(request, route)
| 302 | } |
| 303 | |
| 304 | _access(request, route) { |
| 305 | |
| 306 | const config = this.lookup(route || request.route); |
| 307 | if (!config?.access) { |
| 308 | return true; |
| 309 | } |
| 310 | |
| 311 | const credentials = request.auth.credentials; |
| 312 | if (!credentials) { |
| 313 | if (config.mode !== 'required') { |
| 314 | return false; |
| 315 | } |
| 316 | |
| 317 | throw Boom.forbidden('Request is unauthenticated'); |
| 318 | } |
| 319 | |
| 320 | const requestEntity = (credentials.user ? 'user' : 'app'); |
| 321 | |
| 322 | const scopeErrors = []; |
| 323 | for (const access of config.access) { |
| 324 | |
| 325 | // Check entity |
| 326 | |
| 327 | const entity = access.entity; |
| 328 | if (entity && |
| 329 | entity !== 'any' && |
| 330 | entity !== requestEntity) { |
| 331 | |
| 332 | continue; |
| 333 | } |
| 334 | |
| 335 | // Check scope |
| 336 | |
| 337 | let scope = access.scope; |
| 338 | if (scope) { |
| 339 | if (!credentials.scope) { |
| 340 | scopeErrors.push(scope); |
| 341 | continue; |
| 342 | } |
| 343 | |
| 344 | scope = internals.expandScope(request, scope); |
| 345 | if (!internals.validateScope(credentials, scope, 'required') || |
| 346 | !internals.validateScope(credentials, scope, 'selection') || |
| 347 | !internals.validateScope(credentials, scope, 'forbidden')) { |
| 348 | |
| 349 | scopeErrors.push(scope); |
| 350 | continue; |
| 351 | } |
| 352 | } |
| 353 | |
| 354 | return true; |
| 355 | } |
| 356 | |
| 357 | // Scope error |
| 358 | |
| 359 | if (scopeErrors.length) { |
| 360 | request._log(['auth', 'scope', 'error']); |
| 361 | throw Boom.forbidden('Insufficient scope', { got: credentials.scope, need: scopeErrors }); |
no test coverage detected