feat: don't rely on secure JWT when it comes to scopes

2025-03-20 17:04:20 +01:00 · 2025-03-20 17:04:20 +01:00 · 7f4f6142c9
commit 7f4f6142c9
parent ded2b79db7
1 changed files with 6 additions and 1 deletions
--- a/security.py
+++ b/security.py
@ -141,8 +141,9 @@ async def get_current_user(
    user = get_user(username=token_data.username)
    if user is None:
        raise credentials_exception
+    allowed_scopes = set(user.scopes.split())
    for scope in security_scopes.scopes:
-        if scope not in token_data.scopes:
+        if scope not in allowed_scopes or scope not in token_data.scopes:
            raise HTTPException(
                status_code=status.HTTP_401_UNAUTHORIZED,
                detail="Not enough permissions",
@ -159,6 +160,10 @@ async def get_current_active_user(
    return current_user


+async def verify_team_scope(user: Annotated[Player, Depends(get_current_active_user)]):
+    allowed_scopes = set(user.scopes.split())
+
+
 async def login_for_access_token(
    form_data: Annotated[OAuth2PasswordRequestForm, Depends()], response: Response
 ) -> Token: