Skip to content

feat(auth): mb auth login --workspace requests a workspace-manager-scoped grant#34

Draft
escherize wants to merge 1 commit into
mainfrom
bcm/ghy-4053-workspace-login
Draft

feat(auth): mb auth login --workspace requests a workspace-manager-scoped grant#34
escherize wants to merge 1 commit into
mainfrom
bcm/ghy-4053-workspace-login

Conversation

@escherize

Copy link
Copy Markdown
Contributor

Refs GHY-4053 (Linear). Pairs with the parent-side defscope (GHY-4055).

The scoped token is Option B's containment primitive: the parent credential on an agent's machine can only do workspace CRUD, and the narrowness is enforced server-side by Metabase's default-deny scope middleware — curl with the same token 403s identically. The flag itself is the human's setup step: every OAuth path needs a TTY + browser consent, so a headless agent can neither run it nor mint itself anything broader.

Why the shape it has

  • Scope threads end-to-end through the existing PKCE flow: discovery gating (the server must advertise mb:workspace-manager in scopes_supported, else a clean "not supported" error), dynamic client registration, the authorize URL, the stored credential, and refresh.
  • Refresh can't widen client-side: the refresh request carries no scope parameter, so the new grant inherits the original. (Server-side refresh pinning is GHY-4060/4062 verification.)
  • profiles.json gains oauth.scope; pre-scope records resolve to mb:full — a fact, not a guess, since every legacy login was minted with the hardcoded full scope. This field is what the stale-credential sweep (GHY-4054) reads next.
  • Key-shaped paths are refused (--api-key, MB_API_KEY, non-TTY) so an unscoped API key can't masquerade as a scoped login.
  • A 403 on a scope-narrowed profile is enriched to name the scope and the fix (re-login without --workspace, or use a workspace profile) instead of a bare "Forbidden." — follows the enrichTransformCollectionError precedent (HttpError → ConfigError, exit 2).

Known limit

No server ships the workspace-manager defscope yet (GHY-4055), so against every real server the interactive scoped login currently ends at the friendly unsupported error. The browser→403-proof e2e joins the containment suite (GHY-4062) once 4055 lands.

Test plan

  • Unit (836): scope threading through registration/authorize/credential, discovery gate both directions, refresh scope preservation, storage round-trip + pre-scope-record default, 403 enrichment (5 cases).
  • e2e: guard refusals (non-TTY, --api-key, MB_API_KEY) with exact messages; full suite green (366 passed / 2 skipped) including the real-PKCE oauth suite against the live stack.

…oped grant

The scoped token is the containment primitive for Option B: a parent
credential on an agent's machine that can only do workspace CRUD,
enforced server-side by default-deny scope middleware.

- scope threads through discovery gating, dynamic client registration,
  the authorize URL, the stored credential, and refresh (which sends no
  scope parameter, so a refresh can never widen the grant)
- pre-scope profile records resolve to mb:full, which is what every
  legacy login was minted with
- workspace login is browser-OAuth only: --api-key, MB_API_KEY, and
  non-TTY contexts are refused so a key can't masquerade as scoped
- a 403 on a scope-narrowed profile is enriched to name the scope and
  the fix instead of a bare "Forbidden."

Refs GHY-4053
@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@alxnddr, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 2 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7eb1ec73-9eec-4d96-8824-2fa295610cc0

📥 Commits

Reviewing files that changed from the base of the PR and between 02e7de8 and f3dbe52.

📒 Files selected for processing (20)
  • README.md
  • src/commands/auth/login.ts
  • src/commands/auth/logout.test.ts
  • src/commands/auth/status.test.ts
  • src/commands/runtime.test.ts
  • src/commands/runtime.ts
  • src/core/auth/credential.test.ts
  • src/core/auth/credential.ts
  • src/core/auth/oauth-login.test.ts
  • src/core/auth/oauth-login.ts
  • src/core/auth/oauth-session.test.ts
  • src/core/auth/oauth-session.ts
  • src/core/auth/profile-record.ts
  • src/core/auth/storage.test.ts
  • src/core/auth/storage.ts
  • src/core/config.test.ts
  • src/core/http/client.test.ts
  • src/core/http/oauth.test.ts
  • src/core/http/oauth.ts
  • tests/e2e/auth.e2e.test.ts
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch bcm/ghy-4053-workspace-login

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@alxnddr

alxnddr commented Jul 6, 2026

Copy link
Copy Markdown
Member

@coderabbitai review

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants