Use #scopes to work with original/default scopes

#1002: validate scopes based on the request or default server scopes.
doorkeeper-gem · Apr 20, 2018 · b5bf40e · b5bf40e
1 parent fe47522
commit b5bf40e
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 5 deletions.
diff --git a/lib/doorkeeper/oauth/password_access_token_request.rb b/lib/doorkeeper/oauth/password_access_token_request.rb
@@ -30,7 +30,7 @@ def validate_scopes
         application_scopes = client.try(:scopes)
         return true if @original_scopes.blank? && application_scopes.blank?
 
-        ScopeChecker.valid? @original_scopes, server.scopes, application_scopes
+        ScopeChecker.valid?(scopes.to_s, server.scopes, application_scopes)
       end
 
       def validate_resource_owner

diff --git a/spec/requests/flows/password_spec.rb b/spec/requests/flows/password_spec.rb
@@ -140,7 +140,7 @@
     end
   end
 
-  context 'when application scope is present and no scope is passed' do
+  context 'when application scopes are present and differs from configured default scopes and no scope is passed' do
     before do
       default_scopes_exist :public
       @client.update_attributes(scopes: 'abc')
@@ -167,12 +167,12 @@
 
   context 'when application scopes contain some of the default scopes and no scope is passed' do
     before do
-      default_scopes_exist :public
       @client.update_attributes(scopes: 'read write public')
     end
 
-    it 'should issue new token with default scopes that are present in application scopes' do
-      skip 'this is a failing test case for issue #1002: remove this line once fixed'
+    it 'should issue new token with one default scope that are present in application scopes' do
+      default_scopes_exist :public
+
       expect do
         post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
       end.to change { Doorkeeper::AccessToken.count }.by(1)
@@ -183,6 +183,20 @@
       should_have_json 'access_token', token.token
       should_have_json 'scope', 'public'
     end
+
+    it 'should issue new token with multiple default scopes that are present in application scopes' do
+      default_scopes_exist :public, :read
+
+      expect do
+        post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
+      end.to change { Doorkeeper::AccessToken.count }.by(1)
+
+      token = Doorkeeper::AccessToken.first
+
+      expect(token.application_id).to eq @client.id
+      should_have_json 'access_token', token.token
+      should_have_json 'scope', 'public read'
+    end
   end
 
   context 'with invalid scopes' do