···
+
//! AT Protocol OAuth scopes module
+
//! Derived from https://tangled.org/@smokesignal.events/atproto-identity-rs/raw/main/crates/atproto-oauth/src/scopes.rs
+
//! This module provides comprehensive support for AT Protocol OAuth scopes,
+
//! including parsing, serialization, normalization, and permission checking.
+
//! Scopes in AT Protocol follow a prefix-based format with optional query parameters:
+
//! - `account`: Access to account information (email, repo, status)
+
//! - `identity`: Access to identity information (handle)
+
//! - `blob`: Access to blob operations with mime type constraints
+
//! - `repo`: Repository operations with collection and action constraints
+
//! - `rpc`: RPC method access with lexicon and audience constraints
+
//! - `atproto`: Required scope to indicate that other AT Protocol scopes will be used
+
//! - `transition`: Migration operations (generic or email)
+
//! Standard OpenID Connect scopes (no suffixes or query parameters):
+
//! - `openid`: Required for OpenID Connect authentication
+
//! - `profile`: Access to user profile information
+
//! - `email`: Access to user email address
+
use std::collections::{BTreeMap, BTreeSet};
+
use jacquard_common::types::did::Did;
+
use jacquard_common::types::nsid::Nsid;
+
use jacquard_common::types::string::AtStrError;
+
use jacquard_common::{CowStr, IntoStatic};
+
use smol_str::{SmolStr, ToSmolStr};
+
/// Represents an AT Protocol OAuth scope
+
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
+
/// Account scope for accessing account information
+
/// Identity scope for accessing identity information
+
Identity(IdentityScope),
+
/// Blob scope for blob operations with mime type constraints
+
/// Repository scope for collection operations
+
/// RPC scope for method access
+
/// AT Protocol scope - required to indicate that other AT Protocol scopes will be used
+
/// Transition scope for migration operations
+
Transition(TransitionScope),
+
/// OpenID Connect scope - required for OpenID Connect authentication
+
/// Profile scope - access to user profile information
+
/// Email scope - access to user email address
+
impl IntoStatic for Scope<'_> {
+
type Output = Scope<'static>;
+
fn into_static(self) -> Self::Output {
+
Scope::Account(scope) => Scope::Account(scope),
+
Scope::Identity(scope) => Scope::Identity(scope),
+
Scope::Blob(scope) => Scope::Blob(scope.into_static()),
+
Scope::Repo(scope) => Scope::Repo(scope.into_static()),
+
Scope::Rpc(scope) => Scope::Rpc(scope.into_static()),
+
Scope::Atproto => Scope::Atproto,
+
Scope::Transition(scope) => Scope::Transition(scope),
+
Scope::OpenId => Scope::OpenId,
+
Scope::Profile => Scope::Profile,
+
Scope::Email => Scope::Email,
+
/// Account scope attributes
+
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
+
pub struct AccountScope {
+
/// The account resource type
+
pub resource: AccountResource,
+
/// The action permission level
+
pub action: AccountAction,
+
/// Account resource types
+
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
+
pub enum AccountResource {
+
/// Account action permissions
+
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
+
pub enum AccountAction {
+
/// Management access (includes read)
+
/// Identity scope attributes
+
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
+
pub enum IdentityScope {
+
/// All identity access (wildcard)
+
/// Transition scope types
+
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
+
pub enum TransitionScope {
+
/// Generic transition operations
+
/// Email transition operations
+
/// Blob scope with mime type constraints
+
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
+
pub struct BlobScope<'s> {
+
/// Accepted mime types
+
pub accept: BTreeSet<MimePattern<'s>>,
+
impl IntoStatic for BlobScope<'_> {
+
type Output = BlobScope<'static>;
+
fn into_static(self) -> Self::Output {
+
accept: self.accept.into_iter().map(|p| p.into_static()).collect(),
+
/// MIME type pattern for blob scope
+
#[derive(Debug, Clone, PartialEq, Eq, Hash, PartialOrd, Ord)]
+
pub enum MimePattern<'s> {
+
/// Match all subtypes of a type (e.g., "image/*")
+
TypeWildcard(CowStr<'s>),
+
/// Exact mime type match
+
impl IntoStatic for MimePattern<'_> {
+
type Output = MimePattern<'static>;
+
fn into_static(self) -> Self::Output {
+
MimePattern::All => MimePattern::All,
+
MimePattern::TypeWildcard(s) => MimePattern::TypeWildcard(s.into_static()),
+
MimePattern::Exact(s) => MimePattern::Exact(s.into_static()),
+
/// Repository scope with collection and action constraints
+
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
+
pub struct RepoScope<'s> {
+
/// Collection NSID or wildcard
+
pub collection: RepoCollection<'s>,
+
pub actions: BTreeSet<RepoAction>,
+
impl IntoStatic for RepoScope<'_> {
+
type Output = RepoScope<'static>;
+
fn into_static(self) -> Self::Output {
+
collection: self.collection.into_static(),
+
/// Repository collection identifier
+
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
+
pub enum RepoCollection<'s> {
+
/// All collections (wildcard)
+
/// Specific collection NSID
+
impl IntoStatic for RepoCollection<'_> {
+
type Output = RepoCollection<'static>;
+
fn into_static(self) -> Self::Output {
+
RepoCollection::All => RepoCollection::All,
+
RepoCollection::Nsid(nsid) => RepoCollection::Nsid(nsid.into_static()),
+
#[derive(Debug, Clone, PartialEq, Eq, Hash, PartialOrd, Ord)]
+
/// RPC scope with lexicon method and audience constraints
+
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
+
pub struct RpcScope<'s> {
+
/// Lexicon methods (NSIDs or wildcard)
+
pub lxm: BTreeSet<RpcLexicon<'s>>,
+
/// Audiences (DIDs or wildcard)
+
pub aud: BTreeSet<RpcAudience<'s>>,
+
impl IntoStatic for RpcScope<'_> {
+
type Output = RpcScope<'static>;
+
fn into_static(self) -> Self::Output {
+
lxm: self.lxm.into_iter().map(|s| s.into_static()).collect(),
+
aud: self.aud.into_iter().map(|s| s.into_static()).collect(),
+
/// RPC lexicon identifier
+
#[derive(Debug, Clone, PartialEq, Eq, Hash, PartialOrd, Ord)]
+
pub enum RpcLexicon<'s> {
+
/// All lexicons (wildcard)
+
/// Specific lexicon NSID
+
impl IntoStatic for RpcLexicon<'_> {
+
type Output = RpcLexicon<'static>;
+
fn into_static(self) -> Self::Output {
+
RpcLexicon::All => RpcLexicon::All,
+
RpcLexicon::Nsid(nsid) => RpcLexicon::Nsid(nsid.into_static()),
+
/// RPC audience identifier
+
#[derive(Debug, Clone, PartialEq, Eq, Hash, PartialOrd, Ord)]
+
pub enum RpcAudience<'s> {
+
/// All audiences (wildcard)
+
impl IntoStatic for RpcAudience<'_> {
+
type Output = RpcAudience<'static>;
+
fn into_static(self) -> Self::Output {
+
RpcAudience::All => RpcAudience::All,
+
RpcAudience::Did(did) => RpcAudience::Did(did.into_static()),
+
/// Parse multiple space-separated scopes from a string
+
/// # use jacquard_oauth::scopes::Scope;
+
/// let scopes = Scope::parse_multiple("atproto repo:*").unwrap();
+
/// assert_eq!(scopes.len(), 2);
+
pub fn parse_multiple(s: &'s str) -> Result<Vec<Self>, ParseError> {
+
if s.trim().is_empty() {
+
let mut scopes = Vec::new();
+
for scope_str in s.split_whitespace() {
+
scopes.push(Self::parse(scope_str)?);
+
/// Parse multiple space-separated scopes and return the minimal set needed
+
/// This method removes duplicate scopes and scopes that are already granted
+
/// by other scopes in the list, returning only the minimal set of scopes needed.
