[11.x] Add the ability to limit scopes by client (#1682)

* Add the ability to limit scopes by client

* Update Client.php

---------

Co-authored-by: Taylor Otwell <[email protected]>

Author: axlon

src/Bridge/ScopeRepository.php

@@ -2,12 +2,31 @@
 
 namespace Laravel\Passport\Bridge;
 
+use Laravel\Passport\ClientRepository;
 use Laravel\Passport\Passport;
 use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
 
 class ScopeRepository implements ScopeRepositoryInterface
 {
+    /**
+     * The client repository.
+     *
+     * @var \Laravel\Passport\ClientRepository
+     */
+    protected ClientRepository $clients;
+
+    /**
+     * Create a new scope repository.
+     *
+     * @param  \Laravel\Passport\ClientRepository  $clients
+     * @return void
+     */
+    public function __construct(ClientRepository $clients)
+    {
+        $this->clients = $clients;
+    }
+
     /**
      * {@inheritdoc}
      */
@@ -31,8 +50,11 @@ public function finalizeScopes(
             })->values()->all();
         }
 
-        return collect($scopes)->filter(function ($scope) {
-            return Passport::hasScope($scope->getIdentifier());
+        $client = $this->clients->findActive($clientEntity->getIdentifier());
+
+        return collect($scopes)->filter(function ($scope) use ($client) {
+            return Passport::hasScope($scope->getIdentifier())
+                && $client->hasScope($scope->getIdentifier());
         })->values()->all();
     }
 }

src/Client.php

@@ -41,6 +41,7 @@ class Client extends Model
      */
     protected $casts = [
         'grant_types' => 'array',
+        'scopes' => 'array',
         'personal_access_client' => 'bool',
         'password_client' => 'bool',
         'revoked' => 'bool',
@@ -154,6 +155,17 @@ public function skipsAuthorization()
         return false;
     }
 
+    /**
+     * Determine whether the client has the given scope.
+     *
+     * @param  string  $scope
+     * @return bool
+     */
+    public function hasScope($scope)
+    {
+        return ! is_array($this->scopes) || in_array($scope, $this->scopes);
+    }
+
     /**
      * Determine if the client is a confidential client.
      *

tests/Unit/BridgeScopeRepositoryTest.php

@@ -5,7 +5,10 @@
 use Laravel\Passport\Bridge\Client;
 use Laravel\Passport\Bridge\Scope;
 use Laravel\Passport\Bridge\ScopeRepository;
+use Laravel\Passport\Client as ClientModel;
+use Laravel\Passport\ClientRepository;
 use Laravel\Passport\Passport;
+use Mockery;
 use PHPUnit\Framework\TestCase;
 
 class BridgeScopeRepositoryTest extends TestCase
@@ -16,7 +19,56 @@ public function test_invalid_scopes_are_removed()
             'scope-1' => 'description',
         ]);
 
-        $repository = new ScopeRepository;
+        $client = Mockery::mock(ClientModel::class)->makePartial();
+
+        $clients = Mockery::mock(ClientRepository::class);
+        $clients->shouldReceive('findActive')->withAnyArgs()->andReturn($client);
+
+        $repository = new ScopeRepository($clients);
+
+        $scopes = $repository->finalizeScopes(
+            [$scope1 = new Scope('scope-1'), new Scope('scope-2')], 'client_credentials', new Client('id', 'name', 'http://localhost'), 1
+        );
+
+        $this->assertEquals([$scope1], $scopes);
+    }
+
+    public function test_clients_do_not_restrict_scopes_by_default()
+    {
+        Passport::tokensCan([
+            'scope-1' => 'description',
+            'scope-2' => 'description',
+        ]);
+
+        $client = Mockery::mock(ClientModel::class)->makePartial();
+        $client->scopes = null;
+
+        $clients = Mockery::mock(ClientRepository::class);
+        $clients->shouldReceive('findActive')->withAnyArgs()->andReturn($client);
+
+        $repository = new ScopeRepository($clients);
+
+        $scopes = $repository->finalizeScopes(
+            [$scope1 = new Scope('scope-1'), $scope2 = new Scope('scope-2')], 'client_credentials', new Client('id', 'name', 'http://localhost'), 1
+        );
+
+        $this->assertEquals([$scope1, $scope2], $scopes);
+    }
+
+    public function test_scopes_disallowed_for_client_are_removed()
+    {
+        Passport::tokensCan([
+            'scope-1' => 'description',
+            'scope-2' => 'description',
+        ]);
+
+        $client = Mockery::mock(ClientModel::class)->makePartial();
+        $client->scopes = ['scope-1'];
+
+        $clients = Mockery::mock(ClientRepository::class);
+        $clients->shouldReceive('findActive')->withAnyArgs()->andReturn($client);
+
+        $repository = new ScopeRepository($clients);
 
         $scopes = $repository->finalizeScopes(
             [$scope1 = new Scope('scope-1'), new Scope('scope-2')], 'client_credentials', new Client('id', 'name', 'http://localhost'), 1
@@ -31,7 +83,12 @@ public function test_superuser_scope_cant_be_applied_if_wrong_grant()
             'scope-1' => 'description',
         ]);
 
-        $repository = new ScopeRepository;
+        $client = Mockery::mock(ClientModel::class)->makePartial();
+
+        $clients = Mockery::mock(ClientRepository::class);
+        $clients->shouldReceive('findActive')->withAnyArgs()->andReturn($client);
+
+        $repository = new ScopeRepository($clients);
 
         $scopes = $repository->finalizeScopes(
             [$scope1 = new Scope('*')], 'refresh_token', new Client('id', 'name', 'http://localhost'), 1