[#1234] Merge remote-tracking branch 'remotes/upstream/develop' into 1234-mastodon-2-4-3-oauth-scopes

# Conflicts: # CHANGELOG.md # lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex # lib/pleroma/web/router.ex
2019-10-06 17:12:17 +03:00 · 2019-10-06 17:12:17 +03:00 · b93856874d
parent 06b3bb54c5
commit b93856874d
18 changed files with 186 additions and 249 deletions
--- a/lib/pleroma/web/activity_pub/activity_pub_controller.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@ -30,11 +30,6 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
    when action in [:activity, :object]
  )

-  plug(
-    Pleroma.Plugs.OAuthScopesPlug,
-    %{scopes: ["read:accounts"]} when action in [:followers, :following]
-  )
-
  plug(Pleroma.Web.FederatingPlug when action in [:inbox, :relay])
  plug(:set_requester_reachable when action in [:inbox])
  plug(:relay_active? when action in [:relay])
--- a/lib/pleroma/web/masto_fe_controller.ex
+++ b/lib/pleroma/web/masto_fe_controller.ex
@ -5,8 +5,20 @@
 defmodule Pleroma.Web.MastoFEController do
  use Pleroma.Web, :controller

+  alias Pleroma.Plugs.OAuthScopesPlug
  alias Pleroma.User

+  plug(OAuthScopesPlug, %{scopes: ["write:accounts"]} when action == :put_settings)
+
+  # Note: :index action handles attempt of unauthenticated access to private instance with redirect
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["read"], fallback: :proceed_unauthenticated, skip_instance_privacy_check: true}
+    when action == :index
+  )
+
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug when action != :index)
+
  @doc "GET /web/*path"
  def index(%{assigns: %{user: user}} = conn, _params) do
    token = get_session(conn, :oauth_token)
--- a/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
@ -36,6 +36,11 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do

  plug(OAuthScopesPlug, %{scopes: ["read:lists"]} when action == :lists)

+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["follow", "read:blocks"]} when action == :blocks
+  )
+
  plug(
    OAuthScopesPlug,
    %{scopes: ["follow", "write:blocks"]} when action in [:block, :unblock]
@ -43,11 +48,14 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do

  plug(OAuthScopesPlug, %{scopes: ["read:follows"]} when action == :relationships)

+  # Note: :follows (POST /api/v1/follows) is the same as :follow, consider removing :follows
  plug(
    OAuthScopesPlug,
-    %{scopes: ["follow", "write:follows"]} when action in [:follow, :unfollow]
+    %{scopes: ["follow", "write:follows"]} when action in [:follows, :follow, :unfollow]
  )

+  plug(OAuthScopesPlug, %{scopes: ["follow", "read:mutes"]} when action == :mutes)
+
  plug(OAuthScopesPlug, %{scopes: ["follow", "write:mutes"]} when action in [:mute, :unmute])

  plug(
--- a/lib/pleroma/web/mastodon_api/controllers/app_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/app_controller.ex
@ -5,6 +5,7 @@
 defmodule Pleroma.Web.MastodonAPI.AppController do
  use Pleroma.Web, :controller

+  alias Pleroma.Plugs.OAuthScopesPlug
  alias Pleroma.Repo
  alias Pleroma.Web.OAuth.App
  alias Pleroma.Web.OAuth.Scopes
@ -12,6 +13,8 @@ defmodule Pleroma.Web.MastodonAPI.AppController do

  action_fallback(Pleroma.Web.MastodonAPI.FallbackController)

+  plug(OAuthScopesPlug, %{scopes: ["read"]} when action == :verify_credentials)
+
  @local_mastodon_name "Mastodon-Local"

  @doc "POST /api/v1/apps"
--- a/lib/pleroma/web/mastodon_api/controllers/domain_block_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/domain_block_controller.ex
@ -18,6 +18,8 @@ defmodule Pleroma.Web.MastodonAPI.DomainBlockController do
    %{scopes: ["follow", "write:blocks"]} when action != :index
  )