+
/// # use jacquard_oauth::scopes::Scope;
+
/// // repo:* grants repo:foo.bar, so only repo:* is kept
+
/// let scopes = Scope::parse_multiple_reduced("atproto repo:app.bsky.feed.post repo:*").unwrap();
+
/// assert_eq!(scopes.len(), 2); // atproto and repo:*
+
pub fn parse_multiple_reduced(s: &'s str) -> Result<Vec<Self>, ParseError> {
+
let all_scopes = Self::parse_multiple(s)?;
+
if all_scopes.is_empty() {
+
let mut result: Vec<Self> = Vec::new();
+
for scope in all_scopes {
+
// Check if this scope is already granted by something in the result
+
let mut is_granted = false;
+
for existing in &result {
+
if existing.grants(&scope) && existing != &scope {
+
continue; // Skip this scope, it's already covered
+
// Check if this scope grants any existing scopes in the result
+
let mut indices_to_remove = Vec::new();
+
for (i, existing) in result.iter().enumerate() {
+
if scope.grants(existing) && &scope != existing {
+
indices_to_remove.push(i);
+
// Remove scopes that are granted by the new scope (in reverse order to maintain indices)
+
for i in indices_to_remove.into_iter().rev() {
+
// Add the new scope if it's not a duplicate
+
if !result.contains(&scope) {
+
/// Serialize a list of scopes into a space-separated OAuth scopes string
+
/// The scopes are sorted alphabetically by their string representation to ensure
+
/// consistent output regardless of input order.
+
/// # use jacquard_oauth::scopes::Scope;
+
/// Scope::parse("repo:*").unwrap(),
+
/// Scope::parse("atproto").unwrap(),
+
/// Scope::parse("account:email").unwrap(),
+
/// let result = Scope::serialize_multiple(&scopes);
+
/// assert_eq!(result, "account:email atproto repo:*");
+
pub fn serialize_multiple(scopes: &[Self]) -> CowStr<'static> {
+
return CowStr::default();
+
let mut serialized: Vec<String> = scopes.iter().map(|scope| scope.to_string()).collect();
+
serialized.join(" ").into()
+
/// Remove a scope from a list of scopes
+
/// Returns a new vector with all instances of the specified scope removed.
+
/// If the scope doesn't exist in the list, returns a copy of the original list.
+
/// # use jacquard_oauth::scopes::Scope;
+
/// Scope::parse("repo:*").unwrap(),
+
/// Scope::parse("atproto").unwrap(),
+
/// Scope::parse("account:email").unwrap(),
+
/// let to_remove = Scope::parse("atproto").unwrap();
+
/// let result = Scope::remove_scope(&scopes, &to_remove);
+
/// assert_eq!(result.len(), 2);
+
/// assert!(!result.contains(&to_remove));
+
pub fn remove_scope(scopes: &[Self], scope_to_remove: &Self) -> Vec<Self> {
+
.filter(|s| *s != scope_to_remove)
+
/// Parse a scope from a string
+
pub fn parse(s: &'s str) -> Result<Self, ParseError> {
+
// Determine the prefix first by checking for known prefixes
+
let mut found_prefix = None;
+
for prefix in &prefixes {
+
if let Some(remainder) = s.strip_prefix(prefix)
+
&& (remainder.is_empty()
+
|| remainder.starts_with(':')
+
|| remainder.starts_with('?'))
+
found_prefix = Some(*prefix);
+
if let Some(stripped) = remainder.strip_prefix(':') {
+
suffix = Some(stripped);
+
} else if remainder.starts_with('?') {
+
suffix = Some(remainder);
+
let prefix = found_prefix.ok_or_else(|| {
+
// If no known prefix found, extract what looks like a prefix for error reporting
+
let end = s.find(':').or_else(|| s.find('?')).unwrap_or(s.len());
+
ParseError::UnknownPrefix(s[..end].to_string())
+
"account" => Self::parse_account(suffix),
+
"identity" => Self::parse_identity(suffix),
+
"blob" => Self::parse_blob(suffix),
+
"repo" => Self::parse_repo(suffix),
+
"rpc" => Self::parse_rpc(suffix),
+
"atproto" => Self::parse_atproto(suffix),
+
"transition" => Self::parse_transition(suffix),
+
"openid" => Self::parse_openid(suffix),
+
"profile" => Self::parse_profile(suffix),
+
"email" => Self::parse_email(suffix),
+
_ => Err(ParseError::UnknownPrefix(prefix.to_string())),
+
fn parse_account(suffix: Option<&'s str>) -> Result<Self, ParseError> {
+
let (resource_str, params) = match suffix {
+
if let Some(pos) = s.find('?') {
+
(&s[..pos], Some(&s[pos + 1..]))
+
None => return Err(ParseError::MissingResource),
+
let resource = match resource_str {
+
"email" => AccountResource::Email,
+
"repo" => AccountResource::Repo,
+
"status" => AccountResource::Status,
+
_ => return Err(ParseError::InvalidResource(resource_str.to_string())),
+
let action = if let Some(params) = params {
+
let parsed_params = parse_query_string(params);
+
.and_then(|v| v.first())
+
Some("read") => AccountAction::Read,
+
Some("manage") => AccountAction::Manage,
+
Some(other) => return Err(ParseError::InvalidAction(other.to_string())),
+
None => AccountAction::Read,
+
Ok(Scope::Account(AccountScope { resource, action }))
+
fn parse_identity(suffix: Option<&'s str>) -> Result<Self, ParseError> {
+
let scope = match suffix {
+
Some("handle") => IdentityScope::Handle,
+
Some("*") => IdentityScope::All,
+
Some(other) => return Err(ParseError::InvalidResource(other.to_string())),
+
None => return Err(ParseError::MissingResource),
+
Ok(Scope::Identity(scope))
+
fn parse_blob(suffix: Option<&'s str>) -> Result<Self, ParseError> {
+
let mut accept = BTreeSet::new();
+
Some(s) if s.starts_with('?') => {
+
let params = parse_query_string(&s[1..]);
+
if let Some(values) = params.get("accept") {
+
accept.insert(MimePattern::from_str(value)?);
+
accept.insert(MimePattern::from_str(s)?);
+
accept.insert(MimePattern::All);
+
accept.insert(MimePattern::All);
+
Ok(Scope::Blob(BlobScope { accept }))
+
fn parse_repo(suffix: Option<&'s str>) -> Result<Self, ParseError> {
+
let (collection_str, params) = match suffix {
+
if let Some(pos) = s.find('?') {
+
(Some(&s[..pos]), Some(&s[pos + 1..]))
