[Proposal] Redesign Scoped Personal Access Tokens (PATs) / Fine Grained Personal Access Tokens #24501
Comments
kdumontnu
added
type/proposal
|
In general, I agree that we can have an improved scoping. I implemented the token scope, so to answer a few questions:
It's a UI issue and should be fixed. On the backend, lower level scopes are actually enabled. I think the routes require some cleanup too and we should order then based on hierarchy. Currently, a few endpoints are scattered in different groups. That makes it harder to maintain. |
|
Thanks for the followup @harryzcy! I'm working with @jackHay22 on refactoring some of these items. It would be great to have your help implementing/reviewing. What do you think about refactoring the scopes to align more with the API routes? |
|
@kdumontnu Scopes that align with API routes are much easier to understand. Totally agreed. If we want to support "fine-grained" scopes, we probably should leave room for it when designing the token pattern. Matching the repo names or even the specific routes could be options. The actually implementation could be for another PR. |
This might be a bit contentious, but I think we should try to limit the impact of deprecating scoped PATs with the rewrite proposed here we're working on for v1.20: #24501 We should have a PR opened shortly to re-scope the routes.
## Changes
- Adds the following high level access scopes, each with `read` and
`write` levels:
- `activitypub`
- `admin` (hidden if user is not a site admin)
- `misc`
- `notification`
- `organization`
- `package`
- `issue`
- `repository`
- `user`
- Adds new middleware function `tokenRequiresScopes()` in addition to
`reqToken()`
- `tokenRequiresScopes()` is used for each high-level api section
- _if_ a scoped token is present, checks that the required scope is
included based on the section and HTTP method
- `reqToken()` is used for individual routes
- checks that required authentication is present (but does not check
scope levels as this will already have been handled by
`tokenRequiresScopes()`
- Adds migration to convert old scoped access tokens to the new set of
scopes
- Updates the user interface for scope selection
### User interface example
<img width="903" alt="Screen Shot 2023-05-31 at 1 56 55 PM"
src="https://github.com/go-gitea/gitea/assets/23248839/654766ec-2143-4f59-9037-3b51600e32f3">
<img width="917" alt="Screen Shot 2023-05-31 at 1 56 43 PM"
src="https://github.com/go-gitea/gitea/assets/23248839/1ad64081-012c-4a73-b393-66b30352654c">
## tokenRequiresScopes Design Decision
- `tokenRequiresScopes()` was added to more reliably cover api routes.
For an incoming request, this function uses the given scope category
(say `AccessTokenScopeCategoryOrganization`) and the HTTP method (say
`DELETE`) and verifies that any scoped tokens in use include
`delete:organization`.
- `reqToken()` is used to enforce auth for individual routes that
require it. If a scoped token is not present for a request,
`tokenRequiresScopes()` will not return an error
## TODO
- [x] Alphabetize scope categories
- [x] Change 'public repos only' to a radio button (private vs public).
Also expand this to organizations
- [X] Disable token creation if no scopes selected. Alternatively, show
warning
- [x] `reqToken()` is missing from many `POST/DELETE` routes in the api.
`tokenRequiresScopes()` only checks that a given token has the correct
scope, `reqToken()` must be used to check that a token (or some other
auth) is present.
- _This should be addressed in this PR_
- [x] The migration should be reviewed very carefully in order to
minimize access changes to existing user tokens.
- _This should be addressed in this PR_
- [x] Link to api to swagger documentation, clarify what
read/write/delete levels correspond to
- [x] Review cases where more than one scope is needed as this directly
deviates from the api definition.
- _This should be addressed in this PR_
- For example:
```go
m.Group("/users/{username}/orgs", func() {
m.Get("", reqToken(), org.ListUserOrgs)
m.Get("/{org}/permissions", reqToken(), org.GetUserOrgsPermissions)
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser,
auth_model.AccessTokenScopeCategoryOrganization),
context_service.UserAssignmentAPI())
```
## Future improvements
- [ ] Add required scopes to swagger documentation
- [ ] Redesign `reqToken()` to be opt-out rather than opt-in
- [ ] Subdivide scopes like `repository`
- [ ] Once a token is created, if it has no scopes, we should display
text instead of an empty bullet point
- [ ] If the 'public repos only' option is selected, should read
categories be selected by default
Closes #24501
Closes #24799
Co-authored-by: Jonathan Tran <jon@allspice.io>
Co-authored-by: Kyle D <kdumontnu@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
Feature Description
There are a number of issues with scoped access tokens currently, ranging from UI/UX to implementation.
The gitea implementation of scoped PATs was clearly based off of GitHub's original implementation, which inherits some issues:
Additionally, our implementation had to map the odd GH scopes to our API routes, which further complicates the implementation, and leaves
reqTokencalls sprinkled around the code (which introduces bugs now and will be difficult to maintain going forward).Consider that we already have a nice hierarchy of scopes introduced by the API - imo, there is no reason to remap these to arbitrary GH scopes. I propose the following high-level scopes:
activitypubadmin(hidden if user is not a site admin)miscnotificationorganizationpackageissuerepositoryuserThe for each of the above we have an option for:
readwritedeleteWe also add an option at the top for:
This will be significantly easier for users to understand and for us to document and maintain, and it more closely matches the direction GitHub is moving.
While we're here, some further improvements:
all, but the shows Scopes:(empty)' and notall`repo:statusandpublic_repo), however, it does not for us. So what happens if I selectrepo("Full control over all repositories."), but not "repo:status")?Screenshots
eg.
The text was updated successfully, but these errors were encountered: