feat: OAuth scopes for orgs and teams #28040
Open
supalarry wants to merge 6 commits into lauris/cal-7030-feat-oauth-client-scopes from
Conversation
Contributor
2 issues found across 3 files (changes from recent commits).
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="apps/api/v2/src/modules/auth/guards/oauth-permissions/oauth-permissions.guard.e2e-spec.ts">
<violation number="1" location="apps/api/v2/src/modules/auth/guards/oauth-permissions/oauth-permissions.guard.e2e-spec.ts:235">
P3: This helper duplicates the existing getAccessToken logic; consider generalizing the existing helper to accept an optional userId or reuse it instead of reimplementing the OAuth token exchange flow.</violation>
</file>
<file name="apps/api/v2/src/modules/auth/guards/roles/roles.guard.ts">
<violation number="1" location="apps/api/v2/src/modules/auth/guards/roles/roles.guard.ts:30">
P1: Security: Bypassing RolesGuard for third-party tokens conflates OAuth *scope* authorization with *role/membership* authorization. OAuthPermissionsGuard only checks that the token has the right scopes — it does not verify the user's role within a specific org/team. This means a third-party token with e.g. `ORG_PROFILE_READ` scope could access endpoints requiring `ORG_ADMIN` role, because the role check is skipped entirely. Scopes and roles are orthogonal authorization layers and should both be enforced.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
Contributor
Devin AI is addressing Cubic AI's review feedback. A Devin session has been created to address the issues identified by Cubic AI.
Contributor
I reviewed both Cubic AI comments and checked their confidence scores:
Per the review policy, only issues with confidence ≥ 9/10 are auto-fixed. Neither issue meets that bar, so no changes were made in this pass. The PR author should evaluate both findings manually — particularly the P1 security concern about orthogonal scope vs. role authorization.
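The P1 finding discussed in both reviews above, worked through as an added example that is not part of this PR or of Cal.com's code: a combined check that enforces OAuth scopes and org/team role together, beside the bypass pattern the reviewer flags. The scope `ORG_PROFILE_READ` and role name `ORG_ADMIN` come from the review; the role hierarchy, the `org:<id>` membership keys and all type and function names are assumptions made for illustration.

```typescript
// Added example, not Cal.com's code. Role hierarchy and all names are assumed.
type Role = "MEMBER" | "ADMIN" | "OWNER";

// Higher number = more privilege (assumed hierarchy; ORG_ADMIN maps to ADMIN here).
const ROLE_RANK: Record<Role, number> = { MEMBER: 1, ADMIN: 2, OWNER: 3 };

interface Principal {
  userId: number;
  isThirdPartyToken: boolean;        // token issued to an OAuth client, not a session
  scopes: string[];                  // OAuth scopes carried by the token
  memberships: Record<string, Role>; // "org:<id>" or "team:<id>" -> user's role there
}

interface Requirement {
  resource: string;  // e.g. "org:42"
  scopes: string[];  // every listed scope must be present on a third-party token
  minRole?: Role;    // minimum membership role on the resource, if the route needs one
}

const hasScopes = (p: Principal, r: Requirement): boolean =>
  r.scopes.every((s) => p.scopes.includes(s));

const hasRole = (p: Principal, r: Requirement): boolean => {
  if (!r.minRole) return true;
  const role = p.memberships[r.resource];
  return role !== undefined && ROLE_RANK[role] >= ROLE_RANK[r.minRole];
};

// The pattern flagged as P1: the role check is skipped whenever the token is third-party,
// so a read-only scope is enough to reach an admin-only route.
function authorizeBypassingRoles(p: Principal, r: Requirement): boolean {
  if (p.isThirdPartyToken) return hasScopes(p, r);
  return hasRole(p, r);
}

// Hardened: scopes bound what the token may do, roles bound what the user may do;
// both layers must pass. First-party session tokens are assumed to carry no scope limit.
function authorize(p: Principal, r: Requirement): boolean {
  const scopesOk = p.isThirdPartyToken ? hasScopes(p, r) : true;
  return scopesOk && hasRole(p, r);
}

// Constructed sample: third-party token with only a read scope, held by a plain member.
const member: Principal = {
  userId: 7, isThirdPartyToken: true,
  scopes: ["ORG_PROFILE_READ"], memberships: { "org:42": "MEMBER" },
};
const adminOnly: Requirement = { resource: "org:42", scopes: ["ORG_PROFILE_READ"], minRole: "ADMIN" };
```

With the sample above, `authorizeBypassingRoles(member, adminOnly)` returns true while `authorize(member, adminOnly)` returns false, which is exactly the gap the P1 comment describes.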
Fixes #27893