closed-social
/
mastodon
3
0
Fork 2
Code Issues 5 Pull Requests 0 Projects 0 Releases 3 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7542 Commits
4 Branches
567 MiB
Tree: 964ae8eee5
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '964ae8eee5'
${ noResults }
mastodon/app/controllers/api/base_controller.rb

97 lines
2.7 KiB
Raw Normal View History

Fix rubocop issues, introduce usage of frozen literal to improve performance
7 years ago
Clean up for api/base controller (#3629) * Move ApiController to Api/BaseController * API controllers inherit from Api::BaseController * Add coverage for various error cases in api/base controller
7 years ago
API pagination for all collections using Link header
7 years ago
Coverage improvement and concern extraction for rate limit headers in API controller (#3625) * Coverage for rate limit headers * Move rate limit headers methods to concern * Move throttle check to condition on before_action * Move match_data variable into method * Move utc timestamp to separate method * Move header setting into smaller methods * specs cleanup
7 years ago
Do not store last visited URL from API controllers (#1330) Sign-in redirects you back to last visited URL, but in case of API requests, this sometimes redirected users to an API URL that, of course, greeted them with an {"error":"The access token is invalid"}
7 years ago
Change unconfirmed user login behaviour (#11375) Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign up, login users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
4 years ago
Allow mods to disable login, improve message when login disabled (#8329) * Allow moderators to disable/enable login * Instead of rejecting login, show forbidden error when login disabled Avoid confusion because when login is rejected, the message is that the account is not activated, which is wrong. * Fix tests
5 years ago
Explicitly disable storage of REST API results (#10655) Fixes #10652
5 years ago
Refactor /api/web APIs to use the centralized axios instance (#6223) Also adds the ability to decouple the centralized axios logic from the state dispatcher
6 years ago
Adding doorkeeper, adding a REST API POST /api/statuses Params: status (text contents), in_reply_to_id (optional) GET /api/statuses/:id POST /api/statuses/:id/reblog GET /api/accounts/:id GET /api/accounts/:id/following GET /api/accounts/:id/followers POST /api/accounts/:id/follow POST /api/accounts/:id/unfollow POST /api/follows Params: uri (e.g. user@domain) OAuth authentication is currently disabled, but the API can be used with HTTP Auth.
8 years ago
Add validation of media attachments, clean up mastodon-own exception classes
7 years ago
Meaningful validation errors in API response
7 years ago
The frontend will now be an OAuth app, auto-authorized. The frontend will use an access token for API requests Adding better errors for the API controllers, posting a simple status works from the frontend now
7 years ago
Fix webfinger retries (#4275) * Do not raise unretryable exceptions in ResolveRemoteAccountService * Removed fatal exceptions from ResolveRemoteAccountService Exceptions that cannot be retried should not be raised. New exception class for those that can be retried (Mastodon::UnexpectedResponseError)
6 years ago
Improved error handling for FollowRemoteService
7 years ago
Catching more exceptions that slipped through, removing AR logging from production as it's very verbose and not very useful
7 years ago
Add validation of media attachments, clean up mastodon-own exception classes
7 years ago
Add "locked" flag to accounts, prevent blocked users from following, force-unfollow blocked users
7 years ago
Better error message in doorkeeper json response
7 years ago
Adding OAuth access scopes, fixing OAuth authorization UI, adding rate limiting to the API
7 years ago
Adding doorkeeper, adding a REST API POST /api/statuses Params: status (text contents), in_reply_to_id (optional) GET /api/statuses/:id POST /api/statuses/:id/reblog GET /api/accounts/:id GET /api/accounts/:id/following GET /api/accounts/:id/followers POST /api/accounts/:id/follow POST /api/accounts/:id/unfollow POST /api/follows Params: uri (e.g. user@domain) OAuth authentication is currently disabled, but the API can be used with HTTP Auth.
8 years ago
API pagination for all collections using Link header
7 years ago
Fix rubocop issues, introduce usage of frozen literal to improve performance
7 years ago
Don't send Link header when don't know prev and next links (#4633)
6 years ago
API pagination for all collections using Link header
7 years ago
API now respects ?limit param as long as it's within 2x default limit
7 years ago
Support min_id-based pagination in REST API (#8736) * Allow min_id pagination in Feed#get * Add min_id pagination to home and list timeline APIs * Add min_id pagination to account statuses, public and tag APIs * Remove unused stub in reports API * Use min_id pagination in notifications, favourites, and fix order * Fix HomeFeed#from_database not using paginate_by_id
5 years ago
Adding doorkeeper, adding a REST API POST /api/statuses Params: status (text contents), in_reply_to_id (optional) GET /api/statuses/:id POST /api/statuses/:id/reblog GET /api/accounts/:id GET /api/accounts/:id/following GET /api/accounts/:id/followers POST /api/accounts/:id/follow POST /api/accounts/:id/unfollow POST /api/follows Params: uri (e.g. user@domain) OAuth authentication is currently disabled, but the API can be used with HTTP Auth.
8 years ago
Rename "publish" to "toot" in english locale, fix lightbox showing old image before loading new one, cache notifications API, fix missing follow button on public profiles
7 years ago
Adding doorkeeper, adding a REST API POST /api/statuses Params: status (text contents), in_reply_to_id (optional) GET /api/statuses/:id POST /api/statuses/:id/reblog GET /api/accounts/:id GET /api/accounts/:id/following GET /api/accounts/:id/followers POST /api/accounts/:id/follow POST /api/accounts/:id/unfollow POST /api/follows Params: uri (e.g. user@domain) OAuth authentication is currently disabled, but the API can be used with HTTP Auth.
8 years ago
Avoid dynamic methods due to processing speed (#2080)
7 years ago
Move timelines API from statuses to its own controller, add a check for resources that require a user context vs those that don't (such as public timeline) /api/v1/statuses/public -> /api/v1/timelines/public /api/v1/statuses/home -> /api/v1/timelines/home /api/v1/statuses/mentions -> /api/v1/timelines/mentions /api/v1/statuses/tag/:tag -> /api/v1/timelines/tag/:tag
7 years ago
Add error message with invalid email confirmation (#9625)
5 years ago
Disable API access when login is disabled (#7289)
6 years ago
Add error message with invalid email confirmation (#9625)
5 years ago
Admission-based registrations mode (#10250) Fix #6856 Fix #6951
5 years ago
Fix require_user! behavior when not logged in (#4604)
6 years ago
Add error message with invalid email confirmation (#9625)
5 years ago
Fix require_user! behavior when not logged in (#4604)
6 years ago
Adding doorkeeper, adding a REST API POST /api/statuses Params: status (text contents), in_reply_to_id (optional) GET /api/statuses/:id POST /api/statuses/:id/reblog GET /api/accounts/:id GET /api/accounts/:id/following GET /api/accounts/:id/followers POST /api/accounts/:id/follow POST /api/accounts/:id/unfollow POST /api/follows Params: uri (e.g. user@domain) OAuth authentication is currently disabled, but the API can be used with HTTP Auth.
8 years ago
Replace logo, fix #57 - delete/unreblog/unfavourite API, fix #45 - app registration API
7 years ago
Add more granular OAuth scopes (#7929) * Add more granular OAuth scopes * Add human-readable descriptions of the new scopes * Ensure new scopes look good on the app UI * Add tests * Group scopes in screen and color-code dangerous ones * Fix wrong extra scope
5 years ago
Explicitly disable storage of REST API results (#10655) Fixes #10652
5 years ago
Fixing some bugs, adding pending test examples
8 years ago
 