+
let collection = match collection_str {
+
Some("*") | None => RepoCollection::All,
+
Some(nsid) => RepoCollection::Nsid(Nsid::new(nsid)?),
+
let mut actions = BTreeSet::new();
+
if let Some(params) = params {
+
let parsed_params = parse_query_string(params);
+
if let Some(values) = parsed_params.get("action") {
+
actions.insert(RepoAction::Create);
+
actions.insert(RepoAction::Update);
+
actions.insert(RepoAction::Delete);
+
actions.insert(RepoAction::Create);
+
actions.insert(RepoAction::Update);
+
actions.insert(RepoAction::Delete);
+
other => return Err(ParseError::InvalidAction(other.to_string())),
+
if actions.is_empty() {
+
actions.insert(RepoAction::Create);
+
actions.insert(RepoAction::Update);
+
actions.insert(RepoAction::Delete);
+
Ok(Scope::Repo(RepoScope {
+
fn parse_rpc(suffix: Option<&'s str>) -> Result<Self, ParseError> {
+
let mut lxm = BTreeSet::new();
+
let mut aud = BTreeSet::new();
+
lxm.insert(RpcLexicon::All);
+
aud.insert(RpcAudience::All);
+
Some(s) if s.starts_with('?') => {
+
let params = parse_query_string(&s[1..]);
+
if let Some(values) = params.get("lxm") {
+
if value.as_ref() == "*" {
+
lxm.insert(RpcLexicon::All);
+
lxm.insert(RpcLexicon::Nsid(Nsid::new(value)?.into_static()));
+
if let Some(values) = params.get("aud") {
+
if value.as_ref() == "*" {
+
aud.insert(RpcAudience::All);
+
aud.insert(RpcAudience::Did(Did::new(value)?.into_static()));
+
// Check if there's a query string in the suffix
+
if let Some(pos) = s.find('?') {
+
let params = parse_query_string(&s[pos + 1..]);
+
lxm.insert(RpcLexicon::Nsid(Nsid::new(nsid)?.into_static()));
+
if let Some(values) = params.get("aud") {
+
if value.as_ref() == "*" {
+
aud.insert(RpcAudience::All);
+
aud.insert(RpcAudience::Did(Did::new(value)?.into_static()));
+
lxm.insert(RpcLexicon::Nsid(Nsid::new(s)?.into_static()));
+
lxm.insert(RpcLexicon::All);
+
aud.insert(RpcAudience::All);
+
Ok(Scope::Rpc(RpcScope { lxm, aud }))
+
fn parse_atproto(suffix: Option<&str>) -> Result<Self, ParseError> {
+
return Err(ParseError::InvalidResource(
+
"atproto scope does not accept suffixes".to_string(),
+
fn parse_transition(suffix: Option<&str>) -> Result<Self, ParseError> {
+
let scope = match suffix {
+
Some("generic") => TransitionScope::Generic,
+
Some("email") => TransitionScope::Email,
+
Some(other) => return Err(ParseError::InvalidResource(other.to_string())),
+
None => return Err(ParseError::MissingResource),
+
Ok(Scope::Transition(scope))
+
fn parse_openid(suffix: Option<&str>) -> Result<Self, ParseError> {
+
return Err(ParseError::InvalidResource(
+
"openid scope does not accept suffixes".to_string(),
+
fn parse_profile(suffix: Option<&str>) -> Result<Self, ParseError> {
+
return Err(ParseError::InvalidResource(
+
"profile scope does not accept suffixes".to_string(),
+
fn parse_email(suffix: Option<&str>) -> Result<Self, ParseError> {
+
return Err(ParseError::InvalidResource(
+
"email scope does not accept suffixes".to_string(),
+
/// Convert the scope to its normalized string representation
+
pub fn to_string_normalized(&self) -> String {
+
Scope::Account(scope) => {
+
let resource = match scope.resource {
+
AccountResource::Email => "email",
+
AccountResource::Repo => "repo",
+
AccountResource::Status => "status",
+
AccountAction::Read => format!("account:{}", resource),
+
AccountAction::Manage => format!("account:{}?action=manage", resource),
+
Scope::Identity(scope) => match scope {
+
IdentityScope::Handle => "identity:handle".to_string(),
+
IdentityScope::All => "identity:*".to_string(),
+
Scope::Blob(scope) => {
+
if scope.accept.len() == 1 {
+
if let Some(pattern) = scope.accept.iter().next() {
+
MimePattern::All => "blob:*/*".to_string(),
+
MimePattern::TypeWildcard(t) => format!("blob:{}/*", t),
+
MimePattern::Exact(mime) => format!("blob:{}", mime),
+
let mut params = Vec::new();
+
for pattern in &scope.accept {
+
MimePattern::All => params.push("accept=*/*".to_string()),
+
MimePattern::TypeWildcard(t) => params.push(format!("accept={}/*", t)),
+
MimePattern::Exact(mime) => params.push(format!("accept={}", mime)),
+
format!("blob?{}", params.join("&"))
+
Scope::Repo(scope) => {
+
let collection = match &scope.collection {
+
RepoCollection::All => "*",
+
RepoCollection::Nsid(nsid) => nsid,
+
if scope.actions.len() == 3 {
+
format!("repo:{}", collection)
+
let mut params = Vec::new();
+
for action in &scope.actions {
+
RepoAction::Create => params.push("action=create"),
+
RepoAction::Update => params.push("action=update"),
+
RepoAction::Delete => params.push("action=delete"),
+
format!("repo:{}?{}", collection, params.join("&"))
+
if scope.lxm.len() == 1
+
&& scope.lxm.contains(&RpcLexicon::All)
+
&& scope.aud.len() == 1
+
&& scope.aud.contains(&RpcAudience::All)
+
} else if scope.lxm.len() == 1
+
&& scope.aud.len() == 1
+
&& scope.aud.contains(&RpcAudience::All)
+
if let Some(lxm) = scope.lxm.iter().next() {
+
RpcLexicon::All => "rpc:*".to_string(),
+
RpcLexicon::Nsid(nsid) => format!("rpc:{}", nsid),
+
let mut params = Vec::new();
+
for lxm in &scope.lxm {
+
RpcLexicon::All => params.push("lxm=*".to_string()),
+
RpcLexicon::Nsid(nsid) => params.push(format!("lxm={}", nsid)),
+
for aud in &scope.aud {
+
RpcAudience::All => params.push("aud=*".to_string()),
+
RpcAudience::Did(did) => params.push(format!("aud={}", did)),
+
format!("rpc?{}", params.join("&"))
+
Scope::Atproto => "atproto".to_string(),
+
Scope::Transition(scope) => match scope {
+
TransitionScope::Generic => "transition:generic".to_string(),
+
TransitionScope::Email => "transition:email".to_string(),
+
Scope::OpenId => "openid".to_string(),
+
Scope::Profile => "profile".to_string(),
+
Scope::Email => "email".to_string(),
+
/// Check if this scope grants the permissions of another scope
+
pub fn grants(&self, other: &Scope) -> bool {
+
// Atproto only grants itself (it's a required scope, not a permission grant)
+
(Scope::Atproto, Scope::Atproto) => true,
+
(Scope::Atproto, _) => false,
+
// Nothing else grants atproto
+
(_, Scope::Atproto) => false,
+
// Transition scopes only grant themselves
+
(Scope::Transition(a), Scope::Transition(b)) => a == b,
+
// Other scopes don't grant transition scopes
+
(_, Scope::Transition(_)) => false,
+
(Scope::Transition(_), _) => false,
+
// OpenID Connect scopes only grant themselves
+
(Scope::OpenId, Scope::OpenId) => true,
+
(Scope::OpenId, _) => false,
+
(_, Scope::OpenId) => false,
+
(Scope::Profile, Scope::Profile) => true,
+
(Scope::Profile, _) => false,
+
(_, Scope::Profile) => false,
+
(Scope::Email, Scope::Email) => true,
+
(Scope::Email, _) => false,
+
(_, Scope::Email) => false,
+
(Scope::Account(a), Scope::Account(b)) => {
