Merge branch 'master' of github.com:mozilla/fxa-oauth-server

2018-03-27 14:25:29 +11:00 · 2018-03-27 14:25:29 +11:00 · d395e66df7
--- a/lib/routes/verify.js
+++ b/lib/routes/verify.js
@ -12,7 +12,7 @@ module.exports = {
  validate: {
    payload: {
      token: validators.token.required(),
-      email: Joi.boolean().default(true)
+      email: Joi.boolean().default(false)
    }
  },
  response: {
--- a/test/api.js
+++ b/test/api.js
@ -2664,12 +2664,12 @@ describe('/v1', function() {
          assert.equal(res.result.user, USERID);
          assert.equal(res.result.client_id, clientId);
          assert.equal(res.result.scope[0], 'profile');
-          assert.equal(res.result.email, VEMAIL);
+          assert.equal(res.result.email, undefined);
        });
      });
    });

-    it('should return the email with profile:email scope', function() {
+    it('should not return the email by default for profile:email scope', function() {
      return newToken({ scope: 'profile:email' }).then(function(res) {
        assert.equal(res.statusCode, 200);
        assertSecurityHeaders(res);
@ -2682,11 +2682,11 @@ describe('/v1', function() {
      }).then(function(res) {
        assert.equal(res.statusCode, 200);
        assertSecurityHeaders(res);
-        assert.equal(res.result.email, VEMAIL);
+        assert.equal(res.result.email, undefined);
      });
    });

-    it('should not return the email if opted out', function() {
+    it('should not return the email if email:false for profile:email scope', function() {
      return newToken({ scope: 'profile:email' }).then(function(res) {
        assert.equal(res.statusCode, 200);
        assertSecurityHeaders(res);
@ -2704,6 +2704,24 @@ describe('/v1', function() {
      });
    });

+    it('should return the email if opted in', function() {
+      return newToken({ scope: 'profile:email' }).then(function(res) {
+        assert.equal(res.statusCode, 200);
+        assertSecurityHeaders(res);
+        return Server.api.post({
+          url: '/verify',
+          payload: {
+            token: res.result.access_token,
+            email: true
+          }
+        });
+      }).then(function(res) {
+        assert.equal(res.statusCode, 200);
+        assertSecurityHeaders(res);
+        assert.equal(res.result.email, VEMAIL);
+      });
+    });
+
  });

  describe('/destroy', function() {