
OAuth2 Scopes with user control #29

Merged 13 commits on May 9, 2021

Conversation

wmurphyrd
Member

Adds ability to limit the level of access you grant when visiting foreign immers

  • Define individual scopes and roles (bundles of scopes)
  • Update OAuth confirm dialog to take a requested role as input, allow user to change role before granting, and describe the permissions associated with the role
  • Enforce scope restrictions on API endpoints
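
As an added example that is not code from the immers project or from this PR: the role/scope model the description lists (scopes as individual capabilities, roles as bundles of scopes), a subset-only role change for the consent dialog, and an express-style scope guard that records an authorized flag for a downstream handler to enforce. Every identifier here (SCOPES, ROLES, scopesForRole, narrowRole, overlaps, requireScope, enforce, runChain), the specific scope names, and the any-of matching semantics of overlaps are assumptions made for illustration.

```javascript
// Added example, not the immers project's code. Names and scope values are
// constructed for illustration; the project's own identifiers may differ.

// Individual scopes: each names one capability a token may exercise (constructed).
const SCOPES = Object.freeze(['viewProfile', 'viewFriends', 'addFriends', 'postActivity'])

// Roles: named bundles of scopes the user can pick before granting access (constructed).
const ROLES = Object.freeze({
  public: ['viewProfile'],
  friend: ['viewProfile', 'viewFriends', 'addFriends'],
  full: [...SCOPES]
})

// Expand a role name to its scope list. An unknown role grants nothing, so a
// client that requests a role the server does not define fails closed.
function scopesForRole (role) {
  return ROLES[role] ? [...ROLES[role]] : []
}

// The consent dialog lets the user swap the requested role for another one.
// Assumed policy: the chosen role is honoured only if its scopes are a subset of
// the requested role's scopes, so the dialog can narrow but never escalate.
function narrowRole (requestedRole, chosenRole) {
  const requested = scopesForRole(requestedRole)
  const chosen = scopesForRole(chosenRole)
  const isSubset = chosen.every(s => requested.includes(s))
  return isSubset ? chosen : requested
}

// Assumed any-of semantics: true when at least one required scope is present in
// the authorized set. The wildcard '*' (what a trusted home client receives)
// covers every required scope.
function overlaps (requiredScope, authorizedScope) {
  if (authorizedScope.includes('*')) return true
  return requiredScope.some(s => authorizedScope.includes(s))
}

// Express-style middleware factory: records the verdict in res.locals so that a
// downstream handler (activitypub-express in the project; a stub below) rejects.
function requireScope (requiredScope) {
  return function (req, res, next) {
    const authorizedScope = (req.authInfo && req.authInfo.scope) || []
    res.locals.apex = res.locals.apex || {}
    res.locals.apex.authorized = overlaps(requiredScope, authorizedScope)
    next()
  }
}

// Stand-in for the downstream enforcement handler: false means 403, else 200.
function enforce (req, res, next) {
  if (res.locals.apex && res.locals.apex.authorized === false) {
    res.status(403).end()
    return
  }
  res.status(200).end()
}

// Run the two-step chain with constructed req/res objects (no express needed)
// and return the resulting HTTP status code.
function runChain (requiredScope, tokenScope) {
  const req = { authInfo: { scope: tokenScope } }
  const res = {
    locals: {},
    statusCode: null,
    status (code) { this.statusCode = code; return this },
    end () { return this }
  }
  const chain = [requireScope(requiredScope), enforce]
  let i = 0
  const next = () => { const fn = chain[i++]; if (fn) fn(req, res, next) }
  next()
  return res.statusCode
}

// Usage: a token issued for the 'public' role cannot post activities, while the
// wildcard token a trusted home client receives can.
console.log(runChain(['postActivity'], scopesForRole('public'))) // 403
console.log(runChain(['postActivity'], ['*']))                   // 200
```

The guard deliberately does not send the 403 itself; it only sets the flag, mirroring the PR's approach of letting activitypub-express act on res.locals.apex.authorized. Keeping the decision (overlaps) separate from the transport (requireScope) is what makes the scope logic unit-testable without a running server.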

Comment on lines +338 to 347
// Auto-approve for home immer
if (client.isTrusted) {
const params = {}
const origin = new URL(req.redirectURI)
params.origin = `${origin.protocol}//${origin.host}`
// express protocol does not include colon
params.issuer = `https://${domain}`
params.scope = ['*']
return done(null, true, params)
}
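Review bot: the trusted-client path grants params.scope = ['*'] and skips the consent dialog entirely, so the whole scoping model rests on how client.isTrusted is set; a comment next to the if naming where that flag comes from (the home immer only, per the comment above) and stating that '*' is the wildcard the scope check must recognise would make the intent auditable. Also, new URL(req.redirectURI) throws on a malformed redirect URI, so either that value is validated before this point or the throw should be caught and passed to done(err) rather than escaping the strategy callback.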
Member Author

When logging into your home immer, scope authorization is skipped and all scopes are granted. The easiest way to test this locally is to comment out this entire isTrusted block, and then you'll get the scoping dialog when logging in (clear your hub's localStorage to trigger re-authorization if you've already got a valid token).

break
}
if (!overlaps(requiredScope, authorizedScope)) {
res.locals.apex.authorized = false
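Review bot: res.locals.apex.authorized = false only denies the request because activitypub-express reads that flag downstream; a one-line comment naming that dependency beside the assignment would keep a later refactor from silently dropping enforcement. It would also be worth a test that overlaps() treats the '*' wildcard issued to trusted clients as matching any requiredScope, so the home-immer path cannot be denied by accident.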
Member Author

All we have to do to block access on a specific request is set this flag, and activitypub-express handles the rest.

@quinn-madson quinn-madson merged commit c291ae2 into master May 9, 2021
@quinn-madson quinn-madson deleted the roles branch May 9, 2021 21:41