feat(api): send the scope when refreshing the access token

bpetetot · bpetetot · commit f9ef86b7fb0d · 2024-09-11T19:53:03.000+02:00
diff --git a/api/src/identity-access-management/application/token/token.controller.js b/api/src/identity-access-management/application/token/token.controller.js
@@ -32,9 +32,7 @@ const createToken = async function (request, h, dependencies = { tokenService })
   if (grantType === 'refresh_token') {
     refreshToken = request.payload.refresh_token;
 
-    // TODO: we should pass the scope when ember-simple-auth will pass it
-    // see https://github.com/mainmatter/ember-simple-auth/pull/2813 for further details
-    const tokensInfo = await usecases.createAccessTokenFromRefreshToken({ refreshToken });
+    const tokensInfo = await usecases.createAccessTokenFromRefreshToken({ refreshToken, scope });
 
     accessToken = tokensInfo.accessToken;
     expirationDelaySeconds = tokensInfo.expirationDelaySeconds;
diff --git a/api/tests/identity-access-management/acceptance/application/token.route.test.js b/api/tests/identity-access-management/acceptance/application/token.route.test.js
@@ -143,6 +143,42 @@ describe('Acceptance | Identity Access Management | Route | Token', function ()
         expect(result.user_id).to.equal(userId);
         expect(result.refresh_token).to.exist;
       });
+
+      context('when the scope is different from the refresh token one', function () {
+        it('returns a 401 (unauthorized)', async function () {
+          // given
+          const { result: accessTokenResult } = await server.inject({
+            method: 'POST',
+            url: '/api/token',
+            headers: {
+              'content-type': 'application/x-www-form-urlencoded',
+            },
+            payload: querystring.stringify({
+              grant_type: 'password',
+              username: userEmailAddress,
+              password: userPassword,
+              scope: 'pix-orga',
+            }),
+          });
+
+          // when
+          const response = await server.inject({
+            method: 'POST',
+            url: '/api/token',
+            headers: {
+              'content-type': 'application/x-www-form-urlencoded',
+            },
+            payload: querystring.stringify({
+              grant_type: 'refresh_token',
+              refresh_token: accessTokenResult.refresh_token,
+              scope: 'pix-admin',
+            }),
+          });
+
+          // then
+          expect(response.statusCode).to.equal(401);
+        });
+      });
     });
 
     context('when scope is admin', function () {
diff --git a/api/tests/identity-access-management/unit/application/token.controller.test.js b/api/tests/identity-access-management/unit/application/token.controller.test.js
@@ -100,7 +100,7 @@ describe('Unit | Identity Access Management | Application | Controller | Token',
 
         sinon
           .stub(usecases, 'createAccessTokenFromRefreshToken')
-          .withArgs({ refreshToken })
+          .withArgs({ refreshToken, scope })
           .resolves({ accessToken, expirationDelaySeconds });
 
         const tokenServiceStub = { extractUserId: sinon.stub() };
