# HG changeset patch
# User Kim Alvefur
# Date 1683833855 -7200
# Node ID dd7bddc87f989dabc2fa98f36c44101e771272af
# Parent 74fdf4a7cca19a3dba05e341e62c6e726e63c19f
mod_http_oauth2: Fix inclusion of role in refreshed access tokens

`refresh_token_info` does not carry the role, and due to behavior prior to prosody trunk rev a1ba503610ed it would have reverted to the users' default role. After that it instead issues a token without role which is thus not usable with e.g. mod_rest

diff -r 74fdf4a7cca1 -r dd7bddc87f98 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua	Thu May 11 15:10:44 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Thu May 11 21:37:35 2023 +0200
@@ -410,11 +410,14 @@
 		return oauth_error("invalid_grant", "invalid refresh token");
 	end
 
+	local refresh_scopes = refresh_token_info.grant.data.oauth2_scopes;
+	local new_scopes, role = filter_scopes(username, refresh_scopes);
+
 	-- new_access_token() requires the actual token
 	refresh_token_info.token = params.refresh_token;
 
 	return json.encode(new_access_token(
-		refresh_token_info.jid, refresh_token_info.role, refresh_token_info.grant.data.oauth2_scopes, client, nil, refresh_token_info
+		refresh_token_info.jid, role, new_scopes, client, nil, refresh_token_info
 	));
 end
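Review bot: The `username` passed to `filter_scopes` on the second added line is not defined anywhere in the hunk, and the enclosing function starts outside it; unless a local of that name is already in scope at this point of the refresh-token branch, it resolves to the global `username` (`nil`), so the role and scope filtering would be computed for no user and the refreshed token could again come out with a wrong or missing role, which is exactly what this commit sets out to fix. Deriving it from the stored token keeps the branch self-contained, e.g. `local username = jid.split(refresh_token_info.jid);` immediately before the `filter_scopes` call, assuming the module's `util.jid` import is available under that name — verify. Re-running `filter_scopes` at refresh time is otherwise the right approach, since it re-checks the originally granted scopes against the user's current role instead of trusting the state at issuance.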