closed-social
/
mastodon
3
0
Fork 2
Code Issues 5 Pull Requests 0 Projects 0 Releases 3 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7726 Commits
4 Branches
567 MiB
Tree: 22ce4778eb
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '22ce4778eb'
${ noResults }
mastodon/app/controllers/api/base_controller.rb

116 lines
3.3 KiB
Raw Normal View History

Fix rubocop issues, introduce usage of frozen literal to improve performance
7 years ago
Clean up for api/base controller (#3629) * Move ApiController to Api/BaseController * API controllers inherit from Api::BaseController * Add coverage for various error cases in api/base controller
7 years ago
API pagination for all collections using Link header
7 years ago
Coverage improvement and concern extraction for rate limit headers in API controller (#3625) * Coverage for rate limit headers * Move rate limit headers methods to concern * Move throttle check to condition on before_action * Move match_data variable into method * Move utc timestamp to separate method * Move header setting into smaller methods * specs cleanup
7 years ago
Do not store last visited URL from API controllers (#1330) Sign-in redirects you back to last visited URL, but in case of API requests, this sometimes redirected users to an API URL that, of course, greeted them with an {"error":"The access token is invalid"}
7 years ago
Change unconfirmed user login behaviour (#11375) Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign up, login users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
4 years ago
Allow mods to disable login, improve message when login disabled (#8329) * Allow moderators to disable/enable login * Instead of rejecting login, show forbidden error when login disabled Avoid confusion because when login is rejected, the message is that the account is not activated, which is wrong. * Fix tests
5 years ago
Add whitelist mode (#11291)
4 years ago
Explicitly disable storage of REST API results (#10655) Fixes #10652
5 years ago
Refactor /api/web APIs to use the centralized axios instance (#6223) Also adds the ability to decouple the centralized axios logic from the state dispatcher
6 years ago
Adding doorkeeper, adding a REST API POST /api/statuses Params: status (text contents), in_reply_to_id (optional) GET /api/statuses/:id POST /api/statuses/:id/reblog GET /api/accounts/:id GET /api/accounts/:id/following GET /api/accounts/:id/followers POST /api/accounts/:id/follow POST /api/accounts/:id/unfollow POST /api/follows Params: uri (e.g. user@domain) OAuth authentication is currently disabled, but the API can be used with HTTP Auth.
8 years ago
Fix ActivityPub and REST API queries setting cookies and preventing caching (#11539) Regression from #8657
4 years ago
Add validation of media attachments, clean up mastodon-own exception classes
7 years ago
Meaningful validation errors in API response
7 years ago
The frontend will now be an OAuth app, auto-authorized. The frontend will use an access token for API requests Adding better errors for the API controllers, posting a simple status works from the frontend now
7 years ago
Fix webfinger retries (#4275) * Do not raise unretryable exceptions in ResolveRemoteAccountService * Removed fatal exceptions from ResolveRemoteAccountService Exceptions that cannot be retried should not be raised. New exception class for those that can be retried (Mastodon::UnexpectedResponseError)
6 years ago
Improved error handling for FollowRemoteService
7 years ago
Catching more exceptions that slipped through, removing AR logging from production as it's very verbose and not very useful
7 years ago
Add validation of media attachments, clean up mastodon-own exception classes
7 years ago
Add "locked" flag to accounts, prevent blocked users from following, force-unfollow blocked users
7 years ago
Fix uncaught parameter missing exceptions and missing error templates (#11702)
4 years ago
Better error message in doorkeeper json response
7 years ago
Adding OAuth access scopes, fixing OAuth authorization UI, adding rate limiting to the API
7 years ago
Adding doorkeeper, adding a REST API POST /api/statuses Params: status (text contents), in_reply_to_id (optional) GET /api/statuses/:id POST /api/statuses/:id/reblog GET /api/accounts/:id GET /api/accounts/:id/following GET /api/accounts/:id/followers POST /api/accounts/:id/follow POST /api/accounts/:id/unfollow POST /api/follows Params: uri (e.g. user@domain) OAuth authentication is currently disabled, but the API can be used with HTTP Auth.
