fix: better scope handling

src/controllers/api/oauth2/access_token.rs

@@ -76,9 +76,10 @@ pub async fn get_access_token(
     // 3. Generate JWT for oauth2 client user session
     let jwt = create_token(
         &app_state.secrets,
-        AppUserTokenClaims::from_client_user_id(
+        AppUserTokenClaims::new(
             &app_client_session.client_id,
-            &authorization.user_id
+            &authorization.user_id,
+            authorization.scopes.to_vec()
         )
     );
     // 4. return JWT

src/controllers/api/openid/well_known.rs

@@ -1,8 +1,9 @@
 use axum::{extract::State, response::IntoResponse, Json};
 use fully_pub::fully_pub;
 use serde::Serialize;
+use strum::IntoEnumIterator;
 
-use crate::server::AppState;
+use crate::{models::authorization::AuthorizationScope, server::AppState};
 
 #[derive(Serialize)]
 #[fully_pub]
@@ -25,7 +26,7 @@ pub async fn get_well_known_openid_configuration(
         authorization_endpoint: format!("{}/authorize", base_url),
         token_endpoint: format!("{}/api/token", base_url),
         userinfo_endpoint: format!("{}/api/user", base_url),
-        scopes_supported: vec!["read_user_basic".into()],
+        scopes_supported: AuthorizationScope::iter().map(|v| v.to_string()).collect(),
         response_types_supported: vec!["code".into()],
         token_endpoint_auth_methods_supported: vec!["client_secret_basic".into()],
     })

src/controllers/ui/authorize.rs

@@ -87,13 +87,23 @@ pub async fn authorize_form(
             ).into_response();
         }
     };
-
+    // 1.4. Parse and validate scopes
+    let scopes = match parse_scope(&authorization_params.scope) {
+        Ok(v) => v,
+        Err(_err) => {
+            return (
+                StatusCode::BAD_REQUEST,
+                Html("Invalid scopes. Scopes must be space-delimited and snake_case.")
+            ).into_response();
+        }
+    };
     // 2. Check if the app is already authorized
     let authorizations_res = sqlx::query_as::<_, Authorization>(
-        "SELECT * FROM authorizations WHERE user_id = $1 AND client_id = $2"
+        "SELECT * FROM authorizations WHERE user_id = $1 AND client_id = $2 AND scopes = $3"
     )
         .bind(&token_claims.sub)
         .bind(&authorization_params.client_id)
+        .bind(sqlx::types::Json(&scopes))
         .fetch_one(&app_state.db)
         .await;
 
@@ -160,17 +170,17 @@ pub async fn perform_authorize(
             ).into_response();
         }
     };
-    // parse scope again
+    // 1.2. Parse and validate scope to use in DB
     let scopes = match parse_scope(&authorize_form.scope) {
         Ok(v) => v,
-        Err(err) => {
+        Err(_err) => {
             return (
                 StatusCode::BAD_REQUEST,
-                Html(format!("Invalid scope: {}", err))
+                Html("Invalid scopes.")
             ).into_response();
         }
     };
-    // 2. Create an authorizaton code
+    // 2. Create an authorization code
     let authorization_code = get_random_alphanumerical(32);
 
     let authorization = Authorization {

src/controllers/ui/me.rs

@@ -1,6 +1,7 @@
 use axum::{body::Bytes, extract::State, response::IntoResponse, Extension};
 use axum_typed_multipart::{FieldData, TryFromMultipart, TypedMultipart};
 use fully_pub::fully_pub;
+use log::error;
 use minijinja::context;
 
 use crate::{
@@ -99,11 +100,11 @@ pub async fn me_perform_update_details(
             )
         },
         Err(err) => {
-            dbg!(&err);
+            error!("Cannot update user details. {}", err);
             renderer.render(
                 template_path,
                 context!(
-                    error => Some("Cannot update user details".to_string()),
+                    error => Some("Cannot update user details.".to_string()),
                     user => user_res
                 )
             )

src/models/authorization.rs

@@ -2,17 +2,17 @@ use fully_pub::fully_pub;
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
 use sqlx::types::Json;
-use strum_macros::{Display, EnumString};
+use strum_macros::{Display, EnumIter, EnumString};
 
 #[derive(
     Clone, Debug, Serialize, Deserialize, PartialEq,
     sqlx::Type,
-    Display, EnumString
+    Display, EnumString, EnumIter
 )]
-#[strum(serialize_all = "lowercase")]
-#[fully_pub]
-enum AuthorizationScope {
-    ReadBasics
+#[strum(serialize_all = "snake_case")]
+pub enum AuthorizationScope {
+    UserReadBasic,
+    UserReadRoles
 }
 
 #[derive(sqlx::FromRow, Deserialize, Serialize, Debug)]

src/models/token_claims.rs

@@ -2,6 +2,8 @@ use fully_pub::fully_pub;
 use jsonwebtoken::get_current_timestamp;
 use serde::{Deserialize, Serialize};
 
+use super::authorization::AuthorizationScope;
+
 #[derive(Debug, Serialize, Deserialize, Clone)]
 #[fully_pub]
 struct UserTokenClaims {
@@ -30,6 +32,7 @@ struct AppUserTokenClaims {
     /// combined subject
     client_id: String,
     user_id: String,
+    scopes: Vec<AuthorizationScope>,
     /// token expiration
     exp: u64,
     /// token issuer
@@ -37,10 +40,11 @@ struct AppUserTokenClaims {
 }
 
 impl AppUserTokenClaims {
-    pub fn from_client_user_id(client_id: &str, user_id: &str) -> Self {
+    pub fn new(client_id: &str, user_id: &str, scopes: Vec<AuthorizationScope>) -> Self {
         AppUserTokenClaims {
             client_id: client_id.into(),
             user_id: user_id.into(),
+            scopes,
             exp: get_current_timestamp() + 86_000,
             iss: "Minauth".into()
         }

src/templates/pages/authorize.html

@@ -15,7 +15,7 @@
     <ul>
         <li>App name: {{ app.name }}</li>
         <li>App description: <i>{{ app.description }}</i></li>
-        <li>Permisions: {{ authorization_params.scope }}</li>
+        <li>Permissions: {{ authorization_params.scope }}</li>
     </ul>
     <input type="hidden" name="client_id" value="{{ authorization_params.client_id }}" />
     <input type="hidden" name="scope" value="{{ authorization_params.scope }}" />