# HG changeset patch
# User Kim Alvefur
# Date 1683483918 -7200
# Node ID 0bbeee8ba8b5f8f9efe503a60a8e1a003de43984
# Parent 07e166b34c4ccf70206b9c50e55c40de85e48620
mod_http_oauth2: Strip unknown scopes from consent page
Since the scope string can be any arbitrary space-separated strings.
diff -r 07e166b34c4c -r 0bbeee8ba8b5 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua Sun May 07 20:24:18 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Sun May 07 20:25:18 2023 +0200
@@ -651,7 +651,8 @@
 return render_page(templates.login, { state = auth_state, client = client });
 elseif auth_state.consent == nil then
 -- Render consent page
- return render_page(templates.consent, { state = auth_state; client = client; scopes = parse_scopes(params.scope or "") }, true);
+ local scopes, roles = split_scopes(parse_scopes(params.scope or ""));
+ return render_page(templates.consent, { state = auth_state; client = client; scopes = scopes+roles }, true);
 elseif not auth_state.consent then
 -- Notify client of rejection
 return error_response(request, oauth_error("access_denied"));
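Review bot: The consent page now shows only what `split_scopes()` recognises, but the filtered list is not written back into `auth_state` or `params`, so the hunk alone does not guarantee that the scopes the user sees are the scopes the later grant/token step issues; that step is outside this hunk and presumably re-parses `params.scope`, which should go through the same `split_scopes()` filter, otherwise the UI-deception problem this commit fixes (arbitrary client-supplied strings rendered on the consent page) simply moves to a display/issuance mismatch. A comment on the new `local scopes, roles = ...` line would make that coupling explicit, e.g. `-- Show only recognised scopes/roles; the grant path must apply the same split_scopes() filter so consent matches issuance`. The `scopes+roles` expression appears to rely on an array-style `__add` metamethod on whatever `split_scopes` returns; if either value can be a plain table this line raises at runtime, so confirm the return type or spell the concatenation out. The enclosing handler starts and ends outside the hunk.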