enforce scopes

internal/api/util/auth.go

@@ -2,8 +2,11 @@ package util
 
 import (
 	"errors"
+	"slices"
+	"strings"
 
 	"github.com/gin-gonic/gin"
+	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
 	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
 	"github.com/superseriousbusiness/gotosocial/internal/oauth"
 	"github.com/superseriousbusiness/oauth2/v4"
@@ -36,17 +39,21 @@ func TokenAuth(
 	requireApp bool,
 	requireUser bool,
 	requireAccount bool,
-) (*Auth, error) {
-	ctx := c.Copy()
-	a := &Auth{}
-	var i interface{}
-	var ok bool
+	requireScope ...Scope,
+) (*Auth, gtserror.WithCode) {
+	var (
+		ctx = c.Copy()
+		a   = &Auth{}
+		i   interface{}
+		ok  bool
+	)
 
 	i, ok = ctx.Get(oauth.SessionAuthorizedToken)
 	if ok {
 		parsed, ok := i.(oauth2.TokenInfo)
 		if !ok {
-			return nil, errors.New("could not parse token from session context")
+			const errText = "could not parse token from session context"
+			return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText)
 		}
 		a.Token = parsed
 	}
@@ -55,7 +62,8 @@ func TokenAuth(
 	if ok {
 		parsed, ok := i.(*gtsmodel.Application)
 		if !ok {
-			return nil, errors.New("could not parse application from session context")
+			const errText = "could not parse application from session context"
+			return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText)
 		}
 		a.Application = parsed
 	}
@@ -64,7 +72,8 @@ func TokenAuth(
 	if ok {
 		parsed, ok := i.(*gtsmodel.User)
 		if !ok {
-			return nil, errors.New("could not parse user from session context")
+			const errText = "could not parse user from session context"
+			return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText)
 		}
 		a.User = parsed
 	}
@@ -73,25 +82,53 @@ func TokenAuth(
 	if ok {
 		parsed, ok := i.(*gtsmodel.Account)
 		if !ok {
-			return nil, errors.New("could not parse account from session context")
+			const errText = "could not parse account from session context"
+			return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText)
 		}
 		a.Account = parsed
 	}
 
 	if requireToken && a.Token == nil {
-		return nil, errors.New("token not supplied")
+		const errText = "token not supplied"
+		return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText)
 	}
 
 	if requireApp && a.Application == nil {
-		return nil, errors.New("application not supplied")
+		const errText = "application not supplied"
+		return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText)
 	}
 
 	if requireUser && a.User == nil {
-		return nil, errors.New("user not supplied or not authorized")
+		const errText = "user not supplied or not authorized"
+		return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText)
 	}
 
 	if requireAccount && a.Account == nil {
-		return nil, errors.New("account not supplied or not authorized")
+		const errText = "account not supplied or not authorized"
+		return nil, gtserror.NewErrorUnauthorized(errors.New(errText), errText)
+	}
+
+	if len(requireScope) != 0 {
+		// We need to match one of the
+		// required scopes, check if we can.
+		hasScopes := strings.Split(a.Token.GetScope(), " ")
+		scopeOK := slices.ContainsFunc(
+			hasScopes,
+			func(hasScope string) bool {
+				for _, requiredScope := range requireScope {
+					if Scope(hasScope).Permits(requiredScope) {
+						// Got it.
+						return true
+					}
+				}
+				return false
+			},
+		)
+
+		if !scopeOK {
+			const errText = "token has insufficient scope permission"
+			return nil, gtserror.NewErrorForbidden(errors.New(errText), errText)
+		}
 	}
 
