Use OAuth scope attached to the token to proceed

passport attaches the scope to req.authInfo, where we can pick it
up in other middlewares for verification
Johannes Zellner
2014-09-10 13:14:46 -07:00
parent d927a5b086
commit fbd658bf66
+2 -1
@@ -120,7 +120,8 @@ passport.use(new BearerStrategy(function (accessToken, callback) {
if (error) return callback(error);
// scopes here can define what capabilities that token carries
var info = { scope: '*' };
// passport put the 'info' object into req.authInfo, where we can further validate the scopes
var info = { scope: token.scope };
callback(null, user, info);
});
});
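Review bot: The new `var info = { scope: token.scope };` line copies `token.scope` without checking that it is set, so a token record with a missing or empty scope (for example one stored before scopes were recorded) reaches `req.authInfo` with `scope` undefined. Whether that is safe depends on the scope-checking middleware, which is not visible here; it has to fail closed rather than treat a missing scope as unrestricted. Consider rejecting such tokens at this point with `if (!token.scope) return callback(null, false);` before `info` is built, or state in the comment that consumers must treat a missing scope as no access. The enclosing BearerStrategy callback starts above the hunk, so how `token` is loaded is not shown.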