Use unstable prefixes for scope names (#337)

crates/data-model/src/compat.rs

@@ -46,7 +46,9 @@ impl Device {
     #[must_use]
     pub fn to_scope_token(&self) -> ScopeToken {
         // SAFETY: the inner id should only have valid scope characters
-        format!("urn:matrix:device:{}", self.id).parse().unwrap()
+        format!("urn:matrix:org.matrix.msc2967.client:device:{}", self.id)
+            .parse()
+            .unwrap()
     }
 
     /// Generate a random device ID

crates/handlers/src/oauth2/authorization/complete.rs

@@ -219,7 +219,7 @@ pub(crate) async fn complete(
     let lacks_consent = grant
         .scope
         .difference(&current_consent)
-        .any(|scope| !scope.starts_with("urn:matrix:device:"));
+        .any(|scope| !scope.starts_with("urn:matrix:org.matrix.msc2967.client:device:"));
 
     // Check if the client lacks consent *or* if consent was explicitely asked
     if lacks_consent || grant.requires_consent {

crates/handlers/src/oauth2/consent.rs

@@ -153,11 +153,11 @@ pub(crate) async fn post(
         return Err(anyhow::anyhow!("policy violation").into());
     }
 
-    // Do not consent for the "urn:matrix:device:*" scope
+    // Do not consent for the "urn:matrix:org.matrix.msc2967.client:device:*" scope
     let scope_without_device = grant
         .scope
         .iter()
-        .filter(|s| !s.starts_with("urn:matrix:device:"))
+        .filter(|s| !s.starts_with("urn:matrix:org.matrix.msc2967.client:device:"))
         .cloned()
         .collect();
     insert_client_consent(

crates/oauth2-types/src/scope.rs

@@ -206,6 +206,6 @@ mod tests {
         );
 
         assert!(Scope::from_str("http://example.com").is_ok());
-        assert!(Scope::from_str("urn:matrix:*").is_ok());
+        assert!(Scope::from_str("urn:matrix:org.matrix.msc2967.client:*").is_ok());
     }
 }

crates/policy/policies/authorization_grant.rego

@@ -21,10 +21,10 @@ allowed_scope("urn:synapse:admin:*") {
 }
 
 allowed_scope(scope) {
-	regex.match("urn:matrix:device:[A-Za-z0-9-]{10,}", scope)
+	regex.match("urn:matrix:org.matrix.msc2967.client:device:[A-Za-z0-9-]{10,}", scope)
 }
 
-allowed_scope("urn:matrix:api:*") = true
+allowed_scope("urn:matrix:org.matrix.msc2967.client:api:*") = true
 
 violation[{"msg": msg}] {
 	some scope in split(input.authorization_grant.scope, " ")
@@ -34,5 +34,5 @@ violation[{"msg": msg}] {
 
 violation[{"msg": "only one device scope is allowed at a time"}] {
 	scope_list := split(input.authorization_grant.scope, " ")
-	count({key | scope_list[key]; startswith(scope_list[key], "urn:matrix:device:")}) > 1
+	count({key | scope_list[key]; startswith(scope_list[key], "urn:matrix:org.matrix.msc2967.client:device:")}) > 1
 }

crates/policy/policies/authorization_grant_test.rego

@@ -23,33 +23,33 @@ test_standard_scopes {
 
 test_matrix_scopes {
 	allow with input.user as user
-		with input.authorization_grant as {"scope": "urn:matrix:api:*"}
+		with input.authorization_grant as {"scope": "urn:matrix:org.matrix.msc2967.client:api:*"}
 }
 
 test_device_scopes {
 	allow with input.user as user
-		with input.authorization_grant as {"scope": "urn:matrix:device:AAbbCCdd01"}
+		with input.authorization_grant as {"scope": "urn:matrix:org.matrix.msc2967.client:device:AAbbCCdd01"}
 
 	allow with input.user as user
-		with input.authorization_grant as {"scope": "urn:matrix:device:AAbbCCdd01-asdasdsa1-2313"}
+		with input.authorization_grant as {"scope": "urn:matrix:org.matrix.msc2967.client:device:AAbbCCdd01-asdasdsa1-2313"}
 
 	# Invalid characters
 	not allow with input.user as user
-		with input.authorization_grant as {"scope": "urn:matrix:device:AABB:CCDDEE"}
+		with input.authorization_grant as {"scope": "urn:matrix:org.matrix.msc2967.client:device:AABB:CCDDEE"}
 
 	not allow with input.user as user
-		with input.authorization_grant as {"scope": "urn:matrix:device:AABB*CCDDEE"}
+		with input.authorization_grant as {"scope": "urn:matrix:org.matrix.msc2967.client:device:AABB*CCDDEE"}
 
 	not allow with input.user as user
-		with input.authorization_grant as {"scope": "urn:matrix:device:AABB!CCDDEE"}
+		with input.authorization_grant as {"scope": "urn:matrix:org.matrix.msc2967.client:device:AABB!CCDDEE"}
 
 	# Too short
 	not allow with input.user as user
-		with input.authorization_grant as {"scope": "urn:matrix:device:abcd"}
+		with input.authorization_grant as {"scope": "urn:matrix:org.matrix.msc2967.client:device:abcd"}
 
 	# Multiple device scope
 	not allow with input.user as user
-		with input.authorization_grant as {"scope": "urn:matrix:device:AAbbCCdd01 urn:matrix:device:AAbbCCdd02"}
+		with input.authorization_grant as {"scope": "urn:matrix:org.matrix.msc2967.client:device:AAbbCCdd01 urn:matrix:org.matrix.msc2967.client:device:AAbbCCdd02"}
 }
 
 test_synapse_admin_scopes {

crates/templates/src/res/pages/consent.html

@@ -40,7 +40,7 @@ limitations under the License.
                   {% for scope in grant.scope | split(pat=" ") %}
                     {% if scope == "openid" %}
                       <li>See your profile info and contact details</li>
-                    {% elif scope is matching("^urn:matrix:device:") %}
+                    {% elif scope is matching("^urn:matrix:org.matrix.msc2967.client:device:") %}
                       <li>View your existing messages and data</li>
                       <li>Send new messages on your behalf</li>
                     {% else %}