aiden
/
pixelfed
mirror of https://github.com/pixelfed/pixelfed
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update ApiV1Dot1Controller, fix in app registration bug that prevents proper auth flow due to missing oauth scopes

Browse Source
pull/5067/head
Daniel Supernault 2 years ago
parent aa94dde376
commit cbf996c9b6
No known key found for this signature in database
GPG Key ID: 23740873EE6F76A1
1 changed files with 888 additions and 880 deletions
Show Stats Download Patch File Download Diff File

330
app/Http/Controllers/Api/ApiV1Dot1Controller.php
Unescape Escape View File

@ -2,45 +2,41 @@
namespace App\Http\Controllers\Api; namespace App\Http\Controllers\Api;
use Cache;
use DB;
use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use League\Fractal;
use League\Fractal\Serializer\ArraySerializer;
use League\Fractal\Pagination\IlluminatePaginatorAdapter;
use App\AccountLog; use App\AccountLog;
use App\EmailVerification; use App\EmailVerification;
use App\Follower; use App\Http\Controllers\Controller;
use App\Http\Resources\StatusStateless;
use App\Jobs\ReportPipeline\ReportNotifyAdminViaEmail;
use App\Jobs\StatusPipeline\RemoteStatusDelete;
use App\Jobs\StatusPipeline\StatusDelete;
use App\Mail\ConfirmAppEmail;
use App\Mail\PasswordChange;
use App\Place; use App\Place;
use App\Status;
use App\Report;
use App\Profile; use App\Profile;
use App\StatusArchived; use App\Report;
use App\User;
use App\UserSetting;
use App\Services\AccountService; use App\Services\AccountService;
use App\Services\BouncerService;
use App\Services\EmailService;
use App\Services\FollowerService; use App\Services\FollowerService;
use App\Services\StatusService; use App\Services\NetworkTimelineService;
use App\Services\ProfileStatusService; use App\Services\ProfileStatusService;
use App\Services\LikeService;
use App\Services\ReblogService;
use App\Services\PublicTimelineService; use App\Services\PublicTimelineService;
use App\Services\NetworkTimelineService; use App\Services\StatusService;
use App\Status;
use App\StatusArchived;
use App\User;
use App\UserSetting;
use App\Util\Lexer\RestrictedNames; use App\Util\Lexer\RestrictedNames;
use App\Services\BouncerService; use Cache;
use App\Services\EmailService; use DB;
use Illuminate\Support\Str; use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash; use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Str;
use Jenssegers\Agent\Agent; use Jenssegers\Agent\Agent;
use League\Fractal;
use League\Fractal\Serializer\ArraySerializer;
use Mail; use Mail;
use App\Mail\PasswordChange;
use App\Mail\ConfirmAppEmail;
use App\Http\Resources\StatusStateless;
use App\Jobs\StatusPipeline\StatusDelete;
use App\Jobs\StatusPipeline\RemoteStatusDelete;
use App\Jobs\ReportPipeline\ReportNotifyAdminViaEmail;
use Illuminate\Support\Facades\RateLimiter;
class ApiV1Dot1Controller extends Controller class ApiV1Dot1Controller extends Controller
{ {
@ -60,21 +56,22 @@ class ApiV1Dot1Controller extends Controller
public function error($msg, $code = 400, $extra = [], $headers = []) public function error($msg, $code = 400, $extra = [], $headers = [])
{ {
$res = [ $res = [
"msg" => $msg, 'msg' => $msg,
"code" => $code 'code' => $code,
]; ];
return response()->json(array_merge($res, $extra), $code, $headers, JSON_UNESCAPED_SLASHES); return response()->json(array_merge($res, $extra), $code, $headers, JSON_UNESCAPED_SLASHES);
} }
public function report(Request $request) public function report(Request $request)
{ {
abort_if(!$request->user() || !$request->user()->token(), 403); abort_if(! $request->user() || ! $request->user()->token(), 403);
abort_unless($request->user()->tokenCan('write'), 403); abort_unless($request->user()->tokenCan('write'), 403);
$user = $request->user(); $user = $request->user();
abort_if($user->status != null, 403); abort_if($user->status != null, 403);
if(config('pixelfed.bouncer.cloud_ips.ban_signups')) { if (config('pixelfed.bouncer.cloud_ips.ban_signups')) {
abort_if(BouncerService::checkIp($request->ip()), 404); abort_if(BouncerService::checkIp($request->ip()), 404);
} }
@ -91,19 +88,19 @@ class ApiV1Dot1Controller extends Controller
'copyright', 'copyright',
'impersonation', 'impersonation',
'scam', 'scam',
'terrorism' 'terrorism',
]; ];
if (!$report_type || !$object_id || !$object_type) { if (! $report_type || ! $object_id || ! $object_type) {
return $this->error("Invalid or missing parameters", 400, ["error_code" => "ERROR_INVALID_PARAMS"]); return $this->error('Invalid or missing parameters', 400, ['error_code' => 'ERROR_INVALID_PARAMS']);
} }
if (!in_array($report_type, $types)) { if (! in_array($report_type, $types)) {
return $this->error("Invalid report type", 400, ["error_code" => "ERROR_TYPE_INVALID"]); return $this->error('Invalid report type', 400, ['error_code' => 'ERROR_TYPE_INVALID']);
} }
if ($object_type === "user" && $object_id == $user->profile_id) { if ($object_type === 'user' && $object_id == $user->profile_id) {
return $this->error("Cannot self report", 400, ["error_code" => "ERROR_NO_SELF_REPORTS"]); return $this->error('Cannot self report', 400, ['error_code' => 'ERROR_NO_SELF_REPORTS']);
