fix: Bad scope parsing

2026-02-08 13:20:41 +00:00 · 2026-01-06 23:41:20 +02:00
parent 3d0939c038
commit 767f89ae76
2 changed files with 25 additions and 26 deletions
--- a/frontend/src/routes/OAuthConsent.svelte
+++ b/frontend/src/routes/OAuthConsent.svelte
@@ -508,6 +508,7 @@
    margin-bottom: var(--space-2);
    cursor: pointer;
    transition: border-color var(--transition-fast);
+    overflow: hidden;
  }

  .scope-item:hover:not(.required) {
@@ -532,19 +533,23 @@

  .scope-info {
    flex: 1;
+    min-width: 0;
    display: flex;
    flex-direction: column;
    gap: 2px;
+    overflow: hidden;
  }

  .scope-name {
    font-weight: var(--font-medium);
    color: var(--text-primary);
+    word-break: break-all;
  }

  .scope-description {
    font-size: var(--text-sm);
    color: var(--text-secondary);
+    word-break: break-all;
  }

  .required-badge {
--- a/src/oauth/endpoints/authorize.rs
+++ b/src/oauth/endpoints/authorize.rs
@@ -55,6 +55,23 @@ fn json_error(status: StatusCode, error: &str, description: &str) -> Response {
        .into_response()
 }

+fn is_granular_scope(s: &str) -> bool {
+    s.starts_with("repo:") || s.starts_with("repo?") || s == "repo"
+        || s.starts_with("blob:") || s.starts_with("blob?") || s == "blob"
+        || s.starts_with("rpc:") || s.starts_with("rpc?")
+        || s.starts_with("account:")
+        || s.starts_with("identity:")
+}
+
+fn is_valid_scope(s: &str) -> bool {
+    s == "atproto"
+        || s == "transition:generic"
+        || s == "transition:chat.bsky"
+        || s == "transition:email"
+        || is_granular_scope(s)
+        || s.starts_with("include:")
+}
+
 fn validate_auth_flow_state(
    flow_state: &AuthFlowState,
    require_authenticated: bool,
@@ -1473,23 +1490,11 @@ pub async fn consent_post(
    };

    let requested_scopes: Vec<&str> = effective_scope_str.split_whitespace().collect();
-    let has_granular_scopes = requested_scopes.iter().any(|s| {
-        s.starts_with("repo:")
-            || s.starts_with("blob:")
-            || s.starts_with("rpc:")
-            || s.starts_with("account:")
-            || s.starts_with("identity:")
-    });
+    let has_granular_scopes = requested_scopes.iter().any(|s| is_granular_scope(s));
    let user_denied_some_granular = has_granular_scopes
        && requested_scopes
            .iter()
-            .filter(|s| {
-                s.starts_with("repo:")
-                    || s.starts_with("blob:")
-                    || s.starts_with("rpc:")
-                    || s.starts_with("account:")
-                    || s.starts_with("identity:")
-            })
+            .filter(|s| is_granular_scope(s))
            .any(|s| !form.approved_scopes.contains(&s.to_string()));
    let atproto_was_requested = requested_scopes.contains(&"atproto");
    if atproto_was_requested
@@ -1519,18 +1524,7 @@ pub async fn consent_post(
        );
    }
    let approved_scope_str = final_approved.join(" ");
-    let has_valid_scope = final_approved.iter().all(|s| {
-        s == "atproto"
-            || s == "transition:generic"
-            || s == "transition:chat.bsky"
-            || s == "transition:email"
-            || s.starts_with("repo:")
-            || s.starts_with("blob:")
-            || s.starts_with("rpc:")
-            || s.starts_with("account:")
-            || s.starts_with("identity:")
-            || s.starts_with("include:")
-    });
+    let has_valid_scope = final_approved.iter().all(|s| is_valid_scope(s));
    if !has_valid_scope {
        return json_error(
            StatusCode::BAD_REQUEST,