From 8dfb7ec90ed45d990e8811f243ecb70b3f80d96e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kristian=20St=C3=B6ckel?=
Date: Sun, 12 Apr 2026 16:18:30 +0200
Subject: [PATCH] :bug: explicitly set scopes for new mastodon instances fixes #2666
---
 app/Http/Controllers/Backend/Social/MastodonController.php | 4 ++--
 app/Http/Controllers/Frontend/Social/MastodonController.php | 4 +++-
 config/services.php | 3 ++-
 3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/app/Http/Controllers/Backend/Social/MastodonController.php b/app/Http/Controllers/Backend/Social/MastodonController.php
index 3fca5d043..024c3b3e8 100644
--- a/app/Http/Controllers/Backend/Social/MastodonController.php
+++ b/app/Http/Controllers/Backend/Social/MastodonController.php
@@ -75,9 +75,9 @@ private static function createMastodonServer(string $domain): MastodonServer
 {
 try {
 $info = Mastodon::domain($domain)->createApp(
- client_name: config('services.mastodon.client_name'), // TODO: why is client name required here?
+ client_name: config('services.mastodon.client_name'),
 redirect_uris: config('services.mastodon.redirect'),
- scopes: 'write read',
+ scopes: config('services.mastodon.scopes'),
 website: config('app.url')
 );
diff --git a/app/Http/Controllers/Frontend/Social/MastodonController.php b/app/Http/Controllers/Frontend/Social/MastodonController.php
index 0c0607378..2fc32e77f 100644
--- a/app/Http/Controllers/Frontend/Social/MastodonController.php
+++ b/app/Http/Controllers/Frontend/Social/MastodonController.php
@@ -48,7 +48,9 @@ public function redirect(Request $request): SympfonyRedirectResponse|RedirectRes
 session(['mastodon_server' => $server]);
 try {
- return Socialite::driver('mastodon')->redirect();
+ return Socialite::driver('mastodon')
+ ->setScopes(explode(' ', config('services.mastodon.scopes')))
+ ->redirect();
 } catch (Exception $exception) {
 report($exception);
diff --git a/config/services.php b/config/services.php
index d268af506..1125634ca 100644
--- a/config/services.php
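Review bot: In `createMastodonServer` (Backend/Social/MastodonController.php) the `scopes:` argument now follows `services.mastodon.scopes`, but the app is registered once per server, so servers registered earlier keep the scope set they were created with (`write read` before this commit). Mastodon rejects an authorization request that asks for a scope outside the app's registered set, so a later change of `MASTODON_SCOPES` to something not covered would presumably break login on every server already stored. Consider persisting the registered scopes next to the client credentials and re-registering when the configured set is no longer covered; whether `MastodonServer` can hold that is not visible here. The `try` block continues outside the hunk.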
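Review bot: `explode(' ', config('services.mastodon.scopes'))` in `redirect()` (Frontend/Social/MastodonController.php) yields empty-string entries when the env value contains a double space, a tab or a trailing blank, and `['']` when it is empty, so the scope list sent to the instance can differ from what the operator intended. Splitting on any whitespace and dropping empties is safer: `->setScopes(preg_split('/\s+/', trim((string) config('services.mastodon.scopes')), -1, PREG_SPLIT_NO_EMPTY))`. The backend controller passes the same config string unparsed to `createApp`, so one shared helper would keep the registered and the requested scopes identical. The `catch` block continues outside the hunk.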
+++ b/config/services.php
@@ -16,11 +16,12 @@
 'mastodon' => [
 'domain' => env('MASTODON_DOMAIN'),
- 'client_name' => env('MASTODON_APPNAME'), // TODO: check if this is a required value...? I don't think, we need this. ~@kris
+ 'client_name' => env('MASTODON_APPNAME', 'Träwelling'),
 'client_id' => env('MASTODON_ID'),
 'client_secret' => env('MASTODON_SECRET'),
 'redirect' => env('MASTODON_REDIRECT', 'http://localhost:8000/callback/mastodon'),
 'timeout' => env('MASTODON_TIMEOUT_SECONDS', 2),
+ 'scopes' => env('MASTODON_SCOPES', 'read:statuses write:statuses read:accounts'),
 ],
 'telegram' => [
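Review bot: The new `'scopes'` key in config/services.php has no comment telling operators its format or what depends on it. A line such as `// space-separated OAuth scopes, used for both app registration and the authorize request; must not be empty` above it would help, since both controllers read this one string. Tokens issued before this change were presumably granted the broader `write read` set and stay valid with it until the user re-authorizes, which is worth stating in the release notes if the narrower default is meant as a permission reduction.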