Add auth scope constants

auth/auth.go

@@ -7,8 +7,14 @@ import (
 	"time"
 )
 
-// BearerScheme used for Authorization header
+const (
-const BearerScheme = "Bearer "
+	// BearerScheme used for Authorization header
+	BearerScheme = "Bearer "
+	// ScopePublic is the scope applied to a rule to allow access to the public
+	ScopePublic = ""
+	// ScopeAccount is the scope applied to a rule to limit to users with any valid account
+	ScopeAccount = "*"
+)
 
 var (
 	// ErrInvalidToken is when the token provided is not valid

auth/rules/rules.go

@@ -51,9 +51,9 @@ func Verify(rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
 	// loop through the rules and check for a rule which applies to this account
 	for _, rule := range filteredRules {
 		// a blank scope indicates the rule applies to everyone, even nil accounts
-		if rule.Scope == "" && rule.Access == auth.AccessDenied {
+		if rule.Scope == auth.ScopePublic && rule.Access == auth.AccessDenied {
 			return auth.ErrForbidden
-		} else if rule.Scope == "" && rule.Access == auth.AccessGranted {
+		} else if rule.Scope == auth.ScopePublic && rule.Access == auth.AccessGranted {
 			return nil
 		}
 
@@ -63,9 +63,9 @@ func Verify(rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
 		}
 
 		// this rule applies to any account
-		if rule.Scope == "*" && rule.Access == auth.AccessDenied {
+		if rule.Scope == auth.ScopeAccount && rule.Access == auth.AccessDenied {
 			return auth.ErrForbidden
-		} else if rule.Scope == "*" && rule.Access == auth.AccessGranted {
+		} else if rule.Scope == auth.ScopeAccount && rule.Access == auth.AccessGranted {
 			return nil
 		}