Closed
This is a tracking issue for the RFC "crates.io Token Scopes" (rust-lang/rfcs#2947).
Steps:
Backend:
- add token scopes to the database (database/api_tokens: Add `crate_scopes` and `endpoint_scopes` columns #5562)
- check token scopes for authenticated endpoints (Implement token scope restrictions for our endpoints #5572)
- implement API support for token scopes (Add `crate_scopes` and `endpoint_scopes` fields to the `PUT /me/tokens` API endpoint #5973 and `GET /me/tokens`: Add `crate_scopes` and `endpoint_scopes` fields #6310)
Frontend:
- create a dedicated token creation route (Add new `settings/tokens/new` page #6395)
- implement support for endpoint scopes on the route (settings/tokens/new: Add "Scopes" section #6428)
- implement support for crate scopes on the route (settings/tokens/new: Add "Crates" section #6432)
- show token scopes in the API token list (settings/tokens: Display endpoint/crate scopes if they exist #6450)
The exact details of these steps are still TBD. Feel free to discuss here or contact the @rust-lang/crates-io team if you have any questions. It might be best to discuss the plans first before working on and opening a PR.
Unresolved questions:
- Are there more scopes that would be useful to implement from the start?
- Is the current behavior of crate scopes on endpoints that don't interact with crates the best, or should a token with crate scopes prevent access to endpoints that don't act on crates?