# HG changeset patch # User Kim Alvefur # Date 1683834203 -7200 # Node ID d2594bbf7c365f9960977796c573bcdd4fa8eef4 # Parent 9c19a6b8e542d149a4632714c252efd6e7f9b3b3 mod_http_oauth2: Scope FIXMEs diff -r 9c19a6b8e542 -r d2594bbf7c36 mod_http_oauth2/mod_http_oauth2.lua --- a/mod_http_oauth2/mod_http_oauth2.lua Thu May 11 21:41:37 2023 +0200 +++ b/mod_http_oauth2/mod_http_oauth2.lua Thu May 11 21:43:23 2023 +0200 @@ -368,6 +368,7 @@ if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end if not params.code then return oauth_error("invalid_request", "missing 'code'"); end if params.scope and params.scope ~= "" then + -- FIXME allow a subset of granted scopes return oauth_error("invalid_scope", "unknown scope requested"); end @@ -544,6 +545,7 @@ local request_password = assert(params.password, oauth_error("invalid_request", "missing 'password'")); local request_username, request_host, request_resource = jid.prepped_split(request_jid); if params.scope then + -- TODO shouldn't we support scopes / roles here? return oauth_error("invalid_scope", "unknown scope requested"); end if not request_host or request_host ~= module.host then
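Review bot: In the first hunk (the `@@ -368` region, token endpoint handling of `params.scope`) the error message no longer matches the condition: every non-empty scope is rejected, whether or not it is a known scope, so "unknown scope requested" is misleading to a client that asked for a scope it was in fact granted. Since the FIXME records that a subset of the granted scopes should eventually be accepted here, consider making the message say that narrowing is not yet supported, and spelling out in the FIXME that "subset" means the intersection with the scopes granted at the authorization step; anything outside that set must still be refused rather than silently widened, so the check at this line stays a hard reject for the non-subset case.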
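Review bot: In the second hunk (the `@@ -544` region, password grant) the scope check is `if params.scope then`, whereas the first hunk uses `if params.scope and params.scope ~= "" then`; an empty `scope=` parameter is therefore tolerated on one grant type and rejected with "unknown scope requested" on the other. Align the two conditions (the `~= ""` form treats an empty parameter as absent, which seems to be the intent) so the behaviour does not depend on the grant type, and consider rewriting the TODO as a statement of the intended behaviour: if scopes/roles are to be accepted here, they must be bounded by the role the authenticated user already holds, the same constraint the first hunk's FIXME implies for the authorization-code path.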