+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
  @doc "GET /api/v1/domain_blocks"
  def index(%{assigns: %{user: %{info: info}}} = conn, _) do
    json(conn, Map.get(info, :domain_blocks, []))
--- a/lib/pleroma/web/mastodon_api/controllers/follow_request_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/follow_request_controller.ex
@ -21,6 +21,8 @@ defmodule Pleroma.Web.MastodonAPI.FollowRequestController do
    %{scopes: ["follow", "write:follows"]} when action != :index
  )

+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
  @doc "GET /api/v1/follow_requests"
  def index(%{assigns: %{user: followed}} = conn, _params) do
    follow_requests = User.get_follow_requests(followed)
--- a/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex
@ -7,69 +7,6 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do

  require Logger

-  alias Pleroma.Plugs.OAuthScopesPlug
-  @unauthenticated_access %{fallback: :proceed_unauthenticated, scopes: []}
-
-  # Note: :index action handles attempt of unauthenticated access to private instance with redirect
-  plug(
-    OAuthScopesPlug,
-    Map.merge(@unauthenticated_access, %{scopes: ["read"], skip_instance_privacy_check: true})
-    when action == :index
-  )
-
-  plug(
-    OAuthScopesPlug,
-    %{scopes: ["read"]} when action in [:suggestions, :verify_app_credentials]
-  )
-
-  plug(OAuthScopesPlug, %{scopes: ["write:accounts"]} when action == :put_settings)
-
-  plug(
-    OAuthScopesPlug,
-    %{@unauthenticated_access | scopes: ["read:statuses"]} when action == :get_poll
-  )
-
-  plug(OAuthScopesPlug, %{scopes: ["write:statuses"]} when action == :poll_vote)
-
-  plug(OAuthScopesPlug, %{scopes: ["read:favourites"]} when action == :favourites)
-
-  plug(OAuthScopesPlug, %{scopes: ["write:media"]} when action in [:upload, :update_media])
-
-  plug(
-    OAuthScopesPlug,
-    %{scopes: ["follow", "read:blocks"]} when action == :blocks
-  )
-
-  # To do: POST /api/v1/follows is not present in Mastodon; consider removing the action
-  plug(
-    OAuthScopesPlug,
-    %{scopes: ["follow", "write:follows"]} when action == :follows
-  )
-
-  plug(OAuthScopesPlug, %{scopes: ["follow", "read:mutes"]} when action == :mutes)
-
-  # Note: scope not present in Mastodon: read:bookmarks
-  plug(OAuthScopesPlug, %{scopes: ["read:bookmarks"]} when action == :bookmarks)
-
-  # An extra safety measure for possible actions not guarded by OAuth permissions specification
-  plug(
-    Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
-    when action not in [
-           :create_app,
-           :index,
-           :login,
-           :logout,
-           :password_reset,
-           :masto_instance,
-           :peers,
-           :custom_emojis
-         ]
-  )
-
-  plug(RateLimiter, :password_reset when action == :password_reset)
-
-  @local_mastodon_name "Mastodon-Local"
-
  action_fallback(Pleroma.Web.MastodonAPI.FallbackController)

  # Stubs for unimplemented mastodon api
--- a/lib/pleroma/web/mastodon_api/controllers/media_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/media_controller.ex
@ -6,12 +6,17 @@ defmodule Pleroma.Web.MastodonAPI.MediaController do
  use Pleroma.Web, :controller

  alias Pleroma.Object
+  alias Pleroma.Plugs.OAuthScopesPlug
  alias Pleroma.User
  alias Pleroma.Web.ActivityPub.ActivityPub

  action_fallback(Pleroma.Web.MastodonAPI.FallbackController)
  plug(:put_view, Pleroma.Web.MastodonAPI.StatusView)

