[feature] Refactor tokens, allow multiple app redirect_uris

internal/api/util/auth.go

@@ -18,15 +18,21 @@
 package util
 
 import (
+	"context"
 	"errors"
 	"slices"
 	"strings"
 
 	"codeberg.org/superseriousbusiness/oauth2/v4"
+	"codeberg.org/superseriousbusiness/oauth2/v4/server"
 	"github.com/gin-gonic/gin"
+	"github.com/superseriousbusiness/gotosocial/internal/db"
+	"github.com/superseriousbusiness/gotosocial/internal/gtscontext"
 	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
 	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+	"github.com/superseriousbusiness/gotosocial/internal/log"
 	"github.com/superseriousbusiness/gotosocial/internal/oauth"
+	"github.com/superseriousbusiness/gotosocial/internal/state"
 )
 
 // Auth wraps an authorized token, application, user, and account.
@@ -150,3 +156,51 @@ func TokenAuth(
 
 	return a, nil
 }
+
+// GetClientScopeHandler returns a handler for testing scope on a TokenGenerateRequest.
+func GetClientScopeHandler(ctx context.Context, state *state.State) server.ClientScopeHandler {
+	return func(tgr *oauth2.TokenGenerateRequest) (allowed bool, err error) {
+		application, err := state.DB.GetApplicationByClientID(
+			gtscontext.SetBarebones(ctx),
+			tgr.ClientID,
+		)
+		if err != nil && !errors.Is(err, db.ErrNoEntries) {
+			log.Errorf(ctx, "database error getting application: %v", err)
+			return false, err
+		}
+
+		if application == nil {
+			err := gtserror.Newf("no application found with client id %s", tgr.ClientID)
+			return false, err
+		}
+
+		// Normalize scope.
+		if strings.TrimSpace(tgr.Scope) == "" {
+			tgr.Scope = "read"
+		}
+
+		// Make sure requested scopes are all
+		// within scopes permitted by application.
+		hasScopes := strings.Split(application.Scopes, " ")
+		wantsScopes := strings.Split(tgr.Scope, " ")
+		for _, wantsScope := range wantsScopes {
+			thisOK := slices.ContainsFunc(
+				hasScopes,
+				func(hasScope string) bool {
+					has := Scope(hasScope)
+					wants := Scope(wantsScope)
+					return has.Permits(wants)
+				},
+			)
+
+			if !thisOK {
+				// Requested unpermitted
+				// scope for this app.
+				return false, nil
+			}
+		}
+
+		// All OK.
+		return true, nil
+	}
+}

internal/api/util/scopes.go

@@ -93,11 +93,29 @@ const (
 // scope permits the wanted scope.
 func (has Scope) Permits(wanted Scope) bool {
 	if has == wanted {
-		// Exact match.
+		// Exact match on either a
+		// top-level or granular scope.
 		return true
 	}
 
-	// Check if we have a parent scope of what's wanted,
-	// eg., we have scope "admin", we want "admin:read".
-	return strings.HasPrefix(string(wanted), string(has))
+	// Ensure we have a
+	// known top-level scope.
+	switch has {
+
+	case ScopeProfile,
+		ScopePush,
+		ScopeRead,
+		ScopeWrite,
+		ScopeAdmin,
+		ScopeAdminRead,
+		ScopeAdminWrite:
+		// Check if top-level includes wanted,
+		// eg., have "admin", want "admin:read".
+		return strings.HasPrefix(string(wanted), string(has)+":")
+
+	default:
+		// Unknown top-level scope,
+		// can't permit anything.
+		return false
+	}
 }

internal/api/util/scopes_test.go

@@ -89,6 +89,16 @@ func TestScopes(t *testing.T) {
 			WantsScope: util.ScopeWrite,
 			Expect:     false,
 		},
+		{
+			HasScope:   util.ScopeProfile,
+			WantsScope: util.ScopePush,
+			Expect:     false,
+		},
+		{
+			HasScope:   util.Scope("p"),
+			WantsScope: util.ScopePush,
+			Expect:     false,
+		},
 	} {
 		res := test.HasScope.Permits(test.WantsScope)
 		if res != test.Expect {