feat: OAuth client scopes

apps/api/v2/src/app.module.ts

@@ -17,11 +17,13 @@ import { UrlencodedBodyMiddleware } from "@/middleware/body/urlencoded.body.midd
 import { ResponseInterceptor } from "@/middleware/request-ids/request-id.interceptor";
 import { RequestIdMiddleware } from "@/middleware/request-ids/request-id.middleware";
 import { AuthModule } from "@/modules/auth/auth.module";
+import { ThirdPartyPermissionsGuard } from "@/modules/auth/guards/third-party-permissions/third-party-permissions.guard";
 import { EndpointsModule } from "@/modules/endpoints.module";
 import { JwtModule } from "@/modules/jwt/jwt.module";
 import { PrismaModule } from "@/modules/prisma/prisma.module";
 import { RedisModule } from "@/modules/redis/redis.module";
 import { RedisService } from "@/modules/redis/redis.service";
+import { TokensModule } from "@/modules/tokens/tokens.module";
 import { VercelWebhookController } from "@/vercel-webhook.controller";
 
 @Module({
@@ -59,6 +61,7 @@ import { VercelWebhookController } from "@/vercel-webhook.controller";
     EndpointsModule,
     AuthModule,
     JwtModule,
+    TokensModule,
   ],
   controllers: [AppController, VercelWebhookController],
   providers: [
@@ -81,6 +84,10 @@ import { VercelWebhookController } from "@/vercel-webhook.controller";
       provide: APP_GUARD,
       useClass: CustomThrottlerGuard,
     },
+    {
+      provide: APP_GUARD,
+      useClass: ThirdPartyPermissionsGuard,
+    },
   ],
 })
 export class AppModule implements NestModule {

apps/api/v2/src/lib/docs/headers.ts

@@ -1,6 +1,5 @@
-import { ApiHeaderOptions } from "@nestjs/swagger";
-
 import { X_CAL_CLIENT_ID, X_CAL_SECRET_KEY } from "@calcom/platform-constants";
+import { ApiHeaderOptions } from "@nestjs/swagger";
 
 export const OPTIONAL_X_CAL_CLIENT_ID_HEADER: ApiHeaderOptions = {
   name: X_CAL_CLIENT_ID,
@@ -42,19 +41,20 @@ export const API_KEY_HEADER: ApiHeaderOptions = {
 export const API_KEY_OR_ACCESS_TOKEN_HEADER: ApiHeaderOptions = {
   name: "Authorization",
   description:
-    "value must be `Bearer <token>` where `<token>` is api key prefixed with cal_ or managed user access token",
+    "value must be `Bearer <token>` where `<token>` is api key prefixed with cal_, managed user access token, or OAuth access token",
   required: true,
 };
 
 export const OPTIONAL_API_KEY_OR_ACCESS_TOKEN_HEADER: ApiHeaderOptions = {
   name: "Authorization",
   description:
-    "value must be `Bearer <token>` where `<token>` is api key prefixed with cal_ or managed user access token",
+    "value must be `Bearer <token>` where `<token>` is api key prefixed with cal_, managed user access token, or OAuth access token",
   required: false,
 };
 
 export const ACCESS_TOKEN_HEADER: ApiHeaderOptions = {
   name: "Authorization",
-  description: "value must be `Bearer <token>` where `<token>` is managed user access token",
+  description:
+    "value must be `Bearer <token>` where `<token>` is managed user access token or OAuth access token",
   required: true,
 };

apps/api/v2/src/lib/modules/oauth.module.ts

@@ -1,13 +1,20 @@
 import { PrismaAccessCodeRepository } from "@/lib/repositories/prisma-access-code.repository";
 import { PrismaOAuthClientRepository } from "@/lib/repositories/prisma-oauth-client.repository";
+import { PrismaOAuthRefreshTokenRepository } from "@/lib/repositories/prisma-oauth-refresh-token.repository";
 import { PrismaTeamRepository } from "@/lib/repositories/prisma-team.repository";
 import { OAuthService } from "@/lib/services/oauth.service";
 import { PrismaModule } from "@/modules/prisma/prisma.module";
 import { Module } from "@nestjs/common";
 
