Handle auth tokens with insufficient permissions

CHANGELOG.md

@@ -49,6 +49,7 @@ This version went through a major refactor, which resulted in a different arcite
 - The web server is now decoupled from Playlet specific logic
 - When not logged in, authenticated feed (like user Subscriptions and Playlists) show a "Login to view X" message, with a QR Code that redirects to the login screen
 - [Breaking change] web apis changed a bit (for example the `/api/command` endpoint is removed) refer to the [Open API spec](docs/playlet-web-api.yml)
+- If the Invidious auth token is missing permissions (A token aquired using a previous version of Playlet) you will be auto logged out.
 
 ### Removed
 

playlet-app/src/components/BootstrapScene/BootstrapScene.bs

@@ -15,16 +15,16 @@ function Init() as void
 end function
 
 function GetPlayletLibUrls() as object
-    savedUrls = GetPlayletLibUrlsFromRegistry()
-    if savedUrls <> invalid
-        m.shouldClearRegistryOnLoadFail = true
-        return savedUrls
-    end if
-
     #if DEBUG
         debug = { type: "debug", link: ReadManifestValue("playlet_lib_debug_url") }
         return [debug]
     #else
+        savedUrls = GetPlayletLibUrlsFromRegistry()
+        if savedUrls <> invalid
+            m.shouldClearRegistryOnLoadFail = true
+            return savedUrls
+        end if
+
         github = { type: "github", link: ReadManifestValue("playlet_lib_remote_url") }
         embedded = { type: "embedded", link: ReadManifestValue("playlet_lib_embedded_url") }
         return [github, embedded]

playlet-lib/src/components/Services/Invidious/Invidious.bs

@@ -14,10 +14,6 @@ function GetAuthorizeTokenLink(unused as dynamic) as dynamic
     return m.service.GetAuthorizeTokenLink()
 end function
 
-function Logout(unused as dynamic)
-    m.service.Logout()
-end function
-
 function SetAuthToken(token as string, instance as string, username as dynamic)
     m.service.SetAuthToken(token, instance, username)
 end function

playlet-lib/src/components/Services/Invidious/Invidious.xml

@@ -9,7 +9,6 @@
         <field id="authToken" type="assocarray" />
         <field id="apiDefinitions" type="assocarray" />
 
-        <function name="Logout" />
         <function name="GetCurrentInstance" />
         <function name="GetAuthorizeTokenLink" />
         <function name="SetAuthToken" />

playlet-lib/src/components/Services/Invidious/InvidiousService.bs

@@ -289,13 +289,21 @@ namespace Invidious
             if tokenPayload = invalid
                 return invalid
             end if
-            authData = ParseJson(tokenPayload)
-            ' TODO:P0 delete token if we're missing scope
-            if authData = invalid or authData.instance = invalid or authData.token = invalid
+            authToken = ParseJson(tokenPayload)
+            if authToken = invalid or authToken.instance = invalid or authToken.token = invalid
                 RegistryUtils.Delete(RegistryUtils.INVIDIOUS_TOKEN)
                 return invalid
             end if
-            return authData
+            if not m.VerifyTokenScope(authToken.token)
+                ' TODO:P1 automatically logging out the user is not a good experience
+                ' We can at least show a message to the user on why they are logged out
+                ' TODO:P2 right now we're probably in a UI thread, and we can't unregister the token
+                ' So we're just going to ignore it for now
+                ' m.UnregisterToken(authToken)
+                RegistryUtils.Delete(RegistryUtils.INVIDIOUS_TOKEN)
+                return invalid
+            end if
+            return authToken
         end function
 
         function SetAuthToken(token as string, instance as string, username as dynamic)
@@ -311,6 +319,19 @@ namespace Invidious
             m.node.authToken = obj
         end function
 
+        function VerifyTokenScope(token as string) as boolean
+            tokenObject = ParseJson(token)
+            if tokenObject = invalid
+                return false
+            end if
+            if not IsArray(tokenObject.scopes)
+                return false
+            end if
+
+            scopes = tokenObject.scopes.join(",")
+            return scopes = Invidious.AUTH_SCOPES
+        end function
+
         function DeleteAuthToken()
             m.node.authToken = invalid
             RegistryUtils.Delete(RegistryUtils.INVIDIOUS_TOKEN)

playlet-lib/src/source/services/HttpClient.bs

@@ -205,6 +205,11 @@ namespace HttpClient
             end if
 
             m.urlTransfer = m.CreateRoUrlTransfer()
+            if m.urlTransfer = invalid
+                m.log.error("Failed to create roUrlTransfer. We're probably not in a background thread.")
+                return m
+            end if
+
             m.urlTransfer.setUrl(m.BuildUrl())
             if m._headers <> invalid
                 m.urlTransfer.SetHeaders(m._headers)
@@ -321,6 +326,9 @@ namespace HttpClient
 
         private function CreateRoUrlTransfer() as object
             urlTransfer = CreateObject("roUrlTransfer")
+            if urlTransfer = invalid
+                return invalid
+            end if
             urlTransfer.EnableEncodings(true)
             urlTransfer.RetainBodyOnError(true)
             if LCase(left(m._url, 6)).StartsWith("https:")