Add support for invite codes in the registration API (#27805)

2023-11-13 14:27:00 +01:00 · 2023-11-13 14:27:00 +01:00 · 07a4059901
commit 07a4059901
parent 5bca5c4c5b
9 changed files with 158 additions and 78 deletions
--- a/app/controllers/api/v1/accounts_controller.rb
+++ b/app/controllers/api/v1/accounts_controller.rb
@ -1,6 +1,8 @@
 # frozen_string_literal: true

 class Api::V1::AccountsController < Api::BaseController
+  include RegistrationHelper
+
  before_action -> { authorize_if_got_token! :read, :'read:accounts' }, except: [:create, :follow, :unfollow, :remove_from_followers, :block, :unblock, :mute, :unmute]
  before_action -> { doorkeeper_authorize! :follow, :write, :'write:follows' }, only: [:follow, :unfollow, :remove_from_followers]
  before_action -> { doorkeeper_authorize! :follow, :write, :'write:mutes' }, only: [:mute, :unmute]
@ -90,18 +92,14 @@ class Api::V1::AccountsController < Api::BaseController
  end

  def account_params
-    params.permit(:username, :email, :password, :agreement, :locale, :reason, :time_zone)
+    params.permit(:username, :email, :password, :agreement, :locale, :reason, :time_zone, :invite_code)
+  end
+
+  def invite
+    Invite.find_by(code: params[:invite_code]) if params[:invite_code].present?
  end

  def check_enabled_registrations
-    forbidden if single_user_mode? || omniauth_only? || !allowed_registrations?
-  end
-
-  def allowed_registrations?
-    Setting.registrations_mode != 'none'
-  end
-
-  def omniauth_only?
-    ENV['OMNIAUTH_ONLY'] == 'true'
+    forbidden unless allowed_registration?(request.remote_ip, invite)
  end
 end
--- a/app/controllers/api/v1/invites_controller.rb
+++ b/app/controllers/api/v1/invites_controller.rb
@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+class Api::V1::InvitesController < Api::BaseController
+  include RegistrationHelper
+
+  skip_before_action :require_authenticated_user!
+  skip_around_action :set_locale
+
+  before_action :set_invite
+  before_action :check_enabled_registrations!
+
+  # Override `current_user` to avoid reading session cookies
+  def current_user; end
+
+  def show
+    render json: { invite_code: params[:invite_code], instance_api_url: api_v2_instance_url }, status: 200
+  end
+
+  private
+
+  def set_invite
+    @invite = Invite.find_by!(code: params[:invite_code])
+  end
+
+  def check_enabled_registrations!
+    return render json: { error: I18n.t('invites.invalid') }, status: 401 unless @invite.valid_for_use?
+
+    raise Mastodon::NotPermittedError unless allowed_registration?(request.remote_ip, @invite)
+  end
+end
--- a/app/controllers/auth/registrations_controller.rb
+++ b/app/controllers/auth/registrations_controller.rb
@ -1,6 +1,7 @@
 # frozen_string_literal: true

 class Auth::RegistrationsController < Devise::RegistrationsController
+  include RegistrationHelper
  include RegistrationSpamConcern

  layout :determine_layout
@ -82,19 +83,7 @@ class Auth::RegistrationsController < Devise::RegistrationsController
  end

  def check_enabled_registrations
-    redirect_to root_path if single_user_mode? || omniauth_only? || !allowed_registrations? || ip_blocked?
-  end
-
-  def allowed_registrations?
-    Setting.registrations_mode != 'none' || @invite&.valid_for_use?
-  end
-
-  def omniauth_only?
-    ENV['OMNIAUTH_ONLY'] == 'true'
-  end
-
-  def ip_blocked?
-    IpBlock.where(severity: :sign_up_block).where('ip >>= ?', request.remote_ip.to_s).exists?
+    redirect_to root_path unless allowed_registration?(request.remote_ip, @invite)
  end

  def invite_code
--- a/app/helpers/registration_helper.rb
+++ b/app/helpers/registration_helper.rb
@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module RegistrationHelper
+  extend ActiveSupport::Concern
+
+  def allowed_registration?(remote_ip, invite)
+    !Rails.configuration.x.single_user_mode && !omniauth_only? && (registrations_open? || invite&.valid_for_use?) && !ip_blocked?(remote_ip)
+  end
+
+  def registrations_open?
+    Setting.registrations_mode != 'none'
+  end
+
+  def omniauth_only?
+    ENV['OMNIAUTH_ONLY'] == 'true'
+  end
+
+  def ip_blocked?(remote_ip)
+    IpBlock.where(severity: :sign_up_block).exists?(['ip >>= ?', remote_ip.to_s])
+  end
+end
--- a/app/services/app_sign_up_service.rb
+++ b/app/services/app_sign_up_service.rb
@ -1,12 +1,14 @@
 # frozen_string_literal: true

 class AppSignUpService < BaseService
+  include RegistrationHelper
+
  def call(app, remote_ip, params)
    @app       = app
    @remote_ip = remote_ip
    @params    = params

-    raise Mastodon::NotPermittedError unless allowed_registrations?
+    raise Mastodon::NotPermittedError unless allowed_registration?(remote_ip, invite)

    ApplicationRecord.transaction do
      create_user!
@ -34,8 +36,12 @@ class AppSignUpService < BaseService
    )
  end

+  def invite
+    Invite.find_by(code: @params[:invite_code]) if @params[:invite_code].present?
+  end
+
  def user_params
-    @params.slice(:email, :password, :agreement, :locale, :time_zone)
+    @params.slice(:email, :password, :agreement, :locale, :time_zone, :invite_code)
  end

  def account_params
@ -45,24 +51,4 @@ class AppSignUpService < BaseService
  def invite_request_params
    { text: @params[:reason] }
  end
-
-  def allowed_registrations?
-    registrations_open? && !single_user_mode? && !omniauth_only? && !ip_blocked?
-  end
-
-  def registrations_open?
-    Setting.registrations_mode != 'none'
-  end
-
-  def single_user_mode?
-    Rails.configuration.x.single_user_mode
-  end
-
-  def omniauth_only?
-    ENV['OMNIAUTH_ONLY'] == 'true'
-  end
-
-  def ip_blocked?
-    IpBlock.where(severity: :sign_up_block).where('ip >>= ?', @remote_ip.to_s).exists?
-  end
 end