Begin cleaning up OAuth scope handling

Summary:
Ref T7303. OAuth scope handling never got fully modernized and is a bit of a mess.

Also introduce implicit "ALWAYS" and "NEVER" scopes.

Always give tokens access to meta-methods like `conduit.getcapabilities` and `conduit.query`. These do not expose user information.

Test Plan:
  - Used a token to call `user.whoami`.
  - Used a token to call `conduit.query`.
  - Used a token to try to call `user.query`, got rebuffed.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T7303

Differential Revision: https://secure.phabricator.com/D15593
epriestley
2016-04-03 08:25:02 -07:00
parent 694a8543d8
commit 60133b6fa5
11 changed files with 138 additions and 81 deletions

@@ -144,7 +144,7 @@ final class PhabricatorOAuthServerTokenController
$result = array(
'access_token' => $access_token->getToken(),
'token_type' => 'Bearer',
'expires_in' => PhabricatorOAuthServer::ACCESS_TOKEN_TIMEOUT,
'expires_in' => $access_token->getExpiresDuration(),
);
return $response->setContent($result);
} catch (Exception $e) {
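Review bot: the `expires_in` value now comes from `$access_token->getExpiresDuration()` instead of the fixed `PhabricatorOAuthServer::ACCESS_TOKEN_TIMEOUT`, but this hunk does not show where that method is defined or what unit it returns; `expires_in` in a bearer token response is the remaining lifetime in seconds, so the method should return seconds relative to the current time rather than an absolute expiry epoch, and the commit message should say why the per-token duration replaces the server-wide constant (the Test Plan only covers scope checks on `user.whoami`, `conduit.query` and `user.query`, not the token response body). Consider extending the test plan with one token request that checks the returned `expires_in` against the token's stored expiry.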