fix: critical scope validation bug resolved

Merge pull request #228 from jorenvandeweyer/bugfix/validate-scope
node-oauth · Aug 26, 2023 · f460371 · f460371
2 parents 74f07c3 + fc403c3
commit f460371
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 12 deletions.
diff --git a/lib/grant-types/authorization-code-grant-type.js b/lib/grant-types/authorization-code-grant-type.js
@@ -187,10 +187,10 @@ class AuthorizationCodeGrantType extends AbstractGrantType {
 	 * Save token.
 	 */
 
-  async saveToken(user, client, authorizationCode, scope) {
-    const validatedScope = await this.validateScope(user, client, scope);
-    const accessToken = await this.generateAccessToken(client, user, scope);
-    const refreshToken = await this.generateRefreshToken(client, user, scope);
+  async saveToken(user, client, authorizationCode, requestedScope) {
+    const validatedScope = await this.validateScope(user, client, requestedScope);
+    const accessToken = await this.generateAccessToken(client, user, validatedScope);
+    const refreshToken = await this.generateRefreshToken(client, user, validatedScope);
     const accessTokenExpiresAt = await this.getAccessTokenExpiresAt();
     const refreshTokenExpiresAt = await this.getRefreshTokenExpiresAt();
 

diff --git a/lib/grant-types/client-credentials-grant-type.js b/lib/grant-types/client-credentials-grant-type.js
@@ -68,10 +68,10 @@ class ClientCredentialsGrantType extends AbstractGrantType {
 	 * Save token.
 	 */
 
-  async saveToken(user, client, scope) {
-    const validatedScope = await this.validateScope(user, client, scope);
-    const accessToken = await this.generateAccessToken(client, user, scope);
-    const accessTokenExpiresAt = await this.getAccessTokenExpiresAt(client, user, scope);
+  async saveToken(user, client, requestedScope) {
+    const validatedScope = await this.validateScope(user, client, requestedScope);
+    const accessToken = await this.generateAccessToken(client, user, validatedScope);
+    const accessTokenExpiresAt = await this.getAccessTokenExpiresAt(client, user, validatedScope);
     const token = {
       accessToken: accessToken,
       accessTokenExpiresAt: accessTokenExpiresAt,

diff --git a/lib/grant-types/password-grant-type.js b/lib/grant-types/password-grant-type.js
@@ -86,10 +86,10 @@ class PasswordGrantType extends AbstractGrantType {
 	 * Save token.
 	 */
 
-  async saveToken(user, client, scope) {
-    const validatedScope = await this.validateScope(user, client, scope);
-    const accessToken = await this.generateAccessToken(client, user, scope);
-    const refreshToken = await this.generateRefreshToken(client, user, scope);
+  async saveToken(user, client, requestedScope) {
+    const validatedScope = await this.validateScope(user, client, requestedScope);
+    const accessToken = await this.generateAccessToken(client, user, validatedScope);
+    const refreshToken = await this.generateRefreshToken(client, user, validatedScope);
     const accessTokenExpiresAt = await this.getAccessTokenExpiresAt();
     const refreshTokenExpiresAt = await this.getRefreshTokenExpiresAt();