Use unstable prefixes for scope names (#337)

2025-07-29 22:01:14 +03:00 · 2022-08-05 18:58:22 +01:00
parent 2568720106
commit 3215e86eaa
7 changed files with 19 additions and 17 deletions
--- a/crates/data-model/src/compat.rs
+++ b/crates/data-model/src/compat.rs
@ -46,7 +46,9 @@ impl Device {
    #[must_use]
    pub fn to_scope_token(&self) -> ScopeToken {
        // SAFETY: the inner id should only have valid scope characters
-        format!("urn:matrix:device:{}", self.id).parse().unwrap()
+        format!("urn:matrix:org.matrix.msc2967.client:device:{}", self.id)
            .parse()
            .unwrap()
    }
    /// Generate a random device ID
--- a/crates/handlers/src/oauth2/authorization/complete.rs
+++ b/crates/handlers/src/oauth2/authorization/complete.rs
@ -219,7 +219,7 @@ pub(crate) async fn complete(
    let lacks_consent = grant
        .scope
        .difference(&current_consent)
-        .any(|scope| !scope.starts_with("urn:matrix:device:"));
+        .any(|scope| !scope.starts_with("urn:matrix:org.matrix.msc2967.client:device:"));
    // Check if the client lacks consent *or* if consent was explicitely asked
    if lacks_consent || grant.requires_consent {
--- a/crates/handlers/src/oauth2/consent.rs
+++ b/crates/handlers/src/oauth2/consent.rs
@ -153,11 +153,11 @@ pub(crate) async fn post(
        return Err(anyhow::anyhow!("policy violation").into());
    }
-    // Do not consent for the "urn:matrix:device:*" scope
+    // Do not consent for the "urn:matrix:org.matrix.msc2967.client:device:*" scope
    let scope_without_device = grant
        .scope
        .iter()
-        .filter(|s| !s.starts_with("urn:matrix:device:"))
+        .filter(|s| !s.starts_with("urn:matrix:org.matrix.msc2967.client:device:"))
        .cloned()
        .collect();
    insert_client_consent(
--- a/crates/oauth2-types/src/scope.rs
+++ b/crates/oauth2-types/src/scope.rs
@ -206,6 +206,6 @@ mod tests {
        );
        assert!(Scope::from_str("http://example.com").is_ok());
-        assert!(Scope::from_str("urn:matrix:*").is_ok());
+        assert!(Scope::from_str("urn:matrix:org.matrix.msc2967.client:*").is_ok());
    }
 }
--- a/crates/policy/policies/authorization_grant.rego
+++ b/crates/policy/policies/authorization_grant.rego
@ -21,10 +21,10 @@ allowed_scope("urn:synapse:admin:*") {
 }
 allowed_scope(scope) {
-	regex.match("urn:matrix:device:[A-Za-z0-9-]{10,}", scope)
+	regex.match("urn:matrix:org.matrix.msc2967.client:device:[A-Za-z0-9-]{10,}", scope)
 }
-allowed_scope("urn:matrix:api:*") = true
+allowed_scope("urn:matrix:org.matrix.msc2967.client:api:*") = true
 violation[{"msg": msg}] {
 	some scope in split(input.authorization_grant.scope, " ")
@ -34,5 +34,5 @@ violation[{"msg": msg}] {
 violation[{"msg": "only one device scope is allowed at a time"}] {
 	scope_list := split(input.authorization_grant.scope, " ")
-	count({key | scope_list[key]; startswith(scope_list[key], "urn:matrix:device:")}) > 1
+	count({key | scope_list[key]; startswith(scope_list[key], "urn:matrix:org.matrix.msc2967.client:device:")}) > 1
 }
--- a/crates/policy/policies/authorization_grant_test.rego
+++ b/crates/policy/policies/authorization_grant_test.rego
@ -23,33 +23,33 @@ test_standard_scopes {
 test_matrix_scopes {
 	allow with input.user as user
-		with input.authorization_grant as {"scope": "urn:matrix:api:*"}
+		with input.authorization_grant as {"scope": "urn:matrix:org.matrix.msc2967.client:api:*"}
 }
 test_device_scopes {
 	allow with input.user as user
-		with input.authorization_grant as {"scope": "urn:matrix:device:AAbbCCdd01"}
+		with input.authorization_grant as {"scope": "urn:matrix:org.matrix.msc2967.client:device:AAbbCCdd01"}
 	allow with input.user as user
-		with input.authorization_grant as {"scope": "urn:matrix:device:AAbbCCdd01-asdasdsa1-2313"}
+		with input.authorization_grant as {"scope": "urn:matrix:org.matrix.msc2967.client:device:AAbbCCdd01-asdasdsa1-2313"}
 	# Invalid characters
 	not allow with input.user as user
-		with input.authorization_grant as {"scope": "urn:matrix:device:AABB:CCDDEE"}
+		with input.authorization_grant as {"scope": "urn:matrix:org.matrix.msc2967.client:device:AABB:CCDDEE"}
 	not allow with input.user as user
-		with input.authorization_grant as {"scope": "urn:matrix:device:AABB*CCDDEE"}
+		with input.authorization_grant as {"scope": "urn:matrix:org.matrix.msc2967.client:device:AABB*CCDDEE"}
 	not allow with input.user as user
-		with input.authorization_grant as {"scope": "urn:matrix:device:AABB!CCDDEE"}
+		with input.authorization_grant as {"scope": "urn:matrix:org.matrix.msc2967.client:device:AABB!CCDDEE"}
 	# Too short
 	not allow with input.user as user
-		with input.authorization_grant as {"scope": "urn:matrix:device:abcd"}
+		with input.authorization_grant as {"scope": "urn:matrix:org.matrix.msc2967.client:device:abcd"}
 	# Multiple device scope
 	not allow with input.user as user
-		with input.authorization_grant as {"scope": "urn:matrix:device:AAbbCCdd01 urn:matrix:device:AAbbCCdd02"}
+		with input.authorization_grant as {"scope": "urn:matrix:org.matrix.msc2967.client:device:AAbbCCdd01 urn:matrix:org.matrix.msc2967.client:device:AAbbCCdd02"}
 }
 test_synapse_admin_scopes {
--- a/crates/templates/src/res/pages/consent.html
+++ b/crates/templates/src/res/pages/consent.html
@ -40,7 +40,7 @@ limitations under the License.
                  {% for scope in grant.scope | split(pat=" ") %}
                    {% if scope == "openid" %}
                      <li>See your profile info and contact details</li>
-                    {% elif scope is matching("^urn:matrix:device:") %}
+                    {% elif scope is matching("^urn:matrix:org.matrix.msc2967.client:device:") %}
                      <li>View your existing messages and data</li>
                      <li>Send new messages on your behalf</li>
                    {% else %}