+
a.resource == b.resource
+
(AccountAction::Manage, _) | (AccountAction::Read, AccountAction::Read)
+
(Scope::Identity(a), Scope::Identity(b)) => matches!(
+
(IdentityScope::All, _) | (IdentityScope::Handle, IdentityScope::Handle)
+
(Scope::Blob(a), Scope::Blob(b)) => {
+
for b_pattern in &b.accept {
+
let mut granted = false;
+
for a_pattern in &a.accept {
+
if a_pattern.grants(b_pattern) {
+
(Scope::Repo(a), Scope::Repo(b)) => {
+
let collection_match = match (&a.collection, &b.collection) {
+
(RepoCollection::All, _) => true,
+
(RepoCollection::Nsid(a_nsid), RepoCollection::Nsid(b_nsid)) => {
+
b.actions.is_subset(&a.actions) || a.actions.len() == 3
+
(Scope::Rpc(a), Scope::Rpc(b)) => {
+
let lxm_match = if a.lxm.contains(&RpcLexicon::All) {
+
b.lxm.iter().all(|b_lxm| match b_lxm {
+
RpcLexicon::All => false,
+
RpcLexicon::Nsid(_) => a.lxm.contains(b_lxm),
+
let aud_match = if a.aud.contains(&RpcAudience::All) {
+
b.aud.iter().all(|b_aud| match b_aud {
+
RpcAudience::All => false,
+
RpcAudience::Did(_) => a.aud.contains(b_aud),
+
fn grants(&self, other: &MimePattern) -> bool {
+
(MimePattern::All, _) => true,
+
(MimePattern::TypeWildcard(a_type), MimePattern::TypeWildcard(b_type)) => {
+
(MimePattern::TypeWildcard(a_type), MimePattern::Exact(b_mime)) => {
+
b_mime.starts_with(&format!("{}/", a_type))
+
(MimePattern::Exact(a), MimePattern::Exact(b)) => a == b,
+
impl FromStr for MimePattern<'_> {
+
fn from_str(s: &str) -> Result<Self, Self::Err> {
+
} else if let Some(stripped) = s.strip_suffix("/*") {
+
Ok(MimePattern::TypeWildcard(CowStr::Owned(
+
} else if s.contains('/') {
+
Ok(MimePattern::Exact(CowStr::Owned(s.to_smolstr())))
+
Err(ParseError::InvalidMimeType(s.to_string()))
+
impl FromStr for Scope<'_> {
+
fn from_str(s: &str) -> Result<Scope<'static>, Self::Err> {
+
match Scope::parse(s) {
+
Ok(parsed) => Ok(parsed.into_static()),
+
impl fmt::Display for Scope<'_> {
+
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+
write!(f, "{}", self.to_string_normalized())
+
/// Parse a query string into a map of keys to lists of values
+
fn parse_query_string(query: &str) -> BTreeMap<SmolStr, Vec<CowStr<'static>>> {
+
let mut params = BTreeMap::new();
+
for pair in query.split('&') {
+
if let Some(pos) = pair.find('=') {
+
let key = &pair[..pos];
+
let value = &pair[pos + 1..];
+
.entry(key.to_smolstr())
+
.or_insert_with(Vec::new)
+
.push(CowStr::Owned(value.to_smolstr()));
+
/// Error type for scope parsing
+
#[derive(Debug, Clone, PartialEq, Eq, thiserror::Error, miette::Diagnostic)]
+
/// Unknown scope prefix
+
/// Missing required resource
+
/// Invalid resource type
+
InvalidResource(String),
+
/// Invalid action type
+
InvalidMimeType(String),
+
ParseError(#[from] AtStrError),
+
impl fmt::Display for ParseError {
+
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+
ParseError::UnknownPrefix(prefix) => write!(f, "Unknown scope prefix: {}", prefix),
+
ParseError::MissingResource => write!(f, "Missing required resource"),
+
ParseError::InvalidResource(resource) => write!(f, "Invalid resource: {}", resource),
+
ParseError::InvalidAction(action) => write!(f, "Invalid action: {}", action),
+
ParseError::InvalidMimeType(mime) => write!(f, "Invalid MIME type: {}", mime),
+
ParseError::ParseError(err) => write!(f, "Parse error: {}", err),
+
fn test_account_scope_parsing() {
+
let scope = Scope::parse("account:email").unwrap();
+
Scope::Account(AccountScope {
+
resource: AccountResource::Email,
+
action: AccountAction::Read,
+
let scope = Scope::parse("account:repo?action=manage").unwrap();
+
Scope::Account(AccountScope {
+
resource: AccountResource::Repo,
+
action: AccountAction::Manage,
+
let scope = Scope::parse("account:status?action=read").unwrap();
+
Scope::Account(AccountScope {
+
resource: AccountResource::Status,
+
action: AccountAction::Read,
+
fn test_identity_scope_parsing() {
+
let scope = Scope::parse("identity:handle").unwrap();
+
assert_eq!(scope, Scope::Identity(IdentityScope::Handle));
+
let scope = Scope::parse("identity:*").unwrap();
+
assert_eq!(scope, Scope::Identity(IdentityScope::All));
+
fn test_blob_scope_parsing() {
+
let scope = Scope::parse("blob:*/*").unwrap();
+
let mut accept = BTreeSet::new();
+
accept.insert(MimePattern::All);
+
assert_eq!(scope, Scope::Blob(BlobScope { accept }));
+
let scope = Scope::parse("blob:image/png").unwrap();
+
let mut accept = BTreeSet::new();
+
accept.insert(MimePattern::Exact(CowStr::new_static("image/png")));
+
assert_eq!(scope, Scope::Blob(BlobScope { accept }));
+
let scope = Scope::parse("blob?accept=image/png&accept=image/jpeg").unwrap();
+
let mut accept = BTreeSet::new();
+
accept.insert(MimePattern::Exact(CowStr::new_static("image/png")));
+
accept.insert(MimePattern::Exact(CowStr::new_static("image/jpeg")));
+
assert_eq!(scope, Scope::Blob(BlobScope { accept }));
+
let scope = Scope::parse("blob:image/*").unwrap();
+
let mut accept = BTreeSet::new();
+
accept.insert(MimePattern::TypeWildcard(CowStr::new_static("image")));
+
assert_eq!(scope, Scope::Blob(BlobScope { accept }));
+
fn test_repo_scope_parsing() {
+
let scope = Scope::parse("repo:*?action=create").unwrap();
+
let mut actions = BTreeSet::new();
+
actions.insert(RepoAction::Create);
+
Scope::Repo(RepoScope {
+
collection: RepoCollection::All,
+
let scope = Scope::parse("repo:app.bsky.feed.post?action=create&action=update").unwrap();
+
let mut actions = BTreeSet::new();
+
actions.insert(RepoAction::Create);
+
actions.insert(RepoAction::Update);
+
Scope::Repo(RepoScope {
+
collection: RepoCollection::Nsid(Nsid::new_static("app.bsky.feed.post").unwrap()),
+
let scope = Scope::parse("repo:app.bsky.feed.post").unwrap();
+
let mut actions = BTreeSet::new();
+
actions.insert(RepoAction::Create);
+
actions.insert(RepoAction::Update);
+
actions.insert(RepoAction::Delete);
+
Scope::Repo(RepoScope {
+
collection: RepoCollection::Nsid(Nsid::new_static("app.bsky.feed.post").unwrap()),
+
fn test_rpc_scope_parsing() {
+
let scope = Scope::parse("rpc:*").unwrap();
+
let mut lxm = BTreeSet::new();
+
let mut aud = BTreeSet::new();
+
lxm.insert(RpcLexicon::All);
+
aud.insert(RpcAudience::All);
+
assert_eq!(scope, Scope::Rpc(RpcScope { lxm, aud }));
+
let scope = Scope::parse("rpc:com.example.service").unwrap();
+
let mut lxm = BTreeSet::new();
+
let mut aud = BTreeSet::new();
+
lxm.insert(RpcLexicon::Nsid(
+
Nsid::new_static("com.example.service").unwrap(),
+
aud.insert(RpcAudience::All);
+
assert_eq!(scope, Scope::Rpc(RpcScope { lxm, aud }));
+
Scope::parse("rpc:com.example.service?aud=did:plc:yfvwmnlztr4dwkb7hwz55r2g").unwrap();
+
let mut lxm = BTreeSet::new();
