feat: add API permission scopes for custom features #697

Closed
opened 2026-06-25 14:05:09 +00:00 by jmiller · 0 comments
Owner

Summary

Our custom features (licensing, metadata, update server, issue statuses, wiki extensions, org branch protection) currently lack proper API token permission scopes. Any token with basic repo access can call these endpoints. We need granular permission scopes so tokens can be restricted to only the features they need.

Features needing scopes

  • Licensing API (16 endpoints in /api/v1/licensing/) - manage licenses, entitlements, activations, product tiers
  • Metadata API (/api/v1/repos/{owner}/{repo}/metadata) - repo manifest/deploy fields
  • Update Server - stream config, download gating
  • Issue Statuses - custom status CRUD
  • Wiki Extensions - categories, backlinks, search, templates
  • Org Branch Protection - org-level branch rules

Approach

  1. Define new scope constants (e.g. scope:licensing, scope:metadata, scope:update_server)
  2. Register scopes in the token creation UI and API
  3. Add scope checks to each custom endpoint's middleware/handler
  4. Update API docs/swagger with required scopes
  5. Ensure backward compatibility - existing tokens with broad access continue to work

Acceptance Criteria

  • Each custom feature has its own API scope
  • Token creation UI shows the new scopes
  • Endpoints return 403 when token lacks required scope
  • Existing admin/full-access tokens are unaffected
  • API docs list required scopes per endpoint
## Summary Our custom features (licensing, metadata, update server, issue statuses, wiki extensions, org branch protection) currently lack proper API token permission scopes. Any token with basic repo access can call these endpoints. We need granular permission scopes so tokens can be restricted to only the features they need. ## Features needing scopes - **Licensing API** (16 endpoints in `/api/v1/licensing/`) - manage licenses, entitlements, activations, product tiers - **Metadata API** (`/api/v1/repos/{owner}/{repo}/metadata`) - repo manifest/deploy fields - **Update Server** - stream config, download gating - **Issue Statuses** - custom status CRUD - **Wiki Extensions** - categories, backlinks, search, templates - **Org Branch Protection** - org-level branch rules ## Approach 1. Define new scope constants (e.g. `scope:licensing`, `scope:metadata`, `scope:update_server`) 2. Register scopes in the token creation UI and API 3. Add scope checks to each custom endpoint's middleware/handler 4. Update API docs/swagger with required scopes 5. Ensure backward compatibility - existing tokens with broad access continue to work ## Acceptance Criteria - [ ] Each custom feature has its own API scope - [ ] Token creation UI shows the new scopes - [ ] Endpoints return 403 when token lacks required scope - [ ] Existing admin/full-access tokens are unaffected - [ ] API docs list required scopes per endpoint
Sign in to join this conversation.