fine tune

wxiaoguang · wxiaoguang · commit a9415a690663 · 2024-11-25T18:11:44.000+08:00
diff --git a/services/oauth2_provider/access_token.go b/services/oauth2_provider/access_token.go
@@ -83,17 +83,21 @@ func GrantAdditionalScopes(grantScopes string) auth.AccessTokenScope {
 
 	var accessScopes []string // the scopes for access control, but not for general information
 	for _, scope := range strings.Split(grantScopes, " ") {
-		if !slices.Contains(generalScopesSupported, scope) {
+		if scope != "" && !slices.Contains(generalScopesSupported, scope) {
 			accessScopes = append(accessScopes, scope)
 		}
 	}
 
 	// since version 1.22, access tokens grant full access to the API
 	// with this access is reduced only if additional scopes are provided
-	// TODO: if there are invalid access scopes, then it is treated as "all", but would we really always treat invalid scopes as "all"?
-	accessTokenScope := auth.AccessTokenScope(strings.Join(accessScopes, ","))
-	if normalizedAccessTokenScope, err := accessTokenScope.Normalize(); err == nil && normalizedAccessTokenScope != "" {
-		return normalizedAccessTokenScope
+	if len(accessScopes) > 0 {
+		accessTokenScope := auth.AccessTokenScope(strings.Join(accessScopes, ","))
+		if normalizedAccessTokenScope, err := accessTokenScope.Normalize(); err == nil {
+			return normalizedAccessTokenScope
+		}
+		// TODO: if there are invalid access scopes (err != nil),
+		// then it is treated as "all", maybe in the future we should make it stricter to return an error
+		// at the moment, to avoid breaking 1.22 behavior, invalid tokens are also treated as "all"
 	}
 	// fallback, empty access scope is treated as "all" access
 	return auth.AccessTokenScopeAll
diff --git a/services/oauth2_provider/additional_scopes_test.go b/services/oauth2_provider/additional_scopes_test.go
@@ -24,7 +24,7 @@ func TestGrantAdditionalScopes(t *testing.T) {
 		{"read:user write:issue public-only", "public-only,write:issue,read:user"},
 		{"openid profile email read:user", "read:user"},
 
-		// TODO: would we always treat invalid scopes as "all"?
+		// TODO: at the moment invalid tokens are treated as "all" to avoid breaking 1.22 behavior (more details are in GrantAdditionalScopes)
 		{"read:invalid_scope", "all"},
 		{"read:invalid_scope,write:scope_invalid,just-plain-wrong", "all"},
 	}

Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ func TestGrantAdditionalScopes(t *testing.T) {`
`24`	`24`	`{"read:user write:issue public-only", "public-only,write:issue,read:user"},`
`25`	`25`	`{"openid profile email read:user", "read:user"},`
`26`	`26`
`27`		`- // TODO: would we always treat invalid scopes as "all"?`
	`27`	`+ // TODO: at the moment invalid tokens are treated as "all" to avoid breaking 1.22 behavior (more details are in GrantAdditionalScopes)`
`28`	`28`	`{"read:invalid_scope", "all"},`
`29`	`29`	`{"read:invalid_scope,write:scope_invalid,just-plain-wrong", "all"},`
`30`	`30`	`}`