Skip to content

feat(auth): validate explicit scopes locally before login network request #760

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
yux1a0-63 wants to merge 3 commits into from
Closed

feat(auth): validate explicit scopes locally before login network request #760

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
8d18507
feat(auth): add local scope validator when login
yux1a0-63 May 6, 2026
a889ce1
fix(auth): use ErrWithHint instead of ErrValidation
yux1a0-63 May 6, 2026
6fe1939
refactor(auth): improve validateExplicitScopes reduce unused var
yux1a0-63 May 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
71 changes: 67 additions & 4 deletions cmd/auth/login.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -188,12 +188,20 @@

finalScope := opts.Scope

// Resolve scopes from domain/permission filters
if len(selectedDomains) > 0 || opts.Recommend {
if opts.Scope != "" {
return output.ErrValidation("cannot use --scope together with --domain/--recommend")
// Mutual exclusion: --scope cannot be combined with --domain/--recommend
if opts.Scope != "" && (len(selectedDomains) > 0 || opts.Recommend) {
return output.ErrValidation("cannot use --scope together with --domain/--recommend")
}

// Validate explicitly provided scopes
if opts.Scope != "" {
if err := validateExplicitScopes(opts.Scope); err != nil {
return err
}
}

// Resolve scopes from domain/permission filters
if len(selectedDomains) > 0 || opts.Recommend {

Check warning on line 204 in cmd/auth/login.go

View check run for this annotation

Codecov / codecov/patch

cmd/auth/login.go#L204 

Added line #L204 was not covered by tests
var candidateScopes []string
if len(selectedDomains) > 0 {
candidateScopes = collectScopesForDomains(selectedDomains, "user")
Expand Down Expand Up @@ -521,6 +529,61 @@
return false
}

func validateExplicitScopes(scope string) error {
normalized := strings.Fields(scope)
if len(normalized) == 0 {
return output.ErrValidation("please specify at least one scope")
}

knownScopes := knownScopesForIdentity()
invalid := make([]string, 0)
result := make([]string, 0, len(normalized))
seen := make(map[string]bool, len(normalized))

for _, s := range normalized {
if !knownScopes[s] {
if !seen[s] {
seen[s] = true

Check warning on line 546 in cmd/auth/login.go

View check run for this annotation

Codecov / codecov/patch

cmd/auth/login.go#L546 

Added line #L546 was not covered by tests
invalid = append(invalid, s)
}
continue
}
if seen[s] {
continue
}
seen[s] = true
result = append(result, s)
}

if len(invalid) > 0 {
return output.ErrValidation(
"invalid scope(s): %s\ncheck the exact scope names with `lark-cli auth scopes --format pretty`, or use `lark-cli auth login --domain <domain> --recommend` to avoid manual scope typos",
strings.Join(invalid, ", "),
)
}

Check warning on line 563 in cmd/auth/login.go

View check run for this annotation

Codecov / codecov/patch

cmd/auth/login.go#L563 

Added line #L563 was not covered by tests
Comment thread
coderabbitai[bot] marked this conversation as resolved.

return nil
}

func knownScopesForIdentity() map[string]bool {
known := make(map[string]bool)
for scope := range registry.LoadScopePriorities() {
known[scope] = true
}
for _, scope := range registry.CollectAllScopesFromMeta("user") {
known[scope] = true
}
for _, sc := range shortcuts.AllShortcuts() {
if shortcutSupportsIdentity(sc, "user") {
for _, scope := range sc.ScopesForIdentity("user") {
known[scope] = true
}
}
}
known["offline_access"] = true
return known
}

// suggestDomain finds the best "did you mean" match for an unknown domain.
func suggestDomain(input string, known map[string]bool) string {
// Check common cases: prefix match or input is a substring
Expand Down
Loading
Loading