[default-scope] Accept default scope as a valid route scope when no r…

…oute scope is specified (#4089)
hapijs · Nov 9, 2020 · b9e341a · b9e341a
1 parent b9b8e6f
commit b9e341a
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 0 deletions.
diff --git a/lib/auth.js b/lib/auth.js
@@ -419,10 +419,18 @@ exports = module.exports = internals.Auth = class {
 
 internals.setupScope = function (access) {
 
+    // No scopes
+
     if (!access.scope) {
         return false;
     }
 
+    // Already setup
+
+    if (!Array.isArray(access.scope)) {
+        return access.scope;
+    }
+
     const scope = {};
     for (const value of access.scope) {
         const prefix = value[0];

diff --git a/test/auth.js b/test/auth.js
@@ -255,7 +255,10 @@ describe('authentication', () => {
             const server = Hapi.server();
             server.auth.scheme('custom', internals.implementation);
             server.auth.strategy('default', 'custom', { users: { steve: {} } });
+
             server.auth.default({ strategy: 'default' });
+            expect(server.auth.settings.default).to.equal({ strategies: ['default'], mode: 'required' });
+
             server.route({ method: 'GET', path: '/', handler: (request) => request.auth.credentials.user });
 
             const res1 = await server.inject('/');
@@ -1014,6 +1017,34 @@ describe('authentication', () => {
             expect(res.result.message).to.equal('Insufficient scope');
         });
 
+        it('uses default scope when no scope override is set', async () => {
+
+            const server = Hapi.server();
+            server.auth.scheme('custom', internals.implementation);
+            server.auth.strategy('a', 'custom', { users: { steve: { scope: ['two'] } } });
+            server.auth.default({
+                strategy: 'a',
+                access: {
+                    scope: 'one'
+                }
+            });
+
+            server.route({
+                path: '/',
+                method: 'GET',
+                options: {
+                    auth: {
+                        mode: 'required'
+                    },
+                    handler: () => 'ok'
+                }
+            });
+
+            const res = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });
+            expect(res.statusCode).to.equal(403);
+            expect(res.result.message).to.equal('Insufficient scope');
+        });
+
         it('ignores default scope when override set to null', async () => {
 
             const server = Hapi.server();