e052daa08a
See #17478
42 lines
1 KiB
Ruby
42 lines
1 KiB
Ruby
module Oauth2::AccessTokenValidationService
|
|
# Results:
|
|
VALID = :valid
|
|
EXPIRED = :expired
|
|
REVOKED = :revoked
|
|
INSUFFICIENT_SCOPE = :insufficient_scope
|
|
|
|
class << self
|
|
def validate(token, scopes: [])
|
|
if token.expired?
|
|
return EXPIRED
|
|
|
|
elsif token.revoked?
|
|
return REVOKED
|
|
|
|
elsif !self.sufficient_scope?(token, scopes)
|
|
return INSUFFICIENT_SCOPE
|
|
|
|
else
|
|
return VALID
|
|
end
|
|
end
|
|
|
|
protected
|
|
|
|
# True if the token's scope is a superset of required scopes,
|
|
# or the required scopes is empty.
|
|
def sufficient_scope?(token, scopes)
|
|
if scopes.blank?
|
|
# if no any scopes required, the scopes of token is sufficient.
|
|
return true
|
|
else
|
|
# If there are scopes required, then check whether
|
|
# the set of authorized scopes is a superset of the set of required scopes
|
|
required_scopes = Set.new(scopes)
|
|
authorized_scopes = Set.new(token.scopes)
|
|
|
|
return authorized_scopes >= required_scopes
|
|
end
|
|
end
|
|
end
|
|
end
|