Check scopes on login.

When performing a login, check that the scopes returned are what we expect, otherwise throw an exception causing a new login to be required.

Author: grokys

src/GitHub.Api/ApiClientConfiguration.cs

@@ -1,4 +1,5 @@
 using System;
+using System.Collections.Generic;
 using System.Globalization;
 using System.Linq;
 using System.Net;
@@ -33,6 +34,11 @@ static ApiClientConfiguration()
         /// </summary>
         public static string ClientSecret { get; private set; }
 
+        /// <summary>
+        /// Gets the scopes required by the application.
+        /// </summary>
+        public static IReadOnlyList<string> RequiredScopes { get; } = new[] { "user", "repo", "gist", "write:public_key" };
+
         /// <summary>
         /// Gets a note that will be stored with the OAUTH token.
         /// </summary>

src/GitHub.Api/GitHub.Api.csproj

@@ -46,6 +46,10 @@
   </PropertyGroup>
   <Import Project="$(SolutionDir)\src\common\signing.props" />
   <ItemGroup>
+    <Reference Include="Serilog, Version=2.0.0.0, Culture=neutral, PublicKeyToken=24c2f752a8e58a10, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\Serilog.2.5.0\lib\net46\Serilog.dll</HintPath>
+      <Private>True</Private>
+    </Reference>
     <Reference Include="System" />
     <Reference Include="System.ComponentModel.Composition" />
     <Reference Include="System.Core" />
@@ -64,6 +68,7 @@
     <Compile Include="ApiClientConfiguration_User.cs" Condition="$(Buildtype) != 'Internal'" />
     <Compile Include="IKeychain.cs" />
     <Compile Include="ILoginManager.cs" />
+    <Compile Include="IncorrectScopesException.cs" />
     <Compile Include="ITwoFactorChallengeHandler.cs" />
     <Compile Include="LoginManager.cs" />
     <Compile Include="KeychainCredentialStore.cs" />
@@ -99,6 +104,9 @@
       <Name>GitHub.Logging</Name>
     </ProjectReference>
   </ItemGroup>
+  <ItemGroup>
+    <None Include="packages.config" />
+  </ItemGroup>
   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
   <!-- To modify your build process, add your task inside one of the targets below and uncomment it. 
        Other similar extension points exist, see Microsoft.Common.targets.

src/GitHub.Api/IncorrectScopesException.cs

@@ -0,0 +1,20 @@
+using System;
+
+namespace GitHub.Api
+{
+    /// <summary>
+    /// Thrown when the login for a user does not have the required scopes.
+    /// </summary>
+    public class IncorrectScopesException : Exception
+    {
+        public IncorrectScopesException()
+            : this("You need to sign out and back in.")
+        {
+        }
+
+        public IncorrectScopesException(string message)
+            : base(message)
+        {
+        }
+    }
+}

src/GitHub.Api/LoginManager.cs

@@ -1,9 +1,13 @@
 using System;
+using System.Collections.Generic;
+using System.Linq;
 using System.Net;
 using System.Threading.Tasks;
 using GitHub.Extensions;
+using GitHub.Logging;
 using GitHub.Primitives;
 using Octokit;
+using Serilog;
 
 namespace GitHub.Api
 {
@@ -12,11 +16,14 @@ namespace GitHub.Api
     /// </summary>
     public class LoginManager : ILoginManager
     {
-        readonly string[] scopes = { "user", "repo", "gist", "write:public_key" };
+        const string ScopesHeader = "X-OAuth-Scopes";
+        static readonly ILogger log = LogManager.ForContext<LoginManager>();
+        static readonly Uri UserEndpoint = new Uri("user", UriKind.Relative);
         readonly IKeychain keychain;
         readonly ITwoFactorChallengeHandler twoFactorChallengeHandler;
         readonly string clientId;
         readonly string clientSecret;
+        readonly IReadOnlyList<string> scopes;
         readonly string authorizationNote;
         readonly string fingerprint;
 
