

























@@ -9,7 +9,11 @@ import { getPluginRegistryState } from "../plugins/runtime-state.js";
99import { withPluginRuntimeGatewayRequestScope } from "../plugins/runtime/gateway-request-scope.js";
1010import { formatControlPlaneActor, resolveControlPlaneActor } from "./control-plane-audit.js";
1111import { consumeControlPlaneWriteBudget } from "./control-plane-rate-limit.js";
12-import { ADMIN_SCOPE, authorizeOperatorScopesForMethod } from "./method-scopes.js";
12+import {
13+ADMIN_SCOPE,
14+authorizeOperatorScopesForMethod,
15+authorizeOperatorScopesForRequiredScope,
16+} from "./method-scopes.js";
1317import {
1418createCoreGatewayMethodDescriptors,
1519createGatewayMethodDescriptorsFromHandlers,
@@ -18,6 +22,7 @@ import {
1822isCoreGatewayMethodClassified,
1923type GatewayMethodRegistry,
2024} from "./methods/registry.js";
25+import { isOperatorScope } from "./operator-scopes.js";
2126import { isRoleAuthorizedForMethod, parseGatewayRole } from "./role-policy.js";
2227import type {
2328GatewayRequestHandler,
@@ -226,6 +231,7 @@ function authorizeGatewayMethod(
226231method: string,
227232client: GatewayRequestOptions["client"],
228233params: unknown,
234+methodRegistry: GatewayMethodRegistry,
229235) {
230236// Pre-connect and health requests are allowed through; role/scope checks require the
231237// authenticated connect metadata established by the gateway handshake.
@@ -250,7 +256,10 @@ function authorizeGatewayMethod(
250256if (scopes.includes(ADMIN_SCOPE)) {
251257return null;
252258}
253-const scopeAuth = authorizeOperatorScopesForMethod(method, scopes, params);
259+const registeredScope = methodRegistry.getScope(method);
260+const scopeAuth = isOperatorScope(registeredScope)
261+ ? authorizeOperatorScopesForRequiredScope(registeredScope, scopes)
262+ : authorizeOperatorScopesForMethod(method, scopes, params);
254263if (!scopeAuth.allowed) {
255264return errorShape(ErrorCodes.INVALID_REQUEST, `missing scope: ${scopeAuth.missingScope}`);
256265}
@@ -632,7 +641,7 @@ export async function handleGatewayRequest(
632641const { req, respond, client, isWebchatConnect, context } = opts;
633642const methodRegistry =
634643opts.methodRegistry ?? createRequestGatewayMethodRegistry(opts.extraHandlers);
635-const authError = authorizeGatewayMethod(req.method, client, req.params);
644+const authError = authorizeGatewayMethod(req.method, client, req.params, methodRegistry);
636645if (authError) {
637646respond(false, undefined, authError);
638647return;
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。