From ba5ffc0e88f222c6dd01f7802cc8519af2ff8335 Mon Sep 17 00:00:00 2001
From: Gusted
Date: Sun, 1 Mar 2026 23:32:33 +0100
Subject: [PATCH] fix: consider scopes for OAuth2 token via basic login

There are two ways to use a OAuth2 token: Via the Authorization header as a Bearer token. Via the Authorization header as a Basic login. For the former the scope was correctly passed through, for the latter it was not and would mean no scope was checked if you used the token via this way.
---
 services/auth/basic.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/services/auth/basic.go b/services/auth/basic.go
index 4ffe712744..111b53a39f 100644
--- a/services/auth/basic.go
+++ b/services/auth/basic.go
@@ -73,7 +73,7 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore
 	}
 	// check oauth2 token
-	uid, _ := CheckOAuthAccessToken(req.Context(), authToken)
+	uid, grantScopes := CheckOAuthAccessToken(req.Context(), authToken)
 	if uid != 0 {
 		log.Trace("Basic Authorization: Valid OAuthAccessToken for user[%d]", uid)
@@ -84,6 +84,11 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore
 	}
 	store.GetData()["IsApiToken"] = true
+	if grantScopes != "" {
+		store.GetData()["ApiTokenScope"] = auth_model.AccessTokenScope(grantScopes)
+	} else {
+		store.GetData()["ApiTokenScope"] = auth_model.AccessTokenScopeAll // fallback to all
+	}
 	return u, nil
 }
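Review bot: The `else` branch in the second hunk grants `auth_model.AccessTokenScopeAll` whenever the grant's scope string is empty, so an OAuth2 grant issued with no scopes still gets unrestricted API access through Basic auth; that is the permissive default and deserves an explicit justification in place of `// fallback to all`, e.g. `// An OAuth2 grant with no scopes predates scoped grants and is treated as unrestricted, matching the Bearer path.` If the Bearer path applies the same fallback (not visible here) the two paths are at least consistent now, but a shared helper such as `func apiTokenScopeFromGrant(grantScopes string) auth_model.AccessTokenScope` called from both would keep them from drifting again, which is exactly how this bug arose. The cast `auth_model.AccessTokenScope(grantScopes)` also assumes the stored grant scope uses the same separator and scope names that `AccessTokenScope` expects, which is worth pinning with a test that a token granted only `read:repository` is refused a write when presented as a Basic login. `Verify` begins and ends outside both hunks.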