Added constraint on adding root scope

Author: djthorpe

pkg/handler/auth/endpoints.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"net/http"
 	"regexp"
+	"slices"
 	"strings"
 	"time"
 
@@ -130,7 +131,13 @@ func (service *auth) CreateToken(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	// TODO: Should not be able to add the root scope unless you have the root scope
+	// Should not be able to add the root scope unless you have the root scope
+	if slices.Contains(req.Scope, ScopeRoot) {
+		requestorScopes := TokenScope(r.Context())
+		if !slices.Contains(requestorScopes, ScopeRoot) {
+			httpresponse.Error(w, http.StatusForbidden, "Cannot create a token with root scope")
+		}
+	}
 
 	// Create the token
 	token := NewToken(req.Name, service.tokenBytes, req.Duration.Duration, req.Scope...)