From 5ff2250a59b0d4c7280f7a1fd15f9854a94a5cfa Mon Sep 17 00:00:00 2001
From: Anders Pitman <tapitman11@gmail.com>
Date: Wed, 16 Feb 2022 11:58:34 -0700
Subject: [PATCH] Allow scoped tokens to create clients

---
 api.go | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/api.go b/api.go
index b75211e..afe9238 100644
--- a/api.go
+++ b/api.go
@@ -104,7 +104,7 @@ func (a *Api) handleTunnels(w http.ResponseWriter, r *http.Request) {
 
 		if tokenData.Client != "" {
 			w.WriteHeader(403)
-			io.WriteString(w, fmt.Sprintf("Token can only be used to list tunnels for client %s", tokenData.Client))
+			io.WriteString(w, "Token cannot be used to create tunnels")
 			return
 		}
 
@@ -117,7 +117,7 @@ func (a *Api) handleTunnels(w http.ResponseWriter, r *http.Request) {
 	case "DELETE":
 		if tokenData.Client != "" {
 			w.WriteHeader(403)
-			io.WriteString(w, fmt.Sprintf("Token can only be used to list tunnels for client %s", tokenData.Client))
+			io.WriteString(w, "Token cannot be used to delete tunnels")
 			return
 		}
 
@@ -148,18 +148,19 @@ func (a *Api) handleUsers(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if tokenData.Client != "" {
-		w.WriteHeader(403)
-		io.WriteString(w, fmt.Sprintf("Token can only be used to list tunnels for client %s", tokenData.Client))
-		return
-	}
-
 	path := r.URL.Path
 	parts := strings.Split(path[1:], "/")
 
 	r.ParseForm()
 
 	if path == "/" {
+
+		if tokenData.Client != "" {
+			w.WriteHeader(403)
+			io.WriteString(w, "Token cannot be used to create users")
+			return
+		}
+
 		switch r.Method {
 		case "POST":
 			err := a.CreateUser(tokenData, r.Form)
@@ -215,7 +216,7 @@ func (a *Api) handleTokens(w http.ResponseWriter, r *http.Request) {
 
 	if tokenData.Client != "" {
 		w.WriteHeader(403)
-		io.WriteString(w, fmt.Sprintf("Token can only be used to list tunnels for client %s", tokenData.Client))
+		io.WriteString(w, "Token cannot be used to manage tokens")
 		return
 	}