fix: use array scope and do not ignore scope on refresh token call

Merge pull request #238 from jorenvandeweyer/feature/scope-validation thanks to @jorenvandeweyer

Author: jankapunkt

CHANGELOG.md

@@ -8,6 +8,7 @@
 - this is a breaking change, because **it removes callback support** for
   `OAuthServer` and your model implementation.
 - fixed missing await in calling generateAuthorizationCode in AuthorizeHandler
+- validate scope as an array of strings
 
 ## 4.2.0
 ### Fixed
@@ -52,7 +53,7 @@
 - Upgrades all code from ES5 to ES6, where possible.
 
 ## 4.1.0
-### Changed 
+### Changed
 * Bump dev dependencies to resolve vulnerabilities
 * Replaced jshint with eslint along with should and chai
 * Use sha256 when generating tokens

README.md

@@ -27,7 +27,7 @@ If you're using one of those frameworks it is strongly recommended to use the re
 ## Features
 
 - Supports `authorization_code`, `client_credentials`, `refresh_token` and `password` grant, as well as *extension grants*, with scopes.
-- Can be used with *promises*, *Node-style callbacks*, *ES6 generators* and *async*/*await* (using [Babel](https://babeljs.io)).
+- Can be used with *promises*, *ES6 generators* and *async*/*await* (using [Babel](https://babeljs.io)).
 - Fully [RFC 6749](https://tools.ietf.org/html/rfc6749.html) and [RFC 6750](https://tools.ietf.org/html/rfc6750.html) compliant.
 - Implicitly supports any form of storage, e.g. *PostgreSQL*, *MySQL*, *MongoDB*, *Redis*, etc.
 - Support for PKCE

docs/api/oauth2-server.rst

@@ -57,7 +57,7 @@ Advanced example with additional options:
 
 .. _OAuth2Server#authenticate:
 
-``authenticate(request, response, [options], [callback])``
+``authenticate(request, response, [options])``
 ==========================================================
 
 Authenticates a request.
@@ -73,16 +73,14 @@ Authenticates a request.
 +------------------------------------------------+-----------------+-----------------------------------------------------------------------+
 | [options={}]                                   | Object          | Handler options.                                                      |
 +------------------------------------------------+-----------------+-----------------------------------------------------------------------+
-| [options.scope=undefined]                      | String          | The scope(s) to authenticate.                                         |
+| [options.scope=undefined]                      | String[]        | The scope(s) to authenticate.                                         |
 +------------------------------------------------+-----------------+-----------------------------------------------------------------------+
 | [options.addAcceptedScopesHeader=true]         | Boolean         | Set the ``X-Accepted-OAuth-Scopes`` HTTP header on response objects.  |
 +------------------------------------------------+-----------------+-----------------------------------------------------------------------+
 | [options.addAuthorizedScopesHeader=true]       | Boolean         | Set the ``X-OAuth-Scopes`` HTTP header on response objects.           |
 +------------------------------------------------+-----------------+-----------------------------------------------------------------------+
 | [options.allowBearerTokensInQueryString=false] | Boolean         | Allow clients to pass bearer tokens in the query string of a request. |
 +------------------------------------------------+-----------------+-----------------------------------------------------------------------+
-| [callback=undefined]                           | Function        | Node-style callback to be used instead of the returned ``Promise``.   |
-+------------------------------------------------+-----------------+-----------------------------------------------------------------------+
 
 **Return value:**
 
@@ -94,8 +92,6 @@ Possible errors include but are not limited to:
 :doc:`/api/errors/unauthorized-request-error`:
   The protected resource request failed authentication.
 
-The returned ``Promise`` **must** be ignored if ``callback`` is used.
-
 **Remarks:**
 
 ::
@@ -121,7 +117,7 @@ The returned ``Promise`` **must** be ignored if ``callback`` is used.
 
 .. _OAuth2Server#authorize:
 
-``authorize(request, response, [options], [callback])``
+``authorize(request, response, [options])``
 =======================================================
 
 Authorizes a token request.
@@ -145,8 +141,6 @@ Authorizes a token request.
 +-----------------------------------------+-----------------+-----------------------------------------------------------------------------+
 | [options.authorizationCodeLifetime=300] | Number          | Lifetime of generated authorization codes in seconds (default = 5 minutes). |
 +-----------------------------------------+-----------------+-----------------------------------------------------------------------------+
-| [callback=undefined]                    | Function        | Node-style callback to be used instead of the returned ``Promise``.         |
-+-----------------------------------------+-----------------+-----------------------------------------------------------------------------+
 
 **Return value:**
 
@@ -158,8 +152,6 @@ Possible errors include but are not limited to:
 :doc:`/api/errors/access-denied-error`
   The resource owner denied the access request (i.e. ``request.query.allow`` was ``'false'``).
 
-The returned ``Promise`` **must** be ignored if ``callback`` is used.
-
 **Remarks:**
 
 If ``request.query.allowed`` equals the string ``'false'`` the access request is denied and the returned promise is rejected with an :doc:`/api/errors/access-denied-error`.
@@ -211,7 +203,7 @@ When working with a session-based login mechanism, the handler can simply look l
 
 .. _OAuth2Server#token:
 
-``token(request, response, [options], [callback])``
+``token(request, response, [options])``
 ===================================================
 
 Retrieves a new token for an authorized token request.
@@ -239,8 +231,6 @@ Retrieves a new token for an authorized token request.
 +----------------------------------------------+-----------------+-------------------------------------------------------------------------------------------+
 | [options.extendedGrantTypes={}]              | Object          | Additional supported grant types.                                                         |
 +----------------------------------------------+-----------------+-------------------------------------------------------------------------------------------+
-| [callback=undefined]                         | Function        | Node-style callback to be used instead of the returned ``Promise``.                       |
-+----------------------------------------------+-----------------+-------------------------------------------------------------------------------------------+
 
 **Return value:**
 
@@ -252,8 +242,6 @@ Possible errors include but are not limited to:
 :doc:`/api/errors/invalid-grant-error`:
   The access token request was invalid or not authorized.
 
-The returned ``Promise`` **must** be ignored if ``callback`` is used.
-
 **Remarks:**
 
 If ``options.allowExtendedTokenAttributes`` is ``true`` any additional properties set on the object returned from :ref:`Model#saveToken() <Model#saveToken>` are copied to the token response sent to the client.

docs/docs/getting-started.rst

@@ -28,7 +28,7 @@ Features
 ========
 
 - Supports :ref:`authorization code <AuthorizationCodeGrant>`, :ref:`client credentials <ClientCredentialsGrant>`, :ref:`refresh token <RefreshTokenGrant>` and :ref:`password <PasswordGrant>` grant, as well as :ref:`extension grants <ExtensionGrants>`, with scopes.
-- Can be used with *promises*, *Node-style callbacks*, *ES6 generators* and *async*/*await* (using Babel_).
+- Can be used with *promises*, *ES6 generators* and *async*/*await* (using Babel_).
 - Fully :rfc:`6749` and :rfc:`6750` compliant.
 - Implicitly supports any form of storage, e.g. *PostgreSQL*, *MySQL*, *MongoDB*, *Redis*, etc.
 - Complete `test suite`_.