updates to auth scope syntax validation

+51 -26
+31 -13
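--- a/atproto/auth/permission.go
+++ b/atproto/auth/permission.go
@@ -65,9 +65,6 @@
 if p.Attribute != "" {
 positional = p.Attribute
 }
-if len(p.Action) != 0 {
-params["action"] = p.Action
-}
 case "include":
 if p.NSID != "" {
 positional = p.NSID
@@ -175,6 +172,11 @@
 
 switch g.Resource {
 case "account":
+for k, _ := range g.Params {
+if !(k == "attr" || k == "action") {
+return nil, fmt.Errorf("%w: unexpected param: %s", ErrInvalidPermissionSyntax, k)
+}
+}
 if g.Params.Has("attr") {
 if g.Positional != "" || len(g.Params["attr"]) != 1 {
 return nil, ErrInvalidPermissionSyntax
@@ -187,7 +189,7 @@
 if p.Attribute == "" {
 return nil, ErrInvalidPermissionSyntax
 }
-if p.Attribute != "" && p.Attribute != "email" && p.Attribute != "repo" && p.Attribute != "status" {
+if p.Attribute != "" && p.Attribute != "email" && p.Attribute != "repo" {
 return nil, ErrInvalidPermissionSyntax
 }
 if len(g.Params["action"]) > 1 {
@@ -200,6 +202,11 @@
 }
 }
 case "blob":
+for k, _ := range g.Params {
+if !(k == "accept") {
+return nil, fmt.Errorf("%w: unexpected param: %s", ErrInvalidPermissionSyntax, k)
+}
+}
 if g.Params.Has("accept") {
 if g.Positional != "" {
 return nil, ErrInvalidPermissionSyntax
@@ -218,6 +225,11 @@
 }
 }
 case "identity":
+for k, _ := range g.Params {
+if !(k == "attr") {
+return nil, fmt.Errorf("%w: unexpected param: %s", ErrInvalidPermissionSyntax, k)
+}
+}
 if g.Params.Has("attr") {
 if g.Positional != "" || len(g.Params["attr"]) != 1 {
 return nil, ErrInvalidPermissionSyntax
@@ -230,16 +242,12 @@
 if p.Attribute != "*" && p.Attribute != "handle" {
 return nil, ErrInvalidPermissionSyntax
 }
-if len(g.Params["action"]) > 1 {
-return nil, ErrInvalidPermissionSyntax
-}
-p.Action = g.Params["action"]
-for _, act := range p.Action {
-if act != "manage" && act != "submit" {
-return nil, ErrInvalidPermissionSyntax
+case "include":
+for k, _ := range g.Params {
+if !(k == "nsid" || k == "aud") {
+return nil, fmt.Errorf("%w: unexpected param: %s", ErrInvalidPermissionSyntax, k)
 }
 }
-case "include":
 if g.Params.Has("nsid") {
 if g.Positional != "" || len(g.Params["nsid"]) != 1 {
 return nil, ErrInvalidPermissionSyntax
@@ -260,8 +268,13 @@
 if p.Audience != "" && p.Audience != "*" && !validServiceRef(p.Audience) {
 return nil, ErrInvalidPermissionSyntax
 }
-// TODO: also parse most other params...
+// TODO: possibly other params in the future...
 case "repo":
+for k, _ := range g.Params {
+if !(k == "collection" || k == "action") {
+return nil, fmt.Errorf("%w: unexpected param: %s", ErrInvalidPermissionSyntax, k)
+}
+}
 if g.Params.Has("collection") {
 if g.Positional != "" {
 return nil, ErrInvalidPermissionSyntax
@@ -290,6 +303,11 @@
 }
 }
 case "rpc":
+for k, _ := range g.Params {
+if !(k == "lxm" || k == "aud") {
+return nil, fmt.Errorf("%w: unexpected param: %s", ErrInvalidPermissionSyntax, k)
+}
+}
 if g.Params.Has("lxm") {
 if g.Positional != "" {
 return nil, ErrInvalidPermissionSyntax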
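Review bot: The new unexpected-param error in the `account` case, and the matching loops under `blob`, `identity`, `include`, `repo` and `rpc`, formats the parameter key with `%s`. That key appears to come straight from the parsed scope string, so it is presumably client-supplied text that can reach logs or error responses unescaped. Quoting it keeps control characters and empty keys visible and inert: `return nil, fmt.Errorf("%w: unexpected param: %q", ErrInvalidPermissionSyntax, k)`. The loop header can also drop the blank identifier, `for k := range g.Params {`, which is the form `gofmt -s` produces. Because the same allowlist loop is now repeated six times, a small helper taking the allowed keys would keep the per-resource lists from drifting apart; the enclosing switch starts and ends outside the visible hunks.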
+1 -1
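--- a/atproto/auth/permission_test.go
+++ b/atproto/auth/permission_test.go
@@ -22,7 +22,7 @@
 "blob:image/*",
 "blob?accept=image%2Fpng&accept=image%2Fjpeg",
 "account:email?action=manage",
-"identity:handle?action=submit",
+"identity:handle",
 "include:app.example.authBasics",
 }
 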
+17 -7
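--- a/atproto/auth/testdata/permission_scopes_invalid.txt
+++ b/atproto/auth/testdata/permission_scopes_invalid.txt
@@ -7,6 +7,10 @@
 account:email?action=invalid
 account
 account:
+account:status?action=manage
+account:status
+Account:email
+account:Email
 
 blob
 blob:invalid
@@ -14,6 +18,8 @@
 blob?accept=invalid
 blob:*/**
 blob:*/png
+blob?Accept=image/png
+Blob?accept=image/png
 
 identity:invalid
 identity:*?attr=*
@@ -21,13 +27,14 @@
 identity:invalid
 identity:handle?action=invalid
 identity?attribute=invalid&action=invalid
-
-# TODO: will be supported?
-#identity:*?action=manage
-#identity:*?action=submit
+Identity:handle
+identity:Handle
+identity:*?action=manage
+identity:*?action=submit
 
 include
 include#
+Include:app.example.authBasics
 
 # invalid NSID
 include:
@@ -58,6 +65,9 @@
 repo:invalid
 repo:com.example.foo?action=invalid
 repo?collection=invalid&action=invalid
+Repo:com.example.foo
+repo:*?Action=create
+repo:*?action=Create
 
 rpc
 rpc:123
@@ -81,13 +91,13 @@
 rpc:com.example.service?aud=invalid
 notrpc:com.example.service?aud=did:web:example.com%23service_id
 rpc?lxm=invalid&aud=invalid
+rpc?Lxm=com.example.method1&aud=*
+Rpc?lxm=com.example.method1&aud=*
+rpc:com.example.service?aud=did:web:example.com%23service_id&invalid=param
 
 # TODO: DID-level parsing
 #rpc:foo.bar.baz?aud=did:plc:111%23service_id
 #rpc:foo.bar.baz?aud=did:foo:bar%23service_id
-
-# TODO: unknown param validation
-#rpc:com.example.service?aud=did:web:example.com%23service_id&invalid=param
 
 # missing LXM
 rpc?aud=did:web:example.com%23service_id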
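Review bot: The added negative cases leave the new unknown-parameter allowlists for `account` and `include` without a line that only those checks can reject, as far as these hunks show. The `account` additions test the removed `status` attribute and letter case, and the single `include` addition tests only the capitalised resource name. A line in each group with an otherwise valid scope plus an extra key would pin the behaviour, for example `account:email?invalid=param` and `include:app.example.authBasics?invalid=param` (constructed here from patterns already in this file). Without them, a later edit that widens either allowlist would not fail this fixture.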
+2 -5
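--- a/atproto/auth/testdata/permission_scopes_valid.txt
+++ b/atproto/auth/testdata/permission_scopes_valid.txt
@@ -2,21 +2,18 @@
 account:email?action=read
 account:email?action=manage
 account:repo?action=manage
-account:status?action=manage
-account:status
 account:email
 account:repo
+account?attr=email
 
 blob:image/png
 blob:*/*
 blob:image/*
+blob?accept=image/png
 
 identity:handle
 identity:*
 identity?attr=handle
-identity?attr=handle&action=manage
-identity:*?action=manage
-identity:*?action=submit
 
 include:app.example.authBasics
 include:com.example.bar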