Assert usage of client credentials for account registration (#34828)

2025-05-28 14:09:32 +02:00 · 2025-05-28 14:09:32 +02:00 · a73ade526a
commit a73ade526a
parent 6ffa262546
4 changed files with 28 additions and 1 deletions
--- a/app/controllers/api/base_controller.rb
+++ b/app/controllers/api/base_controller.rb
@ -50,6 +50,10 @@ class Api::BaseController < ApplicationController
    nil
  end

+  def require_client_credentials!
+    render json: { error: 'This method requires an client credentials authentication' }, status: 403 if doorkeeper_token.resource_owner_id.present?
+  end
+
  def require_authenticated_user!
    render json: { error: 'This method requires an authenticated user' }, status: 401 unless current_user
  end
--- a/app/controllers/api/v1/accounts_controller.rb
+++ b/app/controllers/api/v1/accounts_controller.rb
@ -10,6 +10,7 @@ class Api::V1::AccountsController < Api::BaseController
  before_action -> { doorkeeper_authorize! :write, :'write:accounts' }, only: [:create]

  before_action :require_user!, except: [:index, :show, :create]
+  before_action :require_client_credentials!, only: [:create]
  before_action :set_account, except: [:index, :create]
  before_action :set_accounts, only: [:index]
  before_action :check_account_approval, except: [:index, :create]