Merge branch 'authenticated-api-oauth-check-enforcement' into 'develop'

Enforcement of OAuth scopes check for authenticated API endpoints See merge request pleroma/pleroma!2349
2020-04-16 21:58:57 +00:00 · 2020-04-16 21:58:57 +00:00 · badd888ccb
commit badd888ccb
parent 28bcde5d98 bde1189c34
17 changed files with 248 additions and 40 deletions
--- a/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
@ -21,10 +21,13 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
  alias Pleroma.Web.CommonAPI
  alias Pleroma.Web.MastodonAPI.ListView
  alias Pleroma.Web.MastodonAPI.MastodonAPI
+  alias Pleroma.Web.MastodonAPI.MastodonAPIController
  alias Pleroma.Web.MastodonAPI.StatusView
  alias Pleroma.Web.OAuth.Token
  alias Pleroma.Web.TwitterAPI.TwitterAPI

+  plug(:skip_plug, OAuthScopesPlug when action == :identity_proofs)
+
  plug(
    OAuthScopesPlug,
    %{fallback: :proceed_unauthenticated, scopes: ["read:accounts"]}
@ -376,6 +379,8 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
  end

  @doc "GET /api/v1/endorsements"
-  def endorsements(conn, params),
-    do: Pleroma.Web.MastodonAPI.MastodonAPIController.empty_array(conn, params)
+  def endorsements(conn, params), do: MastodonAPIController.empty_array(conn, params)
+
+  @doc "GET /api/v1/identity_proofs"
+  def identity_proofs(conn, params), do: MastodonAPIController.empty_array(conn, params)
 end
--- a/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex
@ -3,21 +3,31 @@
 # SPDX-License-Identifier: AGPL-3.0-only

 defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
+  @moduledoc """
+  Contains stubs for unimplemented Mastodon API endpoints.
+
+  Note: instead of routing directly to this controller's action,
+    it's preferable to define an action in relevant (non-generic) controller,
+    set up OAuth rules for it and call this controller's function from it.
+  """
+
  use Pleroma.Web, :controller

  require Logger

+  plug(:skip_plug, Pleroma.Plugs.OAuthScopesPlug when action in [:empty_array, :empty_object])
+
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
  action_fallback(Pleroma.Web.MastodonAPI.FallbackController)

-  # Stubs for unimplemented mastodon api
-  #
  def empty_array(conn, _) do
-    Logger.debug("Unimplemented, returning an empty array")
+    Logger.debug("Unimplemented, returning an empty array (list)")
    json(conn, [])
  end

  def empty_object(conn, _) do
-    Logger.debug("Unimplemented, returning an empty object")
+    Logger.debug("Unimplemented, returning an empty object (map)")
    json(conn, %{})
  end
 end
--- a/lib/pleroma/web/mastodon_api/controllers/suggestion_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/suggestion_controller.ex
@ -5,10 +5,13 @@
 defmodule Pleroma.Web.MastodonAPI.SuggestionController do
  use Pleroma.Web, :controller

+  alias Pleroma.Plugs.OAuthScopesPlug
+
  require Logger

+  plug(OAuthScopesPlug, %{scopes: ["read"]} when action == :index)
+
  @doc "GET /api/v1/suggestions"
-  def index(conn, _) do
-    json(conn, [])
-  end
+  def index(conn, params),
+    do: Pleroma.Web.MastodonAPI.MastodonAPIController.empty_array(conn, params)
 end