+
let mut aud = BTreeSet::new();
+
lxm.insert(RpcLexicon::Nsid(
+
Nsid::new_static("com.example.service").unwrap(),
+
aud.insert(RpcAudience::Did(
+
Did::new_static("did:plc:yfvwmnlztr4dwkb7hwz55r2g").unwrap(),
+
assert_eq!(scope, Scope::Rpc(RpcScope { lxm, aud }));
+
Scope::parse("rpc?lxm=com.example.method1&lxm=com.example.method2&aud=did:plc:yfvwmnlztr4dwkb7hwz55r2g")
+
let mut lxm = BTreeSet::new();
+
let mut aud = BTreeSet::new();
+
lxm.insert(RpcLexicon::Nsid(
+
Nsid::new_static("com.example.method1").unwrap(),
+
lxm.insert(RpcLexicon::Nsid(
+
Nsid::new_static("com.example.method2").unwrap(),
+
aud.insert(RpcAudience::Did(
+
Did::new_static("did:plc:yfvwmnlztr4dwkb7hwz55r2g").unwrap(),
+
assert_eq!(scope, Scope::Rpc(RpcScope { lxm, aud }));
+
fn test_scope_normalization() {
+
("account:email", "account:email"),
+
("account:email?action=read", "account:email"),
+
("account:email?action=manage", "account:email?action=manage"),
+
("blob:image/png", "blob:image/png"),
+
"blob?accept=image/jpeg&accept=image/png",
+
"blob?accept=image/jpeg&accept=image/png",
+
("repo:app.bsky.feed.post", "repo:app.bsky.feed.post"),
+
"repo:app.bsky.feed.post?action=create",
+
"repo:app.bsky.feed.post?action=create",
+
for (input, expected) in tests {
+
let scope = Scope::parse(input).unwrap();
+
assert_eq!(scope.to_string_normalized(), expected);
+
fn test_account_scope_grants() {
+
let manage = Scope::parse("account:email?action=manage").unwrap();
+
let read = Scope::parse("account:email?action=read").unwrap();
+
let other_read = Scope::parse("account:repo?action=read").unwrap();
+
assert!(manage.grants(&read));
+
assert!(manage.grants(&manage));
+
assert!(!read.grants(&manage));
+
assert!(read.grants(&read));
+
assert!(!read.grants(&other_read));
+
fn test_identity_scope_grants() {
+
let all = Scope::parse("identity:*").unwrap();
+
let handle = Scope::parse("identity:handle").unwrap();
+
assert!(all.grants(&handle));
+
assert!(all.grants(&all));
+
assert!(!handle.grants(&all));
+
assert!(handle.grants(&handle));
+
fn test_blob_scope_grants() {
+
let all = Scope::parse("blob:*/*").unwrap();
+
let image_all = Scope::parse("blob:image/*").unwrap();
+
let image_png = Scope::parse("blob:image/png").unwrap();
+
let text_plain = Scope::parse("blob:text/plain").unwrap();
+
assert!(all.grants(&image_all));
+
assert!(all.grants(&image_png));
+
assert!(all.grants(&text_plain));
+
assert!(image_all.grants(&image_png));
+
assert!(!image_all.grants(&text_plain));
+
assert!(!image_png.grants(&image_all));
+
fn test_repo_scope_grants() {
+
let all_all = Scope::parse("repo:*").unwrap();
+
let all_create = Scope::parse("repo:*?action=create").unwrap();
+
let specific_all = Scope::parse("repo:app.bsky.feed.post").unwrap();
+
let specific_create = Scope::parse("repo:app.bsky.feed.post?action=create").unwrap();
+
let other_create = Scope::parse("repo:pub.leaflet.publication?action=create").unwrap();
+
assert!(all_all.grants(&all_create));
+
assert!(all_all.grants(&specific_all));
+
assert!(all_all.grants(&specific_create));
+
assert!(all_create.grants(&all_create));
+
assert!(!all_create.grants(&specific_all));
+
assert!(specific_all.grants(&specific_create));
+
assert!(!specific_create.grants(&specific_all));
+
assert!(!specific_create.grants(&other_create));
+
fn test_rpc_scope_grants() {
+
let all = Scope::parse("rpc:*").unwrap();
+
let specific_lxm = Scope::parse("rpc:com.example.service").unwrap();
+
let specific_both = Scope::parse("rpc:com.example.service?aud=did:example:123").unwrap();
+
assert!(all.grants(&specific_lxm));
+
assert!(all.grants(&specific_both));
+
assert!(specific_lxm.grants(&specific_both));
+
assert!(!specific_both.grants(&specific_lxm));
+
assert!(!specific_both.grants(&all));
+
fn test_cross_scope_grants() {
+
let account = Scope::parse("account:email").unwrap();
+
let identity = Scope::parse("identity:handle").unwrap();
+
assert!(!account.grants(&identity));
+
assert!(!identity.grants(&account));
+
fn test_parse_errors() {
+
Scope::parse("unknown:test"),
+
Err(ParseError::UnknownPrefix(_))
+
Scope::parse("account"),
+
Err(ParseError::MissingResource)
+
Scope::parse("account:invalid"),
+
Err(ParseError::InvalidResource(_))
+
Scope::parse("account:email?action=invalid"),
+
Err(ParseError::InvalidAction(_))
+
fn test_query_parameter_sorting() {
+
Scope::parse("blob?accept=image/png&accept=application/pdf&accept=image/jpeg").unwrap();
+
let normalized = scope.to_string_normalized();
+
assert!(normalized.contains("accept=application/pdf"));
+
assert!(normalized.contains("accept=image/jpeg"));
+
assert!(normalized.contains("accept=image/png"));
+
let pdf_pos = normalized.find("accept=application/pdf").unwrap();
+
let jpeg_pos = normalized.find("accept=image/jpeg").unwrap();
+
let png_pos = normalized.find("accept=image/png").unwrap();
+
assert!(pdf_pos < jpeg_pos);
+
assert!(jpeg_pos < png_pos);
+
fn test_repo_action_wildcard() {
+
let scope = Scope::parse("repo:app.bsky.feed.post?action=*").unwrap();
+
let mut actions = BTreeSet::new();
+
actions.insert(RepoAction::Create);
+
actions.insert(RepoAction::Update);
+
actions.insert(RepoAction::Delete);
+
Scope::Repo(RepoScope {
+
collection: RepoCollection::Nsid(Nsid::new_static("app.bsky.feed.post").unwrap()),
+
fn test_multiple_blob_accepts() {
+
let scope = Scope::parse("blob?accept=image/*&accept=text/plain").unwrap();
+
assert!(scope.grants(&Scope::parse("blob:image/png").unwrap()));
+
assert!(scope.grants(&Scope::parse("blob:text/plain").unwrap()));
+
assert!(!scope.grants(&Scope::parse("blob:application/json").unwrap()));
+
fn test_rpc_default_wildcards() {
+
let scope = Scope::parse("rpc").unwrap();
+
let mut lxm = BTreeSet::new();
+
let mut aud = BTreeSet::new();
+
lxm.insert(RpcLexicon::All);
+
aud.insert(RpcAudience::All);
+
assert_eq!(scope, Scope::Rpc(RpcScope { lxm, aud }));
+
fn test_atproto_scope_parsing() {
+
let scope = Scope::parse("atproto").unwrap();
+
assert_eq!(scope, Scope::Atproto);
+
// Atproto should not accept suffixes
+
assert!(Scope::parse("atproto:something").is_err());
+
assert!(Scope::parse("atproto?param=value").is_err());
+
fn test_transition_scope_parsing() {
+
let scope = Scope::parse("transition:generic").unwrap();
+
assert_eq!(scope, Scope::Transition(TransitionScope::Generic));
+
let scope = Scope::parse("transition:email").unwrap();
+
assert_eq!(scope, Scope::Transition(TransitionScope::Email));
+
// Test invalid transition types
+
Scope::parse("transition:invalid"),
+
Err(ParseError::InvalidResource(_))
+
Scope::parse("transition"),
+
Err(ParseError::MissingResource)
+
// Test transition doesn't accept query parameters
