feat: add option to trun off oauth repo scope (#3)
lyang2821 authored Mar 28, 2024
1 parent 73e21e7 commit e346d45
Showing 4 changed files with 31 additions and 4 deletions.
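--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -0,0 +1,8 @@
+# Changelog
+
+## Unreleased
+
+### Features/Changes
+- Add option to turn off oauth read repo scope
+
+### Bug Fixes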
14 changes: 11 additions & 3 deletions lapdev-api/src/auth.rs
Expand Up @@ -17,6 +17,7 @@ pub struct AuthConfig {
pub auth_url: &'static str,
pub token_url: &'static str,
pub scopes: &'static [&'static str],
pub read_repo_scopes: &'static [&'static str],
}

impl AuthConfig {
Expand All @@ -25,14 +26,16 @@ impl AuthConfig {
client_secret: "github-client-secret",
auth_url: "https://github.com/login/oauth/authorize",
token_url: "https://github.com/login/oauth/access_token",
scopes: &["read:user", "user:email", "repo"],
scopes: &["read:user", "user:email"],
read_repo_scopes: &["read:user", "user:email", "repo"],
};
pub const GITLAB: Self = AuthConfig {
client_id: "gitlab-client-id",
client_secret: "gitlab-client-secret",
auth_url: "https://gitlab.com/oauth/authorize",
token_url: "https://gitlab.com/oauth/token",
scopes: &["read_user", "read_repository"],
scopes: &["read_user"],
read_repo_scopes: &["read_user", "read_repository"],
};
}

Expand Down Expand Up @@ -85,13 +88,18 @@ impl Auth {
&self,
provider: AuthProvider,
redirect_url: &str,
no_read_repo: bool,
) -> Result<(String, String)> {
let clients = self.clients.read().await;
let (client, config) = clients
.get(&provider)
.ok_or_else(|| anyhow::anyhow!("can't find provider"))?;
let mut client = client.authorize_url(oauth2::CsrfToken::new_random);
for scope in config.scopes {
for scope in if no_read_repo {
config.scopes
} else {
config.read_repo_scopes
} {
client = client.add_scope(oauth2::Scope::new(scope.to_string()));
}
let redirect_url = oauth2::RedirectUrl::new(redirect_url.to_string())?;
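Review bot: The `if no_read_repo { config.scopes } else { config.read_repo_scopes }` selection in the loop hides the fact that the wider list is the default and that, for the GITHUB constant, `read_repo_scopes` contains `repo`, which grants read and write access to private repositories rather than read-only access, so the field name understates what is requested. A negated boolean parameter is also easy to pass inverted at call sites; a `request_repo_scope: bool` (or a small enum) with the check written as `if request_repo_scope { config.read_repo_scopes } else { config.scopes }` reads in the positive. At minimum the new field in the first hunk deserves a doc comment such as `/// Scopes requested when repository access is enabled; on GitHub `repo` is read/write, not read-only.` The enclosing `authorize_url` function starts before this hunk and its body continues past it.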
6 changes: 5 additions & 1 deletion lapdev-api/src/session.rs
Expand Up @@ -53,7 +53,11 @@ pub(crate) async fn new_session(

let redirect_url =
format!("{host}/api/private/session/authorize?provider={provider}&next={next}");
let (url, csrf) = state.auth.authorize_url(provider, &redirect_url).await?;
let oauth_no_read_repo = state.db.oauth_no_read_repo().await.unwrap_or(false);
let (url, csrf) = state
.auth
.authorize_url(provider, &redirect_url, oauth_no_read_repo)
.await?;

let mut claims = Claims::new()?;
claims.add_additional(OAUTH_STATE, csrf.clone())?;
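Review bot: `state.db.oauth_no_read_repo().await.unwrap_or(false)` turns every failure of the config lookup, including a database error, into a request for the broader scope set, so the failure mode is toward more privilege and the error is discarded without a trace. Whether an unset key surfaces as `Err` here is not visible in this hunk; if it does, "not configured" and "lookup failed" are indistinguishable at this call site. At least log the error before falling back, and consider whether the fallback should be the narrower scope list given that it is only a login scope and can be widened later. The enclosing `new_session` function begins before this hunk and continues past it.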
7 changes: 7 additions & 0 deletions lapdev-db/src/api.rs
Expand Up @@ -24,6 +24,7 @@ use super::entities::workspace;

pub const LAPDEV_CLUSTER_NOT_INITIATED: &str = "lapdev-cluster-not-initiated";
const LAPDEV_API_AUTH_TOKEN_KEY: &str = "lapdev-api-auth-token-key";
const LAPDEV_OAUTH_NO_READ_REPO: &str = "lapdev-oauth-no-read-repo";

#[derive(Clone)]
pub struct DbApi {
Expand Down Expand Up @@ -97,6 +98,12 @@ impl DbApi {
self.generate_api_auth_token_key().await
}

pub async fn oauth_no_read_repo(&self) -> Result<bool> {
self.get_config(LAPDEV_OAUTH_NO_READ_REPO)
.await
.map(|v| v == "yes")
}

async fn get_api_auth_token_key(&self) -> Result<SymmetricKey<V4>> {
let key = self.get_config(LAPDEV_API_AUTH_TOKEN_KEY).await?;
let key = STANDARD.decode(key)?;
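Review bot: `oauth_no_read_repo` treats only the exact string `"yes"` as true, so an operator who stores `"true"`, `"Yes"` or `"1"` silently gets `false` and the OAuth flow keeps requesting the repository scope, which is the opposite of what they configured. Either document the contract on the method, `/// Returns true only when the config value is exactly "yes"; any other stored value keeps the repository scope enabled.`, or normalise the comparison with `.map(|v| v.trim().eq_ignore_ascii_case("yes"))` and say so in the doc comment. The `Err` case of `get_config` is propagated unchanged here, so the caller decides what a missing or unreadable key means; that is worth a sentence in the doc comment too.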
