Require permitted scopes when registering a client (#29718)

app/controllers/user_api_key_clients_controller.rb

@@ -2,26 +2,53 @@
 class UserApiKeyClientsController < ApplicationController
   layout "no_ember"
 
-  requires_login
-  skip_before_action :check_xhr, :preload_json
+  skip_before_action :check_xhr, :preload_json, :verify_authenticity_token
 
-  def register
+  def show
+    params.require(:client_id)
+    client = UserApiKeyClient.find_by(client_id: params[:client_id])
+    raise Discourse::InvalidParameters unless client && client.auth_redirect.present?
+    head :ok
+  end
+
+  def create
+    rate_limit
     require_params
+    validate_params
+    ensure_new_client
 
-    client = UserApiKeyClient.find_or_initialize_by(client_id: params[:client_id])
+    client = UserApiKeyClient.new(client_id: params[:client_id])
     client.application_name = params[:application_name]
     client.public_key = params[:public_key]
     client.auth_redirect = params[:auth_redirect]
 
-    if client.save!
+    ActiveRecord::Base.transaction do
+      client.save!
+      @scopes.each { |scope| client.scopes.create!(name: scope) }
+    end
+
+    if client.persisted?
       render json: success_json
     else
       render json: failed_json
     end
   end
 
+  def rate_limit
+    RateLimiter.new(nil, "user-api-key-clients-#{request.remote_ip}", 1, 24.hours).performed!
+  end
+
   def require_params
-    %i[client_id application_name public_key auth_redirect].each { |p| params.require(p) }
+    %i[client_id application_name public_key auth_redirect scopes].each { |p| params.require(p) }
+    @scopes = params[:scopes].split(",")
+  end
+
+  def validate_params
+    raise Discourse::InvalidAccess unless UserApiKeyClientScope.allowed.superset?(Set.new(@scopes))
     OpenSSL::PKey::RSA.new(params[:public_key])
   end
+
+  def ensure_new_client
+    raise Discourse::InvalidAccess if UserApiKeyClient.where(client_id: params[:client_id]).exists?
+  end
 end