API Endpoint for validating scoped tokens, returning a list of assigned scopes
What feature would you like implemented? (Please give us a brief description of what you'd like.)
Okay, so I am either about to be asking for something that's incredibly useful and something that should have been added a long time ago, or I am asking for something that has already existed. What I want is the ability to see the token scopes assigned to my token (via something like /api/auth/check?). Misskey doesn't have a way for me to validate a token either (I think that it should be dual purpose: it validates the token and gives you a list of scopes you are assigned). The permission list I would like it to return is available at https://misskey-hub.net/en/docs/for-developers/api/permission/.
Why should we add this feature? (Please give us a brief description of why your feature is important.)
I am a third-party API library developer (my library is not endorsed by Sharkey nor upstream Misskey). My library is https://github.com/Cardboard-Net/Cardboard.Net. I have run into an issue in my library with ambiguity. Consider the following scenarios:
Scenario 1) User without IsAdmin (or any roles giving admin) and who has given me a scoped token without admin:*
In this case, it's doable. I mean, I will be doing library-side permission checking (just for sanity - JSON deserialization exceptions being thrown because of a 403 is not something I want to have bug reports about). It's still ambiguous because I can go "well, you're not admin or you did not give the proper scope".
Scenario 2) User with isadmin (via roles, or account flag) who has given me a scoped token without admin:*
Yeah, this is what bites me right here. I do not at all want to encourage unscoped tokens for an admin account, especially over a large instance such as transfem.social. I have no way of knowing my scopes unless I make a GET/POST request to scoped endpoints for each permission to "check". Something I am not willing to do, nor am I willing to store state (if I get a 403 from one endpoint, storing that is going to bite me if a role is assigned or something changes while the library is running). I would prefer to maintain a list of scopes that I am assigned. I am probably going to parse the JSON array of permissions into an enum flag on the self user class, but I'd prefer if you went ahead and just followed misskeyisms. Just send out something like:
[
  {
    "permission": "write:admin:announcements",
    "enabled": false
  }
]
or if you want to remove some misskeyisms...
{
  "write:admin:announcements": false
}
but I'd prefer the array of permission objects, because that means in my resulting class I can go
[JsonProperty("permission")]
public ScopePermissionType Permission {get; set;}
[JsonProperty("enabled")]
public bool Enabled {get; set;}
The reason for this is because Misskey doesn't really use bitflags anywhere, and as much as I'd love to shill bitflags and changing API responses... It would stick out like a sore thumb. I am a big girl, I already do data transformations into bitflags for library internal representation, converting them back to the Misskey approach when I need to.
Version (What version of Sharkey is your instance running? You can find this by clicking your instance's logo at the top left and then clicking instance information.)
N/A
Instance (What instance of Sharkey are you using?)
Contribution Guidelines By submitting this issue, you agree to follow our Contribution Guidelines
- I agree to follow this project's Contribution Guidelines
- I have searched the issue tracker for similar requests, and this is not a duplicate.
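
How a client could consume the array-of-permission-objects response proposed in this issue, as an added example that is not Sharkey or Cardboard.Net code. The endpoint does not exist yet; the `SCOPE_BITS` subset, the function names and the `read:future-thing` entry are assumptions made for illustration.

```typescript
// Added example: response shape taken from this issue, everything else assumed.
type ScopeEntry = { permission: string; enabled: boolean };
type ParsedScopes = { flags: number; unknown: string[] };
type Verdict = "ok" | "missing-scope" | "not-admin";

// Library-internal bit positions for a small subset of Misskey permission names.
const SCOPE_BITS: { [name: string]: number } = {
  "read:account": 1 << 0,
  "write:notes": 1 << 1,
  "write:admin:announcements": 1 << 2,
};

// Own-property lookup so names like "constructor" never resolve via the prototype.
function bitFor(name: string): number | undefined {
  return Object.prototype.hasOwnProperty.call(SCOPE_BITS, name) ? SCOPE_BITS[name] : undefined;
}

// Fold the array of permission objects into bitflags, failing closed on bad input.
function parseScopes(body: unknown): ParsedScopes {
  if (!Array.isArray(body)) throw new TypeError("expected an array of permission objects");
  const out: ParsedScopes = { flags: 0, unknown: [] };
  body.forEach((raw: unknown) => {
    const e = raw as Partial<ScopeEntry> | null;
    if (!e || typeof e.permission !== "string" || typeof e.enabled !== "boolean") {
      throw new TypeError("malformed permission entry");
    }
    if (!e.enabled) return;
    const bit = bitFor(e.permission);
    if (bit === undefined) out.unknown.push(e.permission); // newer server, older library
    else out.flags |= bit;
  });
  return out;
}

// Decide before the request whether a 403 would come from the token or the account.
function preflight(scopes: ParsedScopes, isAdmin: boolean, needed: string): Verdict {
  const bit = bitFor(needed);
  if (bit === undefined) throw new RangeError("scope not known to this library: " + needed);
  if ((scopes.flags & bit) === 0) return "missing-scope";
  if (needed.indexOf(":admin:") !== -1 && !isAdmin) return "not-admin";
  return "ok";
}

// Constructed sample response: an admin's token issued without the admin scope.
const SAMPLE: unknown = JSON.parse(
  '[{"permission":"write:notes","enabled":true},' +
  '{"permission":"write:admin:announcements","enabled":false},' +
  '{"permission":"read:future-thing","enabled":true}]'
);
```

With `SAMPLE`, Scenario 2 resolves to `missing-scope` without probing any admin endpoint, and the unrecognised scope is kept in `unknown` rather than dropped.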