[#1940] Added admin_token param (as admin_api_params/0) to existing Admin API OpenAPI operations.

lib/pleroma/web/api_spec/helpers.ex

@@ -29,6 +29,10 @@ def request_body(description, schema_ref, opts \\ []) do
     }
   end
 
+  def admin_api_params do
+    [Operation.parameter(:admin_token, :query, :string, "Allows authorization via admin token.")]
+  end
+
   def pagination_params do
     [
       Operation.parameter(:max_id, :query, :string, "Return items older than this ID"),

lib/pleroma/web/api_spec/operations/admin/config_operation.ex

@@ -26,6 +26,7 @@ def show_operation do
           %Schema{type: :boolean, default: false},
           "Get only saved in database settings"
         )
+        | admin_api_params()
       ],
       security: [%{"oAuth" => ["read"]}],
       responses: %{
@@ -41,6 +42,7 @@ def update_operation do
       summary: "Update config settings",
       operationId: "AdminAPI.ConfigController.update",
       security: [%{"oAuth" => ["write"]}],
+      parameters: admin_api_params(),
       requestBody:
         request_body("Parameters", %Schema{
           type: :object,
@@ -73,6 +75,7 @@ def descriptions_operation do
       summary: "Get JSON with config descriptions.",
       operationId: "AdminAPI.ConfigController.descriptions",
       security: [%{"oAuth" => ["read"]}],
+      parameters: admin_api_params(),
       responses: %{
         200 =>
           Operation.response("Config Descriptions", "application/json", %Schema{

lib/pleroma/web/api_spec/operations/admin/invite_operation.ex

@@ -20,6 +20,7 @@ def index_operation do
       summary: "Get a list of generated invites",
       operationId: "AdminAPI.InviteController.index",
       security: [%{"oAuth" => ["read:invites"]}],
+      parameters: admin_api_params(),
       responses: %{
         200 =>
           Operation.response("Invites", "application/json", %Schema{
@@ -51,6 +52,7 @@ def create_operation do
       summary: "Create an account registration invite token",
       operationId: "AdminAPI.InviteController.create",
       security: [%{"oAuth" => ["write:invites"]}],
+      parameters: admin_api_params(),
       requestBody:
         request_body("Parameters", %Schema{
           type: :object,
@@ -71,6 +73,7 @@ def revoke_operation do
       summary: "Revoke invite by token",
       operationId: "AdminAPI.InviteController.revoke",
       security: [%{"oAuth" => ["write:invites"]}],
+      parameters: admin_api_params(),
       requestBody:
         request_body(
           "Parameters",
@@ -97,6 +100,7 @@ def email_operation do
       summary: "Sends registration invite via email",
       operationId: "AdminAPI.InviteController.email",
       security: [%{"oAuth" => ["write:invites"]}],
+      parameters: admin_api_params(),
       requestBody:
         request_body(
           "Parameters",

lib/pleroma/web/api_spec/operations/admin/media_proxy_cache_operation.ex

@@ -33,6 +33,7 @@ def index_operation do
           %Schema{type: :integer, default: 50},
           "Number of statuses to return"
         )
+        | admin_api_params()
       ],
       responses: %{
         200 => success_response()
@@ -46,6 +47,7 @@ def delete_operation do
       summary: "Remove a banned MediaProxy URL from Cachex",
       operationId: "AdminAPI.MediaProxyCacheController.delete",
       security: [%{"oAuth" => ["write:media_proxy_caches"]}],
+      parameters: admin_api_params(),
       requestBody:
         request_body(
           "Parameters",
@@ -71,6 +73,7 @@ def purge_operation do
       summary: "Purge and optionally ban a MediaProxy URL",
       operationId: "AdminAPI.MediaProxyCacheController.purge",
       security: [%{"oAuth" => ["write:media_proxy_caches"]}],
+      parameters: admin_api_params(),
       requestBody:
         request_body(
           "Parameters",

lib/pleroma/web/api_spec/operations/admin/oauth_app_operation.ex

@@ -36,6 +36,7 @@ def index_operation do
           %Schema{type: :integer, default: 50},
           "Number of apps to return"
         )
+        | admin_api_params()
       ],
       responses: %{
         200 =>
@@ -72,6 +73,7 @@ def create_operation do
       summary: "Create OAuth App",
       operationId: "AdminAPI.OAuthAppController.create",
       requestBody: request_body("Parameters", create_request()),
+      parameters: admin_api_params(),
       security: [%{"oAuth" => ["write"]}],
       responses: %{
         200 => Operation.response("App", "application/json", oauth_app()),
@@ -85,7 +87,7 @@ def update_operation do
       tags: ["Admin", "oAuth Apps"],
       summary: "Update OAuth App",
       operationId: "AdminAPI.OAuthAppController.update",
-      parameters: [id_param()],
+      parameters: [id_param() | admin_api_params()],
       security: [%{"oAuth" => ["write"]}],
       requestBody: request_body("Parameters", update_request()),
       responses: %{
@@ -103,7 +105,7 @@ def delete_operation do
       tags: ["Admin", "oAuth Apps"],
       summary: "Delete OAuth App",
       operationId: "AdminAPI.OAuthAppController.delete",
-      parameters: [id_param()],
+      parameters: [id_param() | admin_api_params()],
       security: [%{"oAuth" => ["write"]}],
       responses: %{
         204 => no_content_response(),

