[TB] limit oauth scopes (#20131)

gitpod-io · Aug 16, 2024 · 4f6e2cb · 4f6e2cb
1 parent 987c714
commit 4f6e2cb
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/components/server/src/oauth-server/db.ts b/components/server/src/oauth-server/db.ts
@@ -147,8 +147,17 @@ const toolbox: OAuthClient = {
     redirectUris: ["jetbrains://gateway/io.gitpod.toolbox.gateway/auth"],
     allowedGrants: ["authorization_code"],
     scopes: [
-        // We scope all so that it can work in papi like a PAT
-        { name: "function:*" },
+        { name: "function:getGitpodTokenScopes" },
+        { name: "function:getLoggedInUser" },
+        { name: "function:getOwnerToken" },
+        { name: "function:getWorkspace" },
+        { name: "function:getWorkspaces" },
+        { name: "function:listenForWorkspaceInstanceUpdates" },
+        { name: "function:startWorkspace" },
+        { name: "function:stopWorkspace" },
+        { name: "function:deleteWorkspace" },
+        { name: "function:getToken" },
+        { name: "resource:default" },
     ],
 };