A scope is a resource (or a set of resources) that can be accessed only by authenticated users. Each scope has a name or identifier, which is defined by the scope provider (such as webAppOS or Google) that hosts the resources the scope represents.
webAppOS defines the general "login" scope, which grants access to the user's server-side home directory, the user's registry settings, etc. The "login" scope also allows the user to initiate web socket connections to activate "web memory". Currently, "login" and "project_id" are the only scopes defined by webAppOS ("project_id" includes "login"; projects are related to webAppOS Memory, see <webAppOS Memory (MRAM) and Projects>).
TODO: In the future, finer scopes such as "fs" (for accessing only the filesystem) or "registry" (for accessing user's registry settings) can be introduced.
Google defines multiple scopes such as "profile" (https://www.googleapis.com/auth/userinfo.profile) and "spreadsheets" (https://www.googleapis.com/auth/spreadsheets) (see https://developers.google.com/identity/protocols/googlescopes for the full list of scopes).
To access resources within a given scope, authentication is required. For instance, the webAppOS "login" scope can be accessed after the user passes the login page. Google's scopes can be accessed after the user enters the Google account password and allows the given web application (such as webAppOS itself or its web apps) to access the required scopes (the Google login page informs the user about the requested scopes). Since authorizing scopes requires the user's intervention, the webAppOS API functions for scopes are browser-based.
webAppOS provides a uniform mechanism to access webAppOS and third-party scopes. The webappos.js script implements the following scope-related functions:
request_scopes | Authenticates the user to use one or more particular scopes of the given provider. For that, request_scopes loads the corresponding scopes driver and calls request_access (see Scopes Drivers if you want to create your own drivers or learn how drivers are implemented). The driver can perform different actions depending on whether webAppOS is running in serverful or serverless mode (this is determined by checking whether some of the webAppOS scopes such as "login" or "project_id" were requested earlier). See also: webappos.request_scopes Code example: |
// Request the webAppOS "login" scope first, then the Google Sheets scope.
webappos.request_scopes("webappos_scopes", "login").then(() =>
  webappos.request_scopes("google_scopes", "https://www.googleapis.com/auth/spreadsheets")
);
sign_out | Calls revoke_serverless_access() for all loaded scopes drivers, including "webappos_scopes", if it was loaded (thus, releasing the webAppOS "login"/"project_id" scope and redirecting to the login page). The sign_out function DOES NOT release server-side scope tokens. This is done intentionally: tokens remain stored at the server side for future access (e.g., for re-mounting cloud drives on the next logon automatically). See also: webappos.sign_out |
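Because the driver decides between serverful and serverless mode by checking whether a webAppOS scope was requested earlier, the order of request_scopes calls matters. The following is an added example, not part of webappos.js: the helper names orderScopeRequests and requestScopesInOrder and the api parameter (standing in for the webappos object) are hypothetical, and it assumes the promise returned by request_scopes rejects when the user declines or authentication fails.

```javascript
// Added example (not webAppOS code). Provider names are the ones used on this page.
const WEBAPPOS_PROVIDER = "webappos_scopes";

// Move webAppOS's own scopes ("login", "project_id") to the front so that the
// third-party drivers loaded afterwards see that they were requested earlier.
// The relative order of all other requests is preserved.
function orderScopeRequests(requests) {
  const own = requests.filter((r) => r.provider === WEBAPPOS_PROVIDER);
  const thirdParty = requests.filter((r) => r.provider !== WEBAPPOS_PROVIDER);
  return [...own, ...thirdParty];
}

// Request scopes one at a time and stop at the first failure, so that no
// further consent prompt is shown once the user has declined a scope.
// `api` is any object exposing request_scopes(provider, scope), e.g. webappos.
async function requestScopesInOrder(api, requests) {
  const granted = [];
  for (const { provider, scope } of orderScopeRequests(requests)) {
    try {
      await api.request_scopes(provider, scope);
      granted.push({ provider, scope });
    } catch (error) {
      // Assumption: a rejected promise means the scope was not granted.
      return { ok: false, granted, failed: { provider, scope }, error };
    }
  }
  return { ok: true, granted, failed: null, error: null };
}
```

Request only the scopes the web app actually needs; each entry in the list becomes a grant the user has to approve.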