Rearranged scope check
This commit is contained in:
parent
95cac04540
commit
9720ee2c20
3 changed files with 36 additions and 57 deletions
|
@ -34,13 +34,9 @@ require_once __DIR__ . '/../../include/api.php';
|
||||||
|
|
||||||
class BaseApi extends BaseModule
|
class BaseApi extends BaseModule
|
||||||
{
|
{
|
||||||
/** @deprecated Use OAuth class constant */
|
|
||||||
const SCOPE_READ = 'read';
|
const SCOPE_READ = 'read';
|
||||||
/** @deprecated Use OAuth class constant */
|
|
||||||
const SCOPE_WRITE = 'write';
|
const SCOPE_WRITE = 'write';
|
||||||
/** @deprecated Use OAuth class constant */
|
|
||||||
const SCOPE_FOLLOW = 'follow';
|
const SCOPE_FOLLOW = 'follow';
|
||||||
/** @deprecated Use OAuth class constant */
|
|
||||||
const SCOPE_PUSH = 'push';
|
const SCOPE_PUSH = 'push';
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -173,24 +169,14 @@ class BaseApi extends BaseModule
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
* @deprecated Use checkAllowedScope instead
|
||||||
* Log in user via OAuth or Basic HTTP Auth.
|
* Log in user via OAuth or Basic HTTP Auth.
|
||||||
*
|
*
|
||||||
* @param string $scope the requested scope (read, write, follow)
|
* @param string $scope the requested scope (read, write, follow)
|
||||||
*/
|
*/
|
||||||
protected static function login(string $scope)
|
protected static function login(string $scope)
|
||||||
{
|
{
|
||||||
$uid = OAuth::getCurrentUserID();
|
self::checkAllowedScope($scope);
|
||||||
|
|
||||||
if (!empty($uid)) {
|
|
||||||
if (!OAuth::isAllowedScope($scope)) {
|
|
||||||
DI::mstdnError()->Forbidden();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if (empty($uid)) {
|
|
||||||
// The execution stops here if no one is logged in
|
|
||||||
BasicAuth::getCurrentUserID(true);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -225,6 +211,32 @@ class BaseApi extends BaseModule
|
||||||
return (int)$uid;
|
return (int)$uid;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Check if the provided scope does exist.
|
||||||
|
* halts execution on missing scope or when not logged in.
|
||||||
|
*
|
||||||
|
* @param string $scope the requested scope (read, write, follow, push)
|
||||||
|
*/
|
||||||
|
public static function checkAllowedScope(string $scope)
|
||||||
|
{
|
||||||
|
$token = self::getCurrentApplication();
|
||||||
|
|
||||||
|
if (empty($token)) {
|
||||||
|
Logger::notice('Empty application token');
|
||||||
|
DI::mstdnError()->Forbidden();
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!isset($token[$scope])) {
|
||||||
|
Logger::warning('The requested scope does not exist', ['scope' => $scope, 'application' => $token]);
|
||||||
|
DI::mstdnError()->Forbidden();
|
||||||
|
}
|
||||||
|
|
||||||
|
if (empty($token[$scope])) {
|
||||||
|
Logger::warning('The requested scope is not allowed', ['scope' => $scope, 'application' => $token]);
|
||||||
|
DI::mstdnError()->Forbidden();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get user info array.
|
* Get user info array.
