WFPREV-797 Extra scope check for WFPREV_CREATOR

Author: ssylver93

client/wfprev-war/src/main/angular/src/app/services/token.service.spec.ts

@@ -406,4 +406,45 @@ describe('TokenService', () => {
       expect(service.getIdir()).toBe('');
     });
   });
+
+  describe('hasAllScopesFromHash (scope validation)', () => {
+  const call = (hash: string, required: string[]) =>
+    (service as any).hasAllScopesFromHash(hash, required);
+
+  afterEach(() => {
+    // clean up hash after each test
+    window.history.pushState({}, '', '/');
+  });
+
+  it('returns true when all explicit scopes are present (space encoded as %20)', () => {
+    const hash = '#access_token=t&scope=FOO%20BAR%20BAZ';
+    expect(call(hash, ['FOO', 'BAR'])).toBeTrue();
+  });
+
+  it('returns true when scopes are + separated (IdPs may encode spaces as +)', () => {
+    const hash = '#access_token=t&scope=FOO+BAR+BAZ';
+    expect(call(hash, ['FOO', 'BAR'])).toBeTrue();
+  });
+
+  it('supports wildcard prefix (WFDM.*) when at least one WFDM scope is present', () => {
+    const hash = '#access_token=t&scope=WFDM.CREATE_FILE%20WFPREV.GET_TOPLEVEL';
+    expect(call(hash, ['WFDM.*'])).toBeTrue();
+  });
+
+  it('fails wildcard check when no scope matches the prefix', () => {
+    const hash = '#access_token=t&scope=WFPREV.GET_TOPLEVEL';
+    expect(call(hash, ['WFDM.*'])).toBeFalse();
+  });
+
+  it('returns false if an explicit required scope is missing', () => {
+    const hash = '#access_token=t&scope=FOO%20BAR';
+    expect(call(hash, ['FOO', 'MISSING'])).toBeFalse();
+  });
+
+  it('treats empty required list as true (noop)', () => {
+    const hash = '#access_token=t&scope=ANY';
+    expect(call(hash, [])).toBeFalse();
+  });
+});
+
 });

client/wfprev-war/src/main/angular/src/app/services/token.service.ts

@@ -49,8 +49,13 @@ export class TokenService {
 
   public async checkForToken(redirectUri?: string, lazyAuth = false, allowLocalExpiredToken = false): Promise<void> {
     const hash = globalThis.location?.hash;
+    const authScopes: string[] = this.appConfigService?.getConfig()?.webade?.authScopes as unknown as string[];
 
     if (hash?.includes('access_token')) {
+      if (!this.hasAllScopesFromHash(hash, authScopes)) {
+        this.router.navigate(['/' + ResourcesRoutes.ERROR_PAGE]);
+        return; 
+      }
       this.parseToken(hash);
     } else if (this.useLocalStore && !navigator.onLine) {
       let tokenStore = localStorage.getItem(this.LOCAL_STORAGE_KEY);
@@ -78,6 +83,37 @@ export class TokenService {
     }
   }
 
+  private hasAllScopesFromHash(hash: string | undefined, required: string[] = []): boolean {
+  if (!hash || required.length === 0) return false;
+
+  const params = new URLSearchParams(hash.replace(/^#/, ''));
+  let scopeParam = params.get('scope') || '';
+
+  scopeParam = scopeParam.replace(/\+/g, ' ');
+
+  const grantedList = scopeParam.split(/\s+/).filter(Boolean);
+  const grantedSet = new Set(grantedList);
+
+  const missing: string[] = [];
+
+  for (const req of required) {
+    // handle wildcard pattern like "WFDM.*"
+    if (req.endsWith('.*')) {
+      const prefix = req.slice(0, -1);
+      const hasAny = grantedList.some(g => g.startsWith(prefix));
+      if (!hasAny) missing.push(req);
+    } else {
+      if (!grantedSet.has(req)) missing.push(req);
+    }
+  }
+
+  if (missing.length > 0) {
+    return false;
+  }
+  return true;
+}
+
+
   public isTokenExpired(token: any): boolean {
     if (token?.exp) {
       const expiryDate = moment.unix(token.exp);