router: require oauth_read for searching
Search calls are generally expensive and allow unauthenticated users to crawl the instance for user profiles or posts which contain specified keywords. An adversary can build a distributed search engine which not only will consume significant instance resources, but also can be used for undesirable purposes such as datamining. Accordingly, require authenticated access to use the search API endpoints. This acts as a nice balance as it allows guest users to make use of most functionality available in Pleroma FE while ensuring that Pleroma instances are reasonably protected from resource exhaustion. It also removes Pleroma as a potential vector in distributed search engines.
This commit is contained in:
parent
26e7613824
commit
0159a6dbe9
@ -414,7 +414,12 @@ defmodule Pleroma.Web.Router do
|
|||||||
|
|
||||||
get("/trends", MastodonAPIController, :empty_array)
|
get("/trends", MastodonAPIController, :empty_array)
|
||||||
|
|
||||||
|
scope [] do
|
||||||
|
pipe_through(:oauth_read)
|
||||||
|
|
||||||
|
get("/search", MastodonAPIController, :search)
|
||||||
get("/accounts/search", MastodonAPIController, :account_search)
|
get("/accounts/search", MastodonAPIController, :account_search)
|
||||||
|
end
|
||||||
|
|
||||||
scope [] do
|
scope [] do
|
||||||
pipe_through(:oauth_read_or_public)
|
pipe_through(:oauth_read_or_public)
|
||||||
@ -431,14 +436,12 @@ defmodule Pleroma.Web.Router do
|
|||||||
get("/accounts/:id/following", MastodonAPIController, :following)
|
get("/accounts/:id/following", MastodonAPIController, :following)
|
||||||
get("/accounts/:id", MastodonAPIController, :user)
|
get("/accounts/:id", MastodonAPIController, :user)
|
||||||
|
|
||||||
get("/search", MastodonAPIController, :search)
|
|
||||||
|
|
||||||
get("/pleroma/accounts/:id/favourites", MastodonAPIController, :user_favourites)
|
get("/pleroma/accounts/:id/favourites", MastodonAPIController, :user_favourites)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
scope "/api/v2", Pleroma.Web.MastodonAPI do
|
scope "/api/v2", Pleroma.Web.MastodonAPI do
|
||||||
pipe_through([:api, :oauth_read_or_public])
|
pipe_through([:api, :oauth_read])
|
||||||
get("/search", MastodonAPIController, :search2)
|
get("/search", MastodonAPIController, :search2)
|
||||||
end
|
end
|
||||||
|
|
||||||
@ -480,9 +483,14 @@ defmodule Pleroma.Web.Router do
|
|||||||
get("/statuses/show/:id", TwitterAPI.Controller, :fetch_status)
|
get("/statuses/show/:id", TwitterAPI.Controller, :fetch_status)
|
||||||
get("/statusnet/conversation/:id", TwitterAPI.Controller, :fetch_conversation)
|
get("/statusnet/conversation/:id", TwitterAPI.Controller, :fetch_conversation)
|
||||||
|
|
||||||
get("/search", TwitterAPI.Controller, :search)
|
|
||||||
get("/statusnet/tags/timeline/:tag", TwitterAPI.Controller, :public_and_external_timeline)
|
get("/statusnet/tags/timeline/:tag", TwitterAPI.Controller, :public_and_external_timeline)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
scope [] do
|
||||||
|
pipe_through(:oauth_read)
|
||||||
|
|
||||||
|
get("/search", TwitterAPI.Controller, :search)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
scope "/api", Pleroma.Web do
|
scope "/api", Pleroma.Web do
|
||||||
@ -500,7 +508,7 @@ defmodule Pleroma.Web.Router do
|
|||||||
end
|
end
|
||||||
|
|
||||||
scope "/api", Pleroma.Web, as: :twitter_api_search do
|
scope "/api", Pleroma.Web, as: :twitter_api_search do
|
||||||
pipe_through([:api, :oauth_read_or_public])
|
pipe_through([:api, :oauth_read])
|
||||||
get("/pleroma/search_user", TwitterAPI.Controller, :search_user)
|
get("/pleroma/search_user", TwitterAPI.Controller, :search_user)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
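Review bot: The two new `scope [] do pipe_through(:oauth_read) … end` blocks (the Mastodon API one in the first hunk, the TwitterAPI one in the third) and the two `:oauth_read_or_public` → `:oauth_read` swaps only give the protection the description promises if the `:oauth_read` pipeline halts a request that carries no token at all, and that pipeline's definition is outside these hunks — a plain read-scope check with no ensure-authenticated plug behind it would still let anonymous clients through. Please confirm the pipeline rejects token-less requests and pin it with router tests asserting a 401/403 for unauthenticated `GET` on the Mastodon `/search` and `/accounts/search` routes, `/api/v2/search`, the TwitterAPI `/search` route and `/api/pleroma/search_user` (any existing tests that hit these without a token will need an authenticated conn). On instances with open registration this gate only raises the bar for the resource-exhaustion and datamining concern in the description, since any self-registered account satisfies `:oauth_read`; per-user rate limiting on the search actions would address that more directly. The enclosing `scope` blocks that the new nested scopes sit in begin before each hunk.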