From d62b2ad86df4a56a0a7c3c3745a27a53db37373a Mon Sep 17 00:00:00 2001
From: Marios Antonoudiou
Date: Tue, 22 Apr 2025 10:10:29 +0300
Subject: [PATCH] Require enough scope

---
 server/routes/auth/strava.ts | 30 ++++++++++++++++++++++++------
 1 file changed, 24 insertions(+), 6 deletions(-)

diff --git a/server/routes/auth/strava.ts b/server/routes/auth/strava.ts
index fd57f3e..c966b61 100644
--- a/server/routes/auth/strava.ts
+++ b/server/routes/auth/strava.ts
@@ -1,10 +1,28 @@
-import { omit } from "radash";
+import { get, omit } from "radash";
+
+const requiredScope = ["read", "activity:write", "activity:read_all"];
+const hasEnoughScope = (scope: string) => {
+ const permissions = scope.split(",");
+
+ return requiredScope.every((p) => permissions.includes(p));
+};
 
 export default defineOAuthStravaEventHandler({
 config: {
- scope: ["read,activity:read_all,activity:write"],
+ scope: [requiredScope.join(",")],
+ approvalPrompt: "force",
 },
 onSuccess: async (event, auth) => {
+ const query = getQuery(event);
+ const scope = get(query, "scope", "");
+
+ if (!hasEnoughScope(scope)) {
+ throw createError({
+ statusCode: 403,
+ message: "Insufficient scope",
+ });
+ }
+
 const userPayload = {
 id: auth.user.id,
 name: `${auth.user.firstname} ${auth.user.lastname}`,
@@ -15,10 +33,6 @@ export default defineOAuthStravaEventHandler({
 avatar: auth.user.profile,
 };
 
- await setUserSession(event, {
- user: userPayload,
- });
-
 const db = useDrizzle();
 
 const [user] = await db
@@ -61,6 +75,10 @@ export default defineOAuthStravaEventHandler({
 })
 .onConflictDoNothing();
 
+ await setUserSession(event, {
+ user: userPayload,
+ });
+
 sendRedirect(event, "/");
 },
 });
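Review bot: The `scope` that `hasEnoughScope` checks in the first hunk is read from the callback query string, which reaches this route through the user's browser, so it records what the authorization server said at redirect time rather than what the issued token can actually do; it is a useful fast-fail, but if the token-exchange response or a later API call exposes the granted scope, that is the authoritative place to enforce it, and a comment such as `// Fast-fail on the scope echoed in the callback; the token itself is the source of truth.` would make the intent clear. Separately, `get(query, "scope", "")` is only typed as a string by the default value — a query parser may yield an array for a repeated key — and then `scope.split(",")` throws, turning the intended 403 into a 500; narrowing first, e.g. `const raw = get(query, "scope", ""); const scope = typeof raw === "string" ? raw : "";`, keeps the failure on the 403 path. `hasEnoughScope` and `requiredScope` also lack any documentation; a one-line comment like `// Strava reports granted scopes as a comma-separated list; every entry of requiredScope must be present.` would suffice. The enclosing onSuccess handler continues past the end of this hunk.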