Move validateScope outside promise.all

[jorenvandeweyer]

When there is an invalid scope passed, there is still an accessToken and refreshToken generated.

Code

node-oauth2-server/lib/grant-types/password-grant-type.js

Lines 105 to 127 in 0154165

	PasswordGrantType.prototype.saveToken = function(user, client, scope) {
	var fns = [
	this.validateScope(user, client, scope),
	this.generateAccessToken(client, user, scope),
	this.generateRefreshToken(client, user, scope),
	this.getAccessTokenExpiresAt(),
	this.getRefreshTokenExpiresAt()
	];
	return Promise.all(fns)
	.bind(this)
	.spread(function(scope, accessToken, refreshToken, accessTokenExpiresAt, refreshTokenExpiresAt) {
	var token = {
	accessToken: accessToken,
	accessTokenExpiresAt: accessTokenExpiresAt,
	refreshToken: refreshToken,
	refreshTokenExpiresAt: refreshTokenExpiresAt,
	scope: scope
	};
	return promisify(this.model.saveToken, 3).call(this.model, token, client, user);
	});
	};

Suggestion

Move this.validateScope(user, client, scope) out of the array and check this before generating the tokens.

Use case

We use JWT's and only an internal token id is saved instead of the full JWT string. This means generating the token automatically means saving the token. So we are not actually using the saveToken function.

[jorenvandeweyer]

It seems like some suggestions in #64 might fix this indirectly.

[jorenvandeweyer]

fixed in #229 & #228