Merge 77cf2abb3a into 3b52dca405

Previously these specs passed incorrect parameters to both the authorization_code
and client_credentials grant flows.

The authorization_code flow does not accept a `scope` parameter, instead the scope
is set when the access grant is created, per RFC 6749 Section 4.1.2. The `code`
parameter is accepted by this flow.

https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2

The client_credentials flow does not accept a `code` parameter, and instead accepts
a `scope` parameter, per RFC 6749 Section 4.4.1

https://www.rfc-editor.org/rfc/rfc6749#section-4.4.1

This ensures we're only testing valid oauth flows, and not deviating from the
specification. The OAuth flows should ignore any unknown parameters (i.e., passing
`code` to client_credentials would have no impact on the functionality, and this
would be asserted at the Doorkeeper level).

app/helpers/context_helper.rb

@@ -26,6 +26,12 @@ module ContextHelper
     suspended: { 'toot' => 'http://joinmastodon.org/ns#', 'suspended' => 'toot:suspended' },
     attribution_domains: { 'toot' => 'http://joinmastodon.org/ns#', 'attributionDomains' => { '@id' => 'toot:attributionDomains', '@type' => '@id' } },
     quote_requests: { 'QuoteRequest' => 'https://w3id.org/fep/044f#QuoteRequest' },
+    quotes: {
+      'quote' => 'https://w3id.org/fep/044f#quote',
+      'quoteUri' => 'http://fedibird.com/ns#quoteUri',
+      '_misskey_quote' => 'https://misskey-hub.net/ns#_misskey_quote',
+      'quoteAuthorization' => 'https://w3id.org/fep/044f#quoteAuthorization',
+    },
     interaction_policies: {
       'gts' => 'https://gotosocial.org/ns#',
       'interactionPolicy' => { '@id' => 'gts:interactionPolicy', '@type' => '@id' },

app/javascript/mastodon/components/account_bio.tsx

@@ -1,12 +1,30 @@
+import { useCallback } from 'react';
+
 import { useLinks } from 'mastodon/hooks/useLinks';
 
-export const AccountBio: React.FC<{
+interface AccountBioProps {
   note: string;
   className: string;
-}> = ({ note, className }) => {
-  const handleClick = useLinks();
+  dropdownAccountId?: string;
+}
 
-  if (note.length === 0 || note === '<p></p>') {
+export const AccountBio: React.FC<AccountBioProps> = ({
+  note,
+  className,
+  dropdownAccountId,
+}) => {
+  const handleClick = useLinks(!!dropdownAccountId);
+  const handleNodeChange = useCallback(
+    (node: HTMLDivElement | null) => {
+      if (!dropdownAccountId || !node || node.childNodes.length === 0) {
+        return;
+      }
+      addDropdownToHashtags(node, dropdownAccountId);
+    },
+    [dropdownAccountId],
+  );
+
+  if (note.length === 0) {
     return null;
   }
 
@@ -15,6 +33,28 @@ export const AccountBio: React.FC<{
       className={`${className} translate`}
       dangerouslySetInnerHTML={{ __html: note }}
       onClickCapture={handleClick}
+      ref={handleNodeChange}
     />
   );
 };
+
+function addDropdownToHashtags(node: HTMLElement | null, accountId: string) {
+  if (!node) {
+    return;
+  }
+  for (const childNode of node.childNodes) {
+    if (!(childNode instanceof HTMLElement)) {
+      continue;
+    }
+    if (
+      childNode instanceof HTMLAnchorElement &&
+      (childNode.classList.contains('hashtag') ||
+        childNode.innerText.startsWith('#')) &&
+      !childNode.dataset.menuHashtag
+    ) {
+      childNode.dataset.menuHashtag = accountId;
+    } else if (childNode.childNodes.length > 0) {
+      addDropdownToHashtags(childNode, accountId);
+    }
+  }
+}

app/javascript/mastodon/features/account_timeline/components/account_header.tsx

@@ -6,6 +6,7 @@ import classNames from 'classnames';
 import { Helmet } from 'react-helmet';
 import { NavLink } from 'react-router-dom';
 
+import { AccountBio } from '@/mastodon/components/account_bio';
 import CheckIcon from '@/material-icons/400-24px/check.svg?react';
 import LockIcon from '@/material-icons/400-24px/lock.svg?react';
 import MoreHorizIcon from '@/material-icons/400-24px/more_horiz.svg?react';
@@ -773,7 +774,6 @@ export const AccountHeader: React.FC<{
     );
   }
 
-  const content = { __html: account.note_emojified };
   const displayNameHtml = { __html: account.display_name_html };
   const fields = account.fields;
   const isLocal = !account.acct.includes('@');
@@ -897,12 +897,11 @@ export const AccountHeader: React.FC<{
                   <AccountNote accountId={accountId} />
                 )}
 
-                {account.note.length > 0 && account.note !== '<p></p>' && (
-                  <div
-                    className='account__header__content translate'
-                    dangerouslySetInnerHTML={content}
-                  />
-                )}
+                <AccountBio
+                  note={account.note_emojified}
+                  dropdownAccountId={accountId}
+                  className='account__header__content'
+                />
 
                 <div className='account__header__fields'>
                   <dl>

app/javascript/mastodon/hooks/useLinks.ts

@@ -8,13 +8,14 @@ import { openURL } from 'mastodon/actions/search';
 import { useAppDispatch } from 'mastodon/store';
 
 const isMentionClick = (element: HTMLAnchorElement) =>
-  element.classList.contains('mention');
+  element.classList.contains('mention') &&
+  !element.classList.contains('hashtag');
 
 const isHashtagClick = (element: HTMLAnchorElement) =>
   element.textContent?.[0] === '#' ||
   element.previousSibling?.textContent?.endsWith('#');
 
