Make default permissions use only : as separator.

passkey/fastapi/api.py

@@ -10,7 +10,7 @@ This module contains all the HTTP API endpoints for:
 
 from uuid import UUID, uuid4
 
-from fastapi import Body, Cookie, Depends, FastAPI, HTTPException, Response
+from fastapi import Body, Cookie, Depends, FastAPI, HTTPException, Query, Response
 from fastapi.security import HTTPBearer
 
 from passkey.util import passphrase
@@ -38,14 +38,12 @@ def register_api_routes(app: FastAPI):
             raise ValueError("Not authenticated")
         role_perm_ids = set(ctx.role.permissions or [])
         org_uuid_str = str(ctx.org.uuid)
-        is_global_admin = "auth/admin" in role_perm_ids
-        is_org_admin = f"auth/org:{org_uuid_str}" in role_perm_ids
+        is_global_admin = "auth:admin" in role_perm_ids
+        is_org_admin = f"auth:org:{org_uuid_str}" in role_perm_ids
         return ctx, is_global_admin, is_org_admin
 
     @app.post("/auth/validate")
-    async def validate_token(
-        response: Response, perm: list[str] | None = None, auth=Cookie(None)
-    ):
+    async def validate_token(perm=Query(None), auth=Cookie(None)):
         """Lightweight token validation endpoint.
 
         Query Params:
@@ -137,9 +135,9 @@ def register_api_routes(app: FastAPI):
                 "permissions": ctx.org.permissions,
             }
             effective_permissions = [p.id for p in (ctx.permissions or [])]
-            is_global_admin = "auth/admin" in role_info["permissions"]
+            is_global_admin = "auth:admin" in role_info["permissions"]
             is_org_admin = (
-                f"auth/org:{org_info['uuid']}" in role_info["permissions"]
+                f"auth:org:{org_info['uuid']}" in role_info["permissions"]
                 if org_info
                 else False
             )

passkey/fastapi/authz.py

@@ -12,7 +12,7 @@ from ..globals import db
 from ..util.tokens import session_key
 
 
-async def verify(auth: str | None, perms: list[str] | None):
+async def verify(auth: str | None, perm: list[str] | str | None):
     """Validate session token and optional list of required permissions.
 
     Returns the Session object on success. Raises HTTPException on failure.
@@ -22,14 +22,16 @@ async def verify(auth: str | None, perms: list[str] | None):
     if not auth:
         raise HTTPException(status_code=401, detail="Authentication required")
     session = await get_session(auth)
-    if perms:
+    if perm is not None:
+        if isinstance(perm, str):
+            perm = [perm]
         ctx = await db.instance.get_session_context(session_key(auth))
         if not ctx:
             raise HTTPException(status_code=401, detail="Session not found")
         available = set(ctx.role.permissions or []) | (
             set(ctx.org.permissions or []) if ctx.org else set()
         )
-        if any(p not in available for p in perms):
+        if any(p not in available for p in perm):
             raise HTTPException(status_code=403, detail="Permission required")
     return session
 

passkey/fastapi/mainapp.py

@@ -4,7 +4,7 @@ import os
 from contextlib import asynccontextmanager
 from pathlib import Path
 
-from fastapi import Cookie, FastAPI, HTTPException, Request, Response
+from fastapi import Cookie, FastAPI, HTTPException, Query, Request, Response
 from fastapi.responses import FileResponse, JSONResponse
 from fastapi.staticfiles import StaticFiles
 
@@ -72,9 +72,7 @@ app.mount("/auth/ws", ws.app)
 
 
 @app.get("/auth/forward-auth")
-async def forward_authentication(
-    request: Request, perm: list[str] | None = None, auth=Cookie(None)
-):
+async def forward_authentication(request: Request, perm=Query(None), auth=Cookie(None)):
     """A validation endpoint to use with Caddy forward_auth or Nginx auth_request.
 
     Query Params:

passkey/fastapi/session.py

@@ -30,5 +30,4 @@ def set_session_cookie(response: Response, token: str) -> None:
         max_age=int(EXPIRES.total_seconds()),
         httponly=True,
         secure=True,
-        path="/auth/",
     )