Dynamic API scopes
thekonqueror opened this issue · 2 comments
I went over the wiki, issues and discussions before starting this thread, but couldn't find any solution.
Is there a way to dynamically add api scopes for some users?
My use case for this is as follows:
User signs up for basic plan and has access to product, collection related features.
Higher plan allows them to control customers and recent orders as well.
Highest plan reads all orders (Shopify has granted read_all_orders scope for this).
I'd like to avoid asking for read_customers, read_orders, read_all_orders permissions unless the user is on higher plans.
I tried Config::set in Laravel, but it only applies to verify.scopes, resulting in a redirect loop between auth and verify middlewares.
@thekonqueror This isn't possible at the moment based on my understanding but it also wouldn't be difficult to add for your project.
Take a look at getShopifyConfig in vendor/kyon147/laravel-shopify/src/Util.php and how if the key starts with "api", a callback can be used to dynamically assign app keys. See this wiki for an explanation: https://github.com/Kyon147/laravel-shopify/wiki/Multiple-Custom-Apps-on-Same-Codebase
I think you could override this function to add another callback or use the same one and remove the starts with "key" condition. If you add another column to the plans table for your plan specific scopes, then you could use the callback to return the scopes found on the $shop->plan.
You would have to make sure you're using the verify.scopes middleware.
@thekonqueror you'd need to create your own OAuth update for those users and trigger it somehow in the UI for them or automatically if they meet a requirement.
There's nothing in the package to do this, but as @badger-adam said, you can see how we do the auth to get an idea.
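The per-plan scope lookup discussed in this thread, sketched as an added example that is not part of the thread or of the laravel-shopify package: it resolves the least-privileged scope set for a plan and reports which scopes a stored token still lacks, which is the condition for triggering a new OAuth grant. The plan names, the `read_products` scope for the basic plan and all function names are assumptions; the example also goes slightly beyond the thread by treating a granted `write_x` scope as covering `read_x`.

```php
<?php
// Added example. Plan names and the basic-plan scope are assumptions;
// the other scope names are the ones mentioned in the thread.
const PLAN_SCOPES = [
    'basic'   => ['read_products'], // assumed scope for product/collection features
    'higher'  => ['read_products', 'read_customers', 'read_orders'],
    'highest' => ['read_products', 'read_customers', 'read_orders', 'read_all_orders'],
];

/** Scopes to request for a plan; unknown or missing plans get the smallest set. */
function scopesForPlan(?string $plan): array
{
    return PLAN_SCOPES[$plan ?? ''] ?? PLAN_SCOPES['basic'];
}

/** Parse a comma-separated scope string; a granted write_x also covers read_x. */
function expandGranted(string $granted): array
{
    $scopes = array_filter(array_map('trim', explode(',', $granted)), 'strlen');
    foreach ($scopes as $scope) {
        if (str_starts_with($scope, 'write_')) {
            $scopes[] = 'read_' . substr($scope, strlen('write_'));
        }
    }
    return array_values(array_unique($scopes));
}

/** Scopes the plan needs that the token lacks; non-empty means re-authorize. */
function missingScopes(?string $plan, string $granted): array
{
    return array_values(array_diff(scopesForPlan($plan), expandGranted($granted)));
}

/** Scopes the token holds beyond the plan, for example after a downgrade. */
function excessScopes(?string $plan, string $granted): array
{
    return array_values(array_diff(expandGranted($granted), scopesForPlan($plan)));
}

// Constructed sample: token issued on the "higher" plan, shop now on "highest".
$granted = 'read_products,read_customers,read_orders';
echo 'request: ', implode(',', scopesForPlan('highest')), PHP_EOL;
echo 'missing: ', implode(',', missingScopes('highest', $granted)), PHP_EOL;
echo 'excess on basic: ', implode(',', excessScopes('basic', $granted)), PHP_EOL;
```

Deriving both the scopes requested during auth and the scopes checked during verification from the same `scopesForPlan()` result keeps the two steps from disagreeing about what the shop should have.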