Closed
Description
This is a tracking issue for the RFC "crates.io Token Scopes" (rust-lang/rfcs#2947).
Steps:
Backend:
- add token scopes to the database (database/api_tokens: Add `crate_scopes` and `endpoint_scopes` columns #5562)
- check token scopes for authenticated endpoints (Implement token scope restrictions for our endpoints #5572)
- implement API support for token scopes (Add `crate_scopes` and `endpoint_scopes` fields to the `PUT /me/tokens` API endpoint #5973 and GET /me/tokens: Add `crate_scopes` and `endpoint_scopes` fields #6310)
Frontend:
- create a dedicated token creation route (Add new `settings/tokens/new` page #6395)
- implement support for endpoint scopes in the route (settings/tokens/new: Add "Scopes" section #6428)
- implement support for crate scopes in the route (settings/tokens/new: Add "Crates" section #6432)
- show token scopes in the API token list (settings/tokens: Display endpoint/crate scopes if they exist #6450)
The exact details of these steps are still to be determined. Feel free to discuss here or contact the @rust-lang/crates-io team if you have any questions. It might be best to discuss the plans first before working on and opening a PR 😉
Unresolved questions:
- Are there more scopes that would be useful to implement from the start?
- Is the current behavior of crate scopes on endpoints that don't interact with crates the best, or should a token with crate scopes prevent access to endpoints that don't act on crates?