} }
$rpid = null; $rpid = null;
@ -111,8 +108,8 @@ class ApiV1Dot1Controller extends Controller
switch ($object_type) { switch ($object_type) {
case 'post': case 'post':
$object = Status::find($object_id); $object = Status::find($object_id);
if (!$object) { if (! $object) {
return $this->error("Invalid object id", 400, ["error_code" => "ERROR_INVALID_OBJECT_ID"]); return $this->error('Invalid object id', 400, ['error_code' => 'ERROR_INVALID_OBJECT_ID']);
} }
$object_type = 'App\Status'; $object_type = 'App\Status';
$exists = Report::whereUserId($user->id) $exists = Report::whereUserId($user->id)
@ -125,8 +122,8 @@ class ApiV1Dot1Controller extends Controller
case 'user': case 'user':
$object = Profile::find($object_id); $object = Profile::find($object_id);
if (!$object) { if (! $object) {
return $this->error("Invalid object id", 400, ["error_code" => "ERROR_INVALID_OBJECT_ID"]); return $this->error('Invalid object id', 400, ['error_code' => 'ERROR_INVALID_OBJECT_ID']);
} }
$object_type = 'App\Profile'; $object_type = 'App\Profile';
$exists = Report::whereUserId($user->id) $exists = Report::whereUserId($user->id)
@ -137,16 +134,16 @@ class ApiV1Dot1Controller extends Controller
break; break;
default: default:
return $this->error("Invalid report type", 400, ["error_code" => "ERROR_REPORT_OBJECT_TYPE_INVALID"]); return $this->error('Invalid report type', 400, ['error_code' => 'ERROR_REPORT_OBJECT_TYPE_INVALID']);
break; break;
} }
if ($exists !== 0) { if ($exists !== 0) {
return $this->error("Duplicate report", 400, ["error_code" => "ERROR_REPORT_DUPLICATE"]); return $this->error('Duplicate report', 400, ['error_code' => 'ERROR_REPORT_DUPLICATE']);
} }
if ($object->profile_id == $user->profile_id) { if ($object->profile_id == $user->profile_id) {
return $this->error("Cannot self report", 400, ["error_code" => "ERROR_NO_SELF_REPORTS"]); return $this->error('Cannot self report', 400, ['error_code' => 'ERROR_NO_SELF_REPORTS']);
} }
$report = new Report; $report = new Report;
@ -158,14 +155,15 @@ class ApiV1Dot1Controller extends Controller
$report->type = $report_type; $report->type = $report_type;
$report->save(); $report->save();
if(config('instance.reports.email.enabled')) { if (config('instance.reports.email.enabled')) {
ReportNotifyAdminViaEmail::dispatch($report)->onQueue('default'); ReportNotifyAdminViaEmail::dispatch($report)->onQueue('default');
} }
$res = [ $res = [
"msg" => "Successfully sent report", 'msg' => 'Successfully sent report',
"code" => 200 'code' => 200,
]; ];
return $this->json($res); return $this->json($res);
} }
@ -176,33 +174,33 @@ class ApiV1Dot1Controller extends Controller
*/ */
public function deleteAvatar(Request $request) public function deleteAvatar(Request $request)
{ {
abort_if(!$request->user() || !$request->user()->token(), 403); abort_if(! $request->user() || ! $request->user()->token(), 403);
abort_unless($request->user()->tokenCan('write'), 403); abort_unless($request->user()->tokenCan('write'), 403);
$user = $request->user(); $user = $request->user();
abort_if($user->status != null, 403); abort_if($user->status != null, 403);
if(config('pixelfed.bouncer.cloud_ips.ban_signups')) { if (config('pixelfed.bouncer.cloud_ips.ban_signups')) {
abort_if(BouncerService::checkIp($request->ip()), 404); abort_if(BouncerService::checkIp($request->ip()), 404);
} }
$avatar = $user->profile->avatar; $avatar = $user->profile->avatar;
if( $avatar->media_path == 'public/avatars/default.png' || if ($avatar->media_path == 'public/avatars/default.png' ||
$avatar->media_path == 'public/avatars/default.jpg' $avatar->media_path == 'public/avatars/default.jpg'
) { ) {
return AccountService::get($user->profile_id); return AccountService::get($user->profile_id);
} }
if(is_file(storage_path('app/' . $avatar->media_path))) { if (is_file(storage_path('app/'.$avatar->media_path))) {
@unlink(storage_path('app/' . $avatar->media_path)); @unlink(storage_path('app/'.$avatar->media_path));
} }
$avatar->media_path = 'public/avatars/default.jpg'; $avatar->media_path = 'public/avatars/default.jpg';
$avatar->change_count = $avatar->change_count + 1; $avatar->change_count = $avatar->change_count + 1;
$avatar->save(); $avatar->save();
Cache::forget('avatar:' . $user->profile_id); Cache::forget('avatar:'.$user->profile_id);
Cache::forget("avatar:{$user->profile_id}"); Cache::forget("avatar:{$user->profile_id}");
Cache::forget('user:account:id:'.$user->id); Cache::forget('user:account:id:'.$user->id);
AccountService::del($user->profile_id); AccountService::del($user->profile_id);
@ -217,33 +215,33 @@ class ApiV1Dot1Controller extends Controller
*/ */
public function accountPosts(Request $request, $id) public function accountPosts(Request $request, $id)
{ {
abort_if(!$request->user() || !$request->user()->token(), 403); abort_if(! $request->user() || ! $request->user()->token(), 403);
abort_unless($request->user()->tokenCan('read'), 403); abort_unless($request->user()->tokenCan('read'), 403);
$user = $request->user(); $user = $request->user();
abort_if($user->status != null, 403); abort_if($user->status != null, 403);
