crate/update: Add support for scoped API tokens

Turbo87 · Turbo87 · commit 1b5fb23cccfb · 2025-11-20T16:44:01.000+01:00
diff --git a/src/controllers/krate/update.rs b/src/controllers/krate/update.rs
@@ -3,9 +3,10 @@ use crate::auth::AuthCheck;
 use crate::controllers::krate::CratePath;
 use crate::email::EmailMessage;
 use crate::middleware::real_ip::RealIp;
+use crate::models::token::EndpointScope;
 use crate::models::{Crate, User};
 use crate::schema::*;
-use crate::util::errors::{AppResult, crate_not_found, custom};
+use crate::util::errors::{AppResult, crate_not_found, custom, forbidden};
 use crate::views::EncodableCrate;
 use anyhow::Context;
 use axum::{Extension, Json};
@@ -52,12 +53,25 @@ pub async fn update_crate(
 ) -> AppResult<Json<PatchResponse>> {
     let mut conn = app.db_write().await?;
 
-    // Check that the user is authenticated
-    let auth = AuthCheck::only_cookie().check(&req, &mut conn).await?;
-
     // Check that the crate exists
     let krate = path.load_crate(&mut conn).await?;
 
+    // Check that the user is authenticated with appropriate permissions
+    let auth = AuthCheck::default()
+        .with_endpoint_scope(EndpointScope::TrustedPublishing)
+        .for_crate(&krate.name)
+        .check(&req, &mut conn)
+        .await?;
+
+    if auth
+        .api_token()
+        .is_some_and(|token| token.endpoint_scopes.is_none())
+    {
+        return Err(forbidden(
+            "This endpoint cannot be used with legacy API tokens. Use a scoped API token instead.",
+        ));
+    }
+
     // Update crate settings in a transaction
     conn.transaction(|conn| {
         update_inner(conn, &app, &krate, auth.user(), &real_ip, body).scope_boxed()
diff --git a/src/tests/routes/crates/update.rs b/src/tests/routes/crates/update.rs
@@ -1,5 +1,6 @@
 use crate::builders::CrateBuilder;
 use crate::util::{RequestHelper, TestApp};
+use crates_io::models::token::{CrateScope, EndpointScope};
 use insta::{assert_json_snapshot, assert_snapshot};
 
 #[tokio::test(flavor = "multi_thread")]
@@ -123,3 +124,139 @@ async fn test_update_nonexistent_crate() {
 