+  plug(OAuthScopesPlug, %{scopes: ["write:media"]})
+
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
  @doc "POST /api/v1/media"
  def create(%{assigns: %{user: user}} = conn, %{"file" => file} = data) do
    with {:ok, object} <-
--- a/lib/pleroma/web/mastodon_api/controllers/notification_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/notification_controller.ex
@ -20,6 +20,8 @@ defmodule Pleroma.Web.MastodonAPI.NotificationController do

  plug(OAuthScopesPlug, %{scopes: ["write:notifications"]} when action not in @oauth_read_actions)

+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
  # GET /api/v1/notifications
  def index(%{assigns: %{user: user}} = conn, params) do
    notifications = MastodonAPI.get_notifications(user, params)
--- a/lib/pleroma/web/mastodon_api/controllers/poll_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/poll_controller.ex
@ -9,11 +9,21 @@ defmodule Pleroma.Web.MastodonAPI.PollController do

  alias Pleroma.Activity
  alias Pleroma.Object
+  alias Pleroma.Plugs.OAuthScopesPlug
  alias Pleroma.Web.ActivityPub.Visibility
  alias Pleroma.Web.CommonAPI

  action_fallback(Pleroma.Web.MastodonAPI.FallbackController)

+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["read:statuses"], fallback: :proceed_unauthenticated} when action == :show
+  )
+
+  plug(OAuthScopesPlug, %{scopes: ["write:statuses"]} when action == :vote)
+
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
  @doc "GET /api/v1/polls/:id"
  def show(%{assigns: %{user: user}} = conn, %{"id" => id}) do
    with %Object{} = object <- Object.get_by_id_and_maybe_refetch(id, interval: 60),
--- a/lib/pleroma/web/mastodon_api/controllers/report_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/report_controller.ex
@ -11,6 +11,8 @@ defmodule Pleroma.Web.MastodonAPI.ReportController do

  plug(OAuthScopesPlug, %{scopes: ["write:reports"]} when action == :create)

+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
  @doc "POST /api/v1/reports"
  def create(%{assigns: %{user: user}} = conn, params) do
    with {:ok, activity} <- Pleroma.Web.CommonAPI.report(user, params) do
--- a/lib/pleroma/web/mastodon_api/controllers/search_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/search_controller.ex
@ -20,6 +20,8 @@ defmodule Pleroma.Web.MastodonAPI.SearchController do
  # Note: Mastodon doesn't allow unauthenticated access (requires read:accounts / read:search)
  plug(OAuthScopesPlug, %{scopes: ["read:search"], fallback: :proceed_unauthenticated})

+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
  plug(RateLimiter, :search when action in [:search, :search2, :account_search])

  def account_search(%{assigns: %{user: user}} = conn, %{"q" => query} = params) do
--- a/lib/pleroma/web/mastodon_api/controllers/status_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/status_controller.ex
@ -47,6 +47,8 @@ defmodule Pleroma.Web.MastodonAPI.StatusController do
         ]
  )

+  plug(OAuthScopesPlug, %{scopes: ["read:favourites"]} when action == :favourites)
+
  plug(
    OAuthScopesPlug,
    %{scopes: ["write:favourites"]} when action in [:favourite, :unfavourite]
@ -65,6 +67,9 @@ defmodule Pleroma.Web.MastodonAPI.StatusController do

  plug(OAuthScopesPlug, %{scopes: ["write:accounts"]} when action in [:pin, :unpin])

+  # Note: scope not present in Mastodon: read:bookmarks
+  plug(OAuthScopesPlug, %{scopes: ["read:bookmarks"]} when action == :bookmarks)
+
  # Note: scope not present in Mastodon: write:bookmarks
  plug(
    OAuthScopesPlug,
--- a/lib/pleroma/web/mastodon_api/controllers/subscription_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/subscription_controller.ex
@ -14,6 +14,8 @@ defmodule Pleroma.Web.MastodonAPI.SubscriptionController do

  plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["push"]})