-export const useLinks = () => {
+export const useLinks = (skipHashtags?: boolean) => {
   const history = useHistory();
   const dispatch = useAppDispatch();
 
@@ -61,12 +62,12 @@ export const useLinks = () => {
       if (isMentionClick(target)) {
         e.preventDefault();
         void handleMentionClick(target);
-      } else if (isHashtagClick(target)) {
+      } else if (isHashtagClick(target) && !skipHashtags) {
         e.preventDefault();
         handleHashtagClick(target);
       }
     },
-    [handleMentionClick, handleHashtagClick],
+    [skipHashtags, handleMentionClick, handleHashtagClick],
   );
 
   return handleClick;

app/javascript/mastodon/models/account.ts

@@ -126,6 +126,9 @@ export function createAccountFromServerJSON(serverJSON: ApiAccountJSON) {
       ? accountJSON.username
       : accountJSON.display_name;
 
+  const accountNote =
+    accountJSON.note && accountJSON.note !== '<p></p>' ? accountJSON.note : '';
+
   return AccountFactory({
     ...accountJSON,
     moved: moved?.id,
@@ -142,8 +145,8 @@ export function createAccountFromServerJSON(serverJSON: ApiAccountJSON) {
       escapeTextContentForBrowser(displayName),
       emojiMap,
     ),
-    note_emojified: emojify(accountJSON.note, emojiMap),
-    note_plain: unescapeHTML(accountJSON.note),
+    note_emojified: emojify(accountNote, emojiMap),
+    note_plain: unescapeHTML(accountNote),
     url:
       accountJSON.url.startsWith('http://') ||
       accountJSON.url.startsWith('https://')

spec/requests/oauth/token_spec.rb

@@ -5,32 +5,36 @@ require 'rails_helper'
 RSpec.describe 'Managing OAuth Tokens' do
   describe 'POST /oauth/token' do
     subject do
-      post '/oauth/token', params: params
+      post '/oauth/token', params: params, headers: headers
     end
 
     let(:application) do
       Fabricate(:application, scopes: 'read write follow', redirect_uri: 'urn:ietf:wg:oauth:2.0:oob')
     end
-    let(:params) do
+
+    # This is using the OAuth client_secret_basic client authentication method
+    let(:headers) do
       {
-        grant_type: grant_type,
-        client_id: application.uid,
-        client_secret: application.secret,
-        redirect_uri: 'urn:ietf:wg:oauth:2.0:oob',
-        code: code,
-        scope: scope,
+        Authorization: ActionController::HttpAuthentication::Basic.encode_credentials(application.uid, application.secret),
       }
     end
 
     context "with grant_type 'authorization_code'" do
-      let(:grant_type) { 'authorization_code' }
+      let(:params) do
+        {
+          grant_type: 'authorization_code',
+          redirect_uri: 'urn:ietf:wg:oauth:2.0:oob',
+          code: code,
+        }
+      end
+
       let(:code) do
         access_grant = Fabricate(:access_grant, application: application, redirect_uri: 'urn:ietf:wg:oauth:2.0:oob', scopes: 'read write')
         access_grant.plaintext_token
       end
 
       shared_examples 'original scope request preservation' do
-        it 'returns all scopes requested for the given code' do
+        it 'returns all scopes requested by the authorization code' do
           subject
 
           expect(response).to have_http_status(200)
@@ -38,36 +42,51 @@ RSpec.describe 'Managing OAuth Tokens' do
         end
       end
 
-      context 'with no scopes specified' do
-        let(:scope) { nil }
+      context 'with client authentication via params' do
+        let(:headers) { nil }
+        let(:params) do
+          {
+            grant_type: 'authorization_code',
+            redirect_uri: 'urn:ietf:wg:oauth:2.0:oob',
+            client_id: application.uid,
+            client_secret: application.secret,
+            code: code,
+          }
+        end
 
         it_behaves_like 'original scope request preservation'
       end
 
-      context 'with scopes specified' do
-        context 'when the scopes were requested for this code' do
-          let(:scope) { 'write' }
-
-          it_behaves_like 'original scope request preservation'
-        end
-
-        context 'when the scope was not requested for the code' do
-          let(:scope) { 'follow' }
-
-          it_behaves_like 'original scope request preservation'
-        end
-
-        context 'when the scope does not belong to the application' do
-          let(:scope) { 'push' }
-
-          it_behaves_like 'original scope request preservation'
-        end
-      end
+      it_behaves_like 'original scope request preservation'
     end
 
     context "with grant_type 'client_credentials'" do
-      let(:grant_type) { 'client_credentials' }
-      let(:code) { nil }
+      let(:scope) { nil }
+      let(:params) do
+        {
+          grant_type: 'client_credentials',
+          scope: scope,
+        }
+      end
+
+      context 'with client authentication via params' do
+        let(:headers) { nil }
+        let(:params) do
+          {
+            grant_type: 'client_credentials',
+            client_id: application.uid,
+            client_secret: application.secret,
+            scope: scope,
+          }
+        end
+
+        it 'returns only the default scope' do
+          subject
+
+          expect(response).to have_http_status(200)
+          expect(response.parsed_body[:scope]).to eq('read')
+        end
+      end
 
       context 'with no scopes specified' do
         let(:scope) { nil }
@@ -99,6 +118,7 @@ RSpec.describe 'Managing OAuth Tokens' do
             subject
 
             expect(response).to have_http_status(400)
+            expect(response.parsed_body[:error]).to eq 'invalid_scope'
           end
         end
       end