Enforcement of OAuth scopes check for authenticated API endpoints (!2349) · Merge requests · Pleroma / pleroma

Ivan Tashkinov requested to merge authenticated-api-oauth-check-enforcement into develop Apr 06, 2020

Enforces of OAuth scopes check for authenticated API endpoints.

Adds :skip_plug plug to mark a plug explicitly skipped (disabled).

Solves the problem of potentially "forgotten" or incorrect OAuthScopesPlug calls which would result in security breaches. Some of the reasons such issue could happen:

developer(s) could be unaware of (hopefully not) or forget to define OAuthScopesPlug call for specific action
action was moved to another controller (and OAuthScopesPlug not propagated)
action was renamed (with OAuthScopesPlug call's guard clause unmodified)

With this MR an automatic check whether OAuthScopesPlug was either called or explicitly skipped (via :skip_plug plug) is performed. If the check is failed, HTTP 403 is returned.

Edited Apr 06, 2020 by Ivan Tashkinov

Enforcement of OAuth scopes check for authenticated API endpoints

Merge request reports