feat(scopes): add missing parts on auth server (#975)

formancehq · Dec 8, 2023 · 5bf1d06 · 5bf1d06
1 parent 007314e
commit 5bf1d06
Show file tree

Hide file tree

Showing 14 changed files with 21 additions and 797 deletions.
diff --git a/openapi.yaml b/openapi.yaml
@@ -169,197 +169,6 @@ paths:
       responses:
         204:
           description: Secret deleted
-  /clients/{clientId}/scopes/{scopeId}:
-    put:
-      summary: Add scope to client
-      tags:
-        - Auth
-        - Clients
-      operationId: addScopeToClient
-      parameters:
-        - description: Client ID
-          in: path
-          name: clientId
-          required: true
-          schema:
-            type: string
-        - description: Scope ID
-          in: path
-          name: scopeId
-          required: true
-          schema:
-            type: string
-      responses:
-        "204":
-          description: Scope added to client
-    delete:
-      summary: Delete scope from client
-      tags:
-        - Auth
-        - Clients
-      operationId: deleteScopeFromClient
-      parameters:
-        - description: Client ID
-          in: path
-          name: clientId
-          required: true
-          schema:
-            type: string
-        - description: Scope ID
-          in: path
-          name: scopeId
-          required: true
-          schema:
-            type: string
-      responses:
-        "204":
-          description: Scope deleted from client
-  /scopes:
-    get:
-      summary: List scopes
-      tags:
-        - Auth
-        - Scopes
-      description: List Scopes
-      operationId: listScopes
-      responses:
-        200:
-          description: List of scopes
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ListScopesResponse'
-    post:
-      summary: Create scope
-      tags:
-        - Auth
-        - Scopes
-      description: Create scope
-      operationId: createScope
-      requestBody:
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/CreateScopeRequest'
-      responses:
-        201:
-          description: Created scope
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/CreateScopeResponse'
-  /scopes/{scopeId}:
-    get:
-      summary: Read scope
-      tags:
-        - Auth
-        - Scopes
-      description: Read scope
-      operationId: readScope
-      parameters:
-        - description: Scope ID
-          in: path
-          name: scopeId
-          required: true
-          schema:
-            type: string
-      responses:
-        200:
-          description: Retrieved scope
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ReadScopeResponse'
-    put:
-      summary: Update scope
-      tags:
-        - Auth
-        - Scopes
-      description: Update scope
-      operationId: updateScope
-      parameters:
-        - description: Scope ID
-          in: path
-          name: scopeId
-          required: true
-          schema:
-            type: string
-      requestBody:
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/UpdateScopeRequest'
-      responses:
-        200:
-          description: Updated scope
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/UpdateScopeResponse'
-    delete:
-      summary: Delete scope
-      tags:
-        - Auth
-        - Scopes
-      description: Delete scope
-      operationId: deleteScope
-      parameters:
-        - description: Scope ID
-          in: path
-          name: scopeId
-          required: true
-          schema:
-            type: string
-      responses:
-        204:
-          description: "Scope deleted"
-  /scopes/{scopeId}/transient/{transientScopeId}:
-    put:
-      summary: Add a transient scope to a scope
-      tags:
-        - Auth
-        - Scopes
-      description: Add a transient scope to a scope
-      operationId: addTransientScope
-      parameters:
-        - description: Scope ID
-          in: path
-          name: scopeId
-          required: true
-          schema:
-            type: string
-        - description: Transient scope ID
-          in: path
-          name: transientScopeId
-          required: true
-          schema:
-            type: string
-      responses:
-        204:
-          description: "Scope added"
-    delete:
-      summary: Delete a transient scope from a scope
-      tags:
-        - Auth
-        - Scopes
-      description: Delete a transient scope from a scope
-      operationId: deleteTransientScope
-      parameters:
-        - description: Scope ID
-          in: path
-          name: scopeId
-          required: true
-          schema:
-            type: string
-        - description: Transient scope ID
-          in: path
-          name: transientScopeId
-          required: true
-          schema:
-            type: string
-      responses:
-        204:
-          description: "Transient scope deleted"
   /users:
     get:
       summary: List users
@@ -423,6 +232,10 @@ components:
             type: string
         metadata:
           $ref: '#/components/schemas/Metadata'
+        scopes:
+          type: array
+          items:
+            type: string
       required:
         - name
     ClientSecret:
@@ -447,10 +260,6 @@ components:
           properties:
             id:
               type: string
-            scopes:
-              type: array
-              items:
-                type: string
             secrets:
               type: array
               items:

diff --git a/pkg/api/authorization/accesstoken.go b/pkg/api/authorization/accesstoken.go
@@ -10,7 +10,6 @@ import (
 
 func verifyAccessToken(r *http.Request, o op.OpenIDProvider) error {
 	if !strings.HasPrefix(r.URL.String(), "/clients") &&
-		!strings.HasPrefix(r.URL.String(), "/scopes") &&
 		!strings.HasPrefix(r.URL.String(), "/users") {
 		return nil
 	}

diff --git a/pkg/api/authorization/accesstoken_test.go b/pkg/api/authorization/accesstoken_test.go
@@ -105,7 +105,7 @@ func TestVerifyAccessToken(t *testing.T) {
 	t.Run("protected routes", func(t *testing.T) {
 		t.Parallel()
 
