fix: enforce API token scope on requests

- Add apiTokenScope to App.Locals type definition
- Store token scope in event.locals during API token auth
- Block write operations (POST/PATCH/PUT/DELETE) for read-scoped tokens
- Block admin paths for non-admin-scoped tokens
- Returns 403 with descriptive error message
2026-03-25 14:32:48 +03:00
parent 014de026eb
commit 215c8fdd46
2 changed files with 27 additions and 1 deletions
+2
@@ -18,6 +18,8 @@ declare global {
id: string;
expiresAt: Date;
} | null;
/** API token scope — set when auth is via Bearer token, null for JWT sessions */
apiTokenScope: 'read' | 'write' | 'admin' | null;
}
interface PageData {
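Review bot: The new `apiTokenScope` field at L20 uses `null` for "authenticated via JWT session", which makes a Bearer request whose token row carries no scope (or an unrecognised scope string) indistinguishable from a full-access session unless the hook that populates `event.locals` (not in this hunk) explicitly rejects that case; the type alone cannot enforce it, so the contract should be written down here. I would extend the doc comment to `/** API token scope — set when auth is via Bearer token, null only for JWT sessions; Bearer auth that yields no valid scope must be rejected by the hook, never stored as null. */`. Since the same three literals presumably also live in the token table and the request validator, consider declaring them once (`const API_TOKEN_SCOPES = ['read', 'write', 'admin'] as const; type ApiTokenScope = typeof API_TOKEN_SCOPES[number];`) and typing this field as `ApiTokenScope | null`, so the runtime check and the type cannot drift apart. The enclosing `Locals` interface and the `declare global` block begin before this hunk.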