mirror
/
pixelfed
mirror of https://github.com/pixelfed/pixelfed.git
1
0
Fork 1
Code Issues Releases Wiki Activity

Update ApiV1Dot1Controller, fix in app registration bug that prevents proper auth flow due to missing oauth scopes

This commit is contained in:
Daniel Supernault 2024-04-30 23:05:38 -06:00
parent aa94dde376
commit cbf996c9b6
No known key found for this signature in database
GPG Key ID: 23740873EE6F76A1
1 changed files with 890 additions and 882 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

146
app/Http/Controllers/Api/ApiV1Dot1Controller.php
View File

@ -2,45 +2,41 @@
namespace App\Http\Controllers\Api;
use Cache;
use DB;
use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use League\Fractal;
use League\Fractal\Serializer\ArraySerializer;
use League\Fractal\Pagination\IlluminatePaginatorAdapter;
use App\AccountLog;
use App\EmailVerification;
use App\Follower;
use App\Http\Controllers\Controller;
use App\Http\Resources\StatusStateless;
use App\Jobs\ReportPipeline\ReportNotifyAdminViaEmail;
use App\Jobs\StatusPipeline\RemoteStatusDelete;
use App\Jobs\StatusPipeline\StatusDelete;
use App\Mail\ConfirmAppEmail;
use App\Mail\PasswordChange;
use App\Place;
use App\Status;
use App\Report;
use App\Profile;
use App\Report;
use App\Services\AccountService;
use App\Services\BouncerService;
use App\Services\EmailService;
use App\Services\FollowerService;
use App\Services\NetworkTimelineService;
use App\Services\ProfileStatusService;
use App\Services\PublicTimelineService;
use App\Services\StatusService;
use App\Status;
use App\StatusArchived;
use App\User;
use App\UserSetting;
use App\Services\AccountService;
use App\Services\FollowerService;
use App\Services\StatusService;
use App\Services\ProfileStatusService;
use App\Services\LikeService;
use App\Services\ReblogService;
use App\Services\PublicTimelineService;
use App\Services\NetworkTimelineService;
use App\Util\Lexer\RestrictedNames;
use App\Services\BouncerService;
use App\Services\EmailService;
use Illuminate\Support\Str;
use Cache;
use DB;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Jenssegers\Agent\Agent;
use Mail;
use App\Mail\PasswordChange;
use App\Mail\ConfirmAppEmail;
use App\Http\Resources\StatusStateless;
use App\Jobs\StatusPipeline\StatusDelete;
use App\Jobs\StatusPipeline\RemoteStatusDelete;
use App\Jobs\ReportPipeline\ReportNotifyAdminViaEmail;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Str;
use Jenssegers\Agent\Agent;
use League\Fractal;
use League\Fractal\Serializer\ArraySerializer;
use Mail;
class ApiV1Dot1Controller extends Controller
{
@ -60,9 +56,10 @@ class ApiV1Dot1Controller extends Controller
public function error($msg, $code = 400, $extra = [], $headers = [])
{
$res = [
"msg" => $msg,
"code" => $code
'msg' => $msg,
'code' => $code,
];
return response()->json(array_merge($res, $extra), $code, $headers, JSON_UNESCAPED_SLASHES);
}
@ -91,19 +88,19 @@ class ApiV1Dot1Controller extends Controller
'copyright',
'impersonation',
'scam',
'terrorism'
'terrorism',
];
if (! $report_type || ! $object_id || ! $object_type) {
return $this->error("Invalid or missing parameters", 400, ["error_code" => "ERROR_INVALID_PARAMS"]);
return $this->error('Invalid or missing parameters', 400, ['error_code' => 'ERROR_INVALID_PARAMS']);
}
if (! in_array($report_type, $types)) {
