Use strong parameters for pre-authorization

doorkeeper-gem · Jun 5, 2019 · edd8fe9 · edd8fe9
1 parent adea1d2
commit edd8fe9
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,7 @@ User-visible changes worth mentioning.
 ## master
 
 - [#PR ID] Add your description here.
+- [#1266]: Use strong parameters within pre-authorization.
 - [#1263]: Response properly when introspection fails and fix configurations's user guide.
 
 ## 5.2.0.rc1

diff --git a/lib/doorkeeper/oauth/pre_authorization.rb b/lib/doorkeeper/oauth/pre_authorization.rb
@@ -15,7 +15,10 @@ class PreAuthorization
                     :code_challenge, :code_challenge_method
       attr_writer   :scope
 
-      def initialize(server, client, attrs = {})
+      def initialize(server, client, params)
+        attrs = params.permit(:response_type, :redirect_uri, :scope, :state,
+                              :code_challenge, :code_challenge_method)
+
         @server                = server
         @client                = client
         @response_type         = attrs[:response_type]

diff --git a/spec/lib/oauth/pre_authorization_spec.rb b/spec/lib/oauth/pre_authorization_spec.rb
@@ -22,11 +22,11 @@ module Doorkeeper::OAuth
     end
 
     let :attributes do
-      {
+      ActionController::Parameters.new(
         response_type: "code",
         redirect_uri: "http://tst.com/auth",
         state: "save-this",
-      }
+      )
     end
 
     subject do
@@ -140,6 +140,11 @@ module Doorkeeper::OAuth
         subject.scope = "public"
         expect(subject).not_to be_authorizable
       end
+
+      it "gracefully ignores scope injected as object parameter" do
+        attributes[:scope] = { "0" => "profile" }
+        expect(subject).to be_authorizable
+      end
     end
 
     it "uses default scopes when none is required" do