Merge pull request #322 from cloudflare/sven/fix-post-deletion

add auth to status deletion

backend/src/middleware/main.ts

@@ -45,11 +45,12 @@ export async function main(context: EventContext<Env, any, any>) {
 		return new Response('', { headers })
 	}
 
-	const url = new URL(context.request.url)
+	const request = context.request
+	const url = new URL(request.url)
+
 	if (
 		url.pathname === '/oauth/token' ||
 		url.pathname === '/oauth/authorize' || // Cloudflare Access runs on /oauth/authorize
-		/^\/api\/v1\/statuses\/.*(?<!(reblog|favourite))$/.test(url.pathname) || // Unless private https://docs.joinmastodon.org/methods/statuses/#get
 		url.pathname === '/api/v1/instance' ||
 		url.pathname === '/api/v2/instance' ||
 		url.pathname === '/api/v1/instance/peers' ||
@@ -65,51 +66,55 @@ export async function main(context: EventContext<Env, any, any>) {
 		url.pathname.startsWith('/ap/') // all ActivityPub endpoints
 	) {
 		return context.next()
-	} else {
-		try {
-			const authorization = context.request.headers.get('Authorization') || ''
-			const token = authorization.replace('Bearer ', '')
+	}
 
-			if (token === '') {
-				return errors.notAuthorized('missing authorization')
-			}
+	if (/^\/api\/v1\/statuses\/.*(?<!(reblog|favourite))$/.test(url.pathname) && request.method === 'GET') {
+		return context.next()
+	}
 
-			const parts = token.split('.')
-			const [clientId, ...jwtParts] = parts
+	try {
+		const authorization = request.headers.get('Authorization') || ''
+		const token = authorization.replace('Bearer ', '')
 
-			const jwt = jwtParts.join('.')
-
-			const payload = access.getPayload(jwt)
-			if (!payload.email) {
-				return errors.notAuthorized('missing email')
-			}
-
-			// Load the user associated with the email in the payload *before*
-			// verifying the JWT validity.
-			// This is because loading the context will also load the access
-			// configuration, which are used to verify the JWT.
-			// TODO: since we don't load the instance configuration anymore, we
-			// don't need to load the user before anymore.
-			if (!(await loadContextData(context.env.DATABASE, clientId, payload.email, context))) {
-				return errors.notAuthorized('failed to load context data')
-			}
-
-			const validatate = access.generateValidator({
-				jwt,
-				domain: context.env.ACCESS_AUTH_DOMAIN,
-				aud: context.env.ACCESS_AUD,
-			})
-			await validatate(context.request)
-
-			const identity = await access.getIdentity({ jwt, domain: context.env.ACCESS_AUTH_DOMAIN })
-			if (!identity) {
-				return errors.notAuthorized('failed to load identity')
-			}
-
-			return context.next()
-		} catch (err: any) {
-			console.warn(err.stack)
-			return errors.notAuthorized('unknown error occurred')
+		if (token === '') {
+			return errors.notAuthorized('missing authorization')
 		}
+
+		const parts = token.split('.')
+		const [clientId, ...jwtParts] = parts
+
+		const jwt = jwtParts.join('.')
+
+		const payload = access.getPayload(jwt)
+		if (!payload.email) {
+			return errors.notAuthorized('missing email')
+		}
+
+		// Load the user associated with the email in the payload *before*
+		// verifying the JWT validity.
+		// This is because loading the context will also load the access
+		// configuration, which are used to verify the JWT.
+		// TODO: since we don't load the instance configuration anymore, we
+		// don't need to load the user before anymore.
+		if (!(await loadContextData(context.env.DATABASE, clientId, payload.email, context))) {
+			return errors.notAuthorized('failed to load context data')
+		}
+
+		const validatate = access.generateValidator({
+			jwt,
+			domain: context.env.ACCESS_AUTH_DOMAIN,
+			aud: context.env.ACCESS_AUD,
+		})
+		await validatate(request)
+
+		const identity = await access.getIdentity({ jwt, domain: context.env.ACCESS_AUTH_DOMAIN })
+		if (!identity) {
+			return errors.notAuthorized('failed to load identity')
+		}
+
+		return context.next()
+	} catch (err: any) {
+		console.warn(err.stack)
+		return errors.notAuthorized('unknown error occurred')
 	}
 }