Require permitted scopes when registering a client (#29718)

2025-02-25 18:55:32 -06:00 · 2024-11-19 21:28:04 +01:00
parent 4f11d16deb
commit ec7de0fd68
12 changed files with 259 additions and 44 deletions
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -1631,7 +1631,8 @@ Discourse::Application.routes.draw do
    get "/user-api-key/otp" => "user_api_keys#otp"
    post "/user-api-key/otp" => "user_api_keys#create_otp"

-    post "/user-api-key-client/register" => "user_api_key_clients#register"
+    get "/user-api-key-client" => "user_api_key_clients#show"
+    post "/user-api-key-client" => "user_api_key_clients#create"

    get "/safe-mode" => "safe_mode#index"
    post "/safe-mode" => "safe_mode#enter", :as => "safe_mode_enter"
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@@ -3120,6 +3120,10 @@ user_api:
  allow_user_api_key_scopes:
    default: "read|write|message_bus|push|notifications|session_info|one_time_password"
    type: list
+  allow_user_api_key_client_scopes:
+    default: ""
+    type: list
+    hidden: true
  push_api_secret_key:
    default: ""
    hidden: true
@@ -3147,6 +3151,10 @@ user_api:
    default: 0
    max: 36500
    hidden: true
+  unused_registered_user_api_key_clients_days:
+    default: 30
+    max: 36500
+    hidden: true

 tags:
  tagging_enabled: