Skip to content

fix(auth0-express-api): default scopesInclude match to 'all'#24

Open
frederikprijck wants to merge 1 commit into
mainfrom
fix/sdk-1-scopesinclude-default-all
Open

fix(auth0-express-api): default scopesInclude match to 'all'#24
frederikprijck wants to merge 1 commit into
mainfrom
fix/sdk-1-scopesinclude-default-all

Conversation

@frederikprijck

@frederikprijck frederikprijck commented Jul 9, 2026

Copy link
Copy Markdown
Member

Summary

scopesInclude('read:admin write:admin') previously defaulted to match:'any', authorizing a request holding at least one of the listed scopes. A developer listing several scopes most often intends all are required, and the sibling requiresAuth({ scopes }) already uses .every — so the two APIs silently disagreed.

Changes

  • Default match changed from 'any''all'. Opt into OR semantics with { match: 'any' }.
  • Aligns with express-openid-connect's claimIncludes (uses .every()) and the sibling requiresAuth.
  • JSDoc, README, and EXAMPLES updated.

Breaking change — acceptable in beta. Consumers relying on the old OR default must now pass { match: 'any' }.

Tests

scopes-include.spec.ts rewritten to assert the new default (a token with only some required scopes is now rejected); explicit { match: 'any' } opt-in covered. Full auth0-express-api suite: 88/88 pass.

Aligns the default with express-openid-connect's claimIncludes (.every)
and the sibling requiresAuth({ scopes }) check, so listing multiple
scopes requires all of them by default. Opt into OR semantics with
{ match: 'any' }.

SECURITY: SDK-1 — weak-by-default authorization (CWE-285).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant