Add oauth protection to admin domain blocks API

2024-11-22 06:21:27 +00:00 · 2024-03-30 00:16:06 +01:00 · 2024-03-30 00:16:06 +01:00 · 4afe72e62f
commit 4afe72e62f
parent feed580f51
4 changed files with 37 additions and 0 deletions
--- a/app/Http/Controllers/Api/V1/Admin/DomainBlocksController.php
+++ b/app/Http/Controllers/Api/V1/Admin/DomainBlocksController.php
@ -10,6 +10,12 @@ use App\Services\InstanceService;
 use App\Http\Resources\MastoApi\Admin\DomainBlockResource;

 class DomainBlocksController extends ApiController {
+
+  public function __construct() {
+    $this->middleware(['auth:api', 'api.admin', 'scope:admin:read,admin:read:domain_blocks'])->only(['index', 'show']);
+    $this->middleware(['auth:api', 'api.admin', 'scope:admin:write,admin:write:domain_blocks'])->only(['create', 'update', 'delete']);
+  }
+
  public function index(Request $request) {
    $this->validate($request, [
      'limit' => 'sometimes|integer|max:100|min:1',
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@ -54,6 +54,7 @@ class Kernel extends HttpKernel
     * @var array
     */
    protected $routeMiddleware = [
+        'api.admin'     => \App\Http\Middleware\Api\Admin::class,
        'admin'         => \App\Http\Middleware\Admin::class,
        'auth'          => \Illuminate\Auth\Middleware\Authenticate::class,
        'auth.basic'    => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
@ -68,6 +69,8 @@ class Kernel extends HttpKernel
        'twofactor'     => \App\Http\Middleware\TwoFactorAuth::class,
        'validemail'    => \App\Http\Middleware\EmailVerificationCheck::class,
        'interstitial'  => \App\Http\Middleware\AccountInterstitial::class,
+        'scopes'        => \Laravel\Passport\Http\Middleware\CheckScopes::class,
+        'scope'         => \Laravel\Passport\Http\Middleware\CheckForAnyScope::class,
        // 'restricted'    => \App\Http\Middleware\RestrictedAccess::class,
    ];
 }
--- a/app/Http/Middleware/Api/Admin.php
+++ b/app/Http/Middleware/Api/Admin.php
@ -0,0 +1,26 @@
+<?php
+
+namespace App\Http\Middleware\Api;
+
+use Auth;
+use Closure;
+
+class Admin
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param \Illuminate\Http\Request $request
+     * @param \Closure                 $next
+     *
+     * @return mixed
+     */
+    public function handle($request, Closure $next)
+    {
+        if (Auth::check() == false || Auth::user()->is_admin == false) {
+          return abort(403, "You must be an administrator to do that");
+        }
+
+        return $next($request);
+    }
+}
--- a/app/Providers/AuthServiceProvider.php
+++ b/app/Providers/AuthServiceProvider.php
@ -37,7 +37,9 @@ class AuthServiceProvider extends ServiceProvider
                'write' => 'Full write access to your account',
                'follow' => 'Ability to follow other profiles',
                'admin:read' => 'Read all data on the server',
+                'admin:read:domain_blocks' => 'Read sensitive information of all domain blocks',
                'admin:write' => 'Modify all data on the server',
+                'admin:write:domain_blocks' => 'Perform moderation actions on domain blocks',
                'push'  => 'Receive your push notifications'
            ]);