2.4 KiB
This document contains notes and guidelines for Pleroma developers.
Authentication & Authorization
OAuth token-based authentication & authorization
-
Pleroma supports hierarchical OAuth scopes, just like Mastodon but with added granularity of admin scopes. For a reference, see Mastodon OAuth scopes.
-
It is important to either define OAuth scope restrictions or explicitly mark OAuth scope check as skipped, for every controller action. To define scopes, call
plug(Pleroma.Web.Plugs.OAuthScopesPlug, %{scopes: [...]})
. To explicitly set OAuth scopes check skipped, callplug(:skip_plug, Pleroma.Web.Plugs.OAuthScopesPlug <when ...>)
. -
In controllers,
use Pleroma.Web, :controller
will result inaction/2
(seePleroma.Web.controller/0
for definition) be called prior to actual controller action, and it'll perform security / privacy checks before passing control to actual controller action.For routes with
:authenticated_api
pipeline, authentication & authorization are expected, thusOAuthScopesPlug
will be run unless explicitly skipped (alsoEnsureAuthenticatedPlug
will be executed immediately before action even if there was an early run to give an early error, sinceOAuthScopesPlug
supports:proceed_unauthenticated
option, and other plugs may support similar options as well).For
:api
pipeline routes, it'll be verified whetherOAuthScopesPlug
was called or explicitly skipped, and if it was not then auth information will be dropped for request. ThenEnsurePublicOrAuthenticatedPlug
will be called to ensure that either the instance is not private or user is authenticated (unless explicitly skipped). Such automated checks help to prevent human errors and result in higher security / privacy for users.
HTTP Basic Authentication
- With HTTP Basic Auth, OAuth scopes check is not performed for any action (since password is provided during the auth, requester is able to obtain a token with full permissions anyways).
Pleroma.Plugs.AuthenticationPlug
andPleroma.Plugs.LegacyAuthenticationPlug
both callPleroma.Web.Plugs.OAuthScopesPlug.skip_plug(conn)
when password is provided.
Auth-related configuration, OAuth consumer mode etc.
See Authentication
section of the configuration cheatsheet.