feat: restrict certain endpoints from API tokens and/or read-only tokens

2023-03-30 16:58:35 +02:00 · 2023-03-30 16:58:35 +02:00 · ff75075b81
commit ff75075b81
parent 2716471fa9
13 changed files with 62 additions and 14 deletions
--- a/backend/routes/auth/discord.go
+++ b/backend/routes/auth/discord.go
@ -167,8 +167,8 @@ func (s *Server) discordLink(w http.ResponseWriter, r *http.Request) error {
 	claims, _ := server.ClaimsFromContext(ctx)

 	// only site tokens can be used for this endpoint
-	if claims.APIToken || !claims.TokenWrite {
-		return server.APIError{Code: server.ErrInvalidToken}
+	if claims.APIToken {
+		return server.APIError{Code: server.ErrMissingPermissions, Details: "This endpoint cannot be used by API tokens"}
 	}

 	req, err := Decode[linkRequest](r)
@ -213,8 +213,8 @@ func (s *Server) discordUnlink(w http.ResponseWriter, r *http.Request) error {
 	claims, _ := server.ClaimsFromContext(ctx)

 	// only site tokens can be used for this endpoint
-	if claims.APIToken || !claims.TokenWrite {
-		return server.APIError{Code: server.ErrInvalidToken}
+	if claims.APIToken {
+		return server.APIError{Code: server.ErrMissingPermissions, Details: "This endpoint cannot be used by API tokens"}
 	}

 	u, err := s.DB.User(ctx, claims.UserID)
--- a/backend/routes/auth/fedi_mastodon.go
+++ b/backend/routes/auth/fedi_mastodon.go
@ -189,8 +189,8 @@ func (s *Server) mastodonLink(w http.ResponseWriter, r *http.Request) error {
 	claims, _ := server.ClaimsFromContext(ctx)

 	// only site tokens can be used for this endpoint
-	if claims.APIToken || !claims.TokenWrite {
-		return server.APIError{Code: server.ErrInvalidToken}
+	if claims.APIToken {
+		return server.APIError{Code: server.ErrMissingPermissions, Details: "This endpoint cannot be used by API tokens"}
 	}

 	req, err := Decode[fediLinkRequest](r)
@ -240,8 +240,8 @@ func (s *Server) mastodonUnlink(w http.ResponseWriter, r *http.Request) error {
 	claims, _ := server.ClaimsFromContext(ctx)

 	// only site tokens can be used for this endpoint
-	if claims.APIToken || !claims.TokenWrite {
-		return server.APIError{Code: server.ErrInvalidToken}
+	if claims.APIToken {
+		return server.APIError{Code: server.ErrMissingPermissions, Details: "This endpoint cannot be used by API tokens"}
 	}

 	u, err := s.DB.User(ctx, claims.UserID)
--- a/backend/routes/auth/fedi_misskey.go
+++ b/backend/routes/auth/fedi_misskey.go
@ -164,8 +164,8 @@ func (s *Server) misskeyLink(w http.ResponseWriter, r *http.Request) error {
 	claims, _ := server.ClaimsFromContext(ctx)

 	// only site tokens can be used for this endpoint
-	if claims.APIToken || !claims.TokenWrite {
-		return server.APIError{Code: server.ErrInvalidToken}
+	if claims.APIToken {
+		return server.APIError{Code: server.ErrMissingPermissions, Details: "This endpoint cannot be used by API tokens"}
 	}

 	req, err := Decode[fediLinkRequest](r)
--- a/backend/routes/auth/invite.go
+++ b/backend/routes/auth/invite.go
@ -32,6 +32,10 @@ func (s *Server) getInvites(w http.ResponseWriter, r *http.Request) error {
 	ctx := r.Context()
 	claims, _ := server.ClaimsFromContext(ctx)

+	if claims.APIToken {
+		return server.APIError{Code: server.ErrMissingPermissions, Details: "This endpoint cannot be used by API tokens"}
+	}
+
 	is, err := s.DB.UserInvites(ctx, claims.UserID)
 	if err != nil {
 		return errors.Wrap(err, "getting user invites")
@ -54,6 +58,10 @@ func (s *Server) createInvite(w http.ResponseWriter, r *http.Request) error {
 	ctx := r.Context()
 	claims, _ := server.ClaimsFromContext(ctx)

+	if claims.APIToken {
+		return server.APIError{Code: server.ErrMissingPermissions, Details: "This endpoint cannot be used by API tokens"}
+	}
+
 	inv, err := s.DB.CreateInvite(ctx, claims.UserID)
 	if err != nil {
 		if err == db.ErrTooManyInvites {
--- a/backend/routes/auth/tokens.go
+++ b/backend/routes/auth/tokens.go
@ -33,6 +33,10 @@ func (s *Server) getTokens(w http.ResponseWriter, r *http.Request) error {
 	ctx := r.Context()
 	claims, _ := server.ClaimsFromContext(ctx)

+	if claims.APIToken {
+		return server.APIError{Code: server.ErrMissingPermissions, Details: "This endpoint cannot be used by API tokens"}
+	}
+
 	tokens, err := s.DB.Tokens(ctx, claims.UserID)
 	if err != nil {
 		return errors.Wrap(err, "getting tokens")
@ -52,7 +56,7 @@ func (s *Server) deleteToken(w http.ResponseWriter, r *http.Request) error {
 	claims, _ := server.ClaimsFromContext(ctx)

 	if claims.APIToken {
-		return server.APIError{Code: server.ErrInvalidToken}
+		return server.APIError{Code: server.ErrMissingPermissions, Details: "This endpoint cannot be used by API tokens"}
 	}

 	tx, err := s.DB.Begin(ctx)
@ -89,7 +93,7 @@ func (s *Server) createToken(w http.ResponseWriter, r *http.Request) error {
 	claims, _ := server.ClaimsFromContext(ctx)

 	if claims.APIToken {
-		return server.APIError{Code: server.ErrInvalidToken}
+		return server.APIError{Code: server.ErrMissingPermissions, Details: "This endpoint cannot be used by API tokens"}
 	}

 	readOnly := r.FormValue("read_only") == "true"