leaonline
diff --git a/‎.versions
+64-69 b/‎.versions
+64-69
diff --git a/‎API.md
+57-43 b/‎API.md
+57-43
diff --git a/‎HISTORY.md
+10 b/‎HISTORY.md
+10
diff --git a/‎lib/middleware/getDebugMiddleware.js
+22-5 b/‎lib/middleware/getDebugMiddleware.js
+22-5
diff --git a/‎lib/middleware/secureHandler.js
+2-3 b/‎lib/middleware/secureHandler.js
+2-3
@@ -1,70 +1,65 @@
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-dburles:[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+dburles:[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
 jkuester:[email protected]
-leaonline:[email protected]
-lmieulet:[email protected]
-lmieulet:[email protected]
-lmieulet:[email protected]
-local-test:leaonline:[email protected]
-[email protected]
-[email protected]
-[email protected]
-meteortesting:[email protected]
-meteortesting:[email protected]
-meteortesting:[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-practicalmeteor:[email protected]_3
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
-[email protected]
+lai:[email protected]
+leaonline:[email protected]
+local-test:leaonline:[email protected]
+[email protected]
+[email protected]
+[email protected]
+meteortesting:[email protected]
+meteortesting:[email protected]
+meteortesting:[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+[email protected]
@@ -46,12 +46,16 @@ Uses the following values to check:</p>
 <li>&#39;saveRefreshToken&#39;,</li>
 <li>&#39;saveToken&#39;,</li>
 <li>&#39;getAccessToken&#39;</li>
+<li>&#39;revokeToken&#39;</li>
 </ul>
 </dd>
 <dt><a href="#UserValidation">UserValidation</a></dt>
 <dd><p>Used to register handlers for different instances that validate users.
 This allows you to validate user access on a client-based level.</p>
 </dd>
+<dt><a href="#validateParams">validateParams</a> ⇒ <code>boolean</code></dt>
+<dd><p>Abstraction that checks given query/body params against a given schema</p>
+</dd>
 <dt><a href="#app">app</a> : <code>Object</code></dt>
 <dd><p>Wrapped <code>WebApp</code> with express-style get/post and default use routes.</p>
 </dd>
@@ -76,6 +80,8 @@ Implements the OAuth2Server model with Meteor-Mongo bindings.
     * [.saveRefreshToken(token, clientId, expires, user)](#OAuthMeteorModel+saveRefreshToken) ⇒ <code>Promise.&lt;\*&gt;</code>
     * [.getRefreshToken()](#OAuthMeteorModel+getRefreshToken)
     * [.grantTypeAllowed(clientId, grantType)](#OAuthMeteorModel+grantTypeAllowed) ⇒ <code>boolean</code>
+    * [.verifyScope(accessToken, scope)](#OAuthMeteorModel+verifyScope) ⇒ <code>Promise.&lt;boolean&gt;</code>
+    * [.revokeToken()](#OAuthMeteorModel+revokeToken)
 
 <a name="OAuthMeteorModel+log"></a>
 
@@ -199,6 +205,24 @@ getRefreshToken(token) should return an object with:
 | clientId | 
 | grantType | 
 
+<a name="OAuthMeteorModel+verifyScope"></a>
+
+### oAuthMeteorModel.verifyScope(accessToken, scope) ⇒ <code>Promise.&lt;boolean&gt;</code>
+Compares expected scope from token with actual scope from request
+
+**Kind**: instance method of [<code>OAuthMeteorModel</code>](#OAuthMeteorModel)  
+
+| Param |
+| --- |
+| accessToken | 
+| scope | 
+
+<a name="OAuthMeteorModel+revokeToken"></a>
+
+### oAuthMeteorModel.revokeToken()
+revokeToken(refreshToken) is required and should return true
+
+**Kind**: instance method of [<code>OAuthMeteorModel</code>](#OAuthMeteorModel)  
 <a name="OAuth2ServerDefaults"></a>
 
 ## OAuth2ServerDefaults : <code>Object</code>
@@ -250,6 +274,7 @@ Defaults to a 500 response, unless further details were added.
 | res |  |  |
 | options | <code>Object</code> | options with error information |
 | options.error | <code>String</code> | Error name |
+| options.logError | <code>boolean</code> | optional flag to log the erroe to the console |
 | options.description | <code>String</code> | Error description |
 | options.uri | <code>String</code> | Optional uri to redirect to when error occurs |
 | options.status | <code>Number</code> | Optional statuscode, defaults to 500 |
@@ -274,6 +299,7 @@ Uses the following values to check:
 - 'saveRefreshToken',
 - 'saveToken',
 - 'getAccessToken'
+- 'revokeToken'
 
 **Kind**: global constant  
 **Returns**: <code>boolean</code> - true if valid, otherwise false  
@@ -289,6 +315,24 @@ Used to register handlers for different instances that validate users.
 This allows you to validate user access on a client-based level.
 
