Assign admin panel s2s app with root scope for simpler migration (#60)

ValueMelody · Aug 1, 2024 · 832c835 · 832c835
1 parent 7a3a2e2
commit 832c835
Show file tree

Hide file tree

Showing 6 changed files with 7 additions and 11 deletions.
diff --git a/admin-panel/app/api/request.ts b/admin-panel/app/api/request.ts
@@ -86,7 +86,7 @@ export const obtainS2SAccessToken = async () => {
 
   const body = {
     grant_type: 'client_credentials',
-    scope: `${Scope.ReadUser} ${Scope.WriteUser} ${Scope.ReadApp} ${Scope.WriteApp} ${Scope.ReadRole} ${Scope.WriteRole} ${Scope.ReadScope} ${Scope.WriteScope}`,
+    scope: Scope.Root,
   }
   const res = await fetch(
     `${process.env.NEXT_PUBLIC_SERVER_URI}/oauth2/v1/token`,

diff --git a/docs/admin-panel.md b/docs/admin-panel.md
@@ -49,4 +49,4 @@ npm run dev
     cd melody-auth/server
     wrangler d1 execute melody-auth --command="insert into user_role (userId, roleId) values (1, 1)"
     ```
-4. Refresh the admin panel page. You should now have full access.
+4. Logout and login again. You should now have full access.
diff --git a/server/migrations/0006_create_scope_table.sql b/server/migrations/0006_create_scope_table.sql
@@ -11,6 +11,7 @@ CREATE UNIQUE INDEX idx_unique_scope_name ON scope (name) WHERE deletedAt IS NUL
 INSERT INTO scope ("name", "type") values ("openid", "spa");
 INSERT INTO scope ("name", "type") values ("profile", "spa");
 INSERT INTO scope ("name", "type") values ("offline_access", "spa");
+INSERT INTO scope ("name", "type") values ("root", "s2s");
 INSERT INTO scope ("name", "type") values ("read_user", "s2s");
 INSERT INTO scope ("name", "type") values ("write_user", "s2s");
 INSERT INTO scope ("name", "type") values ("read_app", "s2s");

diff --git a/server/migrations/0007_create_app_scope_table.sql b/server/migrations/0007_create_app_scope_table.sql
@@ -13,11 +13,4 @@ CREATE UNIQUE INDEX idx_unique_app_scope ON app_scope (appId, scopeId) WHERE del
 INSERT INTO app_scope ("appId", "scopeId") values (1, 1);
 INSERT INTO app_scope ("appId", "scopeId") values (1, 2);
 INSERT INTO app_scope ("appId", "scopeId") values (1, 3);
-INSERT INTO app_scope ("appId", "scopeId") values (2, 4);
-INSERT INTO app_scope ("appId", "scopeId") values (2, 5);
-INSERT INTO app_scope ("appId", "scopeId") values (2, 6);
-INSERT INTO app_scope ("appId", "scopeId") values (2, 7);
-INSERT INTO app_scope ("appId", "scopeId") values (2, 8);
-INSERT INTO app_scope ("appId", "scopeId") values (2, 9);
-INSERT INTO app_scope ("appId", "scopeId") values (2, 10);
-INSERT INTO app_scope ("appId", "scopeId") values (2, 11);
+INSERT INTO app_scope ("appId", "scopeId") values (2, 4);
diff --git a/server/src/middlewares/auth.ts b/server/src/middlewares/auth.ts
@@ -79,7 +79,8 @@ const s2sScopeGuard = async (
   if (!accessTokenBody) return false
 
   const scopes = accessTokenBody.scope?.split(' ') ?? []
-  if (!scopes.includes(scope)) return false
+
+  if (!scopes.includes(scope) && !scopes.includes(Scope.Root)) return false
 
   c.set(
     'access_token_body',

diff --git a/shared/src/enum.ts b/shared/src/enum.ts
@@ -7,6 +7,7 @@ export enum Scope {
   OpenId = 'openid',
   Profile = 'profile',
   OfflineAccess = 'offline_access',
+  Root = 'root',
   ReadUser = 'read_user',
   WriteUser = 'write_user',
   ReadApp = 'read_app',