ducky/devices
ducky/devices/apiv1/scopes.go
Add updating devices to apiv1. We needed a way to be able to update devices after they were created. This is supported in the devices package, we just needed to expose it using apiv1 endpoints. In doing so, it became apparent that allowing users to change the Owner of their Devices wasn't properly thought through, and pending a reason to use it, I'm just removing it. The biggest issue came when trying to return usable error messages; we couldn't distinguish between "you don't own the device you're trying to update" and "you're not allowed to change the owner of the device". I also couldn't figure out _who should be able to_ change the owner of the device, which is generally an indication that I'm building a feature before I have a use case for it. To support this change, the apiv1.DeviceChange type needed its Owner property removed. I also needed to add deviceFromAPI and devicesFromAPI helpers to return devices.Device types from apiv1.Device types. There's now a new validateDeviceUpdate helper that checks to ensure that a device update request is valid and the user has the appropriate permissions. The createRequest type now accepts a slice of Devices, not a slice of DeviceChanges, because we want to pass the Owner in. A new updateRequest type is created, which accepts a DeviceChange to apply. A new handleUpdateDevice handler is created, which is assigned to the endpoint for PATCH requests against a device ID. It checks that the user is logged in, the Device they're trying to update exists, and that it's a valid update. If all of that is true, the device is updated and the updated device is returned. Finally, we had to add two new scopes to support new functionality: ScopeUpdateOtherUserDevices allows a user to update other user's devices, and ScopeUpdateLastSeen allows a user to update the LastSeen property of a device. Pending some better error messages, this should be a full implementation of updating a device, which leaves only the deletion endpoint to deal with.
| paddy@15 | 1 package apiv1 |
| paddy@15 | 2 |
| paddy@15 | 3 import "code.secondbit.org/scopes.hg/types" |
| paddy@15 | 4 |
| paddy@15 | 5 var ( |
| paddy@15 | 6 // ScopeViewPushToken is a Scope that grants access to viewing pushTokens for |
| paddy@15 | 7 // Devices. |
| paddy@15 | 8 ScopeViewPushToken = scopeTypes.Scope{ |
| paddy@15 | 9 ID: "https://scopes.useducky.com/devices/pushToken/view", |
| paddy@15 | 10 Name: "View device push tokens.", |
| paddy@15 | 11 Description: "View the push tokens that allow sending messages and notifications to your device. This can be used to force your device to open links, and should be granted with extreme caution.", |
| paddy@15 | 12 } |
| paddy@16 | 13 |
| paddy@18 | 14 // ScopeViewDevices is a Scope that grants access to viewing the Devices |
| paddy@18 | 15 // that belong to a user. |
| paddy@18 | 16 ScopeViewDevices = scopeTypes.Scope{ |
| paddy@18 | 17 ID: "https://scopes.useducky.com/devices/view", |
| paddy@18 | 18 Name: "View devices.", |
| paddy@18 | 19 Description: "View the devices that are associated with your account.", |
| paddy@18 | 20 } |
| paddy@18 | 21 |
| paddy@16 | 22 // ScopeImport is a Scope that grants access to bulk importing Devices. It grants |
| paddy@16 | 23 // what equates to admin permissions, including the ability to create Devices for |
| paddy@16 | 24 // other users, and thus should be granted with extreme caution. |
| paddy@16 | 25 ScopeImport = scopeTypes.Scope{ |
| paddy@16 | 26 ID: "https://scopes.useducky.com/devices/import", |
| paddy@16 | 27 Name: "Import devices.", |
| paddy@16 | 28 Description: "Import devices into the system, including creating devices for other users. This should only ever be granted to system resources.", |
| paddy@16 | 29 } |
| paddy@16 | 30 |
| paddy@16 | 31 // ScopeCreateOtherUserDevices is a Scope that grants the user the ability to create |
| paddy@16 | 32 // Devices with an Owner property that doesn't match the authenticated user's ID. |
| paddy@16 | 33 ScopeCreateOtherUserDevices = scopeTypes.Scope{ |
| paddy@16 | 34 ID: "https://scopes.useducky.com/devices/otherUser/create", |
| paddy@16 | 35 Name: "Create devices for other users.", |
| paddy@16 | 36 Description: "Create devices like usual, but make a different user the owner of the device.", |
| paddy@16 | 37 } |
| paddy@20 | 38 |
| paddy@20 | 39 // ScopeUpdateOtherUserDevices is a Scope that grants the user the ability to update |
| paddy@20 | 40 // Devices with an Owner property that doesn't match the authenticated user's ID. |
| paddy@20 | 41 ScopeUpdateOtherUserDevices = scopeTypes.Scope{ |
| paddy@20 | 42 ID: "https://scopes.useducky.com/devices/otherUser/update", |
| paddy@20 | 43 Name: "Update devices for other users.", |
| paddy@20 | 44 Description: "Update devices like usual, but don't check if you're the owner of the device.", |
| paddy@20 | 45 } |
| paddy@20 | 46 |
| paddy@20 | 47 // ScopeUpdateLastSeen is a Scope that grants the user the ability to update the |
| paddy@20 | 48 // LastSeen property of their Devices. |
| paddy@20 | 49 ScopeUpdateLastSeen = scopeTypes.Scope{ |
| paddy@20 | 50 ID: "https://scopes.useducky.com/devices/lastSeen/update", |
| paddy@20 | 51 Name: "Update when a device was last seen.", |
| paddy@20 | 52 Description: "Update the timestamp tracking when a device was last seen.", |
| paddy@20 | 53 } |
| paddy@15 | 54 ) |