     assert_eq!(app.emails().await.len(), 0);
 }
+
+mod auth {
+    use super::*;
+
+    const CRATE_NAME: &str = "foo";
+
+    async fn prepare() -> (TestApp, crate::util::MockCookieUser) {
+        let (app, _, user) = TestApp::full().with_user().await;
+        let mut conn = app.db_conn().await;
+
+        // Create a crate
+        let owner_id = user.as_model().id;
+        CrateBuilder::new(CRATE_NAME, owner_id)
+            .expect_build(&mut conn)
+            .await;
+
+        (app, user)
+    }
+
+    #[tokio::test(flavor = "multi_thread")]
+    async fn token_user_with_legacy_token() {
+        let (app, user) = prepare().await;
+        let token = user.db_new_token("test-token").await;
+
+        let url = format!("/api/v1/crates/{}", CRATE_NAME);
+        let body = serde_json::json!({ "trustpub_only": true });
+        let response = token.patch::<()>(&url, body.to_string()).await;
+        assert_snapshot!(response.status(), @"403 Forbidden");
+        assert_snapshot!(response.text(), @r#"{"errors":[{"detail":"This endpoint cannot be used with legacy API tokens. Use a scoped API token instead."}]}"#);
+
+        assert_eq!(app.emails().await.len(), 0);
+    }
+
+    #[tokio::test(flavor = "multi_thread")]
+    async fn token_user_with_correct_endpoint_scope() {
+        let (app, user) = prepare().await;
+        let token = user
+            .db_new_scoped_token(
+                "test-token",
+                None,
+                Some(vec![EndpointScope::TrustedPublishing]),
+                None,
+            )
+            .await;
+
+        let url = format!("/api/v1/crates/{}", CRATE_NAME);
+        let body = serde_json::json!({ "trustpub_only": true });
+        let response = token.patch::<()>(&url, body.to_string()).await;
+        assert_snapshot!(response.status(), @"200 OK");
+
+        assert!(!app.emails().await.is_empty());
+    }
+
+    #[tokio::test(flavor = "multi_thread")]
+    async fn token_user_with_incorrect_endpoint_scope() {
+        let (app, user) = prepare().await;
+        let token = user
+            .db_new_scoped_token(
+                "test-token",
+                None,
+                Some(vec![EndpointScope::PublishUpdate]),
+                None,
+            )
+            .await;
+
+        let url = format!("/api/v1/crates/{}", CRATE_NAME);
+        let body = serde_json::json!({ "trustpub_only": true });
+        let response = token.patch::<()>(&url, body.to_string()).await;
+        assert_snapshot!(response.status(), @"403 Forbidden");
+        assert_snapshot!(response.text(), @r#"{"errors":[{"detail":"this token does not have the required permissions to perform this action"}]}"#);
+
+        assert_eq!(app.emails().await.len(), 0);
+    }
+
+    #[tokio::test(flavor = "multi_thread")]
+    async fn token_user_with_only_crate_scope() {
+        let (app, user) = prepare().await;
+        let token = user
+            .db_new_scoped_token(
+                "test-token",
+                Some(vec![CrateScope::try_from(CRATE_NAME).unwrap()]),
+                None,
+                None,
+            )
+            .await;
+
+        let url = format!("/api/v1/crates/{}", CRATE_NAME);
+        let body = serde_json::json!({ "trustpub_only": true });
+        let response = token.patch::<()>(&url, body.to_string()).await;
+        assert_snapshot!(response.status(), @"403 Forbidden");
+        assert_snapshot!(response.text(), @r#"{"errors":[{"detail":"This endpoint cannot be used with legacy API tokens. Use a scoped API token instead."}]}"#);
+
+        assert_eq!(app.emails().await.len(), 0);
+    }
+
+    #[tokio::test(flavor = "multi_thread")]
+    async fn token_user_with_incorrect_crate_scope() {
+        let (app, user) = prepare().await;
+        let token = user
+            .db_new_scoped_token(
+                "test-token",
+                Some(vec![CrateScope::try_from("bar").unwrap()]),
+                Some(vec![EndpointScope::TrustedPublishing]),
+                None,
+            )
+            .await;
+
+        let url = format!("/api/v1/crates/{}", CRATE_NAME);
+        let body = serde_json::json!({ "trustpub_only": true });
+        let response = token.patch::<()>(&url, body.to_string()).await;
+        assert_snapshot!(response.status(), @"403 Forbidden");
+        assert_snapshot!(response.text(), @r#"{"errors":[{"detail":"this token does not have the required permissions to perform this action"}]}"#);
+
+        assert_eq!(app.emails().await.len(), 0);
+    }
+
+    #[tokio::test(flavor = "multi_thread")]
+    async fn token_user_with_both_scopes() {
+        let (app, user) = prepare().await;
+        let token = user
+            .db_new_scoped_token(
+                "test-token",
+                Some(vec![CrateScope::try_from(CRATE_NAME).unwrap()]),
+                Some(vec![EndpointScope::TrustedPublishing]),
+                None,
+            )
+            .await;
+
+        let url = format!("/api/v1/crates/{}", CRATE_NAME);
+        let body = serde_json::json!({ "trustpub_only": true });
+        let response = token.patch::<()>(&url, body.to_string()).await;
+        assert_snapshot!(response.status(), @"200 OK");
+
+        assert!(!app.emails().await.is_empty());
+    }
+}
