From 846888b2c7764b99c0856c77f1caf0644188321a Mon Sep 17 00:00:00 2001
From: Laura Hausmann
Date: Wed, 9 Oct 2024 21:39:32 +0200
Subject: [PATCH] [backend/core] Prevent system users from authenticating or creating notes

---
 Iceshrimp.Backend/Controllers/Web/AuthController.cs | 2 ++
 Iceshrimp.Backend/Core/Services/NoteService.cs | 2 ++
 Iceshrimp.Backend/Pages/OAuth/Authorize.cshtml.cs | 1 +
 3 files changed, 5 insertions(+)

diff --git a/Iceshrimp.Backend/Controllers/Web/AuthController.cs b/Iceshrimp.Backend/Controllers/Web/AuthController.cs
index d27766ac..3d19da19 100644
--- a/Iceshrimp.Backend/Controllers/Web/AuthController.cs
+++ b/Iceshrimp.Backend/Controllers/Web/AuthController.cs
@@ -54,6 +54,8 @@ public class AuthController(DatabaseContext db, UserService userSvc, UserRendere
 p.UsernameLower == request.Username.ToLowerInvariant());
 if (user == null)
 throw GracefulException.Forbidden("Invalid username or password");
+ if (user.IsSystemUser)
+ throw GracefulException.BadRequest("Cannot log in as system user");
 var settings = await db.UserSettings.FirstOrDefaultAsync(p => p.User == user);
 if (settings?.Password == null)
 throw GracefulException.Forbidden("Invalid username or password");
diff --git a/Iceshrimp.Backend/Core/Services/NoteService.cs b/Iceshrimp.Backend/Core/Services/NoteService.cs
index ef283c45..220e8535 100644
--- a/Iceshrimp.Backend/Core/Services/NoteService.cs
+++ b/Iceshrimp.Backend/Core/Services/NoteService.cs
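Review bot: The new `IsSystemUser` guard answers before the password is ever checked, and with a different status and message than its neighbours, so an unauthenticated caller can distinguish a system account from an unknown username while the surrounding checks deliberately collapse both into `Forbidden("Invalid username or password")`. System accounts are normally discoverable anyway, so this is probably acceptable, but if uniform responses are the intent the smaller change is to exclude them in the lookup predicate, `!p.IsSystemUser && p.UsernameLower == request.Username.ToLowerInvariant()`, and drop the extra branch; the same pattern appears in the Authorize.cshtml.cs hunk. Either way a short comment on the guard, `// system users must never authenticate; reject before any credential lookup`, would record why it sits ahead of the settings query. The enclosing login action starts and ends outside the hunk.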
@@ -110,6 +110,8 @@ public class NoteService(
 throw GracefulException.UnprocessableEntity($"Note was rejected by {policy.Name}");
 if (data.User.IsLocalUser && (data.Text?.Length ?? 0) + (data.Cw?.Length ?? 0) > config.Value.CharacterLimit)
 throw GracefulException.UnprocessableEntity($"Text & content warning cannot exceed {config.Value.CharacterLimit} characters in total");
+ if (data.User.IsSystemUser)
+ throw GracefulException.BadRequest("System users cannot create notes");
 if (data.Text is { Length: > 100000 })
 throw GracefulException.UnprocessableEntity("Text cannot be longer than 100.000 characters");
 if (data.Cw is { Length: > 100000 })
diff --git a/Iceshrimp.Backend/Pages/OAuth/Authorize.cshtml.cs b/Iceshrimp.Backend/Pages/OAuth/Authorize.cshtml.cs
index 8bfba129..c976cc86 100644
--- a/Iceshrimp.Backend/Pages/OAuth/Authorize.cshtml.cs
+++ b/Iceshrimp.Backend/Pages/OAuth/Authorize.cshtml.cs
@@ -71,6 +71,7 @@ public class AuthorizeModel(DatabaseContext db) : PageModel
 user = await db.Users.FirstOrDefaultAsync(p => p.IsLocalUser && p.UsernameLower == username.ToLowerInvariant()) ?? throw Forbidden();
+ if (user.IsSystemUser) throw GracefulException.BadRequest("Cannot log in as system user");
 var userSettings = await db.UserSettings.FirstOrDefaultAsync(p => p.User == user); if (userSettings?.Password == null) throw Forbidden();
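Review bot: The `data.User.IsSystemUser` guard is placed after the policy evaluation and the character-limit check, so a request on behalf of a system user is first run through the policies and can fail with `Note was rejected by {policy.Name}` before the categorical refusal is reached. Because the check depends only on the actor and not on the content, it belongs at the head of this validation sequence, ahead of the policy loop, with a comment such as `// reject system actors before any content validation runs`. It is also worth confirming that any path that edits existing notes, if one exists, applies the same rule, since this hunk covers creation only. The enclosing method starts and ends outside the hunk.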