOSTHandler(c *gin.Context) {
 overwrite := form.Mode == "overwrite"
 // Trigger the import.
- errWithCode := m.processor.Account().ImportData(
+ errWithCode = m.processor.Account().ImportData(
 c.Request.Context(),
 authed.Account,
 form.Data,
diff --git a/internal/api/client/instance/instancepatch.go b/internal/api/client/instance/instancepatch.go
index 16b132287..67856100d 100644
--- a/internal/api/client/instance/instancepatch.go
+++ b/internal/api/client/instance/instancepatch.go
@@ -106,7 +106,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - admin
+// - admin:write
 //
 // responses:
 // '200':
@@ -126,9 +126,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) InstanceUpdatePATCHHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeAdminWrite,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/instance/instancepeersget.go b/internal/api/client/instance/instancepeersget.go
index 92e7120b2..4f540c89c 100644
--- a/internal/api/client/instance/instancepeersget.go
+++ b/internal/api/client/instance/instancepeersget.go
@@ -58,6 +58,9 @@ import (
 // required: false
 // default: "open"
 //
+// security:
+// - OAuth2 Bearer: []
+//
 // responses:
 // '200':
 // description: >-
@@ -98,9 +101,11 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) InstancePeersGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, false, false, false, false)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/interactionpolicies/getdefaults.go b/internal/api/client/interactionpolicies/getdefaults.go
index 6ea40c647..870425e8d 100644
--- a/internal/api/client/interactionpolicies/getdefaults.go
+++ b/internal/api/client/interactionpolicies/getdefaults.go
@@ -52,9 +52,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) PoliciesDefaultsGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/interactionpolicies/updatedefaults.go b/internal/api/client/interactionpolicies/updatedefaults.go
index 9b9651837..8496b00aa 100644
--- a/internal/api/client/interactionpolicies/updatedefaults.go
+++ b/internal/api/client/interactionpolicies/updatedefaults.go
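Review bot: InstancePeersGETHandler's require flags go from `false, false, false, false` to `true, true, true, true` with no scope argument, so by the look of the flag names TokenAuth now rejects any request that carries no valid token, whereas the removed call accepted one and presumably left the per-`filter` decision to the processor. That turns an optionally-authenticated endpoint into a token-required one, which is a wider change than scope enforcement and is not stated in the commit title; the swagger `security` block added in the hunk above (`OAuth2 Bearer: []`) documents the new state but not the intent. If the goal is only to route this handler through the new error path, keep the original flags: `authed, errWithCode := apiutil.TokenAuth(c, false, false, false, false)`; if anonymous access is meant to go away, say so in the handler's doc comment and in the commit description so operators know `filter=open` is no longer public. The handler body continues past the hunk.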
@@ -210,9 +210,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) PoliciesDefaultsPATCHHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteAccounts,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/interactionrequests/authorize.go b/internal/api/client/interactionrequests/authorize.go
index b759ae3dd..8191923ba 100644
--- a/internal/api/client/interactionrequests/authorize.go
+++ b/internal/api/client/interactionrequests/authorize.go
@@ -65,9 +65,11 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) InteractionRequestAuthorizePOSTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- errWithCode := gtserror.NewErrorUnauthorized(err, err.Error())
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteStatuses,
+ )
+ if errWithCode != nil {
 apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/interactionrequests/get.go b/internal/api/client/interactionrequests/get.go
index a7330653e..d1d5f5eb4 100644
--- a/internal/api/client/interactionrequests/get.go
+++ b/internal/api/client/interactionrequests/get.go
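Review bot: The interaction-request endpoints are split across two scope families: InteractionRequestAuthorizePOSTHandler here and InteractionRequestRejectPOSTHandler (reject.go hunk below) take `apiutil.ScopeWriteStatuses`, while InteractionRequestGETHandler and InteractionRequestsGETHandler (get.go and getpage.go hunks below) take `apiutil.ScopeReadNotifications`, so a token holding only the notifications scopes can list pending requests but not act on them, and one holding only the statuses scopes can act but not list. If that asymmetry is deliberate — approving an interaction arguably mutates the target status — a one-line comment above the scope argument such as `// Authorizing an interaction mutates the target status, so gate on write:statuses rather than write:notifications.` would stop a later reader from "fixing" it in either direction. The handler body continues past the hunk.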
@@ -64,9 +64,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) InteractionRequestGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadNotifications,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/interactionrequests/getpage.go b/internal/api/client/interactionrequests/getpage.go
index ca42986ed..f3f1251cc 100644
--- a/internal/api/client/interactionrequests/getpage.go
+++ b/internal/api/client/interactionrequests/getpage.go
@@ -136,9 +136,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) InteractionRequestsGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadNotifications,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/interactionrequests/reject.go b/internal/api/client/interactionrequests/reject.go
index 6984699a4..0102d872a 100644
--- a/internal/api/client/interactionrequests/reject.go
+++ b/internal/api/client/interactionrequests/reject.go
@@ -65,9 +65,11 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) InteractionRequestRejectPOSTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- errWithCode := gtserror.NewErrorUnauthorized(err, err.Error())
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteStatuses,
+ )
+ if errWithCode != nil {
 apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/lists/listaccounts.go b/internal/api/client/lists/listaccounts.go
index 01c09a870..4c6c00292 100644
--- a/internal/api/client/lists/listaccounts.go
+++ b/internal/api/client/lists/listaccounts.go
@@ -116,9 +116,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ListAccountsGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/lists/listaccountsadd.go b/internal/api/client/lists/listaccountsadd.go
index 42042e1e7..b27cd1e92 100644
--- a/internal/api/client/lists/listaccountsadd.go
+++ b/internal/api/client/lists/listaccountsadd.go
@@ -81,9 +81,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ListAccountsPOSTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/lists/listaccountsremove.go b/internal/api/client/lists/listaccountsremove.go
index b49b3923a..160552d62 100644
--- a/internal/api/client/lists/listaccountsremove.go
+++ b/internal/api/client/lists/listaccountsremove.go
@@ -81,9 +81,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ListAccountsDELETEHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
@@ -107,7 +110,7 @@ func (m *Module) ListAccountsDELETEHandler(c *gin.Context) {
 // parsing in order to be compatible with Mastodon's client API conventions.
 oldMethod := c.Request.Method
 c.Request.Method = "POST"
- err = c.ShouldBind(form)
+ err := c.ShouldBind(form)
 c.Request.Method = oldMethod
 if err != nil {
diff --git a/internal/api/client/lists/listcreate.go b/internal/api/client/lists/listcreate.go
index c40a931be..5d3daf2ed 100644
--- a/internal/api/client/lists/listcreate.go
+++ b/internal/api/client/lists/listcreate.go
@@ -96,9 +96,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ListCreatePOSTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/lists/listdelete.go b/internal/api/client/lists/listdelete.go
index 3ae9e2a48..33c0add70 100644
--- a/internal/api/client/lists/listdelete.go
+++ b/internal/api/client/lists/listdelete.go
@@ -63,9 +63,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ListDELETEHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/lists/listget.go b/internal/api/client/lists/listget.go
index 0a391dd35..008d516ba 100644
--- a/internal/api/client/lists/listget.go
+++ b/internal/api/client/lists/listget.go
@@ -66,9 +66,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ListGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/lists/listsget.go b/internal/api/client/lists/listsget.go
index 3251f93b1..9a40702b8 100644
--- a/internal/api/client/lists/listsget.go
+++ b/internal/api/client/lists/listsget.go
@@ -59,9 +59,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ListsGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/lists/listupdate.go b/internal/api/client/lists/listupdate.go
index f7b902cc2..388d878a9 100644
--- a/internal/api/client/lists/listupdate.go
+++ b/internal/api/client/lists/listupdate.go
@@ -102,9 +102,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) ListUpdatePUTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteLists,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
@@ -151,7 +154,7 @@ func (m *Module) ListUpdatePUTHandler(c *gin.Context) {
 }
 if form.Title == nil && repliesPolicy == nil && form.Exclusive == nil {
- err = errors.New("neither title nor replies_policy nor exclusive was set; nothing to update")
+ err := errors.New("neither title nor replies_policy nor exclusive was set; nothing to update")
 apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/markers/markersget.go b/internal/api/client/markers/markersget.go
index 1d168946c..f5b70ca68 100644
--- a/internal/api/client/markers/markersget.go
+++ b/internal/api/client/markers/markersget.go
@@ -66,9 +66,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) MarkersGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadStatuses,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/markers/markerspost.go b/internal/api/client/markers/markerspost.go
index 3743beefd..e2fffa265 100644
--- a/internal/api/client/markers/markerspost.go
+++ b/internal/api/client/markers/markerspost.go
@@ -71,9 +71,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) MarkersPOSTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteStatuses,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/media/mediacreate.go b/internal/api/client/media/mediacreate.go
index e66682a7b..0f9de7b56 100644
--- a/internal/api/client/media/mediacreate.go
+++ b/internal/api/client/media/mediacreate.go
@@ -101,9 +101,12 @@ func (m *Module) MediaCreatePOSTHandler(c *gin.Context) {
 return
 }
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteMedia,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/media/mediaget.go b/internal/api/client/media/mediaget.go
index 78628cd3d..8428e202f 100644
--- a/internal/api/client/media/mediaget.go
+++ b/internal/api/client/media/mediaget.go
@@ -73,9 +73,14 @@ func (m *Module) MediaGETHandler(c *gin.Context) {
 return
 }
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ // This takes write even
+ // though it's a read.
+ apiutil.ScopeWriteMedia,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/media/mediaupdate.go b/internal/api/client/media/mediaupdate.go
index 0afda5551..b71b0c5f1 100644
--- a/internal/api/client/media/mediaupdate.go
+++ b/internal/api/client/media/mediaupdate.go
@@ -105,9 +105,12 @@ func (m *Module) MediaPUTHandler(c *gin.Context) {
 return
 }
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteMedia,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
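Review bot: The comment added in the MediaGETHandler hunk, `// This takes write even // though it's a read.`, records the oddity but not the reason, and the reason is what the next maintainer needs before deciding whether to "correct" it to a read scope. If the motivation is client compatibility with the upstream Mastodon API — which I am inferring, not reading from the hunk — state it in the comment: `// GET media is gated on write:media to match the scope Mastodon declares for this endpoint, so clients that requested only write:media keep working.`; if the motivation is something else, say that instead. MediaGETHandler starts before the hunk, and the `return }` context at the top belongs to an earlier check that is not visible here.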
diff --git a/internal/api/client/mutes/mutesget.go b/internal/api/client/mutes/mutesget.go
index b17dcf5a2..76c31ebc6 100644
--- a/internal/api/client/mutes/mutesget.go
+++ b/internal/api/client/mutes/mutesget.go
@@ -107,9 +107,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) MutesGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadMutes,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/notifications/notificationget.go b/internal/api/client/notifications/notificationget.go
index 182a97c7f..0c15cf937 100644
--- a/internal/api/client/notifications/notificationget.go
+++ b/internal/api/client/notifications/notificationget.go
@@ -66,9 +66,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) NotificationGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadNotifications,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/notifications/notificationsclear.go b/internal/api/client/notifications/notificationsclear.go
index 89c40d4cd..3742f7eba 100644
--- a/internal/api/client/notifications/notificationsclear.go
+++ b/internal/api/client/notifications/notificationsclear.go
@@ -40,7 +40,7 @@ import (
 //
 // security:
 // - OAuth2 Bearer:
-// - read:notifications
+// - write:notifications
 //
 // responses:
 // '200':
@@ -57,9 +57,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) NotificationsClearPOSTHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeWriteNotifications,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
@@ -68,7 +71,7 @@ func (m *Module) NotificationsClearPOSTHandler(c *gin.Context) {
 return
 }
- errWithCode := m.processor.Timeline().NotificationsClear(c.Request.Context(), authed)
+ errWithCode = m.processor.Timeline().NotificationsClear(c.Request.Context(), authed)
 if errWithCode != nil {
 apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
diff --git a/internal/api/client/notifications/notificationsget.go b/internal/api/client/notifications/notificationsget.go
index d2df905d2..e02ca23d8 100644
--- a/internal/api/client/notifications/notificationsget.go
+++ b/internal/api/client/notifications/notificationsget.go
@@ -142,9 +142,12 @@ import (
 // '500':
 // description: internal server error
 func (m *Module) NotificationsGETHandler(c *gin.Context) {
- authed, err := apiutil.TokenAuth(c, true, true, true, true)
- if err != nil {
- apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+ authed, errWithCode := apiutil.TokenAuth(c,
+ true, true, true, true,
+ apiutil.ScopeReadNotifications,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 return
 }
diff --git a/internal/api/client/polls/polls_get.go b/internal/api/client/polls/polls_get.go
index 55b534ccf..e432b1f8e 100644
--- a/internal/api/client/polls/polls_get.go
+++ b/internal/api/client/polls/polls_get.go
@@ -66,9 +66,11 @@ import ( // '500': // description: internal server error func (m *Module) PollGETHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - errWithCode := gtserror.NewErrorUnauthorized(err, err.Error()) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadStatuses, + ) + if errWithCode != nil { apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/polls/polls_vote.go b/internal/api/client/polls/polls_vote.go index cf9181062..0c857e2d8 100644 --- a/internal/api/client/polls/polls_vote.go +++ b/internal/api/client/polls/polls_vote.go @@ -79,9 +79,11 @@ import ( // '500': // description: internal server error func (m *Module) PollVotePOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - errWithCode := gtserror.NewErrorUnauthorized(err, err.Error()) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteStatuses, + ) + if errWithCode != nil { apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/preferences/preferencesget.go b/internal/api/client/preferences/preferencesget.go index 6b24bd006..20cfc7d36 100644 --- a/internal/api/client/preferences/preferencesget.go +++ b/internal/api/client/preferences/preferencesget.go @@ -70,9 +70,12 @@ import ( // '500': // description: internal server error func (m *Module) PreferencesGETHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, false, false, false, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } 
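Review bot: In PreferencesGETHandler the first four TokenAuth arguments change from `false, false, false, true` to `true, true, true, true`, so this hunk tightens token/app/user requirements as well as adding `apiutil.ScopeReadAccounts`, and a caller that previously reached this endpoint without a full token will now get a 401. That goes beyond what "enforce scopes" says; if it is intentional (the old combination of no token but a required account looks like a mistake) it deserves a sentence in the commit description, otherwise the old flags should be kept and only the scope added. PreferencesGETHandler's body continues below the hunk.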
diff --git a/internal/api/client/push/pushsubscriptiondelete.go b/internal/api/client/push/pushsubscriptiondelete.go index 6880c0e04..c82222248 100644 --- a/internal/api/client/push/pushsubscriptiondelete.go +++ b/internal/api/client/push/pushsubscriptiondelete.go @@ -22,7 +22,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" - "github.com/superseriousbusiness/gotosocial/internal/gtserror" ) // PushSubscriptionDELETEHandler swagger:operation DELETE /api/v1/push/subscription pushSubscriptionDelete @@ -48,9 +47,12 @@ import ( // '500': // description: internal server error func (m *Module) PushSubscriptionDELETEHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopePush, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/push/pushsubscriptionget.go b/internal/api/client/push/pushsubscriptionget.go index 35117f817..d48e43108 100644 --- a/internal/api/client/push/pushsubscriptionget.go +++ b/internal/api/client/push/pushsubscriptionget.go @@ -22,7 +22,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" - "github.com/superseriousbusiness/gotosocial/internal/gtserror" ) // PushSubscriptionGETHandler swagger:operation GET /api/v1/push/subscription pushSubscriptionGet 
@@ -54,9 +53,12 @@ import ( // '500': // description: internal server error func (m *Module) PushSubscriptionGETHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopePush, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/push/pushsubscriptionpost.go b/internal/api/client/push/pushsubscriptionpost.go index 4d739ce85..9893d7fe1 100644 --- a/internal/api/client/push/pushsubscriptionpost.go +++ b/internal/api/client/push/pushsubscriptionpost.go @@ -180,9 +180,12 @@ import ( // '500': // description: internal server error func (m *Module) PushSubscriptionPOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopePush, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/push/pushsubscriptionput.go b/internal/api/client/push/pushsubscriptionput.go index be0b020c0..53e6a72e9 100644 --- a/internal/api/client/push/pushsubscriptionput.go +++ b/internal/api/client/push/pushsubscriptionput.go 
@@ -156,9 +156,12 @@ import ( // '500': // description: internal server error func (m *Module) PushSubscriptionPUTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopePush, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/reports/reportcreate.go b/internal/api/client/reports/reportcreate.go index ffd5505ed..b9a4666ee 100644 --- a/internal/api/client/reports/reportcreate.go +++ b/internal/api/client/reports/reportcreate.go @@ -65,9 +65,12 @@ import ( // '500': // description: internal server error func (m *Module) ReportPOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteReports, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } 
@@ -88,19 +91,19 @@ func (m *Module) ReportPOSTHandler(c *gin.Context) { } if form.AccountID == "" { - err = errors.New("account_id must be set") + err := errors.New("account_id must be set") apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1) return } if !regexes.ULID.MatchString(form.AccountID) { - err = errors.New("account_id was not valid") + err := errors.New("account_id was not valid") apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1) return } if length := len([]rune(form.Comment)); length > 1000 { - err = fmt.Errorf("comment length must be no more than 1000 chars, provided comment was %d chars", length) + err := fmt.Errorf("comment length must be no more than 1000 chars, provided comment was %d chars", length) apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1) return } diff --git a/internal/api/client/reports/reportget.go b/internal/api/client/reports/reportget.go index a48614830..1219e4a12 100644 --- a/internal/api/client/reports/reportget.go +++ b/internal/api/client/reports/reportget.go @@ -46,7 +46,7 @@ import ( // // security: // - OAuth2 Bearer: -// - read:reports +// - read:accounts // // responses: // '200': @@ -64,9 +64,12 @@ import ( // '500': // description: internal server error func (m *Module) ReportGETHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/reports/reportsget.go b/internal/api/client/reports/reportsget.go index b9315fa40..65adf664f 100644 --- a/internal/api/client/reports/reportsget.go 
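Review bot: Gating ReportGETHandler on `apiutil.ScopeReadAccounts` lets any client holding the everyday profile-reading scope retrieve the user's filed reports, which are more sensitive than account data (free-text comments about other users, and presumably the reported target and statuses); the swagger block in the same file is changed from `read:reports` to `read:accounts` to match. If the reason is that `read:reports` is not in Mastodon's client scope list, a short comment above the call such as `// No read:reports scope exists in the Mastodon scope set; read:accounts is the closest fit.` would stop the next reader from "fixing" it back, and a dedicated GoToSocial scope would be the tighter option. The same choice is made in reportsget.go in the following hunks.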
+++ b/internal/api/client/reports/reportsget.go @@ -93,7 +93,7 @@ import ( // // security: // - OAuth2 Bearer: -// - read:reports +// - read:accounts // // responses: // '200': @@ -118,9 +118,12 @@ import ( // '500': // description: internal server error func (m *Module) ReportsGETHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/search/searchget.go b/internal/api/client/search/searchget.go index 09e80e2a6..05a64f244 100644 --- a/internal/api/client/search/searchget.go +++ b/internal/api/client/search/searchget.go @@ -177,9 +177,12 @@ func (m *Module) SearchGETHandler(c *gin.Context) { return } - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadSearch, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/statuses/statusbookmark.go b/internal/api/client/statuses/statusbookmark.go index aafa82465..059ed7e57 100644 --- a/internal/api/client/statuses/statusbookmark.go +++ b/internal/api/client/statuses/statusbookmark.go @@ -47,7 +47,7 @@ import ( // // security: // - OAuth2 Bearer: -// - write:statuses +// - write:bookmarks // // responses: // '200': 
@@ -68,9 +68,12 @@ import ( // '500': // description: internal server error func (m *Module) StatusBookmarkPOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteBookmarks, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/statuses/statusboost.go b/internal/api/client/statuses/statusboost.go index ae0183695..fb4c5e5ee 100644 --- a/internal/api/client/statuses/statusboost.go +++ b/internal/api/client/statuses/statusboost.go @@ -71,9 +71,12 @@ import ( // '500': // description: internal server error func (m *Module) StatusBoostPOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteStatuses, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/statuses/statusboostedby.go b/internal/api/client/statuses/statusboostedby.go index c10ab28ef..9ee82c709 100644 --- a/internal/api/client/statuses/statusboostedby.go +++ b/internal/api/client/statuses/statusboostedby.go 
@@ -64,9 +64,12 @@ import ( // '404': // description: not found func (m *Module) StatusBoostedByGETHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/statuses/statuscontext.go b/internal/api/client/statuses/statuscontext.go index 95d23fe93..cae48e938 100644 --- a/internal/api/client/statuses/statuscontext.go +++ b/internal/api/client/statuses/statuscontext.go @@ -70,9 +70,12 @@ import ( // '500': // description: internal server error func (m *Module) StatusContextGETHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadStatuses, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/statuses/statuscreate.go b/internal/api/client/statuses/statuscreate.go index 7f9f90b1d..686e29ec4 100644 --- a/internal/api/client/statuses/statuscreate.go +++ b/internal/api/client/statuses/statuscreate.go 
@@ -261,9 +261,12 @@ import ( // '501': // description: scheduled_at was set, but this feature is not yet implemented func (m *Module) StatusCreatePOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteStatuses, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/statuses/statusdelete.go b/internal/api/client/statuses/statusdelete.go index 114b501c8..c5ff046f7 100644 --- a/internal/api/client/statuses/statusdelete.go +++ b/internal/api/client/statuses/statusdelete.go @@ -70,9 +70,12 @@ import ( // '500': // description: internal server error func (m *Module) StatusDELETEHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteStatuses, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/statuses/statusedit.go b/internal/api/client/statuses/statusedit.go index f3d70b47e..dbd2224f7 100644 --- a/internal/api/client/statuses/statusedit.go +++ b/internal/api/client/statuses/statusedit.go 
@@ -155,9 +155,12 @@ import ( // '500': // description: internal server error func (m *Module) StatusEditPUTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteStatuses, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/statuses/statusfave.go b/internal/api/client/statuses/statusfave.go index 0d32f106f..23ff2d7a1 100644 --- a/internal/api/client/statuses/statusfave.go +++ b/internal/api/client/statuses/statusfave.go @@ -67,9 +67,12 @@ import ( // '500': // description: internal server error func (m *Module) StatusFavePOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteStatuses, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/statuses/statusfavedby.go b/internal/api/client/statuses/statusfavedby.go index 14f21f229..a4a0611ce 100644 --- a/internal/api/client/statuses/statusfavedby.go +++ b/internal/api/client/statuses/statusfavedby.go 
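Review bot: StatusFavePOSTHandler requires `apiutil.ScopeWriteStatuses` while StatusUnfavePOSTHandler, later in this diff, is documented and enforced as `write:favourites`, so a token scoped only to `write:favourites` can unfavourite but not favourite, and a `write:statuses` token can favourite but not undo it. Mastodon gates both favourite and unfavourite on `write:favourites`, so the line here should read `apiutil.ScopeWriteFavourites,`. The swagger security block for this handler sits above the hunk and is not visible; it presumably still says `write:statuses` and should change in step.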
@@ -68,9 +68,12 @@ import ( // '500': // description: internal server error func (m *Module) StatusFavedByGETHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/statuses/statusget.go b/internal/api/client/statuses/statusget.go index d6c26a9bb..f8fb2cb50 100644 --- a/internal/api/client/statuses/statusget.go +++ b/internal/api/client/statuses/statusget.go @@ -67,9 +67,12 @@ import ( // '500': // description: internal server error func (m *Module) StatusGETHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadStatuses, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/statuses/statushistory.go b/internal/api/client/statuses/statushistory.go index 399e19dce..dc5932ff7 100644 --- a/internal/api/client/statuses/statushistory.go +++ b/internal/api/client/statuses/statushistory.go 
@@ -69,9 +69,12 @@ import ( // '500': // description: internal server error func (m *Module) StatusHistoryGETHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadStatuses, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/statuses/statusmute.go b/internal/api/client/statuses/statusmute.go index f784ae35a..42df112a3 100644 --- a/internal/api/client/statuses/statusmute.go +++ b/internal/api/client/statuses/statusmute.go @@ -71,9 +71,12 @@ import ( // '500': // description: internal server error func (m *Module) StatusMutePOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteMutes, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/statuses/statuspin.go b/internal/api/client/statuses/statuspin.go index e9121ec0b..0c4c681a6 100644 --- a/internal/api/client/statuses/statuspin.go +++ b/internal/api/client/statuses/statuspin.go 
@@ -73,9 +73,12 @@ import ( // '500': // description: internal server error func (m *Module) StatusPinPOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/statuses/statussource.go b/internal/api/client/statuses/statussource.go index 604a221ca..fd15e8719 100644 --- a/internal/api/client/statuses/statussource.go +++ b/internal/api/client/statuses/statussource.go @@ -67,9 +67,12 @@ import ( // '500': // description: internal server error func (m *Module) StatusSourceGETHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadStatuses, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/statuses/statusunbookmark.go b/internal/api/client/statuses/statusunbookmark.go index f37af4eca..ca4e669a7 100644 --- a/internal/api/client/statuses/statusunbookmark.go +++ b/internal/api/client/statuses/statusunbookmark.go @@ -47,7 +47,7 @@ import ( // // security: // - OAuth2 Bearer: -// - write:statuses +// - write:bookmarks // // responses: // '200': 
@@ -68,9 +68,12 @@ import ( // '500': // description: internal server error func (m *Module) StatusUnbookmarkPOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteBookmarks, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/statuses/statusunboost.go b/internal/api/client/statuses/statusunboost.go index ecf831f1e..c7fd00ab7 100644 --- a/internal/api/client/statuses/statusunboost.go +++ b/internal/api/client/statuses/statusunboost.go @@ -68,9 +68,12 @@ import ( // '500': // description: internal server error func (m *Module) StatusUnboostPOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteStatuses, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/statuses/statusunfave.go b/internal/api/client/statuses/statusunfave.go index 2e2f187a9..d7dbe10ce 100644 --- a/internal/api/client/statuses/statusunfave.go +++ b/internal/api/client/statuses/statusunfave.go @@ -47,7 +47,7 @@ import ( // // security: // - OAuth2 Bearer: -// - write:statuses +// - write:favourites // // responses: // '200': 
@@ -67,9 +67,12 @@ import ( // '500': // description: internal server error func (m *Module) StatusUnfavePOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteFavourites, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/statuses/statusunmute.go b/internal/api/client/statuses/statusunmute.go index 469d5b92b..76018fd27 100644 --- a/internal/api/client/statuses/statusunmute.go +++ b/internal/api/client/statuses/statusunmute.go @@ -71,9 +71,12 @@ import ( // '500': // description: internal server error func (m *Module) StatusUnmutePOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteMutes, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/statuses/statusunpin.go b/internal/api/client/statuses/statusunpin.go index e94d4ebe2..32cb913e0 100644 --- a/internal/api/client/statuses/statusunpin.go +++ b/internal/api/client/statuses/statusunpin.go 
@@ -68,9 +68,12 @@ import ( // '500': // description: internal server error func (m *Module) StatusUnpinPOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/streaming/stream.go b/internal/api/client/streaming/stream.go index 59f9fb749..e6d1b80f7 100644 --- a/internal/api/client/streaming/stream.go +++ b/internal/api/client/streaming/stream.go @@ -186,9 +186,8 @@ func (m *Module) StreamGETHandler(c *gin.Context) { // No explicit token was provided: // try regular oauth as a last resort. - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - errWithCode := gtserror.NewErrorUnauthorized(err, err.Error()) + authed, errWithCode := apiutil.TokenAuth(c, true, true, true, true) + if errWithCode != nil { apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/tags/follow.go b/internal/api/client/tags/follow.go index 2e2de631a..07804013a 100644 --- a/internal/api/client/tags/follow.go +++ b/internal/api/client/tags/follow.go @@ -22,7 +22,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" - "github.com/superseriousbusiness/gotosocial/internal/gtserror" ) // FollowTagPOSTHandler swagger:operation POST /api/v1/tags/{tag_name}/follow followTag 
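Review bot: The fallback path in StreamGETHandler calls `apiutil.TokenAuth(c, true, true, true, true)` with no scope, and with the new variadic signature that appears to mean no scope check at all, so a token scoped only to e.g. `push` or `write:reports` can open the stream and receive the user's statuses and notifications. Mastodon requires `read` / `read:statuses` for the streaming API, so `apiutil.ScopeReadStatuses` is the minimal change here, and if the stream also carries notification events the notification scope needs a look too. The explicit-token branch above this hunk (query/header token) is outside the view and presumably needs the same check; StreamGETHandler starts and ends outside the hunk.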
@@ -64,9 +63,12 @@ import ( // '500': // description: internal server error func (m *Module) FollowTagPOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteFollows, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/tags/get.go b/internal/api/client/tags/get.go index 072ab7eef..a6a433d7d 100644 --- a/internal/api/client/tags/get.go +++ b/internal/api/client/tags/get.go @@ -22,7 +22,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" - "github.com/superseriousbusiness/gotosocial/internal/gtserror" ) // TagGETHandler swagger:operation GET /api/v1/tags/{tag_name} getTag @@ -39,8 +38,7 @@ import ( // - application/json // // security: -// - OAuth2 Bearer: -// - read:follows +// - OAuth2 Bearer: [] // // parameters: // - @@ -66,9 +64,11 @@ import ( // '500': // description: internal server error func (m *Module) TagGETHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/tags/unfollow.go b/internal/api/client/tags/unfollow.go index 4fc2d725d..49ebd463e 100644 --- a/internal/api/client/tags/unfollow.go +++ b/internal/api/client/tags/unfollow.go 
@@ -22,7 +22,6 @@ import ( "github.com/gin-gonic/gin" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" - "github.com/superseriousbusiness/gotosocial/internal/gtserror" ) // UnfollowTagPOSTHandler swagger:operation POST /api/v1/tags/{tag_name}/unfollow unfollowTag @@ -66,9 +65,12 @@ import ( // '500': // description: internal server error func (m *Module) UnfollowTagPOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteFollows, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/timelines/home.go b/internal/api/client/timelines/home.go index fe7b468cc..8e957d498 100644 --- a/internal/api/client/timelines/home.go +++ b/internal/api/client/timelines/home.go @@ -106,9 +106,12 @@ import ( // '400': // description: bad request func (m *Module) HomeTimelineGETHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadStatuses, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/timelines/list.go b/internal/api/client/timelines/list.go index 8da6a0930..b02489d6c 100644 --- a/internal/api/client/timelines/list.go +++ b/internal/api/client/timelines/list.go 
@@ -105,9 +105,12 @@ import ( // '400': // description: bad request func (m *Module) ListTimelineGETHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadLists, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/timelines/public.go b/internal/api/client/timelines/public.go index 0b31caaa9..d6df36f09 100644 --- a/internal/api/client/timelines/public.go +++ b/internal/api/client/timelines/public.go @@ -107,19 +107,25 @@ import ( // '400': // description: bad request func (m *Module) PublicTimelineGETHandler(c *gin.Context) { - var authed *apiutil.Auth - var err error - + var ( + authed *apiutil.Auth + errWithCode gtserror.WithCode + ) if config.GetInstanceExposePublicTimeline() { // If the public timeline is allowed to be exposed, still check if we // can extract various authentication properties, but don't require them. - authed, err = apiutil.TokenAuth(c, false, false, false, false) + authed, errWithCode = apiutil.TokenAuth(c, + false, false, false, false, + ) } else { - authed, err = apiutil.TokenAuth(c, true, true, true, true) + authed, errWithCode = apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadStatuses, + ) } - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/timelines/tag.go b/internal/api/client/timelines/tag.go index f43eeca30..8c3a86f81 100644 --- a/internal/api/client/timelines/tag.go +++ b/internal/api/client/timelines/tag.go 
@@ -107,9 +107,12 @@ import ( // '400': // description: bad request func (m *Module) TagTimelineGETHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadStatuses, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/user/emailchange.go b/internal/api/client/user/emailchange.go index 26fc9b107..09d5e8fde 100644 --- a/internal/api/client/user/emailchange.go +++ b/internal/api/client/user/emailchange.go @@ -45,7 +45,7 @@ import ( // // security: // - OAuth2 Bearer: -// - write:user +// - write:accounts // // responses: // '202': @@ -65,9 +65,12 @@ import ( // '500': // description: internal error func (m *Module) EmailChangePOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/user/passwordchange.go b/internal/api/client/user/passwordchange.go index 76c9ad5bc..8b1c7e29a 100644 --- a/internal/api/client/user/passwordchange.go +++ b/internal/api/client/user/passwordchange.go @@ -51,7 +51,7 @@ const OIDCPasswordHelp = "password change request cannot be processed by GoToSoc // // security: // - OAuth2 Bearer: -// - write:user +// - write:accounts // // responses: // '200': 
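Review bot: EmailChangePOSTHandler is now gated on `apiutil.ScopeWriteAccounts`, the same scope every client that edits a display name or avatar asks for, yet changing the email address redirects the account-recovery channel and so is takeover-grade; the swagger block in the same file moves from `write:user` to `write:accounts`. A user consenting to "update your profile" is unlikely to expect that to cover re-pointing their email. If the handler already demands the current password in the form (not visible in this hunk) that mitigates it and should be stated in the swagger description; otherwise keeping a distinct scope for this operation, as the old `write:user` documentation implied, would be safer.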
@@ -69,9 +69,12 @@ const OIDCPasswordHelp = "password change request cannot be processed by GoToSoc // '500': // description: internal error func (m *Module) PasswordChangePOSTHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeWriteAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/client/user/userget.go b/internal/api/client/user/userget.go index 73a538a12..c82a6d644 100644 --- a/internal/api/client/user/userget.go +++ b/internal/api/client/user/userget.go @@ -38,7 +38,7 @@ import ( // // security: // - OAuth2 Bearer: -// - read:user +// - read:accounts // // responses: // '200': @@ -56,9 +56,12 @@ import ( // '500': // description: internal error func (m *Module) UserGETHandler(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, true, true, true, true) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, + true, true, true, true, + apiutil.ScopeReadAccounts, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/fileserver/servefile.go b/internal/api/fileserver/servefile.go index 3ae87a0cc..56285ea48 100644 --- a/internal/api/fileserver/servefile.go +++ b/internal/api/fileserver/servefile.go 
@@ -38,9 +38,9 @@ import ( // Note: to mitigate scraping attempts, no information should be given out on a bad request except "404 page not found". // Don't give away account ids or media ids or anything like that; callers shouldn't be able to infer anything. func (m *Module) ServeFile(c *gin.Context) { - authed, err := apiutil.TokenAuth(c, false, false, false, false) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorNotFound(err), m.processor.InstanceGetV1) + authed, errWithCode := apiutil.TokenAuth(c, false, false, false, false) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } diff --git a/internal/api/util/authtoken.go b/internal/api/util/auth.go similarity index 53% rename from internal/api/util/authtoken.go rename to internal/api/util/auth.go index 40d9ffd50..b4154ff4d 100644 --- a/internal/api/util/authtoken.go +++ b/internal/api/util/auth.go @@ -2,8 +2,11 @@ package util import ( "errors" + "slices" + "strings" "github.com/gin-gonic/gin" + "github.com/superseriousbusiness/gotosocial/internal/gtserror" "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" "github.com/superseriousbusiness/gotosocial/internal/oauth" "github.com/superseriousbusiness/oauth2/v4" @@ -36,17 +39,21 @@ func TokenAuth( requireApp bool, requireUser bool, requireAccount bool, -) (*Auth, error) { - ctx := c.Copy() - a := &Auth{} - var i interface{} - var ok bool + requireScope ...Scope, +) (*Auth, gtserror.WithCode) { + var ( + ctx = c.Copy() + a = &Auth{} + i interface{} + ok bool + ) i, ok = ctx.Get(oauth.SessionAuthorizedToken) if ok { parsed, ok := i.(oauth2.TokenInfo) if !ok { - return nil, errors.New("could not parse token from session context") + const errText = "could not parse token from session context" + return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText) } a.Token = parsed } 
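Review bot: ServeFile now passes TokenAuth's `errWithCode` straight to ErrorHandler, but TokenAuth (see auth.go below) builds those as 401 Unauthorized with messages such as "could not parse token from session context", which contradicts the comment directly above the function that nothing but "404 page not found" may be returned here. The removed line deliberately re-wrapped the error with `gtserror.NewErrorNotFound(err)`; the new code should do the same, e.g. `apiutil.ErrorHandler(c, gtserror.NewErrorNotFound(errWithCode), m.processor.InstanceGetV1)` if `WithCode` satisfies error, otherwise wrap its underlying error. Whether the bare `WithCode` value can be passed to NewErrorNotFound is not visible in this diff.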
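Review bot: The new variadic `requireScope ...Scope` parameter on TokenAuth is undocumented, and its semantics (checked only when non-empty, any one listed scope suffices, broader scopes satisfy narrower ones, failure is 403 rather than 401) are only discoverable from the body several hunks below. TokenAuth's doc comment starts above this hunk; add a line such as `// requireScope, when non-empty, lists scopes of which the token must carry at least one; insufficient scope yields 403 Forbidden, all other failures 401 Unauthorized.` The `const errText` / `gtserror.NewErrorUnauthorized(errors.New(errText), errText)` pair is repeated in this and the following hunks and would read better as a small unexported helper taking the text.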
@@ -55,7 +62,8 @@ func TokenAuth( if ok { parsed, ok := i.(*gtsmodel.Application) if !ok { - return nil, errors.New("could not parse application from session context") + const errText = "could not parse application from session context" + return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText) } a.Application = parsed } @@ -64,7 +72,8 @@ func TokenAuth( if ok { parsed, ok := i.(*gtsmodel.User) if !ok { - return nil, errors.New("could not parse user from session context") + const errText = "could not parse user from session context" + return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText) } a.User = parsed } 
@@ -73,25 +82,53 @@ func TokenAuth( if ok { parsed, ok := i.(*gtsmodel.Account) if !ok { - return nil, errors.New("could not parse account from session context") + const errText = "could not parse account from session context" + return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText) } a.Account = parsed } if requireToken && a.Token == nil { - return nil, errors.New("token not supplied") + const errText = "token not supplied" + return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText) } if requireApp && a.Application == nil { - return nil, errors.New("application not supplied") + const errText = "application not supplied" + return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText) } if requireUser && a.User == nil { - return nil, errors.New("user not supplied or not authorized") + const errText = "user not supplied or not authorized" + return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText) } if requireAccount && a.Account == nil { - return nil, errors.New("account not supplied or not authorized") + const errText = "account not supplied or not authorized" + return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText) + } + + if len(requireScope) != 0 { + // We need to match one of the + // required scopes, check if we can. + hasScopes := strings.Split(a.Token.GetScope(), " ") + scopeOK := slices.ContainsFunc( + hasScopes, + func(hasScope string) bool { + for _, requiredScope := range requireScope { + if Scope(hasScope).Permits(requiredScope) { + // Got it. + return true + } + } + return false + }, + ) + + if !scopeOK { + const errText = "token has insufficient scope permission" + return nil, gtserror.NewErrorForbidden(errors.New(errText), errText) + } } return a, nil diff --git a/internal/api/util/scopes.go b/internal/api/util/scopes.go new file mode 100644 index 000000000..285d8c4d0 --- /dev/null +++ b/internal/api/util/scopes.go 
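Review bot: The scope check dereferences `a.Token.GetScope()` without checking that a token was actually supplied, and `a.Token` is only guaranteed non-nil when `requireToken` is true; a caller passing `false` together with a scope (the signature allows it) would panic on an anonymous request. Guard for a nil token before the split, and use `strings.Fields` rather than `strings.Split(..., " ")` so that repeated or leading spaces in the stored scope string do not produce empty entries. All callers visible in this diff do pass `requireToken=true` with scopes, so this is a latent rather than currently reachable bug.
```go
	if len(requireScope) != 0 {
		// Scope checks only make sense against a token; callers may pass
		// requireToken=false together with a scope, so guard here rather
		// than dereferencing a nil a.Token.
		if a.Token == nil {
			const errText = "token not supplied"
			return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText)
		}
		hasScopes := strings.Fields(a.Token.GetScope())
		// … unchanged: slices.ContainsFunc scope match and 403 on failure …
```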
@@ -0,0 +1,107 @@ +// GoToSocial +// Copyright (C) GoToSocial Authors admin@gotosocial.org +// SPDX-License-Identifier: AGPL-3.0-or-later +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. +// +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see . + +package util + +import "strings" + +type Scope string + +const ( + /* Sub-scopes / scope components */ + + scopeAccounts = "accounts" + scopeBlocks = "blocks" + scopeBookmarks = "bookmarks" + scopeConversations = "conversations" + scopeDomainAllows = "domain_allows" + scopeDomainBlocks = "domain_blocks" + scopeFavourites = "favourites" + scopeFilters = "filters" + scopeFollows = "follows" + scopeLists = "lists" + scopeMedia = "media" + scopeMutes = "mutes" + scopeNotifications = "notifications" + scopeReports = "reports" + scopeSearch = "search" + scopeStatuses = "statuses" + + /* Top-level scopes */ + + ScopeProfile Scope = "profile" + ScopePush Scope = "push" + ScopeRead Scope = "read" + ScopeWrite Scope = "write" + ScopeAdmin Scope = "admin" + ScopeAdminRead Scope = ScopeAdmin + ":" + ScopeRead + ScopeAdminWrite Scope = ScopeAdmin + ":" + ScopeWrite + + /* Granular scopes */ + + ScopeReadAccounts Scope = ScopeRead + ":" + scopeAccounts + ScopeWriteAccounts Scope = ScopeWrite + ":" + scopeAccounts + ScopeReadBlocks Scope = ScopeRead + ":" + scopeBlocks + ScopeWriteBlocks Scope = ScopeWrite + ":" + scopeBlocks + ScopeReadBookmarks Scope = ScopeRead + ":" + scopeBookmarks + 
ScopeWriteBookmarks Scope = ScopeWrite + ":" + scopeBookmarks + ScopeWriteConversations Scope = ScopeWrite + ":" + scopeConversations + ScopeReadFavourites Scope = ScopeRead + ":" + scopeFavourites + ScopeWriteFavourites Scope = ScopeWrite + ":" + scopeFavourites + ScopeReadFilters Scope = ScopeRead + ":" + scopeFilters + ScopeWriteFilters Scope = ScopeWrite + ":" + scopeFilters + ScopeReadFollows Scope = ScopeRead + ":" + scopeFollows + ScopeWriteFollows Scope = ScopeWrite + ":" + scopeFollows + ScopeReadLists Scope = ScopeRead + ":" + scopeLists + ScopeWriteLists Scope = ScopeWrite + ":" + scopeLists + ScopeWriteMedia Scope = ScopeWrite + ":" + scopeMedia + ScopeReadMutes Scope = ScopeRead + ":" + scopeMutes + ScopeWriteMutes Scope = ScopeWrite + ":" + scopeMutes + ScopeReadNotifications Scope = ScopeRead + ":" + scopeNotifications + ScopeWriteNotifications Scope = ScopeWrite + ":" + scopeNotifications + ScopeWriteReports Scope = ScopeWrite + ":" + scopeReports + ScopeReadSearch Scope = ScopeRead + ":" + scopeSearch + ScopeReadStatuses Scope = ScopeRead + ":" + scopeStatuses + ScopeWriteStatuses Scope = ScopeWrite + ":" + scopeStatuses + ScopeAdminReadAccounts Scope = ScopeAdminRead + ":" + scopeAccounts + ScopeAdminWriteAccounts Scope = ScopeAdminWrite + ":" + scopeAccounts + ScopeAdminReadReports Scope = ScopeAdminRead + ":" + scopeReports + ScopeAdminWriteReports Scope = ScopeAdminWrite + ":" + scopeReports + ScopeAdminReadDomainAllows Scope = ScopeAdminRead + ":" + scopeDomainAllows + ScopeAdminWriteDomainAllows Scope = ScopeAdminWrite + ":" + scopeDomainAllows + ScopeAdminReadDomainBlocks Scope = ScopeAdminRead + ":" + scopeDomainBlocks + ScopeAdminWriteDomainBlocks Scope = ScopeAdminWrite + ":" + scopeDomainBlocks +) + +// Permits returns true if the +// scope permits the wanted scope. 
+func (has Scope) Permits(wanted Scope) bool {
+ switch {
+ case has == ScopeRead:
+ return strings.HasPrefix(string(wanted), string(ScopeRead))
+ case has == ScopeWrite:
+ return strings.HasPrefix(string(wanted), string(ScopeWrite))
+ case has == ScopeAdmin:
+ return strings.HasPrefix(string(wanted), string(ScopeAdmin))
+ case has == ScopeAdminRead:
+ return strings.HasPrefix(string(wanted), string(ScopeAdminRead))
+ case has == ScopeAdminWrite:
+ return strings.HasPrefix(string(wanted), string(ScopeAdminWrite))
+ default:
+ return has == wanted
+ }
+}
diff --git a/internal/api/util/scopes_test.go b/internal/api/util/scopes_test.go
new file mode 100644
index 000000000..7eed31af6
--- /dev/null
+++ b/internal/api/util/scopes_test.go
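Review bot: Permits matches hierarchical scopes by bare string prefix, so `read` would also permit any future scope whose name merely starts with "read", and the same holds for the other four broad scopes; the hierarchy is delimited by ":" so the check should require that separator. The five cases are otherwise identical and collapse into one: `switch has { case ScopeRead, ScopeWrite, ScopeAdmin, ScopeAdminRead, ScopeAdminWrite:` followed by `return wanted == has || strings.HasPrefix(string(wanted), string(has)+":")`, keeping `default: return has == wanted`. The exported `type Scope string` higher in this hunk has no doc comment; something like `// Scope is a single OAuth2 scope string; broad scopes (read, write, admin, admin:read, admin:write) permit their ":"-separated sub-scopes, see Permits.` would do.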
@@ -0,0 +1,96 @@ +// GoToSocial +// Copyright (C) GoToSocial Authors admin@gotosocial.org +// SPDX-License-Identifier: AGPL-3.0-or-later +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. +// +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see . + +package util_test + +import ( + "testing" + + "github.com/superseriousbusiness/gotosocial/internal/api/util" +) + +func TestScopes(t *testing.T) { + for _, test := range []struct { + HasScope util.Scope + WantsScope util.Scope + Expect bool + }{ + { + HasScope: util.ScopeRead, + WantsScope: util.ScopeRead, + Expect: true, + }, + { + HasScope: util.ScopeRead, + WantsScope: util.ScopeWrite, + Expect: false, + }, + { + HasScope: util.ScopeWrite, + WantsScope: util.ScopeWrite, + Expect: true, + }, + { + HasScope: util.ScopeWrite, + WantsScope: util.ScopeRead, + Expect: false, + }, + { + HasScope: util.ScopePush, + WantsScope: util.ScopePush, + Expect: true, + }, + { + HasScope: util.ScopeAdmin, + WantsScope: util.ScopeAdmin, + Expect: true, + }, + { + HasScope: util.ScopeProfile, + WantsScope: util.ScopeProfile, + Expect: true, + }, + { + HasScope: util.ScopeReadAccounts, + WantsScope: util.ScopeWriteAccounts, + Expect: false, + }, + { + HasScope: util.ScopeWriteAccounts, + WantsScope: util.ScopeWriteAccounts, + Expect: true, + }, + { + HasScope: util.ScopeWrite, + WantsScope: util.ScopeWriteAccounts, + Expect: true, + }, + { + HasScope: util.ScopeRead, + WantsScope: util.ScopeWriteAccounts, + 
Expect: false, + }, + } { + res := test.HasScope.Permits(test.WantsScope) + if res != test.Expect { + t.Errorf( + "did not get expected result %v for input: has %s, wants %s", + test.Expect, test.HasScope, test.WantsScope, + ) + } + } +} diff --git a/internal/processing/stream/authorize.go b/internal/processing/stream/authorize.go index 0baea29f1..cedd21e0b 100644 --- a/internal/processing/stream/authorize.go +++ b/internal/processing/stream/authorize.go @@ -19,8 +19,12 @@ package stream import ( "context" + "errors" "fmt" + "slices" + "strings" + apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/db" "github.com/superseriousbusiness/gotosocial/internal/gtserror" "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" @@ -58,5 +62,22 @@ func (p *Processor) Authorize(ctx context.Context, accessToken string) (*gtsmode return nil, gtserror.NewErrorInternalError(err) } + // Ensure read scope. + // + // TODO: make this more granular + // depending on stream type. + hasScopes := strings.Split(ti.GetScope(), " ") + scopeOK := slices.ContainsFunc( + hasScopes, + func(hasScope string) bool { + return apiutil.Scope(hasScope).Permits(apiutil.ScopeRead) + }, + ) + + if !scopeOK { + const errText = "token has insufficient scope permission" + return nil, gtserror.NewErrorForbidden(errors.New(errText), errText) + } + return acct, nil } diff --git a/web/source/settings/components/authorization/login.tsx b/web/source/settings/components/authorization/login.tsx index 870e9c343..28ed7953c 100644 --- a/web/source/settings/components/authorization/login.tsx +++ b/web/source/settings/components/authorization/login.tsx 
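Review bot: TestScopes never exercises the hierarchical admin scopes or the reverse direction, which is where Permits is most likely to be wrong: there is no case showing that `admin` permits `admin:read:accounts`, that `admin:read` does not permit `admin:write:accounts`, or that a granular scope does not permit its parent. Adding `{HasScope: util.ScopeAdmin, WantsScope: util.ScopeAdminReadAccounts, Expect: true}`, `{HasScope: util.ScopeAdminRead, WantsScope: util.ScopeAdminWriteAccounts, Expect: false}` and `{HasScope: util.ScopeReadAccounts, WantsScope: util.ScopeRead, Expect: false}` would pin the authorization boundary the rest of this commit relies on.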
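Review bot: The scope check added to Processor.Authorize duplicates the split-then-ContainsFunc logic and the "token has insufficient scope permission" text from TokenAuth in auth.go, so the two can drift apart (the nil/empty handling and the separator choice are already decided in two places). Factoring a helper into apiutil, e.g. `func HasScope(scopes string, wanted ...Scope) bool` that both call sites use, keeps the policy in one place; the `ti` variable the new code reads is defined above this hunk, so its non-nil-ness at this point cannot be confirmed from the diff. The TODO about per-stream-type granularity is worth keeping since every stream currently only needs the broad `read` scope.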
@@ -31,7 +31,7 @@ export default function Login({ }) { instance: useTextInput("instance", { defaultValue: window.location.origin }), - scopes: useValue("scopes", "user admin"), + scopes: useValue("scopes", "read write admin"), }; const [formSubmit, result] = useFormSubmit(form, useAuthorizeFlowMutation(), {