8 years ago
API pagination for all collections using Link header
7 years ago
Fix rubocop issues, introduce usage of frozen literal to improve performance
7 years ago
Don't send Link header when don't know prev and next links (#4633)
6 years ago
API pagination for all collections using Link header
7 years ago
API now respects ?limit param as long as it's within 2x default limit
7 years ago
Support min_id-based pagination in REST API (#8736) * Allow min_id pagination in Feed#get * Add min_id pagination to home and list timeline APIs * Add min_id pagination to account statuses, public and tag APIs * Remove unused stub in reports API * Use min_id pagination in notifications, favourites, and fix order * Fix HomeFeed#from_database not using paginate_by_id
5 years ago
Adding doorkeeper, adding a REST API POST /api/statuses Params: status (text contents), in_reply_to_id (optional) GET /api/statuses/:id POST /api/statuses/:id/reblog GET /api/accounts/:id GET /api/accounts/:id/following GET /api/accounts/:id/followers POST /api/accounts/:id/follow POST /api/accounts/:id/unfollow POST /api/follows Params: uri (e.g. user@domain) OAuth authentication is currently disabled, but the API can be used with HTTP Auth.
8 years ago
Rename "publish" to "toot" in english locale, fix lightbox showing old image before loading new one, cache notifications API, fix missing follow button on public profiles
7 years ago
Adding doorkeeper, adding a REST API POST /api/statuses Params: status (text contents), in_reply_to_id (optional) GET /api/statuses/:id POST /api/statuses/:id/reblog GET /api/accounts/:id GET /api/accounts/:id/following GET /api/accounts/:id/followers POST /api/accounts/:id/follow POST /api/accounts/:id/unfollow POST /api/follows Params: uri (e.g. user@domain) OAuth authentication is currently disabled, but the API can be used with HTTP Auth.
8 years ago
Avoid dynamic methods due to processing speed (#2080)
7 years ago
Move timelines API from statuses to its own controller, add a check for resources that require a user context vs those that don't (such as public timeline) /api/v1/statuses/public -> /api/v1/timelines/public /api/v1/statuses/home -> /api/v1/timelines/home /api/v1/statuses/mentions -> /api/v1/timelines/mentions /api/v1/statuses/tag/:tag -> /api/v1/timelines/tag/:tag
7 years ago
Add whitelist mode (#11291)
4 years ago
Move timelines API from statuses to its own controller, add a check for resources that require a user context vs those that don't (such as public timeline) /api/v1/statuses/public -> /api/v1/timelines/public /api/v1/statuses/home -> /api/v1/timelines/home /api/v1/statuses/mentions -> /api/v1/timelines/mentions /api/v1/statuses/tag/:tag -> /api/v1/timelines/tag/:tag
7 years ago
Add error message with invalid email confirmation (#9625)
5 years ago
Disable API access when login is disabled (#7289)
6 years ago
Add error message with invalid email confirmation (#9625)
5 years ago
Admission-based registrations mode (#10250) Fix #6856 Fix #6951
5 years ago
Fix require_user! behavior when not logged in (#4604)
6 years ago
Add error message with invalid email confirmation (#9625)
5 years ago
Fix require_user! behavior when not logged in (#4604)
6 years ago
Adding doorkeeper, adding a REST API POST /api/statuses Params: status (text contents), in_reply_to_id (optional) GET /api/statuses/:id POST /api/statuses/:id/reblog GET /api/accounts/:id GET /api/accounts/:id/following GET /api/accounts/:id/followers POST /api/accounts/:id/follow POST /api/accounts/:id/unfollow POST /api/follows Params: uri (e.g. user@domain) OAuth authentication is currently disabled, but the API can be used with HTTP Auth.
8 years ago
Replace logo, fix #57 - delete/unreblog/unfavourite API, fix #45 - app registration API
7 years ago
Add more granular OAuth scopes (#7929) * Add more granular OAuth scopes * Add human-readable descriptions of the new scopes * Ensure new scopes look good on the app UI * Add tests * Group scopes in screen and color-code dangerous ones * Fix wrong extra scope
5 years ago
Explicitly disable storage of REST API results (#10655) Fixes #10652
5 years ago
Add whitelist mode (#11291)
4 years ago
Fixing some bugs, adding pending test examples
8 years ago
 
  1. # frozen_string_literal: true
  2. 

