
Disable administrative doorkeeper routes (#29187)

Emelia Smith 3 months ago
parent
commit
cdbe2855f3
2 changed files with 90 additions and 2 deletions
  1. 7 2
      config/initializers/doorkeeper.rb
  2. 83 0
      spec/requests/disabled_oauth_endpoints_spec.rb

+ 7 - 2
config/initializers/doorkeeper.rb

@@ -19,9 +19,14 @@ Doorkeeper.configure do
     user unless user&.otp_required_for_login?
   end
 
-  # If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below.
+  # Doorkeeper provides some administrative interfaces for managing OAuth
+  # Applications, allowing creation, edit, and deletion of applications from the
+  # server. At present, these administrative routes are not integrated into
+  # Mastodon, and as such, we've disabled them by always return a 403 forbidden
+  # response for them. This does not affect the ability for users to manage
+  # their own OAuth Applications.
   admin_authenticator do
-    current_user&.admin? || redirect_to(new_user_session_url)
+    head 403
   end
 
   # Authorization Code expiration time (default 10 minutes).
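Review bot: The new comment above `admin_authenticator` has a grammatical slip — "we've disabled them by always return a 403 forbidden response" should read "by always returning a 403 Forbidden response" — and since this comment is the only place that explains why admins are deliberately locked out of Doorkeeper's application management UI, it is worth getting right. The block's effect depends on Doorkeeper evaluating it inside the controller so that `head 403` marks the response as performed and halts the filter chain; that is not visible in this hunk, so a short note such as `# Rendering here halts Doorkeeper's before_action; do not replace with a bare boolean` would guard against a future edit that returns `false` and expects Doorkeeper to render the 403 itself. As a point of style, `head :forbidden` reads more clearly than the numeric status and matches the "403 forbidden" wording of the comment. The enclosing `Doorkeeper.configure do` block starts and ends outside the hunk.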

+ 83 - 0
spec/requests/disabled_oauth_endpoints_spec.rb

@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe 'Disabled OAuth routes' do
+  # These routes are disabled via the doorkeeper configuration for
+  # `admin_authenticator`, as these routes should only be accessible by server
+  # administrators. For now, these routes are not properly designed and
+  # integrated into Mastodon, so we're disabling them completely
+  describe 'GET /oauth/applications' do
+    it 'returns 403 forbidden' do
+      get oauth_applications_path
+
+      expect(response).to have_http_status(403)
+    end
+  end
+
+  describe 'POST /oauth/applications' do
+    it 'returns 403 forbidden' do
+      post oauth_applications_path
+
+      expect(response).to have_http_status(403)
+    end
+  end
+
+  describe 'GET /oauth/applications/new' do
+    it 'returns 403 forbidden' do
+      get new_oauth_application_path
+
+      expect(response).to have_http_status(403)
+    end
+  end
+
+  describe 'GET /oauth/applications/:id' do
+    let(:application) { Fabricate(:application, scopes: 'read') }
+
+    it 'returns 403 forbidden' do
+      get oauth_application_path(application)
+
+      expect(response).to have_http_status(403)
+    end
+  end
+
+  describe 'PATCH /oauth/applications/:id' do
+    let(:application) { Fabricate(:application, scopes: 'read') }
+
+    it 'returns 403 forbidden' do
+      patch oauth_application_path(application)
+
+      expect(response).to have_http_status(403)
+    end
+  end
+
+  describe 'PUT /oauth/applications/:id' do
+    let(:application) { Fabricate(:application, scopes: 'read') }
+
+    it 'returns 403 forbidden' do
+      put oauth_application_path(application)
+
+      expect(response).to have_http_status(403)
+    end
+  end
+
+  describe 'DELETE /oauth/applications/:id' do
+    let(:application) { Fabricate(:application, scopes: 'read') }
+
+    it 'returns 403 forbidden' do
+      delete oauth_application_path(application)
+
+      expect(response).to have_http_status(403)
+    end
+  end
+
+  describe 'GET /oauth/applications/:id/edit' do
+    let(:application) { Fabricate(:application, scopes: 'read') }
+
+    it 'returns 403 forbidden' do
+      get edit_oauth_application_path(application)
+
+      expect(response).to have_http_status(403)
+    end
+  end
+end
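Review bot: Every example sends an unauthenticated request, so the spec never exercises the property the commit actually changes — that an administrator is now refused as well, rather than being let through by `current_user&.admin?` as before. A second context per route that signs in an admin user (for example `before { sign_in admin_user }` with `let(:admin_user)` built from the project's admin role fixture) and still expects 403 would pin that behaviour and catch a future reversal. The seven repeated `let(:application) { Fabricate(:application, scopes: 'read') }` declarations could be hoisted once to the outer `describe`, since every `:id` example builds the same record. The comment at the top says the change "does not affect the ability for users to manage their own OAuth Applications", but nothing in this spec asserts that the user-facing settings routes still respond, so that claim is presently untested here.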