diff --git a/src/accesscontrol.js b/src/accesscontrol.js
index 4f046ce3b..9ff4e0608 100644
--- a/src/accesscontrol.js
+++ b/src/accesscontrol.js
@@ -19,7 +19,7 @@ exports = module.exports = {
     accessTokenAuth: accessTokenAuth,
     validateScope: validateScope,
-    validateRequestedScopes: validateRequestedScopes,
+    hasScopes: hasScopes,
     intersectScope: intersectScope,
     canonicalScope: canonicalScope
 };
@@ -170,10 +170,10 @@ function validateScope(scope) {
     return null;
 }
 
-// tests if all requestedScopes are attached to the request
-function validateRequestedScopes(authInfo, requestedScopes) {
+// tests if all requiredScopes are attached to the request
+function hasScopes(authInfo, requiredScopes) {
     assert.strictEqual(typeof authInfo, 'object');
-    assert(Array.isArray(requestedScopes));
+    assert(Array.isArray(requiredScopes), 'Expecting array');
 
     if (!authInfo || !authInfo.scope) return new Error('No scope found');
 
@@ -181,10 +181,10 @@ function validateRequestedScopes(authInfo, requestedScopes) {
 
     if (scopes.indexOf(exports.SCOPE_ANY) !== -1) return null;
 
-    for (var i = 0; i < requestedScopes.length; ++i) {
-        if (scopes.indexOf(requestedScopes[i]) === -1) {
-            debug('scope: missing scope "%s".', requestedScopes[i]);
-            return new Error('Missing required scope "' + requestedScopes[i] + '"');
+    for (var i = 0; i < requiredScopes.length; ++i) {
+        if (scopes.indexOf(requiredScopes[i]) === -1) {
+            debug('scope: missing scope "%s".', requiredScopes[i]);
+            return new Error('Missing required scope "' + requiredScopes[i] + '"');
         }
     }
 
diff --git a/src/routes/accesscontrol.js b/src/routes/accesscontrol.js
index b86d80683..a90d4e133 100644
--- a/src/routes/accesscontrol.js
+++ b/src/routes/accesscontrol.js
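Review bot: The new name `hasScopes` reads as a boolean predicate, but the function keeps the old contract of returning `null` on success and an `Error` on failure, so a future `if (hasScopes(...))` at a call site would be inverted; the renamed comment should state the contract instead of restating the name. Suggest replacing it with `// returns null if all requiredScopes are attached to the request, otherwise an Error (no scope on the token, or the first required scope that is missing)`. It is also worth a one-line comment that `assert.strictEqual(typeof authInfo, 'object')` deliberately admits `null` (typeof null is 'object'), since the routes pass `req.authInfo || null` and rely on the following `!authInfo` check rather than the assert, so nobody "tightens" the assert later. The function body continues in the following hunk.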
@@ -19,16 +19,16 @@ var accesscontrol = require('../accesscontrol.js'),
 // See server.js:
 //     var profileScope = routes.oauth2.scope('profile');
 //
-function scope(requestedScope) {
-    assert.strictEqual(typeof requestedScope, 'string');
+function scope(requiredScope) {
+    assert.strictEqual(typeof requiredScope, 'string');
 
-    var requestedScopes = requestedScope.split(',');
+    var requiredScopes = requiredScope.split(',');
 
     return [
         passport.authenticate(['bearer'], { session: false }),
         function (req, res, next) {
-            var error = accesscontrol.validateRequestedScopes(req.authInfo || null, requestedScopes);
+            var error = accesscontrol.hasScopes(req.authInfo || null, requiredScopes);
             if (error) return next(new HttpError(403, error.message));
 
             next();
@@ -36,8 +36,8 @@ function scope(requestedScope) {
     ];
 }
 
-function websocketAuth(requestedScopes, req, res, next) {
-    assert(Array.isArray(requestedScopes));
+function websocketAuth(requiredScopes, req, res, next) {
+    assert(Array.isArray(requiredScopes));
 
     if (typeof req.query.access_token !== 'string') return next(new HttpError(401, 'Unauthorized'));
 
@@ -48,7 +48,7 @@ function websocketAuth(requestedScopes, req, res, next) {
     req.user = user;
     req.authInfo = info;
 
-    var e = accesscontrol.validateRequestedScopes(req.authInfo, requestedScopes);
+    var e = accesscontrol.hasScopes(req.authInfo, requiredScopes);
     if (e) return next(new HttpError(401, e.message));
 
     next();
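Review bot: `requiredScope.split(',')` keeps surrounding whitespace and empty entries, so a route declared as `scope('profile, apps')` (constructed example) would require the literal scope `' apps'`, which no token can carry, and the route would answer 403 to every caller; because these strings are developer-supplied at route registration, a check at declaration time catches the typo where it is made. Suggest adding after the split: `assert(requiredScopes.every(function (s) { return s !== '' && s === s.trim(); }), 'Malformed scope list');`. hasScopes fails closed on such an entry, so this is a usability rather than a bypass concern.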
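Review bot: The HTTP middleware in `scope()` maps a `hasScopes` error to 403, while the websocket path here maps the same error to 401 on the context line `if (e) return next(new HttpError(401, e.message));`. By this point the access token has already been resolved to `req.user`, so a missing scope is an authorization failure rather than an authentication one, and 403 would be consistent with the HTTP path and let clients tell "obtain a token" apart from "this token is not allowed". If 401 is deliberate for websockets, a short comment stating why would stop the next reader from "fixing" it. websocketAuth begins outside this hunk.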
@@ -44,6 +44,18 @@ describe('access control', function () {
         it('everything is different', function () {
             expect(accesscontrol.intersectScope('cloudron,domains', 'clients,apps')).to.be('');
         });
+    });
+
+    describe('hasScopes', function () {
+        it('succeeds if it contains the scope', function () {
+            expect(accesscontrol.hasScopes({ scope: 'apps' }, [ 'apps' ])).to.be(null);
+            expect(accesscontrol.hasScopes({ scope: 'apps,mail' }, [ 'mail' ])).to.be(null);
+            expect(accesscontrol.hasScopes({ scope: 'clients,*,apps,mail' }, [ 'mail' ])).to.be(null);
+        });
+
+        it('fails if it does not contain the scope', function () {
+            expect(accesscontrol.hasScopes({ scope: 'apps' }, [ 'mail' ])).to.be.an(Error);
+            expect(accesscontrol.hasScopes({ scope: 'apps,mail' }, [ 'clients' ])).to.be.an(Error);
+        });
     });
 });
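Review bot: The new `hasScopes` tests cover the granted, wildcard and missing cases but leave two branches of the function untested: `authInfo` being `null` or lacking a `scope` property, which should yield the 'No scope found' Error, and an empty `requiredScopes` array, which should yield `null`. Suggest adding `expect(accesscontrol.hasScopes(null, [ 'apps' ])).to.be.an(Error);` and `expect(accesscontrol.hasScopes({}, [ 'apps' ])).to.be.an(Error);` to the failing case and `expect(accesscontrol.hasScopes({ scope: 'apps' }, [])).to.be(null);` to the succeeding case. Asserting on `.message` for the missing-scope case would also pin the text that the routes forward to clients.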