Merge pull request from GHSA-7pxq-6xx9-xpgm

* fix: fix improper authorization when accessing with third-party application * refactor: refactor type definitions * fix: get rid of unnecessary access limitation * enhance: サードパーティアプリケーションがWebsocket APIを使えるように * fix: add missing parentheses * Revert "fix(backend): add missing kind definition for admin endpoints to improve security" This reverts commit 5150053275. * frontend: 翻訳の抜けを訂正, read:adminとwrite:adminはアクセス発行トークンのデフォルトでは非表示にする * enhance(test): misskey-ghsa-7pxq-6xx9-xpgmに関するテストを追加 * enhance(test): Websocket APIに対するテストも追加 * enhance(refactor): `@/misc/api-permissions.ts`を`misskey-js/permissions`に統合 * fix(frontend): アクセストークン発行UIで全ての権限を有効にした際、管理者用APIへのアクセスも許可してしまう問題を修正 * enhance(backend): Websocketの接続に最低限必要な権限を変更 * fix(backend): `/api/admin/meta`をサードパーティアプリケーションからはアクセスできないように * fix(backend): エンドポイントにアクセスするために必要な権限を変更 * fix(frontend/locale): Add missing type declaration * chore: update `misskey-js/src/autogen` --------- Co-authored-by: tamaina <tamaina@hotmail.co.jp>
2023-12-27 15:08:59 +09:00
parent d87fecda7f
commit c96bc36fed
148 changed files with 797 additions and 581 deletions
--- a/packages/backend/test/e2e/streaming.ts
+++ b/packages/backend/test/e2e/streaming.ts
@@ -6,8 +6,9 @@
 process.env.NODE_ENV = 'test';

 import * as assert from 'assert';
+import { WebSocket } from 'ws';
 import { MiFollowing } from '@/models/Following.js';
-import { signup, api, post, startServer, initTestDb, waitFire } from '../utils.js';
+import { signup, api, post, startServer, initTestDb, waitFire, createAppToken, port } from '../utils.js';
 import type { INestApplicationContext } from '@nestjs/common';
 import type * as misskey from 'misskey-js';

@@ -560,6 +561,28 @@ describe('Streaming', () => {
 			});
 		});

+		test('Authentication', async () => {
+			const application = await createAppToken(ayano, []);
+			const application2 = await createAppToken(ayano, ['read:account']);
+			const socket = new WebSocket(`ws://127.0.0.1:${port}/streaming?i=${application}`);
+			const established = await new Promise<boolean>((resolve, reject) => {
+				socket.on('error', () => resolve(false));
+				socket.on('unexpected-response', () => resolve(false));
+				setTimeout(() => resolve(true), 3000);
+			});
+
+			socket.close();
+			assert.strictEqual(established, false);
+
+			const fired = await waitFire(
+				{ token: application2 }, 'hybridTimeline',
+				() => api('notes/create', { text: 'Hello, world!' }, ayano),
+				msg => msg.type === 'note' && msg.body.userId === ayano.id,
+			);
+
+			assert.strictEqual(fired, true);
+		});
+
 		// XXX: QueryFailedError: duplicate key value violates unique constraint "IDX_347fec870eafea7b26c8a73bac"
 		/*
 		describe('Hashtag Timeline', () => {