Review Code Suggestions API token scope logic
The following discussion from !185072 (merged) should be addressed:
- @mkaeppler started a discussion: (+3 comments)

  > @eduardobonet I was not able to fix this test 🤔 It keeps returning 200 for me. I cannot see how this would be related to Cloud Connector (since this tests API responses based on what kind of PAT was sent, which is unrelated to CC). Any ideas what's going on here?
While working on !185072 (merged), I ran into a problem where the test mentioned above would pass with 200 OK when instead it should fail with 403 Forbidden, depending on which scopes the API token has:
```shell
bin/rspec ee/spec/requests/api/code_suggestions_spec.rb -e 'when using token with :read_api scope'
```

```
when using token with :read_api scope
#<PersonalAccessToken:0x0000ffff52340c90
 id: 1929,
 user_id: 895,
 name: "PAT 2",
 revoked: false,
 expires_at: Wed, 23 Apr 2025,
 created_at: Mon, 24 Mar 2025 14:59:08.696873557 UTC +00:00,
 updated_at: Mon, 24 Mar 2025 14:59:08.696873557 UTC +00:00,
 scopes: ["read_api"],
 impersonation: false,
 token_digest: "cD+tDpT5FB7XnSHcy3oJN+D4OCDJN+t5x/GSmEJf9Ik=",
 expire_notification_delivered: false,
 last_used_at: nil,
 after_expiry_notification_delivered: false,
 previous_personal_access_token_id: nil,
 organization_id: 1320,
 seven_days_notification_sent_at: nil,
 thirty_days_notification_sent_at: nil,
 sixty_days_notification_sent_at: nil,
 description: "[FILTERED]">
"Bearer glpat-bzoxMG8KdTpvdtoi6ehcsmeK065bpj_iEr4Q.100dukvhl"
post-auth
  is expected to respond with numeric status code forbidden (FAILED - 1)
```
I tried to verify what the behavior was in production, and found that the Workflow IDE extension will fail with an error unless the token has scope `api`. This is also the default scope we add when logging in via the IDE. You can reproduce this by creating a PAT with scope `ai_features` and then logging into the IDE with this PAT.
I think we should review what the expectations are for this endpoint in terms of token scopes and make changes where necessary.
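As an added illustration of the fail-closed behaviour the spec above expects (this is example code written for this issue, not GitLab's own authorization code), the snippet below maps a PAT to the status an endpoint should answer with. The allowed scope set (`api` only) is an assumption taken from the production observation above, and the `Token` struct is a stand-in for the `PersonalAccessToken` fields visible in the spec output; the sample tokens are constructed.

```ruby
# Example code written for this issue, not GitLab's own authorization logic.
# Demonstrates a fail-closed scope check: a token that authenticates but lacks
# an allowed scope gets 403, exactly what the :read_api spec expects.
require 'date'

# ASSUMPTION: only `api` grants access, mirroring the observation that the IDE
# works with `api` and fails with `ai_features`. The real endpoint's scope
# policy is what this issue asks to review.
ALLOWED_SCOPES = %w[api].freeze

# Stand-in for the PersonalAccessToken fields shown in the spec output.
Token = Struct.new(:scopes, :revoked, :expires_at, keyword_init: true)

# Returns the HTTP status the endpoint should respond with.
# 401: no usable credential (missing, revoked, expired).
# 403: authenticated, but no scope in ALLOWED_SCOPES.
# 200: live token holding at least one allowed scope.
def authorize_status(token, today: Date.today)
  return 401 if token.nil?
  return 401 if token.revoked
  return 401 if token.expires_at && token.expires_at < today

  scopes = Array(token.scopes).map(&:to_s)
  return 403 if (scopes & ALLOWED_SCOPES).empty?

  200
end

# Constructed sample tokens covering the cases discussed in the issue plus the
# validity edge cases a scope check must not let through.
def sample_results(today: Date.new(2025, 3, 24))
  cases = {
    'read_api only'   => Token.new(scopes: ['read_api'], revoked: false, expires_at: Date.new(2025, 4, 23)),
    'api'             => Token.new(scopes: ['api'], revoked: false, expires_at: Date.new(2025, 4, 23)),
    'ai_features'     => Token.new(scopes: ['ai_features'], revoked: false, expires_at: nil),
    'api but revoked' => Token.new(scopes: ['api'], revoked: true, expires_at: nil),
    'api but expired' => Token.new(scopes: ['api'], revoked: false, expires_at: Date.new(2025, 3, 1)),
    'no scopes'       => Token.new(scopes: [], revoked: false, expires_at: nil)
  }
  cases.transform_values { |t| authorize_status(t, today: today) }
end

if __FILE__ == $PROGRAM_NAME
  sample_results.each { |name, status| puts "#{name.ljust(16)} -> #{status}" }
end
```

The point of the explicit allowlist is that any scope not named (including `read_api`, which is enough to read most of the REST API) is denied rather than implicitly accepted, so a spec like the failing one above pins that decision down.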