
my fork of honk

Anirudh Oppiliappan x@icyphox.sh
Sun, 21 Jan 2024 22:53:03 +0200
commit

547316d58593ef5261e2efca9d517b015693386f

parent

7b047d352b4d88e888dec7d9ab7365a4b74ddd85

1 files changed, 15 insertions(+), 3 deletions(-)

M masto.gomasto.go

@@ -5,6 +5,8 @@ "database/sql"

"fmt"
 "log"
 "net/http"
+ "slices"
+ "strings"
 "time"
 "humungus.tedunangst.com/r/webs/junk"

@@ -103,7 +105,7 @@ code := r.FormValue("code")

clientID := r.FormValue("client_id")
 clientSecret := r.FormValue("client_secret")
 redirectURI := r.FormValue("redirect_uri")
- gotScopes := r.FormValue("scopes")
+ gotScope := r.FormValue("scope")
 if !checkClient(clientID, clientSecret) {
 elog.Println("oauth: no such client:", clientID)

@@ -121,8 +123,18 @@ return

}
 log.Printf("%#v", app)
- if app.Scopes != gotScopes {
- elog.Printf("oauth: bad scopes: got %s; want %s", gotScopes, app.Scopes)
+ possibleScopes := strings.Split(app.Scopes, " ")
+ requestedScopes := strings.Split(gotScope, " ")
+ for _, scope := range requestedScopes {
+ if !slices.Contains(possibleScopes, scope) {
+ elog.Printf("oauth: invalid scope: %s", scope)
+ rw.WriteHeader(http.StatusBadRequest)
+ return
+ }
+ }
+
+ if app.Scopes != gotScope {
+ elog.Printf("oauth: bad scopes: got %s; want %s", gotScope, app.Scopes)
 rw.WriteHeader(http.StatusBadRequest)
 return
 }
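Review bot: The exact-equality check `if app.Scopes != gotScope {` kept at the end of the hunk makes the new per-scope loop irrelevant to what is accepted: any request whose scope string is not byte-identical to app.Scopes is still rejected with 400, so a client asking for a subset, or for the same scopes in a different order, gets the same outcome as before, only with a different log line. If the intent is to let clients request a subset of the registered scopes (the least-privilege reading of the loop), the equality check should go, and whatever is persisted for the token further down — outside this hunk — should record `requestedScopes` rather than app.Scopes so the token is not minted with more than was asked for. Splitting with `strings.Fields` instead of `strings.Split(…, " ")` would also avoid an empty-string entry when either value carries a leading, trailing or doubled space, e.g. `possibleScopes := strings.Fields(app.Scopes)` and `requestedScopes := strings.Fields(gotScope)`; as written an empty `scope` parameter produces `[""]` and is logged as `invalid scope: `, which may or may not be the intended handling of an omitted scope. The enclosing handler starts and ends outside the hunk, and `slices` requires Go 1.21 or later, which I cannot confirm from the module file here.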