+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
  # Creates PushSubscription
  # POST /api/v1/push/subscription
  #
--- a/lib/pleroma/web/mastodon_api/controllers/suggestion_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/suggestion_controller.ex
@ -8,11 +8,16 @@ defmodule Pleroma.Web.MastodonAPI.SuggestionController do
  require Logger

  alias Pleroma.Config
+  alias Pleroma.Plugs.OAuthScopesPlug
  alias Pleroma.User
  alias Pleroma.Web.MediaProxy

  action_fallback(Pleroma.Web.MastodonAPI.FallbackController)

+  plug(OAuthScopesPlug, %{scopes: ["read"]} when action == :index)
+
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
  @doc "GET /api/v1/suggestions"
  def index(%{assigns: %{user: user}} = conn, _) do
    if Config.get([:suggestions, :enabled], false) do
--- a/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex
+++ b/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex
@ -1,8 +1,26 @@
 defmodule Pleroma.Web.PleromaAPI.EmojiAPIController do
  use Pleroma.Web, :controller

+  alias Pleroma.Plugs.OAuthScopesPlug
+
  require Logger

+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["write"]}
+    when action in [
+           :create,
+           :delete,
+           :download_from,
+           :list_from,
+           :import_from_fs,
+           :update_file,
+           :update_metadata
+         ]
+  )
+
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
  def emoji_dir_path do
    Path.join(
      Pleroma.Config.get!([:instance, :static_dir]),
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@ -87,31 +87,6 @@ defmodule Pleroma.Web.Router do
    plug(Pleroma.Plugs.EnsureUserKeyPlug)
  end

-  pipeline :oauth_read_or_public do
-    plug(Pleroma.Plugs.OAuthScopesPlug, %{
-      scopes: ["read"],
-      fallback: :proceed_unauthenticated
-    })
-
-    plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
-  end
-
-  pipeline :oauth_read do
-    plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["read"]})
-  end
-
-  pipeline :oauth_write do
-    plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["write"]})
-  end
-
-  pipeline :oauth_follow do
-    plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["follow"]})
-  end
-
-  pipeline :oauth_push do
-    plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["push"]})
-  end
-
  pipeline :well_known do
    plug(:accepts, ["json", "jrd+json", "xml", "xrd+xml"])
  end
@ -154,7 +129,7 @@ defmodule Pleroma.Web.Router do
  end

  scope "/api/pleroma/admin", Pleroma.Web.AdminAPI do
-    pipe_through([:admin_api, :oauth_write])
+    pipe_through(:admin_api)

    post("/users/follow", AdminAPIController, :user_follow)
    post("/users/unfollow", AdminAPIController, :user_unfollow)
@ -213,7 +188,7 @@ defmodule Pleroma.Web.Router do
  scope "/api/pleroma/emoji", Pleroma.Web.PleromaAPI do
    scope "/packs" do
      # Modifying packs
-      pipe_through([:admin_api, :oauth_write])
+      pipe_through(:admin_api)

      post("/import_from_fs", EmojiAPIController, :import_from_fs)

@ -238,31 +213,20 @@ defmodule Pleroma.Web.Router do
    post("/main/ostatus", UtilController, :remote_subscribe)
    get("/ostatus_subscribe", UtilController, :remote_follow)

-    scope [] do
-      pipe_through(:oauth_follow)
-      post("/ostatus_subscribe", UtilController, :do_remote_follow)
-    end
+    post("/ostatus_subscribe", UtilController, :do_remote_follow)
  end

  scope "/api/pleroma", Pleroma.Web.TwitterAPI do
    pipe_through(:authenticated_api)

-    scope [] do
-      pipe_through(:oauth_write)
+    post("/change_email", UtilController, :change_email)
+    post("/change_password", UtilController, :change_password)
+    post("/delete_account", UtilController, :delete_account)
+    put("/notification_settings", UtilController, :update_notificaton_settings)
+    post("/disable_account", UtilController, :disable_account)

-      post("/change_email", UtilController, :change_email)
-      post("/change_password", UtilController, :change_password)
-      post("/delete_account", UtilController, :delete_account)
-      put("/notification_settings", UtilController, :update_notificaton_settings)
-      post("/disable_account", UtilController, :disable_account)
-    end
-
-    scope [] do
-      pipe_through(:oauth_follow)
-
-      post("/blocks_import", UtilController, :blocks_import)
-      post("/follow_import", UtilController, :follow_import)
-    end
+    post("/blocks_import", UtilController, :blocks_import)
+    post("/follow_import", UtilController, :follow_import)
  end

  scope "/oauth", Pleroma.Web.OAuth do
@ -289,14 +253,14 @@ defmodule Pleroma.Web.Router do
  scope "/api/v1/pleroma", Pleroma.Web.PleromaAPI do
    scope [] do
      pipe_through(:authenticated_api)
-      pipe_through(:oauth_read)
+
      get("/conversations/:id/statuses", PleromaAPIController, :conversation_statuses)
      get("/conversations/:id", PleromaAPIController, :conversation)
    end

    scope [] do
      pipe_through(:authenticated_api)
-      pipe_through(:oauth_write)
+
      patch("/conversations/:id", PleromaAPIController, :update_conversation)
      post("/notifications/read", PleromaAPIController, :read_notification)

@ -312,13 +276,11 @@ defmodule Pleroma.Web.Router do

    scope [] do
      pipe_through(:api)
-      pipe_through(:oauth_read_or_public)
      get("/accounts/:id/favourites", AccountController, :favourites)
    end

    scope [] do
      pipe_through(:authenticated_api)
-      pipe_through(:oauth_follow)

      post("/accounts/:id/subscribe", AccountController, :subscribe)
      post("/accounts/:id/unsubscribe", AccountController, :unsubscribe)
@ -328,131 +290,114 @@ defmodule Pleroma.Web.Router do
  end

  scope "/api/v1/pleroma", Pleroma.Web.PleromaAPI do
-    pipe_through([:api, :oauth_read_or_public])
-
+    pipe_through(:api)
    get("/accounts/:id/scrobbles", ScrobbleController, :user_scrobbles)
  end

  scope "/api/v1", Pleroma.Web.MastodonAPI do
    pipe_through(:authenticated_api)

-    scope [] do
-      pipe_through(:oauth_read)
+    get("/accounts/verify_credentials", AccountController, :verify_credentials)

-      get("/accounts/verify_credentials", AccountController, :verify_credentials)
+    get("/accounts/relationships", AccountController, :relationships)

-      get("/accounts/relationships", AccountController, :relationships)
+    get("/accounts/:id/lists", AccountController, :lists)
+    get("/accounts/:id/identity_proofs", MastodonAPIController, :empty_array)

-      get("/accounts/:id/lists", AccountController, :lists)
-      get("/accounts/:id/identity_proofs", MastodonAPIController, :empty_array)
+    get("/follow_requests", FollowRequestController, :index)
+    get("/blocks", AccountController, :blocks)
+    get("/mutes", AccountController, :mutes)

-      get("/follow_requests", FollowRequestController, :index)
-      get("/blocks", AccountController, :blocks)
-      get("/mutes", AccountController, :mutes)
+    get("/timelines/home", TimelineController, :home)
+    get("/timelines/direct", TimelineController, :direct)

-      get("/timelines/home", TimelineController, :home)
-      get("/timelines/direct", TimelineController, :direct)
+    get("/favourites", StatusController, :favourites)
+    get("/bookmarks", StatusController, :bookmarks)

-      get("/favourites", StatusController, :favourites)
-      get("/bookmarks", StatusController, :bookmarks)
+    get("/notifications", NotificationController, :index)
+    get("/notifications/:id", NotificationController, :show)
+    post("/notifications/clear", NotificationController, :clear)
+    post("/notifications/dismiss", NotificationController, :dismiss)
+    delete("/notifications/destroy_multiple", NotificationController, :destroy_multiple)