return $this->error("Invalid report type", 400, ["error_code" => "ERROR_TYPE_INVALID"]);
return $this->error('Invalid report type', 400, ['error_code' => 'ERROR_TYPE_INVALID']);
}
if ($object_type === "user" && $object_id == $user->profile_id) {
return $this->error("Cannot self report", 400, ["error_code" => "ERROR_NO_SELF_REPORTS"]);
if ($object_type === 'user' && $object_id == $user->profile_id) {
return $this->error('Cannot self report', 400, ['error_code' => 'ERROR_NO_SELF_REPORTS']);
}
$rpid = null;
@ -112,7 +109,7 @@ class ApiV1Dot1Controller extends Controller
case 'post':
$object = Status::find($object_id);
if (! $object) {
return $this->error("Invalid object id", 400, ["error_code" => "ERROR_INVALID_OBJECT_ID"]);
return $this->error('Invalid object id', 400, ['error_code' => 'ERROR_INVALID_OBJECT_ID']);
}
$object_type = 'App\Status';
$exists = Report::whereUserId($user->id)
@ -126,7 +123,7 @@ class ApiV1Dot1Controller extends Controller
case 'user':
$object = Profile::find($object_id);
if (! $object) {
return $this->error("Invalid object id", 400, ["error_code" => "ERROR_INVALID_OBJECT_ID"]);
return $this->error('Invalid object id', 400, ['error_code' => 'ERROR_INVALID_OBJECT_ID']);
}
$object_type = 'App\Profile';
$exists = Report::whereUserId($user->id)
@ -137,16 +134,16 @@ class ApiV1Dot1Controller extends Controller
break;
default:
return $this->error("Invalid report type", 400, ["error_code" => "ERROR_REPORT_OBJECT_TYPE_INVALID"]);
return $this->error('Invalid report type', 400, ['error_code' => 'ERROR_REPORT_OBJECT_TYPE_INVALID']);
break;
}
if ($exists !== 0) {
return $this->error("Duplicate report", 400, ["error_code" => "ERROR_REPORT_DUPLICATE"]);
return $this->error('Duplicate report', 400, ['error_code' => 'ERROR_REPORT_DUPLICATE']);
}
if ($object->profile_id == $user->profile_id) {
return $this->error("Cannot self report", 400, ["error_code" => "ERROR_NO_SELF_REPORTS"]);
return $this->error('Cannot self report', 400, ['error_code' => 'ERROR_NO_SELF_REPORTS']);
}
$report = new Report;
@ -163,9 +160,10 @@ class ApiV1Dot1Controller extends Controller
}
$res = [
"msg" => "Successfully sent report",
"code" => 200
'msg' => 'Successfully sent report',
'code' => 200,
];
return $this->json($res);
}
@ -270,9 +268,9 @@ class ApiV1Dot1Controller extends Controller
$this->validate($request, [
'current_password' => 'bail|required|current_password',
'new_password' => 'required|min:'.config('pixelfed.min_password_length', 8),
'confirm_password' => 'required|same:new_password'
'confirm_password' => 'required|same:new_password',
], [
'current_password' => 'The password you entered is incorrect'
'current_password' => 'The password you entered is incorrect',
]);
$user->password = bcrypt($request->input('new_password'));
@ -320,6 +318,7 @@ class ApiV1Dot1Controller extends Controller
->get()
->map(function ($item) use ($agent, $currentIp) {
$agent->setUserAgent($item->user_agent);
return [
'id' => $item->id,
'action' => $item->action,
@ -329,7 +328,7 @@ class ApiV1Dot1Controller extends Controller
'device' => $agent->device(),
'browser' => $agent->browser(),
'platform' => $agent->platform(),
'created_at' => $item->created_at->format('c')
'created_at' => $item->created_at->format('c'),
];
});
@ -355,8 +354,9 @@ class ApiV1Dot1Controller extends Controller
$res = [
'active' => (bool) $user->{'2fa_enabled'},
