diff --git a/src/accesscontrol.js b/src/accesscontrol.js
index befaebc94..a7f985ac3 100644
--- a/src/accesscontrol.js
+++ b/src/accesscontrol.js
@@ -107,8 +107,11 @@ function hasScopes(authorizedScopes, requiredScopes) {
 return null;
 }
 
-function scopesForUser(user) {
- return user.admin ? exports.VALID_SCOPES : [ 'profile', 'apps:read' ];
+function scopesForUser(user, callback) {
+ assert.strictEqual(typeof user, 'object');
+ assert.strictEqual(typeof callback, 'function');
+
+ return callback(null, user.admin ? exports.VALID_SCOPES : [ 'profile', 'apps:read' ]);
 }
 
 function validateToken(accessToken, callback) {
@@ -123,12 +126,15 @@ function validateToken(accessToken, callback) {
 if (error && error.reason === UsersError.NOT_FOUND) return callback(null, null /* user */, 'Invalid Token'); // will end up as a 401
 if (error) return callback(error);
 
- const userScopes = scopesForUser(user);
- var authorizedScopes = intersectScopes(userScopes, token.scope.split(','));
- const skipPasswordVerification = token.clientId === 'cid-sdk' || token.clientId === 'cid-cli'; // these clients do not require password checks unlike UI
- var info = { authorizedScopes: authorizedScopes, skipPasswordVerification: skipPasswordVerification }; // ends up in req.authInfo
+ scopesForUser(user, function (error, userScopes) {
+ if (error) return callback(error);
 
- callback(null, user, info);
+ var authorizedScopes = intersectScopes(userScopes, token.scope.split(','));
+ const skipPasswordVerification = token.clientId === 'cid-sdk' || token.clientId === 'cid-cli'; // these clients do not require password checks unlike UI
+ var info = { authorizedScopes: authorizedScopes, skipPasswordVerification: skipPasswordVerification }; // ends up in req.authInfo
+
+ callback(null, user, info);
+ });
 });
 });
 }
diff --git a/src/clients.js b/src/clients.js
index a5bc66a34..46b191aad 100644
--- a/src/clients.js
+++ b/src/clients.js
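Review bot: The new guard `assert.strictEqual(typeof user, 'object')` in scopesForUser still admits `null`, because `typeof null === 'object'`, so a null user passes the assert and then throws a TypeError from `user.admin` instead of reporting through the callback; tighten it to `assert(user !== null && typeof user === 'object');`. The callback is also invoked synchronously, so any caller that assumes an asynchronous contract will have its continuation run inside the scopesForUser frame — a one-line note such as `// NOTE: currently calls back synchronously; callers must tolerate both` would make that explicit until the lookup becomes genuinely asynchronous. The admin grant hinges on the truthiness of `user.admin`; if that field can be absent or non-boolean, a strict `user.admin === true` check would be safer, though the field's type is not visible in this hunk.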
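Review bot: The inner callback `function (error, userScopes)` in validateToken reuses the name `error` that the enclosing user-lookup callback already binds and has just tested, so the nested `if (error) return callback(error);` reads as if it re-checked the outer error; renaming the parameter, e.g. `scopesForUser(user, function (scopesError, userScopes) {` with `if (scopesError) return callback(scopesError);`, keeps the two failure sources distinct and avoids a no-shadow lint. Since scopesForUser currently calls back synchronously, `callback(null, user, info)` now runs inside the scopesForUser call; nothing in the hunk depends on that, but a brief `// scopesForUser may call back synchronously` comment above the call would save the next reader a trace. validateToken's body begins before this hunk.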
@@ -257,21 +257,24 @@ function addTokenByUserId(clientId, userId, expiresAt, callback) {
 if (error && error.reason === UsersError.NOT_FOUND) return callback(new ClientsError(ClientsError.NOT_FOUND, 'No such user'));
 if (error) return callback(new ClientsError(ClientsError.INTERNAL_ERROR, error));
 
- const userScopes = accesscontrol.scopesForUser(user);
- var scope = accesscontrol.canonicalScopeString(result.scope);
- var authorizedScopes = accesscontrol.intersectScopes(userScopes, scope.split(','));
-
- var token = tokendb.generateToken();
-
- tokendb.add(token, userId, result.id, expiresAt, authorizedScopes.join(','), function (error) {
+ accesscontrol.scopesForUser(user, function (error, userScopes) {
 if (error) return callback(new ClientsError(ClientsError.INTERNAL_ERROR, error));
 
- callback(null, {
- accessToken: token,
- tokenScopes: authorizedScopes,
- identifier: userId,
- clientId: result.id,
- expires: expiresAt
+ var scope = accesscontrol.canonicalScopeString(result.scope);
+ var authorizedScopes = accesscontrol.intersectScopes(userScopes, scope.split(','));
+
+ var token = tokendb.generateToken();
+
+ tokendb.add(token, userId, result.id, expiresAt, authorizedScopes.join(','), function (error) {
+ if (error) return callback(new ClientsError(ClientsError.INTERNAL_ERROR, error));
+
+ callback(null, {
+ accessToken: token,
+ tokenScopes: authorizedScopes,
+ identifier: userId,
+ clientId: result.id,
+ expires: expiresAt
+ });
 });
 });
 });
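Review bot: After this change addTokenByUserId has three nested callbacks whose parameters are all named `error`, and each `if (error) return callback(new ClientsError(ClientsError.INTERNAL_ERROR, error));` line is textually identical, so a future edit can easily wrap or test the wrong one; naming the inner parameters distinctly, e.g. `function (scopesError, userScopes)` and `function (addError)`, makes the origin of each failure obvious at its check. The scope computation (`canonicalScopeString` then `intersectScopes`) and the `tokendb.generateToken()` call are moved into the new callback unchanged as far as the hunk shows, so the issued token's scopes are still the intersection of the user's scopes with the client's canonical scope string. addTokenByUserId starts before this hunk.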