Scope name for root access — reserve "root"?

DougReeder · March 18, 2024, 7:49pm

The spec doesn’t mention requesting access to all scopes. remoteStorage.js handles root access by allowing client apps to call access.scope('*', mode) and passing that as the OAuth scope “root”. The spec only forbids using “public” for a normal scope — it would appear that “root” could be the name of a normal scope (that is, a top level folder).

Given this name conflict and the difficulty in changing something long in use, should the spec be changed to also reserve the scope “root”, and specify it refers to access to all folders?

raucao · March 26, 2024, 5:50am

I’m not sure where you have seen a root scope being used. rs.js turns it into *:rw or *:r respectively, which is also what the server implementations that I’m involved with are expecting.

See here e.g.:

github.com

remotestorage/remotestorage.js/blob/e91c5f50e6a5b38a4ac76d399d2d0053494ab425/src/access.ts#L148C11-L155


      
          private _adjustRootPaths (newScope: AccessScope): void {
            if ('*' in this.scopeModeMap || newScope === '*') {
              this.rootPaths = ['/'];
            } else if (!(newScope in this.scopeModeMap)) {
              this.rootPaths.push('/' + newScope + '/');
              this.rootPaths.push('/public/' + newScope + '/');
            }
          }

This also maps the specification for RS OAuth scopes. (And since category/module names are required to be alphanumerical, there is also no potential clash with a category named *.)

DougReeder · March 26, 2024, 2:17pm

“root:rw” is what Inspektor requests, and the code in Armadietto interprets that as root level. Perhaps they are operating off old versions of the spec and/or library.

Doug Reeder
reeder.29@gmail.com

raucao · March 26, 2024, 5:42pm

That’s odd. I tried with Inspektor and it uses *:rw for me. Are you sure it’s not Armadietto that transforms it?

DougReeder · March 31, 2024, 11:43pm

When connecting to 5apps.com, the redirect is for *:rw. When connecting to Armadietto, the the redirect is for root:rw. That suggests there’s a difference in the values returned from WebFinger. I’m having trouble capturing the WebFinger responses from both. Is there any documentation on what 5apps.com is returning for WebFinger when the app requests *:rw ?

DougReeder · April 1, 2024, 1:42am

Found it in access.ts in remotestorage.js:

 /**
   * TODO: document
   */
  private _scopeNameForParameter (scope: ScopeEntry): string {
    if (scope.name === '*' && this.storageType) {
      if (this.storageType === '2012.04') {
        return '';
      } else if (this.storageType.match(/remotestorage-0[01]/)) {
        return 'root';
      }
    }
    return scope.name;
  }

Armadietto was returning a status version of draft-dejong-remotestorage-01.

So, it looks like the spec needs to document that you can request a scope of *

Do we have notes for server implementers, that could be updated to mention this?

raucao · April 2, 2024, 9:08am

Aha, good catch! And should obviously be updated to something more recent.

That’s exactly what it does:

The access the bearer token gives is the sum of its access scopes,
with each access scope representing the following permissions:

'*:rw') any request,

'*:r') any GET or HEAD request,

<module> ':rw') any requests to paths relative to <storage_root>
                that start with '/' <module> '/' or
                '/public/' <module> '/',

<module> ':r') any GET or HEAD requests to paths relative to
               <storage_root> that start with
               '/' <module> '/' or '/public/' <module> '/',