logto-io · wangsijie · May 9, 2024 · May 5, 2024
@@ -59,7 +59,7 @@ describe('consent', () => {
 
   it('should update with new grantId if not exist', async () => {
     const provider = createMockProvider(jest.fn().mockResolvedValue(baseInteractionDetails), Grant);
-    await consent(context, provider, queries, baseInteractionDetails);
+    await consent({ ctx: context, provider, queries, interactionDetails: baseInteractionDetails });
 
     expect(grantSave).toHaveBeenCalled();
 
@@ -85,7 +85,7 @@ describe('consent', () => {
 
     const provider = createMockProvider(jest.fn().mockResolvedValue(interactionDetails), Grant);
 
-    await consent(context, provider, queries, interactionDetails);
+    await consent({ ctx: context, provider, queries, interactionDetails });
 
     expect(grantSave).toHaveBeenCalled();
 
@@ -109,29 +109,26 @@ describe('consent', () => {
     }));
 
     const provider = createMockProvider(jest.fn().mockResolvedValue(baseInteractionDetails), Grant);
-    await consent(context, provider, queries, baseInteractionDetails);
+    await consent({ ctx: context, provider, queries, interactionDetails: baseInteractionDetails });
 
     expect(userQueries.updateUserById).toHaveBeenCalledWith(mockUser.id, {
       applicationId: baseInteractionDetails.params.client_id,
     });
   });
 
   it('should grant missing scopes', async () => {
-    const interactionDetails = {
-      ...baseInteractionDetails,
-      prompt: {
-        details: {
-          missingOIDCScope: ['openid', 'profile'],
-          missingResourceScopes: {
-            resource1: ['resource1_scope1', 'resource1_scope2'],
-            resource2: ['resource2_scope1'],
-          },
-        },
+    const provider = createMockProvider(jest.fn().mockResolvedValue(baseInteractionDetails), Grant);
+    await consent({
+      ctx: context,
+      provider,
+      queries,
+      interactionDetails: baseInteractionDetails,
+      missingOIDCScopes: ['openid', 'profile'],
+      resourceScopesToGrant: {
+        resource1: ['resource1_scope1', 'resource1_scope2'],
+        resource2: ['resource2_scope1'],
       },
-    } as unknown as Interaction;
-
-    const provider = createMockProvider(jest.fn().mockResolvedValue(interactionDetails), Grant);
-    await consent(context, provider, queries, interactionDetails);
+    });
 
     expect(grantAddOIDCScope).toHaveBeenCalledWith('openid profile');
     expect(grantAddResourceScope).toHaveBeenCalledWith(

@@ -68,17 +68,27 @@
   return missingScopesGuard.parse(prompt.details);
 };
 
-export const consent = async (
-  ctx: Context,
-  provider: Provider,
-  queries: Queries,
-  interactionDetails: Awaited<ReturnType<Provider['interactionDetails']>>
-) => {
+export const consent = async ({
+  ctx,
+  provider,
+  queries,
+  interactionDetails,
+  missingOIDCScopes = [],
+  resourceScopesToGrant = {},
+  resourceScopesToReject = {},
+}: {
+  ctx: Context;
+  provider: Provider;
+  queries: Queries;
+  interactionDetails: Awaited<ReturnType<Provider['interactionDetails']>>;
+  missingOIDCScopes?: string[];
+  resourceScopesToGrant?: Record<string, string[]>;
+  resourceScopesToReject?: Record<string, string[]>;
+}) => {
   const {
     session,
     grantId,
     params: { client_id },
-    prompt,
   } = interactionDetails;
 
   assertThat(session, 'session.not_found');
@@ -91,17 +101,17 @@
 
   await saveUserFirstConsentedAppId(queries, accountId, String(client_id));
 
-  const { missingOIDCScope, missingResourceScopes } = getMissingScopes(prompt);
-
   // Fulfill missing scopes
-  if (missingOIDCScope) {
-    grant.addOIDCScope(missingOIDCScope.join(' '));
+  if (missingOIDCScopes.length > 0) {
+    grant.addOIDCScope(missingOIDCScopes.join(' '));
   }
 
-  if (missingResourceScopes) {
-    for (const [indicator, scope] of Object.entries(missingResourceScopes)) {
-      grant.addResourceScope(indicator, scope.join(' '));
-    }
+  for (const [indicator, scope] of Object.entries(resourceScopesToGrant)) {
+    grant.addResourceScope(indicator, scope.join(' '));
+  }
+
+  for (const [indicator, scope] of Object.entries(resourceScopesToReject)) {
+    grant.rejectResourceScope(indicator, scope.join(' '));
   }
 
   const finalGrantId = await grant.save();

@@ -4,7 +4,7 @@
 import type Provider from 'oidc-provider';
 import { errors } from 'oidc-provider';
 
-import { consent } from '#src/libraries/session.js';
+import { consent, getMissingScopes } from '#src/libraries/session.js';
 import type Queries from '#src/tenants/Queries.js';
 import assertThat from '#src/utils/assert-that.js';
 
@@ -18,7 +18,10 @@
 ): MiddlewareType<StateT, ContextT, ResponseBodyT> {
   return async (ctx, next) => {
     const interactionDetails = await provider.interactionDetails(ctx.req, ctx.res);
-    const { client_id: clientId } = interactionDetails.params;
+    const {
+      params: { client_id: clientId },
+      prompt,
+    } = interactionDetails;
 
     const {
       applications: { findApplicationById },
@@ -36,7 +39,17 @@
     const shouldAutoConsent = !application?.isThirdParty;
 
     if (shouldAutoConsent) {
-      const redirectTo = await consent(ctx, provider, query, interactionDetails);
+      const { missingOIDCScope: missingOIDCScopes, missingResourceScopes: resourceScopesToGrant } =
+        getMissingScopes(prompt);
+
+      const redirectTo = await consent({
+        ctx,
+        provider,
+        queries: query,
+        interactionDetails,
+        missingOIDCScopes,
+        resourceScopesToGrant,
+      });
 
       ctx.redirect(redirectTo);
       return;