From 4c9dabe7b8b88c56e69b6f4cfb2c0f0ce8a88a2f Mon Sep 17 00:00:00 2001
From: ThatOneCalculator
Date: Tue, 25 Oct 2022 19:22:30 -0700
Subject: [PATCH] Security fixes
---
 CALCKEY.md | 1 +
 package.json | 2 +-
 .../backend/src/server/api/endpoints/federation/followers.ts | 3 ++-
 .../backend/src/server/api/endpoints/federation/following.ts | 3 ++-
 .../backend/src/server/api/endpoints/federation/instances.ts | 2 +-
 .../src/server/api/endpoints/federation/show-instance.ts | 2 +-
 packages/backend/src/server/api/endpoints/stats.ts | 2 +-
 packages/backend/src/server/api/endpoints/users.ts | 2 +-
 8 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/CALCKEY.md b/CALCKEY.md
index ab1dc3c1d..99bf045a6 100644
--- a/CALCKEY.md
+++ b/CALCKEY.md
@@ -113,3 +113,4 @@
 - 298febeb9c9501e3e3df16982c08657d1da474e0: enhance: add re-collapsing to quoted notes
 - b0fdedb264db87575063abed45e52ad71ce4a6af: fix lints in folder.vue
 - 6fed87f85d132304eb84b0a59b84dce299a1822f: fix pagination.vue lints
+ - Tosti's security fixes
diff --git a/package.json b/package.json
index bf781b90b..1242bfd82 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "calckey",
- "version": "12.119.0-calc.1-rc.9.9",
+ "version": "12.119.0-calc.2",
 "codename": "aqua",
 "repository": {
 "type": "git",
diff --git a/packages/backend/src/server/api/endpoints/federation/followers.ts b/packages/backend/src/server/api/endpoints/federation/followers.ts
index 8a04df2d5..01df3939e 100644
--- a/packages/backend/src/server/api/endpoints/federation/followers.ts
+++ b/packages/backend/src/server/api/endpoints/federation/followers.ts
@@ -5,7 +5,8 @@ import { makePaginationQuery } from '../../common/make-pagination-query.js';
 export const meta = {
 tags: ['federation'],
- requireCredential: false,
+ requireCredential: true,
+ requireAdmin: true,
 requireCredentialPrivateMode: true,
 res: {
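Review bot: `requireAdmin: true` in followers.ts (and in the matching hunk of following.ts) has no comment saying why these two endpoints need an admin while instances.ts and show-instance.ts in the same patch only need a login, and the subject line "Security fixes" does not say either. A one-line comment above the flag, for example `// admin only: per-host follow relations are not exposed to regular accounts` (if that is the reason), would record the intent so a later cleanup does not loosen it. With `requireCredential: true` now set unconditionally, `requireCredentialPrivateMode: true` on the following line looks redundant in all six endpoint files touched here; confirm against the API dispatcher and either drop it or note why it stays. The `meta` object continues past the end of the hunk.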
diff --git a/packages/backend/src/server/api/endpoints/federation/following.ts b/packages/backend/src/server/api/endpoints/federation/following.ts
index fe41eefa4..17abf2e12 100644
--- a/packages/backend/src/server/api/endpoints/federation/following.ts
+++ b/packages/backend/src/server/api/endpoints/federation/following.ts
@@ -5,7 +5,8 @@ import { makePaginationQuery } from '../../common/make-pagination-query.js';
 export const meta = {
 tags: ['federation'],
- requireCredential: false,
+ requireCredential: true,
+ requireAdmin: true,
 requireCredentialPrivateMode: true,
 res: {
diff --git a/packages/backend/src/server/api/endpoints/federation/instances.ts b/packages/backend/src/server/api/endpoints/federation/instances.ts
index 41750f13e..84740bc92 100644
--- a/packages/backend/src/server/api/endpoints/federation/instances.ts
+++ b/packages/backend/src/server/api/endpoints/federation/instances.ts
@@ -6,7 +6,7 @@ import { fetchMeta } from '@/misc/fetch-meta.js';
 export const meta = {
 tags: ['federation'],
- requireCredential: false,
+ requireCredential: true,
 requireCredentialPrivateMode: true,
 res: {
diff --git a/packages/backend/src/server/api/endpoints/federation/show-instance.ts b/packages/backend/src/server/api/endpoints/federation/show-instance.ts
index 92298f672..8e6c59fc8 100644
--- a/packages/backend/src/server/api/endpoints/federation/show-instance.ts
+++ b/packages/backend/src/server/api/endpoints/federation/show-instance.ts
@@ -5,7 +5,7 @@ import { toPuny } from '@/misc/convert-host.js';
 export const meta = {
 tags: ['federation'],
- requireCredential: false,
+ requireCredential: true,
 requireCredentialPrivateMode: true,
 res: {
diff --git a/packages/backend/src/server/api/endpoints/stats.ts b/packages/backend/src/server/api/endpoints/stats.ts
index 0f2fb1f41..9e140184c 100644
--- a/packages/backend/src/server/api/endpoints/stats.ts
+++ b/packages/backend/src/server/api/endpoints/stats.ts
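Review bot: In instances.ts the new `requireCredential: true` admits any logged-in account, so on a server with open sign-up the federation list is still available to anyone who registers; the same holds for the show-instance.ts and users.ts hunks. If the aim is to stop peer and user listings from being harvested, state that in the commit description and decide whether these endpoints should follow followers.ts and following.ts with `requireAdmin: true`, or whether a rate limit on the endpoint is the intended control. Whether a limit is already declared cannot be seen here, because `meta` continues outside the hunk.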
@@ -4,7 +4,7 @@ import { } from '@/services/chart/index.js';
 import { IsNull } from 'typeorm';
 export const meta = {
- requireCredential: false,
+ requireCredential: true,
 requireCredentialPrivateMode: true,
 tags: ['meta'],
diff --git a/packages/backend/src/server/api/endpoints/users.ts b/packages/backend/src/server/api/endpoints/users.ts
index d2f2ddcbf..7ee9bb8c0 100644
--- a/packages/backend/src/server/api/endpoints/users.ts
+++ b/packages/backend/src/server/api/endpoints/users.ts
@@ -6,7 +6,7 @@ import { generateBlockQueryForUsers } from '../common/generate-block-query.js';
 export const meta = {
 tags: ['users'],
- requireCredential: false,
+ requireCredential: true,
 requireCredentialPrivateMode: true,
 res: {
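Review bot: stats.ts was callable without a token before this change, and with `requireCredential: true` every logged-out caller is now refused, yet no caller is updated in the patch. The diffstat lists only endpoint metadata, the changelog and package.json, so any client view shown to visitors, or any external monitor that reads `stats`, would presumably start failing. Search the client for uses of this endpoint before release and either make them tolerate the rejection or keep the figures they need behind a separate public endpoint. The `meta` object continues past the end of the hunk.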
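Review bot: No test pins the new access rule on users.ts or on the other five endpoints changed in this patch; the diffstat shows no test file. Since the whole fix is a one-word metadata flip per file, a later merge or revert could silently reopen the endpoints. Add an API test per endpoint asserting that a request without a token is rejected, and for followers.ts and following.ts that a non-admin token is rejected as well. The `meta` object runs past the end of the hunk.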