 @Module({
   imports: [PrismaModule],
-  providers: [PrismaAccessCodeRepository, PrismaOAuthClientRepository, PrismaTeamRepository, OAuthService],
+  providers: [
+    PrismaAccessCodeRepository,
+    PrismaOAuthClientRepository,
+    PrismaOAuthRefreshTokenRepository,
+    PrismaTeamRepository,
+    OAuthService,
+  ],
   exports: [OAuthService],
 })
 export class oAuthServiceModule {}

apps/api/v2/src/lib/repositories/prisma-oauth-refresh-token.repository.ts

@@ -0,0 +1,12 @@
+import { PrismaWriteService } from "@/modules/prisma/prisma-write.service";
+import { Injectable } from "@nestjs/common";
+
+import { PrismaOAuthRefreshTokenRepository as PrismaOAuthRefreshTokenRepositoryLib } from "@calcom/platform-libraries/repositories";
+import type { PrismaClient } from "@calcom/prisma";
+
+@Injectable()
+export class PrismaOAuthRefreshTokenRepository extends PrismaOAuthRefreshTokenRepositoryLib {
+  constructor(private readonly dbWrite: PrismaWriteService) {
+    super(dbWrite.prisma as unknown as PrismaClient);
+  }
+}

apps/api/v2/src/lib/services/oauth.service.ts

@@ -3,6 +3,7 @@ import { OAuthService as BaseOAuthService } from "@calcom/platform-libraries";
 import { Injectable } from "@nestjs/common";
 import { PrismaAccessCodeRepository } from "@/lib/repositories/prisma-access-code.repository";
 import { PrismaOAuthClientRepository } from "@/lib/repositories/prisma-oauth-client.repository";
+import { PrismaOAuthRefreshTokenRepository } from "@/lib/repositories/prisma-oauth-refresh-token.repository";
 import { PrismaTeamRepository } from "@/lib/repositories/prisma-team.repository";
 import type { OAuth2ExchangeInput } from "@/modules/auth/oauth2/inputs/exchange.input";
 import { OAuth2ExchangeConfidentialInput } from "@/modules/auth/oauth2/inputs/exchange.input";
@@ -15,12 +16,14 @@ export class OAuthService extends BaseOAuthService {
   constructor(
     accessCodeRepository: PrismaAccessCodeRepository,
     oAuthClientRepository: PrismaOAuthClientRepository,
+    oAuthRefreshTokenRepository: PrismaOAuthRefreshTokenRepository,
     teamsRepository: PrismaTeamRepository
   ) {
     super({
-      accessCodeRepository: accessCodeRepository,
-      oAuthClientRepository: oAuthClientRepository,
-      teamsRepository: teamsRepository,
+      accessCodeRepository,
+      oAuthClientRepository,
+      oAuthRefreshTokenRepository,
+      teamsRepository,
     });
   }
 

apps/api/v2/src/modules/auth/guards/permissions/permissions.guard.spec.ts

@@ -1,15 +1,13 @@
-import { OAuthClientRepository } from "@/modules/oauth-clients/oauth-client.repository";
-import { OAuthClientsOutputService } from "@/modules/oauth-clients/services/oauth-clients/oauth-clients-output.service";
-import { TokensRepository } from "@/modules/tokens/tokens.repository";
-import { TokensService } from "@/modules/tokens/tokens.service";
+import { APPS_WRITE, SCHEDULE_READ, SCHEDULE_WRITE } from "@calcom/platform-constants";
 import { createMock } from "@golevelup/ts-jest";
 import { ExecutionContext } from "@nestjs/common";
 import { ConfigService } from "@nestjs/config";
 import { Reflector } from "@nestjs/core";
-
-import { APPS_WRITE, SCHEDULE_READ, SCHEDULE_WRITE } from "@calcom/platform-constants";
-
 import { PermissionsGuard } from "./permissions.guard";
+import { OAuthClientRepository } from "@/modules/oauth-clients/oauth-client.repository";
+import { OAuthClientsOutputService } from "@/modules/oauth-clients/services/oauth-clients/oauth-clients-output.service";
+import { TokensRepository } from "@/modules/tokens/tokens.repository";
+import { TokensService } from "@/modules/tokens/tokens.service";
 
 describe("PermissionsGuard", () => {
   let guard: PermissionsGuard;
@@ -76,6 +74,7 @@ describe("PermissionsGuard", () => {
     it("should return true for valid permissions", async () => {
       const mockContext = createMockExecutionContext({ Authorization: "Bearer token" });
       jest.spyOn(reflector, "get").mockReturnValue([SCHEDULE_WRITE]);
+      jest.spyOn(guard, "getDecodedThirdPartyAccessToken").mockReturnValue(null);
 
       let oAuthClientPermissions = 0;
       oAuthClientPermissions |= SCHEDULE_WRITE;
@@ -88,6 +87,7 @@ describe("PermissionsGuard", () => {
     it("should return true for multiple valid permissions", async () => {
       const mockContext = createMockExecutionContext({ Authorization: "Bearer token" });
       jest.spyOn(reflector, "get").mockReturnValue([SCHEDULE_WRITE, SCHEDULE_READ]);
+      jest.spyOn(guard, "getDecodedThirdPartyAccessToken").mockReturnValue(null);
 
       let oAuthClientPermissions = 0;
       oAuthClientPermissions |= SCHEDULE_WRITE;
@@ -143,15 +143,40 @@ describe("PermissionsGuard", () => {
       );
     });
 
-    it("should return true for 3rd party access token", async () => {
-      const mockContext = createMockExecutionContext({ Authorization: "Bearer token" });
-      jest.spyOn(guard, "getDecodedThirdPartyAccessToken").mockReturnValue({
-        scope: ["scope"],
-        token_type: "Bearer",
+    describe("delegates 3rd party access token validation to ThirdPartyPermissionsGuard", () => {
+      it("should return true for 3rd party access token with legacy scopes for backward compatibility", async () => {
+        const mockContext = createMockExecutionContext({ Authorization: "Bearer token" });
+        jest.spyOn(reflector, "get").mockReturnValue([SCHEDULE_WRITE]);
+        jest.spyOn(guard, "getDecodedThirdPartyAccessToken").mockReturnValue({
+          scope: ["READ_BOOKING"],
+          token_type: "Bearer",
+        });
+
+        await expect(guard.canActivate(mockContext)).resolves.toBe(true);
       });
-
-      await expect(guard.canActivate(mockContext)).resolves.toBe(true);
-    });
+
+      it("should return true for 3rd party access token with empty scopes for backward compatibility", async () => {
+        const mockContext = createMockExecutionContext({ Authorization: "Bearer token" });
+        jest.spyOn(reflector, "get").mockReturnValue([SCHEDULE_WRITE]);
+        jest.spyOn(guard, "getDecodedThirdPartyAccessToken").mockReturnValue({
+          scope: [],
+          token_type: "Bearer",
+        });
+
+        await expect(guard.canActivate(mockContext)).resolves.toBe(true);
+      });
+
+      it("should return true for 3rd party access token and delegate to ThirdPartyPermissionsGuard", async () => {
+        const mockContext = createMockExecutionContext({ Authorization: "Bearer token" });
+        jest.spyOn(reflector, "get").mockReturnValue([SCHEDULE_WRITE]);
+        jest.spyOn(guard, "getDecodedThirdPartyAccessToken").mockReturnValue({
+          scope: ["BOOKING_READ"],
+          token_type: "Bearer",
+        });
+
+        await expect(guard.canActivate(mockContext)).resolves.toBe(true);
+      });
+    })
   });
 
   describe("when OAuth id is provided", () => {

apps/api/v2/src/modules/auth/guards/permissions/permissions.guard.ts

@@ -1,17 +1,16 @@
+import { X_CAL_CLIENT_ID } from "@calcom/platform-constants";
+import { hasPermissions } from "@calcom/platform-utils";
+import type { PlatformOAuthClient } from "@calcom/prisma/client";
+import { CanActivate, ExecutionContext, ForbiddenException, Injectable } from "@nestjs/common";
+import { ConfigService } from "@nestjs/config";
+import { Reflector } from "@nestjs/core";
+import { getToken } from "next-auth/jwt";
 import { isApiKey } from "@/lib/api-key";
 import { Permissions } from "@/modules/auth/decorators/permissions/permissions.decorator";
 import { OAuthClientRepository } from "@/modules/oauth-clients/oauth-client.repository";
 import { OAuthClientsOutputService } from "@/modules/oauth-clients/services/oauth-clients/oauth-clients-output.service";
 import { TokensRepository } from "@/modules/tokens/tokens.repository";
 import { TokensService } from "@/modules/tokens/tokens.service";
-import { Injectable, CanActivate, ExecutionContext, ForbiddenException } from "@nestjs/common";
-import { ConfigService } from "@nestjs/config";
-import { Reflector } from "@nestjs/core";
-import { getToken } from "next-auth/jwt";
-
-import { X_CAL_CLIENT_ID } from "@calcom/platform-constants";
-import { hasPermissions } from "@calcom/platform-utils";
-import type { PlatformOAuthClient } from "@calcom/prisma/client";
 
 @Injectable()
 export class PermissionsGuard implements CanActivate {
@@ -37,10 +36,9 @@ export class PermissionsGuard implements CanActivate {
     const nextAuthToken = await getToken({ req: request, secret: nextAuthSecret });
     const oAuthClientId = request.params?.clientId || request.get(X_CAL_CLIENT_ID);
     const apiKey = bearerToken && isApiKey(bearerToken, this.config.get("api.apiKeyPrefix") ?? "cal_");
-    const isThirdPartyBearerToken = bearerToken && this.getDecodedThirdPartyAccessToken(bearerToken);
+    const decodedThirdPartyToken = bearerToken ? this.getDecodedThirdPartyAccessToken(bearerToken) : null;
 
-    // only check permissions for accessTokens attached to platform oAuth Client or platform oAuth credentials, not for next token or api key or third party oauth client
-    if (nextAuthToken || apiKey || isThirdPartyBearerToken) {
+    if (nextAuthToken || apiKey || decodedThirdPartyToken) {
       return true;
     }