feat: admin scope required for /api/teams and /api/backends

msmithstubbs · msmithstubbs · commit 960437516ecd · 2026-01-13T08:16:04.000+10:00
diff --git a/lib/logflare_web/router.ex b/lib/logflare_web/router.ex
@@ -104,10 +104,14 @@ defmodule LogflareWeb.Router do
     plug(LogflareWeb.Plugs.BufferLimiter)
   end
 
-  pipeline :require_mgmt_api_auth do
+  pipeline :require_private_api_auth do
     plug(LogflareWeb.Plugs.VerifyApiAccess, scopes: ~w(private))
   end
 
+  pipeline :require_admin_api_auth do
+    plug(LogflareWeb.Plugs.VerifyApiAccess, scopes: ~w(private:admin))
+  end
+
   pipeline :require_auth do
     plug(LogflareWeb.Plugs.RequireAuth)
   end
@@ -391,9 +395,9 @@ defmodule LogflareWeb.Router do
     get("/", HealthCheckController, :check)
   end
 
-  # Account management API.
+  # Account resource API
   scope "/api", LogflareWeb do
-    pipe_through([:api, :require_mgmt_api_auth])
+    pipe_through([:api, :require_private_api_auth])
 
     get("/account", UserController, :api_show)
     get("/query", Api.QueryController, :query)
@@ -426,7 +430,16 @@ defmodule LogflareWeb.Router do
 
     resources("/teams", Api.TeamController,
       param: "token",
-      only: [:index, :show, :create, :update, :delete]
+      only: [:index, :show]
+    )
+  end
+
+  scope "/api", LogflareWeb do
+    pipe_through([:api, :require_admin_api_auth])
+
+    resources("/teams", Api.TeamController,
+      param: "token",
+      only: [:create, :update, :delete]
     )
 
     resources("/backends", Api.BackendController,
diff --git a/test/logflare_web/controllers/api/backend_controller_test.exs b/test/logflare_web/controllers/api/backend_controller_test.exs
@@ -16,7 +16,7 @@ defmodule LogflareWeb.Api.BackendControllerTest do
 
       assert [%{"id" => ^id, "inserted_at" => _, "updated_at" => _}] =
                conn
-               |> add_access_token(user, "private")
+               |> add_access_token(user, "private:admin")
                |> get(~p"/api/backends")
                |> json_response(200)
     end
@@ -27,12 +27,19 @@ defmodule LogflareWeb.Api.BackendControllerTest do
 
       assert [result] =
                conn
-               |> add_access_token(user, "private")
+               |> add_access_token(user, "private:admin")
                |> get(~p"/api/backends?#{%{metadata: %{my: "field", data: true}}}")
                |> json_response(200)
 
       assert result["id"] == backend.id
     end
+
+    test "admin scope is required", %{conn: conn, user: user} do
+      assert conn
+             |> add_access_token(user, "private")
+             |> get(~p"/api/backends")
+             |> response(401) == ~s|{"error":"Unauthorized"}|
+    end
   end
 
   describe "show/2" do
@@ -41,7 +48,7 @@ defmodule LogflareWeb.Api.BackendControllerTest do
 
       response =
         conn
-        |> add_access_token(user, "private")
+        |> add_access_token(user, "private:admin")
         |> get("/api/backends/#{backend.token}")
         |> json_response(200)
 
@@ -53,10 +60,19 @@ defmodule LogflareWeb.Api.BackendControllerTest do
       invalid_user = insert(:user)
 
       conn
-      |> add_access_token(invalid_user, "private")
+      |> add_access_token(invalid_user, "private:admin")
       |> get("/api/backends/#{backend.token}")
       |> response(404)
     end
+
+    test "admin scope is required", %{conn: conn, user: user} do
+      backend = insert(:backend, user: user)
+
+      assert conn
+             |> add_access_token(user, "private")
+             |> get("/api/backends/#{backend.token}")
+             |> response(401) == ~s|{"error":"Unauthorized"}|
+    end
   end
 
   describe "create/2" do
@@ -65,7 +81,7 @@ defmodule LogflareWeb.Api.BackendControllerTest do
 
       response =
         conn
-        |> add_access_token(user, "private")
+        |> add_access_token(user, "private:admin")
         |> post("/api/backends", %{
           name: name,
           type: "webhook",
@@ -84,7 +100,7 @@ defmodule LogflareWeb.Api.BackendControllerTest do
 
       conn =
         conn
-        |> add_access_token(user, "private")
+        |> add_access_token(user, "private:admin")
         |> post("/api/backends", %{
           name: name,
           type: "postgres",
@@ -117,7 +133,7 @@ defmodule LogflareWeb.Api.BackendControllerTest do
 
       conn =
         conn
-        |> add_access_token(user, "private")
+        |> add_access_token(user, "private:admin")
         |> post("/api/backends", %{
           name: name,
           type: "clickhouse",
@@ -159,7 +175,7 @@ defmodule LogflareWeb.Api.BackendControllerTest do
 
       conn =
         conn
-        |> add_access_token(user, "private")
+        |> add_access_token(user, "private:admin")
         |> post("/api/backends", %{
           name: name,
           type: "datadog",
@@ -188,7 +204,7 @@ defmodule LogflareWeb.Api.BackendControllerTest do
 
       conn =
         conn
-        |> add_access_token(user, "private")
+        |> add_access_token(user, "private:admin")
         |> post("/api/backends", %{
           name: name,
           type: "elastic",
@@ -218,7 +234,7 @@ defmodule LogflareWeb.Api.BackendControllerTest do
 
       conn =
         conn
-        |> add_access_token(user, "private")
+        |> add_access_token(user, "private:admin")
         |> post("/api/backends", %{
           name: name,
           type: "loki",
@@ -246,7 +262,7 @@ defmodule LogflareWeb.Api.BackendControllerTest do
     test "returns 422 on missing arguments", %{conn: conn, user: user} do
       resp =
         conn
-        |> add_access_token(user, "private")
+        |> add_access_token(user, "private:admin")
         |> post("/api/backends")
         |> json_response(422)
 
