Fixed OAuth restrictions for :api routes. Made auth info dropped for :api routes if OAuth check was neither performed nor explicitly skipped.

2020-04-22 18:50:25 +03:00 · 2020-04-22 18:50:25 +03:00 · 2958a7d246
commit 2958a7d246
parent f685cbd309
14 changed files with 101 additions and 53 deletions
--- a/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
@ -37,7 +37,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
  plug(
    OAuthScopesPlug,
    %{fallback: :proceed_unauthenticated, scopes: ["read:accounts"]}
-    when action in [:show, :endorsements]
+    when action in [:show, :followers, :following, :endorsements]
  )

  plug(
@ -49,7 +49,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
  plug(
    OAuthScopesPlug,
    %{scopes: ["read:accounts"]}
-    when action in [:endorsements, :verify_credentials, :followers, :following]
+    when action in [:endorsements, :verify_credentials]
  )

  plug(OAuthScopesPlug, %{scopes: ["write:accounts"]} when action == :update_credentials)
--- a/lib/pleroma/web/mastodon_api/controllers/app_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/app_controller.ex
@ -5,6 +5,7 @@
 defmodule Pleroma.Web.MastodonAPI.AppController do
  use Pleroma.Web, :controller

+  alias Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
  alias Pleroma.Plugs.OAuthScopesPlug
  alias Pleroma.Repo
  alias Pleroma.Web.OAuth.App
@ -13,7 +14,14 @@ defmodule Pleroma.Web.MastodonAPI.AppController do

  action_fallback(Pleroma.Web.MastodonAPI.FallbackController)

+  plug(
+    :skip_plug,
+    [OAuthScopesPlug, EnsurePublicOrAuthenticatedPlug]
+    when action == :create
+  )
+
  plug(OAuthScopesPlug, %{scopes: ["read"]} when action == :verify_credentials)
+
  plug(OpenApiSpex.Plug.CastAndValidate)

  @local_mastodon_name "Mastodon-Local"
--- a/lib/pleroma/web/mastodon_api/controllers/custom_emoji_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/custom_emoji_controller.ex
@ -7,6 +7,12 @@ defmodule Pleroma.Web.MastodonAPI.CustomEmojiController do

  plug(OpenApiSpex.Plug.CastAndValidate)

+  plug(
+    :skip_plug,
+    [Pleroma.Plugs.OAuthScopesPlug, Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug]
+    when action == :index
+  )
+
  defdelegate open_api_operation(action), to: Pleroma.Web.ApiSpec.CustomEmojiOperation

  def index(conn, _params) do
--- a/lib/pleroma/web/mastodon_api/controllers/instance_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/instance_controller.ex
@ -5,6 +5,12 @@
 defmodule Pleroma.Web.MastodonAPI.InstanceController do
  use Pleroma.Web, :controller

+  plug(
+    :skip_plug,
+    [Pleroma.Plugs.OAuthScopesPlug, Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug]
+    when action in [:show, :peers]
+  )
+
  @doc "GET /api/v1/instance"
  def show(conn, _params) do
    render(conn, "show.json")
--- a/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex
@ -15,7 +15,11 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do

  require Logger

-  plug(:skip_plug, Pleroma.Plugs.OAuthScopesPlug when action in [:empty_array, :empty_object])
+  plug(
+    :skip_plug,
+    [Pleroma.Plugs.OAuthScopesPlug, Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug]
+    when action in [:empty_array, :empty_object]
+  )

  action_fallback(Pleroma.Web.MastodonAPI.FallbackController)

--- a/lib/pleroma/web/mastodon_api/controllers/search_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/search_controller.ex
@ -21,6 +21,8 @@ defmodule Pleroma.Web.MastodonAPI.SearchController do
  # Note: Mastodon doesn't allow unauthenticated access (requires read:accounts / read:search)
  plug(OAuthScopesPlug, %{scopes: ["read:search"], fallback: :proceed_unauthenticated})

+  # Note: on private instances auth is required (EnsurePublicOrAuthenticatedPlug is not skipped)
+
  plug(RateLimiter, [name: :search] when action in [:search, :search2, :account_search])

  def account_search(%{assigns: %{user: user}} = conn, %{"q" => query} = params) do
--- a/lib/pleroma/web/mastodon_api/controllers/timeline_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/timeline_controller.ex
@ -9,6 +9,7 @@ defmodule Pleroma.Web.MastodonAPI.TimelineController do
    only: [add_link_headers: 2, add_link_headers: 3, truthy_param?: 1, skip_relationships?: 1]

  alias Pleroma.Pagination
+  alias Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
  alias Pleroma.Plugs.OAuthScopesPlug
  alias Pleroma.Plugs.RateLimiter
  alias Pleroma.User
@ -26,7 +27,13 @@ defmodule Pleroma.Web.MastodonAPI.TimelineController do
  plug(OAuthScopesPlug, %{scopes: ["read:statuses"]} when action in [:home, :direct])
  plug(OAuthScopesPlug, %{scopes: ["read:lists"]} when action == :list)

-  plug(:skip_plug, Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug when action == :public)
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["read:statuses"], fallback: :proceed_unauthenticated}
+    when action in [:public, :hashtag]
+  )
+
+  plug(:skip_plug, EnsurePublicOrAuthenticatedPlug when action in [:public, :hashtag])

  plug(:put_view, Pleroma.Web.MastodonAPI.StatusView)

@ -93,7 +100,9 @@ defmodule Pleroma.Web.MastodonAPI.TimelineController do

    restrict? = Pleroma.Config.get([:restrict_unauthenticated, :timelines, cfg_key])

-    if not (restrict? and is_nil(user)) do
+    if restrict? and is_nil(user) do
+      render_error(conn, :unauthorized, "authorization required for timeline view")
+    else
      activities =
        params
        |> Map.put("type", ["Create", "Announce"])
@ -110,12 +119,10 @@ defmodule Pleroma.Web.MastodonAPI.TimelineController do
        as: :activity,
        skip_relationships: skip_relationships?(params)
      )
-    else
-      render_error(conn, :unauthorized, "authorization required for timeline view")
    end
  end

-  def hashtag_fetching(params, user, local_only) do
+  defp hashtag_fetching(params, user, local_only) do
    tags =
      [params["tag"], params["any"]]
      |> List.flatten()