
Enforcement of OAuth scopes check for authenticated API endpoints

Enforces OAuth scopes checks for authenticated API endpoints.

Adds a :skip_plug plug to mark a plug as explicitly skipped (disabled).

Solves the problem of potentially "forgotten" or incorrect OAuthScopesPlug calls, which would result in security breaches. Some of the reasons such an issue could happen:

  • developer(s) could be unaware of (hopefully not) or forget to define an OAuthScopesPlug call for a specific action
  • an action was moved to another controller (and the OAuthScopesPlug call was not propagated)
  • an action was renamed (with the OAuthScopesPlug call's guard clause left unmodified)

With this MR, an automatic check is performed whether OAuthScopesPlug was either called or explicitly skipped (via the :skip_plug plug). If the check fails, HTTP 403 is returned.
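The mechanism described above, as an added illustration that is not the code from this merge request or from the project: a "skippable" plug records on the `conn` whether it was run or explicitly skipped, and a check run just before the controller action rejects any authenticated request for which neither happened. The module names `PlugHelper`, `SkippablePlug`, `ScopesCheckEnforcer`, the `enforce_scopes_check/1` function and the `:user`/`:token_scopes` assigns are hypothetical; only the `plug` library is assumed.

```elixir
# Added example, not Pleroma's implementation. Runnable as a script: `elixir example.exs`.
Mix.install([{:plug, "~> 1.14"}])

defmodule PlugHelper do
  @moduledoc "Tracks which skippable plugs were called or skipped on a conn (hypothetical helper)."
  def called_key, do: :called_plugs
  def skipped_key, do: :skipped_plugs

  def append(conn, key, module),
    do: Plug.Conn.put_private(conn, key, [module | Map.get(conn.private, key, [])])

  def called?(conn, module), do: module in Map.get(conn.private, called_key(), [])
  def skipped?(conn, module), do: module in Map.get(conn.private, skipped_key(), [])
end

defmodule SkippablePlug do
  @moduledoc "`use SkippablePlug`: the module implements `perform/2`; `call/2` records or skips it."
  defmacro __using__(_opts) do
    quote do
      @behaviour Plug

      @impl Plug
      def init(opts), do: opts

      # Marks this plug as intentionally disabled for the current request.
      def skip_plug(conn), do: PlugHelper.append(conn, PlugHelper.skipped_key(), __MODULE__)

      @impl Plug
      def call(conn, opts) do
        if PlugHelper.skipped?(conn, __MODULE__) do
          conn
        else
          conn
          |> PlugHelper.append(PlugHelper.called_key(), __MODULE__)
          |> perform(opts)
        end
      end
    end
  end
end

defmodule OAuthScopesPlug do
  use SkippablePlug
  import Plug.Conn

  # Halts with 403 unless the token's scopes cover every required scope.
  def perform(conn, opts) do
    required = Keyword.fetch!(opts, :scopes)
    granted = conn.assigns[:token_scopes] || []

    if Enum.all?(required, &(&1 in granted)),
      do: conn,
      else: conn |> send_resp(403, "Insufficient scope") |> halt()
  end
end

defmodule ScopesCheckEnforcer do
  import Plug.Conn

  # Marks a plug skipped without running it (the counterpart of the MR's :skip_plug).
  def skip_plug(conn, plug_module), do: plug_module.skip_plug(conn)

  # Run right before dispatching to an action: an authenticated request whose
  # pipeline neither ran OAuthScopesPlug nor explicitly skipped it gets 403,
  # so a forgotten, moved or renamed scope check fails closed.
  def enforce_scopes_check(conn) do
    cond do
      is_nil(conn.assigns[:user]) -> conn
      PlugHelper.called?(conn, OAuthScopesPlug) -> conn
      PlugHelper.skipped?(conn, OAuthScopesPlug) -> conn
      true -> conn |> send_resp(403, "OAuth scopes check missing") |> halt()
    end
  end
end

defmodule Demo do
  import Plug.Conn
  alias ScopesCheckEnforcer, as: Enforcer

  # Constructed authenticated request with a token that grants only "read".
  defp authed_conn do
    Plug.Test.conn(:get, "/api/v1/example")
    |> assign(:user, %{id: 1})
    |> assign(:token_scopes, ["read"])
  end

  def run do
    # 1. Scope plug called and scope matches: request reaches the action.
    %{halted: false} =
      authed_conn() |> OAuthScopesPlug.call(scopes: ["read"]) |> Enforcer.enforce_scopes_check()

    # 2. Plug explicitly skipped (endpoint only needs authentication): also passes.
    %{halted: false} =
      authed_conn() |> Enforcer.skip_plug(OAuthScopesPlug) |> Enforcer.enforce_scopes_check()

    # 3. Plug forgotten entirely: rejected with 403 instead of silently exposing the action.
    %{halted: true, status: 403} = authed_conn() |> Enforcer.enforce_scopes_check()
    :ok
  end
end

:ok = Demo.run()
```

The design point is that the enforcement lives in one place on the dispatch path, so the default for an authenticated endpoint is denial, and an endpoint that genuinely needs no scope check must say so explicitly rather than by omission.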

Edited by Ivan Tashkinov
