feat: add option to trun off oauth repo scope

CHANGELOG.md

@@ -0,0 +1,8 @@
+# Changelog
+
+## Unreleased
+
+### Features/Changes
+- Add option to turn off oauth read repo scope
+
+### Bug Fixes

lapdev-api/src/auth.rs

@@ -17,6 +17,7 @@ pub struct AuthConfig {
  pub auth_url: &'static str,
  pub token_url: &'static str,
  pub scopes: &'static [&'static str],
+ pub read_repo_scopes: &'static [&'static str],
 }
 
 impl AuthConfig {
@@ -25,14 +26,16 @@ impl AuthConfig {
  client_secret: "github-client-secret",
  auth_url: "https://github.com/login/oauth/authorize",
  token_url: "https://github.com/login/oauth/access_token",
- scopes: &["read:user", "user:email", "repo"],
+ scopes: &["read:user", "user:email"],
+ read_repo_scopes: &["read:user", "user:email", "repo"],
  };
  pub const GITLAB: Self = AuthConfig {
  client_id: "gitlab-client-id",
  client_secret: "gitlab-client-secret",
  auth_url: "https://gitlab.com/oauth/authorize",
  token_url: "https://gitlab.com/oauth/token",
- scopes: &["read_user", "read_repository"],
+ scopes: &["read_user"],
+ read_repo_scopes: &["read_user", "read_repository"],
  };
 }
 
@@ -85,13 +88,18 @@ impl Auth {
  &self,
  provider: AuthProvider,
  redirect_url: &str,
+ no_read_repo: bool,
  ) -> Result<(String, String)> {
  let clients = self.clients.read().await;
  let (client, config) = clients
  .get(&provider)
  .ok_or_else(|| anyhow::anyhow!("can't find provider"))?;
  let mut client = client.authorize_url(oauth2::CsrfToken::new_random);
- for scope in config.scopes {
+ for scope in if no_read_repo {
+ config.scopes
+ } else {
+ config.read_repo_scopes
+ } {
  client = client.add_scope(oauth2::Scope::new(scope.to_string()));
  }
  let redirect_url = oauth2::RedirectUrl::new(redirect_url.to_string())?;

lapdev-api/src/session.rs

@@ -53,7 +53,11 @@ pub(crate) async fn new_session(
 
  let redirect_url =
  format!("{host}/api/private/session/authorize?provider={provider}&next={next}");
- let (url, csrf) = state.auth.authorize_url(provider, &redirect_url).await?;
+ let oauth_no_read_repo = state.db.oauth_no_read_repo().await.unwrap_or(false);
+ let (url, csrf) = state
+ .auth
+ .authorize_url(provider, &redirect_url, oauth_no_read_repo)
+ .await?;
 
  let mut claims = Claims::new()?;
  claims.add_additional(OAUTH_STATE, csrf.clone())?;

lapdev-db/src/api.rs

@@ -24,6 +24,7 @@ use super::entities::workspace;
 
 pub const LAPDEV_CLUSTER_NOT_INITIATED: &str = "lapdev-cluster-not-initiated";
 const LAPDEV_API_AUTH_TOKEN_KEY: &str = "lapdev-api-auth-token-key";
+const LAPDEV_OAUTH_NO_READ_REPO: &str = "lapdev-oauth-no-read-repo";
 
 #[derive(Clone)]
 pub struct DbApi {
@@ -97,6 +98,12 @@ impl DbApi {
  self.generate_api_auth_token_key().await
  }
 
+ pub async fn oauth_no_read_repo(&self) -> Result<bool> {
+ self.get_config(LAPDEV_OAUTH_NO_READ_REPO)
+ .await
+ .map(|v| v == "yes")
+ }
+
  async fn get_api_auth_token_key(&self) -> Result<SymmetricKey<V4>> {
  let key = self.get_config(LAPDEV_API_AUTH_TOKEN_KEY).await?;
  let key = STANDARD.decode(key)?;