
fix(oauth-provider): accept query-only granular scopes#175

Merged: ascorbic merged 1 commit into main from fix-oauth-scope-query-form on May 24, 2026


@ascorbic
Owner

Summary

  • parseScope rejected canonical granular scopes that use the query-only form (prefix?query), e.g. repo?collection=a&collection=b, with Unknown scope resource. It only looked for : to find the resource prefix.
  • Fix: use the earlier of : and ? as the prefix delimiter, matching @atproto/oauth-scopes syntax. Now repo?collection=…&collection=… is recognised as a repo permission.
  • Real-world hit: expanding include:site.standard.authFull (a permission set with multiple collections in one repo permission) serialises to a single query-form token, which then failed to parse.

Test plan

  • New regression tests in packages/oauth-provider/test/scopes.test.ts covering the bare repo?collection=… form and the multi-collection case from the standard.site failure.
  • pnpm vitest run test/scopes.test.ts — 28 passing.

`parseScope` only looked for `:` to find the resource prefix, so valid
canonical scopes using the `prefix?query` form (e.g. a multi-collection
`repo?collection=a&collection=b` produced by expanding a permission set)
were rejected as `Unknown scope resource`. Use the earlier of `:` and
`?` as the delimiter, matching `@atproto/oauth-scopes` syntax.
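
The delimiter change described in this PR, as an added sketch that is not the @getcirrus/oauth-provider code: `prefixColonOnly` mirrors the old behaviour and `prefixEnd` the fix, and the third sample shows why the earlier delimiter matters when a query value itself contains `:`. The function names, the resource list and the sample tokens are assumptions made for illustration.

```typescript
// Added illustration, not the @getcirrus/oauth-provider source.
// Assumed resource list for this sketch; the PR itself only shows "repo" and "include".
const KNOWN_RESOURCES: string[] = ["repo", "rpc", "blob", "include"];

interface ParsedScope {
  resource: string;
  positional: string | null;        // text between ":" and "?", if any
  params: Record<string, string[]>; // repeated keys keep every value
}

// Pre-fix behaviour as the PR describes it: only ":" ends the prefix.
function prefixColonOnly(token: string): string {
  const colon = token.indexOf(":");
  return colon === -1 ? token : token.slice(0, colon);
}

// Post-fix behaviour: the earlier of ":" and "?" ends the prefix.
function prefixEnd(token: string): number {
  const colon = token.indexOf(":");
  const query = token.indexOf("?");
  if (colon === -1) return query === -1 ? token.length : query;
  return query === -1 ? colon : Math.min(colon, query);
}

function parseScopeToken(token: string): ParsedScope {
  const end = prefixEnd(token);
  const resource = token.slice(0, end);
  if (KNOWN_RESOURCES.indexOf(resource) === -1) throw new Error("Unknown scope resource: " + resource);
  const q = token.indexOf("?", end);
  const positional = token.charAt(end) === ":" ? token.slice(end + 1, q === -1 ? token.length : q) : null;
  // Null-prototype map so a key such as "__proto__" is stored as plain data.
  const params: Record<string, string[]> = Object.create(null);
  if (q !== -1) {
    for (const pair of token.slice(q + 1).split("&")) {
      if (pair === "") continue;
      const eq = pair.indexOf("=");
      const key = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
      const value = decodeURIComponent(eq === -1 ? "" : pair.slice(eq + 1));
      (params[key] = params[key] || []).push(value);
    }
  }
  return { resource, positional, params };
}

// Constructed sample tokens (collection names and the DID are made up).
const SAMPLES: string[] = [
  "repo:com.example.post",
  "repo?collection=com.example.a&collection=com.example.b",
  "rpc?lxm=com.example.getThing&aud=did:web:api.example.com",
];
```

With the colon-only rule, the second sample yields the whole token as its prefix and the third yields everything up to the `:` inside the DID, so neither matches a known resource.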
@cloudflare-workers-and-pages

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status: ✅ Deployment successful!
Name: atproto-pds
Latest Commit: e5d3468
Updated (UTC): May 24 2026, 03:23 PM

@pkg-pr-new

pkg-pr-new Bot commented May 24, 2026


npm i https://pkg.pr.new/create-pds@175
npm i https://pkg.pr.new/@getcirrus/oauth-provider@175
npm i https://pkg.pr.new/@getcirrus/pds@175

commit: e5d3468

@ascorbic ascorbic merged commit 54ab459 into main May 24, 2026
5 checks passed
@ascorbic ascorbic deleted the fix-oauth-scope-query-form branch May 24, 2026 15:25
@mixie-bot mixie-bot Bot mentioned this pull request May 24, 2026