|
||||||
*
|
*
|
||||||
|
|
|
@ -46,7 +46,7 @@ class BasicAuth
|
||||||
*
|
*
|
||||||
* @return int User ID
|
* @return int User ID
|
||||||
*/
|
*/
|
||||||
public static function getCurrentUserID(bool $login = true)
|
public static function getCurrentUserID(bool $login)
|
||||||
{
|
{
|
||||||
if (empty(self::$current_user_id)) {
|
if (empty(self::$current_user_id)) {
|
||||||
api_login(DI::app(), $login);
|
api_login(DI::app(), $login);
|
||||||
|
@ -64,7 +64,7 @@ class BasicAuth
|
||||||
*/
|
*/
|
||||||
public static function getCurrentApplicationToken()
|
public static function getCurrentApplicationToken()
|
||||||
{
|
{
|
||||||
if (empty(self::getCurrentUserID())) {
|
if (empty(self::getCurrentUserID(true))) {
|
||||||
return [];
|
return [];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -24,6 +24,7 @@ namespace Friendica\Security;
|
||||||
use Friendica\Core\Logger;
|
use Friendica\Core\Logger;
|
||||||
use Friendica\Database\Database;
|
use Friendica\Database\Database;
|
||||||
use Friendica\Database\DBA;
|
use Friendica\Database\DBA;
|
||||||
|
use Friendica\Module\BaseApi;
|
||||||
use Friendica\Util\DateTimeFormat;
|
use Friendica\Util\DateTimeFormat;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -31,11 +32,6 @@ use Friendica\Util\DateTimeFormat;
|
||||||
*/
|
*/
|
||||||
class OAuth
|
class OAuth
|
||||||
{
|
{
|
||||||
const SCOPE_READ = 'read';
|
|
||||||
const SCOPE_WRITE = 'write';
|
|
||||||
const SCOPE_FOLLOW = 'follow';
|
|
||||||
const SCOPE_PUSH = 'push';
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @var bool|int
|
* @var bool|int
|
||||||
*/
|
*/
|
||||||
|
@ -78,35 +74,6 @@ class OAuth
|
||||||
return self::$current_token;
|
return self::$current_token;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Check if the provided scope does exist
|
|
||||||
*
|
|
||||||
* @param string $scope the requested scope (read, write, follow, push)
|
|
||||||
*
|
|
||||||
* @return bool "true" if the scope is allowed
|
|
||||||
*/
|
|
||||||
public static function isAllowedScope(string $scope)
|
|
||||||
{
|
|
||||||
$token = self::getCurrentApplicationToken();
|
|
||||||
|
|
||||||
if (empty($token)) {
|
|
||||||
Logger::notice('Empty application token');
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!isset($token[$scope])) {
|
|
||||||
Logger::warning('The requested scope does not exist', ['scope' => $scope, 'application' => $token]);
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (empty($token[$scope])) {
|
|
||||||
Logger::warning('The requested scope is not allowed', ['scope' => $scope, 'application' => $token]);
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get the user token via the Bearer token
|
* Get the user token via the Bearer token
|
||||||
*
|
*
|
||||||
|
@ -200,13 +167,13 @@ class OAuth
|
||||||
'code' => $code,
|
'code' => $code,
|
||||||
'access_token' => $access_token,
|
'access_token' => $access_token,
|
||||||
'scopes' => $scope,
|
'scopes' => $scope,
|
||||||
'read' => (stripos($scope, self::SCOPE_READ) !== false),
|
'read' => (stripos($scope, BaseApi::SCOPE_READ) !== false),
|
||||||
'write' => (stripos($scope, self::SCOPE_WRITE) !== false),
|
'write' => (stripos($scope, BaseApi::SCOPE_WRITE) !== false),
|
||||||
'follow' => (stripos($scope, self::SCOPE_FOLLOW) !== false),
|
'follow' => (stripos($scope, BaseApi::SCOPE_FOLLOW) !== false),
|
||||||
'push' => (stripos($scope, self::SCOPE_PUSH) !== false),
|
'push' => (stripos($scope, BaseApi::SCOPE_PUSH) !== false),
|
||||||
'created_at' => DateTimeFormat::utcNow(DateTimeFormat::MYSQL)];
|
'created_at' => DateTimeFormat::utcNow(DateTimeFormat::MYSQL)];
|
||||||
|
|
||||||
foreach ([self::SCOPE_READ, self::SCOPE_WRITE, self::SCOPE_WRITE, self::SCOPE_PUSH] as $scope) {
|
foreach ([BaseApi::SCOPE_READ, BaseApi::SCOPE_WRITE, BaseApi::SCOPE_WRITE, BaseApi::SCOPE_PUSH] as $scope) {
|
||||||
if ($fields[$scope] && !$application[$scope]) {
|
if ($fields[$scope] && !$application[$scope]) {
|
||||||
Logger::warning('Requested token scope is not allowed for the application', ['token' => $fields, 'application' => $application]);
|
Logger::warning('Requested token scope is not allowed for the application', ['token' => $fields, 'application' => $application]);
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue