authorLibravatar tobi <31960611+tsmethurst@users.noreply.github.com>2025-03-03 16:03:36 +0100
committerLibravatar GitHub <noreply@github.com>2025-03-03 15:03:36 +0000
commit1b37944f8b8eccc2afcfb0f603786209a3b7402d (patch)
tree2bc0be27cf0405e16ac3e14efc3b6973eb096b8b /internal/api/util
parentbumps go-ffmpreg to v0.6.6 (#3866) (diff)
downloadgotosocial-1b37944f8b8eccc2afcfb0f603786209a3b7402d.tar.xz
[feature] Refactor tokens, allow multiple app redirect_uris (#3849)
* [feature] Refactor tokens, allow multiple app redirect_uris * move + tweak handlers a bit * return error for unset oauth2.ClientStore funcs * wrap UpdateToken with cache * panic handling * cheeky little time optimization * unlock on error
Diffstat (limited to 'internal/api/util')
-rw-r--r--internal/api/util/scopes.go26
-rw-r--r--internal/api/util/scopes_test.go10
2 files changed, 32 insertions, 4 deletions
diff --git a/internal/api/util/scopes.go b/internal/api/util/scopes.go
index d02d3cc0d..8161de500 100644
--- a/internal/api/util/scopes.go
+++ b/internal/api/util/scopes.go
@@ -93,11 +93,29 @@ const (
// scope permits the wanted scope.
func (has Scope) Permits(wanted Scope) bool {
if has == wanted {
- // Exact match.
+ // Exact match on either a
+ // top-level or granular scope.
return true
}
- // Check if we have a parent scope of what's wanted,
- // eg., we have scope "admin", we want "admin:read".
- return strings.HasPrefix(string(wanted), string(has))
+ // Ensure we have a
+ // known top-level scope.
+ switch has {
+
+ case ScopeProfile,
+ ScopePush,
+ ScopeRead,
+ ScopeWrite,
+ ScopeAdmin,
+ ScopeAdminRead,
+ ScopeAdminWrite:
+ // Check if top-level includes wanted,
+ // eg., have "admin", want "admin:read".
+ return strings.HasPrefix(string(wanted), string(has)+":")
+
+ default:
+ // Unknown top-level scope,
+ // can't permit anything.
+ return false
+ }
}
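Review bot: The `has == wanted` early return runs before the known-scope switch, so any two identical values are permitted, including an empty `Scope("")` or an unregistered string; only the prefix path fails closed. Whether a caller can ever pass an empty or unvalidated `wanted` is not visible in this hunk, so either guard it with `if has == wanted && has != "" {` or state the assumption in the doc comment. The switch would also benefit from a comment such as `// NOTE: a new top-level scope must be added here, otherwise it only ever matches exactly.`, because a constant added to the const block above but not to this list silently stops covering its granular children. The doc comment for Permits begins outside this hunk.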
diff --git a/internal/api/util/scopes_test.go b/internal/api/util/scopes_test.go
index bd533585b..72f6b57aa 100644
--- a/internal/api/util/scopes_test.go
+++ b/internal/api/util/scopes_test.go
@@ -89,6 +89,16 @@ func TestScopes(t *testing.T) {
WantsScope: util.ScopeWrite,
Expect: false,
},
+ {
+ HasScope: util.ScopeProfile,
+ WantsScope: util.ScopePush,
+ Expect: false,
+ },
+ {
+ HasScope: util.Scope("p"),
+ WantsScope: util.ScopePush,
+ Expect: false,
+ },
} {
res := test.HasScope.Permits(test.WantsScope)
if res != test.Expect {
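Review bot: Neither added case exercises the `+":"` separator that the Permits change introduces: `util.Scope("p")` is rejected by the default branch, and the profile/push pair appears to share no prefix at all. A known top-level scope checked against a value that continues its characters without the separator would pin that behaviour, e.g. `{HasScope: util.ScopeRead, WantsScope: util.Scope("readx"), Expect: false}` (constructed value). A granular `has` that is a string prefix of `wanted`, such as `util.Scope("read:acc")` against `util.Scope("read:accounts")`, is also worth a case. The earlier table entries and the rest of TestScopes are outside this hunk, so these may already be covered there.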