Merge pull request #1266 from stokarenko/use-strong-parameters-for-pr…

…e-authorization Use strong parameters within pre-authorization
doorkeeper-gem · Jun 7, 2019 · 03b1437 · 03b1437
2 parents b21370d + d78c0b8
commit 03b1437
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,7 @@ User-visible changes worth mentioning.
 ## master
 
 - [#PR ID] Add your description here.
+- [#1266]: Use strong parameters within pre-authorization.
 - [#1264] Add :before_successful_authorization and :after_successful_authorization hooks in TokensController
 - [#1263]: Response properly when introspection fails and fix configurations's user guide.
 

diff --git a/app/controllers/doorkeeper/authorizations_controller.rb b/app/controllers/doorkeeper/authorizations_controller.rb
@@ -68,7 +68,12 @@ def redirect_or_render(auth)
     def pre_auth
       @pre_auth ||= OAuth::PreAuthorization.new(Doorkeeper.configuration,
                                                 server.client_via_uid,
-                                                params)
+                                                pre_auth_params)
+    end
+
+    def pre_auth_params
+      params.permit(:response_type, :redirect_uri, :scope, :state,
+                    :code_challenge, :code_challenge_method)
     end
 
     def authorization

diff --git a/spec/controllers/authorizations_controller_spec.rb b/spec/controllers/authorizations_controller_spec.rb
@@ -524,4 +524,17 @@ def translated_error_message(key)
       post :create
     end
   end
+
+  describe "strong parameters" do
+    it "ignores non-scalar scope parameter" do
+      get :new, params: {
+        client_id: client.uid,
+        response_type: "token",
+        redirect_uri: client.redirect_uri,
+        scope: { "0" => "profile" },
+      }
+
+      expect(response).to be_successful
+    end
+  end
 end