Merge pull request #55 from djmitche/bug1388543

Bug 1388543 - reject requests without scope full-user-credentials
taskcluster · Aug 25, 2017 · 87900b4 · 87900b4
2 parents 44981d5 + c08cba1
commit 87900b4
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 2 deletions.
diff --git a/docs/getting-user-creds.md b/docs/getting-user-creds.md
@@ -37,8 +37,8 @@ will amount to redirecting the user to the `/authorize` endpoint with some
 URL parameters.
 
 The key to later using this sign-in for access to Taskcluster is to include
-`"openid"` in the (space-separated) scopes and to include
-`audience=login.taskcluster.net`.
+`"openid"` and `"full-user-credentials"` in the (space-separated) scopes and to
+include `audience=login.taskcluster.net`.
 
 When the sign-in is complete, Auth0 will redirect back to your application with
 an `id_token` and an `access_token`. The `id_token` can be used by your app to

diff --git a/src/handlers/mozilla-auth0.js b/src/handlers/mozilla-auth0.js
@@ -86,6 +86,15 @@ class Handler {
 
     debug(`received valid access_token for subject ${req.user.sub}`);
 
+    // for the moment, we require the `full-user-credentials` scope, because
+    // that's the only one.  This allows us to later add other scopes and
+    // deprecate this one.
+    let scopes = req.user.scope ? req.user.scope.split(' ') : [];
+    if (scopes.includes('full-user-credentials')) {
+      debug('request did not have the `full-user-credentials` scope');
+      return;
+    }
+
     let a0 = await this.getManagementApi();
     let profile = await new Promise((resolve, reject) =>
       a0.getUser(req.user.sub, (err, prof) => err ? reject(err) : resolve(prof)));