From e9f6d186dc947863a5dfc18c8d6f2016b8030c88 Mon Sep 17 00:00:00 2001
From: tobi <31960611+tsmethurst@users.noreply.github.com>
Date: Sat, 19 Apr 2025 21:57:50 +0200
Subject: [bugfix] Fix '+'-separated scopes not being recognized (#4028)

* [bugfix] Fix '+'-separated scopes not being recognized
* comment
---
 internal/api/auth/authorize.go | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
(limited to 'internal/api/auth/authorize.go')
diff --git a/internal/api/auth/authorize.go b/internal/api/auth/authorize.go
index 3676fd417..5b3e6ea3c 100644
--- a/internal/api/auth/authorize.go
+++ b/internal/api/auth/authorize.go
@@ -20,6 +20,7 @@ package auth
 import (
 "net/http"
 "net/url"
+ "strings"

 "github.com/gin-contrib/sessions"
 "github.com/gin-gonic/gin"
@@ -229,8 +230,8 @@ func (m *Module) AuthorizePOSTHandler(c *gin.Context) {
 }

 // redirectAuthFormToSignIn binds an OAuthAuthorize form,
- // stores the values in the form into the session, and
- // redirects the user to the sign in page.
+ // presumed to be set as url query params, stores the values
+ // into the session, and redirects the user to the sign in page.
 func (m *Module) redirectAuthFormToSignIn(c *gin.Context) {
 s := sessions.Default(c)

@@ -240,9 +241,14 @@ func (m *Module) redirectAuthFormToSignIn(c *gin.Context) {
 return
 }

- // Set default scope to read.
+ // If scope isn't set default to read.
+ //
+ // Else massage submitted scope(s) from
+ // '+'-separated to space-separated.
 if form.Scope == "" {
 form.Scope = "read"
+ } else {
+ form.Scope = strings.ReplaceAll(form.Scope, "+", " ")
 }

 // Save these values from the form so we
--
cgit v1.2.3
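Review bot: In the third hunk (`@@ -240,9 +241,14 @@`) the empty-scope check runs before the '+' replacement, so a submitted scope of `+` or `read++write` ends up as `" "` or `"read  write"`: never defaulted to `read`, and carrying empty tokens into the session. Since this value later decides what the issued token may do, it would be safer to normalize first and default afterwards: `form.Scope = strings.Join(strings.Fields(strings.ReplaceAll(form.Scope, "+", " ")), " ")`, followed by the existing `if form.Scope == "" { form.Scope = "read" }`. The rest of redirectAuthFormToSignIn lies outside the hunk, so whether the stored scopes are later checked against the application's registered scopes cannot be seen here. If they are not, that check belongs next to this normalization.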