feat(api): Advertise required scopes on token-scope 403s (RFC 6750) #118612
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,10 +1,12 @@ | ||
| from __future__ import annotations | ||
|
|
||
| from collections.abc import Iterable | ||
|
|
||
| from django.contrib.auth import REDIRECT_FIELD_NAME | ||
| from django.http.request import HttpRequest | ||
| from django.urls import reverse | ||
| from rest_framework import status | ||
| from rest_framework.exceptions import APIException | ||
| from rest_framework.exceptions import APIException, PermissionDenied | ||
|
|
||
| from sentry.models.organization import Organization | ||
| from sentry.organizations.services.organization.model import RpcOrganization | ||
|
|
@@ -17,6 +19,26 @@ class ResourceDoesNotExist(APIException): | |
| default_detail = "The requested resource does not exist" | ||
|
|
||
|
|
||
| class InsufficientScope(PermissionDenied): | ||
|
Contributor: not blocking, I'm curious if we will want this for any getsentry endpoints and if this will work out of the box for those
Member (Author): I do think it works out of the box if I am to trust the agent here |
||
| """A token-authorized request denied for lacking the required scope. | ||
|
|
||
| Renders as an ordinary ``403`` (DRF's default ``PermissionDenied`` body is unchanged), | ||
| but advertises the required scopes via the RFC 6750 ``insufficient_scope`` challenge. | ||
| ``custom_exception_handler`` copies ``auth_header`` onto the ``WWW-Authenticate`` header. | ||
| """ | ||
|
|
||
| def __init__(self, required_scopes: Iterable[str]) -> None: | ||
| super().__init__() | ||
| scope = " ".join(sorted(required_scopes)) | ||
| self.auth_header = f'Bearer error="insufficient_scope", scope="{scope}"' | ||
|
|
||
|
|
||
| # Set on the request by the scope check when a token is denied for insufficient scope, and | ||
| # read by Endpoint.permission_denied to raise InsufficientScope. Lets has_permission stay a | ||
| # plain bool while the view still emits the RFC 6750 challenge. | ||
| INSUFFICIENT_SCOPE_ATTR = "_insufficient_scope_required" | ||
|
|
||
|
|
||
| class SentryAPIException(APIException): | ||
| code = "" | ||
| message = "" | ||
|
|
||
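Review bot: `InsufficientScope.__init__` interpolates the joined scope list straight into the quoted `scope="..."` parameter with no validation, and emits `scope=""` when `required_scopes` is empty. RFC 6750 only allows scope-token characters (no `"`, `\` or whitespace) inside that quoted-string and makes the `scope` parameter optional, so a scope name containing a quote or space would yield a malformed `WWW-Authenticate` header that clients cannot parse. Suggest validating each scope, e.g. `assert all(re.fullmatch(r"[\x21\x23-\x5b\x5d-\x7e]+", s) for s in required_scopes)`, and appending `f', scope="{scope}"'` to `'Bearer error="insufficient_scope"'` only when `scope` is non-empty. A bare `str` passed as `required_scopes` is also silently accepted and sorted per character; typing the parameter as `Collection[str]` or rejecting `str` explicitly would catch that. The docstring also relies on `custom_exception_handler` copying `auth_header` onto `WWW-Authenticate`, which is not in this file's hunks, so make sure that change and a test asserting the rendered header value are included in the PR.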