boraarslan / mapper-influence


Confirm users granted the correct permissions #75

Closed boraarslan closed 1 year ago

boraarslan commented 1 year ago

It is possible to manipulate the scopes when redirected to the osu! OAuth page. For example, if a user removes `public` from the `scope` query parameter and we try to make an osu! request that depends on that scope with that user's token, the API fails because of insufficient permissions.

We want to know if the user granted us the correct permissions before letting them use the site.

112batuhan commented 1 year ago

The osu! API doesn't return the scopes in the request response. I looked up through the source code to find a way to get the scope information somehow but failed.

There are two options: Using client credentials grant for public scope requests or making a separate request to public endpoints to test the scopes.

I feel like the first option is the intended use by osu! devs and it would save us from the extra request in between.
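The second option above (probe a scope-gated endpoint with the user's token before letting them in) as an added example. This is not mapper-influence code and not an osu! API client; the HTTP layer is injected so the check runs offline, and the endpoint-to-scope mapping in `SCOPE_PROBES` is an assumption for illustration, not documented osu! behaviour.

```python
"""Added example: verify that an OAuth token actually carries the scopes the app
needs by probing endpoints that require them, instead of trusting the `scope`
parameter on the redirect URL (which the user can edit before consenting)."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List
from urllib.parse import urlencode

AUTHORIZE_URL = "https://osu.ppy.sh/oauth/authorize"
REQUIRED_SCOPES = ["identify", "public"]  # what the app asks for at /oauth/authorize

# Hypothetical mapping: scope -> an endpoint assumed to answer 403 without that scope.
# These paths are assumptions for this example, not verified osu! documentation.
SCOPE_PROBES: Dict[str, str] = {
    "identify": "https://osu.ppy.sh/api/v2/me",
    "public": "https://osu.ppy.sh/api/v2/beatmapsets/search",
}


@dataclass
class ProbeResult:
    status: int
    body: dict


# A transport is any callable (method, url, headers) -> ProbeResult.
Transport = Callable[[str, str, Dict[str, str]], ProbeResult]


def authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Build the redirect the app sends the user to. The `scope` value here is
    only a request: nothing stops the user from editing it before consenting."""
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(REQUIRED_SCOPES),
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def verify_granted_scopes(access_token: str, transport: Transport,
                          required: Iterable[str] = REQUIRED_SCOPES) -> List[str]:
    """Return the required scopes the token does NOT have (empty list = all granted).

    Since the token response carries no scope list, each scope is exercised by
    hitting an endpoint that needs it. 401/403 means the scope was withheld;
    any other non-200 status is a transport/API problem, not a scope answer."""
    headers = {"Authorization": f"Bearer {access_token}"}
    missing: List[str] = []
    for scope in required:
        result = transport("GET", SCOPE_PROBES[scope], headers)
        if result.status in (401, 403):
            missing.append(scope)
        elif result.status != 200:
            raise RuntimeError(f"probe for scope {scope!r} failed with HTTP {result.status}")
    return missing


def login_allowed(access_token: str, transport: Transport) -> bool:
    """Gate the session: only a token that passes every probe may use the site."""
    return not verify_granted_scopes(access_token, transport)


def make_fake_transport(granted_scopes: Iterable[str]) -> Transport:
    """Constructed stand-in for the HTTP client (not a real osu! response):
    200 when the probed endpoint's scope was granted, 403 otherwise."""
    granted = set(granted_scopes)
    endpoint_scope = {url: scope for scope, url in SCOPE_PROBES.items()}

    def transport(method: str, url: str, headers: Dict[str, str]) -> ProbeResult:
        if not headers.get("Authorization", "").startswith("Bearer "):
            return ProbeResult(401, {"error": "missing bearer token"})
        if endpoint_scope.get(url) in granted:
            return ProbeResult(200, {})
        return ProbeResult(403, {"error": "insufficient scope"})

    return transport


if __name__ == "__main__":
    # Constructed scenario: the user stripped `public` from the redirect's scope.
    tampered = make_fake_transport(["identify"])
    print("missing:", verify_granted_scopes("constructed-token", tampered))  # ['public']
    print("login allowed:", login_allowed("constructed-token", tampered))     # False
```

In the real service the transport would wrap the HTTP client already used for osu! calls; the point is that the decision to admit the user is made from what the token can actually do, not from the scope string the browser sent back.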

112batuhan commented 1 year ago

I also did some research on the implementation of OAuth 2 in the osu-web repository and I think it's completely handled by Laravel. Which means that the authorization code grant flow code is encrypted with the key hidden in the server. That's the reason why the length of the code changes with the changing scope. But since it's encrypted, there is no way for us to get the contents. Therefore, the only reasonable way to test scopes is to verify the length of the code string if we want to avoid extra calls.

112batuhan commented 1 year ago

https://github.com/ppy/osu-web/issues/10146 PR will come soon.