-      get("/notifications", NotificationController, :index)
-      get("/notifications/:id", NotificationController, :show)
-      post("/notifications/clear", NotificationController, :clear)
-      post("/notifications/dismiss", NotificationController, :dismiss)
-      delete("/notifications/destroy_multiple", NotificationController, :destroy_multiple)
+    get("/scheduled_statuses", ScheduledActivityController, :index)
+    get("/scheduled_statuses/:id", ScheduledActivityController, :show)

-      get("/scheduled_statuses", ScheduledActivityController, :index)
-      get("/scheduled_statuses/:id", ScheduledActivityController, :show)
+    get("/lists", ListController, :index)
+    get("/lists/:id", ListController, :show)
+    get("/lists/:id/accounts", ListController, :list_accounts)

-      get("/lists", ListController, :index)
-      get("/lists/:id", ListController, :show)
-      get("/lists/:id/accounts", ListController, :list_accounts)
+    get("/domain_blocks", DomainBlockController, :index)

-      get("/domain_blocks", DomainBlockController, :index)
+    get("/filters", FilterController, :index)

-      get("/filters", FilterController, :index)
+    get("/suggestions", SuggestionController, :index)

-      get("/suggestions", SuggestionController, :index)
+    get("/conversations", ConversationController, :index)
+    post("/conversations/:id/read", ConversationController, :read)

-      get("/conversations", ConversationController, :index)
-      post("/conversations/:id/read", ConversationController, :read)
+    get("/endorsements", AccountController, :endorsements)

-      get("/endorsements", MastodonAPIController, :empty_array)
-    end
+    patch("/accounts/update_credentials", AccountController, :update_credentials)

-    scope [] do
-      pipe_through(:oauth_write)
+    post("/statuses", StatusController, :create)
+    delete("/statuses/:id", StatusController, :delete)

-      patch("/accounts/update_credentials", AccountController, :update_credentials)
+    post("/statuses/:id/reblog", StatusController, :reblog)
+    post("/statuses/:id/unreblog", StatusController, :unreblog)
+    post("/statuses/:id/favourite", StatusController, :favourite)
+    post("/statuses/:id/unfavourite", StatusController, :unfavourite)
+    post("/statuses/:id/pin", StatusController, :pin)
+    post("/statuses/:id/unpin", StatusController, :unpin)
+    post("/statuses/:id/bookmark", StatusController, :bookmark)
+    post("/statuses/:id/unbookmark", StatusController, :unbookmark)
+    post("/statuses/:id/mute", StatusController, :mute_conversation)
+    post("/statuses/:id/unmute", StatusController, :unmute_conversation)

-      post("/statuses", StatusController, :create)
-      delete("/statuses/:id", StatusController, :delete)
+    put("/scheduled_statuses/:id", ScheduledActivityController, :update)
+    delete("/scheduled_statuses/:id", ScheduledActivityController, :delete)

-      post("/statuses/:id/reblog", StatusController, :reblog)
-      post("/statuses/:id/unreblog", StatusController, :unreblog)
-      post("/statuses/:id/favourite", StatusController, :favourite)
-      post("/statuses/:id/unfavourite", StatusController, :unfavourite)
-      post("/statuses/:id/pin", StatusController, :pin)
-      post("/statuses/:id/unpin", StatusController, :unpin)
-      post("/statuses/:id/bookmark", StatusController, :bookmark)
-      post("/statuses/:id/unbookmark", StatusController, :unbookmark)
-      post("/statuses/:id/mute", StatusController, :mute_conversation)
-      post("/statuses/:id/unmute", StatusController, :unmute_conversation)
+    post("/polls/:id/votes", PollController, :vote)

-      put("/scheduled_statuses/:id", ScheduledActivityController, :update)
-      delete("/scheduled_statuses/:id", ScheduledActivityController, :delete)
+    post("/media", MediaController, :create)
+    put("/media/:id", MediaController, :update)

-      post("/polls/:id/votes", PollController, :vote)
+    delete("/lists/:id", ListController, :delete)
+    post("/lists", ListController, :create)
+    put("/lists/:id", ListController, :update)

