Take into account scope from /privet/v3/auth call
For local case the scope was ignored. Behavior was similar to "auto" scope.
Change-Id: I6aabca13929d10101f5b350641aa6edd84d50a23
Reviewed-on: https://weave-review.googlesource.com/2880
Reviewed-by: Alex Vakulenko <avakulenko@google.com>
diff --git a/src/privet/privet_handler.cc b/src/privet/privet_handler.cc
index 7afeb3b..97cacc5 100644
--- a/src/privet/privet_handler.cc
+++ b/src/privet/privet_handler.cc
@@ -713,6 +713,8 @@
return ReturnError(*error, callback);
}
+ CHECK_LE(access_token_scope, desired_scope);
+
if (access_token_scope < acceptable_scope) {
Error::AddToPrintf(&error, FROM_HERE, errors::kAccessDenied,
"Scope '%s' is not allowed",
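Review bot: The added `CHECK_LE(access_token_scope, desired_scope);` makes a scope-invariant violation abort the whole process on the /privet/v3/auth request path, because CHECK-family macros are fatal in release builds as well. The invariant is established in another file (the `std::min` clamp in security_manager.cc), and only for the branch visible in that hunk. Any token-issuing path that returns a broader scope than requested would then let a network client crash the daemon instead of receiving an error. Consider rejecting the request instead, with `if (access_token_scope > desired_scope)` followed by the same `errors::kAccessDenied` / `ReturnError` path used just below, and keep a `DCHECK_LE` if a debug-time signal is wanted. The enclosing handler starts and ends outside this hunk, so the other callers and modes could not be checked from here.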
diff --git a/src/privet/security_manager.cc b/src/privet/security_manager.cc
index 3b08613..3c11935 100644
--- a/src/privet/security_manager.cc
+++ b/src/privet/security_manager.cc
@@ -144,9 +144,11 @@
return disabled_mode(error);
const base::TimeDelta kTtl =
base::TimeDelta::FromSeconds(kAccessTokenExpirationSeconds);
- return auth_manager_->CreateAccessTokenFromAuth(
+ bool result = auth_manager_->CreateAccessTokenFromAuth(
auth_code, kTtl, access_token, access_token_scope, access_token_ttl,
error);
+ *access_token_scope = std::min(*access_token_scope, desired_scope);
+ return result;
}
return Error::AddTo(error, FROM_HERE, errors::kInvalidAuthMode,
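Review bot: The clamp `*access_token_scope = std::min(*access_token_scope, desired_scope);` runs before `result` is examined, so when `CreateAccessTokenFromAuth` fails it reads an out-parameter the callee may never have written. Guarding it as `if (result) *access_token_scope = std::min(*access_token_scope, desired_scope);` keeps the failure path from touching an indeterminate value. Only this branch is clamped in the hunk, while the `CHECK_LE` added in privet_handler.cc relies on every token-issuing path capping the scope the same way; the rest of the function lies outside the hunk. A short comment such as `// Never grant a broader scope than the caller requested.` would record why the scope is lowered here. `std::min` also needs `<algorithm>`, and the file's includes are not visible in this diff.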