Logflare / logflare / 52446c207a7bcf246ec8bb794b46d575519fff6e
Coverage badge: 81%

Build:
DEFAULT BRANCH: main
Ran 21 May 2026 11:44AM UTC
Jobs 1
Files 474
Run time 2min
21 May 2026 11:31AM UTC coverage: 80.467% (+0.06%) from 80.409%
Commit 52446c207a7bcf246ec8bb794b46d575519fff6e · push · github · web-flow
fix: prevent mass assignment of token scopes via user-controlled input (#3419)

* Fix mass assignment of token scopes via user-controlled input

Removes :scopes from the Ecto.Changeset cast list in Auth.create_access_token/2,
preventing attackers from injecting privileged scopes (e.g. "partner") via HTTP
request params.

Scopes are now accepted only via a server-side opts keyword argument:
  Auth.create_access_token(entity, attrs, scopes: "ingest")

Partner tokens always receive the "partner" scope server-side regardless of opts.
Updates all callers and tests to use the new three-argument form.

https://claude.ai/code/session_017y61M55BSqZyWgMaFLxBBa

* test: add regression tests for token scope mass assignment fix

Verifies that user-supplied attrs cannot inject the partner scope into
user tokens, and that partner tokens always receive exactly the partner
scope regardless of caller-provided opts.

https://claude.ai/code/session_017y61M55BSqZyWgMaFLxBBa

* fix: enforce partner-scope rejection at the Auth boundary

Move the partner-scope rejection out of the HTTP controller and into
Auth.create_access_token/3 so every caller — controller, LiveView,
internal code — gets the same guarantee without duplicating the check.

Adds a server-side allow-list filter in the access tokens LiveView so
crafted Phoenix form payloads can't smuggle scopes the UI doesn't
expose (e.g. `scopes_main: ["partner"]` via raw websocket frame).

Also restores the OAuth provider's `default_scopes: ~w(public)` for
API callers that omit the `scopes` field; the prior change was
overwriting it with the empty string.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* refactor: clarify scope-rejection helper and broaden test coverage

Renames the private `sanitize_user_scopes/1` to `reject_partner_scope/1`
so the name reflects its actual behavior (returns `{:error,
:unauthorized}` rather than a sanitized value), drops a now-redundant
comment, and tightens the `crea... (continued)

30 of 30 new or added lines in 3 files covered. (100.0%)

3 existing lines in 2 files now uncovered.

12651 of 15722 relevant lines covered (80.47%)

3762.56 hits per line

Coverage Regressions

Lines  Coverage  ∆        File
2      72.31     -3.08%   lib/logflare/logs/search_query_executor.ex
1      30.77     -3.85%   lib/logflare/sources/source/text_notification_server.ex
Jobs

ID  Job ID                                      Ran                      Files  Coverage
1   52446c207a7bcf246ec8bb794b46d575519fff6e.1  21 May 2026 11:44AM UTC  474    80.47
GitHub Action Run
Source Files on build 52446c207a7bcf246ec8bb794b46d575519fff6e
  • List 474
  • Changed 6
  • Source Changed 0
  • Coverage Changed 6

© 2026 Coveralls, Inc