if(config('pixelfed.bouncer.cloud_ips.ban_signups')) { if (config('pixelfed.bouncer.cloud_ips.ban_signups')) {
abort_if(BouncerService::checkIp($request->ip()), 404); abort_if(BouncerService::checkIp($request->ip()), 404);
} }
$account = AccountService::get($id); $account = AccountService::get($id);
if(!$account || $account['username'] !== $request->input('username')) { if (! $account || $account['username'] !== $request->input('username')) {
return $this->json([]); return $this->json([]);
} }
$posts = ProfileStatusService::get($id); $posts = ProfileStatusService::get($id);
if(!$posts) { if (! $posts) {
return $this->json([]); return $this->json([]);
} }
$res = collect($posts) $res = collect($posts)
->map(function($id) { ->map(function ($id) {
return StatusService::get($id); return StatusService::get($id);
}) })
->filter(function($post) { ->filter(function ($post) {
return $post && isset($post['account']); return $post && isset($post['account']);
}) })
->toArray(); ->toArray();
@ -258,21 +256,21 @@ class ApiV1Dot1Controller extends Controller
*/ */
public function accountChangePassword(Request $request) public function accountChangePassword(Request $request)
{ {
abort_if(!$request->user() || !$request->user()->token(), 403); abort_if(! $request->user() || ! $request->user()->token(), 403);
abort_unless($request->user()->tokenCan('write'), 403); abort_unless($request->user()->tokenCan('write'), 403);
$user = $request->user(); $user = $request->user();
abort_if($user->status != null, 403); abort_if($user->status != null, 403);
if(config('pixelfed.bouncer.cloud_ips.ban_signups')) { if (config('pixelfed.bouncer.cloud_ips.ban_signups')) {
abort_if(BouncerService::checkIp($request->ip()), 404); abort_if(BouncerService::checkIp($request->ip()), 404);
} }
$this->validate($request, [ $this->validate($request, [
'current_password' => 'bail|required|current_password', 'current_password' => 'bail|required|current_password',
'new_password' => 'required|min:' . config('pixelfed.min_password_length', 8), 'new_password' => 'required|min:'.config('pixelfed.min_password_length', 8),
'confirm_password' => 'required|same:new_password' 'confirm_password' => 'required|same:new_password',
],[ ], [
'current_password' => 'The password you entered is incorrect' 'current_password' => 'The password you entered is incorrect',
]); ]);
$user->password = bcrypt($request->input('new_password')); $user->password = bcrypt($request->input('new_password'));
@ -301,12 +299,12 @@ class ApiV1Dot1Controller extends Controller
*/ */
public function accountLoginActivity(Request $request) public function accountLoginActivity(Request $request)
{ {
abort_if(!$request->user() || !$request->user()->token(), 403); abort_if(! $request->user() || ! $request->user()->token(), 403);
abort_unless($request->user()->tokenCan('read'), 403); abort_unless($request->user()->tokenCan('read'), 403);
$user = $request->user(); $user = $request->user();
abort_if($user->status != null, 403); abort_if($user->status != null, 403);
if(config('pixelfed.bouncer.cloud_ips.ban_signups')) { if (config('pixelfed.bouncer.cloud_ips.ban_signups')) {
abort_if(BouncerService::checkIp($request->ip()), 404); abort_if(BouncerService::checkIp($request->ip()), 404);
} }
$agent = new Agent(); $agent = new Agent();
@ -318,8 +316,9 @@ class ApiV1Dot1Controller extends Controller
->groupBy('ip_address') ->groupBy('ip_address')
->limit(10) ->limit(10)
->get() ->get()
->map(function($item) use($agent, $currentIp) { ->map(function ($item) use ($agent, $currentIp) {
$agent->setUserAgent($item->user_agent); $agent->setUserAgent($item->user_agent);
return [ return [
'id' => $item->id, 'id' => $item->id,
'action' => $item->action, 'action' => $item->action,
@ -329,7 +328,7 @@ class ApiV1Dot1Controller extends Controller
'device' => $agent->device(), 'device' => $agent->device(),
'browser' => $agent->browser(), 'browser' => $agent->browser(),
'platform' => $agent->platform(), 'platform' => $agent->platform(),
'created_at' => $item->created_at->format('c') 'created_at' => $item->created_at->format('c'),
]; ];
}); });
@ -343,20 +342,21 @@ class ApiV1Dot1Controller extends Controller
*/ */
public function accountTwoFactor(Request $request) public function accountTwoFactor(Request $request)
{ {
abort_if(!$request->user() || !$request->user()->token(), 403); abort_if(! $request->user() || ! $request->user()->token(), 403);
abort_unless($request->user()->tokenCan('read'), 403); abort_unless($request->user()->tokenCan('read'), 403);
$user = $request->user(); $user = $request->user();
abort_if($user->status != null, 403); abort_if($user->status != null, 403);
if(config('pixelfed.bouncer.cloud_ips.ban_signups')) { if (config('pixelfed.bouncer.cloud_ips.ban_signups')) {
abort_if(BouncerService::checkIp($request->ip()), 404); abort_if(BouncerService::checkIp($request->ip()), 404);
} }
$res = [ $res = [
'active' => (bool) $user->{'2fa_enabled'}, 'active' => (bool) $user->{'2fa_enabled'},
'setup_at' => $user->{'2fa_setup_at'} 'setup_at' => $user->{'2fa_setup_at'},
]; ];
return $this->json($res); return $this->json($res);