  3. class Api::BaseController < ApplicationController
  4.   DEFAULT_STATUSES_LIMIT = 20

  5.   DEFAULT_ACCOUNTS_LIMIT = 40

  6. 

  7.   include RateLimitHeaders
  8. 

  9.   skip_before_action :store_current_location
  10.   skip_before_action :require_functional!
  11. 

  12.   before_action :require_authenticated_user!, if: :disallow_unauthenticated_api_access?
  13.   before_action :set_cache_headers
  14. 

  15.   protect_from_forgery with: :null_session
  16. 

  17.   skip_around_action :set_locale
  18. 

  19.   rescue_from ActiveRecord::RecordInvalid, Mastodon::ValidationError do |e|
  20.     render json: { error: e.to_s }, status: 422

  21.   end
  22. 

  23.   rescue_from ActiveRecord::RecordNotFound do
  24.     render json: { error: 'Record not found' }, status: 404

  25.   end
  26. 

  27.   rescue_from HTTP::Error, Mastodon::UnexpectedResponseError do
  28.     render json: { error: 'Remote data could not be fetched' }, status: 503

  29.   end
  30. 

  31.   rescue_from OpenSSL::SSL::SSLError do
  32.     render json: { error: 'Remote SSL certificate could not be verified' }, status: 503

  33.   end
  34. 

  35.   rescue_from Mastodon::NotPermittedError do
  36.     render json: { error: 'This action is not allowed' }, status: 403

  37.   end
  38. 

  39.   rescue_from Mastodon::RaceConditionError do
  40.     render json: { error: 'There was a temporary problem serving your request, please try again' }, status: 503

  41.   end
  42. 

  43.   rescue_from ActionController::ParameterMissing do |e|
  44.     render json: { error: e.to_s }, status: 400

  45.   end
  46. 

  47.   def doorkeeper_unauthorized_render_options(error: nil)
  48.     { json: { error: (error.try(:description) || 'Not authorized') } }
  49.   end
  50. 

  51.   def doorkeeper_forbidden_render_options(*)
  52.     { json: { error: 'This action is outside the authorized scopes' } }
  53.   end
  54. 

  55.   protected
  56. 

  57.   def set_pagination_headers(next_path = nil, prev_path = nil)
  58.     links = []
  59.     links << [next_path, [%w(rel next)]] if next_path
  60.     links << [prev_path, [%w(rel prev)]] if prev_path
  61.     response.headers['Link'] = LinkHeader.new(links) unless links.empty?
  62.   end
  63. 

  64.   def limit_param(default_limit)
  65.     return default_limit unless params[:limit]
  66.     [params[:limit].to_i.abs, default_limit * 2].min
  67.   end
  68. 

  69.   def params_slice(*keys)
  70.     params.slice(*keys).permit(*keys)
  71.   end
  72. 

  73.   def current_resource_owner
  74.     @current_user ||= User.find(doorkeeper_token.resource_owner_id) if doorkeeper_token
  75.   end
  76. 

  77.   def current_user
  78.     current_resource_owner || super
  79.   rescue ActiveRecord::RecordNotFound
  80.     nil
  81.   end
  82. 

  83.   def require_authenticated_user!
  84.     render json: { error: 'This API requires an authenticated user' }, status: 401 unless current_user
  85.   end
  86. 

  87.   def require_user!
  88.     if !current_user
  89.       render json: { error: 'This method requires an authenticated user' }, status: 422

  90.     elsif current_user.disabled?
  91.       render json: { error: 'Your login is currently disabled' }, status: 403

  92.     elsif !current_user.confirmed?
  93.       render json: { error: 'Your login is missing a confirmed e-mail address' }, status: 403

  94.     elsif !current_user.approved?
  95.       render json: { error: 'Your login is currently pending approval' }, status: 403

  96.     else
  97.       set_user_activity
  98.     end
  99.   end
  100. 

  101.   def render_empty
  102.     render json: {}, status: 200

  103.   end
  104. 

  105.   def authorize_if_got_token!(*scopes)
  106.     doorkeeper_authorize!(*scopes) if doorkeeper_token
  107.   end
  108. 

  109.   def set_cache_headers
  110.     response.headers['Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate'
  111.   end
  112. 

  113.   def disallow_unauthenticated_api_access?
  114.     authorized_fetch_mode?
  115.   end
  116. end