feat: enforce PAT scope on permission checks

[AmanGIT07]

Description

When a request is authenticated with a Personal Access Token, permission checks now verify that the PAT's assigned roles cover the requested permission before checking the user's own permissions. This applies to:

• single checks (CheckResourcePermission)
• batch checks (BatchCheckPermission)
• the authorization interceptor (IsAuthorized)
• federated checks (CheckFederatedResourcePermission) where the subject is an explicit app/pat principal.

Changes

• Add PAT scope pre-check in CheckAuthz that runs before the user permission check. If the PAT scope denies the permission, the request is rejected without querying user permissions.
• Add PAT scope pre-check in BatchCheck that batch-checks scope for all items first, then only runs user permission checks for scope-allowed items.
• Resolve PAT subjects to their owning user for the actual permission check (both from authenticated context and explicit subject).
• Add GetByID to PAT repository and service for resolving explicit PAT subjects in federated checks.
• Wire PAT service into resource service via cmd/serve.go.

Tests

• Manual tests done with multiple cases(including custom resources) to validate CheckResourcePermission, BatchCheckPermission, IsAuthorized and CheckFederatedResourcePermission.
• Unit tests in core/resource/service_test.go covering: non-PAT check, PAT scope allowed, PAT scope denied, PAT scope allowed but user denied, explicit PAT subject allowed, explicit PAT subject denied, batch check with PAT scope allowed, batch check with PAT scope denied.
• E2E regression tests in test/e2e/regression/pat_test.go covering six scenarios: org viewer + scoped project viewer, org owner with inherited project access, org viewer + all projects, billing manager role, interceptor enforcement returning PermissionDenied, and federated check with explicit PAT subject. All 26 sub-tests pass against real Postgres and SpiceDB.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
frontier	Ready	Preview, Comment	Mar 11, 2026 10:33am

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

• New Features

  • Added support for Personal Access Token (PAT) scope-based authorization. PATs can now be used with specified permission scopes, enabling fine-grained access control for programmatic operations.

• Tests

  • Added comprehensive test coverage for PAT authorization scenarios and end-to-end regression tests.

Walkthrough

This PR introduces PAT (Personal Access Token) scope-checking support into the authorization flow. It extends the server dependency wiring to pass userPATService through the API dependencies, updates resource.Service to perform PAT scope validation during permission checks, and includes comprehensive test coverage with generated mocks for testing interfaces.

Changes

Cohort / File(s)	Summary
Server dependency wiring cmd/serve.go	Added userPATService parameter to buildAPIDependencies function and propagated it to resource.NewService and api.Deps structure.
Generated mock implementations core/authenticate/mocks/authenticator_func.go, core/resource/mocks/authn_service.go, core/resource/mocks/config_repository.go, core/resource/mocks/org_service.go, core/resource/mocks/pat_service.go, core/resource/mocks/project_service.go, core/resource/mocks/relation_service.go, core/resource/mocks/repository.go	Added testify/mock-based mock implementations for testing interfaces including authenticator, authentication service, configuration repository, organization service, PAT service, project service, relation service, and resource repository.
PAT scope authorization logic core/resource/service.go	Integrated PAT support into Service with new PATService interface, PAT scope validation methods (checkPATScope, resolvePATUser, resolvePATID), and updated CheckAuthz and BatchCheck to enforce PAT scope constraints before permission checks.
PAT service interface extensions core/userpat/userpat.go, core/userpat/service.go, core/userpat/mocks/repository.go	Added GetByID method to Repository interface and Service, with mock implementation for testing.
PAT database access internal/store/postgres/userpat_repository.go	Implemented GetByID method to retrieve PAT records by ID from the database.
Test coverage core/resource/service_test.go, test/e2e/regression/pat_test.go	Added unit tests for PAT scope authorization flows (allowed/denied, federated checks, batch checks) and end-to-end regression tests covering multiple PAT scope scenarios with different roles and permissions.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Possibly related PRs

• feat: PAT authentication chain, token validation, and error handling #1442: Adds userPAT/service/validator parameter to server wiring for PAT support initialization and service construction in cmd/serve.go.
• feat: CreateCurrentUserPAT RPC implementation #1401: Extends API wiring in cmd/serve.go and modifies api.Deps structure to propagate UserPATService dependency.

Suggested reviewers

• rohilsurana
• whoAbhishekSah

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coveralls]

Pull Request Test Coverage Report for Build 22948289905

Details

• 86 of 126 (68.25%) changed or added relevant lines in 4 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage increased (+0.2%) to 40.595%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
cmd/serve.go	0	1	0.0%
core/userpat/service.go	0	3	0.0%
core/resource/service.go	86	102	84.31%
internal/store/postgres/userpat_repository.go	0	20	0.0%

Totals
Change from base Build 22947180652:	0.2%
Covered Lines:	14128
Relevant Lines:	34802

---

💛 - Coveralls

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

core/resource/service_test.go (1)

159-200: Add explicit PAT lookup failure-path coverage.

Please add a case where PAT scope is allowed but patSvc.GetByID returns an error, so CheckAuthz error propagation from resolvePATUser is locked by tests.

core/resource/service.go (1)

322-348: Defer user-subject resolution until after scope filtering in batch path.

buildBatchRelations resolves subjects for all checks up front. For explicit PAT subjects, this can trigger unnecessary GetByID calls for checks that are later scope-denied.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a9b92753-7be8-4c79-8833-15efa96866a5

📥 Commits

Reviewing files that changed from the base of the PR and between 53fbdbe and ab997c6.

📒 Files selected for processing (16)

• cmd/serve.go
• core/authenticate/mocks/authenticator_func.go
• core/resource/mocks/authn_service.go
• core/resource/mocks/config_repository.go
• core/resource/mocks/org_service.go
• core/resource/mocks/pat_service.go
• core/resource/mocks/project_service.go
• core/resource/mocks/relation_service.go
• core/resource/mocks/repository.go
• core/resource/service.go
• core/resource/service_test.go
• core/userpat/mocks/repository.go
• core/userpat/service.go
• core/userpat/userpat.go
• internal/store/postgres/userpat_repository.go
• test/e2e/regression/pat_test.go