fix critical bug for scope validation

jorenvandeweyer · jorenvandeweyer · commit fc403c3fcb81 · 2023-08-26T09:01:51.000+02:00
diff --git a/lib/grant-types/authorization-code-grant-type.js b/lib/grant-types/authorization-code-grant-type.js
@@ -187,10 +187,10 @@ class AuthorizationCodeGrantType extends AbstractGrantType {
 	 * Save token.
 	 */
 
-  async saveToken(user, client, authorizationCode, scope) {
-    const validatedScope = await this.validateScope(user, client, scope);
-    const accessToken = await this.generateAccessToken(client, user, scope);
-    const refreshToken = await this.generateRefreshToken(client, user, scope);
+  async saveToken(user, client, authorizationCode, requestedScope) {
+    const validatedScope = await this.validateScope(user, client, requestedScope);
+    const accessToken = await this.generateAccessToken(client, user, validatedScope);
+    const refreshToken = await this.generateRefreshToken(client, user, validatedScope);
     const accessTokenExpiresAt = await this.getAccessTokenExpiresAt();
     const refreshTokenExpiresAt = await this.getRefreshTokenExpiresAt();
 
diff --git a/lib/grant-types/client-credentials-grant-type.js b/lib/grant-types/client-credentials-grant-type.js
@@ -68,10 +68,10 @@ class ClientCredentialsGrantType extends AbstractGrantType {
 	 * Save token.
 	 */
 
-  async saveToken(user, client, scope) {
-    const validatedScope = await this.validateScope(user, client, scope);
-    const accessToken = await this.generateAccessToken(client, user, scope);
-    const accessTokenExpiresAt = await this.getAccessTokenExpiresAt(client, user, scope);
+  async saveToken(user, client, requestedScope) {
+    const validatedScope = await this.validateScope(user, client, requestedScope);
+    const accessToken = await this.generateAccessToken(client, user, validatedScope);
+    const accessTokenExpiresAt = await this.getAccessTokenExpiresAt(client, user, validatedScope);
     const token = {
       accessToken: accessToken,
       accessTokenExpiresAt: accessTokenExpiresAt,
diff --git a/lib/grant-types/password-grant-type.js b/lib/grant-types/password-grant-type.js
@@ -86,10 +86,10 @@ class PasswordGrantType extends AbstractGrantType {
 	 * Save token.
 	 */
 
-  async saveToken(user, client, scope) {
-    const validatedScope = await this.validateScope(user, client, scope);
-    const accessToken = await this.generateAccessToken(client, user, scope);
-    const refreshToken = await this.generateRefreshToken(client, user, scope);
+  async saveToken(user, client, requestedScope) {
+    const validatedScope = await this.validateScope(user, client, requestedScope);
+    const accessToken = await this.generateAccessToken(client, user, validatedScope);
+    const refreshToken = await this.generateRefreshToken(client, user, validatedScope);
     const accessTokenExpiresAt = await this.getAccessTokenExpiresAt();
     const refreshTokenExpiresAt = await this.getRefreshTokenExpiresAt();
 
