esnure activity permissions are present in server tokens

with a warning

avoids case where custom server token permissions remove necessary permissions for posting activity updates

jupyterhub/tests/test_spawner.py

@@ -374,13 +374,13 @@ async def test_spawner_bad_api_token(app):
         (["self"], [], ["access:servers!server=USER/", "users:activity!user"]),
         (
             ["self"],
-            ["admin:groups", "users:activity!server"],
+            ["admin:groups", "read:servers!server"],
-            ["users:activity!server=USER/"],
+            ["users:activity!user", "read:servers!server=USER/"],
         ),
         (
-            ["self", "read:groups!group=x"],
+            ["self", "read:groups!group=x", "users:activity"],
-            ["admin:groups", "users:activity!user"],
+            ["admin:groups", "users:activity"],
-            ["read:groups!group=x", "read:groups:name!group=x", "users:activity!user"],
+            ["read:groups!group=x", "read:groups:name!group=x", "users:activity"],
         ),
     ],
 )

jupyterhub/user.py

@@ -693,6 +693,16 @@ class User:
             scope + server_filter if scope.endswith("!server") else scope
             for scope in requested_scopes
         }
+        # ensure activity scope is requested, since activity doesn't work without
+        activity_scope = "users:activity!user"
+        if not {activity_scope, "users:activity", "inherit"}.intersection(
+            requested_scopes
+        ):
+            self.log.warning(
+                f"Adding required scope {activity_scope} to server token, missing from Spawner.server_token_scopes. Please make sure to add it!"
+            )
+            requested_scopes |= {activity_scope}
+
         have_scopes = roles.roles_to_scopes(roles.get_roles_for(self.orm_user))
         have_scopes |= {"inherit"}
         jupyterhub_client = (