Check for sdk token instead of token type DEV

src/routes/oauth2.js

@@ -457,7 +457,7 @@ var token = [
 ];
 
 // tests if all requestedScopes are attached to the request
-function hasRequestedScopes(req, requestedScopes) {
+function validateRequestedScopes(req, requestedScopes) {
     assert.strictEqual(typeof req, 'object');
     assert(Array.isArray(requestedScopes));
 
@@ -494,7 +494,7 @@ function scope(requestedScope) {
     return [
         passport.authenticate(['bearer'], { session: false }),
         function (req, res, next) {
-            var error = hasRequestedScopes(req, requestedScopes);
+            var error = validateRequestedScopes(req, requestedScopes);
             if (error) return next(new HttpError(401, error.message));
 
             next();
@@ -526,7 +526,7 @@ exports = module.exports = {
     accountSetup: accountSetup,
     authorization: authorization,
     token: token,
-    hasRequestedScopes: hasRequestedScopes,
+    validateRequestedScopes: validateRequestedScopes,
     scope: scope,
     csrf: csrf
 };

src/routes/user.js

@@ -17,6 +17,7 @@ var assert = require('assert'),
     groups = require('../groups.js'),
     HttpError = require('connect-lastmile').HttpError,
     HttpSuccess = require('connect-lastmile').HttpSuccess,
+    oauth2 = require('./oauth2.js'),
     user = require('../user.js'),
     tokendb = require('../tokendb.js'),
     UserError = user.UserError,
@@ -135,8 +136,9 @@ function remove(req, res, next) {
 function verifyPassword(req, res, next) {
     assert.strictEqual(typeof req.body, 'object');
 
-    // developers are allowed through without password
-    if (req.user.tokenType === tokendb.TYPE_DEV) return next();
+    // using an 'sdk' token we skip password checks
+    var error = oauth2.validateRequestedScopes(req, ['sdk']);
+    if (!error) return next();
 
     if (typeof req.body.password !== 'string') return next(new HttpError(400, 'API call requires user password'));