From 975e92b7f1fb92c2c0475e9ec65fd2521625252c Mon Sep 17 00:00:00 2001 From: Vyr Cossont Date: Wed, 29 May 2024 03:57:44 -0700 Subject: [PATCH] [feature] Implement profile API (#2926) * Implement profile API This Mastodon 4.2 extension provides capabilities missing from the existing Mastodon account update API: deleting an account's avatar or header. See: https://docs.joinmastodon.org/methods/profile/ * Move profile media methods to media processor * Remove check for moved account --- docs/api/swagger.yaml | 54 +++++++ internal/api/client/accounts/accounts.go | 9 ++ internal/api/client/accounts/profile.go | 123 ++++++++++++++++ internal/api/client/accounts/profile_test.go | 141 +++++++++++++++++++ internal/processing/media/profile.go | 77 ++++++++++ internal/typeutils/defaulticons.go | 2 +- 6 files changed, 405 insertions(+), 1 deletion(-) create mode 100644 internal/api/client/accounts/profile.go create mode 100644 internal/api/client/accounts/profile_test.go create mode 100644 internal/processing/media/profile.go diff --git a/docs/api/swagger.yaml b/docs/api/swagger.yaml index b86d4b9eb..7e61dcf1c 100644 --- a/docs/api/swagger.yaml +++ b/docs/api/swagger.yaml @@ -7276,6 +7276,60 @@ paths: summary: Return an object of user preferences. tags: - preferences + /api/v1/profile/avatar: + delete: + description: If the account doesn't have an avatar, the call succeeds anyway. + operationId: accountAvatarDelete + produces: + - application/json + responses: + "200": + description: The updated account, including profile source information. + schema: + $ref: '#/definitions/account' + "400": + description: bad request + "401": + description: unauthorized + "403": + description: forbidden + "406": + description: not acceptable + "500": + description: internal server error + security: + - OAuth2 Bearer: + - admin + summary: Delete the authenticated account's avatar. + tags: + - accounts + /api/v1/profile/header: + delete: + description: If the account doesn't have a header, the call succeeds anyway. + operationId: accountHeaderDelete + produces: + - application/json + responses: + "200": + description: The updated account, including profile source information. + schema: + $ref: '#/definitions/account' + "400": + description: bad request + "401": + description: unauthorized + "403": + description: forbidden + "406": + description: not acceptable + "500": + description: internal server error + security: + - OAuth2 Bearer: + - admin + summary: Delete the authenticated account's header. + tags: + - accounts /api/v1/reports: get: description: |- diff --git a/internal/api/client/accounts/accounts.go b/internal/api/client/accounts/accounts.go index 8b92bd7a5..61fdc41ad 100644 --- a/internal/api/client/accounts/accounts.go +++ b/internal/api/client/accounts/accounts.go @@ -56,6 +56,11 @@ MovePath = BasePath + "/move" AliasPath = BasePath + "/alias" ThemesPath = BasePath + "/themes" + + // ProfileBasePath for the profile API, an extension of the account update API with a different path. + ProfileBasePath = "/v1/profile" + AvatarPath = ProfileBasePath + "/avatar" + HeaderPath = ProfileBasePath + "/header" ) type Module struct { @@ -84,6 +89,10 @@ func (m *Module) Route(attachHandler func(method string, path string, f ...gin.H // modify account attachHandler(http.MethodPatch, UpdatePath, m.AccountUpdateCredentialsPATCHHandler) + // modify account profile media + attachHandler(http.MethodDelete, AvatarPath, m.AccountAvatarDELETEHandler) + attachHandler(http.MethodDelete, HeaderPath, m.AccountHeaderDELETEHandler) + // get account's statuses attachHandler(http.MethodGet, StatusesPath, m.AccountStatusesGETHandler) diff --git a/internal/api/client/accounts/profile.go b/internal/api/client/accounts/profile.go new file mode 100644 index 000000000..8ff59a23b --- /dev/null +++ b/internal/api/client/accounts/profile.go @@ -0,0 +1,123 @@ +// GoToSocial +// Copyright (C) GoToSocial Authors admin@gotosocial.org +// SPDX-License-Identifier: AGPL-3.0-or-later +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. +// +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see . + +package accounts + +import ( + "context" + "net/http" + + "github.com/gin-gonic/gin" + apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" + apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" + "github.com/superseriousbusiness/gotosocial/internal/gtserror" + "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" + "github.com/superseriousbusiness/gotosocial/internal/oauth" +) + +// AccountAvatarDELETEHandler swagger:operation DELETE /api/v1/profile/avatar accountAvatarDelete +// +// Delete the authenticated account's avatar. +// If the account doesn't have an avatar, the call succeeds anyway. +// +// --- +// tags: +// - accounts +// +// produces: +// - application/json +// +// security: +// - OAuth2 Bearer: +// - admin +// +// responses: +// '200': +// description: The updated