[feature] Enforce OAuth token scopes (#3835)

* move tokenauth to apiutil * enforce scopes * docs * update test models, remove deprecated "follow" * file header * tests * tweak scope matcher * simplify... * fix tests * log user out of settings panel in case of oauth error
2025-10-29 06:22:25 -05:00 · 2025-02-26 13:04:55 +01:00 · 2025-02-26 13:04:55 +01:00 · eb720241da
commit eb720241da
parent f734a94c1c
213 changed files with 1762 additions and 1082 deletions
--- a/testrig/testmodels.go
+++ b/testrig/testmodels.go
@ -51,11 +51,21 @@ func NewTestTokens() map[string]*gtsmodel.Token {
 			ClientID:        "01F8MGV8AC3NGSJW0FE8W1BV70",
 			UserID:          "01F8MGVGPHQ2D3P3X0454H54Z5",
 			RedirectURI:     "http://localhost:8080",
-			Scope:           "read write follow push",
+			Scope:           "read write push",
 			Access:          "NZAZOTC0OWITMDU0NC0ZODG4LWE4NJITMWUXM2M4MTRHZDEX",
 			AccessCreateAt:  TimeMustParse("2022-06-10T15:22:08Z"),
 			AccessExpiresAt: TimeMustParse("2050-01-01T15:22:08Z"),
 		},
+		"local_account_1_push_only": {
+			ID:              "01JN0X2D9GJTZQ5KYPYFWN16QW",
+			ClientID:        "01F8MGV8AC3NGSJW0FE8W1BV70",
+			UserID:          "01F8MGVGPHQ2D3P3X0454H54Z5",
+			RedirectURI:     "http://localhost:8080",
+			Scope:           "push",
+			Access:          "01JN0X49RYKMP6G9X0HJAP317101JN0X49RYKMP6G9X0HJAP",
+			AccessCreateAt:  TimeMustParse("2022-06-10T15:22:08Z"),
+			AccessExpiresAt: TimeMustParse("2050-01-01T15:22:08Z"),
+		},
 		"local_account_1_client_application_token": {
 			ID:              "01P9SVWS9J3SPHZQ3KCMBEN70N",
 			ClientID:        "01F8MGV8AC3NGSJW0FE8W1BV70",
@ -78,7 +88,7 @@ func NewTestTokens() map[string]*gtsmodel.Token {
 			ClientID:        "01F8MGW47HN8ZXNHNZ7E47CDMQ",
 			UserID:          "01F8MH1VYJAE00TVVGMM5JNJ8X",
 			RedirectURI:     "http://localhost:8080",
-			Scope:           "read write follow push",
+			Scope:           "read write push",
 			Access:          "PIPINALKNNNFNF98717NAMNAMNFKIJKJ881818KJKJAKJJJA",
 			AccessCreateAt:  TimeMustParse("2022-06-10T15:22:08Z"),
 			AccessExpiresAt: TimeMustParse("2050-01-01T15:22:08Z"),
@ -88,7 +98,7 @@ func NewTestTokens() map[string]*gtsmodel.Token {
 			ClientID:        "01F8MGWSJCND9BWBD4WGJXBM93",
 			UserID:          "01F8MGWYWKVKS3VS8DV1AMYPGE",
 			RedirectURI:     "http://localhost:8080",
-			Scope:           "read write follow push admin",
+			Scope:           "read write push admin",
 			Access:          "AININALKNENFNF98717NAMG4LWE4NJITMWUXM2M4MTRHZDEX",
 			AccessCreateAt:  TimeMustParse("2022-06-10T15:22:08Z"),
 			AccessExpiresAt: TimeMustParse("2050-01-01T15:22:08Z"),