From 155acecb4b39ef6722ca5d1fe9d7aba7a511f9f6 Mon Sep 17 00:00:00 2001
From: Gusted
Date: Sun, 1 Mar 2026 23:32:33 +0100
Subject: [PATCH] fix: consider scopes for OAuth2 token via basic login

There are two ways to use a OAuth2 token: Via the Authorization header as a Bearer token. Via the Authorization header as a Basic login. For the former the scope was correctly passed through, for the latter it was not and would mean no scope was checked if you used the token via this way.
---
 services/auth/basic.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/services/auth/basic.go b/services/auth/basic.go
index f117494762..2167055384 100644
--- a/services/auth/basic.go
+++ b/services/auth/basic.go
@@ -72,7 +72,7 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore
 }
 // check oauth2 token
- uid, _ := CheckOAuthAccessToken(req.Context(), authToken)
+ uid, grantScopes := CheckOAuthAccessToken(req.Context(), authToken)
 if uid != 0 {
 log.Trace("Basic Authorization: Valid OAuthAccessToken for user[%d]", uid)
@@ -83,6 +83,11 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore
 }
 store.GetData()["IsApiToken"] = true
+ if grantScopes != "" {
+ store.GetData()["ApiTokenScope"] = auth_model.AccessTokenScope(grantScopes)
+ } else {
+ store.GetData()["ApiTokenScope"] = auth_model.AccessTokenScopeAll // fallback to all
+ }
 return u, nil
 }
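Review bot: The `else` branch on the new lines silently grants `auth_model.AccessTokenScopeAll` to any OAuth2 access token whose grant carries no scope, and the inline `// fallback to all` says what happens but not why that fail-open default is acceptable. Replace it with a why-comment, e.g. `// Grants without an explicit scope are treated as unrestricted; keep this in sync with the Bearer-token path.` `grantScopes` is also cast to `AccessTokenScope` without normalization; if the Bearer path normalizes the grant's scope string before storing it, this path should do the same so both produce identical checks. Because the bug being fixed was a scope that was never checked, a test that authenticates via Basic with a scoped OAuth2 token and asserts the stored `ApiTokenScope` would guard against regression. Verify starts before the first hunk and continues past this one.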