fix(api-tokens): preserve scopes on a partial token update (#3407)

PATCH /api/tokens/{id} unconditionally recomputed scopes from payload.get("scopes"). On a rename — body {"name": "..."} with no "scopes" key — that is None, so _normalize_scopes(None) returned the default ["chat"] and the handler overwrote token.scopes, silently dropping every scope the token had been granted (e.g. email:read, calendar:write). Only write scopes when the request actually includes them, and return the token's real stored scopes in the response (matching the GET /tokens display shape) instead of the recomputed default. tests/test_api_token_routes.py: add rename-preserves-scopes, explicit-scopes-applied, and missing-token-404 cases for the PATCH handler.
2026-06-15 17:25:26 -04:00 · 2026-06-08 20:37:31 +03:00
parent d58202d10e
commit 8449baea80
2 changed files with 94 additions and 4 deletions
@@ -155,22 +155,30 @@ def setup_api_token_routes() -> APIRouter:
            payload = await request.json()
        except Exception:
            payload = {}
-        scope_list = _normalize_scopes(payload.get("scopes"))
-        scopes_value = ",".join(scope_list)
        with get_db_session() as db:
            token = db.query(ApiToken).filter(ApiToken.id == token_id).first()
            if not token:
                raise HTTPException(404, "Token not found")
            if isinstance(payload.get("name"), str) and payload["name"].strip():
                token.name = payload["name"].strip()[:MAX_NAME_LEN]
-            token.scopes = scopes_value
+            # Only touch scopes when the caller actually sent them. A partial
+            # update such as a rename ({"name": ...} with no "scopes" key) must
+            # not silently reset the token to the default scope — that dropped
+            # every previously granted scope.
+            if "scopes" in payload:
+                token.scopes = ",".join(_normalize_scopes(payload.get("scopes")))
            db.add(token)
+            current_scopes = [
+                s.strip()
+                for s in (getattr(token, "scopes", "") or DEFAULT_SCOPES).split(",")
+                if s.strip()
+            ]
            response = {
                "id": token_id,
                "name": getattr(token, "name", ""),
                "owner": getattr(token, "owner", None),
                "token_prefix": getattr(token, "token_prefix", ""),
-                "scopes": scope_list,
+                "scopes": current_scopes,
            }
        _invalidate_cache(request)
        return response