} }
@ -367,12 +367,12 @@ class ApiV1Dot1Controller extends Controller
*/ */
public function accountEmailsFromPixelfed(Request $request) public function accountEmailsFromPixelfed(Request $request)
{ {
abort_if(!$request->user() || !$request->user()->token(), 403); abort_if(! $request->user() || ! $request->user()->token(), 403);
abort_unless($request->user()->tokenCan('read'), 403); abort_unless($request->user()->tokenCan('read'), 403);
$user = $request->user(); $user = $request->user();
abort_if($user->status != null, 403); abort_if($user->status != null, 403);
if(config('pixelfed.bouncer.cloud_ips.ban_signups')) { if (config('pixelfed.bouncer.cloud_ips.ban_signups')) {
abort_if(BouncerService::checkIp($request->ip()), 404); abort_if(BouncerService::checkIp($request->ip()), 404);
} }
$from = config('mail.from.address'); $from = config('mail.from.address');
@ -382,13 +382,13 @@ class ApiV1Dot1Controller extends Controller
->where('created_at', '>', now()->subDays(14)) ->where('created_at', '>', now()->subDays(14))
->limit(10) ->limit(10)
->get() ->get()
->map(function($mail) use($user, $from) { ->map(function ($mail) use ($user, $from) {
return [ return [
'type' => 'Email Verification', 'type' => 'Email Verification',
'subject' => 'Confirm Email', 'subject' => 'Confirm Email',
'to_address' => $user->email, 'to_address' => $user->email,
'from_address' => $from, 'from_address' => $from,
'created_at' => str_replace('@', 'at', $mail->created_at->format('M j, Y @ g:i:s A')) 'created_at' => str_replace('@', 'at', $mail->created_at->format('M j, Y @ g:i:s A')),
]; ];
}) })
->toArray(); ->toArray();
@ -399,13 +399,13 @@ class ApiV1Dot1Controller extends Controller
->orderByDesc('created_at') ->orderByDesc('created_at')
->limit(10) ->limit(10)
->get() ->get()
->map(function($mail) use($user, $from) { ->map(function ($mail) use ($user, $from) {
return [ return [
'type' => 'Password Reset', 'type' => 'Password Reset',
'subject' => 'Reset Password Notification', 'subject' => 'Reset Password Notification',
'to_address' => $user->email, 'to_address' => $user->email,
'from_address' => $from, 'from_address' => $from,
'created_at' => str_replace('@', 'at', now()->parse($mail->created_at)->format('M j, Y @ g:i:s A')) 'created_at' => str_replace('@', 'at', now()->parse($mail->created_at)->format('M j, Y @ g:i:s A')),
]; ];
}) })
->toArray(); ->toArray();
@ -416,13 +416,13 @@ class ApiV1Dot1Controller extends Controller
->orderByDesc('created_at') ->orderByDesc('created_at')
->limit(10) ->limit(10)
->get() ->get()
->map(function($mail) use($user, $from) { ->map(function ($mail) use ($user, $from) {
return [ return [
'type' => 'Password Change', 'type' => 'Password Change',
'subject' => 'Password Change', 'subject' => 'Password Change',
'to_address' => $user->email, 'to_address' => $user->email,
'from_address' => $from, 'from_address' => $from,
'created_at' => str_replace('@', 'at', now()->parse($mail->created_at)->format('M j, Y @ g:i:s A')) 'created_at' => str_replace('@', 'at', now()->parse($mail->created_at)->format('M j, Y @ g:i:s A')),
]; ];
}) })
->toArray(); ->toArray();
@ -444,17 +444,17 @@ class ApiV1Dot1Controller extends Controller
*/ */
public function accountApps(Request $request) public function accountApps(Request $request)
{ {
abort_if(!$request->user() || !$request->user()->token(), 403); abort_if(! $request->user() || ! $request->user()->token(), 403);
abort_unless($request->user()->tokenCan('read'), 403); abort_unless($request->user()->tokenCan('read'), 403);
$user = $request->user(); $user = $request->user();
abort_if($user->status != null, 403); abort_if($user->status != null, 403);
if(config('pixelfed.bouncer.cloud_ips.ban_signups')) { if (config('pixelfed.bouncer.cloud_ips.ban_signups')) {
abort_if(BouncerService::checkIp($request->ip()), 404); abort_if(BouncerService::checkIp($request->ip()), 404);
} }
$res = $user->tokens->sortByDesc('created_at')->take(10)->map(function($token, $key) use($request) { $res = $user->tokens->sortByDesc('created_at')->take(10)->map(function ($token, $key) use ($request) {
return [ return [
'id' => $token->id, 'id' => $token->id,
'current_session' => $request->user()->token()->id == $token->id, 'current_session' => $request->user()->token()->id == $token->id,
@ -462,7 +462,7 @@ class ApiV1Dot1Controller extends Controller
'scopes' => $token->scopes, 'scopes' => $token->scopes,
'revoked' => $token->revoked, 'revoked' => $token->revoked,
'created_at' => str_replace('@', 'at', now()->parse($token->created_at)->format('M j, Y @ g:i:s A')), 'created_at' => str_replace('@', 'at', now()->parse($token->created_at)->format('M j, Y @ g:i:s A')),
'expires_at' => str_replace('@', 'at', now()->parse($token->expires_at)->format('M j, Y @ g:i:s A')) 'expires_at' => str_replace('@', 'at', now()->parse($token->expires_at)->format('M j, Y @ g:i:s A')),
]; ];
}); });
@ -483,12 +483,13 @@ class ApiV1Dot1Controller extends Controller
abort_unless((bool) config_cache('pixelfed.open_registration'), 404); abort_unless((bool) config_cache('pixelfed.open_registration'), 404);
abort_unless((bool) config_cache('pixelfed.allow_app_registration'), 404); abort_unless((bool) config_cache('pixelfed.allow_app_registration'), 404);
abort_unless($request->hasHeader('X-PIXELFED-APP'), 403); abort_unless($request->hasHeader('X-PIXELFED-APP'), 403);
if(config('pixelfed.bouncer.cloud_ips.ban_signups')) { if (config('pixelfed.bouncer.cloud_ips.ban_signups')) {
abort_if(BouncerService::checkIp($request->ip()), 404); abort_if(BouncerService::checkIp($request->ip()), 404);
} }
$rl = RateLimiter::attempt('pf:apiv1.1:iar:'.$request->ip(), config('pixelfed.app_registration_rate_limit_attempts', 3), function(){}, config('pixelfed.app_registration_rate_limit_decay', 1800)); $rl = RateLimiter::attempt('pf:apiv1.1:iar:'.$request->ip(), config('pixelfed.app_registration_rate_limit_attempts', 3), function () {
abort_if(!$rl, 400, 'Too many requests'); }, config('pixelfed.app_registration_rate_limit_decay', 1800));
abort_if(! $rl, 400, 'Too many requests');
$this->validate($request, [ $this->validate($request, [
'email' => [ 'email' => [
@ -499,7 +500,7 @@ class ApiV1Dot1Controller extends Controller
'unique:users', 'unique:users',
function ($attribute, $value, $fail) { function ($attribute, $value, $fail) {
$banned = EmailService::isBanned($value); $banned = EmailService::isBanned($value);
if($banned) { if ($banned) {
return $fail('Email is invalid.'); return $fail('Email is invalid.');
} }
}, },
@ -514,24 +515,24 @@ class ApiV1Dot1Controller extends Controller
$underscore = substr_count($value, '_'); $underscore = substr_count($value, '_');
$period = substr_count($value, '.'); $period = substr_count($value, '.');
if(ends_with($value, ['.php', '.js', '.css'])) { if (ends_with($value, ['.php', '.js', '.css'])) {
return $fail('Username is invalid.'); return $fail('Username is invalid.');
} }
if(($dash + $underscore + $period) > 1) { if (($dash + $underscore + $period) > 1) {
return $fail('Username is invalid. Can only contain one dash (-), period (.) or underscore (_).'); return $fail('Username is invalid. Can only contain one dash (-), period (.) or underscore (_).');
} }
if (!ctype_alnum($value[0])) { if (! ctype_alnum($value[0])) {
return $fail('Username is invalid. Must start with a letter or number.'); return $fail('Username is invalid. Must start with a letter or number.');
} }
if (!ctype_alnum($value[strlen($value) - 1])) { if (! ctype_alnum($value[strlen($value) - 1])) {
return $fail('Username is invalid. Must end with a letter or number.'); return $fail('Username is invalid. Must end with a letter or number.');
} }
$val = str_replace(['_', '.', '-'], '', $value); $val = str_replace(['_', '.', '-'], '', $value);
if(!ctype_alnum($val)) { if (! ctype_alnum($val)) {
return $fail('Username is invalid. Username must be alpha-numeric and may contain dashes (-), periods (.) and underscores (_).'); return $fail('Username is invalid. Username must be alpha-numeric and may contain dashes (-), periods (.) and underscores (_).');
} }
@ -548,7 +549,7 @@ class ApiV1Dot1Controller extends Controller
$username = $request->input('username'); $username = $request->input('username');
$password = $request->input('password'); $password = $request->input('password');
if(config('database.default') == 'pgsql') { if (config('database.default') == 'pgsql') {
$username = strtolower($username); $username = strtolower($username);
$email = strtolower($email); $email = strtolower($email);
} }
@ -575,9 +576,9 @@ class ApiV1Dot1Controller extends Controller
$params = http_build_query([ $params = http_build_query([
'ut' => $user->app_register_token, 'ut' => $user->app_register_token,
'rt' => $rtoken, 'rt' => $rtoken,
'ea' => base64_encode($user->email) 'ea' => base64_encode($user->email),
]); ]);
$appUrl = url('/api/v1.1/auth/iarer?'. $params); $appUrl = url('/api/v1.1/auth/iarer?'.$params);
Mail::to($user->email)->send(new ConfirmAppEmail($verify, $appUrl)); Mail::to($user->email)->send(new ConfirmAppEmail($verify, $appUrl));
@ -591,7 +592,7 @@ class ApiV1Dot1Controller extends Controller
$this->validate($request, [ $this->validate($request, [
'ut' => 'required', 'ut' => 'required',
'rt' => 'required', 'rt' => 'required',
'ea' => 'required' 'ea' => 'required',
]); ]);
$ut = $request->input('ut'); $ut = $request->input('ut');
$rt = $request->input('rt'); $rt = $request->input('rt');
@ -600,9 +601,10 @@ class ApiV1Dot1Controller extends Controller
'ut' => $ut, 'ut' => $ut,
'rt' => $rt, 'rt' => $rt,
'domain' => config('pixelfed.domain.app'), 'domain' => config('pixelfed.domain.app'),
'ea' => $ea 'ea' => $ea,
]); ]);
$url = 'pixelfed://confirm-account/'. $ut . '?' . $params; $url = 'pixelfed://confirm-account/'.$ut.'?'.$params;
return redirect()->away($url); return redirect()->away($url);
} }
@ -612,17 +614,18 @@ class ApiV1Dot1Controller extends Controller
abort_unless((bool) config_cache('pixelfed.open_registration'), 404); abort_unless((bool) config_cache('pixelfed.open_registration'), 404);
abort_unless((bool) config_cache('pixelfed.allow_app_registration'), 404); abort_unless((bool) config_cache('pixelfed.allow_app_registration'), 404);
