k1nq/TREK
1
0
Fork 0
mirror of https://github.com/mauriceboe/TREK.git synced 2026-06-21 14:21:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(mcp): narrow OAuth scope to allowed intersection instead of rejecting

Browse Source 
When a client requests scopes it is not permitted for, silently drop
them rather than failing the entire authorization flow. The token is
issued with only the intersection of requested and allowed scopes.

Also fix /authorize/validate to always return HTTP 200 so the consent
page can surface the actual error_description instead of a generic
axios failure message.
This commit is contained in:
jubnl
2026-04-09 23:47:53 +02:00
parent 54f280c366
commit 5b44fe68b1
3 changed files with 50 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files
server/src/routes/oauth.ts
-4
View File
@@ -167,10 +167,6 @@ oauthApiRouter.get('/authorize/validate', (req: Request, res: Response) => {
userId,
);
if (!result.valid) {
return res.status(400).json(result);
}
return res.json(result);
});