lib/pleroma/web/api_spec/operations/admin/relay_operation.ex

@@ -19,6 +19,7 @@ def index_operation do
       summary: "List Relays",
       operationId: "AdminAPI.RelayController.index",
       security: [%{"oAuth" => ["read"]}],
+      parameters: admin_api_params(),
       responses: %{
         200 =>
           Operation.response("Response", "application/json", %Schema{
@@ -41,6 +42,7 @@ def follow_operation do
       summary: "Follow a Relay",
       operationId: "AdminAPI.RelayController.follow",
       security: [%{"oAuth" => ["write:follows"]}],
+      parameters: admin_api_params(),
       requestBody:
         request_body("Parameters", %Schema{
           type: :object,
@@ -64,6 +66,7 @@ def unfollow_operation do
       summary: "Unfollow a Relay",
       operationId: "AdminAPI.RelayController.unfollow",
       security: [%{"oAuth" => ["write:follows"]}],
+      parameters: admin_api_params(),
       requestBody:
         request_body("Parameters", %Schema{
           type: :object,

lib/pleroma/web/api_spec/operations/admin/report_operation.ex

@@ -48,6 +48,7 @@ def index_operation do
           %Schema{type: :integer, default: 50},
           "Number number of log entries per page"
         )
+        | admin_api_params()
       ],
       responses: %{
         200 =>
@@ -71,7 +72,7 @@ def show_operation do
       tags: ["Admin", "Reports"],
       summary: "Get an individual report",
       operationId: "AdminAPI.ReportController.show",
-      parameters: [id_param()],
+      parameters: [id_param() | admin_api_params()],
       security: [%{"oAuth" => ["read:reports"]}],
       responses: %{
         200 => Operation.response("Report", "application/json", report()),
@@ -86,6 +87,7 @@ def update_operation do
       summary: "Change the state of one or multiple reports",
       operationId: "AdminAPI.ReportController.update",
       security: [%{"oAuth" => ["write:reports"]}],
+      parameters: admin_api_params(),
       requestBody: request_body("Parameters", update_request(), required: true),
       responses: %{
         204 => no_content_response(),
@@ -100,7 +102,7 @@ def notes_create_operation do
       tags: ["Admin", "Reports"],
       summary: "Create report note",
       operationId: "AdminAPI.ReportController.notes_create",
-      parameters: [id_param()],
+      parameters: [id_param() | admin_api_params()],
       requestBody:
         request_body("Parameters", %Schema{
           type: :object,
@@ -124,6 +126,7 @@ def notes_delete_operation do
       parameters: [
         Operation.parameter(:report_id, :path, :string, "Report ID"),
         Operation.parameter(:id, :path, :string, "Note ID")
+        | admin_api_params()
       ],
       security: [%{"oAuth" => ["write:reports"]}],
       responses: %{

lib/pleroma/web/api_spec/operations/admin/status_operation.ex

@@ -55,6 +55,7 @@ def index_operation do
           %Schema{type: :integer, default: 50},
           "Number of statuses to return"
         )
+        | admin_api_params()
       ],
       responses: %{
         200 =>
@@ -71,7 +72,7 @@ def show_operation do
       tags: ["Admin", "Statuses"],
       summary: "Show Status",
       operationId: "AdminAPI.StatusController.show",
-      parameters: [id_param()],
+      parameters: [id_param() | admin_api_params()],
       security: [%{"oAuth" => ["read:statuses"]}],
       responses: %{
         200 => Operation.response("Status", "application/json", status()),
@@ -85,7 +86,7 @@ def update_operation do
       tags: ["Admin", "Statuses"],
       summary: "Change the scope of an individual reported status",
       operationId: "AdminAPI.StatusController.update",
-      parameters: [id_param()],
+      parameters: [id_param() | admin_api_params()],
       security: [%{"oAuth" => ["write:statuses"]}],
       requestBody: request_body("Parameters", update_request(), required: true),
       responses: %{
@@ -100,7 +101,7 @@ def delete_operation do
       tags: ["Admin", "Statuses"],
       summary: "Delete an individual reported status",
       operationId: "AdminAPI.StatusController.delete",
-      parameters: [id_param()],
+      parameters: [id_param() | admin_api_params()],
       security: [%{"oAuth" => ["write:statuses"]}],
       responses: %{
         200 => empty_object_response(),

test/web/admin_api/controllers/config_controller_test.exs

@@ -152,6 +152,14 @@ test "subkeys with full update right merge", %{conn: conn} do
       assert emoji_val[:groups] == [a: 1, b: 2]
       assert assets_val[:mascots] == [a: 1, b: 2]
     end
+
+    test "with valid `admin_token` query parameter, skips OAuth scopes check" do
+      clear_config([:admin_token], "password123")
+
+      build_conn()
+      |> get("/api/pleroma/admin/config?admin_token=password123")
+      |> json_response_and_validate_schema(200)
+    end
   end
 
   test "POST /api/pleroma/admin/config error", %{conn: conn} do