From 460c7dbb26a22b66304eb749e9601b822c5119d9 Mon Sep 17 00:00:00 2001 From: Konrad Kleine Date: Thu, 28 Jun 2018 17:03:12 +0200 Subject: [PATCH] Rework JWT with scopes in GOA design --- design/api.go | 18 ++++++++++++------ design/labels.go | 12 ++++++++++++ 2 files changed, 24 insertions(+), 6 deletions(-) diff --git a/design/api.go b/design/api.go index c80d3c33d0..69993794b8 100644 --- a/design/api.go +++ b/design/api.go @@ -5,6 +5,18 @@ import ( a "github.com/goadesign/goa/design/apidsl" ) +// JWT defines a security scheme using JWT. The scheme uses the "Authorization" +// header to lookup the token. It also defines then scopes "view", +// "collaborate" and "manage". +var JWT = a.JWTSecurity("jwt", func() { + a.Description("JWT Token Auth") + a.TokenURL("/api/login/authorize") + a.Header("Authorization") + a.Scope("view", "view a resource") + a.Scope("collaborate", "collaborate on a resource (includes view scope)") + a.Scope("manage", "manage the resource (includes view and collaborate scope)") +}) + var _ = a.API("wit", func() { a.Title("Fabric8-wit: One to rule them all") a.Description("The next big thing") @@ -43,12 +55,6 @@ var _ = a.API("wit", func() { }) }) - a.JWTSecurity("jwt", func() { - a.Description("JWT Token Auth") - a.TokenURL("/api/login/authorize") - a.Header("Authorization") - }) - a.ResponseTemplate(d.OK, func() { a.Description("Resource created") a.Status(200) diff --git a/design/labels.go b/design/labels.go index 54296d31ef..cdc6e70984 100644 --- a/design/labels.go +++ b/design/labels.go @@ -62,6 +62,9 @@ var _ = a.Resource("label", func() { a.BasePath("/labels") a.Action("show", func() { + a.Security(JWT, func() { // Use JWT to auth requests to this endpoint + a.Scope("view") // Enforce presence of "view" scope in JWT claims. + }) a.Routing( a.GET("/:labelID"), ) 
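Review bot: The scope descriptions in the new `JWT` scheme promise a hierarchy ("collaborate … includes view scope", "manage … includes view and collaborate scope") that the declaration itself cannot enforce; as far as I can tell from the goa DSL, `a.Scope` only registers a name and description, and the generated JWT middleware matches the literal scope string from the token's claims against the action's required scope. Unless the token issuer emits every implied scope (or the middleware expands them), a token carrying only `manage` will be rejected on a `view`-scoped action, which is the opposite of what the comment suggests. I would make that explicit next to the scheme, e.g. `// NOTE: the inclusion described above is documentation only; the generated middleware checks for the literal scope name, so the issuer must emit every implied scope (manage => collaborate, view).` The doc comment also has a typo, `defines then scopes` should read `defines the scopes`.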
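Review bot: In the visible context of the `show` action there is no pre-existing `a.Security("jwt")` call (unlike `create` and `update`), so this hunk turns what looks like an unauthenticated read into one that requires a valid JWT carrying the `view` scope. That is a client-facing behaviour change the commit title does not mention; please confirm that anonymous label reads are meant to go away and that tokens already issued by `/api/login/authorize` contain `view`, otherwise existing callers will start receiving 401/403. A one-line comment stating the intent would help the next reader, e.g. `// Labels are no longer readable anonymously: a token with the "view" scope is required.` The body of the `show` action continues outside the hunk.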
@@ -78,6 +81,9 @@ var _ = a.Resource("label", func() { }) a.Action("list", func() { + a.Security(JWT, func() { // Use JWT to auth requests to this endpoint + a.Scope("view") // Enforce presence of "view" scope in JWT claims. + }) a.Routing( a.GET(""), ) @@ -90,6 +96,9 @@ var _ = a.Resource("label", func() { }) a.Action("create", func() { + a.Security(JWT, func() { // Use JWT to auth requests to this endpoint + a.Scope("manage") // Enforce presence of "manage" scope in JWT claims. + }) a.Security("jwt") a.Routing( a.POST(""), @@ -108,6 +117,9 @@ var _ = a.Resource("label", func() { }) a.Action("update", func() { + a.Security(JWT, func() { // Use JWT to auth requests to this endpoint + a.Scope("collaborate") // Enforce presence of "collaborate" scope in JWT claims. + }) a.Security("jwt") a.Routing( a.PATCH("/:labelID"),
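Review bot: The old `a.Security("jwt")` call is left in place directly after the new `a.Security(JWT, func() { a.Scope("manage") })` in the `create` action, and in goa's apidsl a second `Security` call on the same action assigns a fresh `SecurityDefinition` rather than merging, so the second call replaces the first and the `manage` requirement is silently dropped — `create` would then accept any valid JWT regardless of scope. The fix is to delete the line `a.Security("jwt")` so only the scoped call remains. It is worth checking the regenerated `app/security.go` (or whatever the generator emits for this project) to confirm that `manage` actually appears as the required scope for this action. The `create` action's body continues outside the hunk.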
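Review bot: Same problem as in `create`: the retained `a.Security("jwt")` after the new `a.Security(JWT, func() { a.Scope("collaborate") })` overrides the scoped definition in goa's DSL (the action's `Security` field is assigned, not appended), so `update` ends up requiring only a valid token with no scope check. Remove the line `a.Security("jwt")` here as well. Separately, it is not obvious why creating a label needs `manage` while modifying one needs only `collaborate`; if that asymmetry is intended, a short comment on the `a.Scope("collaborate")` line explaining the policy would save the next reader from "fixing" it. The `update` action's body continues outside the hunk.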