'setup_at' => $user->{'2fa_setup_at'}
'setup_at' => $user->{'2fa_setup_at'},
];
return $this->json($res);
}
@ -388,7 +388,7 @@ class ApiV1Dot1Controller extends Controller
'subject' => 'Confirm Email',
'to_address' => $user->email,
'from_address' => $from,
'created_at' => str_replace('@', 'at', $mail->created_at->format('M j, Y @ g:i:s A'))
'created_at' => str_replace('@', 'at', $mail->created_at->format('M j, Y @ g:i:s A')),
];
})
->toArray();
@ -405,7 +405,7 @@ class ApiV1Dot1Controller extends Controller
'subject' => 'Reset Password Notification',
'to_address' => $user->email,
'from_address' => $from,
'created_at' => str_replace('@', 'at', now()->parse($mail->created_at)->format('M j, Y @ g:i:s A'))
'created_at' => str_replace('@', 'at', now()->parse($mail->created_at)->format('M j, Y @ g:i:s A')),
];
})
->toArray();
@ -422,7 +422,7 @@ class ApiV1Dot1Controller extends Controller
'subject' => 'Password Change',
'to_address' => $user->email,
'from_address' => $from,
'created_at' => str_replace('@', 'at', now()->parse($mail->created_at)->format('M j, Y @ g:i:s A'))
'created_at' => str_replace('@', 'at', now()->parse($mail->created_at)->format('M j, Y @ g:i:s A')),
];
})
->toArray();
@ -462,7 +462,7 @@ class ApiV1Dot1Controller extends Controller
'scopes' => $token->scopes,
'revoked' => $token->revoked,
'created_at' => str_replace('@', 'at', now()->parse($token->created_at)->format('M j, Y @ g:i:s A')),
'expires_at' => str_replace('@', 'at', now()->parse($token->expires_at)->format('M j, Y @ g:i:s A'))
'expires_at' => str_replace('@', 'at', now()->parse($token->expires_at)->format('M j, Y @ g:i:s A')),
];
});
@ -487,7 +487,8 @@ class ApiV1Dot1Controller extends Controller
abort_if(BouncerService::checkIp($request->ip()), 404);
}
$rl = RateLimiter::attempt('pf:apiv1.1:iar:'.$request->ip(), config('pixelfed.app_registration_rate_limit_attempts', 3), function(){}, config('pixelfed.app_registration_rate_limit_decay', 1800));
$rl = RateLimiter::attempt('pf:apiv1.1:iar:'.$request->ip(), config('pixelfed.app_registration_rate_limit_attempts', 3), function () {
}, config('pixelfed.app_registration_rate_limit_decay', 1800));
abort_if(! $rl, 400, 'Too many requests');
$this->validate($request, [
@ -575,7 +576,7 @@ class ApiV1Dot1Controller extends Controller
$params = http_build_query([
'ut' => $user->app_register_token,
'rt' => $rtoken,
'ea' => base64_encode($user->email)
'ea' => base64_encode($user->email),
]);
$appUrl = url('/api/v1.1/auth/iarer?'.$params);
@ -591,7 +592,7 @@ class ApiV1Dot1Controller extends Controller
$this->validate($request, [
'ut' => 'required',
'rt' => 'required',
'ea' => 'required'
'ea' => 'required',
]);
$ut = $request->input('ut');
$rt = $request->input('rt');
@ -600,9 +601,10 @@ class ApiV1Dot1Controller extends Controller
'ut' => $ut,
'rt' => $rt,
'domain' => config('pixelfed.domain.app'),
'ea' => $ea
'ea' => $ea,
]);
$url = 'pixelfed://confirm-account/'.$ut.'?'.$params;
return redirect()->away($url);
}
@ -616,13 +618,14 @@ class ApiV1Dot1Controller extends Controller
abort_if(BouncerService::checkIp($request->ip()), 404);
}
$rl = RateLimiter::attempt('pf:apiv1.1:iarc:'.$request->ip(), config('pixelfed.app_registration_confirm_rate_limit_attempts', 20), function(){}, config('pixelfed.app_registration_confirm_rate_limit_decay', 1800));
