fix(registry): restore protocol routing and test coverage for npm, oci, and api flows

2026-03-22 08:59:34 +00:00
parent 2d84470688
commit 3b2aa57b7d
14 changed files with 312 additions and 109 deletions
--- a/ts/providers/auth.provider.ts
+++ b/ts/providers/auth.provider.ts
@@ -144,15 +144,30 @@ export class StackGalleryAuthProvider implements plugins.smartregistry.IAuthProv
    // Map action
    const mappedAction = this.mapAction(action);

-    // For simple authorization without specific resource context,
-    // check if user is active
+    // Check if user is active
    const user = await User.findById(userId);
    if (!user || !user.isActive) return false;

    // System admins bypass all checks
    if (user.isSystemAdmin) return true;

-    return mappedAction === 'read'; // Default: authenticated users can read
+    // Check token scopes for the requested action
+    if (token.scopes) {
+      for (const scope of token.scopes) {
+        // Scope format: "protocol:action1,action2" or "*"
+        if (scope === '*') return true;
+        const [, actions] = scope.split(':');
+        if (actions) {
+          const actionList = actions.split(',');
+          if (actionList.includes(mappedAction) || actionList.includes('*')) {
+            return true;
+          }
+        }
+      }
+    }
+
+    // Default: authenticated users can read
+    return mappedAction === 'read';
  }

  /**