Merge branch 'train-64' into upstream-master

CHANGELOG.md

@@ -1,3 +1,13 @@
+
+<a name"0.64.0"></a>
+## 0.64.0 (2016-07-02)
+
+
+#### Bug Fixes
+
+* **scopes:** Dont treat `foo:write` as a sub-scope of `foo`. ([fe2f1fef](https://github.com/mozilla/fxa-oauth-server/commit/fe2f1fef))
+
+
 <a name"0.61.0"></a>
 ## 0.61.0 (2016-05-04)
 

lib/scope.js

@@ -4,13 +4,13 @@
 
 
 function Scope(arr) {
-  if (!(this instanceof Scope)) {
+  if (arr instanceof Scope) {
+    return arr;
+  } else if (!(this instanceof Scope)) {
     return new Scope(arr);
   }
   if (!arr) {
     arr = [];
-  } else if (arr instanceof Scope) {
-    return arr;
   } else if (typeof arr === 'string') {
     arr = arr.split(/\s+/);
   }
@@ -32,7 +32,19 @@ Scope.prototype = {
       } else if (word in this._values || word + ':write' in this._values) {
         return true;
       } else {
-        var prefix = word.split(':').slice(0, -1).join(':');
+        var parts = word.split(':');
+        var suffix = parts.pop();
+        if (suffix === 'write') {
+          // pop the next one off
+          // but still require this to be a 'write' scope
+          if (parts.pop()) {
+            parts.push('write');
+          } else {
+            // this was a weird scope. don't try to fix it, just say NO!
+            return false;
+          }
+        }
+        var prefix = parts.join(':');
         return prefix && this.has(prefix);
       }
     }, this);

npm-shrinkwrap.json

@@ -1,6 +1,6 @@
 {
   "name": "fxa-oauth-server",
-  "version": "0.61.0",
+  "version": "0.64.0",
   "dependencies": {
     "blanket": {
       "version": "1.1.6",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "fxa-oauth-server",
-  "version": "0.61.0",
+  "version": "0.64.0",
   "private": true,
   "description": "Firefox Accounts OAuth2 server.",
   "scripts": {

test/api.js

@@ -1088,6 +1088,29 @@ describe('/v1', function() {
           });
         });
 
+        it('should not expand read scope to write scope', function() {
+          return newToken({
+            access_type: 'offline',
+            scope: 'foo'
+          }).then(function(res) {
+            assert.equal(res.statusCode, 200);
+            assert.equal(res.result.scope, 'foo');
+            return Server.api.post({
+              url: '/token',
+              payload: {
+                client_id: clientId,
+                client_secret: secret,
+                grant_type: 'refresh_token',
+                refresh_token: res.result.refresh_token,
+                scope: 'foo:write'
+              }
+            });
+          }).then(function(res) {
+            assert.equal(res.statusCode, 400);
+            assert.equal(res.result.errno, 114);
+          });
+        });
+
       });
 
       describe('?ttl', function() {

test/scope.js

@@ -53,6 +53,9 @@ describe('Scope', function() {
       assert(s1.has('foo:mah:pa bar:baz:quux'));
       assert(!s1.has('bar'));
 
+      assert(!s1.has('foo:write'));
+      assert(!s1.has('foo:dee:write'));
+
       var s2 = Scope('foo bar baz:quux:write');
       assert(s2.has('foo bar baz:quux'));