+
Scope::parse("transition:generic?param=value"),
+
Err(ParseError::InvalidResource(_))
+
fn test_atproto_scope_normalization() {
+
let scope = Scope::parse("atproto").unwrap();
+
assert_eq!(scope.to_string_normalized(), "atproto");
+
fn test_transition_scope_normalization() {
+
("transition:generic", "transition:generic"),
+
("transition:email", "transition:email"),
+
for (input, expected) in tests {
+
let scope = Scope::parse(input).unwrap();
+
assert_eq!(scope.to_string_normalized(), expected);
+
fn test_atproto_scope_grants() {
+
let atproto = Scope::parse("atproto").unwrap();
+
let account = Scope::parse("account:email").unwrap();
+
let identity = Scope::parse("identity:handle").unwrap();
+
let blob = Scope::parse("blob:image/png").unwrap();
+
let repo = Scope::parse("repo:app.bsky.feed.post").unwrap();
+
let rpc = Scope::parse("rpc:com.example.service").unwrap();
+
let transition_generic = Scope::parse("transition:generic").unwrap();
+
let transition_email = Scope::parse("transition:email").unwrap();
+
// Atproto only grants itself (it's a required scope, not a permission grant)
+
assert!(atproto.grants(&atproto));
+
assert!(!atproto.grants(&account));
+
assert!(!atproto.grants(&identity));
+
assert!(!atproto.grants(&blob));
+
assert!(!atproto.grants(&repo));
+
assert!(!atproto.grants(&rpc));
+
assert!(!atproto.grants(&transition_generic));
+
assert!(!atproto.grants(&transition_email));
+
// Nothing else grants atproto
+
assert!(!account.grants(&atproto));
+
assert!(!identity.grants(&atproto));
+
assert!(!blob.grants(&atproto));
+
assert!(!repo.grants(&atproto));
+
assert!(!rpc.grants(&atproto));
+
assert!(!transition_generic.grants(&atproto));
+
assert!(!transition_email.grants(&atproto));
+
fn test_transition_scope_grants() {
+
let transition_generic = Scope::parse("transition:generic").unwrap();
+
let transition_email = Scope::parse("transition:email").unwrap();
+
let account = Scope::parse("account:email").unwrap();
+
// Transition scopes only grant themselves
+
assert!(transition_generic.grants(&transition_generic));
+
assert!(transition_email.grants(&transition_email));
+
assert!(!transition_generic.grants(&transition_email));
+
assert!(!transition_email.grants(&transition_generic));
+
// Transition scopes don't grant other scope types
+
assert!(!transition_generic.grants(&account));
+
assert!(!transition_email.grants(&account));
+
// Other scopes don't grant transition scopes
+
assert!(!account.grants(&transition_generic));
+
assert!(!account.grants(&transition_email));
+
fn test_parse_multiple() {
+
// Test parsing multiple scopes
+
let scopes = Scope::parse_multiple("atproto repo:*").unwrap();
+
assert_eq!(scopes.len(), 2);
+
assert_eq!(scopes[0], Scope::Atproto);
+
Scope::Repo(RepoScope {
+
collection: RepoCollection::All,
+
let mut actions = BTreeSet::new();
+
actions.insert(RepoAction::Create);
+
actions.insert(RepoAction::Update);
+
actions.insert(RepoAction::Delete);
+
// Test with more scopes
+
let scopes = Scope::parse_multiple("account:email identity:handle blob:image/png").unwrap();
+
assert_eq!(scopes.len(), 3);
+
assert!(matches!(scopes[0], Scope::Account(_)));
+
assert!(matches!(scopes[1], Scope::Identity(_)));
+
assert!(matches!(scopes[2], Scope::Blob(_)));
+
// Test with complex scopes
+
let scopes = Scope::parse_multiple(
+
"account:email?action=manage repo:app.bsky.feed.post?action=create transition:email",
+
assert_eq!(scopes.len(), 3);
+
let scopes = Scope::parse_multiple("").unwrap();
+
assert_eq!(scopes.len(), 0);
+
// Test whitespace only
+
let scopes = Scope::parse_multiple(" ").unwrap();
+
assert_eq!(scopes.len(), 0);
+
// Test with extra whitespace
+
let scopes = Scope::parse_multiple(" atproto repo:* ").unwrap();
+
assert_eq!(scopes.len(), 2);
+
let scopes = Scope::parse_multiple("atproto").unwrap();
+
assert_eq!(scopes.len(), 1);
+
assert_eq!(scopes[0], Scope::Atproto);
+
// Test error propagation
+
assert!(Scope::parse_multiple("atproto invalid:scope").is_err());
+
assert!(Scope::parse_multiple("account:invalid repo:*").is_err());
+
fn test_parse_multiple_reduced() {
+
// Test repo scope reduction - wildcard grants specific
+
Scope::parse_multiple_reduced("atproto repo:app.bsky.feed.post repo:*").unwrap();
+
assert_eq!(scopes.len(), 2);
+
assert!(scopes.contains(&Scope::Atproto));
+
assert!(scopes.contains(&Scope::Repo(RepoScope {
+
collection: RepoCollection::All,
+
let mut actions = BTreeSet::new();
+
actions.insert(RepoAction::Create);
+
actions.insert(RepoAction::Update);
+
actions.insert(RepoAction::Delete);
+
// Test reverse order - should get same result
+
Scope::parse_multiple_reduced("atproto repo:* repo:app.bsky.feed.post").unwrap();
+
assert_eq!(scopes.len(), 2);
+
assert!(scopes.contains(&Scope::Atproto));
+
assert!(scopes.contains(&Scope::Repo(RepoScope {
+
collection: RepoCollection::All,
+
let mut actions = BTreeSet::new();
+
actions.insert(RepoAction::Create);
+
actions.insert(RepoAction::Update);
+
actions.insert(RepoAction::Delete);
+
// Test account scope reduction - manage grants read
+
Scope::parse_multiple_reduced("account:email account:email?action=manage").unwrap();
+
assert_eq!(scopes.len(), 1);
+
Scope::Account(AccountScope {
+
resource: AccountResource::Email,
+
action: AccountAction::Manage,
+
// Test identity scope reduction - wildcard grants specific
+
let scopes = Scope::parse_multiple_reduced("identity:handle identity:*").unwrap();
+
assert_eq!(scopes.len(), 1);
+
assert_eq!(scopes[0], Scope::Identity(IdentityScope::All));
+
// Test blob scope reduction - wildcard grants specific
+
let scopes = Scope::parse_multiple_reduced("blob:image/png blob:image/* blob:*/*").unwrap();
+
assert_eq!(scopes.len(), 1);
+
let mut accept = BTreeSet::new();
+
accept.insert(MimePattern::All);
+
assert_eq!(scopes[0], Scope::Blob(BlobScope { accept }));
+
// Test no reduction needed - different scope types
+
Scope::parse_multiple_reduced("account:email identity:handle blob:image/png").unwrap();
+
assert_eq!(scopes.len(), 3);
+
// Test repo action reduction
+
let scopes = Scope::parse_multiple_reduced(
+
"repo:app.bsky.feed.post?action=create repo:app.bsky.feed.post",
+
assert_eq!(scopes.len(), 1);
+
Scope::Repo(RepoScope {
+
collection: RepoCollection::Nsid(Nsid::new_static("app.bsky.feed.post").unwrap()),
+
let mut actions = BTreeSet::new();
+
actions.insert(RepoAction::Create);
+
actions.insert(RepoAction::Update);
+
actions.insert(RepoAction::Delete);
+
// Test RPC scope reduction
+
let scopes = Scope::parse_multiple_reduced(
+
"rpc:com.example.service?aud=did:example:123 rpc:com.example.service rpc:*",
+
assert_eq!(scopes.len(), 1);
+
