Remove `:auth, :enforce_oauth_admin_scope_usage`

`admin` scope has been required by default for more than a year now
and all apps that use the API seems to request a proper scope by now.

CHANGELOG.md

@@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 
+### Removed
+
+- `:auth, :enforce_oauth_admin_scope_usage` configuration option.
+
 ### Changed
 
 - **Breaking**: Changed `mix pleroma.user toggle_confirmed` to `mix pleroma.user confirm`

config/config.exs

@@ -611,10 +611,7 @@
        base_path: "/oauth",
        providers: ueberauth_providers
 
-config :pleroma,
-       :auth,
-       enforce_oauth_admin_scope_usage: true,
-       oauth_consumer_strategies: oauth_consumer_strategies
+config :pleroma, :auth, oauth_consumer_strategies: oauth_consumer_strategies
 
 config :pleroma, Pleroma.Emails.Mailer, adapter: Swoosh.Adapters.Sendmail, enabled: false
 

docs/development/API/admin_api.md

@@ -2,13 +2,6 @@
 
 Authentication is required and the user must be an admin.
 
-Configuration options:
-
-* `[:auth, :enforce_oauth_admin_scope_usage]` — OAuth admin scope requirement toggle.
-    If `true`, admin actions explicitly demand admin OAuth scope(s) presence in OAuth token (client app must support admin scopes).
-    If `false` and token doesn't have admin scope(s), `is_admin` user flag grants access to admin-specific actions.
-    Note that client app needs to explicitly support admin scopes and request them when obtaining auth token.
-
 ## `GET /api/pleroma/admin/users`
 
 ### List users

lib/pleroma/config.ex

@@ -100,15 +100,7 @@ def oauth_consumer_strategies, do: get([:auth, :oauth_consumer_strategies], [])
 
   def oauth_consumer_enabled?, do: oauth_consumer_strategies() != []
 
-  def enforce_oauth_admin_scope_usage?, do: !!get([:auth, :enforce_oauth_admin_scope_usage])
-
   def oauth_admin_scopes(scopes) when is_list(scopes) do
-    Enum.flat_map(
-      scopes,
-      fn scope ->
-        ["admin:#{scope}"] ++
-          if enforce_oauth_admin_scope_usage?(), do: [], else: [scope]
-      end
-    )
+    Enum.map(scopes, fn scope -> "admin:#{scope}" end)
   end
 end

test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs

@@ -46,104 +46,47 @@ test "with valid `admin_token` query parameter, skips OAuth scopes check" do
     assert json_response(conn, 200)
   end
 
-  describe "with [:auth, :enforce_oauth_admin_scope_usage]," do
-    setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], true)
+  test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or broader scope",
+       %{admin: admin} do
+    user = insert(:user)
+    url = "/api/pleroma/admin/users/#{user.nickname}"
 
-    test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or broader scope",
-         %{admin: admin} do
-      user = insert(:user)
-      url = "/api/pleroma/admin/users/#{user.nickname}"
-
-      good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"])
-      good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"])
-      good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"])
-
-      bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts"])
-      bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"])
-      bad_token3 = nil
-
-      for good_token <- [good_token1, good_token2, good_token3] do
-        conn =
-          build_conn()
-          |> assign(:user, admin)
-          |> assign(:token, good_token)
-          |> get(url)
-
-        assert json_response(conn, 200)
-      end
-
-      for good_token <- [good_token1, good_token2, good_token3] do
-        conn =
-          build_conn()
-          |> assign(:user, nil)
-          |> assign(:token, good_token)
-          |> get(url)
-
-        assert json_response(conn, :forbidden)
-      end
-
-      for bad_token <- [bad_token1, bad_token2, bad_token3] do
-        conn =
-          build_conn()
-          |> assign(:user, admin)
-          |> assign(:token, bad_token)
-          |> get(url)
-
-        assert json_response(conn, :forbidden)
-      end
+    good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"])
+    good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"])
+    good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"])
+
+    bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts"])
+    bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"])
+    bad_token3 = nil
+
+    for good_token <- [good_token1, good_token2, good_token3] do
+      conn =
+        build_conn()
+        |> assign(:user, admin)
+        |> assign(:token, good_token)
+        |> get(url)
+
+      assert json_response(conn, 200)
     end
-  end
 
