Merge pull request #322 from cloudflare/sven/fix-post-deletion

add auth to status deletion
2023-02-20 16:43:18 +00:00 · 2023-02-20 16:43:18 +00:00 · 68bc935e1a
commit 68bc935e1a
--- a/backend/src/middleware/main.ts
+++ b/backend/src/middleware/main.ts
@ -45,11 +45,12 @@ export async function main(context: EventContext<Env, any, any>) {
 		return new Response('', { headers })
 	}

-	const url = new URL(context.request.url)
+	const request = context.request
+	const url = new URL(request.url)
+
 	if (
 		url.pathname === '/oauth/token' ||
 		url.pathname === '/oauth/authorize' || // Cloudflare Access runs on /oauth/authorize
-		/^\/api\/v1\/statuses\/.*(?<!(reblog|favourite))$/.test(url.pathname) || // Unless private https://docs.joinmastodon.org/methods/statuses/#get
 		url.pathname === '/api/v1/instance' ||
 		url.pathname === '/api/v2/instance' ||
 		url.pathname === '/api/v1/instance/peers' ||
@ -65,9 +66,14 @@ export async function main(context: EventContext<Env, any, any>) {
 		url.pathname.startsWith('/ap/') // all ActivityPub endpoints
 	) {
 		return context.next()
-	} else {
+	}
+
+	if (/^\/api\/v1\/statuses\/.*(?<!(reblog|favourite))$/.test(url.pathname) && request.method === 'GET') {
+		return context.next()
+	}
+
 	try {
-			const authorization = context.request.headers.get('Authorization') || ''
+		const authorization = request.headers.get('Authorization') || ''
 		const token = authorization.replace('Bearer ', '')

 		if (token === '') {
@ -99,7 +105,7 @@ export async function main(context: EventContext<Env, any, any>) {
 			domain: context.env.ACCESS_AUTH_DOMAIN,
 			aud: context.env.ACCESS_AUD,
 		})
-			await validatate(context.request)
+		await validatate(request)

 		const identity = await access.getIdentity({ jwt, domain: context.env.ACCESS_AUTH_DOMAIN })
 		if (!identity) {
@ -112,4 +118,3 @@ export async function main(context: EventContext<Env, any, any>) {
 		return errors.notAuthorized('unknown error occurred')
 	}
 }
-}