You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
## Changes
- Adds the following high level access scopes, each with `read` and
`write` levels:
- `activitypub`
- `admin` (hidden if user is not a site admin)
- `misc`
- `notification`
- `organization`
- `package`
- `issue`
- `repository`
- `user`
- Adds new middleware function `tokenRequiresScopes()` in addition to
`reqToken()`
- `tokenRequiresScopes()` is used for each high-level api section
- _if_ a scoped token is present, checks that the required scope is
included based on the section and HTTP method
- `reqToken()` is used for individual routes
- checks that required authentication is present (but does not check
scope levels as this will already have been handled by
`tokenRequiresScopes()`
- Adds migration to convert old scoped access tokens to the new set of
scopes
- Updates the user interface for scope selection
### User interface example
<img width="903" alt="Screen Shot 2023-05-31 at 1 56 55 PM"
src="https://github.com/go-gitea/gitea/assets/23248839/654766ec-2143-4f59-9037-3b51600e32f3">
<img width="917" alt="Screen Shot 2023-05-31 at 1 56 43 PM"
src="https://github.com/go-gitea/gitea/assets/23248839/1ad64081-012c-4a73-b393-66b30352654c">
## tokenRequiresScopes Design Decision
- `tokenRequiresScopes()` was added to more reliably cover api routes.
For an incoming request, this function uses the given scope category
(say `AccessTokenScopeCategoryOrganization`) and the HTTP method (say
`DELETE`) and verifies that any scoped tokens in use include
`delete:organization`.
- `reqToken()` is used to enforce auth for individual routes that
require it. If a scoped token is not present for a request,
`tokenRequiresScopes()` will not return an error
## TODO
- [x] Alphabetize scope categories
- [x] Change 'public repos only' to a radio button (private vs public).
Also expand this to organizations
- [X] Disable token creation if no scopes selected. Alternatively, show
warning
- [x] `reqToken()` is missing from many `POST/DELETE` routes in the api.
`tokenRequiresScopes()` only checks that a given token has the correct
scope, `reqToken()` must be used to check that a token (or some other
auth) is present.
- _This should be addressed in this PR_
- [x] The migration should be reviewed very carefully in order to
minimize access changes to existing user tokens.
- _This should be addressed in this PR_
- [x] Link to api to swagger documentation, clarify what
read/write/delete levels correspond to
- [x] Review cases where more than one scope is needed as this directly
deviates from the api definition.
- _This should be addressed in this PR_
- For example:
```go
m.Group("/users/{username}/orgs", func() {
m.Get("", reqToken(), org.ListUserOrgs)
m.Get("/{org}/permissions", reqToken(), org.GetUserOrgsPermissions)
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser,
auth_model.AccessTokenScopeCategoryOrganization),
context_service.UserAssignmentAPI())
```
## Future improvements
- [ ] Add required scopes to swagger documentation
- [ ] Redesign `reqToken()` to be opt-out rather than opt-in
- [ ] Subdivide scopes like `repository`
- [ ] Once a token is created, if it has no scopes, we should display
text instead of an empty bullet point
- [ ] If the 'public repos only' option is selected, should read
categories be selected by default
Closes#24501Closes#24799
Co-authored-by: Jonathan Tran <jon@allspice.io>
Co-authored-by: Kyle D <kdumontnu@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
Copy file name to clipboardexpand all lines: docs/content/doc/development/oauth2-provider.en-us.md
+37-36
Original file line number
Diff line number
Diff line change
@@ -44,42 +44,43 @@ To use the Authorization Code Grant as a third party application it is required
44
44
45
45
## Scopes
46
46
47
-
Gitea supports the following scopes for tokens:
48
-
49
-
| Name | Description |
50
-
| ---- | ----------- |
51
-
|**(no scope)**| Grants read-only access to public user profile and public repositories. |
52
-
|**repo**| Full control over all repositories. |
53
-
| **repo:status**| Grants read/write access to commit status in all repositories. |
54
-
| **public_repo**| Grants read/write access to public repositories only. |
55
-
|**admin:repo_hook**| Grants access to repository hooks of all repositories. This is included in the `repo` scope. |
56
-
| **write:repo_hook**| Grants read/write access to repository hooks |
57
-
| **read:repo_hook**| Grants read-only access to repository hooks |
58
-
|**admin:org**| Grants full access to organization settings |
59
-
| **write:org**| Grants read/write access to organization settings |
60
-
| **read:org**| Grants read-only access to organization settings |
61
-
|**admin:public_key**| Grants full access for managing public keys |
62
-
| **write:public_key**| Grant read/write access to public keys |
63
-
| **read:public_key**| Grant read-only access to public keys |
