if user.is_admin || !contains_admin_scopes?(scopes) || !contains_admin_scopes?(app_scopes) do
{:ok, scopes}
else
- {:error, :unsupported_scopes}
+ # Gracefully dropping admin scopes from requested scopes if user isn't an admin (not raising)
+ scopes = scopes -- OAuthScopesPlug.filter_descendants(scopes, ["admin"])
+ validate(scopes, app_scopes, user)
end
end
- defp contains_admin_scopes?(scopes) do
+ def contains_admin_scopes?(scopes) do
scopes
|> OAuthScopesPlug.filter_descendants(["admin"])
|> Enum.any?()