From 9c072a372cededba2078298ba6cf769cf5c024ac Mon Sep 17 00:00:00 2001
From: Ben Toogood
Date: Fri, 22 May 2020 11:37:12 +0100
Subject: [PATCH] Add auth scope constants
---
 auth/auth.go | 10 ++++++++--
 auth/rules/rules.go | 8 ++++----
 2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/auth/auth.go b/auth/auth.go
index 96434acd..3e9afbc8 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -7,8 +7,14 @@ import (
 "time"
 )
-// BearerScheme used for Authorization header
-const BearerScheme = "Bearer "
+const (
+ // BearerScheme used for Authorization header
+ BearerScheme = "Bearer "
+ // ScopePublic is the scope applied to a rule to allow access to the public
+ ScopePublic = ""
+ // ScopeAccount is the scope applied to a rule to limit to users with any valid account
+ ScopeAccount = "*"
+)
 var (
 // ErrInvalidToken is when the token provided is not valid
diff --git a/auth/rules/rules.go b/auth/rules/rules.go
index 221da415..95d75904 100644
--- a/auth/rules/rules.go
+++ b/auth/rules/rules.go
@@ -51,9 +51,9 @@ func Verify(rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
 // loop through the rules and check for a rule which applies to this account
 for _, rule := range filteredRules {
 // a blank scope indicates the rule applies to everyone, even nil accounts
- if rule.Scope == "" && rule.Access == auth.AccessDenied {
+ if rule.Scope == auth.ScopePublic && rule.Access == auth.AccessDenied {
 return auth.ErrForbidden
- } else if rule.Scope == "" && rule.Access == auth.AccessGranted {
+ } else if rule.Scope == auth.ScopePublic && rule.Access == auth.AccessGranted {
 return nil
 }
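Review bot: `ScopePublic = ""` is the zero value of a Go string, so a rule whose Scope was never set compares equal to ScopePublic, and the check in rules.Verify treats such a rule as applying to everyone, including callers with a nil account. The constant's comment should say this outright, e.g. `// ScopePublic is the empty scope: a rule with no Scope set applies to everyone, including unauthenticated callers`. Whether rules are validated for a missing scope when they are created is not visible in this patch; if they are not, an omitted field combined with AccessGranted fails open, and a non-empty value for public rules would be the safer encoding.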
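Review bot: Both conditions of the ScopePublic check in Verify repeat the scope comparison, and the second hangs off an `else if` after a `return`; testing the scope once and switching on `rule.Access` is shorter and leaves an obvious place for a `default` case should Access be able to hold other values (not visible here). The comment above the check still says "a blank scope", which no longer matches the named constant. The same shape recurs for `auth.ScopeAccount` in the hunk at -63,9. The loop and Verify itself start and end outside this hunk.

```go
	for _, rule := range filteredRules {
		// ScopePublic rules apply to everyone, even nil accounts
		if rule.Scope == auth.ScopePublic {
			switch rule.Access {
			case auth.AccessDenied:
				return auth.ErrForbidden
			case auth.AccessGranted:
				return nil
			}
		}
		// … unchanged: account-scoped checks …
```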
@@ -63,9 +63,9 @@ func Verify(rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
 }
 // this rule applies to any account
- if rule.Scope == "*" && rule.Access == auth.AccessDenied {
+ if rule.Scope == auth.ScopeAccount && rule.Access == auth.AccessDenied {
 return auth.ErrForbidden
- } else if rule.Scope == "*" && rule.Access == auth.AccessGranted {
+ } else if rule.Scope == auth.ScopeAccount && rule.Access == auth.AccessGranted {
 return nil
 }
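Review bot: The `auth.ScopeAccount` branch returns nil for AccessGranted without reading `acc`, so it is only correct if a nil account has already been rejected or skipped earlier in the loop body. That guard is presumably in the lines between the two hunks and is not visible here; the enclosing loop starts and ends outside this hunk. The comment should state the precondition rather than only "this rule applies to any account", e.g. `// acc is non-nil at this point, so ScopeAccount matches every authenticated caller`. It is worth confirming the earlier check exists, since `"*"` reads like a match-all wildcard while the constant's documentation limits it to users with a valid account.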