Calls to the API are checked for scope.

- Move the `Oauth2::AccessTokenValidationService` class to
  `AccessTokenValidationService`, since it is now being used for
  personal access token validation as well.

- Each API endpoint declares the scopes it accepts (if any). Currently,
  the top level API module declares the `api` scope, and the `Users` API
  module declares the `read_user` scope (for GET requests).

- Move the `find_user_by_private_token` from the API `Helpers` module to
  the `APIGuard` module, to avoid littering `Helpers` with more
  auth-related methods to support `find_user_by_private_token`

1 files changed, 34 insertions, 0 deletions

diff --git a/app/services/access_token_validation_service.rb b/app/services/access_token_validation_service.rb
new file mode 100644
index 00000000000..69449f3a445
--- /dev/null
+++ b/app/services/access_token_validation_service.rb
@@ -0,0 +1,34 @@
+module AccessTokenValidationService
+  # Results:
+  VALID = :valid
+  EXPIRED = :expired
+  REVOKED = :revoked
+  INSUFFICIENT_SCOPE = :insufficient_scope
+
+  class << self
+    def validate(token, scopes: [])
+      if token.expired?
+        return EXPIRED
+
+      elsif token.revoked?
+        return REVOKED
+
+      elsif !self.sufficient_scope?(token, scopes)
+        return INSUFFICIENT_SCOPE
+
+      else
+        return VALID
+      end
+    end
+
+    # True if the token's scope contains any of the required scopes.
+    def sufficient_scope?(token, required_scopes)
+      if required_scopes.blank?
+        true
+      else
+        # Check whether the token is allowed access to any of the required scopes.
+        Set.new(required_scopes).intersection(Set.new(token.scopes)).present?
+      end
+    end
+  end
+end