abort_unless($request->hasHeader('X-PIXELFED-APP'), 403); abort_unless($request->hasHeader('X-PIXELFED-APP'), 403);
if(config('pixelfed.bouncer.cloud_ips.ban_signups')) { if (config('pixelfed.bouncer.cloud_ips.ban_signups')) {
abort_if(BouncerService::checkIp($request->ip()), 404); abort_if(BouncerService::checkIp($request->ip()), 404);
} }
$rl = RateLimiter::attempt('pf:apiv1.1:iarc:'.$request->ip(), config('pixelfed.app_registration_confirm_rate_limit_attempts', 20), function(){}, config('pixelfed.app_registration_confirm_rate_limit_decay', 1800)); $rl = RateLimiter::attempt('pf:apiv1.1:iarc:'.$request->ip(), config('pixelfed.app_registration_confirm_rate_limit_attempts', 20), function () {
abort_if(!$rl, 429, 'Too many requests'); }, config('pixelfed.app_registration_confirm_rate_limit_decay', 1800));
abort_if(! $rl, 429, 'Too many requests');
$this->validate($request, [ $request->validate([
'user_token' => 'required', 'user_token' => 'required',
'random_token' => 'required', 'random_token' => 'required',
'email' => 'required' 'email' => 'required',
]); ]);
$verify = EmailVerification::whereEmail($request->input('email')) $verify = EmailVerification::whereEmail($request->input('email'))
@ -630,12 +633,13 @@ class ApiV1Dot1Controller extends Controller
->whereRandomToken($request->input('random_token')) ->whereRandomToken($request->input('random_token'))
->first(); ->first();
if(!$verify) { if (! $verify) {
return response()->json(['error' => 'Invalid tokens'], 403); return response()->json(['error' => 'Invalid tokens'], 403);
} }
if($verify->created_at->lt(now()->subHours(24))) { if ($verify->created_at->lt(now()->subHours(24))) {
$verify->delete(); $verify->delete();
return response()->json(['error' => 'Invalid tokens'], 403); return response()->json(['error' => 'Invalid tokens'], 403);
} }
@ -644,19 +648,19 @@ class ApiV1Dot1Controller extends Controller
$user->last_active_at = now(); $user->last_active_at = now();
$user->save(); $user->save();
$token = $user->createToken('Pixelfed'); $token = $user->createToken('Pixelfed', ['read', 'write', 'follow', 'admin:read', 'admin:write', 'push']);
return response()->json([ return response()->json([
'access_token' => $token->accessToken 'access_token' => $token->accessToken,
]); ]);
} }
public function archive(Request $request, $id) public function archive(Request $request, $id)
{ {
abort_if(!$request->user() || !$request->user()->token(), 403); abort_if(! $request->user() || ! $request->user()->token(), 403);
abort_unless($request->user()->tokenCan('write'), 403); abort_unless($request->user()->tokenCan('write'), 403);
if(config('pixelfed.bouncer.cloud_ips.ban_signups')) { if (config('pixelfed.bouncer.cloud_ips.ban_signups')) {
abort_if(BouncerService::checkIp($request->ip()), 404); abort_if(BouncerService::checkIp($request->ip()), 404);
} }
@ -665,7 +669,7 @@ class ApiV1Dot1Controller extends Controller
->whereProfileId($request->user()->profile_id) ->whereProfileId($request->user()->profile_id)
->findOrFail($id); ->findOrFail($id);
if($status->scope === 'archived') { if ($status->scope === 'archived') {
return [200]; return [200];
} }
@ -686,10 +690,10 @@ class ApiV1Dot1Controller extends Controller
public function unarchive(Request $request, $id) public function unarchive(Request $request, $id)
{ {
abort_if(!$request->user() || !$request->user()->token(), 403); abort_if(! $request->user() || ! $request->user()->token(), 403);
abort_unless($request->user()->tokenCan('write'), 403); abort_unless($request->user()->tokenCan('write'), 403);
if(config('pixelfed.bouncer.cloud_ips.ban_signups')) { if (config('pixelfed.bouncer.cloud_ips.ban_signups')) {
abort_if(BouncerService::checkIp($request->ip()), 404); abort_if(BouncerService::checkIp($request->ip()), 404);
} }
@ -698,7 +702,7 @@ class ApiV1Dot1Controller extends Controller
->whereProfileId($request->user()->profile_id) ->whereProfileId($request->user()->profile_id)
->findOrFail($id); ->findOrFail($id);
if($status->scope !== 'archived') { if ($status->scope !== 'archived') {
return [200]; return [200];
} }
@ -718,10 +722,10 @@ class ApiV1Dot1Controller extends Controller
public function archivedPosts(Request $request) public function archivedPosts(Request $request)
{ {
abort_if(!$request->user() || !$request->user()->token(), 403); abort_if(! $request->user() || ! $request->user()->token(), 403);
abort_unless($request->user()->tokenCan('read'), 403); abort_unless($request->user()->tokenCan('read'), 403);
if(config('pixelfed.bouncer.cloud_ips.ban_signups')) { if (config('pixelfed.bouncer.cloud_ips.ban_signups')) {
abort_if(BouncerService::checkIp($request->ip()), 404); abort_if(BouncerService::checkIp($request->ip()), 404);
} }
@ -735,16 +739,16 @@ class ApiV1Dot1Controller extends Controller
public function placesById(Request $request, $id, $slug) public function placesById(Request $request, $id, $slug)
{ {
abort_if(!$request->user() || !$request->user()->token(), 403); abort_if(! $request->user() || ! $request->user()->token(), 403);
abort_unless($request->user()->tokenCan('read'), 403); abort_unless($request->user()->tokenCan('read'), 403);
