add: grant scopes for all community endpoints

2025-06-13 12:49:09 -04:00 · 2025-06-13 12:49:09 -04:00 · c3139ef1d2
commit c3139ef1d2
parent ca8f510a3a
10 changed files with 342 additions and 75 deletions
--- a/crates/app/src/macros.rs
+++ b/crates/app/src/macros.rs
@ -77,17 +77,15 @@ macro_rules! create_dir_if_not_exists {
 #[macro_export]
 macro_rules! get_user_from_token {
    ($jar:ident, $db:expr) => {{
-        if let Some(token) = $jar.get("Atto-Grant") {
-            // this allows us to ALSO authenticate with a grant token...
-            // TODO: require macro to pass a required AppScope to check permission
-            // TODO: check token verifier
+        // pages; regular token only
+        if let Some(token) = $jar.get("__Secure-atto-token") {
            match $db
-                .get_user_by_grant_token(&tetratto_shared::hash::hash(
-                    token.to_string().replace("Atto-Grant=", ""),
+                .get_user_by_token(&tetratto_shared::hash::hash(
+                    token.to_string().replace("__Secure-atto-token=", ""),
                ))
                .await
            {
-                Ok((_, ua)) => {
+                Ok(ua) => {
                    if ua.permissions.check_banned() {
                        Some(tetratto_core::model::auth::User::banned())
                    } else {
@ -96,7 +94,38 @@ macro_rules! get_user_from_token {
                }
                Err(_) => None,
            }
+        } else {
+            None
+        }
+    }};
+
+    ($jar:ident, $db:expr, $grant_scope:expr) => {{
+        if let Some(token) = $jar.get("Atto-Grant")
+            && let Some(verifier) = $jar.get("Atto-Grant-Verifier")
+        {
+            // grant token
+            let verifier = verifier.to_string().replace("Atto-Grant-Verifier=", "");
+            match $db
+                .get_user_by_grant_token(&token.to_string().replace("Atto-Grant=", ""))
+                .await
+            {
+                Ok((grant, ua)) => {
+                    if grant.scopes.contains(&$grant_scope)
+                        && grant.check_verifier(&verifier).is_ok()
+                    {
+                        if ua.permissions.check_banned() {
+                            Some(tetratto_core::model::auth::User::banned())
+                        } else {
+                            Some(ua)
+                        }
+                    } else {
+                        None
+                    }
+                }
+                Err(_) => None,
+            }
        } else if let Some(token) = $jar.get("__Secure-atto-token") {
+            // regular token
            match $db
                .get_user_by_token(&tetratto_shared::hash::hash(
                    token.to_string().replace("__Secure-atto-token=", ""),