When there is an invalid scope passed, there is still an accessToken and refreshToken generated.
Code
|
PasswordGrantType.prototype.saveToken = function(user, client, scope) { |
|
var fns = [ |
|
this.validateScope(user, client, scope), |
|
this.generateAccessToken(client, user, scope), |
|
this.generateRefreshToken(client, user, scope), |
|
this.getAccessTokenExpiresAt(), |
|
this.getRefreshTokenExpiresAt() |
|
]; |
|
|
|
return Promise.all(fns) |
|
.bind(this) |
|
.spread(function(scope, accessToken, refreshToken, accessTokenExpiresAt, refreshTokenExpiresAt) { |
|
var token = { |
|
accessToken: accessToken, |
|
accessTokenExpiresAt: accessTokenExpiresAt, |
|
refreshToken: refreshToken, |
|
refreshTokenExpiresAt: refreshTokenExpiresAt, |
|
scope: scope |
|
}; |
|
|
|
return promisify(this.model.saveToken, 3).call(this.model, token, client, user); |
|
}); |
|
}; |
Suggestion
Move this.validateScope(user, client, scope) out of the array and check this before generating the tokens.
Use case
We use JWT's and only an internal token id is saved instead of the full JWT string. This means generating the token automatically means saving the token. So we are not actually using the saveToken function.
When there is an invalid scope passed, there is still an
accessTokenandrefreshTokengenerated.Code
node-oauth2-server/lib/grant-types/password-grant-type.js
Lines 105 to 127 in 0154165
Suggestion
Move
this.validateScope(user, client, scope)out of the array and check this before generating the tokens.Use case
We use JWT's and only an internal token id is saved instead of the full JWT string. This means generating the token automatically means saving the token. So we are not actually using the
saveTokenfunction.