Auth: Apply same scope when session is created from auth token #782 #808

Signed-off-by: Michael Mayer <michael@photoprism.app>

internal/entity/auth_session.go

@@ -356,6 +356,27 @@ func (m *Session) SetAuthID(id string) *Session {
 	return m
 }
 
+// Scope returns the authorization scope as a sanitized string.
+func (m *Session) Scope() string {
+	return clean.Scope(m.AuthScope)
+}
+
+// HasScope checks if the session has the given authorization scope.
+func (m *Session) HasScope(scope string) bool {
+	return list.ParseAttr(m.Scope()).Contains(scope)
+}
+
+// SetScope sets a custom authentication scope.
+func (m *Session) SetScope(scope string) *Session {
+	if scope == "" {
+		return m
+	}
+
+	m.AuthScope = clean.Scope(scope)
+
+	return m
+}
+
 // Method returns the authentication method.
 func (m *Session) Method() authn.MethodType {
 	return authn.Method(m.AuthMethod)
@@ -793,13 +814,3 @@ func (m *Session) HttpStatus() int {
 
 	return http.StatusUnauthorized
 }
-
-// Scope returns the authorization scope as a sanitized string.
-func (m *Session) Scope() string {
-	return clean.Scope(m.AuthScope)
-}
-
-// HasScope checks if the session has the given authorization scope.
-func (m *Session) HasScope(scope string) bool {
-	return list.ParseAttr(m.Scope()).Contains(scope)
-}

internal/entity/auth_session_login.go

@@ -126,6 +126,7 @@ func AuthLocal(user *User, f form.Login, m *Session, c *gin.Context) (authn.Prov
 			return authn.ProviderNone, i18n.Error(i18n.ErrInvalidCredentials)
 		} else {
 			m.SetAuthID(authSess.AuthID)
+			m.SetScope(authSess.Scope())
 			m.SetMethod(authn.MethodSession)
 			event.AuditInfo([]string{clientIp, "session %s", "login as %s with auth secret", "succeeded"}, m.RefID, clean.LogQuote(userName))
 			event.LoginInfo(clientIp, "api", userName, m.UserAgent)