64
-
|**admin:org_hook**| Grants full access to organizational-level hooks |
65
-
|**admin:user_hook**| Grants full access to user-level hooks |
66
-
|**notification**| Grants full access to notifications |
67
-
|**user**| Grants full access to user profile info |
68
-
| **read:user**| Grants read access to user's profile |
69
-
| **user:email**| Grants read access to user's email addresses |
70
-
| **user:follow**| Grants access to follow/un-follow a user |
71
-
|**delete_repo**| Grants access to delete repositories as an admin |
72
-
|**package**| Grants full access to hosted packages |
73
-
| **write:package**| Grants read/write access to packages |
74
-
| **read:package**| Grants read access to packages |
75
-
| **delete:package**| Grants delete access to packages |
76
-
|**admin:gpg_key**| Grants full access for managing GPG keys |
77
-
| **write:gpg_key**| Grants read/write access to GPG keys |
78
-
| **read:gpg_key**| Grants read-only access to GPG keys |
79
-
|**admin:application**| Grants full access to manage applications |
80
-
| **write:application**| Grants read/write access for managing applications |
81
-
| **read:application**| Grants read access for managing applications |
82
-
|**sudo**| Allows to perform actions as the site admin. |
47
+
Gitea supports scoped access tokens, which allow users the ability to restrict tokens to operate only on selected url routes. Scopes are grouped by high-level API routes, and further refined to the following:
48
+
49
+
-`read`: `GET` routes
50
+
-`write`: `POST`, `PUT`, `PATCH`, and `DELETE` routes (in addition to `GET`)
|**(no scope)**| Not supported. A scope is required even for public repositories. |
57
+
|**activitypub**|`activitypub` API routes: ActivityPub related operations. |
58
+
| **read:activitypub**| Grants read access for ActivityPub operations. |
59
+
| **write:activitypub**| Grants read/write/delete access for ActivityPub operations. |
60
+
|**admin**|`/admin/*` API routes: Site-wide administrative operations (hidden for non-admin accounts). |
61
+
| **read:admin**| Grants read access for admin operations, such as getting cron jobs or registered user emails. |
62
+
| **write:admin**| Grants read/write/delete access for admin operations, such as running cron jobs or updating user accounts. ||
63
+
|**issue**|`issues/*`, `labels/*`, `milestones/*` API routes: Issue-related operations. |
64
+
| **read:issue**| Grants read access for issues operations, such as getting issue comments, issue attachments, and milestones. |
65
+
| **write:issue**| Grants read/write/delete access for issues operations, such as posting or editing an issue comment or attachment, and updating milestones. |
66
+
|**misc**| miscellaneous and settings top-level API routes. |
67
+
| **read:misc**| Grants read access to miscellaneous operations, such as getting label and gitignore templates. |
68
+
| **write:misc**| Grants read/write/delete access to miscellaneous operations, such as markup utility operations. |
69
+
|**notification**|`notification/*` API routes: user notification operations. |
70
+
| **read:notification**| Grants read access to user notifications, such as which notifications users are subscribed to and read new notifications. |
71
+
| **write:notification**| Grants read/write/delete access to user notifications, such as marking notifications as read. |
72
+
|**organization**|`orgs/*` and `teams/*` API routes: Organization and team management operations. |
73
+
| **read:organization**| Grants read access to org and team status, such as listing all orgs a user has visibility to, teams, and team members. |
74
+
| **write:organization**| Grants read/write/delete access to org and team status, such as creating and updating teams and updating org settings. |
75
+
|**package**|`/packages/*` API routes: Packages operations |
76
+
| **read:package**| Grants read access to package operations, such as reading and downloading available packages. |
77
+
| **write:package**| Grants read/write/delete access to package operations. Currently the same as `read:package`. |
78
+
|**repository**|`/repos/*` API routes except `/repos/issues/*`: Repository file, pull-request, and release operations. |
79
+
| **read:repository**| Grants read access to repository operations, such as getting repository files, releases, collaborators. |
80
+
| **write:repository**| Grants read/write/delete access to repository operations, such as getting updating repository files, creating pull requests, updating collaborators. |
81
+
|**user**|`/user/*` and `/users/*` API routes: User-related operations. |
82
+
| **read:user**| Grants read access to user operations, such as getting user repo subscriptions and user settings. |
83
+
| **write:user**| Grants read/write/delete access to user operations, such as updating user repo subscriptions, followed users, and user settings. |
0 commit comments