-  describe "unless [:auth, :enforce_oauth_admin_scope_usage]," do
-    setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], false)
+    for good_token <- [good_token1, good_token2, good_token3] do
+      conn =
+        build_conn()
+        |> assign(:user, nil)
+        |> assign(:token, good_token)
+        |> get(url)
+
+      assert json_response(conn, :forbidden)
+    end
 
-    test "GET /api/pleroma/admin/users/:nickname requires " <>
-           "read:accounts or admin:read:accounts or broader scope",
-         %{admin: admin} do
-      user = insert(:user)
-      url = "/api/pleroma/admin/users/#{user.nickname}"
-
-      good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"])
-      good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"])
-      good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"])
-      good_token4 = insert(:oauth_token, user: admin, scopes: ["read:accounts"])
-      good_token5 = insert(:oauth_token, user: admin, scopes: ["read"])
-
-      good_tokens = [good_token1, good_token2, good_token3, good_token4, good_token5]
-
-      bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts:partial"])
-      bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"])
-      bad_token3 = nil
-
-      for good_token <- good_tokens do
-        conn =
-          build_conn()
-          |> assign(:user, admin)
-          |> assign(:token, good_token)
-          |> get(url)
-
-        assert json_response(conn, 200)
-      end
-
-      for good_token <- good_tokens do
-        conn =
-          build_conn()
-          |> assign(:user, nil)
-          |> assign(:token, good_token)
-          |> get(url)
-
-        assert json_response(conn, :forbidden)
-      end
-
-      for bad_token <- [bad_token1, bad_token2, bad_token3] do
-        conn =
-          build_conn()
-          |> assign(:user, admin)
-          |> assign(:token, bad_token)
-          |> get(url)
-
-        assert json_response(conn, :forbidden)
-      end
+    for bad_token <- [bad_token1, bad_token2, bad_token3] do
+      conn =
+        build_conn()
+        |> assign(:user, admin)
+        |> assign(:token, bad_token)
+        |> get(url)
+
+      assert json_response(conn, :forbidden)
     end
   end
 

test/pleroma/web/admin_api/controllers/user_controller_test.exs

@@ -47,104 +47,47 @@ test "with valid `admin_token` query parameter, skips OAuth scopes check" do
     assert json_response(conn, 200)
   end
 
-  describe "with [:auth, :enforce_oauth_admin_scope_usage]," do
-    setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], true)
-
-    test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or broader scope",
-         %{admin: admin} do
-      user = insert(:user)
-      url = "/api/pleroma/admin/users/#{user.nickname}"
-
-      good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"])
-      good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"])
-      good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"])
-
-      bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts"])
-      bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"])
-      bad_token3 = nil
-
-      for good_token <- [good_token1, good_token2, good_token3] do
-        conn =
-          build_conn()
-          |> assign(:user, admin)
-          |> assign(:token, good_token)
-          |> get(url)
+  test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or broader scope",
+       %{admin: admin} do
+    user = insert(:user)
+    url = "/api/pleroma/admin/users/#{user.nickname}"
 
-        assert json_response(conn, 200)
-      end
+    good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"])
+    good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"])
+    good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"])
 
-      for good_token <- [good_token1, good_token2, good_token3] do
-        conn =
-          build_conn()
-          |> assign(:user, nil)
-          |> assign(:token, good_token)
-          |> get(url)
+    bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts"])
+    bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"])
+    bad_token3 = nil
 
-        assert json_response(conn, :forbidden)
-      end
-
-      for bad_token <- [bad_token1, bad_token2, bad_token3] do
-        conn =
-          build_conn()
-          |> assign(:user, admin)
-          |> assign(:token, bad_token)
-          |> get(url)
+    for good_token <- [good_token1, good_token2, good_token3] do
+      conn =
+        build_conn()
+        |> assign(:user, admin)
+        |> assign(:token, good_token)
+        |> get(url)
 
-        assert json_response(conn, :forbidden)
-      end
+      assert json_response(conn, 200)
     end
-  end
 
