gnh1201/mastodon
1
0
Fork 0
mirror of https://github.com/mastodon/mastodon.git synced 2025-12-11 17:52:42 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge commit from fork
Some checks are pending
Bundler Audit / security (push) Waiting to run
Details
Check i18n / check-i18n (push) Waiting to run
Details
Chromatic / Run Chromatic (push) Waiting to run
Details
CodeQL / Analyze (actions) (push) Waiting to run
Details
CodeQL / Analyze (javascript) (push) Waiting to run
Details
CodeQL / Analyze (ruby) (push) Waiting to run
Details
Check formatting / lint (push) Waiting to run
Details
Haml Linting / lint (push) Waiting to run
Details
JavaScript Linting / lint (push) Waiting to run
Details
Ruby Linting / lint (push) Waiting to run
Details
JavaScript Testing / test (push) Waiting to run
Details
Historical data migration test / test (14-alpine) (push) Waiting to run
Details
Historical data migration test / test (15-alpine) (push) Waiting to run
Details
Historical data migration test / test (16-alpine) (push) Waiting to run
Details
Historical data migration test / test (17-alpine) (push) Waiting to run
Details
Ruby Testing / build (production) (push) Waiting to run
Details
Ruby Testing / build (test) (push) Waiting to run
Details
Ruby Testing / test (.ruby-version) (push) Blocked by required conditions
Details
Ruby Testing / test (3.2) (push) Blocked by required conditions
Details
Ruby Testing / test (3.3) (push) Blocked by required conditions
Details
Ruby Testing / ImageMagick tests (.ruby-version) (push) Blocked by required conditions
Details
Ruby Testing / ImageMagick tests (3.2) (push) Blocked by required conditions
Details
Ruby Testing / ImageMagick tests (3.3) (push) Blocked by required conditions
Details
Ruby Testing / End to End testing (.ruby-version) (push) Blocked by required conditions
Details
Ruby Testing / End to End testing (3.2) (push) Blocked by required conditions
Details
Ruby Testing / End to End testing (3.3) (push) Blocked by required conditions
Details
Ruby Testing / Elastic Search integration testing (.ruby-version, docker.elastic.co/elasticsearch/elasticsearch:7.17.13) (push) Blocked by required conditions
Details
Ruby Testing / Elastic Search integration testing (.ruby-version, docker.elastic.co/elasticsearch/elasticsearch:8.10.2) (push) Blocked by required conditions
Details
Ruby Testing / Elastic Search integration testing (.ruby-version, opensearchproject/opensearch:2) (push) Blocked by required conditions
Details
Ruby Testing / Elastic Search integration testing (3.2, docker.elastic.co/elasticsearch/elasticsearch:7.17.13) (push) Blocked by required conditions
Details
Ruby Testing / Elastic Search integration testing (3.3, docker.elastic.co/elasticsearch/elasticsearch:7.17.13) (push) Blocked by required conditions
Details

Browse Source 
* Require read, read:statuses or read:notifications scope to access streaming APIs

* Add additional tests for scope-based channel access

We were missing tests in the affirmative for subscribing to the user:notification channel, this adds them
This commit is contained in:
Emelia Smith 2025-10-13 14:20:57 +02:00 committed by GitHub
parent 24dcb18013
commit 7e98fa9b47
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 92 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
spec/system/streaming/channel_subscriptions_spec.rb
View File

@ -1,7 +1,6 @@
# frozen_string_literal: true
require 'rails_helper'
require 'debug'
RSpec.describe 'Channel Subscriptions', :inline_jobs, :streaming do
let(:application) { Fabricate(:application, confidential: false) }
@ -15,6 +14,25 @@ RSpec.describe 'Channel Subscriptions', :inline_jobs, :streaming do
streaming_client.close
end
context 'when the access token has insufficient scope to read statuses' do
let(:scopes) { 'profile' }
it 'cannot subscribe to the public:local channel' do
streaming_client.authenticate(access_token.token)
streaming_client.connect
streaming_client.subscribe('public:local')
# Receive the error back from the subscription attempt:
message = streaming_client.wait_for_message
expect(message).to include(
error: 'Access token does not have the required scopes',
status: 401
)
end
end
context 'when the access token has read scope' do
let(:scopes) { 'read' }
@ -39,11 +57,52 @@ RSpec.describe 'Channel Subscriptions', :inline_jobs, :streaming do
)
)
end
it 'can subscribing to the user:notifications channel' do
streaming_client.authenticate(access_token.token)
streaming_client.connect
streaming_client.subscribe('user:notification')
# We need to perform an action that triggers a notification as there is
# no positive acknowledgement of subscriptions:
first_status = PostStatusService.new.call(user_account, text: 'Test')
ReblogService.new.call(bob_account, first_status)
message = streaming_client.wait_for_message
expect(message).to include(
event: 'notification',
stream: ['user:notification']
)
end
end
context 'when the access token cannot read notifications' do
context 'when the access token has read:statuses scope' do
let(:scopes) { 'read:statuses' }
it 'can subscribing to the public:local channel' do
streaming_client.authenticate(access_token.token)
streaming_client.connect
streaming_client.subscribe('public:local')
# We need to publish a status as there is no positive acknowledgement of
# subscriptions:
status = PostStatusService.new.call(bob_account, text: 'Hello @alice')
# And then we want to receive that status:
message = streaming_client.wait_for_message
expect(message).to include(
stream: be_an(Array).and(contain_exactly('public:local')),
event: 'update',
payload: include(
id: status.id.to_s
)
)
end
it 'cannot subscribing to the user:notifications channel' do
streaming_client.authenticate(access_token.token)
@ -59,4 +118,27 @@ RSpec.describe 'Channel Subscriptions', :inline_jobs, :streaming do
)
end
end
context 'when the access token has read:notifications scope' do
let(:scopes) { 'read:notifications' }
it 'can subscribing to the user:notifications channel' do
streaming_client.authenticate(access_token.token)
streaming_client.connect
streaming_client.subscribe('user:notification')
# We need to perform an action that triggers a notification as there is
# no positive acknowledgement of subscriptions:
first_status = PostStatusService.new.call(user_account, text: 'Test')
ReblogService.new.call(bob_account, first_status)
message = streaming_client.wait_for_message
expect(message).to include(
event: 'notification',
stream: ['user:notification']
)
end
end
end

26
streaming/index.js
View File

@ -78,17 +78,6 @@ const parseJSON = (json, req) => {
}
};
const PUBLIC_CHANNELS = [
'public',
'public:media',
'public:local',
'public:local:media',
'public:remote',
'public:remote:media',
'hashtag',
'hashtag:local',
];
// Used for priming the counters/gauges for the various metrics that are
// per-channel
const CHANNEL_NAMES = [
@ -97,7 +86,14 @@ const CHANNEL_NAMES = [
'user:notification',
'list',
'direct',
...PUBLIC_CHANNELS
'public',
'public:media',
'public:local',
'public:local:media',
'public:remote',
'public:remote:media',
'hashtag',
'hashtag:local',
];
const startServer = async () => {
@ -434,12 +430,6 @@ const startServer = async () => {
const checkScopes = (req, logger, channelName) => new Promise((resolve, reject) => {
logger.debug(`Checking OAuth scopes for ${channelName}`);
// When accessing public channels, no scopes are needed
if (channelName && PUBLIC_CHANNELS.includes(channelName)) {
resolve();
return;
}
// The `read` scope has the highest priority, if the token has it
// then it can access all streams
const requiredScopes = ['read'];