[feature] Enforce OAuth token scopes (#3835)

* move tokenauth to apiutil * enforce scopes * docs * update test models, remove deprecated "follow" * file header * tests * tweak scope matcher * simplify... * fix tests * log user out of settings panel in case of oauth error
2025-11-02 20:02:25 -06:00 · 2025-02-26 13:04:55 +01:00 · 2025-02-26 13:04:55 +01:00 · eb720241da
commit eb720241da
parent f734a94c1c
213 changed files with 1762 additions and 1082 deletions
--- a/internal/api/client/instance/instancepatch.go
+++ b/internal/api/client/instance/instancepatch.go
@ -27,7 +27,6 @@ import (
 	apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 	"github.com/superseriousbusiness/gotosocial/internal/config"
 	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
-	"github.com/superseriousbusiness/gotosocial/internal/oauth"
 )

 // InstanceUpdatePATCHHandler swagger:operation PATCH /api/v1/instance instanceUpdate
@ -107,7 +106,7 @@ import (
 //
 //	security:
 //	- OAuth2 Bearer:
-//		- admin
+//		- admin:write
 //
 //	responses:
 //		'200':
@ -127,9 +126,12 @@ import (
 //		'500':
 //			description: internal server error
 func (m *Module) InstanceUpdatePATCHHandler(c *gin.Context) {
-	authed, err := oauth.Authed(c, true, true, true, true)
-	if err != nil {
-		apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+	authed, errWithCode := apiutil.TokenAuth(c,
+		true, true, true, true,
+		apiutil.ScopeAdminWrite,
+	)
+	if errWithCode != nil {
+		apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 		return
 	}

--- a/internal/api/client/instance/instancepatch_test.go
+++ b/internal/api/client/instance/instancepatch_test.go
@ -544,7 +544,7 @@ func (suite *InstancePatchTestSuite) TestInstancePatch5() {
 	b, err := io.ReadAll(result.Body)
 	suite.NoError(err)

-	suite.Equal(`{"error":"Forbidden: user is not an admin so cannot update instance settings"}`, string(b))
+	suite.Equal(`{"error":"Forbidden: token has insufficient scope permission"}`, string(b))
 }

 func (suite *InstancePatchTestSuite) TestInstancePatch6() {
--- a/internal/api/client/instance/instancepeersget.go
+++ b/internal/api/client/instance/instancepeersget.go
@ -25,7 +25,6 @@ import (
 	apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
 	"github.com/superseriousbusiness/gotosocial/internal/config"
 	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
-	"github.com/superseriousbusiness/gotosocial/internal/oauth"

 	"github.com/gin-gonic/gin"
 )
@ -59,6 +58,9 @@ import (
 //		required: false
 //		default: "open"
 //
+//	security:
+//	- OAuth2 Bearer: []
+//
 //	responses:
 //		'200':
 //			description: >-
@ -99,9 +101,11 @@ import (
 //		'500':
 //			description: internal server error
 func (m *Module) InstancePeersGETHandler(c *gin.Context) {
-	authed, err := oauth.Authed(c, false, false, false, false)
-	if err != nil {
-		apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+	authed, errWithCode := apiutil.TokenAuth(c,
+		false, false, false, false,
+	)
+	if errWithCode != nil {
+		apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 		return
 	}