Fixed OAuth restrictions for :api routes. Made auth info dropped for :api routes if OAuth check was neither performed nor explicitly skipped.

2020-04-22 18:50:25 +03:00 · 2020-04-22 18:50:25 +03:00 · 2958a7d246
commit 2958a7d246
parent f685cbd309
14 changed files with 101 additions and 53 deletions
--- a/lib/pleroma/plugs/oauth_scopes_plug.ex
+++ b/lib/pleroma/plugs/oauth_scopes_plug.ex
@ -28,9 +28,7 @@ defmodule Pleroma.Plugs.OAuthScopesPlug do
        conn

      options[:fallback] == :proceed_unauthenticated ->
-        conn
-        |> assign(:user, nil)
-        |> assign(:token, nil)
+        drop_auth_info(conn)

      true ->
        missing_scopes = scopes -- matched_scopes
@ -46,6 +44,15 @@ defmodule Pleroma.Plugs.OAuthScopesPlug do
    end
  end

+  @doc "Drops authentication info from connection"
+  def drop_auth_info(conn) do
+    # To simplify debugging, setting a private variable on `conn` if auth info is dropped
+    conn
+    |> put_private(:authentication_ignored, true)
+    |> assign(:user, nil)
+    |> assign(:token, nil)
+  end
+
  @doc "Filters descendants of supported scopes"
  def filter_descendants(scopes, supported_scopes) do
    Enum.filter(