fix: Disallow invalid scopes (#12099)

This commit is contained in:
Tom Moor
2026-04-17 23:26:08 -04:00
committed by GitHub
parent 505082b196
commit 04debcb607
2 changed files with 7 additions and 1 deletions
@@ -347,5 +347,11 @@ describe("OAuthInterface", () => {
const result = await OAuthInterface.validateScope(user, client, scope);
expect(result).toBe(false);
});
it("should reject if any requested scope is invalid", async () => {
const scope = [Scope.Read, "*"];
const result = await OAuthInterface.validateScope(user, client, scope);
expect(result).toBe(false);
});
});
});
+1 -1
@@ -395,7 +395,7 @@ export const OAuthInterface: RefreshTokenModel &
const scopes = Array.isArray(scope) ? scope : [scope];
const validAccessScopes = Object.values(Scope);
return scopes.some((s: string) => {
return scopes.every((s: string) => {
if (validAccessScopes.includes(s as Scope)) {
return true;
}
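Review bot: Switching `scopes.some` to `scopes.every` on the new line flips the result for an empty array: `[].every(...)` is `true`, so `validateScope` with `scope = []` now validates, whereas the old `some` rejected it. If a caller can reach this with an empty array (the `Array.isArray(scope) ? scope : [scope]` normalisation does not rule that out), add an explicit guard before the `every` call, `if (scopes.length === 0) return false;`, and cover it with a test next to the new "should reject if any requested scope is invalid" case in the spec hunk. Whether earlier validation already rejects an empty scope list is not visible here, and the `validateScope` body continues outside this hunk.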