From e191cdf5eacb961601034a98661645c264df0b8a Mon Sep 17 00:00:00 2001
From: Drew DeVault
Date: Thu, 14 May 2020 13:04:06 -0400
Subject: [PATCH] API: Require scopes="*" on OAuth tokens for auth

---
 api/auth/auth.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/api/auth/auth.go b/api/auth/auth.go
index f43f31a..43cd6f2 100644
--- a/api/auth/auth.go
+++ b/api/auth/auth.go
@@ -238,7 +238,11 @@ Expected 'Authorization: Bearer '`, http.StatusForbidden)
 return
 }
- // TODO: Validate scopes
+ if scopes != "*" {
+ authError(w, "Presently, OAuth authentication to the GraphQL API is only supported for OAuth tokens with all permissions, namely '*'.", http.StatusForbidden)
+ return
+ }
+
 ctx := context.WithValue(r.Context(), userCtxKey, &user)
 r = r.WithContext(ctx)
-- 
2.38.4
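Review bot: The new guard `if scopes != "*"` is an exact string comparison that fails closed — a token whose scope list is anything other than the literal `*` (a narrower grant, or even an all-permission grant spelled differently) is rejected with 403 — but now that the TODO is gone nothing says this is deliberate, so a comment such as `// Only all-permission tokens ("*") may use the GraphQL API for now; any other scope string is rejected rather than parsed until granular scopes are enforced here.` would stop a later maintainer from relaxing it into a substring or prefix match. The check sits after the token has already been resolved to `user` and before `ctx := context.WithValue(r.Context(), userCtxKey, &user)`, so the request context is never populated for an under-scoped token, which is the right order; where `scopes` is read from is outside the hunk, so whether it is already trimmed or normalized cannot be confirmed from here. The status matches the earlier `authError(..., http.StatusForbidden)` calls in the same function, which keeps the "valid token, insufficient scope" case distinguishable from a missing header only by message text; if callers need a machine-readable distinction, that would belong in `authError`, whose body is not visible in this hunk. As a point of style, the single-line message in the added `authError` call is far longer than the surrounding lines and would read better hoisted into a named package-level `const`. The enclosing handler both starts and ends outside the hunk.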