if(config('pixelfed.bouncer.cloud_ips.ban_signups')) { if (config('pixelfed.bouncer.cloud_ips.ban_signups')) {
abort_if(BouncerService::checkIp($request->ip()), 404); abort_if(BouncerService::checkIp($request->ip()), 404);
} }
$place = Place::whereSlug($slug)->findOrFail($id); $place = Place::whereSlug($slug)->findOrFail($id);
$posts = Cache::remember('pf-api:v1.1:places-by-id:' . $place->id, 3600, function() use($place) { $posts = Cache::remember('pf-api:v1.1:places-by-id:'.$place->id, 3600, function () use ($place) {
return Status::wherePlaceId($place->id) return Status::wherePlaceId($place->id)
->whereNull('uri') ->whereNull('uri')
->whereScope('public') ->whereScope('public')
@ -753,63 +757,62 @@ class ApiV1Dot1Controller extends Controller
->pluck('id'); ->pluck('id');
}); });
$posts = $posts->map(function($id) { $posts = $posts->map(function ($id) {
return StatusService::get($id); return StatusService::get($id);
}) })
->filter() ->filter()
->values(); ->values();
return [ return [
'place' => 'place' => [
[
'id' => $place->id, 'id' => $place->id,
'name' => $place->name, 'name' => $place->name,
'slug' => $place->slug, 'slug' => $place->slug,
'country' => $place->country, 'country' => $place->country,
'lat' => $place->lat, 'lat' => $place->lat,
'long' => $place->long 'long' => $place->long,
], ],
'posts' => $posts]; 'posts' => $posts];
} }
public function moderatePost(Request $request, $id) public function moderatePost(Request $request, $id)
{ {
abort_if(!$request->user() || !$request->user()->token(), 403); abort_if(! $request->user() || ! $request->user()->token(), 403);
abort_if($request->user()->is_admin != true, 403); abort_if($request->user()->is_admin != true, 403);
abort_unless($request->user()->tokenCan('admin:write'), 403); abort_unless($request->user()->tokenCan('admin:write'), 403);
if(config('pixelfed.bouncer.cloud_ips.ban_signups')) { if (config('pixelfed.bouncer.cloud_ips.ban_signups')) {
abort_if(BouncerService::checkIp($request->ip()), 404); abort_if(BouncerService::checkIp($request->ip()), 404);
} }
$this->validate($request, [ $this->validate($request, [
'action' => 'required|in:cw,mark-public,mark-unlisted,mark-private,mark-spammer,delete' 'action' => 'required|in:cw,mark-public,mark-unlisted,mark-private,mark-spammer,delete',
]); ]);
$action = $request->input('action'); $action = $request->input('action');
$status = Status::find($id); $status = Status::find($id);
if(!$status) { if (! $status) {
return response()->json(['error' => 'Cannot find status'], 400); return response()->json(['error' => 'Cannot find status'], 400);
} }
if($status->uri == null) { if ($status->uri == null) {
if($status->profile->user && $status->profile->user->is_admin) { if ($status->profile->user && $status->profile->user->is_admin) {
return response()->json(['error' => 'Cannot moderate admin accounts'], 400); return response()->json(['error' => 'Cannot moderate admin accounts'], 400);
} }
} }
if($action == 'mark-spammer') { if ($action == 'mark-spammer') {
$status->profile->update([ $status->profile->update([
'unlisted' => true, 'unlisted' => true,
'cw' => true, 'cw' => true,
'no_autolink' => true 'no_autolink' => true,
]); ]);
Status::whereProfileId($status->profile_id) Status::whereProfileId($status->profile_id)
->get() ->get()
->each(function($s) { ->each(function ($s) {
if(in_array($s->scope, ['public', 'unlisted'])) { if (in_array($s->scope, ['public', 'unlisted'])) {
$s->scope = 'private'; $s->scope = 'private';
$s->visibility = 'private'; $s->visibility = 'private';
} }
@ -818,60 +821,61 @@ class ApiV1Dot1Controller extends Controller
StatusService::del($s->id, true); StatusService::del($s->id, true);
}); });
Cache::forget('pf:bouncer_v0:exemption_by_pid:' . $status->profile_id); Cache::forget('pf:bouncer_v0:exemption_by_pid:'.$status->profile_id);
Cache::forget('pf:bouncer_v0:recent_by_pid:' . $status->profile_id); Cache::forget('pf:bouncer_v0:recent_by_pid:'.$status->profile_id);
Cache::forget('admin-dash:reports:spam-count'); Cache::forget('admin-dash:reports:spam-count');
} else if ($action == 'cw') { } elseif ($action == 'cw') {
$state = $status->is_nsfw; $state = $status->is_nsfw;
$status->is_nsfw = !$state; $status->is_nsfw = ! $state;
$status->save(); $status->save();
StatusService::del($status->id); StatusService::del($status->id);
} else if ($action == 'mark-public') { } elseif ($action == 'mark-public') {
$state = $status->scope; $state = $status->scope;
$status->scope = 'public'; $status->scope = 'public';
$status->visibility = 'public'; $status->visibility = 'public';
$status->save(); $status->save();
StatusService::del($status->id, true); StatusService::del($status->id, true);
if($state !== 'public') { if ($state !== 'public') {
if($status->uri) { if ($status->uri) {
if($status->in_reply_to_id == null && $status->reblog_of_id == null) { if ($status->in_reply_to_id == null && $status->reblog_of_id == null) {
NetworkTimelineService::add($status->id); NetworkTimelineService::add($status->id);
} }
} else { } else {
if($status->in_reply_to_id == null && $status->reblog_of_id == null) { if ($status->in_reply_to_id == null && $status->reblog_of_id == null) {
