Rearranged scope check

This commit is contained in:
Michael 2021-06-08 09:11:56 +00:00
parent 95cac04540
commit 9720ee2c20
3 changed files with 36 additions and 57 deletions

View file

@ -34,13 +34,9 @@ require_once __DIR__ . '/../../include/api.php';
class BaseApi extends BaseModule class BaseApi extends BaseModule
{ {
/** @deprecated Use OAuth class constant */
const SCOPE_READ = 'read'; const SCOPE_READ = 'read';
/** @deprecated Use OAuth class constant */
const SCOPE_WRITE = 'write'; const SCOPE_WRITE = 'write';
/** @deprecated Use OAuth class constant */
const SCOPE_FOLLOW = 'follow'; const SCOPE_FOLLOW = 'follow';
/** @deprecated Use OAuth class constant */
const SCOPE_PUSH = 'push'; const SCOPE_PUSH = 'push';
/** /**
@ -173,24 +169,14 @@ class BaseApi extends BaseModule
} }
/** /**
* @deprecated Use checkAllowedScope instead
* Log in user via OAuth or Basic HTTP Auth. * Log in user via OAuth or Basic HTTP Auth.
* *
* @param string $scope the requested scope (read, write, follow) * @param string $scope the requested scope (read, write, follow)
*/ */
protected static function login(string $scope) protected static function login(string $scope)
{ {
$uid = OAuth::getCurrentUserID(); self::checkAllowedScope($scope);
if (!empty($uid)) {
if (!OAuth::isAllowedScope($scope)) {
DI::mstdnError()->Forbidden();
}
}
if (empty($uid)) {
// The execution stops here if no one is logged in
BasicAuth::getCurrentUserID(true);
}
} }
/** /**
@ -225,6 +211,32 @@ class BaseApi extends BaseModule
return (int)$uid; return (int)$uid;
} }
/**
* Check if the provided scope does exist.
* halts execution on missing scope or when not logged in.
*
* @param string $scope the requested scope (read, write, follow, push)
*/
public static function checkAllowedScope(string $scope)
{
$token = self::getCurrentApplication();
if (empty($token)) {
Logger::notice('Empty application token');
DI::mstdnError()->Forbidden();
}
if (!isset($token[$scope])) {
Logger::warning('The requested scope does not exist', ['scope' => $scope, 'application' => $token]);
DI::mstdnError()->Forbidden();
}
if (empty($token[$scope])) {
Logger::warning('The requested scope is not allowed', ['scope' => $scope, 'application' => $token]);
DI::mstdnError()->Forbidden();
}
}
/** /**
* Get user info array. * Get user info array.
* *

View file

@ -46,7 +46,7 @@ class BasicAuth
* *
* @return int User ID * @return int User ID
*/ */
public static function getCurrentUserID(bool $login = true) public static function getCurrentUserID(bool $login)
{ {
if (empty(self::$current_user_id)) { if (empty(self::$current_user_id)) {
api_login(DI::app(), $login); api_login(DI::app(), $login);
@ -64,7 +64,7 @@ class BasicAuth
*/ */
public static function getCurrentApplicationToken() public static function getCurrentApplicationToken()
{ {
if (empty(self::getCurrentUserID())) { if (empty(self::getCurrentUserID(true))) {
return []; return [];
} }

View file

@ -24,6 +24,7 @@ namespace Friendica\Security;
use Friendica\Core\Logger; use Friendica\Core\Logger;
use Friendica\Database\Database; use Friendica\Database\Database;
use Friendica\Database\DBA; use Friendica\Database\DBA;
use Friendica\Module\BaseApi;
use Friendica\Util\DateTimeFormat; use Friendica\Util\DateTimeFormat;
/** /**
@ -31,11 +32,6 @@ use Friendica\Util\DateTimeFormat;
*/ */
class OAuth class OAuth
{ {
const SCOPE_READ = 'read';
const SCOPE_WRITE = 'write';
const SCOPE_FOLLOW = 'follow';
const SCOPE_PUSH = 'push';
/** /**
* @var bool|int * @var bool|int
*/ */
@ -78,35 +74,6 @@ class OAuth
return self::$current_token; return self::$current_token;
} }
/**
* Check if the provided scope does exist
*
* @param string $scope the requested scope (read, write, follow, push)
*
* @return bool "true" if the scope is allowed
*/
public static function isAllowedScope(string $scope)
{
$token = self::getCurrentApplicationToken();
if (empty($token)) {
Logger::notice('Empty application token');
return false;
}
if (!isset($token[$scope])) {
Logger::warning('The requested scope does not exist', ['scope' => $scope, 'application' => $token]);
return false;
}
if (empty($token[$scope])) {
Logger::warning('The requested scope is not allowed', ['scope' => $scope, 'application' => $token]);
return false;
}
return true;
}
/** /**
* Get the user token via the Bearer token * Get the user token via the Bearer token
* *
@ -200,13 +167,13 @@ class OAuth
'code' => $code, 'code' => $code,
'access_token' => $access_token, 'access_token' => $access_token,
'scopes' => $scope, 'scopes' => $scope,
'read' => (stripos($scope, self::SCOPE_READ) !== false), 'read' => (stripos($scope, BaseApi::SCOPE_READ) !== false),
'write' => (stripos($scope, self::SCOPE_WRITE) !== false), 'write' => (stripos($scope, BaseApi::SCOPE_WRITE) !== false),
'follow' => (stripos($scope, self::SCOPE_FOLLOW) !== false), 'follow' => (stripos($scope, BaseApi::SCOPE_FOLLOW) !== false),
'push' => (stripos($scope, self::SCOPE_PUSH) !== false), 'push' => (stripos($scope, BaseApi::SCOPE_PUSH) !== false),
'created_at' => DateTimeFormat::utcNow(DateTimeFormat::MYSQL)]; 'created_at' => DateTimeFormat::utcNow(DateTimeFormat::MYSQL)];
foreach ([self::SCOPE_READ, self::SCOPE_WRITE, self::SCOPE_WRITE, self::SCOPE_PUSH] as $scope) { foreach ([BaseApi::SCOPE_READ, BaseApi::SCOPE_WRITE, BaseApi::SCOPE_WRITE, BaseApi::SCOPE_PUSH] as $scope) {
if ($fields[$scope] && !$application[$scope]) { if ($fields[$scope] && !$application[$scope]) {
Logger::warning('Requested token scope is not allowed for the application', ['token' => $fields, 'application' => $application]); Logger::warning('Requested token scope is not allowed for the application', ['token' => $fields, 'application' => $application]);
} }