diff --git a/packages/backend/src/server/api/endpoints/miauth/gen-token.ts b/packages/backend/src/server/api/endpoints/miauth/gen-token.ts index 3ed7227d79..fcfed8b7a9 100644 --- a/packages/backend/src/server/api/endpoints/miauth/gen-token.ts +++ b/packages/backend/src/server/api/endpoints/miauth/gen-token.ts @@ -4,14 +4,14 @@ */ import { Inject, Injectable } from '@nestjs/common'; -import { In } from 'typeorm'; import { ApiError } from '@/server/api/error.js'; import { Endpoint } from '@/server/api/endpoint-base.js'; -import type { AccessTokensRepository, UsersRepository } from '@/models/_.js'; +import type { AccessTokensRepository } from '@/models/_.js'; import { IdService } from '@/core/IdService.js'; import { NotificationService } from '@/core/NotificationService.js'; import { secureRndstr } from '@/misc/secure-rndstr.js'; import { DI } from '@/di-symbols.js'; +import { CacheService } from '@/core/CacheService.js'; export const meta = { tags: ['auth'], @@ -37,6 +37,11 @@ export const meta = { code: 'NO_SUCH_USER', id: 'a89abd3d-f0bc-4cce-beb1-2f446f4f1e6a', }, + mustBeLocal: { + message: 'Grantee must be local', + code: 'MUST_BE_LOCAL', + id: '403c73e5-6f03-41b4-9394-ac128947f7ae', + }, }, // 10 calls per 5 seconds @@ -70,18 +75,24 @@ export default class extends Endpoint { // eslint- @Inject(DI.accessTokensRepository) private accessTokensRepository: AccessTokensRepository, - @Inject(DI.usersRepository) - private readonly usersRepository: UsersRepository, - private idService: IdService, private notificationService: NotificationService, + private readonly cacheService: CacheService, ) { super(meta, paramDef, async (ps, me) => { + // Validate grantees if (ps.grantees && ps.grantees.length > 0) { - const existingCount = await this.usersRepository.countBy({ id: In(ps.grantees) }); - if (existingCount !== ps.grantees.length) { + const grantees = await this.cacheService.getUsers(ps.grantees); + + if (grantees.size !== ps.grantees.length) { throw new ApiError(meta.errors.noSuchUser); } + + for (const grantee of grantees.values()) { + if (grantee.host != null) { + throw new ApiError(meta.errors.mustBeLocal); + } + } } // Generate access token diff --git a/packages/frontend/src/components/MkTokenGenerateWindow.vue b/packages/frontend/src/components/MkTokenGenerateWindow.vue index ff789eb358..c287f1ce20 100644 --- a/packages/frontend/src/components/MkTokenGenerateWindow.vue +++ b/packages/frontend/src/components/MkTokenGenerateWindow.vue @@ -106,8 +106,7 @@ import { $i, iAmAdmin } from '@/i.js'; import MkFolder from '@/components/MkFolder.vue'; import MkUserCardMini from '@/components/MkUserCardMini.vue'; import MkSelect from '@/components/MkSelect.vue'; -import * as os from '@/os'; -import { instance } from '@/instance'; +import * as os from '@/os.js'; const props = withDefaults(defineProps<{ title?: string | null; @@ -204,8 +203,7 @@ function enableAllAdmin(): void { async function addGrantee(): Promise { const user = await os.selectUser({ - includeSelf: true, - localOnly: instance.noteSearchableScope === 'local', + localOnly: true, }); grantees.value.push(user); }