Will require a new login for all users, but a deploy does that anyway since sessions are stored in memory currently 🤪
+7
-2
Diff
round #1
+6
-1
apps/appview/src/lib/app-context.ts
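--- a/apps/appview/src/lib/app-context.ts
+++ b/apps/appview/src/lib/app-context.ts
@@ -78,7 +78,12 @@
 client_name: "atBB Forum",
 client_uri: oauthUrl,
 redirect_uris: [`${oauthUrl}/api/auth/callback`],
-scope: "atproto transition:generic",
+// Minimal-privilege scopes:
+// include:space.atbb.authFull â permission-set published on atbb.space's PDS;
+// grants repo write access to space.atbb.post, space.atbb.reaction, space.atbb.membership
+// rpc:app.bsky.actor.getProfile?aud=... â grants getProfile against the Bluesky AppView;
+// %23 is the literal encoding required by the PDS for the DID fragment separator
+scope: "atproto include:space.atbb.authFull rpc:app.bsky.actor.getProfile?aud=did:web:api.bsky.app%23bsky_appview",
 grant_types: ["authorization_code", "refresh_token"],
 response_types: ["code"],
 application_type: "web",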
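Review bot: The new scope literal in the client metadata is repeated verbatim in the token fixture in apps/appview/src/routes/__tests__/auth.test.ts, so the requested scope and the tested scope can drift apart silently. Exporting it once, for example `export const OAUTH_SCOPE = "atproto include:space.atbb.authFull rpc:app.bsky.actor.getProfile?aud=did:web:api.bsky.app%23bsky_appview";`, and importing it in the test keeps the two aligned. The comment lists three collections for `include:space.atbb.authFull`, but by its own description the grant comes from a published permission set, so the list is presumably only a snapshot; I would add `// collection list is a snapshot; the published permission set is authoritative` and treat edits to that record as privilege changes. Nothing in this hunk shows the granted scope being compared with the requested one after the callback; if that is not done elsewhere, a session issued with fewer scopes would presumably fail later at getProfile rather than at login. The enclosing metadata object starts and ends outside the hunk.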
+1
-1
apps/appview/src/routes/__tests__/auth.test.ts
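--- a/apps/appview/src/routes/__tests__/auth.test.ts
+++ b/apps/appview/src/routes/__tests__/auth.test.ts
@@ -37,7 +37,7 @@
 aud: "http://localhost:3001",
 exp: Math.floor(Date.now() / 1000) + 3600,
 iat: Math.floor(Date.now() / 1000),
-scope: "atproto transition:generic",
+scope: "atproto include:space.atbb.authFull rpc:app.bsky.actor.getProfile?aud=did:web:api.bsky.app%23bsky_appview",
 server: {} as any,
 sessionGetter: {} as any,
 dpopFetch: {} as any,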
History
2 rounds
0 comments
malpercio.dev
submitted
#1
pull request successfully merged
malpercio.dev
submitted
#0
1 commit
feat: constrain oauth scopes