app delegation flag. Closes #1

outmoded · Sep 18, 2015 · 25f407b · 25f407b
1 parent 902c304
commit 25f407b
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -24,7 +24,7 @@ assumes the reader is familiar with the OAuth 1.0a protocol workflow.
   the server issues an application ticket.
 2. The application directs the [user](#user) to grant it authorization by providing the user with its
   application identifier. The user authenticates with the server, reviews the authorization
-  [grant](#grant)and its [scope](#scope), and if approved the server returns an [rsvp](#rsvp).
+  [grant](#grant) and its [scope](#scope), and if approved the server returns an [rsvp](#rsvp).
 3. The user returns to the application with the rsvp which the application uses to request a new
   user-specific ticket. If valid, the server returns a new ticket.
 4. The application uses the user-ticket to access the user's protected resources.
@@ -43,6 +43,8 @@ the control of a user who grants the application access.
 Each application definition includes:
 - `id` - a unique application identifier.
 - `scope` - the default application [scope](#scope).
+- `delegate` - if `true`, the application is allowed to delegate a ticket to another application.
+  Defaults to `false`.
 
 Applications must be registered with the server prior to using Oz. The method through which
 applications register is outside the scope of this protocol. When an application registers, it is

diff --git a/lib/endpoints.js b/lib/endpoints.js
@@ -76,6 +76,12 @@ exports.reissue = function (req, payload, options, callback) {
                     return callback(Hawk.utils.unauthorized('Invalid application'));
                 }
 
+                if (payload.issueTo &&
+                    !app.delegate) {
+
+                    return callback(Boom.forbidden('Application has no delegation rights'));
+                }
+
                 // Application ticket
 
                 if (!ticket.grant) {
@@ -118,7 +124,7 @@ exports.reissue = function (req, payload, options, callback) {
         }
 
         if (payload.issueTo) {
-            ticketOptions.issueTo = payload.issueTo;            // TODO: Check if the app has permission to delegate or re-delegate
+            ticketOptions.issueTo = payload.issueTo;
         }
 
         if (payload.scope) {

diff --git a/test/index.js b/test/index.js
@@ -29,7 +29,8 @@ describe('Oz', function () {
                 id: 'social',
                 scope: ['a', 'b', 'c'],
                 key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
-                algorithm: 'sha256'
+                algorithm: 'sha256',
+                delegate: true
             },
             network: {
                 id: 'network',