-		protectedRoutes := []string{"/clients", "/scopes", "/users"}
+		protectedRoutes := []string{"/clients", "/users"}
 		for _, route := range protectedRoutes {
 
 			t.Run("no token", func(t *testing.T) {

diff --git a/pkg/api/clients.go b/pkg/api/clients.go
@@ -17,8 +17,6 @@ func addClientRoutes(db *gorm.DB, router *mux.Router) {
 	router.Path("/clients/{clientId}").Methods(http.MethodDelete).HandlerFunc(deleteClient(db))
 	router.Path("/clients/{clientId}/secrets").Methods(http.MethodPost).HandlerFunc(createSecret(db))
 	router.Path("/clients/{clientId}/secrets/{secretId}").Methods(http.MethodDelete).HandlerFunc(deleteSecret(db))
-	router.Path("/clients/{clientId}/scopes/{scopeId}").Methods(http.MethodPut).HandlerFunc(addScopeToClient(db))
-	router.Path("/clients/{clientId}/scopes/{scopeId}").Methods(http.MethodDelete).HandlerFunc(deleteScopeOfClient(db))
 }
 
 type clientSecretView struct {
@@ -43,14 +41,8 @@ func mapBusinessClient(c auth.Client) clientView {
 			PostLogoutRedirectUris: c.PostLogoutRedirectUris,
 			Metadata:               c.Metadata,
 		},
-		ID: c.Id,
-		Scopes: func() []string {
-			ret := make([]string, 0)
-			for _, scope := range c.Scopes {
-				ret = append(ret, scope.ID)
-			}
-			return ret
-		}(),
+		ID:     c.Id,
+		Scopes: c.Scopes,
 		Secrets: mapList(c.Secrets, func(i auth.ClientSecret) clientSecretView {
 			return clientSecretView{
 				ClientSecret: i,
@@ -118,9 +110,6 @@ func readClient(db *gorm.DB) http.HandlerFunc {
 		if client == nil {
 			return
 		}
-		if err := loadAssociation(w, r, db, client, "Scopes", &client.Scopes); err != nil {
-			return
-		}
 		writeJSONObject(w, r, mapBusinessClient(*client))
 	}
 }
@@ -144,7 +133,6 @@ func listClients(db *gorm.DB) http.HandlerFunc {
 		clients := make([]auth.Client, 0)
 		if err := db.
 			WithContext(r.Context()).
-			Preload("Scopes").
 			Find(&clients).Error; err != nil {
 			internalServerError(w, r, err)
 			return
@@ -172,10 +160,6 @@ func updateClient(db *gorm.DB) http.HandlerFunc {
 			return
 		}
 
-		if err := loadAssociation(w, r, db, c, "Scopes", &c.Scopes); err != nil {
-			return
-		}
-
 		writeJSONObject(w, r, mapBusinessClient(*c))
 	}
 }
@@ -195,49 +179,3 @@ func createClient(db *gorm.DB) http.HandlerFunc {
 		writeCreatedJSONObject(w, r, mapBusinessClient(*c), c.Id)
 	}
 }
-
-func deleteScopeOfClient(db *gorm.DB) http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		client := findById[auth.Client](w, r, db, "clientId")
-		if client == nil {
-			return
-		}
-		scope := findById[auth.Scope](w, r, db, "scopeId")
-		if scope == nil {
-			return
-		}
-		if err := loadAssociation(w, r, db, client, "Scopes", &client.Scopes); err != nil {
-			return
-		}
-		if !client.HasScope(scope.ID) {
-			return
-		}
-		if err := removeFromAssociation(w, r, db, client, "Scopes", scope); err != nil {
-			return
-		}
-		w.WriteHeader(http.StatusNoContent)
-	}
-}
-
-func addScopeToClient(db *gorm.DB) http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		client := findById[auth.Client](w, r, db, "clientId")
-		if client == nil {
-			return
-		}
-		scope := findById[auth.Scope](w, r, db, "scopeId")
-		if scope == nil {
-			return
-		}
-		if err := loadAssociation(w, r, db, client, "Scopes", &client.Scopes); err != nil {
-			return
-		}
-		if client.HasScope(scope.ID) {
-			return
-		}
-		if err := appendToAssociation(w, r, db, client, "Scopes", scope); err != nil {
-			return
-		}
-		w.WriteHeader(http.StatusNoContent)
-	}
-}