Skip to content

Commit

Permalink
fixed critical scope validation bug for 4.x
Browse files Browse the repository at this point in the history
  • Loading branch information
jorenvandeweyer committed Aug 26, 2023
1 parent 5e4f552 commit d2086b0
Show file tree
Hide file tree
Showing 4 changed files with 75 additions and 66 deletions.
12 changes: 6 additions & 6 deletions lib/grant-types/abstract-grant-type.js
Original file line number Diff line number Diff line change
Expand Up @@ -93,18 +93,18 @@ AbstractGrantType.prototype.getScope = function(request) {
/**
* Validate requested scope.
*/
AbstractGrantType.prototype.validateScope = function(user, client, scope) {
AbstractGrantType.prototype.validateScope = function(user, client, requestedScoped) {
if (this.model.validateScope) {
return promisify(this.model.validateScope, 3).call(this.model, user, client, scope)
.then(function (scope) {
if (!scope) {
return promisify(this.model.validateScope, 3).call(this.model, user, client, requestedScoped)
.then(function (validatedScope) {
if (!validatedScope) {
throw new InvalidScopeError('Invalid scope: Requested scope is invalid');
}

return scope;
return validatedScope;
});
} else {
return scope;
return requestedScoped;
}
};

Expand Down
47 changes: 25 additions & 22 deletions lib/grant-types/authorization-code-grant-type.js
Original file line number Diff line number Diff line change
Expand Up @@ -205,28 +205,31 @@ AuthorizationCodeGrantType.prototype.revokeAuthorizationCode = function(code) {
* Save token.
*/

AuthorizationCodeGrantType.prototype.saveToken = function(user, client, authorizationCode, scope) {
const fns = [
this.validateScope(user, client, scope),
this.generateAccessToken(client, user, scope),
this.generateRefreshToken(client, user, scope),
this.getAccessTokenExpiresAt(),
this.getRefreshTokenExpiresAt()
];

return Promise.all(fns)
.bind(this)
.spread(function(scope, accessToken, refreshToken, accessTokenExpiresAt, refreshTokenExpiresAt) {
const token = {
accessToken: accessToken,
authorizationCode: authorizationCode,
accessTokenExpiresAt: accessTokenExpiresAt,
refreshToken: refreshToken,
refreshTokenExpiresAt: refreshTokenExpiresAt,
scope: scope
};

return promisify(this.model.saveToken, 3).call(this.model, token, client, user);
AuthorizationCodeGrantType.prototype.saveToken = function(user, client, authorizationCode, requestedScope) {
return Promise.bind(this)
.then(function() {
return this.validateScope(user, client, requestedScope);
})
.then(function(validatedScoped) {
return Promise.all([
this.generateAccessToken(client, user, validatedScoped),
this.generateRefreshToken(client, user, validatedScoped),
this.getAccessTokenExpiresAt(),
this.getRefreshTokenExpiresAt()
])
.bind(this)
.spread(function(accessToken, refreshToken, accessTokenExpiresAt, refreshTokenExpiresAt) {
const token = {
accessToken: accessToken,
authorizationCode: authorizationCode,
accessTokenExpiresAt: accessTokenExpiresAt,
refreshToken: refreshToken,
refreshTokenExpiresAt: refreshTokenExpiresAt,
scope: validatedScoped
};

return promisify(this.model.saveToken, 3).call(this.model, token, client, user);
});
});
};

Expand Down
37 changes: 20 additions & 17 deletions lib/grant-types/client-credentials-grant-type.js
Original file line number Diff line number Diff line change
Expand Up @@ -84,23 +84,26 @@ ClientCredentialsGrantType.prototype.getUserFromClient = function(client) {
* Save token.
*/

ClientCredentialsGrantType.prototype.saveToken = function(user, client, scope) {
const fns = [
this.validateScope(user, client, scope),
this.generateAccessToken(client, user, scope),
this.getAccessTokenExpiresAt(client, user, scope)
];

return Promise.all(fns)
.bind(this)
.spread(function(scope, accessToken, accessTokenExpiresAt) {
const token = {
accessToken: accessToken,
accessTokenExpiresAt: accessTokenExpiresAt,
scope: scope
};

return promisify(this.model.saveToken, 3).call(this.model, token, client, user);
ClientCredentialsGrantType.prototype.saveToken = function(user, client, requestedScope) {
return Promise.bind(this)
.then(function() {
return this.validateScope(user, client, requestedScope);
})
.then(function(validatedScope) {
return Promise.all([
this.generateAccessToken(client, user, validatedScope),
this.getAccessTokenExpiresAt(client, user, validatedScope)
])
.bind(this)
.spread(function(accessToken, accessTokenExpiresAt) {
const token = {
accessToken: accessToken,
accessTokenExpiresAt: accessTokenExpiresAt,
scope: validatedScope
};

return promisify(this.model.saveToken, 3).call(this.model, token, client, user);
});
});
};

Expand Down
45 changes: 24 additions & 21 deletions lib/grant-types/password-grant-type.js
Original file line number Diff line number Diff line change
Expand Up @@ -102,27 +102,30 @@ PasswordGrantType.prototype.getUser = function(request) {
* Save token.
*/

PasswordGrantType.prototype.saveToken = function(user, client, scope) {
const fns = [
this.validateScope(user, client, scope),
this.generateAccessToken(client, user, scope),
this.generateRefreshToken(client, user, scope),
this.getAccessTokenExpiresAt(),
this.getRefreshTokenExpiresAt()
];

return Promise.all(fns)
.bind(this)
.spread(function(scope, accessToken, refreshToken, accessTokenExpiresAt, refreshTokenExpiresAt) {
const token = {
accessToken: accessToken,
accessTokenExpiresAt: accessTokenExpiresAt,
refreshToken: refreshToken,
refreshTokenExpiresAt: refreshTokenExpiresAt,
scope: scope
};

return promisify(this.model.saveToken, 3).call(this.model, token, client, user);
PasswordGrantType.prototype.saveToken = function(user, client, requestedScope) {
return Promise.bind(this)
.then(function () {
return this.validateScope(user, client,requestedScope);
})
.then(function(validatedScope) {
return Promise.all([
this.generateAccessToken(client, user, validatedScope),
this.generateRefreshToken(client, user, validatedScope),
this.getAccessTokenExpiresAt(),
this.getRefreshTokenExpiresAt()
])
.bind(this)
.spread(function(accessToken, refreshToken, accessTokenExpiresAt, refreshTokenExpiresAt) {
const token = {
accessToken: accessToken,
accessTokenExpiresAt: accessTokenExpiresAt,
refreshToken: refreshToken,
refreshTokenExpiresAt: refreshTokenExpiresAt,
scope: validatedScope
};

return promisify(this.model.saveToken, 3).call(this.model, token, client, user);
});
});
};

Expand Down

0 comments on commit d2086b0

Please sign in to comment.