Support unscoped sessions

oxidecomputer · Feb 21, 2024 · db74d3f · db74d3f
1 parent d691cdb
commit db74d3f
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 23 deletions.
diff --git a/v-api/src/authn/jwt.rs b/v-api/src/authn/jwt.rs
@@ -53,7 +53,7 @@ pub struct Claims {
     pub aud: String,
     pub sub: Uuid,
     pub prv: Uuid,
-    pub scp: Vec<String>,
+    pub scp: Option<Vec<String>>,
     pub exp: i64,
     pub nbf: i64,
     pub jti: Uuid,
@@ -64,7 +64,7 @@ impl Claims {
         ctx: &VContext<T>,
         user: &User,
         provider: &ApiUserProvider,
-        scope: Vec<String>,
+        scope: Option<Vec<String>>,
         expires_at: DateTime<Utc>,
     ) -> Self
     where

diff --git a/v-api/src/context.rs b/v-api/src/context.rs
@@ -467,8 +467,13 @@ where
             }
             AuthToken::Jwt(jwt) => {
                 // AuthnToken::Jwt can only be generated from a verified JWT
-                let permissions = ApiPermission::from_scope(jwt.claims.scp.iter())?;
-                Ok((jwt.claims.sub, BasePermissions::Restricted(permissions)))
+                let permissions = match &jwt.claims.scp {
+                    Some(scp) => {
+                        BasePermissions::Restricted(ApiPermission::from_scope(scp.iter())?)
+                    }
+                    None => BasePermissions::Full,
+                };
+                Ok((jwt.claims.sub, permissions))
             }
         }?)
     }
@@ -747,7 +752,7 @@ where
         caller: &Caller<T>,
         api_user: &ApiUser<ApiPermission>,
         api_user_provider: &ApiUserProvider,
-        scope: Vec<String>,
+        scope: Option<Vec<String>>,
     ) -> Result<RegisteredAccessToken, ApiError> {
         let expires_at = Utc::now() + Duration::seconds(self.default_jwt_expiration());
 
@@ -1589,7 +1594,7 @@ mod tests {
                 ctx,
                 &user,
                 &provider,
-                scope,
+                Some(scope),
                 Utc::now().add(Duration::seconds(300)),
             ))
             .await

diff --git a/v-api/src/endpoints/login/oauth/code.rs b/v-api/src/endpoints/login/oauth/code.rs
@@ -510,7 +510,7 @@ pub async fn authz_code_exchange_op(
             &ctx.builtin_registration_user(),
             &api_user,
             &api_user_provider,
-            scope,
+            Some(scope),
         )
         .await?;
 

diff --git a/v-api/src/endpoints/login/oauth/device_token.rs b/v-api/src/endpoints/login/oauth/device_token.rs
@@ -197,22 +197,7 @@ pub async fn exchange_device_token_op(
                             &ctx.builtin_registration_user(),
                             &api_user,
                             &api_user_provider,
-                            vec![
-                                "user:info:r".to_string(),
-                                "user:info:w".to_string(),
-                                "user:provider:w".to_string(),
-                                "user:token:r".to_string(),
-                                "user:token:w".to_string(),
-                                "group:r".to_string(),
-                                "group:w".to_string(),
-                                "mapper:r".to_string(),
-                                "mapper:w".to_string(),
-                                "rfd:content:r".to_string(),
-                                "rfd:discussion:r".to_string(),
-                                "search".to_string(),
-                                "oauth:client:r".to_string(),
-                                "oauth:client:w".to_string(),
-                            ],
+                            None,
                         )
                         .await?;