@@ -256,7 +272,7 @@ defmodule LogflareWeb.Api.BackendControllerTest do
     test "returns 422 on bad arguments", %{conn: conn, user: user} do
       resp =
         conn
-        |> add_access_token(user, "private")
+        |> add_access_token(user, "private:admin")
         |> post("/api/backends", %{name: 123})
         |> json_response(422)
 
@@ -268,7 +284,7 @@ defmodule LogflareWeb.Api.BackendControllerTest do
 
       response =
         conn
-        |> add_access_token(user, "private")
+        |> add_access_token(user, "private:admin")
         |> post("/api/backends", %{
           name: name,
           type: "clickhouse",
@@ -289,7 +305,7 @@ defmodule LogflareWeb.Api.BackendControllerTest do
 
       response =
         conn
-        |> add_access_token(user, "private")
+        |> add_access_token(user, "private:admin")
         |> post("/api/backends", %{
           name: name,
           type: "clickhouse",
@@ -300,6 +316,13 @@ defmodule LogflareWeb.Api.BackendControllerTest do
       assert response["name"] == name
       assert response["default_ingest?"] == false
     end
+
+    test "admin scope is required", %{conn: conn, user: user} do
+      assert conn
+             |> add_access_token(user, "private")
+             |> post("/api/backends", %{name: TestUtils.random_string(), type: "webhook"})
+             |> response(401) == ~s|{"error":"Unauthorized"}|
+    end
   end
 
   describe "update/2" do
@@ -312,7 +335,7 @@ defmodule LogflareWeb.Api.BackendControllerTest do
 
       response =
         conn
-        |> add_access_token(user, "private")
+        |> add_access_token(user, "private:admin")
         |> patch("/api/backends/#{backend.token}", %{name: name})
         |> response(204)
 
@@ -324,7 +347,7 @@ defmodule LogflareWeb.Api.BackendControllerTest do
       backend = insert(:backend, user: user)
 
       conn
-      |> add_access_token(invalid_user, "private")
+      |> add_access_token(invalid_user, "private:admin")
       |> patch("/api/backends/#{backend.token}", %{name: TestUtils.random_string()})
       |> response(404)
     end
@@ -334,7 +357,7 @@ defmodule LogflareWeb.Api.BackendControllerTest do
 
       resp =
         conn
-        |> add_access_token(user, "private")
+        |> add_access_token(user, "private:admin")
         |> patch("/api/backends/#{backend.token}", %{name: 123})
         |> json_response(422)
 
@@ -346,13 +369,13 @@ defmodule LogflareWeb.Api.BackendControllerTest do
       source = insert(:source, user: user, default_ingest_backend_enabled?: true)
 
       conn
-      |> add_access_token(user, "private")
+      |> add_access_token(user, "private:admin")
       |> patch("/api/backends/#{backend.token}", %{default_ingest?: true, source_id: source.id})
       |> response(204)
 
       response =
         conn
-        |> add_access_token(user, "private")
+        |> add_access_token(user, "private:admin")
         |> get("/api/backends/#{backend.token}")
         |> json_response(200)
 
@@ -370,7 +393,7 @@ defmodule LogflareWeb.Api.BackendControllerTest do
 
       response =
         conn
-        |> add_access_token(user, "private")
+        |> add_access_token(user, "private:admin")
         |> patch("/api/backends/#{backend.token}", %{default_ingest?: true})
         |> json_response(422)
 
@@ -380,6 +403,15 @@ defmodule LogflareWeb.Api.BackendControllerTest do
                }
              }
     end
+
+    test "admin scope is required", %{conn: conn, user: user} do
+      backend = insert(:backend, user: user)
+
+      assert conn
+             |> add_access_token(user, "private")
+             |> patch("/api/backends/#{backend.token}", %{name: TestUtils.random_string()})
+             |> response(401) == ~s|{"error":"Unauthorized"}|
+    end
   end
 
   describe "delete/2" do
@@ -391,12 +423,12 @@ defmodule LogflareWeb.Api.BackendControllerTest do
       backend = insert(:backend, user: user)
 
       assert conn
-             |> add_access_token(user, "private")
+             |> add_access_token(user, "private:admin")
              |> delete("/api/backends/#{backend.token}", %{name: name})
              |> response(204)
 
       assert conn
-             |> add_access_token(user, "private")
+             |> add_access_token(user, "private:admin")
              |> get("/api/backends/#{backend.token}")
              |> response(404)
     end
@@ -409,9 +441,18 @@ defmodule LogflareWeb.Api.BackendControllerTest do
       backend = insert(:backend, user: user)
 
       assert conn
-             |> add_access_token(invalid_user, "private")
+             |> add_access_token(invalid_user, "private:admin")
              |> delete("/api/backends/#{backend.token}")
              |> response(404)
     end
+
+    test "admin scope is required", %{conn: conn, user: user} do
+      backend = insert(:backend, user: user)
+
+      assert conn
+             |> add_access_token(user, "private")
+             |> delete("/api/backends/#{backend.token}")
+             |> response(401) == ~s|{"error":"Unauthorized"}|
+    end
   end
 end
diff --git a/test/logflare_web/controllers/api/team_controller_test.exs b/test/logflare_web/controllers/api/team_controller_test.exs
