Prevent only using offline_access scope

This commit is contained in:
Emelia Smith 2025-04-10 21:56:22 +02:00
parent 2250aead46
commit 7898619d74


@ -19,7 +19,13 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
end
def render_success
if skip_authorization? || (matching_token? && !truthy_param?('force_login'))
# FIXME: Find a better way to apply this validation: if the scopes only
# includes offline_access, then it's not valid, since offline_access doesn't
# actually give access to resources:
if pre_auth.scopes.all?('offline_access')
error = Doorkeeper::OAuth::InvalidRequestResponse.new(reason: :offline_access_only, missing_param: nil)
render :error, locals: { error_response: error }, status: 400
elsif skip_authorization? || (matching_token? && !truthy_param?('force_login'))
redirect_or_render authorize_response
elsif Doorkeeper.configuration.api_only
render json: pre_auth