From 698fba0d21b457be9778e6d7a73ddbb3b8ce2486 Mon Sep 17 00:00:00 2001
From: Rishabh Sairawat
Date: Tue, 24 Apr 2018 11:55:08 +0530
Subject: [PATCH] #1086: build scopes intersection in PreAuthorization for AuthorizationCode and Implicit flow

---
 lib/doorkeeper/oauth/pre_authorization.rb | 13 ++++++++++--
 .../requests/flows/authorization_code_spec.rb | 21 +++++++++++++++++++
 spec/requests/flows/implicit_grant_spec.rb | 21 +++++++++++++++++++
 3 files changed, 53 insertions(+), 2 deletions(-)

diff --git a/lib/doorkeeper/oauth/pre_authorization.rb b/lib/doorkeeper/oauth/pre_authorization.rb
index f6803c9b8..f5a0d5845 100644
--- a/lib/doorkeeper/oauth/pre_authorization.rb
+++ b/lib/doorkeeper/oauth/pre_authorization.rb
@@ -33,7 +33,7 @@ def scopes
     end
 
     def scope
-      @scope.presence || server.default_scopes.to_s
+      @scope.presence || build_scopes
     end
 
     def error_response
@@ -54,6 +54,15 @@ def as_json(_options)
 
     private
 
+    def build_scopes
+      client_scopes = client.application.scopes
+      if client_scopes.blank?
+        server.default_scopes.to_s
+      else
+        (server.default_scopes & client_scopes).to_s
+      end
+    end
+
     def validate_response_type
       server.authorization_response_types.include? response_type
     end
@@ -63,7 +72,7 @@ def validate_client
     end
 
     def validate_scopes
-      return true if scope.blank?
+      return true if scope.blank? && client.application.scopes.blank?
 
       Helpers::ScopeChecker.valid?(
         scope,
diff --git a/spec/requests/flows/authorization_code_spec.rb b/spec/requests/flows/authorization_code_spec.rb
index a2fdd5782..9f6c503e7 100644
--- a/spec/requests/flows/authorization_code_spec.rb
+++ b/spec/requests/flows/authorization_code_spec.rb
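Review bot: In the `build_scopes` hunk the new method dereferences `client.application` with no guard, so `scope` now only works once `validate_client` has passed; `as_json` exposes `scope` (the second hunk header shows it), and if any error-rendering path evaluates `scope` for an unknown client_id, the request would fail with a NoMethodError on nil rather than the expected invalid_client error — worth confirming the call order, since the pre-existing `validate_scopes` already dereferenced the same chain only after client validation. The same `client.application.scopes` lookup is now repeated in `validate_scopes` and on every call to `scope`, so I would memoize it once, e.g. `def client_scopes; @client_scopes ||= client && client.application.scopes; end`, and have both methods use it. The intersection itself is the right least-privilege move: a client whose allowed scopes are narrower than the server defaults no longer silently receives defaults outside its grant, and an empty intersection yields `""`, which the new `validate_scopes` condition no longer short-circuits to true — the spec asserts this ends in an error, presumably via ScopeChecker rejecting a blank scope string. Note also that `client_scopes.blank?` relies on the scopes object responding to `empty?`; please confirm `OAuth::Scopes` delegates it, otherwise `blank?` is always false and the intersection branch runs for scope-less applications too. A header comment would help the next reader: `# With no scope param, fall back to the server defaults narrowed to what this client may hold; an empty intersection yields "" and is meant to be rejected by validate_scopes.`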
@@ -275,6 +275,27 @@
       end
     end
 
+    context 'when application scopes are present and no scope is passed' do
+      background do
+        @client.update_attributes(scopes: 'public write read')
+      end
+
+      scenario 'it displays error if application scopes are different from default scopes' do
+        default_scopes_exist :admin
+        visit authorization_endpoint_url(client: @client)
+        access_grant_should_not_exist
+        expect(page).to have_content 'An error has occurred'
+      end
+
+      scenario 'access grant have scopes which are common in application scopees and default scopes' do
+        default_scopes_exist :public, :write
+        visit authorization_endpoint_url(client: @client)
+        click_on 'Authorize'
+        access_grant_should_exist_for(@client, @resource_owner)
+        access_grant_should_have_scopes :public, :write
+      end
+    end
+
     context 'with scopes' do
       background do
         default_scopes_exist :public
diff --git a/spec/requests/flows/implicit_grant_spec.rb b/spec/requests/flows/implicit_grant_spec.rb
index 41add8aa8..93f5f074c 100644
--- a/spec/requests/flows/implicit_grant_spec.rb
+++ b/spec/requests/flows/implicit_grant_spec.rb
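Review bot: The error scenario only asserts the generic `'An error has occurred'` text, so it would also pass if the authorization failed for an unrelated reason (bad redirect URI, unsupported response type) rather than because the scope intersection is empty; asserting the invalid_scope message — `expect(page).to have_content I18n.t('doorkeeper.errors.messages.invalid_scope')`, if that key matches the gem's locale file, or whichever translated-error helper the suite already uses — would pin the behavior this commit introduces. The second scenario title has typos and a grammar slip; I would rename it `scenario 'access grant has the scopes common to application scopes and default scopes' do`.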
@@ -17,6 +17,27 @@
     i_should_be_on_client_callback @client
   end
 
+
+  context 'when application scopes are present and no scope is passed' do
+    background do
+      @client.update_attributes(scopes: 'public write read')
+    end
+
+    scenario 'it displays error if application scopes are different from default scopes' do
+      default_scopes_exist :admin
+      visit authorization_endpoint_url(client: @client, response_type: 'token')
+      access_token_should_not_exist
+      expect(page).to have_content 'An error has occurred'
+    end
+
+    scenario 'access grant have scopes which are common in application scopees and default scopes' do
+      default_scopes_exist :public, :write
+      visit authorization_endpoint_url(client: @client, response_type: 'token')
+      click_on 'Authorize'
+      access_token_should_exist_for @client, @resource_owner
+      access_token_should_have_scopes :public, :write
+    end
+  end
 end
 
 describe 'Implicit Grant Flow (request spec)' do
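Review bot: The second scenario is titled "access grant have scopes …" but the implicit flow issues no authorization code — the assertions check `access_token_should_exist_for` and `access_token_should_have_scopes` — so the name misdescribes what is verified and carries the same typos as the authorization-code spec; `scenario 'access token has the scopes common to application scopes and default scopes' do` would match the assertions. As in the sibling spec, the error scenario's `'An error has occurred'` check does not distinguish an invalid_scope failure from any other authorization error, so asserting the specific translated message would make the test meaningful. The leading added `+` blank line appears to follow an existing blank after the previous `end`, leaving two consecutive empty lines in the feature block.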