fix: preventing PATs from creating PATs

specklesystems · Dec 11, 2023 · 3689e1c · 3689e1c
1 parent a329f91
commit 3689e1c
Show file tree

Hide file tree

Showing 6 changed files with 81 additions and 15 deletions.
diff --git a/packages/frontend-2/components/developer-settings/CreateEditApplicationDialog.vue b/packages/frontend-2/components/developer-settings/CreateEditApplicationDialog.vue
@@ -101,9 +101,9 @@ const redirectUrl = ref('')
 const description = ref('')
 
 const applicationScopes = computed(() => {
-  return Object.values(AllScopes).map((value) => ({
-    id: value,
-    text: value
+  return Object.values(allScopes.value).map((value) => ({
+    id: value.name,
+    text: value.name
   }))
 })
 

diff --git a/packages/frontend-2/components/developer-settings/CreateTokenDialog.vue b/packages/frontend-2/components/developer-settings/CreateTokenDialog.vue
@@ -39,7 +39,6 @@
 
 <script setup lang="ts">
 import { useMutation } from '@vue/apollo-composable'
-import { AllScopes } from '@speckle/shared'
 import { LayoutDialog, FormSelectBadges } from '@speckle/ui-components'
 import type { TokenFormValues } from '~~/lib/developer-settings/helpers/types'
 import { createAccessTokenMutation } from '~~/lib/developer-settings/graphql/mutations'
@@ -50,11 +49,13 @@ import {
   getFirstErrorMessage
 } from '~~/lib/common/helpers/graphql'
 import { useGlobalToast, ToastNotificationType } from '~~/lib/common/composables/toast'
+import { useServerInfoScopes } from '~/lib/common/composables/serverInfo'
 
 const emit = defineEmits<{
   (e: 'token-created', tokenId: string): void
 }>()
 
+const { scopes: allScopes } = useServerInfoScopes()
 const { mutate: createToken } = useMutation(createAccessTokenMutation)
 const { triggerNotification } = useGlobalToast()
 const { handleSubmit } = useForm<TokenFormValues>()
@@ -65,9 +66,9 @@ const name = ref('')
 const scopes = ref<typeof apiTokenScopes.value>([])
 
 const apiTokenScopes = computed(() => {
-  return Object.values(AllScopes).map((value) => ({
-    id: value,
-    text: value
+  return Object.values(allScopes.value).map((value) => ({
+    id: value.name,
+    text: value.name
   }))
 })
 

diff --git a/packages/server/modules/core/errors/user.ts b/packages/server/modules/core/errors/user.ts
@@ -9,3 +9,8 @@ export class UserValidationError extends BaseError {
   static defaultMessage = 'The user input data is invalid'
   static code = 'USER_VALIDATION_ERROR'
 }
+
+export class TokenCreateError extends BaseError {
+  static code = 'TOKEN_CREATE_ERROR'
+  static defaultMessage = 'An error occurred while creating a token'
+}
diff --git a/packages/server/modules/core/graph/resolvers/apitoken.js b/packages/server/modules/core/graph/resolvers/apitoken.js
@@ -6,7 +6,7 @@ const {
   revokeToken,
   getUserTokens
 } = require('../../services/tokens')
-const { canCreateToken } = require('@/modules/core/helpers/token')
+const { canCreatePAT } = require('@/modules/core/helpers/token')
 
 /** @type {import('@/modules/core/graph/generated/graphql').Resolvers} */
 const resolvers = {
@@ -23,11 +23,11 @@ const resolvers = {
   },
   Mutation: {
     async apiTokenCreate(parent, args, context) {
-      if (!canCreateToken(context.scopes || [], args.token.scopes)) {
-        throw new ForbiddenError(
-          "You can't create a token with scopes that you don't have"
-        )
-      }
+      canCreatePAT({
+        userScopes: context.scopes || [],
+        tokenScopes: args.token.scopes,
+        strict: true
+      })
 
       return await createPersonalAccessToken(
         context.userId,

diff --git a/packages/server/modules/core/helpers/token.ts b/packages/server/modules/core/helpers/token.ts
@@ -1,3 +1,35 @@
-export const canCreateToken = (userScopes: string[], tokenScopes: string[]) => {
-  return tokenScopes.every((scope) => userScopes.includes(scope))
+import { TokenCreateError } from '@/modules/core/errors/user'
+import { Scopes } from '@speckle/shared'
+
+export const canCreateToken = (params: {
+  userScopes: string[]
+  tokenScopes: string[]
+  strict?: boolean
+}) => {
+  const { userScopes, tokenScopes, strict } = params
+  const hasAllScopes = tokenScopes.every((scope) => userScopes.includes(scope))
+  if (!hasAllScopes) {
+    if (!strict) return false
+    throw new TokenCreateError(
+      "You can't create a token with scopes that you don't have"
+    )
+  }
+
+  return true
+}
+
+export const canCreatePAT = (params: {
+  userScopes: string[]
+  tokenScopes: string[]
+  strict?: boolean
+}) => {
+  const { tokenScopes, strict } = params
+  if (tokenScopes.includes(Scopes.Tokens.Write)) {
+    if (!strict) return false
+    throw new TokenCreateError(
+      "You can't create a personal access token with the tokens:write scope"
+    )
+  }
+
+  return canCreateToken(params)
 }
diff --git a/packages/server/modules/core/tests/apitokens.spec.ts b/packages/server/modules/core/tests/apitokens.spec.ts
@@ -66,6 +66,34 @@ describe('API Tokens', () => {
     ).to.be.ok
   })
 
+  it("can't create PAT with tokens:write scope", async () => {
+    const scopes = [Scopes.Profile.Read, Scopes.Tokens.Write]
+    const { data, errors } = await apollo.execute(
+      CreateTokenDocument,
+      {
+        token: {
+          name: 'sometoken',
+          scopes
+        }
+      },
+      {
+        context: {
+          scopes
+        }
+      }
+    )
+
+    expect(data?.apiTokenCreate).to.not.be.ok
+    expect(errors).to.be.ok
+    expect(
+      errors!.find((e) =>
+        e.message.includes(
+          "You can't create a personal access token with the tokens:write scope"
+        )
+      )
+    ).to.be.ok
+  })
+
   describe('without the tokens:write scope', () => {
     const limitedTokenScopes = difference(AllScopes, [Scopes.Tokens.Write])
     let limitedToken: string