Enforcement of OAuth scopes check for authenticated API endpoints

Merged Ivan Tashkinov requested to merge authenticated-api-oauth-check-enforcement into develop Apr 06, 2020

Enforces OAuth scopes check for authenticated API endpoints.

Adds :skip_plug plug to mark a plug as explicitly skipped (disabled).

Solves the problem of potentially "forgotten" or incorrect OAuthScopesPlug calls which would result in security breaches. Some of the reasons such an issue could happen:

  • developer(s) could be unaware of (hopefully not) or forget to define an OAuthScopesPlug call for a specific action
  • action was moved to another controller (and OAuthScopesPlug not propagated)
  • action was renamed (with OAuthScopesPlug call's guard clause unmodified)

With this MR an automatic check whether OAuthScopesPlug was either called or explicitly skipped (via :skip_plug plug) is performed. If the check fails, HTTP 403 is returned.

Edited Apr 06, 2020 by Ivan Tashkinov
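As an added illustration of the fail-closed check this MR describes (example code written for this page, not Pleroma's own implementation): the module names ScopesPlug, SkipPlug and EnforceScopesCheck and the private keys :scopes_plug_ran and :skipped_plugs are assumptions standing in for OAuthScopesPlug and :skip_plug, and the plug pipelines are applied by hand rather than through Phoenix's `plug` macro.

```elixir
Mix.install([{:plug, "~> 1.14"}])

# Stands in for OAuthScopesPlug: checks the token's scopes and records that it ran.
defmodule ScopesPlug do
  @behaviour Plug
  import Plug.Conn
  def init(opts), do: opts

  def call(conn, required_scopes) do
    conn = put_private(conn, :scopes_plug_ran, true)
    granted = conn.assigns[:token_scopes] || []
    if Enum.all?(required_scopes, &(&1 in granted)),
      do: conn,
      else: conn |> send_resp(403, "insufficient scope") |> halt()
  end
end

# Equivalent of :skip_plug: explicitly marks a plug as intentionally not run.
defmodule SkipPlug do
  @behaviour Plug
  def init(plug_mod), do: plug_mod
  def call(conn, mod), do: Plug.Conn.put_private(conn, :skipped_plugs, [mod | conn.private[:skipped_plugs] || []])
end

# Enforcement plug, run last before the action: fail closed unless the scopes
# plug either ran or was explicitly skipped, so a forgotten call yields 403.
defmodule EnforceScopesCheck do
  @behaviour Plug
  import Plug.Conn
  def init(opts), do: opts
  def call(conn, _opts) do
    ran? = conn.private[:scopes_plug_ran] == true
    skipped? = ScopesPlug in (conn.private[:skipped_plugs] || [])
    if ran? or skipped?, do: conn, else: conn |> send_resp(403, "scopes check missing") |> halt()
  end
end

# Three per-action pipelines over a constructed test request (assumed path and token scopes).
defmodule Demo do
  defp request(scopes), do: Plug.Conn.assign(Plug.Test.conn(:get, "/api/statuses"), :token_scopes, scopes)
  defp run(conn, plugs), do: Enum.reduce(plugs, conn, fn {m, o}, c -> if(c.halted, do: c, else: m.call(c, m.init(o))) end)
  defp verdict(conn), do: if(conn.halted, do: {:denied, conn.status}, else: :allowed)
  # checked: scopes plug ran; forgotten: no scopes plug at all; public: skip declared explicitly.
  def checked(scopes), do: run(request(scopes), [{ScopesPlug, ["read"]}, {EnforceScopesCheck, []}]) |> verdict()
  def forgotten(scopes), do: run(request(scopes), [{EnforceScopesCheck, []}]) |> verdict()
  def public(scopes), do: run(request(scopes), [{SkipPlug, ScopesPlug}, {EnforceScopesCheck, []}]) |> verdict()
end

IO.inspect({Demo.checked(["read"]), Demo.forgotten(["read"]), Demo.public([])})
```

The forgotten case is the one the MR targets: the token is valid, yet the request is refused because no scopes check was declared for the action.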