Implement proper OAuth authorization on Admin API endpoints

app/Http/Controllers/Api/AdminApiController.php

@@ -40,16 +40,20 @@ class AdminApiController extends Controller
 {
     public function supported(Request $request)
     {
-        abort_if(!$request->user(), 404);
+        abort_if(!$request->user() || !$request->user()->token(), 404);
+
         abort_unless($request->user()->is_admin == 1, 404);
+        abort_unless($request->user()->tokenCan('admin:read'), 404);
 
         return response()->json(['supported' => true]);
     }
 
     public function getStats(Request $request)
     {
-        abort_if(!$request->user(), 404);
+        abort_if(!$request->user() || !$request->user()->token(), 404);
+
         abort_unless($request->user()->is_admin == 1, 404);
+        abort_unless($request->user()->tokenCan('admin:read'), 404);
 
         $res = AdminStatsService::summary();
         $res['autospam_count'] = AccountInterstitial::whereType('post.autospam')
@@ -60,8 +64,10 @@ class AdminApiController extends Controller
 
     public function autospam(Request $request)
     {
-        abort_if(!$request->user(), 404);
+        abort_if(!$request->user() || !$request->user()->token(), 404);
+
         abort_unless($request->user()->is_admin == 1, 404);
+        abort_unless($request->user()->tokenCan('admin:read'), 404);
 
         $appeals = AccountInterstitial::whereType('post.autospam')
             ->whereNull('appeal_handled_at')
@@ -95,8 +101,10 @@ class AdminApiController extends Controller
 
     public function autospamHandle(Request $request)
     {
-        abort_if(!$request->user(), 404);
+        abort_if(!$request->user() || !$request->user()->token(), 404);
+
         abort_unless($request->user()->is_admin == 1, 404);
+        abort_unless($request->user()->tokenCan('admin:write'), 404);
 
         $this->validate($request, [
             'action' => 'required|in:dismiss,approve,dismiss-all,approve-all,delete-post,delete-account',
@@ -239,8 +247,10 @@ class AdminApiController extends Controller
 
     public function modReports(Request $request)
     {
-        abort_if(!$request->user(), 404);
+        abort_if(!$request->user() || !$request->user()->token(), 404);
+
         abort_unless($request->user()->is_admin == 1, 404);
+        abort_unless($request->user()->tokenCan('admin:read'), 404);
 
         $reports = Report::whereNull('admin_seen')
             ->orderBy('created_at','desc')
@@ -285,8 +295,10 @@ class AdminApiController extends Controller
 
     public function modReportHandle(Request $request)
     {
-        abort_if(!$request->user(), 404);
+        abort_if(!$request->user() || !$request->user()->token(), 404);
+
         abort_unless($request->user()->is_admin == 1, 404);
+        abort_unless($request->user()->tokenCan('admin:write'), 404);
 
         $this->validate($request, [
             'action'    => 'required|string',
@@ -343,8 +355,11 @@ class AdminApiController extends Controller
 
     public function getConfiguration(Request $request)
     {
-        abort_if(!$request->user(), 404);
+        abort_if(!$request->user() || !$request->user()->token(), 404);
+
         abort_unless($request->user()->is_admin == 1, 404);
+        abort_unless($request->user()->tokenCan('admin:read'), 404);
+
         abort_unless(config('instance.enable_cc'), 400);
 
         return collect([
@@ -386,8 +401,11 @@ class AdminApiController extends Controller
 
     public function updateConfiguration(Request $request)
     {
-        abort_if(!$request->user(), 404);
+        abort_if(!$request->user() || !$request->user()->token(), 404);
+
         abort_unless($request->user()->is_admin == 1, 404);
+        abort_unless($request->user()->tokenCan('admin:write'), 404);
+
         abort_unless(config('instance.enable_cc'), 400);
 
         $this->validate($request, [
@@ -448,8 +466,11 @@ class AdminApiController extends Controller
 
     public function getUsers(Request $request)
     {
-        abort_if(!$request->user(), 404);
+        abort_if(!$request->user() || !$request->user()->token(), 404);
+
         abort_unless($request->user()->is_admin == 1, 404);
+        abort_unless($request->user()->tokenCan('admin:read'), 404);
+
         $this->validate($request, [
             'sort' => 'sometimes|in:asc,desc',
         ]);
@@ -466,8 +487,10 @@ class AdminApiController extends Controller
 
     public function getUser(Request $request)
     {
-        abort_if(!$request->user(), 404);
+        abort_if(!$request->user() || !$request->user()->token(), 404);
+
         abort_unless($request->user()->is_admin == 1, 404);
+        abort_unless($request->user()->tokenCan('admin:read'), 404);
 
