feat: add tag filtering to external JWT authentication

[HugoCasa]

Important

Add tag filtering for JWT authentication by modifying scope handling and SQL queries in the backend.

• Behavior:
  • Add tag filtering for JWT authentication in windmill-api/src/jobs.rs and windmill-api/src/users.rs.
  • Modify check_scopes to handle jobs: and run: scope prefixes.
  • Introduce get_scope_tags to extract tags from JWT scopes.
• JWT Claims:
  • Add scopes field to JWTAuthClaims in auth.rs.
• SQL Queries:
  • Update SQL queries in list_queue_jobs_query and list_completed_jobs_query to filter by tags.
• Misc:
  • Update ee-repo-ref.txt to new commit hash.

^{This description was created by for 20e2c24. It will automatically update as commits are pushed.}

[cloudflare-workers-and-pages]

Deploying windmill with    Cloudflare Pages

Latest commit:	20e2c24
Status:	✅  Deploy successful!
Preview URL:	https://05a394cf.windmill.pages.dev
Branch Preview URL:	https://hugo-win-373-tag-filtering-j.windmill.pages.dev

View logs

[ellipsis-dev]

👍 Looks good to me! Reviewed everything up to 20e2c24 in 31 seconds

More details

• Looked at 263 lines of code in 6 files
• Skipped 0 files when reviewing.
• Skipped posting 3 drafted comments based on config settings.

1. backend/windmill-api/src/users.rs:705

• Draft comment:
  Ensure that tags is not empty after splitting, to avoid unexpected behavior if tags are expected to be non-empty.
• Reason this comment was not posted:
  Confidence changes required: 50%
  The get_scope_tags function is used to extract tags from the scopes of an ApiAuthed object. However, the function is not handling the case where the tags variable is empty after splitting. This could lead to unexpected behavior if the tags are expected to be non-empty.

2. backend/windmill-api/src/users.rs:693

• Draft comment:
  Ensure that the scopes vector is not empty before checking for the required scope, to avoid unexpected behavior if scopes are expected to be non-empty.
• Reason this comment was not posted:
  Confidence changes required: 50%
  The check_scopes function is used to verify if the required scope is present in the ApiAuthed object. However, the function does not handle the case where the scopes vector is empty. This could lead to unexpected behavior if the scopes are expected to be non-empty.

3. backend/windmill-worker/src/worker.rs:198

• Draft comment:
  Consider if scopes should be set to a value other than None in JWTAuthClaims if scopes are needed for the token.
• Reason this comment was not posted:
  Confidence changes required: 50%
  The create_token_for_owner function in worker.rs sets the scopes field of JWTAuthClaims to None. This might be intentional, but if scopes are needed for the token, this should be revisited.

Workflow ID: wflow_6X7EM4mmMmfeNJsg

---

You can customize Ellipsis with 👍 / 👎 feedback, review rules, user-specific overrides, quiet mode, and more.