 	return a, nil

internal/api/util/scopes.go

@@ -0,0 +1,107 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package util
+
+import "strings"
+
+type Scope string
+
+const (
+	/* Sub-scopes / scope components */
+
+	scopeAccounts      = "accounts"
+	scopeBlocks        = "blocks"
+	scopeBookmarks     = "bookmarks"
+	scopeConversations = "conversations"
+	scopeDomainAllows  = "domain_allows"
+	scopeDomainBlocks  = "domain_blocks"
+	scopeFavourites    = "favourites"
+	scopeFilters       = "filters"
+	scopeFollows       = "follows"
+	scopeLists         = "lists"
+	scopeMedia         = "media"
+	scopeMutes         = "mutes"
+	scopeNotifications = "notifications"
+	scopeReports       = "reports"
+	scopeSearch        = "search"
+	scopeStatuses      = "statuses"
+
+	/* Top-level scopes */
+
+	ScopeProfile    Scope = "profile"
+	ScopePush       Scope = "push"
+	ScopeRead       Scope = "read"
+	ScopeWrite      Scope = "write"
+	ScopeAdmin      Scope = "admin"
+	ScopeAdminRead  Scope = ScopeAdmin + ":" + ScopeRead
+	ScopeAdminWrite Scope = ScopeAdmin + ":" + ScopeWrite
+
+	/* Granular scopes */
+
+	ScopeReadAccounts           Scope = ScopeRead + ":" + scopeAccounts
+	ScopeWriteAccounts          Scope = ScopeWrite + ":" + scopeAccounts
+	ScopeReadBlocks             Scope = ScopeRead + ":" + scopeBlocks
+	ScopeWriteBlocks            Scope = ScopeWrite + ":" + scopeBlocks
+	ScopeReadBookmarks          Scope = ScopeRead + ":" + scopeBookmarks
+	ScopeWriteBookmarks         Scope = ScopeWrite + ":" + scopeBookmarks
+	ScopeWriteConversations     Scope = ScopeWrite + ":" + scopeConversations
+	ScopeReadFavourites         Scope = ScopeRead + ":" + scopeFavourites
+	ScopeWriteFavourites        Scope = ScopeWrite + ":" + scopeFavourites
+	ScopeReadFilters            Scope = ScopeRead + ":" + scopeFilters
+	ScopeWriteFilters           Scope = ScopeWrite + ":" + scopeFilters
+	ScopeReadFollows            Scope = ScopeRead + ":" + scopeFollows
+	ScopeWriteFollows           Scope = ScopeWrite + ":" + scopeFollows
+	ScopeReadLists              Scope = ScopeRead + ":" + scopeLists
+	ScopeWriteLists             Scope = ScopeWrite + ":" + scopeLists
+	ScopeWriteMedia             Scope = ScopeWrite + ":" + scopeMedia
+	ScopeReadMutes              Scope = ScopeRead + ":" + scopeMutes
+	ScopeWriteMutes             Scope = ScopeWrite + ":" + scopeMutes
+	ScopeReadNotifications      Scope = ScopeRead + ":" + scopeNotifications
+	ScopeWriteNotifications     Scope = ScopeWrite + ":" + scopeNotifications
+	ScopeWriteReports           Scope = ScopeWrite + ":" + scopeReports
+	ScopeReadSearch             Scope = ScopeRead + ":" + scopeSearch
+	ScopeReadStatuses           Scope = ScopeRead + ":" + scopeStatuses
+	ScopeWriteStatuses          Scope = ScopeWrite + ":" + scopeStatuses
+	ScopeAdminReadAccounts      Scope = ScopeAdminRead + ":" + scopeAccounts
+	ScopeAdminWriteAccounts     Scope = ScopeAdminWrite + ":" + scopeAccounts
+	ScopeAdminReadReports       Scope = ScopeAdminRead + ":" + scopeReports
+	ScopeAdminWriteReports      Scope = ScopeAdminWrite + ":" + scopeReports
+	ScopeAdminReadDomainAllows  Scope = ScopeAdminRead + ":" + scopeDomainAllows
+	ScopeAdminWriteDomainAllows Scope = ScopeAdminWrite + ":" + scopeDomainAllows
+	ScopeAdminReadDomainBlocks  Scope = ScopeAdminRead + ":" + scopeDomainBlocks
+	ScopeAdminWriteDomainBlocks Scope = ScopeAdminWrite + ":" + scopeDomainBlocks
+)
+
+// Permits returns true if the
+// scope permits the wanted scope.
+func (has Scope) Permits(wanted Scope) bool {
+	switch {
+	case has == ScopeRead:
+		return strings.HasPrefix(string(wanted), string(ScopeRead))
+	case has == ScopeWrite:
+		return strings.HasPrefix(string(wanted), string(ScopeWrite))
+	case has == ScopeAdmin:
+		return strings.HasPrefix(string(wanted), string(ScopeAdmin))
+	case has == ScopeAdminRead:
+		return strings.HasPrefix(string(wanted), string(ScopeAdminRead))
+	case has == ScopeAdminWrite:
+		return strings.HasPrefix(string(wanted), string(ScopeAdminWrite))
+	default:
+		return has == wanted
+	}
+}

internal/api/util/scopes_test.go

@@ -0,0 +1,96 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package util_test
+
+import (
+	"testing"
+
+	"github.com/superseriousbusiness/gotosocial/internal/api/util"
+)
+
+func TestScopes(t *testing.T) {
+	for _, test := range []struct {
+		HasScope   util.Scope
+		WantsScope util.Scope
+		Expect     bool
+	}{
+		{
+			HasScope:   util.ScopeRead,
+			WantsScope: util.ScopeRead,
+			Expect:     true,
+		},
+		{
+			HasScope:   util.ScopeRead,
+			WantsScope: util.ScopeWrite,
+			Expect:     false,
+		},
+		{
+			HasScope:   util.ScopeWrite,
+			WantsScope: util.ScopeWrite,
+			Expect:     true,
+		},
+		{
+			HasScope:   util.ScopeWrite,
+			WantsScope: util.ScopeRead,
+			Expect:     false,
+		},
+		{
+			HasScope:   util.ScopePush,
+			WantsScope: util.ScopePush,
+			Expect:     true,
+		},
+		{
+			HasScope:   util.ScopeAdmin,
+			WantsScope: util.ScopeAdmin,
+			Expect:     true,
+		},
+		{
+			HasScope:   util.ScopeProfile,
+			WantsScope: util.ScopeProfile,
+			Expect:     true,
+		},
+		{
+			HasScope:   util.ScopeReadAccounts,
+			WantsScope: util.ScopeWriteAccounts,
+			Expect:     false,
+		},
+		{
+			HasScope:   util.ScopeWriteAccounts,
+			WantsScope: util.ScopeWriteAccounts,
+			Expect:     true,
+		},
+		{
+			HasScope:   util.ScopeWrite,
+			WantsScope: util.ScopeWriteAccounts,
+			Expect:     true,
+		},
+		{
+			HasScope:   util.ScopeRead,
+			WantsScope: util.ScopeWriteAccounts,
+			Expect:     false,
+		},
+	} {
+		res := test.HasScope.Permits(test.WantsScope)
+		if res != test.Expect {
+			t.Errorf(
+				"did not get expected result %v for input: has %s, wants %s",
+				test.Expect, test.HasScope, test.WantsScope,
+			)
+		}
+	}
+}