Merge branch 'master' into web-origin

README.md

@@ -89,7 +89,7 @@ app.get('/dialog/authorize',
     Clients.findOne(clientID, function(err, client) {
       if (err) { return done(err); }
       if (!client) { return done(null, false); }
-      if (!client.redirectUri != redirectURI) { return done(null, false); }
+      if (client.redirectUri != redirectURI) { return done(null, false); }
       return done(null, client, client.redirectURI);
     });
   }),

lib/exchange/clientCredentials.js

@@ -84,6 +84,10 @@ module.exports = function(options, issue) {
       , scope = req.body.scope;
 
     if (scope) {
+      if (typeof scope !== 'string') {
+        return next(new TokenError('Invalid parameter: scope must be a string', 'invalid_request'));
+      }
+
       for (var i = 0, len = separators.length; i < len; i++) {
         var separated = scope.split(separators[i]);
         // only separate on the first matching separator.  this allows for a sort

lib/exchange/password.js

@@ -90,6 +90,10 @@ module.exports = function(options, issue) {
     if (!passwd) { return next(new TokenError('Missing required parameter: password', 'invalid_request')); }
 
     if (scope) {
+      if (typeof scope !== 'string') {
+        return next(new TokenError('Invalid parameter: scope must be a string', 'invalid_request'));
+      }
+
       for (var i = 0, len = separators.length; i < len; i++) {
         var separated = scope.split(separators[i]);
         // only separate on the first matching separator.  this allows for a sort

lib/exchange/refreshToken.js

@@ -85,6 +85,10 @@ module.exports = function(options, issue) {
     if (!refreshToken) { return next(new TokenError('Missing required parameter: refresh_token', 'invalid_request')); }
 
     if (scope) {
+      if (typeof scope !== 'string') {
+        return next(new TokenError('Invalid parameter: scope must be a string', 'invalid_request'));
+      }
+
       for (var i = 0, len = separators.length; i < len; i++) {
         var separated = scope.split(separators[i]);
         // only separate on the first matching separator.  this allows for a sort

package.json

@@ -1,6 +1,6 @@
 {
   "name": "oauth2orize",
-  "version": "1.8.0",
+  "version": "1.8.1",
   "description": "OAuth 2.0 authorization server toolkit for Node.js.",
   "keywords": [
     "oauth",

test/exchange/clientCredentials.test.js

@@ -429,6 +429,35 @@ describe('exchange.clientCredentials', function() {
       expect(err.message).to.equal('OAuth2orize requires body parsing. Did you forget app.use(express.bodyParser())?');
     });
   });
+
+  describe('handling a request where scope format is not string', function () {
+    var response, err;
+
+    before(function (done) {
+      function issue(client, done) {
+        return done(null, '.ignore')
+      }
+
+      chai.connect.use(clientCredentials(issue))
+        .req(function (req) {
+          req.user = { id: 'c123', name: 'Example' };
+          req.body = { scope: ['read', 'write'] };
+        })
+        .next(function (e) {
+          err = e;
+          done();
+        })
+        .dispatch();
+    });
+
+    it('should error', function () {
+      expect(err).to.be.an.instanceOf(Error);
+      expect(err.name).to.equal('TokenError');
+      expect(err.message).to.equal('Invalid parameter: scope must be a string');
+      expect(err.code).to.equal('invalid_request');
+      expect(err.status).to.equal(400);
+    });
+  });  
 
   describe('with scope separator option', function() {
     function issue(client, scope, done) {

test/exchange/password.test.js

@@ -506,6 +506,35 @@ describe('exchange.password', function() {
     });
   });
 
+  describe('handling a request where scope format is not string', function () {
+    var response, err;
+
+    before(function (done) {
+      function issue(client, username, passwd, done) {
+        return done(new Error('something is wrong'));
+      }
+
+      chai.connect.use(password(issue))
+        .req(function (req) {
+          req.user = { id: 'c123', name: 'Example' };
+          req.body = { username: 'bob', password: 'shh', scope: ['read', 'write'] };
+        })
+        .next(function (e) {
+          err = e;
+          done();
+        })
+        .dispatch();
+    });
+
+    it('should error', function () {
+      expect(err).to.be.an.instanceOf(Error);
+      expect(err.name).to.equal('TokenError');
+      expect(err.message).to.equal('Invalid parameter: scope must be a string');
+      expect(err.code).to.equal('invalid_request');
+      expect(err.status).to.equal(400);
+    });
+  });
+
   describe('with scope separator option', function() {
     describe('issuing an access token based on array of scopes', function() {
       function issue(client, username, passwd, scope, done) {

test/exchange/refreshToken.test.js

@@ -467,6 +467,35 @@ describe('exchange.refreshToken', function() {
       expect(err.message).to.equal('OAuth2orize requires body parsing. Did you forget app.use(express.bodyParser())?');
     });
   });
+
+  describe('handling a request where scope format is not string', function () {
+    var response, err;
+
+    before(function (done) {
+      function issue(client, refreshToken, done) {
+        return done(null, '.ignore')
+      }
+
+      chai.connect.use(refreshToken(issue))
+        .req(function (req) {
+          req.user = { id: 'c123', name: 'Example' };
+          req.body = { refresh_token: 'refreshing', scope: ['read', 'write'] };
+        })
+        .next(function (e) {
+          err = e;
+          done();
+        })
+        .dispatch();
+    });
+
+    it('should error', function () {
+      expect(err).to.be.an.instanceOf(Error);
+      expect(err.name).to.equal('TokenError');
+      expect(err.message).to.equal('Invalid parameter: scope must be a string');
+      expect(err.code).to.equal('invalid_request');
+      expect(err.status).to.equal(400);
+    });
+  });  
 
   describe('with scope separator option', function() {
     describe('issuing an access token based on array of scopes', function() {