
fix: Bad scope parsing

lewis 41d703d8 e86f5eb5

Changed files
+25 -26
+5
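--- a/frontend/src/routes/OAuthConsent.svelte
+++ b/frontend/src/routes/OAuthConsent.svelte
@@ -508,6 +508,7 @@
 margin-bottom: var(--space-2);
 cursor: pointer;
 transition: border-color var(--transition-fast);
+overflow: hidden;
 }
 
 .scope-item:hover:not(.required) {
@@ -532,19 +533,23 @@
 
 .scope-info {
 flex: 1;
+min-width: 0;
 display: flex;
 flex-direction: column;
 gap: 2px;
+overflow: hidden;
 }
 
 .scope-name {
 font-weight: var(--font-medium);
 color: var(--text-primary);
+word-break: break-all;
 }
 
 .scope-description {
 font-size: var(--text-sm);
 color: var(--text-secondary);
+word-break: break-all;
 }
 
 .required-badge {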
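Review bot: On `.scope-item` and `.scope-info` the added `overflow: hidden` clips whatever still does not fit, and on a consent screen the scope text is what the user is approving, so it should wrap rather than be cut off. `word-break: break-all` on `.scope-name` and `.scope-description` does force wrapping, but it also splits ordinary words mid-token; `overflow-wrap: anywhere;` breaks only when a token would otherwise overflow and keeps short scopes readable. It is worth checking the layout with a long unbroken scope string to confirm the full value stays visible. The `.scope-item` rule starts above the hunk.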
+20 -26
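--- a/src/oauth/endpoints/authorize.rs
+++ b/src/oauth/endpoints/authorize.rs
@@ -55,6 +55,23 @@
 .into_response()
 }
 
+fn is_granular_scope(s: &str) -> bool {
+s.starts_with("repo:") || s.starts_with("repo?") || s == "repo"
+|| s.starts_with("blob:") || s.starts_with("blob?") || s == "blob"
+|| s.starts_with("rpc:") || s.starts_with("rpc?")
+|| s.starts_with("account:")
+|| s.starts_with("identity:")
+}
+
+fn is_valid_scope(s: &str) -> bool {
+s == "atproto"
+|| s == "transition:generic"
+|| s == "transition:chat.bsky"
+|| s == "transition:email"
+|| is_granular_scope(s)
+|| s.starts_with("include:")
+}
+
 fn validate_auth_flow_state(
 flow_state: &AuthFlowState,
 require_authenticated: bool,
@@ -1473,23 +1490,11 @@
 };
 
 let requested_scopes: Vec<&str> = effective_scope_str.split_whitespace().collect();
-let has_granular_scopes = requested_scopes.iter().any(|s| {
-s.starts_with("repo:")
-|| s.starts_with("blob:")
-|| s.starts_with("rpc:")
-|| s.starts_with("account:")
-|| s.starts_with("identity:")
-});
+let has_granular_scopes = requested_scopes.iter().any(|s| is_granular_scope(s));
 let user_denied_some_granular = has_granular_scopes
 && requested_scopes
 .iter()
-.filter(|s| {
-s.starts_with("repo:")
-|| s.starts_with("blob:")
-|| s.starts_with("rpc:")
-|| s.starts_with("account:")
-|| s.starts_with("identity:")
-})
+.filter(|s| is_granular_scope(s))
 .any(|s| !form.approved_scopes.contains(&s.to_string()));
 let atproto_was_requested = requested_scopes.contains(&"atproto");
 if atproto_was_requested
@@ -1519,18 +1524,7 @@
 );
 }
 let approved_scope_str = final_approved.join(" ");
-let has_valid_scope = final_approved.iter().all(|s| {
-s == "atproto"
-|| s == "transition:generic"
-|| s == "transition:chat.bsky"
-|| s == "transition:email"
-|| s.starts_with("repo:")
-|| s.starts_with("blob:")
-|| s.starts_with("rpc:")
-|| s.starts_with("account:")
-|| s.starts_with("identity:")
-|| s.starts_with("include:")
-});
+let has_valid_scope = final_approved.iter().all(|s| is_valid_scope(s));
 if !has_valid_scope {
 return json_error(
 StatusCode::BAD_REQUEST,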
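Review bot: `is_granular_scope` (new lines 58-64) accepts the `?` query form and the bare name for `repo` and `blob`, only the `?` form for `rpc`, and neither for `account` or `identity`, and nothing in the hunk says whether that asymmetry is intended. Because the same helper now drives both `user_denied_some_granular` and `is_valid_scope`, a scope form it misses is neither counted as a denied granular scope nor accepted as valid, so the list is worth pinning with a unit test covering each resource in its `:`, `?` and bare forms. Both helpers are prefix checks only, so a string such as `repo:` with an empty remainder passes `is_valid_scope`; a doc comment like `/// Prefix match only; the resource name and parameters are not parsed here.` would make clear that strict parsing has to happen wherever the granted scope is enforced. Separately, `final_approved.iter().all(...)` is true for an empty list, so `has_valid_scope` does not by itself reject an empty approval; whether that is checked elsewhere is not visible in this hunk.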