
#0208

OAuth Scope Widening

Medium · +100 XP · A01:2021 Broken Access Control · CWE-269
OAuth · Scope · Privilege Escalation

Scenario

An OAuth 2.0 authorization server issues tokens with a set of scopes the user explicitly approved (e.g. read:profile, read:orders).

When the client later requests a new access token (via a refresh-token grant, or a downstream scope check), it passes a list of requested scopes. The server must verify that every requested scope was already granted by the user: RFC 6749 §6 states that the scope requested on refresh MUST NOT include any scope not originally granted by the resource owner.

The buggy implementation simply returns whatever the client asks for, silently granting scopes like write:orders or admin that the user never approved — a classic OAuth scope widening attack.

OAuth scope widening lets a malicious or compromised client silently escalate its own privileges. A single missing intersection check can turn a read-only token into an admin token without the user's knowledge.

Your Tasks

  1. Fix filterScopes so it returns only the scopes present in both requestedScopes and grantedScopes.
  2. If none of the requested scopes were granted, return an empty array.
  3. Legitimate scopes the user granted must still be returned when requested.

Examples

Example 1: Scope widening blocked

filterScopes(['read:profile','write:orders','admin'], ['read:profile','read:orders'])
// write:orders and admin were never granted
// → ['read:profile']

Example 2: All requested scopes granted

filterScopes(['read:profile','read:orders'], ['read:profile','read:orders'])
// → ['read:profile','read:orders']

Constraints

  • Only edit the function body — do not change the function signature.
  • Return a string[] containing only the intersection of the two input arrays.
  • Order of the returned scopes should match the order they appear in requestedScopes.
  • No external packages.
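The following is an added worked example, not the challenge's starter code or reference solution. It places the vulnerable filterScopes next to a hardened one and wraps it in a small refresh-token handler to show where the check belongs; refreshAccessToken, storedGrant and its fields are assumptions made for illustration.

```javascript
// Added example (not the challenge's own code). Scope strings are compared
// exactly: per RFC 6749 §3.3 scopes are case-sensitive, so 'Admin' !== 'admin'.

// BEFORE: the buggy implementation echoes back whatever the client asks for.
// A client granted only read:profile can request admin and receive it.
function filterScopesVulnerable(requestedScopes, grantedScopes) {
  return requestedScopes;
}

// AFTER: return the intersection, in requestedScopes order, with duplicates
// dropped. If nothing requested was granted, the result is [].
function filterScopes(requestedScopes, grantedScopes) {
  const granted = new Set(grantedScopes);
  const seen = new Set();
  const out = [];
  for (const scope of requestedScopes) {
    if (granted.has(scope) && !seen.has(scope)) {
      seen.add(scope);
      out.push(scope);
    }
  }
  return out;
}

// Illustrative refresh handler (assumed shape). The grant stored server-side
// is the source of truth; the new access token can never exceed it. When the
// client sends no scope parameter, RFC 6749 §6 says the new token gets the
// originally granted scope, so we default to the stored scopes rather than
// to an empty list.
function refreshAccessToken(storedGrant, requestedScopes) {
  const requested = requestedScopes === undefined ? storedGrant.scopes : requestedScopes;
  const scope = filterScopes(requested, storedGrant.scopes);
  return { sub: storedGrant.sub, client_id: storedGrant.clientId, scope };
}

// Constructed sample grant for a stand-alone run.
const sampleGrant = { sub: 'user-1', clientId: 'app', scopes: ['read:profile', 'read:orders'] };
console.log(filterScopesVulnerable(['read:profile', 'admin'], sampleGrant.scopes));
console.log(refreshAccessToken(sampleGrant, ['read:profile', 'write:orders', 'admin']).scope);
```

A Set lookup keeps the check linear in the size of both lists; the separate `seen` set guards against a client padding its request with repeated scopes to inflate the token. Note that the hardened function silently drops ungranted scopes, which matches the challenge's contract; a production server may instead choose to reject the request outright with invalid_scope so that a misbehaving client is visible in logs.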
