From 1b37944f8b8eccc2afcfb0f603786209a3b7402d Mon Sep 17 00:00:00 2001
From: tobi <31960611+tsmethurst@users.noreply.github.com>
Date: Mon, 3 Mar 2025 16:03:36 +0100
Subject: [feature] Refactor tokens, allow multiple app redirect_uris (#3849)

* [feature] Refactor tokens, allow multiple app redirect_uris
* move + tweak handlers a bit
* return error for unset oauth2.ClientStore funcs
* wrap UpdateToken with cache
* panic handling
* cheeky little time optimization
* unlock on error
---
 internal/api/util/scopes.go | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)
(limited to 'internal/api/util/scopes.go')
diff --git a/internal/api/util/scopes.go b/internal/api/util/scopes.go
index d02d3cc0d..8161de500 100644
--- a/internal/api/util/scopes.go
+++ b/internal/api/util/scopes.go
@@ -93,11 +93,29 @@ const (
 // scope permits the wanted scope.
 func (has Scope) Permits(wanted Scope) bool {
 if has == wanted {
- // Exact match.
+ // Exact match on either a
+ // top-level or granular scope.
 return true
 }
- // Check if we have a parent scope of what's wanted,
- // eg., we have scope "admin", we want "admin:read".
- return strings.HasPrefix(string(wanted), string(has))
+ // Ensure we have a
+ // known top-level scope.
+ switch has {
+
+ case ScopeProfile,
+ ScopePush,
+ ScopeRead,
+ ScopeWrite,
+ ScopeAdmin,
+ ScopeAdminRead,
+ ScopeAdminWrite:
+ // Check if top-level includes wanted,
+ // eg., have "admin", want "admin:read".
+ return strings.HasPrefix(string(wanted), string(has)+":")
+
+ default:
+ // Unknown top-level scope,
+ // can't permit anything.
+ return false
+ }
 }
-- cgit v1.2.3
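Review bot: The exact-match branch at the top of Permits still runs before the new known-scope switch, so a `has` value that is not one of the listed constants — including the empty string — permits an identical `wanted`: `has == ""` with `wanted == ""` returns true even though the `default` case would otherwise fail closed. Whether an empty or unrecognised scope can reach this function depends on how token scopes are validated at issuance and how callers build `wanted`, which is outside this hunk; if that is not guaranteed, the switch should come first and the case branch return `wanted == has || strings.HasPrefix(string(wanted), string(has)+":")`, leaving `default: return false` as the only path for unknown values. The case list also duplicates the top-level `Scope*` constants declared in the const block above, so a newly added top-level scope will silently never delegate to its granular sub-scopes; a comment such as `// NOTE: keep in sync with the top-level Scope constants above` plus a test asserting each top-level constant appears here would catch that. The doc comment on Permits begins before the hunk, and it would be worth stating the rule there: a top-level scope permits itself and any `<scope>:` -prefixed granular scope, while granular and unknown scopes permit only themselves.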