  1. # frozen_string_literal: true
  2. 

  3. class Api::BaseController < ApplicationController
  4.   DEFAULT_STATUSES_LIMIT = 20

  5.   DEFAULT_ACCOUNTS_LIMIT = 40

  6. 

  7.   include RateLimitHeaders
  8. 

  9.   skip_before_action :store_current_location
  10.   skip_before_action :require_functional!
  11. 

  12.   before_action :set_cache_headers
  13. 

  14.   protect_from_forgery with: :null_session
  15. 

  16.   rescue_from ActiveRecord::RecordInvalid, Mastodon::ValidationError do |e|
  17.     render json: { error: e.to_s }, status: 422

  18.   end
  19. 

  20.   rescue_from ActiveRecord::RecordNotFound do
  21.     render json: { error: 'Record not found' }, status: 404

  22.   end
  23. 

  24.   rescue_from HTTP::Error, Mastodon::UnexpectedResponseError do
  25.     render json: { error: 'Remote data could not be fetched' }, status: 503

  26.   end
  27. 

  28.   rescue_from OpenSSL::SSL::SSLError do
  29.     render json: { error: 'Remote SSL certificate could not be verified' }, status: 503

  30.   end
  31. 

  32.   rescue_from Mastodon::NotPermittedError do
  33.     render json: { error: 'This action is not allowed' }, status: 403

  34.   end
  35. 

  36.   def doorkeeper_unauthorized_render_options(error: nil)
  37.     { json: { error: (error.try(:description) || 'Not authorized') } }
  38.   end
  39. 

  40.   def doorkeeper_forbidden_render_options(*)
  41.     { json: { error: 'This action is outside the authorized scopes' } }
  42.   end
  43. 

  44.   protected
  45. 

  46.   def set_pagination_headers(next_path = nil, prev_path = nil)
  47.     links = []
  48.     links << [next_path, [%w(rel next)]] if next_path
  49.     links << [prev_path, [%w(rel prev)]] if prev_path
  50.     response.headers['Link'] = LinkHeader.new(links) unless links.empty?
  51.   end
  52. 

  53.   def limit_param(default_limit)
  54.     return default_limit unless params[:limit]
  55.     [params[:limit].to_i.abs, default_limit * 2].min
  56.   end
  57. 

  58.   def params_slice(*keys)
  59.     params.slice(*keys).permit(*keys)
  60.   end
  61. 

  62.   def current_resource_owner
  63.     @current_user ||= User.find(doorkeeper_token.resource_owner_id) if doorkeeper_token
  64.   end
  65. 

  66.   def current_user
  67.     current_resource_owner || super
  68.   rescue ActiveRecord::RecordNotFound
  69.     nil
  70.   end
  71. 

  72.   def require_user!
  73.     if !current_user
  74.       render json: { error: 'This method requires an authenticated user' }, status: 422

  75.     elsif current_user.disabled?
  76.       render json: { error: 'Your login is currently disabled' }, status: 403

  77.     elsif !current_user.confirmed?
  78.       render json: { error: 'Your login is missing a confirmed e-mail address' }, status: 403

  79.     elsif !current_user.approved?
  80.       render json: { error: 'Your login is currently pending approval' }, status: 403

  81.     else
  82.       set_user_activity
  83.     end
  84.   end
  85. 

  86.   def render_empty
  87.     render json: {}, status: 200

  88.   end
  89. 

  90.   def authorize_if_got_token!(*scopes)
  91.     doorkeeper_authorize!(*scopes) if doorkeeper_token
  92.   end
  93. 

  94.   def set_cache_headers
  95.     response.headers['Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate'
  96.   end
  97. end