let mut lxm = BTreeSet::new();
+
lxm.insert(RpcLexicon::All);
+
let mut aud = BTreeSet::new();
+
aud.insert(RpcAudience::All);
+
// Test duplicate removal
+
let scopes = Scope::parse_multiple_reduced("atproto atproto atproto").unwrap();
+
assert_eq!(scopes.len(), 1);
+
assert_eq!(scopes[0], Scope::Atproto);
+
// Test transition scopes - only grant themselves
+
let scopes = Scope::parse_multiple_reduced("transition:generic transition:email").unwrap();
+
assert_eq!(scopes.len(), 2);
+
assert!(scopes.contains(&Scope::Transition(TransitionScope::Generic)));
+
assert!(scopes.contains(&Scope::Transition(TransitionScope::Email)));
+
let scopes = Scope::parse_multiple_reduced("").unwrap();
+
assert_eq!(scopes.len(), 0);
+
// Test complex scenario with multiple reductions
+
let scopes = Scope::parse_multiple_reduced(
+
"account:email?action=manage account:email account:repo account:repo?action=read identity:* identity:handle"
+
assert_eq!(scopes.len(), 3);
+
// Should have: account:email?action=manage, account:repo, identity:*
+
assert!(scopes.contains(&Scope::Account(AccountScope {
+
resource: AccountResource::Email,
+
action: AccountAction::Manage,
+
assert!(scopes.contains(&Scope::Account(AccountScope {
+
resource: AccountResource::Repo,
+
action: AccountAction::Read,
+
assert!(scopes.contains(&Scope::Identity(IdentityScope::All)));
+
// Test that atproto doesn't grant other scopes (per recent change)
+
let scopes = Scope::parse_multiple_reduced("atproto account:email repo:*").unwrap();
+
assert_eq!(scopes.len(), 3);
+
assert!(scopes.contains(&Scope::Atproto));
+
assert!(scopes.contains(&Scope::Account(AccountScope {
+
resource: AccountResource::Email,
+
action: AccountAction::Read,
+
assert!(scopes.contains(&Scope::Repo(RepoScope {
+
collection: RepoCollection::All,
+
let mut actions = BTreeSet::new();
+
actions.insert(RepoAction::Create);
+
actions.insert(RepoAction::Update);
+
actions.insert(RepoAction::Delete);
+
fn test_openid_connect_scope_parsing() {
+
let scope = Scope::parse("openid").unwrap();
+
assert_eq!(scope, Scope::OpenId);
+
let scope = Scope::parse("profile").unwrap();
+
assert_eq!(scope, Scope::Profile);
+
let scope = Scope::parse("email").unwrap();
+
assert_eq!(scope, Scope::Email);
+
// Test that they don't accept suffixes
+
assert!(Scope::parse("openid:something").is_err());
+
assert!(Scope::parse("profile:something").is_err());
+
assert!(Scope::parse("email:something").is_err());
+
// Test that they don't accept query parameters
+
assert!(Scope::parse("openid?param=value").is_err());
+
assert!(Scope::parse("profile?param=value").is_err());
+
assert!(Scope::parse("email?param=value").is_err());
+
fn test_openid_connect_scope_normalization() {
+
let scope = Scope::parse("openid").unwrap();
+
assert_eq!(scope.to_string_normalized(), "openid");
+
let scope = Scope::parse("profile").unwrap();
+
assert_eq!(scope.to_string_normalized(), "profile");
+
let scope = Scope::parse("email").unwrap();
+
assert_eq!(scope.to_string_normalized(), "email");
+
fn test_openid_connect_scope_grants() {
+
let openid = Scope::parse("openid").unwrap();
+
let profile = Scope::parse("profile").unwrap();
+
let email = Scope::parse("email").unwrap();
+
let account = Scope::parse("account:email").unwrap();
+
// OpenID Connect scopes only grant themselves
+
assert!(openid.grants(&openid));
+
assert!(!openid.grants(&profile));
+
assert!(!openid.grants(&email));
+
assert!(!openid.grants(&account));
+
assert!(profile.grants(&profile));
+
assert!(!profile.grants(&openid));
+
assert!(!profile.grants(&email));
+
assert!(!profile.grants(&account));
+
assert!(email.grants(&email));
+
assert!(!email.grants(&openid));
+
assert!(!email.grants(&profile));
+
assert!(!email.grants(&account));
+
// Other scopes don't grant OpenID Connect scopes
+
assert!(!account.grants(&openid));
+
assert!(!account.grants(&profile));
+
assert!(!account.grants(&email));
+
fn test_parse_multiple_with_openid_connect() {
+
let scopes = Scope::parse_multiple("openid profile email atproto").unwrap();
+
assert_eq!(scopes.len(), 4);
+
assert_eq!(scopes[0], Scope::OpenId);
+
assert_eq!(scopes[1], Scope::Profile);
+
assert_eq!(scopes[2], Scope::Email);
+
assert_eq!(scopes[3], Scope::Atproto);
+
// Test with mixed scopes
+
let scopes = Scope::parse_multiple("openid account:email profile repo:*").unwrap();
+
assert_eq!(scopes.len(), 4);
+
assert!(scopes.contains(&Scope::OpenId));
+
assert!(scopes.contains(&Scope::Profile));
+
fn test_parse_multiple_reduced_with_openid_connect() {
+
// OpenID Connect scopes don't grant each other, so no reduction
+
let scopes = Scope::parse_multiple_reduced("openid profile email openid").unwrap();
+
assert_eq!(scopes.len(), 3);
+
assert!(scopes.contains(&Scope::OpenId));
+
assert!(scopes.contains(&Scope::Profile));
+
assert!(scopes.contains(&Scope::Email));
+
// Mixed with other scopes
+
let scopes = Scope::parse_multiple_reduced(
+
"openid account:email account:email?action=manage profile",
+
assert_eq!(scopes.len(), 3);
+
assert!(scopes.contains(&Scope::OpenId));
+
assert!(scopes.contains(&Scope::Profile));
+
assert!(scopes.contains(&Scope::Account(AccountScope {
+
resource: AccountResource::Email,
+
action: AccountAction::Manage,
+
fn test_serialize_multiple() {
+
let scopes: Vec<Scope> = vec![];
+
assert_eq!(Scope::serialize_multiple(&scopes), "");
+
let scopes = vec![Scope::Atproto];
+
assert_eq!(Scope::serialize_multiple(&scopes), "atproto");
+
// Test multiple scopes - should be sorted alphabetically
+
Scope::parse("repo:*").unwrap(),
+
Scope::parse("account:email").unwrap(),
+
Scope::serialize_multiple(&scopes),
+
"account:email atproto repo:*"
+
// Test that sorting is consistent regardless of input order
+
Scope::parse("identity:handle").unwrap(),
+
Scope::parse("blob:image/png").unwrap(),
+
Scope::parse("account:repo?action=manage").unwrap(),
+
Scope::serialize_multiple(&scopes),
+
"account:repo?action=manage blob:image/png identity:handle"
+
// Test with OpenID Connect scopes
+
let scopes = vec![Scope::Email, Scope::OpenId, Scope::Profile, Scope::Atproto];
+
Scope::serialize_multiple(&scopes),
+
"atproto email openid profile"
+
// Test with complex scopes including query parameters
+
Scope::parse("rpc:com.example.service?aud=did:plc:yfvwmnlztr4dwkb7hwz55r2g&lxm=com.example.method")
+
Scope::parse("repo:app.bsky.feed.post?action=create&action=update").unwrap(),
+
Scope::parse("blob:image/*?accept=image/png&accept=image/jpeg").unwrap(),
+
let result = Scope::serialize_multiple(&scopes);
+
// The result should be sorted alphabetically
+
// Note: RPC scope with query params is serialized as "rpc?aud=...&lxm=..."
