Enforces OAuth scopes check for authenticated API endpoints.
Adds :skip_plug plug to mark a plug explicitly skipped (disabled).
Solves the problem of potentially "forgotten" or incorrect OAuthScopesPlug calls which would result in security breaches. Some of the reasons such an issue could happen:
- developer(s) could be unaware of (hopefully not) or forget to define OAuthScopesPlug call for a specific action
- action was moved to another controller (and OAuthScopesPlug not propagated)
- action was renamed (with OAuthScopesPlug call's guard clause unmodified)

With this MR an automatic check whether OAuthScopesPlug was either called or explicitly skipped (via :skip_plug plug) is performed. If the check fails, HTTP 403 is returned.
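One way to build this kind of safety net in Plug, as an added illustration and not the MR's own code: each sensitive plug records itself in conn.private when it runs, a skip plug records a deliberate opt-out the same way, and a final plug halts with 403 when the scopes plug neither ran nor was skipped. The Example.* module names, the :called_plugs / :skipped_plugs private keys and the :token_scopes assign are assumptions for this sketch and differ from Pleroma's real module layout; it needs the :plug dependency.

```elixir
defmodule Example.PlugHelper do
  # Bookkeeping for "which plugs ran / were skipped on this request".
  # Keys in conn.private are assumed names, not Pleroma's.
  import Plug.Conn

  def called_key, do: :called_plugs
  def skipped_key, do: :skipped_plugs

  def plug_called?(%Plug.Conn{private: private}, plug_module),
    do: plug_module in Map.get(private, called_key(), [])

  def plug_skipped?(%Plug.Conn{private: private}, plug_module),
    do: plug_module in Map.get(private, skipped_key(), [])

  def append_to_private_list(conn, key, value) do
    put_private(conn, key, [value | Map.get(conn.private, key, [])])
  end
end

defmodule Example.SkipPlug do
  # Marks one or more plug modules as deliberately skipped for this request.
  # Usage in a controller: plug(Example.SkipPlug, Example.OAuthScopesPlug) when action in [:index]
  alias Example.PlugHelper

  def init(plug_modules), do: List.wrap(plug_modules)

  def call(conn, plug_modules) do
    Enum.reduce(plug_modules, conn, fn mod, acc ->
      PlugHelper.append_to_private_list(acc, PlugHelper.skipped_key(), mod)
    end)
  end
end

defmodule Example.OAuthScopesPlug do
  # Simplified scopes check: the token's granted scopes are assumed to sit in
  # conn.assigns.token_scopes (placed there by an earlier auth plug, not shown).
  import Plug.Conn
  alias Example.PlugHelper

  def init(opts), do: Map.new(opts)

  def call(conn, %{scopes: required}) do
    # Record the call first so the final check can see it even when we deny.
    conn = PlugHelper.append_to_private_list(conn, PlugHelper.called_key(), __MODULE__)
    granted = Map.get(conn.assigns, :token_scopes, [])

    if Enum.all?(required, &(&1 in granted)) do
      conn
    else
      conn |> send_resp(403, "Insufficient OAuth scope") |> halt()
    end
  end
end

defmodule Example.EnsureOAuthScopesCheckedPlug do
  # The safety net: declare it as the last plug in the controller so it runs
  # after every per-action plug. A request where OAuthScopesPlug neither ran
  # nor was explicitly skipped never reaches the action.
  import Plug.Conn
  alias Example.PlugHelper

  def init(opts), do: opts

  def call(conn, _opts) do
    if PlugHelper.plug_called?(conn, Example.OAuthScopesPlug) or
         PlugHelper.plug_skipped?(conn, Example.OAuthScopesPlug) do
      conn
    else
      conn |> send_resp(403, "OAuth scopes check missing") |> halt()
    end
  end
end

defmodule Example.Demo do
  # Constructed requests exercising the three cases; paths are arbitrary.
  import Plug.Test, only: [conn: 2]

  # Action whose OAuthScopesPlug call was forgotten: halted by the safety net.
  def forgotten_check do
    conn = conn(:get, "/api/v1/notifications") |> Example.EnsureOAuthScopesCheckedPlug.call([])
    {conn.halted, conn.status}
  end

  # Public action that deliberately opts out: passes through unhalted.
  def explicitly_skipped do
    conn =
      conn(:get, "/api/v1/instance")
      |> Example.SkipPlug.call(Example.SkipPlug.init(Example.OAuthScopesPlug))
      |> Example.EnsureOAuthScopesCheckedPlug.call([])

    {conn.halted, conn.status}
  end

  # Properly guarded action with a token holding the required scope.
  def checked_and_allowed do
    conn =
      conn(:get, "/api/v1/notifications")
      |> Plug.Conn.assign(:token_scopes, ["read:notifications"])
      |> Example.OAuthScopesPlug.call(Example.OAuthScopesPlug.init(scopes: ["read:notifications"]))
      |> Example.EnsureOAuthScopesCheckedPlug.call([])

    {conn.halted, conn.status}
  end
end
```

The important design point is that the scopes plug records itself before deciding, so a denied request is still counted as "checked" and the final plug only ever fires for the forgotten case; the skip plug is the single, grep-able place where an endpoint opts out, which is what makes a review of unauthenticated routes tractable.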