account, including profile source information. +// schema: +// "$ref": "#/definitions/account" +// '400': +// description: bad request +// '401': +// description: unauthorized +// '403': +// description: forbidden +// '406': +// description: not acceptable +// '500': +// description: internal server error +func (m *Module) AccountAvatarDELETEHandler(c *gin.Context) { + m.accountDeleteProfileAttachment(c, m.processor.Media().DeleteAvatar) +} + +// AccountHeaderDELETEHandler swagger:operation DELETE /api/v1/profile/header accountHeaderDelete +// +// Delete the authenticated account's header. +// If the account doesn't have a header, the call succeeds anyway. +// +// --- +// tags: +// - accounts +// +// produces: +// - application/json +// +// security: +// - OAuth2 Bearer: +// - admin +// +// responses: +// '200': +// description: The updated account, including profile source information. +// schema: +// "$ref": "#/definitions/account" +// '400': +// description: bad request +// '401': +// description: unauthorized +// '403': +// description: forbidden +// '406': +// description: not acceptable +// '500': +// description: internal server error +func (m *Module) AccountHeaderDELETEHandler(c *gin.Context) { + m.accountDeleteProfileAttachment(c, m.processor.Media().DeleteHeader) +} + +// accountDeleteProfileAttachment checks that an authenticated account is present and allowed to alter itself, +// runs an attachment deletion processor method, and returns the updated account. +func (m *Module) accountDeleteProfileAttachment(c *gin.Context, processDelete func(context.Context, *gtsmodel.Account) (*apimodel.Account, gtserror.WithCode)) { + authed, err := oauth.Authed(c, true, true, true, true) + if err != nil { + apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + return + } + + if _, err := apiutil.NegotiateAccept(c, apiutil.JSONAcceptHeaders...); err != nil { + apiutil.ErrorHandler(c, gtserror.NewErrorNotAcceptable(err, err.Error()), m.processor.InstanceGetV1) + return + } + + acctSensitive, errWithCode := processDelete(c, authed.Account) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) + return + } + + apiutil.JSON(c, http.StatusOK, acctSensitive) +} diff --git a/internal/api/client/accounts/profile_test.go b/internal/api/client/accounts/profile_test.go new file mode 100644 index 000000000..62a622b37 --- /dev/null +++ b/internal/api/client/accounts/profile_test.go @@ -0,0 +1,141 @@ +// GoToSocial +// Copyright (C) GoToSocial Authors admin@gotosocial.org +// SPDX-License-Identifier: AGPL-3.0-or-later +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. +// +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see . + +package accounts_test + +import ( + "encoding/json" + "fmt" + "io" + "net/http" + "net/http/httptest" + "strings" + "testing" + + "github.com/gin-gonic/gin" + "github.com/stretchr/testify/suite" + "github.com/superseriousbusiness/gotosocial/internal/api/client/accounts" + apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" + "github.com/superseriousbusiness/gotosocial/internal/config" + "github.com/superseriousbusiness/gotosocial/internal/oauth" + "github.com/superseriousbusiness/gotosocial/testrig" +) + +type AccountProfileTestSuite struct { + AccountStandardTestSuite +} + +func (suite *AccountProfileTestSuite) deleteProfileAttachment( + testAccountFixtureName string, + profileSubpath string, + handler func(*gin.Context), + expectedHTTPStatus int, +) (*apimodel.Account, error) { + // instantiate recorder + test context + recorder := httptest.NewRecorder() + ctx, _ := testrig.CreateGinTestContext(recorder, nil) + ctx.Set(oauth.SessionAuthorizedAccount, suite.testAccounts[testAccountFixtureName]) + ctx.Set(oauth.SessionAuthorizedToken, oauth.DBTokenToToken(suite.testTokens[testAccountFixtureName])) + ctx.Set(oauth.SessionAuthorizedApplication, suite.testApplications["application_1"]) + ctx.Set(oauth.SessionAuthorizedUser, suite.testUsers[testAccountFixtureName]) + + // create the request + ctx.Request = httptest.NewRequest(http.MethodDelete, config.GetProtocol()+"://"+config.GetHost()+"/api"+accounts.ProfileBasePath+"/"+profileSubpath, nil) + ctx.Request.Header.Set("accept", "application/json") + + // trigger the handler + handler(ctx) + + // read the response + result := recorder.Result() + defer result.Body.Close() + + b, err := io.ReadAll(result.Body) + if err != nil { + return nil, err + } + + // check code + if resultCode := recorder.Code; expectedHTTPStatus != resultCode { + return nil, fmt.Errorf("expected %d got %d", expectedHTTPStatus, resultCode) + } + + resp := &apimodel.Account{} + if err := json.Unmarshal(b, resp); err != nil { + return nil, err + } + + return resp, nil +} + +// Delete the avatar of a user that has an avatar. Should succeed. +func (suite *AccountProfileTestSuite) TestDeleteAvatar() { + account, err := suite.deleteProfileAttachment( + "local_account_1", + "avatar", + suite.accountsModule.AccountAvatarDELETEHandler, + http.StatusOK, + ) + if