CLI: Refactor authentication subcommand flags

Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-12-12 00:34:13 +01:00 · 2025-10-23 09:04:30 +02:00
parent 9514542d44
commit 6609e9c998
6 changed files with 20 additions and 21 deletions
--- a/internal/commands/auth_add.go
+++ b/internal/commands/auth_add.go
@@ -22,11 +22,11 @@ var AuthAddFlags = []cli.Flag{
 		Aliases: []string{"n"},
 		Usage:   "`CLIENT` name to help identify the application",
 	},
-	ScopeFlag("", []string{"s"}),
+	ScopeFlag("token authorization `SCOPE` as space-separated resources, or '*' for full access"),
 	&cli.Int64Flag{
 		Name:    "expires",
 		Aliases: []string{"e"},
-		Usage:   "authentication `LIFETIME` in seconds, after which access expires (-1 to disable the limit)",
+		Usage:   "token `LIFETIME` in seconds, or -1 to disable the limit",
 		Value:   unix.Year,
 	},
 }
--- a/internal/commands/clients.go
+++ b/internal/commands/clients.go
@@ -15,7 +15,7 @@ const (
 	ClientIdUsage          = "static client `UID` for test purposes"
 	ClientSecretUsage      = "static client `SECRET` for test purposes"
 	ClientNameUsage        = "`CLIENT` name to help identify the application"
-	ClientAuthScope        = "client authorization `SCOPES`, e.g. metrics or \"vision photos albums\" (\"*\" to allow all)"
+	ClientAuthScope        = "client authorization `SCOPE` as space-separated resources, or '*' for full access"
 	ClientAuthProvider     = "client authentication `PROVIDER`"
 	ClientAuthMethod       = "client authentication `METHOD`"
 	ClientAuthExpires      = "access token `LIFETIME` in seconds, after which a new token must be requested"
@@ -63,7 +63,7 @@ var ClientAddFlags = []cli.Flag{
 		Usage:   ClientRoleUsage,
 		Value:   acl.RoleClient.String(),
 	},
-	ScopeFlag(ClientAuthScope, []string{"s"}),
+	ScopeFlag(ClientAuthScope),
 	&cli.StringFlag{
 		Name:    "provider",
 		Aliases: []string{"p"},
@@ -110,7 +110,7 @@ var ClientModFlags = []cli.Flag{
 		Usage:   ClientRoleUsage,
 		Value:   acl.RoleClient.String(),
 	},
-	ScopeFlag(ClientAuthScope, []string{"s"}),
+	ScopeFlag(ClientAuthScope),
 	&cli.StringFlag{
 		Name:    "provider",
 		Aliases: []string{"p"},
--- a/internal/commands/flags.go
+++ b/internal/commands/flags.go
@@ -27,15 +27,24 @@ func YesFlag() *cli.BoolFlag {
 	return &cli.BoolFlag{Name: "yes", Aliases: []string{"y"}, Usage: "runs the command non-interactively"}
 }

-// ScopeFlag returns the shared CLI flag definition for scopes.
-func ScopeFlag(usage string, aliases []string) *cli.StringFlag {
+// SuperAdminFlag returns the shared super admin CLI flag definition.
+func SuperAdminFlag(usage string) *cli.BoolFlag {
 	if usage == "" {
-		usage = "authorization `SCOPE` (space-separated resource:permission pairs or '*' for full access)"
+		usage = "makes user super admin with full access"
+	}
+
+	return &cli.BoolFlag{Name: "superadmin", Aliases: []string{"super"}, Usage: usage}
+}
+
+// ScopeFlag returns the shared CLI flag definition for scopes.
+func ScopeFlag(usage string) *cli.StringFlag {
+	if usage == "" {
+		usage = "authorization `SCOPE` as space-separated resources, or '*' for full access"
 	}

 	return &cli.StringFlag{
 		Name:    "scope",
-		Aliases: aliases,
+		Aliases: []string{"s"},
 		Usage:   usage,
 	}
 }
--- a/internal/commands/users.go
+++ b/internal/commands/users.go
@@ -76,11 +76,7 @@ var UserFlags = []cli.Flag{
 		Usage: UserAuthIDUsage,
 		Value: "",
 	},
-	&cli.BoolFlag{
-		Name:    "superadmin",
-		Aliases: []string{"s"},
-		Usage:   UserAdminUsage,
-	},
+	SuperAdminFlag(UserAdminUsage),
 	&cli.BoolFlag{
 		Name:    "no-login",
 		Aliases: []string{"l"},
--- a/internal/config/flags.go
+++ b/internal/config/flags.go
@@ -58,12 +58,6 @@ var Flags = CliFlags{
 			Usage:   fmt.Sprintf("initial `PASSWORD` of the superadmin account (%d-%d characters)", entity.PasswordLength, txt.ClipPassword),
 			EnvVars: EnvVars("ADMIN_PASSWORD"),
 		}}, {
-		Flag: &cli.StringFlag{
-			Name:    "admin-scope",
-			Usage:   "initial `SCOPE` of the superadmin account",
-			EnvVars: EnvVars("ADMIN_SCOPE"),
-			Hidden:  true,
-		}}, {
 		Flag: &cli.IntFlag{
 			Name:    "password-length",
 			Usage:   "minimum password `LENGTH` in characters",
--- a/internal/config/options.go
+++ b/internal/config/options.go
@@ -31,7 +31,7 @@ type Options struct {
 	NoHub                   bool          `yaml:"-" json:"-" flag:"no-hub"`
 	AdminUser               string        `yaml:"AdminUser" json:"-" flag:"admin-user"`
 	AdminPassword           string        `yaml:"AdminPassword" json:"-" flag:"admin-password"`
-	AdminScope              string        `yaml:"AdminScope" json:"-" flag:"admin-scope"`
+	AdminScope              string        `yaml:"AdminScope" json:"-" flag:"admin-scope" tags:"pro"`
 	PasswordLength          int           `yaml:"PasswordLength" json:"-" flag:"password-length"`
 	PasswordResetUri        string        `yaml:"PasswordResetUri" json:"-" flag:"password-reset-uri" tags:"plus,pro"`
 	RegisterUri             string        `yaml:"RegisterUri" json:"-" flag:"register-uri" tags:"pro"`