techhub/mastodon
2
0
Fork 0
Code Activity

Merge commit from fork

Browse Source 
* Require read, read:statuses or read:notifications scope to access streaming APIs

* Add additional tests for scope-based channel access

We were missing tests in the affirmative for subscribing to the user:notification channel, this adds them
This commit is contained in:
Emelia Smith
2025-10-13 14:20:57 +02:00
committed by GitHub
parent 24dcb18013
commit 7e98fa9b47
2 changed files with 92 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

86
spec/system/streaming/channel_subscriptions_spec.rb
View File

@@ -1,7 +1,6 @@
# frozen_string_literal: true # frozen_string_literal: true
require 'rails_helper' require 'rails_helper'
require 'debug'
RSpec.describe 'Channel Subscriptions', :inline_jobs, :streaming do RSpec.describe 'Channel Subscriptions', :inline_jobs, :streaming do
let(:application) { Fabricate(:application, confidential: false) } let(:application) { Fabricate(:application, confidential: false) }
@@ -15,6 +14,25 @@ RSpec.describe 'Channel Subscriptions', :inline_jobs, :streaming do
streaming_client.close streaming_client.close
end end
context 'when the access token has insufficient scope to read statuses' do
let(:scopes) { 'profile' }
it 'cannot subscribe to the public:local channel' do
streaming_client.authenticate(access_token.token)
streaming_client.connect
streaming_client.subscribe('public:local')
# Receive the error back from the subscription attempt:
message = streaming_client.wait_for_message
expect(message).to include(
error: 'Access token does not have the required scopes',
status: 401
)
end
end
context 'when the access token has read scope' do context 'when the access token has read scope' do
let(:scopes) { 'read' } let(:scopes) { 'read' }
@@ -39,11 +57,52 @@ RSpec.describe 'Channel Subscriptions', :inline_jobs, :streaming do
) )
) )
end end
it 'can subscribing to the user:notifications channel' do
streaming_client.authenticate(access_token.token)
streaming_client.connect
streaming_client.subscribe('user:notification')
# We need to perform an action that triggers a notification as there is
# no positive acknowledgement of subscriptions:
first_status = PostStatusService.new.call(user_account, text: 'Test')
ReblogService.new.call(bob_account, first_status)
message = streaming_client.wait_for_message
expect(message).to include(
event: 'notification',
stream: ['user:notification']
)
end
end end
context 'when the access token cannot read notifications' do context 'when the access token has read:statuses scope' do
let(:scopes) { 'read:statuses' } let(:scopes) { 'read:statuses' }
it 'can subscribing to the public:local channel' do
streaming_client.authenticate(access_token.token)
streaming_client.connect
streaming_client.subscribe('public:local')
# We need to publish a status as there is no positive acknowledgement of
# subscriptions:
status = PostStatusService.new.call(bob_account, text: 'Hello @alice')
# And then we want to receive that status:
message = streaming_client.wait_for_message
expect(message).to include(
stream: be_an(Array).and(contain_exactly('public:local')),
event: 'update',
payload: include(
id: status.id.to_s
)
)
end
it 'cannot subscribing to the user:notifications channel' do it 'cannot subscribing to the user:notifications channel' do
streaming_client.authenticate(access_token.token) streaming_client.authenticate(access_token.token)
@@ -59,4 +118,27 @@ RSpec.describe 'Channel Subscriptions', :inline_jobs, :streaming do
) )
end end
end end
context 'when the access token has read:notifications scope' do
let(:scopes) { 'read:notifications' }
it 'can subscribing to the user:notifications channel' do
streaming_client.authenticate(access_token.token)
streaming_client.connect
streaming_client.subscribe('user:notification')
# We need to perform an action that triggers a notification as there is
# no positive acknowledgement of subscriptions:
first_status = PostStatusService.new.call(user_account, text: 'Test')
ReblogService.new.call(bob_account, first_status)
message = streaming_client.wait_for_message
expect(message).to include(
event: 'notification',
stream: ['user:notification']
)
end
end
end end

26
streaming/index.js
View File

@@ -78,17 +78,6 @@ const parseJSON = (json, req) => {
} }
}; };
const PUBLIC_CHANNELS = [
'public',
'public:media',
'public:local',
'public:local:media',
'public:remote',
'public:remote:media',
'hashtag',
'hashtag:local',
];
// Used for priming the counters/gauges for the various metrics that are // Used for priming the counters/gauges for the various metrics that are
// per-channel // per-channel
const CHANNEL_NAMES = [ const CHANNEL_NAMES = [
@@ -97,7 +86,14 @@ const CHANNEL_NAMES = [
'user:notification', 'user:notification',
'list', 'list',
'direct', 'direct',
...PUBLIC_CHANNELS 'public',
'public:media',
'public:local',
'public:local:media',
'public:remote',
'public:remote:media',
'hashtag',
'hashtag:local',
]; ];
const startServer = async () => { const startServer = async () => {
@@ -434,12 +430,6 @@ const startServer = async () => {
const checkScopes = (req, logger, channelName) => new Promise((resolve, reject) => { const checkScopes = (req, logger, channelName) => new Promise((resolve, reject) => {
logger.debug(`Checking OAuth scopes for ${channelName}`); logger.debug(`Checking OAuth scopes for ${channelName}`);
// When accessing public channels, no scopes are needed
if (channelName && PUBLIC_CHANNELS.includes(channelName)) {
resolve();
return;
}
// The `read` scope has the highest priority, if the token has it // The `read` scope has the highest priority, if the token has it
// then it can access all streams // then it can access all streams
const requiredScopes = ['read']; const requiredScopes = ['read'];