-      post("/media", MediaController, :create)
-      put("/media/:id", MediaController, :update)
+    post("/lists/:id/accounts", ListController, :add_to_list)
+    delete("/lists/:id/accounts", ListController, :remove_from_list)

-      delete("/lists/:id", ListController, :delete)
-      post("/lists", ListController, :create)
-      put("/lists/:id", ListController, :update)
+    post("/filters", FilterController, :create)
+    get("/filters/:id", FilterController, :show)
+    put("/filters/:id", FilterController, :update)
+    delete("/filters/:id", FilterController, :delete)

-      post("/lists/:id/accounts", ListController, :add_to_list)
-      delete("/lists/:id/accounts", ListController, :remove_from_list)
+    post("/reports", ReportController, :create)

-      post("/filters", FilterController, :create)
-      get("/filters/:id", FilterController, :show)
-      put("/filters/:id", FilterController, :update)
-      delete("/filters/:id", FilterController, :delete)
+    post("/follows", AccountController, :follows)
+    post("/accounts/:id/follow", AccountController, :follow)
+    post("/accounts/:id/unfollow", AccountController, :unfollow)
+    post("/accounts/:id/block", AccountController, :block)
+    post("/accounts/:id/unblock", AccountController, :unblock)
+    post("/accounts/:id/mute", AccountController, :mute)
+    post("/accounts/:id/unmute", AccountController, :unmute)

-      post("/reports", ReportController, :create)
-    end
+    post("/follow_requests/:id/authorize", FollowRequestController, :authorize)
+    post("/follow_requests/:id/reject", FollowRequestController, :reject)

-    scope [] do
-      pipe_through(:oauth_follow)
+    post("/domain_blocks", DomainBlockController, :create)
+    delete("/domain_blocks", DomainBlockController, :delete)

-      post("/follows", AccountController, :follows)
-      post("/accounts/:id/follow", AccountController, :follow)
-      post("/accounts/:id/unfollow", AccountController, :unfollow)
-      post("/accounts/:id/block", AccountController, :block)
-      post("/accounts/:id/unblock", AccountController, :unblock)
-      post("/accounts/:id/mute", AccountController, :mute)
-      post("/accounts/:id/unmute", AccountController, :unmute)
-
-      post("/follow_requests/:id/authorize", FollowRequestController, :authorize)
-      post("/follow_requests/:id/reject", FollowRequestController, :reject)
-
-      post("/domain_blocks", DomainBlockController, :create)
-      delete("/domain_blocks", DomainBlockController, :delete)
-    end
-
-    scope [] do
-      pipe_through(:oauth_push)
-
-      post("/push/subscription", SubscriptionController, :create)
-      get("/push/subscription", SubscriptionController, :get)
-      put("/push/subscription", SubscriptionController, :update)
-      delete("/push/subscription", SubscriptionController, :delete)
-    end
+    post("/push/subscription", SubscriptionController, :create)
+    get("/push/subscription", SubscriptionController, :get)
+    put("/push/subscription", SubscriptionController, :update)
+    delete("/push/subscription", SubscriptionController, :delete)
  end

  scope "/api/web", Pleroma.Web do
-    pipe_through([:authenticated_api, :oauth_write])
+    pipe_through(:authenticated_api)

    put("/settings", MastoFEController, :put_settings)
  end
@ -477,30 +422,26 @@ defmodule Pleroma.Web.Router do

    get("/trends", MastodonAPIController, :empty_array)

-    scope [] do
-      pipe_through(:oauth_read_or_public)
+    get("/timelines/public", TimelineController, :public)
+    get("/timelines/tag/:tag", TimelineController, :hashtag)
+    get("/timelines/list/:list_id", TimelineController, :list)

-      get("/timelines/public", TimelineController, :public)
-      get("/timelines/tag/:tag", TimelineController, :hashtag)
-      get("/timelines/list/:list_id", TimelineController, :list)
+    get("/statuses", StatusController, :index)
+    get("/statuses/:id", StatusController, :show)
+    get("/statuses/:id/context", StatusController, :context)