$rl = RateLimiter::attempt('pf:apiv1.1:iarc:'.$request->ip(), config('pixelfed.app_registration_confirm_rate_limit_attempts', 20), function () {
}, config('pixelfed.app_registration_confirm_rate_limit_decay', 1800));
abort_if(! $rl, 429, 'Too many requests');
$this->validate($request, [
$request->validate([
'user_token' => 'required',
'random_token' => 'required',
'email' => 'required'
'email' => 'required',
]);
$verify = EmailVerification::whereEmail($request->input('email'))
@ -636,6 +639,7 @@ class ApiV1Dot1Controller extends Controller
if ($verify->created_at->lt(now()->subHours(24))) {
$verify->delete();
return response()->json(['error' => 'Invalid tokens'], 403);
}
@ -644,10 +648,10 @@ class ApiV1Dot1Controller extends Controller
$user->last_active_at = now();
$user->save();
$token = $user->createToken('Pixelfed');
$token = $user->createToken('Pixelfed', ['read', 'write', 'follow', 'admin:read', 'admin:write', 'push']);
return response()->json([
'access_token' => $token->accessToken
'access_token' => $token->accessToken,
]);
}
@ -760,14 +764,13 @@ class ApiV1Dot1Controller extends Controller
->values();
return [
'place' =>
[
'place' => [
'id' => $place->id,
'name' => $place->name,
'slug' => $place->slug,
'country' => $place->country,
'lat' => $place->lat,
'long' => $place->long
'long' => $place->long,
],
'posts' => $posts];
}
@ -783,7 +786,7 @@ class ApiV1Dot1Controller extends Controller
}
$this->validate($request, [
'action' => 'required|in:cw,mark-public,mark-unlisted,mark-private,mark-spammer,delete'
'action' => 'required|in:cw,mark-public,mark-unlisted,mark-private,mark-spammer,delete',
]);
$action = $request->input('action');
@ -803,7 +806,7 @@ class ApiV1Dot1Controller extends Controller
$status->profile->update([
'unlisted' => true,
'cw' => true,
'no_autolink' => true
'no_autolink' => true,
]);
Status::whereProfileId($status->profile_id)
@ -872,6 +875,7 @@ class ApiV1Dot1Controller extends Controller
StatusService::del($status->id, true);
Cache::forget('profile:status_count:'.$status->profile_id);
$status->uri ? RemoteStatusDelete::dispatch($status) : StatusDelete::dispatch($status);
return [];
}
@ -887,11 +891,12 @@ class ApiV1Dot1Controller extends Controller
$uid = $request->user()->id;
$settings = UserSetting::firstOrCreate([
'user_id' => $uid
'user_id' => $uid,
]);
if (! $settings->other) {
return [];
}
return $settings->other;
}
@ -902,12 +907,12 @@ class ApiV1Dot1Controller extends Controller
$this->validate($request, [
'field' => 'required|in:enable_reblogs,hide_reblog_banner',
'value' => 'required'
'value' => 'required',
]);
$field = $request->input('field');
$value = $request->input('value');
$settings = UserSetting::firstOrCreate([
'user_id' => $request->user()->id
'user_id' => $request->user()->id,
]);
if (! $settings->other) {
$other = [];
@ -927,7 +932,9 @@ class ApiV1Dot1Controller extends Controller
abort_unless($request->user()->tokenCan('follows'), 403);
$account = AccountService::get($id, true);
if(!$account || !isset($account['id'])) { return []; }
if (! $account || ! isset($account['id'])) {
return [];
}
$res = collect(FollowerService::mutualAccounts($request->user()->profile_id, $id))
->map(function ($accountId) {
return AccountService::get($accountId, true);
@ -935,6 +942,7 @@ class ApiV1Dot1Controller extends Controller
->filter()
->take(24)
->values();
return $this->json($res);
}
}