         $id = $request->input('user_id');
         $key = 'pf-admin-api:getUser:byId:' . $id;
@@ -497,8 +520,10 @@ class AdminApiController extends Controller
 
     public function userAdminAction(Request $request)
     {
-        abort_if(!$request->user(), 404);
+        abort_if(!$request->user() || !$request->user()->token(), 404);
+
         abort_unless($request->user()->is_admin == 1, 404);
+        abort_unless($request->user()->tokenCan('admin:write'), 404);
 
         $this->validate($request, [
             'id' => 'required',
@@ -669,8 +694,10 @@ class AdminApiController extends Controller
 
     public function instances(Request $request)
     {
-        abort_if(!$request->user(), 404);
+        abort_if(!$request->user() || !$request->user()->token(), 404);
+
         abort_unless($request->user()->is_admin == 1, 404);
+        abort_unless($request->user()->tokenCan('admin:write'), 404);
 
         $this->validate($request, [
             'q' => 'sometimes',
@@ -707,8 +734,10 @@ class AdminApiController extends Controller
 
     public function getInstance(Request $request)
     {
-        abort_if(!$request->user(), 404);
+        abort_if(!$request->user() || !$request->user()->token(), 404);
+
         abort_unless($request->user()->is_admin == 1, 404);
+        abort_unless($request->user()->tokenCan('admin:read'), 404);
 
         $id = $request->input('id');
         $res = Instance::findOrFail($id);
@@ -718,8 +747,10 @@ class AdminApiController extends Controller
 
     public function moderateInstance(Request $request)
     {
-        abort_if(!$request->user(), 404);
+        abort_if(!$request->user() || !$request->user()->token(), 404);
+
         abort_unless($request->user()->is_admin == 1, 404);
+        abort_unless($request->user()->tokenCan('admin:write'), 404);
 
         $this->validate($request, [
             'id' => 'required',
@@ -742,8 +773,10 @@ class AdminApiController extends Controller
 
     public function refreshInstanceStats(Request $request)
     {
-        abort_if(!$request->user(), 404);
+        abort_if(!$request->user() || !$request->user()->token(), 404);
+
         abort_unless($request->user()->is_admin == 1, 404);
+        abort_unless($request->user()->tokenCan('admin:write'), 404);
 
         $this->validate($request, [
             'id' => 'required',
@@ -760,8 +793,10 @@ class AdminApiController extends Controller
 
     public function getAllStats(Request $request)
     {
-        abort_if(!$request->user(), 404);
+        abort_if(!$request->user() || !$request->user()->token(), 404);
+
         abort_unless($request->user()->is_admin === 1, 404);
+        abort_unless($request->user()->tokenCan('admin:read'), 404);
 
         if($request->has('refresh')) {
             Cache::forget('admin-api:instance-all-stats-v1');

app/Http/Controllers/Api/ApiV1Dot1Controller.php

@@ -757,8 +757,9 @@ class ApiV1Dot1Controller extends Controller
 
 	public function moderatePost(Request $request, $id)
 	{
-		abort_if(!$request->user(), 403);
+		abort_if(!$request->user() || !$request->user()->token(), 403);
 		abort_if($request->user()->is_admin != true, 403);
+		abort_unless($request->user()->tokenCan('admin:write'), 403);
 
 		if(config('pixelfed.bouncer.cloud_ips.ban_signups')) {
 			abort_if(BouncerService::checkIp($request->ip()), 404);

app/Providers/AuthServiceProvider.php

@@ -41,7 +41,9 @@ class AuthServiceProvider extends ServiceProvider
                 'read' => 'Full read access to your account',
                 'write' => 'Full write access to your account',
                 'follow' => 'Ability to follow other profiles',
-                'push'  => ''
+                'admin:read' => 'Read all data on the server',
+                'admin:write' => 'Modify all data on the server',
+                'push'  => 'Receive your push notifications'
             ]);
         }