storyblok / app-extension-auth

MIT License

Not possible to grant write_content scope #1

Closed marckraw closed 1 year ago

marckraw commented 1 year ago

When I'm trying to modify my scope, it never gives me write permissions.

Expected Behavior

Based on that auth file:

import {AuthHandlerParams} from '@storyblok/app-extension-auth'

export const endpointPrefix = '/api/authenticate'

export const authHandlerParams: AuthHandlerParams = {
  clientId: process.env.CLIENT_ID,
  clientSecret: process.env.CLIENT_SECRET,
  baseUrl: process.env.BASE_URL,
  successCallback: '/',
  errorCallback: '/401',
  endpointPrefix,
  // Increase scope if needed
  scope: ['read_content', 'write_content'],
}

should be able to give me write_content scope

Current Behavior

It always gives only read_content scope.

Potential solution

I think in storyblok-auth-api/grant/grant-handler.ts, the custom scope from params is just not being passed, and only the hardcoded one is used:

export const grantHandler =
  (params: GrantHandlerParams): RequestHandler =>
  async (req, res) => {
    const { clientId, clientSecret, endpointPrefix, baseUrl, } = params
    void (await grant.node({
      config: {
        defaults: {
          origin: baseUrl,
          transport: 'session',
          prefix: endpointPrefix,
        },
        storyblok: {
          client_id: clientId,
          client_secret: clientSecret,
          scope: ['read_content'],
          callback: `${endpointPrefix}/${callbackRouteSlug}`,
          profile_url: userinfo_endpoint,
          response: ['tokens', 'profile', 'raw'], // raw is needed for the expires_in, token is needed for profile
          pkce: true,
          state: true,
          token_endpoint_auth_method: 'client_secret_post',
        },
      },
      session: {
        secret: clientSecret,
        name: grantCookieName,
        cookie: {
          path: '/',
          secure: true,
          sameSite: 'none', // Needed since custom apps are embedded in iframes
          httpOnly: true, // The refresh token must not be accessible via client-side javascript
        },
      },
    })(req, res))
  }

Steps to Reproduce

Just use the provided nextjs template and modify src/auth.ts to:

import {AuthHandlerParams} from '@storyblok/app-extension-auth'

export const endpointPrefix = '/api/authenticate'

export const authHandlerParams: AuthHandlerParams = {
  clientId: process.env.CLIENT_ID,
  clientSecret: process.env.CLIENT_SECRET,
  baseUrl: process.env.BASE_URL,
  successCallback: '/',
  errorCallback: '/401',
  endpointPrefix,
  // Increase scope if needed
  scope: ['read_content', 'write_content'],
}
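One way to pass the requested scope through and then check what the token endpoint actually granted, as an added example that is neither the library's code nor the author's PR: `buildStoryblokGrantConfig` stands in for the `storyblok:` section of `grantHandler`, the `/callback` slug stands in for `callbackRouteSlug`, `profile_url` is left out, and the raw token response is assumed to carry the standard OAuth 2.0 `scope` field.

```typescript
// Added example, not the library's code. `buildStoryblokGrantConfig` stands in for
// the `storyblok:` section of grantHandler; `missingScopes` checks the grant result.
type StoryblokScope = 'read_content' | 'write_content'

interface GrantHandlerParams {
  clientId: string
  clientSecret: string
  baseUrl: string
  endpointPrefix: string
  scope?: StoryblokScope[] // optional, as in AuthHandlerParams
}

const DEFAULT_SCOPE: StoryblokScope[] = ['read_content']

function buildStoryblokGrantConfig(params: GrantHandlerParams) {
  // Use the caller's scope instead of the hardcoded ['read_content'];
  // fall back to the old default only when no scope was given at all.
  const requested = params.scope && params.scope.length > 0 ? params.scope : DEFAULT_SCOPE
  return {
    client_id: params.clientId,
    client_secret: params.clientSecret,
    scope: requested.filter((s, i) => requested.indexOf(s) === i), // dedupe repeated entries
    callback: `${params.endpointPrefix}/callback`, // 'callback' stands in for callbackRouteSlug
    pkce: true,
    state: true,
    token_endpoint_auth_method: 'client_secret_post',
  }
}

// Per RFC 6749 §5.1 the token response carries a space-delimited `scope` when the
// granted scope differs from the requested one (assumed here to be available in
// grant's `raw` response). Returns the requested scopes that were not granted, so
// the app can stop instead of running with less access than its handlers expect.
function missingScopes(requested: readonly string[], raw: { scope?: string }): string[] {
  if (raw.scope === undefined) return [] // no `scope` field: granted exactly as requested
  const granted = raw.scope.split(' ').filter(Boolean)
  return requested.filter((s) => granted.indexOf(s) === -1)
}

// Constructed sample input mirroring the issue: both scopes requested, only read_content granted.
const sampleParams: GrantHandlerParams = {
  clientId: 'example-client-id',
  clientSecret: 'example-client-secret',
  baseUrl: 'https://app.example.invalid',
  endpointPrefix: '/api/authenticate',
  scope: ['read_content', 'write_content'],
}
const sampleRawResponse = { access_token: 'constructed-token', scope: 'read_content' }
console.log(missingScopes(buildStoryblokGrantConfig(sampleParams).scope, sampleRawResponse)) // [ 'write_content' ]
```
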

marckraw commented 1 year ago

created PR: https://github.com/storyblok/app-extension-auth/pull/2

Not sure though if it's the only change needed for that :) @johannes-lindgren

johannes-lindgren commented 1 year ago

Hi @marckraw, I've answered in #2