Skip to content

refactor: pat scope restructure#454

Merged
AmanGIT07 merged 2 commits intomainfrom
refactor/pat-scopes-restructure
Mar 25, 2026
Merged

refactor: pat scope restructure#454
AmanGIT07 merged 2 commits intomainfrom
refactor/pat-scopes-restructure

Conversation

@AmanGIT07
Copy link
Contributor

@AmanGIT07 AmanGIT07 commented Mar 24, 2026
edited by coderabbitai bot
Loading

Summary by CodeRabbit

  • Breaking Changes
    • Personal Access Token (PAT) scoping restructured: role and project lists replaced by unified scopes. Each PAT now requires at least one scope.
    • Scopes now include a required role, a required resource type, and optional resource IDs (instead of separate project IDs).
  • Behavioral
    • Existing PATs using old separate project/role fields may need to be recreated or migrated to the new scope format.

Before and after payload example

CreateCurrentUserPATRequest

Before:

{
    "title": "my-token",
    "role_ids": ["role-uuid-1", "role-uuid-2"],
    "project_ids": ["project-uuid-1"],
    "expires_at": "2026-12-31T00:00:00Z",
    "metadata": {}
  }

After:

  {
    "title": "my-token",
    "scopes": [
      {
        "role_id": "role-uuid-1",
        "resource_type": "app/organization"
      },
      {
        "role_id": "role-uuid-2",
        "resource_type": "app/project",
        "resource_ids": ["project-uuid-1"]
      }
    ],
    "expires_at": "2026-12-31T00:00:00Z",
    "metadata": {}
  }

UpdateCurrentUserPATRequest

Before:

  {
    "id": "pat-uuid",
    "role_ids": ["role-uuid-1"],
    "project_ids": [], // all projects
    "metadata": {}
  }

After:

  {
    "id": "pat-uuid",
    "scopes": [
      {
        "role_id": "role-uuid-1",
        "resource_type": "app/organization"
      }
    ],
    "metadata": {}
  }

PAT (response model)

Before:

  {
    "id": "pat-uuid",
    "title": "my-token",
    "role_ids": ["role-uuid-1", "role-uuid-2"],
    "project_ids": ["project-uuid-1"],
    "token": "ft_...",
    "expires_at": "2026-12-31T00:00:00Z",
    "last_used_at": "2026-03-25T10:00:00Z"
  }

After:

  {
    "id": "pat-uuid",
    "title": "my-token",
    "scopes": [
      {
        "role_id": "role-uuid-1",
        "resource_type": "app/organization",
        "resource_ids": []
      },
      {
        "role_id": "role-uuid-2",
        "resource_type": "app/project",
        "resource_ids": ["project-uuid-1"]
      }
    ],
    "token": "ft_...",
    "expires_at": "2026-12-31T00:00:00Z",
    "last_used_at": "2026-03-25T10:00:00Z"
  }

Key change: Flat role_ids + project_ids arrays replaced with a structured scopes array where each scope explicitly ties a role to its resource type and optional resource IDs. This makes the role-to-resource relationship explicit rather than implicit.

@coderabbitai
Copy link

coderabbitai bot commented Mar 24, 2026
edited
Loading

📝 Walkthrough

Walkthrough

Replaces separate PAT scoping fields with a structured PATScope across Frontier protobufs: role_ids and project_ids removed; repeated PATScope scopes added to CreateCurrentUserPATRequest, UpdateCurrentUserPATRequest, and PAT. PATScope contains role_id, resource_type, and optional resource_ids.

