Add read:me OAuth 2.0 scope, allowing more limited access to user data #29087
This pull request is complementary to #27142, which removed the need for scopes to verify the OAuth 2.0 application's credentials.
Codecov report: all modified and coverable lines are covered by tests.

Coverage diff (main vs. #29087):

              main     #29087   +/-
  Coverage    85.01%   85.01%   -0.01%
  Files       1059     1060     +1
  Lines       28277    28285    +8
  Branches    4538     4537     -1
  Hits        24040    24046    +6
  Misses      3074     3075     +1
  Partials    1163     1164     +1
I totally just realised I forgot to add the localisation strings for this new scope. Maybe we should have some specs that test "can I do the OAuth flow using this scope"?

Missing localization strings do not actually prevent performing the OAuth flow, so if the goal is to prevent missing translations, we want something different. Possibly integrated in
For this scope to be useful / used, we'll need to implement #24099 such that clients can discover what scopes are available to them to use (falling back to "minimal version supported scopes" if that document can't be requested) |
1007c70 to 10ee849
… CredentialAccount This allows applications to request a much more limited scope to the current user than that which `read` or `read:accounts` gives.
10ee849 to fbd73f0
Have rebased, and left two comments relating to either expanding endpoints for read:me beyond verify account credentials, and adding tests for when that scope should NOT apply.
This allows applications to request a much more limited scope of information about the current user than that which the scopes of `read` or `read:accounts` would give.

NOTE: We don't currently allow `GET /api/v1/accounts/:id` where `:id` is the current user's `id`, since this would require asserting permissions in the `AccountsController#show` method.

My thinking here is to land this in 4.3, and then in 4.4, we can make that the default OAuth 2.0 scope, so by default applications only get access to `GET /api/v1/accounts/verify_credentials` and nothing more.
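To make the least-privilege point of this scope concrete, here is an added example (not Mastodon's code, and not part of this pull request) modelling how a server can enforce a narrow scope per endpoint and how a client can pick the narrowest scope a server advertises, which is the discovery-and-fallback idea from the comment about #24099 above. The scope hierarchy (`read` implies `read:accounts`, which implies `read:me`), the endpoint table and the `authorize`/`request_scope` functions are assumptions for illustration; the only behaviour taken from the page is that `read:me` grants `GET /api/v1/accounts/verify_credentials` and not `GET /api/v1/accounts/:id`.

```ruby
# Added example: per-endpoint enforcement of a narrow OAuth 2.0 scope.
# Not Mastodon's implementation; the hierarchy and route table are assumed.
require 'set'

# Assumed scope hierarchy: a broader scope implies the narrower ones.
SCOPE_IMPLIES = {
  'read'          => %w[read:accounts read:me],
  'read:accounts' => %w[read:me],
  'read:me'       => []
}.freeze

# Assumed route table: each endpoint lists the scopes allowed to call it.
# A token holding any implied scope also qualifies (see effective_scopes).
ENDPOINT_SCOPES = [
  { method: 'GET', path: %r{\A/api/v1/accounts/verify_credentials\z}, scopes: %w[read:me] },
  { method: 'GET', path: %r{\A/api/v1/accounts/\d+\z},                scopes: %w[read:accounts] },
  { method: 'GET', path: %r{\A/api/v1/timelines/home\z},              scopes: %w[read] }
].freeze

# Expand the scopes granted to a token through the hierarchy, so that a
# `read` token is recognised as also carrying `read:accounts` and `read:me`.
def effective_scopes(granted)
  seen = Set.new
  queue = granted.dup
  until queue.empty?
    scope = queue.shift
    next unless seen.add?(scope) # skip scopes already expanded
    queue.concat(SCOPE_IMPLIES.fetch(scope, []))
  end
  seen
end

# Server side: decide whether a token may call an endpoint.
# Returns :allowed, :forbidden (token lacks a sufficient scope) or
# :not_found (no route in the table matches).
def authorize(token_scopes, method, path)
  route = ENDPOINT_SCOPES.find { |r| r[:method] == method && r[:path].match?(path) }
  return :not_found unless route

  have = effective_scopes(token_scopes)
  route[:scopes].any? { |s| have.include?(s) } ? :allowed : :forbidden
end

# Client side: given the endpoints the app needs and the scopes the server
# advertises, request the narrowest advertised scope that covers them all.
# Returns nil when no advertised scope is sufficient.
SCOPES_NARROW_TO_BROAD = %w[read:me read:accounts read].freeze

def request_scope(needed_endpoints, advertised_scopes)
  SCOPES_NARROW_TO_BROAD.find do |scope|
    advertised_scopes.include?(scope) &&
      needed_endpoints.all? { |m, p| authorize([scope], m, p) == :allowed }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts authorize(%w[read:me], 'GET', '/api/v1/accounts/verify_credentials') # allowed
  puts authorize(%w[read:me], 'GET', '/api/v1/accounts/1')                  # forbidden
  puts request_scope([%w[GET /api/v1/accounts/verify_credentials]],
                     %w[read:accounts read])                                # read:accounts
end
```

The client helper is where the fallback lives: an app that only needs `verify_credentials` asks for `read:me` when the server advertises it, and otherwise settles for `read:accounts`, which is the "minimal supported scope" behaviour the discovery comment describes. On the server side, the route table makes the NOTE explicit: a `read:me` token is refused on `GET /api/v1/accounts/:id` even when `:id` is the caller's own account, because that route is only opened to `read:accounts` and above.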