From 1748c4d2714323e50f92ecf90be0e3c2ac67d221 Mon Sep 17 00:00:00 2001 From: Pablo Derendinger <98769613+pderendinger-everse@users.noreply.github.com> Date: Tue, 24 Feb 2026 16:55:02 -0300 Subject: [PATCH] Prevents APS login scope escalation Removes the ability to specify OAuth scopes for APS 3-legged login via an input argument. The login scope is now strictly determined by the `APS_SCOPE` environment variable, defaulting to `data:read` if not set. This prevents granting excessive permissions and ensures better control over requested scopes.
---
 src/index.ts | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-)
diff --git a/src/index.ts b/src/index.ts
index dfb2f5a..549263e 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -147,17 +147,11 @@ const TOOLS = [
 "Opens the user's browser to the Autodesk sign‑in page. " +
 "After the user logs in and grants consent, the token is cached to disk " +
 "and auto‑refreshed. All subsequent API calls use the 3LO token " +
- "(with the user's own permissions) until aps_logout is called.",
+ "(with the user's own permissions) until aps_logout is called. " +
+ "The OAuth scope is determined by the APS_SCOPE setting configured by the user.",
 inputSchema: {
 type: "object" as const,
- properties: {
- scope: {
- type: "string",
- description:
- "OAuth scope(s), space‑separated. " +
- "Defaults to 'data:read data:write data:create account:read'.",
- },
- },
+ properties: {},
 },
 },
 
@@ -1008,10 +1002,7 @@ async function handleTool(
 // ── aps_login (3LO) ─────────────────────────────────────────
 if (name === "aps_login") {
 requireApsEnv();
- const scope =
- (args.scope as string | undefined)?.trim() ||
- APS_SCOPE ||
- "data:read data:write data:create account:read";
+ const scope = APS_SCOPE || "data:read";
 const result = await performAps3loLogin(
 APS_CLIENT_ID,
 APS_CLIENT_SECRET,
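Review bot: In the aps_login entry of TOOLS, `properties: {}` leaves the input schema open, so a caller can keep sending `scope` and nothing in the schema tells it the argument is no longer honoured. Adding `additionalProperties: false` next to `properties: {}` would make the contract explicit for clients that validate against the schema; whether this server validates arguments itself is not visible in the hunk. The added description sentence says the scope is "configured by the user", which may read more clearly as configured in the server environment through APS_SCOPE, since the caller of the tool cannot change it. The TOOLS array starts and ends outside the hunk.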
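Review bot: The new `const scope = APS_SCOPE || "data:read";` in the aps_login branch of handleTool narrows only future logins; the tool description says the 3LO token is cached to disk and auto-refreshed, so a token granted earlier with `data:write data:create account:read` would presumably keep being used until aps_logout. If the cache does not record the granted scope, consider comparing it with the configured scope at login or startup and discarding a token that is broader. APS_SCOPE is also used without the `.trim()` the removed code applied to `args.scope`, so a whitespace-only setting is truthy and bypasses the `data:read` default unless it is normalised where APS_SCOPE is defined, which is not visible here. A short comment such as `// Scope comes only from APS_SCOPE; never read it from tool args, which are caller-controlled.` would help keep the argument from being reintroduced. handleTool's body continues outside the hunk.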