Fix clientCredentials scopes

Author: abraham

dist/schema.json

@@ -39250,29 +39250,7 @@
             "tokenUrl": "/oauth/token",
             "scopes": {
               "read": "Read access",
-              "write": "Write access",
-              "read:accounts": "Read access to accounts",
-              "read:blocks": "Read access to blocks",
-              "read:bookmarks": "Read access to bookmarks",
-              "read:favourites": "Read access to favourites",
-              "read:filters": "Read access to filters",
-              "read:follows": "Read access to follows",
-              "read:lists": "Read access to lists",
-              "read:mutes": "Read access to mutes",
-              "read:search": "Read access to search",
-              "read:statuses": "Read access to statuses",
-              "write:accounts": "Write access to accounts",
-              "write:blocks": "Write access to blocks",
-              "write:bookmarks": "Write access to bookmarks",
-              "write:conversations": "Write access to conversations",
-              "write:favourites": "Write access to favourites",
-              "write:filters": "Write access to filters",
-              "write:follows": "Write access to follows",
-              "write:lists": "Write access to lists",
-              "write:media": "Write access to media",
-              "write:mutes": "Write access to mutes",
-              "write:reports": "Write access to reports",
-              "write:statuses": "Write access to statuses"
+              "write:accounts": "Write access to accounts"
             }
           }
         }

src/__tests__/generators/SpecBuilder.test.ts

@@ -28,6 +28,7 @@ jest.mock('../../parsers/OAuthScopeParser', () => {
         scopes: [
           { name: 'read', description: 'Read access' },
           { name: 'write', description: 'Write access' },
+          { name: 'write:accounts', description: 'Manage your account' },
         ],
       }),
     })),
@@ -187,11 +188,12 @@ describe('SpecBuilder', () => {
         'Write access'
       );
 
-      // Check clientCredentials flow has scopes
+      // Check clientCredentials flow has limited scopes (read and write:accounts only)
       expect(oauth2.flows?.clientCredentials?.scopes).toBeDefined();
       expect(oauth2.flows?.clientCredentials?.scopes.read).toBe('Read access');
-      expect(oauth2.flows?.clientCredentials?.scopes.write).toBe(
-        'Write access'
+      expect(oauth2.flows?.clientCredentials?.scopes.write).toBeUndefined();
+      expect(oauth2.flows?.clientCredentials?.scopes['write:accounts']).toBe(
+        'Manage your account'
       );
     });
   });

src/generators/SpecBuilder.ts

@@ -24,17 +24,15 @@ class SpecBuilder {
       scopesObject[scope.name] = scope.description;
     }
 
-    // Filter scopes for clientCredentials flow (typically only read/write scopes)
+    // Filter scopes for clientCredentials flow (app tokens)
+    // Per Mastodon docs, client credentials tokens can only be used for:
+    // - GET /api/v1/apps/verify_credentials
+    // - POST /api/v1/accounts (account creation)
+    // So we only include minimal scopes needed for these endpoints
     const clientCredentialsScopes: Record<string, string> = {};
     for (const scope of oauthScopes.scopes) {
-      // Include high-level scopes and non-user-specific scopes for client credentials
-      if (
-        ['read', 'write'].includes(scope.name) ||
-        (scope.name.startsWith('read:') &&
-          !scope.name.includes('notifications')) ||
-        (scope.name.startsWith('write:') &&
-          !scope.name.includes('notifications'))
-      ) {
+      // Only include read scope and write:accounts for account creation
+      if (scope.name === 'read' || scope.name === 'write:accounts') {
         clientCredentialsScopes[scope.name] = scope.description;
       }
     }