[feature] Refactor tokens, allow multiple app redirect_uris

2025-12-23 01:46:16 -06:00 · 2025-03-03 11:45:45 +01:00 · 2025-03-03 11:45:45 +01:00 · 3b1b842890
commit 3b1b842890
parent 67a2b3650c
77 changed files with 860 additions and 554 deletions
--- a/internal/api/util/scopes.go
+++ b/internal/api/util/scopes.go
@ -93,11 +93,29 @@ const (
 // scope permits the wanted scope.
 func (has Scope) Permits(wanted Scope) bool {
 	if has == wanted {
-		// Exact match.
+		// Exact match on either a
+		// top-level or granular scope.
 		return true
 	}

-	// Check if we have a parent scope of what's wanted,
-	// eg., we have scope "admin", we want "admin:read".
-	return strings.HasPrefix(string(wanted), string(has))
+	// Ensure we have a
+	// known top-level scope.
+	switch has {
+
+	case ScopeProfile,
+		ScopePush,
+		ScopeRead,
+		ScopeWrite,
+		ScopeAdmin,
+		ScopeAdminRead,
+		ScopeAdminWrite:
+		// Check if top-level includes wanted,
+		// eg., have "admin", want "admin:read".
+		return strings.HasPrefix(string(wanted), string(has)+":")
+
+	default:
+		// Unknown top-level scope,
+		// can't permit anything.
+		return false
+	}
 }