fix: authorization scopes use REST resource shape #51
Merged
Subterrane merged 1 commit into main from Apr 16, 2026
The /scopes endpoint on api_authorizations is a standard nested REST
resource (config/api2_routes.rb:65), not a bulk endpoint. POST creates
one scope from {value, description}; DELETE requires the numeric
scope_id in the URL path.
- add_authorization_scopes now takes scopes: [{value, description?}]
and iterates, reporting per-item status
- remove_authorization_scopes now takes scope_ids: [number] (from
list_authorization_scopes) and iterates DELETE .../scopes/{scope_id}
- Both inspect response.success from the API wrapper so per-item
status reflects actual outcomes (the client returns wrapped errors
rather than throwing)
Same shape fix as PR #48 applied to the sibling /clients route.
Fixes #49
Summary
add_authorization_scopes and remove_authorization_scopes were treating /api/2/api_authorizations/{id}/scopes as a bulk endpoint, sending {scopes: [...]}. core-api routes it as a standard nested REST resource (config/api2_routes.rb:65) — each POST creates one scope from {value, description}, each DELETE needs the numeric scope_id in the URL.
/clients; /scopes was overlooked.
response.success from the API wrapper so the status field reflects reality (the client returns wrapped errors rather than throwing).
Fixes #49
Schema changes (breaking for anyone using the broken form)
- add_authorization_scopes: scopes is now Array<{value, description?}> (was string[])
- remove_authorization_scopes: replaces scopes: string[] with scope_ids: number[] (numeric IDs from list_authorization_scopes)
Returns a {results: [...]} envelope with per-item ok/error status, matching the pattern addAuthorizedClients/removeAuthorizedClients already use.
Test plan
Verified end-to-end against Chicken-Shadow:
- add_authorization_scopes with two valid scopes + one whitespace value — two 201s, invalid item returns per-item error "Validation failed: Value may not have any whitespace characters"
- list_authorization_scopes shows the two created with numeric IDs
- remove_authorization_scopes with those IDs + one bogus ID — two oks, bogus gets per-item "The resource with the given id could not be found"
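The per-item removal described in this PR, sketched as an added example (not code from the pull request or the project): one DELETE per numeric scope_id, with each entry's status taken from the wrapper's success flag so a failed revocation is never reported as done. The `client.request(method, path)` signature, the result field names, the stub client, and the IDs 7, 101, 102 and 999 are assumptions constructed for illustration.

```javascript
// Added example, not the project's code. `client.request` and its
// {success, error} wrapper are assumptions modeled on the PR text.

// Constructed stub API: deletes succeed only for scope IDs that exist.
function makeStubClient(existingIds) {
  const live = new Set(existingIds);
  return {
    calls: [],
    async request(method, path) {
      this.calls.push(`${method} ${path}`);
      const scopeId = Number(path.split("/").pop());
      if (method === "DELETE" && live.delete(scopeId)) return { success: true };
      // Wrapped error instead of a throw: callers must check `success`.
      return { success: false, error: "The resource with the given id could not be found" };
    },
  };
}

// One DELETE per numeric scope_id, one result entry per input item.
async function removeAuthorizationScopes(client, authorizationId, scopeIds) {
  const results = [];
  for (const scopeId of scopeIds) {
    // Only positive integers reach the URL path; anything else fails locally.
    if (!Number.isInteger(scopeId) || scopeId <= 0) {
      results.push({ scope_id: scopeId, status: "error", error: "scope_id must be a positive integer" });
      continue;
    }
    const path = `/api/2/api_authorizations/${encodeURIComponent(authorizationId)}/scopes/${scopeId}`;
    const response = await client.request("DELETE", path);
    results.push(response.success
      ? { scope_id: scopeId, status: "ok" }
      : { scope_id: scopeId, status: "error", error: response.error });
  }
  return { results };
}

// Scope IDs whose removal did not succeed; treat these as possibly still granted.
function notRevoked(envelope) {
  return envelope.results.filter((r) => r.status !== "ok").map((r) => r.scope_id);
}

// Demo run against the constructed stub.
removeAuthorizationScopes(makeStubClient([101, 102]), 7, [101, 102, 999])
  .then((env) => console.log(JSON.stringify(env), notRevoked(env)));
```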