+
assert!(result.starts_with("blob:"));
+
assert!(result.contains(" repo:"));
+
result.contains("rpc?aud=did:plc:yfvwmnlztr4dwkb7hwz55r2g&lxm=com.example.service")
+
// Test with transition scopes
+
Scope::Transition(TransitionScope::Email),
+
Scope::Transition(TransitionScope::Generic),
+
Scope::serialize_multiple(&scopes),
+
"atproto transition:email transition:generic"
+
// Test duplicates - they remain in the output (caller's responsibility to dedupe if needed)
+
Scope::parse("account:email").unwrap(),
+
Scope::serialize_multiple(&scopes),
+
"account:email atproto atproto"
+
// Test normalization is preserved in serialization
+
let scopes = vec![Scope::parse("blob?accept=image/png&accept=image/jpeg").unwrap()];
+
// Should normalize query parameters alphabetically
+
Scope::serialize_multiple(&scopes),
+
"blob?accept=image/jpeg&accept=image/png"
+
fn test_serialize_multiple_roundtrip() {
+
// Test that parse_multiple and serialize_multiple are inverses (when sorted)
+
let original = "account:email atproto blob:image/png identity:handle repo:*";
+
let scopes = Scope::parse_multiple(original).unwrap();
+
let serialized = Scope::serialize_multiple(&scopes);
+
assert_eq!(serialized, original);
+
// Test with complex scopes
+
let original = "account:repo?action=manage blob?accept=image/jpeg&accept=image/png rpc:*";
+
let scopes = Scope::parse_multiple(original).unwrap();
+
let serialized = Scope::serialize_multiple(&scopes);
+
// Parse again to verify it's valid
+
let reparsed = Scope::parse_multiple(&serialized).unwrap();
+
assert_eq!(scopes, reparsed);
+
// Test with OpenID Connect scopes
+
let original = "email openid profile";
+
let scopes = Scope::parse_multiple(original).unwrap();
+
let serialized = Scope::serialize_multiple(&scopes);
+
assert_eq!(serialized, original);
+
fn test_remove_scope() {
+
// Test removing a scope that exists
+
Scope::parse("repo:*").unwrap(),
+
Scope::parse("account:email").unwrap(),
+
let to_remove = Scope::Atproto;
+
let result = Scope::remove_scope(&scopes, &to_remove);
+
assert_eq!(result.len(), 2);
+
assert!(!result.contains(&to_remove));
+
assert!(result.contains(&Scope::parse("repo:*").unwrap()));
+
assert!(result.contains(&Scope::parse("account:email").unwrap()));
+
// Test removing a scope that doesn't exist
+
Scope::parse("repo:*").unwrap(),
+
Scope::parse("account:email").unwrap(),
+
let to_remove = Scope::parse("identity:handle").unwrap();
+
let result = Scope::remove_scope(&scopes, &to_remove);
+
assert_eq!(result.len(), 2);
+
assert_eq!(result, scopes);
+
// Test removing from empty list
+
let scopes: Vec<Scope> = vec![];
+
let to_remove = Scope::Atproto;
+
let result = Scope::remove_scope(&scopes, &to_remove);
+
assert_eq!(result.len(), 0);
+
// Test removing all instances of a duplicate scope
+
Scope::parse("account:email").unwrap(),
+
Scope::parse("repo:*").unwrap(),
+
let to_remove = Scope::Atproto;
+
let result = Scope::remove_scope(&scopes, &to_remove);
+
assert_eq!(result.len(), 2);
+
assert!(!result.contains(&to_remove));
+
assert!(result.contains(&Scope::parse("account:email").unwrap()));
+
assert!(result.contains(&Scope::parse("repo:*").unwrap()));
+
// Test removing complex scopes with query parameters
+
Scope::parse("account:email?action=manage").unwrap(),
+
Scope::parse("blob?accept=image/png&accept=image/jpeg").unwrap(),
+
Scope::parse("rpc:com.example.service?aud=did:example:123").unwrap(),
+
let to_remove = Scope::parse("blob?accept=image/jpeg&accept=image/png").unwrap(); // Note: normalized order
+
let result = Scope::remove_scope(&scopes, &to_remove);
+
assert_eq!(result.len(), 2);
+
assert!(!result.contains(&to_remove));
+
// Test with OpenID Connect scopes
+
let scopes = vec![Scope::OpenId, Scope::Profile, Scope::Email, Scope::Atproto];
+
let to_remove = Scope::Profile;
+
let result = Scope::remove_scope(&scopes, &to_remove);
+
assert_eq!(result.len(), 3);
+
assert!(!result.contains(&to_remove));
+
assert!(result.contains(&Scope::OpenId));
+
assert!(result.contains(&Scope::Email));
+
assert!(result.contains(&Scope::Atproto));
+
// Test with transition scopes
+
Scope::Transition(TransitionScope::Generic),
+
Scope::Transition(TransitionScope::Email),
+
let to_remove = Scope::Transition(TransitionScope::Email);
+
let result = Scope::remove_scope(&scopes, &to_remove);
+
assert_eq!(result.len(), 2);
+
assert!(!result.contains(&to_remove));
+
assert!(result.contains(&Scope::Transition(TransitionScope::Generic)));
+
assert!(result.contains(&Scope::Atproto));
+
// Test that only exact matches are removed
+
Scope::parse("account:email").unwrap(),
+
Scope::parse("account:email?action=manage").unwrap(),
+
Scope::parse("account:repo").unwrap(),
+
let to_remove = Scope::parse("account:email").unwrap();
+
let result = Scope::remove_scope(&scopes, &to_remove);
+
assert_eq!(result.len(), 2);
+
assert!(!result.contains(&Scope::parse("account:email").unwrap()));
+
assert!(result.contains(&Scope::parse("account:email?action=manage").unwrap()));
+
assert!(result.contains(&Scope::parse("account:repo").unwrap()));
zbrox.com