-  describe "unless [:auth, :enforce_oauth_admin_scope_usage]," do
-    setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], false)
-
-    test "GET /api/pleroma/admin/users/:nickname requires " <>
-           "read:accounts or admin:read:accounts or broader scope",
-         %{admin: admin} do
-      user = insert(:user)
-      url = "/api/pleroma/admin/users/#{user.nickname}"
-
-      good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"])
-      good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"])
-      good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"])
-      good_token4 = insert(:oauth_token, user: admin, scopes: ["read:accounts"])
-      good_token5 = insert(:oauth_token, user: admin, scopes: ["read"])
-
-      good_tokens = [good_token1, good_token2, good_token3, good_token4, good_token5]
-
-      bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts:partial"])
-      bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"])
-      bad_token3 = nil
-
-      for good_token <- good_tokens do
-        conn =
-          build_conn()
-          |> assign(:user, admin)
-          |> assign(:token, good_token)
-          |> get(url)
-
-        assert json_response(conn, 200)
-      end
-
-      for good_token <- good_tokens do
-        conn =
-          build_conn()
-          |> assign(:user, nil)
-          |> assign(:token, good_token)
-          |> get(url)
+    for good_token <- [good_token1, good_token2, good_token3] do
+      conn =
+        build_conn()
+        |> assign(:user, nil)
+        |> assign(:token, good_token)
+        |> get(url)
 
-        assert json_response(conn, :forbidden)
-      end
+      assert json_response(conn, :forbidden)
+    end
 
-      for bad_token <- [bad_token1, bad_token2, bad_token3] do
-        conn =
-          build_conn()
-          |> assign(:user, admin)
-          |> assign(:token, bad_token)
-          |> get(url)
+    for bad_token <- [bad_token1, bad_token2, bad_token3] do
+      conn =
+        build_conn()
+        |> assign(:user, admin)
+        |> assign(:token, bad_token)
+        |> get(url)
 
-        assert json_response(conn, :forbidden)
-      end
+      assert json_response(conn, :forbidden)
     end
   end
 

test/pleroma/web/pleroma_api/controllers/emoji_file_controller_test.exs

@@ -13,8 +13,6 @@ defmodule Pleroma.Web.PleromaAPI.EmojiFileControllerTest do
                 Pleroma.Config.get!([:instance, :static_dir]),
                 "emoji"
               )
-  setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], false)
-
   setup do: clear_config([:instance, :public], true)
 
   setup do

test/pleroma/web/pleroma_api/controllers/emoji_pack_controller_test.exs

@@ -13,7 +13,6 @@ defmodule Pleroma.Web.PleromaAPI.EmojiPackControllerTest do
                 Pleroma.Config.get!([:instance, :static_dir]),
                 "emoji"
               )
-  setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], false)
 
   setup do: clear_config([:instance, :public], true)
 

test/pleroma/web/plugs/o_auth_scopes_plug_test.exs

@@ -169,42 +169,4 @@ test "filters scopes which directly match or are ancestors of supported scopes"
       assert f.(["admin:read"], ["write", "admin"]) == ["admin:read"]
     end
   end
-
-  describe "transform_scopes/2" do
-    setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage])
-
-    setup do
-      {:ok, %{f: &OAuthScopesPlug.transform_scopes/2}}
-    end
-
-    test "with :admin option, prefixes all requested scopes with `admin:` " <>
-           "and [optionally] keeps only prefixed scopes, " <>
-           "depending on `[:auth, :enforce_oauth_admin_scope_usage]` setting",
-         %{f: f} do
-      clear_config([:auth, :enforce_oauth_admin_scope_usage], false)
-
-      assert f.(["read"], %{admin: true}) == ["admin:read", "read"]
-
-      assert f.(["read", "write"], %{admin: true}) == [
-               "admin:read",
-               "read",
-               "admin:write",
-               "write"
-             ]
-
-      clear_config([:auth, :enforce_oauth_admin_scope_usage], true)
-
-      assert f.(["read:accounts"], %{admin: true}) == ["admin:read:accounts"]
-
-      assert f.(["read", "write:reports"], %{admin: true}) == [
-               "admin:read",
-               "admin:write:reports"
-             ]
-    end
-
-    test "with no supported options, returns unmodified scopes", %{f: f} do
-      assert f.(["read"], %{}) == ["read"]
-      assert f.(["read", "write"], %{}) == ["read", "write"]
-    end
-  end
 end