From 2d27da89d2815f20a06d61bf7d60ec302fb57776 Mon Sep 17 00:00:00 2001 From: Girish Ramakrishnan Date: Mon, 25 Apr 2016 10:21:55 -0700 Subject: [PATCH] validate individual scopes --- src/clients.js | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/clients.js b/src/clients.js index d80ebe4f9..4d14c5672 100644 --- a/src/clients.js +++ b/src/clients.js @@ -47,10 +47,13 @@ ClientsError.INVALID_CLIENT = 'Invalid client'; function validateScope(scope) { assert.strictEqual(typeof scope, 'string'); + var VALID_SCOPES = [ 'root', 'profile', 'users', 'apps', 'developer', 'settings' ]; + if (scope === '') return new ClientsError(ClientsError.INVALID_SCOPE); if (scope === '*') return null; - // TODO maybe validate all individual scopes if they exist + var allValid = scope.split(',').every(function (s) { return VALID_SCOPES.indexOf(s) !== -1; }); + if (!allValid) return new ClientsError(ClientsError.INVALID_SCOPE); return null; }
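Review bot: `VALID_SCOPES` is declared inside `validateScope`, so the allowlist is rebuilt on every call and is private to this check; if the code that enforces scopes on requests keeps its own list (not visible in this hunk), the two can drift and a scope could be accepted here that nothing enforces, or the reverse. Hoisting the same line, `var VALID_SCOPES = [ 'root', 'profile', 'users', 'apps', 'developer', 'settings' ];`, to module level next to the `ClientsError` constants and exporting it would give one source of truth. The `every` check compares each comma-separated token exactly, so `'apps, users'` (space after the comma) and a trailing comma are rejected, while duplicates such as `'apps,apps'` pass. That fail-closed behaviour is reasonable but deserves a comment such as `// scope: comma-separated exact names from VALID_SCOPES, no whitespace; '*' is only valid on its own`.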