Changes

Cohort / File(s) Summary
Frontier RPC requests
raystack/frontier/v1beta1/frontier.proto		 CreateCurrentUserPATRequest and UpdateCurrentUserPATRequest: removed repeated string role_ids and repeated string project_ids; added repeated PATScope scopes = 3 (required, min_items: 1). expires_at/metadata field numbers unchanged.
PAT model & new message
raystack/frontier/v1beta1/models.proto		 Added message PATScope { string role_id = 1; string resource_type = 2; repeated string resource_ids = 3 }. PAT message: removed role_ids and project_ids, added repeated PATScope scopes = 6.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

Suggested reviewers

  • whoAbhishekSah

Poem

🐰 I hopped through proto fields today,
Rolled roles and projects into one bouquet.
Scopes now travel tidy, true—
role, resource, IDs in view.
A token snug, concise, and gay.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'refactor: pat scope restructure' clearly describes the main change: restructuring PAT (personal access token) scope handling by replacing flat role_ids/project_ids fields with a structured scopes array across request and response messages.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch refactor/pat-scopes-restructure

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai bot reviewed Mar 24, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
raystack/frontier/v1beta1/models.proto (1)

279-282: Consider adding validation for resource_type allowed values.

The comment indicates that resource_type should be either "app/organization" or "app/project", but there's no validation rule enforcing this constraint. Adding an in rule would strengthen the API contract and provide clearer error messages for invalid inputs.

♻️ Suggested validation rule 
   // Resource type: "app/organization" or "app/project"
   string resource_type = 2 [
-    (google.api.field_behavior) = REQUIRED
+    (google.api.field_behavior) = REQUIRED,
+    (validate.rules).string = {in: ["app/organization", "app/project"]}
   ];
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@raystack/frontier/v1beta1/models.proto` around lines 279 - 282, Add a
validation rule to the string field resource_type to restrict values to the
allowed set ("app/organization", "app/project"); specifically, augment the
resource_type field's protobuf options (e.g., using protoc-gen-validate
string.in) so the generated validation enforces those two values and returns a
clear error on other inputs—update the resource_type field definition in the
same message to include the in rule referencing the two allowed strings.
🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@raystack/frontier/v1beta1/models.proto`:
- Around line 279-282: Add a validation rule to the string field resource_type
to restrict values to the allowed set ("app/organization", "app/project");
specifically, augment the resource_type field's protobuf options (e.g., using
protoc-gen-validate string.in) so the generated validation enforces those two
values and returns a clear error on other inputs—update the resource_type field
definition in the same message to include the in rule referencing the two
allowed strings.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 33e282ea-0882-4b56-92e8-10b8245938fd

📥 Commits

Reviewing files that changed from the base of the PR and between 6af92c6 and 3164387.

📒 Files selected for processing (2)
  • raystack/frontier/v1beta1/frontier.proto
  • raystack/frontier/v1beta1/models.proto

@whoAbhishekSah
Copy link
Member

whoAbhishekSah commented Mar 25, 2026

@AmanGIT07, can you add a before-and-after body example to clarify this change?

@AmanGIT07
Copy link
Contributor Author

AmanGIT07 commented Mar 25, 2026

@AmanGIT07, can you add a before-and-after body example to clarify this change?

Updated the description with the same

whoAbhishekSah
whoAbhishekSah reviewed Mar 25, 2026
View reviewed changes
@AmanGIT07 AmanGIT07 force-pushed the refactor/pat-scopes-restructure branch from 101320c to 3164387 Compare March 25, 2026 09:11
coderabbitai[bot]
coderabbitai bot reviewed Mar 25, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@raystack/frontier/v1beta1/models.proto`:
- Around line 279-282: Add a proto-level validation rule to
PATScope.resource_type to restrict values to the documented closed set; update
the PATScope message by adding (validate.rules).string = {in:
["app/organization", "app/project"]} (so resource_type enforces only those two
values), ensuring this enforces the contract for scopes used by
CreateCurrentUserPATRequest and UpdateCurrentUserPATRequest rather than relying
on handler-side checks.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9a28d4da-0d16-4be9-bdd2-6e93d6810182

📥 Commits

Reviewing files that changed from the base of the PR and between 3164387 and 101320c.

📒 Files selected for processing (2)
  • raystack/frontier/v1beta1/frontier.proto
  • raystack/frontier/v1beta1/models.proto

@AmanGIT07 AmanGIT07 merged commit 9c069b5 into main Mar 25, 2026
5 checks passed
@AmanGIT07 AmanGIT07 deleted the refactor/pat-scopes-restructure branch March 25, 2026 09:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@whoAbhishekSah whoAbhishekSah whoAbhishekSah approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@AmanGIT07 @whoAbhishekSah