feat: enforce PAT scope intersection on ByCurrentUser queries by AmanGIT07 · Pull Request #1447

feat: enforce PAT scope intersection on ByCurrentUser queries by AmanGIT07 · Pull Request #1447 · raystack/frontier

Core Authentication
core/authenticate/authenticate.go Adds ResolveSubject() method to Principal type that returns underlying user ID and type for PAT-backed principals, normalizing subject resolution. Group & Organization Services
core/group/service.go, core/organization/service.go Updates ListByUser signature from separate principalID/principalType strings to single Principal parameter. Adds PAT scope intersection logic to filter results by PAT-based permissions. Derives subjectID/subjectType from resolved principal. Project Service
core/project/service.go Updates ListByUser signature to accept Principal instead of separate strings. Adds listNonInheritedProjectIDs and intersectPATScope helpers. Refactors logic to resolve subject from principal and filter results by PAT scope. Service Tests
core/group/service_test.go, core/organization/service_test.go, core/project/service_test.go Adds test coverage for PAT principal resolution, PAT scope intersection with user memberships, and regular principal handling. Introduces PAT model imports and mock service setups. Interface Definitions
internal/api/v1beta1connect/interfaces.go Updates GroupService and ProjectService interface method signatures for ListByUser to accept Principal instead of separate principalId/principalType parameters. API Layer Call Sites
internal/api/v1beta1connect/user.go, internal/api/v1beta1connect/serviceuser.go Updates all ListByUser call sites to pass composite authenticate.Principal object with ID and Type instead of separate string parameters. Affects ListUserGroups, ListCurrentUserGroups, ListProjectsByUser, and ListProjectsByCurrentUser handlers. API Tests
internal/api/v1beta1connect/user_test.go, internal/api/v1beta1connect/serviceuser_test.go Updates test expectations and mock setup to pass authenticate.Principal objects instead of raw user ID strings when calling ListByUser. Service Interface
core/invitation/service.go Updates GroupService interface definition and call site in Service.Accept to use Principal parameter instead of separate principalID/principalType strings. Mock Services
core/invitation/mocks/group_service.go, core/project/mocks/group_service.go, internal/api/v1beta1connect/mocks/group_service.go, internal/api/v1beta1connect/mocks/project_service.go Updates all ListByUser mock method signatures, type assertions, and call handlers to accept authenticate.Principal instead of separate string parameters. Updates Run/RunAndReturn signatures and internal dispatch logic.