From a73ade526ab79bdf807b29a426dd09715f1e2166 Mon Sep 17 00:00:00 2001
From: Emelia Smith
Date: Wed, 28 May 2025 14:09:32 +0200
Subject: [PATCH] Assert usage of client credentials for account registration (#34828)

---
 app/controllers/api/base_controller.rb        |  4 ++++
 app/controllers/api/v1/accounts_controller.rb |  1 +
 .../client_credentials_token_fabricator.rb    |  5 +++++
 spec/requests/api/v1/accounts_spec.rb         | 19 ++++++++++++++++++-
 4 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 spec/fabricators/client_credentials_token_fabricator.rb

diff --git a/app/controllers/api/base_controller.rb b/app/controllers/api/base_controller.rb
index b10c2f5737..86907538db 100644
--- a/app/controllers/api/base_controller.rb
+++ b/app/controllers/api/base_controller.rb
@@ -50,6 +50,10 @@ class Api::BaseController < ApplicationController
     nil
   end
 
+  def require_client_credentials!
+    render json: { error: 'This method requires an client credentials authentication' }, status: 403 if doorkeeper_token.resource_owner_id.present?
+  end
+
   def require_authenticated_user!
     render json: { error: 'This method requires an authenticated user' }, status: 401 unless current_user
   end
diff --git a/app/controllers/api/v1/accounts_controller.rb b/app/controllers/api/v1/accounts_controller.rb
index ae8df69a28..936cd56eb8 100644
--- a/app/controllers/api/v1/accounts_controller.rb
+++ b/app/controllers/api/v1/accounts_controller.rb
@@ -10,6 +10,7 @@ class Api::V1::AccountsController < Api::BaseController
   before_action -> { doorkeeper_authorize! :write, :'write:accounts' }, only: [:create]
   before_action :require_user!, except: [:index, :show, :create]
+  before_action :require_client_credentials!, only: [:create]
   before_action :set_account, except: [:index, :create]
   before_action :set_accounts, only: [:index]
   before_action :check_account_approval, except: [:index, :create]
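Review bot: `require_client_credentials!` dereferences `doorkeeper_token.resource_owner_id` with no nil guard, so on any action where `doorkeeper_authorize!` has not already run (this helper sits in the shared base controller and can be reused from other controllers) a request with no bearer token raises NoMethodError and surfaces as a 500 instead of a clean rejection. Making the helper fail closed on its own is a one-line change: `render json: { error: 'This method requires an client credentials authentication' }, status: 403 if doorkeeper_token.nil? || doorkeeper_token.resource_owner_id.present?`. The check also infers "client credentials" from the absence of a resource owner rather than from the grant that issued the token; that is presumably sufficient here, but a comment such as `# Only application (owner-less) tokens may call this; tokens bound to a user are rejected. Assumes doorkeeper_authorize! ran first.` would make the assumption explicit. The message text reads "an client credentials" and the new spec pins that exact string, so correcting the article must be done in both places together. The enclosing class starts and ends outside the hunk.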
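Review bot: The new `require_client_credentials!` filter is only safe because the `doorkeeper_authorize!` filter two lines above it runs first and guarantees `doorkeeper_token` is set for `:create`; nothing on the added line records that ordering dependency, and a future reorder or `prepend_before_action` would turn a missing token into an unhandled NoMethodError rather than a 401. A trailing comment on the added line would make it explicit: `before_action :require_client_credentials!, only: [:create] # must run after doorkeeper_authorize! so doorkeeper_token is present`. The class body continues outside the hunk.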
diff --git a/spec/fabricators/client_credentials_token_fabricator.rb b/spec/fabricators/client_credentials_token_fabricator.rb
new file mode 100644
index 0000000000..24ab02a49c
--- /dev/null
+++ b/spec/fabricators/client_credentials_token_fabricator.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+Fabricator :client_credentials_token, from: :accessible_access_token do
+  resource_owner_id { nil }
+end
diff --git a/spec/requests/api/v1/accounts_spec.rb b/spec/requests/api/v1/accounts_spec.rb
index 9fe5b3d491..a040174d38 100644
--- a/spec/requests/api/v1/accounts_spec.rb
+++ b/spec/requests/api/v1/accounts_spec.rb
@@ -78,10 +78,27 @@ RSpec.describe '/api/v1/accounts' do
     end
 
     let(:client_app) { Fabricate(:application) }
-    let(:token) { Doorkeeper::AccessToken.find_or_create_for(application: client_app, resource_owner: nil, scopes: 'read write', use_refresh_token: false) }
+    let(:token) { Fabricate(:client_credentials_token, application: client_app, scopes: 'read write') }
     let(:agreement) { nil }
     let(:date_of_birth) { nil }
 
+    context 'when not using client credentials token' do
+      let(:token) { Fabricate(:accessible_access_token, application: client_app, scopes: 'read write', resource_owner_id: user.id) }
+
+      it 'returns http forbidden error' do
+        subject
+
+        expect(response).to have_http_status(403)
+        expect(response.content_type)
+          .to start_with('application/json')
+
+        expect(response.parsed_body)
+          .to include(
+            error: 'This method requires an client credentials authentication'
+          )
+      end
+    end
+
     context 'when age verification is enabled' do
       before do
         Setting.min_age = 16
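Review bot: The new 'when not using client credentials token' example asserts only the response (403 and the error body) and never checks that the registration side effect was actually suppressed, which is the property this commit exists to enforce; a filter that rendered but failed to halt the chain would still pass this test. Replacing the bare `subject` call with `expect { subject }.to_not change(User, :count)` pins the fail-closed behaviour at negligible cost. The expectation also hard-codes the message 'an client credentials authentication', typo included, so the spec and controller must be corrected in lockstep if the wording is fixed. `user` (used via `user.id`) and `subject` are defined outside the hunk.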