From 9d8a803185edc86e43c5a63b364c2db6c4ecc09a Mon Sep 17 00:00:00 2001
From: Johannes Zellner
Date: Fri, 3 Jun 2016 11:09:48 +0200
Subject: [PATCH] Handle scope roles in scope checks
---
 src/routes/oauth2.js | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/routes/oauth2.js b/src/routes/oauth2.js
index d92b3203c..9755d3898 100644
--- a/src/routes/oauth2.js
+++ b/src/routes/oauth2.js
@@ -5,6 +5,7 @@ var appdb = require('../appdb'),
 assert = require('assert'),
 authcodedb = require('../authcodedb'),
 clientdb = require('../clientdb'),
+ clients = require('../clients'),
 config = require('../config.js'),
 constants = require('../constants.js'),
 DatabaseError = require('../databaseerror'),
@@ -462,10 +463,16 @@ function validateRequestedScopes(req, requestedScopes) {
 assert(Array.isArray(requestedScopes));
 if (!req.authInfo || !req.authInfo.scope) return new Error('No scope found');
- if (req.authInfo.scope === '*') return null;
 var scopes = req.authInfo.scope.split(',');
+ // check for roles separately
+ if (requestedScopes.indexOf(clients.SCOPE_ROLE_SDK) !== -1 && scopes.indexOf(clients.SCOPE_ROLE_SDK) === -1) {
+ return new Error('Missing required scope role "' + clients.SCOPE_ROLE_SDK + '"');
+ }
+
+ if (scopes.indexOf('*') !== -1) return null;
+
 for (var i = 0; i < requestedScopes.length; ++i) {
 if (scopes.indexOf(requestedScopes[i]) === -1) {
 debug('scope: missing scope "%s".', requestedScopes[i]);
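Review bot: The wildcard test `if (scopes.indexOf('*') !== -1) return null;` in the second hunk widens the removed exact-match `req.authInfo.scope === '*'`: a scope string such as `profile,*` now satisfies every non-role scope, whereas before only a bare `*` did. Whether the token issuer can ever produce such a mixed list is not visible here; if the widening is intentional, a comment above that line such as `// '*' anywhere in the list grants every scope except the role scopes checked above` would record the new contract, and a test for the `profile,*` case would pin it. The role carve-out is hard-coded to `clients.SCOPE_ROLE_SDK`, so any other role scope introduced later would still be granted by `*` unless it is also special-cased here; iterating over a list of role scopes owned by `clients` would keep that check from drifting. `validateRequestedScopes` begins before the hunk and its loop continues past the last context line.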