right now I’m following the create your own App guide(Creating Your Own App | Speckle Docs) and I need to somehow access the scopes of the currently logged in user. I think that my Graphqlquery is correct but I’m missing the requiered rights to acess a users ApiTokens in my app.
This is the query that I am trying to execute
{
user(id: "some-id") {
id
name
role
apiTokens {
scopes
}
}
}
I get all the data needed in my GetUser function but apiTokens is always “null”.
And this is how I fetch data (basically the code from the guide)
export async function speckleFetch(query: string) {
let token = localStorage.getItem(TOKEN)
if (token)
try {
var res = await fetch(`${SERVER_URL}/graphql`, {
method: "POST",
headers: {
Authorization: "Bearer " + token,
"Content-Type": "application/json"
},
body: JSON.stringify({
query: query
})
})
return await res.json()
} catch (err) {
console.error("API call failed", err)
}
else return Promise.reject("You are not logged in (token does not exist)")
}
Question is: How can I access the scopes of my users? (My user has a personal access token with all scopes activated)
It’s nice to see somebody is reading the guide I wrote!
Not sure if I understand correctly the question but I hope this helps. In order to “talk” to a speckle server you have 2 different strategies:
Using an ApiToken, which identifies anything your app does as done by your account.
Using an App which allows for users to log-in so any action will be taken on their behalf
Both of them will have specific scopes assigned on creation by you and those do not change. In the case of the app, all user’s authenticated through the app will have the same scopes inherited from the App, regardless of their role.
The query that you showed will fetch a user’s created tokens. Not the DB expert but I’m fairly certain nobody else can see your tokens but yourself (as they are used to authenticate as you in the app). And my guess is it comes back empty because you haven’t created one yet (not necessary for the app guide).
I’m fairly certain there is no way to get the scopes of a given app through our apiunless you’re the one that created it. You can access them under createdApps. You can also check what apps a random user has accepted using authorizedApps; though in this case, you don’t have access to the scopes
Could you give us a bit more detail about why do you need to know dynamically these scopes? The idea is for scopes to never change, as each user has to manually give consent to operate on their behalf, changing the scopes after the user allowed would not be good So whatever scopes you initially set, you can count on them being immutable.
By the way, if you want to inspect the API with less hastle, you can always head over to Speckle GraphQL API which already takes care of the authentication process for you and allows you to explore the API faster (it even has autocomplete)
Thank you for the quick answer.
I am aware that the permissions are immutable but I still want to read the Personal Access Tokens and send the permissions to our server.
The query results differ wether im setting the query up through the GraphQL playground and my App.
These are the results in the playground:
and here are the results for the same query called by my App:
As you can see, ApiTokens is set to “null”.
Maybe I just missunderstood the use of the Personal Access Tokens…
Anyway. our team came to the conclusion that for our App we don’t really need the Personal Access Tokens at the moment and that we only care about the stream permissions for now which are accessible to me through a query.
I’m sorry if I what I’m saying is a little bit confusion. I’m still trying to get into SpeckleV2 and understand it better.
Another thing that I would like to mention is, that it would be really nice to have more permission options. CRUD operations for Globals and Branches for example.
Hey @mgerhardt, yes they differ - and you’re right to bring this up. We (I) should document this… It’s for security purposes!
In the server, some scopes are private for security reasons. This includes the ones around api tokens:
If a scope is flagged as not public this means that only “first-party” applications will be able to access those endpoints; this is in order to reduce the security footprint and limit risk.
If your app really needs those scopes, there is a pathway to do so by pre-registering it on the server (but you said it doesn’t, so I won’t detail more now - check how the frontend app or the explorer is embedded in the backend!).
So whatever scopes you initially set, you can count on them being immutable.
