Merge branch 'feature/rfc7009' into rfc7009

jankapunkt · web-flow · commit 01e723d7e7b1 · 2026-01-23T08:34:24.000+01:00
diff --git a/lib/grant-types/refresh-token-grant-type.js b/lib/grant-types/refresh-token-grant-type.js
@@ -54,10 +54,12 @@ class RefreshTokenGrantType extends AbstractGrantType {
 
     let token;
     token = await this.getRefreshToken(request, client);
-    token = await this.revokeToken(token);
 
+    // Validate scope before revoking token to prevent destroying tokens on scope validation errors
     const scope = this.getScope(request, token);
 
+    token = await this.revokeToken(token);
+
     return this.saveToken(token.user, client, scope);
   }
 
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@node-oauth/oauth2-server",
   "description": "Complete, framework-agnostic, compliant and well tested module for implementing an OAuth2 Server in node.js",
-  "version": "5.2.0",
+  "version": "5.2.2-rc.0",
   "keywords": [
     "oauth",
     "oauth2"
diff --git a/test/integration/grant-types/refresh-token-grant-type_test.js b/test/integration/grant-types/refresh-token-grant-type_test.js
@@ -7,6 +7,7 @@
 const InvalidArgumentError = require('../../../lib/errors/invalid-argument-error');
 const InvalidGrantError = require('../../../lib/errors/invalid-grant-error');
 const InvalidRequestError = require('../../../lib/errors/invalid-request-error');
+const InvalidScopeError = require('../../../lib/errors/invalid-scope-error');
 const RefreshTokenGrantType = require('../../../lib/grant-types/refresh-token-grant-type');
 const Model = require('../../../lib/model');
 const Request = require('../../../lib/request');
@@ -183,6 +184,34 @@ describe('RefreshTokenGrantType integration', function() {
 
       grantType.handle(request, client).should.be.an.instanceOf(Promise);
     });
+
+    it('should throw an error if extra `scope` is requested', async function() {
+      const client = { id: 123 };
+      const token = {
+        accessToken: 'foo',
+        client: { id: 123 },
+        user: { name: 'foo' },
+        refreshTokenExpiresAt: new Date(new Date() * 2)
+      };
+      const model = {
+        getRefreshToken: async function() {
+          return token;
+        },
+        revokeToken: () => should.fail(),
+        saveToken: () => should.fail()
+      };
+      const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 123, model });
+      const request = new Request({ body: { refresh_token: 'foobar', scope: 'read' }, headers: {}, method: {}, query: {} });
+
+      try {
+        await grantType.handle(request, client);
+
+        should.fail();
+      } catch (e) {
+        e.should.be.an.instanceOf(InvalidScopeError);
+        e.message.should.equal('Invalid scope: Unable to add extra scopes');
+      }
+    });
   });
 
   describe('getRefreshToken()', function() {

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@node-oauth/oauth2-server",`
`3`	`3`	`"description": "Complete, framework-agnostic, compliant and well tested module for implementing an OAuth2 Server in node.js",`
`4`		`- "version": "5.2.0",`
	`4`	`+ "version": "5.2.2-rc.0",`
`5`	`5`	`"keywords": [`
`6`	`6`	`"oauth",`
`7`	`7`	`"oauth2"`