lib/rack/oauth2/models/access_grant.rb in rack-oauth2-server-2.0.0.beta3 vs lib/rack/oauth2/models/access_grant.rb in rack-oauth2-server-2.0.0.beta4

- old
+ new

@@ -10,13 +10,14 @@ def from_code(code)
 Server.new_instance self, collection.find_one({ :_id=>code, :revoked=>nil })
 end
 # Create a new access grant.
- def create(identity, scope, client_id, redirect_uri)
+ def create(identity, client, scope, redirect_uri = nil)
+ scope = Utils.normalize_scope(scope) & client.scope # Only allowed scope
 fields = { :_id=>Server.secure_random, :identity=>identity.to_s, :scope=>scope,
- :client_id=>BSON::ObjectId(client_id.to_s), :redirect_uri=>redirect_uri,
+ :client_id=>client.id, :redirect_uri=>client.redirect_uri || redirect_uri,
 :created_at=>Time.now.utc.to_i, :granted_at=>nil, :access_token=>nil, :revoked=>nil }
 collection.insert fields
 Server.new_instance self, fields
 end
@@ -32,11 +33,11 @@ attr_reader :identity
 # Client that was granted this access token.
 attr_reader :client_id
 # Redirect URI for this grant.
 attr_reader :redirect_uri
- # The scope granted in this token.
+ # The scope requested in this grant.
 attr_reader :scope
 # Does what it says on the label.
 attr_reader :created_at
 # Tells us when (and if) access token was created.
 attr_accessor :granted_at
@@ -51,10 +52,11 @@ # requests to obtain it, so we need to make sure only first request is
 # successful in returning access token, futher requests raise
 # InvalidGrantError.
 def authorize!
 raise InvalidGrantError if self.access_token || self.revoked
- access_token = AccessToken.get_token_for(identity, client_id, scope)
+ client = Client.find(client_id) or raise InvalidGrantError
+ access_token = AccessToken.get_token_for(identity, client, scope)
 self.access_token = access_token.token
 self.granted_at = Time.now.utc.to_i
 self.class.collection.update({ :_id=>code, :access_token=>nil, :revoked=>nil }, { :$set=>{ :granted_at=>granted_at, :access_token=>access_token.token } }, :safe=>true)
 reload = self.class.collection.find_one({ :_id=>code, :revoked=>nil }, { :fields=>%w{access_token} })
 raise InvalidGrantError unless reload && reload["access_token"] == access_token.token
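Review bot: `:redirect_uri=>client.redirect_uri || redirect_uri` in create silently substitutes the client's registered URI for a supplied one instead of treating a mismatch as an error, and when the client has no registered URI the supplied value is stored with no validation visible here. Unless the caller already compares the two before reaching this model, a check belongs here rather than a fallback, e.g. `raise <redirect-URI mismatch error> if client.redirect_uri && redirect_uri && client.redirect_uri != redirect_uri` (placeholder for whichever error class the server defines for this). The new `scope = Utils.normalize_scope(scope) & client.scope` line also narrows the request silently, so the caller cannot tell that scopes were dropped; a comment such as `# Scopes the client is not permitted to use are dropped, not rejected; callers must report the granted scope back` would make that policy explicit. Note too that `&` requires `client.scope` to be an Array (assuming normalize_scope returns one) — a client with a nil registered scope would raise TypeError on this line rather than produce an empty grant.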
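Review bot: `AccessToken.get_token_for(identity, client, scope)` in authorize! passes the scope stored with the grant, which was intersected with `client.scope` only when the grant was created; unless get_token_for re-applies that intersection (its body is not in this hunk), a client whose permitted scope was reduced between grant issuance and authorization would still receive a token for the original, broader scope. Re-applying it at the call, `access_token = AccessToken.get_token_for(identity, client, scope & client.scope)`, keeps the token bounded by the client's current permissions. The new `client = Client.find(client_id) or raise InvalidGrantError` handles a missing client but not a revoked one; if Client carries a revoked timestamp the way this grant does, `raise InvalidGrantError if client.revoked` next to it would close that gap. authorize! continues past the end of the hunk.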