node-oauth · jankapunkt · Nov 28, 2023 · Nov 24, 2023 · Nov 24, 2023 · Nov 24, 2023
diff --git a/lib/handlers/token-handler.js b/lib/handlers/token-handler.js
@@ -266,6 +266,12 @@ class TokenHandler {
   updateSuccessResponse (response, tokenType) {
     response.body = tokenType.valueOf();
 
+    // for compliance reasons we rebuild the internal scope to be a string
+    // https://datatracker.ietf.org/doc/html/rfc6749.html#section-5.1
+    if (response.body.scope) {
+      response.body.scope = response.body.scope.join(' ');
+    }
+
     response.set('Cache-Control', 'no-store');
     response.set('Pragma', 'no-cache');
   }

diff --git a/lib/utils/scope-util.js b/lib/utils/scope-util.js
@@ -11,6 +11,6 @@ module.exports = {
       return undefined;
     }
 
-    return requestedScope.split(' ');
+    return Array.isArray(requestedScope) ? requestedScope : requestedScope.split(' ');
   }
 };
diff --git a/lib/validator/is.js b/lib/validator/is.js
diff --git a/test/compliance/client-authentication_test.js b/test/compliance/client-authentication_test.js
@@ -37,12 +37,14 @@ const client = db.saveClient({ id: 'a', secret: 'b', grants: ['password'] });
 const scope = 'read write';
 
 function createDefaultRequest () {
+  const dice = Math.random() > 0.5;
+  const currentScope = dice ? scope : scope.split(' ');
   return createRequest({
     body: {
       grant_type: 'password',
       username: user.username,
       password: user.password,
-      scope
+      scope: currentScope
     },
     headers: {
       'authorization': 'Basic ' + Buffer.from(client.id + ':' + client.secret).toString('base64'),

diff --git a/test/compliance/client-credential-workflow_test.js b/test/compliance/client-credential-workflow_test.js
@@ -90,7 +90,7 @@ describe('ClientCredentials Workflow Compliance (4.4)', function () {
       response.body.token_type.should.equal('Bearer');
       response.body.access_token.should.equal(token.accessToken);
       response.body.expires_in.should.be.a('number');
-      response.body.scope.should.eql(['read', 'write']);
+      response.body.scope.should.eql('read write');
       ('refresh_token' in response.body).should.equal(false);
 
       token.accessToken.should.be.a('string');

diff --git a/test/compliance/password-grant-type_test.js b/test/compliance/password-grant-type_test.js
@@ -101,7 +101,7 @@ describe('PasswordGrantType Compliance', function () {
       response.body.access_token.should.equal(token.accessToken);
       response.body.refresh_token.should.equal(token.refreshToken);
       response.body.expires_in.should.be.a('number');
-      response.body.scope.should.eql(['read', 'write']);
+      response.body.scope.should.eql('read write');
 
       token.accessToken.should.be.a('string');
       token.refreshToken.should.be.a('string');

diff --git a/test/compliance/refresh-token-grant-type_test.js b/test/compliance/refresh-token-grant-type_test.js
@@ -124,7 +124,7 @@ describe('RefreshTokenGrantType Compliance', function () {
       refreshResponse.body.access_token.should.equal(token.accessToken);
       refreshResponse.body.refresh_token.should.equal(token.refreshToken);
       refreshResponse.body.expires_in.should.be.a('number');
-      refreshResponse.body.scope.should.eql(['read', 'write']);
+      refreshResponse.body.scope.should.eql('read write');
 
       token.accessToken.should.be.a('string');
       token.refreshToken.should.be.a('string');
@@ -223,7 +223,7 @@ describe('RefreshTokenGrantType Compliance', function () {
       refreshResponse.body.access_token.should.equal(token.accessToken);
       refreshResponse.body.refresh_token.should.equal(token.refreshToken);
       refreshResponse.body.expires_in.should.be.a('number');
-      refreshResponse.body.scope.should.eql(['read']);
+      refreshResponse.body.scope.should.eql('read');
     });
   });
 });
diff --git a/test/helpers/model.js b/test/helpers/model.js
@@ -10,6 +10,9 @@ function createModel (db) {
   }
 
   async function saveToken (token, client, user) {
+    if (token.scope && !Array.isArray(token.scope)) {
+      throw new Error('Scope should internally be an array');
+    }
     const meta = {
       clientId: client.id,
       userId: user.id,
@@ -38,7 +41,9 @@ function createModel (db) {
     if (!meta) {
       return false;
     }
-
+    if (meta.scope && !Array.isArray(meta.scope)) {
+      throw new Error('Scope should internally be an array');
+    }
     return {
       accessToken,
       accessTokenExpiresAt: meta.accessTokenExpiresAt,
@@ -54,7 +59,9 @@ function createModel (db) {
     if (!meta) {
       return false;
     }
-
+    if (meta.scope && !Array.isArray(meta.scope)) {
+      throw new Error('Scope should internally be an array');
+    }
     return {
       refreshToken,
       refreshTokenExpiresAt: meta.refreshTokenExpiresAt,
@@ -71,6 +78,9 @@ function createModel (db) {
   }
 
   async function verifyScope (token, scope) {
+    if (!Array.isArray(scope)) {
+      throw new Error('Scope should internally be an array');
+    }
     return scope.every(s => scopes.includes(s));
   }
 

diff --git a/test/integration/handlers/token-handler_test.js b/test/integration/handlers/token-handler_test.js
@@ -329,7 +329,7 @@ describe('TokenHandler integration', function() {
     });
 
     it('should not return custom attributes in a bearer token if the allowExtendedTokenAttributes is not set', function() {
-      const token = { accessToken: 'foo', client: {}, refreshToken: 'bar', scope: ['foobar'], user: {}, foo: 'bar' };
+      const token = { accessToken: 'foo', client: {}, refreshToken: 'bar', scope: ['baz'], user: {}, foo: 'bar' };
       const model = {
         getClient: function() { return { grants: ['password'] }; },
         getUser: function() { return {}; },
@@ -344,7 +344,7 @@ describe('TokenHandler integration', function() {
           username: 'foo',
           password: 'bar',
           grant_type: 'password',
-          scope: 'baz'
+          scope: ['baz']
         },
         headers: { 'content-type': 'application/x-www-form-urlencoded', 'transfer-encoding': 'chunked' },
         method: 'POST',
@@ -357,14 +357,14 @@ describe('TokenHandler integration', function() {
           should.exist(response.body.access_token);
           should.exist(response.body.refresh_token);
           should.exist(response.body.token_type);
-          should.exist(response.body.scope);
+          response.body.scope.should.eql('baz');
           should.not.exist(response.body.foo);
         })
         .catch(should.fail);
     });
 
     it('should return custom attributes in a bearer token if the allowExtendedTokenAttributes is set', function() {
-      const token = { accessToken: 'foo', client: {}, refreshToken: 'bar', scope: ['foobar'], user: {}, foo: 'bar' };
+      const token = { accessToken: 'foo', client: {}, refreshToken: 'bar', scope: ['baz'], user: {}, foo: 'bar' };
       const model = {
         getClient: function() { return { grants: ['password'] }; },
         getUser: function() { return {}; },
@@ -392,7 +392,7 @@ describe('TokenHandler integration', function() {
           should.exist(response.body.access_token);
           should.exist(response.body.refresh_token);
           should.exist(response.body.token_type);
-          should.exist(response.body.scope);
+          response.body.scope.should.eql('baz');
           should.exist(response.body.foo);
         })
         .catch(should.fail);