Closed Chappie74 closed 1 year ago
Chappie74
commented
1 year ago I forgot to add I would have tested this
@api_view(['GET'])
@permission_classes([permissions.IsAuthenticated])
@protected_resource(scopes=['read', 'write'])
def test_auth_view(request):and both customer and merchant tokens work in this scenario. I'm guessing since both contain the ' read write` scope
Chappie74
commented
1 year ago So I did some digging around and found in the code that there are two possible ways of handling the scope access.
found here
It seems this package chose to implement the former (1), where all the scopes are checked by checking if the scope of the requested resource is a subset of the scopes the token has.
The approach I expected for my use case was the latter, where it would check if token has at least one of the specified resource scopes, which would then require an intersection check rather than subset.
Chappie74
commented
1 year ago To work with this approach I'll have to create a separate scope which would work as a combination scope and attach it to both merchant and customer tokens. Then use that single scope check for my view.
For my project I would have added 3 additional scopes in the
settings.pyfile.For my use case I have separate views that issues tokens with separate scope. One login request might look like this.
or
I then have views that are protected like this
or like this
This works as intended. Tokens without the respective scope return 403. The problem I am having is when I want to protect a resource both the customer and merchant can access, which I am doing like so.
With the above, both of them return a 403. I'm expected that if the scope on the token has either one it should work, however that is not the case.
Is this how it is supposed to work? Can someone provide some clarity on this please? Thanks in advance.