 **Kind**: global constant  
+
+* [UserValidation](#UserValidation)
+    * [.register(instance, validationHandler)](#UserValidation.register)
+    * [.isValid(instance, handlerArgs)](#UserValidation.isValid) ⇒ <code>\*</code>
+
+<a name="UserValidation.register"></a>
+
+### UserValidation.register(instance, validationHandler)
+Registers a validation method that allows
+to validate users on custom logic.
+
+**Kind**: static method of [<code>UserValidation</code>](#UserValidation)  
+
+| Param | Type | Description |
+| --- | --- | --- |
+| instance | [<code>OAuth2Server</code>](#OAuth2Server) |  |
+| validationHandler | <code>function</code> | sync or async function that performs the validation |
+
 <a name="UserValidation.isValid"></a>
 
 ### UserValidation.isValid(instance, handlerArgs) ⇒ <code>\*</code>
@@ -302,53 +346,23 @@ Delegates `handlerArgs` to the registered validation handler.
 | instance | [<code>OAuth2Server</code>](#OAuth2Server) | 
 | handlerArgs | <code>\*</code> | 
 
-<a name="app"></a>
+<a name="validateParams"></a>
 
-## app : <code>Object</code>
-Wrapped `WebApp` with express-style get/post and default use routes.
+## validateParams ⇒ <code>boolean</code>
+Abstraction that checks given query/body params against a given schema
 
 **Kind**: global constant  
-**See**: https://docs.meteor.com/packages/webapp.html  
-
-* [app](#app) : <code>Object</code>
-    * [.get(url, handler)](#app.get)
-    * [.post(url, handler)](#app.post)
-    * [.use(args)](#app.use)
-
-<a name="app.get"></a>
-
-### app.get(url, handler)
-Creates a get route for a given handler
-
-**Kind**: static method of [<code>app</code>](#app)  
-
-| Param | Type |
-| --- | --- |
-| url | <code>string</code> | 
-| handler | <code>function</code> | 
-
-<a name="app.post"></a>
-
-### app.post(url, handler)
-Creates a post route for a given handler.
-If headers' content-type does not equal to `application/x-www-form-urlencoded`
-then it will be transformed accordingly.
-
-**Kind**: static method of [<code>app</code>](#app)  
-
-| Param | Type |
-| --- | --- |
-| url | <code>string</code> | 
-| handler | <code>function</code> | 
-
-<a name="app.use"></a>
-
-### app.use(args)
-Default wrapper around `WebApp.use`
-
-**Kind**: static method of [<code>app</code>](#app)  
 
 | Param |
 | --- |
-| args | 
+| actualParams | 
+| requiredParams | 
+| debug | 
+
+<a name="app"></a>
 
+## app : <code>Object</code>
+Wrapped `WebApp` with express-style get/post and default use routes.
+
+**Kind**: global constant  
+**See**: https://docs.meteor.com/packages/webapp.html  
@@ -1,5 +1,15 @@
 # History
 
+### 6.0.0
+- Meteor 3 / Express compatibility
+- added scope verification in authenticated routes
+- improved internal logging
+- fix bug in validation for custom models
+- fix support for explicit `client.id` field
+
+## 5.0.0
+- sync support for @node-oauth/oauth2-server 5.x by
+
 ## 4.2.1
 - this is a patch release, fixing a syntax error 
   (that never got picked up, due to wrong linter config)
 
@@ -4,12 +4,29 @@ import { debug } from '../utils/console'
  * Creates a middleware to debug routes on an instance level
  * @private
  * @param instance
- * @return {function(*, *, *): *}
+ * @param options {object?} optional options
+ * @param options.description {string?} optional way to descrive the next handler
+ * @param options.data {boolean?} optional flag to log body/query
  */
-export const getDebugMiddleWare = instance => (req, res, next) => {
-  if (instance.debug === true) {
+export const getDebugMiddleWare = (instance, options = {}) => {
+  if (!instance.debug) {
+    return function (req, res, next) { next() }
+  }
+
+  return function (req, res, next) {
     const baseUrl = req.originalUrl.split('?')[0]
-    debug(req.method, baseUrl, req.query || req.body)
+    let message = `${req.method} ${baseUrl}`
+
+    if (options.description) {
+      message = `${message} (${options.description})`
+    }
+
+    if (options.data) {
+      const data = { query: req.query, body: req.body }
+      message = `${message} data: ${data}`
+    }
+
+    debug(message)
+    next()
   }
-  return next()
 }
@@ -8,11 +8,10 @@ import { bind } from '../utils/bind'
  * @param handler
  * @return {Function}
  */
-export const secureHandler = (self, handler) => bind(function (req, res, next) {
+export const secureHandler = (self, handler) => bind(async function (req, res, next) {
   const that = this
-
   try {
-    handler.call(that, req, res, next)
+    return handler.call(that, req, res, next)
   } catch (anyError) {
     // to avoid server-crashes we wrap all request handlers and
     // catch the error here, creating a default 500 response