hacky hack hack

internal/middleware/tokencheck.go

@@ -65,6 +65,24 @@ func TokenCheck(dbConn db.DB, validateBearerToken func(r *http.Request) (oauth2.
 		}
 		c.Set(oauth.SessionAuthorizedToken, ti)
 
+		// check for application token
+		if clientID := ti.GetClientID(); clientID != "" {
+			log.Tracef(ctx, "authenticated client %s with bearer token, scope is %s", clientID, ti.GetScope())
+
+			// fetch app for this token
+			app, err := dbConn.GetApplicationByClientID(ctx, clientID)
+			if err != nil {
+				if err != db.ErrNoEntries {
+					log.Errorf(ctx, "database error looking for application with clientID %s: %s", clientID, err)
+					return
+				}
+				log.Warnf(ctx, "no app found for client %s", clientID)
+				return
+			}
+
+			c.Set(oauth.SessionAuthorizedApplication, app)
+		}
+
 		// check for user-level token
 		if userID := ti.GetUserID(); userID != "" {
 			log.Tracef(ctx, "authenticated user %s with bearer token, scope is %s", userID, ti.GetScope())
@@ -81,12 +99,12 @@ func TokenCheck(dbConn db.DB, validateBearerToken func(r *http.Request) (oauth2.
 			}
 
 			if user.ConfirmedAt.IsZero() {
-				log.Warnf(ctx, "authenticated user %s has never confirmed thier email address", userID)
+				log.Warnf(ctx, "authenticated user %s has never confirmed their email address", userID)
 				return
 			}
 
 			if !*user.Approved {
-				log.Warnf(ctx, "authenticated user %s's account was never approved by an admin", userID)
+				log.Warnf(ctx, "authenticated user %s's account not yet approved by an admin", userID)
 				return
 			}
 
@@ -118,23 +136,5 @@ func TokenCheck(dbConn db.DB, validateBearerToken func(r *http.Request) (oauth2.
 
 			c.Set(oauth.SessionAuthorizedAccount, user.Account)
 		}
-
-		// check for application token
-		if clientID := ti.GetClientID(); clientID != "" {
-			log.Tracef(ctx, "authenticated client %s with bearer token, scope is %s", clientID, ti.GetScope())
-
-			// fetch app for this token
-			app, err := dbConn.GetApplicationByClientID(ctx, clientID)
-			if err != nil {
-				if err != db.ErrNoEntries {
-					log.Errorf(ctx, "database error looking for application with clientID %s: %s", clientID, err)
-					return
-				}
-				log.Warnf(ctx, "no app found for client %s", clientID)
-				return
-			}
-
-			c.Set(oauth.SessionAuthorizedApplication, app)
-		}
 	}
 }

internal/oauth/util.go

@@ -79,7 +79,7 @@ func Authed(c *gin.Context, requireToken bool, requireApp bool, requireUser bool
 	}
 
 	if requireUser && a.User == nil {
-		return nil, errors.New("user not supplied or not authorized")
+		return nil, errors.New("user not supplied, not authorized, not confirmed, or email address unconfirmed")
 	}
 
 	if requireAccount && a.Account == nil {

internal/processing/account/create.go

@@ -68,14 +68,15 @@ func (p *Processor) Create(
 	}
 
 	user, err := p.state.DB.NewSignup(ctx, gtsmodel.NewSignup{
-		Username:    form.Username,
-		Email:       form.Email,
-		Password:    form.Password,
-		Reason:      text.SanitizeToPlaintext(reason),
-		PreApproved: !config.GetAccountsApprovalRequired(), // Mark as approved if no approval required.
-		SignUpIP:    form.IP,
-		Locale:      form.Locale,
-		AppID:       app.ID,
+		Username:      form.Username,
+		Email:         form.Email,
+		EmailVerified: true,
+		Password:      form.Password,
+		Reason:        text.SanitizeToPlaintext(reason),
+		PreApproved:   !config.GetAccountsApprovalRequired(), // Mark as approved if no approval required.
+		SignUpIP:      form.IP,
+		Locale:        form.Locale,
+		AppID:         app.ID,
 	})
 	if err != nil {
 		err := fmt.Errorf("db error creating new signup: %w", err)

testrig/config.go

@@ -70,7 +70,7 @@ var testDefaults = config.Configuration{
 	InstanceDeliverToSharedInboxes: true,
 
 	AccountsRegistrationOpen: true,
-	AccountsApprovalRequired: true,
+	AccountsApprovalRequired: false,
 	AccountsReasonRequired:   true,
 	AccountsAllowCustomCSS:   true,
 	AccountsCustomCSSLength:  10000,