
Commit aa2fd97

committed
Added constraint on adding root scope
1 parent 201ca39 commit aa2fd97


1 file changed

+8
-1
lines changed

1 file changed

+8
-1
lines changed

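--- a/pkg/handler/auth/endpoints.go
+++ b/pkg/handler/auth/endpoints.go
@@ -4,6 +4,7 @@ import (
 "context"
 "net/http"
 "regexp"
+"slices"
 "strings"
 "time"
 
@@ -130,7 +131,13 @@ func (service *auth) CreateToken(w http.ResponseWriter, r *http.Request) {
 }
 }
 
-// TODO: Should not be able to add the root scope unless you have the root scope
+// Should not be able to add the root scope unless you have the root scope
+if slices.Contains(req.Scope, ScopeRoot) {
+requestorScopes := TokenScope(r.Context())
+if !slices.Contains(requestorScopes, ScopeRoot) {
+httpresponse.Error(w, http.StatusForbidden, "Cannot create a token with root scope")
+}
+}
 
 // Create the token
 token := NewToken(req.Name, service.tokenBytes, req.Duration.Duration, req.Scope...)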
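Review bot: The new root-scope guard never returns after `httpresponse.Error(w, http.StatusForbidden, "Cannot create a token with root scope")`, so execution falls through to `token := NewToken(req.Name, service.tokenBytes, req.Duration.Duration, req.Scope...)` and a caller without ScopeRoot still gets a root-scoped token minted (with the 403 already written to the same response). Add `return` immediately after the error call so the rejection is terminal; that single line is the whole fix. The enclosing CreateToken body begins before this hunk and continues after it, and the check presumes `TokenScope(r.Context())` yields the authenticated requestor's scopes rather than anything client-supplied, which is not visible here and is worth confirming. While touching the comment, a why-comment reads better than the current description, e.g. `// Only a requestor that already holds ScopeRoot may mint a token carrying it.`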
