Enforcement of OAuth scopes check for authenticated API endpoints
Enforces the OAuth scopes check for authenticated API endpoints.
:skip_plug plug to mark a plug as explicitly skipped (disabled).
Solves the problem of potentially "forgotten" or incorrect OAuthScopesPlug calls, which would result in security breaches. Some of the reasons such an issue could happen:
- developer(s) could be unaware of (hopefully not) or forget to define an OAuthScopesPlug call for a specific action
- action was moved to another controller (and
- action was renamed (with the OAuthScopesPlug call's guard clause unmodified)
With this MR, an automatic check is performed on every request to verify that OAuthScopesPlug was either called or explicitly skipped (via the :skip_plug plug) before the action runs. If the check fails, HTTP 403 is returned instead of dispatching to the action.
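The following is an added, self-contained illustration of the mechanism described above; it is not Pleroma's own code. It assumes only the plug library (fetched via Mix.install) and simulates a Phoenix controller pipeline by hand: the names Demo.PlugTracking, Demo.OAuthScopesPlug, Demo.EnsureScopesChecked and Demo.Controller, the private keys :called_plugs and :skipped_plugs, the :token_scopes assign and the three sample actions are all made up for the example. The renamed action (:dismiss) reproduces the "guard clause unmodified" failure mode: no scopes plug runs for it, and the final check turns that silent gap into a 403.

```elixir
# Illustrative example only (not Pleroma's implementation).
# Run with: elixir enforce_scopes.exs
Mix.install([{:plug, "~> 1.14"}])

defmodule Demo.PlugTracking do
  @moduledoc "Records in conn.private which plugs ran or were explicitly skipped (assumed keys)."
  import Plug.Conn

  def mark_called(conn, plug_module),
    do: put_private(conn, :called_plugs, [plug_module | conn.private[:called_plugs] || []])

  # Stand-in for the :skip_plug plug: declares that a plug is intentionally disabled.
  def skip_plug(conn, plug_module),
    do: put_private(conn, :skipped_plugs, [plug_module | conn.private[:skipped_plugs] || []])

  def called_or_skipped?(conn, plug_module) do
    plug_module in (conn.private[:called_plugs] || []) or
      plug_module in (conn.private[:skipped_plugs] || [])
  end
end

defmodule Demo.OAuthScopesPlug do
  @moduledoc "Minimal scopes check: every required scope must be granted to the token."
  @behaviour Plug
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, %{scopes: required}) do
    conn = Demo.PlugTracking.mark_called(conn, __MODULE__)
    granted = conn.assigns[:token_scopes] || []

    if Enum.all?(required, &(&1 in granted)) do
      conn
    else
      conn |> send_resp(403, "Insufficient OAuth scopes") |> halt()
    end
  end
end

defmodule Demo.EnsureScopesChecked do
  @moduledoc "The automatic check: refuse to dispatch unless the scopes plug ran or was skipped."
  import Plug.Conn

  def run(conn) do
    if Demo.PlugTracking.called_or_skipped?(conn, Demo.OAuthScopesPlug) do
      conn
    else
      conn
      |> send_resp(403, "Security violation: OAuth scopes check neither called nor skipped")
      |> halt()
    end
  end
end

defmodule Demo.Controller do
  @moduledoc "Hand-rolled stand-in for a Phoenix controller pipeline with action guards."
  alias Demo.{EnsureScopesChecked, OAuthScopesPlug, PlugTracking}
  import Plug.Conn

  def dispatch(conn, action) do
    conn
    |> pipeline(action)
    |> then(fn c -> if c.halted, do: c, else: EnsureScopesChecked.run(c) end)
    |> then(fn c -> if c.halted, do: c, else: apply(__MODULE__, action, [c]) end)
  end

  # Equivalent of: plug(OAuthScopesPlug, %{scopes: ["read:notifications"]} when action in [:index])
  defp pipeline(conn, :index),
    do: OAuthScopesPlug.call(conn, %{scopes: ["read:notifications"]})

  # Equivalent of: plug(:skip_plug, OAuthScopesPlug when action in [:public_timeline])
  defp pipeline(conn, :public_timeline),
    do: PlugTracking.skip_plug(conn, OAuthScopesPlug)

  # The "forgotten" case: :dismiss was renamed from :destroy, but no guard clause
  # was updated for it, so no scopes plug runs on this path.
  defp pipeline(conn, _other), do: conn

  def index(conn), do: send_resp(conn, 200, "notifications")
  def public_timeline(conn), do: send_resp(conn, 200, "public posts")
  def dismiss(conn), do: send_resp(conn, 200, "dismissed")
end

# Constructed request: a token that grants only read:notifications.
conn = Plug.Test.conn(:get, "/") |> Plug.Conn.assign(:token_scopes, ["read:notifications"])

for action <- [:index, :public_timeline, :dismiss] do
  result = Demo.Controller.dispatch(conn, action)
  IO.puts("#{action}: #{result.status} #{result.resp_body}")
end
```

Running the script dispatches the three actions in turn: :index passes because the scopes plug ran and the token has the scope, :public_timeline passes because the plug was explicitly skipped, and :dismiss is stopped with a 403 by the final check even though the action itself would have succeeded, which is exactly the class of mistake the MR is designed to catch.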