anvilresearch / connect

A modern authorization server built to authenticate your users and protect your APIs
http://anvil.io
MIT License

authorizedScope, allow for no role scopes #328

Open ikb42 opened 8 years ago

ikb42 commented 8 years ago

Not allowing for this case can cause a crash.

christiansmith commented 8 years ago

@ikb42 can you describe what's happening in a little more detail? I'm not sure I understand "no role scopes". We're handling these "unassigned" scopes in Scope.determine() method:

https://github.com/anvilresearch/connect/blob/master/models/Scope.js#L46-L85

ikb42 commented 8 years ago

In the case that the subject client has been assigned a role but the role has no permitted scopes: if this subject and a scope are then passed to Scope.determine, subject.authorizedScope will return [ undefined ], which will then crash in Scope.determine on the line found = found || (result.indexOf(scope.name) !== -1).
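The failure mode described in this thread, reduced to a stand-alone illustration (added here, not code from the connect project): a role with no scope list leaks an `undefined` entry out of the scope lookup, and the `indexOf` check in the determine step then throws a TypeError. The role table, `authorizedScopeBuggy`, `authorizedScopeSafe`, `determine` and `run` are constructed names that mirror the issue, not the project's API.

```javascript
// Added illustration, not the connect project's code. Names are constructed
// to mirror the issue: a subject carries roles, each role carries a list
// of scope names (possibly none), and determine() checks which requested
// scopes the subject is authorized for.

// Constructed fixture: role "reader" grants one scope, role "guest" none.
const roles = {
  reader: { scopes: ['profile'] },
  guest:  {},                      // assigned role with no permitted scopes
};

// Buggy shape of the lookup: a role with no scopes yields `undefined`,
// so the result becomes [ undefined ] for a subject holding only "guest".
function authorizedScopeBuggy(subject) {
  return subject.roles.map(name => roles[name].scopes);
}

// Hardened lookup: default a missing scope list to [] and drop anything
// that is not an array, so callers never see undefined entries.
function authorizedScopeSafe(subject) {
  return subject.roles
    .map(name => (roles[name] && roles[name].scopes) || [])
    .filter(Array.isArray);
}

// Mirrors the check quoted in the issue:
// found = found || (result.indexOf(scope.name) !== -1)
// If any `result` is undefined, .indexOf throws a TypeError.
function determine(requested, authorized) {
  const granted = [];
  for (const scope of requested) {
    let found = false;
    for (const result of authorized) {
      found = found || (result.indexOf(scope.name) !== -1);
    }
    if (found) granted.push(scope.name);
  }
  return granted;
}

// Returns 'crash' if determine() throws a TypeError, otherwise the granted names.
function run(lookup, subject, requested) {
  try {
    return determine(requested, lookup(subject));
  } catch (e) {
    return e instanceof TypeError ? 'crash' : 'unexpected';
  }
}

const guestOnly = { roles: ['guest'] };          // constructed subject
const requested = [{ name: 'profile' }];         // constructed scope request
```

Running `run(authorizedScopeBuggy, guestOnly, requested)` reproduces the crash, while the hardened lookup returns an empty grant list for the same subject.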