From 9720ee2c205ad6206da38fcbb210e307fb0ce607 Mon Sep 17 00:00:00 2001
From: Michael
Date: Tue, 8 Jun 2021 09:11:56 +0000
Subject: [PATCH] Rearranged scope check

---
 src/Module/BaseApi.php | 44 +++++++++++++++++++++++--------------
 src/Security/BasicAuth.php | 4 ++--
 src/Security/OAuth.php | 45 +++++---------------------------------
 3 files changed, 36 insertions(+), 57 deletions(-)

diff --git a/src/Module/BaseApi.php b/src/Module/BaseApi.php
index 7c3e63ee84..5059693618 100644
--- a/src/Module/BaseApi.php
+++ b/src/Module/BaseApi.php
@@ -34,13 +34,9 @@ require_once __DIR__ . '/../../include/api.php';
 
 class BaseApi extends BaseModule
 {
-	/** @deprecated Use OAuth class constant */
 	const SCOPE_READ = 'read';
-	/** @deprecated Use OAuth class constant */
 	const SCOPE_WRITE = 'write';
-	/** @deprecated Use OAuth class constant */
 	const SCOPE_FOLLOW = 'follow';
-	/** @deprecated Use OAuth class constant */
 	const SCOPE_PUSH = 'push';
 
 	/**
@@ -173,24 +169,14 @@ class BaseApi extends BaseModule
 	}
 
 	/**
+	 * @deprecated Use checkAllowedScope instead
 	 * Log in user via OAuth or Basic HTTP Auth.
 	 *
 	 * @param string $scope the requested scope (read, write, follow)
 	 */
 	protected static function login(string $scope)
 	{
-		$uid = OAuth::getCurrentUserID();
-
-		if (!empty($uid)) {
-			if (!OAuth::isAllowedScope($scope)) {
-				DI::mstdnError()->Forbidden();
-			}
-		}
-
-		if (empty($uid)) {
-			// The execution stops here if no one is logged in
-			BasicAuth::getCurrentUserID(true);
-		}
+		self::checkAllowedScope($scope);
 	}
 
 	/**
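Review bot: The `@deprecated` tag on login() is inserted above the docblock summary, and the summary "Log in user via OAuth or Basic HTTP Auth." no longer describes a method that only delegates to checkAllowedScope(). PHPDoc readers and IDEs expect the summary first and the tag after, so reorder to ` * Log in user via OAuth or Basic HTTP Auth.` followed by ` *` and ` * @deprecated Use checkAllowedScope() instead`, and mention in the summary that the call now fails closed through checkAllowedScope(). The removed body explicitly fell back to Basic HTTP auth when no OAuth user was present; whether the replacement still does is decided in checkAllowedScope()'s helper, which is outside this hunk.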
@@ -225,6 +211,32 @@ class BaseApi extends BaseModule
 		return (int)$uid;
 	}
 
+	/**
+	 * Check if the provided scope does exist.
+	 * halts execution on missing scope or when not logged in.
+	 *
+	 * @param string $scope the requested scope (read, write, follow, push)
+	 */
+	public static function checkAllowedScope(string $scope)
+	{
+		$token = self::getCurrentApplication();
+
+		if (empty($token)) {
+			Logger::notice('Empty application token');
+			DI::mstdnError()->Forbidden();
+		}
+
+		if (!isset($token[$scope])) {
+			Logger::warning('The requested scope does not exist', ['scope' => $scope, 'application' => $token]);
+			DI::mstdnError()->Forbidden();
+		}
+
+		if (empty($token[$scope])) {
+			Logger::warning('The requested scope is not allowed', ['scope' => $scope, 'application' => $token]);
+			DI::mstdnError()->Forbidden();
+		}
+	}
+
 	/**
 	 * Get user info array.
 	 *
diff --git a/src/Security/BasicAuth.php b/src/Security/BasicAuth.php
index e55700bf9e..18564d289e 100644
--- a/src/Security/BasicAuth.php
+++ b/src/Security/BasicAuth.php
@@ -46,7 +46,7 @@ class BasicAuth
 	 *
 	 * @return int User ID
 	 */
-	public static function getCurrentUserID(bool $login = true)
+	public static function getCurrentUserID(bool $login)
 	{
 		if (empty(self::$current_user_id)) {
 			api_login(DI::app(), $login);
@@ -64,7 +64,7 @@ class BasicAuth
 	 */
 	public static function getCurrentApplicationToken()
 	{
-		if (empty(self::getCurrentUserID())) {
+		if (empty(self::getCurrentUserID(true))) {
 			return [];
 		}
 
diff --git a/src/Security/OAuth.php b/src/Security/OAuth.php
index 64a942bba7..7210df8c2e 100644
--- a/src/Security/OAuth.php
+++ b/src/Security/OAuth.php
@@ -24,6 +24,7 @@ namespace Friendica\Security;
 use Friendica\Core\Logger;
 use Friendica\Database\Database;
 use Friendica\Database\DBA;
+use Friendica\Module\BaseApi;
 use Friendica\Util\DateTimeFormat;
 
 /**
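Review bot: checkAllowedScope() makes the whole authorization decision on the value of self::getCurrentApplication(), which is not part of this diff, and the login() body it replaces explicitly fell back to `BasicAuth::getCurrentUserID(true)` when no OAuth user existed; nothing visible here shows that fallback survived, so confirm that getCurrentApplication() still attempts Basic HTTP auth, otherwise Basic-auth clients are now rejected (fail-closed, but a functional regression). All three branches rely on `DI::mstdnError()->Forbidden()` never returning; the docblock says so, but declaring the method `: void` and adding `return;` after each Forbidden() call keeps the intent fail-closed even if the error helper is ever changed or stubbed to return. The two warning calls log the complete `$token` array under `'application'`; check that this structure carries no credential (the OAuth token fields in the last hunk include `access_token`) before it is written to the log.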
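Review bot: getCurrentUserID() loses the default for `$login`, which breaks any caller outside this diff that still relies on it, and the docblock ending in `@return int User ID` never documents what the parameter controls. Add `@param bool $login whether api_login() should perform an HTTP Basic login attempt` above the `@return` line, since the only visible use is the pass-through to `api_login(DI::app(), $login)`. The method body continues outside the hunk. Separately, the new `use Friendica\Module\BaseApi;` in OAuth.php makes the Security namespace depend on the HTTP module layer for four string constants that this same commit un-deprecates in BaseApi; if that direction is intended, a short comment on the import saying why would save the next reader the question.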
@@ -31,11 +32,6 @@ use Friendica\Util\DateTimeFormat;
  */
 class OAuth
 {
-	const SCOPE_READ = 'read';
-	const SCOPE_WRITE = 'write';
-	const SCOPE_FOLLOW = 'follow';
-	const SCOPE_PUSH = 'push';
-
 	/**
 	 * @var bool|int
 	 */
@@ -78,35 +74,6 @@ class OAuth
 		return self::$current_token;
 	}
 
-	/**
-	 * Check if the provided scope does exist
-	 *
-	 * @param string $scope the requested scope (read, write, follow, push)
-	 *
-	 * @return bool "true" if the scope is allowed
-	 */
-	public static function isAllowedScope(string $scope)
-	{
-		$token = self::getCurrentApplicationToken();
-
-		if (empty($token)) {
-			Logger::notice('Empty application token');
-			return false;
-		}
-
-		if (!isset($token[$scope])) {
-			Logger::warning('The requested scope does not exist', ['scope' => $scope, 'application' => $token]);
-			return false;
-		}
-
-		if (empty($token[$scope])) {
-			Logger::warning('The requested scope is not allowed', ['scope' => $scope, 'application' => $token]);
-			return false;
-		}
-
-		return true;
-	}
-
 	/**
 	 * Get the user token via the Bearer token
 	 *
@@ -200,13 +167,13 @@ class OAuth
 			'code' => $code,
 			'access_token' => $access_token,
 			'scopes' => $scope,
-			'read' => (stripos($scope, self::SCOPE_READ) !== false),
-			'write' => (stripos($scope, self::SCOPE_WRITE) !== false),
-			'follow' => (stripos($scope, self::SCOPE_FOLLOW) !== false),
-			'push' => (stripos($scope, self::SCOPE_PUSH) !== false),
+			'read' => (stripos($scope, BaseApi::SCOPE_READ) !== false),
+			'write' => (stripos($scope, BaseApi::SCOPE_WRITE) !== false),
+			'follow' => (stripos($scope, BaseApi::SCOPE_FOLLOW) !== false),
+			'push' => (stripos($scope, BaseApi::SCOPE_PUSH) !== false),
 			'created_at' => DateTimeFormat::utcNow(DateTimeFormat::MYSQL)];
 
-		foreach ([self::SCOPE_READ, self::SCOPE_WRITE, self::SCOPE_WRITE, self::SCOPE_PUSH] as $scope) {
+		foreach ([BaseApi::SCOPE_READ, BaseApi::SCOPE_WRITE, BaseApi::SCOPE_WRITE, BaseApi::SCOPE_PUSH] as $scope) {
 			if ($fields[$scope] && !$application[$scope]) {
 				Logger::warning('Requested token scope is not allowed for the application', ['token' => $fields, 'application' => $application]);
 			}
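Review bot: The rewritten `foreach` list still names `BaseApi::SCOPE_WRITE` twice and never `BaseApi::SCOPE_FOLLOW`, so a token request asking for `follow` is never compared against what the application was granted; the commit touches the line without fixing it, and it should read `foreach ([BaseApi::SCOPE_READ, BaseApi::SCOPE_WRITE, BaseApi::SCOPE_FOLLOW, BaseApi::SCOPE_PUSH] as $scope) {`. The loop also reuses `$scope` as its variable, overwriting the requested scope string that `'scopes' => $scope` was just built from, and the `stripos()` substring test treats any scope string merely containing `read` as the read scope, where a whitespace split plus `in_array($s, $parts, true)` would be exact. The warning on the inner line logs `$fields` in full, which includes `code` and `access_token`, so the issued credential ends up in the log; log the scope names instead. The method continues outside the hunk, so whether a mismatch only logs or also rejects the request is not visible here.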