Sigra.Plug.RequireScopes (Sigra v1.20.0)


Route-level scope enforcement plug for API token authentication.

Checks that the current connection's scope (from conn.assigns.current_scope) has the required scopes. Session-authenticated users bypass scope checks entirely.

Options

  • :scopes (required) - A non-empty list of required scope strings
  • :error_handler (required) - Module implementing Sigra.Plug.ErrorHandler
  • :match - :all (default) requires all scopes, :any requires at least one

Examples

# Require all listed scopes (AND mode, default)
plug Sigra.Plug.RequireScopes,
  scopes: ["profile:read", "sessions:read"],
  error_handler: MyAppWeb.AuthErrorHandler

# Require any listed scope (OR mode)
plug Sigra.Plug.RequireScopes,
  scopes: ["admin:write", "profile:write"],
  error_handler: MyAppWeb.AuthErrorHandler,
  match: :any

Session Bypass

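When auth_method is :session, the plug passes the connection through without checking scopes. This enables a unified pipeline where browser sessions and API tokens share the same routes. On such routes the :scopes requirement therefore constrains API-token requests only; session-authenticated requests are not limited by it.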
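
The decision rules described above (option validation, :all versus :any matching, and the session bypass), as an added stand-alone model that is not Sigra's own code and does not call the library. The module name ScopeCheckModel, the map shape with :auth_method and :scopes keys, the :api_token value and the {:halt, missing} return are assumptions made for illustration.

```elixir
# Added model of the documented rules; it does not call Sigra.
# Assumed: the map shape (:auth_method, :scopes) and the :api_token value.
defmodule ScopeCheckModel do
  # Mirrors the documented init/1 validation.
  def init(opts) do
    scopes = Keyword.get(opts, :scopes)

    if not is_list(scopes) or scopes == [] do
      raise ArgumentError, ":scopes must be a non-empty list"
    end

    if not Keyword.has_key?(opts, :error_handler) do
      raise ArgumentError, ":error_handler is required"
    end

    %{scopes: scopes, match: Keyword.get(opts, :match, :all)}
  end

  # Session-authenticated requests bypass scope checks entirely.
  def decide(%{auth_method: :session}, _opts), do: :pass

  # Token requests: returns :pass, or {:halt, missing} where the real plug halts.
  def decide(%{scopes: granted}, %{scopes: required, match: match}) do
    satisfied? =
      case match do
        :all -> Enum.all?(required, &(&1 in granted))
        :any -> Enum.any?(required, &(&1 in granted))
      end

    if satisfied?, do: :pass, else: {:halt, required -- granted}
  end
end

# Constructed sample data: scope strings are taken from the examples above.
all_opts = ScopeCheckModel.init(scopes: ["profile:read", "sessions:read"], error_handler: :stub)

any_opts =
  ScopeCheckModel.init(scopes: ["admin:write", "profile:write"], error_handler: :stub, match: :any)

token = %{auth_method: :api_token, scopes: ["profile:read", "profile:write"]}
session = %{auth_method: :session, scopes: []}

for {label, scope, opts} <- [
      {"token, :all", token, all_opts},
      {"token, :any", token, any_opts},
      {"session, :all", session, all_opts}
    ] do
  IO.inspect(ScopeCheckModel.decide(scope, opts), label: label)
end
```

The third case is the one to review when placing this plug on a shared route: the session map carries no scopes at all and is still passed through.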

Summary

Functions

call(conn, opts) - Check scope requirements and halt if insufficient.

init(opts) - Initialize the plug with the given options.

Functions

call(conn, opts)

(since 0.7.0)

Check scope requirements and halt if insufficient.

init(opts)

(since 0.7.0)

Initialize the plug with the given options.

Validates that :scopes is a non-empty list and :error_handler is present.