suite.NoError(err) { + // An empty URL is legal *only* in the test environment, which may have no default avatars. + suite.True(account.Avatar == "" || strings.HasPrefix(account.Avatar, "http://localhost:8080/assets/default_avatars/")) + } +} + +// Delete the avatar of a user that doesn't have an avatar. Should succeed. +func (suite *AccountProfileTestSuite) TestDeleteNonexistentAvatar() { + account, err := suite.deleteProfileAttachment( + "admin_account", + "avatar", + suite.accountsModule.AccountAvatarDELETEHandler, + http.StatusOK, + ) + if suite.NoError(err) { + // An empty URL is legal *only* in the test environment, which may have no default avatars. + suite.True(account.Avatar == "" || strings.HasPrefix(account.Avatar, "http://localhost:8080/assets/default_avatars/")) + } +} + +// Delete the header of a user that has a header. Should succeed. +func (suite *AccountProfileTestSuite) TestDeleteHeader() { + account, err := suite.deleteProfileAttachment( + "local_account_2", + "header", + suite.accountsModule.AccountHeaderDELETEHandler, + http.StatusOK, + ) + if suite.NoError(err) { + suite.Equal("http://localhost:8080/assets/default_header.png", account.Header) + } +} + +// Delete the header of a user that doesn't have a header. Should succeed. +func (suite *AccountProfileTestSuite) TestDeleteNonexistentHeader() { + account, err := suite.deleteProfileAttachment( + "admin_account", + "header", + suite.accountsModule.AccountHeaderDELETEHandler, + http.StatusOK, + ) + if suite.NoError(err) { + suite.Equal("http://localhost:8080/assets/default_header.png", account.Header) + } +} + +func TestAccountProfileTestSuite(t *testing.T) { + suite.Run(t, new(AccountProfileTestSuite)) +} diff --git a/internal/processing/media/profile.go b/internal/processing/media/profile.go new file mode 100644 index 000000000..5c266e372 --- /dev/null +++ b/internal/processing/media/profile.go @@ -0,0 +1,77 @@ +// GoToSocial +// Copyright (C) GoToSocial Authors admin@gotosocial.org +// SPDX-License-Identifier: AGPL-3.0-or-later +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. +// +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see . + +package media + +import ( + "context" + "fmt" + + apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" + "github.com/superseriousbusiness/gotosocial/internal/gtserror" + "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" +) + +// DeleteAvatar deletes the account's avatar, if one exists, and returns the updated account. +// If no avatar exists, it returns anyway with no error. +func (p *Processor) DeleteAvatar( + ctx context.Context, + account *gtsmodel.Account, +) (*apimodel.Account, gtserror.WithCode) { + attachmentID := account.AvatarMediaAttachmentID + account.AvatarMediaAttachmentID = "" + return p.deleteProfileAttachment(ctx, account, "avatar_media_attachment_id", attachmentID) +} + +// DeleteHeader deletes the account's header, if one exists, and returns the updated account. +// If no header exists, it returns anyway with no error. +func (p *Processor) DeleteHeader( + ctx context.Context, + account *gtsmodel.Account, +) (*apimodel.Account, gtserror.WithCode) { + attachmentID := account.HeaderMediaAttachmentID + account.HeaderMediaAttachmentID = "" + return p.deleteProfileAttachment(ctx, account, "header_media_attachment_id", attachmentID) +} + +// deleteProfileAttachment updates an attachment ID column and then deletes the attachment. +// Precondition: the relevant attachment ID field of the account model has already been set to the empty string. +func (p *Processor) deleteProfileAttachment( + ctx context.Context, + account *gtsmodel.Account, + attachmentIDColumn string, + attachmentID string, +) (*apimodel.Account, gtserror.WithCode) { + if attachmentID != "" { + // Remove attachment from account. + if err := p.state.DB.UpdateAccount(ctx, account, attachmentIDColumn); err != nil { + return nil, gtserror.NewErrorInternalError(fmt.Errorf("could not update account: %s", err)) + } + + // Delete attachment media. + if err := p.Delete(ctx, attachmentID); err != nil { + return nil, err + } + } + + acctSensitive, err := p.converter.AccountToAPIAccountSensitive(ctx, account) + if err != nil { + return nil, gtserror.NewErrorInternalError(fmt.Errorf("could not convert account into apisensitive account: %s", err)) + } + + return acctSensitive, nil +} diff --git a/internal/typeutils/defaulticons.go b/internal/typeutils/defaulticons.go index bcb7b8c10..e3a090109 100644 --- a/internal/typeutils/defaulticons.go +++ b/internal/typeutils/defaulticons.go @@ -119,7 +119,7 @@ func (c *Converter) ensureAvatar(account *apimodel.Account) { account.AvatarStatic = avatar } -// EnsureAvatar ensures that the given account has a value set +// ensureHeader ensures that the given account has a value set // for the header URL. // // If no value is set, the default header will be set.