allow tokens to limit a user's rank

2025-06-21 09:46:31 -04:00 · 2025-06-21 09:46:31 -04:00 · 70b85e5215
commit 70b85e5215
parent a4c816d07c
8 changed files with 72 additions and 4 deletions
--- a/packages/backend/src/models/AccessToken.ts
+++ b/packages/backend/src/models/AccessToken.ts
@ -8,6 +8,9 @@ import { id } from './util/id.js';
 import { MiUser } from './User.js';
 import { MiApp } from './App.js';

+export const accessTokenRanks = ['user', 'mod', 'admin'] as const;
+export type AccessTokenRank = typeof accessTokenRanks[number];
+
@Entity('access_token')
 export class MiAccessToken {
 	@PrimaryColumn(id())
@ -87,4 +90,11 @@ export class MiAccessToken {
 		default: false,
 	})
 	public fetched: boolean;
+
+	@Column('enum', {
+		enum: accessTokenRanks,
+		nullable: true,
+		comment: 'Limits the user\' rank (user, moderator, or admin) when using this token. If null (default), then uses the user\'s actual rank.',
+	})
+	public rank: AccessTokenRank | null;
 }
--- a/packages/backend/src/server/api/endpoints/miauth/gen-token.ts
+++ b/packages/backend/src/server/api/endpoints/miauth/gen-token.ts
@ -60,6 +60,7 @@ export const paramDef = {
 		grantees: { type: 'array', uniqueItems: true, items: {
 			type: 'string',
 		} },
+		rank: { type: 'string', enum: ['admin', 'mod', 'user'], nullable: true },
 	},
 	required: ['session', 'permission'],
 } as const;
@ -109,6 +110,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 					description: ps.description,
 					iconUrl: ps.iconUrl,
 					permission: ps.permission,
+					rank: ps.rank,
 				});

 				// Insert shared access grants