[feature] Enforce OAuth token scopes (#3835)

* move tokenauth to apiutil * enforce scopes * docs * update test models, remove deprecated "follow" * file header * tests * tweak scope matcher * simplify... * fix tests * log user out of settings panel in case of oauth error
2025-10-29 14:32:25 -05:00 · 2025-02-26 13:04:55 +01:00 · 2025-02-26 13:04:55 +01:00 · eb720241da
commit eb720241da
parent f734a94c1c
213 changed files with 1762 additions and 1082 deletions
--- a/internal/api/client/streaming/stream.go
+++ b/internal/api/client/streaming/stream.go
@ -28,7 +28,6 @@ import (
 	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
 	"github.com/superseriousbusiness/gotosocial/internal/id"
 	"github.com/superseriousbusiness/gotosocial/internal/log"
-	"github.com/superseriousbusiness/gotosocial/internal/oauth"
 	streampkg "github.com/superseriousbusiness/gotosocial/internal/stream"

 	"github.com/gin-gonic/gin"
@ -187,9 +186,8 @@ func (m *Module) StreamGETHandler(c *gin.Context) {

 		// No explicit token was provided:
 		// try regular oauth as a last resort.
-		authed, err := oauth.Authed(c, true, true, true, true)
-		if err != nil {
-			errWithCode := gtserror.NewErrorUnauthorized(err, err.Error())
+		authed, errWithCode := apiutil.TokenAuth(c, true, true, true, true)
+		if errWithCode != nil {
 			apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 			return
 		}