fix(web): Document 403 errors with user driven permission syncing when scope changes occur #639
Conversation
|
Important Review skippedAuto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the You can disable this status message by setting the Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
This comment has been minimized.
This comment has been minimized.
|
test |
brendan-kellam
requested review from
msukkari
and removed request for
msukkari
brendan-kellam
force-pushed
the
bkellam/fix_638
branch
2 times, most recently
from
6554248 to
d022066
Compare
brendan-kellam
force-pushed
the
bkellam/fix_638
branch
from
d022066 to
9a3ac61
Compare
…atically signing out accounts when oauth scopes change. The system is pretty fragile, so I'm going to take the safer approach and just add document this as a known issue.
…of automatically signing out accounts when oauth scopes change. The system is pretty fragile, so I'm going to take the safer approach and just add document this as a known issue." This reverts commit 84b1cf4.
brendan-kellam
changed the title
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
This PR is being reviewed by Cursor Bugbot
Details
You are on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle.
To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.
| const scopes = await getGitLabOAuthScopesForAuthenticatedUser(api); | ||
| if (!scopes.includes('read_api')) { | ||
| throw new Error(`OAuth token with scopes [${scopes.join(', ')}] is missing the 'read_api' scope required for permission syncing.`); | ||
| } |
There was a problem hiding this comment.
GitLab scope check rejects valid api scope tokens
Medium Severity
The GitLab scope validation only checks for the exact read_api scope, but GitLab's api scope is a superset that includes all read_api permissions. Users who configured their OAuth application with api scope (for other integrations or by preference) would be incorrectly rejected with a confusing error stating they're missing read_api, even though their token has sufficient permissions to list projects.
Ramble / context: user driven permission syncing uses the
access_tokenstored on theAccountobject that is acquired when the user signs in with GitHub/GitLab/whatever. Access tokens have a associated scopes (e.g.,read:user,repo, etc.). For permission syncing, we require additional oauth scopes from the base ones we usually request.When enabling permission syncing on a existing deployment, this will result in 403 errors since the existing oauth scopes are insufficient for the api requests we are making. Signing out of the account and re-signing in resolves the issue since the new oauth scopes will be requested.
This PR originally attempted to automate the process by automatically signing out the account when the scopes changed, but this was deemed to be too complicated and fragile. Instead, I've added improved error messages and documanted the issue in the docs.
Fixes #638
Fixes SOU-98
Note
Improves reliability and clarity of user-driven permission syncing by validating OAuth scopes and ensuring refreshed tokens are stored.
accountPermissionSyncer, fetch and validate OAuth scopes (repofor GitHub,read_apifor GitLab) via new helpers (getOAuthScopesForAuthenticatedUseringithub.ts/gitlab.ts); throw explicit errors and prompt re-auth when tokens/scopes are insufficient.signInevent, explicitly updateAccountwith latest OAuth token fields to persist refreshed credentials.permission-syncing.mdxexplaining scope-related errors when enabling on existing deployments and the need to re-authenticate.Written by Cursor Bugbot for commit 13c4c9c. This will update automatically on new commits. Configure here.