@@ -34,6 +41,7 @@ public LoginManager(
             ITwoFactorChallengeHandler twoFactorChallengeHandler,
             string clientId,
             string clientSecret,
+            IReadOnlyList<string> scopes,
             string authorizationNote = null,
             string fingerprint = null)
         {
@@ -46,6 +54,7 @@ public LoginManager(
             this.twoFactorChallengeHandler = twoFactorChallengeHandler;
             this.clientId = clientId;
             this.clientSecret = clientSecret;
+            this.scopes = scopes;
             this.authorizationNote = authorizationNote;
             this.fingerprint = fingerprint;
         }
@@ -106,24 +115,7 @@ public async Task<User> Login(
             } while (auth == null);
 
             await keychain.Save(userName, auth.Token, hostAddress).ConfigureAwait(false);
-
-            var retry = 0;
-
-            while (true)
-            {
-                try
-                {
-                    return await client.User.Current().ConfigureAwait(false);
-                }
-                catch (AuthorizationException)
-                {
-                    if (retry++ == 3) throw;
-                }
-
-                // It seems that attempting to use a token immediately sometimes fails, retry a few
-                // times with a delay of of 1s to allow the token to propagate.
-                await Task.Delay(1000);
-            }
+            return await ReadUserWithRetry(client);
         }
 
         /// <inheritdoc/>
@@ -132,7 +124,7 @@ public Task<User> LoginFromCache(HostAddress hostAddress, IGitHubClient client)
             Guard.ArgumentNotNull(hostAddress, nameof(hostAddress));
             Guard.ArgumentNotNull(client, nameof(client));
 
-            return client.User.Current();
+            return ReadUserWithRetry(client);
         }
 
         /// <inheritdoc/>
@@ -258,5 +250,55 @@ bool EnterpriseWorkaround(HostAddress hostAddress, Exception e)
                  e is ForbiddenException ||
                  apiException?.StatusCode == (HttpStatusCode)422);
         }
+
+        async Task<User> ReadUserWithRetry(IGitHubClient client)
+        {
+            var retry = 0;
+
+            while (true)
+            {
+                try
+                {
+                    return await GetUserAndCheckScopes(client).ConfigureAwait(false);
+                }
+                catch (AuthorizationException)
+                {
+                    if (retry++ == 3) throw;
+                }
+
+                // It seems that attempting to use a token immediately sometimes fails, retry a few
+                // times with a delay of of 1s to allow the token to propagate.
+                await Task.Delay(1000);
+            }
+        }
+
+        async Task<User> GetUserAndCheckScopes(IGitHubClient client)
+        {
+            var response = await client.Connection.Get<User>(
+                UserEndpoint, null, null).ConfigureAwait(false);
+
+            if (response.HttpResponse.Headers.ContainsKey(ScopesHeader))
+            {
+                var returnedScopes = response.HttpResponse.Headers[ScopesHeader]
+                    .Split(',')
+                    .Select(x => x.Trim())
+                    .ToArray();
+
+                if (scopes.Except(returnedScopes).Count() == 0)
+                {
+                    return response.Body;
+                }
+                else
+                {
+                    log.Error("Incorrect API scopes: require {RequiredScopes} but got {Scopes}", scopes, returnedScopes);
+                }
+            }
+            else
+            {
+                log.Error("Error reading scopes: /user succeeded but scopes header was not present");
+            }
+
+            throw new IncorrectScopesException();
+        }
     }
 }

src/GitHub.Api/packages.config

@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packages>
+  <package id="Serilog" version="2.5.0" targetFramework="net461" />
+</packages>

src/GitHub.VisualStudio/GitHubPackage.cs

@@ -220,6 +220,7 @@ async Task<object> CreateService(IAsyncServiceContainer container, CancellationT
                     twoFaHandler,
                     ApiClientConfiguration.ClientId,
                     ApiClientConfiguration.ClientSecret,
+                    ApiClientConfiguration.RequiredScopes,
                     ApiClientConfiguration.AuthorizationNote,
                     ApiClientConfiguration.MachineFingerprint);
             }