PublicTimelineService::add($status->id); PublicTimelineService::add($status->id);
} }
} }
} }
} else if ($action == 'mark-unlisted') { } elseif ($action == 'mark-unlisted') {
$state = $status->scope; $state = $status->scope;
$status->scope = 'unlisted'; $status->scope = 'unlisted';
$status->visibility = 'unlisted'; $status->visibility = 'unlisted';
$status->save(); $status->save();
StatusService::del($status->id); StatusService::del($status->id);
if($state == 'public') { if ($state == 'public') {
PublicTimelineService::del($status->id); PublicTimelineService::del($status->id);
NetworkTimelineService::del($status->id); NetworkTimelineService::del($status->id);
} }
} else if ($action == 'mark-private') { } elseif ($action == 'mark-private') {
$state = $status->scope; $state = $status->scope;
$status->scope = 'private'; $status->scope = 'private';
$status->visibility = 'private'; $status->visibility = 'private';
$status->save(); $status->save();
StatusService::del($status->id); StatusService::del($status->id);
if($state == 'public') { if ($state == 'public') {
PublicTimelineService::del($status->id); PublicTimelineService::del($status->id);
NetworkTimelineService::del($status->id); NetworkTimelineService::del($status->id);
} }
} else if ($action == 'delete') { } elseif ($action == 'delete') {
PublicTimelineService::del($status->id); PublicTimelineService::del($status->id);
NetworkTimelineService::del($status->id); NetworkTimelineService::del($status->id);
Cache::forget('_api:statuses:recent_9:' . $status->profile_id); Cache::forget('_api:statuses:recent_9:'.$status->profile_id);
Cache::forget('profile:status_count:' . $status->profile_id); Cache::forget('profile:status_count:'.$status->profile_id);
Cache::forget('profile:embed:' . $status->profile_id); Cache::forget('profile:embed:'.$status->profile_id);
StatusService::del($status->id, true); StatusService::del($status->id, true);
Cache::forget('profile:status_count:'.$status->profile_id); Cache::forget('profile:status_count:'.$status->profile_id);
$status->uri ? RemoteStatusDelete::dispatch($status) : StatusDelete::dispatch($status); $status->uri ? RemoteStatusDelete::dispatch($status) : StatusDelete::dispatch($status);
return []; return [];
} }
@ -882,34 +886,35 @@ class ApiV1Dot1Controller extends Controller
public function getWebSettings(Request $request) public function getWebSettings(Request $request)
{ {
abort_if(!$request->user() || !$request->user()->token(), 403); abort_if(! $request->user() || ! $request->user()->token(), 403);
abort_unless($request->user()->tokenCan('read'), 403); abort_unless($request->user()->tokenCan('read'), 403);
$uid = $request->user()->id; $uid = $request->user()->id;
$settings = UserSetting::firstOrCreate([ $settings = UserSetting::firstOrCreate([
'user_id' => $uid 'user_id' => $uid,
]); ]);
if(!$settings->other) { if (! $settings->other) {
return []; return [];
} }
return $settings->other; return $settings->other;
} }
public function setWebSettings(Request $request) public function setWebSettings(Request $request)
{ {
abort_if(!$request->user() || !$request->user()->token(), 403); abort_if(! $request->user() || ! $request->user()->token(), 403);
abort_unless($request->user()->tokenCan('write'), 403); abort_unless($request->user()->tokenCan('write'), 403);
$this->validate($request, [ $this->validate($request, [
'field' => 'required|in:enable_reblogs,hide_reblog_banner', 'field' => 'required|in:enable_reblogs,hide_reblog_banner',
'value' => 'required' 'value' => 'required',
]); ]);
$field = $request->input('field'); $field = $request->input('field');
$value = $request->input('value'); $value = $request->input('value');
$settings = UserSetting::firstOrCreate([ $settings = UserSetting::firstOrCreate([
'user_id' => $request->user()->id 'user_id' => $request->user()->id,
]); ]);
if(!$settings->other) { if (! $settings->other) {
$other = []; $other = [];
} else { } else {
$other = $settings->other; $other = $settings->other;
@ -923,18 +928,21 @@ class ApiV1Dot1Controller extends Controller
public function getMutualAccounts(Request $request, $id) public function getMutualAccounts(Request $request, $id)
{ {
abort_if(!$request->user() || !$request->user()->token(), 403); abort_if(! $request->user() || ! $request->user()->token(), 403);
abort_unless($request->user()->tokenCan('follows'), 403); abort_unless($request->user()->tokenCan('follows'), 403);
$account = AccountService::get($id, true); $account = AccountService::get($id, true);
if(!$account || !isset($account['id'])) { return []; } if (! $account || ! isset($account['id'])) {
return [];
}
$res = collect(FollowerService::mutualAccounts($request->user()->profile_id, $id)) $res = collect(FollowerService::mutualAccounts($request->user()->profile_id, $id))
->map(function($accountId) { ->map(function ($accountId) {
return AccountService::get($accountId, true); return AccountService::get($accountId, true);
}) })
->filter() ->filter()
->take(24) ->take(24)
->values(); ->values();
return $this->json($res); return $this->json($res);
} }
} }

Write Preview
Loading…
Cancel
Save