OAuth2 Scopes with user control #29
Conversation
… scope defs between front and backend
```js
// Auto-approve for home immer
if (client.isTrusted) {
  const params = {}
  const origin = new URL(req.redirectURI)
  params.origin = `${origin.protocol}//${origin.host}`
  // express protocol does not include colon
  params.issuer = `https://${domain}`
  params.scope = ['*']
  return done(null, true, params)
}
```
When logging into your home immer, scope authorization is skipped and all scopes are granted. The easiest way to test this locally is to comment out this entire isTrusted block, and then you'll get the scoping dialog when logging in (clear your Hubs localStorage to trigger re-authorization if you've already got a valid token).
```js
    break
  }
  if (!overlaps(requiredScope, authorizedScope)) {
    res.locals.apex.authorized = false
```
All we have to do to block access on a specific request is set this flag and activitypub-express handles the rest.
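The two review comments above describe the same control from both ends: a trusted home immer gets `scope: ['*']`, and every other request is checked with `overlaps(requiredScope, authorizedScope)` before `res.locals.apex.authorized` is set. The following is an added example, not code from the immers project or this PR, that shows one way those pieces fit together so the check can be run offline. Its assumptions are not from the page: `'*'` is treated as a wildcard covering every scope, the token's granted scopes are read from `req.authInfo.scope`, the scope names (`profile`, `outbox`) are invented, and `authorizationParams`, `requireScope` and `checkRequest` are hypothetical helper names.

```javascript
// Added example, not the immers project's code. Assumptions (not from the page):
// '*' grants every scope, granted scopes live on req.authInfo.scope, and the
// scope names used here are invented for illustration.

const ALL_SCOPES = '*'

// True when the token covers at least one of the scopes a route requires, or
// when it carries the wildcard that the trusted-client branch hands out.
function overlaps (requiredScope, authorizedScope) {
  const granted = new Set(authorizedScope)
  if (granted.has(ALL_SCOPES)) return true
  return requiredScope.some(scope => granted.has(scope))
}

// Mirrors the trusted-client branch reviewed above: a client flagged isTrusted
// (the user's home immer) is granted every scope; any other client only gets
// the scopes it asked for, which is what the user-facing scoping dialog decides.
function authorizationParams (client, redirectURI, domain, requestedScope) {
  const origin = new URL(redirectURI)
  return {
    origin: `${origin.protocol}//${origin.host}`,
    issuer: `https://${domain}`,
    scope: client.isTrusted ? [ALL_SCOPES] : [...requestedScope]
  }
}

// Hypothetical middleware factory: compares the route's required scopes with the
// token's granted scopes and records the verdict on res.locals.apex.authorized
// for a downstream handler to enforce. A missing scope list means nothing was
// granted, so the default is deny rather than allow.
function requireScope (requiredScope) {
  return function (req, res, next) {
    res.locals = res.locals || {}
    res.locals.apex = res.locals.apex || {}
    const authorizedScope = (req.authInfo && req.authInfo.scope) || []
    res.locals.apex.authorized = overlaps(requiredScope, authorizedScope)
    next()
  }
}

// Offline harness with constructed req/res objects so the middleware can be
// exercised without a running server.
function checkRequest (requiredScope, grantedScope) {
  const req = { authInfo: { scope: grantedScope } }
  const res = { locals: {} }
  let nextCalled = false
  requireScope(requiredScope)(req, res, () => { nextCalled = true })
  return { authorized: res.locals.apex.authorized, nextCalled }
}
```

Running `checkRequest(['outbox'], ['profile'])` leaves `authorized` false while still calling `next()`, which matches the comment that the flag alone is enough and the framework does the blocking; passing `['*']` or an omitted scope list exercises the wildcard and the deny-by-default paths respectively.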
Fix unable to post activities from profile page
Hash emails
Adds ability to limit the level of access you grant when visiting foreign immers