#1086: build scopes intersection in PreAuthorization for Authorizatio…

…nCode and Implicit flow
doorkeeper-gem · Apr 24, 2018 · 698fba0 · 698fba0
1 parent 976b235
commit 698fba0
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 2 deletions.
diff --git a/lib/doorkeeper/oauth/pre_authorization.rb b/lib/doorkeeper/oauth/pre_authorization.rb
@@ -33,7 +33,7 @@ def scopes
       end
 
       def scope
-        @scope.presence || server.default_scopes.to_s
+        @scope.presence || build_scopes
       end
 
       def error_response
@@ -54,6 +54,15 @@ def as_json(_options)
 
       private
 
+      def build_scopes
+        client_scopes = client.application.scopes
+        if client_scopes.blank?
+          server.default_scopes.to_s
+        else
+          (server.default_scopes & client_scopes).to_s
+        end
+      end
+
       def validate_response_type
         server.authorization_response_types.include? response_type
       end
@@ -63,7 +72,7 @@ def validate_client
       end
 
       def validate_scopes
-        return true if scope.blank?
+        return true if scope.blank? && client.application.scopes.blank?
 
         Helpers::ScopeChecker.valid?(
           scope,

diff --git a/spec/requests/flows/authorization_code_spec.rb b/spec/requests/flows/authorization_code_spec.rb
@@ -275,6 +275,27 @@
     end
   end
 
+  context 'when application scopes are present and no scope is passed' do
+    background do
+      @client.update_attributes(scopes: 'public write read')
+    end
+
+    scenario 'it displays error if application scopes are different from default scopes' do
+      default_scopes_exist :admin
+      visit authorization_endpoint_url(client: @client)
+      access_grant_should_not_exist
+      expect(page).to have_content 'An error has occurred'
+    end
+
+    scenario 'access grant have scopes which are common in application scopees and default scopes' do
+      default_scopes_exist :public, :write
+      visit authorization_endpoint_url(client: @client)
+      click_on 'Authorize'
+      access_grant_should_exist_for(@client, @resource_owner)
+      access_grant_should_have_scopes :public, :write
+    end
+  end
+
   context 'with scopes' do
     background do
       default_scopes_exist :public

diff --git a/spec/requests/flows/implicit_grant_spec.rb b/spec/requests/flows/implicit_grant_spec.rb
@@ -17,6 +17,27 @@
 
     i_should_be_on_client_callback @client
   end
+
+  context 'when application scopes are present and no scope is passed' do
+    background do
+      @client.update_attributes(scopes: 'public write read')
+    end
+
+    scenario 'it displays error if application scopes are different from default scopes' do
+      default_scopes_exist :admin
+      visit authorization_endpoint_url(client: @client, response_type: 'token')
+      access_token_should_not_exist
+      expect(page).to have_content 'An error has occurred'
+    end
+
+    scenario 'access grant have scopes which are common in application scopees and default scopes' do
+      default_scopes_exist :public, :write
+      visit authorization_endpoint_url(client: @client, response_type: 'token')
+      click_on 'Authorize'
+      access_token_should_exist_for @client, @resource_owner
+      access_token_should_have_scopes :public, :write
+    end
+  end
 end
 
 describe 'Implicit Grant Flow (request spec)' do