fix(authorization): Correctly handle non-existing URL scopes during authorization. (#594) r=@vladikoff
Fixes #593;
Родитель
237886dc0f
Коммит
21654a3738
|
@ -238,7 +238,7 @@ module.exports = {
|
|||
// so avoid trips to the DB for common scopes like 'profile'.
|
||||
if (scope.startsWith('https://')) {
|
||||
return db.getScope(scope).then(s => {
|
||||
if (s.hasScopedKeys) {
|
||||
if (s && s.hasScopedKeys) {
|
||||
exitEarly = true;
|
||||
throw AppError.invalidAssertion();
|
||||
}
|
||||
|
|
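Review bot: The guard `if (s && s.hasScopedKeys)` now fails open, because any falsy result from `db.getScope(scope)` skips the `throw AppError.invalidAssertion()` branch and the request continues. That is the intended outcome for an unregistered URL scope, but it is only safe if `db.getScope` resolves falsy for "no such scope" alone and rejects on lookup failure; that behaviour is not visible in this hunk and should be confirmed. I would record the assumption next to the check, e.g. `// No DB record means the scope is unregistered and cannot carry scoped keys, so the verified-session requirement does not apply.` The enclosing function starts and ends outside the hunk, so whether an unregistered `https://` scope is later granted or dropped cannot be judged from here.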
14
test/api.js
14
test/api.js
|
@ -545,6 +545,20 @@ describe('/v1', function() {
|
|||
});
|
||||
});
|
||||
|
||||
it('succeeds when fxa-tokenVerified is false and an unknown URL scope is requested', function() {
|
||||
mockAssertion().reply(200, VERIFY_GOOD_BUT_UNVERIFIED);
|
||||
return Server.api.post({
|
||||
url: '/authorization',
|
||||
payload: authParams({
|
||||
client_id: SCOPED_CLIENT_ID,
|
||||
scope: 'https://example.com/unknown-scope'
|
||||
})
|
||||
}).then(function(res) {
|
||||
assert.equal(res.statusCode, 200);
|
||||
assertSecurityHeaders(res);
|
||||
});
|
||||
});
|
||||
|
||||
});
|
||||
|
||||
describe('?redirect_uri', function() {
|
||||
|
|
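Review bot: The new test asserts only `res.statusCode` and the security headers, so it does not pin what the server actually grants for `https://example.com/unknown-scope`. Because the server-side change lets an unregistered URL scope through the scoped-keys guard while `fxa-tokenVerified` is false, an assertion on the response body would catch a regression that starts granting something for it. The response shape is not visible in this hunk, so the exact assertion has to follow the neighbouring tests. A short comment above the request would also help, e.g. `// unknown URL scopes have no DB record, so the scoped-keys check must not reject them`. The enclosing `describe` block starts outside the hunk.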