From fbd658bf66bb5332fa539bd9fd3525ede490aafc Mon Sep 17 00:00:00 2001
From: Johannes Zellner
Date: Wed, 10 Sep 2014 13:14:46 -0700
Subject: [PATCH] Use OAuth scope attached to the token to proceed

passport attaches the scope to req.authInfo, where we can pick it up in other middlewares for verification
---
 src/auth.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/auth.js b/src/auth.js
index 18a956832..c438848aa 100644
--- a/src/auth.js
+++ b/src/auth.js
@@ -120,7 +120,8 @@ passport.use(new BearerStrategy(function (accessToken, callback) {
 if (error) return callback(error);
 // scopes here can define what capabilities that token carries
- var info = { scope: '*' };
+ // passport put the 'info' object into req.authInfo, where we can further validate the scopes
+ var info = { scope: token.scope };
 callback(null, user, info);
 });
 });
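Review bot: `token.scope` is copied into `info` without checking that it is present, so a token record with a missing or empty scope reaches `req.authInfo` with `scope` undefined, and whether that means "no access" depends entirely on the downstream scope middleware, which this hunk does not show. Fail closed at this point instead, e.g. `if (typeof token.scope !== 'string' || token.scope === '') return callback(null, false);` before building `info`. Tokens issued before this change may carry no scope at all (inferred; the token lookup and the start of the BearerStrategy callback are outside the hunk), so decide explicitly whether they are rejected or migrated rather than implicitly keeping or losing the old `'*'` grant. The added comment would read better as `// passport puts the 'info' object into req.authInfo, where later middleware validates the scopes`.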