fix: complies access scope validation to RFC8693

scope validation should support space separated values in credentials see https://datatracker.ietf.org/doc/html/rfc8693#name-scope-scopes-claim Co-authored-by: Vincent Hardouin <[email protected]>
hapijs · Feb 14, 2025 · eb7e81c · eb7e81c
1 parent 9aa775f
commit eb7e81c
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 4 deletions.
diff --git a/lib/auth.js b/lib/auth.js
@@ -555,9 +555,10 @@ internals.validateScope = function (credentials, scope, type) {
         return true;
     }
 
-    const count = typeof credentials.scope === 'string' ?
-        scope[type].indexOf(credentials.scope) !== -1 ? 1 : 0 :
-        Hoek.intersect(scope[type], credentials.scope).length;
+    const count = Hoek.intersect(
+        scope[type],
+        (typeof credentials.scope === 'string') ? credentials.scope.split(' ') : credentials.scope
+    ).length;
 
     if (type === 'forbidden') {
         return count === 0;

diff --git a/test/auth.js b/test/auth.js
@@ -700,6 +700,27 @@ describe('authentication', () => {
             expect(res.statusCode).to.equal(204);
         });
 
+        it('matches scope (space separated to array)', async () => {
+
+            const server = Hapi.server();
+            server.auth.scheme('custom', internals.implementation);
+            server.auth.strategy('default', 'custom', { users: { steve: { scope: 'one two' } } });
+            server.auth.default('default');
+            server.route({
+                method: 'GET',
+                path: '/',
+                options: {
+                    handler: (request) => request.auth.credentials.user,
+                    auth: {
+                        scope: ['one', 'three']
+                    }
+                }
+            });
+
+            const res = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });
+            expect(res.statusCode).to.equal(204);
+        });
+
         it('matches scope (single to single)', async () => {
 
             const server = Hapi.server();
@@ -1036,7 +1057,7 @@ describe('authentication', () => {
             expect(res5.result.message).to.equal('Insufficient scope');
         });
 
-        it('errors on missing scope using arrays', async () => {
+        it('errors on missing scope using (array to array )', async () => {
 
             const server = Hapi.server();
             server.auth.scheme('custom', internals.implementation);
@@ -1058,6 +1079,28 @@ describe('authentication', () => {
             expect(res.result.message).to.equal('Insufficient scope');
         });
 
+        it('errors on missing scope using (space separated to array )', async () => {
+
+            const server = Hapi.server();
+            server.auth.scheme('custom', internals.implementation);
+            server.auth.strategy('default', 'custom', { users: { steve: { scope: 'a b' } } });
+            server.auth.default('default');
+            server.route({
+                method: 'GET',
+                path: '/',
+                options: {
+                    handler: (request) => request.auth.credentials.user,
+                    auth: {
+                        scope: ['c', 'd']
+                    }
+                }
+            });
+
+            const res = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });
+            expect(res.statusCode).to.equal(403);
+            expect(res.result.message).to.equal('Insufficient scope');
+        });
+
         it('uses default scope when no scope override is set', async () => {
 
             const server = Hapi.server();