-      get("/statuses", StatusController, :index)
-      get("/statuses/:id", StatusController, :show)
-      get("/statuses/:id/context", StatusController, :context)
+    get("/polls/:id", PollController, :show)

-      get("/polls/:id", PollController, :show)
+    get("/accounts/:id/statuses", AccountController, :statuses)
+    get("/accounts/:id/followers", AccountController, :followers)
+    get("/accounts/:id/following", AccountController, :following)
+    get("/accounts/:id", AccountController, :show)

-      get("/accounts/:id/statuses", AccountController, :statuses)
-      get("/accounts/:id/followers", AccountController, :followers)
-      get("/accounts/:id/following", AccountController, :following)
-      get("/accounts/:id", AccountController, :show)
-
-      get("/search", SearchController, :search)
-    end
+    get("/search", SearchController, :search)
  end

  scope "/api/v2", Pleroma.Web.MastodonAPI do
-    pipe_through([:api, :oauth_read_or_public])
+    pipe_through(:api)
    get("/search", SearchController, :search2)
  end

@ -531,11 +472,7 @@ defmodule Pleroma.Web.Router do
    get("/oauth_tokens", TwitterAPI.Controller, :oauth_tokens)
    delete("/oauth_tokens/:id", TwitterAPI.Controller, :revoke_token)

-    scope [] do
-      pipe_through(:oauth_read)
-
-      post("/qvitter/statuses/notifications/read", TwitterAPI.Controller, :notifications_read)
-    end
+    post("/qvitter/statuses/notifications/read", TwitterAPI.Controller, :notifications_read)
  end

  pipeline :ap_service_actor do
@ -599,23 +536,14 @@ defmodule Pleroma.Web.Router do
  scope "/", Pleroma.Web.ActivityPub do
    pipe_through([:activitypub_client])

-    scope [] do
-      pipe_through(:oauth_read)
-      get("/api/ap/whoami", ActivityPubController, :whoami)
-      get("/users/:nickname/inbox", ActivityPubController, :read_inbox)
-    end
+    get("/api/ap/whoami", ActivityPubController, :whoami)
+    get("/users/:nickname/inbox", ActivityPubController, :read_inbox)

-    scope [] do
-      pipe_through(:oauth_write)
-      post("/users/:nickname/outbox", ActivityPubController, :update_outbox)
-      post("/api/ap/upload_media", ActivityPubController, :upload_media)
-    end
+    post("/users/:nickname/outbox", ActivityPubController, :update_outbox)
+    post("/api/ap/upload_media", ActivityPubController, :upload_media)

-    scope [] do
-      pipe_through(:oauth_read_or_public)
-      get("/users/:nickname/followers", ActivityPubController, :followers)
-      get("/users/:nickname/following", ActivityPubController, :following)
-    end
+    get("/users/:nickname/followers", ActivityPubController, :followers)
+    get("/users/:nickname/following", ActivityPubController, :following)
  end

  scope "/", Pleroma.Web.ActivityPub do
@ -665,10 +593,7 @@ defmodule Pleroma.Web.Router do

    post("/auth/password", MastodonAPI.AuthController, :password_reset)

-    scope [] do
-      pipe_through(:oauth_read)
-      get("/web/*path", MastoFEController, :index)
-    end
+    get("/web/*path", MastoFEController, :index)
  end

  pipeline :remote_media do
--- a/lib/pleroma/web/twitter_api/controllers/util_controller.ex
+++ b/lib/pleroma/web/twitter_api/controllers/util_controller.ex
@ -39,6 +39,8 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do
         ]
  )

+  plug(OAuthScopesPlug, %{scopes: ["write:notifications"]} when action == :notifications_read)
+
  plug(Pleroma.Plugs.SetFormatPlug when action in [:config, :version])

  def help_test(conn, _params) do