client credential scope down to supported scopes only

x1B · Jul 10, 2017 · cf8982a · cf8982a
1 parent 6fc050b
commit cf8982a
Showing 1 changed file with 14 additions and 4 deletions.
diff --git a/lib/actions/token/client_credentials.js b/lib/actions/token/client_credentials.js
@@ -1,14 +1,24 @@
-module.exports.handler = function getClientCredentialsHandler({ ClientCredentials }) {
+const { intersection } = require('lodash');
+const instance = require('../../helpers/weak_cache');
+
+module.exports.handler = function getClientCredentialsHandler(provider) {
   return async function clientCredentialsResponse(ctx, next) {
+    const { ClientCredentials } = provider;
+    const scope = intersection(String(ctx.oidc.params.scope).split(' '),
+      instance(provider).configuration('scopes'));
+
     const at = new ClientCredentials({
       clientId: ctx.oidc.client.clientId,
-      scope: ctx.oidc.params.scope,
+      scope: scope.length ? scope.join(' ') : undefined,
     });
 
     const token = await at.save();
-    const { expiresIn } = ClientCredentials;
 
-    ctx.body = { access_token: token, expires_in: expiresIn, token_type: 'Bearer' };
+    ctx.body = {
+      access_token: token,
+      expires_in: ClientCredentials.expiresIn,
+      token_type: 'Bearer',
+    };
 
     await next();
   };